Module 3: Concealment and Log Alteration
Highline Community College, Seattle University, University of Washington, in conjunction with the National Science Foundation
Topics
• Hexadecimal ASCII/numeric data
• Alteration of logs
• Examples
ASCII text file
% cat hexcharacters.txt
0123456789ABCDEF
0123456789ABCDEF
0123456789ABCDEF
0123456789ABCDEF
0123456789ABCDEF
0123456789ABCDEF
% man ascii
NAME
     ascii - octal, hexadecimal and decimal ASCII character sets
DESCRIPTION
     The hexadecimal set:
     00 nul  01 soh  02 stx  03 etx  04 eot  05 enq  06 ack  07 bel
     08 bs   09 ht   0a nl   0b vt   0c np   0d cr   0e so   0f si
     10 dle  11 dc1  12 dc2  13 dc3  14 dc4  15 nak  16 syn  17 etb
     18 can  19 em   1a sub  1b esc  1c fs   1d gs   1e rs   1f us
     20 sp   21 !    22 "    23 #    24 $    25 %    26 &    27 '
     28 (    29 )    2a *    2b +    2c ,    2d -    2e .    2f /
     30 0    31 1    32 2    33 3    34 4    35 5    36 6    37 7
     38 8    39 9    3a :    3b ;    3c <    3d =    3e >    3f ?
     40 @    41 A    42 B    43 C    44 D    45 E    46 F    47 G
     48 H    49 I    4a J    4b K    4c L    4d M    4e N    4f O
     50 P    51 Q    52 R    53 S    54 T    55 U    56 V    57 W
Hexadecimal (base16) dump
% hexdump -C hexcharacters.txt
00000000  30 31 32 33 34 35 36 37  38 39 41 42 43 44 45 46  |0123456789ABCDEF|
00000010  0a 30 31 32 33 34 35 36  37 38 39 41 42 43 44 45  |.0123456789ABCDE|
00000020  46 0a 30 31 32 33 34 35  36 37 38 39 41 42 43 44  |F.0123456789ABCD|
00000030  45 46 0a 30 31 32 33 34  35 36 37 38 39 41 42 43  |EF.0123456789ABC|
00000040  44 45 46 0a 30 31 32 33  34 35 36 37 38 39 41 42  |DEF.0123456789AB|
00000050  43 44 45 46 0a 30 31 32  33 34 35 36 37 38 39 41  |CDEF.0123456789A|
00000060  42 43 44 45 46 0a                                 |BCDEF.|
00000066
Concealment using "Rootkits"
• Replacement of operating system commands or system calls
• Two fundamental types
  • Application (User) Level
  • Kernel Level
• Configuration file(s) to control hiding
• Often simple to identify/bypass, but can be very difficult to detect/disable
http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq
Alteration of logs
• Types of logs
• Ways to clean logs
• Disable logging for future
Types of logs
• Text
  • Unix syslog
  • Apache access logs
• Binary
  • Unix utmp/wtmp/lastlog
  • Windows Event logs
Ways to clean logs
• Delete (or shred)
• Filter & Delete
• Edit in place
Disable logging
• Kill syslogd
• Link log files to /dev/null
• Edit/delete syslog configuration file
• Fill partition containing log files
Deleting login entries from Unix wtmp
• How does wtmp logging work?
• Examples
  • Using wzap
  • Using wipe
  • Using marry
How does wtmp logging work?
Definition of wtmp entry, from /usr/include/bits/utmp.h

UT_LINESIZE is 32 bytes
UT_NAMESIZE is 32 bytes
UT_HOSTSIZE is 256 bytes
. . .

/* The structure describing an entry in the user accounting database. */
struct utmp
{
  short int ut_type;            /* Type of login. */
  pid_t ut_pid;                 /* Process ID of login process. */
  char ut_line[UT_LINESIZE];    /* Devicename. */
  char ut_id[4];                /* Inittab ID. */
  char ut_user[UT_NAMESIZE];    /* Username. */
  char ut_host[UT_HOSTSIZE];    /* Hostname for remote login. */
  struct exit_status ut_exit;   /* Exit status of a process marked as DEAD_PROCESS. */
  long int ut_session;          /* Session ID, used for windowing. */
  struct timeval ut_tv;         /* Time entry was made. */
  int32_t ut_addr_v6[4];        /* Internet address of remote host. */
  char __unused[20];            /* Reserved for future use. */
};
Output of last
reboot   system boot  2.4.2-2          Fri Aug 24 11:13          (01:53)
ftp      ftpd12458    localhost.locald Fri Aug 24 09:45 - 09:46  (00:00)
dittrich pts/1                         Fri Aug 24 09:45 - down   (01:25)
ftp      ftpd12433    localhost.locald Fri Aug 24 09:43 - 09:44  (00:00)
dittrich pts/0                         Fri Aug 24 09:28 - down   (01:42)
dittrich :0                            Fri Aug 24 09:28 - down   (01:42)
dittrich pts/0                         Fri Aug 24 09:24 - 09:28  (00:03)
dittrich pts/6                         Sun Aug 19 11:43 - 13:45  (2+02:02)
dittrich pts/1                         Sun Aug 19 01:32 - 13:27  (2+11:54)
dittrich pts/5                         Sun Aug 19 01:26 - 09:23  (5+07:56)
dittrich pts/4                         Sun Aug 19 01:23 - 09:23  (5+08:00)
dittrich pts/0                         Sun Aug 19 01:19 - 09:24  (5+08:04)
dittrich pts/6                         Sat Aug 18 21:26 - 01:18  (03:52)
dittrich pts/5                         Sat Aug 18 21:16 - 01:19  (04:02)
dittrich pts/4                         Sat Aug 18 21:14 - 01:19  (04:04)
dittrich pts/3                         Sat Aug 18 15:15 - 09:24  (5+18:08)
dittrich pts/1                         Sat Aug 18 13:21 - 01:32  (12:11)
dittrich pts/2                         Sun Aug 5 15:49 - 21:13   (13+05:24)
dittrich pts/0                         Sun Aug 5 15:40 - 01:18   (13+09:38)

wtmp begins Sun Aug 5 15:40:05 2001
Hex dump of wtmp file
0000000: 0700 0000 e404 0000 7074 732f 3000 0000  ........pts/0...
0000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000020: 0000 0000 0000 0000 2f30 0000 6469 7474  ......../0..ditt
0000030: 7269 6368 0000 0000 0000 0000 0000 0000  rich............
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
. . .
0000140: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000150: 0000 0000 45cb 6d3b 8325 0a00 0000 0000  ....E.m;.%......
0000160: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000170: 0000 0000 0000 0000 0000 0000 0000 0000  ................

Hex dump of wtmp file (fields annotated)
0000000: 0700 0000 e404 0000 7074 732f 3000 0000  ........pts/0...
         |-type--| |--pid--| |------------------
0000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
         -------------device name---------------
0000020: 0000 0000 0000 0000 2f30 0000 6469 7474  ......../0..ditt
         ------------------| |---id--| |--------
0000030: 7269 6368 0000 0000 0000 0000 0000 0000  rich............
         --------------username-----------------
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
         ----------------------------| |--------
. . .
0000140: 0000 0000 0000 0000 0000 0000 0000 0000  ................
         ---------------hostname-----| |--exit--
0000150: 0000 0000 45cb 6d3b 8325 0a00 0000 0000  ....E.m;.%......
         --------| |------time-------| |--------
0000160: 0000 0000 0000 0000 0000 0000 0000 0000  ................
         ---------IP address---------| |--------
0000170: 0000 0000 0000 0000 0000 0000 0000 0000  ................
         ------------reserved------------------|

0x00000000 == 0 == Thu Jan 1 0:00:00 GMT 1970 == Wed Dec 31 16:00:00 PDT 1969
0x3b6dcb45 == 997051205 == Sun Aug 5 15:40:05 PDT 2001
t0rnkit wzap
Section of t0rn script that calls wzap
. . .
mv wzap /var/log
cd /var/log
./wzap ftp
mv wtmp.out wtmp
rm -rf /var/log/wzap
. . .
t0rnkit wzap in use
ltrace while running wzap
__libc_start_main(0x080485c0, 2, 0xbffff8ec, 0x080483fc, 0x0804876c <unfinished ...>
__register_frame_info(0x08049884, 0x08049980, 0xbffff8a0, 0x08048421, 0x4014a9e4) = 0x4014b5e0
strcpy(0xbffff86c, "ftp") = 0xbffff86c
printf("\nopening file...\n") = 17
fopen("wtmp", "r") = 0x08049b30
printf("opening output file...\n") = 23
fopen("wtmp.out", "wr") = 0x08049ca0
printf("working...\n") = 11
feof(0x08049b30) = 0
fread(0x080499a0, 384, 1, 0x08049b30) = 1
strncmp("dittrich", "ftp", 8) = -2
fwrite("\007", 384, 1, 0x08049ca0) = 1
feof(0x08049b30) = 0
. . .
. . .
fread(0x080499a0, 384, 1, 0x08049b30) = 1
strncmp("ftp", "ftp", 8) = 0
feof(0x08049b30) = 0
fread(0x080499a0, 384, 1, 0x08049b30) = 1
strncmp("", "ftp", 8) = -102
fwrite("", 384, 1, 0x08049ca0) = 1
feof(0x08049b30) = 0
fread(0x080499a0, 384, 1, 0x08049b30) = 1
. . .
wtmp before wzap
dittrich pts/3                         Fri Aug 24 13:19 - 13:30  (00:10)
dittrich pts/0                         Fri Aug 24 13:19   still logged in
dittrich pts/1                         Fri Aug 24 13:19 - 21:49  (5+08:29)
dittrich pts/2                         Fri Aug 24 13:19 - 15:57  (02:37)
dittrich :0                            Fri Aug 24 13:19   still logged in
reboot   system boot  2.4.2-2          Fri Aug 24 13:18          (11+09:33)
root     tty1                          Fri Aug 24 13:17 - down   (00:00)
dittrich :0                            Fri Aug 24 13:16 - down   (00:00)
root     tty2                          Fri Aug 24 13:10 - 13:16  (00:05)
root     tty1                          Fri Aug 24 13:10 - 13:16  (00:06)
reboot   system boot  2.4.2-2          Fri Aug 24 13:08          (00:08)
dittrich pts/1                         Fri Aug 24 11:35 - down   (01:30)
dittrich pts/0                         Fri Aug 24 11:35 - down   (01:30)
dittrich :0                            Fri Aug 24 11:35 - down   (01:30)
reboot   system boot  2.4.2-2          Fri Aug 24 11:13          (01:53)
ftp      ftpd12458    localhost.locald Fri Aug 24 09:45 - 09:46  (00:00)
dittrich pts/1                         Fri Aug 24 09:45 - down   (01:25)
ftp      ftpd12433    localhost.locald Fri Aug 24 09:43 - 09:44  (00:00)
dittrich pts/0                         Fri Aug 24 09:28 - down   (01:42)
dittrich :0                            Fri Aug 24 09:28 - down   (01:42)

wtmp begins Sun Aug 5 15:40:05 2001

wtmp after wzap
dittrich pts/3                         Fri Aug 24 13:19 - 13:30  (00:10)
dittrich pts/0                         Fri Aug 24 13:19   still logged in
dittrich pts/1                         Fri Aug 24 13:19 - 21:49  (5+08:29)
dittrich pts/2                         Fri Aug 24 13:19 - 15:57  (02:37)
dittrich :0                            Fri Aug 24 13:19   still logged in
reboot   system boot  2.4.2-2          Fri Aug 24 13:18          (11+09:33)
root     tty1                          Fri Aug 24 13:17 - down   (00:00)
dittrich :0                            Fri Aug 24 13:16 - down   (00:00)
root     tty2                          Fri Aug 24 13:10 - 13:16  (00:05)
root     tty1                          Fri Aug 24 13:10 - 13:16  (00:06)
reboot   system boot  2.4.2-2          Fri Aug 24 13:08          (00:08)
dittrich pts/1                         Fri Aug 24 11:35 - down   (01:30)
dittrich pts/0                         Fri Aug 24 11:35 - down   (01:30)
dittrich :0                            Fri Aug 24 11:35 - down   (01:30)
reboot   system boot  2.4.2-2          Fri Aug 24 11:13          (01:53)
dittrich pts/1                         Fri Aug 24 09:45 - down   (01:25)
dittrich pts/0                         Fri Aug 24 09:28 - down   (01:42)
dittrich :0                            Fri Aug 24 09:28 - down   (01:42)

wtmp begins Sun Aug 5 15:40:05 2001
t0rnkit wzap in use
• wzap must be run in /var/log
• wzap copied to /var and deleted
  • (Can be recovered from /var)
• wtmp file cleaned properly, but not in place
• Original wtmp deleted
  • (Can be recovered from /var)
wipe features
USAGE: wipe [ u|w|l|a ] ...options...
UTMP editing:
  Erase all usernames       : wipe u [username]
  Erase one username on tty : wipe u [username] [tty]
WTMP editing:
  Erase last entry for user : wipe w [username]
  Erase last entry on tty   : wipe w [username] [tty]
LASTLOG editing:
  Blank lastlog for user    : wipe l [username]
  Alter lastlog entry       : wipe l [username] [tty] [time] [host]
  Where [time] is in the format [YYMMddhhmm]
ACCT editing:
  Erase acct entries on tty : wipe a [username] [tty]
wipe in use (ltrace output)
. . .
printf("Patching %s .... ", "/var/log/wtmp") = 28
fflush(0x0804a9d0) = 0
open("/var/log/wtmp", 2, 03766) = 3
lseek(3, -384, 2, 2038, 0x4003670e) = 68736
read(3, "\007", 384) = 384
strlen(0xbffffbbc, 7, 15576, 0x2f737470, 51) = 3
strncmp("dittrich", "ftp", 3) = -2
. . .
strlen(0xbffffbbc, 0x08090968, 0, 0x64707466, 0x33343231) = 3
strncmp("ftp", "ftp", 3) = 0
bzero(0xbffff8e8, 384) = <void>
lseek(3, -384, 1, 0, 0) = 11520
write(3, "", 384) = 384
close(3) = 0
printf("Done.\n") = 6
exit(0) = <void>
+++ exited (status 0) +++
wipe in use
Original
0003180: 8009 0908 0000 0000 6674 7064 3132 3435  ........ftpd1245
0003190: 3800 0000 0000 0000 0000 0000 0000 0000  8...............
00031a0: 0000 0000 0000 0000 78d8 ffbf 6674 7000  ........x...ftp.
After wipe
0003180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0003190: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00031a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
wipe in use
Original
00031c0: 0000 0000 0000 0000 0000 0000 6c6f 6361  ............loca
00031d0: 6c68 6f73 742e 6c6f 6361 6c64 6f6d 6169  lhost.localdomai
00031e0: 6e00 0000 0000 0000 0000 0000 0000 0000  n...............
After wipe
00031c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00031d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00031e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
wipe in use
Original
00032d0: 0000 0000 b884 836b 207a 1040 1140 1410  .......; z.@.@.@
00032e0: c0d9 ffbf 0000 0040 20d9 f0fb fe3d 1040  .......@ ....=.@
00032f0: 9700 0000 99fc 14a0 10ef fbfe f3fe f35f  .......@`.......
After wipe
00032d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00032e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00032f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
wipe in use
• Original wtmp edited in place
• wtmp file left with zeroed areas
• wipe may still be in file system somewhere (anywhere)
marry.c features
• Convert wtmp/utmp/lastlog to text
• Invokes editor on converted file
• Re-writes original in-situ
• Has other "stealth" features
Example marry.dmp file
00000 dittrich pts/1 ts/1 7 9286 20010502225034 10.0.0.1 hostname
00001 "" pts/1 "" 8 9285 20010502231052 0.0.0.0 ""
00002 dittrich pts/1 ts/1 7 11320 20010503103800 10.0.0.1 hostname
00003 "" pts/1 "" 8 11317 20010503104241 0.0.0.0 ""
00004 dittrich pts/1 /1 7 25438 20010505172540 0.0.0.0 ""
00005 "" pts/8 "" 8 26600 20010505182523 0.0.0.0 ""
00006 dittrich pts/4 ts/4 7 3332 20010508111744 10.0.0.1 hostname
00007 "" pts/4 "" 8 3331 20010508115759 0.0.0.0 ""
00008 dittrich pts/4 /4 7 5038 20010508230648 0.0.0.0 ""
00009 dittrich pts/6 ts/6 7 7136 20010509110712 10.0.0.1 hostname
0000a "" pts/6 "" 8 7135 20010509121218 0.0.0.0 ""
0000b dittrich pts/6 ts/6 7 7637 20010509143847 10.0.0.1 hostname
0000c "" pts/6 "" 8 7636 20010509144014 0.0.0.0 ""
0000d dittrich pts/6 ts/6 7 7807 20010509154348 10.0.0.1 hostname
0000e "" pts/6 "" 8 7806 20010509232823 0.0.0.0 ""
0000f "" "" si 8 9 20010510084158 0.0.0.0 2.4.9-12custom
00010 reboot ~ ~~ 2 0 20010510084158 0.0.0.0 2.4.9-12custom
00011 runlevel ~ ~~ 1 20021 20010510084158 0.0.0.0 2.4.9-12custom
marry in use on wipe cleaned log file
00407 "" ttyp0 p0 8 0 20010708003633 0.0.0.0 :0
00408 "" "" "" 0 0 19691231160000 0.0.0.0 ""
00409 "" "" "" 0 0 19691231160000 0.0.0.0 ""
0040a "" "" "" 0 0 19691231160000 0.0.0.0 ""
0040b "" "" "" 0 0 19691231160000 0.0.0.0 ""
0040c "" "" "" 0 0 19691231160000 0.0.0.0 ""
0040d "" pts/1 "" 8 1755 20010708163736 0.0.0.0 ""
0040e "" "" "" 0 0 19691231160000 0.0.0.0 ""
0040f "" "" "" 0 0 19691231160000 0.0.0.0 ""
00410 "" pts/1 "" 8 1968 20010708195947 0.0.0.0 ""
00411 root pts/1 /1 7 2244 20010708200833 0.0.0.0 ""
00412 root pts/2 /2 7 2285 20010708201005 0.0.0.0 ""
00413 root pts/1 /1 8 2244 20010708201551 0.0.0.0 ""
00414 root pts/2 /2 8 2285 20010708201554 0.0.0.0 ""
00415 root pts/1 /1 7 2348 20010708201558 0.0.0.0 ""
00416 root pts/1 /1 8 2348 20010708204818 0.0.0.0 ""
00417 root pts/0 /0 8 1204 20010708204833 0.0.0.0 ""
00418 root pts/0 /0 7 3459 20010708213206 0.0.0.0 ""
00419 root pts/1 /1 7 3855 20010708214424 0.0.0.0 ""
Countering concealment
• Look for ways around rootkits
  • Alternate commands
  • Analysis kits
• Look for corroborating evidence
  • Other logs (e.g., ssh logins, su logs…)
  • Active/deleted file metadata
  • Deleted file contents (esp. sniffer logs!)
• Look for second sources (external)
  • Network traffic flows
  • Logs on servers
  • Logins to/from other hosts
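Added example (not part of the original module or any of the tools it shows): a small Python parser that reads wtmp records using the struct utmp layout from the earlier slides, flags the all-zero records that in-place editing leaves behind (the 19691231160000 entries in the marry dump of the wipe-cleaned file), and renders records in marry.dmp column order. It assumes the 384-byte 32-bit little-endian layout shown in the hex dumps, prints timestamps in UTC rather than marry's local time, and works on a constructed sample image, not a real log.

```python
import struct
import time

# Layout of the 384-byte struct utmp on the slides (UT_LINESIZE 32,
# UT_NAMESIZE 32, UT_HOSTSIZE 256). Assumption: 32-bit little-endian
# build, so pid_t, long and the two timeval members are 4 bytes each.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384, the size wzap/wipe read and write
USER_PROCESS, DEAD_PROCESS = 7, 8


def _cstr(field):
    """Decode a NUL-padded fixed-width C char array."""
    return field.split(b"\x00", 1)[0].decode("latin-1")


def parse_wtmp(data):
    """Split a raw wtmp image into one dict per 384-byte record."""
    if len(data) % UTMP_SIZE:
        raise ValueError("length %d is not a multiple of %d" % (len(data), UTMP_SIZE))
    records = []
    for i in range(len(data) // UTMP_SIZE):
        raw = data[i * UTMP_SIZE:(i + 1) * UTMP_SIZE]
        (ut_type, pid, line, ut_id, user, host, _term, _exit, _session,
         tv_sec, _tv_usec, a0, _a1, _a2, _a3, _unused) = struct.unpack(UTMP_FMT, raw)
        records.append({
            "index": i, "type": ut_type, "pid": pid,
            "line": _cstr(line), "id": _cstr(ut_id),
            "user": _cstr(user), "host": _cstr(host), "time": tv_sec,
            # ut_addr_v6[0] holds an IPv4 address in memory (network) byte order
            "addr": "%d.%d.%d.%d" % tuple(struct.pack("<I", a0 & 0xFFFFFFFF)),
            "zeroed": raw == b"\x00" * UTMP_SIZE,
        })
    return records


def find_wiped_records(records):
    """Indices of all-zero records. wtmp is append-only and every genuine entry
    carries a type and a timestamp, so a zeroed slot between real entries is the
    signature of an in-place overwrite (the 'After wipe' dumps), not of logins."""
    return [r["index"] for r in records if r["zeroed"]]


def _q(s):
    return s if s else '""'


def marry_line(rec):
    """Render a record in marry.dmp order: index user line id type pid
    YYYYMMDDhhmmss addr host. Assumption: UTC (marry printed local time)."""
    ts = time.strftime("%Y%m%d%H%M%S", time.gmtime(rec["time"]))
    return "%05x %s %s %s %d %d %s %s %s" % (
        rec["index"], _q(rec["user"]), _q(rec["line"]), _q(rec["id"]),
        rec["type"], rec["pid"], ts, rec["addr"], _q(rec["host"]))


def make_record(ut_type, pid, line, ut_id, user, host, tv_sec, addr="0.0.0.0"):
    """Build one wtmp record; used only to construct the sample image below."""
    a0 = struct.unpack("<i", bytes(int(x) for x in addr.split(".")))[0]
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, a0, 0, 0, 0, b"")


# Constructed sample: a login mirroring the slide's hex dump (type 7, pid 0x4e4 =
# 1252, pts/0, id "/0", user dittrich, 0x3b6dcb45 = 997051205 = Sun Aug 5
# 15:40:05 PDT 2001), a record zeroed in place the way wipe does, then the logout.
SAMPLE_WTMP = (
    make_record(USER_PROCESS, 1252, "pts/0", "/0", "dittrich", "hostname", 997051205, "10.0.0.1")
    + b"\x00" * UTMP_SIZE
    + make_record(DEAD_PROCESS, 1252, "pts/0", "", "", "", 997054805)
)

if __name__ == "__main__":
    recs = parse_wtmp(SAMPLE_WTMP)
    for r in recs:
        print(marry_line(r))
    print("zeroed records:", find_wiped_records(recs))
```

A filter-and-delete tool such as wzap leaves no zeroed slot, so this check only catches in-place edits; for removed records the corroborating sources listed above are still needed.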
Conclusions
• You can't trust what you see
  • ...or what you don't see
• You can find (most) answers
  • ...but you have to look hard
• We know Tools Are Good!
  • ...but what tools DON'T we know about?