CIS 450 – Network Security Chapter 16 – Covering the Tracks

Hacker’s Perspective Backdoor – a way for an attacker to get back into a network or system without being detected. Attacker wants to maintain his access by hiding the fact that he was ever there.

Four areas that an attacker is concerned with when covering their tracks: Log files – audit trails that list who gained access, and for how long (and possibly what they did and what files they accessed) File Information – since attackers normally have to modify key system files information for these files (date and file size) tend to change Additional Files – attacker usually loads additional files to the system which could take a large amount of space Network traffic – if IDS is utilized attacker has to search and eliminate the IDS records or mask his traffic to appear to be normal network traffic

Log Files Provide a listing of exactly what is done on the system and by whom Logging has to be turned and checked Attacker can delete the entire log file but this will set off a red flag to the administrator Attacker can edit the log files and delete the entries to what the attacker did

Linux Log Files /etc/syslog.conf – main configuration file for the syslogd daemon that controls logging on /var/run/utmp Tracks who is currently logged into the system Entry is added when user logs in and removed when user logs out Binary file that can not be accessed directly but by common programs than come with OS: who; users; and finger

Linux Log Files /var/log/wtmp Tracks all users who have logged in and have logged out of system. Can be created manually if not created by login. Entry is added when user logs in and updated when user logs out The file can grow rapidly on busy systems, so daily or weekly rotation is recommended Binary file that can be accessed by the programs last and aclastac /var/log/btmp Records bad log on attempts Can be created manually if not created by login Should combine the results with those from wtmp to see if an attacker gained access after a failed attempt Binary file that can be accessed by the lastb program

Linux Log Files /var/log/messages Syslog is a utility for tracking and logging all manner of system messages from the merely informational to the extremely critical and can be configured to put most of the messages the file /var/log/messages Syslog File is ASCII text and be looked at with the more, cat, and grep commands /var/log/secure Used to log any attempts to log in as root and attempts to use the su command. This file also contains information on attempts to connect from remote systems and failed attempts to log in as root. File is ASCII text and be looked at with the more, cat, and grep commands

Programs Available to Clean Up Log Files Available from: exploits/log-tools/ exploits/log-tools/

Protecting UNIX Log Files Set proper permissions on log files – read and write access should be limited to root Use a separate server Store your log files on a separate server Use Honey PotsHoney Pots Honey pots are one of the newest methods used in intrusion detection. The idea behind a honey pot is to setup a "decoy" system that has a non- hardened operating system or one that appears to have several vulnerabilities for easy access to its resources. The decoy system should be set up in a similar manner to those of the production servers in the corporation and should be loaded with numerous fake files, directories, and other information that may look real. By making the honey pot appear to be a legitimate machine with legitimate files, it leads the hacker to believe that they have gained access to important information Make regular backups of the log files – backup to several places across the network and some on removable media Use write once media Encrypt the log files Review the log files on a regular basis

System 2000 Logging /windows2000serv/maintain/monitor/03w2kad b.mspx /windows2000serv/maintain/monitor/03w2kad b.mspx

File Information When attacker puts in backdoor he has to modify some key system files If file came with the base OS then it should not be modified in the course of using the system – check modified date Some rootkits have utilities built in to modify file information Protection Against Create cryptographic hash on file - tripwiretripwire

Additional Files Attacker uploads tool to victim’s site so he has access to them when needed Attacker tries to hide the fact that additional files have been added by: Set the hidden attribute for a file Rename the files Create hidden partitions or shares Modify the free space utility

Additional Files Use steganography tools The art and science of hiding information by embedding messages within other, seemingly harmless messages. Steganography works by replacing bits of useless or unused data in regular computer files (such as graphics, sound, text, HTML, or even floppy disks ) with bits of different, invisible information. This hidden information can be plain text, cipher text, or even images.datafilesHTMLfloppy disksplain textcipher text THC Steganographic Challenge

Additional Files Protection Against – Know what’s on your system Run software such as TripwireTripwire

Covering Tracks on the Network Attacker will either try to hide their traffic or make it look like other traffic on the network Loki Reverse WWW Shell Malicious code attacks via HTTP Covert TCP