[WBEL-users] ROOTKIT checking software

Graham Waring liverbird89@hotmail.com
Fri, 12 Nov 2004 10:13:23 +1000 

G'day all,

Great advice here from Kirby.  My first port of call in situations like this 
is always the wtmp file, just try utmpdump /var/log/wtmp which is quite 
helpful.

Good luck
Graham

>From: "Kirby C. Bohling" <kbohling@birddog.com>
>To: Denis Croombs <denis@just-servers.co.uk>
>CC: whitebox-users@beau.org
>Subject: Re: [WBEL-users] ROOTKIT checking software
>Date: Thu, 11 Nov 2004 14:04:38 -0600
>
>On Thu, Nov 11, 2004 at 07:15:34PM -0000, Denis Croombs wrote:
> > I have found some of my customers systems have had the root password 
>changed
> > remotely by an ex-employee, I know I can go do a rescue CD boot and 
>change
> > the root password to something I know BUT I have a few questions.
> >
>
>	Take the machine offline, duplicate the disk, run an MD5SUM of
>the original write it down for documentation purposes.  Put the new
>drive back in, do your forensics off the new duplicate copy.  If you
>want to start over on the forensics just copy the original disk
>again.  Don't even mount the drive, just use "dd" to copy the
>individual partitions if need be.
>
>	In the US, I believe that's the policy of the FBI and police to
>avoid data integrity accusations in court.  The defendant in the
>case claims he's being framed, they can't prove that someone didn't
>setup a harddrive to look just like he did it.  So they keep an
>absolutely original copy w/ md5sum from the moment they touched the
>drive.  Thus the forensics can be duplicated both independent
>experts.
>
>	Now because the drive has been in your hands, it might be
>unnecessary for the md5sum.  However, I'd want an original copy I
>could always duplicate to start over with to double check that I
>hadn't modified something.  I'd always mount the disk read only so I
>didn't accidently change a filesystem timestamp or contents by
>accident.
>
> > 1) What files record when root last loged in and from what IP address ?
>
>Normally the command "last", will tell you the last sets of login's.
>Last parses a file named utmp or wtmp.  I forget it's location, but
>it's not a human readable file.  Just use "last".
>
>If they logged in via ssh, I believe that /var/log/messages has the
>timestamps (not sure about IP's).
>
>$ grep "sshd" /var/log/messages
>
>It appears to give me the reverse lookup, and fall back to the IP,
>the reverse name could be faked, but that's a lot of work for the
>attacker to go to.  (Generally storing IP's is easier, faster, and
>more reliable.  I wish more people did that, or at least stored both
>in logs).
>
>If they didn't log into the machine as root, they probably su'ed,
>for that do this:
>
>$ grep "su" /var/log/messages
>
>If they logged into the console this should bring up the appropriate
>lines:
>
>$ grep "login" /var/log/messages
>
>You'll probably have to look closer at it.  The archive logs might
>have rolled, so you might have to look at files with the same
>prefix.  The person who did this is a fool if they didn't wipe the
>logs however.
>
> > 2) What file record any other activity by the same person ?
>
>If it is anywhere, it'll probably be in this directory:
>
>/var/log
>
>It might be in the .bash_history of the various users you believe
>they are logged in as (save this file as soon as possible).  It
>generally only holds 1000 commands, so if you do too much logged in
>as root, it'll erase what history you have.
>
>
> > 3) What log files should be kept for handing over to the police ?
> > (we have informed them and they are sending someone tomorrow)
>
>Keep the original disk if at all possible.  If they are serious
>about forensics, they'll immediatly duplicate it as described above.
>
>I'm doubtful they'll take you terribly seriously unless you can
>demonstrate serious financial damage.  However, it never hurts to
>assume they will take it seriously.
>
> >
> > 4) What else should I be doing ?
> >
> > All help would be very helpful
> > (I think I know the answer to most of the above must I MUST do a sanity
> > check ! ) I just do not want to miss anything.
> >
>
>I'd take the machine offline and try the rootkits the other people
>have mentioned.  I'd examine everything:
>
>/var/spool/cron/
>/etc/cron.*
>/etc/cron
>
>That's where crontabs are stored.
>
>Those are the places people stick files to do nasty things in a
>week.  I forget where "at" stores it's commands.  You probably want
>to check that too.
>
>I've had one machine broken into, we setup a new machine to replace
>the existing one.  We burned the old one to the ground once we
>figured out what they had done.  Made sure we had patched for the
>attack they used and got current with all the other patches we could
>for security purposes.
>
>I can understand your reluctance if it's a customer machine, or if
>you have to do this for 20 machines in a short period.
>
>There's a ton of things to do, I really don't want to ramble on,
>it's not an area I have great deal of knowledge or expertise on.
>I've read about this before, but never had to deal with it
>personally much.  You really should find a forensics expertise list.
>
>I've really just listed the things I've done to track down what
>happened to a machine when I can't get in touch with the admin.
>Looking in /var/log/messages, and examining .bash_history of various
>users is an easy way of seeing what someone has been doing on your
>machine.  However, a compentent malicious user won't leave those
>behind.
>
>	Thanks,
>		Kirby
>
>_______________________________________________
>Whitebox-users mailing list
>Whitebox-users@beau.org
>http://beau.org/mailman/listinfo/whitebox-users