Analysing capture.cap

In this section, we briefly describe the tools used to analyse the traffic in capture.cap.  The information in capture.cap is processed into another form suitable for stream analysis.  This transformation and analysis is presented in the section "Data Flow / Streams Analysis".  As the intruder used ssh as the means of communication, a section "Analysis of ssh traffic" is dedicated to the analysis of these encrypted communication channels.


Tools Used For Traffic Analysis

tcpflow: http://www.circlemud.org/~jelson/software/tcpflow/
ngrep: http://www.packetfactory.net/Projects/ngrep/
tcpdump: http://www.tcpdump.org
tcpslice: http://www.tcpdump.org/other/tcpslice.tar.Z
ethereal/tethereal: http://www.ethereal.com
Norton Anti-Virus: http://www.norton.com
Snort: http://www.snort.org


Data Flow / Streams Analysis

Tcpflow was used to identify and extract sessions from the tcpdump file. Several streams were produced and their types are identified in the attached traffic.txt.

The breakdown of file types is as follows:


We can see that a large proportion of the file types are ASCII. From an analysis of the traffic data, this seems to be the result of ftp probing and attacks. The http and ssh traffic are largely in the data group as a result of downloaded binaries and encrypted sessions.

The traffic breakdown is as follows:
5310 streams to and from port 21
40 streams to and from port 22
18 streams to and from port 80
4 streams to and from port 25
1 stream to and from port 23

Much of the port 21 traffic consists of attacks, some of them repeated attempts to retrieve rootkits and tools. Some of the http traffic consists of wget attempts to retrieve files from rho-team.org and haxteam.org. 2 emails were also sent to the email addresses haxteam@yahoo.com and haxteam@haxteam.org containing data such as uptimes, routes, hardware configuration and network configuration.

Of the other streams, 012.249.106.060.00113-192.168.001.002.01074 contains "1162 , 21 : USERID : OTHER :root", the meaning of which is unclear.

There are also a few ssh streams going to uncommon ports:
066.088.064.196.55211-192.168.001.002.01082: data
192.168.001.002.01082-066.088.064.196.55211: data
192.168.001.002.02255-213.150.165.194.55211: data
213.150.165.194.55211-192.168.001.002.02255: data

A cursory examination indicates ssh servers running on port 55211, which suggests that the adversaries are either trying to hide them or do not have permission to start a server on lower ports.
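The per-port breakdown above was produced from tcpflow's stream filenames, which encode both endpoints as zero-padded IP.PORT pairs. The following is an added example (not part of the original write-up) that parses that naming convention, counts streams per service port, and flags streams where neither side is a recognised service port; the service-port set includes the two sshd ports recovered from the intruder's sshd_config files, and the sample list mixes stream names quoted in this write-up with two constructed ones.

```python
import re
from collections import Counter

# Standard service ports seen in the capture plus the two sshd ports recovered
# from the intruder's sshd_config files.
SERVICE_PORTS = {21, 22, 23, 25, 80, 113, 17985, 55211}

# tcpflow names a unidirectional stream SRCIP.SRCPORT-DSTIP.DSTPORT, octets
# zero-padded to 3 digits and ports to 5.
STREAM_RE = re.compile(r"^(\d{3}\.\d{3}\.\d{3}\.\d{3})\.(\d{5})-(\d{3}\.\d{3}\.\d{3}\.\d{3})\.(\d{5})$")

def parse_stream_name(name):
    """Split a tcpflow filename into ((src_ip, src_port), (dst_ip, dst_port))."""
    m = STREAM_RE.match(name)
    if not m:
        raise ValueError("not a tcpflow stream name: %r" % name)
    unpad = lambda ip: ".".join(str(int(o)) for o in ip.split("."))
    s_ip, s_port, d_ip, d_port = m.groups()
    return (unpad(s_ip), int(s_port)), (unpad(d_ip), int(d_port))

def service_port(src, dst):
    """Pick the service side of a stream: a port in SERVICE_PORTS wins, else the
    only port below 1024; None means unclassified and worth a manual look."""
    ports = (src[1], dst[1])
    known = [p for p in ports if p in SERVICE_PORTS]
    if len(known) == 1:
        return known[0]
    low = [p for p in ports if p < 1024]
    return low[0] if len(low) == 1 else None

def breakdown(names):
    """Count streams per service port; return (Counter, unclassified names)."""
    counts, unclassified = Counter(), []
    for name in names:
        port = service_port(*parse_stream_name(name))
        if port is None:
            unclassified.append(name)
        else:
            counts[port] += 1
    return counts, unclassified

# Constructed sample: real stream names quoted in the write-up plus two made-up
# ones (an ftp stream from 62.231.97.143 and a stream on two unregistered ports).
SAMPLE = [
    "062.231.097.143.02331-192.168.001.002.00021",
    "012.249.106.060.00113-192.168.001.002.01074",
    "066.088.064.196.55211-192.168.001.002.01082",
    "192.168.001.002.01082-066.088.064.196.55211",
    "192.168.001.002.03123-010.000.000.001.06667",
]
```

Running breakdown over the full tcpflow output directory (os.listdir) reproduces the "N streams to and from port P" lines, while the unclassified list is where unexpected listeners such as the port 55211 servers would surface if they were not already in SERVICE_PORTS.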

A rough sketch of the events that occurred is provided in the attached files traffic01.html and traffic02.html. traffic01.html contains links to all the session files in chronological order. traffic02.html reduces the amount of content by summarizing sessions of 3 lines or fewer into a count to improve readability.

Analysis of ssh traffic


Based on the observations from the captured logs as well as the presence of several SSH configuration files found in the "bigwar" and "hax" tarballs, the intruder(s) seem to have used ssh as the communication channel after successfully compromising the target host via wu-ftpd. Close inspection of the two sshd_config files found in "bigwar.tgz" and "hax.tgz" revealed two unorthodox ports for the SSH servers: port 17985 and port 55211.

sshd_config (in "bigwar"):

    # This is ssh server systemwide configuration file.
    Port 17985
    ListenAddress 0.0.0.0
    #ListenAddress ::
    HostKey /usr/lib/ssh_host_key
    RandomSeed /usr/lib/ssh_random_seed
    ServerKeyBits 768
    KeyRegenerationInterval 1

sshd_config (in "hax"):

    # This is ssh server systemwide configuration file.
    Port 55211
    ListenAddress 0.0.0.0
    #ListenAddress ::
    HostKey /usr/lib/ssh_host_key
    RandomSeed /usr/lib/ssh_random_seed
    ServerKeyBits 768
    KeyRegenerationInterval 3600

With this information, the network traffic logs were parsed for ports 22, 17985 and 55211.  We observed that most of the ssh sessions on port 22 came from the address range 66.218.97.141-144, which coincides with the previous observation that the adversaries first re-entered the system via ssh at 23:04 hrs (29 Nov 2002) from 62.231.97.143 after exploiting wu-ftpd.

Attempts to connect to the victim host with ssh via port 17985 also suggest that the adversary attempted to configure an sshd on that port. However, all attempts to connect from the external hosts 62.231.97.141 and 143 to this port were unsuccessful, as indicated by the RST flag in the returned packets.

The victim host (192.168.1.2) also attempted to connect to an external host (66.88.64.196) via ssh on port 55211. Details are shown below:

08:18:43.688317 IP 66.88.64.196.55211 > 192.168.1.2.1082: P 1:26(25) ack 1 win 5792 <nop,nop,timestamp 43781206 74649583> (DF)
0x0000   4500 004d 68be 4000 3106 9c26 4258 40c4            E..Mh.@.1..&BX@.
0x0010   c0a8 0102 d7ab 043a 4ccb 64f1 2f27 db3e            .......:L.d./'.>
0x0020   8018 16a0 2add 0000 0101 080a 029c 0c56            ....*..........V
0x0030   0473 0fef 5353 482d 312e 352d 284e 4f4e            .s..SSH-1.5-(NON
0x0040   2d43 4f4d 4d45 5243 4941 4c29 0a                      -COMMERCIAL).
08:18:43.688758 IP 192.168.1.2.1082 > 66.88.64.196.55211: . ack 26 win 5840 <nop,nop,timestamp 74649604 43781206> (DF)
0x0000   4500 0034 d4df 4000 4006 211e c0a8 0102            E..4..@.@.!.....
0x0010   4258 40c4 043a d7ab 2f27 db3e 4ccb 650a            BX@..:../'.>L.e.
0x0020   8010 16d0 5f9c 0000 0101 080a 0473 1004            ...._........s..
0x0030   029c 0c56                                                                  ...V
08:18:43.690883 IP 192.168.1.2.1082 > 66.88.64.196.55211: P 1:23(22) ack 26 win 5840 <nop,nop,timestamp 74649604 43781206> (DF)
0x0000   4500 004a d4e0 4000 4006 2107 c0a8 0102            E..J..@.@.!.....
0x0010   4258 40c4 043a d7ab 2f27 db3e 4ccb 650a            BX@..:../'.>L.e.
0x0020   8018 16d0 6f68 0000 0101 080a 0473 1004            ....oh.......s..
0x0030   029c 0c56 5353 482d 312e 352d 4f70 656e            ...VSSH-1.5-Open
0x0040   5353 485f 322e 3970 320a                                      SSH_2.9p2.
08:18:43.835747 IP 66.88.64.196.55211 > 192.168.1.2.1082: . ack 23 win 5792 <nop,nop,timestamp 43781221 74649604> (DF)
0x0000   4500 0034 68bf 4000 3106 9c3e 4258 40c4            E..4h.@.1..>BX@.
0x0010   c0a8 0102 d7ab 043a 4ccb 650a 2f27 db54            .......:L.e./'.T
0x0020   8010 16a0 5fa7 0000 0101 080a 029c 0c65            ...._..........e
0x0030   0473 1004                                                                 .s..


This is a non-standard port for ssh communication and may suggest that the external host is another launch pad used by the adversaries. However, because the server key pair is regenerated every hour by default and is not kept on the system, there is no way to recover the cleartext from the encrypted traffic in the captured logs.
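The only cleartext an SSH session leaks is the version exchange visible in the dump above, so identifying ssh on an uncommon port comes down to decoding the packet and checking the TCP payload for an identification string. The following is an added example (not part of the original write-up) that rebuilds the raw bytes from tcpdump's hex lines, walks the IPv4 and TCP headers, and extracts the banner; the embedded packet is the first one of the port 55211 session copied from the log.

```python
import re
import struct

def hexdump_to_bytes(dump):
    """Rebuild raw packet bytes from tcpdump hex lines ("0x0010   c0a8 0102 ...");
    offset, hex groups and ASCII column are separated by two or more spaces."""
    out = bytearray()
    for line in dump.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 2 or not fields[0].startswith("0x"):
            continue                      # summary line, not a hex line
        if int(fields[0], 16) != len(out):
            raise ValueError("offset gap before %s" % fields[0])
        out += bytes.fromhex(fields[1].replace(" ", ""))
    return bytes(out)

def tcp_payload(pkt):
    """Walk the IPv4 and TCP headers (honouring IHL and data offset, so the
    timestamp options are skipped); return (src, sport, dst, dport, flags, data)."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    doff = (pkt[ihl + 12] >> 4) * 4
    flags = pkt[ihl + 13]
    return src, sport, dst, dport, flags, pkt[ihl + doff:total_len]

SSH_BANNER_RE = re.compile(rb"^SSH-(\d+\.\d+)-([^\r\n]+)\r?\n")

def ssh_banner(payload):
    """Return (protocol_version, software) if the payload is an SSH
    identification string, else None."""
    m = SSH_BANNER_RE.match(payload)
    return (m.group(1).decode(), m.group(2).decode()) if m else None

# First packet of the port 55211 session, copied from the capture log above.
SERVER_HELLO = """\
0x0000   4500 004d 68be 4000 3106 9c26 4258 40c4            E..Mh.@.1..&BX@.
0x0010   c0a8 0102 d7ab 043a 4ccb 64f1 2f27 db3e            .......:L.d./'.>
0x0020   8018 16a0 2add 0000 0101 080a 029c 0c56            ....*..........V
0x0030   0473 0fef 5353 482d 312e 352d 284e 4f4e            .s..SSH-1.5-(NON
0x0040   2d43 4f4d 4d45 5243 4941 4c29 0a                      -COMMERCIAL).
"""

if __name__ == "__main__":
    src, sport, dst, dport, flags, data = tcp_payload(hexdump_to_bytes(SERVER_HELLO))
    print("%s:%d -> %s:%d flags=0x%02x banner=%s" % (src, sport, dst, dport, flags, ssh_banner(data)))
```

The same functions applied to the third packet of the dump return the client side's "SSH-1.5-OpenSSH_2.9p2" banner; everything after the version exchange is encrypted and, as noted above, cannot be recovered without the server key.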