.

Simple Question

<<

scottga

Newbie
Newbie

Posts: 5

Joined: Fri Aug 15, 2008 8:29 pm

Post Fri Aug 15, 2008 8:48 pm

Simple Question

Ok after spending quite some time reading through the site and seeing the reality of ethical hacking, I have a couple of questions.

I host several forums, phpbb, phpbb3 and SMF (my personal favourite being the heavily modded phpbb). The questions i have are firstly, is anyone bored depressed and lonely enough to take on an attempt to discover just what vulnerabilities are left and let me know what holes exist, so that I can go back down into the engine room and patch any holes found.

We have survived several attempts from the dark side, partly due to my keeping an eye on vulnerability sites and applying patches and partly because I am one of the most pedantic people ever born about backups (in particular database backups), but since the phpbb board is my favourite I suppose I have spent considerably more time looking out for it, then I have for the SMF or Phpbb3 boards and i would hate to lose one or more of the forums simply because of an open doorway in another forum I am hosting. (Well, I am hosting is not strictly accurate as I pay for hosting here in Australia with one of the better companies and thus far, their attitude to security seems fairly solid).

Secondly, forensics... Are there any good tools out there that allow an indepth analysis of where someone did get in, where they came in from etc?

Thanks for your thoughts in advance...

Oh and I can provide evidence of site ownership in both the certificates and identification (figured since this place is ethical, that would be a must...)
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri Aug 15, 2008 10:35 pm

Re: Simple Question

I will chime in on the forensics question.  There are lots of great tools out there.  The industry standards are Encase and FTK.  Open source tools also exist to aide with investigations.  The issue is that these are just tools.  They do a fantastic job of giving you access to the entire capture device.  You still have to know exactly what you are looking for.  It really comes down to training and experience.  Yes, Encase will allow you to mount the registry and index.dat files for example.  You still have to know what's contained in the index.dat file and the registry and what you are looking for.

If you do play with forensics tools and are dealing with responding to an incident, you have to make sure that  you capture volatile data.  I typically capture running services, open ports, RAM, open files, and do a remote port scan.  I usually use the Helix disc for this.  You also have to make sure you use write blockers and document exhaustively. 

I would really recommend getting training in forensics, rather then diving in.  So much of it is in the process, rather then the tools.  One mistake can cascade down, invalidating the case results.
~~~~~~~~~~~~~~
Ketchup
<<

scottga

Newbie
Newbie

Posts: 5

Joined: Fri Aug 15, 2008 8:29 pm

Post Sat Aug 16, 2008 5:03 am

Re: Simple Question

Thanks for that friend, just so happens I have a spare box i was looking at setting up to bash to death in every aspect while figuring out such tools. and been doing some serious reading on the maintaining of evidence integrity.

I guess this is one of the useful things about being a backup freak, lol I now have 3 and a half years of twice daily database backups, burnt to dvd every seven days and timestamps are wonderful things :) But my main reason for interest is if of course someone does manage to do the so far (perhaps luckily) unachievable and take my sites down, I want to be able to gather as much evidence as possible to pass on to those whom deal with these issues (and yes, I have reported Cyber crimes with logs, backup data etc) but mostly, I am looking for a way that i can examine the evidence trail myself, and find out where the access was made so that I can go and weld the hole shut. All the reporting and evidence in the world, is pretty pointless if the door is left wide open...

Fortunately am very familiar with index.dat and registry editing as well as sql code rebuilding, so I guess am going software hunting..

Thanks again for that
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sat Aug 16, 2008 11:34 am

Re: Simple Question

Well if you are not worried whether or not your case will stand up in court.....  Here is what I would do:

1.  Capture volatile data while the system is running.  Use the Helix disc for this.  You cannot use the tools from the OS because they can be modified to hide the intruder from you. 
2.  Do a basic nmap port scan to see if there are any root kits hiding open ports.
3.  Pull the plug from the machine (don't gracefully shut down).  Take an image from the machine.  Boot from the Helix disc and use dcfldd.
4.  Open the image in Encase or FTK and have at it. 

Document each an every step you do, including every minuscule detail. 
~~~~~~~~~~~~~~
Ketchup
<<

scottga

Newbie
Newbie

Posts: 5

Joined: Fri Aug 15, 2008 8:29 pm

Post Tue Aug 19, 2008 2:42 am

Re: Simple Question

Greatly appreciated friend. That should keep me occupied for a while as I work my way through the thing lol...

I do love a challenge :)
<<

mad_irish

User avatar

Newbie
Newbie

Posts: 17

Joined: Thu Aug 14, 2008 7:45 am

Post Tue Aug 19, 2008 7:31 am

Re: Simple Question

There is a growing trend amongst infosec circles, especially with information assurance people, to concede that compromise in inevitable.  If you subscribe to this school of thought then backups are your best friend.  In an economic analysis, when you take compromise as a given, it makes the most sense to spend your time/energy investing in returning services to availability rather than exploit prevention.  To that end I'd say your backups are a very, very wise way to devote your time.  Because law enforcement agencies rarely take on cases of cyber crime I would suggest that any forensic analysis you do should be to discover the vulnerability utilized to compromise your systems so you can patch them (rather than worrying about chain of evidence to build a criminal case).  If you're going to pursue a criminal case law enforcement is going to insist on doing the forensic investigation anyways.  Just my $.02.
<<

scottga

Newbie
Newbie

Posts: 5

Joined: Fri Aug 15, 2008 8:29 pm

Post Thu Aug 21, 2008 4:09 am

Re: Simple Question

Thanks for that Mad_Irish. I have successfully reported before only because my hosting company is very thorough in the way they handle these issues that and the fact that in Australia due to limited population and therefore taxes lol the government does host some of its services privately, meaning that most of our hosting companies are very very careful about logging etc.

Thats the main reason I am here, if there are any holes, I want to discover what they are so they can be plugged. Been sitting analysing raw access data and logs from the last even (some time back) just to discover what the loophole was and thus far have managed to close several nasty little holes (phpbb tip, if you dont use a language, delete it and all its files, amazing how many holes are in the package via alternative languages).

But as I said, if it is at all feasible, I would like to discuss with someone the possibility of them making the attempt and letting me know any vulnerabilities. The best offense in this is defense in my opinion. As to backups Irish, well I have on multiple dvd's twice daily backups since the sites inception over 3 years ago. It may seem excessive, but if an error appears I can go back to day one and find what existed and fix it. As it stands, on the last attempt, the site was down for a total of three and a half hours and in three years with 3 hacks and including server down time, I have only lost 41 hours of service. Not trying to show off, but it certainly confirms every word you said mad_irish... Thanks for reaffirming that my backup madness is actually very sane lol.
<<

LSOChris

Post Thu Aug 21, 2008 10:09 am

Re: Simple Question

man mad_irish is up in here?  good to have you hear man, been reading your shizzle since back in the day.

welcome!

Return to Other

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software