
CEH question on Snort logs (from Testking)

skel
Jr. Member
Posts: 60
Joined: Wed Aug 30, 2006 11:31 am

Post Mon Sep 25, 2006 12:50 am

Study the log given below and answer the following questions.


Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558

What can you infer from the above log?

A.  The system is a Windows system which is being scanned unsuccessfully.
B.  The system is a web application server compromised through SQL injection.
C.  The system has been compromised and backdoored by the attacker.
D.  The actual IP of the successful attacker is 24.9.255.53.


Answer: A


It looks like one attack was successful and the hacker has access to the server. I think the answer is C. Maybe a real Snort user can analyse this log better than me.

The CEH exam may give this same log in 2-3 questions and ask different questions from it.

regards
Skel

Negrita
Sr. Member

Posts: 299

Joined: Sat Sep 10, 2005 5:45 pm

Location: /dev/null

Post Mon Sep 25, 2006 1:43 am

Re: CEH question on Snort logs (from Testking)

I'm not a "real" Snort user as you say, but I agree with your answer.
Firstly there's a port scan:
  Code:
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169

Secondly the passwd file is retrieved by FTP:
  Code:
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21

Thirdly the user simple logs on and then opens a su session for user simon:
  Code:
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)

CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.

pcsneaker
Jr. Member

Posts: 73

Joined: Mon Nov 07, 2005 12:23 pm

Post Mon Sep 25, 2006 7:35 am

Re: CEH question on Snort logs (from Testking)

I agree that the Answer would be C.

But sorry Negrita, I somewhat disagree with your explanation because:

1) Though it is still possible, it's not very likely that somebody still has valid accounts/passwords in the dummy passwd file used by most FTP servers.
2) Why would an attacker wait more than 36 hours to log in after retrieving a valid account? (Sure, it could have happened that way, but I don't think so.)

Look at these entries:
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:80
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
It looks like an attacker has first discovered a certain version of DNS server software (most likely some vulnerable version of BIND), then exploited a buffer overflow (NOPs are often part of the payload to exploit buffer overflows) and then logged in first with an unprivileged account and then su'ed to a privileged account...

BTW, I found that log somewhat familiar. If you are interested in the whole story, have a look here.
MCSA:Security (W2k, W2k3)
MCSE:Security (W2k, W2k3)
CPTS, Network+
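The chain pcsneaker describes (DNS version probe, NOP sled against port 53, then a local login and su a minute later) can be pulled out of the log mechanically. Below is an added example, not code from this thread or from Snort, that parses the syslog-style Snort and PAM lines quoted above and flags a shellcode alert that is followed within a short window by a session opening on the host; the sample lines are copied from the post, while the year 2006, the ten-minute window and the assumption that victim7 is the 172.16.1.107 host are constructed.

```python
import re
from datetime import datetime
# Constructed sample: the lines from the thread that pcsneaker's timeline relies on
SAMPLE_LOG = """\
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
SNORT = re.compile(TS + r" \[\d+\]: (?P<sig>[^:]+): (?P<detail>.*)$")
PAM = re.compile(TS + r" \S+ PAM_pwdb\[\d+\]: \((?P<svc>\w+)\) session opened for user (?P<user>\S+) by")
FLOW = re.compile(r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")
SCAN = re.compile(r"portscan detected from (?P<src>[\d.]+)", re.I)

def parse_ts(text):
    # syslog timestamps carry no year; 2006 is an assumption used only for ordering
    return datetime.strptime("2006 " + text, "%Y %b %d %H:%M:%S")

def parse_line(line):
    """Return a dict for a Snort alert or a PAM session event, None for anything else."""
    if m := PAM.match(line):
        return {"ts": parse_ts(m["ts"]), "kind": "pam", "svc": m["svc"], "user": m["user"]}
    if not (m := SNORT.match(line)):
        return None
    flow = FLOW.search(m["detail"]) or SCAN.search(m["detail"])
    return {"ts": parse_ts(m["ts"]), "kind": "snort", "sig": m["sig"],
            "src": flow["src"] if flow else None,
            "dst": flow["dst"] if flow and "dst" in flow.groupdict() else None}

def find_compromise(lines, window_s=600):
    """Flag a shellcode (NOP sled) alert that is followed by a local session within window_s."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    findings = []
    for i, ev in enumerate(events):
        if ev["kind"] != "snort" or "nops" not in ev["sig"].lower():
            continue
        sessions = [e for e in events[i + 1:]
                    if e["kind"] == "pam" and (e["ts"] - ev["ts"]).total_seconds() <= window_s]
        if not sessions:
            continue
        # earlier alerts from the same source show the reconnaissance that preceded the exploit
        recon = sorted({e["sig"] for e in events[:i] if e["kind"] == "snort" and e["src"] == ev["src"]})
        findings.append({"attacker": ev["src"], "target": ev["dst"], "exploit_at": ev["ts"],
                         "prior_recon": recon, "sessions": [(e["svc"], e["user"]) for e in sessions]})
    return findings
```

Run over the sample, the single finding names 63.226.81.13 as the source, the DNS version query as its prior recon and the login/su pair as the sessions that followed, which is the evidence for option C rather than the port-scanning 24.9.255.53 in option D.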

skel
Jr. Member

Posts: 60

Joined: Wed Aug 30, 2006 11:31 am

Post Mon Sep 25, 2006 9:16 am

Re: CEH question on Snort logs (from Testking)

skel wrote:
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80

Just out of curiosity, what does this entry mean? What would trigger "web-cgi-space-wildcard"? Is it an attempted directory traversal?
Skel

oleDB
Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Mon Sep 25, 2006 12:48 pm

Re: CEH question on Snort logs (from Testking)

I don't think that sig is a part of the current ruleset:
http://www.snort.org/pub-bin/sigs-search.cgi?sid=WEB

My guess is that it's a sig that just looks for ' *', which would probably be
GET *

I think in older versions of CGI you could also execute CGI's by using the wildcard.
