ࡱ> no9A3cXqP83lqPNG  IHDRgPLTE9<9]ebKGDH IDATx흉z(ٙdqײt7͡ϱeqR M w,5''0"Ơ=' 緻.sP'81qr !!N]%vBM^pi#}K>qK\E.2&Ie\֩ k!ۭdL"YߏggL=I N0&e:˧B8߿3";PZmΓ.??AqIUqFmNiALi \FŹ\Kqo>o}|j#1mEKvN8>gU9$yv9m|UWFdި+N~eCY?fqλtRC!N> JѥĹbs?nf2pEv!zN%=c-N{.vğ?C`7e.NYLfgqz@n qCS8ذ8Y N`ey~ހ8%G"!=U* 8aXCyNEP+Ǯ8a`s49flK]B$JIyi⮴!w =py4` n.AR' vs9]*pN`8'  tC~ im9ӡǬE|,_rRGK_⽶!ΡeWes}o=ŹVg7ַ*#ι{]z^mTKѶO:!P bG H2sN6/T&ӑAE/I-l<;rb@'_q6svѱN)!8u*NyH\!NuRPÜCnJ* "X|e'Ȁ+N¼9E Kd:#qGs$~Ȼ qrdB#cC]wdG?l\N/qRRmS˟ %8I9Rr<4>vܮᶔoB C֏:s{*Ѻn(|5zRϲD_ w)Yׅj;[%N EoFwȎrHAAע>L'ѹI6"}] }^s*ȞLf_'ߖ'{b> %9uqIdmdjXi [S^ӎV; TSXbK>ed'/=U27EXPp{`y!A:u`9rcHo0S-笏?F=Dc 3ʴ FQ>Բ-O6|kaN9)8C~vRlFlg!'JL;I7Fgf=>ZPq|'xxQE4yzՂb4;\էxJg.dxv*EEt/$g{ U)WYi`dbjpVEdqA&W]r :rR, S8>gzr(4R2_6f/Y(C VĹ><Sgx3uMԦ(BQx"ID/{{)|q3?q#U[28'  vs9]*pN`8'  tNb c:?$I\`:K{Kh9粀eik̒7']+RXaM5tt.s]'a(~1Tr^bB\ qI_^IX*{/r,ӗWCzrM'%^|Nf9Jyfsm/t[AT䧖G*ÊלM)#KR?t٩{tFY2ڀc[W2^tCTN!FPbQqV<2ٌ9,gPR exF)FQOXhQUQ=윭tbu*ynqΚF<k8weҩ˾q"NxD:7$m$WߥDzLێAq.;"/(xS/jbi:TP,PǓd9tzODZ;j-\q{ܢ#٨gz>;9zL/]ˁ{*x*  vs9]*pN`8'  vs9]*pN`8'  vs9]*pN`8'J9+qp.M?G~/sf 7\s2NBƜ36٬sD m{ &xn`3O/bkp|Iq8 ,G qCX"`f8Y'Pqlp8#{@,80%`$U5,qIENDB`n(A*pA P8~ZD{PNG  IHDRHޚPLTE{Pc:bKGDHIDATx흍d:k yT%4R|IG! av ぴAxif0iڕ2&.2ړ^rESZ(Ҧ>i3kxUksq|>iO˰ 4xA{4i ړg}~N~}3$mf,4 B)C° oSⅴY?/YӏF#E+ ix1I!m;ɚf9&2jUA|/yzϑ[JIa=$KLj@/oH%5iWLI iWN#%4AФuW@21gVOɇw#}@2$5e7'qQO)y6 B|6w"Nd[ m)6Ht :EJ;dٯi *Re~I; *#9JʏHi8U,5HNEK1; |\$e9/ F%$? i ErݵSVz^1h|:*H;:z&_% "8E&8UHԥ$y0%c?ǰ4v)qU8Dzu7R@ӣqR.oUrV i@)6Ht :K{1HBKz8>K{/_>Յ$/>8pv/e9$*oYcS}]{gK̮?+ͪa+Y$)n UEҺa i)=~+$ډ7mC!*Jһ N!i׵_@r) op܍ ]pwז݈!티9>wqm#u¿1p3OvbuEמօ8xi i]0rf0wڢ=\{w"%mAV\:.ǞkKܡL mI6]k-`е}]H{۵'i e#YCsVŏĢkO"L-:7?aC[8 cL̆hv3m^ӃkEaGiSⶶ†kTNVk][H;M駛p, Qģ'?Yng6nP-\;Z69N"W=Cj!e30ltõ.mkݳ_e/ԕȰ(dm^HdDױq5}׵i;6b^ڲxTf򺵗v'ڍnndyPد9Jq)mkɅnrKs+_8wLҎ`1tiJb0t|uRi];k+kCcϵmG3kQ1׶QkQڟצ lxaKᶢ-bwdJm۸[{]oʣJ ,T*>֖?3}hCT:]*zjmSkЊ\[v8·~:GZW(tYSmƵk"~CiFc-2/t$Z>2"L:QV.69е2٧]'X2is7ovP)(}rktQg% ~q B#E+ z}@ݵGɕw)֪$<(V i_f߫6N9`o׾: &p7k)v veV?فҾi_\p7]tmG`ϵWkQ׸t5{_{Mڎ~7\]{ .,nE^_ߕyz))[p׎"N\k`Ƶ7ޯ=A)_箽Rk6nڼvkۨ\ f\鯭$a̘oõ[p_N#umSp&tޯ]{6H?(+1=_:Khh;[=(\Nrm9vw@ڒ\[}>[ҦQNΩM|%\e#=O'oM]qóc>ӵEsr ȍ(k5yPv.mzOumC"~[鯝Yݿk~K{A b\;ĂksYm!m ?X|H s~mֵNvg.Ew).eKr~<[v _\9tz3 iKs7k+INWiK;c†X[M嬋?<\\f;k׵?YS{s9ųpi88=EڭK=IڗsM6iN 6=H)6Htoc_s2_YbY>%[Ce2[_V_Lm$&幖זlr;ӢdCڅrm (&"o| YTLJ{"uiojn>eǥMalifP=#o;fϊ琷B~IE u{͎Tv7Y6e#8JZɝ:7C6Tbz]cZeyBXi<^帏QLwDo1dWϊ6ܐKriG)9 2Q/I$)S\$˟IL#YUH6/vx*LTG8\-&CJk"Ҥ5YQC5VrՆeΩ,/{eRvk;d-ZzS"GLǷ.miUoHܒTѻ.,ZU:MAڻ]$\0cl) H7ɶ9Q/S:R^vھ,ʪ)m&m%k[0_, dsJYAA٥QP ETQvM^9UمZ)D&OK.2Krbu+N#ǴR42* _ bn^Y͔ߍ\k!KPvk+=tDeg &)=!g#A7dJdS m)[??V= ļIENDB`njf}0~IH-mXr.(/PM퍄PNG  IHDRHޚPLTE{Pc:bKGDH AIDATx흋b EݦF1jT'Fz =Bd,1Ү}yp>6'$Zn8K@}Hr$"87ЄMrڣg瞯|GyP\x`7ig r4*䵐yO<ͤ=^־5rikJ{;J[Qڮ1W7Y'.)896f♴I֯,LV-yWڮNIɷ]Q̮ZҎ[B$>ua޺Re|X+$sګ~/|C$D֤xd:I&fpE!flFV(%i~R;cz0D/piEۃ! ҾTj;}'I?4@7ϵtmFBkv,:՞jf :sm6¤=6:D`Ӊ>׶&|!FiyUеM&mޟdN{ҎWuk;iSKn{BB:Џ&d\k>nN+f4*6 nҪr31i+nf-f7\ZvxUL"vY~OlW^vҶ".m"6@IWY7#qm٫Ej-Gzȏo} s'v=d mǹUHn%o73J;4B7՜PkSaq<ތP4vF_r3i@~Ү>Ϧ7h:SCiµ[gѵCr.]˫ Bkw7NϵƻwU^nu)S \ ]{ڭH]w|dZmkЌkϺ׮yQ6/}kЌkɦTUPlvKrU]\[oь$ߚpLp*(tmA]}p׮Bv7׮FFmp ]sr_kWAk'bv_kk@k{i--] mgi/!9켪v vɵ-Di]=?Q_==&m AڷЌk[֑5iҾMBŗaoC7ĵj] I4#!*hpmҮN9_[I7$?D-(tH75 N@k68}_{17o׮>^&m]_{CnHx v4Jm>'̃u=kנ"\kUkWAko=Bf2m%l ׮C3mK Y][DZƵ Sp4PNˬkjFµе_{,)PbS؉2q|mNԚ?.v}QK3\څTiK.smlI\K]NԹv˾ =O+M]pcҾҵEqrȍ(j*sTDi_ڼC"֭׎YF ߵݰ}khpms?&үc}`Ӡ!946Vvg/Ew1neK2s_ֿKk3CzV~!msF_ۿ m5j9z7Ip^."t{''侦d$پT]L0ˆO/Ċ6 QyyK[mj~e}9 igrKe"<6Բ)=KC&%{KI4)5C7YFVrJ7O%"m^Binɳl$i)puYXaW͎X2vsIڔk=V/aԩSs;E\a,6qr!kBuz!x!tJ=NR<!KEc`TJ;HˉONZ}-JĒ "3֋CDu=|ܑ[4*IRi//bE&c9&)|sI@x-CBHOw(<@iA@`PLF:̍KP*ӳ4$8DaQɟTo$68K]TSe,nD,:I).dU)DrC2~PP\1rN!h|NٵucU (jYt68eXU"=Rv1 I=iQY*!mpO#+ 9N2Ea6Hp.{w#Rv|2J@*!mpCiA8iO&i]Q{z"c"!9Hi|p>d=c}\{2^-!Pګ,?uZ 6sm17 ?v:Dr¦}my{mxUUCkGeLڴ|>ImK' 7۽Ni\Bkq9I|PZ6IkS^\ zCV>${LڊLŵY54ŵצ)^!ᯪZWL&m^z%̵Wa?D:R$BүotmA?sHɯk?Fd֥9܍l:k6}\{8J澡7u$k߀/s q"&8i i]P׮H5ր>~v'WP6\nGkMG]~ ]p^ڳ_\JDk]P[ev'۟u2(iMO.Ҧum~zǥ+i54vUKU Qń'?InWv]i7([t]6:׎"=C!e+P5=cmg|DmE!}l;p@}o-k[ii[Ce(&򺵗6kL5`8FF]sm: fv8 g+]OP1jH=>!SIi5p]ۮWӛLt4mr]UpfַPumїTv}?fl6 =D t̵(tmw/^椪-M 3CQ:2ڋP9pg׵ٝvDp퇢ϵk|}8AT6W9Eמ^0$pƵivsHf+P\\E=KPԸ6"ڶ.m1Q\WHa@ڲ[Fsk?-s@AphtmvF>]; Gk|ԧPpށk@kivޯ .Dk߯Up&(p/^߯כ(-Pړx{- mWiWgo(-PB%f MP k{gWҖ} ݸT;FM=p탱6ɀ3 i߄fߛ6{'us i7Ak'׵xvꀴSxi7AkW&ID-(tH7- N@k68}_Zx]7k7AkoޒUnB꯽#65nFMih"m]-ŵc¦Vr?p&q6g}; Ht݂n\fݴy,QvԸ6yv9 6\ݸ6627H~][i$\ ]}P{62)Dk_jFӟKhh;Y>(\ڥ3]څTiK.smIK]JԹ ˾ =OkM=\qcҾҵEsr ȝ(kWv*mz/umC"m׎$=k~펥mDX2+;l_[HL?M'݌,< [f]XmewV(&ouOr<[׶ _J\9t|kg`Җ%/ɬw$W!dsRdbe; IyyKKjqQ|9{1H;[J->M逯X2+=_KIioV1_.VMZrNܟ#k&?p6Ɔy m"P1ٳb$y9Px_$VX^s ]z.IZˑݰ VRNisSI%Ʒm*J*}Bt#x#u(JX=+NSH%ce^vJ>P|;֘Eiڜqq(ÆgQL#IUُdZ*Jf-XX2fS6aOJJ.UٟK;I`* W_ eهFE:dZk$ҐU#2],[MM͊gibluϬ4֖J;$Ib/rt|mRoH;ܒ$m!wUY`]b.EY@cBUM7lأ&xLG7|Y\YqYyU)mcIKր`I3˶K[I; si :̶w8ʶTlʥα(",.J%i</Ȭ.mC̉-;4qidLTdmAԴ8!+;o%*|7r# $W(z)H N&*#!g#0$Jd`P m0([??Y¦LIENDB`n8TPܚ*ɣJtoO;PNG  IHDRVGPLTEA{AAba{}ybKGDHzIDATx흉E3k IU쀩tfٮff8i`, +gOAd5]7 AEVu^Η)j~y8'LrLQwEU/*NJLP+ޒ0 e2/䧯խ~BVdPZЖߋBE՚ Ye`UOQJu0NY YMI}}KuDAFYK䣸[L!jrI_[ !6RU^nmT_ߚzk"O." L`ܪ I+XדU&pBV* f]₳QVߙEY_KUm@0`TŚ \-U;] ^Η)j@U AɊ.8pYp8Yp8\VA΋OHˋ4`!4(hOʇdI +0ʪ ECV!gLΰS'ԗULW U~* uʛo`\tlSw+}*i)<* *YF~%dӐU^Ukʊ2mYU3%ŬZ>~%d쳻ʢqǧҘUh<ܕ,8lL)`&4S]0 O Yp8Yp8&&aW8e84p !k=03k3u>;'8A՛3%2aN#Xlnrtiol] jD*B {-ǥ)Oxd5>/(U% d,`CV%tp[M|M + !mYiUynT.fEV^e=[øKl5V&0R s:SL!+w,Ue.Y);@*s}^݊ev0 \bljqUՀT.=o@-g9݇]Nr#[m`3zqT.6z8[e~M:K̭ j;쑎vw!XfI5 nU*=o Uㅎ}{[-GVdtZؑ،y#& Ykni nU&(dZ{39?*eUeտ "pv>"tfn&.Gl2Ȫ YURVoí j_McZu6vqRqu䣽;ɵ̺Uv*xV*[9粀И5ܱ~u nE&7$WVYBDV6c$R)Ҏ:h֭<8!Y=W֩ݐP-Y'e.+n0ڢr6݊f*-Y O@T<L;PV;Bq˼cV,Ȫ,R4k ɷmZ6yB./~jYwiU|R7SC}e$j8nZcdenuMb)j裮[0VwB wFZˉwjI*0 J\%^UaVtkYV]Bht+t},;5@+!+CdOG[_*m1%E.rdcKe"Mùﱓ'Cvg[0VqS +S[]@ӭ abln5XDۭˈؖ znF[\Al01PVa&֌A+(tWz/YU*0Fht+Qeq+3jgӭ~U%xnEeE>٭r*zK>jmV`*ݪo'Vleh؄znǏyhJӡ*݊&/dհ&wQt3nշ?n%ek,L[ey (u+:) s~ UFev_EW<>{``O<QWÜJۭ~}Un̺USNN.sTGi׭eϏQԺU1VdU<_I硫[-j0iĬ JN?8rx-:~nEG Y>N?AVA;YnE4!g(qRZ"=rL`"^Nl2ĭne>o%,ϧL*}5n=*ͅkwUg jFzV,[Ϫ~}DZ$`dݭ}~^*[QYU:rYe^7sy&"+>$exd /PVñV1vRVre&ePpiʊo~n 2]eE?|[ۭFUks[}~|,Z:X||:,|e"^VI-:K|ـbnU@6mbO]U;ުʅs+⭬߭,m[uꤵǁ^q5 ocn^6{V$hnoylT,mcխQ1Ym޷1XD[V٪viw\ϭ1v<աBUPұ56Jue4b^R|mxc4͋:TDl*6;ޭ^|Wܪ|#q;:T֋VVm_Ve(n55kdE[ |\znEei& ­.ƀ[CV1o^աUg+0V7GA[=ok/zmc߭^iT6݊1|ϤV/[4 eu+0j3J8^ϯ"i..[!q fAz~pug9GP~jl.:$Y4s0ơ?}g6eEӼ9GP*݊}+ުUܪ[ (ΘujJExw]g0FɊ.fՂVn%C@VZY.i|YNVuԅfM˯:*@x\Ҩ*n5^@eU1<)SZ2.&\UU:j8ڽ,*a %vcw†V̀Y^oj@ڽ,x2*8ڲBF jooV4F@Mh /Bۭ0msjA[5ƢVcJnWDӭǠֆN*C݊1F#=խ\PMU pdڭ@'H.p+&[PC@#e ^qn*UYVCt_j /ژ*n%/D[Q|Y ?SӨOPlu/Y]45,FjxYyJ7Mv^p}AJ0N{J9mʗNrqVp62WqCVU`?+`Э@,C4lee51PX0r{[v+Vm 쎷\lc^]zY|*L𢬎x+˲j= X*'<ldu^ɲGF߼{ RNe`eBud%oda l7/M>vޫy-Y[T5bjY >}=K@Y_5Wx!,$?MbGV|)݋4gx^bqIjwD]2rǾ>%\_iRJ2>F6nSOvI>.ҥR)Lȅ'|H+,x3AU.\+AVCeW}DΑw Tܫ4E)YFV)jO YC[['66pdي)ˊ_MY,wy]V3[kĞ(/m*wnKVl%ix+U@z4dc/-YyzN+Ɋ܊yГ۬/eʽ._Ydɉ @U5^Ƥ|a*mKhn% r#R:iRKkYh*,[}e Ǔ~Y ;siJ.),)UYY52>BU'ˢwMpƋ1AT([Et/_XwTaLT%2Wɪ8*<*C=Yp8. `H_p0I"IENDB`nx#z#{ϯqa)qc4$'p=Z/`PNG  IHDRSPLTE{Pc:bKGDH\IDATx흋0 E33+Q4IӇ"bʣ@+28u8ezWqڸL 2vh2QQdz p^~#F Lo?~ً rL]j.T.ʫ·c2=QMQӮT1&^eMq]JwkmEeƢ|-!Q(JLmgPꮅLoJ~b[kG&Y`ifT/d% ?{̊#6Set: [H~5k#7gc^BvBQKjڷdZm X24- uUq~B]?RUk.@gPп5R-7Zo_QE8Ikq E>>jV*tGeOe )# ݫ74}E3ߋI:Bo>Ăkiv+'妨QEx!oMsd3۞*̸)75tFCHjXe2.H@Gz) 0o&X"@&˔gd!=iݔa~l`hl `S,)lQ\1޴RP,Sl~`сpj;0tZ,M/HMӏML0&w`M/GM:FmҝژMꦌkp^-M=,z {nMt~7X봁7vD/gl0oa 7F}74yi6&PnJâyNS7 FܔɴoJ K4TEd*Ku=djRhFÍvSȧ|j2pϓ7-ܔޫݯ+Ti"=B)S7aMG릓-7¢Y*8Sej;)GgT1xn*¢5;aMEǛ&>#ԀJ>)ޔ#i.:ЏxnZELeJ4t`E1覗eXt&[@MReBOaMVwSonA T7ELBs4==7MжLM] : L(ӱ~Sn`M1}O_ FIM=,,nL:7VnJ¢&(xaB6i0БwVq+fܴ|S`?K1q#TyZt'/]׼tʛMmCD[Ma;(@@iŗ94A{oǠ~V:cy(Lta/eJVn)|3M)S|MylJWGHm`hJ4&{Cdjw^Ӣ`#jx[e i٬"SvCg.@Maâ^-^0 ƛ^ܴ|2t4=ߴS}uSÀ=ĩTZ7u6aYR+FUa`dC26TvL5IE â;pӵԌ7F >Mtݔ>-V3g۵nFlMâĖLMEO%gJ sؒ-zosfr'VwS55n7S@8n75.Fâǰ1؏h!e;uqu26Eob^l8oa L3Ys +ŌNOU:yan7>P}7a-#=1uS񌯊Kgo nؒ<Ǣք*jl8mB27|-\vMC2ޔYR7h74MCfӢOlatӆSsS*A!XY*覗cPe*: jY:Wnڄ(t7{Z'鱂=7ěEϱ-Mq_NŞ"}}JMy>ݴWfL:ݴ7KIa]R5 mҵ7}5=~D=ln}g&$!{l v.OLyNqS|4;I?#5 AȮv ǛM`7I j-oHUT}2fܔLܴ(dKg$,znPnlch[o?,nS\lO^Յ$ܼf3ZDl =aK(Vu}jp{1覗{):a.{n7UdJ{׀c鐖dbzD!^Q.K6&T`M/H#B|Z4DXfј,EV2/l ܻĠ^~uSZ&J#r 5Aj15e\o„LOuӿ\3Y$&SHi|MKoLES=-:M72A4JRo|GMordj떨])*M(*Ss(Y9B EZB457M¢7bn u枩LUK+t ,z3dV=R)`M ԟTb?ߴ|P^n87ǜM]Fp7%f'ʃ#8M1qSMZʠLk#T9&2#Yezv."l yXeL@:U Lԙ3\kL suo?;k,-S#$Y layLJZfth.{63Бi!Iq)Ll}|G+{z>'qXnRiqu_j;L!Egא) *2]ln@I6>UAB߲&R=)wmj2qQz.y*w%dJղ,Tl-%2}ҹef_iz!طe]0s!'33&e_Rx[4;琪\D)0eaXUQ%;'TɄX&QDT= ]TdfVninxV +AU۟ϡPݫNNC8"#K^Ɍ}*uSoPDwXʔ{1cL2- A5dJN8|U|I^d>d 0 }ppp@ ? %O ;8 Overview 0Review some possible signs that an intrusion has taken place Examine system details that may/may not exist as evidence Examine  Poor Mans techniques intrusion detection Look at some internal API s and Registry info to see how it can help us Visit file time stamping behavior  `The Day Begins Verify Logon Status(Note - ntlast is a free tool at http://www.ntobjectives.com/ntlast16.exe) C:\ntlast Administrator ZION ZION Wed Jan 19 04:10:13pm 2000 administrator ZION ZION Wed Jan 19 08:51:50am 2000 administrator ZION ZION Tue Jan 18 03:52:13pm 2000 Administrator ZION ZION Tue Jan 18 01:52:13pm 2000 Administrator ZION ZION Tue Jan 18 09:52:28am 2000 Etc& . omitted for brevity JV```K$>  PointsI was the last to log on at the console. The log has not been wiped out/reset Confirms no recorded, remote logon This points to a remote reboot. Ts``!hu!s#       Break Out The ToolsNow it's time to get serious, to bring in tools from a burnt copy of known good tools: c:>pslist PsList v1.1 - Process Information Lister Copyright (C) 1999-2000 Mark Russinovich Systems Internals - http://www.sysinternals.com Process information for ZION: Name Pid Pri Thd Hnd Mem User Time Kernel Time Elapsed Time Idle 0 0 1 0 16 0:00:00.000 1:05:26.355 0:00:00.000 System 2 8 26 134 216 0:00:00.000 0:00:40.988 0:00:00.000 (Continued on Next Slide)\W``:hhWTbZ   '    I draw your attention to LOADWCHere, we make these observations about the LOADWC process currently active on our server: 1) In normal circumstances, LoadWC builds up no user time. As you can see, this guy is displaying unusual CPU usage (3rd column from the right) 2) LoadWC also has a usual size of 1.1 MB's, this guy is over 3MB's. 3)This guy has 4 threads, The real guy uses 2 (different process behavior can be a clue)r[`4`[q ,vq , Next: Let s netstat   CActive Connections Proto Local Address Foreign Address State TCP zion:smtp 0.0.0.0:0 LISTENING TCP zion:pop3 0.0.0.0:0 LISTENING TCP zion:1027 0.0.0.0:0 LISTENING . . TCP zion:49800 125.125.125.4:1340 CLOSE_WAIT << . . TCP zion:1025 0.0.0.0:0 LISTENING Fading connect fingerprint that we can possibly trace from our ISP. \D`/i(!/Y Tip New Tool By Foundstone  New Attack Possibility  !"What to Look For:#$% &' (!Points:)"Checking Out the Registry:*#+$,%Dump dll s-&.'/(Our Search Ends0)Win95/98 File System Notes1*NT File System Notes2+Wrap Up3,Wrap Up - Con t 4-To All, Thank You Very MuchP ` 3ff` ` ___>?" dF@0?n2d@uK FA@ " d`  n?" dd@   @@``PR   @ ` `PBp>> % ( = j2  B?   NTgֳgֳ ?  T Click to edit Master title style! !   Hgֳgֳ ?  y9Click to edit Master text styles Second Level Third Level!   :  Tgֳgֳ ?@  C*N  6޽h? ? ___ ,Generic (Standard).pot  % B: ( |  vB  N1?44j2  B?   N4gֳgֳ ?  l T Click to edit Master title style! !  Hgֳgֳ ?PP  l W#Click to edit Master subtitle style$ $  Ttgֳgֳ ?`p l A*  Tclgֳgֳ ?`  l C*  Ttflgֳgֳ ?`@ l C*N  6޽h? ?  ___4 0 @ ~( K   c $ P    ?* X   C        c $  @  RClick to edit Master text styles Second level Third level Fourth level Fifth level!     S   c $     A*    s *4 `P   ?*    s * `   A* N  6޽h? ? ̙33 |t08 ( p$" 8 8 c $ P    ?*  8 c $4     A*  8 s *t `P   ?*  8 s * `   A* H 8 0޽h ? ̙33 % 80P(  P   # lgֳgֳ ?0P  ^ &j  # lgֳgֳ ?   :By JD Glaser, Foundstone, Inc. http://www.foundstone.com ,:h,     c $Ppb 8Catching Greg Hoglund Part III aVirt Intrusion Revisited.9`(($,  B  s *޽h ? 33̙ff 8 % $`(     fgֳgֳ ?      # lgֳgֳ ?P   B  s *޽h ? 33̙ff  8 % p'(    # lTgֳgֳ ?0     c $t`   SRun a free console utility from SysInternals.com, Uptime. "This computer has been up for 0 days, 4 hours, 8 minutes, 13 seconds." No monitor/pager/reboot service in place I am the only one who has console access:`S`AHS x  C PA8C:\Temp\playfile\Image7.gif B  s *޽h ? 33̙ff 8 % ( $Qg    fgֳgֳ ?   l    ftgֳgֳ ?P  l B  s *޽h ? 33̙ff 8 % $ ( lMMM     fglgֳgֳ ?   l   # l4dlgֳgֳ ? ` l B  s *޽h ? 33̙ffz 8 % $(  AX $\ $ c $dl ( c:\>afind /f c:\winnt\system32\cmd.exe cmd.exe 20/01/2000 01:52:06 What this tells me is the last time that cmd.exe was accessed, 1:52AM this morning, Tip Rename cmd.exe to something else. This does two things: It preserves the last access time of cmd.exe It gives a clean way of starting to look at the system without changing too much. Avoidance Tip - If you start digging around with Explorer, you'll dirty the environment more than necessary. '````n`'V9 _ B3RB $ s *޽h ? 33̙ff 8 % }u(( * ( ( c $fl `  This 'last access' time stamp points very strongly to a remote overflow attack. I deduce this because I am not running NetBIOS/TCP, so a typical SMB file system attack is out. The only service this server is running is the aVirt mail service. Only ports 23 and 110 are connected to the outside world A shell I can't account for has been run recently A successful reboot has occurred It seems most likely to start looking for an entry into our server that came from an overflow in the mail service.B``s`s,x`B ( s *޽h ? 33̙ff 8 % $,( lg , ,  fblgֳgֳ ?  x  , # lxgֳgֳ ? x B , s *޽h ? 33̙ff 8 % ~0( g 0 0 c $dx` :SMSS 20 11 6 30 396 0:00:00.220 0:00:00.460 1:15:09.171 CSRSS 26 13 7 181 2020 0:00:00.600 0:00:05.708 6:14:50.714 WINLOGON 34 13 2 78 1924 0:00:00.330 0:00:01.922 6:14:47.610 SERVICES 40 9 15 180 2712 0:00:00.640 0:00:02.413 6:14:45.958 LSASS 43 9 13 87 2372 0:00:00.150 0:00:00.180 6:14:44.926 SPOOLSS 66 8 6 66 2196 0:00:00.020 0:00:00.150 6:14:32.759 RPCSS 77 8 6 84 1132 0:00:00.080 0:00:00.220 6:14:31.206 TAPISRV 80 8 9 70 2572 0:00:00.120 0:00:00.270 6:14:29.394 PSTORES 98 8 4 37 140 0:00:00.100 0:00:00.090 6:14:26.409 EXPLORER 124 8 7 85 1580 0:00:17.915 0:00:27.689 6:14:13.421 LOADWC 133 8 4 57 3540 0:00:01.140 0:00:00.413 5:40:17.958 <<< OSA 137 8 2 34 1700 0:00:00.040 0:00:00.190 1:14:10.306 TASKMGR 154 13 3 26 788 0:00:00.190 0:00:00.590 0:03:49.500 PSLIST 62 8 1 54 1992 0:00:00.130 0:00:00.320 0:00:00.510:;`N?B 0 s *޽h ? 33̙ff  @(  @l @ C Dx  x l @ C x x H @ 0޽h ? ___  D(  :@: :DP Dl D C x  x l D C dx x H D 0޽h ? ___  {H( :d H : Hl H C x   [ H c $xP }Use AT to periodically pipe netstat to file, this is a poor man's way of recording IP addresses connecting to your box. If you make a batch file that records the time and netstat output to a file, you can build yourself a database to backtrack against later. To keep it safe, if possible, mail it somewhere else. You would be very surprised at how effective this technique is. ~`~PU3QxT H <޽h޽h ? ___  \T L( X]y0d Ll L C $x   @ L c $dx c:\temp\injector /133 Injected pid: 133 Injection Complete... Port Count = 1 Found Port-> 49800 Handle-> 340 Type-> TCP Finished Injector, available from Foundstone, enumerates running processes and maps their open TCP/IP ports. http://www.foundstone.comL`~hcNw A 0H L 0޽h ? ___}  -%0P( H Pl P C x    P c $$x@  Q. How can an attacker run a daemon on an NT box with out leaving a file trace or a process trace? A. Create a Service Leach"`eH P 0޽h ? ___ RJ@T( ]] T T c $xp  VLet's axe this guy. His process id was 133, so C:.\>kill 133 Now, prevent him getting back in& Stop the mail service. Find how many LOADWC's actually exist on my box, then do a binary dump of loadwc.exe to see what we get. (`_nHv 3H T 0޽h ? ___ 2*PX( -@ X X c $xPh 6fC:\>dir /s /d loadwc.exe Volume in drive C has no label. Volume Serial Number is 047D-A9CC Directory of C:\Winnt\ loadwc.exe 1 File(s) 67,524 bytes Total Files Listed: 1 File(s) 67,524 bytes Directory of C:\Winnt\system32 loadwc.exe 1 File(s) 17,104 bytes Total Files Listed: 1 File(s) 17,104 bytes Hmm..why do I need 2 files? One LOADWC is bad enough. 80`7`05tWX H X 0޽h ? ___T  `\( P Pa \\ \ c $x Now let's check out path environment: C:\>path Path=c:\winnt;c:\winnt\system32,c:\reskit,& & There are 3 points to notice here: The directory 'c:\winnt' is first, which means that the loadwc.exe located there is found first. And we see that the Windows NT Resource Kit installed. We will now have to investigate this because there are many tools located in that directory that the intruder might have used. Let's dump the second one first, as I believe it to be the original since it's in it's original location. Note - For the benefit of those who don't have binary dump tools for NT, I'll include both dumps, the second is truncated for brevity. I'll only show the relevant diffs. Dumpbin is a binary file information dumper that ships with the MS SDK.L``*6& :H \ 0޽h ? ___ p`@( P P  ` ` c $x g Microsoft (R) COFF Binary File Dumper Version 6.00.8447 Copyright (C) Microsoft Corp 1992-1998. All rights reserved. Dump of file c:\winnt\system32\loadwc.exe File Type: EXECUTABLE IMAGE Section contains the following imports: ADVAPI32.dll 1001000 Import Address Table 1002F00 Import Name Table 0 time date stamp 0 Index of first forwarder reference BC GetUserNameA 12F RegCloseKey 146 RegOpenKeyExA 136 RegDeleteKeyA (Continued Next Slide),`` Rr   H ` 0޽h ? ___ E=d( `U0 d d c $xPP<8 I3159 RegSetValueExA 132 RegCreateKeyA 13A RegEnumKeyA 133 RegCreateKeyExA 14E RegQueryValueExA 145 RegOpenKeyA 14D RegQueryValueA KERNEL32.dll 1001030 Import Address Table 1002F30 Import Name Table 0 time date stamp 0 Index of first forwarder reference 19F LoadLibraryA 1A9 LocalFree (Continued Next Slide),4`   r  H d 0޽h ? ___ \Th(  h h c $DxP <8 `FB GetLastError 11F GetProcAddress 2C3 lstrcpynA 2C6 lstrlenA 73 ExpandEnvironmentStringsA 1A5 LocalAlloc 18 CloseHandle 2C0 lstrcpyA 2BA lstrcmpA 98 FormatMessageA 2BD lstrcmpiA 70 ExitProcess 107 GetModuleHandleA 131 GetStartupInfoA (Continued Next Slide),`         H h 0޽h ? ___ d\l( X l l c $x < h822E SetErrorMode B1 GetCommandLineA 2B7 lstrcatA 2A CreateDirectoryA EF GetFileAttributesA 15A GetWindowsDirectoryA 9D FreeLibrary 291 WinExec 156 GetVersionExA 1E0 RaiseException 18B InterlockedExchange USER32.dll 10010A0 Import Address Table 1002FA0 Import Name Table 0 time date stamp (Continued Next Slide),9`"   cH l 0޽h ? ___ p*(  p p c $Dx < @0 Index of first forwarder reference 228 SetDlgItemTextA 1C7 MsgWaitForMultipleObjects 1D9 PeekMessageA 1BB MessageBoxA 94 DispatchMessageA 27D TranslateMessage B6 EnableWindow 265 ShowWindow 100 GetDlgItem 22C SetForegroundWindow 1A8 LoadStringA 4E CreateDialogParamA 2E CharUpperA 27 CharPrevA (Continued Next Slide),A`*(        H p 0޽h ? ___ _Wt(  t t c $x< c;128 GetMessageA 58 CreateWindowExA 1EE RegisterClassA D4 FindWindowA 83 DefWindowProcA 24D SetTimer 1DD PostQuitMessage 192 KillTimer 24 CharNextA 8D DestroyWindow Section contains the following delay load imports: ole32.dll 0 Characteristics 1004088 Address of HMODULE (Continued Next Slide),<`%     :EH t 0޽h ? ___ {sx (  x x c $xPD>  1004048 Import Address Table 1002E58 Import Name Table 1002EA0 Bound Import Name Table 0 Unload Import Name Table 0 time date stamp 1002B24 CoCreateInstance 1002B36 OleInitialize 1002B04 OleUninitialize Summary 1000 .data 1000 .rsrc 3000 .text`P H x 0޽h ? ___> |~(  |F | c $$xP   *Now let's dump the second& . (some parts omitted for brevity) Microsoft (R) COFF Binary File Dumper Version 6.00.8447 Copyright (C) Microsoft Corp 1992-1998. All rights reserved. Dump of file loadwc.exe File Type: EXECUTABLE IMAGE Section contains the following imports: WSOCK32.dll Ordinal 102 Ordinal 10 Ordinal 103 Ordinal 115 Ordinal 101 NETAPI32.dll 448014E6 C4 NetWkstaGetInfo (Continued Next Slide)B`!qb[\QE H | 0޽h ? ___" b(  *  c $x   448016E0 B0 NetShareEnum 44802D3C B7 NetUseEnum 44802267 B8 NetUseGetInfo 4481E628 BE NetUserGetInfo 448015EE CA NetWkstaUserGetInfo 4480BD58 9F NetServerGetInfo 4480DFB3 9D NetServerEnum 44807D19 32 NetApiBufferReallocate 4480145D 30 NetApiBufferAllocate 44804ACB CC NetapipBufferAllocate 44801342 31 NetApiBufferFree MPR.dll 44724D4F 2C WNetGetLastErrorW 44721A12 C WNetCancelConnection2W (Continued Next Slide)"`            ;H  0޽h ? ___ 91(     c $x   =44721A63 27 WNetGetConnectionW 447210D5 6 WNetAddConnection2W 44724009 10 WNetCloseEnum 44723D68 40 WNetOpenEnumW 44723E9B 1C WNetEnumResourceW . . The netapi.dll and MPR.dll provide the NetBIOS functionality and the Wsock32.dll provides TCP/IP. This file is a network connection daemon.P``` +    <H  0޽h ? ___`  ( : l  C T(x  l   c $Tx , Things still to look for are: Files saved/deleted and keys abused in the registry. What back door has been left behind? (Note - I'm going to make of a free toolkit on my site called SFind, to locate hidden file streams) C:\>sfind Searching& C:\Program Files\avirt\adminwiz.exe:net.exe Size: 67524 Finished Only one hidden stream file, the intruders 'kit', appeared. N``yd8FP%_H  0޽h ? ___-  m(  5  c $ xPp Check for anything accessed between 1:30AM and 6AM. C:\ntreskit>afind /a 20/1/2000-1:30:00-20/1/2000-6:00:00 Searching... c:\ntreskit getmac.exe 20/01/2000 02:58:53 instsrv.exe 20/01/2000 03:16:02 srvinfo.exe 20/01/2000 02:21:17 at.exe 20/01/2000 03:29:48 . . . Finished Lz``` zb78DH  0޽h ? ___ 07(    c $4'xP0_  Getmac.exe tells our intruder whether we have multiple NIC cards. Instsrv.exe installs executables as services. SrvInfo.exe dumps the active service stats A directory listing also shows that touch.exe has been deleted. NOTE- Getting back to srvinfo.exe. This command should have failed to work for our intruder because it requires the Server service to run, and I had turned both of these services off.z`` 9 $ E t=& BH  0޽h ? ___P  @( $q X  c $4!x  VDumping the running services on my own, C:\>srvinfo Server Name: ZION Security: Users NT Type: NT Advanced Server Version: 4.0, Build = 1381, CSD = Service Pack 6 Domain: TRITON IP Address: 125.125.125.12 CPU[0]: x86 Family 5 Model 2 Stepping 12 Hotfixes: [Q147222]: Drive: [FileSys] [ Size ] [ Free ] C$ NTFS 1028 265 (Continued Next Slide)L(``h(>- <H  0޽h ? ___V P( @ ^  c $t&x  p ^Services: [Stopped] Alerter [Stopped] Computer Browser [Stopped] ClipBook Server [Stopped] DHCP Client [Running] EventLog [Running] Server [Stopped] Workstation [Stopped] TCP/IP NetBIOS Helper [Stopped] Messenger [Stopped] Network DDE [Stopped] Network DDE DSDM [Stopped] Net Logon [Stopped] NT LM Security Support Provider (Continued Next Slide)8_` :P% ' 8H  0޽h ? ___]  `(  e  c $'x  [Running] Plug and Play [Stopped] Remote Procedure Call (RPC) Locator [Running] Remote Procedure Call (RPC) Service [Running] Schedule [Running] Spooler [Stopped] UPS Network Card [0]: 3Com Fast EtherLink XL Adapter (3C905) Network Card [1]: 3Com Fast EtherLink XL Adapter (3C905) Protocol[0]: [NET0] WINS Client(TCP/IP) 4.0 System Up Time: 05 Hr 12 Min 56 Sec The system has been up for over 5 hrs now.j`*`j*, / H  0޽h ? ___C  p( "5% l  C (x  l   c $ x` This version of aVirt gives access by overflowing the service. This method will serve him until the vendor makes a patch and the administrator applies it. The intruder will most likely want more. Installing the LoadWC daemon, attacker gives himself additional control of the system.`,BH  0޽h ? ___  ?(   l  C #x  l   c $t x ^  ?HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce :`ADR.8x  C PA8C:\Temp\playfile\Image8.gifPp' x  C PA8C:\Temp\playfile\Image9.gifP @#H  0޽h ? ___ |t (  R  c $!x0 xHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx All of these check out normal. Empty. 6y`H ',.(z  C RA:C:\Temp\playfile\Image10.gif P H  0޽h ? ___2 r( 0   c $&x ~ dLets check out AppInit_DLLs HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Again empty. Warning - This key value becomes a registered kernel mode value and stay in effect until a reboot. 8`Hd,7z  C RA:C:\Temp\playfile\Image11.gif H  0޽h ? ___  ld(   l  C "x  l P  c $t)xpl xC:\>listdlls CSRSS.EXE pid: 26 Base Size Version Path 0x4a680000 0x5000 \??\C:\WINNT\system32\csrss.exe 0x77f60000 0x5e000 4.00.1381.0298 C:\WINNT\System32\ntdll.dll 0x5ff90000 0xb000 4.00.1381.0279 C:\WINNT\system32\CSRSRV.dll 0x5ffb0000 0x30000 4.00.1381.0298 C:\WINNT\system32\winsrv.dll 0x77e70000 0x55000 4.00.1381.0310 C:\WINNT\system32\USER32.dll (Continued Next Slide)J `U`h U - * %& &H  0޽h ? ___ ld( <:   c $x` pF0x77f00000 0x5e000 4.00.1381.0300 C:\WINNT\system32\KERNEL32.dll 0x77ed0000 0x2c000 4.00.1381.0298 C:\WINNT\system32\GDI32.dll 0x77dc0000 0x3f000 4.00.1381.0281 C:\WINNT\system32\ADVAPI32.dll 0x77e10000 0x57000 4.00.1381.0335 C:\WINNT\system32\RPCRT4.dll 0x77bf0000 0x7000 4.00.1381.0319 C:\WINNT\system32\rpcltc1.dll Here we see that no unaccountable DLLs are attached to this process space. Most likely, the AppInit key has not been exploited. There are myriad of other keys to check. I want to look at one key in particular and see if the intruder is headed where I think he is.8>` `>%&&&%]H  0޽h ? ___ 91( 8    c $!xP0 9Let's take a look at: Sure enough, there it is. This is most likely the cause of repeated boots. The following key, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouting With a value of 1 permits the forwarding of IP packets over the dual NIC cards installed on this machine. :`$>  kz  C RA:C:\Temp\playfile\Image12.gif@  H  0޽h ? ___  .( PP l  C 4$x  x   c $xN .My current policy does not call for Police involvement at this point, and has predetermined that, once I conclude an internal breach from an external host, I should now: Bring down this host. Wipe it Not re-engage aVirt because I know it is faulty Notify my manager Contact the vendor Prepare for emergency mail services Don t deviate nowB```{H  0޽h ? ___5  u( &  l  C )x  x   c $'x  u3 Access date is not changed when: Rename a folder Use MSDOS mode to modify existing file created with Win95 Use MSDOS mode to rename a file. Doesn't matter if the file was created with DOS or Win95. Delete a file; Send file to recycle bin. Move a file with Win95, or a folder with files, to a new location.&"``4H  0޽h ? ___j  (  l  C g  x   c $gpP  `On SP3, Last access set on file close One hr reset on access  this was an  optimization Event notices are cached and grouped in 5 second batches  possible loss/possible DOS. `` H  0޽h ? ___  ZR(  l  C Th  x >  c $h 8 Evidence of intrusion based on a reported system uptime that did not check out Someone had recently made use of the original command shell Netstat, grabbed an IP address that we could verify against ISP logs should the need arise. Dumpbin examined the internals of suspected files. Looked at file access times to glimpse at what our attacker did during his intrusion on our server, `,T H  0޽h ? ___  `X ( 5 l  C i  x D  c $tip |Checked the state of our running services and noticed two of our services, Server and Schedule services, had been explicitly turned on. Learned that our intruder profiled our server and found it to be connected to an internal network and that the intruder attempted to exploit this by enabling IP Forwarding on our machine. Reviewed Win95/98 and NT file time stamping behavior$H`5},6H  0޽h ? ___C   ( - l  C P     c $  Greets go to: The ever so I Own You - Mr. Hoglund The ever so Stately - Chris Brenton The ever so Blue - Portland High Tech Crime Unit Sincerely, JD Glaser, FoundstoneZ`z``!`z!ZI H  0޽h ? ___rM-&=6:=A@DFjKkOR`2WXZ^lbdh%ltx&|?X{eʱ*C9vR-p4Oh+'0h hp|   0 < HT\  JD Glaser QD:\Program Files\Microsoft Office\Templates\Presentations\Generic (Standard).potr JD Glaser F30GMicrosoft PowerPoint 7.0t O@Dx@@yrG@0ͭ` G%  4&; &&#TNPPp0D x & TNPP &&TNPP   ; --- !@---&GB&--&&- $GGgg $gg- $- $- $- $- $%%- $%%DD- $DDdd- $dd- $- $- $- $- $"" $""BB&&&- &4$G HJ%M1Q=WH^Tf_oiyt~&O{ @@&&-&& &&-&&4$G HJ%M1Q=WH^Tf_oiyt~&O{ @@&&- $GGgg $gg- $- $- $- $- $%%- $%%DD- $DDdd- $dd- $- $- $- $- $"" $""BB&- --&&--m&-- (wwgw ( - --&E-- "Arial; wwgw; - . 2 ?hBy . .2 c JD Glaser,  . .2 cR Foundstone   . .2 c, Inc ."Arial )wwgw ) - . 2 c.y. .2  http://www.  . .2 ^ foundstone  . . 2 .com .--:--- "Arial; wwgw;  - .2 g5 Catching Greg  !. .2 g[ Hoglund  . .2 g Part IIIe  ."Arial *wwgw * - .2 5aVirt  . .%2  Intrusion Revisited      .-- "SystemwfL  -&TNPP &՜.+,D՜.+,h     On-screen ShowNT OBJECTives, Inc.R.j 2Arial Arial NarrowMonotype SortsGeneric (Standard).pot Overview The Day BeginsVerify Logon StatusPointsNo Slide TitleNo Slide TitleBreak Out The ToolsNo Slide Title I draw your attention to LOADWC Next: Lets netstat TipNew Tool By FoundstoneNew Attack PossibilityNo Slide TitleNo Slide TitleNo Slide TitleNo Slide TitleNo Slide TitleNo Slide TitleNo Slide TitleNo Slide TitleNo Slide TitleNo Slide TitleNo Slide TitleNo Slide TitleNo Slide TitleWhat to Look For:No Slide TitleNo Slide TitleNo Slide TitleNo Slide TitleNo Slide TitlePoints:Checking Out the Registry:No Slide TitleNo Slide Title Dump dllsNo Slide TitleNo Slide TitleOur Search EndsWin95/98 File System NotesNT File System NotesWrap UpWrap Up - ContTo All, Thank You Very Much  Fonts UsedDesign Template Slide Titles.,(RZ _PID_GUID _PID_HLINKSAN{32C66391-073A-11D4-8824-0060082E9245}Aphttp://www.foundstone.com/Root EntrydO) gʴPicturesnCurrent UserGSummaryInformation(%_y AdministratorAdministrator  !"#$%&'()*+,-./012345679:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~Root EntrydO)PicturesnCurrent UserSummaryInformation(PowerPoint Document(8DocumentSummaryInformation8