This time we are going to solve the Hammered challenge on cyberdefenders.
Challenge details:
This challenge takes you into the world of virtual systems and confusing log data. In this challenge, figure out what happened to this webserver honeypot using the logs from a possibly compromised server.
#1 Answer: ssh
Which service did the attackers use to gain access to the system?
Obtaining the evidence
From the downloaded logs we can see two services that could be susceptible to attack: Apache and ssh.
First we look at the number of failed logins on the SSH service.
grep "Failed password" auth.log | wc -l
20338
As we can see, there are multiple failed login attempts using different usernames from the same IP address.
Apr 26 08:37:17 app-1 sshd[23277]: Failed password for invalid user raymond from 65.208.122.48 port 38293 ssh2
Apr 26 08:37:20 app-1 sshd[23279]: Failed password for invalid user usr from 65.208.122.48 port 40359 ssh2
Apr 26 08:37:23 app-1 sshd[23281]: Failed password for invalid user robert from 65.208.122.48 port 42476 ssh2
Apr 26 08:37:26 app-1 sshd[23283]: Failed password for invalid user laura from 65.208.122.48 port 44944 ssh2
Apr 26 08:37:29 app-1 sshd[23285]: Failed password for invalid user matt from 65.208.122.48 port 47000 ssh2
Apr 26 08:37:32 app-1 sshd[23287]: Failed password for invalid user mat from 65.208.122.48 port 48849 ssh2
Apr 26 08:37:36 app-1 sshd[23289]: Failed password for invalid user bogus from 65.208.122.48 port 50566 ssh2
Apr 26 08:37:39 app-1 sshd[23291]: Failed password for mysql from 65.208.122.48 port 53936 ssh2
Apr 26 08:37:43 app-1 sshd[23293]: Failed password for invalid user sasha from 65.208.122.48 port 56820 ssh2
Apr 26 08:37:46 app-1 sshd[23295]: Failed password for invalid user mark from 65.208.122.48 port 58767 ssh2
Apr 26 08:37:49 app-1 sshd[23297]: Failed password for invalid user flo from 65.208.122.48 port 61173 ssh2
Apr 26 08:37:52 app-1 sshd[23299]: Failed password for invalid user fabio from 65.208.122.48 port 30493 ssh2
Apr 26 08:37:55 app-1 sshd[23301]: Failed password for invalid user tomcat from 65.208.122.48 port 32664 ssh2
Apr 26 08:37:58 app-1 sshd[23303]: Failed password for invalid user kenneth from 65.208.122.48 port 34208 ssh2
Apr 26 08:38:01 app-1 sshd[23305]: Failed password for invalid user family from 65.208.122.48 port 36920 ssh2
Apr 26 08:38:04 app-1 sshd[23315]: Failed password for invalid user anderson from 65.208.122.48 port 38808 ssh2
Apr 26 08:38:07 app-1 sshd[23317]: Failed password for invalid user ron from 65.208.122.48 port 41130 ssh2
Apr 26 08:38:10 app-1 sshd[23319]: Failed password for invalid user magdalena from 65.208.122.48 port 42711 ssh2
Apr 26 08:38:13 app-1 sshd[23321]: Failed password for invalid user test2 from 65.208.122.48 port 44588 ssh2
Apr 26 08:38:16 app-1 sshd[23323]: Failed password for invalid user victor from 65.208.122.48 port 46430 ssh2
Apr 26 08:38:20 app-1 sshd[23325]: Failed password for invalid user demo from 65.208.122.48 port 48058 ssh2
Apr 26 08:38:23 app-1 sshd[23327]: Failed password for invalid user jan from 65.208.122.48 port 50722 ssh2
Apr 26 08:38:26 app-1 sshd[23329]: Failed password for invalid user leo from 65.208.122.48 port 53029 ssh2
Apr 26 08:38:29 app-1 sshd[23331]: Failed password for invalid user alexandre from 65.208.122.48 port 55286 ssh2
Apr 26 08:38:32 app-1 sshd[23333]: Failed password for invalid user install from 65.208.122.48 port 57081 ssh2
Apr 26 08:38:35 app-1 sshd[23335]: Failed password for invalid user tony from 65.208.122.48 port 59473 ssh2
Apr 26 08:38:38 app-1 sshd[23337]: Failed password for invalid user paul from 65.208.122.48 port 61215 ssh2
Apr 26 08:38:41 app-1 sshd[23339]: Failed password for invalid user pedro from 65.208.122.48 port 30736 ssh2
Apr 26 08:38:45 app-1 sshd[23341]: Failed password for invalid user ar from 65.208.122.48 port 32741 ssh2
Apr 26 08:38:49 app-1 sshd[23343]: Failed password for invalid user br from 65.208.122.48 port 35618 ssh2
Apr 26 08:38:52 app-1 sshd[23345]: Failed password for invalid user scanner from 65.208.122.48 port 38382 ssh2
Apr 26 08:38:55 app-1 sshd[23347]: Failed password for invalid user bill from 65.208.122.48 port 40787 ssh2
Apr 26 08:38:58 app-1 sshd[23349]: Failed password for invalid user rf from 65.208.122.48 port 43269 ssh2
Apr 26 08:39:02 app-1 sshd[23351]: Failed password for invalid user conrad from 65.208.122.48 port 45090 ssh2
Apr 26 08:39:05 app-1 sshd[23371]: Failed password for invalid user abby from 65.208.122.48 port 47092 ssh2
Apr 26 08:39:08 app-1 sshd[23373]: Failed password for invalid user amber from 65.208.122.48 port 48969 ssh2
Apr 26 08:39:12 app-1 sshd[23375]: Failed password for invalid user lala from 65.208.122.48 port 52107 ssh2
Apr 26 08:39:15 app-1 sshd[23377]: Failed password for invalid user doctor from 65.208.122.48 port 54279 ssh2
Apr 26 08:39:18 app-1 sshd[23379]: Failed password for invalid user stu from 65.208.122.48 port 56855 ssh2
Apr 26 08:39:21 app-1 sshd[23381]: Failed password for invalid user fedora from 65.208.122.48 port 59949 ssh2
Apr 26 08:39:24 app-1 sshd[23383]: Failed password for invalid user apollo from 65.208.122.48 port 29018 ssh2
Apr 26 08:39:28 app-1 sshd[23385]: Failed password for invalid user john from 65.208.122.48 port 30998 ssh2
Apr 26 08:39:31 app-1 sshd[23387]: Failed password for invalid user word from 65.208.122.48 port 33808 ssh2
Apr 26 08:39:35 app-1 sshd[23389]: Failed password for invalid user denise from 65.208.122.48 port 36681 ssh2
Apr 26 08:39:38 app-1 sshd[23391]: Failed password for invalid user diana from 65.208.122.48 port 38859 ssh2
Apr 26 08:39:42 app-1 sshd[23393]: Failed password for invalid user cam from 65.208.122.48 port 41458 ssh2
Apr 26 08:39:45 app-1 sshd[23395]: Failed password for invalid user com from 65.208.122.48 port 43501 ssh2
Apr 26 08:39:48 app-1 sshd[23397]: Failed password for invalid user elaine from 65.208.122.48 port 45471 ssh2
Apr 26 08:39:51 app-1 sshd[23399]: Failed password for invalid user danna from 65.208.122.48 port 47214 ssh2
Apr 26 08:39:55 app-1 sshd[23401]: Failed password for invalid user bettina from 65.208.122.48 port 49835 ssh2
Apr 26 08:39:58 app-1 sshd[23403]: Failed password for invalid user astro from 65.208.122.48 port 51968 ssh2
Apr 26 08:40:02 app-1 sshd[23405]: Failed password for invalid user diego from 65.208.122.48 port 53600 ssh2
Apr 26 08:40:05 app-1 sshd[23415]: Failed password for invalid user ashley from 65.208.122.48 port 56139 ssh2
Apr 26 08:40:08 app-1 sshd[23417]: Failed password for invalid user dausy from 65.208.122.48 port 58241 ssh2
Apr 26 08:40:12 app-1 sshd[23419]: Failed password for invalid user cecilia from 65.208.122.48 port 61001 ssh2
Apr 26 08:40:15 app-1 sshd[23421]: Failed password for invalid user al from 65.208.122.48 port 30310 ssh2
Apr 26 08:40:18 app-1 sshd[23423]: Failed password for invalid user erin from 65.208.122.48 port 32955 ssh2
Apr 26 08:40:22 app-1 sshd[23425]: Failed password for invalid user samuel from 65.208.122.48 port 35045 ssh2
Apr 26 08:40:26 app-1 sshd[23427]: Failed password for invalid user craig from 65.208.122.48 port 37585 ssh2
Apr 26 08:40:29 app-1 sshd[23429]: Failed password for invalid user foster from 65.208.122.48 port 40237 ssh2
Apr 26 08:40:33 app-1 sshd[23431]: Failed password for invalid user donald from 65.208.122.48 port 42305 ssh2
#2 Answer: 4.2.4-1ubuntu3
What is the operating system version of the targeted system? (one word)
Obtaining the evidence
We can get this information from kern.log.
grep "Linux version" kern.log
Mar 16 08:09:58 app-1 kernel: [ 0.000000] Linux version 2.6.24-26-server (buildd@crested) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu3)) #1 SMP Tue Dec 1 18:26:43 UTC 2009 (Ubuntu 2.6.24-26.64-server)
Mar 18 09:41:44 app-1 kernel: [ 0.000000] Linux version 2.6.24-26-server (buildd@crested) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu3)) #1 SMP Tue Dec 1 18:26:43 UTC 2009 (Ubuntu 2.6.24-26.64-server)
Mar 18 09:48:54 app-1 kernel: [ 0.000000] Linux version 2.6.24-26-server (buildd@crested) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu3)) #1 SMP Tue Dec 1 18:26:43 UTC 2009 (Ubuntu 2.6.24-26.64-server)
Mar 18 09:50:23 app-1 kernel: [ 0.000000] Linux version 2.6.24-26-server (buildd@crested) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu3)) #1 SMP Tue Dec 1 18:26:43 UTC 2009 (Ubuntu 2.6.24-26.64-server)
Mar 18 09:54:25 app-1 kernel: [ 0.000000] Linux version 2.6.24-26-server (buildd@crested) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu3)) #1 SMP Tue Dec 1 18:26:43 UTC 2009 (Ubuntu 2.6.24-26.64-server)
Mar 22 13:49:47 app-1 kernel: : [ 0.000000] Linux version 2.6.24-26-server (buildd@crested) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu3)) #1 SMP Tue Dec 1 18:26:43 UTC 2009 (Ubuntu 2.6.24-26.64-server)
Mar 22 18:43:37 app-1 kernel: : [ 0.000000] Linux version 2.6.24-26-server (buildd@crested) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu3)) #1 SMP Tue Dec 1 18:26:43 UTC 2009 (Ubuntu 2.6.24-26.64-server)
Mar 22 18:45:24 app-1 kernel: : [ 0.000000] Linux version 2.6.24-26-server (buildd@crested) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu3)) #1 SMP Tue Dec 1 18:26:43 UTC 2009 (Ubuntu 2.6.24-26.64-server)
Mar 25 11:56:49 app-1 kernel: : [ 0.000000] Linux version 2.6.24-26-server (buildd@crested) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu3)) #1 SMP Tue Dec 1 18:26:43 UTC 2009 (Ubuntu 2.6.24-26.64-server)
Apr 14 14:44:32 app-1 kernel: : [ 0.000000] Linux version 2.6.24-26-server (buildd@crested) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu3)) #1 SMP Tue Dec 1 18:26:43 UTC 2009 (Ubuntu 2.6.24-26.64-server)
Apr 18 18:03:57 app-1 kernel: : [ 0.000000] Linux version 2.6.24-26-server (buildd@crested) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu3)) #1 SMP Tue Dec 1 18:26:43 UTC 2009 (Ubuntu 2.6.24-26.64-server)
Apr 24 20:21:21 app-1 kernel: : [ 0.000000] Linux version 2.6.24-26-server (buildd@crested) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu3)) #1 SMP Tue Dec 1 18:26:43 UTC 2009 (Ubuntu 2.6.24-26.64-server)
Apr 28 07:34:22 app-1 kernel: : [ 0.000000] Linux version 2.6.24-26-server (buildd@crested) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu3)) #1 SMP Tue Dec 1 18:26:43 UTC 2009 (Ubuntu 2.6.24-26.64-server)
May 2 23:05:47 app-1 kernel: : [ 0.000000] Linux version 2.6.24-26-server (buildd@crested) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu3)) #1 SMP Tue Dec 1 18:26:43 UTC 2009 (Ubuntu 2.6.24-26.64-server)
#3 Answer: root
What is the name of the compromised account?
Obtaining the evidence
We check which successful logins there have been.
cat auth.log | grep "Accepted password"
Mar 16 08:26:06 app-1 sshd[4894]: Accepted password for user3 from 192.168.126.1 port 61474 ssh2
Mar 16 10:14:02 app-1 sshd[5142]: Accepted password for user3 from 192.168.126.1 port 62897 ssh2
Mar 16 17:12:24 app-1 sshd[5513]: Accepted password for user3 from 192.168.126.1 port 63555 ssh2
Mar 18 09:42:22 app-1 sshd[4693]: Accepted password for user3 from 10.0.1.2 port 64721 ssh2
Mar 18 10:00:10 app-1 sshd[4764]: Accepted password for user1 from 76.191.195.140 port 35226 ssh2
Mar 18 10:00:30 app-1 sshd[4786]: Accepted password for user3 from 10.0.1.2 port 64950 ssh2
Mar 18 11:39:50 app-1 sshd[10158]: Accepted password for user2 from 71.132.129.212 port 34333 ssh2
Mar 18 11:40:56 app-1 sshd[10200]: Accepted password for user2 from 71.132.129.212 port 40961 ssh2
Mar 18 11:41:43 app-1 sshd[10224]: Accepted password for user2 from 71.132.129.212 port 41661 ssh2
Mar 18 11:48:16 app-1 sshd[10253]: Accepted password for user1 from 76.191.195.140 port 43613 ssh2
Mar 18 11:51:31 app-1 sshd[10294]: Accepted password for user2 from 71.132.129.212 port 41296 ssh2
Mar 18 11:59:43 app-1 sshd[10333]: Accepted password for user3 from 10.0.1.2 port 49873 ssh2
Mar 18 15:15:28 app-1 sshd[13419]: Accepted password for user1 from 76.191.195.140 port 46152 ssh2
Mar 18 16:25:51 app-1 sshd[14393]: Accepted password for user1 from 76.191.195.140 port 39656 ssh2
Mar 23 09:17:57 app-1 sshd[5478]: Accepted password for user3 from 10.0.1.2 port 58677 ssh2
Mar 23 12:12:11 app-1 sshd[6028]: Accepted password for user3 from 10.0.1.2 port 61047 ssh2
Mar 23 14:00:38 app-1 sshd[6266]: Accepted password for user1 from 76.191.195.140 port 34923 ssh2
Mar 23 14:07:23 app-1 sshd[6351]: Accepted password for user1 from 76.191.195.140 port 37018 ssh2
Mar 23 14:18:06 app-1 sshd[6627]: Accepted password for user1 from 76.191.195.140 port 33563 ssh2
Mar 23 18:02:29 app-1 sshd[7224]: Accepted password for user2 from 71.132.129.212 port 46820 ssh2
Mar 24 05:48:46 app-1 sshd[7477]: Accepted password for user1 from 208.80.69.74 port 33259 ssh2
Mar 24 06:37:11 app-1 sshd[15437]: Accepted password for user3 from 208.80.69.74 port 33333 ssh2
Mar 24 21:12:19 app-1 sshd[17916]: Accepted password for user1 from 76.191.195.140 port 36112 ssh2
Mar 24 21:19:02 app-1 sshd[17968]: Accepted password for user1 from 76.191.195.140 port 36804 ssh2
Mar 25 12:11:19 app-1 sshd[5305]: Accepted password for user3 from 10.0.1.2 port 50896 ssh2
Mar 26 14:58:37 app-1 sshd[9598]: Accepted password for user1 from 166.129.196.88 port 64620 ssh2
Mar 28 14:33:50 app-1 sshd[17128]: Accepted password for user3 from 10.0.1.2 port 60617 ssh2
Mar 29 13:17:53 app-1 sshd[21426]: Accepted password for user1 from 76.191.195.140 port 40738 ssh2
Mar 29 13:24:07 app-1 sshd[21494]: Accepted password for user3 from 10.0.1.2 port 51773 ssh2
Mar 29 13:27:26 app-1 sshd[21556]: Accepted password for root from 10.0.1.2 port 51784 ssh2
Mar 29 23:39:05 app-1 sshd[26248]: Accepted password for user1 from 76.191.195.140 port 40654 ssh2
Mar 30 13:30:17 app-1 sshd[28893]: Accepted password for user1 from 208.80.69.74 port 33042 ssh2
Apr 1 11:20:58 app-1 sshd[4168]: Accepted password for user1 from 67.164.72.181 port 63021 ssh2
Apr 1 16:23:04 app-1 sshd[5001]: Accepted password for user3 from 10.0.1.2 port 53337 ssh2
Apr 1 21:12:32 app-1 sshd[6684]: Accepted password for user1 from 76.191.195.140 port 47887 ssh2
Apr 2 07:20:50 app-1 sshd[10339]: Accepted password for user1 from 76.191.195.140 port 45649 ssh2
Apr 2 12:42:31 app-1 sshd[12534]: Accepted password for user1 from 76.191.195.140 port 34591 ssh2
Apr 14 14:46:01 app-1 sshd[5738]: Accepted password for user1 from 65.195.182.120 port 57897 ssh2
Apr 14 14:51:05 app-1 sshd[5816]: Accepted password for user3 from 65.195.182.120 port 52414 ssh2
Apr 15 12:02:55 app-1 sshd[9418]: Accepted password for user1 from 208.80.69.74 port 33553 ssh2
Apr 15 14:43:56 app-1 sshd[10122]: Accepted password for user1 from 208.80.69.74 port 33777 ssh2
Apr 15 14:47:53 app-1 sshd[10174]: Accepted password for user1 from 208.80.69.74 port 33737 ssh2
Apr 15 19:48:38 app-1 sshd[12230]: Accepted password for user1 from 76.191.195.140 port 33880 ssh2
Apr 15 20:19:03 app-1 sshd[12687]: Accepted password for user1 from 76.191.195.140 port 38422 ssh2
Apr 15 20:29:16 app-1 sshd[12813]: Accepted password for user1 from 76.191.195.140 port 39747 ssh2
Apr 16 09:35:19 app-1 sshd[15290]: Accepted password for user1 from 76.191.195.140 port 33041 ssh2
Apr 18 18:07:35 app-1 sshd[5152]: Accepted password for user3 from 10.0.1.2 port 49576 ssh2
Apr 18 18:08:46 app-1 sshd[5173]: Accepted password for user3 from 10.0.1.2 port 49587 ssh2
Apr 18 18:29:30 app-1 sshd[5302]: Accepted password for user3 from 10.0.1.4 port 61340 ssh2
Apr 18 20:35:34 app-1 sshd[5614]: Accepted password for user3 from 10.0.1.4 port 61902 ssh2
Apr 18 21:52:03 app-1 sshd[5836]: Accepted password for user3 from 10.0.1.4 port 62023 ssh2
Apr 18 21:53:28 app-1 sshd[5856]: Accepted password for user3 from 10.0.1.4 port 62027 ssh2
Apr 19 05:41:44 app-1 sshd[8810]: Accepted password for root from 219.150.161.20 port 51249 ssh2
Apr 19 05:42:27 app-1 sshd[9031]: Accepted password for root from 219.150.161.20 port 40877 ssh2
Apr 19 05:55:20 app-1 sshd[12996]: Accepted password for root from 219.150.161.20 port 55545 ssh2
Apr 19 05:56:05 app-1 sshd[13218]: Accepted password for root from 219.150.161.20 port 36585 ssh2
Apr 19 09:59:27 app-1 sshd[27143]: Accepted password for user1 from 76.191.195.140 port 40961 ssh2
Apr 19 09:59:35 app-1 sshd[27163]: Accepted password for user1 from 76.191.195.140 port 44689 ssh2
Apr 19 10:45:36 app-1 sshd[28030]: Accepted password for root from 222.66.204.246 port 48208 ssh2
Apr 19 10:46:50 app-1 sshd[28272]: Accepted password for user1 from 208.80.69.74 port 33544 ssh2
Apr 19 11:03:44 app-1 sshd[30277]: Accepted password for root from 201.229.176.217 port 54465 ssh2
Apr 19 11:15:26 app-1 sshd[30364]: Accepted password for root from 190.167.70.87 port 49497 ssh2
Apr 19 11:58:00 app-1 sshd[30837]: Accepted password for user3 from 208.80.69.69 port 37409 ssh2
Apr 19 14:28:32 app-1 sshd[32633]: Accepted password for user3 from 208.80.69.69 port 44041 ssh2
Apr 19 17:22:52 app-1 sshd[892]: Accepted password for user1 from 76.191.195.140 port 36639 ssh2
Apr 19 17:28:05 app-1 sshd[950]: Accepted password for user1 from 76.191.195.140 port 34472 ssh2
Apr 19 18:13:49 app-1 sshd[1158]: Accepted password for user3 from 10.0.1.2 port 59387 ssh2
Apr 19 22:37:24 app-1 sshd[2012]: Accepted password for root from 190.166.87.164 port 50753 ssh2
Apr 19 22:46:10 app-1 sshd[2060]: Accepted password for dhg from 190.166.87.164 port 50950 ssh2
Apr 19 22:54:06 app-1 sshd[2149]: Accepted password for root from 190.166.87.164 port 51101 ssh2
Apr 19 23:02:25 app-1 sshd[2210]: Accepted password for root from 190.166.87.164 port 51303 ssh2
Apr 19 23:04:46 app-1 sshd[2376]: Accepted password for dhg from 190.166.87.164 port 51304 ssh2
Apr 20 00:00:51 app-1 sshd[24440]: Accepted password for dhg from 190.166.87.164 port 52422 ssh2
Apr 20 00:55:05 app-1 sshd[24805]: Accepted password for dhg from 190.166.87.164 port 52812 ssh2
Apr 20 06:12:41 app-1 sshd[26686]: Accepted password for dhg from 190.166.87.164 port 53460 ssh2
Apr 20 06:13:03 app-1 sshd[26712]: Accepted password for root from 121.11.66.70 port 33828 ssh2
Apr 20 06:46:03 app-1 sshd[29540]: Accepted password for dhg from 190.166.87.164 port 53601 ssh2
Apr 20 07:22:01 app-1 sshd[29996]: Accepted password for dhg from 190.166.87.164 port 54059 ssh2
Apr 20 10:48:35 app-1 sshd[30616]: Accepted password for dhg from 190.166.87.164 port 58201 ssh2
Apr 20 12:02:48 app-1 sshd[30798]: Accepted password for dhg from 190.166.87.164 port 58839 ssh2
Apr 20 12:10:29 app-1 sshd[30820]: Accepted password for dhg from 190.166.87.164 port 58850 ssh2
Apr 20 12:26:08 app-1 sshd[30892]: Accepted password for dhg from 190.166.87.164 port 59033 ssh2
Apr 20 12:27:29 app-1 sshd[30896]: Accepted password for dhg from 190.166.87.164 port 59036 ssh2
Apr 20 19:16:57 app-1 sshd[32196]: Accepted password for dhg from 190.166.87.164 port 58137 ssh2
Apr 20 19:18:45 app-1 sshd[32210]: Accepted password for dhg from 190.166.87.164 port 58276 ssh2
Apr 20 21:38:52 app-1 sshd[32580]: Accepted password for dhg from 190.166.87.164 port 51379 ssh2
Apr 20 21:46:28 app-1 sshd[32611]: Accepted password for dhg from 190.166.87.164 port 51683 ssh2
Apr 21 08:08:14 app-1 sshd[1885]: Accepted password for dhg from 190.166.87.164 port 54769 ssh2
Apr 21 11:51:38 app-1 sshd[2649]: Accepted password for root from 193.1.186.197 port 38318 ssh2
Apr 21 11:56:37 app-1 sshd[2686]: Accepted password for root from 151.81.205.100 port 54272 ssh2
Apr 21 17:17:00 app-1 sshd[3542]: Accepted password for dhg from 190.166.87.164 port 54300 ssh2
Apr 21 17:31:16 app-1 sshd[3585]: Accepted password for dhg from 190.166.87.164 port 54374 ssh2
Apr 21 18:25:42 app-1 sshd[3747]: Accepted password for dhg from 190.166.87.164 port 54919 ssh2
Apr 22 01:30:27 app-1 sshd[4877]: Accepted password for root from 151.82.3.201 port 49249 ssh2
Apr 22 06:41:38 app-1 sshd[5876]: Accepted password for root from 151.81.204.141 port 59064 ssh2
Apr 22 08:29:12 app-1 sshd[7443]: Accepted password for user1 from 65.88.2.5 port 1459 ssh2
Apr 22 10:00:04 app-1 sshd[7709]: Accepted password for user1 from 65.88.2.5 port 51190 ssh2
Apr 22 11:02:15 app-1 sshd[7940]: Accepted password for root from 222.169.224.197 port 45356 ssh2
Apr 22 11:09:29 app-1 sshd[8490]: Accepted password for user1 from 65.88.2.5 port 12325 ssh2
Apr 22 12:34:19 app-1 sshd[9828]: Accepted password for user1 from 65.88.2.5 port 53044 ssh2
Apr 22 12:51:16 app-1 sshd[10196]: Accepted password for user1 from 65.88.2.5 port 17012 ssh2
Apr 23 03:11:03 app-1 sshd[13633]: Accepted password for root from 122.226.202.12 port 40892 ssh2
Apr 23 03:20:41 app-1 sshd[13930]: Accepted password for root from 122.226.202.12 port 40209 ssh2
Apr 23 07:33:49 app-1 sshd[15557]: Accepted password for user1 from 65.88.2.5 port 6358 ssh2
Apr 23 11:31:04 app-1 sshd[16761]: Accepted password for user3 from 10.0.1.2 port 50999 ssh2
Apr 24 11:36:19 app-1 sshd[24436]: Accepted password for root from 121.11.66.70 port 58832 ssh2
Apr 24 15:28:37 app-1 sshd[31338]: Accepted password for root from 61.168.227.12 port 43770 ssh2
Apr 24 16:33:36 app-1 sshd[31845]: Accepted password for root from 188.131.22.69 port 1844 ssh2
Apr 24 18:46:57 app-1 sshd[32211]: Accepted password for dhg from 190.167.74.184 port 60271 ssh2
Apr 24 19:15:54 app-1 sshd[32299]: Accepted password for root from 190.167.74.184 port 60992 ssh2
Apr 24 20:23:04 app-1 sshd[5764]: Accepted password for dhg from 190.167.74.184 port 65081 ssh2
Apr 25 10:38:56 app-1 sshd[9560]: Accepted password for root from 94.52.185.9 port 59821 ssh2
Apr 25 12:21:39 app-1 sshd[10826]: Accepted password for fido from 94.52.185.9 port 60189 ssh2
Apr 26 04:42:55 app-1 sshd[20096]: Accepted password for root from 188.131.23.37 port 3527 ssh2
Apr 26 04:59:02 app-1 sshd[20491]: Accepted password for root from 188.131.23.37 port 3561 ssh2
Apr 26 08:47:28 app-1 sshd[23501]: Accepted password for root from 188.131.23.37 port 4271 ssh2
Apr 26 08:51:50 app-1 sshd[23542]: Accepted password for root from 188.131.23.37 port 4280 ssh2
Apr 26 09:35:14 app-1 sshd[23968]: Accepted password for user1 from 208.80.69.70 port 33371 ssh2
#4 Answer: 6
Consider that each unique IP represents a different attacker. How many attackers were able to get access to the system?
Obtaining the evidence
We get 18 IP addresses that managed to log in as the root user.
cat auth.log | grep "Accepted password for root" | awk '{print $11}' | sort -u
10.0.1.2
121.11.66.70
122.226.202.12
151.81.204.141
151.81.205.100
151.82.3.201
188.131.22.69
188.131.23.37
190.166.87.164
190.167.70.87
190.167.74.184
193.1.186.197
201.229.176.217
219.150.161.20
222.169.224.197
222.66.204.246
61.168.227.12
94.52.185.9
With the IP addresses obtained, we write a small script that checks how many failed attempts we detected for each of the IP addresses.
cat script.sh
#!/bin/bash
# For every IP in ips.txt, count the "authentication failure" lines in auth.log
# that mention it, and print the IPs with at least one.
IPS="ips.txt"
while IFS= read -r line; do
    # -F: match the IP literally (an unescaped "." would match any character)
    # -w: whole-word match, so 219.150.161.2 does not also count 219.150.161.20
    fip=$(grep "authentication failure" auth.log | grep -Fwc -- "$line")
    if [ "$fip" -ne 0 ]; then
        echo "IP: $line Authentication failure: $fip"
    fi
done < "$IPS"
As we can see, the addresses 121.11.66.70, 122.226.202.12, 219.150.161.20, 222.169.224.197, 222.66.204.246 and 61.168.227.12 had a significant number of failed attempts.
./script.sh
IP: 121.11.66.70 Authentication failure: 1435
IP: 122.226.202.12 Authentication failure: 513
IP: 188.131.23.37 Authentication failure: 2
IP: 190.166.87.164 Authentication failure: 3
IP: 219.150.161.20 Authentication failure: 9259
IP: 222.169.224.197 Authentication failure: 646
IP: 222.66.204.246 Authentication failure: 1573
IP: 61.168.227.12 Authentication failure: 213
IP: 94.52.185.9 Authentication failure: 1
#5 Answer: 219.150.161.20
Which attacker's IP address successfully logged into the system the most number of times?
Obtaining the evidence
Using the same script, we check the IP addresses.
#!/bin/bash
# Same loop, this time counting accepted root logins per IP instead of failures.
IPS="ips.txt"
while IFS= read -r line; do
    fip=$(grep "Accepted password for root" auth.log | grep -Fwc -- "$line")
    # every IP in ips.txt has at least one login, so this prints only those with more than one
    if [ "$fip" -ne 1 ]; then
        echo "IP: $line Accepted password: $fip"
    fi
done < "$IPS"
./script.sh
IP: 121.11.66.70 Accepted password: 2
IP: 122.226.202.12 Accepted password: 2
IP: 188.131.23.37 Accepted password: 4
IP: 190.166.87.164 Accepted password: 3
IP: 219.150.161.20 Accepted password: 4
We can also get it this way:
grep sshd auth.log | grep Accepted | grep root | awk '{print $11}' | sort | uniq -c | sort -n
1 10.0.1.2
1 151.81.204.141
1 151.81.205.100
1 151.82.3.201
1 188.131.22.69
1 190.167.70.87
1 190.167.74.184
1 193.1.186.197
1 201.229.176.217
1 222.169.224.197
1 222.66.204.246
1 61.168.227.12
1 94.52.185.9
2 121.11.66.70
2 122.226.202.12
3 190.166.87.164
4 188.131.23.37
4 219.150.161.20
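Added example, not part of the original write-up: a small Python parser for sshd lines in the auth.log format quoted above that does in one pass what the grep/awk pipelines and the two scripts in questions 1, 4 and 5 do separately: count failed and accepted logins per IP, flag IPs whose first successful login came only after repeated failures, and return the last login of a given account from a given IP. The log text is a constructed sample in the same format as auth.log, not the full file.

```python
import re
from collections import Counter

# Constructed sample in the same format as the auth.log lines quoted above
# (a handful of lines, not the full file), kept in log order.
SAMPLE_AUTH_LOG = """\
Apr 19 05:40:01 app-1 sshd[8701]: Failed password for root from 219.150.161.20 port 51101 ssh2
Apr 19 05:40:04 app-1 sshd[8703]: Failed password for root from 219.150.161.20 port 51105 ssh2
Apr 19 05:40:07 app-1 sshd[8705]: Failed password for invalid user admin from 219.150.161.20 port 51110 ssh2
Apr 19 05:41:44 app-1 sshd[8810]: Accepted password for root from 219.150.161.20 port 51249 ssh2
Apr 19 05:56:05 app-1 sshd[13218]: Accepted password for root from 219.150.161.20 port 36585 ssh2
Apr 19 09:59:27 app-1 sshd[27143]: Accepted password for user1 from 76.191.195.140 port 40961 ssh2
Apr 19 22:37:24 app-1 sshd[2012]: Accepted password for root from 190.166.87.164 port 50753 ssh2
Apr 26 04:42:55 app-1 sshd[20096]: Accepted password for root from 188.131.23.37 port 3527 ssh2
Apr 26 08:37:17 app-1 sshd[23277]: Failed password for invalid user raymond from 65.208.122.48 port 38293 ssh2
Apr 26 08:37:20 app-1 sshd[23279]: Failed password for invalid user usr from 65.208.122.48 port 40359 ssh2
"""

# One regex for both "Accepted password for <user>" and
# "Failed password for [invalid user ]<user>" lines.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_sshd(log_text):
    """Return (timestamp, result, user, ip) tuples for every password-auth line.

    Lines that are not sshd password results (sudo, cron, ...) are skipped,
    so the whole auth.log can be fed in unfiltered.
    """
    events = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append((m["ts"], m["result"], m["user"], m["ip"]))
    return events


def count_by_ip(events, result, user=None):
    """Per-IP count of 'Accepted' or 'Failed' events, optionally for one account.

    Same result as the grep | awk '{print $11}' | sort | uniq -c pipeline,
    but keyed on the parsed field instead of a positional column.
    """
    return Counter(ip for _, r, u, ip in events
                   if r == result and (user is None or u == user))


def brute_force_successes(events, min_failures=2):
    """IPs whose first accepted login came after at least min_failures failed attempts.

    Only failures *before* the first success count, so an IP that logged in
    cleanly and later mistyped a password is not flagged.
    """
    failures_before = Counter()
    first_success_seen = set()
    for _, result, _, ip in events:
        if result == "Failed" and ip not in first_success_seen:
            failures_before[ip] += 1
        elif result == "Accepted":
            first_success_seen.add(ip)
    return sorted(ip for ip in first_success_seen if failures_before[ip] >= min_failures)


def last_login(events, ip, user):
    """Timestamp of the last accepted login for user from ip (None if there is none)."""
    matches = [ts for ts, r, u, i in events if r == "Accepted" and u == user and i == ip]
    return matches[-1] if matches else None


if __name__ == "__main__":
    ev = parse_sshd(SAMPLE_AUTH_LOG)
    print("accepted root logins per IP:", count_by_ip(ev, "Accepted", "root"))
    print("failed attempts per IP:", count_by_ip(ev, "Failed"))
    print("brute-forced, then succeeded:", brute_force_successes(ev))
    print("last root login from 219.150.161.20:", last_login(ev, "219.150.161.20", "root"))
```

Feeding the real auth.log to parse_sshd gives the same per-IP tables as the pipelines above, with the brute-force correlation on top.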
#6 Answer: 365
How many requests were sent to the Apache Server?
Obtaining the evidence
All requests made to the Apache service are recorded in the www-access.log log, so we only need to count how many lines it has.
cat apache2/www-access.log | wc -l
365
#7 Answer: 6
How many rules have been added to the firewall?
Obtaining the evidence
grep -rn iptables *
auth.log:16555:Apr 15 12:49:09 app-1 sudo: user1 : TTY=pts/0 ; PWD=/opt/software/web/app ; USER=root ; COMMAND=/usr/bin/tee ../templates/proxy/iptables.conf
auth.log:16721:Apr 15 15:06:13 app-1 sudo: user1 : TTY=pts/1 ; PWD=/opt/software/web/app ; USER=root ; COMMAND=/usr/bin/tee ../templates/proxy/iptables.conf
auth.log:16738:Apr 15 15:17:45 app-1 sudo: user1 : TTY=pts/1 ; PWD=/opt/software/web/app ; USER=root ; COMMAND=/usr/bin/tee ../templates/proxy/iptables.conf
auth.log:16741:Apr 15 15:18:23 app-1 sudo: user1 : TTY=pts/1 ; PWD=/opt/software/web/app ; USER=root ; COMMAND=/usr/bin/tee ../templates/proxy/iptables.conf
auth.log:94891:Apr 24 19:25:37 app-1 sudo: root : TTY=pts/2 ; PWD=/etc ; USER=root ; COMMAND=/sbin/iptables -L
auth.log:94954:Apr 24 20:03:06 app-1 sudo: root : TTY=pts/2 ; PWD=/etc ; USER=root ; COMMAND=/sbin/iptables -A INPUT -p ssh -dport 2424 -j ACCEPT
auth.log:94957:Apr 24 20:03:44 app-1 sudo: root : TTY=pts/2 ; PWD=/etc ; USER=root ; COMMAND=/sbin/iptables -A INPUT -p tcp -dport 53 -j ACCEPT
auth.log:94960:Apr 24 20:04:13 app-1 sudo: root : TTY=pts/2 ; PWD=/etc ; USER=root ; COMMAND=/sbin/iptables -A INPUT -p udp -dport 53 -j ACCEPT
auth.log:94967:Apr 24 20:06:22 app-1 sudo: root : TTY=pts/2 ; PWD=/etc ; USER=root ; COMMAND=/sbin/iptables -A INPUT -p tcp --dport ssh -j ACCEPT
auth.log:94972:Apr 24 20:11:00 app-1 sudo: root : TTY=pts/2 ; PWD=/etc ; USER=root ; COMMAND=/sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
auth.log:94979:Apr 24 20:11:08 app-1 sudo: root : TTY=pts/2 ; PWD=/etc ; USER=root ; COMMAND=/sbin/iptables -A INPUT -p tcp --dport 113 -j ACCEP
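Added example, not the write-up's own code: parsing the sudo entries for iptables out of auth.log to count rule additions (-A/-I) and to flag the invocations iptables would have rejected, since a single-dash "-dport" is read by getopt as "-d port" and "ssh" is not a protocol name that -p accepts; the count of attempted additions is the 6 the answer uses. The log lines are a constructed sample of the entries grep returned above without grep's file:line prefix, and the short protocol list is an assumption for the example (iptables itself consults /etc/protocols).

```python
import re
import shlex

# Constructed sample modelled on the sudo entries grep returned above, without
# grep's "auth.log:NNN:" prefix (a few lines, not the full auth.log).
SAMPLE_SUDO_LOG = """\
Apr 15 12:49:09 app-1 sudo: user1 : TTY=pts/0 ; PWD=/opt/software/web/app ; USER=root ; COMMAND=/usr/bin/tee ../templates/proxy/iptables.conf
Apr 24 19:25:37 app-1 sudo: root : TTY=pts/2 ; PWD=/etc ; USER=root ; COMMAND=/sbin/iptables -L
Apr 24 20:03:06 app-1 sudo: root : TTY=pts/2 ; PWD=/etc ; USER=root ; COMMAND=/sbin/iptables -A INPUT -p ssh -dport 2424 -j ACCEPT
Apr 24 20:03:44 app-1 sudo: root : TTY=pts/2 ; PWD=/etc ; USER=root ; COMMAND=/sbin/iptables -A INPUT -p tcp -dport 53 -j ACCEPT
Apr 24 20:04:13 app-1 sudo: root : TTY=pts/2 ; PWD=/etc ; USER=root ; COMMAND=/sbin/iptables -A INPUT -p udp -dport 53 -j ACCEPT
Apr 24 20:06:22 app-1 sudo: root : TTY=pts/2 ; PWD=/etc ; USER=root ; COMMAND=/sbin/iptables -A INPUT -p tcp --dport ssh -j ACCEPT
Apr 24 20:11:00 app-1 sudo: root : TTY=pts/2 ; PWD=/etc ; USER=root ; COMMAND=/sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
Apr 24 20:11:08 app-1 sudo: root : TTY=pts/2 ; PWD=/etc ; USER=root ; COMMAND=/sbin/iptables -A INPUT -p tcp --dport 113 -j ACCEPT
"""

SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<who>\S+) : "
    r".*?; COMMAND=(?P<cmd>.*)$"
)
# Protocol names accepted for this example (assumption); real iptables resolves -p via /etc/protocols.
KNOWN_PROTOS = {"tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp", "all"}
ADD_FLAGS = {"-A", "--append", "-I", "--insert"}


def sudo_commands(log_text):
    """(timestamp, invoking user, command line) for every sudo entry in the text."""
    found = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            found.append((m["ts"], m["who"], m["cmd"]))
    return found


def iptables_rule_additions(log_text):
    """iptables invocations that append or insert a rule, each with the syntax problems seen.

    Listing (-L), flushing (-F) or writing iptables.conf with tee is not a rule
    addition, so those entries are skipped even though they mention iptables.
    """
    rules = []
    for ts, who, cmd in sudo_commands(log_text):
        argv = shlex.split(cmd)
        if not argv or not argv[0].endswith("iptables") or not (ADD_FLAGS & set(argv)):
            continue
        problems = []
        for i, arg in enumerate(argv):
            # getopt reads the single-dash "-dport 2424" as "-d port" (destination
            # host "port"), which does not resolve, so iptables rejects the rule.
            if arg == "-dport":
                problems.append("'-dport' is parsed as '-d port'; the option is '--dport'")
            if arg == "-p" and i + 1 < len(argv) and argv[i + 1] not in KNOWN_PROTOS:
                problems.append(f"'-p {argv[i + 1]}' is not a protocol name")
        rules.append({"ts": ts, "by": who, "cmd": cmd, "problems": problems})
    return rules


def count_rule_additions(log_text):
    """Number of attempted rule additions, as typed (what question 7 counts)."""
    return len(iptables_rule_additions(log_text))


def well_formed_additions(log_text):
    """Only the additions with no syntax problem, i.e. the rules that could have taken effect."""
    return [r["cmd"] for r in iptables_rule_additions(log_text) if not r["problems"]]


if __name__ == "__main__":
    for r in iptables_rule_additions(SAMPLE_SUDO_LOG):
        status = "ok" if not r["problems"] else "; ".join(r["problems"])
        print(f"{r['ts']} {r['by']}: {r['cmd']}  ->  {status}")
    print("attempted:", count_rule_additions(SAMPLE_SUDO_LOG),
          "well-formed:", len(well_formed_additions(SAMPLE_SUDO_LOG)))
```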
#8 Answer: nmap
One of the downloaded files to the target system is a scanning tool. Provide the tool name.
Obtaining the evidence
We search dpkg.log for the most popular scanning tools and confirm that one of them was installed via apt: nmap.
grep -E "nmap|nessus|openvas|nikto" dpkg.log
2010-04-24 19:38:15 install nmap <none> 4.53-3
2010-04-24 19:38:15 status half-installed nmap 4.53-3
2010-04-24 19:38:15 status unpacked nmap 4.53-3
2010-04-24 19:38:15 status unpacked nmap 4.53-3
2010-04-24 19:38:16 configure nmap 4.53-3 4.53-3
2010-04-24 19:38:16 status unpacked nmap 4.53-3
2010-04-24 19:38:16 status half-configured nmap 4.53-3
2010-04-24 19:38:16 status installed nmap 4.53-3
#9 Answer: 04/19/2019 05:56:05 AM
Obtaining the evidence
We look at all the connections made from the IP address 219.150.161.20.
grep sshd auth.log| grep Accepted | grep root | grep 219.150.161.20
Apr 19 05:41:44 app-1 sshd[8810]: Accepted password for root from 219.150.161.20 port 51249 ssh2
Apr 19 05:42:27 app-1 sshd[9031]: Accepted password for root from 219.150.161.20 port 40877 ssh2
Apr 19 05:55:20 app-1 sshd[12996]: Accepted password for root from 219.150.161.20 port 55545 ssh2
Apr 19 05:56:05 app-1 sshd[13218]: Accepted password for root from 219.150.161.20 port 36585 ssh2
Since we need to know the year, we check the date of the auth.log file.
ls -lstha auth.log
9,9M -rw-r----- 1 root root 9,9M jul 3 2010 auth.log
#10 Answer: mysql.user contains 2 root accounts without password!
The database displayed two warning messages, provide the most important and dangerous one.
Obtaining the evidence
After finding nothing in the messages log file, I decided to search inside daemon.log. After searching for some keywords such as failed, error, critical, etc., I found the following message.
grep -i warning daemon.log
Mar 18 10:18:42 app-1 /etc/mysql/debian-start[7566]: WARNING: mysql.user contains 2 root accounts without password!
Mar 18 17:01:44 app-1 /etc/mysql/debian-start[14717]: WARNING: mysql.user contains 2 root accounts without password!
Mar 22 13:49:49 app-1 /etc/mysql/debian-start[5599]: WARNING: mysql.user contains 2 root accounts without password!
Mar 22 18:43:41 app-1 /etc/mysql/debian-start[4755]: WARNING: mysql.user contains 2 root accounts without password!
Mar 22 18:45:25 app-1 /etc/mysql/debian-start[4749]: WARNING: mysql.user contains 2 root accounts without password!
Mar 25 11:56:53 app-1 /etc/mysql/debian-start[4848]: WARNING: mysql.user contains 2 root accounts without password!
Apr 14 14:44:34 app-1 /etc/mysql/debian-start[5369]: WARNING: mysql.user contains 2 root accounts without password!
Apr 14 14:44:36 app-1 /etc/mysql/debian-start[5624]: WARNING: mysqlcheck has found corrupt tables
Apr 18 18:04:00 app-1 /etc/mysql/debian-start[4647]: WARNING: mysql.user contains 2 root accounts without password!
Apr 24 20:20:52 app-1 collectdmon[4971]: Warning: collectd was terminated by signal 11
Apr 24 20:21:24 app-1 /etc/mysql/debian-start[5427]: WARNING: mysql.user contains 2 root accounts without password!
Apr 28 07:34:26 app-1 /etc/mysql/debian-start[4782]: WARNING: mysql.user contains 2 root accounts without password!
Apr 28 07:34:27 app-1 /etc/mysql/debian-start[5032]: WARNING: mysqlcheck has found corrupt tables
Apr 28 07:34:27 app-1 /etc/mysql/debian-start[5032]: warning : 1 client is using or hasn't closed the table properly
Apr 28 07:34:27 app-1 /etc/mysql/debian-start[5032]: warning : 1 client is using or hasn't closed the table properly
Apr 28 09:35:31 app-1 collectdmon[5119]: Warning: collectd was terminated by signal 11
May 2 23:05:54 app-1 /etc/mysql/debian-start[4774]: WARNING: mysql.user contains 2 root accounts without password!
#11 Answer: wind3str0y
Multiple accounts were created on the target system. Which one was created on Apr 26 04:43:15?
Obtaining the evidence
grep -i "useradd" auth.log | grep "26 04:43:15"
Apr 26 04:43:15 app-1 useradd[20115]: new user: name=wind3str0y, UID=1004, GID=1005, home=/home/wind3str0y, shell=/bin/bash
#12 Answer: pxyscand/2.1
Few attackers were using a proxy to run their scans. What is the corresponding user-agent used by this proxy?
This is one of the ones that took me the longest to find.
cat www-access.log | cut -d "\"" -f 6 | sort -n | uniq -c | sort -n
1 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.22.7 (KHTML, like Gecko) Version/4.0.5 Safari/531.22.7
1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1045 Safari/532.5
1 Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.19) Gecko/2010031422 Firefox/3.0.19
3 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1059 Safari/532.5
3 pxyscand/2.1
4 Mozilla/4.0 (compatible; NaverBot/1.0; http://help.naver.com/customer_webtxt_02.jsp)
6 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
8 -
13 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
15 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
18 WordPress/2.9.2; http://www.domain.org
20 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
272 Apple-PubSub/65.12.1
:wq!