BCIT COMP 8006 Final Project by Wesley Kenzie April 2010


Upload: wesley-kenzie

Post on 10-Apr-2015


DESCRIPTION

This was my Final Project Report for the Winter 2010 term of COMP 8006 Network and Administration Security Level 2, demonstrating an understanding of intrusion detection, packet analysis, and security auditing. I earned an 85% final mark for this course.

TRANSCRIPT

Page 1: BCIT COMP 8006 Final Project by Wesley Kenzie April 2010

BCIT Computer Systems Technology COMP 8006 Network and Administration Security 2 Final Practical Project Author: Arthur (Wesley) Kenzie A00242330 ______________________________________________________________________________

______________________________________________________________________________Copyright © 2010 Arthur (Wesley) Kenzie. All Rights Reserved. Page 1 of 19

April 17, 2010

This assignment demonstrates an understanding of the principles of intrusion detection, packet analysis, and security auditing. Analysis was done on network traffic and other log file data that had previously been captured over a range of dates in May and June, 2007. This data was split into three separate directories representing 3 different groups of computers: Network 1, Network 2, and Network 3, as listed in Appendix A. It should be noted that not all log file data for these 3 different "networks" was provided. The snort and tcpdump log files, for example, contained evidence of more private IP addresses than log file data was provided for, resulting in some gaps in understanding. Also, boot logs were only provided for 2 computers, and so the allocation and use of IP addresses and network interfaces was not completely available for study. Firewall data, with one exception, was also missing, so the amount and type of traffic blocking and re-direction was unavailable. It is possible to make some inferences about the firewalls, but this report would be more complete if this data had been available. One firewall setup script was provided as part of the data for the Internal-IDS computer on Network 1, and it is presumed that the firewall on the external-facing computer on Network 1 was set up and operational based on this script. In general, the data provided shows evidence of a large amount of traffic, involving a few hundred different public and private IP addresses. But more than just quantity, there is also evidence that a significant portion of the traffic is intended either for reconnaissance or for malicious intent. This report provides a summary of the provided data, along with an analysis of the critical issues uncovered, and recommendations on what the administrator of these networks can do to improve the security and reduce the vulnerabilities that currently exist.

Network 1 ....................................................................... page 2
Network 2 ....................................................................... page 3
Network 3 ....................................................................... page 4
Analysis - uncertain or uncategorized events ....................... page 5
Analysis - reconnaissance events ....................................... page 6
Analysis - malicious events ................................................ page 7
Recommendations ............................................................ page 8
Methodology .................................................................... page 9
Appendix ......................................................................... page 10

Page 2: BCIT COMP 8006 Final Project by Wesley Kenzie April 2010


Network 1

The "Network 1" data was split between 7 separate computers (or VMware instances): "Desktop/Desktop1", "External-IDS", "Internal-IDS", "Redhat", "w2kPro", "w2kserver" and "webserver". The log files show the following likely setup:

Desktop and Desktop1 appear to be the same VMware instance with private IP address 192.168.0.103 on an internal subnet;

External-IDS appears to be an Internet facing Intel network interface having IP address 24.83.101.80 (ISP/Org Shaw Communications, Richmond, BC)

Internal-IDS is most likely on the 192.168.0.0/24 subnet, but it is unclear which private IP address or network interface it is using;

Redhat, w2kPro and w2kserver each appear to be a separate VMware instance on the internal subnet, and based on the firewall.sh script, their IP addresses are likely 192.168.0.8, 192.168.0.155, and 192.168.0.220, each running a web server on port 80; 192.168.0.8 appears to be running a "ModMylo" web server (see http://securityvulns.com/source/MODMYLO.html); 192.168.0.155 appears to be running a "BadBlue" web server (see http://www.badblue.com); and 192.168.0.220 appears to be running a "Mambo" CMS web server (see http://mambo-foundation.org);

webserver appears to be a VMware instance with private IP address of either (or both) 192.168.0.214 or 192.168.1.221 running another "Mambo" CMS web server on port 80 and an ftp server (called "Johnathan's ftp serv") on ports 20 and 21;

Page 3: BCIT COMP 8006 Final Project by Wesley Kenzie April 2010


Network 2

The "Network 2" data was split between 3 separate computers (or VMware instances): "Ksusha", "Kyrsten" and "Natasha". The log files show the following likely setup:

Ksusha appears to be an IBM computer (possibly an IBM PS/2) with private IP address 192.168.0.120; this computer appears to be running Fedora Core 6.4 on a 32-bit Intel Pentium III 1.4GHz, with 896MB RAM, a 33GB SCSI hard drive, Mag XJ500T monitor, and Intel Pro/100 network interface;

Kyrsten appears to be a separate (likely generic "white box") computer with private IP address 192.168.0.140; it appears to be running Fedora Core 3.4.2 on a 32-bit Intel Pentium III 400MHz with 256MB RAM, a 120GB IDE hard drive, generic VGA+ monitor, and Realtek Fast Ethernet network interface;

Natasha is likely on the same 192.168.0.0/24 subnet as Ksusha and Kyrsten, but it is unclear which private IP address or network interface it is using;

Ksusha's IP address actually started out as 192.168.0.105, but then changed to 192.168.0.107 on May 21, 2007 at 3:00:59, and then to 192.168.0.120 from May 28, 2007 at 11:43:34 onwards. In addition, although not provided as a separate set of log file data, there is evidence of a D-Link network interface with private IP address 192.168.0.1 acting as a dhcp server for this subnet. It is most likely a router out to the public Internet, but it is not clear what the public IP address for the router is. Other private IP addresses also show up in the log file data, but of these, the most significant one is 192.168.0.130. This computer has an IBM network interface with MAC address ending with 98:39:79 and it is possible that this is the Natasha computer discussed above. Whatever it is, it is significant because it appears to be the source of a number of malicious packets directed towards other computers on the same private subnet, towards other private subnets, and towards 6 public IP addresses.

Page 4: BCIT COMP 8006 Final Project by Wesley Kenzie April 2010


Network 3

The "Network 3" data was split between 4 separate computers (or VMware instances): "External IDS", "Internal IDS", "Linux", "W3SVC1" and "W3SVC3". The log files show the following likely setup:

External IDS appears to have a public IP address of 24.84.106.218 (ISP/Org Shaw Communications, Burnaby, BC) on a Dell Computer network interface;

Internal IDS has no clear evidence of its network interface or IP address;

Linux appears to have a private IP address of 192.168.2.103 as of June 1, 2007 15:37:12 and 192.168.1.101 as of June 8, 2007 23:38:03, on an unknown network interface;

W3SVC1 and W3SVC3 are likely the same Windows 2000 computer running an IIS 5.0 web server on private IP address 192.168.1.104;

There is also evidence in the log files of a web server running on private IP address 10.0.0.3, with a Cisco/Linksys network interface on the internal private subnet. This may be the same computer as W3SVC1 and W3SVC3, or it may be a separate computer.

Page 5: BCIT COMP 8006 Final Project by Wesley Kenzie April 2010


Analysis - uncertain or uncategorized events

(1) Network 1 "webserver" is hosting a Mambo content management system web server (see http://mambo-foundation.org on the web and /data/network1/webserver/httpd/access_log on the enclosed DVD) with IP address 192.168.1.221. This CMS system was updated on June 8, 2007 at 13:41:14 with 3 new entries in the "mos_content" table in the "mambodb1" database, a new "tropy.txt.jpg" file copied to the "/html/images/stories" directory, 3 new entries posted to the "mos_messages" table, and the last login by "admin" user as shown in the "mos_users" table.

(2) Network 2 "Kyrsten" is hosting a phpBB bulletin board forum system (see http://www.phpbb.com on the web and /data/network2/Kyrsten/log/httpd/access_log on the enclosed DVD) with IP address 192.168.0.140. This web server was found to be configured with "server_name" as 205.250.214.139 and running on port 8088.

(3) Network 3 "Linux" shows user "team3" added then deleted 6 times in succession (see /data/network3/Log files/Linux/secure on the enclosed DVD) on June 10, 2007 starting at 18:55:33, and finally added without deleting at 19:50:12;

(4) Network 3 "Linux" shows user "team1" added (see /data/network3/Log files/Linux/secure on enclosed DVD) on June 10, 2007 at 19:43:38 and its password set (or changed) at 19:45:30;

(5) Network 3 "Linux" shows C programs "tty10" and "backdoor" compiled with /usr/bin/gcc on June 10, 2007 starting at 20:43:31 (see /data/network3/Log files/Linux/secure on enclosed DVD);

(6) Network 1 "Desktop" ports 1026 and 1027 are often seen receiving packets from port 30979 and other ports on public IP addresses. There is no apparent reason for this and it is suspected that this computer may be infected by malware, or perhaps once was infected by malware (see /network1/Internal-IDS/tcpdump_by_ip on the enclosed DVD);

Page 6: BCIT COMP 8006 Final Project by Wesley Kenzie April 2010


Analysis - reconnaissance events

(1) Network 1 shows as the target of numerous probes from IP address 154.5.44.105 as per the spreadsheet summaries /data/network1/154.5.44.105.events and /data/network1/154.5.44.105.events_frequency. There were over 429,300 different events logged from this source, although a large portion of these events may actually be legitimate TCP traffic to the web server and ftp server running on 192.168.0.214, as per the spreadsheet summary /network1/webserver/tcpdump_by_ip.xlsx;

(2) Network 2 shows 192.168.0.130 port 3389 (Windows RDP or Terminal Services port) as the target of numerous probes from 154.5.44.105 starting on June 8, 2007 at 18:49:38;

(3) Network 1 shows 192.168.0.8 ports 45295 and 7001-7010 sending communications to targeted public IP addresses 24.86.126.16, 154.5.35.34, and a few others;

(4) Network 1 shows significant volume of traffic from IP address 24.86.119.45 (see spreadsheet summaries /data/network1/24.86.119.45.events and /network1/24.86.119.45.events_frequency showing all log data originating from this IP address);

(5) IP address 24.83.102.202 is doing reconnaissance on 192.168.0.103 on Network 1;

(6) IP address 24.83.1.134 is doing reconnaissance on 192.168.0.103 and 192.168.0.214 on Network 1;

(7) IP address 72.53.37.41 is doing reconnaissance on Network 3 192.168.0.130 port 3389;

(8) many more are indicated in the various Excel spreadsheets included on the enclosed DVD;

Page 7: BCIT COMP 8006 Final Project by Wesley Kenzie April 2010


Analysis - malicious events

(1) Likely attack attempts against Network 1 "webserver" from 192.168.1.208 as indicated in /data/network1/webserver/access_log on June 3, 2007 starting at 16:23:10;

(2) Likely attack attempts against Network 2 "Kyrsten" from 192.168.0.130 as indicated in /data/network2/Kyrsten/log/httpd/ssl_access_log.1 on June 10, 2007 at 0:52:09 and in /data/network2/Kyrsten/log/httpd/ssl_error_log.1 on 0:51:28;

(3) Network 2 has 192.168.0.130 doing attacks or reconnaissance against other machines on its own internal, private subnet: specifically 192.168.0.140, 192.168.0.120 and 192.168.0.1 (as per /data/network2/SnortSnarf/sig/sigsid-1122.html and /data/network2/SnortSnarf/192/168/0/src192.168.0.130.html);

(4) Likely attempted attack from IP address 24.83.102.202 against Network 3 "Windows" computer on June 9, 2007 starting at 4:16:27 as shown in /data/network3/Log files/Windows/24.83.101.80 IIS LOG FILES.txt; also as per /data/network3/Log files/Windows/W3SVC1/ex070609.log;

(5) Likely attempted attack from IP address 154.5.44.105 against Network 3 "Windows" computer starting on June 8, 2007 at 3:49:50 as per /data/network3/Log files/Windows/W3SVC1/ex070608.log. (An interesting consideration regarding this attempted attack is that the attacker at 154.5.44.105 was aware of the IIS web server using port 18080, and then switching to port 80 within a few minutes of it being changed by a local user "AMAN\Administrator". It seems likely that the attacker was at a minimum in communication with the local user just before this series of attempted attacks began. This theory is also supported by the fact that /data/network3/Log files/Windows/W3SVC1/ex070609.log shows a local user at 192.168.1.103 on June 6, 2007 3:15:43 also attempting to http "GET" some of the same files as remote users at both 154.5.44.105 and 24.83.102.202.)

(6) Likely successful intrusion of Network 3 "Windows" computer by IP address 24.83.102.202 on June 9, 2007 starting at 4:20:37 and ending at 7:45:40 as per /network3/Log files/Windows/W3SVC1/ex070609.log; also as per /data/network3/Internal IDS/snort_by_ip.xlsx where 10.0.0.3:1042 is shown as sending 18,262 packets to 24.83.102.202:5555;

Page 8: BCIT COMP 8006 Final Project by Wesley Kenzie April 2010


Recommendations:

(1) Firewalls need to be installed on Network 1 and Network 3 between the External and Internal IDS interfaces to halt inbound traffic to ports that are not essential. There is currently excessive traffic being allowed in from the public Internet to the private subnet(s) of these networks. No ports should be left open unless essential.

(2) A firewall needs to be installed on Network 2 between the internal subnet and the public Internet to halt inbound traffic to ports that are not essential, as per Recommendation (1).

(3) The Snort IDS installations on Networks 1 and 3 need to be updated to deny access to IP addresses that are found to be the source of attacks. Currently these Snort installations appear to be logging events to an "alert" log, but there is clear evidence of attacks that can and should be stopped, using post-detection "resp" and/or "react" rules.

(4) A Snort IDS needs to be installed on Network 2 for the same purpose - to not only log attacks, but also to stop incoming attacks.

(5) The Network 1 Desktop machine is suspected of being infected with some sort of malware. It must be taken offline immediately, and scanned for viruses, trojans, rootkits and everything else. It may be best to completely erase or destroy this computer/VMware instance in order to eradicate the malware.

(6) Similar to Recommendation (5), the Network 2 computer at 192.168.0.130 is suspected of being infected with some sort of malware. It must be taken offline immediately, and scanned for viruses, trojans, rootkits and everything else. It may be best to completely erase or destroy this computer in order to eradicate the malware.

(7) Similar to Recommendation (5), the Network 3 computer at 10.0.0.3 has been compromised and must be taken offline immediately for remediation or destruction.

Page 9: BCIT COMP 8006 Final Project by Wesley Kenzie April 2010


Methodology

A MySQL database was created to hold the majority of log file data. A custom C++ program was built to read the various Snort "alert" logs and export a series of comma-separated value ("csv") format text files that were imported into the database. The Snort log files and tcpdump log files were read into Wireshark and then exported to a series of csv format text files that were also then imported into the database. A particular challenge here was that Wireshark 64-bit for Windows would crash without warning when attempting to import pcap files that had more than about 2.5 million packets. The largest tcpdump log file amongst the provided data had over 20 million packets, and another had over 6 million. Wireshark 32-bit was somewhat better at providing an error message in these cases, but the eventual solution required using "editcap" to manually split the files into 2 million packet files so that Wireshark could read and export them. Some of the "secure" and "httpd" log files were edited by hand in Adobe Dreamweaver before using a LOAD DATA LOCAL command from within MySQL Workbench to load this data into the database. A spreadsheet was also created to capture much of the relevant Network 2 log files, since there was such a variety of formats amongst them. This spreadsheet was eventually exported to csv format and imported into the database too. Summaries in Excel format were created by exporting from the database to csv format files and then opening them in Excel. Once in Excel, these csv files were saved in xlsx format in order to get around the maximum limit of about 1 million rows per csv file.
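The alert-log import step of this methodology, written here as a Python example (added by this edit; it is not the report's C++ alert_log_import tool, whose source is on the DVD): it reads a Snort "alert" log into rows, writes CSV for a database bulk load, and counts events per field the way the *.events_frequency and snort_by_* spreadsheets do. It also accepts Snort's one-line "fast" alert format, which goes beyond the full format the report describes; the sample log lines and their sids are constructed for the example.

```python
"""Read Snort "alert" logs into CSV rows and frequency summaries.
Handles both the full (multi-line, blank-line delimited) and fast (one-line)
alert formats. Example code added by the editor, not the report's own
alert_log_import tool; SAMPLE_ALERT_LOG is constructed for the example."""
import csv
import io
import re
from collections import Counter

TS = r"(\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)"   # MM/DD-HH:MM:SS.usec (no year)
IP = r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?"   # address with optional :port
# Full format: "[**] [gid:sid:rev] msg [**]" header, a classification line,
# a "timestamp src -> dst" line, then a protocol line (TCP/UDP/ICMP ...).
HEADER_RE = re.compile(r"^\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]$")
CLASS_RE = re.compile(r"\[Classification:\s*([^\]]*)\]\s*\[Priority:\s*(\d+)\]")
ADDR_RE = re.compile(rf"^{TS}\s+{IP}\s+->\s+{IP}$")
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP)\b")
# Fast format: the same fields on one line, with the protocol in braces.
FAST_RE = re.compile(
    rf"^{TS}\s+\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]\s*"
    rf"(?:\[Classification:\s*([^\]]*)\])?\s*(?:\[Priority:\s*(\d+)\])?\s*"
    rf"\{{(\w+)\}}\s+{IP}\s+->\s+{IP}$")
FIELDS = ("timestamp", "gid", "sid", "rev", "msg", "classification",
          "priority", "proto", "src_ip", "src_port", "dst_ip", "dst_port")


def _alert(ts, gid, sid, rev, msg, cls, prio, proto, sip, sport, dip, dport):
    """Build one alert row; ports are None for ICMP, priority 0 if absent."""
    values = (ts, int(gid), int(sid), int(rev), msg, cls or "", int(prio or 0),
              proto, sip, int(sport) if sport else None, dip,
              int(dport) if dport else None)
    return dict(zip(FIELDS, values))


def parse_full_record(lines):
    """One full-format record -> alert dict; None if the record is truncated."""
    header = HEADER_RE.match(lines[0])
    if not header:
        return None
    gid, sid, rev, msg = header.groups()
    cls, prio, proto, addr = "", 0, "", None
    for line in lines[1:]:
        if m := CLASS_RE.search(line):
            cls, prio = m.groups()
        elif m := ADDR_RE.match(line):
            addr = m.groups()
        elif m := PROTO_RE.match(line):
            proto = m.group(1)
    if addr is None:   # e.g. the damaged tail of a log: no address line
        return None
    ts, sip, sport, dip, dport = addr
    return _alert(ts, gid, sid, rev, msg, cls, prio, proto, sip, sport, dip, dport)


def parse_alert_log(text):
    """Parse a whole log; fast lines and full records may be mixed."""
    alerts, record = [], []

    def flush():
        if record and (a := parse_full_record(record)) is not None:
            alerts.append(a)
        record.clear()

    for raw in text.splitlines():
        line = raw.rstrip()
        if m := FAST_RE.match(line):
            flush()
            alerts.append(_alert(*m.groups()))
        elif line:
            record.append(line)
        else:               # blank line ends a full-format record
            flush()
    flush()
    return alerts


def to_csv(alerts):
    """CSV text ready for a database bulk load (e.g. MySQL LOAD DATA LOCAL)."""
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    w.writeheader()
    w.writerows(alerts)
    return out.getvalue()


def summarise(alerts, *keys):
    """Count alerts per combination of fields, most frequent first (what the
    report's *_by_ip and *_frequency spreadsheets boil down to)."""
    return Counter(tuple(a[k] for k in keys) for a in alerts).most_common()


SAMPLE_ALERT_LOG = """\
[**] [1:1122:5] WEB-MISC /etc/passwd [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/10-00:52:09.215083 192.168.0.130:1347 -> 192.168.0.140:8088
TCP TTL:128 TOS:0x0 ID:5120 IpLen:20 DgmLen:292 DF

[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/08-18:49:38.772110 154.5.44.105 -> 192.168.0.130
ICMP TTL:48 TOS:0x0 ID:9021 IpLen:20 DgmLen:28

06/08-18:49:40.101010  [**] [1:1122:5] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 154.5.44.105:4410 -> 192.168.0.130:3389
"""
```

`summarise(parse_alert_log(text), "src_ip", "dst_ip", "dst_port")` gives the per-pair counts that the report's snort_by_ip sheets tabulate.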

Page 10: BCIT COMP 8006 Final Project by Wesley Kenzie April 2010


APPENDIX

The following files are included on the accompanying DVD:

/ (root directory)
FinalProject.doc (this file)
FinalProject.pdf (pdf version of this file)
FinalProjMar-10.pdf (copy of assignment description)
waiver.pdf (signed copy of waiver)

/tools/alert_log_import/ (directory)
Alert.h (c++ header file for Alert class prototypes)
Alert.cpp (c++ source code for implementation of Alert class)
AlertId.h (c++ header file for AlertId class prototypes)
AlertId.cpp (c++ source code for implementation of AlertId class)
globals.h (c++ header file for global functions and data structures)
alert_log_import.cpp (c++ source code for main program)
alert_log_import.exe (c++ program to process snort alert logs into csv text files)

/tools/mysql/ (directory)
analysis.* (MySQL MYISAM database table "analysis" with majority of combined log file data for network1, network2, and network3)

/data/network1/ (directory)
*.events.xlsx (Excel spreadsheet summaries of all events originating from specified IP addresses into network1)
*.events_frequency.xlsx (Excel spreadsheet summaries of all events originating from specified IP addresses into network1 sorted by frequency)

/data/network1/Desktop/ (directory)
alert.ids.gz (snort alert log file provided for analysis; from June 8, 2007 20:32:01 to June 9, 2007 9:18:24)
alert.ids.csv (comma-separated values version of alert.ids log file)
alert.ids.xlsx (Excel spreadsheet version of alert.ids log file)
alert.ids_summary*.xlsx (various Excel spreadsheet summaries of alert.ids log file)
snort.log.1181359563.gz (snort log file provided for analysis; from June 8, 2007 20:32:01 to June 10, 2007 8:00:53)
snort.xlsx (Excel spreadsheet version of snort.log file)
snort_by_*.xlsx (various Excel spreadsheet summaries of snort "events")

Page 11: BCIT COMP 8006 Final Project by Wesley Kenzie April 2010


/data/network1/Desktop1/ (directory)
alert.ids.gz (snort alert log file provided for analysis; from June 9, 2007 17:06:13 to June 10, 2007 19:58:27)
alert.ids.csv (comma-separated values version of alert.ids log file)
alert.ids.xlsx (Excel spreadsheet version of alert.ids log file)
alert.ids_summary*.xlsx (various Excel spreadsheet summaries of alert.ids log file)
snort.log.1181231020.gz (1st of 2 snort log files provided for analysis; from June 7, 2007 8:43:42 to 8:49:50)
snort.log.1181433972.gz (2nd of 2 snort log files provided for analysis; from June 9, 2007 17:06:13 to June 10, 2007 19:58:31)
snort.xlsx (Excel spreadsheet version of 2 combined snort log files)
snort_by_*.xlsx (various Excel spreadsheet summaries of 2 combined snort "events")

/data/network1/External-IDS/ (directory)
alert.gz (snort alert log file provided for analysis; from June 8, 2007 20:07:42 to June 10, 2007 13:46:19)
alert.csv (comma-separated values version of alert log file)
alert.xlsx (Excel spreadsheet version of alert log file)
alert_summary*.xlsx (various Excel spreadsheet summaries of alert log file)
snort.log.1181358424.gz (snort log file provided for analysis; from June 8, 2007 20:07:42 to June 10, 2007 13:46:41)
snort.xlsx (Excel spreadsheet version of snort.log file)
snort_by_*.xlsx (various Excel spreadsheet summaries of snort.log file)
tcpdump-fri-2006.gz (tcpdump log file provided for analysis; from June 9, 2007 0:38:57 to June 10, 2007 11:52:25. This log file proved to be too large to be read successfully by Wireshark and so it was split into 10 files tcpdump-fri-2006.000xx.pcap.gz, each holding a maximum of 2,000,000 packets. The combination of these 10 files is equal to the individual tcpdump log file.)
tcpdump_xx.xlsx (Excel spreadsheet versions of tcpdump-fri-2006.xx.pcap files; each with a maximum of 1,000,000 rows)
tcpdump_by_*.xlsx (various Excel spreadsheet summaries of tcpdump log file)

/data/network1/Internal-IDS/ (directory)
alert.gz (snort alert log file provided for analysis; from June 8, 2007 21:20:34 to June 10, 2007 19:58:29)
alert.csv (comma-separated values version of alert log file)
alert.xlsx (Excel spreadsheet version of alert log file)
alert_summary*.xlsx (various Excel spreadsheet summaries of alert log file)
snort.log.1181362833.gz (snort log file provided for analysis; from June 8, 2007 21:20:34 to June 10, 2007 19:58:54)
snort.xlsx (Excel spreadsheet version of snort.log file)

Page 12: BCIT COMP 8006 Final Project by Wesley Kenzie April 2010


snort_by_*.xlsx (various Excel spreadsheet summaries of snort.log file)
tcpdump-fri-2015.gz (tcpdump log file provided for analysis; from June 8, 2007 20:16:33 to June 10, 2007 20:01:59. This log file proved to be too large to be read successfully by Wireshark and so it was split into 6 files tcpdump-fri-2015.000xx.pcap.gz, each holding a maximum of 1,000,000 packets. The combination of these 6 files is equal to the individual tcpdump log file.)
tcpdump_xx.xlsx (Excel spreadsheet versions of tcpdump-fri-2006.xx.pcap files; each with a maximum of 1,000,000 rows)
tcpdump_by_*.xlsx (various Excel spreadsheet summaries of tcpdump log file)
firewall.sh (iptables firewall setup script)

/data/network1/Redhat/ (directory)
alert.gz (snort alert log file provided for analysis; from June 8, 2007 21:49:09 to June 10, 2007 17:44:52)
alert.csv (comma-separated values version of alert log file)
alert.xlsx (Excel spreadsheet version of alert log file)
alert_summary*.xlsx (various Excel spreadsheet summaries of alert log file)
snort.log.*.gz (snort log files provided for analysis; from June 8, 2007 21:49:09 to June 10, 2007 17:44:52)
snort.xlsx (Excel spreadsheet version of snort.log file)
snort_by_*.xlsx (various Excel spreadsheet summaries of snort.log file)
tcpdump.log.gz (tcpdump log file provided for analysis; from June 8, 2007 20:03:51 to June 10, 2007 0:29:39. This log file was damaged. None of the packets after the last could be read.)
tcpdump_xx.xlsx (Excel spreadsheet versions of tcpdump-fri-2006.xx.pcap files; each with a maximum of 1,000,000 rows)
tcpdump_by_*.xlsx (various Excel spreadsheet summaries of tcpdump log file)
dave.log (apparent TCP server log file; from June 7, 2007 21:51:54 to June 10, 2007 17:50:48. This log file was cleaned up a bit because of missing line feeds on some messages.)

Page 13: BCIT COMP 8006 Final Project by Wesley Kenzie April 2010


/data/network1/Redhat/httpd/ (directory)
access_log* (Apache 1.3.23 httpd web server access log files provided for analysis; from June 8, 2007 20:02:45 to June 10, 2007 18:48:04)
error_log* (Apache 1.3.23 httpd web server error log files provided for analysis; from June 8, 2007 19:55:06 to June 15, 2007 11:38:23)
access_log_205_250_214_139.txt (portion of httpd access log file including only access from 1 IP address: 205.250.214.139)
ssl_* (Apache 1.3.23 httpd web server ssl log files provided for analysis; all of these were empty, with no data)

/data/network1/w2kPro/ (directory)
alert.ids.gz (snort alert log file provided for analysis; from June 8, 2007 20:32:16 to June 10, 2007 18:24:47)
alert.ids.csv (comma-separated values version of alert log file)
alert.ids.xlsx (Excel spreadsheet version of alert log file)
alert.ids_summary*.xlsx (various Excel spreadsheet summaries of alert log file)
snort.log.*.gz (snort log files provided for analysis; from June 8, 2007 20:32:16 to June 10, 2007 18:24:47)
snort.xlsx (Excel spreadsheet version of snort.log file)
snort_by_*.xlsx (various Excel spreadsheet summaries of snort.log file)

/data/network1/w2kserver/ (directory)
alert.ids.gz (snort alert log file provided for analysis; from June 7, 2007 20:12:34 to June 9, 2007 18:24:49)
alert.ids.csv (comma-separated values version of alert log file)
alert.ids.xlsx (Excel spreadsheet version of alert log file)
alert.ids_summary*.xlsx (various Excel spreadsheet summaries of alert log file)
snort.log.*.gz (snort log files provided for analysis; from June 7, 2007 20:12:34 to June 9, 2007 18:24:49)
snort.xlsx (Excel spreadsheet version of snort.log file)
snort_by_*.xlsx (various Excel spreadsheet summaries of snort.log file)


/data/network1/webserver/ (directory)
    alert.gz (snort alert log file provided for analysis; from June 7, 2007 20:10:46 to June 8, 2007 22:58:57)
    alert.csv (comma-separated values version of alert log file)
    alert.xlsx (Excel spreadsheet version of alert log file)
    alert_summary*.xlsx (various Excel spreadsheet summaries of alert log file)
    snort.log.*.gz (snort log file provided for analysis; from June 7, 2007 20:10:46 to June 8, 2007 22:58:57)
    snort.xlsx (Excel spreadsheet version of snort.log file)
    snort_by_*.xlsx (various Excel spreadsheet summaries of snort.log file)
    tcpdump-fri-2010.gz (tcpdump log file provided for analysis; from June 7, 2007 20:09:32 to June 9, 2007 0:31:04)
    tcpdump.xlsx (Excel spreadsheet version of tcpdump-fri-2010 file)
    tcpdump_by_*.xlsx (various Excel spreadsheet summaries of tcpdump log file)
    mysqld.log (mysql 5.0.27 log file provided for analysis; from June 3, 2007 16:02:42 to June 7, 2007 20:08:45)
/data/network1/webserver/html/ (directory)
/data/network1/webserver/mysql/ (directory)
    *.* (numerous Mambo content management system web server and MySQL database files provided for analysis; these appear to have been installed on June 3, 2007 17:02:40 with database "mambodb1", user login "mambo342" and password "joom4access", and last updated on June 8, 2007 23:36:12)


/data/network2/ (directory)
    *.events.xlsx (Excel spreadsheet summaries of all events originating from specified IP addresses into network2)
    *.events_frequency.xlsx (Excel spreadsheet summaries of all events originating from specified IP addresses into network2, sorted by frequency)
/data/network2/Ksusha/log/ (directory)
    acpid (acpid log file provided for analysis; from May 21, 2007 to June 8, 2007 18:28:01)
    anaconda* (anaconda installation log files provided for analysis; from May 21, 2007)
    boot.log* (boot log files provided for analysis; from May 21, 2007 to June 10, 2007)
    btmp* (failed login log files provided for analysis; from May 21, 2007 9:35 to June 13, 2007 18:55:26)
    cron* (cron log files provided for analysis; from May 21, 2007 to June 13, 2007)
    maillog* (mail log files provided for analysis; from May 27, 2007 to June 13, 2007)
    message* (system messages log files provided for analysis; from May 21, 2007 to June 13, 2007)
    rpmpkgs* (RedHat Package Manager log files provided for analysis; from May 26, 2007 to June 13, 2007)
    scrollkeeper* (scrollkeeper log files provided for analysis; from May 21, 2007)
    secure* (system authentication log files provided for analysis; from May 21, 2007 5:51:56 to June 13, 2007 18:55:32)
    spooler* (print spooler log files provided for analysis; from May 21, 2007 to June 10, 2007)
    wtmp* (successful login log files provided for analysis; from May 21, 2007 5:51:34 to June 13, 2007 18:53:26)
    Xorg* (X Windows log files provided for analysis; from May 28, 2007 to June 8, 2007)
    yum.log (yum log file provided for analysis; from May 28, 2007 to June 8, 2007)
    cups/access_log* (cups access log files provided for analysis)
    cups/error_log* (cups error log files provided for analysis)
    gdm/%3a0* (gdm log files provided for analysis)
    httpd/access_log* (Apache 2.2.3 httpd web server access log files provided for analysis)
    httpd/error_log* (Apache 2.2.3 httpd web server error log files provided for analysis)
    prelink/prelink.log (Linux prelink log file provided for analysis)
/data/network2/Ksusha/3proxy/etc/ (directory)
    3proxy.cfg (3proxy configuration file provided for analysis; the 3proxy.log file was not provided for analysis; this configuration file appears to allow 3proxy to be used as an "open" proxy)


/data/network2/Ksusha/3proxy/sbin/ (directory)
    * (3proxy program "binaries" provided for analysis; these appear to have been installed on May 21, 2007, but there is no evidence that they were ever used or run)
    trophy.txt (text file provided for analysis: "Good job - you got the easiest one with the proxy shit!" Presume this was purposefully placed here for an unknown reason.)
/data/network2/Ksusha/3proxy/ (directory)
    trophy.txt (directory contains only this single text file: "This is a trophy for the exploit. The easy one! :)" Presume this was purposefully placed here for an unknown reason.)
/data/network2/Kyrsten/log/ (directory)
    anaconda* (anaconda installation log files provided for analysis; from June 9, 2007)
    boot.log* (boot log files provided for analysis; from June 9, 2007 8:15:39 to June 10, 2007 4:02:22)
    cron* (cron log files provided for analysis; from June 9, 2007 8:16:07 to June 13, 2007 18:01:01)
    maillog* (mail log files provided for analysis; from June 9, 2007 8:16:05 to June 13, 2007 4:02:12)
    message* (system messages log files provided for analysis; from June 9, 2007 8:15:39 to June 13, 2007 18:08:57)
    mysqld.log* (mysql database log files provided for analysis; from June 8, 2007 14:09:13 to June 10, 2007)
    prelink.log (Linux prelink log file provided for analysis)
    rpmpkgs* (RedHat Package Manager log files provided for analysis; from June 9, 2007 to June 13, 2007)
    scrollkeeper* (scrollkeeper log files provided for analysis; from June 9, 2007)
    secure* (system authentication log files provided for analysis; from June 8, 2007 13:17:52 to June 13, 2007 18:55:32)
    wtmp* (successful login log files provided for analysis; from June 8, 2007 to June 10, 2007)
    Xorg* (X Windows log files provided for analysis; from June 8, 2007)
    cups/access_log* (cups access log files provided for analysis)
    cups/error_log* (cups error log files provided for analysis)
    gdm/%3a0* (gdm log files provided for analysis)
    httpd/access_log* (Apache 2.2.3 httpd web server access log files provided for analysis)
    httpd/error_log* (Apache 2.2.3 httpd web server error log files provided for analysis)
    httpd/ssl_access_log* (Apache 2.2.3 httpd web server SSL access log files provided for analysis)
    httpd/ssl_error_log* (Apache 2.2.3 httpd web server SSL error log files provided for analysis)
    httpd/ssl_request_log* (Apache 2.2.3 httpd web server SSL request log files provided for analysis)


/data/network2/Kyrsten/www/ (directory)
/data/network2/Kyrsten/mysql/ (directory)
    *.* (numerous phpBB version 2 bulletin board forum system web server and MySQL database files provided for analysis; these appear to have been installed on June 8, 2007 16:45:22 with database "phpbb", user login "phpbb" and password "Pa$$word", and last updated on June 10, 2007 20:05:48)
/data/network2/Kyrsten/www/usage/ (directory)
    *.* (webalizer generated files provided for analysis; created on June 11, 2007 5:11:24)
/data/network2/Natasha - IDS/ (directory)
    alert.gz (snort alert log file provided for analysis; from June 8, 2007 18:46:46 to June 10, 2007 23:34:43)
    alert.csv (comma-separated values version of alert log file)
    alert.xlsx (Excel spreadsheet version of alert log file)
    alert_summary*.xlsx (various Excel spreadsheet summaries of alert log file)
    snort.log.*.gz (snort log file provided for analysis; from June 8, 2007 18:46:46 to June 10, 2007 23:34:43)
    snort.xlsx (Excel spreadsheet version of snort.log file)
    snort_by_*.xlsx (various Excel spreadsheet summaries of snort.log file)
/data/network2/SnortSnarf/ (directory)
    *.* (various directories and files provided for analysis; these appear to have been created by the SnortSnarf software from the snort alert log file data in the "Natasha - IDS" directory on June 13, 2007 18:15:49)


/data/network3/ (directory)
    *.events.xlsx (Excel spreadsheet summaries of all events originating from specified IP addresses into network3)
    *.events_frequency.xlsx (Excel spreadsheet summaries of all events originating from specified IP addresses into network3, sorted by frequency)
/data/network3/External IDS/ (directory)
    alert.gz (snort alert log file provided for analysis; from June 8, 2007 19:50:55 to June 10, 2007 20:11:47)
    alert.csv (comma-separated values version of alert log file)
    alert.xlsx (Excel spreadsheet version of alert log file)
    alert_summary*.xlsx (various Excel spreadsheet summaries of alert log file)
    snort.log.*.gz (snort log file provided for analysis; from June 8, 2007 17:06:04 to June 10, 2007 17:11:47)
    snort.xlsx (Excel spreadsheet version of snort.log file)
    snort_by_*.xlsx (various Excel spreadsheet summaries of snort.log file)
/data/network3/Internal IDS/ (directory)
    alert.gz (snort alert log file provided for analysis; from June 8, 2007 21:09:55 to June 10, 2007 19:48:16)
    alert.csv (comma-separated values version of alert log file)
    alert.xlsx (Excel spreadsheet version of alert log file)
    alert_summary*.xlsx (various Excel spreadsheet summaries of alert log file)
    snort.log.*.gz (snort log file provided for analysis; from June 8, 2007 21:09:55 to June 10, 2007 19:48:16)
    snort.xlsx (Excel spreadsheet version of snort.log file)
    snort_by_*.xlsx (various Excel spreadsheet summaries of snort.log file)
/data/network3/Log files/Linux/ (directory)
    .log (samba log file provided for analysis; from June 9, 2007 22:45:54 to June 11, 2007 22:09:19)
    smbd.log (another samba log file provided for analysis; from June 10, 2007 4:02:51 to June 11, 2007 22:04:24)
    log.nmbd (Netbios nameserver 2.2.7a log file provided for analysis; from May 31, 2007 23:42:44 to June 11, 2007 4:02:54)
    log.smbd (samba log file provided for analysis; from May 31, 2007 23:42:43 to June 11, 2007 2:39:35)
    secure* (system authentication log files provided for analysis; from June 6, 2007 2:34:50 to June 22, 2007 1:33:53)


/data/network3/Log files/Windows/ (directory)
    EXPLOI~1.RTF (rich-text format file provided for analysis; created June 15, 2007 23:25)
    205 250 214 139 IIS LOG FILES.txt (text file provided for analysis; created June 15, 2007 23:27)
    24.83.101.80 IIS LOG FILES.txt (text file provided for analysis; created June 15, 2007 23:27)
/data/network3/Log files/Windows/W3SVC1/ (directory)
    ex070608.log (Microsoft IIS 5.0 log file provided for analysis; from June 8, 2007 3:20:56 to 6:00:51; some IP addresses or domain names appear to have been previously scrubbed, showing as xxxxxxx)
    ex070609.log (Microsoft IIS 5.0 log file provided for analysis; from June 9, 2007 2:58:35 to 21:24:26)
/data/network3/Log files/Windows/W3SVC3/ (directory)
    ex070609.log (Microsoft IIS 5.0 log file provided for analysis; from June 9, 2007 21:15:22 to 23:30:12)
    ex070610.log (Microsoft IIS 5.0 log file provided for analysis; from June 10, 2007 2:41:20 to 23:49:36)