Task A.3a/b
/sbin/ipchains -L
Chain input (policy DENY):
target     prot opt     source                destination             ports
DENY       tcp  ----l-  ntec13                ntec238.fox.hkntec.net  any ->   ssh
ACCEPT     all  ------  127.0.0.0/8           anywhere                n/a
ACCEPT     all  ------  192.168.128.0/24      anywhere                n/a
ACCEPT     all  ------  192.168.64.0/24       anywhere                n/a
ACCEPT     all  ------  137.189.99.80/29      anywhere                n/a
ACCEPT     tcp  !y----  anywhere              anywhere                any ->   any
ACCEPT     udp  ------  anywhere              anywhere                1024:65535 ->   any
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
Log from /var/log/messages
Nov 6 17:14:00 ntec238 kernel: Packet log: input DENY eth0 PROTO=6 192.168.64.13:1023 192.168.128.238:22 L=60 S=0x00 I=3563 F=0x4000 T=63 SYN (#1)
Nov 6 17:14:03 ntec238 kernel: Packet log: input DENY eth0 PROTO=6 192.168.64.13:1023 192.168.128.238:22 L=60 S=0x00 I=3565 F=0x4000 T=63 SYN (#1)
Nov 6 17:14:09 ntec238 kernel: Packet log: input DENY eth0 PROTO=6 192.168.64.13:1023 192.168.128.238:22 L=60 S=0x00 I=3570 F=0x4000 T=63 SYN (#1)
nmap output:
(The 1508 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     filtered    ssh
23/tcp     open        telnet
25/tcp     open        smtp
79/tcp     open        finger
80/tcp     open        http
98/tcp     open        linuxconf
111/tcp    open        sunrpc
113/tcp    open        auth
513/tcp    open        login
514/tcp    open        shell
515/tcp    open        printer
962/tcp    open        unknown
980/tcp    open        unknown
1024/tcp   open        kdm

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=3525789 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14

Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
Task B.1.3
Files changed are:
Task B.1.4
Note: Report is not encrypted.

Tripwire(R) 2.2.1 Integrity Check Report

Report generated by:          root
Report created on:            Thu 26 Oct 2000 11:39:21 AM HKT
Database last updated on:     Thu 26 Oct 2000 11:37:19 AM HKT
===============================================================================
Report Summary:
===============================================================================
Host name:                    ntec238
Host IP address:              192.168.128.138
Host ID:                      a8c08a80
Policy file used:             /usr/local/TSS/policy/tw.pol
Configuration file used:      /usr/local/TSS/bin/tw.cfg
Database file used:           /usr/local/TSS/db/ntec238.twd
Command line used:            ./tripwire --check --interactive
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* Configuration Files             0                 0        0        2
  (/etc)

Total objects scanned:  1441
Total violations found: 2
===============================================================================
Object Detail:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Severity Level: 0
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 2
----------------------------------------
Modified object name:  /etc

  Property:            Expected                         Observed
  -------------        -----------                      -----------
* Modify Time          Thu 26 Oct 2000 11:36:37 AM HKT  Thu 26 Oct 2000 11:38:43 AM HKT

Modified object name:  /etc/hosts

  Property:            Expected                         Observed
  -------------        -----------                      -----------
* Size                 152                              154
* Modify Time          Thu 26 Oct 2000 11:36:37 AM HKT  Thu 26 Oct 2000 11:38:43 AM HKT
* CRC32                CdxjDJ                           B/Dmzm
* MD5                  CuddkeRcGWpzsld2PdTwzm           DyJSJkXNUofo8vyXqvmv0E
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Copyright (C) 1998-2000 Tripwire(R) Security Systems, Inc.
Tripwire(R) is a registered trademark of the Purdue Research Foundation and is licensed exclusively to Tripwire(R) Security Systems, Inc.
Task B.2.2
[**] spp_portscan: PORTSCAN DETECTED from 192.168.64.23 (THRESHOLD 4 connections exceeded in 0 seconds) [**]
11/06-17:06:44.800048

[**] Possible NMAP Fingerprint attempt [**]
11/06-17:06:45.070690 0:B0:D0:11:CB:4B -> 0:D0:9:1C:53:1B type:0x800 len:0x4A
192.168.64.23:57477 -> 192.168.128.238:21 TCP TTL:49 TOS:0x0 ID:60037
**SF*P*U Seq: 0x7DEEF20C   Ack: 0x0   Win: 0xC00
TCP Options => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL

[**] NMAP TCP ping! [**]
11/06-17:06:45.070760 0:B0:D0:11:CB:4B -> 0:D0:9:1C:53:1B type:0x800 len:0x4A
192.168.64.23:57478 -> 192.168.128.238:21 TCP TTL:49 TOS:0x0 ID:34644
******A* Seq: 0x7DEEF20C   Ack: 0x0   Win: 0xC00
TCP Options => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL

[**] NMAP TCP ping! [**]
11/06-17:06:45.070871 0:B0:D0:11:CB:4B -> 0:D0:9:1C:53:1B type:0x800 len:0x4A
192.168.64.23:57480 -> 192.168.128.238:1 TCP TTL:49 TOS:0x0 ID:40219
******A* Seq: 0x7DEEF20C   Ack: 0x0   Win: 0xC00
TCP Options => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL
Task B.2.3
[**] backdoor access! [**]
11/06-16:21:32.659929 0:D0:9:1C:53:1B -> 0:B0:D0:11:CB:4B type:0x800 len:0x48
192.168.128.238:8080 -> 192.168.64.23:1429 TCP TTL:64 TOS:0x0 ID:8044 DF
*****PA* Seq: 0x232067D4   Ack: 0x23F7AEB5   Win: 0x7C70
TCP Options => NOP NOP TS: 112425795 16856168

[**] backdoor access! [**]
11/06-16:36:25.025165 0:D0:9:1C:53:1B -> 0:B0:D0:22:A:28 type:0x800 len:0x48
192.168.128.238:8080 -> 192.168.128.230:2232 TCP TTL:64 TOS:0x0 ID:8740 DF
*****PA* Seq: 0x5BFDF03F   Ack: 0x5B945921   Win: 0x7C70
TCP Options => NOP NOP TS: 112515039 707507339