John B. Baird

Computer Forensic Portfolio

Bradenton, FL

Currently Seeking Employment

Open to relocation

941-363-1144

johnbairdpc at gmail dot com

BRJ Software Case Notes

November 28th, 2012

11:44 AM Created BRJ case in EnCase

Note: Saved case and related files to “brj_software” on desktop for easier sharing of files

12:01 PM Opened Hash Tool

12:01 PM Verified MD5 hash value 3f274b39803068d69f8b62730e101d64 matches compressed drive image file

11:08 AM Extracted compressed GZ file of hard drive image

12:10 PM Verified MD5 hash value 4c576fa29dbc1f2e599c17d3ccd7c734 of extracted drive image
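The two-stage integrity check recorded above (MD5 of the compressed image, then MD5 of the extracted image), as an added Python example that is not part of the case notes; the image file name and the small constructed sample written by make_sample_image are assumptions, only the two expected digests come from the notes.

```python
import gzip
import hashlib
import os
import tempfile

# Expected values taken from the case notes: MD5 of the compressed drive
# image and MD5 of the extracted (decompressed) image.
EXPECTED_COMPRESSED_MD5 = "3f274b39803068d69f8b62730e101d64"
EXPECTED_EXTRACTED_MD5 = "4c576fa29dbc1f2e599c17d3ccd7c734"


def image_hashes(path, chunk_size=1 << 20):
    """Return (md5 of the .gz file as stored, md5 of its decompressed content).

    The file is read in chunks and the decompressed stream is hashed on the
    fly, so a large image is never loaded into memory or written out
    uncompressed just to be hashed.
    """
    raw = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            raw.update(chunk)
    inner = hashlib.md5()
    with gzip.open(path, "rb") as gz:
        for chunk in iter(lambda: gz.read(chunk_size), b""):
            inner.update(chunk)
    return raw.hexdigest(), inner.hexdigest()


def verify_image(path, expected_compressed, expected_extracted):
    """Compare both digests against the values recorded in the case notes."""
    got_raw, got_inner = image_hashes(path)
    return {
        "compressed_ok": got_raw.lower() == expected_compressed.lower(),
        "extracted_ok": got_inner.lower() == expected_extracted.lower(),
        "compressed_md5": got_raw,
        "extracted_md5": got_inner,
    }


def make_sample_image(content=b"abc"):
    """Write a small constructed .gz file (a stand-in for the real image, which
    is not available here) and return its path."""
    fd, path = tempfile.mkstemp(suffix=".img.gz")
    os.close(fd)
    with gzip.open(path, "wb") as gz:
        gz.write(content)
    return path
```

Run verify_image against the real image path with the two expected constants; a False in either field means the evidence copy does not match what was logged.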


12:13 PM Added hard drive image to EnCase

12:14 PM Saved case and closed EnCase

12:15 PM Reopened EnCase and opened BRJ case

12:16 PM Locked computer

1:57 PM Unlocked computer

2:10 PM Added live response data

2:11 PM Saved case and closed EnCase

2:13 PM Booted Linux Backtrack

2:15 PM Determined portscan.log’s line count: 1552

2:22 PM Examined portscan.log’s contents: port scan attempts from 94.90.84.93 against the victim machine 102.60.21.3.

2:29 PM Examined s3.tcpdstat.txt, data from September 8, 2003 from 2:22:05 PM to 4:37:59 PM.

2:47 PM Analyzed s3.plc with Snort

2:50 PM Exploit detected, “EXPLOIT redhat 7.0 lprd overflow”

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0917

Attacker trying to exploit a printer service on port 515 TCP on 102.60.21.3.

15 more exploit messages found

2:56 PM Attack detected, “ATTACK RESPONSES id check returned root”

http://www.snort.org/search/sid/498?r=1

“This event is generated by the use of a UNIX “id” command. This may be indicative of post-compromise behavior where the attacker is checking for super user privileges gained by a successful exploit against a vulnerable system.”

Attacker trying to exploit printer service on victim machine.

2:59 PM Failed log-in attempts detected, “TELNET login incorrect”, hundreds of alerts. Attacker trying to hack password to log into system.

3:03 PM Second attack detected, “ATTACK RESPONSES id check returned root”

3:08 PM Examined s3.tcptrace.txt

Results show brute force attempt against port 515 from attacker.

Attacker appears successful in accessing port 515 from attacker’s port 2089.

Victim machine appears to have accepted attacker’s request for access.

Attacker appears to be accessing FTP services.

Attacker is now listening to SSH services on port 22 TCP.

3:21 PM Backtrack suspended, case suspended.


December 1st, 2012

6:51 PM Analyzed s3.lpc using Tcpflow

6:56 PM Successful attack detected against port 2089

7:00 PM Backdoor detected

7:02 PM Attacker analyzing connections that are active

7:03 PM Attacker analyzing directory listing

7:03 PM Attacker created hidden directory “.kde”

7:04 PM Attacker attempts to download all files beginning with the word “knark”

7:05 PM Attacker tries to add a user called “lpd” with root access

7:06 PM Attacker uses the password “Own3d”

7:10 PM Backtrack suspended, case suspended.


December 2nd, 2012

12:00 PM Attacker verifies password file for user “lpd”

12:02 PM Attacker manually adds user “lpd” to password file

12:03 PM Attacker creates “.rhosts” file in root directory.

12:06 PM Attacker performed directory listing of root

12:07 PM Attacker enters password for “lpd” account

12:08 PM Attacker verifies he is now logged in with “lpd” account

12:09 PM Brute-force tool “Brutus” was running on system, attacker stops the program

12:12 PM Attacker creates “files.tar.gz”

12:14 PM Attacker uploads files “brutus.pl”, “Net-Telnet-3.03.tar.gz”, “allwords.txt”

12:15 PM Attacker downloads files “nat10.tar”, “john-1.6.tar.gz”

12:17 PM Attacker accesses program “datapipe.c” from attacker’s FTP site

*see page 159 for information on this case*

12:27 PM Backtrack closed, case suspended.


1:10 PM EnCase started, case opened.

1:20 PM Conducted search for keywords:

“files.tar.gz” 3 hits
“brutus.pl” 5 hits
“Net-Telnet-3.03.tar.gz” 1 hit
“allwords.txt” 1 hit
“nat10.tar” 1 hit
“john-1.6.tar.gz” 1 hit
“datapipe.c” 8 hits

1:34 PM Case saved, EnCase closed, computer locked.