
Backtracing on a network, especially one such as the Internet, can provide significant challenges. It can be a very slow process and, usually, the intruder must be online in order for a search to succeed. Additionally, you often will need the assistance of telephone companies and Internet service providers (ISPs) that might require a warrant. This means that law enforcement will need to get involved, unless you can get the cooperation of the managers of the intervening systems (the systems between you and the intruder).

There are several things you can look for when backtracing. The obvious ones are source IP addresses in your logs, source IP addresses in packets you capture using a sniffer, and information gathered by using tools, such as reverse finger, nslookup, and whois. Sadly, if your intruder is a real pro, most of these will be pretty worthless in and of themselves. But, at worst, they can provide a starting point for your backtrace.

The most important thing for you to do in catching an online intruder is to catch him or her in the act. Of equal importance is extensive logging. You need all of the information you can get about the intruder and his or her activities while online. The time to start logging is not after an intrusion. However, it seems to be a fact of life that we never have complete enough logs. We’ll discuss logs in more detail later, but, for now, let’s look at how, in general, they can help us backtrace.

It is likely that any competent intruder will have jumped to a site other than his or her own to launch the attack. This, whether you like it or not, is where you’ll need to start your backtrace. As starting points, look in your Unix logs for the following:

• Times of login and logout — use the LASTLOG.

• Anomalies in the LASTLOG — use a log analysis tool, such as CHKLASTLOG.

• Source IP address — use SYSLOG or any other logs you have that record IP addresses. SYSLOG must be configured for this type of information. It may produce any of several MESSAGES files. Other logs may be from TCP wrappers installed on critical services.

Similar information exists in NT logs. However, Windows 95 and NetWare offer little or no logging.

Once you have established the nearest site to you, you’ll need to work with the administrator of the site to jump back to the next step in the attacker’s path. If the attacker is still online, you can use tools like reverse finger to find where he or she is located. Reverse finger will take you back to the site from whence the intruder is attacking you. With luck, you’ll be able to get a source address for the next jump back. However, the intruder may be using a site which does not respond to the finger service. That could stop you.

Remember, however, that the intruder had to establish an account on the attack site. He or she could not simply “pass through.” That may mean that the intruder has broken into the site, which should be of interest to the site administrator. It may also mean that the intruder is a legitimate user at that site. Examples are ISPs, universities, and large corporations. If that is the case, you have a legitimate complaint against the site administrator because he or she is usually considered to be responsible for monitoring the actions of the site’s users.

We had an experience with a large ISP which was the source of an attack against our system. The ISP security department took immediate action to identify the perpetrator. We were able to identify the source of the attack through the use of TCP wrappers on our telnet service. We prohibit telnet access except from very specific addresses. The wrappers log every attempt, legitimate or not, and reject attempts from disallowed addresses.

It is important to note that your logs may not reveal the actual user attacking you. You may have to be satisfied with the machine that is the source of the attack. In order to be successful at backtracing, you’ll need a very precise time of the attack, the machine from which the attack occurred, and the victim’s IP address.
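As an added example (not from the book), here is a small Python parser that turns TCP wrapper syslog entries, like the ones the telnet wrappers described above write, into the three facts a backtrace needs: a precise time window, the source machine, and the victim host. The log lines, the year 1998 and the refused-attempt threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines in the form TCP wrappers (tcpd) writes them:
# an accepted connection logs "connect from", a rejected one "refused connect from".
SAMPLE_SYSLOG = """\
Mar  3 02:14:07 victim in.telnetd[4121]: refused connect from 192.0.2.45
Mar  3 02:14:09 victim in.telnetd[4123]: refused connect from 192.0.2.45
Mar  3 02:14:12 victim in.telnetd[4125]: refused connect from 192.0.2.45
Mar  3 02:15:30 victim in.telnetd[4130]: connect from 198.51.100.7
Mar  3 09:41:55 victim in.ftpd[5002]: refused connect from 203.0.113.9
Mar  3 09:42:00 victim sshd[5010]: Accepted password for alice from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<daemon>[\w.-]+)\[\d+\]: (?P<refused>refused )?connect from (?P<src>\S+)$"
)

def parse_wrapper_log(text, year):
    """One dict per tcpd line; syslog omits the year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # messages from other daemons are not in tcpd format; skip them
        stamp = " ".join(m["ts"].split())  # collapse the day padding in "Mar  3"
        events.append({"time": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
                       "victim": m["host"], "service": m["daemon"],
                       "source": m["src"], "refused": m["refused"] is not None})
    return events

def backtrace_summary(events):
    """Per source: precise time window, victims, services and refused count for the handoff."""
    by_src = defaultdict(lambda: {"first": None, "last": None, "attempts": 0,
                                  "refused": 0, "victims": set(), "services": set()})
    for e in sorted(events, key=lambda e: e["time"]):
        s = by_src[e["source"]]
        s["first"] = s["first"] or e["time"]  # datetime objects are always truthy
        s["last"] = e["time"]
        s["attempts"] += 1
        s["refused"] += int(e["refused"])
        s["victims"].add(e["victim"])
        s["services"].add(e["service"])
    return dict(by_src)

def worth_tracing(summary, min_refused=3):
    """Sources repeatedly refused by the wrappers: the starting points for a backtrace."""
    return sorted(src for src, s in summary.items() if s["refused"] >= min_refused)
```

Running `worth_tracing(backtrace_summary(parse_wrapper_log(SAMPLE_SYSLOG, 1998)))` on the sample returns only the address with three refused telnet attempts; the summary entry for it carries the first and last timestamps and the victim host to pass to the next administrator up the chain.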

If the attack is repeated, you may be able to capture it with a sniffer. Sniffers can be set to trigger on an event, such as a packet’s source address. Once triggered, they can record every transaction involving the IP address. Sophisticated sniffers may even allow you to set up attack scenarios that record all of the attacker’s actions in detail. An example of this type of program is RealSecure from Internet Security Systems. RealSecure depends upon attack profiles to identify suspected attack attempts. It can then take specified actions, including detailed logging. The logging is of sufficient detail to recreate the attack and can be used as evidence if the resulting logs are properly preserved.

Some intruder alert programs accomplish the same thing by reading logs in real time and applying action scripts. An example of that type of alert mechanism is ITA from AXENT Technologies. These programs are more focused on the hosts under attack, while sniffer type programs focus on the activity on the network. We usually install both types when we are tracing a repeat intruder.

In all cases, we are usually attempting to gather enough evidence to turn the attack over to law enforcement. It is likely that the intruder is, ultimately, accessing the first host in his or her string of sites via phone lines. Trap-and-trace over phone lines requires a warrant. This means involving law enforcement.

The first site used by the intruder is especially important if the intruder is using phone lines to access it. If the site is an ISP, there will usually be good records of the modem receiving the call. Most ISPs use modem pools with terminal servers that assign IP addresses randomly to callers as they dial the pool. However, given the time of the attack, there usually are logs that will tell what line the call came in on. From those records, the phone company can determine where the call came from. That’s the good news.

The bad news is that there is a subset of intruders who are very good at hacking phone systems. These crackers, called phone phreaks, or just phreakers, may start their attack by breaking into PBXs or independent long distance carriers to steal phone service. They will jump from one to another before beginning to jump around computer networks. In these cases, finding the call into the first ISP, university, or corporation may just be the end of the phone trail. You may have to backtrace the phone activities just as you had to backtrace the network connections. For this, again, you will usually need law enforcement. Corporations are usually glad to help where they can. Long distance carriers may or may not be interested in helping, depending upon the size of the breach.

SOFTWARE FORENSIC ANALYSIS — WHO WROTE