
We detailed above one of the ways to defeat the logging of a file transfer and its subsequent tracing to an attacker. Now let’s take that one step further and investigate some other ways intruders mask their actions. Most of this information comes directly from hacking resources on the Internet. It is available to anyone with the desire and patience to find it. Not all of these methods work all the time on all machines. However, enough of them work often enough so that they offer a considerable challenge to investigators. Also, these techniques apply only to Unix computers.

Masking Logins

Unix keeps a log called the lastlog. It records, for each account, the time, terminal, and originating host of that account's most recent login, and little else. The lastlog (together with the wtmp file, which the login program writes at the same time and which the last command reads) therefore names the machine a login came from. The username recorded is that of the stolen account rather than the intruder's, but the machine name is still valuable: most skilled intruders use machines other than their own to attack a victim, and the names of the computers along the way are what allow an intrusion to be traced back to its source. If the intruder masks his or her machine's identity to the victim, the investigator cannot identify the most recent computer in the attack chain and so has no place to begin tracing backward.

The intruder can mask his or her machine's identity to the victim with a simple method. On logging in to the victim's computer with a stolen account, the intruder sees a notice to the effect that the last successful login to that account was on such-and-such a date, from such-and-such a host. The intruder then runs rlogin against the very machine he or she is already on and supplies the stolen account's password again. The rlogin program is intended for remote access from other computers (rlogin means "remote login"), but it works perfectly well against the machine it is run on. Because this second login arrives from the same machine, the lastlog entry for the account is overwritten to show a login from "localhost" (the name Unix computers use to refer to themselves) or from the machine's own name, and that is what the next login banner, and an investigator who checks only the lastlog, will see. To a skilled administrator or investigator this is an obvious sign that some hanky-panky has taken place, but it reveals neither its nature nor its real source. One check is worth making here: the lastlog keeps a single record per account, whereas wtmp appends a record for every login, so last username will usually still list the original remote host immediately before the localhost entry, unless wtmp has been tampered with as well.

A second trick used by skilled intruders is the shell change. Unix machines often keep a history file which saves the commands the user typed. An investigator can review the history file, if present, and learn what occurred. Thus, the intruder needs to disable the history-gathering capability of the computer.

All Unix computers use a shell to let the user communicate with the operating system's kernel. There are several different shells available for Unix machines, and usually more than one is installed on the same computer. The shell a user gets by default is determined by the login shell field of the account's entry in the password file. The first command a skilled intruder enters after logging in to a stolen account is therefore a shell change. This defeats history gathering for the C shell (csh) and the Bourne shell (sh): sh keeps no history at all, and csh holds its history in memory and writes it to the history file only at logout, and only if the savehist variable is set, so the commands typed into a freshly started shell never reach the file the investigator would read. Thus, an intruder will either switch from one of these shells to the other, or from some other shell to one of them.

Another way to detect an intruder while he or she is still online is to type who. This gives a list of users currently connected, and the display usually shows not only the user and terminal but also the address they logged in from. A simple shell script (a program similar to a DOS batch file) that runs who periodically and appends the results to a file for later reference is an easy way to see whether there were unknown users, or users who were not supposed to be logged in at the time the script ran. If who shows a user logged in from a computer that is not normal for that user, there is a good chance the account has been hijacked by an intruder.

The skilled intruder will, after logging in with the stolen account, log in again with the same login ID and password without first logging off. This opens a second session for the account whose recorded origin is only the terminal the intruder is already connected to (or localhost), rather than a remote host. If this is done during a time when the owner of the stolen account would normally be logged in, it is unlikely to arouse suspicion.
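The following shell script is an added example and is not code from the original chapter. It implements the periodic who logger described above and audits each snapshot for the two evasions just discussed: a session whose recorded origin is localhost, or blank on a pseudo-terminal (the rlogin-to-self trick or a second login on top of the first), and a session from a host that is not usual for that account. The usernames, hostnames and baseline are constructed for the example, and the who output is assumed to follow the common "user tty date time (host)" layout.

```sh
#!/bin/sh
# Added example: audit `who` output for hijacked and nested logins.
# The baseline and sample data below are constructed for this example.

# Hypothetical baseline: "user origin" pairs that are normal for this machine.
# "console" stands for a login on a real terminal with no remote host.
BASELINE='jsmith workstation7.corp.example
mjones mjones-pc.corp.example
root console'

# Constructed snapshot in the usual `who` layout: user tty date time (host).
SAMPLE_WHO='jsmith   pts/0        Mar  3 09:12 (workstation7.corp.example)
jsmith   pts/3        Mar  3 09:40 (localhost)
mjones   pts/1        Mar  3 08:55 (mjones-pc.corp.example)
mjones   pts/4        Mar  3 10:02 (dialup12.isp.example)
root     tty1         Mar  2 22:10'

# audit_who: read `who` lines on stdin; print "REASON user tty origin" for each
# suspicious session and nothing for sessions that match the baseline.
audit_who() {
  { printf '%s\n' "$BASELINE"; printf '%s\n' '--END-BASELINE--'; cat; } | awk '
    !done {                                  # first load the baseline pairs
      if ($0 == "--END-BASELINE--") { done = 1; next }
      if (NF >= 2) ok[$1 " " $2] = 1
      next
    }
    NF < 2 { next }
    {
      user = $1; tty = $2; origin = $NF
      # who prints the remote host in parentheses as the last field;
      # anything else in that position means no remote host was recorded.
      if (origin ~ /^\(.*\)$/) origin = substr(origin, 2, length(origin) - 2)
      else origin = ""
      # A login from localhost, or with no origin at all on a pseudo-terminal,
      # was started from a session already on this machine: the rlogin trick
      # or a second login stacked on the first.
      if (origin == "localhost" || origin ~ /^127\./ ||
          (origin == "" && (tty ~ /^pts/ || tty ~ /^ttyp/))) {
        print "NESTED_LOGIN", user, tty, (origin == "" ? "-" : origin)
        next
      }
      if (origin == "") origin = "console"   # real terminal, no remote host
      if (!((user " " origin) in ok)) print "UNEXPECTED_ORIGIN", user, tty, origin
    }'
}

# poll_who LOGFILE [INTERVAL]: the periodic logger the chapter describes. Each
# snapshot is stamped and appended, followed by any alerts audit_who raises.
poll_who() {
  log=$1
  interval=${2:-300}
  while :; do
    snapshot=$(who)
    printf '=== %s ===\n%s\n' "$(date)" "$snapshot" >> "$log"
    printf '%s\n' "$snapshot" | audit_who | sed 's/^/ALERT /' >> "$log"
    sleep "$interval"
  done
}

# Stand-alone run: audit the constructed snapshot instead of live `who` output.
printf '%s\n' "$SAMPLE_WHO" | audit_who
```

Against the constructed snapshot the audit flags jsmith's second session (origin localhost) as a nested login and mjones's session from the dial-up host as an unexpected origin; the console login by root matches the baseline and is not reported. In use, poll_who /var/log/who.log 300 would write a stamped snapshot and the alerts every five minutes.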

Each of these techniques offers the intruder a method of hiding his or her presence. Although the information is under the investigator’s nose, it is obfuscated sufficiently to prevent easy detection. The countermeasures for these obfuscations require a different approach to logging, often only available with third-party tools. Logging tools that collect IP addresses, for example, may be far more effective than the normal logging capabilities of unenhanced machines.

The investigator will, of course, be unable to take advantage of third-party tools after the fact. Thus, the question of installing such tools after the first attack and waiting for a possible second foray by the intruder comes up. We will discuss the issues surrounding that decision in a later chapter.

Masking Telnet

Telnet sessions may be performed in two ways. First, you can use the command

telnet victim.com

From the intruder's point of view this form has a disadvantage: the target's name shows up as an argument in the process list of the Unix computer the command is run on, where the ps command displays it. If the intruder has taken over a Unix host in order to attack another computer, the administrator may notice this entry and move to stop the intruder. The connection may likewise show up in logs if the host is logging thoroughly, especially with third-party auditing tools.

However, if the intruder simply types

telnet

and then types these commands at the telnet prompt:

telnet> open victim.com

the target's name never appears as a command-line argument, so there is much less chance of being noticed on the intermediate host. The connection itself is not hidden, however: an established telnet session still appears in the output of netstat on the intermediate machine, and the victim's own login records (utmp, wtmp and lastlog) still name the intermediate host as the source. What the intruder has removed is only the destination from the process list. Since a skilled intruder will usually move from computer to computer to cover his or her tracks during an attack, it is important to him or her to avoid detection at each step of the way.
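The script below is an added example, not code from the original chapter. It shows why the interactive form defeats a check of the process list but not a check of the connection table. The ps -ef and netstat -an output is constructed (hypothetical users and hosts, RFC 5737 documentation addresses, Linux-style host:port notation in netstat); telnet_from_ps lists every telnet process and the target visible in its arguments, outbound_telnet lists established connections to remote port 23 that this machine initiated, and hidden_telnet_count reports how many live telnet connections have no destination visible in ps.

```sh
#!/bin/sh
# Added example: the two views an administrator has of a telnet hop through
# this machine. All sample output below is constructed for the example.

# Constructed `ps -ef` output: jsmith used "telnet host"; mjones started telnet
# with no arguments and typed "open" at the telnet> prompt.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
jsmith    4120  4101  0 09:12 pts/0    00:00:00 -csh
jsmith    4188  4120  0 09:41 pts/0    00:00:00 telnet victim.example.com
mjones    5002  5001  0 10:02 pts/4    00:00:00 -sh
mjones    5012  5002  0 10:03 pts/4    00:00:00 telnet'

# Constructed `netstat -an` output (Linux-style host:port). Two outbound telnet
# connections are live; the second line is an inbound session to our own telnetd.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.1.2.3:34512          192.0.2.10:23           ESTABLISHED
tcp        0      0 10.1.2.3:23             10.1.2.77:50120         ESTABLISHED
tcp        0      0 10.1.2.3:40011          198.51.100.7:23         ESTABLISHED'

# telnet_from_ps: read ps -ef lines on stdin; print "PID user target" for every
# telnet process, with "-" when no target appears in the argument list.
telnet_from_ps() {
  awk '$8 ~ /(^|\/)telnet$/ { print $2, $1, (NF >= 9 ? $9 : "-") }'
}

# outbound_telnet: read netstat -an lines on stdin; print the remote address of
# every established connection to port 23 that we initiated (local port not 23).
outbound_telnet() {
  awk '$1 == "tcp" && $6 == "ESTABLISHED" && $5 ~ /:23$/ && $4 !~ /:23$/ {
    sub(/:23$/, "", $5); print $5
  }'
}

# hidden_telnet_count PS_TEXT NETSTAT_TEXT: number of live outbound telnet
# connections whose destination is not visible anywhere in the process list.
hidden_telnet_count() {
  visible=$(printf '%s\n' "$1" | telnet_from_ps | awk '$3 != "-"' | wc -l)
  live=$(printf '%s\n' "$2" | outbound_telnet | wc -l)
  echo $(( live - visible ))
}

# Stand-alone run against the constructed samples.
echo "telnet processes (pid user target):"
printf '%s\n' "$SAMPLE_PS" | telnet_from_ps
echo "outbound telnet connections:"
printf '%s\n' "$SAMPLE_NETSTAT" | outbound_telnet
echo "connections with no destination in ps: $(hidden_telnet_count "$SAMPLE_PS" "$SAMPLE_NETSTAT")"
```

On the constructed data the process list reveals only jsmith's target, while netstat shows two outbound telnet connections; the count of one connection with no destination in ps is exactly mjones's interactive session, and its destination (198.51.100.7) is recoverable from the connection table. On Unix systems where netstat separates host and port with a dot rather than a colon, the two patterns in outbound_telnet need adjusting.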

There is another technique that an intruder can use to mask a telnet session, or any other for that matter. This technique involves a change of identity, or at least part of an identity change.

When a user telnets from one host to another, some of the environment variables travel along on systems whose telnet exports them to the remote side (for example DISPLAY, which names the host the user's display is on). Skilled intruders will change the environment variables on a machine used as an intermediate before attacking the next target, so that whatever arrives at the next hop points somewhere other than where the intruder actually came from. This makes it harder for the investigator to trace backward through each purloined account on the intermediate machines to the actual source of the attack.
