Tuesday, June 2, 2015

Compromised Server, Me and a Few Layers of Security

Well, this is not a theory on layer-wise security. Everyone knows the concept of layer-wise security: main gate, main door, room doors. That sums up what layer-wise security is. It makes it hard for the bad guys to reach your living room. But that is not all. A few weeks ago I got an opportunity to look into a compromised server. I had to figure out the cause of the incident and deliver an incident report. The server was in the Amazon cloud, and the AWS support team did their job by shutting the compromised server down; not exactly a shutdown, but they blocked all traffic out of the server. They had detected a DoS attack being conducted through that compromised server, using UDP port 80, against an IP belonging to an enterprise. AWS support allowed SSH into the server, and there I was, checking everything I possibly could on the AWS server. I looked into users, passwords, shadow entries, file permissions, shell history, netstat, nmap, the Apache access log and error log, the auth log and what not. I must say "The Blue Team Handbook" did come in useful at that time.
I found nothing. Yes!! Nothing, and that kept me wondering for minutes, thinking about what attack vectors I had missed and so on. I was not thinking well, because somewhere in my mind I had already assumed an attack through remote code execution, and after not seeing anything suspicious in the Apache access log and error log, I could not think any further. Later, after a sip of black coffee, I did a malware scan on the server. Rootkit Hunter (rkhunter) was the first tool I used, then came the ClamAV antivirus, and Bingo!! There it was: a rootkit hiding inside /bin/netstat and /bin/ps.

And yes, I had been using that very netstat and ps to gather information. I felt stupid. But I was still unsure. This time the host-based IDS came to the party; I had forgotten that it was already installed on the server. After a little log analysis I found that OSSEC HIDS had logged and alerted on a rootkit detection on the date the DoS attack was detected. I confirmed further by checking the hashes of the binaries and found they differed from the originals.
Later I zipped those scripts, downloaded them to my PC and scanned them with Avast. I got an alert, and it was more detailed.
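The confirmation step described above, comparing the hashes of /bin/ps and /bin/netstat against known-good values, as an added example; this is editorial code, not the author's tooling. It assumes you have a baseline of SHA-256 digests from a trusted source (a package manifest, the golden AMI, or hashes recorded before deployment); the baseline, paths and file contents used in the demo function are constructed for illustration. It also goes one step beyond the post: because a trojaned ps filters what it shows, the second half enumerates /proc directly and reports PIDs that ps leaves out, so the responder does not depend on the suspect binary.

```python
"""Rootkit triage checks that do not trust the host's own ps/netstat.

Added example, not code from the original post. Assumes a trusted baseline
of SHA-256 hashes; all sample paths and contents below are constructed.
"""
import hashlib
import os
import re
import subprocess
import tempfile
from typing import Dict, Iterable, List, Set


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_baseline(baseline: Dict[str, str], root: str = "/") -> List[str]:
    """Return findings for paths whose hash differs from the baseline or that are missing.

    `baseline` maps an absolute path such as "/bin/ps" to its known-good hex digest.
    `root` lets the check run against an offline copy of the filesystem (for example
    a snapshot of the compromised volume attached to a clean instance), which is the
    trustworthy way to do it once a rootkit is suspected: hashing on the live host
    uses that host's kernel and libraries, which may lie about file contents.
    """
    findings: List[str] = []
    for path, expected in sorted(baseline.items()):
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(full):
            findings.append(f"{path}: MISSING")
            continue
        actual = sha256_of(full)
        if actual != expected.lower():
            findings.append(f"{path}: MODIFIED expected={expected[:12]} got={actual[:12]}")
    return findings


def pids_from_proc(proc: str = "/proc") -> Set[int]:
    """Enumerate PIDs by listing /proc directly, bypassing the ps binary."""
    return {int(d) for d in os.listdir(proc) if d.isdigit()}


def pids_from_ps_output(ps_output: str) -> Set[int]:
    """Parse `ps -e -o pid=` style output (one PID per line, no header)."""
    return {int(tok) for tok in re.findall(r"^\s*(\d+)\s*$", ps_output, re.M)}


def hidden_pids(proc_pids: Iterable[int], ps_pids: Iterable[int]) -> Set[int]:
    """PIDs present in /proc but absent from ps output.

    A user-land rootkit that trojans ps filters its output, so this set is the
    tell-tale; on a clean host it is empty apart from processes that started
    between the two snapshots, so treat a hit as a lead and re-run before acting.
    """
    return set(proc_pids) - set(ps_pids)


def live_check() -> Set[int]:
    """Run the /proc-versus-ps comparison on this host (Linux only)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return hidden_pids(pids_from_proc(), pids_from_ps_output(out))


def demo_on_tampered_copy() -> List[str]:
    """Build a throwaway filesystem copy with one intact and one tampered
    binary plus one missing file, then run verify_baseline on it (constructed data)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    for name in ("ps", "netstat"):
        with open(os.path.join(root, "bin", name), "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/busybox " + name.encode() + b"\n")
    baseline = {f"/bin/{n}": sha256_of(os.path.join(root, "bin", n))
                for n in ("ps", "netstat")}
    baseline["/sbin/ifconfig"] = "0" * 64          # never deployed to this copy
    with open(os.path.join(root, "bin", "netstat"), "ab") as f:
        f.write(b"# appended by the intruder\n")  # simulated trojaning
    return verify_baseline(baseline, root)


if __name__ == "__main__":
    for line in demo_on_tampered_copy():
        print(line)
    if os.path.isdir("/proc"):
        print("PIDs hidden from ps:", sorted(live_check()))
```

On a Debian or Ubuntu host `debsums -c`, and on RPM-based systems `rpm -Va`, perform the same hash comparison against the package manager's own records, which is usually the quickest source of a baseline. Both run on the suspect host with its own libraries and records, so a negative result there is weaker than the same comparison done from a clean instance against a snapshot of the compromised volume.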

This incident made me realize the need for layer-wise security from a different angle. It's not always about protecting, but also about fighting back. I am not a malware analyst, so I did not go through that part, but what I'm trying to say is that without an IDS installed it would have been really difficult to figure this out and to keep analyzing changes on the server.