Post-incident analysis of a DNS attack
By XUNDI
This article is a post-incident analysis of a DNS attack on a system. Through it you can understand the attacker's behavior:
how the attack was carried out, what the attacker did after getting in, and so on. That understanding helps you maintain your own systems better.
Original author: lance@spitzner.net
Background
The information in this article comes from a honeypot (http://www.enteract.com/~lspitz/honeypot.html).
The honeypot is a default server installation of Red Hat 6.0. The word literally means "honey jar",
that is, something used to lure an attacker into a trap. In the analysis below, all IP addresses,
user accounts and keystroke information are real; only the passwords have been changed. This is done so that you can follow
the entire process directly. All sniffed traffic is shown in snort format (http://www.snort.org/).
Snort is a widely used sniffer and a good tool for intrusion detection analysis; I
use it with Max Vision's IDS signatures from http://www.whitehats.com/.
Attack behavior
On April 26, snort alerted me that my system had received a "noop" attack: the payload of the packet contained
a run of NOP instructions. Snort detected the attack and wrote the alert to /var/log/messages,
where it was picked up by swatch (http://www.enteract.com/~lspitz/swatch.html), which I use for monitoring.
Note that throughout this article 172.16.1.107 is the IP address of the honeypot; the other addresses are the ones
used by the black hat.
Apr 26 06:43:05 lisa snort[6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
My honeypot receives countless probes, scans and queries, but the alert above made me suspect
that the system might have been compromised. The system log below shows that the attacker then opened a session
through the login program:
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user twin by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user hantu by twin(uid=506)
From the above we can see that the intruder had already obtained superuser rights and controlled the whole system. How was this
accomplished? That is what we analyze below:
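The two pieces of evidence above, an IDS alert followed within seconds by a login and an su, are exactly what a swatch-style monitor is meant to tie together. The following script is an added example, not code from the original article or from snort or swatch: it parses syslog lines of the same shape as the ones quoted above, pairs each snort alert with the PAM sessions opened shortly after it, and includes a check that mimics what a NOP-sled signature such as nops-x86 keys on (a long run of 0x90 bytes). The log lines, the DNS-shaped payload, the five-minute window, the year supplied for the yearless syslog timestamps, and the sled threshold are all constructed or assumed for this example; they are not the real signature's values.

```python
"""Swatch-style correlation of a snort NOP-sled alert with the logins that follow it.

Added example, not part of the original article. The log lines below are
constructed to mirror the ones quoted in the text; the year, the window and
the sled threshold are assumptions for this example.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log lines, modelled on the ones quoted in the article.
SAMPLE_LOG = """\
Apr 26 06:43:05 lisa snort[6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user twin by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user hantu by twin(uid=506)
Apr 26 09:10:02 victim7 PAM_pwdb[13001]: (login) session opened for user bob by (uid=0)
"""

# Constructed payload: a 12-byte DNS-style header followed by a 64-byte NOP sled.
# It is not an exploit, only a packet with the shape the signature looks for.
SAMPLE_PAYLOAD = bytes.fromhex("1234 0100 0001 0000 0000 0000") + b"\x90" * 64 + b"\xcc" * 4

SNORT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ snort\[\d+\]: "
    r"(?P<sig>\S+): (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
PAM_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) PAM_pwdb\[\d+\]: "
    r"\((?P<svc>login|su)\) session opened for user (?P<user>\S+) by (?P<by>\S*)\(uid=(?P<uid>\d+)\)$"
)


def parse_ts(s, year=2000):
    """Syslog timestamps carry no year, so one is assumed (parameter, not from the log)."""
    return datetime.strptime(f"{year} {' '.join(s.split())}", "%Y %b %d %H:%M:%S")


def parse_log(text):
    """Split syslog text into snort alerts and PAM session events."""
    alerts, sessions = [], []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if m:
            alerts.append({"ts": parse_ts(m["ts"]), "sig": m["sig"], "src": m["src"],
                           "dst": m["dst"], "dport": int(m["dport"])})
            continue
        m = PAM_RE.match(line)
        if m:
            sessions.append({"ts": parse_ts(m["ts"]), "host": m["host"], "svc": m["svc"],
                             "user": m["user"], "by": m["by"] or None, "uid": int(m["uid"])})
    return alerts, sessions


def correlate(alerts, sessions, window=timedelta(minutes=5)):
    """Pair each alert with the sessions opened within `window` after it (window is an assumed value)."""
    hits = []
    for a in alerts:
        followers = [s for s in sessions if a["ts"] < s["ts"] <= a["ts"] + window]
        if followers:
            hits.append((a, followers))
    return hits


def nop_sled_length(payload: bytes, nop: int = 0x90) -> int:
    """Longest run of x86 NOPs in a payload; a sled signature keys on runs like this."""
    best = run = 0
    for b in payload:
        run = run + 1 if b == nop else 0
        best = max(best, run)
    return best


if __name__ == "__main__":
    SLED_THRESHOLD = 16  # assumed for this example, not the signature's real value
    sled = nop_sled_length(SAMPLE_PAYLOAD)
    if sled >= SLED_THRESHOLD:
        print(f"payload contains a {sled}-byte NOP sled")
    alerts, sessions = parse_log(SAMPLE_LOG)
    for alert, followers in correlate(alerts, sessions):
        print(f"{alert['ts']:%b %d %H:%M:%S} {alert['sig']} {alert['src']} -> "
              f"{alert['dst']}:{alert['dport']} was followed by:")
        for s in followers:
            who = f"{s['by']} (uid={s['uid']})" if s["by"] else f"uid={s['uid']}"
            print(f"  {s['ts']:%H:%M:%S} {s['host']} ({s['svc']}) user {s['user']} by {who}")
```

Run stand-alone, it reports the 64-byte sled in the constructed payload and pairs the port 53 alert with the twin login and the su to hantu, while the later login by bob falls outside the window and is not reported. In practice the PAM lines come from the victim and the snort line from the sensor, so the pairing is by time, not by hostname.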
Analysis
When analyzing an attack, the best place to start is the beginning: where did the attacker start? Attackers
generally begin by gathering information about the system, which lets them find the vulnerabilities the system has. If your system has been compromised,
this almost certainly was not the attacker's first contact with it; most attackers first connect to your system
to obtain initial information.
So we start from the earliest information gathering. From the first alert we know
that the attack began on port 53, which indicates a DNS attack on our system. So I went through my
snort alerts (http://www.enteract.com/~lspitz/probed.txt) and found some DNS