RootPrompt.org: Know Your Enemy: II - Tracking the movements of a Script Kiddie
Mar 08, 2000, 19:16
(Other stories by Lance Spitzner)
[ Thanks to Noel for this link. ]
"This article focuses on intelligence gathering. Specifically, how to figure out what the enemy is doing by reviewing your system logs. You will be surprised how much information you will find in your own log files. However, before we can talk about reviewing your logs, we first have to discuss securing your system logs. Your log files are worthless if you cannot trust the integrity of them. The first thing most black-hats do is alter log files on a compromised system. There are a variety of rootkits that will wipe out their presence from log files (such as cloak), or alter logging altogether (such as trojaned syslogd binaries). So, the first step to reviewing your logs is securing your logs...."
"By looking at your log entries, you can usually determine if you are being port scanned. Most Script Kiddies scan a network for a single vulnerability. If your logs show most of your systems being connected from the same remote system, on the same port, this is most likely an exploit scan. Basically, the enemy has an exploit for a single vulnerability, and they are scanning your network for it. When they find it, they exploit it. For most Linux systems, TCP Wrappers is installed by default. So, we would find most of these connections in /var/log/secure. For other flavors of Unix, we can log all inetd connections by launching inetd with the "-t" flag, facility daemon. A typical exploit scan would look like something below. Here we have a source scanning for the wu-ftpd vulnerability...."
"Sometimes you can actually determine the tools being used to scan your network. Some of the more basic tools scan for a specific exploit, such as ftp-scan.c. If only a single port or vulnerability is being probed on your network, they are most likely using one of these "single mission" tools. However, there exist tools that probe for a variety of vulnerabilities or weaknesses; two very popular tools are sscan by jsbach and nmap by Fyodor. I've selected these two tools because they represent the two "categories" of scanning tools. I highly recommend you run these tools against your own network; you may be surprised by the results :)"
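The two excerpts above describe a log-review heuristic: one source hitting the same service on many of your hosts is an exploit scan with a "single mission" tool, while one source touching many services is a broader sscan/nmap-style probe. The script below is an added example written for this page; it is not code from Spitzner's article or from RootPrompt. It assumes the TCP Wrappers "connect from" syslog line shape, and the log lines, hostnames, and source addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of TCP Wrappers entries as syslog would write them to
# /var/log/secure (sample data for this example, not real log lines).
SAMPLE_LOG = """\
Mar  8 19:16:01 host1 in.ftpd[6613]: connect from 192.0.2.10
Mar  8 19:16:01 host2 in.ftpd[6614]: connect from 192.0.2.10
Mar  8 19:16:02 host3 in.ftpd[6615]: connect from 192.0.2.10
Mar  8 19:16:02 host4 in.ftpd[6616]: connect from 192.0.2.10
Mar  8 19:16:03 host5 in.ftpd[6617]: connect from 192.0.2.10
Mar  8 19:20:11 host1 in.telnetd[6700]: connect from 198.51.100.7
Mar  8 19:20:11 host1 in.ftpd[6701]: connect from 198.51.100.7
Mar  8 19:20:12 host1 in.fingerd[6702]: connect from 198.51.100.7
Mar  8 19:20:12 host1 in.rshd[6703]: connect from 198.51.100.7
Mar  8 19:22:40 host3 in.telnetd[6800]: connect from 203.0.113.5
"""

# Assumed line shape: "<timestamp> <host> <service>[<pid>]: connect from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<service>[\w.]+)\[\d+\]: connect from (?P<src>\S+)$"
)


def parse(lines):
    """Return a list of dicts (ts, host, service, src) for lines that match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify(events, min_hosts=3, min_services=3):
    """Group connections by source address and label the pattern.

    Returns {src: (label, distinct_hosts, distinct_services, services)}.
    "exploit scan": one service, many hosts (single-mission tool).
    "broad scan":   several services from one source (sscan/nmap style).
    "normal":       anything below both thresholds.
    """
    by_src = defaultdict(lambda: {"hosts": set(), "services": set()})
    for e in events:
        by_src[e["src"]]["hosts"].add(e["host"])
        by_src[e["src"]]["services"].add(e["service"])

    result = {}
    for src, d in by_src.items():
        n_hosts, n_svc = len(d["hosts"]), len(d["services"])
        if n_svc == 1 and n_hosts >= min_hosts:
            label = "exploit scan"
        elif n_svc >= min_services:
            label = "broad scan"
        else:
            label = "normal"
        result[src] = (label, n_hosts, n_svc, sorted(d["services"]))
    return result


if __name__ == "__main__":
    for src, (label, n_hosts, n_svc, svcs) in classify(
        parse(SAMPLE_LOG.splitlines())
    ).items():
        print(f"{src:15} {label:13} hosts={n_hosts} services={n_svc} {svcs}")
```

The thresholds are deliberately low so the sample triggers; on a real network raise `min_hosts` to cut noise from legitimate clients that talk to a handful of servers, and remember that the whole analysis is only as trustworthy as the log files themselves, which is why the first excerpt insists on securing them before reading them.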