RootPrompt.org: Know Your Enemy: II – Tracking the movements of a Script Kiddie

[ Thanks to Noel for this link. ]

“This article focuses on intelligence gathering.
Specifically, how to figure out what the enemy is doing by
reviewing your system logs. You will be surprised how much
information you will find in your own log files.
Before we can talk about reviewing your logs, we first have to
discuss securing your system logs. Your log files are worthless if
you cannot trust the integrity of them. The first thing most
black-hats do is alter log files on a compromised system. There are
a variety of rootkits that will wipe out their presence from log
files (such as cloak), or alter logging altogether (such as
trojaned syslogd binaries). So, the first step to reviewing your
logs is securing your logs….”

“By looking at your log entries, you can usually determine if
you are being port scanned. Most Script Kiddies scan a network for
a single vulnerability. If your logs show most of your systems
being connected from the same remote system, on the same port, this
is most likely an exploit scan. Basically, the enemy has an exploit
for a single vulnerability, and they are scanning your network for
it. When they find it, they exploit it. For most Linux systems, TCP
Wrappers is installed by default. So, we would find most of these
connections in /var/log/secure. For other flavors of Unix, we can
log all inetd connections by launching inetd with the “-t” flag,
facility daemon. A typical exploit scan would look like something
below. Here we have a source scanning for the wu-ftpd

“Sometimes you can actually determine the tools being used to
scan your network. Some of the more basic tools scan for a specific
exploit, such as ftp-scan.c. If only a single port or vulnerability
is being probed on your network, they are most likely using one of
these “single mission” tools. However, there exist tools that probe
for a variety of vulnerabilities or weaknesses; two very
popular tools are sscan by jsbach and nmap by Fyodor. I’ve selected
these two tools because they represent the two “categories” of
scanning tools. I highly recommend you run these tools against your
own network; you may be surprised by the results :)”
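The detection heuristic the second excerpt describes (one remote source connecting to the same service on many of your hosts) can be checked directly against TCP Wrappers entries. The script below is an added example, not code from the paper or from RootPrompt; the hostnames, addresses and log lines are constructed to mimic the tcpd format seen in /var/log/secure when several hosts forward syslog to one log host.

```python
import re
from collections import defaultdict

# Constructed sample of tcpd entries in the /var/log/secure format
# (timestamp, local host, service[pid], "connect from" source).
SAMPLE_LOG = """\
Apr 10 13:43:48 mozart in.ftpd[6613]: connect from 192.168.0.1
Apr 10 13:43:48 bach in.ftpd[4119]: connect from 192.168.0.1
Apr 10 13:43:49 haydn in.ftpd[2207]: connect from 192.168.0.1
Apr 10 13:43:49 vivaldi in.ftpd[8901]: refused connect from 192.168.0.1
Apr 10 13:43:50 mozart in.telnetd[6614]: connect from 10.1.1.5
Apr 10 14:02:11 bach in.ftpd[4120]: connect from 172.16.4.2
"""

# Matches both accepted ("connect from") and denied ("refused connect from")
# tcpd entries; anything else on the line is ignored.
TCPD_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<service>[\w.]+)\[\d+\]: "
    r"(?:refused )?connect from (?P<src>\S+)$"
)


def parse_tcpd(lines):
    """Yield (timestamp, local_host, service, source) for each tcpd line."""
    for line in lines:
        m = TCPD_LINE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("host"), m.group("service"), m.group("src")


def find_exploit_scans(lines, min_hosts=3):
    """Group connections by (source, service) and report the pairs that reached
    at least min_hosts distinct local hosts: the same remote system hitting the
    same port across the network is the pattern the paper calls an exploit scan."""
    targets = defaultdict(set)
    for _ts, host, service, src in parse_tcpd(lines):
        targets[(src, service)].add(host)
    return {key: sorted(hosts) for key, hosts in targets.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for (src, service), hosts in find_exploit_scans(SAMPLE_LOG.splitlines()).items():
        print(f"{src} probed {service} on {len(hosts)} hosts: {', '.join(hosts)}")
```

On real data, feed it the lines of /var/log/secure and tune min_hosts to the size of your network; single connections from one source to one service are left out on purpose.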