Hacked! – A Detailed Anatomy and Investigation
In reading the various industry message boards, I have seen numerous questions and suggestions regarding hacking and being hacked. I have done it myself, defended against it, and helped others with their situations regarding it. I want to take a look at an example of how to determine whether you were hacked, how it was done, what to do about it and how to prevent it. I would like to start by saying that my company does DP (deep penetration) testing (not the kind you’re thinking of!), an analysis of your network which you can read about here.
The most obvious way to tell that your server has been compromised is when your index page has been defaced or changed. This should concern you, but it is most likely your best-case scenario because it can be fixed easily. The only thing you have lost, if anything, is some downtime, and a hacker has bragged to his friends about cracking your box.
Now, if your server has been hacked into and they have taken control of your box, this is where your real problems lie. This means that the hacker has gained access to your htaccess files and all of your reports, and can use your box in any way he wants. An example would be setting up an illegal FTP server to distribute illegal pictures, documents on attacking the government, pirated software, and basically anything else he has a mind to do. Do you know who will ultimately be responsible? Not the person who hacked into your site, but you, the pornographer, will be subject to lawsuits and possible criminal charges even though you had nothing to do with it.
Here is an example of a situation that applies to this problem. After using nMap to footprint the external network, we focused our attention on an FTP server that was curiously installed outside the firewall. A port scan against the box returned extremely troubling results. In addition to the expected open port (port 21), we found a half dozen other open ports, including 139, 2184, 3437, and 14120.
• Port 139 was running NetBIOS and allowed extensive leaking of information via Null Session Enumeration.
• Port 2184 was running Microsoft Windows Telnet Server, which generally runs on port 23. Sometimes an administrator will run this on an odd port. However, attempting to log in to Telnet with a valid username/password combination obtained via enumeration of port 139 resulted in a hung Telnet session.
• Port 3437 was running a service that prompted for a password. If no password was given within three seconds, or an invalid password was given, the connection was terminated.
• Port 14120 was running a second FTP Service.
Key details from our FTP session with the site included:
• Two users were currently connected. In the past 24 hours, 23 users had connected.
• 190 MB had been downloaded since the last time the server was restarted.
• Anonymous logins were rejected and our attempts to guess the password were unsuccessful.
• Searches based on the hacker tags in the banner returned only links to listings of various hacked pubstores.
From this it is reasonable to assume that access to this site was being traded via Internet Relay Chat (IRC).
Analyze Your System
You should review publicly available information relating to your site and company, including news releases, newspaper articles, annual reports, SEC filings, and the corporate Web site. I have been reading on chat boards about incorporating. It might be good for you in terms of financial matters, but it also opens you up to disclosing a lot of public information about yourself. Hackers commonly use these resources to gather potentially vital information relating to a company, including names of key employees, product lines/releases, key dates (such as the date a partnership was formed or a network administrator’s birthday), locations, hardware/software used, etc. A good Webmaster will reverse engineer everything that is publicly available and look at it from a security standpoint.
The next step is assessing the facts. Before looking at the drive in this example, you can tell the following:
• An unauthorized FTP server had been installed by the hacker.
• This installation would have required administrator access.
• Microsoft Telnet server was running on TCP 2184 without NTLM authentication, enabling a malicious user to gain access to the system.
• An unknown service was running on TCP 3437.
• The penetration test manager advised that they had found directories within their FTP root that they could not delete. There are a number of ways that hackers can hide directories and files. A simple way to make a folder invisible in Windows is to set its +s (system) attribute within Windows Explorer or from the command line (DOS). Windows itself relies on this: although users may clear their Internet history, the data is still maintained in hidden files.
• Other methods include naming a directory after a reserved device name such as “prn,” “con,” or “com1,” or using a special combination of characters such as “..--1” (dot dot dash dash 1), which ordinary file tools cannot open or delete.
Files that you should look at in an FTP root of the FTP server:
• 1kbtest.ptf
• 1mbtest.ptf
• space.asp
The first two files were used by the hacker to measure the available bandwidth of the server and gauge how useful this machine would be for conducting other attacks. The space.asp Active Server Page is used to enumerate drives and available free space on the server. These files illustrate the dangers of allowing anonymous uploads.
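As an added example (my own code, not part of the original article), the following Python applies the checks described above to an FTP-root directory listing: reserved device names, trailing dots or spaces, “..--1”-style names, hidden+system attributes, and the three staging files listed above. The listing format (a name plus DOS-style attribute letters) and the function names are assumptions; the sample listing is constructed for the demonstration.

```python
import re
from typing import Dict, List

# Windows reserved device names. A directory carrying one of these names
# cannot be opened or deleted by the usual Explorer/DEL commands.
RESERVED = {"CON", "PRN", "AUX", "NUL"}
RESERVED |= {f"COM{i}" for i in range(1, 10)}
RESERVED |= {f"LPT{i}" for i in range(1, 10)}

# Files the article found dropped into the FTP root by the intruder.
STAGING_FILES = {"1kbtest.ptf", "1mbtest.ptf", "space.asp"}


def audit_entry(name: str, attrs: str) -> List[str]:
    """Return the reasons an FTP-root entry looks attacker-created (empty if none)."""
    reasons = []
    base = name.split(".")[0].upper()          # "con.txt" still resolves to CON
    if base in RESERVED:
        reasons.append("reserved device name")
    if name.endswith(".") or name.endswith(" "):
        reasons.append("trailing dot/space")   # invisible in most listings
    if re.search(r"\.\.-+\d*$", name):         # e.g. "..--1"
        reasons.append("dot-dot-dash name")
    if "H" in attrs and "S" in attrs:
        reasons.append("hidden+system attributes")
    if name.lower() in STAGING_FILES:
        reasons.append("known staging file")
    return reasons


def audit_listing(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious entry name to its list of reasons."""
    flagged = {}
    for entry in entries:
        reasons = audit_entry(entry["name"], entry["attrs"])
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


# Constructed sample listing: attrs use DOS letters (D=dir, H=hidden, S=system, A=archive).
SAMPLE_LISTING = [
    {"name": "pub",         "attrs": "D"},
    {"name": "uploads",     "attrs": "D"},
    {"name": "com1",        "attrs": "DHS"},
    {"name": "..--1",       "attrs": "D"},
    {"name": "tagged ",     "attrs": "D"},     # trailing space
    {"name": "1kbtest.ptf", "attrs": "A"},
    {"name": "space.asp",   "attrs": "A"},
    {"name": "readme.txt",  "attrs": "A"},
]

if __name__ == "__main__":
    for name, why in audit_listing(SAMPLE_LISTING).items():
        print(f"{name!r}: {', '.join(why)}")
```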
Determining How the Hack Happened
• The hacker scanned for machines with vulnerabilities in Microsoft SQL Server, IIS, or NetBIOS (Microsoft was used for this example, however, Linux isn’t exempt from vulnerabilities).
• Once a victim was located, he downloaded and executed a batch file, which performed numerous actions before deleting itself.
• He created an account called Admin, set the password, and added the account to the Administrator’s group.
• He FTP’ed necessary tools to the machine, creating directories within winnt\system32 to store them.
• He configured the Microsoft Telnet Service to run on port 2184, disabling NTLM authentication.
• He installed a WinShell Service on port 3437.
• He then installed the FTP daemon and configured directories.
• Then he installed an unsecured SOCKS proxy.
He then patched the box so that other attackers could not use the same holes:
• Disabled WebDav on IIS HTTP.
• Set RestrictAnonymous=1 in an attempt to prevent Null Session Enumeration. (This value should be set to 2 to be effective.)
• Deleted administrative file shares.
Here are some files that you should look for and examine closely:
• info.exe — An enumeration tool to detail information about the local server to the hacker.
• hlp32.exe — A renamed version of Bouncer v1.0.RC6, which is a proxy utility.
• jrun.exe — A renamed version of “Netcat,” the TCP/IP Swiss Army knife of hackers.
• kill.exe — A utility to allow the hacker to terminate processes that he did not want running on the box.
• pslist — A utility that provides process IDs for running processes (UNIX-like), which was likely used in concert with kill.exe.
• wshell.exe — A Windows shell application (Winshell) that provided the hacker with a remote graphical user interface (on TCP port 3437) which was password-protected.
• reg.exe — A utility to make it possible to edit the machine registry from a command line (DOS).
• service.exe — An IRC bot used to control the machine and notify that it’s online.
• sfind.exe — A command-line vulnerability scanner.
• X-Scan — A command-line and GUI scanner.
• IpcScan — A command-line and GUI Windows account cracker.
Ways to Catch Who Hacked Your System
Using the information from the last example, open r_bot.ini to see the user settings, then go to the chat room and conduct a whois to obtain information regarding the owner/moderator of the chat room. This information will give you a good idea as to where the hacker is connecting from. Provided the host legally belonged to the attacker, you can obtain his identity from his ISP. From the IRC site, you can find out whether other systems have been compromised like yours. (You should notify the ISP and the owners of those IPs of your findings.)
Use nMap to identify the services running on the hacker’s system. This will show what type of machine he is running, and an nslookup on his IP address will show where in the world he is located. You should also run a port scan on his system to see what he is running. An example is a private FTP daemon on TCP 1412 alongside a publicly available FTP service (port 21).
Based upon the information you can gather from this, you will be able to create specific Web queries to determine the attacker’s real identity.
• Full name
• Date of birth
• Town where he lives
• E-mail address
• Photograph
Should You Prosecute?
This is where things become sticky because you will need to work within the legal framework of forensic investigations. Most notably, it would be critical for the forensic data to be authenticated as genuine.
Many of the actions an individual might take, including rebooting the machine, copying files from the server, and reviewing security logs, can alter the data on the drive. This will impair your case against the hacker because it could damage the file structure and the evidence in your logs.
A particularly important legal case, Gates Rubber Co. v. Bando Chemical Indus., Ltd., helped define the mandatory legal duty of a forensic investigator to create a mirror-image copy of the hard drive in a manner that maintains the chain of evidence and custody. In that case, the investigator’s decision to perform a logical “file-by-file” copy to preserve the evidence precluded legal use of the data, because the copying might have resulted in lost information and the creation of new temporary files on the media.
If this is the path you wish to take, I recommend taking your server offline and standing up a new one from your most recent backup. The next step is purchasing something along the lines of EnCase software, which is used extensively by law enforcement professionals, to take a mirror image of the drive. You can then mount the hacked hard drive in a system and gather your evidence by exploring the files and comparing them against your last good backup to determine what has been altered.
Cleaning Up the Mess
Consult with legal counsel regarding the liability associated with the hack and current legal responsibility (a very subjective area at this time).
• Consider reporting the hack to the appropriate agencies and affected parties, including:
A) The local office of the FBI who will probably be of little or no help;
B) The State Office of Information Technology;
C) The State Police’s High Technology Crimes Unit;
D) CERT;
E) Any software companies from which you illegally copied software;
F) Any governmental agency that may have been scanned or attacked from your box;
G) Clients regularly accessing the FTP server.
• Rebuild the FTP server.
• Move the FTP server behind the firewall and limit traffic to the FTP server to ports 20 and 21.
Don’t Make it Too Easy
Executing on the basics of IT security is not enough to ensure that your organization will not be hacked, but it will significantly reduce the likelihood. Further, if you are hacked, you’ll be able to recognize and remediate it before significant damage to the organization is done.
The basics for systems that need to be externally accessible (Web, e-mail, FTP) include these steps:
• Put them behind an appropriate firewall (preferably in a DMZ).
• Disable all services except those absolutely needed.
• Filter all except port-specific traffic to systems (e.g., 20/21 for FTP).
• Turn on system and firewall logs.
• Review the logs on a daily basis.
• Consider implementing intrusion prevention software for mission-critical boxes.
• Have Konnected IT do a DP test on your external or internal network regularly.
Erik (username Konnected) has been online since ’95 mostly in the networking and security field. He recently decided to take a stab at the adult industry.
He received his NT 4 MCSE before attending college where he studied M.I.S. While in college he began branching out into security forums learning more about the darker side of the computer industry.
After graduation he went to work for a Fortune 100 company as a network analyst, then for a major law firm as an information systems manager, and most recently for a medical software company as a Sr. Network Engineer and security expert. It was there that he learned how to use the Macromedia MX suite, which led him to open his own consulting company.
To contact Erik, you can email him at erik@konnectedit.com or visit his web site at www.konnectedit.com.