Who moved my files in the anti-Black campaign ?, Battle

Who moved my files in the anti-Black campaign ?, Battle

Who moved my files in the anti-Black campaign?

I. Event background

This article describes the case of an IT manager, Mr. Li, who analyzed the switch, server log, and email header, and verified his speculation by using the log Content, finally, he summarized the clues and outlined the entire attack process. After reading the event description, do you know what clues are found in the FTP and SSH logs? The following story begins.

Mr. Li, the hero of the story, went to work at a Render Farm Film and special effects company. He was promoted to an IT manager not long ago. This was an exciting thing for him. At present, their company is making the stunt effect of a movie, and everyone is working together. He must have a cup of coffee every morning. Today, he walked to the office with his coffee. Tom and Tom are called into the meeting room. Then, Mr. Smith began to talk about the main points of the incident, but did not mention the names of any colleagues. Then Mr. Smith said to Mr. Li: "boss, some people spread the confidential information of a movie and published a one-minute-long film clip on a movie website ." Zhou attaches great importance to this. He asked us to find out who did it (these video effects were just completed later yesterday morning ).

Mr. Li is a little nervous. Now he realizes what has happened to them. Zhou said loudly: "The leaked clips are the content most expected by the audience, but they are now published to the public! Just one shot can make the company directly lose hundreds of thousands of yuan in economic losses !" Mr. Cao added that film production companies will no longer give their movie special effects to them unless they trace the matter and prevent it from happening again. Li understands that they have not only lost the special effect rendering work of the film, but also lost more opportunities if the message is sent.

2. Understand business processes

Mr. Li is only an IT staff and is not familiar with the animation rendering business. To clarify the company's business process, he immediately asked about all the film production processes and received the film from DreamWorks, until these films are moved back to the film production company. Zhou described the whole process one by one, because these were all completed under his supervision. The producer stores the film to be produced later (with special video effects that require non-linear editing) on the hard disk, and Mr. Smith copies the content on the hard disk to the RAID array, then, an email is sent to the post-production team to inform them that the film can be obtained.

The post-production team is working in shifts, so John wants to find out who handled the video of a movie yesterday. After the team completes post-production, the video files are placed in a directory on the server. When enough files are stored on the hard disk, Mr. Smith sent the files on the hard disk to the film production company. These files are then written to the disk array and saved offline. Currently, the video content of a movie has not been archived to the array.

3. What are the company's moles?

The investigation was carried out in the early morning of the next day, but there were still no valuable clues. Mr. Li believes it is necessary to have a conversation with Mr. Wang to learn more about the technical details. Mr. Li thought, "is it that Mr. Smith sold the video to the fans website? Is he that kind of person ?" Xiao Li must make a decision.

Mr. Wang has been working for many years since he was founded in the company. He is the system administrator of the post-production team. There is not much connection between Mr. Wang and Mr. Li because the post-production process is relatively independent. Mr. Smith once again explained all the processes to Mr. Li. He was willing to provide more technical details. Their disk array and Linux servers were directly connected, all clients connected to the server also use the Linux system. All post-production members use a Web browser to obtain the files they want to operate and pick out the files they are processing. That is to say, it is impossible for two people to simultaneously operate on the same film. These Web code was developed by the company two years ago and is very reliable.

Mr. Li believes from his conversation with Mr. Wang that he will not be the victim. First, he won't ruin his future for the sake of seeking immediate benefits. Second, Mr. Li appreciates his business capabilities.

Mr. Li returned to his office and thought about what to do next. This does not seem like an internal employee. The company has a good corporate culture. Assuming that the amazing "movie" can be a household name, rendering farm companies will welcome their own glory. Mr. Li decided to carefully study the network topology. As shown in the company's network topology 1, this was left by his predecessor before leaving, and may be able to find some inspiration.

 

 

Figure 1 case study Network Topology

This network topology does not seem to help Xiao Li too much. There are only a few VLANs in the LAN. There are firewalls, DMZ zones, and proxy servers between the company's Intranet and the Internet. Everything looks normal and the investigation is deadlocked. At this time, Mr. Wang came to Mr. Li's office and said that Mr. Jiang was the last employee to retrieve a film file yesterday. Xiao Li immediately took his notebook to look for Xiao Jiang and planned to find out the truth.

Mr. Jiang is a new employee of the company. Mr. Li once met him several times but did not talk to him. Mr. Jiang told Mr. Li the whole process of his work: He first downloads the video file from the server, edits it, and then submits the modified file to the server. When Xiao Li asked about the upload and download methods, Xiao Jiang said that he was using FTP for download. When Mr. Li heard this clue, he thought this might be the problem. Then he asked Mr. Jiang about the upload time after modifying the file. Xiao Jiang said at the meeting, "Yesterday was my wife's birthday, so it was very punctual to get off work at night. The time was between and ~ ".

Iv. Forensic Analysis

Mr. Li decided to first look for the FTP log on the server later. Mr. Wang was glad that the incident had made new progress. He helped Mr. Li query FTP log files and logged on to the post-production server.

# Grep xiaojiang xferlog

Mon Sept 10 04:48:18 2010 1 1.example.com 147456/var/ftp/pubinfo/bdsq/file2.jpg B _oa xiaojiang ftp 0 * I

"Okay, this indicates that Jack is uploading files normally. But Will someone retrieve it later ?"

# Grep jer xferlog

Mon Sept 10 04:48:18 2010 1 1.example.com 147456/completed/hawk. avi B _oa Jer ftp 0 * I

Xiao Li is a little confused. Xiao Jiang uploads files normally. No one has accessed the files since then, at least no one has accessed the files through FTP. Xiao Li returned to his office in a fog. Mr. Wang saw Mr. Li and stopped him. He hurriedly asked if there were any new discoveries. However, Xiao Li can only explain to him that he has discovered some suspicious things, but has not yet been confirmed. Xiao Li once again feels like an ant in a hot pot all day. At this time, Xiao Zhou came to Xiao Wang's office. The same thing happened! He hurriedly said: "another video with a sound title was published on a movie website ". When I saw such a situation as a manager, Mr. Wang and Mr. Li burst into the dark. Zhou said that the video file was created last night. How can it be leaked so quickly? At this time, Xiao Li wanted to contact the website administrator of a movie website to see who posted the video. After getting in touch with the network management, the Network Management said the information from a person claiming to be a Tom, his e-mail address is tom@yahoo.com.cn.

Here, Mr. Li began to use the mail header information of the email to find an example of his IP Address Email evidence identification. He found the following mail header information:

Received: from web15604.mail.cnb.yahoo.com ([2018.5.102.x]) by SNT0-MC3 -F14.Snt0.hotmail.com with Microsoft SMTPSVC (6.0.20.0.4675); Sat, 24 Sep 2010 08:17:50-0700

Received: from [122.246.51.2x] by web15604.mail.cnb.yahoo.com viaHTTP; Sat, 24 Sep 2010 23:17:48 CST

X-Mailer: YahooMailWebService/0.8.114.317681

Message-ID: <1316877468.60773.YahooMail-Neo@web15604.mail.cnb.yahoo.com>

Date: Sat, 24 Sep 2010 23:17:48 + 0800 (CST)

From: zhen tom@yahoo.com.cn

Reply-To: tom fei tom @ yahoo.com.cn

Subject: test by webmail

To: =? UTF-8? B? 6LS56ZyH5a6H? = Tom@hotmail.com

After careful analysis and verification, Mr. Li basically determined his IP address, and entered the email address using the Maltego CE tool in the OSINT tools toolbox. After simple configuration, the system starts searching for more information about this mailbox. Mr. Li came to Mr. Wang's desk and wondered if he could find some other information. Mr. Li asked Mr. Wang to check the FTP log again.

# Grep apple1.avi xfelog

Mon Sept 10 04:48:18 2010 1 postprod 147456/completed/apple1.avi B _oa \ lex ftp 0 * I

Similarly, no one has accessed these files after the staff has uploaded them. Mr. Li asked Mr. Wang if he had other methods to obtain these files. Mr. Wang explained that the host was configured with a firewall that only allowed access through ports 21, 22, and 80, that is, access through SSH, FTP, and Apache services. So Mr. Li asked Mr. Wang to check the SSH log files uploaded to the FTP server.

Sep 10 17:24:58 postprod sshd [3211]: Accepted password for wanglei from 192.168.0.3 port 49172 ssh2

Sep 10 18:03:18 postprod sshd [3211]: Accepted password for wanglei from 192.168.0.3 port 49172 ssh2

Sep 10 22:13:38 postprod sshd [3211]: Accepted password for wanglei from 192.168.0.3 port 49172 ssh2

As a result, Xiao Li felt very lost. The problem is that no one has ever accessed these files. How did these files leak out? Next, Mr. Wang had to check the Web server log file to see if he could find some clues.

# Grep hawk. avi/var/log/apache/

192.168.1.11 -- [10/Sep/2010: 23: 55: 36-0700] "GET/completed/hawk. avi HTTP/1.0" 200 2323336

Wang's eyes lit up, and Li opened his mouth with a big surprise. 192.168.1.11 is the company's intranet address. Maybe they found the "murderer "! They found an abnormal IP address, which he had never seen before (192.168.1.11. This IP address is not in the DHCP range, but belongs to a static Server Range. Mr. Li asked Mr. Smith if he knew which server used the IP address. He was not sure. However, this IP address must not belong to the VLAN where the server group is located. Xiao Li decided to carefully check the Web server log file. This time, he mainly looked at this suspicious IP Address:

# Grep '1970. 168.1.11 '/var/log/apache/

192.168.1.11 -- [10/Sep/2010: 23: 50: 36-0700] "GET/index.html HTTP/1.0" 200 2326

192.168.1.11 -- [10/Sep/2010: 23: 55: 36-0700] "GET/completed/index.html HTTP/1.0" 200 2378

192.168.1.11 -- [10/Sep/2010: 23: 51: 36-0700] "GET/completed/movie-cab.avi HTTP/1.0" 200 1242326

192.168.1.11 -- [10/Sep/2010: 23: 52: 24-0700] "GET/completed/hawk. avi HTTP/1.0" 200 2323336

192.168.1.11 -- [10/Sep/2010: 23: 55: 36-0700] "GET/completed/apple1.avi HTTP/1.0" 200 642326

192.168.1.11 -- [10/Sep/2010: 14: 00: 38-0700] "GET/completed/pool. avi HTTP/1.0" 200 662326

192.168.1.11 -- [10/Sep/2010: 23: 55: 36-0700] "GET/completed/less. avi HTTP/1.0" 200 2552326

Xiao Li found that someone browsed a lot of files. Before the company loses more files, Xiao Li must check what happened. Mr. Li told Mr. Wang about his progress. He was very happy with this, but he hoped that Mr. Li could find the final answer as soon as possible. Mr. Li returned to his seat and continued to track the suspicious IP addresses in the log. He is very excited because the "Suspect" is closer, even though he does not know where to start. He believes that the best way to find this IP address is to find the physical connection from where the IP address is connected to the network. To achieve this, you need to connect the machine to the port of the switch to match the MAC address of the machine.

5. Forgotten Squid Server

Xiao Li first ping the IP address and then obtains the MAC address of the machine from the ARP table.

1) trace illegal ports

John got important information and immediately logged on to the Cisco switch that the server was connected. After several attempts, a major breakthrough was made.

Run the ping command to check the MAC address of the NIC.

Interface: 192.168.3.41 on Interface 0x1000003

Internet Address Physical Address Type

192.168.1.1 00-30-ab-04-26-dd dynamic

192.168.1.11 00-0d-56-21-af-d6 dynamic

Check that the MAC address of the suspicious IP address is 00-0d-56-21-af-d6 from the ARP cache of the local machine. The address is still displayed when you log on to the vswitch.

BJ-SW # show arp | in 192.168.1.11

Internet 192.168.1.11 3 000d. 5621. afd6 ARPA Vlan20

Next, we need to know which switch machine the machine is connected.

BJ-SW # show mac-address-table dynamic address 000d. 5621. afd6

Unicast Entries

Vlan mac address type protocols port

------- + --------------- + -------- + --------------------- + --------------------

20 000d. 5621. afd6 dynamic ip, ipx GigabitEthernet3/2

The result shows that this is a gigabit port connection. Let's look at our neighbors (this is the second-level cascade switch of the core switch machine)

# Sh cdp neighbors BJ-SW-419-1-4

Capability Codes: R-Router, T-Trans Bridge, B-Source Route Bridge

S-Switch, H-Host, I-IGMP, r-Repeater, P-Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID

SW-419-2-3 Gig 3/4 152 s I WS-C3550-4Gig 0/2

SW-419-1-3 Gig 3/3 168 s I WS-C3550-4Gig 0/2

SW-440-1-4 Gig 3/1 173 s I WS-C3550-4Gig 0/2

SW-440-2-4 Gig 3/2 143 s I WS-C3550-2Gig 0/2

Finally found it, on the SW-440-2-4 Gig 3/2 143 SI WS-C3550-2Gig 0/2, below we log on directly to the SW-440-2-4 this switch, enter MAC look up.

SW-440-2-4 # show mac-address-table dynamic address 000d. 5621. afd6

Mac Address Table

-------------------------------------------

Vlan Mac Address Type Ports

----------------------------

20 000d. 5621. afd6 DYNAMIC Fa0/23

Total Mac Addresses for this criterion: 1

Then, the patch cord can be directly connected to the Machine Based on the patch cord table during cabling, and then the port is closed.

Note: As a manager, it is essential to quickly locate the switch port and find out the correspondence between the IP address and the MAC address. Familiar with the above methods can achieve twice the result with half the effort for troubleshooting at ordinary times.

Xiao Li discovered that the system was even on the 23rd ports of the server switch, so he rushed down the building and headed straight to the small data center. He quickly found port 23rd in front of the Catalyst switch, and then began to look at it. A wide range of messy Network cables can cause headaches at a glance. It takes a lot of time for Xiao Li to find problems. Finally, the connected host was found. Xiao Li found that the host had two NICs. He crawled out of the network cable heap and looked helplessly at the machine. The chassis was labeled with a yellow old label, which said Squid Proxy Server. At this time, Xiao Li immediately had a sense of nausea, because the server had not been used for at least a year and he had never used it since he got promoted.

At present, Xiao Li cannot determine where the hackers intrude into the system, and the proxy server poses another challenge for them to investigate. Mr. Wang provided some useful clues to Mr. Li. He handed over the server username and password list left by his former manager to Mr. Li. Mr. Li quickly returned to his seat and started his work. He logged on to the Squid Proxy Server and hoped to discover something this time.

6. Doubt Analysis

Xiao Li quickly opened the terminal, used SSH to log on to the server, and used the root user and password. Successfully logged on to the system. Xiao Li can easily find the access. log File. Now he can find anyone who has logged on to the server.

Squidbox #1 s-1/usr/local/squid/logs/access. log

-Rw-r -- 1 squid 2838159 Sep 11 0:25 access. log

The problem arises. Because the SQUID server has been working for a long time, the squid. log is very large and it is not easy to query an IP address. How can we extract the IP address of access. log? Xiao Li uses the following command:

Squidbox # awk '{print $3;}' access. log

Mr. Li saw what he was most reluctant to see-the last time the file was modified was this morning. Now we should look at this file:

Squidbox # tail/usr/local/squid/logs/access. log

892710014.016 14009 10.100.4x.5x TCP_MISS/304 126 GET http: // 192.168.2.3/completed/less. avi --

Apparently, people outside the company's network have used proxy servers to access post-production Web servers. Through the log files, Xiao Li knows clearly that hackers visited Hawk and Apple films last night. He hoped that the hacker could visit again tonight to catch the exception.

Mr. Li quickly ran to Mr. Wang's office and told him the news. After finding the "murderer", Mr. Wang felt much easier and hoped to find