Event Analysis: Detecting Compromises, Javascript, Backdoors, and more!

by Paul Asadoorian
March 3, 2011

There are a variety of indicators that a system has been compromised, ranging from the obvious to the very subtle.

If your web site looks like the above image, you may have been compromised

Less obvious indications of a compromise include increased bandwidth, subtle IDS alerts (such as those indicating anomalous behavior) and mysterious configuration changes on systems. The questions that are typically asked include "How did they get in?" and "What did they do?" Tenable's Passive Vulnerability Scanner (PVS) provides useful information for answering these questions. Following are some of the alerts PVS may generate during an intrusion:

x.y.z.1|8011/tcp|3389|NOTE|Feb 16 03:14:57 - The remote host is a proxy server. PVS has determined this due to the format of the HTTP request. PVS observed a client issuing this request:\nGET http://www.exampledomain.com HTTP/1.\n\nThe server replied with:\nProxy-Connection:XXXXXXXX\nExternal Access :\nThe PVS has observed connections to this port from hosts outside of the configured range of network addresses. This vulnerability is likely accessible from external network addresses.

The alert shown above was generated because a host on the compromised network was found to be an active proxy server. This means it was accepting connections from external hosts and proxying them out to the Internet. Proxy servers are used by attackers for several different reasons, including sending spam to forums, brute forcing public web applications and cheating "Pay-To-Click" advertising (more information on this topic can be found in the post from Zscaler Research titled Top Abuses of Open Web Proxies. Further investigation revealed that a web server made an outbound FTP connection request:

x.y.z.1|0/tcp|3377|NOTE|Feb 16 00:05:50 - The remote host is running an FTP client.

It’s interesting to see that attackers are still using FTP to transfer files. One of the cases I worked on early in my career analyzed a compromise where the attackers were using FTP to upload files and download rootkits to systems. In that particular case, they left the credentials to the FTP server in a plaintext file, which greatly aided in the investigation. Once attackers have installed their tools, it is possible to use PVS to detect so-called "backdoor" communications:|456/tcp|6|NOTE|Feb 15 12:56:33 - -> x.y.z.1:456|PVS has detected a port used for one or more inbound interactive sessions: there was a large number of small packets relative to the number of packets in the session and the timing characteristics of the packets match user keystroke frequencies

Backdoors come in many different flavors, including some that implement encryption or even protocol manipulation (such as the famed ICMP backdoor named "loki"). PVS was able to detect the backdoor in use by analyzing the traffic patterns described above. By analyzing the behavior rather than trying to fingerprint the protocol or simply identify the port being used, PVS increases the chances of detection regardless of the methods implemented by the backdoor. PVS also categorized several open source programs which had embedded software packages that were suspect:

x.y.z.1|80/tcp|5278|NOTE|Feb 15 15:56:06 - The remote web server utilizes JavaScript on its pages. Further, the web server seems to be using JavaScript from an external source. The source of the JavaScript is:\n<script src="http://exampledomain.com/sanitized.js" type="text/javascript"\n\n The JavaScript is embedded within the following web document:\nGET /sanitized.html HTTP/1.1 \nSolution :\n\nEnsure that loading client-side JavaScript from a 3rd party is authorized according to policies and guidelines.\n\nExternal Access :\nThe PVS has observed connections to this port from hosts outside of the configured range of network addresses. This vulnerability is likely accessible from external network addresses.

The PVS alert shown above found that not only was JavaScript being served from the web site, but that a third-party web server's JavaScript pages were included in the web site. This means that, in this case, users going to the web site were also running malicious JavaScript. This is a common practice and can be used by attackers for all types of malicious behavior, such as stealing users’ authentication cookies. PVS also noted a new service port that the site administrators had no knowledge of:|51323/tcp|9|NOTE|Feb 16 00:10:24 - -> x.y.z.1:51323|PVS detected a port used for one or more inbound encrypted sessions. The data in this session had a high degree of randomness. Most likely, this is normal legitimate network traffic, but a variety of backdoors and compromised tools will also utilize encryption

We are often concerned when attackers decide to use encryption. However, by observing behavioral changes, we can some times easily point out an attacker's backdoor channel. If you have an alert similar to the one above and you are not running a service on port 51323, further investigation into this encrypted channel is warranted.

For More Information

Tenable has written several dozen other articles on Event Analysis Training that include analysis of IP reputation, botnet activity, network anomaly detection and much more. These articles are all listed in the Event Analysis Training section of our blog. If you would like more information about Tenable’s set of Unified Security Monitoring products, please feel free to watch any of our video demos or contact our sales team.