Event Analysis: Detecting Compromises, Javascript, Backdoors, and more!
There are a variety of indicators that a system has been compromised, ranging from the obvious to the very subtle.
Less obvious indications of a compromise include increased bandwidth, subtle IDS alerts (such as those indicating anomalous behavior) and mysterious configuration changes on systems. The questions that are typically asked include "How did they get in?" and "What did they do?" Tenable's Passive Vulnerability Scanner (PVS) provides useful information for answering these questions. Following are some of the alerts PVS may generate during an intrusion:
| x.y.z.1|8011/tcp|3389|NOTE|Feb 16 03:14:57 - The remote host is a proxy server. PVS has determined this due to the format of the HTTP request. PVS observed a client issuing this request:\nGET http://www.exampledomain.com HTTP/1.\n\nThe server replied with:\nProxy-Connection:XXXXXXXX\nExternal Access :\nThe PVS has observed connections to this port from hosts outside of the configured range of network addresses. This vulnerability is likely accessible from external network addresses. |
The alert shown above was generated because a host on the compromised network was found to be an active proxy server. This means it was accepting connections from external hosts and proxying them out to the Internet. Proxy servers are used by attackers for several different reasons, including sending spam to forums, brute forcing public web applications and cheating "Pay-To-Click" advertising (more information on this topic can be found in the post from Zscaler Research titled Top Abuses of Open Web Proxies. Further investigation revealed that a web server made an outbound FTP connection request:
| x.y.z.1|0/tcp|3377|NOTE|Feb 16 00:05:50 - The remote host is running an FTP client. |
It’s interesting to see that attackers are still using FTP to transfer files. One of the cases I worked on early in my career analyzed a compromise where the attackers were using FTP to upload files and download rootkits to systems. In that particular case, they left the credentials to the FTP server in a plaintext file, which greatly aided in the investigation. Once attackers have installed their tools, it is possible to use PVS to detect so-called "backdoor" communications:
| 0.0.0.0|456/tcp|6|NOTE|Feb 15 12:56:33 - 0.0.0.0 -> x.y.z.1:456|PVS has detected a port used for one or more inbound interactive sessions: there was a large number of small packets relative to the number of packets in the session and the timing characteristics of the packets match user keystroke frequencies |
Backdoors come in many different flavors, including some that implement encryption or even protocol manipulation (such as the famed ICMP backdoor named "loki"). PVS was able to detect the backdoor in use by analyzing the traffic patterns described above. By analyzing the behavior rather than trying to fingerprint the protocol or simply identify the port being used, PVS increases the chances of detection regardless of the methods implemented by the backdoor. PVS also categorized several open source programs which had embedded software packages that were suspect:
| x.y.z.1|80/tcp|5278|NOTE|Feb 15 15:56:06 - The remote web server utilizes JavaScript on its pages. Further, the web server seems to be using JavaScript from an external source. The source of the JavaScript is:\n<script src="http://exampledomain.com/sanitized.js" type="text/javascript"\n\n The JavaScript is embedded within the following web document:\nGET /sanitized.html HTTP/1.1 \nSolution :\n\nEnsure that loading client-side JavaScript from a 3rd party is authorized according to policies and guidelines.\n\nExternal Access :\nThe PVS has observed connections to this port from hosts outside of the configured range of network addresses. This vulnerability is likely accessible from external network addresses. |
The PVS alert shown above found that not only was JavaScript being served from the web site, but that a third-party web server's JavaScript pages were included in the web site. This means that, in this case, users going to the web site were also running malicious JavaScript. This is a common practice and can be used by attackers for all types of malicious behavior, such as stealing users’ authentication cookies. PVS also noted a new service port that the site administrators had no knowledge of:
| 0.0.0.0|51323/tcp|9|NOTE|Feb 16 00:10:24 - 0.0.0.0 -> x.y.z.1:51323|PVS detected a port used for one or more inbound encrypted sessions. The data in this session had a high degree of randomness. Most likely, this is normal legitimate network traffic, but a variety of backdoors and compromised tools will also utilize encryption |
We are often concerned when attackers decide to use encryption. However, by observing behavioral changes, we can some times easily point out an attacker's backdoor channel. If you have an alert similar to the one above and you are not running a service on port 51323, further investigation into this encrypted channel is warranted.
For More Information
Tenable has written several dozen other articles on Event Analysis Training that include analysis of IP reputation, botnet activity, network anomaly detection and much more. These articles are all listed in the Event Analysis Training section of our blog. If you would like more information about Tenable’s set of Unified Security Monitoring products, please feel free to watch any of our video demos or contact our sales team.
Related Articles
Taking IBM QRadar SIEM One Step Further Using Tenable.ad
September 30, 2021If you can't continuously monitor Active Directory, it's impossible to achieve full visibility into your evolving attack surface. Here's how combining Tenable.ad with IBM QRadar can help. It's no sec...
PVS App for Splunk
August 22, 2014<p>Splunk Enterprise analyzes everything from customer clickstreams and transactions to network activity and call records, turning your machine data into valuable insights. The <a href="http://apps.splunk.com/app/1844/">Tenable™ PVS app for Splunk</a> increases the security threat intelligence of Splunk by sending it critical security-relevant information.</p>
Detecting Errata Security's Port 22 Internet-Wide Scan
September 18, 2013<p>The security researchers at Errata Security performed an Internet-wide port 22 scan to gather SSH daemon banner information. The scan happened on September 12th from 71.6.151.167 with a tool named masscan. If you run a SIM, a network IDS or any type of passive network monitoring, this is a really easy and safe "known" to go and see if your monitoring is configured correctly. It is the proverbial “shooting fish in a barrel” example where you can show that your network security monitoring is in fact working.</p>
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Cybersecurity Snapshot: Cyber Agencies Offer Secure AI Tips, while Stanford Issues In-Depth AI Trends Analysis, Including of AI Security
April 19, 2024Check out recommendations for securing AI systems from the Five Eyes cybersecurity agencies. Plus, Stanford University offers a comprehensive review of AI trends. Meanwhile, a new open-source tool aims to simplify SBOM usage. And don’t miss the latest CIS Benchmarks updates. And much more!
Tenable and Thales Collaborate to Provide Cyber Defense Simulations to Better Secure Operational Technology Environments
April 18, 2024The heart of the Welsh Valleys is home to the Thales Ebbw Vale campus, a world-class facility jointly funded by the Welsh government as part of its regeneration program for the region. At the core of the facility is the Cyber Range, a simulation and virtualization platform for training, testing, exercising and R&D. Tenable has joined the lineup of solutions used to run real world simulations in this controlled environment.
- Event Monitoring
- Passive Network Monitoring