Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Event Analysis: Detecting Compromises, Javascript, Backdoors, and more!

There are a variety of indicators that a system has been compromised, ranging from the obvious to the very subtle.

fluffy-bunny.png
If your web site looks like the above image, you may have been compromised

Less obvious indications of a compromise include increased bandwidth, subtle IDS alerts (such as those indicating anomalous behavior) and mysterious configuration changes on systems. The questions that are typically asked include "How did they get in?" and "What did they do?" Tenable's Passive Vulnerability Scanner (PVS) provides useful information for answering these questions. Following are some of the alerts PVS may generate during an intrusion:



x.y.z.1|8011/tcp|3389|NOTE|Feb 16 03:14:57 - The remote host is a proxy server. PVS has determined this due to the format of the HTTP request. PVS observed a client issuing this request:\nGET http://www.exampledomain.com HTTP/1.\n\nThe server replied with:\nProxy-Connection:XXXXXXXX\nExternal Access :\nThe PVS has observed connections to this port from hosts outside of the configured range of network addresses. This vulnerability is likely accessible from external network addresses.

The alert shown above was generated because a host on the compromised network was found to be an active proxy server. This means it was accepting connections from external hosts and proxying them out to the Internet. Proxy servers are used by attackers for several different reasons, including sending spam to forums, brute forcing public web applications and cheating "Pay-To-Click" advertising (more information on this topic can be found in the post from Zscaler Research titled Top Abuses of Open Web Proxies. Further investigation revealed that a web server made an outbound FTP connection request:

x.y.z.1|0/tcp|3377|NOTE|Feb 16 00:05:50 - The remote host is running an FTP client.

It’s interesting to see that attackers are still using FTP to transfer files. One of the cases I worked on early in my career analyzed a compromise where the attackers were using FTP to upload files and download rootkits to systems. In that particular case, they left the credentials to the FTP server in a plaintext file, which greatly aided in the investigation. Once attackers have installed their tools, it is possible to use PVS to detect so-called "backdoor" communications:

0.0.0.0|456/tcp|6|NOTE|Feb 15 12:56:33 - 0.0.0.0 -> x.y.z.1:456|PVS has detected a port used for one or more inbound interactive sessions: there was a large number of small packets relative to the number of packets in the session and the timing characteristics of the packets match user keystroke frequencies

Backdoors come in many different flavors, including some that implement encryption or even protocol manipulation (such as the famed ICMP backdoor named "loki"). PVS was able to detect the backdoor in use by analyzing the traffic patterns described above. By analyzing the behavior rather than trying to fingerprint the protocol or simply identify the port being used, PVS increases the chances of detection regardless of the methods implemented by the backdoor. PVS also categorized several open source programs which had embedded software packages that were suspect:

x.y.z.1|80/tcp|5278|NOTE|Feb 15 15:56:06 - The remote web server utilizes JavaScript on its pages. Further, the web server seems to be using JavaScript from an external source. The source of the JavaScript is:\n<script src="http://exampledomain.com/sanitized.js" type="text/javascript"\n\n The JavaScript is embedded within the following web document:\nGET /sanitized.html HTTP/1.1 \nSolution :\n\nEnsure that loading client-side JavaScript from a 3rd party is authorized according to policies and guidelines.\n\nExternal Access :\nThe PVS has observed connections to this port from hosts outside of the configured range of network addresses. This vulnerability is likely accessible from external network addresses.

The PVS alert shown above found that not only was JavaScript being served from the web site, but that a third-party web server's JavaScript pages were included in the web site. This means that, in this case, users going to the web site were also running malicious JavaScript. This is a common practice and can be used by attackers for all types of malicious behavior, such as stealing users’ authentication cookies. PVS also noted a new service port that the site administrators had no knowledge of:

0.0.0.0|51323/tcp|9|NOTE|Feb 16 00:10:24 - 0.0.0.0 -> x.y.z.1:51323|PVS detected a port used for one or more inbound encrypted sessions. The data in this session had a high degree of randomness. Most likely, this is normal legitimate network traffic, but a variety of backdoors and compromised tools will also utilize encryption

We are often concerned when attackers decide to use encryption. However, by observing behavioral changes, we can some times easily point out an attacker's backdoor channel. If you have an alert similar to the one above and you are not running a service on port 51323, further investigation into this encrypted channel is warranted.

For More Information

Tenable has written several dozen other articles on Event Analysis Training that include analysis of IP reputation, botnet activity, network anomaly detection and much more. These articles are all listed in the Event Analysis Training section of our blog. If you would like more information about Tenable’s set of Unified Security Monitoring products, please feel free to watch any of our video demos or contact our sales team.

Related Posts

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,190.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security