Unit 3: The #MoocHackingMU challenge

October 22, 2015 in gnu/linux, security, Servers & DataCenters, Uncategorized, SysAdmin by b3r2c0

TASK 1 === Group: Exploit Milenario ===

The group is formed out of the Consejo Jedi Facebook group, and a private WhatsApp group is created with all the members. The idea is to share out tasks, although in the end some people do not take part.

Contact within the group becomes scarcer as the days go by, and after 3-4 days it is practically nil.

In the first days a spreadsheet is set up in Google Drive where the possible vulnerabilities of the server are recorded as they are detected and the tasks for the group are marked.

Defence/attack groups are defined up front and the basic tasks on the server are started.

TASK 2 === Individual ===

Being the one with the best access at the time of the group hand-in, I carry out a minimal hardening of the system, consisting basically of:

– Review of the repositories
– System update
– Integrity tools: rkhunter, chkrootkit, yasat
– Tools that block on failed access: fail2ban
– Monitoring and logging tools: logwatch, which I configure to forward to one of my email accounts, adding the scheduled task in cron.
– Port review with nmap and filtering with ufw.
– Changes are made to the Apache configuration file, securing access and misleading with the public information it can show (e.g.):
SecServerSignature "IIS 10.0 Express"
vim /etc/php5/apache2/php.ini -> expose_php = off

** Other options are considered that the group decides not to adopt: changing the ssh port, disabling root access, private-key access.
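The three options the group weighed here (non-default port, no root login, key-only access) can be checked mechanically against the running sshd_config. The script below is an added example, not code from the post or from the course; it assumes the OpenSSH 6.x defaults of that era (labelled in the code; newer releases default PermitRootLogin to prohibit-password) and audits two constructed config files. It also checks MaxAuthTries, because the "PAM service(sshd) ignoring max retries; 6 > 3" lines in the report below are the symptom of sshd's default of 6 exceeding PAM's own limit of 3.

```python
"""sshd_config audit for the options the group weighed (ssh port, root login,
key-only access) plus the MaxAuthTries/PAM mismatch visible in the report.
Added example, not the post's own code."""
import re
from typing import Dict, List, Tuple

# Assumed defaults for the OpenSSH 6.x releases shipped with Debian/Ubuntu in
# 2015; newer releases default PermitRootLogin to prohibit-password.
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global settings: keywords are case-insensitive, the FIRST
    occurrence of a keyword wins, 'Key value' and 'Key=value' are both valid,
    and everything from the first Match block on is conditional, so stop there."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key not in seen:
            seen.add(key)
            settings[key] = parts[1].strip() if len(parts) > 1 else ""
    return settings


Finding = Tuple[str, str, str]  # (severity, directive, explanation)


def audit(settings: Dict[str, str]) -> List[Finding]:
    """Report the weak settings; an empty list means all checks passed."""
    findings: List[Finding] = []
    if settings["port"] == "22":
        findings.append(("info", "Port",
                         "default port: moving it only cuts scanner noise, it is not an access control"))
    if settings["permitrootlogin"] == "yes":
        findings.append(("high", "PermitRootLogin",
                         "root may log in with a password; the report shows thousands of root/password guesses"))
    if settings["passwordauthentication"] != "no":
        findings.append(("high", "PasswordAuthentication",
                         "password logins accepted; key-only access removes the brute-force surface"))
    if settings["pubkeyauthentication"] == "no":
        findings.append(("high", "PubkeyAuthentication",
                         "public-key logins disabled, so password auth cannot be switched off"))
    try:
        tries = int(settings["maxauthtries"])
    except ValueError:
        tries = int(DEFAULTS["maxauthtries"])
    if tries > 3:
        findings.append(("medium", "MaxAuthTries",
                         f"{tries} > 3 is what PAM logs as 'ignoring max retries'; set 3 so both layers agree"))
    return findings


# Constructed configs: the server roughly as delivered, and the declined options applied.
WEAK_CONFIG = """\
# Debian default-ish
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
"""

HARDENED_CONFIG = """\
Port = 2222            # both syntaxes are accepted
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
Match User backup      # conditional section: not part of the global audit
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for sev, directive, why in audit(parse_sshd_config(cfg)) or [("ok", "-", "no findings")]:
            print(f"  [{sev:6}] {directive}: {why}")
```

Run it against a real file with `audit(parse_sshd_config(open("/etc/ssh/sshd_config").read()))`; the parser deliberately ignores Match blocks, so per-user exceptions are not reported and must be reviewed by hand.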

** For personal reasons I have no connection to the server over the following days and I follow the group's activity in the WhatsApp group, commenting on progress and contributing advice or actions; feedback and communication within the group are lost before the challenge ends.

=== highlights ===
– the number of brute-force attacks on the ssh service
– the www-data sessions opened by cron
– the privilege escalations with the ftp, www-data and mysql users
– the number of IPs from which access has been attempted, as well as the wrong usernames.
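The highlights above are what a sysadmin pulls out of /var/log/auth.log before logwatch summarises it. As an added example (not the post's code and not logwatch itself), the script below rebuilds the "Failed logins from" and "Illegal users from" tallies of the report from raw sshd syslog lines, counts the PAM max-retries warning, and flags sources that reach a fail2ban-style threshold. The log lines are constructed with RFC 5737 documentation addresses; the hostname is the one in the report; the threshold of 5 is an assumed value.

```python
"""Tally sshd failures from auth.log the way the logwatch report does and
flag sources over a ban threshold.  Added example with constructed input."""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# Debian/Ubuntu syslog layout of the time; journald or RFC 5424 need another prefix.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)")
PAM_MISMATCH = "ignoring max retries"  # sshd MaxAuthTries above PAM's own limit


def summarize(lines: Iterable[str]) -> dict:
    """failed[ip][user] mirrors 'Failed logins from', invalid[ip][user] mirrors
    'Illegal users from'; accepted logins are deliberately not counted here."""
    failed: Dict[str, Counter] = defaultdict(Counter)
    invalid: Dict[str, Counter] = defaultdict(Counter)
    pam_mismatch = 0
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failed[m["ip"]][m["user"]] += 1
            continue
        m = INVALID_RE.search(line)
        if m:
            invalid[m["ip"]][m["user"]] += 1
            continue
        if PAM_MISMATCH in line:
            pam_mismatch += 1
    return {"failed": dict(failed), "invalid": dict(invalid), "pam_mismatch": pam_mismatch}


def ban_candidates(summary: dict, threshold: int = 5) -> List[Tuple[str, int]]:
    """Sources whose failed-password total reaches the threshold, busiest first
    (the same decision a fail2ban sshd jail makes per findtime window)."""
    totals: Counter = Counter()
    for ip, users in summary["failed"].items():
        totals[ip] += sum(users.values())
    return sorted(((ip, n) for ip, n in totals.items() if n >= threshold),
                  key=lambda t: (-t[1], t[0]))


def report(summary: dict, threshold: int = 5) -> str:
    """Render the tallies in the same shape as the logwatch SSHD section."""
    out = ["Failed logins from:"]
    for ip, users in sorted(summary["failed"].items()):
        out.append(f"   {ip}: {sum(users.values())} times")
        out += [f"      {u}/password: {n} times" for u, n in users.most_common()]
    out.append("Illegal users from:")
    for ip, users in sorted(summary["invalid"].items()):
        out.append(f"   {ip}: {sum(users.values())} times")
        out += [f"      {u}: {n} times" for u, n in users.most_common()]
    if summary["pam_mismatch"]:
        out.append(f"PAM max-retries mismatch seen {summary['pam_mismatch']} time(s): lower MaxAuthTries")
    out.append("Ban candidates: " + ", ".join(f"{ip} ({n})" for ip, n in ban_candidates(summary, threshold)))
    return "\n".join(out)


# Constructed sample: one password-guessing source, one username-probing source,
# one legitimate key login that must not be counted.
SAMPLE_LOG = """\
Oct 20 03:14:07 team-0066 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 20 03:14:09 team-0066 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 20 03:14:11 team-0066 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 20 03:14:12 team-0066 sshd[1201]: PAM service(sshd) ignoring max retries; 6 > 3
Oct 20 03:14:13 team-0066 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 20 03:15:40 team-0066 sshd[1240]: Invalid user test from 198.51.100.7
Oct 20 03:15:42 team-0066 sshd[1240]: Failed password for invalid user test from 198.51.100.7 port 40022 ssh2
Oct 20 03:15:50 team-0066 sshd[1244]: Invalid user nagios from 198.51.100.7
Oct 20 03:15:52 team-0066 sshd[1244]: Failed password for invalid user nagios from 198.51.100.7 port 40031 ssh2
Oct 20 03:16:01 team-0066 sshd[1250]: Accepted publickey for admin from 192.0.2.10 port 50010 ssh2
Oct 20 03:16:30 team-0066 sshd[1260]: Failed password for www-data from 203.0.113.5 port 51300 ssh2
"""

if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG.splitlines())))
```

On a live box feed it `open("/var/log/auth.log")` instead of the sample; a host that already runs fail2ban will show the per-source counts plateau at the jail's maxretry, which is a quick way to confirm the jail is actually biting.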
Example log from the last few days:
################### Logwatch 7.4.0 (05/02/12) ####################
Detail Level of Output: 10
Type of Output/Format: mail / text
Logfiles for Host: team-0066
##################################################################

--------------------- Cron Begin ------------------------

Commands Run:
User root:
cd / && run-parts --report /etc/cron.hourly: 24 Time(s)
[ -x /usr/lib/php5/maxlifetime ] && [ -x /usr/lib/php5/sessionclean ] && [ -d /var/lib/php5 ] && /usr/lib/php5/sessionclean /var/lib/php5 $(/usr/lib/php5/maxlifetime): 48 Time(s)
/usr/sbin/check-integrity.sh: 4 Time(s)
test -x /etc/init.d/anacron && /usr/sbin/invoke-rc.d anacron start >/dev/null: 1 Time(s)
test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ): 1 Time(s)
User www-data:
php --define suhosin.memory_limit=512M /usr/share/cacti/site/poller.php 2>&1 >/dev/null | if [ -f /usr/bin/ts ] ; then ts ; else tee ; fi >> /var/log/cacti/poller-error.log: 288 Time(s)

---------------------- Cron End -------------------------
--------------------- httpd Begin ------------------------

0.01 MB transferred in 26 responses (1xx 0, 2xx 23, 3xx 0, 4xx 3, 5xx 0)
1 Images (0.00 MB),
12 Content pages (0.00 MB),
13 Other (0.00 MB)

Requests with error response codes
404 Not Found
/CFIDE/administrator/: 1 Time(s)
/favicon.ico: 1 Time(s)
/robots.txt: 1 Time(s)

A total of 1 ROBOTS were logged
– 1 Time(s)

---------------------- httpd End -------------------------
--------------------- pam_unix Begin ------------------------

cron:
Sessions Opened:
www-data: 288 Time(s)
root: 78 Time(s)

sshd:
Authentication Failures:
root (213.172.86.5): 10409 Time(s)
root (218.65.30.92): 1207 Time(s)
root (43.229.53.20): 446 Time(s)
unknown (213.172.86.5): 412 Time(s)
root (125.65.245.146): 329 Time(s)
bin (125.65.245.146): 36 Time(s)
unknown (46.118.158.232): 36 Time(s)
www-data (213.172.86.5): 20 Time(s)
unknown (125.65.245.146): 15 Time(s)
unknown (178.62.173.36): 14 Time(s)
unknown (201.236.236.158): 9 Time(s)
unknown (193.201.227.109): 8 Time(s)
unknown (101.231.74.47): 7 Time(s)
unknown (123.59.58.229): 7 Time(s)
unknown (177.22.195.36): 7 Time(s)
unknown (187.141.82.87): 7 Time(s)
unknown (190.85.103.250): 7 Time(s)
unknown (190.95.191.67): 7 Time(s)
unknown (201.151.95.126): 7 Time(s)
unknown (201.249.200.109): 7 Time(s)
unknown (212.176.197.29): 7 Time(s)
unknown (na-148-243-232-115.static.avantel.net.mx): 7 Time(s)
unknown (nat69.udea.edu.co): 7 Time(s)
ftp (213.172.86.5): 6 Time(s)
root (46.118.158.232): 6 Time(s)
unknown (200.68.9.177): 6 Time(s)
nobody (213.172.86.5): 5 Time(s)
unknown (187-177-137-233.dynamic.axtel.net): 5 Time(s)
root (193.201.227.109): 4 Time(s)
unknown (190.7.218.26): 3 Time(s)
unknown (office.vinta.org): 3 Time(s)
unknown (186.225.138.146): 2 Time(s)
news (125.65.245.146): 1 Time(s)
root (138.186.95.154): 1 Time(s)
root (183.146.124.241): 1 Time(s)
root (68.234.117.169): 1 Time(s)
unknown (24.54.120.35): 1 Time(s)
unknown (adsl-98-84-220-253.gsp.bellsouth.net): 1 Time(s)
Invalid Users:
Unknown Account: 592 Time(s)
Unknown Entries:
service(sshd) ignoring max retries; 6 > 3: 201 Time(s)

su:
Sessions Opened:
root -> www-data: 8 Time(s)
root -> ftp: 4 Time(s)
root -> mysql: 4 Time(s)

vsftpd:
Authentication Failures:
unknown (127.0.0.1): 4 Time(s)
Invalid Users:
Unknown Account: 4 Time(s)

---------------------- pam_unix End -------------------------
--------------------- Postfix Begin ------------------------

****** Summary *************************************************************************************

28.648K Bytes accepted 29,336
28.075K Bytes sent via SMTP 28,749
======== ==================================================

6 Accepted 100.00%
-------- --------------------------------------------------
6 Total 100.00%
======== ==================================================

7 Removed from queue
5 Sent via SMTP
2 Bounced (local)
1 Notifications sent

****** Detail (1) **********************************************************************************

5 Sent via SMTP --------------------------------------------------------------------------
4 mondragon.edu
1 gmail.com

2 Bounced (local) ------------------------------------------------------------------------
2 5.4.4: Permanent failure: Network & routing status: Unable to route
2 mooc-hacking-team-xxx.mondragon.edu
2 Host or domain name not found. Name service error for name=mooc-hacking-team-…
2 root

1 Notifications sent ---------------------------------------------------------------------
1 Non-delivery
1 sender

=== Delivery Delays Percentiles ============================================================
0% 25% 50% 75% 90% 95% 98% 100%
--------------------------------------------------------------------------------------------
Before qmgr 0.01 0.01 0.01 0.01 0.93 1.62 2.03 2.30
In qmgr 0.00 0.00 0.00 0.01 0.01 0.01 0.01 0.01
Conn setup 0.01 0.08 0.17 0.22 0.51 0.72 0.85 0.93
Transmission 0.00 0.03 0.07 0.07 0.18 0.26 0.31 0.34
Total 0.02 0.14 0.29 0.66 1.72 2.26 2.58 2.80
============================================================================================

---------------------- Postfix End -------------------------
--------------------- SSHD Begin ------------------------
Couldn't resolve these IPs:
154.95.186.138.zaptelecom.com.br [138.186.95.154]: 1 Time(s)
186-225-138-146.customer.sinalbr.com.br [186.225.138.146]: 2 Time(s)
201-249-200-109.estatic.cantv.net [201.249.200.109]: 7 Time(s)
68-234-117-169.dsl.bluevalley.net [68.234.117.169]: 1 Time(s)
92.30.65.218.broad.xy.jx.dynamic.163data.com.cn [218.65.30.92]: 202 Time(s)
customer-187-141-82-87-sta.uninet-ide.com.mx [187.141.82.87]: 7 Time(s)
host-24-54-120-35.nctv.com [24.54.120.35]: 1 Time(s)
notirussell.russellbedford.mx [201.151.95.126]: 7 Time(s)
pei-201-236-ccxxxvi-clviii.une.net.co [201.236.236.158]: 9 Time(s)
sol-fttb.232.158.118.46.sovam.net.ua [46.118.158.232]: 42 Time(s)
telda-beloostrovskaya25-gw.rosprint.net [212.176.197.29]: 7 Time(s)

Didn't receive an ident from these IPs:
104.207.152.194 (104.207.152.194.vultr.com): 1 Time(s)
158.69.195.221 (221.ip-158-69-195.net): 1 Time(s)
178.62.173.36: 1 Time(s)
183.13.216.219: 1 Time(s)
189.125.76.2 (seguro.pm.df.gov.br): 2 Time(s)
2.60.147.198 (host-2-60-147-198.pppoe.omsknet.ru): 1 Time(s)
46.118.158.232 (SOL-FTTB.232.158.118.46.sovam.net.ua): 1 Time(s)
68.234.117.169 (68-234-117-169.dsl.bluevalley.net): 1 Time(s)
88.204.200.180: 1 Time(s)
94.102.48.194 (no-reversedns.set): 1 Time(s)
94.241.167.109: 1 Time(s)

Disconnecting after too many authentication failures for user:
root : 201 Time(s)

Failed logins from:
43.229.53.20: 446 times
root/password: 446 times
46.118.158.232 (SOL-FTTB.232.158.118.46.sovam.net.ua): 6 times
root/password: 6 times
68.234.117.169 (68-234-117-169.dsl.bluevalley.net): 1 time
root/password: 1 time
125.65.245.146: 366 times
root/password: 329 times
bin/password: 36 times
news/password: 1 time
138.186.95.154 (154.95.186.138.zaptelecom.com.br): 1 time
root/password: 1 time
183.146.124.241: 1 time
root/password: 1 time
193.201.227.109: 4 times
root/password: 4 times
213.172.86.5: 10440 times
root/password: 10409 times
www-data/password: 20 times
ftp/password: 6 times
nobody/password: 5 times
218.65.30.92 (92.30.65.218.broad.xy.jx.dynamic.163data.com.cn): 1207 times
root/password: 1207 times

Illegal users from:
undef: 592 times
test [preauth]: 128 times
nagios [preauth]: 66 times
guest [preauth]: 47 times
zabbix [preauth]: 46 times
testtest [preauth]: 28 times
admin [preauth]: 21 times
zxin10 [preauth]: 20 times
apache [preauth]: 13 times
prueba [preauth]: 13 times
test1 [preauth]: 13 times
pruebas [preauth]: 12 times
zhaowei [preauth]: 12 times
tomcat [preauth]: 9 times
ubuntu [preauth]: 9 times
web [preauth]: 8 times
weblogic [preauth]: 8 times
cacti [preauth]: 7 times
squid [preauth]: 7 times
Test [preauth]: 6 times
webadmin [preauth]: 6 times
oracle [preauth]: 5 times
apache2 [preauth]: 4 times
httpd [preauth]: 4 times
java [preauth]: 4 times
jboss [preauth]: 4 times
r00t [preauth]: 4 times
support [preauth]: 4 times
sysadmin [preauth]: 4 times
manager [preauth]: 3 times
nginx [preauth]: 3 times
wangyi [preauth]: 3 times
blank [preauth]: 2 times
gast [preauth]: 2 times
login [preauth]: 2 times
nologin [preauth]: 2 times
ubnt [preauth]: 2 times
123 [preauth]: 1 time
123456 [preauth]: 1 time
666666 [preauth]: 1 time
888888 [preauth]: 1 time
Admin [preauth]: 1 time
Cisco [preauth]: 1 time
NONE [preauth]: 1 time
NpC [preauth]: 1 time
alexandr [preauth]: 1 time
anatoly [preauth]: 1 time
apache1 [preauth]: 1 time
apc [preauth]: 1 time
app [preauth]: 1 time
bash [preauth]: 1 time
boot [preauth]: 1 time
cactiuser [preauth]: 1 time
daniil [preauth]: 1 time
danil [preauth]: 1 time
dff [preauth]: 1 time
etho [preauth]: 1 time
ftp1 [preauth]: 1 time
ftpd [preauth]: 1 time
ftpuser [preauth]: 1 time
ghost [preauth]: 1 time
git [preauth]: 1 time
gleb [preauth]: 1 time
guestadmin [preauth]: 1 time
guestuser [preauth]: 1 time
guestx [preauth]: 1 time
htet [preauth]: 1 time
httpd2 [preauth]: 1 time
httpdocs [preauth]: 1 time
iraf [preauth]: 1 time
javaprg [preauth]: 1 time
kostya [preauth]: 1 time
last [preauth]: 1 time
mp3 [preauth]: 1 time
msr [preauth]: 1 time
nagiosadmin [preauth]: 1 time
nagiosuser [preauth]: 1 time
network [preauth]: 1 time
nikolai [preauth]: 1 time
nmrsu [preauth]: 1 time
oliver [preauth]: 1 time
operator [preauth]: 1 time
pimg [preauth]: 1 time
plesk [preauth]: 1 time
production [preauth]: 1 time
recovery [preauth]: 1 time
resin [preauth]: 1 time
sirsi [preauth]: 1 time
superuser [preauth]: 1 time
supervisor [preauth]: 1 time
svn [preauth]: 1 time
swsoft [preauth]: 1 time
system [preauth]: 1 time
tech [preauth]: 1 time
webmail [preauth]: 1 time
yaroslav [preauth]: 1 time
zhangyan [preauth]: 1 time
zhenya [preauth]: 1 time
24.54.120.35 (host-24-54-120-35.nctv.com): 1 time
ubnt: 1 time
46.118.158.232 (SOL-FTTB.232.158.118.46.sovam.net.ua): 36 times
admin: 17 times
manager: 3 times
blank: 2 times
login: 2 times
666666: 1 time
888888: 1 time
Admin: 1 time
Cisco: 1 time
NONE: 1 time
apc: 1 time
operator: 1 time
recovery: 1 time
superuser: 1 time
supervisor: 1 time
tech: 1 time
test: 1 time
98.84.220.253 (adsl-98-84-220-253.gsp.bellsouth.net): 1 time
ubnt: 1 time
101.231.74.47: 7 times
test: 2 times
testtest: 2 times
prueba: 1 time
pruebas: 1 time
test1: 1 time
123.59.58.229: 7 times
test: 2 times
testtest: 2 times
prueba: 1 time
pruebas: 1 time
test1: 1 time
125.65.245.146: 15 times
NpC: 1 time
app: 1 time
etho: 1 time
ftpuser: 1 time
ghost: 1 time
htet: 1 time
last: 1 time
mp3: 1 time
msr: 1 time
network: 1 time
nmrsu: 1 time
nologin: 1 time
oracle: 1 time
pimg: 1 time
plesk: 1 time
148.243.232.115 (na-148-243-232-115.static.avantel.net.mx): 7 times
test: 2 times
testtest: 2 times
prueba: 1 time
pruebas: 1 time
test1: 1 time
177.22.195.36: 7 times
test: 2 times
testtest: 2 times
prueba: 1 time
pruebas: 1 time
test1: 1 time
178.62.173.36: 14 times
gast: 2 times
guest: 2 times
oracle: 2 times
iraf: 1 time
nagios: 1 time
oliver: 1 time
production: 1 time
sirsi: 1 time
svn: 1 time
swsoft: 1 time
test: 1 time
186.225.138.146 (186-225-138-146.customer.sinalbr.com.br): 2 times
test: 2 times
187.141.82.87 (customer-187-141-82-87-sta.uninet-ide.com.mx): 7 times
test: 2 times
testtest: 2 times
prueba: 1 time
pruebas: 1 time
test1: 1 time
187.177.137.233 (187-177-137-233.dynamic.axtel.net): 5 times
testtest: 2 times
prueba: 1 time
pruebas: 1 time
test1: 1 time
190.7.218.26: 3 times
test: 2 times
testtest: 1 time
190.85.103.250: 7 times
test: 2 times
testtest: 2 times
prueba: 1 time
pruebas: 1 time
test1: 1 time
190.95.191.67: 7 times
test: 2 times
testtest: 2 times
prueba: 1 time
pruebas: 1 time
test1: 1 time
193.201.227.109: 8 times
admin: 4 times
support: 4 times
200.24.16.69 (nat69.udea.edu.co): 7 times
test: 2 times
testtest: 2 times
prueba: 1 time
pruebas: 1 time
test1: 1 time
200.68.9.177: 6 times
test: 2 times
testtest: 2 times
prueba: 1 time
test1: 1 time
201.151.95.126 (notirussell.russellbedford.mx): 7 times
test: 2 times
testtest: 2 times
prueba: 1 time
pruebas: 1 time
test1: 1 time
201.236.236.158 (pei-201-236-ccxxxvi-clviii.une.net.co): 9 times
alexandr: 1 time
anatoly: 1 time
daniil: 1 time
danil: 1 time
gleb: 1 time
kostya: 1 time
nikolai: 1 time
yaroslav: 1 time
zhenya: 1 time
201.249.200.109 (201-249-200-109.estatic.cantv.net): 7 times
test: 2 times
testtest: 2 times
prueba: 1 time
pruebas: 1 time
test1: 1 time
212.13.101.82 (office.vinta.org): 3 times
test: 2 times
testtest: 1 time
212.176.197.29 (Telda-Beloostrovskaya25-gw.rosprint.net): 7 times
test: 2 times
testtest: 2 times
prueba: 1 time
pruebas: 1 time
test1: 1 time
213.172.86.5: 412 times
test: 96 times
nagios: 65 times
zabbix: 46 times
guest: 45 times
zxin10: 20 times
apache: 13 times
zhaowei: 12 times
tomcat: 9 times
ubuntu: 9 times
web: 8 times
weblogic: 8 times
cacti: 7 times
squid: 7 times
Test: 6 times
webadmin: 6 times
apache2: 4 times
httpd: 4 times
java: 4 times
jboss: 4 times
r00t: 4 times
sysadmin: 4 times
nginx: 3 times
wangyi: 3 times
oracle: 2 times
123: 1 time
123456: 1 time
apache1: 1 time
bash: 1 time
boot: 1 time
cactiuser: 1 time
dff: 1 time
ftp1: 1 time
ftpd: 1 time
git: 1 time
guestadmin: 1 time
guestuser: 1 time
guestx: 1 time
httpd2: 1 time
httpdocs: 1 time
javaprg: 1 time
nagiosadmin: 1 time
nagiosuser: 1 time
nologin: 1 time
resin: 1 time
system: 1 time
webmail: 1 time
zhangyan: 1 time

Received disconnect:
11: [preauth]
218.65.30.92 : 1 Time(s)
43.229.53.20 : 149 Time(s)
11: Bye Bye [preauth]
101.231.74.47 : 7 Time(s)
123.59.58.229 : 7 Time(s)
125.65.245.146 : 381 Time(s)
148.243.232.115 : 7 Time(s)
177.22.195.36 : 7 Time(s)
178.62.173.36 : 14 Time(s)
186.225.138.146 : 2 Time(s)
187.141.82.87 : 7 Time(s)
187.177.137.233 : 5 Time(s)
190.7.218.26 : 3 Time(s)
190.85.103.250 : 7 Time(s)
190.95.191.67 : 7 Time(s)
200.24.16.69 : 7 Time(s)
200.68.9.177 : 5 Time(s)
201.151.95.126 : 7 Time(s)
201.236.236.158 : 9 Time(s)
201.249.200.109 : 7 Time(s)
212.13.101.82 : 3 Time(s)
212.176.197.29 : 7 Time(s)
213.172.86.5 : 10846 Time(s)
3: org.vngx.jsch.userauth.AuthCancelException: User authentication canceled by user [preauth]
193.201.227.109 : 12 Time(s)

**Unmatched Entries**
PAM service(sshd) ignoring max retries; 6 > 3 : 201 time(s)

---------------------- SSHD End -------------------------
--------------------- vsftpd-messages Begin ------------------------
Failed FTP Logins:
(127.0.0.1): anonymous – 4 Time(s)

---------------------- vsftpd-messages End -------------------------
--------------------- Disk Space Begin ------------------------

Filesystem Size Used Avail Use% Mounted on
/dev/disk/by-label/DOROOT 20G 1.8G 17G 10% /
udev 10M 4.0K 10M 1% /dev

---------------------- Disk Space End -------------------------
###################### Logwatch End #########################