Re: forensics on a trojaned machine

From: Arthur Corliss <acorliss@nevaeh-linux.org>
Date: Mon Dec 03 2007 - 12:51:46 AKST

On Mon, 3 Dec 2007, jonr@destar.net wrote:

> Art,
>
> Would you mind posting your firewall rules and the pertinent config
> changes in the daemons, i.e. http, dns, dhcp and echo, or maybe all of
> them? And can you make a short story long? This exercise that you
> went through would be great knowledge to any of us that have to work
> on borked windows boxes.
>
> Jon

Everything is pretty straightforward, with the possible exception of the
firewall and the DNS zone. In short, here's a firewall dump that can be
restored via iptables-restore:

# Start file
#
# Filter Rules
*filter
:INPUT ACCEPT
:OUTPUT ACCEPT
:FORWARD DROP
COMMIT
#
# NAT Rules
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
#
# Allow DHCP to work normally
-A PREROUTING -i eth0 -p udp --dport 67 -j ACCEPT
#
# Allow echo services to work normally
-A PREROUTING -i eth0 -d 192.168.0.1 -p udp --dport 7 -j ACCEPT
-A PREROUTING -i eth0 -d 192.168.0.1 -p tcp --dport 7 -j ACCEPT
#
# DNAT all DNS requests to local DNS
-A PREROUTING -i eth0 -p tcp --dport 53 -j DNAT --to 192.168.0.1:53
-A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to 192.168.0.1:53
#
# DNAT all HTTP requests to local apache
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:80
#
# DNAT all L3 icmp requests to local icmp
-A PREROUTING -i eth0 -p icmp -j DNAT --to 192.168.0.1
#
# DNAT all other connections to udp/tcp echo
-A PREROUTING -i eth0 -p tcp -j DNAT --to 192.168.0.1:7
-A PREROUTING -i eth0 -p udp -j DNAT --to 192.168.0.1:7
#
COMMIT
# End file

Here's the forward DNS zone:

$ORIGIN .
$TTL 3D
@ IN SOA everything. root.everything. (
         2004110601 ; serial (yyyymmddvv)
         86400 ; refresh (1 day)
         7200 ; retry (2 hours)
         604800 ; expire (1 week)
         86400 ; ttl (1 day)
         )

@ IN NS ns.everything.

ns IN A 192.168.0.1

@ IN A 192.168.0.1
* IN A 192.168.0.1

And the relevant portion of named.conf:

// Catch everything
zone "." {
   type master;
   file "master/db.everything";
};

This does require commenting out the root hints stanza. Pretty simple, eh?

Everything else is pretty much vanilla configs. If you need more, let me
know.

         --Arthur Corliss
           Live Free or Die
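For anyone who wants to check a ruleset like the one above before plugging the infected box into the forensic host, here is an added example (my code, not from Arthur's post) that walks the nat PREROUTING chain of that dump in first-match order, the way the kernel evaluates it, and reports where each packet lands once the filter table's FORWARD DROP policy is taken into account. The sample packets and the 8.8.8.8 / 203.0.113.10 destinations are constructed for the demo; 192.168.0.1 is the sinkhole address from the post.

```python
"""Offline walk of the sinkhole ruleset posted above (added example, not
code from the post). Parses the nat PREROUTING rules, applies them in
first-match order as the kernel does, and reports where a packet from the
trojaned host ends up once the filter table's FORWARD DROP is counted."""
from dataclasses import dataclass
from typing import List, Optional

SINKHOLE = "192.168.0.1"            # the forensic box from the post
BROADCAST = "255.255.255.255"

# nat table as posted; the filter table only sets the FORWARD policy to DROP.
RULESET = """\
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A PREROUTING -i eth0 -p udp --dport 67 -j ACCEPT
-A PREROUTING -i eth0 -d 192.168.0.1 -p udp --dport 7 -j ACCEPT
-A PREROUTING -i eth0 -d 192.168.0.1 -p tcp --dport 7 -j ACCEPT
-A PREROUTING -i eth0 -p tcp --dport 53 -j DNAT --to 192.168.0.1:53
-A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to 192.168.0.1:53
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:80
-A PREROUTING -i eth0 -p icmp -j DNAT --to 192.168.0.1
-A PREROUTING -i eth0 -p tcp -j DNAT --to 192.168.0.1:7
-A PREROUTING -i eth0 -p udp -j DNAT --to 192.168.0.1:7
COMMIT
"""


@dataclass
class Rule:
    chain: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    target: str = "ACCEPT"
    to: Optional[str] = None        # DNAT destination, "ip" or "ip:port"


@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    dst: str
    dport: Optional[int] = None
    iface: str = "eth0"


def parse_ruleset(text: str) -> List[Rule]:
    """Parse the -A lines of an iptables-restore dump (only the options used here)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("-A "):
            continue                # *table, :chain policy, COMMIT, comments
        toks = line.split()
        rule = Rule(chain=toks[1])
        for opt, arg in zip(toks[2::2], toks[3::2]):
            if opt == "-i":
                rule.iface = arg
            elif opt == "-p":
                rule.proto = arg
            elif opt == "-d":
                rule.dst = arg
            elif opt == "--dport":
                rule.dport = int(arg)
            elif opt == "-j":
                rule.target = arg
            elif opt in ("--to", "--to-destination"):
                rule.to = arg
            else:
                raise ValueError(f"unsupported option {opt!r} in: {line}")
        rules.append(rule)
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every criterion present on the rule must match; absent ones are wildcards."""
    return ((rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dst is None or rule.dst == pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def prerouting(rules: List[Rule], pkt: Packet, policy: str = "ACCEPT"):
    """First matching PREROUTING rule wins; the chain policy applies otherwise."""
    for rule in rules:
        if rule.chain == "PREROUTING" and matches(rule, pkt):
            return rule.target, rule.to
    return policy, None


def fate(rules: List[Rule], pkt: Packet):
    """("local", ip, port) or ("dropped", None, None): a DNAT lands on the box,
    an ACCEPTed packet already addressed to the box (or broadcast) is delivered
    by the filter INPUT chain, anything still bound elsewhere hits FORWARD DROP."""
    target, to = prerouting(rules, pkt)
    if target == "DNAT":
        ip, _, port = to.partition(":")
        return "local", ip, (int(port) if port else pkt.dport)
    if target == "ACCEPT" and pkt.dst in (SINKHOLE, BROADCAST):
        return "local", pkt.dst, pkt.dport
    return "dropped", None, None


# Constructed traffic of the kind a trojaned Windows host sends after boot.
SAMPLE_PACKETS = [
    Packet("udp", BROADCAST, 67),                       # DHCP discover
    Packet("udp", "8.8.8.8", 53),                       # lookup of a C2 name
    Packet("tcp", "203.0.113.10", 80),                  # HTTP fetch
    Packet("tcp", "203.0.113.10", 6667),                # IRC C2, no handler
    Packet("icmp", "203.0.113.10"),                     # ping
    Packet("tcp", "203.0.113.10", 443, iface="eth1"),   # not on eth0
]


def audit(rules: List[Rule], packets=SAMPLE_PACKETS):
    """Pair each packet with its fate; worth eyeballing before the box goes live."""
    return [(pkt, fate(rules, pkt)) for pkt in packets]


if __name__ == "__main__":
    for pkt, (where, ip, port) in audit(parse_ruleset(RULESET)):
        dest = "" if ip is None else (f"{ip}:{port}" if port is not None else ip)
        print(f"{pkt.proto:4} to {pkt.dst}:{pkt.dport} on {pkt.iface}: {where} {dest}")
```

The point the walk makes visible is the backstop: a packet that matches no DNAT rule (the eth1 case) is ACCEPTed by the PREROUTING policy, but because it is still addressed to a foreign host it reaches the FORWARD chain, whose policy is DROP, so a gap in the DNAT list cannot leak traffic off the box. The parser only understands the options this dump uses and raises on anything else rather than silently ignoring a match it cannot model.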
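The catch-all zone can be sanity-checked the same way without BIND. The following added example (again mine, not from the post) builds the reply a sinkhole resolver gives for any A query in DNS wire format and parses it back, so the effect of `* IN A 192.168.0.1` can be exercised offline; it also mirrors what a wildcard does for other record types, NOERROR with an empty answer section. The query names are constructed; the address and the 3-day TTL are the ones from the posted zone.

```python
"""Catch-all DNS reply, the way the wildcard root zone above behaves
(added example, not code from the post). Builds the answer for any A
query in wire format and parses it back so the logic runs without BIND."""
import socket
import struct

SINKHOLE = "192.168.0.1"
TTL = 3 * 86400                       # $TTL 3D in the posted zone
A, AAAA, ANY, IN = 1, 28, 255, 1


def encode_name(name: str) -> bytes:
    """Dotted name to length-prefixed labels, root-terminated."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.strip(".").split(".") if l)
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Read a name at `off`, following compression pointers.
    Returns (name, offset just past the name as written at `off`)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:       # pointer: 14-bit offset into the message
            hops += 1
            if hops > 8:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(name: str, qtype: int = A, txid: int = 0x1234) -> bytes:
    """Single-question query with RD set, as a stub resolver sends it (constructed)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, IN)


def sinkhole_reply(query: bytes) -> bytes:
    """Answer like the wildcard zone: A (or ANY) gets SINKHOLE, any other
    type gets NOERROR with no answer, which is wildcard NODATA."""
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    _, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    rflags = 0x8400 | (flags & 0x0100)   # QR=1, AA=1 (master for "."), copy RD
    answer, ancount = b"", 0
    if qclass == IN and qtype in (A, ANY):
        # NAME is a pointer to the question name at offset 12
        answer = (struct.pack("!HHHIH", 0xC00C, A, IN, TTL, 4)
                  + socket.inet_aton(SINKHOLE))
        ancount = 1
    header = struct.pack("!HHHHHH", txid, rflags, 1, ancount, 0, 0)
    return header + question + answer


def parse_reply(reply: bytes):
    """Return (txid, rcode, [(name, ip, ttl), ...]) for the A records answered."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", reply[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(reply, off)
        off += 4                          # QTYPE, QCLASS
    records = []
    for _ in range(an):
        name, off = decode_name(reply, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10
        rdata = reply[off:off + rdlen]
        off += rdlen
        if rtype == A and rdlen == 4:
            records.append((name, socket.inet_ntoa(rdata), ttl))
    return txid, flags & 0x000F, records


if __name__ == "__main__":
    for qname, qtype in (("update.evil-example.test.", A), ("www.example.com.", AAAA)):
        print(qname, parse_reply(sinkhole_reply(build_query(qname, qtype))))
```

Two things carry over from the real zone: the AA bit is set because the box is master for ".", which is what a stub resolver on the infected host expects, and an AAAA or other non-A query gets an empty NOERROR answer rather than NXDOMAIN, so malware that tries IPv6 first still falls back to the A record and lands on the sinkhole.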
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Mon Dec 3 12:52:00 2007

This archive was generated by hypermail 2.1.8 : Mon Dec 03 2007 - 12:52:00 AKST