0x640

Log Files

One of the two most obvious signs of intrusion is the log file. The log file kept

by the tinyweb daemon is one of the first places to look into when trouble-

shooting a problem. Even though the attacker's exploits were successful,

the log file keeps a painfully obvious record that something is up.

tinywebd Log File

reader@hacking:~/booksrc $ sudo cat /var/log/tinywebd.log

07/25/2007 14:55:45> Starting up.

07/25/2007 14:57:00> From 127.0.0.1:38127 "HEAD / HTTP/1.0" 200 OK

07/25/2007 17:49:14> From 127.0.0.1:50201 "GET / HTTP/1.1" 200 OK

07/25/2007 17:49:14> From 127.0.0.1:50202 "GET /image.jpg HTTP/1.1" 200 OK

07/25/2007 17:49:14> From 127.0.0.1:50203 "GET /favicon.ico HTTP/1.1" 404 Not Found

07/25/2007 17:57:21> Shutting down.

08/01/2007 15:43:08> Starting up..

08/01/2007 15:43:41> From 127.0.0.1:45396 "

jfX 1 CRj j jfXCh

f T$ fhzifS j QV C I ? Iy Rh//shh/bin R S $ $ $ $ $ $

$ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $

$ $ $ $ $ $ $ $ " NOT HTTP!

r eader@hacking:~/booksrc $

Of course in this case, after the attacker gains a root shell, he can just edit

the log file since it's on the same system. On secure networks, however, copies

of logs are often sent to another secure server. In extreme cases, logs are sent

to a printer for hard copy, so there is a physical record. These types of counter-

measures prevent tampering with the logs after successful exploitation.

0x641

Blend In with the Crowd

Even though the log files themselves cannot be changed, occasionally what

gets logged can be. Log files usually contain many valid entries, whereas

exploit attempts stick out like a sore thumb. The tinyweb daemon program

can be tricked into logging a valid-looking entry for an exploit attempt.

Look at the source code and see if you can figure out how to do this before

continuing on. The idea is to make the log entry look like a valid web request,

like the following:

07/22/2007 17:57:00> From 127.0.0.1:38127 "HEAD / HTTP/1.0" 200 OK

07/25/2007 14:49:14> From 127.0.0.1:50201 "GET / HTTP/1.1" 200 OK

07/25/2007 14:49:14> From 127.0.0.1:50202 "GET /image.jpg HTTP/1.1" 200 OK

0 7/25/2007 14:49:14> From 127.0.0.1:50203 "GET /favicon.ico HTTP/1.1" 404 Not Found

This type of camouflage is very effective at large enterprises with extensive

log files, since there are so many valid requests to hide among: It's easier to

blend in at a crowded mall than an empty street. But how exactly do you hide

a big, ugly exploit buffer in the proverbial sheep's clothing?