Event Analysis: Detecting Compromises, Javascript, Backdoors, and more!
There are a variety of indicators that a system has been compromised, ranging from the obvious to the very subtle.
Less obvious indications of a compromise include increased bandwidth, subtle IDS alerts (such as those indicating anomalous behavior) and mysterious configuration changes on systems. The questions that are typically asked include "How did they get in?" and "What did they do?" Tenable's Passive Vulnerability Scanner (PVS) provides useful information for answering these questions. Following are some of the alerts PVS may generate during an intrusion:
| x.y.z.1|8011/tcp|3389|NOTE|Feb 16 03:14:57 - The remote host is a proxy server. PVS has determined this due to the format of the HTTP request. PVS observed a client issuing this request:\nGET http://www.exampledomain.com HTTP/1.\n\nThe server replied with:\nProxy-Connection:XXXXXXXX\nExternal Access :\nThe PVS has observed connections to this port from hosts outside of the configured range of network addresses. This vulnerability is likely accessible from external network addresses. |
The alert shown above was generated because a host on the compromised network was found to be an active proxy server. This means it was accepting connections from external hosts and proxying them out to the Internet. Proxy servers are used by attackers for several different reasons, including sending spam to forums, brute forcing public web applications and cheating "Pay-To-Click" advertising (more information on this topic can be found in the post from Zscaler Research titled Top Abuses of Open Web Proxies. Further investigation revealed that a web server made an outbound FTP connection request:
| x.y.z.1|0/tcp|3377|NOTE|Feb 16 00:05:50 - The remote host is running an FTP client. |
It’s interesting to see that attackers are still using FTP to transfer files. One of the cases I worked on early in my career analyzed a compromise where the attackers were using FTP to upload files and download rootkits to systems. In that particular case, they left the credentials to the FTP server in a plaintext file, which greatly aided in the investigation. Once attackers have installed their tools, it is possible to use PVS to detect so-called "backdoor" communications:
| 0.0.0.0|456/tcp|6|NOTE|Feb 15 12:56:33 - 0.0.0.0 -> x.y.z.1:456|PVS has detected a port used for one or more inbound interactive sessions: there was a large number of small packets relative to the number of packets in the session and the timing characteristics of the packets match user keystroke frequencies |
Backdoors come in many different flavors, including some that implement encryption or even protocol manipulation (such as the famed ICMP backdoor named "loki"). PVS was able to detect the backdoor in use by analyzing the traffic patterns described above. By analyzing the behavior rather than trying to fingerprint the protocol or simply identify the port being used, PVS increases the chances of detection regardless of the methods implemented by the backdoor. PVS also categorized several open source programs which had embedded software packages that were suspect:
| x.y.z.1|80/tcp|5278|NOTE|Feb 15 15:56:06 - The remote web server utilizes JavaScript on its pages. Further, the web server seems to be using JavaScript from an external source. The source of the JavaScript is:\n<script src="http://exampledomain.com/sanitized.js" type="text/javascript"\n\n The JavaScript is embedded within the following web document:\nGET /sanitized.html HTTP/1.1 \nSolution :\n\nEnsure that loading client-side JavaScript from a 3rd party is authorized according to policies and guidelines.\n\nExternal Access :\nThe PVS has observed connections to this port from hosts outside of the configured range of network addresses. This vulnerability is likely accessible from external network addresses. |
The PVS alert shown above found that not only was JavaScript being served from the web site, but that a third-party web server's JavaScript pages were included in the web site. This means that, in this case, users going to the web site were also running malicious JavaScript. This is a common practice and can be used by attackers for all types of malicious behavior, such as stealing users’ authentication cookies. PVS also noted a new service port that the site administrators had no knowledge of:
| 0.0.0.0|51323/tcp|9|NOTE|Feb 16 00:10:24 - 0.0.0.0 -> x.y.z.1:51323|PVS detected a port used for one or more inbound encrypted sessions. The data in this session had a high degree of randomness. Most likely, this is normal legitimate network traffic, but a variety of backdoors and compromised tools will also utilize encryption |
We are often concerned when attackers decide to use encryption. However, by observing behavioral changes, we can some times easily point out an attacker's backdoor channel. If you have an alert similar to the one above and you are not running a service on port 51323, further investigation into this encrypted channel is warranted.
For More Information
Tenable has written several dozen other articles on Event Analysis Training that include analysis of IP reputation, botnet activity, network anomaly detection and much more. These articles are all listed in the Event Analysis Training section of our blog. If you would like more information about Tenable’s set of Unified Security Monitoring products, please feel free to watch any of our video demos or contact our sales team.
Related Articles
Cybersecurity Snapshot: Guide Unpacks Event-Logging Best Practices, as FAA Proposes Stronger Cyber Rules for Airplanes
August 23, 2024Looking to sharpen your team’s event logging and threat detection? A new guide offers plenty of best practices. Plus, the FAA wants airplanes to be more resilient to cyberattacks. Meanwhile, check out the critical vulnerabilities Tenable discovered in two Microsoft AI products. And get the latest on ransomware trends, vulnerability management practices and election security!
Taking IBM QRadar SIEM One Step Further Using Tenable.ad
September 30, 2021If you can't continuously monitor Active Directory, it's impossible to achieve full visibility into your evolving attack surface. Here's how combining Tenable.ad with IBM QRadar can help. It's no sec...
Recap: Geeking Out II with Marcus
April 15, 2013Ron and I spent most of the webcast rotating around the theme of detection algorithms: how do you determine what is normal and what is not? We started off with one of my favorite questions, "Are there...
Cybersecurity Snapshot: Many Employees Overshare Work Info with AI Tools, Report Finds, as ‘Cybersecurity Awareness Month’ Kicks Off
October 4, 2024Check out the best practices cyber agencies are promoting during Cybersecurity Awareness Month, as a report warns that staffers are feeding confidential info to AI tools. Meanwhile, a study highlights how business decisions can derail OT security. Plus, get the latest on Active Directory security, CISO salary trends and ransomware attacks!
How to Unlock Advanced IoT Visibility for Cyber-Physical Systems
October 1, 2024As the number of IoT devices deployed globally continues to rise, cyber-physical systems and business operations are exposed to greater risk. Improving asset visibility, monitoring and risk management are critical steps to preventing breaches.
Cybersecurity Snapshot: NIST Program Probes AI Cyber and Privacy Risks, as U.S. Gov’t Tackles Automotive IoT Threat from Russia, China
September 27, 2024A new NIST program will revise security frameworks like NIST’s CSF as AI risks intensify. Plus, the U.S. may ban cars with Russian and Chinese IoT components. Meanwhile, the CSA adds AI insights to its zero trust guide. And get the latest on cybersecurity budgets, SBOMs and the Ghost cybercrime platform!
- Event Monitoring
- Passive Network Monitoring