Computer Forensics World :: View topic - Assistance In Deciphering SysLog?

Iceysparks
Newbie
Joined: Oct 18, 2014
Posts: 4
Location: New York

Posted: Tue Dec 02, 2014 7:44 am    Post subject: Assistance In Deciphering SysLog?

Good evening,

I am working on a final project for my digital forensic applications class, and one portion is to examine a Linux server image for any sign of compromise attempt, attack vector, and what was taken, etc… The system found is Ubuntu V. 12.04.3 Precise Pangolin. I have scoured the Apache error and access logs and have detected SQL injection, and traces of the PII that may have been taken.

I was looking in the syslog but am confused on whether or not there may be signs of brute force, or the log simply represents routine items. This is an excerpt:

Nov 13 22:07:26 VUbuntu anacron[23638]: Normal exit (1 job run)
Nov 13 22:07:31 VUbuntu dhclient: DHCPREQUEST of 192.168.1.3 on eth0 to 192.168.1.1 port 67
Nov 13 22:08:39 dhclient: last message repeated 5 times
Nov 13 22:09:00 VUbuntu dhclient: DHCPREQUEST of 192.168.1.3 on eth0 to 192.168.1.1 port 67
Nov 13 22:09:01 VUbuntu CRON[25333]: (root) CMD ( [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete)
Nov 13 22:09:12 VUbuntu dhclient: DHCPREQUEST of 192.168.1.3 on eth0 to 192.168.1.1 port 67
Nov 13 22:10:14 dhclient: last message repeated 5 times
Nov 13 22:11:22 dhclient: last message repeated 4 times
Nov 13 22:12:22 dhclient: last message repeated 5 times
Nov 13 22:13:22 dhclient: last message repeated 5 times
Nov 13 22:14:22 dhclient: last message repeated 4 times
Nov 13 22:15:23 dhclient: last message repeated 4 times
Nov 13 22:16:23 dhclient: last message repeated 3 times
Nov 13 22:17:01 dhclient: last message repeated 4 times


Upon searching the internet and various places, it was mentioned that a DHCPACK should at one point be returned. I do not see that here; could this be indicative of the attacker trying to gain access, as the time intervals are so frequent? Any assistance, or a link to literature that may assist, is greatly appreciated.


Thanks,
Jessica
cybercop
Newbie
Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Wed Dec 03, 2014 2:13 am

Quote:
(root) CMD ( [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete)


This appears to be a "scheduled task" run as root that is cleaning up stale PHP sessions. If you look in crontab, you will probably find it there. It should have been added automagically when PHP was installed.

Quote:
DHCPREQUEST of 192.168.1.3 on eth0 to 192.168.1.1 port 67


It is the server attempting to get the IP address of 192.168.1.3 from the router located at 192.168.1.1.

In my opinion, "These are not the droids you are looking for".
athulin
Newbie
Joined: Oct 19, 2007
Posts: 239

Posted: Wed Dec 03, 2014 3:49 am

cybercop wrote:


Quote:
DHCPREQUEST of 192.168.1.3 on eth0 to 192.168.1.1 port 67


It is the server attempting to get the IP address of 192.168.1.3 from the router located at 192.168.1.1.


If that behaviour can be seen elsewhere in the logs, it's probably normal. But if this is the only place where it appears ... I can't help wondering a) who got the .3 address lease, and b) what address did the server use during that time if it wasn't .3?
Iceysparks
Newbie
Joined: Oct 18, 2014
Posts: 4
Location: New York

Posted: Wed Dec 03, 2014 10:43 am

Thanks for the reply; I should have taken the CRON out. After some research I found out it was a scheduled task. I was so hoping to find something. Much appreciated!


cybercop wrote:
Quote:
(root) CMD ( [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete)


This appears to be a "scheduled task" run as root that is cleaning up stale PHP sessions. If you look in crontab, you will probably find it there. It should have been added automagically when PHP was installed.

Quote:
DHCPREQUEST of 192.168.1.3 on eth0 to 192.168.1.1 port 67


It is the server attempting to get the IP address of 192.168.1.3 from the router located at 192.168.1.1.

In my opinion, "These are not the droids you are looking for".
Iceysparks
Newbie
Joined: Oct 18, 2014
Posts: 4
Location: New York

Posted: Wed Dec 03, 2014 10:49 am

The same line is in the logs 3 times total. All of the others read as such:

VUbuntu dhclient: DHCPREQUEST of 192.168.1.3 on eth0 to 255.255.255.255 port 67.

I know this is a limited broadcast address… is it odd that it shows up here?


athulin wrote:
cybercop wrote:


Quote:
DHCPREQUEST of 192.168.1.3 on eth0 to 192.168.1.1 port 67


It is the server attempting to get the IP address of 192.168.1.3 from the router located at 192.168.1.1.


If that behaviour can be seen elsewhere in the logs, it's probably normal. But if this is the only place where it appears ... I can't help wondering a) who got the .3 address lease, and b) what address did the server use during that time if it wasn't .3?
athulin
Newbie
Joined: Oct 19, 2007
Posts: 239

Posted: Sat Dec 06, 2014 8:23 am

Iceysparks wrote:
The same line is in the logs 3 times total. All of the others read as such:

VUbuntu dhclient: DHCPREQUEST of 192.168.1.3 on eth0 to 255.255.255.255 port 67.

I know this is a limited broadcast address… is it odd that it shows up here?


Not sure -- many DHCP requests are sent to 255.255.255.255. The sender doesn't have an IP (probably because it was recently booted), and doesn't know where the DHCP server is -- so it 'shouts' for a DHCP address.
That it is asking for a specified IP address could be that it 'knows' what the last DHCP lease was. I'm more used to seeing a request for any IP address at all in broadcasts, but ...

If it sends the request to a specified address, it would usually be because it is trying to renew a DHCP lease -- that is, nothing suspicious at all. Unless it's doing it too early, perhaps. Forget my questions -- I think I got my brain in a twist over who was talking to whom.

It might be odd that it tries so many times -- why doesn't the DHCP server respond? But that depends on what is normal on this particular network.
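The thread's question (are repeated DHCPREQUESTs with no DHCPACK a sign of attack?) and athulin's point (unicast requests are lease renewals, broadcasts mean the client cannot find its server, and the interesting question is why nobody answers) both come down to counting dhclient events correctly, including the "last message repeated N times" lines that syslog collapses. The script below is an added example written for this page, not code from the thread or from any of the posters; it assumes the classic "Mon DD HH:MM:SS host prog[pid]: message" syslog layout seen in the excerpt, and its sample input is constructed in the shape of the excerpt with a DHCPACK and a "bound to" line appended so that the answered case is exercised as well.

```python
import re

# Constructed sample in the shape of the thread's excerpt (not the original
# server's log); the DHCPACK and "bound to" lines are added so the answered
# path is exercised too.
SAMPLE_SYSLOG = """\
Nov 13 22:07:26 VUbuntu anacron[23638]: Normal exit (1 job run)
Nov 13 22:07:31 VUbuntu dhclient: DHCPREQUEST of 192.168.1.3 on eth0 to 192.168.1.1 port 67
Nov 13 22:08:39 dhclient: last message repeated 5 times
Nov 13 22:09:00 VUbuntu dhclient: DHCPREQUEST of 192.168.1.3 on eth0 to 192.168.1.1 port 67
Nov 13 22:09:01 VUbuntu CRON[25333]: (root) CMD (php5 session cleanup, shortened)
Nov 13 22:09:12 VUbuntu dhclient: DHCPREQUEST of 192.168.1.3 on eth0 to 255.255.255.255 port 67
Nov 13 22:10:14 dhclient: last message repeated 5 times
Nov 13 22:10:20 VUbuntu dhclient: DHCPACK of 192.168.1.3 from 192.168.1.1
Nov 13 22:10:20 VUbuntu dhclient: bound to 192.168.1.3 -- renewal in 1234 seconds.
"""

# Classic syslog line: "Mon DD HH:MM:SS [host] prog[pid]: message". The host is
# optional because the "last message repeated" lines in the excerpt omit it.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?:(?P<host>\S+) )?(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")
REQ_RE = re.compile(r"DHCPREQUEST of (?P<ip>\S+) on (?P<iface>\S+) to (?P<dst>\S+) port \d+")
ACK_RE = re.compile(r"DHCPACK of (?P<ip>\S+) from (?P<server>\S+)")
BROADCAST = "255.255.255.255"


def parse_syslog(text):
    """Return one event dict per real log line; a 'last message repeated N
    times' line is folded into the previous event of the same program by
    raising its 'count', so repeated requests are not silently undercounted."""
    events = []
    last_by_prog = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a syslog line we understand; skip rather than guess
        prog = m["prog"]
        rep = REPEAT_RE.fullmatch(m["msg"])
        if rep:
            prev = last_by_prog.get(prog)
            if prev is not None:
                prev["count"] += int(rep["n"])
            continue
        ev = {"ts": m["ts"], "host": m["host"], "prog": prog, "msg": m["msg"], "count": 1}
        events.append(ev)
        last_by_prog[prog] = ev
    return events


def assess(events):
    """Per requested IP: how many DHCPREQUESTs went unicast (renewal with a
    known server) vs broadcast (client cannot reach / does not know a server),
    and whether any DHCPACK for that IP appears in the same window."""
    summary = {}
    for ev in events:
        if ev["prog"] != "dhclient":
            continue
        req = REQ_RE.search(ev["msg"])
        if req:
            entry = summary.setdefault(req["ip"], {"unicast": 0, "broadcast": 0, "acked": False})
            entry["broadcast" if req["dst"] == BROADCAST else "unicast"] += ev["count"]
            continue
        ack = ACK_RE.search(ev["msg"])
        if ack:
            entry = summary.setdefault(ack["ip"], {"unicast": 0, "broadcast": 0, "acked": False})
            entry["acked"] = True
    return summary


def findings(summary):
    """Turn the per-IP counts into plain-language triage notes."""
    notes = []
    for ip, s in sorted(summary.items()):
        if s["unicast"]:
            notes.append(f"{ip}: {s['unicast']} unicast DHCPREQUEST(s): renewal of an existing lease with a known server")
        if s["broadcast"]:
            notes.append(f"{ip}: {s['broadcast']} broadcast DHCPREQUEST(s): client re-confirming or rebinding its lease without a reachable server")
        if (s["unicast"] or s["broadcast"]) and not s["acked"]:
            notes.append(f"{ip}: no DHCPACK in this window; the DHCP server is not answering (network or server issue, or the excerpt ends before the reply), which is not a brute-force indicator")
    return notes


if __name__ == "__main__":
    for note in findings(assess(parse_syslog(SAMPLE_SYSLOG))):
        print(note)
```

Run against a whole /var/log/syslog rather than an excerpt, the "no DHCPACK" note is the one worth chasing: a client that keeps asking and never gets an answer points at the DHCP server or the network path, and the timeline of those retries can be lined up against the Apache access log to see whether the web server was reachable at the same time.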
All times are GMT + 10 Hours