Second Part of Linux DF/IR Related to User Login
To illustrate Linux forensic techniques, we will analyze the compromised web server image provided at OSDFCon 2019, focusing on user login attempts. This practical session demonstrates the critical role of user login and bash session analysis, following the principles outlined in our previous blog post, 'Linux DF/IR Related to User Login'.
While working through the workshop materials, we encountered the question: 'Was the user successful in obtaining access using a brute force method? Explain with proof.' Through a careful reading of the authentication logs, we determined that the server was compromised through a service account, the `mail` user. This analysis explains each relevant log entry so that you can interpret similar entries and apply the same reasoning to spot anomalies in your own production environment.
1. Evidence of Brute-Force Attempts
The log shows multiple failed login attempts for the `root` user from the IP address 192.168.210.131. These attempts are characteristic of a brute-force attack, in which an attacker tries many username/password combinations until one is accepted.
- Pattern: Repeated `Failed password` messages for the `root` user.
- IP Address: All attempts originate from 192.168.210.131.
- Behavior: The attacker exceeds sshd's maximum number of authentication attempts per connection (the `MaxAuthTries` setting), so sshd drops the connection with "Too many authentication failures". This limit applies per connection only; nothing stops the same source address from reconnecting and continuing, which is why the failures keep appearing.
2. Evidence of Successful Access
After the failed attempts against `root`, the attacker successfully logs in as the `mail` user from the same IP address. This suggests the attacker switched to a different username (`mail`) after failing to brute-force the `root` account.
- Successful Login: The log shows an `Accepted password` for the `mail` user from the same IP address (192.168.210.131).
- Session Opened: A session is opened for the `mail` user.
Note that `mail` is a system service account. On most distributions it ships with a locked password and a non-interactive shell such as `/usr/sbin/nologin`, so a password being accepted for it over SSH is itself an anomaly: check `/etc/passwd` and `/etc/shadow` on the image to see whether the account was given a shell and a password.
3. Privilege Escalation
Once logged in as the `mail` user, the attacker escalates privileges to `root` using `sudo`. For this to succeed, the `mail` user must have been granted sudo rights (in `/etc/sudoers` or a file under `/etc/sudoers.d`), which handed the attacker full control of the system.
- Privilege Escalation: The `mail` user executes `sudo su -` to switch to the `root` user.
- Root Access: A session is opened for the `root` user, giving the attacker full administrative control.
4. Additional Evidence
The attacker continues to use the `mail` account to log in and escalate privileges several more times. Repeated logins and escalations from the same source indicate persistent access rather than a one-off intrusion.
5. Conclusion
- Brute-Force Attempt: The attacker tried to brute-force the `root` account and did not succeed. The `MaxAuthTries` disconnections show the attempts were throttled per connection, but this setting does not block the source address; whether `root` held out because of a strong password or because password logins for `root` were not permitted cannot be determined from these entries alone.
- Successful Access: The attacker then logged in as the `mail` user, most likely because the `mail` account had a weak password or was targeted after `root` could not be accessed.
- Privilege Escalation: The attacker escalated privileges to `root` using `sudo`, gaining full control of the system.
Proof of Compromise
- Failed Brute-Force Attempts:
  - Multiple `Failed password` entries for `root` from 192.168.210.131.
  - Logs show disconnections due to "Too many authentication failures."
- Successful Login:
  - `Accepted password` for `mail` from the same IP address (192.168.210.131).
- Privilege Escalation:
  - `sudo su -` executed by the `mail` user to gain root access.
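The three-step chain above (repeated failures from one address, then an accepted login from the same address, then `sudo` to `root` by that user) can be checked mechanically rather than by eye. The script below is an added example and is not code from the original post or the OSDFCon workshop. It runs over a constructed `auth.log` excerpt that mirrors the pattern described here; the hostname, PIDs, ports, timestamps and the benign `admin` login are made up, while the line formats follow what OpenSSH `sshd` and `sudo` write to syslog. The failure threshold (5) and the year assumed for syslog timestamps (2019) are both assumptions.

```python
"""Hunt for brute-force -> accepted login -> sudo-to-root chains in auth.log.

Added example; the sample log is constructed, not taken from the OSDFCon image.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log. Hostname, PIDs, ports and times are made up;
# the "admin" publickey login is a benign control that must not be flagged.
SAMPLE_AUTH_LOG = """\
Oct 20 09:55:00 webserver sshd[1100]: Accepted publickey for admin from 10.0.0.5 port 44010 ssh2: RSA SHA256:0123456789abcdef
Oct 20 09:55:00 webserver sshd[1100]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Oct 20 10:01:01 webserver sshd[1201]: Failed password for root from 192.168.210.131 port 50121 ssh2
Oct 20 10:01:03 webserver sshd[1201]: Failed password for root from 192.168.210.131 port 50121 ssh2
Oct 20 10:01:04 webserver sshd[1201]: Failed password for root from 192.168.210.131 port 50121 ssh2
Oct 20 10:01:06 webserver sshd[1201]: Failed password for root from 192.168.210.131 port 50121 ssh2
Oct 20 10:01:07 webserver sshd[1201]: Failed password for root from 192.168.210.131 port 50121 ssh2
Oct 20 10:01:09 webserver sshd[1201]: Failed password for root from 192.168.210.131 port 50121 ssh2
Oct 20 10:01:09 webserver sshd[1201]: error: maximum authentication attempts exceeded for root from 192.168.210.131 port 50121 ssh2 [preauth]
Oct 20 10:01:09 webserver sshd[1201]: Disconnecting authenticating user root 192.168.210.131 port 50121: Too many authentication failures [preauth]
Oct 20 10:02:15 webserver sshd[1230]: Accepted password for mail from 192.168.210.131 port 50140 ssh2
Oct 20 10:02:15 webserver sshd[1230]: pam_unix(sshd:session): session opened for user mail by (uid=0)
Oct 20 10:02:40 webserver sudo:     mail : TTY=pts/0 ; PWD=/var/mail ; USER=root ; COMMAND=/bin/su -
Oct 20 10:02:40 webserver sudo: pam_unix(sudo:session): session opened for user root by mail(uid=0)
Oct 20 11:30:02 webserver sshd[1410]: Accepted password for mail from 192.168.210.131 port 50301 ssh2
Oct 20 11:30:02 webserver sshd[1410]: pam_unix(sshd:session): session opened for user mail by (uid=0)
Oct 20 11:30:21 webserver sudo:     mail : TTY=pts/1 ; PWD=/var/mail ; USER=root ; COMMAND=/bin/su -
""".splitlines()

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
IP_RE = re.compile(IP)
# "Failed password for root from ..." and "Failed password for invalid user x from ..."
FAILED_RE = re.compile(rf"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from {IP}")
ACCEPTED_RE = re.compile(rf"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from {IP}")
# MaxAuthTries disconnect; older sshd versions omit the address on this line.
TOO_MANY_RE = re.compile(r"sshd\[\d+\]: .*Too many authentication failures")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_ts(line, year=2019):
    """syslog timestamps carry no year, so one is supplied (assumption)."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def analyze(lines, threshold=5):
    """Return brute-force sources, logins from those sources, and sudo-to-root by those users."""
    failures = defaultdict(list)  # ip -> [(timestamp, username), ...]
    lockouts = defaultdict(int)   # ip -> number of "Too many authentication failures" disconnects
    accepted = []                 # (timestamp, user, ip, auth method)
    sudo_cmds = []                # (timestamp, user, target user, command)

    for line in lines:
        ts = parse_ts(line)
        if m := FAILED_RE.search(line):
            failures[m["ip"]].append((ts, m["user"]))
        elif m := ACCEPTED_RE.search(line):
            accepted.append((ts, m["user"], m["ip"], m["method"]))
        elif TOO_MANY_RE.search(line):
            ipm = IP_RE.search(line)
            lockouts[ipm["ip"] if ipm else "unknown"] += 1
        elif m := SUDO_RE.search(line):
            sudo_cmds.append((ts, m["user"], m["target"], m["cmd"]))

    # Step 1: any source with at least `threshold` failures is treated as brute forcing.
    brute_force = {
        ip: {"attempts": len(att), "users": sorted({u for _, u in att}), "lockouts": lockouts.get(ip, 0)}
        for ip, att in failures.items() if len(att) >= threshold
    }

    # Step 2: accepted logins from a brute-force source, with the gap since its last failure.
    suspicious_logins = []
    for ts, user, ip, method in accepted:
        if ip not in brute_force:
            continue
        prior = [t for t, _ in failures[ip] if t <= ts]
        gap = (ts - max(prior)).total_seconds() if prior else None
        suspicious_logins.append({"time": ts, "user": user, "ip": ip, "method": method,
                                  "seconds_after_last_failure": gap})

    # Step 3: sudo to root by a user who arrived through one of those logins.
    users = {entry["user"] for entry in suspicious_logins}
    escalations = [{"time": ts, "user": user, "command": cmd}
                   for ts, user, target, cmd in sudo_cmds if target == "root" and user in users]

    return {"brute_force": brute_force, "suspicious_logins": suspicious_logins, "escalations": escalations}


def is_compromised(findings):
    """Answer the workshop question: brute force, then a login from that source, then root."""
    return bool(findings["suspicious_logins"]) and bool(findings["escalations"])


if __name__ == "__main__":
    f = analyze(SAMPLE_AUTH_LOG)
    for ip, info in f["brute_force"].items():
        print(f"{ip}: {info['attempts']} failures for {info['users']}, {info['lockouts']} MaxAuthTries disconnects")
    for entry in f["suspicious_logins"]:
        gap = entry["seconds_after_last_failure"]
        print(f"{entry['time']} accepted {entry['method']} for {entry['user']} from {entry['ip']}"
              f" ({'n/a' if gap is None else f'{gap:.0f}s'} after last failure)")
    for e in f["escalations"]:
        print(f"{e['time']} {e['user']} ran sudo {e['command']}")
    print("compromised:", is_compromised(f))
```

Run it against a real `/var/log/auth.log` with `analyze(open(path).read().splitlines())`. The gap in seconds between the last failure and the accepted login is what separates "the brute force worked" from "a legitimate user from a noisy address logged in later"; a short gap and a password (not publickey) login are the combination to escalate. The threshold is deliberately per source address rather than per user, because the page's attacker changed username after `root` failed.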
This series will continue with service account vulnerabilities and how to secure them. Stay tuned.