(BTW: I am sending you a copy of the original attack complaint that I sent to YOU guys on this matter. Please reply acknowledging that you have deleted this complaint from our file and have sent it to the REAL attackers.)

A copy of this file will be available at: http://www.bcgreen.com/readlog.html .



Lesson 6: reading a log file

(This is a repeat of lessons 1 through 5. Those of you who are laughing at the person who tried to pin this AUP violation on me are free to skip to lesson 20.
Lesson numbers 7 through 19 are reserved for people who continue to fail this lesson, repeatedly.)

This is both a general lesson on reading log files, and a specific lesson on reading log files generated by my programs.

In the sample attack log below, the lines are numbered for easy reference:


  1. The machine alb-10-161-0-88.attack-domain.com. appears to be the source of a Nimda
  2. type scan. Please inform the affected user that (s)he needs to update
  3. the system, and remove the virus (or stop scanning prople).
  4.  
  5. possible nimda scan detected from IP 10.161.0.88 (alb-10-161-0-88.attack-domain.com.) at 08/07/2002 17:26:56
  6.  
  7. (for further clarity, alb-10-161-0-88.attack-domain.com. is the ATTACKING system)
  8.  
  9. NOTE: Firewall log times are GMT
  10.  
  11.  
  12. 08/07/2002 17:26:56 10.161.0.88.3549 > 192.168.93.250.http: S 1976574437:1976574437(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
  13. 08/07/2002 17:26:57 10.161.0.88.3597 > 192.168.93.250.http: S 1979108571:1979108571(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
  14. 08/07/2002 17:26:58 10.161.0.88.3602 > 192.168.93.250.http: S 1979506844:1979506844(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
  15.  
  16. ______________________________________
  17. from apache access log:
  18.  
  19. 10.161.0.88 - - [08/Jul/2002:10:26:57 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"
  20. 10.161.0.88 - - [08/Jul/2002:10:26:58 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 279 "-" "-"
  21. 10.161.0.88 - - [08/Jul/2002:10:26:58 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
  22. ==================================================
  23. ==================================================
  24.  
  25. attack from machine name:: alb-10-161-0-88.attack-domain.com. ip:: 10.161.0.88


Note that both line 1 and line 25 explicitly name the machine doing the attacking.
I try to be pretty obvious about which machine is doing the attacking.

Lines 5 and 7 pretty much hit you over the head with a 2 by 4
as to which machine is doing the attacking. (Given that only two IP addresses
are mentioned in this report, this implies that my machine is the defender.)

To the best of my knowledge, failing to succumb to an attempted worm infection
is NOT a violation of the AUP, nor is attempting to report such an attack.

Line 9 gives the time zone of the report. Since we are in the PDT time zone
(GMT -7), 7 hours must be subtracted from the report times to get local time.
(Note to self: change 7 to 8 when we switch from PDT to PST.)

Lines 12 - 14 are firewall logs.
At this point, I pause to give a short lesson on TCP/IP.

When you attempt to open a connection to a remote machine (whether for a legitimate
purpose or for an attack), your machine opens a random (ephemeral) port on the source
side and sends a packet to the well-known service port on the remote (destination) machine.
This means that port 80 (http) will be associated with the receiving
machine (defender) for Microsoft IIS worms, and port 1433 for MS-SQL server worms.

The attacking machine's side of the connection will generally use random port numbers.
Usually these port numbers will be above 2048, but that's not necessarily the case.

Lines 12 - 14 are generated by tcpdump. In tcpdump output, the first address
is the source of the packet, and the second address is the destination.
The S in column 6 is the SYN flag: it indicates an attempt to open a connection.
This is another indication that my machine ( 192.168.93.250 ) is the DEFENDING machine,
since it was the recipient of the open request.

The columns after the 'S' (sequence numbers, window size and TCP options) are for
advanced use only, and thus beyond the intended audience of this primer.

Lines 19 through 21 are Apache log file data.
The first column of the Apache log file is the SOURCE address of the machine
making the (worm) request. In this case, it means that 10.161.0.88 is the
ATTACKING system (and thus, by process of elimination, my machine
(192.168.93.250) is the DEFENDER).

Apache log files are in local time, with the offset from GMT explicitly
indicated. In this case, the attacks arrived at 10:26AM local time, with
local time being 7 hours behind GMT (-0700); adding those 7 hours back
in gives 5:26PM GMT (17:26), which agrees with the (GMT) firewall times.

After the timestamps come the actual HTTP requests.
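The two readings explained above (tcpdump: first address is the source, second is the destination, S marks the connection attempt; Apache: first column is the client, the timestamp carries its GMT offset) can be mechanised. The Python script below is an added example written for this primer, not the reporting program that generated the log above. It parses constructed copies of lines 12-14 and 19-21, converts the Apache local timestamps back to GMT, decides which address is attacker and which is defender from the direction of the SYN and the well-known port, and pairs each HTTP request with the firewall entry that corroborates it. It assumes the firewall dates are day/month/year (the only reading that matches the Apache dates) and maps only the two service names the lesson mentions; treating ports up to 1024 as well-known is also this example's choice.

```python
"""Parse the firewall (tcpdump) and Apache lines from a report like the one
above and derive which address is the attacker and which is the defender.
Added example; not the report author's program."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample lines, shaped like lines 12-14 and 19-21 of the report.
FIREWALL_LINES = [
    "08/07/2002 17:26:56 10.161.0.88.3549 > 192.168.93.250.http: S 1976574437:1976574437(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)",
    "08/07/2002 17:26:57 10.161.0.88.3597 > 192.168.93.250.http: S 1979108571:1979108571(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)",
    "08/07/2002 17:26:58 10.161.0.88.3602 > 192.168.93.250.http: S 1979506844:1979506844(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)",
]
APACHE_LINES = [
    '10.161.0.88 - - [08/Jul/2002:10:26:57 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"',
    '10.161.0.88 - - [08/Jul/2002:10:26:58 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 279 "-" "-"',
    '10.161.0.88 - - [08/Jul/2002:10:26:58 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289 "-" "-"',
]

# Assumption: tcpdump printed service names for well-known ports; only the
# two services the lesson mentions are mapped here.
SERVICE_PORTS = {"http": 80, "ms-sql-s": 1433}
WELL_KNOWN_MAX = 1024  # assumption: ports up to here count as service ports

TCPDUMP_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>[\w-]+): (?P<flags>\S+)"
)
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)


@dataclass
class Syn:            # one firewall line: who opened a connection to whom
    ts_utc: datetime
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


@dataclass
class Hit:            # one Apache line: which client sent which request
    ts_utc: datetime
    src: str
    request: str
    status: int


def port_number(name):
    return int(name) if name.isdigit() else SERVICE_PORTS[name]


def parse_firewall_lines(lines):
    out = []
    for line in lines:
        m = TCPDUMP_RE.match(line)
        if not m:
            continue
        # Line 9 of the report says firewall times are GMT.  The date is read
        # as day/month/year, the only reading consistent with the Apache dates.
        ts = datetime.strptime(m["date"] + " " + m["time"], "%d/%m/%Y %H:%M:%S")
        out.append(Syn(ts.replace(tzinfo=timezone.utc), m["src"], port_number(m["sport"]),
                       m["dst"], port_number(m["dport"]), m["flags"]))
    return out


def parse_apache_lines(lines):
    out = []
    for line in lines:
        m = APACHE_RE.match(line)
        if not m:
            continue
        # Apache stamps local time plus its offset; %z consumes "-0700", so
        # converting to UTC adds the 7 hours back (10:26 -0700 -> 17:26Z).
        local = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        out.append(Hit(local.astimezone(timezone.utc), m["ip"], m["request"], int(m["status"])))
    return out


def identify_roles(syns, hits):
    """Attacker: the address that sends SYNs from a high port to a service
    port AND appears as the Apache client.  Defender: the SYN recipient."""
    openers = {s.src for s in syns if "S" in s.flags and s.dport <= WELL_KNOWN_MAX < s.sport}
    listeners = {s.dst for s in syns if "S" in s.flags}
    attackers = openers & {h.src for h in hits}
    if len(attackers) != 1 or len(listeners) != 1:
        raise ValueError("report names more than one candidate per role")
    return {"attacker": attackers.pop(), "defender": listeners.pop()}


def correlate(syns, hits, window=timedelta(seconds=2)):
    """Pair each HTTP request with the nearest earlier SYN from the same
    source within `window`, i.e. the firewall entry that corroborates it."""
    pairs = []
    for h in hits:
        cands = [s for s in syns if s.src == h.src and timedelta(0) <= h.ts_utc - s.ts_utc <= window]
        if cands:
            pairs.append((h, min(cands, key=lambda s: h.ts_utc - s.ts_utc)))
    return pairs


if __name__ == "__main__":
    syns = parse_firewall_lines(FIREWALL_LINES)
    hits = parse_apache_lines(APACHE_LINES)
    roles = identify_roles(syns, hits)
    print(f"attacker (source of SYNs and HTTP requests): {roles['attacker']}")
    print(f"defender (listening on port 80):             {roles['defender']}")
    for hit, syn in correlate(syns, hits):
        print(f"{hit.ts_utc:%H:%M:%S}Z {hit.src}:{syn.sport} -> {syn.dst}:{syn.dport} "
              f"{hit.request!r} -> {hit.status}")
```

Every HTTP request lands on the defender's port 80 from a different high port on the attacker, and each Apache timestamp, once shifted to GMT, coincides with a SYN in the firewall log; a report that is read this way cannot be turned around.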

Finally, line 25 makes one last try to beat it into the skull of anybody
who hasn't gotten it yet, that the attacking machine is the source of the
attack.

==============================
There are two possible explanations as to why this attack has been erroneously
pinned on my box as the attacking system:

1) The abuse people at ___________ really don't know how to read a pretty
blatant attack log, and forwarded the complaint to you, trying to fob me
off as the attacker... When they did so, they peeled off so much identifying
information that it wasn't quite so blatantly obvious that the attacking
machine was not the defender.

The shaw person who managed to misread the truncated attack logs should be
heartily laughed at.

2) The full complaint log was forwarded to shaw, and -- despite some pretty
blatant attempts to make it clear as to who was the attacker and who was
the defender, AND notices in the abuse records at shaw, an abuse person
at shaw STILL managed to conclude that my machine was the attacker.

Any person who manages to ignore so many attempts at preventing this mistake
needs to be hung by the toenails and beaten unconscious with an organic carrot.

(Any similarly degrading punishment would also be acceptable.)
Pictures would be appreciated.

==============================
Peter William Lent wrote:
> Hi,
>
> I've run the following Symantec virus checkers on these viruses on ALL of my
> Windows 2000 computers as your email suggested: W32.Nimda.A@mm,
> W32.Nimda.E@mm and Code Red worm. All my computers were reported FREE of
> these viruses by the virus checkers, the viruses were NOT found... All the
> computers were reported "not vulnerable" to the Code Red virus.
>
> My roommate Steve Samuel still has to report on the status of his computers
> (which are connected to shaw independently from mine but on the same shaw
> modem, i.e. we each have our own firewalls and don't have shared Windows
> file shares).
>
> Mistaken Report of Virus?
> Is this another case of the automatic "virus reports" from Steve Samuel, who
> also lives here? His /script/system generates virus attack reports of
> attacks against our computers and automatically reports to them via email to
> an abuse site, which then forwards them to shaw. His reports should be clear
> that they are reporting attacks against our computers, please check the
> source of the reported attacks and verify that they are not Steve Samuel's
> reports of attacks against our computer.
>
> Please send us details of the attacks, ip addresses, ports, date and time,
> and any other details. We are computer professionals so we can use this info
> to find out what is going on.
>
> All the best,
>
> Peter William Lent
>
>
>>> ----- Original Message -----
>>> From: "Internet Abuse" <internet.abuse@shaw.ca>
>>> To: <plent@shaw.ca>
>>> Sent: Monday, July 08, 2002 7:22 AM
>>> Subject: Acceptable use policy violation 3409407
>>>
>>>>Dear Shaw Internet Customer
>>>>
>>>>*** Please note: we ask that you provide confirmation by reply email
>>>>(keeping the subject line intact) that you have received this email and
>>>>will be acting upon the information contained below. If no reply is
>>>>received a temporary service interruption may be implemented as a
>>>>protective measure. Thank you in advance for your assistance in this
>>>>matter. ***
>>>>
>>>>We're contacting you to advise that we have received reports of system
>>>>probes originating from your Shaw High Speed Internet Service connection.
>>>>Your computer is likely infected with either the W32.Nimda.A@mm or
>>>>W32.Nimda.E@mm worm as well as the Code Red worm.
>>>>W32.Nimda.A@mm or W32.Nimda.E@mm viruses are designed to perpetrate
>>>>through systems previously infected with the Code Red Worm. It is
>>>>critical that both viruses be removed from your system in order to
>>>>restore your system security. Below is information regarding the viruses
>>>>and remedies that are available.
>>>>
>>>>Code Red was originally designed to affect IIS versions 4.0 and 5.0. In
>>>>order to rid the system of worm infection (and prevent further
>>>>re-infection), the users must install the appropriate security patch
>>>>from Microsoft and reboot the computer.
>>>>
>>>>Additional Security Warning!! The latest variant of the Code Red Worm
>>>>contains a trojan that allows the perpetrator to obtain remote access to
>>>>the infected system.

--
Stephen Samuel +1(604)736-2266 samuel@bcgreen.com
http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.