Saturday, December 13, 2014

Splunk - Investigating a potential FTP server security incident

IOC:
File Name (and Dir Path): /valid_directory/client_file.zip
IP: 192.168.0.1

Search Query: index=main source=UDP_514 sourcetype=syslog  host="192.168.0.2" OR host="192.168.0.3" vsftpd 192.168.0.1 "/" 

(Splunk evaluates OR before the implied AND between search terms, so the two host clauses are grouped together as intended; wrapping them in parentheses makes that explicit and avoids surprises when more terms are added.)

The search above returned 37 events, starting at "Jan 25 13:17:02" and ending at "Jan 25 13:25:33".

Focusing on that time range and widening the filter to all vsftpd events except those involving 10.0.0.1:
index=main source=UDP_514 sourcetype=syslog  host="192.168.0.2" OR host="192.168.0.3" vsftpd AND NOT 10.0.0.1
405 events (11/26/14 1:10:00.000 PM to 11/26/14 1:25:00.000 PM)

Note that the time picker shows 26 November 2014 while the events themselves carry "Jan 25" timestamps, and that the syslog header time and vsftpd's own timestamp inside each event differ by about three seconds. Before relying on a timeline built from these events, confirm how _time was assigned for this source and whether the FTP host and the syslog collector are clock-synchronised.


Jan 25 13:15:24
The client 192.168.0.1 connected to 192.168.0.3 (pid 3336)
Jan 25 13:15:24 192.168.0.3 vsftpd: Wed Jan 25 13:15:27 2014 [pid 3336] CONNECT: Client "192.168.0.1" 

Jan 25 13:15:24
It sent USER "anonymous"; the server asked for a password (331) and the login was then recorded as failed
    - Jan 25 13:15:24 192.168.0.3 vsftpd: Wed Jan 25 13:15:27 2014 [pid 3336] FTP command: Client "192.168.0.1", "USER anonymous"
    - Jan 25 13:15:24 192.168.0.3 vsftpd: Wed Jan 25 13:15:27 2014 [pid 3336] [anonymous] FTP response: Client "192.168.0.1", "331 - Please specify the password.
    - Jan 25 13:15:24 192.168.0.3 vsftpd: Wed Jan 25 13:15:27 2014 [pid 3335] [anonymous] FAIL LOGIN: Client "192.168.0.1"
Note that the FAIL LOGIN line carries pid 3335 while the session's command and response lines carry pid 3336: vsftpd logs login results from a different process than the one handling the FTP commands. This matters later when the search is narrowed to a single pid.


Jan 25 13:15:53
  The client (pid 3338) tried to authenticate again, this time with a blank username
  The server rejected it with 503 because no user had been specified
 
    - Jan 25 13:15:53 192.168.0.3 vsftpd: Wed Jan 25 13:15:55 2014 [pid 3338] FTP command: Client "192.168.0.1", "USER"
 
    - Jan 25 13:15:53 192.168.0.3 vsftpd: Wed Jan 25 13:15:56 2014 [pid 3338] FTP response: Client "192.168.0.1", "503 Login with USER first."
   
 
Jan 25 13:16:20
  Two connections were opened in the same second, pid 3340 and pid 3342
  Both sent USER "anonymous" and both received "530 Login incorrect." two seconds later
  The two failures here are therefore one per session, not two password attempts on a single connection
    - Jan 25 13:16:20 192.168.0.3 vsftpd: Wed Jan 25 13:16:23 2014 [pid 3340] FTP command: Client "192.168.0.1", "USER anonymous" 
    - Jan 25 13:16:20 192.168.0.3 vsftpd: Wed Jan 25 13:16:23 2014 [pid 3342] CONNECT: Client "192.168.0.1"
    - Jan 25 13:16:22 192.168.0.3 vsftpd: Wed Jan 25 13:16:25 2014 [pid 3342] [anonymous] FTP response: Client "192.168.0.1", "530 Login incorrect."
    - Jan 25 13:16:22 192.168.0.3 vsftpd: Wed Jan 25 13:16:25 2014 [pid 3340] [anonymous] FTP response: Client "192.168.0.1", "530 Login incorrect."


Jan 25 13:16:28
    The client reconnected (pid 3346) with username "anonymous"
    Authentication failed twice with "530 Login incorrect."
        - Jan 25 13:16:28 192.168.0.3 vsftpd: Wed Jan 25 13:16:30 2014 [pid 3346] CONNECT: Client "192.168.0.1"
       

Jan 25 13:17:02
The client connected again and this time authenticated successfully as "anonymous"
        - Jan 25 13:17:02 192.168.0.3 vsftpd: Wed Jan 25 13:17:04 2014 [pid 3350] FTP command: Client "192.168.0.1", "USER anonymous"
        - Jan 25 13:17:02 192.168.0.3 vsftpd: Wed Jan 25 13:17:05 2014 [pid 3349] [ftp] OK LOGIN: Client "192.168.0.1", anon password "ftpPassword"
        - Jan 25 13:17:02 192.168.0.3 vsftpd: Wed Jan 25 13:17:05 2014 [pid 3351] [ftp] FTP response: Client "192.168.0.1", "230 Login successful."
    vsftpd records the string the client supplied as the anonymous password ("ftpPassword" here). A fixed value like this is worth noting, as it can tie later sessions to the same client tooling. Again the OK LOGIN line (pid 3349) has a different pid from the command and response lines (3350, 3351).
 
    Once logged in, the client did the following:
        "SYST" - check the system type; the server reported UNIX
        "PWD" - print the current working directory; the server returned "/"
        "SIZE" - request the size of a file; this failed
        "CWD /" - change the working directory to "/"
        "LIST -l" - list the files in the directory; nothing was returned

    The client then closed the connection (the 221 reply and the QUIT are logged in the same second, so their order in the index is not significant)
        - Jan 25 13:17:03 192.168.0.3 vsftpd: Wed Jan 25 13:17:06 2014 [pid 3351] [ftp] FTP response: Client "192.168.0.1", "221 Goodbye."
        - Jan 25 13:17:03 192.168.0.3 vsftpd: Wed Jan 25 13:17:06 2014 [pid 3351] [ftp] FTP command: Client "192.168.0.1", "QUIT"
       
       
Jan 25 13:17:22
    The client connected once again (pid 3353)
        - Jan 25 13:17:22 192.168.0.3 vsftpd: Wed Jan 25 13:17:24 2014 [pid 3353] CONNECT: Client "192.168.0.1"
    The attempt to authenticate with username "anonymous" failed
   
   
Jan 25 13:17:24

    The client reconnected once again (pid 3355)
        - Jan 25 13:17:24 192.168.0.3 vsftpd: Wed Jan 25 13:17:27 2014 [pid 3355] CONNECT: Client "192.168.0.1"
    This time authentication succeeded for user "anonymous"
    In addition to rerunning most of the previous commands, the client ran
        "SIZE /non_existent_directory" - request the size of the backup folder; this failed (SIZE applies to files, not directories)
        "CWD /non_existent_directory/" - change into the backup folder; this succeeded
        "LIST -l" - list the directory; again nothing was returned
    The client then quit the session
   
   
Jan 25 13:17:44

    The client reconnected (pid 3358)
        - Jan 25 13:17:44 192.168.0.3 vsftpd: Wed Jan 25 13:17:47 2014 [pid 3358] CONNECT: Client "192.168.0.1"
    Authentication failed for user "anonymous"
    


Jan 25 13:17:47

    The client connected again (pid 3360)
        - Jan 25 13:17:47 192.168.0.3 vsftpd: Wed Jan 25 13:17:49 2014 [pid 3360] CONNECT: Client "192.168.0.1"
    Authentication succeeded for user "anonymous"
    Most of the commands from the two previous sessions were rerun
    The client then exited
   

Jan 25 13:18:12

    The client reconnected (pid 3363)
        - Jan 25 13:18:12 192.168.0.3 vsftpd: Wed Jan 25 13:18:15 2014 [pid 3363] CONNECT: Client "192.168.0.1"
    Authentication was successful
    Once again most of the commands from the previous sessions were rerun, but this time the working directory was changed to "/valid_directory/"
        - "CWD /valid_directory/"
        - "LIST -l" - attempt to view the files in the directory; this failed
    The client then exited
   

Jan 25 13:18:51

    The client reconnected (pid 3368)
        - Jan 25 13:18:51 192.168.0.3 vsftpd: Wed Jan 25 13:18:54 2014 [pid 3368] CONNECT: Client "192.168.0.1"
    Authentication succeeded for user "anonymous"
    As in the previous sessions a number of commands were run
        - "LIST" - attempt to view the directory; this was unsuccessful
    The data connection for the listing could not be established
        - Jan 25 13:18:52 192.168.0.3 vsftpd: Wed Jan 25 13:18:55 2014 [pid 3372] [ftp] FTP response: Client "192.168.0.1", "425 Failed to establish connection."   
    425 is the FTP reply for a data connection that could not be opened, so this LIST failed at the data-channel level (the PORT or PASV connection), not because of permissions. The earlier listings that "returned nothing" deserve the same scrutiny.
   
After several further connects and disconnects, the session of interest is pid 3385.
   
Narrowing the filter to that pid and extending the time range to 13:59:
    index=main source=UDP_514 sourcetype=syslog  host="192.168.0.2" OR host="192.168.0.3" vsftpd AND NOT 10.0.0.1 "pid 3385"
     75 events (11/26/14 1:10:00.000 PM to 11/26/14 1:59:00.000 PM)

Because the OK LOGIN and FAIL LOGIN lines carry a different pid from the session's command and response lines, a pid-only filter like this one will not return them; the "230 Login successful." response below has to serve as the login confirmation instead.


Jan 25 13:23:57

    The client logged in successfully as "anonymous"
        - Jan 25 13:23:57 192.168.0.3 vsftpd: Wed Jan 25 13:23:59 2014 [pid 3385] [ftp] FTP response: Client "192.168.0.1", "230 Login successful."
    It then ran most of the commands it had run before. Focusing on the commands relevant to the session with PID 3385:
        "CWD /valid_directory/" - change directory to "/valid_directory/"
            - Jan 25 13:24:06 192.168.0.3 vsftpd: Wed Jan 25 13:24:09 2014 [pid 3385] [ftp] FTP command: Client "192.168.0.1", "CWD /valid_directory/"
            - Jan 25 13:24:06 192.168.0.3 vsftpd: Wed Jan 25 13:24:09 2014 [pid 3385] [ftp] FTP response: Client "192.168.0.1", "257 "/valid_directory/""
          (257 is the reply code to PWD, not CWD, so this response most likely answers a PWD sent right after the change; the CWD itself is acknowledged with a 250 reply.)
        "LIST" - the command was unsuccessful
        "CWD bin" - attempt to change into the "bin" directory; this failed with 550
            - Jan 25 13:24:21 192.168.0.3 vsftpd: Wed Jan 25 13:24:23 2014 [pid 3385] [ftp] FTP response: Client "192.168.0.1", "550 Failed to change directory."   
            - Jan 25 13:24:21 192.168.0.3 vsftpd: Wed Jan 25 13:24:23 2014 [pid 3385] [ftp] FTP command: Client "192.168.0.1", "CWD bin"
    The client then changed back to the "/" root directory and into "/valid_directory/" again.

    Once in "/valid_directory/", the client ran
        - "SIZE client_file.zip" - request the size of the file "client_file.zip"
    The server returned a size of 4342 bytes
        - Jan 25 13:25:32 192.168.0.3 vsftpd: Wed Jan 25 13:25:35 2014 [pid 3385] [ftp] FTP response: Client "192.168.0.1", "213 4342"
    Once the size was known, the file was retrieved
        - Jan 25 13:25:33 192.168.0.3 vsftpd: Wed Jan 25 13:25:35 2014 [pid 3385] [ftp] FTP command: Client "192.168.0.1", "RETR client_file.zip"
        - Jan 25 13:25:33 192.168.0.3 vsftpd: Wed Jan 25 13:25:35 2014 [pid 3385] [ftp] FTP response: Client "192.168.0.1", "150 Opening BINARY mode data connection for client_file.zip (4342 bytes)."
        - Jan 25 13:25:33 192.168.0.3 vsftpd: Wed Jan 25 13:25:35 2014 [pid 3385] [ftp] OK /valid_directory/: Client "192.168.0.1", "/valid_directory/client_file.zip", 4342 bytes, 10928.44Kbyte/sec
        - Jan 25 13:25:33 192.168.0.3 vsftpd: Wed Jan 25 13:25:35 2014 [pid 3385] [ftp] FTP response: Client "192.168.0.1", "226 File send OK."
   
    ----- Completion of splunk investigation -----
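The timeline above was assembled by hand from the Splunk results. The Python below is an added example, not part of the original post or of vsftpd, that does the same grouping offline: it parses vsftpd syslog lines, groups command and response events by (host, pid) into sessions, tallies OK LOGIN / FAIL LOGIN per client (they carry a different pid from the session, so they cannot be grouped by pid), counts 530 rejections, and reports every RETR that ended with a 226 reply together with the absolute path (tracking CWD and only applying it on a 250 reply). The sample lines are constructed from the ones quoted in the post; the "250 Directory successfully changed." line is constructed too, since the post shows a 257 at that point.

```python
"""Reconstruct vsftpd sessions from syslog lines (added example, not from the post)."""
import posixpath
import re
from collections import defaultdict

# Syslog header, vsftpd's own timestamp, pid, optional "[user]" tag, event type
# (text up to the first colon), the client IP and whatever follows it.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) vsftpd: '
    r'(?P<vts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid (?P<pid>\d+)\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?P<event>[^:]+): Client "(?P<client>[^"]+)"'
    r'(?:, (?P<rest>.*))?$'
)
SIZE_RE = re.compile(r'\((\d+) bytes\)')   # from the "150 Opening ..." reply

def parse_line(line):
    """Split one vsftpd syslog line into fields; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev['pid'] = int(ev['pid'])
    rest = ev['rest'] or ''
    if len(rest) >= 2 and rest[0] == '"' and rest[-1] == '"':
        rest = rest[1:-1]              # FTP command/response payloads are quoted
    ev['rest'] = rest
    return ev

def completed_downloads(events):
    """For one session (events in order) return (client, abs path, bytes) for
    each RETR that finished with a 226. CWD takes effect only on a 250 reply."""
    cwd, pending_cwd, retr, size, out = '/', None, None, None, []
    for ev in events:
        kind, text = ev['event'], ev['rest']
        if kind == 'FTP command':
            verb, _, arg = text.partition(' ')
            if verb == 'CWD':
                pending_cwd = arg
            elif verb == 'RETR':
                retr, size = arg, None
        elif kind == 'FTP response':
            code = text[:3]
            if code == '250' and pending_cwd is not None:
                cwd = posixpath.normpath(posixpath.join(cwd, pending_cwd))
                pending_cwd = None
            elif code == '550':
                pending_cwd = None      # change refused, directory unchanged
            elif code == '150' and retr is not None:
                m = SIZE_RE.search(text)
                size = int(m.group(1)) if m else None
            elif code == '226' and retr is not None:
                out.append((ev['client'], posixpath.normpath(posixpath.join(cwd, retr)), size))
                retr, size = None, None
    return out

def analyze(text):
    """Return login tallies per client, 530 counts per client and completed downloads."""
    sessions = defaultdict(list)
    logins = defaultdict(lambda: {'ok': 0, 'fail': 0})
    rejected = defaultdict(int)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev['event'] == 'OK LOGIN':        # logged by a different pid than the
            logins[ev['client']]['ok'] += 1  # session's commands, so tally per client
        elif ev['event'] == 'FAIL LOGIN':
            logins[ev['client']]['fail'] += 1
        else:
            sessions[(ev['host'], ev['pid'])].append(ev)
            if ev['event'] == 'FTP response' and ev['rest'].startswith('530'):
                rejected[ev['client']] += 1
    downloads = [d for evs in sessions.values() for d in completed_downloads(evs)]
    return {'logins': dict(logins), 'rejected': dict(rejected), 'downloads': downloads}

# Constructed sample patterned on the lines quoted in the post (the 250 reply is constructed).
SAMPLE = """\
Jan 25 13:15:24 192.168.0.3 vsftpd: Wed Jan 25 13:15:27 2014 [pid 3336] CONNECT: Client "192.168.0.1"
Jan 25 13:15:24 192.168.0.3 vsftpd: Wed Jan 25 13:15:27 2014 [pid 3336] FTP command: Client "192.168.0.1", "USER anonymous"
Jan 25 13:15:24 192.168.0.3 vsftpd: Wed Jan 25 13:15:27 2014 [pid 3335] [anonymous] FAIL LOGIN: Client "192.168.0.1"
Jan 25 13:16:22 192.168.0.3 vsftpd: Wed Jan 25 13:16:25 2014 [pid 3342] [anonymous] FTP response: Client "192.168.0.1", "530 Login incorrect."
Jan 25 13:17:02 192.168.0.3 vsftpd: Wed Jan 25 13:17:05 2014 [pid 3349] [ftp] OK LOGIN: Client "192.168.0.1", anon password "ftpPassword"
Jan 25 13:23:57 192.168.0.3 vsftpd: Wed Jan 25 13:23:59 2014 [pid 3385] [ftp] FTP response: Client "192.168.0.1", "230 Login successful."
Jan 25 13:24:06 192.168.0.3 vsftpd: Wed Jan 25 13:24:09 2014 [pid 3385] [ftp] FTP command: Client "192.168.0.1", "CWD /valid_directory/"
Jan 25 13:24:06 192.168.0.3 vsftpd: Wed Jan 25 13:24:09 2014 [pid 3385] [ftp] FTP response: Client "192.168.0.1", "250 Directory successfully changed."
Jan 25 13:24:21 192.168.0.3 vsftpd: Wed Jan 25 13:24:23 2014 [pid 3385] [ftp] FTP command: Client "192.168.0.1", "CWD bin"
Jan 25 13:24:21 192.168.0.3 vsftpd: Wed Jan 25 13:24:23 2014 [pid 3385] [ftp] FTP response: Client "192.168.0.1", "550 Failed to change directory."
Jan 25 13:25:33 192.168.0.3 vsftpd: Wed Jan 25 13:25:35 2014 [pid 3385] [ftp] FTP command: Client "192.168.0.1", "RETR client_file.zip"
Jan 25 13:25:33 192.168.0.3 vsftpd: Wed Jan 25 13:25:35 2014 [pid 3385] [ftp] FTP response: Client "192.168.0.1", "150 Opening BINARY mode data connection for client_file.zip (4342 bytes)."
Jan 25 13:25:33 192.168.0.3 vsftpd: Wed Jan 25 13:25:35 2014 [pid 3385] [ftp] FTP response: Client "192.168.0.1", "226 File send OK."
"""

if __name__ == '__main__':
    for key, value in analyze(SAMPLE).items():
        print(key, value)
```

Point it at a real export of the Splunk results (one event per line) and the `downloads` list gives the same RETR evidence the manual walk-through arrived at, while the per-client login tallies survive the pid-filtering problem noted above.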


To decide whether this was a malicious download, other sources were checked for the same file.
   

An email was found carrying an attachment with a different but similar name:
   
    -- The attachment in this mail was:
            "emailed_file.zip"
       
        fciv gives its MD5, and a "dir" shows the same size the FTP server reported, 4,342 bytes:
            C:\tmp>fciv emailed_file.zip
            //
            // File Checksum Integrity Verifier version 2.05.
            //
            abe8b06f6d2670c74efa477b7d19bb77 emailed_file.zip

            dir emailed_file.zip
            ....
            11/25/2014  03:40 PM             4,342 emailed_file.zip
               1 File(s)          4,342 bytes

        A matching size on its own is weak corroboration. The FTP logs only record the size, so if the downloaded copy can be recovered from the client it should be hashed and compared with the MD5 above rather than relying on size alone.
              
       
           
    Conclusion
        In the end this was judged a false positive, as there was enough information to suggest there was nothing malicious about this download. However, as stated many times before, the objective when investigating a potential incident is to gather enough information to support your case. That information can come from sources such as packet captures, logs, emails, tickets, inventory, and so on.

    Hope you enjoyed this post on using Splunk for your investigation.
       
       
 Reference:
 http://www.nsftools.com/tips/RawFTP.htm     
