Open vinmittal opened 9 years ago
Are Issue #1 and #2 interlinked?
Not yet. The objective is that my Amazon Linux machine has been unprotected with a lot of things open on the public IP on the internet. You are a forensic detective. You have been asked to examine the server and see what you can dig up, for example past logins, history, break-in attempts, etc.
Upon examining the Auth.log file in the /var/log directory, I found many login attempts. They were kind of brute-force unsuccessful attempts, and there were many unsuccessful attempts in which no .pem key was attached.
Also, /var/log/btmp in the Amazon VM shows all login attempts with date and time in a separated manner, so it is easy to read and analyse.
@harshdattani Please check all the logs and tabulate the attempts to log in. I need to present this result tomorrow in a cloud meeting. Also look for whether any network services were probed. Check if someone ran a vulnerability scan on this server. Please submit scripts and the analysis doc at https://github.com/vinmittal/SecurityTrainingPub/tree/master/forensicinvestigations/aws. Even if it is one line, please submit.
@vinmittal, I have created a Python Linux auth log parser and have parsed the Auth.log of the AWS server. Here is the script: https://github.com/DDhwanil/Linux-Auth-Log-Parser
Well done, Dhwanil, it looks very good.
Dhwanil, can you expand the script to see if the IP addresses were from botnets? The list can come from http://www.malwaredomains.com/; there are other sources as well.
@vinmittal, I have updated my Python script according to your instruction. Here is the script: https://github.com/DDhwanil/Linux-Auth-Log-Parser
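A worked version of the tabulation requested in this thread, added here as an example; it is not Dhwanil's parser and not code from either linked repository. It reads sshd lines in the syslog format that auth.log (or /var/log/secure on Amazon Linux) uses, counts failed passwords, "Invalid user" probes, pre-authentication disconnects (the "no key attached" case), and accepted logins per source IP, records first and last seen, flags sources above a brute-force threshold, and cross-references a blocklist of IPs. The log lines, hostname, IPs, blocklist and threshold are all constructed for the example and are not data from the server discussed above.

```python
import re

# Constructed sample lines in auth.log / syslog format (not real data from the server in this thread).
SAMPLE_AUTH_LOG = """\
Mar 10 04:12:01 ip-172-31-5-12 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar 10 04:12:03 ip-172-31-5-12 sshd[2231]: Failed password for root from 203.0.113.45 port 51240 ssh2
Mar 10 04:12:04 ip-172-31-5-12 sshd[2232]: Failed password for root from 203.0.113.45 port 51242 ssh2
Mar 10 04:12:05 ip-172-31-5-12 sshd[2233]: Invalid user oracle from 198.51.100.7
Mar 10 04:12:06 ip-172-31-5-12 sshd[2233]: Connection closed by 198.51.100.7 [preauth]
Mar 10 04:12:09 ip-172-31-5-12 sshd[2234]: Received disconnect from 198.51.100.7: 11: Bye Bye [preauth]
Mar 10 04:15:22 ip-172-31-5-12 sshd[2240]: Accepted publickey for ec2-user from 192.0.2.10 port 40022 ssh2: RSA SHA256:abcdef
Mar 10 04:15:22 ip-172-31-5-12 sshd[2240]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
"""

# Constructed blocklist; in practice this would be loaded from an IP reputation feed.
SAMPLE_BLOCKLIST = {"203.0.113.45"}

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# syslog timestamps carry no year, so first/last seen are kept as the raw strings.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)")
# One regex per sshd event type; the first one that matches a line wins.
EVENT_RES = {
    "failed": re.compile(rf"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>{IP})"),
    "invalid_user": re.compile(rf"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>{IP})"),
    # Client went away before authenticating, e.g. no key offered.
    "preauth_disconnect": re.compile(rf"sshd\[\d+\]: (?:Connection closed by|Received disconnect from) (?P<ip>{IP}).*\[preauth\]"),
    "accepted": re.compile(rf"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>{IP})"),
}


def new_entry():
    return {"failed": 0, "invalid_user": 0, "preauth_disconnect": 0, "accepted": 0,
            "users": set(), "first_seen": None, "last_seen": None}


def parse_auth_log(text):
    """Return {source_ip: counters} for every sshd event found in the log text."""
    stats = {}
    for line in text.splitlines():
        ts_m = TS_RE.match(line)
        ts = ts_m.group("ts") if ts_m else None
        for event, rx in EVENT_RES.items():
            m = rx.search(line)
            if not m:
                continue
            entry = stats.setdefault(m.group("ip"), new_entry())
            entry[event] += 1
            if "user" in m.groupdict():
                entry["users"].add(m.group("user"))
            if entry["first_seen"] is None:
                entry["first_seen"] = ts
            entry["last_seen"] = ts
            break  # a line is exactly one event
    return stats


def tabulate(stats, blocklist, brute_force_threshold=3):
    """Flatten the per-IP counters into rows, flag brute force and blocklist hits, worst offenders first."""
    rows = []
    for ip, e in stats.items():
        rows.append({
            "ip": ip,
            "failed": e["failed"],
            "invalid_user": e["invalid_user"],
            "preauth_disconnect": e["preauth_disconnect"],
            "accepted": e["accepted"],
            "users": ",".join(sorted(e["users"])) or "-",
            "first_seen": e["first_seen"],
            "last_seen": e["last_seen"],
            "brute_force": e["failed"] >= brute_force_threshold,
            "blocklisted": ip in blocklist,
        })
    rows.sort(key=lambda r: (-r["failed"], -r["preauth_disconnect"], r["ip"]))
    return rows


def render_table(rows):
    """Plain-text table for pasting into the analysis doc."""
    cols = ["ip", "failed", "invalid_user", "preauth_disconnect", "accepted",
            "users", "first_seen", "last_seen", "brute_force", "blocklisted"]
    widths = {c: max([len(c)] + [len(str(r[c])) for r in rows]) for c in cols}
    lines = ["  ".join(c.ljust(widths[c]) for c in cols)]
    for r in rows:
        lines.append("  ".join(str(r[c]).ljust(widths[c]) for c in cols))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(tabulate(parse_auth_log(SAMPLE_AUTH_LOG), SAMPLE_BLOCKLIST)))
```

Two caveats for the real server: Amazon Linux writes sshd messages to /var/log/secure rather than auth.log, in the same line format, so point the parser there; and /var/log/btmp is a binary utmp file, not text, so read it with `lastb` (or `last -f /var/log/btmp`) instead of this parser. The blocklist check only works with a feed of IP addresses; a domain list such as the one mentioned above would first have to be resolved to addresses, and a hit is a lead, not proof that the host was part of a botnet.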
Can someone publish a forensic report of the Linux server that I have mentioned in the email? The server is running in Amazon.
Thanks, Vineet