Scan 15 Results

Scan 15 - Eric Severance <esev@esev.com>

Show step by step how you identify and recover the deleted rootkit from the / partition.

The first step in finding the deleted rootkit is to find a utility that allows the user to examine of the details of an ext2 filesystem. One such program is debugfs. debugfs can be used to display numerous information about the provided filesystem. debugfs can be started with the following command:

> /sbin/debugfs ./honeypot.hda8.dd debugfs 1.19, 13-Jul-2000 for EXT2 FS 0.5b, 95/08/09 debugfs:

The first task for debugfs is to locate the inodes of any files which have been recently deleted. The command lsdel is used for this purpose. Executing lsdel gives the following:

debugfs: lsdel 29 deleted inodes found. Inode Owner Mode Size Blocks Time deleted 56231 0 100644 33135 13/ 13 Thu Mar 15 06:17:36 2001 16110 0 100644 239 1/ 1 Thu Mar 15 06:20:25 2001 2058 0 100755 53588 54/ 54 Thu Mar 15 20:45:02 2001 30188 0 100755 66736 67/ 67 Thu Mar 15 20:45:02 2001 30191 0 100555 60080 60/ 60 Thu Mar 15 20:45:02 2001 48284 0 100755 42736 43/ 43 Thu Mar 15 20:45:02 2001 2047 0 100755 4060 4/ 4 Thu Mar 15 20:45:03 2001 2049 0 100600 540 1/ 1 Thu Mar 15 20:45:03 2001 2051 0 100600 512 1/ 1 Thu Mar 15 20:45:03 2001 2053 0 100700 8268 9/ 9 Thu Mar 15 20:45:03 2001 2059 0 100700 75 1/ 1 Thu Mar 15 20:45:03 2001 2060 0 100644 708 1/ 1 Thu Mar 15 20:45:03 2001 2061 0 100755 632066 622/ 622 Thu Mar 15 20:45:03 2001 23 0 100644 520333 512/ 512 Thu Mar 15 20:45:05 2001 2039 0 100755 611931 602/ 602 Thu Mar 15 20:45:05 2001 2040 0 100644 1 1/ 1 Thu Mar 15 20:45:05 2001 2041 0 100700 3713 4/ 4 Thu Mar 15 20:45:05 2001 2042 0 100644 796 1/ 1 Thu Mar 15 20:45:05 2001 2043 0 100755 1345 2/ 2 Thu Mar 15 20:45:05 2001 2044 0 100644 3278 4/ 4 Thu Mar 15 20:45:05 2001 2045 0 100755 79 1/ 1 Thu Mar 15 20:45:05 2001 2046 0 100644 11407 12/ 12 Thu Mar 15 20:45:05 2001 2048 0 100644 880 1/ 1 Thu Mar 15 20:45:05 2001 2050 0 100644 344 1/ 1 Thu Mar 15 20:45:05 2001 2052 0 100644 688 1/ 1 Thu Mar 15 20:45:05 2001 2054 0 100755 4620 5/ 5 Thu Mar 15 20:45:05 2001 2038 1031 40755 0 1/ 1 Thu Mar 15 20:46:09 2001 8097 0 40700 0 1/ 1 Fri Mar 16 05:03:12 2001 8100 0 100644 16329 177/ 177 Fri Mar 16 05:03:12 2001 debugfs:

Now that we have a listing of all the inodes that have been recently deleted we need to determine which inode contains file information for the rootkit. There isn't any straight forward way of locating that inode, the best you can to is form an educated guess. I came up with two methods for locating the rootkit: 1) Look for inodes that are at the beginning of a sequence; 2) Knowing that rootkits are normally tar-gzipped and not executable, look for a large file with 644 permissions. Using these two methods, the most logical choice is inode 23. The dump command can be used within debugfs to recover a deleted inode. I will dump inode 23 into the file test.tar.gz:

debugfs: dump <23> test.tar.gz debugfs: quit

Now, on the command line, lets see if my guess was correct:

>tar -xzvf test.tar.gz last/ tar: Archive contains future timestamp 2002-02-08 08:08:13 last/ssh last/pidfile last/install last/linsniffer last/cleaner last/inetd.conf last/lsattr last/services last/sense last/ssh_config last/ssh_host_key last/ssh_host_key.pub last/ssh_random_seed last/sshd_config last/sl2 last/last.cgi last/ps last/netstat last/ifconfig last/top last/logclear last/s last/mkxfs

Sure enough, the rootkit has now been recovered from inode 23 on the compromised filesystem.

What files make up the deleted rootkit?

The files associated with this rootkit are listed below along with their inodes and an MD5 hash:

inode filename MD5

2058 last/top 8ff0939cd49a0b2ef3156c7876afca4b

2047 last/sense 464dc23cac477c43418eb8d3ef087065

2049 last/ssh_host_key c2c1b08498ed71a908c581d634832672

2051 last/ssh_random_seed ad265d3c07dea3151bacb6930e0b72d3

2053 last/sl2 4cfae8c44a6d1ede669d41fc320c7325

2059 last/logclear 5f22ceb87631fbcbf32e59234feeaa5b

2060 last/s 06d04fa3c4941b398756d029de75770e

2061 last/mkxfs 18a2d7d3178f321b881e7c493af72996

23 lk.tar.gz -or- lk.tgz 115f438631de8d0a7c03c9d458eb7257

2039 last/ssh 21ed3ca31a9c9b51a757f1644e26f2f7

2040 last/pidfile 68b329da9893e34099c7d8ad5cb9c940

2041 last/install 964db5da8cf89810a54659b6fdb81958

2043 last/cleaner 12e8748c19abe7a44e67196c22738e9b

2044 last/inetd.conf b63485e42035328c0d900a71ff2e6bd7

2045 last/lsattr dfb2eeea2a5ba23eb6a2b9d0cff9d82f

2046 last/services 54e41f035e026f439d4188759b210f07

2048 last/ssh_config 5fd2ce512e0eba4d090191e8a1518808

2050 last/ssh_host_key.pub e76cd5baaab7b4f28c999946a9cb4dcc

2052 last/sshd_config 312de877e5180678cd54606e1c25af40

2054 last/last.cgi 202a51b16ac8d1b4dc75de89e7344ed4

2038 last

2057 last/ifconfig 086394958255553f6f38684dad97869e

last/linsniffer 6c0f96c1e43a23a21264f924ae732273

2056 last/netstat 2b07576213c1c8b942451459b3dc4903

2055 last/ps 7728c15d89f27e376950f96a7510bf0f

inode	filename	MD5
2058	last/top	8ff0939cd49a0b2ef3156c7876afca4b
2047	last/sense	464dc23cac477c43418eb8d3ef087065
2049	last/ssh_host_key	c2c1b08498ed71a908c581d634832672
2051	last/ssh_random_seed	ad265d3c07dea3151bacb6930e0b72d3
2053	last/sl2	4cfae8c44a6d1ede669d41fc320c7325
2059	last/logclear	5f22ceb87631fbcbf32e59234feeaa5b
2060	last/s	06d04fa3c4941b398756d029de75770e
2061	last/mkxfs	18a2d7d3178f321b881e7c493af72996
23	lk.tar.gz -or- lk.tgz	115f438631de8d0a7c03c9d458eb7257
2039	last/ssh	21ed3ca31a9c9b51a757f1644e26f2f7
2040	last/pidfile	68b329da9893e34099c7d8ad5cb9c940
2041	last/install	964db5da8cf89810a54659b6fdb81958
2043	last/cleaner	12e8748c19abe7a44e67196c22738e9b
2044	last/inetd.conf	b63485e42035328c0d900a71ff2e6bd7
2045	last/lsattr	dfb2eeea2a5ba23eb6a2b9d0cff9d82f
2046	last/services	54e41f035e026f439d4188759b210f07
2048	last/ssh_config	5fd2ce512e0eba4d090191e8a1518808
2050	last/ssh_host_key.pub	e76cd5baaab7b4f28c999946a9cb4dcc
2052	last/sshd_config	312de877e5180678cd54606e1c25af40
2054	last/last.cgi	202a51b16ac8d1b4dc75de89e7344ed4
2038	last
2057	last/ifconfig	086394958255553f6f38684dad97869e
	last/linsniffer	6c0f96c1e43a23a21264f924ae732273
2056	last/netstat	2b07576213c1c8b942451459b3dc4903
2055	last/ps	7728c15d89f27e376950f96a7510bf0f

Bonus Question: Was the rootkit ever actually installed on the system? How do you know?

To answer this question one must discover what this rootkit actually installs. To do this, take a look at the last/install script. Below is a decomposition of what the install script modifies.

File Description Evidence Installed?

/sbin/ifconfig

-and-

/bin/netstat

-and-

/bin/ps The script removes the original versions of these files and replaces them with a modified version. 1. MD5(sbin/ifconfig)= 086394958255553f6f38684dad97869e
MD5(bin/netstat)= 2b07576213c1c8b942451459b3dc4903
MD5(bin/ps)= 7728c15d89f27e376950f96a7510bf0f

2. The inodes for these files are in the same sequence as the rootkit. Yes

/usr/bin/top The script removes the original file and replaces it with a modified version. There is no evidence of this because we do not have the /usr partition. Unknown

/usr/bin/lsattr The script removes the original file and replaces it with a modified version. The script then executes this new version. By examining the modified lsattr it can be seen that this file appends the output of linsniffer to /dev/ida/.drag-on/tcp.log Looking inside this file we find:

cr272065-a.wlfdle1.on.wave.home.com => asdf1 [21] ----- [Timed Out] ns2.giant.net => asdf1 [23] da#da,~daO~daO~daU~ #'da[~dac~!dan~da~? Yes

/dev/rpm The script creates a /dev/rpm file and inserts the following data into that file:

3 sl2 3 sshdu 3 linsniffer 3 smurf 3 slice 3 mech 3 muh 3 bnc 3 psybnc > cat dev/rpm 3 sl2 3 sshdu 3 linsniffer 3 smurf 3 slice 3 mech 3 muh 3 bnc 3 psybnc Yes

/dev/last The script creates a /dev/last file and inserts the following data into that file:

1 193.231.139 1 213.154.137 1 193.254.34 3 48744 3 3666 3 31221 3 22546 4 48744 4 2222 > cat dev/last 1 193.231.139 1 213.154.137 1 193.254.34 3 48744 3 3666 3 31221 3 22546 4 48744 4 2222 Yes

/dev/ida/.drag-on

-and-

"/dev/ida/.. " These two directories are created and the following files (from the rootkit) are placed within them: linsniffer, logclear, sense, sl2, mkxfs, s, ssh_host_key, ssh_random_seed. Also a file named tcp.log is created within the directories MD5(dev/ida/.drag-on/linsniffer)=
    6c0f96c1e43a23a21264f924ae732273
MD5(dev/ida/.drag-on/logclear)=
    5f22ceb87631fbcbf32e59234feeaa5b
MD5(dev/ida/.drag-on/mkxfs)=
    18a2d7d3178f321b881e7c493af72996
MD5(dev/ida/.drag-on/s)=
    06d04fa3c4941b398756d029de75770e
MD5(dev/ida/.drag-on/sense)=
    464dc23cac477c43418eb8d3ef087065
MD5(dev/ida/.drag-on/sl2)=
    4cfae8c44a6d1ede669d41fc320c7325
MD5(dev/ida/.drag-on/ssh_host_key)=
    c2c1b08498ed71a908c581d634832672
MD5(dev/ida/.drag-on/ssh_random_seed)=
    97df00e63da3efd62fac4f84802370f0
MD5(dev/ida/.drag-on/tcp.log)=
    7754ec4105e2b56a4ec6721f522d580d
MD5(dev/ida/.. /linsniffer)=
    6c0f96c1e43a23a21264f924ae732273
MD5(dev/ida/.. /logclear)=
    5f22ceb87631fbcbf32e59234feeaa5b
MD5(dev/ida/.. /mkxfs)=
    18a2d7d3178f321b881e7c493af72996
MD5(dev/ida/.. /s)=
    06d04fa3c4941b398756d029de75770e
MD5(dev/ida/.. /sense)=
    464dc23cac477c43418eb8d3ef087065
MD5(dev/ida/.. /sl2)=
    4cfae8c44a6d1ede669d41fc320c7325
MD5(dev/ida/.. /ssh_host_key)=
    c2c1b08498ed71a908c581d634832672
MD5(dev/ida/.. /ssh_random_seed)=
    ad265d3c07dea3151bacb6930e0b72d3
MD5(dev/ida/.. /tcp.log)=
    d41d8cd98f00b204e9800998ecf8427e Yes

/etc/inetd.conf

-and-

/etc/services These two files are replaced by the files from the rootkit MD5(etc/inetd.conf)= b63485e42035328c0d900a71ff2e6bd7
MD5(etc/services)= 54e41f035e026f439d4188759b210f07 Yes

/etc/rc.d/rc.sysinit The script adds the following line to the end of /etc/rc.d/rc.sysinit: /usr/bin/lsattr -t1 -X53 -p > tail -2 etc/rc.d/rc.sysinit /usr/bin/lsattr -t1 -X53 -p Yes

Conclusion: Based on the evidence shown in the table, the rootkit has been installed on this system.

Inode	Owner	Mode	Size	Blocks		Time deleted
56231	0	100644	33135	13/	13	Thu Mar 15 06:17:36 2001
16110	0	100644	239	1/	1	Thu Mar 15 06:20:25 2001
2058	0	100755	53588	54/	54	Thu Mar 15 20:45:02 2001
30188	0	100755	66736	67/	67	Thu Mar 15 20:45:02 2001
30191	0	100555	60080	60/	60	Thu Mar 15 20:45:02 2001
48284	0	100755	42736	43/	43	Thu Mar 15 20:45:02 2001
2047	0	100755	4060	4/	4	Thu Mar 15 20:45:03 2001
2049	0	100600	540	1/	1	Thu Mar 15 20:45:03 2001
2051	0	100600	512	1/	1	Thu Mar 15 20:45:03 2001
2053	0	100700	8268	9/	9	Thu Mar 15 20:45:03 2001
2059	0	100700	75	1/	1	Thu Mar 15 20:45:03 2001
2060	0	100644	708	1/	1	Thu Mar 15 20:45:03 2001
2061	0	100755	632066	622/	622	Thu Mar 15 20:45:03 2001
23	0	100644	520333	512/	512	Thu Mar 15 20:45:05 2001
2039	0	100755	611931	602/	602	Thu Mar 15 20:45:05 2001
2040	0	100644	1	1/	1	Thu Mar 15 20:45:05 2001
2041	0	100700	3713	4/	4	Thu Mar 15 20:45:05 2001
2042	0	100644	796	1/	1	Thu Mar 15 20:45:05 2001
2043	0	100755	1345	2/	2	Thu Mar 15 20:45:05 2001
2044	0	100644	3278	4/	4	Thu Mar 15 20:45:05 2001
2045	0	100755	79	1/	1	Thu Mar 15 20:45:05 2001
2046	0	100644	11407	12/	12	Thu Mar 15 20:45:05 2001
2048	0	100644	880	1/	1	Thu Mar 15 20:45:05 2001
2050	0	100644	344	1/	1	Thu Mar 15 20:45:05 2001
2052	0	100644	688	1/	1	Thu Mar 15 20:45:05 2001
2054	0	100755	4620	5/	5	Thu Mar 15 20:45:05 2001
2038	1031	40755	0	1/	1	Thu Mar 15 20:46:09 2001
8097	0	40700	0	1/	1	Fri Mar 16 05:03:12 2001
8100	0	100644	16329	177/	177	Fri Mar 16 05:03:12 2001

File	Description	Evidence	Installed?
/sbin/ifconfig -and- /bin/netstat -and- /bin/ps	The script removes the original versions of these files and replaces them with a modified version.	1. MD5(sbin/ifconfig)= 086394958255553f6f38684dad97869e MD5(bin/netstat)= 2b07576213c1c8b942451459b3dc4903 MD5(bin/ps)= 7728c15d89f27e376950f96a7510bf0f 2. The inodes for these files are in the same sequence as the rootkit.	Yes
/usr/bin/top	The script removes the original file and replaces it with a modified version.	There is no evidence of this because we do not have the /usr partition.	Unknown
/usr/bin/lsattr	The script removes the original file and replaces it with a modified version. The script then executes this new version.	By examining the modified lsattr it can be seen that this file appends the output of linsniffer to /dev/ida/.drag-on/tcp.log Looking inside this file we find: `cr272065-a.wlfdle1.on.wave.home.com => asdf1 [21] ----- [Timed Out] ns2.giant.net => asdf1 [23] da#da,~daO~daO~daU~ #'da[~dac~!dan~da~?`	Yes
/dev/rpm	The script creates a /dev/rpm file and inserts the following data into that file: `3 sl2 3 sshdu 3 linsniffer 3 smurf 3 slice 3 mech 3 muh 3 bnc 3 psybnc`	`> cat dev/rpm 3 sl2 3 sshdu 3 linsniffer 3 smurf 3 slice 3 mech 3 muh 3 bnc 3 psybnc`	Yes
/dev/last	The script creates a /dev/last file and inserts the following data into that file: `1 193.231.139 1 213.154.137 1 193.254.34 3 48744 3 3666 3 31221 3 22546 4 48744 4 2222`	`> cat dev/last 1 193.231.139 1 213.154.137 1 193.254.34 3 48744 3 3666 3 31221 3 22546 4 48744 4 2222`	Yes
/dev/ida/.drag-on -and- "/dev/ida/.. "	These two directories are created and the following files (from the rootkit) are placed within them: linsniffer, logclear, sense, sl2, mkxfs, s, ssh_host_key, ssh_random_seed. Also a file named tcp.log is created within the directories	MD5(dev/ida/.drag-on/linsniffer)= 6c0f96c1e43a23a21264f924ae732273 MD5(dev/ida/.drag-on/logclear)= 5f22ceb87631fbcbf32e59234feeaa5b MD5(dev/ida/.drag-on/mkxfs)= 18a2d7d3178f321b881e7c493af72996 MD5(dev/ida/.drag-on/s)= 06d04fa3c4941b398756d029de75770e MD5(dev/ida/.drag-on/sense)= 464dc23cac477c43418eb8d3ef087065 MD5(dev/ida/.drag-on/sl2)= 4cfae8c44a6d1ede669d41fc320c7325 MD5(dev/ida/.drag-on/ssh_host_key)= c2c1b08498ed71a908c581d634832672 MD5(dev/ida/.drag-on/ssh_random_seed)= 97df00e63da3efd62fac4f84802370f0 MD5(dev/ida/.drag-on/tcp.log)= 7754ec4105e2b56a4ec6721f522d580d MD5(dev/ida/.. /linsniffer)= 6c0f96c1e43a23a21264f924ae732273 MD5(dev/ida/.. /logclear)= 5f22ceb87631fbcbf32e59234feeaa5b MD5(dev/ida/.. /mkxfs)= 18a2d7d3178f321b881e7c493af72996 MD5(dev/ida/.. /s)= 06d04fa3c4941b398756d029de75770e MD5(dev/ida/.. /sense)= 464dc23cac477c43418eb8d3ef087065 MD5(dev/ida/.. /sl2)= 4cfae8c44a6d1ede669d41fc320c7325 MD5(dev/ida/.. /ssh_host_key)= c2c1b08498ed71a908c581d634832672 MD5(dev/ida/.. /ssh_random_seed)= ad265d3c07dea3151bacb6930e0b72d3 MD5(dev/ida/.. /tcp.log)= d41d8cd98f00b204e9800998ecf8427e	Yes
/etc/inetd.conf -and- /etc/services	These two files are replaced by the files from the rootkit	MD5(etc/inetd.conf)= b63485e42035328c0d900a71ff2e6bd7 MD5(etc/services)= 54e41f035e026f439d4188759b210f07	Yes
/etc/rc.d/rc.sysinit	The script adds the following line to the end of /etc/rc.d/rc.sysinit: `/usr/bin/lsattr -t1 -X53 -p`	`> tail -2 etc/rc.d/rc.sysinit /usr/bin/lsattr -t1 -X53 -p`	Yes