From niels.heinen@ubizen.com Wed May 23 07:25:39 2001
Date: Wed, 23 May 2001 09:34:25 +0200
From: Niels Heinen
To: project@honeynet.org
Subject: Scan of the month submission.

Hi Lance,

Here is my submission =) Thanks for the fun, it was very interesting!

Regards,
Niels Heinen

[ Part 1.2: "Attached Text" ]

1. Show step by step how you identify and recover the deleted rootkit from the / partition.

I took a freshly installed Linux box to do the analysis on. After downloading the partition to this system I first installed lsof (a Unix diagnostic tool), which is recommended in the TCT readme files. Then I installed The Coroner's Toolkit in order to recover the files from the partition and did the following steps:

- Unpacked the partition:
    tar -zxvf honeynet.tar.gz
- Mounted this partition:
    mount -o loop /tmp/honeynet/honeynetpot.hda8.dd /mnt/honey/
- Executed the grave-robber script:
    grave-robber -v /mnt/honey/
- Unmounted the partition:
    umount /tmp/honeynet/honeynetpot.hda8.dd
- Executed unrm:
    unrm /tmp/honeynet/honeynetpot.hda8.dd > /tmp/unrm.output
- Executed lazarus:
    lazarus -h /tmp/unrm.output

Lazarus reconstructed the data and created an HTML (-h) output. I started lazarus right before going home from work and the next morning it was finished. So that evening I continued with analysing the output generated by lazarus.

2. What files make up the deleted rootkit?

The following files were deleted from the root directory:

A shell script that installed the rootkit. This shell script can be used later on to locate other files installed by the rootkit. After all backdoor files are in place, the shell script creates the file "computer", which contains system information. This file is mailed to two email accounts: last@linuxmail.org and bidi_damm@yahoo.com.

Below is the email I recovered from the disk:

-------------- snip email -------------
To: last@linuxmail.org
Subject: placinte

* Info : Linux asdf1 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown
* Hostname : asdf1
* IfConfig :
    inet addr:127.0.0.1 Bcast:127.255.255.255 Mask:255.0.0.0
    inet addr:172.16.1.108 Bcast:172.16.1.255 Mask:255.255.255.0
* Uptime : 7:45pm up 8:23, 0 users, load average: 0.00, 0.00, 0.00
* Cpu Vendor ID : vendor_id : GenuineIntel
* Cpu Model : model : 4
              model name : Pentium MMX
* Cpu Speed: cpu MHz : 200.457171
* Bogomips: bogomips : 399.77
* Spatiu Liber:
Filesystem            Size  Used Avail Use% Mounted on
/dev/hda8             251M   33M  205M  14% /
/dev/hda1              23M  2.4M   19M  11% /boot
/dev/hda6             1.6G  2.1M  1.5G   0% /home
/dev/hda5             1.6G  367M  1.2G  23% /usr
/dev/hda7             251M  5.3M  232M   2% /var
-------------- snip email -------------

The rootkit replaces ifconfig, netstat, ps and top with fixed versions in order to limit the chance of being detected. It also copies the file mkxfs to /usr/bin. Two files are created: /dev/rpm and /dev/last. These files contain configuration information that is used by the programs described above to hide processes, backdoors and IP addresses.

Content of /dev/last:

1 193.231.139
1 213.154.137
1 193.254.34
3 48744
3 3666
3 31221
3 22546
4 48744
4 2222

As you can see, this file contains 3 subnets and several ports that should be hidden.

Content of /dev/rpm:

3 sl2
3 sshdu
3 linsniffer
3 smurf
3 slice
3 mech
3 muh
3 bnc
3 psybnc

These are the names of the processes that have to be hidden by the replaced binaries.

After doing this the rootkit is installed in 2 places: first in /dev/ida/.drag-on/ and then in /dev/ida/.. /. The files linsniffer, logclear, sense, sl2, mkxfs, s, ssh_host_key and ssh_random_seed are then copied into those directories.

Now again it replaces a program to hide its existence. The program targeted is lsattr, which is a utility that can list file attributes on a Linux second extended file system. The file is replaced with a backdoor that listens on port 53. This backdoor gets executed at startup because the script adds the following line to rc.sysinit:

    /usr/bin/lsattr -t1 -X53 -p

In the end the rootkit looks for the existence of several cgi-bin directories. If it finds some, the rootkit will copy a CGI backdoor (last.cgi) to these directories and will then clean up by deleting: last, lk.tgz, computer, and lk.tar.gz.

Romanian text was found several times in this rootkit. I have not seen this rootkit before, but I believe it has been created out of several other kits. The sauber shell script, for example, has been included in several rootkits already.

The system was probably compromised by a massrooter. Massrooters are semi-worms that scan Class B networks for vulnerable hosts. The scanner often invokes an exploit when it finds a potentially vulnerable host. If the exploit succeeds, a rootkit is uploaded to the system and often an email with system information is sent to a free hosting email account which is owned by the hacker. The creators of these kits often do not realize what kind of noise they make when searching for vulnerable hosts, and because all of this is done with a large amount of systems in a short amount of time these hackers make A LOT of mistakes ;) Since most of these massrooters are based upon existing exploits using well-known vulnerabilities, keeping up to date with the latest patches should often be enough to counter them.

Bonus Question: Was the rootkit ever actually installed on the system? How do you know?

The rootkit was installed in /dev/ida/.drag-on and /dev/ida/.. /. In these directories, the files linsniffer, logclear, mkxfs, s, sense, sl2, ssh_host_key, ssh_random_seed and tcp.log were installed. I found a tcp.log file in one of these directories that contained some sniffed data, so it is very likely that the rootkit was installed successfully.
Regards,
Niels Heinen

[ Part 2: "S/MIME Cryptographic Signature" ]
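Added example, not code from the submission, from TCT or from the rootkit: a small Python parser for the /dev/last and /dev/rpm hide-lists quoted in the write-up, applied to constructed netstat and ps listings to show which entries the trojaned binaries would suppress, so an analyst can tell from the configuration alone what the attacker wanted hidden. The type-code meanings follow the write-up (in /dev/last, 1 is an address prefix and 3/4 are port numbers; in /dev/rpm, 3 is a process name); how codes 3 and 4 differ is not stated in the post, so both are treated as ports here, which is an assumption. Unknown codes are reported instead of being silently dropped. The netstat and ps lines are constructed samples, not output from the compromised host.

```python
from dataclasses import dataclass, field

# Constructed copies of the two hide-lists quoted in the submission
# (same entries as posted; the rootkit stores them as /dev/last and /dev/rpm).
DEV_LAST = """\
1 193.231.139
1 213.154.137
1 193.254.34
3 48744
3 3666
3 31221
3 22546
4 48744
4 2222
"""
DEV_RPM = """\
3 sl2
3 sshdu
3 linsniffer
3 smurf
3 slice
3 mech
3 muh
3 bnc
3 psybnc
"""

# Constructed listings, as an honest (untrojaned) netstat -an / ps would print them.
NETSTAT_SAMPLE = [
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
    "tcp        0      0 172.16.1.108:22546      193.231.139.5:1034      ESTABLISHED",
    "tcp        0      0 172.16.1.108:80         10.0.0.7:40212          ESTABLISHED",
    "tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN",
    "tcp        0      0 172.16.1.108:22         213.154.137.40:2231     ESTABLISHED",
    "tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN",
]
PS_SAMPLE = [
    "  PID TTY          TIME CMD",
    "  412 ?        00:00:00 /dev/ida/.drag-on/linsniffer",
    "  413 ?        00:00:00 httpd",
    "  501 ?        00:00:00 sl2",
    "  520 ?        00:00:00 sshd",
]


@dataclass
class HideList:
    addr_prefixes: set = field(default_factory=set)  # /dev/last, type 1
    ports: set = field(default_factory=set)          # /dev/last, types 3 and 4 (assumed both ports)
    process_names: set = field(default_factory=set)  # /dev/rpm, type 3
    unknown: list = field(default_factory=list)      # (source, line) for codes we cannot interpret


def parse_hide_lists(last_text: str, rpm_text: str) -> HideList:
    """Parse both hide-lists; each line is '<type code> <value>'."""
    hl = HideList()
    for source, text in (("last", last_text), ("rpm", rpm_text)):
        for raw in text.splitlines():
            line = raw.strip()
            if not line:
                continue
            parts = line.split(None, 1)
            if len(parts) != 2:
                hl.unknown.append((source, line))
                continue
            code, value = parts
            if source == "last" and code == "1":
                hl.addr_prefixes.add(value)
            elif source == "last" and code in ("3", "4") and value.isdigit():
                hl.ports.add(int(value))
            elif source == "rpm" and code == "3":
                hl.process_names.add(value)
            else:
                hl.unknown.append((source, line))
    return hl


def _addr_hidden(addr: str, prefixes: set) -> bool:
    # Component-wise match: "193.231.139" covers 193.231.139.5 but not 193.231.1395.
    comps = addr.split(".")
    return any(comps[: len(p.split("."))] == p.split(".") for p in prefixes)


def _split_endpoint(endpoint: str):
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)  # '*' or a header word -> None


def hidden_connections(hl: HideList, netstat_lines) -> list:
    """Lines a netstat driven by this hide-list would suppress: either endpoint
    on a hidden address prefix, or either port in the hidden port set."""
    hidden = []
    for line in netstat_lines:
        f = line.split()
        if len(f) < 5:
            continue
        for endpoint in (f[3], f[4]):
            host, port = _split_endpoint(endpoint)
            if _addr_hidden(host, hl.addr_prefixes) or port in hl.ports:
                hidden.append(line)
                break
    return hidden


def hidden_processes(hl: HideList, ps_lines) -> list:
    """Lines a ps driven by /dev/rpm would suppress (exact match on the command's basename)."""
    return [l for l in ps_lines
            if l.split() and l.split()[-1].rsplit("/", 1)[-1] in hl.process_names]


if __name__ == "__main__":
    hl = parse_hide_lists(DEV_LAST, DEV_RPM)
    print("hidden prefixes:", sorted(hl.addr_prefixes))
    print("hidden ports:", sorted(hl.ports))
    print("hidden process names:", sorted(hl.process_names))
    for l in hidden_connections(hl, NETSTAT_SAMPLE):
        print("netstat would hide:", l)
    for l in hidden_processes(hl, PS_SAMPLE):
        print("ps would hide:", l)
    for entry in hl.unknown:
        print("unrecognised hide-list entry:", entry)
```

Two things the run makes visible that the listing alone does not: the rootkit's own port-53 listener (the lsattr replacement) is not in the quoted /dev/last, so the port rule as posted would not hide it from netstat; and the process rule matches names exactly, so sshdu is hidden while a genuine sshd is not. Either way, the reliable check is to compare the trojaned binaries' output against a known-good static netstat and ps rather than trust the installed ones.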