Honeynet May Challenge: Analysis Results
========================================

Copyright (C) 2001 Nick Brawn
All Rights Reserved
Email: nick@rakurai.net
May 17th, 2001

== Table of Contents:

1. Summary of findings
2. Forensic programs/utilities used
3. Finding the rootkit
4. Recovering the deleted rootkit
5. What was in the rootkit?
6. Was the rootkit installed?

== 1. Summary of findings

The rootkit downloaded to the "/" directory was called "lk.tgz". A search of
Google, the Lycos "Advanced FTP Search" engine and the Packetstorm archive did
not turn up any matches. This may indicate the rootkit used is not one that is
widely disseminated.

The rootkit was identified and recovered using programs from "The Coroner's
Toolkit" (TCT) and TCTUTILS. The rootkit recovered was also found to have been
installed on the disk image.

== 2. Forensic programs/utilities used

In the analysis of the May challenge, the following programs were used:

- TCT: http://www.fish.com/tct
- TCTUTILS: http://www.cerias.purdue.edu/homes/carrier/forensics/

The platform used to perform the analysis on was RedHat 7.0/i386.

== 3. Finding the rootkit

After downloading and unpacking the May challenge's archive, the disk image was
mounted by the following command:

# mount -o ro,noexec,loop honeynet/honeypot.hda8.dd root
# ls -alF
total 14193
drwx--S---   5 root  wheel      4096 May 17 23:50 ./
drwx--S---   3 root  wheel      4096 May 17 19:24 ../
drwxr-x---   2 nick  nick       4096 Apr 27 07:45 honeynet/
-rw-------   1 root  wheel  13491266 May 17 23:26 honeynet.tar.gz
drwxr-xr-x  18 root  root       1024 Mar 16 12:45 root/
# ls -aFi root
     2 ./        26105 etc/        38153 mnt/     22089 tmp/
278550 ../       60258 floppy/     44177 opt/     12049 usr/
 30121 bin/       8033 home/       20081 proc/    16065 var/
  4017 boot/     34137 lib/        46185 root/
 24097 dev/         11 lost+found/ 48193 sbin/

The flags used with ls show all entries ('a'), append an indicator to each
entry ('F'), and show the inode of each entry ('i').
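The listing above gives the inode of "/" (2), which is what the next step feeds to fls to walk the image's directory entries, deleted ones included. As an added example (not part of the writeup, and not TCT/TCTUTILS code), here is a small parser for fls output in the "type [*] inode: name" form shown on this page; it selects the deleted regular files and builds the matching icat recovery commands. The sample listing is constructed from the entries the writeup shows, and the names parse_fls, deleted_files, icat_commands and FlsEntry are this example's own.

```python
"""Parse fls-style directory listings and pick out the deleted entries.

Added example, not part of the original writeup. It assumes the line format
TCTUTILS' fls produced at the time, as shown on this page:

    <type> [*] <inode>: <name>

where "*" marks an entry whose directory slot has been unlinked.
"""
import re
import shlex
from dataclasses import dataclass

# Sample listing constructed from the fls output shown in the writeup.
SAMPLE_FLS_OUTPUT = """\
d 11:   lost+found
d 4017: boot
d 46185:    root
d 48193:    sbin
d 60258:    floppy
r * 23: lk.tgz
d * 2038:   last
#
"""

FLS_LINE = re.compile(
    r"^(?P<type>[a-z-])\s+(?P<deleted>\*\s+)?(?P<inode>\d+):\s+(?P<name>.+)$"
)


@dataclass(frozen=True)
class FlsEntry:
    ftype: str       # "d" directory, "r" regular file
    inode: int
    name: str
    deleted: bool


def parse_fls(text: str) -> list[FlsEntry]:
    """Turn fls output into structured entries; an unrecognised line raises.

    Only the newline is stripped, so a name with a trailing space (the
    rootkit's 'dev/ida/.. ' directory is an example) is kept intact.
    """
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":   # blank line or shell prompt
            continue
        m = FLS_LINE.match(raw)
        if not m:
            raise ValueError(f"unrecognised fls line: {raw!r}")
        entries.append(FlsEntry(
            ftype=m.group("type"),
            inode=int(m.group("inode")),
            name=m.group("name"),
            deleted=m.group("deleted") is not None,
        ))
    return entries


def deleted_files(entries: list[FlsEntry]) -> list[FlsEntry]:
    """Deleted regular files are the icat candidates; a deleted directory
    (like 'last' here) instead needs fls run again against its own inode."""
    return [e for e in entries if e.deleted and e.ftype == "r"]


def icat_commands(image: str, entries: list[FlsEntry],
                  icat: str = "/usr/local/tct/bin/icat") -> list[str]:
    """Build one 'icat <image> <inode> > <name>' line per deleted regular file,
    mirroring the recovery step in the writeup. Names are shell-quoted because
    directory entries may contain spaces or other shell metacharacters."""
    return [
        f"{icat} {shlex.quote(image)} {e.inode} > {shlex.quote(e.name)}"
        for e in deleted_files(entries)
    ]


if __name__ == "__main__":
    parsed = parse_fls(SAMPLE_FLS_OUTPUT)
    for cmd in icat_commands("honeynet/honeypot.hda8.dd", parsed):
        print(cmd)
```

Run as a script it prints the single icat line the writeup uses for inode 23; the deleted "last" directory is deliberately left out, since icat on a directory inode yields directory blocks rather than a file.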
# /usr/local/tctutils/bin/fls honeynet/honeypot.hda8.dd 2
d 11:       lost+found
d 4017:     boot
d 8033:     home
d 12049:    usr
d 16065:    var
d 20081:    proc
d 22089:    tmp
d 24097:    dev
d 26105:    etc
d 30121:    bin
d 34137:    lib
d 38153:    mnt
d 44177:    opt
d 46185:    root
d 48193:    sbin
d 60258:    floppy
r * 23:     lk.tgz
d * 2038:   last
#

The arguments supplied to the fls command were the image name and the inode of
the "/" directory. "fls" is a program from TCTUTILS. The output above displays
the type of each file entry ("d" directory, "r" regular), the inode number, and
the name. In the case of "lk.tgz" and "last", an asterisk "*" is shown,
indicating that both have been deleted.

It appears that the rootkit has been found: lk.tgz. However, it is listed as
having been deleted. Was it possible to recover the file?

== 4. Recovering the deleted rootkit

A few of the utilities from both TCT and TCTUTILS (primarily the unrm and
lazarus utilities from TCT) were used to try to recover the file.

NOTE: When unrm and lazarus were tried, they only managed to retrieve a
truncated copy of what was assumed to be the lk.tgz file. Using gzip with the
-dc option enabled the retrieval of some of the content. It was thought that
the problem might lie with the blocksize used with the lazarus command. This
wasn't confirmed, as the next utility was found to perform the task without
needing any extra configuration.

The icat utility (from TCT) was found to be the best tool (in this instance) to
recover the file. It copies files by inode number:

# /usr/local/tct/bin/icat honeynet/honeypot.hda8.dd 23 > lk.tgz

The supplied arguments were the image name and the inode of the deleted file.
The output is the recovered file (compressed data in this case), so it was
redirected into a file.

== 5. What was in the rootkit?
# ls -l lk.tgz
-rw-------   1 root  wheel  520333 May 18 00:16 lk.tgz
# tar zxvf lk.tgz
last/
tar: Archive contains future timestamp 2002-02-09 00:08:13
last/ssh
last/pidfile
last/install
last/linsniffer
last/cleaner
last/inetd.conf
last/lsattr
last/services
last/sense
last/ssh_config
last/ssh_host_key
last/ssh_host_key.pub
last/ssh_random_seed
last/sshd_config
last/sl2
last/last.cgi
last/ps
last/netstat
last/ifconfig
last/top
last/logclear
last/s
last/mkxfs

== 6. Was the rootkit installed on the system?

A list was made of all the files modified or created by the rootkit's
installation. In the case of modified files (such as ifconfig), MD5 checksums
were compared, whereas the existence of files and directories unique to the
installation of the rootkit was deemed sufficient evidence the rootkit had been
installed.

NOTE: This list does not include files copied to filesystems other than "/".

This list is shown below:

sbin/ifconfig
bin/netstat
bin/ps
dev/rpm
dev/last
dev/ida/.drag-on
dev/ida/.drag-on/linsniffer
dev/ida/.drag-on/logclear
dev/ida/.drag-on/sense
dev/ida/.drag-on/sl2
dev/ida/.drag-on/mkxfs
dev/ida/.drag-on/s
dev/ida/.drag-on/ssh_host_key
dev/ida/.drag-on/ssh_random_seed
dev/ida/.drag-on/tcp.log
dev/ida/..\ /
dev/ida/..\ /linsniffer
dev/ida/..\ /logclear
dev/ida/..\ /sense
dev/ida/..\ /sl2
dev/ida/..\ /mkxfs
dev/ida/..\ /s
dev/ida/..\ /ssh_host_key
dev/ida/..\ /ssh_random_seed
dev/ida/..\ /tcp.log
etc/inetd.conf
etc/services

# cat ../install.list | xargs ls -ldct
-rw-r--r--   1 root  root     138 Mar 17 03:28 dev/ida/.drag-on/tcp.log
-rw-------   1 root  root     512 Mar 17 01:45 dev/ida/.drag-on/ssh_random_seed
drwxr-xr-x   2 root  root    1024 Mar 16 12:45 dev/ida/.. /
-rwxr-xr-x   1 root  root  632066 Mar 16 12:45 dev/ida/.. /mkxfs
-rw-r--r--   1 root  root     708 Mar 16 12:45 dev/ida/.. /s
-rw-------   1 root  root     540 Mar 16 12:45 dev/ida/.. /ssh_host_key
-rw-------   1 root  root     512 Mar 16 12:45 dev/ida/.. /ssh_random_seed
-rw-r--r--   1 root  root       0 Mar 16 12:45 dev/ida/.. /tcp.log
drwxr-xr-x   2 root  root    1024 Mar 16 12:45 dev/ida/.drag-on
-rw-r--r--   1 root  root    3278 Mar 16 12:45 etc/inetd.conf
-rw-r--r--   1 root  root   11407 Mar 16 12:45 etc/services
-rwxr-xr-x   1 root  root   35300 Mar 16 12:45 bin/netstat
-rwxr-xr-x   1 root  root   33280 Mar 16 12:45 bin/ps
-rwx------   1 root  root    7165 Mar 16 12:45 dev/ida/.. /linsniffer
-rwx------   1 root  root      75 Mar 16 12:45 dev/ida/.. /logclear
-rwxr-xr-x   1 root  root    4060 Mar 16 12:45 dev/ida/.. /sense
-rwx------   1 root  root    8268 Mar 16 12:45 dev/ida/.. /sl2
-rwx------   1 root  root    7165 Mar 16 12:45 dev/ida/.drag-on/linsniffer
-rwx------   1 root  root      75 Mar 16 12:45 dev/ida/.drag-on/logclear
-rwxr-xr-x   1 root  root  632066 Mar 16 12:45 dev/ida/.drag-on/mkxfs
-rw-r--r--   1 root  root     708 Mar 16 12:45 dev/ida/.drag-on/s
-rwxr-xr-x   1 root  root    4060 Mar 16 12:45 dev/ida/.drag-on/sense
-rwx------   1 root  root    8268 Mar 16 12:45 dev/ida/.drag-on/sl2
-rw-------   1 root  root     540 Mar 16 12:45 dev/ida/.drag-on/ssh_host_key
-rw-r--r--   1 root  root      87 Mar 16 12:45 dev/last
-rw-r--r--   1 root  root      71 Mar 16 12:45 dev/rpm
-rwxr-xr-x   1 root  root   19840 Mar 16 12:45 sbin/ifconfig
#

NOTE: Without the use of the -c flag with ls(1), the rootkit's ifconfig,
netstat and ps binaries (which were moved to their location) indicate a date
of February 27th (dependent on TZ). This is due to mv(1) preserving the mtime.
The output from comparing MD5 checksums is below:

# pwd
/usr/local/forensics/challenge/may/root
# cat ../modified.list | xargs md5sum
086394958255553f6f38684dad97869e  ../last/ifconfig
086394958255553f6f38684dad97869e  sbin/ifconfig
2b07576213c1c8b942451459b3dc4903  ../last/netstat
2b07576213c1c8b942451459b3dc4903  bin/netstat
7728c15d89f27e376950f96a7510bf0f  ../last/ps
7728c15d89f27e376950f96a7510bf0f  bin/ps
6c0f96c1e43a23a21264f924ae732273  ../last/linsniffer
6c0f96c1e43a23a21264f924ae732273  dev/ida/.drag-on/linsniffer
5f22ceb87631fbcbf32e59234feeaa5b  ../last/logclear
5f22ceb87631fbcbf32e59234feeaa5b  dev/ida/.drag-on/logclear
464dc23cac477c43418eb8d3ef087065  ../last/sense
464dc23cac477c43418eb8d3ef087065  dev/ida/.drag-on/sense
4cfae8c44a6d1ede669d41fc320c7325  ../last/sl2
4cfae8c44a6d1ede669d41fc320c7325  dev/ida/.drag-on/sl2
18a2d7d3178f321b881e7c493af72996  ../last/mkxfs
18a2d7d3178f321b881e7c493af72996  dev/ida/.drag-on/mkxfs
06d04fa3c4941b398756d029de75770e  ../last/s
06d04fa3c4941b398756d029de75770e  dev/ida/.drag-on/s
c2c1b08498ed71a908c581d634832672  ../last/ssh_host_key
c2c1b08498ed71a908c581d634832672  dev/ida/.drag-on/ssh_host_key
ad265d3c07dea3151bacb6930e0b72d3  ../last/ssh_random_seed
97df00e63da3efd62fac4f84802370f0  dev/ida/.drag-on/ssh_random_seed
6c0f96c1e43a23a21264f924ae732273  ../last/linsniffer
6c0f96c1e43a23a21264f924ae732273  dev/ida/.. /linsniffer
5f22ceb87631fbcbf32e59234feeaa5b  ../last/logclear
5f22ceb87631fbcbf32e59234feeaa5b  dev/ida/.. /logclear
464dc23cac477c43418eb8d3ef087065  ../last/sense
464dc23cac477c43418eb8d3ef087065  dev/ida/.. /sense
4cfae8c44a6d1ede669d41fc320c7325  ../last/sl2
4cfae8c44a6d1ede669d41fc320c7325  dev/ida/.. /sl2
18a2d7d3178f321b881e7c493af72996  ../last/mkxfs
18a2d7d3178f321b881e7c493af72996  dev/ida/.. /mkxfs
06d04fa3c4941b398756d029de75770e  ../last/s
06d04fa3c4941b398756d029de75770e  dev/ida/.. /s
c2c1b08498ed71a908c581d634832672  ../last/ssh_host_key
c2c1b08498ed71a908c581d634832672  dev/ida/.. /ssh_host_key
ad265d3c07dea3151bacb6930e0b72d3  ../last/ssh_random_seed
ad265d3c07dea3151bacb6930e0b72d3  dev/ida/.. /ssh_random_seed
b63485e42035328c0d900a71ff2e6bd7  ../last/inetd.conf
b63485e42035328c0d900a71ff2e6bd7  etc/inetd.conf
54e41f035e026f439d4188759b210f07  ../last/services
54e41f035e026f439d4188759b210f07  etc/services
#

From the information above, it can safely be stated that the rootkit was
installed.
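The two checks in section 6, comparing each archive member's MD5 against the file at its install location and reading ctime rather than mtime because mv(1) preserves the latter, can be scripted so the comparison is repeatable and files that are present but have since changed (as the .drag-on copy of ssh_random_seed has above) are classified separately instead of read as "not installed". The following is an added example written for this page, not code from the writeup or from TCT; INSTALL_MAP, compare_install, build_fixture and run_demo are its own names, and the archive contents and image tree it builds are constructed in a temporary directory to stand in for ../last and the mounted image.

```python
"""Check whether members of a recovered rootkit archive are present on a
mounted image, by MD5, and report ctime alongside mtime for each hit.

Added example, not part of the original writeup. The file contents and the
image tree are constructed; the member-to-location mapping mirrors the
writeup's modified.list for a handful of files.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Where the writeup found each archive member installed (relative to "/").
INSTALL_MAP = {
    "ifconfig": "sbin/ifconfig",
    "netstat": "bin/netstat",
    "ps": "bin/ps",
    "linsniffer": "dev/ida/.drag-on/linsniffer",
    "ssh_random_seed": "dev/ida/.drag-on/ssh_random_seed",
    "inetd.conf": "etc/inetd.conf",
}


def md5_of(path: Path) -> str:
    """Hex MD5 of a file, read in chunks (the binaries can be large)."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_install(archive_dir: Path, image_root: Path,
                    install_map: dict = INSTALL_MAP) -> dict:
    """Classify the file at each install location as 'match' (identical MD5),
    'modified' (present but different, e.g. a seed rewritten by the installed
    sshd) or 'missing'. mtime and ctime are returned as epoch seconds so the
    caller can see when mtime has been carried over from the attacker's build
    while ctime still records the install."""
    report = {}
    for member, rel in install_map.items():
        target = image_root / rel
        if not target.exists():
            report[rel] = {"status": "missing"}
            continue
        st = target.stat()
        status = "match" if md5_of(archive_dir / member) == md5_of(target) else "modified"
        report[rel] = {"status": status,
                       "mtime": int(st.st_mtime), "ctime": int(st.st_ctime)}
    return report


def build_fixture(base: Path) -> tuple[Path, Path]:
    """Constructed data: an unpacked archive ('last') and a fake image tree
    ('root') where most members were installed with a same-filesystem move,
    one was rewritten after install and one was never installed."""
    archive, image, staging = base / "last", base / "root", base / "staging"
    archive.mkdir()
    staging.mkdir()
    for member in INSTALL_MAP:
        (archive / member).write_bytes(f"trojaned {member}\n".encode())
    old = time.time() - 30 * 86400          # build date well before the install
    for member, rel in INSTALL_MAP.items():
        if member == "ps":
            continue                        # never installed in this fixture
        src = staging / member
        src.write_bytes((archive / member).read_bytes())
        os.utime(src, (old, old))           # the attacker's mtime
        dst = image / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        os.rename(src, dst)                 # like mv: data and mtime kept, ctime updated
    # Rewritten after install, as the .drag-on seed file was on the image.
    (image / INSTALL_MAP["ssh_random_seed"]).write_bytes(b"regenerated seed\n")
    return archive, image


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        archive, image = build_fixture(Path(tmp))
        return compare_install(archive, image)


if __name__ == "__main__":
    for rel, info in run_demo().items():
        times = "" if info["status"] == "missing" else \
            f"  mtime={info['mtime']} ctime={info['ctime']}"
        print(f"{info['status']:8} {rel}{times}")
```

In the output, the moved binaries report an mtime about a month older than their ctime, which is the same effect the writeup's NOTE describes for ifconfig, netstat and ps; ctime cannot be set with utime(2), so it is the timestamp to sort on (ls -c) when dating the install.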