From ken@epenguin.com Thu May 24 13:18:12 2001
Date: Thu, 24 May 2001 09:26:26 -0700
From: Kenneth Zhao
To: project@honeynet.org
Subject: Submission

Hello,

The following is my first submission for the scan of the month challenge.
I have been reading the past submissions and really enjoyed them.

Thanks for this platform that I can put forward my analysis.

Best Regards,

Kenneth Zhao
ken@epenguin.com

==========================================================================
1. Show step by step how you identify and recover the deleted rootkit from
   the / partition.
==========================================================================

[I will use my debian/woody i386 linux box to conduct the analysis]

(1)  First download the compressed image.

(2)  Upon unpacking the gzipped tarball, there are two files
     - honeypot.hda8.dd
     - README

     The first one is the image of the root partition for the compromised
     system. The accompanying README file shows the partition structure
     for the system. One can verify its validity against the fstab file
     in this image.

     Run the 'file' command on the image file. It shows that it is an
     'ext2' filesystem image.

(3)  Login as root. In the same directory as the image file, create a
     local directory "./mnt". Use the following command to mount the
     image over "./mnt":

       mount -t ext2 -o loop ./honeypot.hda8.dd ./mnt

(4)  Check the ./mnt/etc/passwd file. It shows that root has the home
     directory /root. Change our working directory to './mnt/root'.
     Examine the .bash_history file. Someone did come in as root. In
     addition, the person started an FTP session with ftp.home.ro.
     Later he/she built the EnergyMech IRC bot (version 2.8) and started
     the bot. After that, he/she made modifications to /etc/ftpaccess on
     the machine and exited.

     This part doesn't provide any meaningful info about the rootkit.

(5)  We then ran the following command:

       find ./mnt -type d -print

     This generates a list of the directories on the mounted partition.

     Upon examining the list, the entry './mnt/dev/ida/.drag-on' caught
     my attention. Let's check it out!

(6)  Running 'ls -la' over the directory shows the following:

     total 660
     drwxr-xr-x    2 root     root         1024 Mar 16 09:45 .
     drwxrwxr-x    4 root     root        12288 Mar 16 09:45 ..
     -rwx------    1 root     root         7165 Mar 16 09:45 linsniffer
     -rwx------    1 root     root           75 Mar 16 09:45 logclear
     -rwxr-xr-x    1 root     root       632066 Mar 16 09:45 mkxfs
     -rw-r--r--    1 root     root          708 Mar 16 09:45 s
     -rwxr-xr-x    1 root     root         4060 Mar 16 09:45 sense
     -rwx------    1 root     root         8268 Mar 16 09:45 sl2
     -rw-------    1 root     root          540 Mar 16 09:45 ssh_host_key
     -rw-------    1 root     root          512 Mar 16 22:45 ssh_random_seed
     -rw-r--r--    1 root     root          138 Mar 17 00:28 tcp.log

     Now it's interesting!

(7)  Let's see what these are:

     # file *
     linsniffer:      ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
     logclear:        ASCII text
     mkxfs:           ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
     s:               ASCII text
     sense:           perl script text executable
     sl2:             ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
     ssh_host_key:    data
     ssh_random_seed: data
     tcp.log:         ASCII text

(8)  This 'mkxfs' smells bad. Run 'strings mkxfs' over it.
     It's an SSH-based backdoor.

(9)  Now go back to the root of the mounted image. Let's see if there
     is another copy of this 'mkxfs'. Surely,

       find . -name mkxfs -print

     reveals that another copy is at './dev/ida/.. /mkxfs'

(10) Running 'ls -la' over directory './dev/ida/.. /' shows:

     total 659
     drwxr-xr-x    2 root     root         1024 Mar 16 09:45 .
     drwxrwxr-x    4 root     root        12288 Mar 16 09:45 ..
     -rwx------    1 root     root         7165 Mar 16 09:45 linsniffer
     -rwx------    1 root     root           75 Mar 16 09:45 logclear
     -rwxr-xr-x    1 root     root       632066 Mar 16 09:45 mkxfs
     -rw-r--r--    1 root     root          708 Mar 16 09:45 s
     -rwxr-xr-x    1 root     root         4060 Mar 16 09:45 sense
     -rwx------    1 root     root         8268 Mar 16 09:45 sl2
     -rw-------    1 root     root          540 Mar 16 09:45 ssh_host_key
     -rw-------    1 root     root          512 Mar 16 09:45 ssh_random_seed
     -rw-r--r--    1 root     root            0 Mar 16 09:45 tcp.log

     From the time stamps, it looks like the original copy is kept in
     './dev/ida/.. ' and a copy was made to './dev/ida/.drag-on' and run
     from there later.

============================================================================
2. What files make up the deleted rootkit?
============================================================================

The rootkit contains the following files:

linsniffer
    This is the sniffer (version 0.03 [BETA]) from Mike Edulla
    (medulla@infosoc.com). You can find its source code at packetstorm.

logclear
    A shell script used to kill the current sniffer process, clean up the
    log and restart the sniffing process.

mkxfs
    An SSH-based backdoor.

s
    sshd configuration text file. The file specifies that it should
    listen for all incoming requests, with the host key at
    /dev/ida/.drag-on/ssh_host_key and the random seed at
    /dev/ida/.drag-on/ssh_random_seed. Further, it specifies that the
    ssh daemon pid file should be located at /dev/ida/.inet/pid.
    However, we failed to find that directory. This configuration also
    instructs the sshd to allow empty passwords.

sense
    A perl script used to parse and sort the sniffer log.

sl2
    Not very clear about this. It may be some kind of transmitting agent.

ssh_host_key
    The host key for the sshd daemon. It was for the host
    dil2.datainfosys.net, which is owned by Data Infosys Ltd of India.

ssh_random_seed
    SSH daemon random seed file.

tcp.log
    Log file from the sniffer.

============================================================================
Bonus Question: Was the rootkit ever actually installed on the system?
How do you know?
============================================================================

Yes, the rootkit was installed. Comparing the file modification timestamps
and the sizes of the files in both the './dev/ida/.. /' and
'./dev/ida/.drag-on' directories, one notices that

  (1) the random seed file got updated; and
  (2) the log file 'tcp.log' shows that the sniffer was activated.
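The comparison behind the bonus answer, as an added example that is not part of Kenneth Zhao's submission: a POSIX sh script that rebuilds the two rootkit directories as constructed sample data (zero-filled files with the sizes and modification times taken from the two 'ls -la' listings above) and then reports every entry whose size or mtime differs between the original '.. ' directory and the '.drag-on' working copy. The function names, the orig/copy layout and the file contents are assumptions; only the sizes and timestamps come from the listings.

```shell
#!/bin/sh
# Added example, not from the submission. Compares two directories entry by
# entry on size and modification time, which is exactly the check used to
# decide whether the copied rootkit was ever run.

# compare_dirs ORIG COPY
# Prints "MISSING name" for files absent from COPY and "CHANGED name ..." for
# files whose size or mtime differs. Silent when the directories match.
compare_dirs() {
    orig=$1; copy=$2
    for f in "$orig"/* "$orig"/.[!.]*; do
        [ -e "$f" ] || continue            # unmatched glob pattern
        name=${f##*/}
        if [ ! -e "$copy/$name" ]; then
            printf 'MISSING %s\n' "$name"
            continue
        fi
        s1=$(wc -c < "$f" | tr -d ' ')
        s2=$(wc -c < "$copy/$name" | tr -d ' ')
        status=
        if [ "$s1" != "$s2" ]; then
            status="size $s1->$s2"
        fi
        # -nt / -ot compare mtimes portably without GNU stat.
        if [ "$copy/$name" -nt "$f" ]; then
            status="${status:+$status }mtime:copy-newer"
        elif [ "$copy/$name" -ot "$f" ]; then
            status="${status:+$status }mtime:copy-older"
        fi
        if [ -n "$status" ]; then
            printf 'CHANGED %s %s\n' "$name" "$status"
        fi
    done
    return 0
}

# make_sample ROOT
# Constructed stand-in for the two listings: ROOT/orig mirrors './dev/ida/.. '
# and ROOT/copy mirrors './dev/ida/.drag-on'. Sizes and times are the ones
# shown in the listings; contents are zero-filled (assumption).
make_sample() {
    root=$1
    mkdir -p "$root/orig" "$root/copy"
    for d in orig copy; do
        for spec in linsniffer:7165 logclear:75 mkxfs:632066 s:708 \
                    sense:4060 sl2:8268 ssh_host_key:540 ssh_random_seed:512; do
            name=${spec%%:*}; size=${spec##*:}
            head -c "$size" /dev/zero > "$root/$d/$name"
            touch -t 200103160945 "$root/$d/$name"      # Mar 16 09:45
        done
    done
    # Original: empty log, seed untouched. Copy: seed rewritten at 22:45,
    # log grew to 138 bytes by Mar 17 00:28, i.e. the sniffer ran.
    : > "$root/orig/tcp.log"
    touch -t 200103160945 "$root/orig/tcp.log"
    head -c 138 /dev/zero > "$root/copy/tcp.log"
    touch -t 200103170028 "$root/copy/tcp.log"
    touch -t 200103162245 "$root/copy/ssh_random_seed"
}

# Demo on the constructed data; set SCAN15_DEMO=1 to run it.
if [ "${SCAN15_DEMO:-0}" = 1 ]; then
    demo=$(mktemp -d)
    make_sample "$demo"
    compare_dirs "$demo/orig" "$demo/copy"
    rm -rf "$demo"
fi
```

On the real image the same function would be called as `compare_dirs "./mnt/dev/ida/.. " ./mnt/dev/ida/.drag-on`; the quotes matter because the hidden directory's name ends in a space. Mount the image with `-o ro,loop,noexec,nodev,nosuid` rather than plain `-o loop` before running any comparison, so that atime and mtime evidence is not altered by the analysis and nothing under the mount point (mkxfs, sl2, logclear) can be executed by accident.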