From bhallakapil@yahoo.com Tue May 22 22:36:47 2001
Date: Thu, 3 May 2001 11:32:35 +0530
From: Kapil Bhalla
To: challenge@honeynet.org
Subject: May Challenge

Recovering Deleted RootKit

1. Show step by step how you identify and recover the deleted rootkit from the / partition.

For recovering deleted files the tool used is debugfs [from the Ext2-Undeletion-HOWTO].

Steps:

  $ mkdir $HOME/analysis

Getting the list of deleted inodes from the file system:

  $ echo lsdel | debugfs honeypot.hda8.dd > $HOME/analysis/lsdel.out

For getting the deleted inode numbers only:

  $ cut -c1-6 $HOME/analysis/lsdel.out | grep "[0-9]" | tr -d " " > $HOME/analysis/inodes

debugfs can take a list of commands from a file. "dump <inode> filename" dumps the contents of the inode to a file, so one dump command is generated per deleted inode:

  $ i=0
  $ while read line; do echo "dump <$line> $HOME/analysis/reco.$i" \
      >> $HOME/analysis/getit; i=$((i + 1)); done < $HOME/analysis/inodes

The following command will write the contents of the inodes into the $HOME/analysis directory:

  $ debugfs -f $HOME/analysis/getit honeypot.hda8.dd

For finding the file types:

  $ for i in $HOME/analysis/reco*; do file $i; done

reco.12 is gzip compressed data, which is the rootkit.

2. What files make up the deleted rootkit?
Contents of the rootkit:

  $ tar ztvvf reco.12
  drwxr-xr-x 1031/users      0 2001-02-27 02:10:30 last/
  tar: Archive contains future timestamp 2002-02-08 18:38:13
  -rwxr-xr-x 1031/users 611931 2002-02-08 18:38:13 last/ssh
  -rw-r--r-- 1031/users      1 2001-02-26 20:59:58 last/pidfile
  -rwx------ 1031/users   3713 2001-03-03 08:38:37 last/install
  -rwx------ 1031/users   7165 2001-02-26 20:52:50 last/linsniffer
  -rwxr-xr-x 1031/users   1345 1999-09-09 21:27:11 last/cleaner
  -rw-r--r-- 1031/users   3278 2001-01-27 20:41:32 last/inetd.conf
  -rwxr-xr-x 1031/users     79 2001-02-26 20:58:40 last/lsattr
  -rw-r--r-- 1031/users  11407 2001-01-27 20:41:44 last/services
  -rwxr-xr-x 1031/users   4060 2001-02-26 20:52:55 last/sense
  -rw-r--r-- 1031/users    880 2000-10-23 00:59:44 last/ssh_config
  -rw------- 1031/users    540 2000-10-23 00:59:44 last/ssh_host_key
  -rw-r--r-- 1031/users    344 2000-10-23 00:59:44 last/ssh_host_key.pub
  -rw------- 1031/users    512 2000-10-23 00:59:44 last/ssh_random_seed
  -rw-r--r-- 1031/users    688 2001-02-26 20:59:51 last/sshd_config
  -rwx------ 1031/users   8268 2001-02-26 20:52:59 last/sl2
  -rwxr-xr-x 1031/users   4620 2001-02-26 20:53:10 last/last.cgi
  -rwxr-xr-x 1031/users  33280 2001-02-26 20:53:33 last/ps
  -rwxr-xr-x 1031/users  35300 2001-02-26 20:53:42 last/netstat
  -rwxr-xr-x 1031/users  19840 2001-02-26 20:53:47 last/ifconfig
  -rwxr-xr-x 1031/users  53588 2001-02-26 20:53:55 last/top
  -rwx------ 1031/users     75 2001-02-26 20:54:03 last/logclear
  -rw-r--r-- root/root     708 2001-03-03 08:35:12 last/s
  -rwxr-xr-x 1031/users 632066 2001-02-26 20:16:04 last/mkxfs

Bonus Question:

3. Was the rootkit ever actually installed on the system? How do you know?

Yes. Evidence: install is the shell script which is executed.

1. The following files from the rootkit are present on the hard disk:
   /sbin/ifconfig
   /bin/netstat
   /bin/ps
   /etc/inetd.conf
   /etc/services

2. The install script creates the following files, which are present:
   /dev/rpm
   /dev/last

3. It creates the following directories to hide the contents of the rootkit:
   /dev/ida/.drag-on
   "/dev/ida/.. "

4. It has appended the following line to /etc/rc.d/rc.sysinit:
   /usr/bin/lsattr -t1 -X53 -p
   followed by a blank line.

Files in /usr and /home cannot be retrieved as they are mounted on different partitions.

--
Kapil Bhalla (bhallakapil@yahoo.com)
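The recovery pipeline from answer 1, automated as an added example (not part of Kapil's submission). It assumes the debugfs lsdel output layout shown in the constructed sample, and it replaces the cut/grep inode extraction with an awk filter that skips the header and the trailing "N deleted inodes found." line, which the original pipeline would turn into a bogus dump command.

```sh
#!/bin/sh
# Added example (not from the original submission): the debugfs recovery
# pipeline from answer 1 with robust inode extraction. Assumes the lsdel
# layout: a header line, one row per inode whose fifth field is "<blocks>/",
# and a trailing "N deleted inodes found." line.

# Constructed sample of lsdel output; these inode numbers are not the honeypot's.
SAMPLE_LSDEL=' Inode  Owner  Mode    Size      Blocks   Time deleted
    17      0 100644     163     1/    1 Sun Mar  4 11:36:18 2001
  2049      0 100755    4060     1/    1 Sun Mar  4 11:36:20 2001
 30247   1031 100644  520333   509/  509 Sun Mar  4 11:37:02 2001
3 deleted inodes found.'

# Print only inode numbers. Unlike "cut -c1-6 | grep [0-9]", this ignores the
# header, the "N deleted inodes found." trailer and inodes wider than 6 digits.
parse_lsdel_inodes() {
    awk '$1 ~ /^[0-9]+$/ && index($5, "/") { print $1 }'
}

# Turn inode numbers (one per line on stdin) into a debugfs command file:
# "dump <inode> outdir/reco.N", N counting from 0 as in the write-up.
make_dump_script() {
    outdir=$1
    n=0
    while read -r ino; do
        printf 'dump <%s> %s/reco.%s\n' "$ino" "$outdir" "$n"
        n=$((n + 1))
    done
}

# End-to-end recovery from an ext2 image; needs debugfs and file(1) installed.
# Usage: recover_deleted honeypot.hda8.dd "$HOME/analysis"
recover_deleted() {
    image=$1
    outdir=$2
    mkdir -p "$outdir"
    echo lsdel | debugfs "$image" 2>/dev/null > "$outdir/lsdel.out"
    parse_lsdel_inodes < "$outdir/lsdel.out" \
        | make_dump_script "$outdir" > "$outdir/getit"
    debugfs -f "$outdir/getit" "$image" > /dev/null 2>&1
    # Identify what came back; gzip data is the candidate rootkit tarball.
    for f in "$outdir"/reco.*; do
        [ -e "$f" ] && file "$f"
    done
}
```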