From pingouin@igloo.intranet.kin-aix.com Tue May 22 22:38:52 2001
Date: Fri, 11 May 2001 02:40:32 +0200
From: pingouin@igloo.intranet.kin-aix.com
To: project@honeynet.org
Subject: Submission for the scan of the month (May)

[ Header ]
Author : Marechal Simon
Date : 9/05/2001

[ Text ]

1. Show step by step how you identify and recover the deleted rootkit from the / partition.

* Rootkit installer discovery *

1st step : I run lazarus (from the TCT) on the disk image.
2nd step : I run sort_lazarus.sh (I wrote that one; it sorts lazarus files with the 'file' utility, still some bugs, www.banquise.net/utility/sort_lazarus.sh ).
3rd step : I look into the shell script directories, that's where rootkit install scripts are hidden.
4th step : I find the winner, 9086.p.txt ! (Actually there seem to be a few occurrences of that file.)
5th step : I tried to write a program that looks for gzipped files on the binary image, and only found that gzip file with the file last/ssh (308.z.txt). It seems to be our rootkit archive.

2. What files make up the deleted rootkit?

Looking in the installer script, and the sauber script, it looks like there are those files :

Trojanned binaries :
ifconfig
netstat
ps
top
mkxfs
lsattr (runs the whole thing)

Scripts :
sauber script (9097.t.txt)
rootkit installer (308.z.txt)

Files installed in /dev/ida/.drag-on and "/dev/ida/.drag-on/.. " :
linsniffer
logclear
sense
sl2
mkxfs
s
ssh_host_key
ssh_random_seed

Misc :
inetd.conf
services
last.cgi

* How do I know what the rootkit is? *

I'm afraid I have no idea, it seems all the rootkits have almost the same files, and kiddies like to put their names instead of the real author's name. That rootkit cleans the logs, hides itself and runs a custom ssh daemon (listening on port 1 I guess) at startup with lsattr.

3. Was the rootkit ever actually installed on the system? How do you know?

We know the system is redhat 6.2. md5sum on the could-be-trojanned files shows they don't match.
Using strings on them shows weird things like ifconfig version : 1.22 (1996-05-09), that's quite a long time before 6.2 was released. In the /dev/ida directory we find the .drag-on and '.. ' directories. It's pretty sure that the rootkit was installed successfully.

4. Additional notes

The installer script should have created a computer temporary file. However, by grepping the output of strings on the partition image, it looks like it's unrecoverable. However, the two emails sent are still on the disk (90418.m.txt - a cleaned up version is included with this post). The blackhat might be the owner of the mail accounts last@linuxmail.org and bidi_damm@yahoo.com (if he's l33t enough to edit that script :) !!). We can notice that the uptime shows 0 users, that could mean that the black hat is hidden or that the script was launched while no one was logged in. This is likely and would explain why the script sends mails. My guess is that this rootkit was launched by an auto-rooter, probably exploiting an rpc vulnerability.

[ Infos ]
Time spent : 5 hours, mostly spent by lazarus.
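Step 5 of the submission describes a program that searches the raw partition image for gzipped files. The following is an added example, not the submitter's program: it carves gzip members out of an image by locating the gzip magic bytes, inflating from each hit, keeping only candidates whose trailer verifies, and reading the FNAME header (how a name such as "ssh" survives deletion). The image it scans is constructed inline as a stand-in for the honeypot's partition image.

```python
import gzip
import io
import random
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2 and CM=8 (deflate): start of every gzip member

def gzip_member_name(data, offset):
    """Return the FNAME field of the gzip member at offset, or None if absent."""
    flags = data[offset + 3]
    pos = offset + 10  # fixed header: magic(2) cm(1) flg(1) mtime(4) xfl(1) os(1)
    if flags & 0x04:   # FEXTRA: 2-byte little-endian length, then that many bytes
        pos += 2 + int.from_bytes(data[pos:pos + 2], "little")
    if flags & 0x08:   # FNAME: zero-terminated original file name
        end = data.index(b"\x00", pos)
        return data[pos:end].decode("latin-1")
    return None

def carve_gzip(image):
    """Scan a raw image for gzip members; return [(offset, name, inflated_bytes), ...]
    for candidates whose CRC32/ISIZE trailer checks out. Chance magic hits are skipped."""
    found = []
    view = memoryview(image)
    pos = image.find(GZIP_MAGIC)
    while pos != -1:
        step = 1
        d = zlib.decompressobj(wbits=31)  # 31 = require a gzip wrapper
        try:
            out = d.decompress(view[pos:])
            if d.eof:  # clean end of member: zlib verified CRC32 and length
                found.append((pos, gzip_member_name(image, pos), out))
                step = len(image) - pos - len(d.unused_data)  # jump past the member
        except zlib.error:
            pass  # false positive: magic bytes inside unrelated data
        pos = image.find(GZIP_MAGIC, pos + max(step, 1))
    return found

def build_sample_image():
    """Constructed stand-in for the partition image: pseudo-random filler, one stray
    magic sequence with invalid flag bits, then a real gzip member named 'ssh'."""
    rng = random.Random(1)
    filler = bytes(rng.getrandbits(8) for _ in range(4096)).replace(GZIP_MAGIC, b"\0\0\0")
    buf = io.BytesIO()
    with gzip.GzipFile(filename="ssh", mode="wb", fileobj=buf, mtime=0) as gz:
        gz.write(b"#!/bin/sh\n# constructed stand-in for the rootkit archive\n")
    return filler + GZIP_MAGIC + b"\xff" * 16 + filler[:512] + buf.getvalue() + filler[:256]

if __name__ == "__main__":
    for offset, name, data in carve_gzip(build_sample_image()):
        print(f"gzip member at offset {offset}, FNAME={name!r}, {len(data)} bytes inflated")
```

On a real image, pass the file contents (or an mmap of it) to carve_gzip and write each inflated result out with its offset in the name so it can be matched against the lazarus output.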