From cursor@cas.zaz.com.br Tue May 22 22:38:58 2001
Date: Fri, 11 May 2001 09:50:56 -0300
From: Fernando Amatte
To: project@honeynet.org
Subject: Scan of the Month

---------------------------------------------------------------------
The Challenge
---------------------------------------------------------------------

On 15 March 2001, a Linux honeypot was successfully compromised, a rootkit
was downloaded to the / partition and then deleted from the system. Your
mission is to find and recover the deleted rootkit. If you are not sure
where to begin on conducting this forensic analysis and recovering the
rootkit, we highly recommend you start with the Forensic Challenge. The
steps you will have to follow for the rootkit recovery are similar to the
steps discussed there. We have posted only the / partition for download to
keep this challenge simple. The compressed image (honeynet.tar.gz) is 13 MB,
MD5=0dff8fb9fe022ea80d8f1a4e4ae33e21. Once you have downloaded, untarred,
and unzipped the partition image, it will be 255 MB and the checksum should
be MD5=5a8ebf5725b15e563c825be85f2f852e.

# First I installed TCT and TCTutils and created two directories:
#   /tmp/recover
#   /tmp/rootkit

------------------------------------------------------------------------------------------
1. Show step by step how you identify and recover the deleted rootkit from the / partition.
------------------------------------------------------------------------------------------

[root@localhost bin]# ./fls -dr /honeynet/honeypot.hda8.dd 2
r * 22103:      /tmp/ccypSy1G.c
r * 22104:      /tmp/ccM1STTd.o
r * 22105:      /tmp/ccsQgrMK.ld
r * 22106:      /tmp/ccbbVj4g.c
r * 22107:      /tmp/ccSZCa5n.o
r * 22108:      /tmp/ccRD854u.ld
r * 38330:      /etc/X11/fs/config-
r * 4060:       /etc/rc.d/rc0.d/K83ypbind
d * 8097:       /etc/rc.d/rc1.d/K83ypbind
l * 12107:      /etc/rc.d/rc2.d/K83ypbind
r * 16132:      /etc/rc.d/rc3.d/K83ypbind
l * 20883:      /etc/rc.d/rc4.d/K83ypbind
l * 28172:      /etc/rc.d/rc5.d/K83ypbind
l * 32184:      /etc/rc.d/rc6.d/K83ypbind
r * 16115:      /etc/pam.d/passwd-
r * 26478:      /etc/mtab.tmp
r * 26461:      /etc/mtab~
r * 23:         /lk.tgz
d * 2038:       /last

# OK. In / I have /lk.tgz (initial inode 23) and /last (initial inode 2038).
# I decided to run fls using -m to get some time stamp and MAC information.

[root@localhost bin]# ./fls -m "/" /honeynet/honeypot.hda8.dd 2
* Mar 16 01 11:48:42       0 mac -rw-------     0    0 /tmp/ccypSy1G.c
* Mar 16 01 11:48:42       0 mac -rw-------     0    0 /tmp/ccM1STTd.o
* Mar 16 01 11:48:42       0 mac -rw-r--r--     0    0 /tmp/ccsQgrMK.ld
* Mar 16 01 11:47:56       0 mac -rw-------     0    0 /tmp/ccbbVj4g.c
* Mar 16 01 11:47:56       0 mac -rw-------     0    0 /tmp/ccSZCa5n.o
* Mar 16 01 11:47:56       0 mac -rw-r--r--     0    0 /tmp/ccRD854u.ld
* Mar 15 01 08:19:17     769 m.c -rw-r--r--     0    0 /etc/X11/fs/config-
* Mar 15 01 14:22:56     769 .a. -rw-r--r--     0    0 /etc/X11/fs/config-
* Mar 15 01 08:20:28      45 m.c -rw-r--r--     0    0 /etc/rc.d/rc0.d/K83ypbind
* Mar 15 01 14:22:44      45 .a. -rw-r--r--     0    0 /etc/rc.d/rc0.d/K83ypbind
* Mar 16 01 07:03:12       0 m.c drwx------     0    0 /etc/rc.d/rc1.d/K83ypbind
* Mar 16 01 07:02:01       0 .a. drwx------     0    0 /etc/rc.d/rc1.d/K83ypbind
* Mar 15 01 08:19:37      16 ma. lrwxrwxrwx     0    0 /etc/rc.d/rc2.d/K83ypbind
* Mar 15 01 08:20:25      16 ..c lrwxrwxrwx     0    0 /etc/rc.d/rc2.d/K83ypbind
* Mar 15 01 08:20:25     437 m.c -rw-r--r--     0    0 /etc/rc.d/rc3.d/K83ypbind
* Mar 16 01 13:28:30     437 .a. -rw-r--r--     0    0 /etc/rc.d/rc3.d/K83ypbind
* Mar 15 01 08:19:37      16 ma. lrwxrwxrwx     0    0 /etc/rc.d/rc4.d/K83ypbind
* Mar 15 01 08:20:25      16 ..c lrwxrwxrwx     0    0 /etc/rc.d/rc4.d/K83ypbind
* Mar 15 01 08:19:37      16 ma. lrwxrwxrwx     0    0 /etc/rc.d/rc5.d/K83ypbind
* Mar 15 01 08:20:25      16 ..c lrwxrwxrwx     0    0 /etc/rc.d/rc5.d/K83ypbind
* Mar 15 01 08:20:29      27 mac lrwxrwxrwx     0    0 /etc/rc.d/rc6.d/K83ypbind
* Mar 15 01 08:20:25     250 m.c -rw-r--r--     0    0 /etc/pam.d/passwd-
* Mar 15 01 08:20:27     250 .a. -rw-r--r--     0    0 /etc/pam.d/passwd-
* Mar 15 01 14:31:18     200 m.c -rw-r--r--     0    0 /etc/mtab.tmp
* Mar 16 01 07:03:12     200 .a. -rw-r--r--     0    0 /etc/mtab.tmp
* Mar 15 01 22:45:02      71 mac -rw-r--r--     0    0 /etc/mtab~
* Mar 15 01 22:36:48  520333 m.. -rw-r--r--     0    0 /lk.tgz
* Mar 15 01 22:44:50  520333 .a. -rw-r--r--     0    0 /lk.tgz
* Mar 15 01 22:45:05  520333 ..c -rw-r--r--     0    0 /lk.tgz
* Mar 15 01 22:45:05       0 mac drwxr-xr-x  1031  100 /last

# OK, I find a directory called last and a file called lk.tgz.
# Now I decided to use debugfs.

[root@localhost /]# echo lsdel | debugfs /honeynet/honeypot.hda8.dd > /tmp/recover/lsdel.out
[root@localhost /]# vi /tmp/recover/lsdel.out
debugfs: 29 deleted inodes found.
 Inode  Owner  Mode    Size    Blocks   Time deleted
56231      0 100644  33135   13/  13 Thu Mar 15 08:17:36 2001
16110      0 100644    239    1/   1 Thu Mar 15 08:20:25 2001
 2058      0 100755  53588   54/  54 Thu Mar 15 22:45:02 2001
30188      0 100755  66736   67/  67 Thu Mar 15 22:45:02 2001
30191      0 100555  60080   60/  60 Thu Mar 15 22:45:02 2001
48284      0 100755  42736   43/  43 Thu Mar 15 22:45:02 2001
 2047      0 100755   4060    4/   4 Thu Mar 15 22:45:03 2001
 2049      0 100600    540    1/   1 Thu Mar 15 22:45:03 2001
 2051      0 100600    512    1/   1 Thu Mar 15 22:45:03 2001
 2053      0 100700   8268    9/   9 Thu Mar 15 22:45:03 2001
 2059      0 100700     75    1/   1 Thu Mar 15 22:45:03 2001
 2060      0 100644    708    1/   1 Thu Mar 15 22:45:03 2001
 2061      0 100755 632066  622/ 622 Thu Mar 15 22:45:03 2001
   23      0 100644 520333  512/ 512 Thu Mar 15 22:45:05 2001
 2039      0 100755 611931  602/ 602 Thu Mar 15 22:45:05 2001
 2040      0 100644      1    1/   1 Thu Mar 15 22:45:05 2001
 2041      0 100700   3713    4/   4 Thu Mar 15 22:45:05 2001
 2042      0 100644    796    1/   1 Thu Mar 15 22:45:05 2001
 2043      0 100755   1345    2/   2 Thu Mar 15 22:45:05 2001
 2044      0 100644   3278    4/   4 Thu Mar 15 22:45:05 2001
 2045      0 100755     79    1/   1 Thu Mar 15 22:45:05 2001
 2046      0 100644  11407   12/  12 Thu Mar 15 22:45:05 2001
 2048      0 100644    880    1/   1 Thu Mar 15 22:45:05 2001
 2050      0 100644    344    1/   1 Thu Mar 15 22:45:05 2001
 2052      0 100644    688    1/   1 Thu Mar 15 22:45:05 2001
 2054      0 100755   4620    5/   5 Thu Mar 15 22:45:05 2001
 2038   1031  40755      0    1/   1 Thu Mar 15 22:46:09 2001
 8097      0  40700      0    1/   1 Fri Mar 16 07:03:12 2001
 8100      0 100644  16329  177/ 177 Fri Mar 16 07:03:12 2001

# fls showed 2 interesting entries under inode 2; now debugfs shows me 29 deleted entries...
# I decided to try to recover the file called lk.tgz.
# I know the start inode <23>, and the size is the same in fls and debugfs.

[root@localhost /]# debugfs /honeynet/honeypot.hda8.dd
debugfs 1.19, 13-Jul-2000 for EXT2 FS 0.5b, 95/08/09
debugfs:  dump <23> /tmp/recover/lk.tgz
debugfs:  quit
[root@localhost /]# ls -l /tmp/lk.tgz
-rw-r--r--    1 root     root       520333 May  2 22:54 /tmp/lk.tgz

# I tried to gunzip and untar the file, and I had no errors, only a warning
# about a time stamp in the future.

[root@localhost /]# cd /tmp/rootkit/
[root@localhost rootkit]# tar -xzf /tmp/lk.tgz
tar: last/ssh: time stamp 2002-02-08 11:08:13 is 24317454 s in the future
[root@localhost rootkit]# ls -l
total 520
drwxr-xr-x    2 1031     users        4096 May  2 23:17 last
[root@localhost rootkit]# ls -l last | more
total 1472
-rwxr-xr-x    1 1031     users        1345 Sep  9  1999 cleaner
-rwxr-xr-x    1 1031     users       19840 Feb 26 12:23 ifconfig
-rw-r--r--    1 1031     users        3278 Jan 27 13:11 inetd.conf
-rwx------    1 1031     users        3713 Mar  3 00:08 install
-rwxr-xr-x    1 1031     users        4620 Feb 26 12:23 last.cgi
-rwx------    1 1031     users        7165 Feb 26 12:22 linsniffer
-rwx------    1 1031     users          75 Feb 26 12:24 logclear
-rwxr-xr-x    1 1031     users          79 Feb 26 12:28 lsattr
-rwxr-xr-x    1 1031     users      632066 Feb 26 11:46 mkxfs
-rwxr-xr-x    1 1031     users       35300 Feb 26 12:23 netstat
-rw-r--r--    1 1031     users           1 Feb 26 12:29 pidfile
-rwxr-xr-x    1 1031     users       33280 Feb 26 12:23 ps
-rw-r--r--    1 root     root          708 Mar  3 00:05 s
-rwxr-xr-x    1 1031     users        4060 Feb 26 12:22 sense
-rw-r--r--    1 1031     users       11407 Jan 27 13:11 services
-rwx------    1 1031     users        8268 Feb 26 12:22 sl2
-rwxr-xr-x    1 1031     users      611931 Feb  8  2002 ssh
-rw-r--r--    1 1031     users         880 Oct 22  2000 ssh_config
-rw-r--r--    1 1031     users         688 Feb 26 12:29 sshd_config
-rw-------    1 1031     users         540 Oct 22  2000 ssh_host_key
-rw-r--r--    1 1031     users         344 Oct 22  2000 ssh_host_key.pub
-rw-------    1 1031     users         512 Oct 22  2000 ssh_random_seed
-rwxr-xr-x    1 1031     users       53588 Feb 26 12:23 top
[root@localhost rootkit]#

# What I have here are all the files from the original rootkit.
# Using the information from lsdel in debugfs (/tmp/recover/lsdel.out),
# I decided to make another file, trying to do a cross-reference using file size.
# Now I have /tmp/recover/lsdel2.out with this information:

[root@localhost rootkit]# cp /tmp/recover/lsdel.out /tmp/recover/lsdel2.out
[root@localhost rootkit]# vi /tmp/recover/lsdel2.out
debugfs: 29 deleted inodes found.
 Inode  Owner  Mode    Size    Blocks   Time deleted
56231      0 100644  33135   13/  13 Thu Mar 15 08:17:36 2001
16110      0 100644    239    1/   1 Thu Mar 15 08:20:25 2001
 2058      0 100755  53588   54/  54 Thu Mar 15 22:45:02 2001   top
30188      0 100755  66736   67/  67 Thu Mar 15 22:45:02 2001
30191      0 100555  60080   60/  60 Thu Mar 15 22:45:02 2001
48284      0 100755  42736   43/  43 Thu Mar 15 22:45:02 2001
 2047      0 100755   4060    4/   4 Thu Mar 15 22:45:03 2001   sense
 2049      0 100600    540    1/   1 Thu Mar 15 22:45:03 2001   ssh_host_key
 2051      0 100600    512    1/   1 Thu Mar 15 22:45:03 2001   ssh_random_seed
 2053      0 100700   8268    9/   9 Thu Mar 15 22:45:03 2001   sl2
 2059      0 100700     75    1/   1 Thu Mar 15 22:45:03 2001   logclear
 2060      0 100644    708    1/   1 Thu Mar 15 22:45:03 2001   s
 2061      0 100755 632066  622/ 622 Thu Mar 15 22:45:03 2001   mkxfs
   23      0 100644 520333  512/ 512 Thu Mar 15 22:45:05 2001   /lk.tgz
 2039      0 100755 611931  602/ 602 Thu Mar 15 22:45:05 2001   ssh
 2040      0 100644      1    1/   1 Thu Mar 15 22:45:05 2001   pidfile
 2041      0 100700   3713    4/   4 Thu Mar 15 22:45:05 2001   install
 2042      0 100644    796    1/   1 Thu Mar 15 22:45:05 2001
 2043      0 100755   1345    2/   2 Thu Mar 15 22:45:05 2001   cleaner
 2044      0 100644   3278    4/   4 Thu Mar 15 22:45:05 2001   inetd.conf
 2045      0 100755     79    1/   1 Thu Mar 15 22:45:05 2001   lsattr
 2046      0 100644  11407   12/  12 Thu Mar 15 22:45:05 2001   services
 2048      0 100644    880    1/   1 Thu Mar 15 22:45:05 2001   ssh_config
 2050      0 100644    344    1/   1 Thu Mar 15 22:45:05 2001   ssh_host_key.pub
 2052      0 100644    688    1/   1 Thu Mar 15 22:45:05 2001   sshd_config
 2054      0 100755   4620    5/   5 Thu Mar 15 22:45:05 2001   last.cgi
 2038   1031  40755      0    1/   1 Thu Mar 15 22:46:09 2001   /last
 8097      0  40700      0    1/   1 Fri Mar 16 07:03:12 2001
 8100      0 100644  16329  177/ 177 Fri Mar 16 07:03:12 2001

# I'll try to recover all these files.

[root@localhost rootkit]# awk '{print $1}' /tmp/recover/lsdel.out > /tmp/recover/inodes.txt
[root@localhost rootkit]# vi /tmp/recover/inodes.txt

# I deleted the first two lines and the last line,
# and added a comma (,) and the file name that I think is right.
# For the inodes with no file name I'll use the inode number as the name.
# Now I have ...

56231,56231
16110,16110
2058,top
30188,30188
30191,30191
48284,48284
2047,sense
2049,ssh_host_key
2051,ssh_randon_seed
2053,sl2
2059,logclear
2060,s
2061,mkxfs
23,lk.tgz
2039,ssh
2040,pidfile
2041,install
2042,2042
2043,cleaner
2044,inetd.conf
2045,lsattr
2046,services
2048,ssh_config
2050,ssh_host_key.pub
2052,sshd_config
2054,last.cgi
2038,last
8097,8097
8100,8100

# So I wrote a little Perl program to recover the files and test them
# against the ones that lk.tgz gave me.

[root@localhost recover]# cat /tmp/recover/re.pl
#!/usr/bin/perl
# For each "inode,name" line in inodes.txt, dump that inode from the image with
# debugfs into /tmp/recover/<name>, then print the md5sum of the copy unpacked
# from lk.tgz next to the md5sum of the copy debugfs just recovered.
use strict;
use warnings;

open(ARQ, "<", "inodes.txt") or die "inodes.txt: $!";
while (<ARQ>) {
    chomp;
    my ($inode, $name) = split(/,/);
    # debugfs reads commands from stdin; -p keeps the owner, mode and timestamps
    my $string = `echo \"dump <$inode> -p /tmp/recover/$name\" | debugfs /honeynet/honeypot.hda8.dd 2>&1`;
    my $sum = `md5sum /tmp/rootkit/last/$name ; md5sum /tmp/recover/$name`;
    print $sum;
}
close(ARQ);

# As I have 2 copies of each file (one that came from lk.tgz and the other
# from the debugfs dump), I decided to compare both to see if debugfs did a good job.

[root@localhost recover]# ./re.pl > test.txt
md5sum: /tmp/rootkit/last/56231: No such file or directory
md5sum: /tmp/rootkit/last/16110: No such file or directory
md5sum: /tmp/rootkit/last/30188: No such file or directory
md5sum: /tmp/rootkit/last/30191: No such file or directory
md5sum: /tmp/rootkit/last/48284: No such file or directory
md5sum: /tmp/rootkit/last/ssh_randon_seed: No such file or directory
md5sum: /tmp/rootkit/last/lk.tgz: No such file or directory
md5sum: /tmp/rootkit/last/2042: No such file or directory
md5sum: /tmp/rootkit/last/last: No such file or directory
md5sum: /tmp/rootkit/last/8097: No such file or directory
md5sum: /tmp/rootkit/last/8100: No such file or directory

# Running it you'll get some errors from files that don't appear in both directories.
# Now let's take a look at test.txt:

3bfc6509b2fba0d38c09342ab5c0cfe5  /tmp/recover/56231
64667476147123224d23f7224eb94d93  /tmp/recover/16110
8ff0939cd49a0b2ef3156c7876afca4b  /tmp/rootkit/last/top
8ff0939cd49a0b2ef3156c7876afca4b  /tmp/recover/top
f174e862d00d0998c3fa4ccd632019b5  /tmp/recover/30188
5e1725f2734365fef9e55398785f3033  /tmp/recover/30191
b52af438845c776cde94f67e19cd037a  /tmp/recover/48284
464dc23cac477c43418eb8d3ef087065  /tmp/rootkit/last/sense
464dc23cac477c43418eb8d3ef087065  /tmp/recover/sense
c2c1b08498ed71a908c581d634832672  /tmp/rootkit/last/ssh_host_key
c2c1b08498ed71a908c581d634832672  /tmp/recover/ssh_host_key
ad265d3c07dea3151bacb6930e0b72d3  /tmp/recover/ssh_randon_seed
4cfae8c44a6d1ede669d41fc320c7325  /tmp/rootkit/last/sl2
4cfae8c44a6d1ede669d41fc320c7325  /tmp/recover/sl2
5f22ceb87631fbcbf32e59234feeaa5b  /tmp/rootkit/last/logclear
5f22ceb87631fbcbf32e59234feeaa5b  /tmp/recover/logclear
06d04fa3c4941b398756d029de75770e  /tmp/rootkit/last/s
06d04fa3c4941b398756d029de75770e  /tmp/recover/s
18a2d7d3178f321b881e7c493af72996  /tmp/rootkit/last/mkxfs
18a2d7d3178f321b881e7c493af72996  /tmp/recover/mkxfs
115f438631de8d0a7c03c9d458eb7257  /tmp/recover/lk.tgz
21ed3ca31a9c9b51a757f1644e26f2f7  /tmp/rootkit/last/ssh
21ed3ca31a9c9b51a757f1644e26f2f7  /tmp/recover/ssh
68b329da9893e34099c7d8ad5cb9c940  /tmp/rootkit/last/pidfile
68b329da9893e34099c7d8ad5cb9c940  /tmp/recover/pidfile
964db5da8cf89810a54659b6fdb81958  /tmp/rootkit/last/install
964db5da8cf89810a54659b6fdb81958  /tmp/recover/install
928c5f9a4b4068a5db47dfdc65ea6cde  /tmp/recover/2042
12e8748c19abe7a44e67196c22738e9b  /tmp/rootkit/last/cleaner
12e8748c19abe7a44e67196c22738e9b  /tmp/recover/cleaner
b63485e42035328c0d900a71ff2e6bd7  /tmp/rootkit/last/inetd.conf
b63485e42035328c0d900a71ff2e6bd7  /tmp/recover/inetd.conf
dfb2eeea2a5ba23eb6a2b9d0cff9d82f  /tmp/rootkit/last/lsattr
dfb2eeea2a5ba23eb6a2b9d0cff9d82f  /tmp/recover/lsattr
54e41f035e026f439d4188759b210f07  /tmp/rootkit/last/services
54e41f035e026f439d4188759b210f07  /tmp/recover/services
5fd2ce512e0eba4d090191e8a1518808  /tmp/rootkit/last/ssh_config
5fd2ce512e0eba4d090191e8a1518808  /tmp/recover/ssh_config
e76cd5baaab7b4f28c999946a9cb4dcc  /tmp/rootkit/last/ssh_host_key.pub
e76cd5baaab7b4f28c999946a9cb4dcc  /tmp/recover/ssh_host_key.pub
312de877e5180678cd54606e1c25af40  /tmp/rootkit/last/sshd_config
312de877e5180678cd54606e1c25af40  /tmp/recover/sshd_config
202a51b16ac8d1b4dc75de89e7344ed4  /tmp/rootkit/last/last.cgi
202a51b16ac8d1b4dc75de89e7344ed4  /tmp/recover/last.cgi
d41d8cd98f00b204e9800998ecf8427e  /tmp/recover/last
d41d8cd98f00b204e9800998ecf8427e  /tmp/recover/8097
7f2773292953e077f022ce4296b0a76f  /tmp/recover/8100

# This proves that the files in this case are 100% recovered (comparing with the original ones).

------------------------------------------------------------------------------------------
2. What files make up the deleted rootkit?
------------------------------------------------------------------------------------------

[root@localhost last]# ls -l
total 1472
-rwxr-xr-x    1 1031     users        1345 Sep  9  1999 cleaner
-rwxr-xr-x    1 1031     users       19840 Feb 26 12:23 ifconfig
-rw-r--r--    1 1031     users        3278 Jan 27 13:11 inetd.conf
-rwx------    1 1031     users        3713 Mar  3 00:08 install
-rwxr-xr-x    1 1031     users        4620 Feb 26 12:23 last.cgi
-rwx------    1 1031     users        7165 Feb 26 12:22 linsniffer
-rwx------    1 1031     users          75 Feb 26 12:24 logclear
-rwxr-xr-x    1 1031     users          79 Feb 26 12:28 lsattr
-rwxr-xr-x    1 1031     users      632066 Feb 26 11:46 mkxfs
-rwxr-xr-x    1 1031     users       35300 Feb 26 12:23 netstat
-rw-r--r--    1 1031     users           1 Feb 26 12:29 pidfile
-rwxr-xr-x    1 1031     users       33280 Feb 26 12:23 ps
-rw-r--r--    1 root     root          708 Mar  3 00:05 s
-rwxr-xr-x    1 1031     users        4060 Feb 26 12:22 sense
-rw-r--r--    1 1031     users       11407 Jan 27 13:11 services
-rwx------    1 1031     users        8268 Feb 26 12:22 sl2
-rwxr-xr-x    1 1031     users      611931 Feb  8  2002 ssh
-rw-r--r--    1 1031     users         880 Oct 22  2000 ssh_config
-rw-r--r--    1 1031     users         688 Feb 26 12:29 sshd_config
-rw-------    1 1031     users         540 Oct 22  2000 ssh_host_key
-rw-r--r--    1 1031     users         344 Oct 22  2000 ssh_host_key.pub
-rw-------    1 1031     users         512 Oct 22  2000 ssh_random_seed
-rwxr-xr-x    1 1031     users       53588 Feb 26 12:23 top
[root@localhost last]#

------------------------------------------------------------------------------------------
Bonus Question: Was the rootkit ever actually installed on the system? How do you know?
------------------------------------------------------------------------------------------

# Yes. The rootkit is still installed on the system.
# Where I untarred the original rootkit I found a file named "install",
# so I mounted the original image (honeypot.hda8.dd) on a directory called /t
# and compared the md5sum of the file found in the mounted image with
# the file that came from the original rootkit.
# The md5sum checksums were the same.
# I used ">" to show the text from the install file, and the results are shown below.

[root@localhost /]# mount -o ro,loop /honeynet/honeypot.hda8.dd /t

>rm -rf /sbin/ifconfig
>mv ifconfig /sbin/ifconfig
>rm -rf /bin/netstat
>mv netstat /bin/netstat
>rm -rf /bin/ps
>mv ps /bin/ps

[root@localhost /]# md5sum /t/sbin/ifconfig
086394958255553f6f38684dad97869e  /t/sbin/ifconfig
[root@localhost /]# md5sum /tmp/rootkit/last/ifconfig
086394958255553f6f38684dad97869e  /tmp/rootkit/last/ifconfig
[root@localhost /]# md5sum /t/bin/netstat
2b07576213c1c8b942451459b3dc4903  /t/bin/netstat
[root@localhost /]# md5sum /tmp/rootkit/last/netstat
2b07576213c1c8b942451459b3dc4903  /tmp/rootkit/last/netstat
[root@localhost /]# md5sum /t/bin/ps
7728c15d89f27e376950f96a7510bf0f  /t/bin/ps
[root@localhost /]# md5sum /tmp/rootkit/last/ps
7728c15d89f27e376950f96a7510bf0f  /tmp/rootkit/last/ps

>touch /dev/rpm >>/dev/rpm
>echo "3 sl2" >>/dev/rpm
>echo "3 sshdu" >>/dev/rpm
>echo "3 linsniffer" >>/dev/rpm
>echo "3 smurf" >>/dev/rpm
>echo "3 slice" >>/dev/rpm
>echo "3 mech" >>/dev/rpm
>echo "3 muh" >>/dev/rpm
>echo "3 bnc" >>/dev/rpm
>echo "3 psybnc" >> /dev/rpm

[root@localhost usr]# cat /t/dev/rpm
3 sl2
3 sshdu
3 linsniffer
3 smurf
3 slice
3 mech
3 muh
3 bnc
3 psybnc

>touch /dev/last >>/dev/last
>echo "1 193.231.139" >>/dev/last
>echo "1 213.154.137" >>/dev/last
>echo "1 193.254.34" >>/dev/last
>echo "3 48744" >>/dev/last
>echo "3 3666" >>/dev/last
>echo "3 31221" >>/dev/last
>echo "3 22546" >>/dev/last
>echo "4 48744" >>/dev/last
>echo "4 2222" >>/dev/last

[root@localhost usr]# cat /t/dev/last
1 193.231.139
1 213.154.137
1 193.254.34
3 48744
3 3666
3 31221
3 22546
4 48744
4 2222

>mkdir -p /dev/ida/.drag-on
>mkdir -p /dev/ida/".. "
>echo "* Copiem ssh si alea"
>cp linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed /dev/ida/.drag-on/
>cp linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed /dev/ida/".. "
>rm -rf linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed
>touch /dev/ida/.drag-on/tcp.log
>touch /dev/ida/".. "/tcp.log

[root@localhost /]# ls -l /t/dev/ida/".. "
total 646
-rwx------    1 root     root         7165 Mar 15 22:45 linsniffer
-rwx------    1 root     root           75 Mar 15 22:45 logclear
-rwxr-xr-x    1 root     root       632066 Mar 15 22:45 mkxfs
-rw-r--r--    1 root     root          708 Mar 15 22:45 s
-rwxr-xr-x    1 root     root         4060 Mar 15 22:45 sense
-rwx------    1 root     root         8268 Mar 15 22:45 sl2
-rw-------    1 root     root          540 Mar 15 22:45 ssh_host_key
-rw-------    1 root     root          512 Mar 15 22:45 ssh_random_seed
-rw-r--r--    1 root     root            0 Mar 15 22:45 tcp.log
[root@localhost /]# ls -l /t/dev/ida/.drag-on/
total 647
-rwx------    1 root     root         7165 Mar 15 22:45 linsniffer
-rwx------    1 root     root           75 Mar 15 22:45 logclear
-rwxr-xr-x    1 root     root       632066 Mar 15 22:45 mkxfs
-rw-r--r--    1 root     root          708 Mar 15 22:45 s
-rwxr-xr-x    1 root     root         4060 Mar 15 22:45 sense
-rwx------    1 root     root         8268 Mar 15 22:45 sl2
-rw-------    1 root     root          540 Mar 15 22:45 ssh_host_key
-rw-------    1 root     root          512 Mar 16 11:45 ssh_random_seed
-rw-r--r--    1 root     root          138 Mar 16 13:28 tcp.log

>cp -f inetd.conf /etc
>cp -f services /etc

[root@localhost /]# md5sum /t/etc/inetd.conf
b63485e42035328c0d900a71ff2e6bd7  /t/etc/inetd.conf
[root@localhost /]# md5sum /tmp/rootkit/last/inetd.conf
b63485e42035328c0d900a71ff2e6bd7  /tmp/rootkit/last/inetd.conf
[root@localhost /]# md5sum /t/etc/services
54e41f035e026f439d4188759b210f07  /t/etc/services
[root@localhost /]# md5sum /tmp/rootkit/last/services
54e41f035e026f439d4188759b210f07  /tmp/rootkit/last/services

--------------------------------------------------------------------------
 <'D      / C /    Fernando Pompeo Amatte
 ()-^   --+-\\     cursor at cas dot zaz dot com dot br
 / >      | \
--------------------------------------------------------------------------
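The size cross-reference in question 1 (lsdel rows matched by hand to the members of lk.tgz, then each inode dumped by number) can be scripted. The following is an added example and is not part of Fernando's write-up: it joins an lsdel excerpt against a `tar -tvf` listing on the Size column, flags sizes that match nothing or more than one member instead of guessing, and prints the debugfs `dump` batch for the unambiguous ones. Both inputs are constructed for the example (a deliberate 75-byte collision is included, which the real rootkit does not have); /tmp/recover and the image path are the ones used in the write-up.

```shell
#!/bin/sh
# Added example (not part of the original write-up): join 'debugfs lsdel' rows
# to the members of a recovered tarball by file size, then emit the debugfs
# 'dump' commands for every inode that matched exactly one name.

# Constructed lsdel output, in the row shape debugfs prints (header included).
LSDEL='debugfs: 8 deleted inodes found.
 Inode  Owner  Mode    Size    Blocks   Time deleted
56231      0 100644  33135   13/  13 Thu Mar 15 08:17:36 2001
 2058      0 100755  53588   54/  54 Thu Mar 15 22:45:02 2001
 2047      0 100755   4060    4/   4 Thu Mar 15 22:45:03 2001
 2049      0 100600    540    1/   1 Thu Mar 15 22:45:03 2001
 2059      0 100700     75    1/   1 Thu Mar 15 22:45:03 2001
 2040      0 100644      1    1/   1 Thu Mar 15 22:45:05 2001
 2038   1031  40755      0    1/   1 Thu Mar 15 22:46:09 2001
 8097      0  40700      0    1/   1 Fri Mar 16 07:03:12 2001'

# Constructed 'tar -tvf lk.tgz' listing: one deliberate size collision (75 bytes
# twice) and no entry for the 33135-byte inode deleted before the rootkit arrived.
TARLIST='drwxr-xr-x 1031/users      0 2001-03-15 22:45 last/
-rwxr-xr-x 1031/users  53588 2001-02-26 12:23 last/top
-rwxr-xr-x 1031/users   4060 2001-02-26 12:22 last/sense
-rw------- 1031/users    540 2000-10-22 00:00 last/ssh_host_key
-rwx------ 1031/users     75 2001-02-26 12:24 last/logclear
-rw-r--r-- 1031/users     75 2001-02-26 12:24 last/notes
-rw-r--r-- 1031/users      1 2001-02-26 12:29 last/pidfile'

# match_by_size LSDEL TARLIST -> "inode,name" per deleted regular file.
# Both texts go through one awk run, separated by a sentinel line.
match_by_size() {
    { printf '%s\n' "$2"; echo '__LSDEL__'; printf '%s\n' "$1"; } | awk '
        /^__LSDEL__$/ { part = 2; next }
        part != 2 {                                  # tar listing section
            if (substr($1, 1, 1) == "d") next        # directories carry no data
            n = split($NF, p, "/"); name = p[n]      # basename of the member
            size = $3
            names[size] = (size in count) ? names[size] "|" name : name
            count[size]++
            next
        }
        $1 ~ /^[0-9]+$/ {                            # lsdel data rows only
            inode = $1; mode = $3; size = $4
            if (mode !~ /^10/) next                  # 100xxx = regular file
            if (!(size in count))     print inode ",UNMATCHED"
            else if (count[size] > 1) print inode ",AMBIGUOUS(" names[size] ")"
            else                      print inode "," names[size]
        }'
}

# dump_commands OUTDIR < mapping -> debugfs commands for the clean matches.
# <N> makes debugfs resolve the inode by number; -p restores owner and mode.
dump_commands() {
    awk -F, -v outdir="$1" '
        $2 != "UNMATCHED" && $2 !~ /^AMBIGUOUS/ { print "dump -p <" $1 "> " outdir "/" $2 }'
}

# Stand-alone run: the mapping, then the batch that would be piped into
# "debugfs /honeynet/honeypot.hda8.dd" (debugfs reads commands from stdin).
match_by_size "$LSDEL" "$TARLIST"
match_by_size "$LSDEL" "$TARLIST" | dump_commands /tmp/recover
```

The two flagged rows are the ones worth a second look by hand: UNMATCHED means the inode is not from the tarball at all (here, a file deleted hours before lk.tgz arrived), and AMBIGUOUS means size alone cannot name it, so the recovered content has to be compared against both candidates rather than labelled by guess.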
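The bonus-question check (read the rootkit's own install script, then compare each file it moves or copies into the system with the file at that path in the read-only mounted image) as an added example, not from the write-up. It pulls the `mv` and `cp` targets out of the script with awk and compares with `cmp`, which is byte-exact and needs no hash tool. The fixture tree and the install-script excerpt are constructed (placeholder text stands in for the binaries); against the real evidence the call would be `check_install /tmp/rootkit/last/install /tmp/rootkit/last /t`, with /t the loop mount used in the write-up.

```shell
#!/bin/sh
# Added example (not part of the original write-up): verify which files named
# in a rootkit install script actually landed on the imaged filesystem.

# install_targets SCRIPT -> "source destination" pairs from mv and cp lines.
# "rm -rf" and other commands are ignored; cp with several sources fans out.
install_targets() {
    awk '
        $1 == "mv" && NF == 3 { print $2, $3; next }
        $1 == "cp" {
            first = ($2 == "-f") ? 3 : 2          # skip the -f flag if present
            dir = $NF; sub(/\/$/, "", dir)        # drop a trailing slash on the dir
            for (i = first; i < NF; i++) print $i, dir "/" $i
        }' "$1"
}

# check_install SCRIPT ROOTKIT_DIR MOUNT_DIR -> one line per target:
#   MATCH   file at that path is byte-identical to the rootkit copy
#   DIFF    a file is there but differs (never replaced, or replaced again)
#   MISSING nothing at that path in the image
check_install() {
    install_targets "$1" | while read -r src dest; do
        kit="$2/$src"; sys="$3$dest"
        if [ ! -f "$sys" ]; then echo "MISSING $dest"
        elif cmp -s "$kit" "$sys"; then echo "MATCH   $dest"
        else echo "DIFF    $dest"
        fi
    done
}

# build_fixture -> prints a temp dir holding a constructed rootkit directory,
# install script and fake image tree. Contents are placeholders, not binaries.
build_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/kit" "$base/mnt/sbin" "$base/mnt/bin" "$base/mnt/etc"
    printf 'trojaned ifconfig\n'  > "$base/kit/ifconfig"
    printf 'trojaned netstat\n'   > "$base/kit/netstat"
    printf 'trojaned ps\n'        > "$base/kit/ps"
    printf 'rootkit inetd.conf\n' > "$base/kit/inetd.conf"
    cp "$base/kit/ifconfig" "$base/mnt/sbin/ifconfig"      # installed
    printf 'vendor netstat\n' > "$base/mnt/bin/netstat"    # still the original
    cp "$base/kit/inetd.conf" "$base/mnt/etc/inetd.conf"   # installed
    # /bin/ps is deliberately absent from the fake image
    cat > "$base/install" <<'EOF'
rm -rf /sbin/ifconfig
mv ifconfig /sbin/ifconfig
rm -rf /bin/netstat
mv netstat /bin/netstat
rm -rf /bin/ps
mv ps /bin/ps
cp -f inetd.conf /etc
EOF
    echo "$base"
}

# Stand-alone run over the constructed fixture.
base=$(build_fixture)
check_install "$base/install" "$base/kit" "$base/mnt"
rm -rf "$base"
```

A MATCH on a system binary such as /sbin/ifconfig is the same evidence the write-up obtains with md5sum; DIFF and MISSING are the cases the manual comparison does not surface, and both need a look at the file's own MAC times before concluding anything.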