From pat@csh.rit.edu Fri Jun 22 08:47:25 2001
Date: Fri, 15 Jun 2001 10:37:29 -0400
From: Patrick Stein
To: project@honeynet.org
Subject: Fwd: Scan 16

Begin forwarded message:

> From: Patrick Stein
> Date: Fri Jun 15, 2001 10:23:45 US/Eastern
> To: project@honeypot.org
> Subject: Scan 16
>
>
> 1. This file used the ``flip all of the bits'' encryption algorithm,
>    a.k.a. ``XOR each byte with 0xFF''.
>
> 2. Using ``od -x'', I noticed that every single byte had the high
>    bit set. I wrote a three-line C program to strip the top byte.
>    That didn't pan out, but it made it look structured like ASCII
>    text. So, I hacked the program to flip all the bits instead.
>    Then, it definitely looked like ASCII.
>
> 3. As mentioned above, I decrypted it with a simple C program:
>
>    #include <stdio.h>
>
>    int main( void ) {
>        int cc;
>
>        /* read every byte, complement it, keep only the low 8 bits */
>        while ( ( cc = fgetc( stdin ) ) != EOF ) {
>            fputc( ( ~cc & 0xFF ), stdout );
>        }
>        return 0;
>    }
>
>    The decrypted file appears at the end of this submission.
>
> 4. I'm not very familiar with Solaris adminning, so I'm not sure if this
>    is some sort of patch configuration file or what. It definitely
>    looks like the point here is to install some rogue commands from
>    its crafty hiding spot in /dev/pts/01 (a place that will probably
>    be ignored by both root folk and detection scripts that look for
>    things like directories called '...' and the like). By patching
>    find, du, ls, ps, netstat, su, and passwd, it looks like a very
>    complete way to cover one's tracks.... you can ensure that you can
>    su to root without getting in the logs, without showing what
>    machine you connected from, without showing your processes, and
>    without revealing any of the other files you've added to the
>    system. I'm not sure what the patch on ping gains though.
>
> 5. It takes very little scrambling at all to throw off grep(1) and the
>    like. It would be hard to scan the file system and stumble
>    upon this.
>
> 6. It took a few seconds with od(1), a minute to write my first
>    attempt, another few seconds with od(1), and another minute to
>    write the second attempt. It has taken me five times longer to
>    write this e-mail than it did to crack the encryption.
>
> Bonus question:
> Nope, sorry.... *shrug*
>
> later,
> Patrick
>
> =====================================Cut Here=======================
> [file]
> find=/dev/pts/01/bin/find
> du=/dev/pts/01/bin/du
> ls=/dev/pts/01/bin/ls
> file_filters=01,lblibps.so,sn.l,prom,cleaner,dos,uconf.inv,psbnc,lpacct,USER
>
> [ps]
> ps=/dev/pts/01/bin/psr
> ps_filters=lpq,lpsched,sh1t,psr,sshd2,lpset,lpacct,bnclp,lpsys
> lsof_filters=lp,uconf.inv,psniff,psr,:13000,:25000,:6668,:6667,/dev/pts/01,
> sn.l,prom,lsof,psbnc
>
> [netstat]
> netstat=/dev/pts/01/bin/netstat
> net_filters=47018,6668
>
> [login]
> su_loc=/dev/pts/01/bin/su
> ping=/dev/pts/01/bin/ping
> passwd=/dev/pts/01/bin/passwd
> shell=/bin/sh
>
> su_pass=l33th4x0r
> =====================================And Here=======================
>
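Added example, not part of Patrick's submission: a C program that applies the same flip-all-bits decode, adds the triage check a file scanner could use to flag bit-flipped ASCII (every byte with the high bit set, every complement printable), and counts the `key=/path` entries in the decoded config that redirect a binary into the hiding directory. The sample config text, the function names and the `/dev/pts/01/` prefix argument are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* "Flip all of the bits": XOR each byte with 0xFF, in place.  Self-inverse. */
void flip_bits(unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        buf[i] ^= 0xFF;
}

/* Scanner triage check: 1 if every byte has the high bit set and its complement
   is printable ASCII or whitespace (7-bit text hidden by bit flipping), else 0. */
int looks_like_flipped_ascii(const unsigned char *buf, size_t n)
{
    if (n == 0) return 0;            /* nothing to judge: not a match */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = buf[i] ^ 0xFF;
        if (!(buf[i] & 0x80) || (!isprint(c) && !isspace(c)))
            return 0;
    }
    return 1;
}

/* Count "key=value" entries whose value starts with prefix, i.e. the binaries
   redirected into the hiding directory; filter lists (key=a,b,c) never match. */
int count_redirected_binaries(const char *text, const char *prefix)
{
    int count = 0;
    size_t plen = strlen(prefix);
    for (const char *eq = strchr(text, '='); eq; eq = strchr(eq + 1, '='))
        if (strncmp(eq + 1, prefix, plen) == 0)
            count++;
    return count;
}

static const char SAMPLE[] =   /* constructed sample in the recovered file's format, not the real file */
    "[file]\nfind=/dev/pts/01/bin/find\nls=/dev/pts/01/bin/ls\n"
    "file_filters=01,sn.l,prom\n[netstat]\nnetstat=/dev/pts/01/bin/netstat\n";

int main(void)
{
    unsigned char buf[sizeof SAMPLE];
    size_t n = sizeof SAMPLE - 1;                /* text length, NUL excluded */
    memcpy(buf, SAMPLE, sizeof SAMPLE);          /* copy includes the NUL */
    flip_bits(buf, n);                           /* encode, as stored on disk */
    printf("flipped ASCII? %d\n", looks_like_flipped_ascii(buf, n));
    flip_bits(buf, n);                           /* decode; NUL left intact */
    printf("redirected: %d\n", count_redirected_binaries((char *)buf, "/dev/pts/01/"));
    return 0;
}
```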