From jamesm@radical.ca Fri Jun 22 08:47:28 2001
Date: Fri, 15 Jun 2001 10:20:15 -0700
From: Mark James
To: project@honeynet.org
Subject: June Scan of the Month

1) The bytes of the file are exclusive or'd with 0xff.

2) First, I just looked at the file with "less", and noticed that most of the characters were special. A quick check with "od -x" showed that all the high bits were set. Since all the high bits in normal text are clear, this suggested an XOR scheme. I wrote this quick program to check:

    #include <stdio.h>

    unsigned char buf[1024];

    int main(void)
    {
        FILE *fp = fopen("somefile", "r");
        if (fp == NULL) {
            perror("somefile");
            return 1;
        }
        int size = fread(buf, 1, sizeof buf, fp);
        fclose(fp);

        int key;
        int ch;
        /* Every byte had its high bit set, so only keys with the high bit set
         * can turn the file back into plain ASCII: try 128..255 and dump each. */
        for (key = 128; key <= 255; key++) {
            printf("\n\nKey: %d\n", key);
            for (ch = 0; ch < size; ch++) {
                putchar(buf[ch] ^ key);
            }
        }
        return 0;
    }

As I was typing this in, I guessed that 255 was probably the key.

3) The above program prints this out at the end:

    Key: 255
    [file]
    find=/dev/pts/01/bin/find
    du=/dev/pts/01/bin/du
    ls=/dev/pts/01/bin/ls
    file_filters=01,lblibps.so,sn.l,prom,cleaner,dos,uconf.inv,psbnc,lpacct,USER
    [ps]
    ps=/dev/pts/01/bin/psr
    ps_filters=lpq,lpsched,sh1t,psr,sshd2,lpset,lpacct,bnclp,lpsys
    lsof_filters=lp,uconf.inv,psniff,psr,:13000,:25000,:6668,:6667,/dev/pts/01,sn.l,prom,lsof,psbnc
    [netstat]
    netstat=/dev/pts/01/bin/netstat
    net_filters=47018,6668
    [login]
    su_loc=/dev/pts/01/bin/su
    ping=/dev/pts/01/bin/ping
    passwd=/dev/pts/01/bin/passwd
    shell=/bin/sh
    su_pass=l33th4x0r

4) It appears that the tools in this kit are used to hide a compromise. It replaces standard tools like ps, ls, and netstat with hacked versions which filter their output to hide the intrusion. My guess is the originals are stored in /dev/pts/01/bin/...

5) XOR encryption is weak. :)

6) The decryption took about 10 minutes. I don't know the answer to the bonus question.

M.
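The submission above dumps all 128 candidate decodings and relies on a human to spot the readable one. The following is an added example, not part of Mark's submission, that automates that step: it scores every single-byte XOR key by how text-like the decoded bytes are (letter frequency, whitespace bonus, a penalty for the control and high-bit bytes that "od -x" revealed) and picks the best. The frequency table, the 15/-20 weights and the `demo()` helper are this example's own choices; the sample input is the recovered config's first two lines, XOR'd with 0xff at run time so the program runs without the challenge file.

```c
/* Added example, not from Mark's submission: score every single-byte XOR key
 * by how text-like the decoding is, instead of eyeballing 128 printed dumps. */
#include <stdio.h>

/* Approximate English letter frequencies in percent, a..z. */
static const double kFreq[26] = {
    8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
    6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074 };

/* Letters earn their frequency, space/newline +15, other printable bytes 0, control and high-bit bytes -20. */
double score_key(const unsigned char *buf, size_t n, unsigned key)
{
    double s = 0.0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = buf[i] ^ key, l = c | 0x20;   /* l = case-folded c */
        if (l >= 'a' && l <= 'z')       s += kFreq[l - 'a'];
        else if (c == ' ' || c == '\n') s += 15.0;
        else if ((c < 0x20 && c != '\t' && c != '\r') || c > 0x7e) s -= 20.0;
    }
    return s;
}

/* Try all 256 keys (not only 128..255) and return the best-scoring one. */
int guess_xor_key(const unsigned char *buf, size_t n)
{
    int best_key = 0;                               /* key 0 is the baseline */
    for (unsigned key = 1; key < 256; key++)        /* rescoring best is cheap for small inputs */
        if (score_key(buf, n, key) > score_key(buf, n, best_key)) best_key = (int)key;
    return best_key;
}

/* Constructed sample: the recovered config's first lines, XOR'd with 0xff at run time.
 * demo() writes the ciphertext to out, recovers the key, decodes in place, returns the key. */
static const char kPlain[] = "[file]\nfind=/dev/pts/01/bin/find\n";
int demo(unsigned char *out, size_t cap)
{
    size_t n = sizeof kPlain - 1;
    if (cap < n) return -1;                         /* caller's buffer too small */
    for (size_t i = 0; i < n; i++) out[i] = (unsigned char)kPlain[i] ^ 0xff;
    int key = guess_xor_key(out, n);
    for (size_t i = 0; i < n; i++) out[i] ^= (unsigned char)key;
    return key;
}

int main(void)
{
    unsigned char out[64];
    printf("Key: %d\n%.33s", demo(out, sizeof out), (const char *)out);
    return 0;
}
```

The scoring is deliberately tolerant of a config file rather than English prose: the penalty for control and high-bit bytes is what separates the true key from near misses such as keys that only flip the low bits of every byte.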