From moose@bestiary.com Fri Jun 22 08:49:34 2001
Date: Wed, 20 Jun 2001 16:58:19 -0400
From: Pete Bevin
To: project@honeynet.org
Subject: Scan of the month

1. The file is encrypted by reversing each bit.

2. I determined the encryption method by doing a hex dump of the
encrypted file. Every byte had the highest bit set, which suggested an
XOR encryption on an ASCII file. To determine the byte used to XOR, I
looked at the last character, and assumed it was a newline (0x0a). The
last byte in the file is 0xf5, which is 0x0a XOR 0xff. To test this
guess, I ran the file through the following program:

    #include <stdio.h>

    int main(void)
    {
        int c;

        /* XOR every byte of stdin with 0xff (i.e. flip all eight bits)
         * and write the result to stdout. */
        while ((c = getchar()) != EOF) {
            putchar(c ^ 0xff);
        }
        return 0;
    }

3. The decrypted file is:

    [file]
    find=/dev/pts/01/bin/find
    du=/dev/pts/01/bin/du
    ls=/dev/pts/01/bin/ls
    file_filters=01,lblibps.so,sn.l,prom,cleaner,dos,uconf.inv,psbnc,lpacct,USER
    [ps]
    ps=/dev/pts/01/bin/psr
    ps_filters=lpq,lpsched,sh1t,psr,sshd2,lpset,lpacct,bnclp,lpsys
    lsof_filters=lp,uconf.inv,psniff,psr,:13000,:25000,:6668,:6667,/dev/pts/01,sn.l,prom,lsof,psbnc
    [netstat]
    netstat=/dev/pts/01/bin/netstat
    net_filters=47018,6668
    [login]
    su_loc=/dev/pts/01/bin/su
    ping=/dev/pts/01/bin/ping
    passwd=/dev/pts/01/bin/passwd
    shell=/bin/sh
    su_pass=l33th4x0r

4. This is a configuration file that specifies file locations and
TCP/IP ports. Presumably it was encrypted to avoid detection on the
host system.

5. I learned from this that (a) cracker encryption is easier to break
than one might suspect, and that (b) a remote nmap of a system could be
useful to detect compromises (e.g., if port 47018 is open).

6. The challenge took about half an hour: 10 minutes to decrypt the
file, and 20 minutes to figure out some of the details of the
configuration options.

Bonus: The file seems to come from a DDOS kit called 'carko' - at
least, the config file seems to match information at
http://www.cert.org/incident_notes/IN-2001-04.html

Pete.
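The following is an added example, not part of the submission above and not the Honeynet Project's or the rootkit's own code. It generalises the method described in the e-mail: instead of guessing the single XOR key from the last byte by hand, it tries all 256 candidate keys, ranks them by how much printable ASCII the result contains, and uses the trailing-newline observation as a tie-breaker; it then parses the recovered INI-style rootkit configuration into sections. The ciphertext is constructed inline by XORing a few lines from the decrypted file with 0xff, so the script runs offline; the function names and the scoring heuristic are this example's own choices.

```python
# Added example: recover a single-byte XOR key from an encrypted ASCII
# file and parse the resulting rootkit config. Not the original post's code.

# Constructed sample plaintext: a few lines from the decrypted config above.
PLAINTEXT = b"""[file]
find=/dev/pts/01/bin/find
ls=/dev/pts/01/bin/ls
[netstat]
net_filters=47018,6668
[login]
su_pass=l33th4x0r
"""

# Constructed ciphertext: every byte XORed with 0xff, as in the challenge.
CIPHERTEXT = bytes(b ^ 0xFF for b in PLAINTEXT)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def high_bit_ratio(data: bytes) -> float:
    """Fraction of bytes with bit 7 set. Close to 1.0 for ASCII XORed
    with a key whose high bit is set; the first clue in the write-up."""
    return sum(1 for b in data if b & 0x80) / len(data)


def printable_score(candidate: bytes) -> tuple:
    """Rank a candidate plaintext: more printable ASCII/whitespace is
    better, and a trailing newline (the author's heuristic) breaks ties."""
    printable = sum(
        1 for b in candidate if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)
    )
    return (printable, candidate.endswith(b"\n"))


def recover_key(ciphertext: bytes) -> int:
    """Brute-force all 256 single-byte keys and return the best-scoring one."""
    return max(range(256), key=lambda k: printable_score(xor_bytes(ciphertext, k)))


def parse_config(text: str) -> dict:
    """Parse '[section]' headers and 'key=value' lines into nested dicts.
    Hypothetical minimal parser for the INI-like format shown above."""
    sections: dict = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def analyse(ciphertext: bytes) -> dict:
    """Full pipeline: recover key, decrypt, parse. Returns a summary dict."""
    key = recover_key(ciphertext)
    plaintext = xor_bytes(ciphertext, key)
    return {
        "key": key,
        "high_bit_ratio": high_bit_ratio(ciphertext),
        "config": parse_config(plaintext.decode("ascii", errors="replace")),
    }


if __name__ == "__main__":
    result = analyse(CIPHERTEXT)
    print(f"recovered key: 0x{result['key']:02x}")
    print(f"bytes with high bit set: {result['high_bit_ratio']:.0%}")
    for section, entries in result["config"].items():
        print(f"[{section}]")
        for k, v in entries.items():
            print(f"  {k} = {v}")
```

The tie-breaker matters: a key that differs from the true one only in low bits can map every plaintext byte onto another printable byte and score just as well on the printable count, but only the true key turns the final ciphertext byte (0xf5 here) back into a newline. The `net_filters` values the parser exposes are exactly the ports a remote scan of the host would want to look for.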