From anakata@tg.eyeque.org Fri Jun 22 08:42:38 2001
Date: Tue, 5 Jun 2001 11:18:56 +0200 (CEST)
From: anakata@tg.eyeque.org
To: project@honeynet.org
Subject: Scan of the Month June submission

Looking at the character distribution of the file, it was very likely that it was encrypted with a simple monoalphabetic cipher. Guessing that it was XOR (as it's very common), I first tried the old trick of guessing which character is the space, which works fine with normal text. When that failed, I simply wrote a small script to bruteforce the key, and at 0xff it outputted valid text, so I let it decrypt the whole file, which contained:

[file]
find=/dev/pts/01/bin/find
du=/dev/pts/01/bin/du
ls=/dev/pts/01/bin/ls
file_filters=01,lblibps.so,sn.l,prom,cleaner,dos,uconf.inv,psbnc,lpacct,USER
[ps]
ps=/dev/pts/01/bin/psr
ps_filters=lpq,lpsched,sh1t,psr,sshd2,lpset,lpacct,bnclp,lpsys
lsof_filters=lp,uconf.inv,psniff,psr,:13000,:25000,:6668,:6667,/dev/pts/01,sn.l,prom,lsof,psbnc
[netstat]
netstat=/dev/pts/01/bin/netstat
net_filters=47018,6668
[login]
su_loc=/dev/pts/01/bin/su
ping=/dev/pts/01/bin/ping
passwd=/dev/pts/01/bin/passwd
shell=/bin/sh
su_pass=l33th4x0r

This is obviously the configuration for a rootkit - I recognize the configuration file format from the kit that Dor@ircnet uses, and it's adapted for IRC activity (ports 6667, 6668 and 47018 are hidden; 6667 and 6668 are common IRC ports, while 47018 might presumably be the port of a bouncer (the process bnclp and the file psbnc are hidden)). It also reveals stacheldraht adoption, as it hides the process lpsched, which is stacheldraht's default argv[0].

It was obviously encrypted to prevent revealing its internals to an admin, and it also contains a non-hashed password to go from normal user -> root.

This was a very simple crypto - but cryptographically secure cryptos implemented in this way can be cracked easily as well, by disassembling, reverse engineering, etc. I didn't learn anything in particular - it was a lame crypto, old kit, etc.
It didn't take long to crack - the time required is difficult to estimate as it was done during class time with lots of pauses and such.
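The two steps the submission describes (the "which byte is the space" trick, then a 256-key brute force judged on whether the output looks like text) as an added, self-contained example. This is not the submitter's script and not part of the original message; the sample plaintext is a constructed fragment in the style of the decrypted config, XORed with 0xff, and the printable-ratio threshold and the LIKELY byte set used for ranking are my own choices. It also shows why the space trick fails on a file with no spaces, and why "all bytes printable" alone is not enough to pick the key.

```python
# Added example (not from the original submission): single-byte XOR key recovery.
from collections import Counter

# Constructed sample: INI-style text like the decrypted rootkit config, no spaces.
PLAINTEXT = (
    b"[file]\n"
    b"find=/dev/pts/01/bin/find\n"
    b"ls=/dev/pts/01/bin/ls\n"
    b"[login]\n"
    b"shell=/bin/sh\n"
)
KEY = 0xFF  # the key the submission reports
CIPHERTEXT = bytes(b ^ KEY for b in PLAINTEXT)

# Bytes we accept as "printable text": ASCII 0x20..0x7e plus tab, LF, CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
# Bytes we expect to dominate a Unix config file; used only to rank candidates
# (assumption: lowercase letters, digits, newline, space and a little punctuation).
LIKELY = set(b"abcdefghijklmnopqrstuvwxyz0123456789 \n/=.,_-:[]")


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (encrypt == decrypt)."""
    return bytes(b ^ key for b in data)


def space_guess(data: bytes) -> int:
    """The old trick: assume the most frequent ciphertext byte was a space (0x20)."""
    most_common, _ = Counter(data).most_common(1)[0]
    return most_common ^ 0x20


def printable_ratio(data: bytes) -> float:
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def likely_ratio(data: bytes) -> float:
    return sum(1 for b in data if b in LIKELY) / len(data)


def brute_force(data: bytes, threshold: float = 0.98):
    """Try all 256 keys; keep those whose output is (almost) all printable,
    best-ranked first.  Returns a list of (key, likely_ratio, plaintext)."""
    candidates = []
    for key in range(256):
        pt = xor_single(data, key)
        if printable_ratio(pt) >= threshold:
            candidates.append((key, likely_ratio(pt), pt))
    # Several keys can give fully printable output (e.g. one that flips a few
    # low bits turns letters into other letters), so rank by LIKELY density.
    candidates.sort(key=lambda c: c[1], reverse=True)
    return candidates


def recover_key(data: bytes, threshold: float = 0.98):
    """Mirror the submission's procedure: space trick first, brute force if it fails.
    Returns (method, key)."""
    key = space_guess(data)
    if printable_ratio(xor_single(data, key)) >= threshold:
        return ("space-trick", key)
    candidates = brute_force(data, threshold)
    if not candidates:
        raise ValueError("no single-byte XOR key yields printable text")
    return ("brute-force", candidates[0][0])


if __name__ == "__main__":
    method, key = recover_key(CIPHERTEXT)
    print(f"method={method} key=0x{key:02x}")
    print(xor_single(CIPHERTEXT, key).decode("ascii"))
    for k, r, _ in brute_force(CIPHERTEXT):
        print(f"  candidate 0x{k:02x}  likely={r:.2f}")
```

On this sample the most frequent byte is `/`, so the space trick proposes the wrong key (0xf0) and its output is not printable; the brute force then finds more than one key that yields all-printable bytes, and only the ranking by expected-byte density (or, as in the submission, looking at the output) singles out 0xff.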