From marcow@jena.eng.sun.com Fri Jun 22 08:42:56 2001
Date: Wed, 6 Jun 2001 00:34:36 -0700
From: Marco Walther
To: project@honeynet.org
Subject: Scan 16

Hi,

this was easy;-)

1. It's a simple `xor 0xff' for every character.

2. I looked at the file and realized that all the chars are >7f. So I expected something like bit-magic. After I started to count the occurrence of the different chars I decided to get a little help;-)

---------------------------------------------------------------------------
/* gcc -o count count.c
   ./count < */
#include <stdio.h>

int main(int argc, char *argv[])
{
    int c;
    int print;
    int array[256];   /* per-byte-value counts (int, so a large file cannot overflow a char) */

    for (c = 0; c < 256; c++) {
        array[c] = 0;
    }
    while ((c = getchar()) != EOF) {
        array[(unsigned char)c]++;
    }
    /* print every byte value that occurred; after the first hit, a '*' marks a gap */
    for (c = 0, print = 0; c < 256; c++) {
        if (array[c] != 0) {
            print = 1;
            printf("%02x\t%d\n", (unsigned char)c, array[c]);
        } else if (print != 0) {
            printf("*\n");
        }
    }
    return 0;
}
---------------------------------------------------------------------------

This little program will print the following:

---------------------------------------------------------------------------
86 1
87 1
88 2
89 11
8a 7
8b 28
8c 52
8d 11
8e 1
8f 34
90 10
91 29
92 2
93 28
*
*
96 24
97 6
98 3
99 14
9a 24
9b 18
9c 12
9d 14
9e 9
*
a0 6
*
a2 4
*
a4 4
*
*
*
*
*
aa 1
*
ac 1
ad 1
*
*
*
*
*
*
*
*
*
*
*
*
ba 1
*
*
*
*
*
*
*
c2 14
*
*
c5 4
*
c7 3
c8 2
c9 9
ca 1
cb 2
cc 3
cd 2
ce 13
cf 18
d0 45
d1 5
*
d3 30
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
f5 22
*
*
*
*
*
*
*
*
*
*
---------------------------------------------------------------------------

Once you realize that 0xf5 ^ 0xff --> 0x0a --> '\n' you're basically there.
I did two or three other conversions by hand and then wrote the next little program to help;-)

---------------------------------------------------------------------------
/* gcc -o convert convert.c
   ./convert < */
#include <stdio.h>

int main(int argc, char *argv[])
{
    int c;

    /* undo the obfuscation: every byte XORed with 0xff */
    while ((c = getchar()) != EOF) {
        putchar((unsigned char)c ^ 0xff);
    }
    return 0;
}
---------------------------------------------------------------------------

3. ./convert < somefine

---------------------------------------------------------------------------
[file]
find=/dev/pts/01/bin/find
du=/dev/pts/01/bin/du
ls=/dev/pts/01/bin/ls
file_filters=01,lblibps.so,sn.l,prom,cleaner,dos,uconf.inv,psbnc,lpacct,USER
[ps]
ps=/dev/pts/01/bin/psr
ps_filters=lpq,lpsched,sh1t,psr,sshd2,lpset,lpacct,bnclp,lpsys
lsof_filters=lp,uconf.inv,psniff,psr,:13000,:25000,:6668,:6667,/dev/pts/01,sn.l,prom,lsof,psbnc
[netstat]
netstat=/dev/pts/01/bin/netstat
net_filters=47018,6668
[login]
su_loc=/dev/pts/01/bin/su
ping=/dev/pts/01/bin/ping
passwd=/dev/pts/01/bin/passwd
shell=/bin/sh
su_pass=l33th4x0r
---------------------------------------------------------------------------

4. I think this file is the configuration (hide) script of the `SunOS Rootkit v2.5 (C) 1997-2001 Tragedy/Dor' (or a similar) rootkit. Its original name should have been `uconf.inv'. This file tells the various trojaned binaries what to hide from the user. This easy encryption is a way to hide its real purpose from somebody who may stumble over it, but does not need a lot of effort to read for the binaries it's intended for.

5. Keep your eyes open. Not everything uses military-grade encryption, and it can still be effective.

6. Around one hour.

Bonus question: I would not call this thing a `security toolkit'. Since you stated that this was from a Solaris box, this would be the `SunOS Rootkit v2.5 (C) 1997-2001 Tragedy/Dor' or similar.
Some references:

http://archives.neohapsis.com/archives/sf/sun/2001-q2/0088.html
http://archives.neohapsis.com/archives/incidents/2001-01/0154.html
http://www.tek-tips.com/gpviewthread.cfm/lev2/3/lev3/20/pid/60/qid/75974

There is also a Linux rootkit which looks like it's using the same mechanism:

http://www.sans.org/y2k/the_compromise.htm

Thanks,
-- Marco --
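The key-recovery step Marco did by hand (spotting that the encoded newline must be 0xf5), as an added example that is not part of his submission or the rootkit: it tries all 256 single-byte XOR keys against a constructed sample in the style of the decoded config and keeps the key whose output is plausible text. The sample text, `guess_xor_key` and `recover_sample_key` are this example's own names.

```c
/* Added example (not from Marco's post or the rootkit): automate the key
 * recovery he did by eye by trying all 256 XOR keys and keeping the one whose
 * output is all printable text with the most newlines. Assumes ASCII plaintext. */
#include <stdio.h>
#include <string.h>

/* Constructed sample in the style of the decoded config (not the real file). */
static const char sample_plain[] =
    "[file]\nfind=/dev/pts/01/bin/find\nls=/dev/pts/01/bin/ls\n"
    "[netstat]\nnet_filters=47018,6668\n";

/* Return the key whose decode is entirely printable ASCII, tab or newline and
 * contains the most newlines, or -1 if no key yields plausible text. */
int guess_xor_key(const unsigned char *buf, size_t len)
{
    int best_key = -1;
    size_t best_newlines = 0;
    for (int key = 0; key < 256; key++) {
        size_t newlines = 0;
        int text = 1;
        for (size_t i = 0; i < len && text; i++) {
            unsigned char c = buf[i] ^ (unsigned char)key;
            if (c == '\n')
                newlines++;
            else if (c != '\t' && (c < 0x20 || c > 0x7e))
                text = 0;                  /* control/non-ASCII byte: reject key */
        }
        if (text && newlines > best_newlines) {
            best_newlines = newlines;
            best_key = key;
        }
    }
    return best_key;
}

/* Obfuscate the sample with 0xff as the rootkit does, then recover the key. */
int recover_sample_key(void)
{
    size_t len = strlen(sample_plain);
    unsigned char enc[sizeof sample_plain];
    for (size_t i = 0; i < len; i++)
        enc[i] = (unsigned char)sample_plain[i] ^ 0xff;
    return guess_xor_key(enc, len);
}

int main(void)
{
    printf("recovered key: 0x%02x\n", recover_sample_key());
    return 0;
}
```

Because the plaintext has no tabs, the newline-count tie-break rejects the one other key (differing by 3) that also keeps every byte printable, so the result is unique for this input.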