From jct@EdelWeb.fr Fri Jun 22 08:43:00 2001
Date: Wed, 06 Jun 2001 18:10:31 +0200
From: Jean-Christophe Touvet
To: project@honeynet.org
Subject: Scan of the Month submission - June, 2001

OK folks, this is my first submission to your challenge.

----- Begin

1. Identify the encryption algorithm used to encrypt the file.

XOR 0xFF

2. How did you determine the encryption method?

It looked like an XORed ASCII text because there were only 45 different chars in the file. The high bits were easy to guess, then I tried 255 and bingo!

3. Decrypt the file, be sure to explain how you decrypted the file.

% perl -pe 's/./pack(C,unpack(C,$&)^0xFF)/ge' somefile
[file]
find=/dev/pts/01/bin/find
du=/dev/pts/01/bin/du
ls=/dev/pts/01/bin/ls
file_filters=01,lblibps.so,sn.l,prom,cleaner,dos,uconf.inv,psbnc,lpacct,USER
[ps]
ps=/dev/pts/01/bin/psr
ps_filters=lpq,lpsched,sh1t,psr,sshd2,lpset,lpacct,bnclp,lpsys
lsof_filters=lp,uconf.inv,psniff,psr,:13000,:25000,:6668,:6667,/dev/pts/01,sn.l,prom,lsof,psbnc
[netstat]
netstat=/dev/pts/01/bin/netstat
net_filters=47018,6668
[login]
su_loc=/dev/pts/01/bin/su
ping=/dev/pts/01/bin/ping
passwd=/dev/pts/01/bin/passwd
shell=/bin/sh
su_pass=l33th4x0r
%

4. Once decrypted, explain the purpose/function of the file and why it was encrypted.

It is a rootkit parameters file. It is encrypted because it defines which files / processes / ports should be hidden from ls / ps / netstat etc. It also gives the path of the trojaned binaries. The kind of file a system administrator should not be able to find easily. It also contains the hacker's trojan 'su' password.

5. What lesson did you learn from this challenge?

Solaris rootkits are becoming as powerful as Linux rootkits!

6. How long did this challenge take you?

15 minutes + several hours trying to find the rootkit's source.

Bonus Question: This encryption method and file are part of a security toolkit. Can you identify this toolkit?

I found some references about a similar rootkit in the securityfocus archive and in the following paper: http://www.sans.org/y2k/the_compromise.htm
'somefile' was probably the 'uconf.inv' file referenced in this paper as the Adore rootkit configuration file. However, I could not find the version of Adore using this syntax (latest version I found was 0.38).

----- End

That was very interesting, many thanks for the good work.

Cheers,

-JCT-

-- 
Jean-Christophe Touvet          EdelWeb S.A.  Groupe ON-X  +33 1 41 20 31 55
mailto:jct@edelweb.fr   http://www.edelweb.fr/   http://www.on-x.com/
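The steps the submission describes (noticing the small byte alphabet, guessing the high bit, trying 0xFF, then reading the [section]/key=value layout), as an added Python example that is not part of the submission, the challenge files, or the rootkit. The ciphertext is constructed inline by XORing a few lines of the decrypted configuration above with 0xFF so the script runs offline; the scoring alphabet in TEXT_CHARS and the helper names (rank_keys, parse_config, recover) are assumptions made for this example, not anything from the challenge. It goes one step beyond the write-up by ranking all 256 single-byte keys instead of guessing, which also shows why a plain "is it printable" test is not enough: several keys produce printable output, and only a scoring that rewards newlines and config-like characters singles out 0xFF.

```python
"""Single-byte XOR recovery for a rootkit configuration file.

Added example, not code from the submission or from the rootkit. The
ciphertext is constructed here by XORing a few lines of the decrypted
configuration above with 0xFF; against the real challenge file you would
read the bytes from disk instead.
"""
import string
from typing import Dict, List, Tuple

# Constructed sample: a subset of the decrypted configuration from the write-up.
PLAINTEXT_SAMPLE = b"""[file]
find=/dev/pts/01/bin/find
ls=/dev/pts/01/bin/ls
[ps]
ps=/dev/pts/01/bin/psr
ps_filters=lpq,lpsched,sh1t,psr
[login]
su_loc=/dev/pts/01/bin/su
su_pass=l33th4x0r
"""
CIPHERTEXT = bytes(b ^ 0xFF for b in PLAINTEXT_SAMPLE)

# Bytes a line-oriented ASCII config is expected to consist of
# (assumed scoring alphabet, chosen for this example).
TEXT_CHARS = set((string.ascii_letters + string.digits + " /=,.[]_-:\n").encode())


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call both encrypts and decrypts
    (this is what the Perl one-liner in the write-up does with 0xFF)."""
    return bytes(b ^ key for b in data)


def distinct_bytes(data: bytes) -> int:
    """Size of the byte alphabet. 45 distinct values in a file is far too few
    for real encryption and points at text under a byte-wise substitution."""
    return len(set(data))


def all_high_bit_set(data: bytes) -> bool:
    """If every ciphertext byte has bit 7 set while the plaintext is ASCII,
    the key has bit 7 set: the 'high bits were easy to guess' step."""
    return all(b & 0x80 for b in data)


def text_score(data: bytes) -> int:
    """Reward bytes from the text alphabet (newlines a little more), ignore
    other printable ASCII, and penalise control and non-ASCII bytes heavily."""
    score = 0
    for b in data:
        if b == 0x0A:
            score += 2
        elif b in TEXT_CHARS:
            score += 1
        elif 0x20 <= b <= 0x7E:
            score += 0
        else:
            score -= 5
    return score


def rank_keys(data: bytes, top: int = 3) -> List[Tuple[int, int]]:
    """Try all 256 keys and rank (key, score) pairs by text_score, best first."""
    scored = [(k, text_score(xor_single(data, k))) for k in range(256)]
    scored.sort(key=lambda ks: (-ks[1], ks[0]))
    return scored[:top]


def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the [section] / key=value layout of the decrypted file.
    Comma-separated filter lists are left as strings for the caller to split."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def recover(data: bytes) -> Tuple[int, Dict[str, Dict[str, str]]]:
    """Best-scoring key plus the parsed configuration it yields."""
    key = rank_keys(data, top=1)[0][0]
    return key, parse_config(xor_single(data, key).decode("ascii"))


if __name__ == "__main__":
    print("distinct byte values:", distinct_bytes(CIPHERTEXT))
    print("all high bits set:", all_high_bit_set(CIPHERTEXT))
    print("best keys:", [(hex(k), s) for k, s in rank_keys(CIPHERTEXT)])
    key, cfg = recover(CIPHERTEXT)
    print(f"key = {key:#04x}")
    for section, entries in cfg.items():
        for name, value in entries.items():
            print(f"{section}.{name} = {value}")
```

To use it on a real file, replace CIPHERTEXT with the bytes read from disk; rank_keys will show the runner-up keys, which for this sample are 0xFF's neighbours that flip only low bits, and the score gap between them and 0xFF is what makes the guess safe. The parsed result is what a responder actually wants from such a file: the list of trojaned binary paths and the filter strings that the replaced ls, ps, netstat and lsof hide, which double as indicators to search the rest of the host for.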