From Ralf.Hildebrandt@innominate.com Sun Sep 23 07:51:36 2001
Date: Mon, 10 Sep 2001 16:25:21 +0200
From: Ralf Hildebrandt
To: project@honeynet.org
Subject: Scan of the month

First I decoded the binary dump using:

% snort -d -r snort-0315@0005.log -l /tmp/data -A fast

1) The attackers used rpc.statd attack to get into the system. What
   modifications did they make to the break-in-process to both automate
   and make the process faster?

They queried the portmapper via port 111 to find out if a rpc.statd is
running, before trying the exploit:

03/16-03:21:24.995382 211.185.125.124:790 -> 172.16.1.108:111
UDP TTL:43 TOS:0x0 ID:29784 IpLen:20 DgmLen:84
Len: 64
41 26 95 DA 00 00 00 00 00 00 00 02 00 01 86 A0  A&..............
00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01  ................
                        ^^^^^^^^^^^ RPC portmap request status

2) What system/country did the badguys come in from?

211.185.125.124, see 172.16.1.108/TCP:39168-4450

It contains a recorded telnet session that shows what he did to install
the rootkit. Also, 211.185.125.124 is the source of the packets sent to
port 111 of the victim machine (see packet traces in 211.185.125.124).

211.185.125.124 is in the KRNIC netblock (Korea).

3) What nationality are the badguys, and how were you able to determine
   this?

Romania. They fetched "lk.tgz" from FTP.HOME.RO [193.231.236.41].
In the mail the rootkit sends to bidi_damm@yahoo.com there's some
Romanian language bits (e.g. "Spatiu Liber" for "free space").
I wouldn't use a Romanian language rootkit, if I wasn't Romanian...

4) What do the answers to questions #1 and #2 tell us about the tactics
   the badguys are using?

They use hacked machines as platforms for further exploits.

5) What did you learn from this challenge?

6) How long did this challenge take you?

Bonus Question:

7) Can you recover the blackhat's rootkit from the Snort binary log file?
   If so, how?

Yes, by processing the data stream from 172.16.1.108/TCP:1027-20

% egrep "^([0-9A-F]{2} ){8,16}.*" 172.16.1.108/TCP:1027-20 > datenstrom.new

and then use some python to re-assemble the binary data from the ascii
dump.

--
Ralf.Hildebrandt@innominate.com                innominate AG
+49.(0)30.308806-62                            fax: -77
networking people
The only "intuitive" interface is the nipple. After that, it's all learned.
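The "some python" step the post leaves out, as an added example that is not part of the original mail: it re-assembles raw bytes from Snort's ASCII hex dump (the same line shape the egrep above selects) and, on the portmap packet quoted in answer 1, decodes the ONC RPC GETPORT call to confirm it asks for program 100024 (status, i.e. rpc.statd). The sample dump is the three lines from the post; the helper names and the 1..16 byte-per-line range are my choices, not Snort's.

```python
import re
import struct

# Constructed sample: the portmap query quoted in the post (Snort -d output).
SNORT_DUMP = """\
03/16-03:21:24.995382 211.185.125.124:790 -> 172.16.1.108:111
UDP TTL:43 TOS:0x0 ID:29784 IpLen:20 DgmLen:84
Len: 64
41 26 95 DA 00 00 00 00 00 00 00 02 00 01 86 A0  A&..............
00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01  ................
"""

# A dump line starts with hex byte pairs; the post's egrep takes 8..16 per
# line, 1..16 also catches a short final line (assumption, not Snort's rule).
HEX_LINE = re.compile(r"^((?:[0-9A-F]{2} ){1,16})")


def reassemble(dump: str) -> bytes:
    """Turn Snort's ASCII hex dump back into the raw payload bytes."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


RPC_CALL, PMAP_PROG, PMAPPROC_GETPORT = 0, 100000, 3


def decode_portmap_getport(payload: bytes) -> dict:
    """Decode an ONC RPC CALL to portmapper GETPORT (XDR, big-endian)."""
    xid, mtype, _rpcvers, prog, _vers, proc = struct.unpack(">6I", payload[:24])
    if mtype != RPC_CALL or prog != PMAP_PROG or proc != PMAPPROC_GETPORT:
        raise ValueError("not a portmap GETPORT call")
    off = 24
    # Credentials and verifier: flavor, length, opaque body padded to 4 bytes.
    for _ in range(2):
        _flavor, length = struct.unpack(">II", payload[off:off + 8])
        off += 8 + ((length + 3) & ~3)
    # GETPORT arguments: the program and version the caller is looking for.
    target_prog, target_vers = struct.unpack(">II", payload[off:off + 8])
    return {"xid": xid, "program": target_prog, "version": target_vers}


if __name__ == "__main__":
    raw = reassemble(SNORT_DUMP)
    print(len(raw), "bytes;", decode_portmap_getport(raw))
```

For the FTP data stream the same `reassemble()` over the egrep output, written with `open("lk.tgz", "wb").write(...)`, gives back the transferred file, since that stream is in-order payload with no RPC framing to decode.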