From kriss@fnal.gov Sun Sep 23 07:53:06 2001
Date: Wed, 19 Sep 2001 16:44:42 -0500 (CDT)
From: Michael Kriss
To: project@honeynet.org
Subject: Scan 18

1. The attackers used rpc.statd attack to get into the system. What modifications did they make to the break in process to both automate and make the process faster?

It seems that the attackers scan all hosts on the network for the RPC portmapper process. If a host responds to the TCP probe on the sunrpc port the attackers immediately query the portmapper for the statd port. Once the statd port is obtained from the portmapper the exploit is launched at the statd port. The exploit code appears to be a slight modification to the code posted to Bugtraq on Aug 5, 2000 from ron1n. The first UDP packet to hit 172.16.1.108 causes a core dump. Since the client receives no reply from the dead rpc.statd, the client retries twice more (2 second delay before each resend). Finally, after a 5 second pause (coded into the client exploit code), the attacker connects to TCP port 39168 where a root shell awaits.

An initial scan from baccess-01-182.magna.com.au established a TCP connection to the portmapper port on host 172.16.1.103 but no exploit was attempted. Perhaps that scan was able to identify the OS as Solaris 2.7 and the attackers only had the Linux exploit. The successful attackers (from 211.185.125.124) also unsuccessfully attempted to exploit 172.16.1.103.

2. What system/country did the badguys come in from?

The attacking system was 211.185.125.124.
According to http://whois.nic.or.kr/whois/webapisvc, this system belongs to:

# ENGLISH
IP Address : 211.185.125.0-211.185.125.127
Network Name : KSPURIM-E
Connect ISP Name : PUBNET
Connect Date : 20001120
Registration Date : 20001129

[ Organization Information ]
Orgnization ID : ORG147082
Org Name : Kyongsan Purim Elementary School
State : KYONGBUK
Address : 171 puki-1ry jinrang-eup kyongsan-ci
Zip Code : 712-830

[ Admin Contact Information ]
Name : DAEDUN KYUN
Org Name : Kyongsan Purim Elementary School
State : KYONGBUK
Address : 171 puki-1ry jinrang-eup kyongsan-ci
Zip Code : 712-830
Phone : +82-53-851-9523
Fax : +82-53-851-9522
E-Mail : gum@hanmail.net

[ Technical Contact Information ]
Name : DAEDUN KYUN
Org Name : Kyongsan Purim Elementary School
State : KYONGBUK
Address : 171 puki-1ry jinrang-eup kyongsan-ci
Zip Code : 712-830
Phone : +82-53-851-9523
Fax : +82-53-851-9522
E-Mail : gum@hanmail.net

3. What nationality are the badguys, and how were you able to determine this?

I don't suspect that the badguys are Korean. All indications seem to point to them being Romanian. The ftp server that housed the root kit is a .ro site. The rootkit itself inserts Romanian IP addresses (193.231.139, 213.154.137, 193.254.34) into /dev/last. Finally some of the words in the install script appear to be Romanian.

4. What do the answers to questions #1 and #2 tell us about the tactics the badguys are using?

If my answer to #1 is correct the attackers may successfully exploit all vulnerable systems on a subnet in a short period of time. #2 tells me the attackers are trying to cover their tracks (attack originating from Korea rather than Romania).

5. What did you learn from this challenge?

This challenge, specifically the Bonus Question, was an excellent review of how TCP works (sequence numbers, retransmissions, etc.). I also learned much about tcpdump and many of its options.

6. How long did this challenge take you?

To answer questions 1-5 took about 8 hours.
Most of the time was spent scanning the snort log. I looked at time stamps, TCP connection establishment, TCP connection termination, etc. To recreate the root kit from the snort log took longer (maybe 40 hours). Now that I know what I'm doing I believe I could retrieve the file in a much shorter period (1-2 hours?).

Bonus Question: Can you recover the blackhat's rootkit from the Snort binary log file? If so, how?

Yes. I started out by stripping out the ftp-data packets from the snort log file:

% tcpdump -x -S -r snort-0315@0005.log -w ftp-data src port ftp-data

From here I hacked at the tcpdump source code. Knowing where the TCP data payload started allowed me to simply write to a binary file all of the TCP data. I used the TCP sequence numbers to properly position within my file before writing the data. With this seeking, all out-of-order packets and retransmissions were written correctly.

% ./tcpdump -x -S -r ftp-data > /dev/null
% ls -tl lk.tgz
-rw------- 1 kriss bp001 520333 Sep 19 16:39 lk.tgz
% file lk.tgz
lk.tgz: gzip compressed data, deflated, last modified: Fri Mar 2 21:09:06 2001, os: Unix
% tar ztvf lk.tgz
drwxr-xr-x 1031/users 0 2001-02-26 14:40:30 last/
-rwxr-xr-x 1031/users 611931 2002-02-08 07:08:13 last/ssh
-rw-r--r-- 1031/users 1 2001-02-26 09:29:58 last/pidfile
-rwx------ 1031/users 3713 2001-03-02 21:08:37 last/install
-rwx------ 1031/users 7165 2001-02-26 09:22:50 last/linsniffer
-rwxr-xr-x 1031/users 1345 1999-09-09 10:57:11 last/cleaner
-rw-r--r-- 1031/users 3278 2001-01-27 09:11:32 last/inetd.conf
-rwxr-xr-x 1031/users 79 2001-02-26 09:28:40 last/lsattr
-rw-r--r-- 1031/users 11407 2001-01-27 09:11:44 last/services
-rwxr-xr-x 1031/users 4060 2001-02-26 09:22:55 last/sense
-rw-r--r-- 1031/users 880 2000-10-22 14:29:44 last/ssh_config
-rw------- 1031/users 540 2000-10-22 14:29:44 last/ssh_host_key
-rw-r--r-- 1031/users 344 2000-10-22 14:29:44 last/ssh_host_key.pub
-rw------- 1031/users 512 2000-10-22 14:29:44 last/ssh_random_seed
-rw-r--r-- 1031/users 688 2001-02-26 09:29:51 last/sshd_config
-rwx------ 1031/users 8268 2001-02-26 09:22:59 last/sl2
-rwxr-xr-x 1031/users 4620 2001-02-26 09:23:10 last/last.cgi
-rwxr-xr-x 1031/users 33280 2001-02-26 09:23:33 last/ps
-rwxr-xr-x 1031/users 35300 2001-02-26 09:23:42 last/netstat
-rwxr-xr-x 1031/users 19840 2001-02-26 09:23:47 last/ifconfig
-rwxr-xr-x 1031/users 53588 2001-02-26 09:23:55 last/top
-rwx------ 1031/users 75 2001-02-26 09:24:03 last/logclear
-rw-r--r-- root/root 708 2001-03-02 21:05:12 last/s
-rwxr-xr-x 1031/users 632066 2001-02-26 08:46:04 last/mkxfs

michael
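The seek-by-sequence-number reassembly the bonus answer describes, written here as an added Python example rather than the submission's patched tcpdump: segments are placed at seq minus the first data sequence number, so out-of-order and retransmitted segments land correctly, and the result is checked the way `file lk.tgz` was (gzip magic bytes plus a clean decompression). The ISN, segment sizes and payload are constructed; a hole left by a segment missing from the log is reported rather than silently padded with zeros.

```python
import gzip
import random

def reassemble(isn, segments):
    """isn: the sender's initial sequence number (its SYN's seq), so the first
    data byte carries seq isn + 1. segments: (seq, payload) pairs in capture
    order, duplicates allowed. Returns (stream, list of unfilled offsets)."""
    buf = bytearray()
    seen = bytearray()                       # 1 where a byte has been written
    for seq, payload in segments:
        off = (seq - (isn + 1)) & 0xFFFFFFFF  # 32-bit seq space may wrap
        end = off + len(payload)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
            seen.extend(bytes(end - len(seen)))
        for i, b in enumerate(payload):       # retransmits only fill holes
            if not seen[off + i]:
                buf[off + i] = b
                seen[off + i] = 1
    holes = [i for i, s in enumerate(seen) if not s]
    return bytes(buf), holes

def recover_tarball(isn, segments):
    """Reassemble, then apply the same sanity check as `file lk.tgz`: gzip
    magic 1f 8b and a decompression with no error. None if the stream is
    incomplete or is not a gzip file."""
    data, holes = reassemble(isn, segments)
    if holes or data[:2] != b"\x1f\x8b":
        return None
    return gzip.decompress(data)

def capture(isn, content, mss, seed=0):
    """Constructed sample capture: split content into MSS-sized segments,
    deliver them shuffled and retransmit three of them, like a lossy
    ftp-data flow as it would appear in the Snort log."""
    segs = [((isn + 1 + off) & 0xFFFFFFFF, content[off:off + mss])
            for off in range(0, len(content), mss)]
    rng = random.Random(seed)
    rng.shuffle(segs)
    segs += rng.sample(segs, min(3, len(segs)))
    return segs

def demo(seed=1):
    """End-to-end run on constructed data; the ISN near 2^32 exercises
    sequence-number wraparound. Returns True when the tarball is recovered."""
    original = random.Random(seed).randbytes(3000)
    isn = 0xFFFFFFF0
    segs = capture(isn, gzip.compress(original), 536, seed)
    return recover_tarball(isn, segs) == original
```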