Scan of the Month Challenge, September 2001
project.honeynet.org

Target: 172.16.1.108
Source: 211.185.125.124

I initially suspected baccess-01-182.magna.com.au (203.111.78.182), as that host ran an rpc.statd scan, but it did not follow up.

The hackers overflowed rpc.statd and caused a root (uid 0) shell to listen on port 39168. They then downloaded a rootkit from ftp.home.ro (s1.home.ro) and uncompressed and untarred it into a directory named .last. The rootkit was then installed, whereupon it emailed back to base (and, judging by the file names, presumably installed a sniffer, cleaned some logs and set up an sshd listener).

1. The attackers used an rpc.statd attack to get into the system. What modifications did they make to the break-in process to both automate it and make it faster?

Some sort of scanner that scans a range of IPs for the rpc.statd vulnerability. It appears to automatically try to exploit rpc.statd if it finds the port open. I gleaned this from the fact that it tried the same thing on 172.16.1.103, so it looks to be automated.

2. What system/country did the bad guys come in from?

Korea.
IP Address : 211.185.125.0 - 211.185.125.127
Org Name : Kyongsan Purim Elementary School
Country : Korea

3. What nationality are the bad guys, and how were you able to determine this?

Several possibilities:

Korean? They came from a Korean machine. It was an elementary school, and this doesn't look like the work of primary school kids. Also, so many Korean boxes are compromised that they probably just bounced through there. Doubtful.

American? An email goes to a yahoo.com address. They (or someone) also tried to send an email to walterworks.com (a Texas hosting company) at the same time. Still, anyone can create a yahoo.com address. If not for further evidence this would be my guess.

Romanian? This guess is because of the preference for using a .ro server, but everyone uses .ro because of the lax monitoring/security. The convincing thing, though, is that the email and rootkit appear to be in Romanian (with a mix of English).
Therefore my most educated guess would be: Romanian.

4. What do the answers to questions #1 and #2 tell us about the tactics the bad guys are using?

They are smarter than the average script kiddie, as they look to have written some custom rootkit material. The scan and exploit are automated, as possibly are the ftp download and install. This would indicate it isn't a malicious attack but just a scan-and-compromise style operation. The email back to base, presumably to collect a database of available shells, is further confirmation of this.

5. What did you learn from this challenge?

New boxes should be secured before connecting to the net (actually old knowledge 8)
Romanians shouldn't be trusted 8)
There is a lot of 'noise' in the logs while looking for hack attempts (again old knowledge).

6. How long did this challenge take you?

About 45 minutes (mostly typing this file while going through the snort log).

Bonus Question: Can you recover the blackhat's rootkit from the Snort binary log file? If so, how?

Yes you can.
Easy way: use the ftp user and password from the captured data, connect to ftp.home.ro and download it for yourself.
Hard way: take all the ftp data (the port 20 traffic) and re-assemble it into one big file. If done correctly you should then be able to untar it for yourself.

Tools used:
Ethereal V0.8.17 (on Windows 2000) www.ethereal.com
UltraEdit-32 to create this file.

- Luke Butcher
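The "hard way" from the bonus answer, as an added worked example (editor's code, not part of Luke Butcher's submission or of the Honeynet challenge materials): a pure-Python carve of one direction of one TCP connection out of a libpcap file, the format Snort's binary logger writes and Ethereal reads. It orders segments by sequence number, drops bytes that a retransmission repeats, reports any holes, and opens the recovered bytes as a gzipped tarball. The capture it runs on is constructed inline: the FTP server address 10.0.0.5, the data port 1034 and the tarball contents are stand-ins, and the SYN to port 39168 is there only to show the same parser picking out connections to the backdoor. One caveat the submission does not spell out: the server's source port is 20 only for active-mode FTP; a passive transfer uses a high port announced in the PASV reply on the control channel (port 21), so read that first to learn which ports to carve.

```python
import io
import struct
import tarfile

ETH_HDR = 14   # the capture is assumed to be link type 1 (Ethernet)

def read_pcap(data):
    """Yield raw link-layer frames from a classic libpcap file held in memory."""
    magic = struct.unpack_from("<I", data, 0)[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)   # byte order that wrote the file
    if end is None:
        raise ValueError("not a libpcap capture")
    off = 24                                             # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def parse_tcp(frame):
    """Return (src, dst, sport, dport, seq, flags, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < ETH_HDR + 40 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = frame[ETH_HDR:]
    if ip[9] != 6:                                       # IP protocol field: 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    tcp = ip[ihl:total_len]                              # also trims any Ethernet padding
    sport, dport, seq, _ack, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
    return src, dst, sport, dport, seq, off_flags & 0x1FF, tcp[(off_flags >> 12) * 4:]

def reassemble(segments):
    """Order (seq, payload) segments of ONE direction of ONE connection into bytes.
    Drops retransmitted bytes, fixes out-of-order arrival, reports holes as
    (expected_seq, seq_seen). 32-bit sequence wrap is not handled."""
    segs = sorted((s for s in segments if s[1]), key=lambda s: s[0])
    data, gaps = bytearray(), []
    next_seq = segs[0][0] if segs else 0
    for seq, payload in segs:
        if seq > next_seq:                               # a segment is missing: note it
            gaps.append((next_seq, seq))
            next_seq = seq
        skip = next_seq - seq                            # bytes of this segment already seen
        if skip < len(payload):
            data += payload[skip:]
            next_seq = seq + len(payload)
    return bytes(data), gaps

def extract_stream(pcap_bytes, src, dst, sport, dport):
    """Carve one direction of one TCP connection out of a capture and reassemble it."""
    segs = [(p[4], p[6]) for p in map(parse_tcp, read_pcap(pcap_bytes))
            if p and p[:4] == (src, dst, sport, dport)]
    return reassemble(segs)

def connections_to_port(pcap_bytes, port):
    """(client, server) pairs that sent a bare SYN to the given server port."""
    return {(p[0], p[1]) for p in map(parse_tcp, read_pcap(pcap_bytes))
            if p and p[3] == port and (p[5] & 0x12) == 0x02}

def list_tar_members(blob):
    """Open a reassembled gzipped tarball from memory and list its member names."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return tar.getnames()

# Constructed sample capture below: stand-in addresses and content, not the real traffic.
def build_frame(src, dst, sport, dport, seq, flags, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums stay zero, which the parser ignores."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip

def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file with link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000_000 + i, 0, len(f), len(f)) + f
    return out

def sample_capture():
    """A gzipped tarball pushed from an assumed FTP server (10.0.0.5, port 20) to the honeypot
    on an assumed data port 1034, out of order with one retransmitted segment, plus one SYN
    to the port-39168 backdoor. Returns (pcap_bytes, original_tarball)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        body = b"#!/bin/sh\n# hypothetical rootkit installer, stand-in content\n"
        info = tarfile.TarInfo(".last/install")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    blob = buf.getvalue()
    chunks = [blob[i:i + 32] for i in range(0, len(blob), 32)]
    frames = [build_frame("10.0.0.5", "172.16.1.108", 20, 1034, 1000 + 32 * i, 0x18, c)
              for i, c in enumerate(chunks)]
    frames[1], frames[2] = frames[2], frames[1]          # out-of-order delivery
    frames.insert(3, frames[0])                          # retransmission of the first segment
    frames.append(build_frame("211.185.125.124", "172.16.1.108", 3456, 39168, 5000, 0x02, b""))
    return build_pcap(frames), blob

if __name__ == "__main__":
    pcap, original = sample_capture()
    recovered, holes = extract_stream(pcap, "10.0.0.5", "172.16.1.108", 20, 1034)
    print(recovered == original, holes, list_tar_members(recovered), connections_to_port(pcap, 39168))
```

On a real Snort binary log the call would be extract_stream(open("snort.log", "rb").read(), server_ip, "172.16.1.108", 20, data_port) with the data port taken from the PORT command on the control channel (or the server's PASV port for a passive transfer); a non-empty gaps list means Snort dropped a packet and the tarball will not gunzip, which is exactly when the "easy way" of fetching it again is the better route.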