Honeynet Scan of the month - September 2001

After I had downloaded & extracted the snort dump, I used ethereal to analyze the dump (snort logs its data in tcpdump format). Ethereal is very good for analyzing small dumps like this, although as it reads all data into memory when you load a file, it can be unwieldy for large dumps.

I also used snort, with it's ability to reprocess the dump file to break out the various connections into IP specific directories and text files. This gives you a good handle on which IP's have been producing the most traffic.

1. The attackers used rpc.statd attack to get into the system. What modifications did they make to the break in process to both automate and make the process faster?

The attackers appeared to use an automated tool to scan & compromise a range of IP addresses. You can see a range of attempted connections across the whole IP address range covered by the honeynet. Using ethereal you can see that the system at 172.16.1.103 replies to the portmap connection with the port for the rpc.statd service and the tool attempts the attack against this machine, but it does not look like it was successful. The system at 172.16.1.108 does fall victim to the attack. Y which opens a remote shell on port 39168. It is only seconds later when an inbound connection appears on this shell, and a command is sent to the shell. It is however several minutes before a is sent, and the shell runs the commands. You could assume that an automated tool has been run, which scans an IP address range looking for the rpc.statd vulnerability, and opens remote shells to those systems it compromises. It then sends a command, and waits for human intervention.

The commands are,

cd /; uname -a; id;

You can see the system sends the results back to the attacker. The system is a Linux 2.2.14 machine. The attacker is suid=0(root) gid=0(root) The attacker then uses ftp to connect to ftp.home.ro, login as user soane and downloads the file lk.tgz

The attacker then extracts this file

tar -zxvf lk.tgz

They then change directory into the extracted files (cd last) and install it (./install).

This done, they disconnect.

As a side note, the install script of the root kit bundles up some information from the system, and mails it to a couple of email addresses.

last@linuxmail.org
bidi_damm@yahoo.com

The attempt to send to the linuxmail address is unsuccessful, although the yahoo account works.

2. What system/country did the badguys come in from?

They connected from 211.185.125.124 which is an APNIC address. A look at the whois information for that IP address tells me that it is an Korean address. It is most likely that the machine is an already compromised machine that is being used to scan for other vulnerable machines. The attacker will be hoping that they will not be able to be traced if they do not use their own machine to perform the attack.

3. What nationality are the badguys, and how were you able to determine this?

The root kit has messages in what looks like Romanian, and the home.ro address is a Romanian web site. So it appears that the attackers could be Romanian. This is not certain though, they could have just been using someone else's root kit. As the attack came from a Korean IP address, it is not certain what nationality they are.

4. What do the answers to questions #1 and #2 tell us about the tactics the badguys are using?

The attackers are performing automated mass scans and attacks in order to compromise (own) as many machines as possible. They are attempting to cover their tracks be using machines they have already compromised to launch scans for other vulnerable machines. The information that is returned to the attacker on the installation of the rootkit will help them decide what to do with the machine. If it has enough bandwidth & disk space, it could be used as a throw away ftp site for warez, or mp3 storage or any other use you could put a well connected machine to. There is a good chance it could be used to perform DDOS attacks.

5. What did you learn from this challenge?

A successful attack can take a very short amount of time. I was quite surprised that the attack had been automated to such an extent. With a little bit more work the attack could have been fully automated, with the attacker able to install the root kit completely automatically. They would be able to set it going, and come back the next day to a list of fully compromised machines.

6. How long did this challenge take you?

The analysis and write-up took about 4 hours. I already had the tools on my machine, and I was familiar with their usage. I used snort & ethereal to perform this analysis.

Bonus Question: Can you recover the blackhat's rootkit from the Snort binary log file? If so, how?

Using the TCP Stream reconstruction tool in ethereal I can pull the data channel out of the dump file, and save it to an external file. This was partially successful. I was able to save the tgz file, and the size matched that observed during the attack (520333 bytes), but the tar file it contained had some errors on extraction. I am unsure what the errors in the file are, as the extracted file list matches that seen in the attackers connection.

The lk.tgz rootkit