Analysis by: Abraham Lincoln Hao
E-mail: Abraham@nssolution.net
Introduction:
- The analysis was performed on both the Linux and Windows operating systems.
1] Check the MD5 checksum of snort-0315@0005.log.tar.gz and extract the file.
[root@IDS forensic]# md5 snort-0315@0005.log.tar.gz
9b68e8ffade74bbf5ce0296a1977d111 snort-0315@0005.log.tar.gz
[root@IDS forensic]# tar -xzvf snort-0315@0005.log.tar.gz
snort-0315@0005.log
2] Tools used for the analysis:
- TcpDump - http://www.tcpdump.org
- Snort - http://www.snort.org
- Shellutil package (GNU development tool)
- Nmap - http://www.insecure.org
3] Decoded data from the snort binary log (snort-0315@0005.log):
- Packet dump of the snort-0315@0005.log binary
- Strings inside snort-0315@0005.log
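Both items above (the packet dump and the strings inside the log) can be carved straight from the file, because a Snort binary log is a libpcap capture. The following Python is an added example and not part of this analysis: it walks the pcap records, decodes Ethernet/IPv4/TCP, and joins the client-to-server payloads of one session so the commands typed by the intruder can be read in capture order. The capture it parses is constructed inline from TEST-NET addresses and a placeholder port; it is not data from snort-0315@0005.log.

```python
import struct

def build_pcap(packets):
    """Constructed libpcap file (little-endian, linktype 1 = Ethernet) from (ts, frame) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frm in packets:
        out += struct.pack("<IIII", ts, 0, len(frm), len(frm)) + frm
    return out

def tcp_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero because carving never checks them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip          # zero MAC addresses, EtherType IPv4

def tcp_payloads(data):
    """Yield (src, sport, dst, dport, payload) for every TCP segment that carries data."""
    magic, = struct.unpack_from("<I", data, 0)
    end = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"   # byte order of the file
    off = 24                                                   # skip the global header
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from(end + "IIII", data, off)
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":        # Ethernet II carrying IPv4 only
            continue
        ihl = (pkt[14] & 0x0F) * 4
        if pkt[23] != 6 or len(pkt) < 14 + ihl + 20:           # not TCP, or truncated header
            continue
        src = ".".join(map(str, pkt[26:30]))
        dst = ".".join(map(str, pkt[30:34]))
        tcp = pkt[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]                     # skip data offset * 4 bytes
        if payload:
            yield src, sport, dst, dport, payload

def session_transcript(data, server, port):
    """Join the payloads sent to server:port in capture order: the intruder's typed command stream."""
    return b"".join(p for s, sp, d, dp, p in tcp_payloads(data) if d == server and dp == port)

# Constructed sample capture: an interactive shell on a placeholder port between TEST-NET hosts.
ATTACKER, VICTIM, SHELL_PORT = "198.51.100.7", "192.0.2.10", 4321
SAMPLE_LOG = build_pcap([
    (1, tcp_frame(ATTACKER, VICTIM, 40001, SHELL_PORT, b"w\n")),
    (2, tcp_frame(VICTIM, ATTACKER, SHELL_PORT, 40001, b" 00:05:12 up 3 days, 1 user\n")),
    (3, tcp_frame(ATTACKER, VICTIM, 40001, SHELL_PORT, b"cd /tmp\n")),
])
```

Calling `session_transcript(SAMPLE_LOG, VICTIM, SHELL_PORT)` returns the two commands sent to the shell, and swapping the arguments for the attacker's address and port returns the server's replies.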
Question and Answer:
1] The attackers used an rpc.statd attack to get into the system. What modifications did they make to the break-in process to both automate it and make the process faster?
- They used an RPC vulnerability scanner to scan a range of IPs for hosts with RPC port 111 open, and used an rpc.statd exploit to break into the system. They then downloaded the rootkit from home.ro using the compromised server.
2] What system/country did the badguys come from?
- Based on the hosts collected from the packet logs, the attackers came from Australia (.au) and Korea (.kr). BUT it is possible that the attackers came from ROMANIA, because they downloaded the rootkit from HOME.RO, a Romanian domain, and the content of the site is in pure Romanian. But it is also possible that the account used on the home.ro FTP server is a compromised account.
- The attackers are using the Linux OS.
- The following information was gathered through samspade.org whois and DNS queries; the operating systems were determined through nmap and manual port connections.
Possible countries the badguys came from: Romania, Australia and Korea.
Collected attacker hosts and systems:
A] Host: baccess-01-182.magna.com.au - 203.111.78.182
System: Linux (probably Red Hat Linux)
B] Host: Kyongsan Purim Elementary School - 211.185.125.124
System: Red Hat Linux
A] baccess-01-182.magna.com.au - 203.111.78.182
Query: 203.111.78.182
Registry: whois.apnic.net
Results:
inetnum: 203.111.0.0 - 203.111.127.255
netname: DAVNET
descr: Davnet Telecommunications
descr: Level 7, 209 Castlereagh Street
descr: Sydney NSW 2000
country: AU
admin-c: DR15-AP
tech-c: DR15-AP
notify: routemaster@magna.com.au
mnt-by: APNIC-HM
mnt-lower: MAINT-AU-DAVNET
changed: em@magna.com.au 20001018
source: APNIC
person: DavTel Routemaster
address: 209 Castlereagh St
address: Sydney NSW 2000
address: -
address: Spam & Abuse: abuse@davnet.com.au
country: AU
phone: +61-2-9272-9600
fax-no: +61-2-9272-9664
e-mail: routemaster@davnet.com.au
nic-hdl: DR15-AP
mnt-by: MAINT-AU-DAVNET
changed: emilia.lambros@davnet.com.au 20010219
source: APNIC
B] Kyongsan Purim Elementary School - 211.185.125.124
Query: 211.185.125.124
Registry: whois.nic.or.kr
Results:
Korea Internet Information Service V1.0 (created by KRNIC, 2001.6)
IP Address: 211.185.125.0-211.185.125.127
Network Name: KSPURIM-E
Connect ISP Name: PUBNET
Connect Date: 20001120
Registration Date: 20001129
[ Organization Information ]
Orgnization ID: ORG147082
Org Name: Kyongsan Purim Elementary School
State: KYONGBUK
Address: 171 puki-1ry jinrang-eup kyongsan-ci
Zip Code: 712-830
[ Admin Contact Information ]
Name: DAEDUN KYUN
Org Name: Kyongsan Purim Elementary School
State: KYONGBUK
Address: 171 puki-1ry jinrang-eup kyongsan-ci
Zip Code: 712-830
Phone: +82-53-851-9523
Fax: +82-53-851-9522
E-Mail: gum@hanmail.net
[ Technical Contact Information ]
Name: DAEDUN KYUN
Org Name: Kyongsan Purim Elementary School
State: KYONGBUK
Address: 171 puki-1ry jinrang-eup kyongsan-ci
Zip Code: 712-830
Phone: +82-53-851-9523
Fax: +82-53-851-9522
E-Mail: gum@hanmail.net
3] What nationality are the badguys, and how were you able to determine this?
- Based on the data that has been gathered, the attackers' hosts came from Korea (.kr) and Australia (.au), so I assume that the attackers are based in Korea (.kr) and Australia (.au). BUT it is possible that these servers are compromised and used to perform attacks on other servers so that the attackers can bounce their attack; the .kr and .au hosts are both using the Linux OS. This method is very common in the blackhat community and is even used to perform DoS attacks.
- One thing I've noticed is that the attacker downloaded the LK.TGZ rootkit from the home.ro FTP server, so I assumed that the attacker is based in ROMANIA (.ro). Why? Because home.ro is a Romanian-based domain, and if you visit home.ro the language of the site's content is pure Romanian, so I assume that the attacker came from .ro. It is also possible that the account used on home.ro, whose username is soane, is itself a compromised account.
Possible nationality: Romanian, Australian and Korean.
4] What do the answers to questions #1 and #2 tell us about the tactics the badguys are using?
- The tactics that the badguys used are pretty straightforward and common to most attackers (script kids or not). The tactics being used by the badguys are: 1st, it is possible that they bounce their attacks from other hosts in order to hide their IPs or attacking hosts; 2nd, they are using hosts that they have compromised to scan for vulnerable hosts; 3rd, the attackers used an RPC vulnerability scanner to scan a certain range of IPs for hosts with RPC port 111 open; and 4th, the attackers used an rpc.statd exploit to compromise the server.
5] What did you learn from this challenge?
- I've learned how to analyze packets well from packet logs and how to extract the contents of the packet logs: what tool or exploit was used to compromise the server, what type of rootkit was used, what vulnerability scanner was used, what type of rootkits were installed and what the attackers did to the system after it was compromised.
- The main lesson learned: always install the latest security patches on your system, be aware of the latest vulnerabilities and be proactive.
6] How long did this challenge take you?
- It took me 4 hours to finish this challenge, including extracting the snort log in binary format and answering all the questions.
Bonus Question:
Can you recover the blackhat's rootkit from the Snort binary log file? If so, how?
- NO, because the binary log is purely packet logs at the application layer and logs everything the attackers have done to the system, including how they compromised it, what commands the attacker used, etc... (correct me if I'm wrong ;).
References and Resources:
http://www.snort.org
http://project.honeynet.org/scans/scan15/ - Scan 15: Recover a deleted rootkit
http://www.samspade.org
http://www.tcpdump.org
http://www.insecure.org
=====================================================================================
Name: Abraham Lincoln Hao
Contact: Abraham@nssolution.net / KnowledgeBase@lycos.com
IRC: Undernet #DDN #IDS #nssolution (Abraham@nssolution.net)