In the last section, we listed every deleted file that is still present on the partition, but they were presented by inode number instead of by their friendly filenames. To discover which filename goes with which inode number, we must read the content of the root directory's inode table. To find out which inode number the root directory has, we mount the partition and check with ls -il.
[gfk@cesam honeynet]$ su
Password:
[root@cesam honeynet]# mount -o ro,loop,nodev,noexec honeypot.hda8.dd mnt
[root@cesam honeynet]# exit
[gfk@cesam honeynet]$ ls -il
total 265313
49249 -rw-r-----    1 gfk      gfk           471 Apr 26 17:45 README
49248 -rw-r-----    1 gfk      gfk     271401984 Mar 16 12:43 honeypot.hda8.dd
    2 drwxr-xr-x   18 root     root         1024 Mar 15 20:45 mnt
We can see that the folder mnt has inode number 2 and was last modified on March 15th at 20:45 (8:45 PM).
All we have to do is list the content of inode 2 to get all the information about the content of the root directory. Since we know that the rootkit we are looking for is in the root directory, we can hope to discover its name and inode number by looking into the root directory's inode table.
However, the data contained in the inode table is raw binary, which makes it harder to read. The easiest way to read the content of the inode is to pipe it into od. Here we make two tries, one with the -c flag, to print the output as characters (ASCII), and the other with the -x flag, to print the output in hexadecimal.
[gfk@cesam scan15]$ tct-1.06/bin/icat honeynet/honeypot.hda8.dd 2 | od -c
0000000 002  \0  \0  \0  \f  \0 001 002   .  \0  \0  \0 002  \0  \0  \0
0000020  \f  \0 002 002   .   .  \0  \0  \v  \0  \0  \0 024  \0  \n 002
0000040   l   o   s   t   +   f   o   u   n   d  \0  \0 017  \0  \0
0000060  \f  \0 004 002   b   o   o   t   a 037  \0  \0  \f  \0 004 002
0000100   h   o   m   e 021   /  \0  \0  \f  \0 003 002   u   s   r  \0
0000120   >  \0  \0  \f  \0 003 002   v   a   r  \0   q   N  \0  \0
0000140  \f  \0 004 002   p   r   o   c   I   V  \0  \0  \f  \0 003 002
0000160   t   m   p  \0   !   ^  \0  \0  \f  \0 003 002   d   e   v  \0
0000200   e  \0  \0  \f  \0 003 002   e   t   c  \0   u  \0  \0
0000220  \f  \0 003 002   b   i   n  \0   Y 205  \0  \0  \f  \0 003 002
0000240   l   i   b  \0  \t 225  \0  \0  \f  \0 003 002   m   n   t  \0
0000260 221  \0  \0  \f  \0 003 002   o   p   t  \0   i  \0  \0
0000300  \f  \0 004 002   r   o   o   t   A  \0  \0  \f  \0 004 002
0000320   s   b   i   n   b  \0  \0   , 003 006 002   f   l   o   p
0000340   p   y  \0  \0 027  \0  \0  \0 034 003 006 001   l   k   .   t
0000360   g   z  \0  \0  \a  \0  \0  \f 003 004 002   l   a   s   t
0000400  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
*
0002000
[gfk@cesam scan15]$ tct-1.06/bin/icat honeynet/honeypot.hda8.dd 2 | od -x
0000000 0002 0000 000c 0201 002e 0000 0002 0000
0000020 000c 0202 2e2e 0000 000b 0000 0014 020a
0000040 6f6c 7473 662b 756f 646e 0000 0fb1 0000
0000060 000c 0204 6f62 746f 1f61 0000 000c 0204
0000100 6f68 656d 2f11 0000 000c 0203 7375 0072
0000120 3ec1 0000 000c 0203 6176 0072 4e71 0000
0000140 000c 0204 7270 636f 5649 0000 000c 0203
0000160 6d74 0070 5e21 0000 000c 0203 6564 0076
0000200 65f9 0000 000c 0203 7465 0063 75a9 0000
0000220 000c 0203 6962 006e 8559 0000 000c 0203
0000240 696c 0062 9509 0000 000c 0203 6e6d 0074
0000260 ac91 0000 000c 0203 706f 0074 b469 0000
0000300 000c 0204 6f72 746f bc41 0000 000c 0204
0000320 6273 6e69 eb62 0000 032c 0206 6c66 706f
0000340 7970 0000 0017 0000 031c 0106 6b6c 742e
0000360 7a67 0000 07f6 0000 030c 0204 616c 7473
0000400 0000 0000 0000 0000 0000 0000 0000 0000
*
0002000
Okay, this is still pretty hard to read, but we can start to see some filenames in the ASCII output. To dissect the content of this inode, we must first understand what it is (duh). To do so, we could buy an expensive book about the Second Extended File System (ext2fs), but since we are poor (well, at least I am), the Net is so nice, and we don't want to kill a tree, we search for online ext2 documentation and find what we are looking for.
Directories are special files that are used to create access paths to the files on disk. It is very important to understand that an inode may have many access paths. Since directories are an essential part of the file system, they have a specific structure. A directory file is a list of entries of the following format:

struct ext2_dir_entry {
    unsigned long  inode;
    unsigned short rec_len;
    unsigned short name_len;
    char           name[EXT2_NAME_LEN];
};

inode     points to the inode of the file.
rec_len   length of the entry record.
name_len  length of the file name.
name      name of the file.

There is such an entry in the directory file for each file in the directory. Since ext2fs is a Unix file system, the first two entries in the directory are the files `.' and `..', which point to the current directory and the parent directory respectively.
Knowing this, we can try to reformat the dump so that it is more readable.
od -c                                            | od -x                                             | inode
002 \0 \0 \0 \f \0 001 002 . \0 \0 \0            | 0002 0000 000c 0201 002e 0000                     | (inode=2)
002 \0 \0 \0 \f \0 002 002 . . \0 \0             | 0002 0000 000c 0202 2e2e 0000                     | (inode=2)
\v \0 \0 \0 024 \0 \n 002 l o s t + f o u n d \0 \0 | 000b 0000 0014 020a 6f6c 7473 662b 756f 646e 0000 | (inode=11)
017 \0 \0 \f \0 004 002 b o o t                  | 0fb1 0000 000c 0204 6f62 746f                     | (inode=4017)
a 037 \0 \0 \f \0 004 002 h o m e                | 1f61 0000 000c 0204 6f68 656d                     | (inode=8033)
021 / \0 \0 \f \0 003 002 u s r \0               | 2f11 0000 000c 0203 7375 0072                     | (inode=12049)
> \0 \0 \f \0 003 002 v a r \0                   | 3ec1 0000 000c 0203 6176 0072                     | (inode=16065)
q N \0 \0 \f \0 004 002 p r o c                  | 4e71 0000 000c 0204 7270 636f                     | (inode=20081)
I V \0 \0 \f \0 003 002 t m p \0                 | 5649 0000 000c 0203 6d74 0070                     | (inode=22089)
! ^ \0 \0 \f \0 003 002 d e v \0                 | 5e21 0000 000c 0203 6564 0076                     | (inode=24097)
e \0 \0 \f \0 003 002 e t c \0                   | 65f9 0000 000c 0203 7465 0063                     | (inode=26105)
u \0 \0 \f \0 003 002 b i n \0                   | 75a9 0000 000c 0203 6962 006e                     | (inode=30121)
Y 205 \0 \0 \f \0 003 002 l i b \0               | 8559 0000 000c 0203 696c 0062                     | (inode=34137)
\t 225 \0 \0 \f \0 003 002 m n t \0              | 9509 0000 000c 0203 6e6d 0074                     | (inode=38153)
221 \0 \0 \f \0 003 002 o p t \0                 | ac91 0000 000c 0203 706f 0074                     | (inode=44177)
i \0 \0 \f \0 004 002 r o o t                    | b469 0000 000c 0204 6f72 746f                     | (inode=46185)
A \0 \0 \f \0 004 002 s b i n                    | bc41 0000 000c 0204 6273 6e69                     | (inode=48193)
b \0 \0 , 003 006 002 f l o p p y \0 \0          | eb62 0000 032c 0206 6c66 706f 7970 0000           | (inode=60258)
027 \0 \0 \0 034 003 006 001 l k . t g z \0 \0   | 0017 0000 031c 0106 6b6c 742e 7a67 0000           | (inode=23)
\a \0 \0 \f 003 004 002 l a s t \0 \0            | 07f6 0000 030c 0204 616c 7473 0000                | (inode=2038)
\0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0        | 0000 0000 0000 0000 0000 0000 0000                |
If we compare this to the files that are still present:
[gfk@cesam mnt]$ ls -i
30121 bin      60258 floppy      38153 mnt     48193 sbin
 4017 boot      8033 home        44177 opt     22089 tmp
24097 dev      34137 lib         20081 proc    12049 usr
26105 etc         11 lost+found  46185 root    16065 var
We can see that the files lk.tgz and last were deleted. By looking at the inode table (directory), we see that the inode for the file lk.tgz is 0x0017, that is 23 in decimal, and that the folder last had inode 0x07f6, that is 2038 in decimal.
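As an added example (not part of the original write-up), the Python below rebuilds the directory block from the od -x dump above, walks the rec_len chain to list the live entries, and then scans the slack space inside oversized records to recover the deleted names. It assumes the ext2_dir_entry_2 layout used by the Linux kernel, in which the 16-bit name_len of the struct quoted above is really an 8-bit name_len followed by an 8-bit file_type (1 = regular file, 2 = directory), which is why the `.' entry shows 0201.

```python
import struct
# Constructed from the od -x dump on this page: the first 256 bytes of the ext2
# root directory (inode 2); the rest of its 1024-byte block is all zero.
OD_X_WORDS = """
0002 0000 000c 0201 002e 0000 0002 0000  000c 0202 2e2e 0000 000b 0000 0014 020a
6f6c 7473 662b 756f 646e 0000 0fb1 0000  000c 0204 6f62 746f 1f61 0000 000c 0204
6f68 656d 2f11 0000 000c 0203 7375 0072  3ec1 0000 000c 0203 6176 0072 4e71 0000
000c 0204 7270 636f 5649 0000 000c 0203  6d74 0070 5e21 0000 000c 0203 6564 0076
65f9 0000 000c 0203 7465 0063 75a9 0000  000c 0203 6962 006e 8559 0000 000c 0203
696c 0062 9509 0000 000c 0203 6e6d 0074  ac91 0000 000c 0203 706f 0074 b469 0000
000c 0204 6f72 746f bc41 0000 000c 0204  6273 6e69 eb62 0000 032c 0206 6c66 706f
7970 0000 0017 0000 031c 0106 6b6c 742e  7a67 0000 07f6 0000 030c 0204 616c 7473
"""
def block_from_od_x(words, size=1024):
    # od -x prints each 16-bit word byte-swapped, so reverse every pair.
    raw = b"".join(bytes.fromhex(w)[::-1] for w in words.split())
    return raw.ljust(size, b"\0")

def parse_entry(block, off):
    # ext2_dir_entry_2 header: inode u32, rec_len u16, name_len u8, file_type u8
    # (1 = regular file, 2 = directory); the name follows, not NUL-terminated.
    inode, rec_len, name_len, ftype = struct.unpack_from("<IHBB", block, off)
    name = block[off + 8:off + 8 + name_len].decode("ascii", "replace")
    return inode, rec_len, name_len, ftype, name

def entry_size(name_len):
    return (8 + name_len + 3) & ~3      # header + name, padded to 4 bytes

def live_entries(block):
    # Follow the rec_len chain: exactly the names the kernel (and ls) still see.
    out, off = [], 0
    while off + 8 <= len(block):
        inode, rec_len, name_len, ftype, name = parse_entry(block, off)
        if rec_len < 8 or rec_len % 4: break    # corrupt chain: stop, don't loop
        out.append((off, inode, rec_len, name_len, ftype, name))
        off += rec_len
    return out

def deleted_entries(block):
    # ext2 unlinks a name by growing the previous record's rec_len over it, so
    # the victim survives in the slack between a live name and the next record.
    out = []
    for off, _, rec_len, name_len, _, _ in live_entries(block):
        pos = off + entry_size(name_len)
        while pos + 8 <= off + rec_len:
            inode, _, nlen, ftype, name = parse_entry(block, pos)
            if inode == 0 or nlen == 0 or pos + 8 + nlen > off + rec_len: break
            out.append((pos, inode, ftype, name))
            pos += entry_size(nlen)
    return out
```

Note that floppy's rec_len of 0x032c (812) runs from offset 212 to the end of the 1024-byte block: ext2 removes a name by extending the previous record over it, so lk.tgz and last stay readable in that gap until something overwrites them.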