Hi.

These are my results for Scan of the month October 2001 (Scan 19)

Regards,
Ichinin
_________________________________________________________________________________________________


Scan of the month; October 2001 (Scan19)

1. Which vulnerability did the intruder exploit?

It looks like a WUFTP attack. The exploit spawned a shell under UID 0 that allows... well, pretty much anything the intruder wants to do, like modifying the "nobody" account to have a blank password ("passwd nobody -d") and creating a backup account "dns", also with a blank password. (See below; the /etc/passwd and /etc/shadow files were modified.)

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

2. What ways, and in what order, did the intruder use to connect and run commands on the system?

A) First there are many probes on different ports from a range of systems; this could indicate that a distributed scan is taking place, using many compromised hosts. Interesting is that I saw no web exploits being used(!)
B) Then there was the initial compromise: the WUFTP server was toasted.
C) The telnet session from 217.156.93.166 to 192.168.1.102 did the rest: the download, compilation and installation of the rootkit and the other tools.

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

3. How did the intruder try to hide his edits from the MAC times?

The intruder used a logcleaner that was supposed to clear all the logs, except for the SYSLOG (which was not stored on the compromised system; I think he/she became aware of the remote logging when this happened). I *THINK*, I'm not sure, that a virtual device (/dev/rd/sdc0/Zer0) was used to store the rootkits so that they would not be detected so easily. (I admit it: I'm too Windows-damaged.)

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

4. The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?

Yup. The "Zer0.tar.gz" archive contains a rootkit: "ADORE" (v0.33) and "tornKit". The "copy.tar.gz" archive contains various tools (Smurf amplifier, SSH client, FTP scanner etc.).
The rootkits did the usual "reporting back to base": an SMTP session to Hotmail, hatcheryhatched@hotmail.com.

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

5. Recover (tell how you did it too) the rootkits from the snort binary capture

I loaded the Snort log into Ethereal (that takes, say, forever), selected "Follow TCP Stream" on FTP Data (TCP/20), and saved as .TGZ. I found that there were 2 separate downloads:

  Zer0.zip (139711 bytes, ZIP compressed)
  copy.zip (265189 bytes, ZIP compressed)

(Now: I COULD have FTP'd into teleport.go.ro and fetched the files easily, but that would make me a criminal.)

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

6. What does the rootkit do to hide the presence of the attacker on the system?

It contains a function that removes entries from certain files:

  File             Managed to delete records?
  ---------------  --------------------------
  boot.log         Unsuccessful
  boot.log.1       Successful
  cron             Successful
  cron.1           Successful
  dmesg            Successful
  htmlaccess.log   Unsuccessful
  maillog          Unsuccessful
  maillog.1        Successful
  messages         Unsuccessful
  messages.1       Successful
  netconf.log      Unsuccessful
  secure           Unsuccessful
  secure.1         Successful
  sendmail.st      Unsuccessful
  spooler          Unsuccessful
  spooler.1        Unsuccessful
  xferlog          Unsuccessful
  xferlog.1        Unsuccessful

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

7. What did you learn from this exercise?

To load the Snort binary logs into Ethereal and get WAY MORE info than I would get by just loading them into Notepad(!)

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

8. How long did this challenge take you?

2 hours research. 3 hours writeup. 1 hour rechecking. = 6 hours.

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

References:
- SYSLOG = "slog2.log"
- SNORTLOG = "newdat3.log"

Tools used:
- Ethereal v?.? (latest version from the site)
- Arjfolder v3.65 (can view/uncompress Tar and GZip files under Windows)
- Notepad v?.?

My "fluff" now follows:

First: I'm VERY confused as to the use of Gnutella ACK packets; NS1 answers these with RST+ACK. Except for confusing the hell out of us, I cannot find any logical conclusion for this kind of traffic. What would an ACK scan accomplish?!?!!?!

___________________________________________________________________________________________

- A rootkit was installed (Adore); interesting is that it was compiled on site. It allowed customisation of the code according to this:

  "Since version 0.33 Adore requires 'authentication' for its services. You will be prompted for a password now and this password will be compiled into 'adore' and 'ava' so no further actions by you are required. This procedure will save adore from scanners."

  * Where the intruder chose "labutza".
  * It looks like this one features a sniffer as well: "sniffer running!" (Would not be surprising, since it's dead easy to write a packet sniffer under Linux, in contrast to Windows.)

The intruder did 3 compilations to get it up and running:

  cc -c -I/usr/src/linux/include -O2 -Wall -DELITE_CMD=107613 -DELITE_UID=30 -DCURRENT_ADORE=39 -DADORE_KEY=\"labutza\" -DMODVERSIONS adore.c -o adore.o
  cc -O2 -Wall -DELITE_CMD=107613 -DELITE_UID=30 -DCURRENT_ADORE=39 -DADORE_KEY=\"labutza\" -DMODVERSIONS ava.c libinvisible.c -o ava
  cc -I/usr/src/linux/include -c -O2 -Wall -DELITE_CMD=107613 -DELITE_UID=30 -DCURRENT_ADORE=39 -DADORE_KEY=\"labutza\" -DMODVERSIONS cleaner.c

___________________________________________________________________________________________

Involved systems:

  IP               Name                                        Instance        Source
  ---------------  ------------------------------------------  --------------  --------
  24.17.45.29      (@home)                                     ISAKMP          SNORTLOG
  24.248.173.56    (@home)                                     DNS             SNORTLOG
  63.168.30.92     (Sprint)                                    NBName          SNORTLOG
  128.175.106.24   (was assigned to                            Gnutella        SNORTLOG
                   host106-24.student.edel.edu when I looked)
  138.86.152.104   (Univnorthco.edu)                           Netbios         SNORTLOG
  172.136.23.164   (AC8817A4.ipt.aol.com)                      FTP Session     SYSLOG
  192.168.1.102    (ns1)                                       Many sessions   SNORTLOG
  206.75.218.84    (Istar/Videotron)                           Telnet          SNORTLOG
  207.35.251.172   (GRICS, BLine Tech Svc)                     Many Sessions   SYSLOG
  207.50.37.225    (C&W, TAC Communications)                   NBName          SNORTLOG
  208.179.195.130  (Pajo grp, SantaMaria produce)              Dns             SNORTLOG
  210.114.220.46   (Yeomyong Cable broadcasting)               Portmapper      SNORTLOG
                   (http://whois.nic.or.kr/english/index.html)
  217.156.93.166   (MIDO, IPMEX (Romania))                     Telnet Session  SYSLOG
  193.231.236.42   (Romania Datasystems)                       FTP Session     BOTH
                   (aka: Teleport.go.ro)

Note:
-----
217.156.93.166 = manual input detected (i.e. telnet).
207.35.251.172 = executed WUFTP exploit.

Please compare:
---------------
193.231.236.42 teleport.go.ro, this month's Romanian FTP server.
to
193.231.236.41 ftp.home.ro, last month's Romanian FTP server.

___________________________________________________________________________________________

I suspect like [SYSLOG:Packet56] suspects: "FingerD[8690]: Client hungup - probable port-scan". The sheer number of port probes and different IPs could suggest a distributed port prober (i.e. proxy based). However, in [SNORTLOG], there is a [SYN] + [ACK/RST] sequence with incremental port numbers, that could very well be a portscan as well.

___________________________________________________________________________________________

[SYSLOG:Packet7] reports:
-----------------------
A connection from: AC8817A4.ipt.aol.com [172.136.23.164]
rpc.statd[318]: gethostbyname error for "^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿bffff71080497109090909068746567 6274736f6d616e797265206520726f7220726f66"
<- rpc.statd exploit??? (21 junk bytes + overflow code in hex)

  + SPACES (chr 32) <- DELETED
  ff ff 71 08 04 97 10 90                                   <- todo: check with x86 asm code.
  90 90 90 68 74 65 67 62 74 73 6f 6d 61 6e 79 72 65 20 65 20 72 6f 72 20 72 6f 66

___________________________________________________________________________________________

[SYSLOG:Packet71] indicated that the intruder changed the password for "nobody" to a null password(!)

___________________________________________________________________________________________

SNORTLOG:Packet indicated that another account, "dns", was created with a blank password.

___________________________________________________________________________________________

The SMTP session over Hotmail (hatcheryhatched@hotmail.com) transmits some system info:

"ns1 RKstatus: 24
Name: Linux ns1 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown
IfConfig: inet addr:192.168.1.102 Bcast:192.168.1.255 Mask:25=
5.255.255.0
inet addr:127.0.0.1 Mask:255.0.0.0
Uptime: 5:01am up 3 days, 11:10, 1 user, load average: 0.04, 0.04, 0=
=2E00
Cpu Vendor ID: vendor_id : GenuineIntel
Cpu Speed: cpu MHz : 327.909610
Bogomips: bogomips : 187.19
Hard disk free space: Filesystem Size Used Avail Use% Mounted=
on
/dev/hda1 421M 369M 30M 92% /"

The "/etc/passwd" file:

"root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
named:x:25:25:Named:/var/named:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
john:x:500:500:John:/home/john:/bin/bash
dns:x:0:0::/bin:/bin/bash"

Now, what looks like the "/etc/shadow" file:

root:$1$SC5o0bc.$hD0izKXWmEZWK3ZZQOg9z1:11577:0:99999:7:-1:-1:134539276
bin:*:11577:0:99999:7:::
daemon:*:11577:0:99999:7:::
adm:*:11577:0:99999:7:::
lp:*:11577:0:99999:7:::
sync:*:11577:0:99999:7:::
shutdown:*:11577:0:99999:7:::
halt:*:11577:0:99999:7:::
mail:*:11577:0:99999:7:::
news:*:11577:0:99999:7:::
uucp:*:11577:0:99999:7:::
operator:*:11577:0:99999:7:::
games:*:11577:0:99999:7:::
gopher:*:11577:0:99999:7:::
ftp:*:11577:0:99999:7:::
nobody::11577:0:99999:7:-1:-1:134532692
xfs:!!:11577:0:99999:7:::
named:!!:11577:0:99999:7:::
postgres:!!:11577:0:99999:7:::
john:$1$yxVGaPxi$l49rrYul6ZuSXjjPkTBrX0:11577:0:99999:7:-1:-1:134539276
dns::11581:0:99999:7:-1:-1:4

What we can see here is that the "nobody" and "dns" accounts have a blank (::) password, i.e. telnet into the server and it won't even ask for one.

___________________________________________________________________________________________

** FTP session 217.156.93.166 [?] -> via NS1 [192.168.1.102] -> teleport.go.ro [193.231.236.42]

USER "teleport"
PASS "gunoierul"

Files accessed:
  "Zer0.tar.gz" (139711 bytes)
  "copy.tar.gz" (265189 bytes)

Interesting: a script named TLS (in tls.tgz in Zer0.tar.gz) installs a (possibly) vulnerable version of the WU FTP server, v2.6.0:

  rpm -Fhv ftp://194.109.6.22/pub/mirror/redhat/updates/6.2/en/os/i386/wu-ftpd-2.6.0-14.6x.i386.rpm

Perhaps the rest of the files are vulnerable too, or our intruder is getting security conscious to make sure that no one will root the system after him/her... If the latter is the case, the system has never been more secure than now :o)

___________________________________________________________________________________________

It also looks like the intruder has started wondering why he/she can compromise the honeynet systems so easily. Beware; soon you won't be able to trust your own syslog servers(!)

"checking for remote logging...
holy guacamole batman
REMOTE LOGGING DETECTED
I hope you can get to these other computer(s):
000.000.00.000
cuz this computer is LOGGING to it..."

______________________________________________________________________________

Files were placed on /dev/rd/sdc0/Zer0:

.t0rn/
.t0rn/shhk
.t0rn/shrs
.t0rn/shhk.pub
.t0rn/shsml
.t0rn/sharsed
.t0rn/shdcf2
.t0rn/shhash

______________________________________________________________________________
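Editor's added example (not part of Ichinin's submission): question 5 recovers the two archives by following the FTP-DATA (TCP/20) stream in Ethereal. The script below does the same job without a GUI, on a pcap image it builds in memory: it reads the libpcap record headers, walks Ethernet/IPv4/TCP, groups payload per flow, orders it by sequence number, drops a retransmitted segment, and checks that what comes out starts with the gzip magic and inflates. The capture, the client port 1026 and the archive contents are constructed stand-ins; nothing here is taken from newdat3.log, which would need the real file on disk.

```python
import gzip
import struct
from collections import defaultdict

# Minimal libpcap (not pcapng) reader + TCP stream reassembly for FTP-DATA.
# The capture is constructed in memory so the example runs offline; it is
# NOT the Scan 19 newdat3.log capture (assumed flow: 193.231.236.42:20 -> 192.168.1.102:1026).

ETH_IPV4 = 0x0800
IP_TCP = 6
FTP_DATA_PORT = 20
# libpcap global header: magic, version 2.4, thiszone 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def _ipv4_header(src, dst, payload_len):
    """20-byte IPv4 header, no options; checksum left zero (constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, IP_TCP, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


def _tcp_header(sport, dport, seq, flags=0x18):  # PSH|ACK
    """20-byte TCP header, data offset 5, no options; checksum left zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)


def build_sample_pcap(segments, src, dst, sport=FTP_DATA_PORT, dport=1026):
    """Serialise (seq, payload) segments as Ethernet/IPv4/TCP frames in a pcap file image."""
    out = bytearray(PCAP_GLOBAL)
    for i, (seq, payload) in enumerate(segments):
        eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
        frame = eth + _ipv4_header(src, dst, 20 + len(payload)) + _tcp_header(sport, dport, seq) + payload
        out += struct.pack("<IIII", 1001900000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def iter_tcp_segments(pcap_bytes):
    """Yield (src, sport, dst, dport, seq, payload) for every TCP segment in a pcap image."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]   # IPv4 total length
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != IP_TCP:
            continue
        tcp = ip[ihl:]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data_off = (tcp[12] >> 4) * 4
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        yield src, sport, dst, dport, seq, tcp[data_off:]


def reassemble_streams(pcap_bytes, sport=FTP_DATA_PORT):
    """Rebuild each server->client FTP-DATA stream: order by sequence number, drop
    retransmitted duplicates, trim overlaps (what 'Follow TCP Stream' does for one side)."""
    by_flow = defaultdict(dict)
    for src, sp, dst, dp, seq, data in iter_tcp_segments(pcap_bytes):
        if sp == sport and data:
            by_flow[(src, sp, dst, dp)][seq] = data   # a retransmit overwrites the same seq
    streams = {}
    for flow, segs in by_flow.items():
        buf, expected = bytearray(), None
        for seq in sorted(segs):
            data = segs[seq]
            if expected is not None and seq < expected:  # partial overlap with previous segment
                data, seq = data[expected - seq:], expected
            buf += data
            expected = seq + len(data)
        streams[flow] = bytes(buf)
    return streams


def is_gzip(blob):
    """A real .tar.gz starts with gzip magic 1f 8b, whatever name the file was saved under."""
    return blob[:2] == b"\x1f\x8b"


def recover_sample():
    """Constructed capture of one download (segments arrive reversed, one retransmitted),
    reassembled and checked: byte-exact, gzip magic present, inflates to the original."""
    original = b"adore.c\nava.c\ncleaner.c\n" * 16        # stand-in for archive contents
    blob = gzip.compress(original, mtime=0)
    chunks = [blob[i:i + 16] for i in range(0, len(blob), 16)]
    segments = [(1001 + 16 * i, c) for i, c in enumerate(chunks)]
    wire_order = segments[::-1] + [segments[1]]            # out of order + one duplicate
    pcap = build_sample_pcap(wire_order, "193.231.236.42", "192.168.1.102")
    recovered = reassemble_streams(pcap)[("193.231.236.42", 20, "192.168.1.102", 1026)]
    return {"bytes_match": recovered == blob,
            "is_gzip": is_gzip(recovered),
            "inflates_to_original": gzip.decompress(recovered) == original}


if __name__ == "__main__":
    print(recover_sample())
```

The magic-byte check is the quick way to settle what the writeup leaves open (files saved as .zip versus archives named .tar.gz): the first two bytes of the reassembled stream say what the container is, the filename does not. Sequence gaps (lost segments) are simply skipped here; a real tool would report them, since a gap in a gzip stream makes everything after it unrecoverable.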
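Editor's added example (not part of the submission): the passwd and shadow copies quoted above, run through a small audit that flags exactly the two things the writeup points at (an empty hash in /etc/shadow, and a UID 0 account other than root) plus one more artefact worth checking in any compromised shadow file, the "last changed" day that differs from every other entry. The two file bodies are copied from the writeup; the detection rules are mine.

```python
from collections import Counter

# /etc/passwd and /etc/shadow as quoted in the Scan 19 writeup above.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
named:x:25:25:Named:/var/named:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
john:x:500:500:John:/home/john:/bin/bash
dns:x:0:0::/bin:/bin/bash
"""

SHADOW = """\
root:$1$SC5o0bc.$hD0izKXWmEZWK3ZZQOg9z1:11577:0:99999:7:-1:-1:134539276
bin:*:11577:0:99999:7:::
daemon:*:11577:0:99999:7:::
adm:*:11577:0:99999:7:::
lp:*:11577:0:99999:7:::
sync:*:11577:0:99999:7:::
shutdown:*:11577:0:99999:7:::
halt:*:11577:0:99999:7:::
mail:*:11577:0:99999:7:::
news:*:11577:0:99999:7:::
uucp:*:11577:0:99999:7:::
operator:*:11577:0:99999:7:::
games:*:11577:0:99999:7:::
gopher:*:11577:0:99999:7:::
ftp:*:11577:0:99999:7:::
nobody::11577:0:99999:7:-1:-1:134532692
xfs:!!:11577:0:99999:7:::
named:!!:11577:0:99999:7:::
postgres:!!:11577:0:99999:7:::
john:$1$yxVGaPxi$l49rrYul6ZuSXjjPkTBrX0:11577:0:99999:7:-1:-1:134539276
dns::11581:0:99999:7:-1:-1:4
"""


def parse_colon_file(text):
    """Map account name -> list of fields for each non-empty line of a colon-separated file."""
    rows = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def audit_accounts(passwd_text, shadow_text):
    """Return {account: [findings]}.  Locked hashes ('*', '!!') are fine; an EMPTY hash
    means login with no password at all, which is what the intruder left behind here."""
    passwd, shadow = parse_colon_file(passwd_text), parse_colon_file(shadow_text)
    findings = {}

    def note(name, msg):
        findings.setdefault(name, []).append(msg)

    # Day the majority of passwords were last changed (install day); outliers were added later.
    usual_day = Counter(e[2] for e in shadow.values()).most_common(1)[0][0]

    for name, f in passwd.items():
        if int(f[2]) == 0 and name != "root":
            note(name, "UID 0 (root-equivalent) account not named root")
        if f[1] == "":
            note(name, "empty password field in /etc/passwd")
        entry = shadow.get(name)
        if entry is None:
            if f[1] == "x":
                note(name, "passwd points to shadow but no shadow entry exists")
            continue
        if entry[1] == "":
            note(name, "empty hash in /etc/shadow: login needs no password")
        if entry[2] != usual_day:
            note(name, f"password last changed day {entry[2]}, other accounts {usual_day}: added later")
    for name in shadow:
        if name not in passwd:
            note(name, "shadow entry without matching passwd entry")
    return findings


if __name__ == "__main__":
    for account, reasons in audit_accounts(PASSWD, SHADOW).items():
        print(account, "->", "; ".join(reasons))
```

Run against the quoted files this reports only "nobody" (empty hash) and "dns" (UID 0, empty hash, and a last-changed day of 11581 against 11577 for everything else, i.e. created four days after the install). The same three rules are cheap to run on any box you suspect, and they do not depend on a rootkit-free `passwd` or `ls`, only on reading the two files.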