Scan of The Month – September 2001
This month’s challenge is to analyse the compromise of a system using the well-known rpc.statd exploit. To perform the analysis I used, of course, SNORT 1.8, and Ethereal to get more detail at the packet level and for the ease of filtering the traffic by IP, port number, etc.
The attackers run a small SYN scan before launching the attack, to check that the server is running the portmap service, and only then do the portmap request and the statd exploit. That definitely makes it faster, as the exploit is tried only on machines that may have the vulnerability.
Traffic came in from several countries, but we can guess that the bad guy who successfully exploited the statd service came in from a computer in Korea:
Name: Unknown
IP Address: 211.185.125.124
Location: Unknown
Network: KRNIC-KR
The source IP address could not easily be spoofed, as a reply from the server was required for the attacker to know the status of the attack.
The attacker’s machine is a UNIX system. That is indicated by the FTP server when he connected to retrieve the rootkit…
But the machine has also been scanned by
Name: baccess-01-182.magna.com.au
IP Address: 203.111.78.182
Location: 24.900S, 133.000E
Network: DAVNET
Level 7, 209 Castlereagh St
Sydney
NSW 2000
AU
And
Name: Unknown
IP Address: 211.180.229.190
Location: Unknown
Network: KRNIC-KR
But no ACK has been recorded in the log file, so I’ll ignore them for now and concentrate on 211.185.125.124.
I guess the attackers are from Romania, as the rootkit was downloaded from a Romanian FTP server:
Name: s1.home.ro
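The triage described above (drop the sources that only sent a SYN to port 111 and never completed the handshake, keep the one that queried portmap and then went on to the RPC service) can be applied to a connection log mechanically. The following is an added example and not part of the original write-up or its data: the packet records are constructed, the three addresses are the ones named above, and the timestamps, flags and the follow-on port (assumed to be the statd port handed out by portmap) are made up.

```python
from collections import defaultdict

PORTMAP_PORT = 111

# Constructed packet records as seen at the honeypot: (seconds, src_ip, dst_port, tcp_flags).
# The three sources are the ones discussed in the write-up; times, flags and the
# follow-on port (assumed to be the statd port handed out by portmap) are made up.
SAMPLE_PACKETS = [
    (0.0,  "203.111.78.182",  111,   "S"),   # SYN scan, never completes the handshake
    (12.0, "211.180.229.190", 111,   "S"),   # another SYN-only probe
    (40.0, "211.185.125.124", 111,   "S"),   # SYN scan ...
    (40.2, "211.185.125.124", 111,   "A"),   # ... handshake completed
    (40.3, "211.185.125.124", 111,   "PA"),  # portmap request for the statd program
    (41.0, "211.185.125.124", 32768, "S"),   # follow-on connection to the port portmap returned
    (41.2, "211.185.125.124", 32768, "PA"),  # statd traffic
]

def classify_sources(packets, window=300.0):
    """Group packets by source and decide how far each source got.

    Returns {src_ip: (label, follow_on_port)} where label is one of
    'syn-scan only', 'portmap query only' or 'portmap then service contact'.
    Sources that never touched the portmap port are left out.
    """
    per_src = defaultdict(list)
    for ts, src, dport, flags in packets:
        per_src[src].append((ts, dport, flags))

    verdicts = {}
    for src, pkts in per_src.items():
        pkts.sort()
        syns = [ts for ts, p, f in pkts if p == PORTMAP_PORT and f == "S"]
        acks = [ts for ts, p, f in pkts if p == PORTMAP_PORT and "A" in f]
        if not syns:
            continue                                    # no interest in portmap at all
        if not acks:
            verdicts[src] = ("syn-scan only", None)     # the two sources ignored above
            continue
        done = acks[0]
        # A new SYN to a different port shortly after the portmap query is the
        # "ask portmap where statd lives, then go there" pattern.
        follow = [p for ts, p, f in pkts
                  if p != PORTMAP_PORT and f == "S" and done <= ts <= done + window]
        if follow:
            verdicts[src] = ("portmap then service contact", follow[0])
        else:
            verdicts[src] = ("portmap query only", None)
    return verdicts

if __name__ == "__main__":
    for src, (label, port) in classify_sources(SAMPLE_PACKETS).items():
        print(f"{src:16} {label}" + (f" (port {port})" if port else ""))
```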
IP Address: 193.231.236.41
Location: BUCURESTI (44.390N, 26.090E)
Network: RDSNET
Also, the language in the rootkit’s install script looks like it could be Romanian, or at least Eastern European… just guessing though…
The bad guys seem good enough to attack a target from a remote location, probably a previously hacked machine. That makes them hard to track down, especially when you deal with Korea, as they are not very responsive to complaints most of the time. Also, they are using automated tools, so they are probably scanning several networks at once, and then send the data of the compromised systems to a Yahoo mail account.
General Overview: 30 minutes
Detailed Analysis: 1:30 h
Rootkit Retrieval: 30 minutes
TOTAL: 2:30 h
To retrieve the rootkit there were probably other solutions, but I used Ethereal’s Follow TCP Stream feature to follow the FTP RETR command. Here are a couple of screenshots:
This is the main Ethereal screen with the FTP-DATA traffic.
And this is the FTP-DATA stream that I used to recover the lk.tar.gz file. When opening it with WinRAR I got a CRC error, but I was still able to open it, extract the documents, and recompress them. The file can be found