Analysis provided by Jerome Poggi, Hervé Schauer Consultants (HSC)
The Honeynet Project
The Challenge:
Bonus Questions:
The Analysis:
The first step is to download the file and confirm the MD5 checksum, which validates the integrity of the file. Then the analysis can begin.
1. Which vulnerability did the intruder exploit?
2. What ways, and in what order, did the intruder use to connect and run commands on the system?
3. How did the intruder try to hide his edits from the MAC times?
The intruder tried to hide his edits from the MAC times by saving the MAC times of /etc and /etc/passwd. The problem is that he did not save the MAC time of /etc/shadow. He used /etc/X11/applnk/Internet/.etc and /etc/X11/applnk/Internet/.etcpasswd to save the MAC times, and he did not remove these two entries afterwards.
4. The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?
The intruder downloaded his rootkit to /dev/rd/scd0 from a host in Romania (ftp://teleport:gunoierul@teleport.go.ro).
5. Recover (tell how you did it too) the rootkits from the snort binary capture
To recover the rootkit I used tcpflow.
6. What does the rootkit do to hide the presence of the attacker on the system?
In the file 192.168.001.102.00023-217.156.093.166.61216 we can find the complete trace of what the intruder received while downloading and installing the rootkit.
7. What did you learn from this exercise?
How to read tcpdump files correctly, and how an intruder really "works".
8. How long did this challenge take you?
It took me close to two days (cumulative time).
Bonus question: write an example letter of notification to the source owner that attacked the system. Include any evidence or logs that you feel important.
We assume that the IP of the compromised computer was 192.168.1.102, even though it is a private address.
On September 16th a Redhat Linux 6.2 honeypot was compromised. This is the 3rd time this system was compromised by the same intruder. The honeynet is VMware based and uses a modified bash to log to syslog. Syslog is remotely logging to 0.0.0.0 (remote syslog server IP has been replaced). The compromised system has an IP of 192.168.1.102. After successfully breaking into the box, the attacker ended up using 3 modes of connecting and running commands (some of which is encrypted). The attacker also tried to hide some of his edits from the MAC times.
Based on this challenge, write an example letter of notification to the source owner that attacked the system. Include any evidence or logs that you feel important.
$wget http://project.honeynet.org/scans/scan19/scan19.tar.gz
$md5 scan19.tar.gz
11e0be295d138df14111796a7733a5d2 scan19.tar.gz
$tar -zxvf scan19.tar.gz
Our data was correct, so we can begin to analyse it.
For convenience I used tcpflow to extract all data from newdat2.log; now I have one file per stream (each pair of IP:port endpoints).
To get information on the TCP streams I used tethereal and ethereal.
The intruder used a remote root exploit against the FTP server's SITE EXEC command.
Advisory :
The program used here is 7350wu-v5.tar.gz. We can also find it in the file copy.tar.gz under the name zxploit.
An ls -lt /etc gives:
-r-------- 1 root root 678 Sep 16 04:40 shadow
-rw------- 1 root root 5 Sep 16 04:40 group.lock
-rw------- 1 root root 5 Sep 16 04:40 gshadow.lock
-rw-r--r-- 1 root root 728 Sep 16 04:40 passwd-
-r-------- 1 root root 667 Sep 16 04:40 shadow-
-rw-r--r-- 1 root root 728 Sep 16 04:31 passwd
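The listing above is the evidence for question 3: the intruder reset the MAC times of /etc/passwd but not those of /etc/shadow, so the backup copy passwd- ends up newer than passwd itself. The following check, added here as an example and not part of the original analysis, parses the quoted ls -lt lines (embedded as constructed sample input) and flags any file whose backup copy (name + "-") is newer than the file, which is an inconsistency the passwd tools never produce on their own.

```python
import re
from datetime import datetime

# Constructed sample input: the `ls -lt /etc` lines quoted in the analysis.
LS_OUTPUT = """\
-r-------- 1 root root 678 Sep 16 04:40 shadow
-rw------- 1 root root 5 Sep 16 04:40 group.lock
-rw------- 1 root root 5 Sep 16 04:40 gshadow.lock
-rw-r--r-- 1 root root 728 Sep 16 04:40 passwd-
-r-------- 1 root root 667 Sep 16 04:40 shadow-
-rw-r--r-- 1 root root 728 Sep 16 04:31 passwd
"""

# mode, links, owner, group, size, "Mon DD HH:MM", name
LS_LINE = re.compile(
    r"^(?P<mode>\S+)\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"(?P<mtime>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2})\s+(?P<name>\S+)$"
)


def parse_ls(text):
    """Map file name -> mtime. The year is absent from ls output; strptime
    defaults to 1900, which is fine because only the ordering matters."""
    mtimes = {}
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if m:
            mtimes[m["name"]] = datetime.strptime(m["mtime"], "%b %d %H:%M")
    return mtimes


def suspicious_mtimes(mtimes):
    """Names whose backup copy (name + '-') is newer than the file itself.
    A backup is written just before the original is rewritten, so a newer
    backup means the original's mtime was set back afterwards."""
    flagged = []
    for name, when in mtimes.items():
        backup = mtimes.get(name + "-")
        if backup is not None and backup > when:
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    print(suspicious_mtimes(parse_ls(LS_OUTPUT)))  # ['passwd']
```

shadow and shadow- carry the same time and are not flagged; passwd is, because the rootkit restored its MAC time to 04:31 while the backup written at 04:40 was left alone.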
We can date his attack exactly.
He downloaded 3 files: Zer0.tar.gz, copy.tar.gz and ooty.tar.gz.
It's a rootkit made from a lot of different rootkits; he personalised it.
$ tcpflow -v -r newdat3.log port 20
tcpflow[22438]: tcpflow version 0.20 by Jeremy Elson
We now have 3 files, but we don't know their real names.
$tcpflow -v -r newdat3.log dst port 21 and host 193.231.236.042
tcpflow[22546]: tcpflow version 0.20 by Jeremy Elson
0x0402 = 1026, so 193.231.236.042.00020-192.168.001.102.01026 is Zer0.tar.gz
0x0403 = 1027, so 193.231.236.042.00020-192.168.001.102.01027 is copy.tar.gz
0x0404 = 1028, so 193.231.236.042.00020-192.168.001.102.01028 is ooty.tar.gz
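The mapping above comes from the FTP control channel: in active mode the client sends PORT h1,h2,h3,h4,p1,p2 (data port = p1*256 + p2) and then RETR filename, and the server opens the data connection from port 20 to that client port, which is exactly the stream tcpflow names server.00020-client.0pppp. The script below, added here as an example and not taken from the original analysis, automates that reconstruction over a constructed control-stream excerpt (the real control stream is the dst port 21 flow from newdat3.log, not reproduced here); the tcpflow naming convention is assumed from the file names quoted above.

```python
import re

# Constructed sample: PORT/RETR lines modelled on the three transfers above.
CONTROL_STREAM = """\
PORT 192,168,1,102,4,2
RETR Zer0.tar.gz
PORT 192,168,1,102,4,3
RETR copy.tar.gz
PORT 192,168,1,102,4,4
RETR ooty.tar.gz
"""

SERVER = "193.231.236.42"  # the FTP server the rootkits were fetched from

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
XFER_RE = re.compile(r"^(?:RETR|STOR) (\S+)")


def tcpflow_name(ip, port):
    """tcpflow's endpoint convention: zero-padded octets and a 5-digit port."""
    octets = ".".join("%03d" % int(o) for o in ip.split("."))
    return "%s.%05d" % (octets, port)


def map_transfers(control, server_ip, data_port=20):
    """Return {tcpflow data-stream file name: transferred file name}.
    Each PORT command is paired with the next RETR/STOR that follows it."""
    mapping = {}
    client = None
    for line in control.splitlines():
        m = PORT_RE.match(line)
        if m:
            h1, h2, h3, h4, p1, p2 = m.groups()
            # data port announced by the client: high byte * 256 + low byte
            client = (".".join((h1, h2, h3, h4)), int(p1) * 256 + int(p2))
            continue
        m = XFER_RE.match(line)
        if m and client is not None:
            stream = "%s-%s" % (tcpflow_name(server_ip, data_port),
                                tcpflow_name(*client))
            mapping[stream] = m.group(1)
            client = None  # one transfer per PORT command
    return mapping


if __name__ == "__main__":
    for stream, name in map_transfers(CONTROL_STREAM, SERVER).items():
        print(stream, "is", name)
```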
Message to the administrator of the computer that had the IP 217.156.93.166:
I have a lot of information that leads me to think that your computer was compromised by a hacker and used to compromise my computer (IP: 192.160.1.102).
Here you can find some information, evidence and logs:
229 2001-09-17 01:55:45.1987 207.35.251.172 -> 192.168.1.102 TCP 74 2243 > 21 [SYN] Seq=3480775092 Ack=0 Win=32120 Len=0
230 2001-09-17 01:55:45.2016 192.168.1.102 -> 207.35.251.172 TCP 74 21 > 2243 [SYN, ACK] Seq=3956112893 Ack=3480775093 Win=32120 Len=0
231 2001-09-17 01:55:45.2361 207.35.251.172 -> 192.168.1.102 TCP 66 2243 > 21 [ACK] Seq=3480775093 Ack=3956112894 Win=32120 Len=0
245 2001-09-17 01:55:52.5527 207.35.251.172 -> 192.168.1.102 FTP 482 Request: SITE EXEC 7 mmmmnnnn%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f|%08x|%08x|
416 2001-09-17 01:56:01.4916 207.35.251.172 -> 192.168.1.102 FTP 70 Request: id;
417 2001-09-17 01:56:01.5388 192.168.1.102 -> 207.35.251.172 TCP 66 21 > 2243 [ACK] Seq=3956149945 Ack=3480792757 Win=32120 Len=0
418 2001-09-17 01:56:01.7424 192.168.1.102 -> 207.35.251.172 FTP 105 Response: uid=0(root) gid=0(root) groups=50(ftp)
419 2001-09-17 01:56:01.8020 207.35.251.172 -> 192.168.1.102 TCP 66 2243 > 21 [ACK] Seq=3480792757 Ack=3956149984 Win=31856 Len=0
Ports open:
telnet 23/tcp (discovered at 02:44:54.2737)
trojan 1024/tcp (discovered at 02:44:58.2773)
ftp 21/tcp (discovered at 02:45:06.2565)
who 513/udp (discovered at 02:45:15.5809)
smtp 25/tcp (discovered at 02:45:17.6521)
auth 113/tcp (discovered at 02:45:18.1396)
linuxconf 98/tcp (discovered at 02:45:29.2826)
rpc 111/tcp (discovered at 02:45:32.4353)
printer 515/tcp (discovered at 02:45:38.8030)
unknown 921/tcp (discovered at 02:45:41.8367)
finger 79/tcp (discovered at 02:46:02.1268)
23392 2001-09-17 02:56:12.4702 207.35.251.172 -> 192.168.1.102 TCP 66 2243 > 21 [FIN, ACK] Seq=3480793419 Ack=3956202690 Win=31856 Len=0
23393 2001-09-17 02:56:12.5182 192.168.1.102 -> 207.35.251.172 TCP 66 21 > 2243 [ACK] Seq=3956202690 Ack=3480793420 Win=32120 Len=0
23394 2001-09-17 02:56:15.3943 192.168.1.102 -> 207.35.251.172 TCP 66 21 > 2243 [FIN, ACK] Seq=3956202690 Ack=3480793420 Win=32120 Len=0
23395 2001-09-17 02:56:15.4731 207.35.251.172 -> 192.168.1.102 TCP 66 2243 > 21 [ACK] Seq=3480793420 Ack=3956202691 Win=31856 Len=0
Please follow the full procedure to reinstall your computer, and investigate in order to obtain as much information as possible about how your computer was compromised.
Sincerely.