Scan of The Month – September 2001

  1. Intro

     This month's challenge is to analyse the compromise of a system using the well-known rpc.statd exploit. To perform the analysis I used, of course, Snort 1.8, plus Ethereal to get more detail at the packet level and to filter the traffic easily by IP address, port number, and so on.

  2. Challenge Questions

    1. The attackers used the rpc.statd attack to get into the system. What modifications did they make to the break-in process to both automate it and make it faster?

       The attackers run a small SYN scan before launching the attack, to check that the server is running the portmap service, and only then send the portmap request and the statd exploit. That definitely makes it faster, as the exploit is only tried on machines that may have the vulnerability.
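Seen from the defender's side, the sequence just described (half-open probe of portmap, GETPORT for program 100024, then a connection to the port portmap hands back) is exactly what a correlation rule can key on. The following Python is an added example, not part of the original write-up: it runs a small per-source state machine over constructed, simplified tcpdump-style summary lines (placeholder addresses; the line format is an assumption, not Snort's or tcpdump's real output) and reports only sources that completed the whole chain, so hosts that merely scanned port 111 and left, or legitimate clients asking portmap for other programs, are not flagged.

```python
"""Per-source correlation of 'probe 111 -> GETPORT statd -> hit returned port'.

Added example, not from the original write-up.  The log format below is a
constructed, simplified tcpdump-like summary; all addresses are placeholders.
"""
import re
from collections import defaultdict

STATD_PROG = 100024      # RPC program number of rpc.statd
PORTMAP_PORT = 111

LINE = re.compile(
    r"(?P<ts>\S+) (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SPF.]+)(?P<rest>.*)"
)
GETPORT = re.compile(r"GETPORT (?P<prog>\d+)")
REPLY = re.compile(r"reply port (?P<port>\d+)")


def parse(line):
    """Return the fields of one summary line, or None if it does not match."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None


def correlate(lines):
    """Return (attacker, victim, statd_port) for every completed attack chain."""
    # state is keyed by (attacker, victim); stages: 0 nothing, 1 SYN probe of 111,
    # 2 GETPORT for statd seen, 3 portmap answered with a port, 4 that port was hit
    state = defaultdict(lambda: {"stage": 0, "statd_port": None})
    hits = []
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        src, dst, dport = rec["src"], rec["dst"], int(rec["dport"])
        st = state[(src, dst)]
        if dport == PORTMAP_PORT and rec["flags"] == "S" and st["stage"] == 0:
            st["stage"] = 1                                   # bare SYN to portmap
        elif dport == PORTMAP_PORT and (m := GETPORT.search(rec["rest"])):
            if int(m.group("prog")) == STATD_PROG and st["stage"] >= 1:
                st["stage"] = 2                               # asked where statd lives
        elif (m := REPLY.search(rec["rest"])) and rec["sport"] == str(PORTMAP_PORT):
            rev = state[(dst, src)]                           # reply flows victim -> attacker
            if rev["stage"] == 2:
                rev["stage"], rev["statd_port"] = 3, int(m.group("port"))
        elif st["stage"] == 3 and dport == st["statd_port"]:
            hits.append((src, dst, dport))                    # statd port contacted
            st["stage"] = 4
    return hits


# Constructed sample: one host runs the full chain against 192.0.2.5, only probes
# 192.0.2.9, and a third host legitimately asks portmap for another program.
SAMPLE_LOG = """\
04:33:10 198.51.100.7.3000 > 192.0.2.5.111: S
04:33:10 198.51.100.7.3000 > 192.0.2.9.111: S
04:33:11 198.51.100.7.3001 > 192.0.2.5.111: S
04:33:11 198.51.100.7.3001 > 192.0.2.5.111: P sunrpc GETPORT 100024
04:33:11 192.0.2.5.111 > 198.51.100.7.3001: P sunrpc reply port 32768
04:33:12 198.51.100.7.3002 > 192.0.2.5.32768: S
04:33:12 198.51.100.7.3002 > 192.0.2.5.32768: P sunrpc call 100024
04:40:00 203.0.113.4.4000 > 192.0.2.5.111: S
04:40:00 203.0.113.4.4000 > 192.0.2.5.111: P sunrpc GETPORT 100003
""".splitlines()

if __name__ == "__main__":
    for attacker, victim, port in correlate(SAMPLE_LOG):
        print(f"{attacker} completed the statd chain against {victim} (port {port})")
```

Keying the state on the (source, destination) pair rather than on the source alone matters here: the scan hits many hosts, but only the one that answered the GETPORT with a port gets the exploit, which is the point the answer above makes.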

       

    2. What system/country did the badguys come in from?

       Traffic came in from several countries, but we can guess that the bad guy who successfully exploited the statd service came in from a computer in Korea:

      Name: Unknown

      IP Address: 211.185.125.124
      Location: Unknown
      Network: KRNIC-KR

      The source IP address couldn't easily be spoofed, as a reply from the server was required for the attacker to know the status of the attack.

      The attacker's machine is a UNIX system. That is indicated by the FTP server banner when he connected to retrieve the rootkit.

      But the machine was also scanned by

      Name: baccess-01-182.magna.com.au
      IP Address: 203.111.78.182
      Location: 24.900S, 133.000E
      Network: DAVNET
      Level 7, 209 Castlereagh St
      Sydney
      NSW 2000
      AU

      And

      Name: Unknown
      IP Address: 211.180.229.190
      Location: Unknown
      Network: KRNIC-KR

      But no ACK has been recorded in the log file for these two, so I'll ignore them for now and concentrate on 211.185.125.124.

    3. What nationality are the badguys, and how were you able to determine this?

       I guess the attackers are from Romania, as the rootkit was downloaded from a Romanian FTP server:

      Name: s1.home.ro~
      IP Address: 193.231.236.41
      Location: BUCURESTI (44.390N, 26.090E)
      Network: RDSNET

      Also, the language in the install script of the rootkit looks like it could be Romanian, or at least East European. Just guessing though.

    4. What do the answers to questions #1 and #2 tell us about the tactics the badguys are using?

       The bad guys seem good enough to attack a target from a remote location, probably a previously hacked machine. That makes them hard to track down, especially when you deal with Korea, as they are not very responsive to complaints most of the time. Also, they are using automated tools, so they are probably scanning several networks at once and then sending the data of the compromised system to a Yahoo mail account.

    5. What did you learn from this challenge?

    6. How long did this challenge take you?

       General Overview: 30 minutes
       Detailed Analysis: 1:30 h
       Rootkit Retrieval: 30 minutes
       TOTAL: 2:30 h

    7. Bonus Question:
       Can you recover the blackhat's rootkit from the Snort binary log file? If so, how?

To retrieve the rootkit there were probably other solutions, but I used Ethereal's TCP stream feature to follow the TCP stream of the FTP RETR command. Here are a couple of screenshots:

This is the main Ethereal screen with the FTP DATA traffic.

And this is the FTP DATA stream that I used to recover the lk.tar.gz file. When opening it with WinRAR I got a CRC error, but I was still able to open it, extract the documents, and recompress them. The file can be found here.