Analysis of HoneyNet's scan

Bonus Question

We can verify that the rootkit worked by mounting the partition image read-only (ro,loop so the image itself is never altered; nodev,noexec so that nothing on the untrusted image can be executed or used as a device node on the analysis host; note that we drop back to an unprivileged user before browsing it) and looking at the files the rootkit created. Two of them sit directly under /dev, where few people look: dev/rpm holds a list of program names (the rootkit's own tools: the sniffer, the replacement sshd, the DoS tools and the IRC bots and bouncers), and dev/last holds IP address prefixes and port numbers. Judging from their contents, these are the hide-lists consulted by the rootkit's trojaned ps and netstat; the kit itself lives in a hidden directory under /dev/ida:


[gfk@cesam honeynet]$ su
Password: 
[root@cesam honeynet]# mount -o ro,loop,nodev,noexec honeypot.hda8.dd mnt
[root@cesam honeynet]# exit
[gfk@cesam honeynet]$ cd mnt
[gfk@cesam mnt]$ cat dev/rpm
3 sl2
3 sshdu
3 linsniffer
3 smurf
3 slice
3 mech
3 muh
3 bnc
3 psybnc
[gfk@cesam mnt]$ cat dev/last
1 193.231.139
1 213.154.137
1 193.254.34
3 48744
3 3666
3 31221
3 22546
4 48744
4 2222
[gfk@cesam mnt]$ cd dev/ida/.drag-on/
[gfk@cesam .drag-on]$ ls -l
total 647
-rwx------   1 root     root         7165 Mar 15 20:45 linsniffer
-rwx------   1 root     root           75 Mar 15 20:45 logclear
-rwxr-xr-x   1 root     root       632066 Mar 15 20:45 mkxfs
-rw-r--r--   1 root     root          708 Mar 15 20:45 s
-rwxr-xr-x   1 root     root         4060 Mar 15 20:45 sense
-rwx------   1 root     root         8268 Mar 15 20:45 sl2
-rw-------   1 root     root          540 Mar 15 20:45 ssh_host_key
-rw-------   1 root     root          512 Mar 16 09:45 ssh_random_seed
-rw-r--r--   1 root     root          138 Mar 16 11:28 tcp.log
[gfk@cesam .drag-on]$ cd "../.. "
[gfk@cesam .. ]$ ls -l
total 646
-rwx------   1 root     root         7165 Mar 15 20:45 linsniffer
-rwx------   1 root     root           75 Mar 15 20:45 logclear
-rwxr-xr-x   1 root     root       632066 Mar 15 20:45 mkxfs
-rw-r--r--   1 root     root          708 Mar 15 20:45 s
-rwxr-xr-x   1 root     root         4060 Mar 15 20:45 sense
-rwx------   1 root     root         8268 Mar 15 20:45 sl2
-rw-------   1 root     root          540 Mar 15 20:45 ssh_host_key
-rw-------   1 root     root          512 Mar 15 20:45 ssh_random_seed
-rw-r--r--   1 root     root            0 Mar 15 20:45 tcp.log

The second copy lives in a directory literally named ".. " (dot, dot, space); in a casual ls -la it passes for the parent directory entry. Both copies were installed at the same moment (Mar 15 20:45) and differ only in the files that get written at run time: in .drag-on, tcp.log has grown to 138 bytes and was last written on Mar 16 11:28, and ssh_random_seed was rewritten on Mar 16 09:45, whereas the copy in ".. " is untouched since installation. So the sniffer (linsniffer logs what it captures to tcp.log) and the sshd shipped with the kit (its ssh_host_key sits beside it) ran from .drag-on, and ".. " is a spare copy. Since the image is mounted read-only, these modification times are the intruder's, not ours.
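
The checks above can be scripted. What follows is an added example, not part of the original analysis: it builds a small constructed directory tree that mirrors the layout seen in the listings (dev/rpm, dev/last, dev/ida/.drag-on and dev/ida/".. ", with placeholder file contents rather than the real binaries), then runs three checks an examiner would apply to the real mount point: find directories under dev/ whose names are meant to escape notice, cross-check the names in dev/rpm against the files in the rootkit directory, and byte-compare the two copies of the kit to see which files the running tools have written to. The mount_image_ro function repeats the mount command from the analysis with a pre-examination hash of the image added; it needs root and a real image, so it is defined but not called.

```sh
#!/bin/sh
# Added example, not part of the original analysis. The directory tree built
# here is constructed to mirror the listings above (a few files, placeholder
# contents); the checks themselves are what an examiner would run on the real
# mount point.

# The mount step from the analysis, with two additions: a hash of the image
# taken before it is touched (re-hash after the examination to prove the
# evidence is unchanged), and nosuid,noatime alongside ro,loop,nodev,noexec.
# Needs root and a real image, so it is defined but not called below.
mount_image_ro() {
    image=$1
    mnt=$2
    sha256sum "$image" > "$image.sha256"
    mkdir -p "$mnt"
    mount -o ro,loop,nodev,noexec,nosuid,noatime "$image" "$mnt"
}

# Constructed sample tree: dev/rpm and dev/last as found in the image, a
# rootkit directory dev/ida/.drag-on and its twin dev/ida/".. " (dot, dot,
# space). File contents are placeholders, not the real binaries.
build_sample() {
    root=$1
    mkdir -p "$root/dev/ida/.drag-on" "$root/dev/ida/.. "
    printf '3 sl2\n3 sshdu\n3 linsniffer\n' > "$root/dev/rpm"
    printf '1 193.231.139\n3 48744\n4 2222\n' > "$root/dev/last"
    for f in linsniffer logclear sl2; do
        printf 'placeholder for %s\n' "$f" > "$root/dev/ida/.drag-on/$f"
        cp "$root/dev/ida/.drag-on/$f" "$root/dev/ida/.. /$f"
    done
    printf 'sniffer output\n' > "$root/dev/ida/.drag-on/tcp.log"   # live copy, written to
    : > "$root/dev/ida/.. /tcp.log"                                 # empty, as in the image
}

# Directories under dev/ with names chosen to escape notice: a leading dot,
# or embedded whitespace (".. " looks like the parent directory in ls -la).
# find never prints the "." and ".." entries, so only real names appear.
find_odd_dirs() {
    find "$1/dev" -type d \( -name '.*' -o -name '* *' \) | sort
}

# Cross-check dev/rpm against the rootkit directory: every name listed there
# (second field) either exists as a file in .drag-on or does not. Reading the
# list as process names the trojaned ps should hide is an inference from its
# contents, not something the rootkit documents.
hidelist_vs_toolkit() {
    root=$1
    while read -r _code name; do
        if [ -f "$root/dev/ida/.drag-on/$name" ]; then
            echo "$name present"
        else
            echo "$name absent"
        fi
    done < "$root/dev/rpm"
}

# Byte-compare two copies of the kit. Prints one line per file found in
# either directory: "<file> same|differs|only-in-a|only-in-b". The files
# that differ are the ones the running tools wrote to.
compare_copies() {
    a=$1
    b=$2
    { ls -A "$a"; ls -A "$b"; } | sort -u | while read -r f; do
        if [ ! -e "$a/$f" ]; then
            echo "$f only-in-b"
        elif [ ! -e "$b/$f" ]; then
            echo "$f only-in-a"
        elif cmp -s "$a/$f" "$b/$f"; then
            echo "$f same"
        else
            echo "$f differs"
        fi
    done
}

demo() {
    tmp=$(mktemp -d)
    build_sample "$tmp/mnt"
    echo "== directories with hide-friendly names under dev/ =="
    find_odd_dirs "$tmp/mnt"
    echo "== names in dev/rpm vs. files in .drag-on =="
    hidelist_vs_toolkit "$tmp/mnt"
    echo "== .drag-on vs. '.. ' =="
    compare_copies "$tmp/mnt/dev/ida/.drag-on" "$tmp/mnt/dev/ida/.. "
    rm -rf "$tmp"
}

demo
```

On the real image, run the three functions against the mount point (mnt in the session above) instead of the constructed tree; compare_copies will then report tcp.log and ssh_random_seed as the two files that differ, matching the ls -l output.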



Guillaume Filion
2001-05-21