Hi.
These are my results for Scan of the month October 2001 (Scan 19)
Regards,
Ichinin
_________________________________________________________________________________________________
Scan of the month; October 2001 (Scan19)
1.Which vulnerability did the intruder exploit?
It looks like a WUFTP attack. The exploit spawned a shell under UID(0) that
allows... well, pretty much anything the intruder wants to do; like modifying
the "Nobody" account to have a blank password ("passwd nobody -d") and
creating a backup account "Dns", also with a blank password.
(See below; the /etc/passwd and /etc/shadow files were modified.)
2.What ways, and in what order, did the intruder use to connect and run
commands on the system?
A) First there are many probes on different ports from a range of systems; this
could indicate that a distributed scan is taking place, using many compromised
hosts. Interesting is that I saw no web exploits being used(!)
B) Then there was the initial compromise; the WUFTP server was toasted.
C) The telnet session from 217.156.93.166 to 192.168.1.102 did the rest;
the download, compilation, installation of the rootkit and the other
tools.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
3.How did the intruder try to hide his edits from the MAC times?
The intruder used a logcleaner that was supposed to clear all
the logs, except for the SYSLOG (which were not stored on the
compromised system. I think he/she became aware of the remote
logging when this happened.)
I *THINK*, I'm not sure, that a virtual device (/dev/rd/sdc0/Zer0) was used to
store the rootkits so that it would not be detected so easily. (I admit - I'm too
Windows damaged.)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
4.The intruder downloaded rootkits, what were they called? Are they new/custom
rootkits?
Yupp.
"Zer0.tar.gz" archive contains a rootkit:
"ADORE" (v0.33) and "tornKit".
"copy.tar.gz" archive contains various tools:
(Smurf Amp., SSH client, FTP scanner etc.)
The rootkits did the usual "reporting back to base" -> SMTP session to hotmail:
hatcheryhatched@hotmail.com
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
5.Recover (tell how you did it too) the rootkits from the snort binary capture
I loaded the Snort log into Ethereal (that takes, say, forever).
I selected "Follow tcp thread" on FTP Data (TCP/20) and saved as .TGZ; I found that
there were 2 separate downloads:
Zer0.zip (139711 bytes, ZIP compressed)
copy.zip (265189 bytes, ZIP compressed)
(Now: I COULD have ftp'd into teleport.go.ro and fetched the files easily, but
that would make me a criminal.)
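The "Follow tcp thread" step above can be reproduced offline without Ethereal. The following is an added example, not part of the original write-up: a minimal pcap reader that collects the TCP/20 (FTP-DATA) payloads, drops retransmissions, orders them by sequence number and checks for the gzip magic bytes. The capture it runs on is constructed inline (addresses 193.231.236.42 and 192.168.1.102 are taken from the write-up; port 1034 and the sequence numbers are made up).

```python
import gzip
import struct

def build_pcap(frames):
    """Wrap raw Ethernet frames in a little-endian pcap file (constructed data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def tcp_frame(sport, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums left zero, fine for offline parsing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([193, 231, 236, 42]), bytes([192, 168, 1, 102])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def reassemble_tcp(pcap, src_port):
    """One direction of 'Follow TCP stream': every payload sent from src_port,
    retransmissions dropped, ordered by sequence number (no wraparound handling)."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    segments, off = {}, 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                   # not IPv4 over Ethernet, or not TCP
        ip = frame[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]
        sport, _dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if sport == src_port and payload:
            segments.setdefault(seq, payload)          # first copy wins
    return b"".join(segments[s] for s in sorted(segments))

def recover_archive(pcap):
    """Return the FTP-DATA (TCP/20) stream if it starts with the gzip magic, else None."""
    data = reassemble_tcp(pcap, 20)
    return data if data[:2] == b"\x1f\x8b" else None

# Constructed capture: a gzip blob from port 20 in two out-of-order segments, plus
# one retransmission and one payload-less ACK from the client side.
ARCHIVE = gzip.compress(b"constructed stand-in for Zer0.tar.gz")
CUT = len(ARCHIVE) // 2
CAPTURE = build_pcap([tcp_frame(20, 1034, 1000 + CUT, ARCHIVE[CUT:]),
                      tcp_frame(20, 1034, 1000, ARCHIVE[:CUT]),
                      tcp_frame(20, 1034, 1000, ARCHIVE[:CUT]), tcp_frame(1034, 20, 1, b"")])
```

On a real capture, read the file bytes and pass them to recover_archive; the returned bytes are the downloaded archive and can be written to disk and unpacked with tar.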
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
6.What does the rootkit do to hide the presence of the attacker on the system?
It contains a function that removes entries from certain files:
File:              Managed to delete records?:
"boot.log"         Unsuccessful
"boot.log.1"       Successful
"cron"             Successful
"cron.1"           Successful
"dmesg"            Successful
"htmlaccess.log"   Unsuccessful
"maillog"          Unsuccessful
"maillog.1"        Successful
"messages"         Unsuccessful
"messages.1"       Successful
"netconf.log"      Unsuccessful
"secure"           Unsuccessful
"secure.1"         Successful
"sendmail.st"      Unsuccessful
"spooler"          Unsuccessful
"spooler.1"        Unsuccessful
"xferlog"          Unsuccessful
"xferlog.1"        Unsuccessful
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
7.What did you learn from this exercise?
To load the snort binary logs into Ethereal and get WAY MORE info
than I would get by just loading it into notepad(!)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
8.How long did this challenge take you?
2 Hours research.
3 Hours writeup.
1 Hour rechecking.
=
6 hours.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
References:
- SYSLOG = "slog2.log"
- SNORTLOG = "newdat3.log"
Tools used:
- Ethereal v?.? (latest version from the site)
- Arjfolder v3.65 (Can view and uncompress Tar and GZip files under Windows)
- Notepad v?.?
My "fluff" now follows:
First: I'm VERY confused as to the use of gnutella-ACK packets; NS1 answers these
with RST+ACK. Except for confusing the hell out of us, I cannot find any logical
conclusion for this kind of traffic. What would an ACK scan accomplish?!?!!?!
___________________________________________________________________________________________
- A Rootkit was installed (Adore); interesting is that it was
compiled on site; it allowed customisation of the code according to this:
"Since version 0.33 Adore requires 'authentication' for
its services. You will be prompted for a password now and this
password will be compiled into 'adore' and 'ava' so no further actions
by you are required.
This procedure will save adore from scanners."
* Where the intruder chose "labutza".
* It looks like this one features a sniffer as well:
"sniffer running!"
(Would not be surprising, since it's dead easy to write a packet sniffer
under linux, in contrast to windows.)
The intruder did 3 compilations to get it up and running:
cc -c -I/usr/src/linux/include -O2 -Wall -DELITE_CMD=107613 -DELITE_UID=30
-DCURRENT_ADORE=39 -DADORE_KEY=\"labutza\" -DMODVERSIONS adore.c -o adore.o
cc -O2 -Wall -DELITE_CMD=107613 -DELITE_UID=30 -DCURRENT_ADORE=39
-DADORE_KEY=\"labutza\" -DMODVERSIONS ava.c libinvisible.c -o ava
cc -I/usr/src/linux/include -c -O2 -Wall -DELITE_CMD=107613 -DELITE_UID=30
-DCURRENT_ADORE=39 -DADORE_KEY=\"labutza\" -DMODVERSIONS cleaner.c
___________________________________________________________________________________________
Involved systems:
IP               Name                                      Instance         Source
---------------------------------------------------------------------------------
24.17.45.29      (@home)                                   ISAKMP           SNORTLOG
24.248.173.56    (@home)                                   DNS              SNORTLOG
63.168.30.92     (Sprint)                                  NBName           SNORTLOG
128.175.106.24   (Was assigned to                          Gnutella         SNORTLOG
                  host106-24.student.edel.edu
                  when I looked)
138.86.152.104   (Univnorthco.edu)                         Netbios          SNORTLOG
172.136.23.164   (AC8817A4.ipt.aol.com)                    FTP Session      SYSLOG
192.168.1.102    (ns1)                                     Many sessions    SNORTLOG
206.75.218.84    (Istar/Videotron)                         Telnet           SNORTLOG
207.35.251.172   (GRICS, BLine Tech Svc)                   Many Sessions    SYSLOG
207.50.37.225    (C&W, TAC Communications)                 NBName           SNORTLOG
208.179.195.130  (Pajo grp, SantaMaria produce)            Dns              SNORTLOG
210.114.220.46   (Yeomyong Cable broadcasting)             Portmapper       SNORTLOG
                 (http://whois.nic.or.kr/english/index.html)
217.156.93.166   (MIDO, IPMEX (Romania))                   Telnet Session   SYSLOG
193.231.236.42   (Romania Datasystems)                     FTP Session      BOTH
                 (aka: Teleport.go.ro)
Note:
-----
217.156.93.166 = Manual input detected (i.e. telnet).
207.35.251.172 = executed WUFTP exploit.
Please compare:
---------------
193.231.236.42 teleport.go.ro, this month's Romanian ftp server.
to
193.231.236.41 ftp.home.ro, last month's Romanian ftp server.
___________________________________________________________________________________________
I suspect like [SYSLOG:Packet56] suspects:
"FingerD[8690]: Client hungup - probable port-scan "
The sheer number of port probes and different IPs could suggest
a distributed port prober (i.e. proxy based).
However, in [SNORTLOG], there is a [SYN] + [ACK/RST] sequence with
incremental port numbers, that could very well be a portscan as
well.
___________________________________________________________________________________________
[SYSLOG:Packet7] reports:
-----------------------
A connection from: AC8817A4.ipt.aol.com [172.136.23.164]
rpc.statd[318]: gethostbyname error for "^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿bffff71080497109090909068746567
6274736f6d616e797265206520726f7220726f66" <- RPC.Statd Exploit ???
(21 junk bytes+overflow code in hex) + SPACES (chr 32) <-DELETED
ff ff 71 08 04 97 10 90 <- todo: check with x86 asm code.
90 90 90 68 74 65 67 62
74 73 6f 6d 61 6e 79 72
65 20 65 20 72 6f 72 20
72 6f 66
___________________________________________________________________________________________
[SYSLOG:Packet71] indicated that the intruder changed the password for
"nobody" to a null password(!)
___________________________________________________________________________________________
SNORTLOG:Packet indicated that another account "DNS" was created with a
blank password.
___________________________________________________________________________________________
The SMTP session over hotmail (hatcheryhatched@hotmail.com) transmits some system info:
"ns1
RKstatus: 24
Name: Linux ns1 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown
IfConfig: inet addr:192.168.1.102 Bcast:192.168.1.255 Mask:25=
5.255.255.0
inet addr:127.0.0.1 Mask:255.0.0.0
Uptime: 5:01am up 3 days, 11:10, 1 user, load average: 0.04, 0.04, 0=
=2E00
Cpu Vendor ID: vendor_id : GenuineIntel
Cpu Speed: cpu MHz : 327.909610
Bogomips: bogomips : 187.19
Hard disk free space: Filesystem Size Used Avail Use% Mounted=
on
/dev/hda1 421M 369M 30M 92% /"
The "/etc/passwd" file:
"root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
named:x:25:25:Named:/var/named:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
john:x:500:500:John:/home/john:/bin/bash
dns:x:0:0::/bin:/bin/bash"
Now, what looks like the "/etc/shadow" file:
root:$1$SC5o0bc.$hD0izKXWmEZWK3ZZQOg9z1:11577:0:99999:7:-1:-1:134539276
bin:*:11577:0:99999:7:::
daemon:*:11577:0:99999:7:::
adm:*:11577:0:99999:7:::
lp:*:11577:0:99999:7:::
sync:*:11577:0:99999:7:::
shutdown:*:11577:0:99999:7:::
halt:*:11577:0:99999:7:::
mail:*:11577:0:99999:7:::
news:*:11577:0:99999:7:::
uucp:*:11577:0:99999:7:::
operator:*:11577:0:99999:7:::
games:*:11577:0:99999:7:::
gopher:*:11577:0:99999:7:::
ftp:*:11577:0:99999:7:::
nobody::11577:0:99999:7:-1:-1:134532692
xfs:!!:11577:0:99999:7:::
named:!!:11577:0:99999:7:::
postgres:!!:11577:0:99999:7:::
john:$1$yxVGaPxi$l49rrYul6ZuSXjjPkTBrX0:11577:0:99999:7:-1:-1:134539276
dns::11581:0:99999:7:-1:-1:4
What we can see here is that the "Nobody" and "DNS" accounts have a blank (::)
password, i.e. telnet into the server and it won't even ask for one.
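The two modified accounts stand out in the files quoted above, and the check can be automated. The following is an added example, not part of the original write-up: it parses passwd and shadow lines, flags empty password fields, flags any non-root account with UID 0, and flags passwords set later than the oldest change date in shadow (which on a freshly installed box is the install date). The excerpts it runs on are constructed from the entries quoted above.

```python
from datetime import date, timedelta

# Constructed excerpts of the /etc/passwd and /etc/shadow contents quoted above.
PASSWD = """root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:
john:x:500:500:John:/home/john:/bin/bash
dns:x:0:0::/bin:/bin/bash
"""
SHADOW = """root:$1$SC5o0bc.$hD0izKXWmEZWK3ZZQOg9z1:11577:0:99999:7:-1:-1:134539276
nobody::11577:0:99999:7:-1:-1:134532692
john:$1$yxVGaPxi$l49rrYul6ZuSXjjPkTBrX0:11577:0:99999:7:-1:-1:134539276
dns::11581:0:99999:7:-1:-1:4
"""

def parse_shadow(text):
    """Map user -> (password field, last-change day count) from shadow(5) lines."""
    out = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[0]:
            out[f[0]] = (f[1], int(f[2]) if f[2] else None)
    return out

def audit_accounts(passwd_text, shadow_text):
    """Return (user, finding) pairs: empty password fields, extra UID-0 accounts, and
    passwords set later than the oldest change date (the install baseline)."""
    shadow = parse_shadow(shadow_text)
    days = [d for _, d in shadow.values() if d is not None]
    baseline = min(days) if days else None
    findings = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) < 7:
            continue
        user, pw, uid = f[0], f[1], f[2]
        secret, changed = shadow.get(user, (pw, None))   # 'x' in passwd means: see shadow
        if secret == "":
            findings.append((user, "empty password field: login asks for no password"))
        if uid == "0" and user != "root":
            findings.append((user, "non-root account with UID 0 (full root rights)"))
        if changed is not None and baseline is not None and changed > baseline:
            when = date(1970, 1, 1) + timedelta(days=changed)
            findings.append((user, f"password set on {when}, after the install baseline"))
    return findings
```

Run against the full files, the same logic reports "nobody" once and "dns" three times (blank password, UID 0, and a password change four days after every other account), while root and john produce nothing.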
___________________________________________________________________________________________
**
FTP session 217.156.93.166 [?] -> via NS1 [192.168.1.102] -> teleport.go.ro [193.231.236.42]
USER "teleport"
PASS "gunoierul"
Files accessed:
"Zer0.tar.gz" (139711 bytes)
"copy.tar.gz" (265189 bytes)
Interesting: A script named TLS (in tls.tgz in zer0.tar.gz)
installs a (possibly) vulnerable version of WU Ftp server,
v2.6.0:
rpm -Fhv ftp://194.109.6.22/pub/mirror/redhat/updates/6.2/en/os/i386/wu-ftpd-2.6.0-14.6x.i386.rpm
Perhaps the rest of the files are vulnerable too, or our
intruder is getting security conscious to make sure that
no one will root the system after him/her... if the latter
is the case, the system has never been more secure than
now :o)
___________________________________________________________________________________________
It also looks like the intruder has started wondering why he/she can
compromise the honeynet systems so easily. Beware; soon you won't be
able to trust your own syslog servers(!)
"checking for remote logging...
holy guacamole batman
REMOTE LOGGING DETECTED
I hope you can get to these other computer(s):
000.000.00.000
cuz this computer is LOGGING to it..."
______________________________________________________________________________
Files were placed on /dev/rd/sdc0/Zer0:
.t0rn/
.t0rn/shhk
.t0rn/shrs
.t0rn/shhk.pub
.t0rn/shsml
.t0rn/sharsed
.t0rn/shdcf2
.t0rn/shhash
______________________________________________________________________________