By Albert Bendicho, May 2001
mail: bendi#at#redestb.es
The purpose of our work is to recover the rootkit on the disk. We will also look at the rootkit and study if it was installed. In the conclusion section we will summarize all the information while answering the questions of the challenge.
First on "Steps to recover the toolkit" we explain how we find deleted files by using "ils" and "icat". This utility is part of "The Coroner's Toolkit" (TCT) by Dan Farmer and Wietse Venema.
Next we analyze the files found through this process to try to find the rootkit. Giving a fast look at those files we find what seems to be the rootkit.
Then on "Analysis done on the rootkit" we analyze the contents of the rootkit and its behavior.
In "Analyzing the other files" we do some analysis on the other recovered files while taking advantage of what we know from the rootkit so far.
Next on "Analysis done on the disk" we mount the disk and look for more traces of the installation of the rootkit.
Finally on "Advanced research" we show some extra recovered information that even that's not needed for the purpose of our task (recovering the toolkit and checking if it was installed) it gives us some extra information.
All we need is the image to analyze and TCT on a Linux machine. We are using RedHat 7.0 with a 2.2.16-22 kernel (using a 2.4 kernel gave problems trying to mount honeypot.hda8.dd).
Note: It would have been better to use RedHat 6.2, since it was the system installed on the honeypot, but I had none at hand. This would have helped to compare files.
We do that by executing;
/path/to/TCT/bin/ils honeypot.hda8.dd > deleted-info.txtA quick look at deleted-info.txt tells us that we can recover several files, so we try to do it with "icat"
We can do it by issuing the following command;
awk -F'|' 'BEGIN {print "#!/bin/sh"} /^[0-9]+/ {print "echo " $1; print "/path/to/TCT/bin/icat honeypot.hda8.dd " $1 " > recovered" $1 ".txt" }' deleted-info.txt > recoverall.sh
We give execution privileges to recoverall.sh by issuing;
chmod u+x recoverall.sh
and then we execute it;
./recoverall.sh
we get
23 : other inodes recovered 12107 /home/bendicho/forensic/tct-1.06/bin/icat: read (512@1807052486656): Success 16110 20883 /home/bendicho/forensic/tct-1.06/bin/icat: read (512@1807052486656): Success 22103 : other inodes recovered 28172 /home/bendicho/forensic/tct-1.06/bin/icat: read (512@1807052486656): Success 30188 : other inodes recoveredSo it seems that all but inodes 12107, 20883 and 18172 have been recovered. A look at the corresponding "recovered###.txt" files shows that these three inodes have created a file with a 0 length. We won't look further to those files unless needed.
Next we try to see what have we recovered. We execute "file" on all of those files;
file recovered*We get;
The most interesting file here is "recovered23.txt". We gunzip it by issuing;recovered12107.txt: empty recovered16110.txt: ASCII text recovered2038.txt: empty recovered2039.txt: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped recovered2040.txt: ASCII text recovered2041.txt: Bourne shell script text recovered2042.txt: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped recovered2043.txt: Bourne-Again shell script text recovered2044.txt: English text recovered2045.txt: Bourne shell script text recovered2046.txt: English text recovered2047.txt: perl commands text recovered2048.txt: English text recovered2049.txt: data recovered2050.txt: ASCII text recovered2051.txt: data recovered2052.txt: ASCII text recovered2053.txt: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped recovered2054.txt: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped recovered2058.txt: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped recovered2059.txt: ASCII text recovered2060.txt: ASCII text recovered2061.txt: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped recovered20883.txt: empty recovered22103.txt: empty recovered22104.txt: empty recovered22105.txt: empty recovered22106.txt: empty recovered22107.txt: empty recovered22108.txt: empty recovered23.txt: gzip compressed data, deflated, last modified: Sat Mar 3 04:09:06 2001, os: Unix recovered28172.txt: empty recovered30188.txt: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped recovered30191.txt: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped recovered48284.txt: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped recovered56231.txt: ASCII text recovered8097.txt: empty recovered8100.txt: English textcp recovered23.txt recovered23.gz gunzip recovered23We then look at the resulting file with
file recovered23and we get
recovered23: GNU tar archiveSo we untar it with;
tar -xvf recovered23And we get
So it seems we got the rootkit!!last/ tar: Archive contains future timestamp 2002-02-08 14:08:13 last/ssh last/pidfile last/install last/linsniffer last/cleaner last/inetd.conf last/lsattr last/services last/sense last/ssh_config last/ssh_host_key last/ssh_host_key.pub last/ssh_random_seed last/sshd_config last/sl2 last/last.cgi last/ps last/netstat last/ifconfig last/top last/logclear last/s last/mkxfs
We take a look at the "install" file to know what we have to expect when we analyze the other recovered files and the mounted disk. We get an idea of what gets removed, copied, moved or created during the installation.
Let's see what have we found with "ils" and "icat". We, obviously, won't cover the empty files and will only comment the ones that seem related to the rootkit. We check the file size and compare with the files on the "last" directory and then we compare them to make sure they're the same. Let's see the first file;
recovered2039.txt; Size 611.931 bytes. Same size as last/ssh. With a;
cmp recovered2039.txt last/sshand see that the files are identical. We proceed with all the other files and get the following relations;
recovered2039.txt last/ssh recovered2040.txt last/pidfile recovered2041.txt last/install recovered2043.txt last/cleaner recovered2044.txt last/inetd.conf recovered2045.txt last/lsattr recovered2046.txt last/services recovered2047.txt last/sense recovered2048.txt last/ssh_config recovered2049.txt last/ssh_host_key recovered2050.txt last/ssh_host_key.pub recovered2051.txt last/ssh_random_seed recovered2052.txt last/sshd_config recovered2053.txt last/sl2 recovered2054.txt last/last.cgi recovered2058.txt last/top recovered2059.txt last/logclear recovered2060.txt last/s recovered2061.txt last/mkxfs
We can see that we have a sequence of inode numbers that relates exactly to the order of extraction of the "recovered23" file with the following exceptions;
recovered2042.txt should correspond to "last/linsniffer", but a comparison gives differences. If we look at the file deleted-info.txt created at the beginning we can see that the "st_block0" of the entry for inode 2042 is the same as for entry 2053. Now if we do a "cmp" with "recovered2053.txt" and "recovered2042.txt";
cmp recovered2053.txt recovered2042.txt
we get
cmp: EOF on recovered2042.txt
confirming that they point to the same blocks (just 2042 is shorter).
We're missing "recovered2055.txt", "recovered2056.txt" and "recovered2057.txt". This would correspond to the files
last/ps last/netstat last/ifconfig
But if we look at the installation script we see that these files are moved, not copied, to the new location. We leave as a task to be done later to find out if the inode where /bin/ps, /bin/netstat and /sbin/ifconfig are 2055, 2056 and 2057 respectively.
Finally we check what we have on the other recovered files. We find;
- recovered8100.txt is part of a text file. Looks like the output of an "apropos" command.
- recovered16110.txt is a PAM configuration file. It has to be noted that allows null passwords (nullok). No further investigation done.
- recovered30188.txt is an executable. Doing a "strings" on it it looks like "netstat"
- recovered30191.txt is an executable. Doing a "strings" on it it looks like "ps"
- recovered48284.txt is an executable. Doing a "strings" on it it looks like "ifconfig"
- recovered56231.txt is a file filled with 0's
The "netstat", "ps" and "ifconfig" we're seeing are, with a high probability, the orignal ones that were replaced by the versions on the rootkit.
We have seen most of the parts of the kits on the recovered files of the disk, but we're going to analyze now the mounted disk. We mount it with;
mkdir/t mount -o nodev,loop,noexec,ro honeypot.hda8.dd /tChecking for the presence of files related to the rootkit we can still find (considering that we only have the / partition and are missing many other partitions);
/t/dev/ida/.drag-on directory with it's rootkit components /t/dev/ida/".. " directory with it's rootkit components /t/sbin/ifconfig /t/bin/netstat /t/bin/ps /t/etc/inetd.conf /t/etc/servicesMost of these files have the creation time of "Mar 16 02:45"
All these files are still the same the rootkit installs except for;
/t/dev/ida/.drag-on/ssh_random_seed, changed contents and date "Mar 16 15:45"
/t/dev/ida/.drag-on/tcp.log, has some content and date of "Mar 16 17:28"
Doing an
ls -i /t/bin/ps /t/bin/netstat /t/sbin/ifconfigWe get
2056 /t/bin/netstat 2055 /t/bin/ps 2057 /t/sbin/ifconfigConfirming that they're on inodes 2055, 2056 and 2057
So far we've done everything to answer completely the questions, but we can still dig a little further. By using "unrm" and we can try to find more things. For example we can recover the mails that the install script sent to the hacker. Here they are;
But "unrm" in conjunction with "lazarus" can also help in other circumstances. For example suppose that we don't have the information provided by "ils" (that could happen if the hacker hacked that information to try to cover himself or if for some reason this information is trashed). Then "unrm" and "lazarus" can recover the rootkit too. We include a description of a way to recover the rootkit by using only "unrm" and "lazarus".To: last@linuxmail.org Subject: placinte * Info : Linux asdf1 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown * Hostname : asdf1 * IfConfig : inet addr:127.0.0.1 Bcast:127.255.255.255 Mask:255.0.0.0 inet addr:172.16.1.108 Bcast:172.16.1.255 Mask:255.255.255.0 * Uptime : 7:45pm up 8:23, 0 users, load average: 0.00, 0.00, 0.00 * Cpu Vendor ID : vendor_id : GenuineIntel * Cpu Model : model : 4 model name : Pentium MMX * Cpu Speed: cpu MHz : 200.457171 * Bogomips: bogomips : 399.77 * Spatiu Liber: Filesystem Size Used Avail Use% Mounted on /dev/hda8 251M 33M 205M 14% / /dev/hda1 23M 2.4M 19M 11% /boot /dev/hda6 1.6G 2.1M 1.5G 0% /home /dev/hda5 1.6G 367M 1.2G 23% /usr /dev/hda7 251M 5.3M 232M 2% /var To: bidi_damm@yahoo.com Subject: roote * Info : Linux asdf1 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown * Hostname : asdf1 * IfConfig : inet addr:127.0.0.1 Bcast:127.255.255.255 Mask:255.0.0.0 inet addr:172.16.1.108 Bcast:172.16.1.255 Mask:255.255.255.0 * Uptime : 7:45pm up 8:23, 0 users, load average: 0.00, 0.00, 0.00 * Cpu Vendor ID : vendor_id : GenuineIntel * Cpu Model : model : 4 model name : Pentium MMX * Cpu Speed: cpu MHz : 200.457171 * Bogomips: bogomips : 399.77 * Spatiu Liber: Filesystem Size Used Avail Use% Mounted on /dev/hda8 251M 33M 205M 14% / /dev/hda1 23M 2.4M 19M 11% /boot /dev/hda6 1.6G 2.1M 1.5G 0% /home /dev/hda5 1.6G 367M 1.2G 23% /usr /dev/hda7 251M 5.3M 232M 2% /var
Another advanced research we can do is execute "mactime" (part of TCT) to have a better feeling of what happened. With;
/path/to/TCT/bin/mactime -Rd /t 01/01/1999 >mactimeoutput.txt
We get a first impression of what happened. And it seems (at first glance) that on March 16th, at 02:45 the hacker began the installation of the rootkit. The same day at 15:39 there's some activity until 15:53, then from 17:22 until 17:28 and finally at 18:20. There's some activity at 11:02 and 18:01, but seems to be generated by the "cron" or "anacron" daemons. We will not investigate further because not having the other partitions (/home, /usr and /var) would make it too hard and because it's not our goal.
1.Show step by step how you identify and recover the deleted rootkit from the / partition.
We've explained it on the "Steps to recover the toolkit" section.
2.What files make up the deleted rootkit?
last/ssh last/pidfile last/install last/linsniffer last/cleaner last/inetd.conf last/lsattr last/services last/sense last/ssh_config last/ssh_host_key last/ssh_host_key.pub last/ssh_random_seed last/sshd_config last/sl2 last/last.cgi last/ps last/netstat last/ifconfig last/top last/logclear last/s last/mkxfsLook at the "Analysis done on the rootkit" to have a description of all these files.
Bonus Question:
Was the rootkit ever actually installed on the system? How do you know?
Yes, We've seen some of the necessary files still on their place as seen in the "Analysis done on the disk" section while most of the unnecessary ones have been found on the recovered files found by "ils" and "icat" as explained on the "Analyzing the other files" section.
It's also important to mention that the sequence of inodes of the found files perfectly matches the behaviour that could be expected of the uncompression/untaring of the rootkit.
On the "Advanced research" section we've seen the actual mails sent to the hacker by the installation script. From the analysis on the "mactime" output we can also suggest that the hacker loged in to the server and had some activity. More investigation could be done to confirm this specially with the other volumes available.