1. The attackers used an rpc.statd attack to get into the system. What modifications did they make to the break-in process to both automate and make the process faster?
--------------------------------------------------------------

Their attack tool appears to automatically put them in /, collect some information about what they've gained (e.g., an "id" and a "uname -a" are executed). It is unknown if this is actually being read by the remote end to determine which rootkits to fetch and install, or if the compromise actually obtained root access, but it's probably not a bad idea for us to assume that it does.

Their attack tool then fetches a Linux rootkit from ftp.home.ro (username "soane", password "i2ttgcj1d"), unpacks it, and executes the install script contained inside. The most important thing this does is to execute and install a trojaned version of sshd 1.2.30 on TCP port 5. The password for this trojan appears to be "Frunza14". They also installed a backdoor CGI binary to execute commands on the system, as well as a sniffer.

They included a new inetd.conf and services file without making useful modifications to the same. This is also exceptionally dangerous behavior if the admin is actually using services out of inetd other than the telnet and pop3 that this config file enables. One has to wonder why they would do this.

Finally, they send mail to themselves (or others?) about the machine that they have compromised. This would tell me that this is an automated process and these kids don't know that they have broken into a system, or that they break into so many of them that they can't keep track of them all. One might surmise that these email dropboxes are shared amongst small groups as a sort of primitive database. This is only conjecture, however.

2. What system/country did the badguys come in from?
---------------------------------------------------

The system that performed the compromise is from Kyongsan Purim Elementary School in Korea.

3. What nationality are the badguys, and how were you able to determine this?
----------------------------------------------------------------------------

My guess is that they are Romanian. They used ftp.home.ro as their staging ground, and their rootkit messages are in Romanian (googling for "Instalarea" supports this theory).

4. What do the answers to questions #1 and #2 tell us about the tactics the badguys are using?
----------------------------------------------------------------------

The badguys are compromising a lot of systems across international boundaries and using these to evade detection of their true nationality and location. This also serves very well to hinder prosecution.

5. What did you learn from this challenge?
-----------------------------------------

That kids will install just about anything (see the new inetd.conf and services) without understanding what it is that they're up to, as long as it gets them what they want. They also don't appear to use the machine to actually do anything, at least not right away (and certainly not in the logs that we have available to analyze), but they're collecting them.

6. How long did this challenge take you?
---------------------------------------

An hour or so, judging from the timestamps of files that I created during this little exercise, but I was also watching TV at the time. ;)

Bonus Question: Can you recover the blackhat's rootkit from the Snort binary log file? If so, how?
----------------------------------------------------------------------

Yeah. This was pretty easy. Ethereal. "Follow TCP Stream". "Save As..." It's a life-saver, I tell ya...
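The bonus answer relies on Ethereal's "Follow TCP Stream" to carve the rootkit tarball out of the Snort binary (pcap) log. The following is an added example, not part of the original write-up and not the challenge's own tooling: it shows what that button does under the hood, reading a pcap, picking one direction of one TCP connection, ordering segments by sequence number, dropping retransmitted bytes, and refusing to silently produce a corrupt file if a segment is missing. The sample capture (hosts 10.0.0.1 and 10.0.0.2, the gzip-looking payload, the FTP "150" line) is constructed in the script; none of it comes from the Scan of the Month log.

```python
"""Reassemble one direction of a TCP stream from a pcap file, the way
Ethereal/Wireshark's "Follow TCP Stream" does, so a file that crossed the
wire (e.g. a rootkit tarball pulled over an FTP data connection) can be
carved back out. Added example; the capture below is constructed."""
import struct

# pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype 1 = Ethernet
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_pcap(segments):
    """Build a pcap from (src, dst, sport, dport, seq, payload) tuples.
    Checksums are left zero; this is test traffic, not a real capture."""
    out = bytearray(PCAP_GLOBAL_HDR)
    for ts, (src, dst, sport, dport, seq, payload) in enumerate(segments):
        eth = b"\x00" * 12 + struct.pack("!H", 0x0800)            # EtherType IPv4
        tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                          5 << 4, 0x18, 65535, 0, 0) + payload     # 20-byte header, PSH|ACK
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0,
                         64, 6, 0, ip_bytes(src), ip_bytes(dst))    # proto 6 = TCP
        frame = eth + ip + tcp
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return bytes(out)


def parse_pcap(data):
    """Yield (src, dst, sport, dport, seq, payload) for every TCP/IPv4 frame."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                              # not IPv4/TCP
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data_off = (tcp[12] >> 4) * 4
        yield ip_str(frame[26:30]), ip_str(frame[30:34]), sport, dport, seq, tcp[data_off:]


def follow_stream(data, src, dst, sport, dport):
    """Return the reassembled payload for one direction of one connection.
    Segments are ordered by sequence number and retransmitted or overlapping
    bytes are trimmed, so each byte appears once. A hole (lost segment) raises
    ValueError rather than yielding a silently corrupt file. 32-bit sequence
    wraparound is not handled, which is fine for a short transfer."""
    segs = sorted((seq, p) for s, d, sp, dp, seq, p in parse_pcap(data)
                  if (s, d, sp, dp) == (src, dst, sport, dport) and p)
    out, next_seq = bytearray(), None
    for seq, payload in segs:
        if next_seq is None:
            next_seq = seq
        if seq > next_seq:
            raise ValueError(f"gap of {seq - next_seq} bytes at seq {next_seq}")
        skip = next_seq - seq                                     # bytes already seen
        if skip >= len(payload):
            continue                                              # pure retransmission
        out += payload[skip:]
        next_seq += len(payload) - skip
    return bytes(out)


# Constructed sample: an FTP data transfer (server port 20 -> client port 1026)
# delivered out of order, with one retransmission, plus an unrelated control
# channel line and a bare ACK from the client that must both be ignored.
SAMPLE_SEGMENTS = [
    ("10.0.0.2", "10.0.0.1", 21, 1025, 5000, b"150 Opening BINARY mode data connection\r\n"),
    ("10.0.0.2", "10.0.0.1", 20, 1026, 1000, b"\x1f\x8b\x08\x00rootkit-"),
    ("10.0.0.2", "10.0.0.1", 20, 1026, 1024, b"end\n"),                  # arrives early
    ("10.0.0.2", "10.0.0.1", 20, 1026, 1012, b"part-two-of-"),
    ("10.0.0.2", "10.0.0.1", 20, 1026, 1000, b"\x1f\x8b\x08\x00rootkit-"),  # retransmission
    ("10.0.0.1", "10.0.0.2", 1026, 20, 7000, b""),                       # client ACK, no data
]
SAMPLE_PCAP = build_pcap(SAMPLE_SEGMENTS)
EXPECTED_FILE = b"\x1f\x8b\x08\x00rootkit-part-two-of-end\n"

if __name__ == "__main__":
    blob = follow_stream(SAMPLE_PCAP, "10.0.0.2", "10.0.0.1", 20, 1026)
    print(len(blob), "bytes; gzip magic:", blob[:2] == b"\x1f\x8b")
```

Against a real capture you would read the Snort log with `open(path, "rb").read()`, locate the FTP data connection from the "150"/"226" lines on the control channel, and write `follow_stream(...)` to disk; the output is exactly what Ethereal's "Save As..." gives you, and the gap check tells you when the sniffer dropped packets and the tarball cannot be trusted.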