The Scan 15 challenge was to recover a deleted rootkit from a compromised Linux partition. This month's scan is to decode and analyze the Snort binary capture of that same attack. All submissions are due no later than 17:00 CST, Friday, 21 September. Results will be released Monday, 24 September.
They used a script like statdx.c, the same one used in the Scan of the Month for March 2001 (luckstatdx.c),
with some changes in the commands used to fetch the tar file.
The commands used to get into the infected system can be seen in the file command.log.
Searching the web for the prefixes 211.180.* and 211.185.* shows that almost all sites in those ranges are in Korea, so we can tell that the addresses 211.185.125.124 and 211.180.229.190 are Korean.
Bonus Question:
Can you recover the blackhat's rootkit from the Snort binary log file? If so, how?
Yes.
I used the Ethereal Network Analyzer tool to recover the tar file. This tool has a function that follows the TCP stream, and I used it to recreate the lk.tgz file. The first time, the file created could not be untarred. After some analysis, I found some TCP nodes with invalid checksums. I made a rule to discard the invalid nodes (frame.number < 913 or frame.number > 915) and then saved the Snort log with only the displayed nodes. After that I opened the saved Snort log again, and the TCP stream now generated the correct file.
Sorry for the errors in my English!! It's not so good.
Davi Gugelmin
Dgugelmin@usa.net
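The procedure in the submission above (reassemble the server-to-client TCP stream from the Snort binary log, but first discard the frames whose checksums do not verify) done in code, as an added example that is not part of Davi Gugelmin's submission or of any Honeynet Project tool. It assumes a libpcap-format capture with Ethernet framing, and the sample capture it builds is constructed: the addresses 10.0.0.1 and 10.0.0.2, port 80 and the fake lk.tgz contents are placeholders, not data from the Scan 16 log.

```python
# Added example: rebuild one TCP stream from a libpcap capture (the format of a
# Snort binary log), dropping frames whose IP or TCP checksum fails.  A damaged
# frame that repeats a sequence number would otherwise win the reassembly and
# corrupt the recovered file, which is the effect described in the submission.
import socket
import struct


def ones_complement_sum(data):
    """16-bit one's complement sum used by the IP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data):
    """Checksum of data; comes out as 0 when data already carries a valid one."""
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_checksum(src, dst, segment):
    """TCP checksum over the IPv4 pseudo-header (proto 6) plus the segment."""
    return checksum(src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment)


def parse_pcap(blob):
    """Yield raw link-layer frames from a libpcap file in either byte order."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(blob[:4])
    if endian is None:
        raise ValueError("not a libpcap capture")
    off = 24                                      # skip the global header
    while off + 16 <= len(blob):
        incl_len = struct.unpack(endian + "IIII", blob[off:off + 16])[2]
        off += 16
        yield blob[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Decode Ethernet/IPv4/TCP into (src, sport, dst, dport, seq, payload, ok);
    ok is False if the IP or TCP checksum fails.  None for non-TCP frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        return None
    ip = ip[:struct.unpack("!H", ip[2:4])[0]]     # drop Ethernet trailer padding
    src, dst, seg = ip[12:16], ip[16:20], ip[ihl:]
    sport, dport, seq = struct.unpack("!HHI", seg[:8])
    doff = (seg[12] >> 4) * 4
    ok = checksum(ip[:ihl]) == 0 and tcp_checksum(src, dst, seg) == 0
    return src, sport, dst, dport, seq, seg[doff:], ok


def recover_stream(blob, server_ip, server_port, drop_bad=True):
    """Server->client byte stream ordered by sequence number, plus the 1-based
    frame numbers (Ethereal's frame.number) dropped for bad checksums.
    Sequence wraparound is not handled; enough for a single-file transfer."""
    server, chunks, dropped = socket.inet_aton(server_ip), {}, []
    for number, frame in enumerate(parse_pcap(blob), start=1):
        decoded = decode_tcp(frame)
        if decoded is None:
            continue
        src, sport, _dst, _dport, seq, payload, ok = decoded
        if src != server or sport != server_port or not payload:
            continue                              # other direction or pure ACK
        if drop_bad and not ok:
            dropped.append(number)
            continue
        chunks.setdefault(seq, payload)           # first copy of a segment wins
    data, nxt = bytearray(), None
    for seq in sorted(chunks):
        if nxt is not None and seq > nxt:
            raise ValueError("missing segment at sequence %d" % nxt)
        data += chunks[seq][(nxt - seq) if nxt else 0:]   # trim retransmit overlap
        nxt = max(nxt or 0, seq + len(chunks[seq]))
    return bytes(data), dropped


# ---- constructed sample capture (placeholder hosts and a fake lk.tgz body) ----
FILE = b"\x1f\x8b\x08\x00" + b"constructed lk.tgz contents " * 2


def build_frame(src, sport, dst, dport, seq, payload, corrupt=False):
    """Ethernet/IPv4/TCP frame; corrupt=True flips the last payload byte after
    the checksums are computed, the way a damaged capture frame looks."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
    return frame[:-1] + bytes([frame[-1] ^ 0xFF]) if corrupt else frame


def sample_capture():
    """Little-endian pcap: a request, the file in three segments, one damaged
    duplicate of the second segment (frame 3) and one retransmission (frame 5)."""
    cli, srv = socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2")
    frames = [
        build_frame(cli, 1025, srv, 80, 500, b"GET /lk.tgz\n"),
        build_frame(srv, 80, cli, 1025, 1000, FILE[:10]),
        build_frame(srv, 80, cli, 1025, 1010, FILE[10:20], corrupt=True),
        build_frame(srv, 80, cli, 1025, 1010, FILE[10:20]),
        build_frame(srv, 80, cli, 1025, 1000, FILE[:10]),
        build_frame(srv, 80, cli, 1025, 1020, FILE[20:]),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    data, dropped = recover_stream(sample_capture(), "10.0.0.2", 80)
    print("dropped frames:", dropped, "recovered intact:", data == FILE)
```

Running it with drop_bad=False reproduces the failure mode from the submission: the damaged frame is the first copy of its sequence number, so it is the one that ends up in the output and the recovered archive no longer matches. On a real capture, replace sample_capture() with the bytes of the Snort log and pass the address and port the rootkit was served from.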