Scan 18

The Scan 15 challenge was to recover a deleted rootkit from a compromised Linux partition. This month's scan is to decode and analyze the Snort binary capture of that same attack. All submissions are due no later than 17:00 CST, Friday, 21 September. Results will be released Monday, 24 September.

  1. The attackers used rpc.statd attack to get into the system. What modifications did they make to the break in process to both automate and make the process faster?

    They used a script like statdx.c, the same one used in the Scan of March 2001 (luckstatdx.c), with some changes in the commands used to get the tar file.
    The commands used to get into the infected system can be seen in the file command.log.

  2. What system/country did the badguys come in from?

    Searching the web for the prefixes 211.180.* and 211.185.*, we can see that almost all sites are from Korea, so we can tell that the addresses 211.185.125.124 and 211.180.229.190 are from Korea.

  3. What nationality are the badguys, and how were you able to determine this?

    Looking at the comments in the install procedure used, we can say that the bad guys are from Romania, since the language used seems to be Romanian and the ftp site the rootkit was downloaded from was also in Romania.

  4. What do the answers to questions #1 and #2 tell us about the tactics the badguys are using?

    From question #1 we can say they are using script-kiddies to search the web for vulnerabilities and attack, in this case, a RedHat system; from question #2, they use the compromised systems to scan for other systems to get into.

  5. What did you learn from this challenge?

    The tools available today for searching for vulnerabilities in systems on the web are more sophisticated every day, and we need to make all the changes in our systems to prevent the use of these tools, always applying the latest patch available.

  6. How long did this challenge take you?

    About 2 days: one to understand the tool used to translate the snort log and another to search the snort log and extract the tar file.

Bonus Question:
Can you recover the blackhat's rootkit from the Snort binary log file? If so, how?

Yes.

I used the Ethereal Network Analyzer tool to recover the tar file. This tool has a function that follows the TCP stream, and I used this to recreate the lk.tgz file. The first time, the file created could not be untarred. After some analysis, I found some TCP nodes with invalid checksums. I made a rule to discard the invalid nodes (frame.number < 913 or frame.number > 915) and then saved the snort log with only the displayed nodes. After that I opened the saved snort log again, and the TCP stream now generated the correct file.

Sorry for the errors in my English!! It's not so good.

Davi Gugelmin
Dgugelmin@usa.net
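As an added example that is not part of this submission or of the Honeynet Project's material: the step described above, following the TCP stream and dropping the segments whose checksums fail before reassembling the downloaded file, done in Python on a constructed pcap. The capture, the RFC 5737 addresses, the ports and the payload are all made up for the demo; the parser handles only plain Ethernet/IPv4/TCP without options, keys segments by sequence number and ignores sequence wrap-around and partial overlap.

```python
"""Added example (not part of the original submission): rebuild one direction
of a TCP stream from a pcap, discarding segments whose TCP checksum fails.
The capture is constructed in memory with RFC 5737 addresses and a fake file;
it is not the Snort log of the challenge."""
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over data (pads an odd trailing byte with zero)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    """TCP checksum with the IPv4 pseudo-header; 0 means the segment verifies."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    return ones_complement_sum(pseudo + tcp)


def build_segment(src_ip, dst_ip, sport, dport, seq, payload, corrupt=False) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (PSH+ACK, no options)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    csum = tcp_checksum(src, dst, tcp)
    if corrupt:
        csum ^= 0x5A5A  # simulate a segment damaged in transit
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames) -> bytes:
    """Wrap raw frames in a little-endian pcap (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data: bytes):
    """Yield (frame_number, frame_bytes); numbering starts at 1 like Ethereal's."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off, number = 24, 0
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        number += 1
        yield number, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame: bytes):
    """Return (src, dst, sport, dport, seq, payload, checksum_ok) or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src, dst, tcp = ip[12:16], ip[16:20], ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, seq, tcp[data_off:], tcp_checksum(src, dst, tcp) == 0


def follow_stream(pcap, client, server, server_port, skip_bad_checksums=True):
    """Rebuild the server->client payload (the direction carrying a downloaded file).

    The first copy seen for a sequence number wins, so a damaged segment hides the
    good retransmission unless bad-checksum segments are dropped first.
    Returns (payload, list of dropped frame numbers)."""
    client_b, server_b = socket.inet_aton(client), socket.inet_aton(server)
    segments, skipped = {}, []
    for number, frame in read_pcap(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, _, seq, payload, ok = parsed
        if src != server_b or dst != client_b or sport != server_port or not payload:
            continue
        if skip_bad_checksums and not ok:
            skipped.append(number)
            continue
        segments.setdefault(seq, payload)
    return b"".join(segments[s] for s in sorted(segments)), skipped


def demo_capture() -> bytes:
    """Constructed capture: three chunks of a file; the third arrives damaged, then again intact."""
    server, client, sport, cport = "192.0.2.20", "192.0.2.10", 20, 40001
    return build_pcap([
        build_segment(server, client, sport, cport, 1000, b"PART1-"),
        build_segment(server, client, sport, cport, 1006, b"PART2-"),
        build_segment(server, client, sport, cport, 1012, b"XXXXX", corrupt=True),
        build_segment(server, client, sport, cport, 1012, b"PART3"),  # retransmission
    ])


if __name__ == "__main__":
    for skip in (False, True):
        data, dropped = follow_stream(demo_capture(), "192.0.2.10", "192.0.2.20", 20, skip)
        print("skip bad checksums:", skip, "->", data, "dropped frames:", dropped)
```

Run as a script it prints both cases: with bad-checksum segments kept, the damaged copy at sequence 1012 masks the retransmitted one and the rebuilt file is wrong, which is the same failure the submission hit on its first attempt; with them dropped, the file comes out intact and the dropped frame numbers are reported so the filter can be checked against the capture.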