- = [ Scan Of The Month 18 ] = -

I treated this SotM in a bit different way than I was probably supposed to. I haven't tried to answer the specified questions; rather, I wanted to get a picture of the attack and its effect. As this SotM was concerning one specific compromised machine, I ignored the traffic going to other hosts (in the 172.16.1.0/24 network), unless it was a scan which targeted this machine among the others. Some information (in fact, something like my notes) about the connections is in the attached file (conns.tgz). Some information we have about the attacking (resp. connecting) machines can be used to guess the target operating system (a sort of passive OS fingerprinting).

Snort binary logs were first parsed through snort (using the -r -l . -d switches). Then I looked through the directories in order to find the relevant data (this could be achieved using BPF filters, but I was also interested in other data that was logged). The relevant traffic is described in traffic.txt.

Q1: The attackers used the rpc.statd attack to get into the system. What modifications did they make to the break-in process to both automate and make the process faster?

A1: First, the attackers did a scan on the 172.16.1.{101-108} network space (probably on the whole class C address block). The scanning tool used a full-connect scan with several connections opened in parallel (like nmap's -M option). The scanning tool was linked with the exploitation tool, which was activated as soon as a machine running the particular service (rpc.statd) was found. Also, the incoming SYN packets were repeated about 10 times before the scanning tool gave up.

Q2: What system/country did the badguys come in from?
A2: According to WHOIS, the attackers used an IP in Korea:

---- whois info
Korea Internet Information Service V1.0 ( created by KRNIC, 2001.6 )
query: 211.185.125.124
# ENGLISH
IP Address        : 211.185.125.0-211.185.125.127
Network Name      : KSPURIM-E
Connect ISP Name  : PUBNET
Connect Date      : 20001120
Registration Date : 20001129

[ Organization Information ]
Orgnization ID    : ORG147082
Org Name          : Kyongsan Purim Elementary School
State             : KYONGBUK
Address           : 171 puki-1ry jinrang-eup kyongsan-ci
Zip Code          : 712-830

[ Admin Contact Information ]
Name              : DAEDUN KYUN
Org Name          : Kyongsan Purim Elementary School
State             : KYONGBUK
Address           : 171 puki-1ry jinrang-eup kyongsan-ci
Zip Code          : 712-830
Phone             : +82-53-851-9523
Fax               : +82-53-851-9522
E-Mail            : gum@hanmail.net

[ Technical Contact Information ]
Name              : DAEDUN KYUN
Org Name          : Kyongsan Purim Elementary School
State             : KYONGBUK
Address           : 171 puki-1ry jinrang-eup kyongsan-ci
Zip Code          : 712-830
Phone             : +82-53-851-9523
Fax               : +82-53-851-9522
E-Mail            : gum@hanmail.net
--- end of whois info

Q3: What nationality are the badguys, and how were you able to determine this?

A3: According to the language used in the rootkit's texts and the fact that they (the attackers) connected to a computer located in Romania, it is highly probable that the attackers come from Romania.

Q4: What do the answers to questions #1 and #2 tell us about the tactics the badguys are using?

A4: The badguys are some Romanian hackers, specializing in exploiting the rpc.statd vulnerability on Linux machines. In order to cover their tracks, they use other compromised hosts in other countries for portscanning and exploit execution.

Q5: What did you learn from this challenge?

A5: Basically, it was the first challenge where I could analyze the captured network traffic from a real attack. Undoubtedly, it was a very interesting experience. I'd like to see similar challenges more often.

Q6: How long did this challenge take you?
A6: About 8 hours around midnight, distributed symmetrically (8pm-4am) :-)

QB: Can you recover the blackhat's rootkit from the Snort binary log file? If so, how?

AB: If we want to recover the file from the snort logs, we need to reconstruct the network flow between the server (193.231.236.41:20) and our machine (172.16.1.108:1027). The easiest way is to take all packets matching the above mentioned criteria (src, dest) and create a file from them. Of course, we must order them according to their sequence numbers (which is what the target machine would do). Furthermore, there might be duplicates in the packet stream, so we need to get rid of them as well.

My first step was to create a file containing the binary dump of the contents of all important packets (= right src and dest, and TCP Push flag set). This was accomplished using a slightly modified tcpdump-3.4 (patch included). The packets were extracted as follows:

$ ./tcpdump -v -v -S -r "snort-0315@0005.log" dst 172.16.1.108 and tcp \
> and src port 20 and "tcp[13] & 8 != 0" -x 2> dump.in

(the tcp[13] & 8 != 0 condition checks if the TCP Push flag is set)

The resulting file (dump.in) contained the packets' contents (no TCP/IP headers), their lengths and sequence numbers. A short program in C did the rest (ordering according to sequence numbers and de-duplicating).
$ ./dedump; tar tvzf dump.out
drwxr-xr-x 1031/users       0 2001-02-26 21:40 last/
-rwxr-xr-x 1031/users  611931 2002-02-08 14:08 last/ssh
-rw-r--r-- 1031/users       1 2001-02-26 16:29 last/pidfile
-rwx------ 1031/users    3713 2001-03-03 04:08 last/install
-rwx------ 1031/users    7165 2001-02-26 16:22 last/linsniffer
-rwxr-xr-x 1031/users    1345 1999-09-09 17:57 last/cleaner
-rw-r--r-- 1031/users    3278 2001-01-27 16:11 last/inetd.conf
-rwxr-xr-x 1031/users      79 2001-02-26 16:28 last/lsattr
-rw-r--r-- 1031/users   11407 2001-01-27 16:11 last/services
-rwxr-xr-x 1031/users    4060 2001-02-26 16:22 last/sense
-rw-r--r-- 1031/users     880 2000-10-22 21:29 last/ssh_config
-rw------- 1031/users     540 2000-10-22 21:29 last/ssh_host_key
-rw-r--r-- 1031/users     344 2000-10-22 21:29 last/ssh_host_key.pub
-rw------- 1031/users     512 2000-10-22 21:29 last/ssh_random_seed
-rw-r--r-- 1031/users     688 2001-02-26 16:29 last/sshd_config
-rwx------ 1031/users    8268 2001-02-26 16:22 last/sl2
-rwxr-xr-x 1031/users    4620 2001-02-26 16:23 last/last.cgi
-rwxr-xr-x 1031/users   33280 2001-02-26 16:23 last/ps
-rwxr-xr-x 1031/users   35300 2001-02-26 16:23 last/netstat
-rwxr-xr-x 1031/users   19840 2001-02-26 16:23 last/ifconfig
-rwxr-xr-x 1031/users   53588 2001-02-26 16:23 last/top
-rwx------ 1031/users      75 2001-02-26 16:24 last/logclear
-rw-r--r-- root/root      708 2001-03-03 04:05 last/s
-rwxr-xr-x 1031/users  632066 2001-02-26 15:46 last/mkxfs

Seems OK. Just to be sure: the file length is 520333 and the md5sum of the file is 115f438631de8d0a7c03c9d458eb7257.
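The ordering and de-duplication step that the dedump program performs, as an added Python example (not the author's code): it reassembles one direction of a TCP stream from (sequence number, payload) records, drops retransmissions, trims segments that overlap bytes already seen, and records any hole so a partial capture is not mistaken for the complete file. The segment list is constructed sample data, and the md5 helper mirrors the author's final integrity check.

```python
import hashlib

# Constructed sample: one direction of a transfer (server:20 -> client:1027)
# as (sequence number, payload) pairs, including a retransmitted segment
# and an overlapping one, the two conditions the reassembly must handle.
SEGMENTS = [
    (1000, b"drwxr-"),        # first data segment
    (1006, b"xr-x "),         # next in order
    (1000, b"drwxr-"),        # exact retransmission: must be dropped
    (1008, b"-x last/\n"),    # overlaps 3 bytes already seen: must be trimmed
]

def reassemble(segments):
    """Rebuild one direction of a TCP stream from (seq, payload) records.

    Returns (data, gaps): data is the contiguous byte stream in sequence
    order; gaps lists (expected_seq, found_seq) for every hole, which is
    padded with NULs so a partial capture is never mistaken for a full file.
    Assumes no 32-bit sequence wrap within the flow (true for a short transfer).
    """
    out = bytearray()
    gaps = []
    nxt = None                          # next expected sequence number
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if not payload:
            continue                    # pure ACK / no data
        if nxt is None:
            nxt = seq                   # first byte of the stream
        if seq < nxt:                   # retransmission or partial overlap
            skip = nxt - seq
            if skip >= len(payload):
                continue                # nothing new in this segment
            payload, seq = payload[skip:], nxt
        elif seq > nxt:                 # bytes missing from the capture
            gaps.append((nxt, seq))
            out.extend(b"\x00" * (seq - nxt))
        out.extend(payload)
        nxt = seq + len(payload)
    return bytes(out), gaps

def md5_hex(data):
    """Digest of the recovered bytes, for comparison against a known sample."""
    return hashlib.md5(data).hexdigest()

if __name__ == "__main__":
    data, gaps = reassemble(SEGMENTS)
    print(len(data), md5_hex(data), gaps)
```

Unlike the PSH-only tcpdump filter above, this takes every data-carrying segment of the flow, so a sender that pushes only on the last segment of a buffer does not leave holes in the recovered file.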