Honeynet Project: Scan 18

Kevin Liston

kliston@infornographic.com


The Challenge:

The Scan of the Month for Scan 15 was to recover a deleted rootkit. Scan 18 involves analyzing the snort dump from that March 15th incident and answering the following questions:


  1. The attackers used rpc.statd attack to get into the system. What modifications did they make to the break in process to both automate and make the process faster?

  2. What system/country did the badguys come in from?

  3. What nationality are the badguys, and how were you able to determine this?

  4. What do the answers to questions #1 and #2 tell you about the tactics the badguys are using?

  5. What did you learn from this challenge?

  6. How long did this challenge take you?


The Initial Analysis:


I wanted to determine what scans were going on in the honeynet before, during and after the attack. If we examine the SYN connections to TCP services and sort on the source port, we can see the chronology of actions from the scanner's point of view-- unless the scan packets are crafted in strange ways. In this case, I'm looking for the attacker scanning for portmapper, TCP/111. I was using tcpdump version 3.6 to process the binary file, and wrote a quick perl script to simplify the output.


connection_filter.pl:


#!/usr/bin/perl
# Simplify tcpdump SYN output so it can be sorted on the source port.
# Input is produced by:
#   tcpdump -nr snort-0315\@0005.log tcp[13]=2
# and each line looks like:
#   05:33:23.616029 203.111.78.182.2656 > 172.16.1.102.111: S 1642299750:1642299750(0) win 32120 <mss 1460,sackOK,timestamp 1425735 0,nop,wscale 0> (DF)
# Output is one line per SYN: "time src_ip src_port > dst_ip dst_port"
use strict;
use warnings;

while (<>) {
    my @line = split;                  # [0] time, [1] src, [2] ">", [3] "dst:"
    $line[3] =~ s/://;                 # drop the colon after the destination
    # split "a.b.c.d.port" into "a.b.c.d port" for source and destination
    $line[1] =~ s/(.+\..+\..+\..+)\.(.+)/$1 $2/;
    $line[3] =~ s/(.+\..+\..+\..+)\.(.+)/$1 $2/;
    print "$line[0] $line[1] $line[2] $line[3]\n";
}



The command used to generate the output was:


tcpdump -nr snort-0315\@0005.log tcp[13]=2 | ./connection_filter.pl |sort -n -k 3



21:36:21.451950 193.231.236.41 20 > 172.16.1.108 1027

13:34:07.018434 172.16.1.108 1025 > 216.168.224.69 43

21:36:04.694845 172.16.1.108 1026 > 193.231.236.41 21

21:46:15.135480 172.16.1.108 1028 > 216.136.129.14 25

21:46:23.795364 172.16.1.108 1029 > 209.61.188.33 25

21:36:05.086302 193.231.236.41 1516 > 172.16.1.108 113

21:36:07.088458 193.231.236.41 1519 > 172.16.1.108 113

21:36:07.504259 193.231.236.41 1522 > 172.16.1.108 113

09:35:52.282971 211.180.229.190 1558 > 172.16.1.101 515

09:35:55.215472 211.180.229.190 1558 > 172.16.1.101 515

09:35:55.247377 211.180.229.190 1560 > 172.16.1.103 515

09:35:55.224358 211.180.229.190 1561 > 172.16.1.104 515

09:35:55.253008 211.180.229.190 1562 > 172.16.1.105 515

09:35:55.259768 211.180.229.190 1563 > 172.16.1.106 515

09:35:52.282978 211.180.229.190 1564 > 172.16.1.107 515

09:35:55.260752 211.180.229.190 1564 > 172.16.1.107 515

09:35:55.265661 211.180.229.190 1565 > 172.16.1.108 515

12:29:42.462830 65.195.31.2 2471 > 172.16.1.101 53

12:29:39.936665 65.195.31.2 2473 > 172.16.1.103 53

12:29:42.453684 65.195.31.2 2476 > 172.16.1.106 53

12:29:39.939751 65.195.31.2 2477 > 172.16.1.107 53

05:33:23.616029 203.111.78.182 2656 > 172.16.1.102 111

05:33:26.600232 203.111.78.182 2656 > 172.16.1.102 111

05:33:23.616049 203.111.78.182 2657 > 172.16.1.103 111

05:33:29.035589 203.111.78.182 2658 > 172.16.1.104 111

05:33:29.036241 203.111.78.182 2659 > 172.16.1.105 111

05:33:29.044579 203.111.78.182 2660 > 172.16.1.106 111

05:33:29.045235 203.111.78.182 2661 > 172.16.1.107 111

05:33:29.053298 203.111.78.182 2662 > 172.16.1.108 111

10:08:30.974471 211.180.229.190 3329 > 172.16.1.103 23

21:21:23.840485 211.185.125.124 3493 > 172.16.1.101 111

21:21:26.854705 211.185.125.124 3493 > 172.16.1.101 111

21:21:32.900754 211.185.125.124 3493 > 172.16.1.101 111

21:21:44.877860 211.185.125.124 3493 > 172.16.1.101 111

21:22:08.886316 211.185.125.124 3493 > 172.16.1.101 111

21:22:56.833325 211.185.125.124 3493 > 172.16.1.101 111

21:24:32.858860 211.185.125.124 3493 > 172.16.1.101 111

21:26:32.840554 211.185.125.124 3493 > 172.16.1.101 111

21:28:33.049075 211.185.125.124 3493 > 172.16.1.101 111

21:30:33.040132 211.185.125.124 3493 > 172.16.1.101 111

21:32:32.867640 211.185.125.124 3493 > 172.16.1.101 111

21:34:32.867518 211.185.125.124 3493 > 172.16.1.101 111

21:21:23.863730 211.185.125.124 3494 > 172.16.1.102 111

21:21:26.855656 211.185.125.124 3494 > 172.16.1.102 111

21:21:32.890043 211.185.125.124 3494 > 172.16.1.102 111

21:21:44.861092 211.185.125.124 3494 > 172.16.1.102 111

21:22:08.876815 211.185.125.124 3494 > 172.16.1.102 111

21:22:56.843552 211.185.125.124 3494 > 172.16.1.102 111

21:24:32.856862 211.185.125.124 3494 > 172.16.1.102 111

21:26:32.858734 211.185.125.124 3494 > 172.16.1.102 111

21:28:33.030388 211.185.125.124 3494 > 172.16.1.102 111

21:30:33.041487 211.185.125.124 3494 > 172.16.1.102 111

21:32:32.849693 211.185.125.124 3494 > 172.16.1.102 111

21:34:32.849615 211.185.125.124 3494 > 172.16.1.102 111

21:21:23.857472 211.185.125.124 3495 > 172.16.1.103 111

21:21:26.868126 211.185.125.124 3496 > 172.16.1.104 111

21:21:32.887966 211.185.125.124 3496 > 172.16.1.104 111

21:21:44.846595 211.185.125.124 3496 > 172.16.1.104 111

21:22:08.870784 211.185.125.124 3496 > 172.16.1.104 111

21:22:56.851467 211.185.125.124 3496 > 172.16.1.104 111

21:24:32.865990 211.185.125.124 3496 > 172.16.1.104 111

21:26:32.849176 211.185.125.124 3496 > 172.16.1.104 111

21:28:33.011753 211.185.125.124 3496 > 172.16.1.104 111

21:30:33.019663 211.185.125.124 3496 > 172.16.1.104 111

21:32:32.858822 211.185.125.124 3496 > 172.16.1.104 111

21:34:32.869107 211.185.125.124 3496 > 172.16.1.104 111

21:21:23.893589 211.185.125.124 3497 > 172.16.1.105 111

21:21:26.885677 211.185.125.124 3497 > 172.16.1.105 111

21:21:32.862699 211.185.125.124 3497 > 172.16.1.105 111

21:21:44.867892 211.185.125.124 3497 > 172.16.1.105 111

21:22:08.858897 211.185.125.124 3497 > 172.16.1.105 111

21:22:56.869735 211.185.125.124 3497 > 172.16.1.105 111

21:24:32.884170 211.185.125.124 3497 > 172.16.1.105 111

21:26:32.859908 211.185.125.124 3497 > 172.16.1.105 111

21:28:33.020979 211.185.125.124 3497 > 172.16.1.105 111

21:30:33.049258 211.185.125.124 3497 > 172.16.1.105 111

21:32:32.893936 211.185.125.124 3497 > 172.16.1.105 111

21:34:32.850834 211.185.125.124 3497 > 172.16.1.105 111

21:21:23.912707 211.185.125.124 3498 > 172.16.1.106 111

21:21:26.875390 211.185.125.124 3498 > 172.16.1.106 111

21:21:32.853791 211.185.125.124 3498 > 172.16.1.106 111

21:21:44.851719 211.185.125.124 3498 > 172.16.1.106 111

21:22:08.850785 211.185.125.124 3498 > 172.16.1.106 111

21:24:32.849230 211.185.125.124 3498 > 172.16.1.106 111

21:28:33.010894 211.185.125.124 3498 > 172.16.1.106 111

21:30:33.050534 211.185.125.124 3498 > 172.16.1.106 111

21:32:32.877256 211.185.125.124 3498 > 172.16.1.106 111

21:34:32.858684 211.185.125.124 3498 > 172.16.1.106 111

21:21:23.873607 211.185.125.124 3499 > 172.16.1.107 111

21:21:26.863772 211.185.125.124 3499 > 172.16.1.107 111

21:21:32.880809 211.185.125.124 3499 > 172.16.1.107 111

21:21:44.870212 211.185.125.124 3499 > 172.16.1.107 111

21:22:08.849866 211.185.125.124 3499 > 172.16.1.107 111

21:22:56.870900 211.185.125.124 3499 > 172.16.1.107 111

21:24:32.847567 211.185.125.124 3499 > 172.16.1.107 111

21:26:32.869014 211.185.125.124 3499 > 172.16.1.107 111

21:28:33.047668 211.185.125.124 3499 > 172.16.1.107 111

21:30:33.021350 211.185.125.124 3499 > 172.16.1.107 111

21:32:32.848757 211.185.125.124 3499 > 172.16.1.107 111

21:34:32.859952 211.185.125.124 3499 > 172.16.1.107 111

21:21:23.874409 211.185.125.124 3500 > 172.16.1.108 111

21:21:36.312515 211.185.125.124 4450 > 172.16.1.108 39168

21:46:24.453124 209.61.188.33 43497 > 172.16.1.108 113


From this output we can clearly see the portmapper scan originating from 211.185.125.124. The source port increases with the IP number. The repeated entries (the same source port retried against the same target) indicate machines in the honeynet that did not answer. From this, you can tell that 172.16.1.103 and 172.16.1.108 are running some service on TCP/111. Note that the scan stops at 172.16.1.108, so perhaps the scanner/attacker switches to another subnet after it makes a successful attack.
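The source-port reasoning above, as an added example that is not part of the original write-up: a Python re-implementation of connection_filter.pl plus the sort, followed by the checks the text applies by eye. Retransmitted SYNs mark targets that never answered, a source port that rises with the target address marks one sweep, and a SYN to something other than port 111 marks the follow-up connection. Function names are my own, and the sample is constructed from the scanner's entries in the listing above with made-up sequence numbers.

```python
import re
from collections import defaultdict

# One tcpdump 3.6 line per SYN, the format connection_filter.pl consumes:
#   05:33:23.616029 203.111.78.182.2656 > 172.16.1.102.111: S 1642299750:1642299750(0) ...
SYN_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+'
    r'(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+'
    r'(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+S\b')

def parse_syn(line):
    """Return (ts, sip, sport, dip, dport) for a SYN line, else None."""
    m = SYN_RE.match(line)
    if not m:
        return None
    return (m['ts'], m['sip'], int(m['sport']), m['dip'], int(m['dport']))

def by_source_port(lines):
    """Same view as `tcpdump ... | ./connection_filter.pl | sort -n -k 3`."""
    recs = [r for r in map(parse_syn, lines) if r]
    return sorted(recs, key=lambda r: (r[2], r[0]))

def answered_and_silent(recs, scanner, port):
    """Per target of the scan: one SYN means the target replied (SYN/ACK or
    RST) and the client stopped; several SYNs from the same source port are
    retransmissions, i.e. nobody answered."""
    counts = defaultdict(int)
    for ts, sip, sport, dip, dport in recs:
        if sip == scanner and dport == port:
            counts[(sport, dip)] += 1
    answered = sorted({dip for (_, dip), n in counts.items() if n == 1})
    silent = sorted({dip for (_, dip), n in counts.items() if n > 1})
    return answered, silent

def sequential_scan(recs, scanner, port):
    """True when the first source port used per target rises with the target's
    last octet: one scanner sweeping the subnet in address order."""
    first = {}
    for ts, sip, sport, dip, dport in recs:
        if sip == scanner and dport == port:
            first.setdefault(dip, sport)
    ordered = sorted(first.items(), key=lambda kv: int(kv[0].rsplit('.', 1)[1]))
    ports = [p for _, p in ordered]
    return len(ports) > 1 and ports == sorted(ports)

def follow_ups(recs, scanner, port):
    """SYNs from the scanner to anything but the scanned port: the candidate
    exploit connection that follows a positive hit (TCP/39168 here)."""
    return [(ts, dip, dport) for ts, sip, sport, dip, dport in recs
            if sip == scanner and dport != port]

# Constructed sample: the scanner's SYNs from the listing above, with made-up
# sequence numbers, plus one non-SYN line that must be ignored.
SAMPLE = """\
21:21:23.840485 211.185.125.124.3493 > 172.16.1.101.111: S 10:10(0) win 32120 (DF)
21:21:23.857472 211.185.125.124.3495 > 172.16.1.103.111: S 11:11(0) win 32120 (DF)
21:21:23.863730 211.185.125.124.3494 > 172.16.1.102.111: S 12:12(0) win 32120 (DF)
21:21:23.874409 211.185.125.124.3500 > 172.16.1.108.111: S 13:13(0) win 32120 (DF)
21:21:26.854705 211.185.125.124.3493 > 172.16.1.101.111: S 10:10(0) win 32120 (DF)
21:21:26.855656 211.185.125.124.3494 > 172.16.1.102.111: S 12:12(0) win 32120 (DF)
21:21:26.868126 211.185.125.124.3496 > 172.16.1.104.111: S 14:14(0) win 32120 (DF)
21:21:32.887966 211.185.125.124.3496 > 172.16.1.104.111: S 14:14(0) win 32120 (DF)
21:21:36.312515 211.185.125.124.4450 > 172.16.1.108.39168: S 15:15(0) win 32120 (DF)
21:36:04.694845 172.16.1.108.1026 > 193.231.236.41.21: S 16:16(0) win 32120 (DF)
21:36:05.100000 193.231.236.41.21 > 172.16.1.108.1026: . ack 17 win 32120 (DF)
"""

if __name__ == '__main__':
    recs = by_source_port(SAMPLE.splitlines())
    scanner = '211.185.125.124'
    print('answered / silent:', answered_and_silent(recs, scanner, 111))
    print('sequential sweep:', sequential_scan(recs, scanner, 111))
    print('follow-up connections:', follow_ups(recs, scanner, 111))
```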


So, we have our first IP number of interest, 211.185.125.124. Let's take a look at where it's located:


Asia Pacific Network Information Center (NETBLK-APNIC-CIDR-BLK)

These addresses have been further assigned to Asia-Pacific users.

Contact info can be found in the APNIC database,

at WHOIS.APNIC.NET or http://www.apnic.net/

Please do not send spam complaints to APNIC.

AU


Netname: APNIC-CIDR-BLK2

Netblock: 210.0.0.0 - 211.255.255.255


Coordinator:

Administrator, System (SA90-ARIN) [No mailbox]

+61-7-3367-0490


Domain System inverse mapping provided by:


NS.APNIC.NET 203.37.255.97

SVC00.APNIC.NET 202.12.28.131

NS.TELSTRA.NET 203.50.0.137

NS.RIPE.NET 193.0.0.193


Regional Internet Registry for the Asia-Pacific Region.

*** Use whois -h whois.apnic.net ***

*** or see http://www.apnic.net/db/ for database assistance ***


Record last updated on 03-May-2000.

Database last updated on 30-Aug-2001 23:13:35 EDT.


Search the APNIC Whois database:


Search results for '211.185.125.124'


inetnum 211.172.0.0 - 211.199.255.255

netname KRNIC-KR

descr KRNIC

descr Korea Network Information Center

country KR

admin-c HM127-AP, inverse

tech-c HM127-AP, inverse

remarks ******************************************

remarks KRNIC is the National Internet Registry

remarks in Korea under APNIC. If you would like to

remarks find assignment information in detail

remarks please refer to the KRNIC Whois DB

remarks http://whois.nic.or.kr/english/index.html

remarks ******************************************

mnt-by APNIC-HM, inverse

mnt-lower MNT-KRNIC-AP, inverse

changed hostmaster@apnic.net 20000607

changed hostmaster@apnic.net 20010606

source APNIC



person Host Master, inverse

address Korea Network Information Center

address Narajongkeum B/D 14F, 1328-3, Seocho-dong, Seocho-ku, Seoul, 137-070, Republic of Korea

country KR

phone +82-2-2186-4500

fax-no +82-2-2186-4496

e-mail hostmaster@nic.or.kr, inverse

nic-hdl HM127-AP, inverse

mnt-by MNT-KRNIC-AP, inverse

changed hostmaster@nic.or.kr 20010514

source APNIC


There is no reverse lookup.


The Attack Mechanism:


Now that we know the players in the attack, we look back at our initiated connections to and from the honeynet, this time sorting on time rather than source port. I've added comments to the notable connection initiations, marked with >>>>.


05:33:23.616029 203.111.78.182 2656 > 172.16.1.102 111

05:33:23.616049 203.111.78.182 2657 > 172.16.1.103 111

05:33:26.600232 203.111.78.182 2656 > 172.16.1.102 111

05:33:29.035589 203.111.78.182 2658 > 172.16.1.104 111

05:33:29.036241 203.111.78.182 2659 > 172.16.1.105 111

05:33:29.044579 203.111.78.182 2660 > 172.16.1.106 111

05:33:29.045235 203.111.78.182 2661 > 172.16.1.107 111

05:33:29.053298 203.111.78.182 2662 > 172.16.1.108 111

09:35:52.282971 211.180.229.190 1558 > 172.16.1.101 515

09:35:52.282978 211.180.229.190 1564 > 172.16.1.107 515

09:35:55.215472 211.180.229.190 1558 > 172.16.1.101 515

09:35:55.224358 211.180.229.190 1561 > 172.16.1.104 515

09:35:55.247377 211.180.229.190 1560 > 172.16.1.103 515

09:35:55.253008 211.180.229.190 1562 > 172.16.1.105 515

09:35:55.259768 211.180.229.190 1563 > 172.16.1.106 515

09:35:55.260752 211.180.229.190 1564 > 172.16.1.107 515

09:35:55.265661 211.180.229.190 1565 > 172.16.1.108 515

10:08:30.974471 211.180.229.190 3329 > 172.16.1.103 23

12:29:39.936665 65.195.31.2 2473 > 172.16.1.103 53

12:29:39.939751 65.195.31.2 2477 > 172.16.1.107 53

12:29:42.453684 65.195.31.2 2476 > 172.16.1.106 53

12:29:42.462830 65.195.31.2 2471 > 172.16.1.101 53

13:34:07.018434 172.16.1.108 1025 > 216.168.224.69 43

21:21:23.840485 211.185.125.124 3493 > 172.16.1.101 111

21:21:23.857472 211.185.125.124 3495 > 172.16.1.103 111

21:21:23.863730 211.185.125.124 3494 > 172.16.1.102 111

21:21:23.873607 211.185.125.124 3499 > 172.16.1.107 111

21:21:23.874409 211.185.125.124 3500 > 172.16.1.108 111

21:21:23.893589 211.185.125.124 3497 > 172.16.1.105 111

21:21:23.912707 211.185.125.124 3498 > 172.16.1.106 111

21:21:26.854705 211.185.125.124 3493 > 172.16.1.101 111

21:21:26.855656 211.185.125.124 3494 > 172.16.1.102 111

21:21:26.863772 211.185.125.124 3499 > 172.16.1.107 111

21:21:26.868126 211.185.125.124 3496 > 172.16.1.104 111

21:21:26.875390 211.185.125.124 3498 > 172.16.1.106 111

21:21:26.885677 211.185.125.124 3497 > 172.16.1.105 111

21:21:32.853791 211.185.125.124 3498 > 172.16.1.106 111

21:21:32.862699 211.185.125.124 3497 > 172.16.1.105 111

21:21:32.880809 211.185.125.124 3499 > 172.16.1.107 111

21:21:32.887966 211.185.125.124 3496 > 172.16.1.104 111

21:21:32.890043 211.185.125.124 3494 > 172.16.1.102 111

21:21:32.900754 211.185.125.124 3493 > 172.16.1.101 111

21:21:36.312515 211.185.125.124 4450 > 172.16.1.108 39168 >>>> Attack

21:21:44.846595 211.185.125.124 3496 > 172.16.1.104 111

21:21:44.851719 211.185.125.124 3498 > 172.16.1.106 111

21:21:44.861092 211.185.125.124 3494 > 172.16.1.102 111

21:21:44.867892 211.185.125.124 3497 > 172.16.1.105 111

21:21:44.870212 211.185.125.124 3499 > 172.16.1.107 111

21:21:44.877860 211.185.125.124 3493 > 172.16.1.101 111

21:22:08.849866 211.185.125.124 3499 > 172.16.1.107 111

21:22:08.850785 211.185.125.124 3498 > 172.16.1.106 111

21:22:08.858897 211.185.125.124 3497 > 172.16.1.105 111

21:22:08.870784 211.185.125.124 3496 > 172.16.1.104 111

21:22:08.876815 211.185.125.124 3494 > 172.16.1.102 111

21:22:08.886316 211.185.125.124 3493 > 172.16.1.101 111

21:22:56.833325 211.185.125.124 3493 > 172.16.1.101 111

21:22:56.843552 211.185.125.124 3494 > 172.16.1.102 111

21:22:56.851467 211.185.125.124 3496 > 172.16.1.104 111

21:22:56.869735 211.185.125.124 3497 > 172.16.1.105 111

21:22:56.870900 211.185.125.124 3499 > 172.16.1.107 111

21:24:32.847567 211.185.125.124 3499 > 172.16.1.107 111

21:24:32.849230 211.185.125.124 3498 > 172.16.1.106 111

21:24:32.856862 211.185.125.124 3494 > 172.16.1.102 111

21:24:32.858860 211.185.125.124 3493 > 172.16.1.101 111

21:24:32.865990 211.185.125.124 3496 > 172.16.1.104 111

21:24:32.884170 211.185.125.124 3497 > 172.16.1.105 111

21:26:32.840554 211.185.125.124 3493 > 172.16.1.101 111

21:26:32.849176 211.185.125.124 3496 > 172.16.1.104 111

21:26:32.858734 211.185.125.124 3494 > 172.16.1.102 111

21:26:32.859908 211.185.125.124 3497 > 172.16.1.105 111

21:26:32.869014 211.185.125.124 3499 > 172.16.1.107 111

21:28:33.010894 211.185.125.124 3498 > 172.16.1.106 111

21:28:33.011753 211.185.125.124 3496 > 172.16.1.104 111

21:28:33.020979 211.185.125.124 3497 > 172.16.1.105 111

21:28:33.030388 211.185.125.124 3494 > 172.16.1.102 111

21:28:33.047668 211.185.125.124 3499 > 172.16.1.107 111

21:28:33.049075 211.185.125.124 3493 > 172.16.1.101 111

21:30:33.019663 211.185.125.124 3496 > 172.16.1.104 111

21:30:33.021350 211.185.125.124 3499 > 172.16.1.107 111

21:30:33.040132 211.185.125.124 3493 > 172.16.1.101 111

21:30:33.041487 211.185.125.124 3494 > 172.16.1.102 111

21:30:33.049258 211.185.125.124 3497 > 172.16.1.105 111

21:30:33.050534 211.185.125.124 3498 > 172.16.1.106 111

21:32:32.848757 211.185.125.124 3499 > 172.16.1.107 111

21:32:32.849693 211.185.125.124 3494 > 172.16.1.102 111

21:32:32.858822 211.185.125.124 3496 > 172.16.1.104 111

21:32:32.867640 211.185.125.124 3493 > 172.16.1.101 111

21:32:32.877256 211.185.125.124 3498 > 172.16.1.106 111

21:32:32.893936 211.185.125.124 3497 > 172.16.1.105 111

21:34:32.849615 211.185.125.124 3494 > 172.16.1.102 111

21:34:32.850834 211.185.125.124 3497 > 172.16.1.105 111

21:34:32.858684 211.185.125.124 3498 > 172.16.1.106 111

21:34:32.859952 211.185.125.124 3499 > 172.16.1.107 111

21:34:32.867518 211.185.125.124 3493 > 172.16.1.101 111

21:34:32.869107 211.185.125.124 3496 > 172.16.1.104 111

21:36:04.694845 172.16.1.108 1026 > 193.231.236.41 21 >>>>> compromised system FTPing rootkit

21:36:05.086302 193.231.236.41 1516 > 172.16.1.108 113

21:36:07.088458 193.231.236.41 1519 > 172.16.1.108 113

21:36:07.504259 193.231.236.41 1522 > 172.16.1.108 113

21:36:21.451950 193.231.236.41 20 > 172.16.1.108 1027

21:46:15.135480 172.16.1.108 1028 > 216.136.129.14 25 >>>> compromised system mailing out

21:46:23.795364 172.16.1.108 1029 > 209.61.188.33 25 >>>> compromised system mailing out (delivery fails)

21:46:24.453124 209.61.188.33 43497 > 172.16.1.108 113 >>>> ident request from mailserver



The incident occurs as follows:


  1. TCP/111 port scan through the honeynet.

  2. Hit occurs on 172.16.1.103, but yields a negative result to the scanner

  3. Positive hit occurs on 172.16.1.108

  4. 211.185.125.124 makes a request about rpc.statd

  5. 211.185.125.124 opens a connection to UDP/790 on 172.16.1.108

  6. 211.185.125.124 launches a statdx attack to port UDP/931 on 172.16.1.108

  7. Overflowed buffer on 172.16.1.108 instructs it to FTP the root kit from 193.231.236.41

  8. 172.16.1.108 emails a message out to 216.136.129.14

  9. 172.16.1.108 fails to email a message out to 209.61.188.33


More Players, the Plot Thickens:

We can see from the connections coming into and leaving 172.16.1.108 that more machines are at work here than just the scanner/attacker. There is the server that was FTPed into, and the two servers that received email. Let's take a look at who they are:


193.231.236.41, the ftp server, resolves to s1.home.ro


European Regional Internet Registry/RIPE NCC (NETBLK-RIPE)

These addresses have been further assigned to European users.

Contact info can be found in the RIPE database, via the

WHOIS and TELNET servers at whois.ripe.net, and at

http://www.ripe.net/db/whois.html

NL


Netname: RIPE-CBLK

Netblock: 193.0.0.0 - 193.255.255.255

Maintainer: RIPE


Coordinator:

Reseaux IP European Network Co-ordination Centre Singel 258 (RIPE-NCC-ARIN) nicdb@RIPE.NET

+31 20 535 4444


Domain System inverse mapping provided by:


NS.RIPE.NET 193.0.0.193

NS.EU.NET 192.16.202.11

AUTH03.NS.UU.NET 198.6.1.83

NS2.NIC.FR 192.93.0.4

SUNIC.SUNET.SE 192.36.125.2

MUNNARI.OZ.AU 128.250.1.21

NS.APNIC.NET 203.37.255.97


To search on arbitrary strings, see the Database page on

the RIPE NCC web-site at http://www.ripe.net/db/


Record last updated on 16-Oct-1998.

Database last updated on 30-Aug-2001 23:13:35 EDT.


% This is the RIPE Whois server.

% The objects are in RPSL format.

% Please visit http://www.ripe.net/rpsl for more information.

% Rights restricted by copyright.

% See http://www.ripe.net/ripencc/pub-services/db/copyright.html



inetnum: 193.231.236.0 - 193.231.236.255

netname: RDSNET

descr: Romania Data Systems

country: RO

admin-c: RDSH1-RIPE

tech-c: RDSH1-RIPE

rev-srv: ns1.rdsnet.ro 193.231.236.17

rev-srv: ns2.rdsnet.ro 193.231.236.10

status: ASSIGNED PA

remarks: object maintained by ro.rnc local registry

notify: domain-admin@rnc.ro

notify: as-admin@rdsnet.ro

mnt-by: AS3233-MNT

changed: danacorb@sunu.rnc.ro 19971217

changed: estaicut@rnc.ro 19981123

changed: cristih@rnc.ro 20000816

changed: cristih@rnc.ro 20010215

source: RIPE



route: 193.231.224.0/20

descr: RDSNET

origin: AS8708

mnt-by: AS8708-MNT

changed: tim@rdsnet.ro 20010320

source: RIPE



person: RDS Hostmaster

address: Romania Data Systems

address: Str. Sf. Vineri Nr. 25

address: Bl. 105C, Sector 3

address: Bucharest / ROMANIA

phone: +40 1 301 08 88

fax-no: +40 1 301 08 51

e-mail: hostmaster@rdsnet.ro

nic-hdl: RDSH1-RIPE

remarks: Hostmaster team:

remarks: Cornel Ciocirlan - CC79-RIPE

remarks: Andrei Stirbu - AS1385-RIPE

remarks: Adrian Niculae Gabriel - NAG4-RIPE

remarks: Dragos Vilceanu - DV461-RIPE

remarks: Bogdan Surdu - BS747-RIPE

notify: hostmaster@rdsnet.ro

mnt-by: AS8708-MNT

changed: tim@rdsnet.ro 20000424

source: RIPE


216.136.129.14 resolves to mta-v15.mail.yahoo.com. The recipient was bidi_damm@yahoo.com; bidi_damm's Yahoo profile indicates that he is male.


209.61.188.33 resolves to walterworks.com, a probable co-location customer of rackspace.com. The version of sendmail running on walterworks.com found the sending address to be disagreeable, so the transfer did not continue far enough for us to see the intended recipient.


Registrant:

WalterWorks, Inc. (WALTERWORKS-DOM)

P.O. Box 403

Barker, TX 77413

US


Domain Name: WALTERWORKS.COM


Administrative Contact, Technical Contact, Billing Contact:

Walter, Jeff (JW2131) jwalter@WALTERWORKS.COM

WalterWorks, Inc.

P.O. Box 403

Barker, TX 77413

281-647-9794 (FAX) 281 647-9798


Record last updated on 12-Aug-2001.

Record expires on 11-Jun-2002.

Record created on 10-Jun-1996.

Database last updated on 31-Aug-2001 05:27:00 EDT.


Domain servers in listed order:


NS.WALTERWORKS.COM 209.61.188.33

NS2.WALTERWORKS.COM 66.136.31.20

NS3.WALTERWORKS.COM 66.136.31.21


Rackspace.com (NETBLK-RSPC-NET-2)

112 East Pecan St.

San Antonio, TX 78205

US


Netname: RSPC-NET-2

Netblock: 209.61.128.0 - 209.61.191.255

Maintainer: RSPC


Coordinator:

Rackspace, com (ZR9-ARIN) hostmaster@rackspace.com

210-892-4000


Domain System inverse mapping provided by:


NS.RACKSPACE.COM 207.235.16.2

NS2.RACKSPACE.COM 207.71.44.121


Record last updated on 05-Sep-2000.

Database last updated on 30-Aug-2001 23:13:35 EDT.



Addressing the Challenge:


Question 1:


From the source port numbers, it appears that the scanning and attack processes are coupled, and that the machine is scanning more than one network at once. See the jump in source ports from 3500, when it scans TCP/111 on 172.16.1.108, to 4450 for the actual rpc.statd query.

The buffer overflow itself instructs the compromised machine to FTP a rootkit from s1.home.ro, install the rootkit, and email a happy little message that it has been compromised. The attackers thereby have a list of emails as machines are compromised, and they can go through their FTP transfer logs to see which machines came in to download the rootkit itself.

It's quite possible that the Korean scanning server was compromised the same way, and that the honeynet server would soon start scanning for vulnerable systems. I'm not sure if this was initiated automatically.



Question 2:


The scan and buffer overflow came from 211.185.125.124, a system reported to be in Korea.


The rootkit was FTPed from s1.home.ro (193.231.236.41) in Bucharest, Romania.



Question 3:


In this incident machines in Texas, Korea, and Romania were involved. Where are the real badguys from? The rootkit contained the phrase "Mircea Sugi Pula," which is a lyric from a song called Uzzi by the Romanian hip hop band Bug Mafia. I'm betting my quarter that these fellows are from Romania.



Question 4:


It appears that they are scanning for vulnerable sites, compromising the exploitable servers, and then employing these new servers in their scanning efforts. Like network marketing, hacker-style, they're enlisting more and more scanning machines.



Question 5:


I learned a bit more about Romanian Pop culture.



Question 6:


Approximately 1.5 hours were spent acquiring the logs, writing the perl, generating some output, and piecing the attack together.

An additional 15 minutes was spent addressing the bonus question.

Another hour was spent making it all look pretty.



Bonus Question:


I employed tcpflow (http://www.circlemud.org/~jelson/software/tcpflow) to generate the file 193.231.236.041.00020-172.016.001.108.01027 (among others, but this one was the ftp-data session, TCP/20). Running file on 193.231.236.041.00020-172.016.001.108.01027 indicates that it is a gzipped file. The following commands yield our little treasure:


cp 193.231.236.041.00020-172.016.001.108.01027 rootkit.tar.gz

gunzip -c rootkit.tar.gz |tar -tf -

last/

last/ssh

last/pidfile

last/install

last/linsniffer

last/cleaner

last/inetd.conf

last/lsattr

last/services

last/sense

last/ssh_config

last/ssh_host_key

last/ssh_host_key.pub

last/ssh_random_seed

last/sshd_config

last/sl2

last/last.cgi

last/ps

last/netstat

last/ifconfig

last/top

last/logclear

last/s

last/mkxfs
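The same recovery done without extracting anything, as an added example that is not part of the original write-up: identify the reassembled stream by its magic bytes (what file reports), record its hash before touching it further, and list the tar members the way gunzip -c | tar -tf does, flagging any member path that would escape the extraction directory. The archive is constructed in memory with a few member names from the listing above and is not the real rootkit; function names are my own.

```python
import gzip
import hashlib
import io
import posixpath
import tarfile

MAGIC = {b'\x1f\x8b': 'gzip', b'PK\x03\x04': 'zip', b'\x7fELF': 'elf'}

def identify(blob):
    """Rough equivalent of what file(1) says about the reassembled stream."""
    for magic, kind in MAGIC.items():
        if blob.startswith(magic):
            return kind
    return 'data'

def fingerprint(blob):
    """SHA-256 of the untouched stream, taken before anything else is done."""
    return hashlib.sha256(blob).hexdigest()

def list_members(blob):
    """Equivalent of `gunzip -c x | tar -tf -`: names only, nothing written."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode='r:gz') as tar:
        return [m.name for m in tar.getmembers()]

def unsafe_members(names):
    """Member names that would land outside the extraction directory."""
    bad = []
    for name in names:
        norm = posixpath.normpath(name)
        if name.startswith('/') or norm == '..' or norm.startswith('../'):
            bad.append(name)
    return bad

def build_sample():
    """Constructed stand-in for the tcpflow file
    193.231.236.041.00020-172.016.001.108.01027: a gzipped tar with some of
    the member names from the write-up plus one deliberately escaping entry."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode='w') as tar:
        for name in ('last/install', 'last/ssh', 'last/ps',
                     'last/../../outside'):
            data = b'# placeholder, not real content\n'
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return gzip.compress(raw.getvalue(), mtime=0)

if __name__ == '__main__':
    blob = build_sample()
    print(identify(blob), fingerprint(blob))
    names = list_members(blob)
    print('\n'.join(names))
    print('would escape:', unsafe_members(names))
```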