Scan 18
Decode and Analyze snort IDS binary log
(snort binary log captured from the Scan 15 attack, "Recover a deleted rootkit")

Analysis by: Abraham Lincoln Hao
     e-mail: Abraham@nssolution.net

Introduction:

   - Analysis was performed on both Linux and Windows operating systems.

1] Check the MD5 checksum of snort-0315@0005.log.tar.gz and extract the file.

[root@IDS forensic]# md5 snort-0315@0005.log.tar.gz
 9b68e8ffade74bbf5ce0296a1977d111 snort-0315@0005.log.tar.gz

[root@IDS forensic]# tar -xzvf  snort-0315@0005.log.tar.gz
 snort-0315@0005.log
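The checksum-then-extract step above, as an added Python example that is not part of this write-up: the digest of the evidence archive is compared against the published value before anything is unpacked, and the archive members are inspected for names that would land outside the extraction directory (absolute paths, `..` components, links) before tar is allowed to write them. The archive is constructed in memory; the member name follows the page's evidence file but its bytes are made up here.

```python
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample: one gzip'd tar holding a small stand-in "log" file.
# The member name is the page's evidence file name; the bytes are made up.
LOG_MEMBER = "snort-0315@0005.log"
LOG_BYTES = b"\xd4\xc3\xb2\xa1" + b"\x00" * 20   # shaped like an empty libpcap header

def build_archive(members):
    """Build a .tar.gz in memory from {name: bytes}; lets the test craft bad names too."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def md5_hex(data):
    """Same digest the page computes with the md5 command."""
    return hashlib.md5(data).hexdigest()

def checksum_matches(data, expected_md5):
    """The published digest must match before the evidence is trusted at all."""
    return md5_hex(data) == expected_md5.strip().lower()

def unsafe_members(archive):
    """Member names that would escape the extraction directory (absolute, '..', links)."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for m in tar.getmembers():
            parts = m.name.replace("\\", "/").split("/")
            if os.path.isabs(m.name) or ".." in parts or m.issym() or m.islnk():
                bad.append(m.name)
    return bad

def extract_verified(archive, expected_md5, dest):
    """Refuse to extract unless the digest matches and every member is safe."""
    if not checksum_matches(archive, expected_md5):
        raise ValueError("md5 mismatch: evidence altered or corrupted, not extracting")
    bad = unsafe_members(archive)
    if bad:
        raise ValueError("refusing archive with unsafe members: %r" % bad)
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        names = [m.name for m in tar.getmembers()]
        tar.extractall(dest)
    return names

def run_demo():
    """Extract the constructed archive into a temp dir; return the extracted names."""
    archive = build_archive({LOG_MEMBER: LOG_BYTES})
    with tempfile.TemporaryDirectory() as dest:
        names = extract_verified(archive, md5_hex(archive), dest)
        with open(os.path.join(dest, LOG_MEMBER), "rb") as f:
            assert f.read() == LOG_BYTES
    return names

if __name__ == "__main__":
    print(run_demo())
```

In practice the expected digest is the one published with the challenge, pasted in as a string; the point of the check is that a mismatch stops the analysis rather than being noticed after the fact.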

2] Tools used for the analysis:
    - TcpDump - http://www.tcpdump.org
    - Snort - http://www.snort.org
    - GNU shellutils package (GNU development tools)
    - Nmap - http://www.insecure.org

3] Decoded data from the snort binary log (snort-0315@0005.log)
    - Packet dump of the snort-0315@0005.log binary
    - Strings inside snort-0315@0005.log
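The decoding steps listed in section 3, and the host collection used to answer question 2, as an added Python example that is not part of this write-up and is not snort or tcpdump code. A snort binary log (`snort -b`) is a libpcap file, so the block builds a small capture in memory, walks the pcap records, decodes Ethernet/IPv4/TCP, and then does the three things the analysis relies on: lists the hosts that opened connections to port 111, follows each one-way flow by concatenating its payload, and pulls printable strings and hostnames out of the payload. The honeypot address, port numbers and traffic are constructed for the example; the remote IPs and home.ro are the ones named on the page.

```python
import re
import socket
import struct
from collections import defaultdict

HONEYPOT = "10.0.0.5"   # constructed address standing in for the honeypot

def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, payload):
    """Ethernet/IPv4/TCP frame without options; checksums are left zero."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    """libpcap file, little-endian, linktype 1 (Ethernet): the format snort -b writes."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

# Constructed capture: two probes of port 111 and one shell exchange. The IPs
# and home.ro come from the page; the traffic itself is made up for the example.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("203.111.78.182", HONEYPOT, 1024, 111, 0x02, b""),
    build_tcp_frame("203.111.78.182", HONEYPOT, 1025, 39168, 0x18, b"cd /tmp; ftp -n home.ro\n"),
    build_tcp_frame(HONEYPOT, "203.111.78.182", 39168, 1025, 0x18, b"220 home.ro FTP server ready\n"),
    build_tcp_frame("211.185.125.124", HONEYPOT, 2048, 111, 0x02, b""),
])

def decode_frame(frame):
    """Return the IPv4/TCP fields of one Ethernet frame, or None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    if frame[14] >> 4 != 4 or frame[23] != 6:          # not IPv4, or not TCP
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    t = 14 + ihl                                        # start of the TCP header
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    doff = (frame[t + 12] >> 4) * 4
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "flags": frame[t + 13],
            "payload": frame[t + doff:14 + total_len]}

def parse_pcap(data):
    """Walk the libpcap records and decode every TCP packet."""
    magic = struct.unpack("<I", data[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a libpcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        incl = struct.unpack(end + "IIII", data[off:off + 16])[2]
        pkt = decode_frame(data[off + 16:off + 16 + incl])
        off += 16 + incl
        if pkt:
            packets.append(pkt)
    return packets

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
HOSTNAME = re.compile(rb"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I)

def syn_sources(packets, port):
    """Hosts that opened connections to `port`: bare SYN, no ACK (scanner behaviour)."""
    return sorted({p["src"] for p in packets
                   if p["dport"] == port and p["flags"] & 0x12 == 0x02})

def follow_streams(packets):
    """Concatenate payload per one-way flow in capture order, what reading tcpdump -X by hand gives."""
    streams = defaultdict(bytes)
    for p in packets:
        if p["payload"]:
            streams[(p["src"], p["sport"], p["dst"], p["dport"])] += p["payload"]
    return dict(streams)

def strings_in(packets):
    """Printable runs of 4+ bytes in payloads, what `strings` shows for the log."""
    return [s.decode("ascii") for p in packets for s in PRINTABLE.findall(p["payload"])]

def collect_hosts(packets):
    """Remote IPs that talked to the honeypot, plus hostnames mentioned in payloads."""
    ips = sorted({p["src"] for p in packets if p["src"] != HONEYPOT})
    names = sorted({m.decode("ascii").lower()
                    for p in packets for m in HOSTNAME.findall(p["payload"])})
    return ips, names

if __name__ == "__main__":
    pk = parse_pcap(SAMPLE_PCAP)
    print(syn_sources(pk, 111), collect_hosts(pk), strings_in(pk), sep="\n")
```

The IP list from `collect_hosts` is what gets fed to whois and DNS lookups in the next section; the hostnames found inside payloads (here home.ro) are the ones that only show up once the packet contents, not just the headers, are read.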

Question and Answer:

1]  The attackers used the rpc.statd attack to get into the system. What modifications did they make to the break-in process to both automate and make the process faster?

    - They used an rpc vulnerability scanner to scan a range of IPs with rpc port 111 open and used an rpc.statd exploit to break into the system. They then downloaded the rootkit from home.ro using the compromised server.

2]  What system/country did the badguys come from?

    - Based on the hosts collected from the packet logs, the attackers came from Australia (.au) and Korea (.kr).
But it is possible that the attackers came from Romania, because they downloaded the rootkit from home.ro, a Romanian
domain whose site content is purely in the Romanian language. It is also possible that the account used on the home.ro FTP server is a compromised account.

    - The attackers are using the Linux OS.

    - The following information was gathered through samspade.org whois and DNS queries, and the operating systems were determined through nmap and manual port connections.

    Possible countries the badguys came from: Romania, Australia and Korea

Collected attacker hosts and systems:
A]   Host:   baccess-01-182.magna.com.au - 203.111.78.182
     System: Linux (probably Red Hat Linux)
B]   Host:   Kyongsan Purim Elementary School - 211.185.125.124
     System: Red Hat Linux

A] baccess-01-182.magna.com.au - 203.111.78.182
Query:     203.111.78.182
Registry:  whois.apnic.net
Results:

inetnum:     203.111.0.0 - 203.111.127.255
netname:     DAVNET
descr:       Davnet Telecommunications
descr:       Level 7, 209 Castlereagh Street
descr:       Sydney NSW 2000
country:     AU
admin-c:     DR15-AP
tech-c:      DR15-AP
notify:      routemaster@magna.com.au
mnt-by:      APNIC-HM
mnt-lower:   MAINT-AU-DAVNET
changed:     em@magna.com.au 20001018
source:      APNIC

person:      DavTel Routemaster
address:     209 Castlereagh St
address:     Sydney  NSW  2000
address:     -
address:     Spam & Abuse : abuse@davnet.com.au
country:     AU
phone:       +61-2-9272-9600
fax-no:      +61-2-9272-9664
e-mail:      routemaster@davnet.com.au
nic-hdl:     DR15-AP
mnt-by:      MAINT-AU-DAVNET
changed:     emilia.lambros@davnet.com.au 20010219
source:      APNIC

B] Kyongsan Purim Elementary School - 211.185.125.124

Query:     211.185.125.124
Registry:  whois.nic.or.kr
Results:
Korea Internet Information Service V1.0 ( created by KRNIC, 2001.6 )

IP Address         : 211.185.125.0-211.185.125.127
Network Name       : KSPURIM-E
Connect ISP Name   : PUBNET
Connect Date       : 20001120
Registration Date  : 20001129

[ Organization Information ]
Orgnization ID     : ORG147082
Org Name           : Kyongsan Purim Elementary School
State              : KYONGBUK
Address            : 171 puki-1ry jinrang-eup kyongsan-ci
Zip Code           : 712-830

[ Admin Contact Information]
Name               : DAEDUN KYUN
Org Name           : Kyongsan Purim Elementary School
State              : KYONGBUK
Address            : 171 puki-1ry jinrang-eup kyongsan-ci
Zip Code           : 712-830
Phone              : +82-53-851-9523
Fax                : +82-53-851-9522
E-Mail             : gum@hanmail.net

[ Technical Contact Information ]
Name               : DAEDUN KYUN
Org Name           : Kyongsan Purim Elementary School
State              : KYONGBUK
Address            : 171 puki-1ry jinrang-eup kyongsan-ci
Zip Code           : 712-830
Phone              : +82-53-851-9523
Fax                : +82-53-851-9522
E-Mail             : gum@hanmail.net

3] What nationality are the badguys, and how were you able to determine this?

   -  Based on the data that has been gathered, the attackers' hosts came from Korea (.kr) and Australia (.au), so I assume that
the attackers are based in Korea (.kr) and Australia (.au). BUT it is possible that these servers were compromised and used to perform attacks on other servers, so that the attackers could bounce their attacks through them; the .kr and .au hosts are both running the Linux OS. This method is very common in the blackhat community and is even used to perform DoS attacks.

  - One thing I've noticed is that the attacker downloaded the LK.TGZ rootkit from the home.ro FTP server, so I assumed that the attacker is based in Romania (.ro). Why? Because home.ro is a Romanian-based domain, and if you visit home.ro the language of the site's content is pure Romanian, so I assume the attacker came from .ro. It is also possible that the account used on home.ro, whose username is soane, is a compromised account.

    Possible nationality: Romanian, Australian and Korean.

4] What do the answers to questions #1 and #2 tell us about the tactics the badguys are using?

    -  The tactics the badguys used are pretty straightforward and common to most attackers (script kids or not).
The tactics being used by the badguys are: 1st, it is possible that they bounce their attacks through other hosts in order to spoof
their IPs or attacking hosts; 2nd, they use hosts they have compromised to scan for vulnerable hosts; 3rd, the attackers used an rpc vulnerability scanner to scan a certain range of IPs with rpc port 111 open; and 4th, the attackers used an rpc.statd exploit to compromise the server.

5] What did you learn from this challenge?

    - I've learned how to analyze packets from packet logs properly and how to extract the contents of the packet logs: what tool or exploit was used to compromise the server, what type of rootkit was used, what vulnerability scanner was used, what rootkits were installed and what the attackers did to the system after it was compromised.

    - The main lesson learned: always install the latest security patches on your system, be aware of the latest vulnerabilities and be proactive.

6] How long did this challenge take you?

    - It took me 4 hours to finish this challenge, including extracting the snort log from binary format and answering all the questions.

Bonus Question:
Can you recover the blackhat's rootkit from the Snort binary log file? If so, how?
    - NO, because the binary log is purely packet logs at the application layer and logs everything the attackers did to the system, including how they compromised it, what commands the attackers used, etc... (correct me if I'm wrong ;).

References and Resources:
    http://www.snort.org
    http://project.honeynet.org/scans/scan15/ - Scan15 Recover a deleted rootkit
    http://www.samspade.org
    http://www.tcpdump.org
    http://www.insecure.org

=====================================================================================
   Name: Abraham Lincoln Hao
Contact: Abraham@nssolution.net KnowledgeBase@lycos.com
      IRC: Undernet #DDN #IDS #nssolution
