The intruder exploited a SITE EXEC vulnerability in wu-ftpd.2.What ways, and in what order, did the intruder use to connect and run commands on the system?
See http://www.redhat.com/support/errata/RHSA-2000-039-02.html
The intruder first ran commands from the root shell that was obtained from the FTP exploit. Next, the intruder logged in to the nobody account via telnet then did an su to the newly created root-equivalent dns account. The third connection was made using an SSH backdoor on port 24. See the Analysis section below for more detail. It should be noted also that the intruder first attempted to connect to via telnet and presumably via SSH on ports 24 and 6666.3.How did the intruder try to hide his edits from the MAC times?
For a given file, the intruder first creates two dummy directories, one for the file to be edited and one for the directory containing that file. The intruder then uses the touch command to give the dummy directories modify, access, and create times of the file (and corresponding directory) that will be edited. After the intruder edits the file, the intruder then touches the edited file (and corresponding directory) with the MAC times of the respective dummy directories. See the Analysis section to see what the intruder actually did.4.The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?
The intruder downloaded three files:
Here's a quick analysis of the files:
copy
This is simply a collection of exploit scripts for remotely exploiting
wu-ftp. There is also a copy of smurf.
ooty
This appears to be a collection of "local" exploit scripts. These are
used to get root if the attacker already has an account on the system.
5.Recover (tell how you did it too) the rootkits from the snort
binary capture
To simplify things, I first ran the command:6.What does the rootkit do to hide the presence of the attacker on the system?
% tcpdump -r newdata3.log -w downloads.log host 193.231.236.42
to get a binary capture of just the communication between the compromised machine and the Romanian ftp site.I then ran Ethereal and loaded the new file downloads.log. I saw that packet #26 was an FTP request for the file Zer0.tar.gz, so with the next packet involving the FTPDATA port (packet #32) I used the the nifty "Follow TCP Stream" feature and got a new window of data. Ethereal then gives you the option to save the captured session, so I did with the name Zer0.tar.gz. I then ran the command:
% file Zer0.tar.gz
Zer0.tar.gz: gzip compressed data - deflate method , max compression
Voila, it worked! I repeated the process for the remaining files.
As described previously, the rootkit installs a kernel module that hides processes, open files (including sockets) and files/directories on the filesystem.7.What did you learn from this exercise?
I learned alot from the exercise. First of all, I got more comfortable with tcpdump, Ethereal and packet analysis in general. I learned that the touch command takes command-line options. I also learned that intuders are getting better at hiding themselves and have well equiped rootkits.8.How long did this challenge take you?
I would say in total, this challenge took me about 6 hours, this is not including building and getting familiar with tcpdump and Ethereal. Producing this report took a lot of time.
Doing the "strings" on newdat3.log gave evidence of an ftp buffer overflow. So, using Ethereal, I scrolled through each packet of the capture looking for what could be an ftp attack. Sure enough, at 19:55 on September 16th, we see an anonymous ftp login from IP address 207.35.251.172. Using the "Follow TCP stream" feature of Ethereal, I was able to capture the entire session. Below is the beginning of the attack.
The attack progresses for a bit until we see the attacker getting a root shell. At this point, the attacker begins to confirm he/she is indeed root and looks for a place in the filesystem to take the next step of the intrusion. The attacker (who we can now call an intruder) then enters the following commands:USER ftp PASS mozilla@ SITE EXEC %020d|%.f%.f| SITE EXEC 7 mmmmnnnn%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f|%08x|%08x|
Above, we see the intruder delete the password for the user nobody, and create a superuser account named dns with no password. Before creating the new account, the intruder makes dummy directories to store the MAC times of /etc and /etc/passwd (using the touch command) so that they can be restored after the change to /etc/passwd is made. This is a cool trick, something I didn't even realize you could do until I read the man page for the touch command! The intruder then confirms the MAC times of /etc and /etc/passwd were maintained (perhaps having some trouble with the ls command in the processes) and that the account addtion was successful.passwd nobody -d cd / mkdir -p /etc/X11/applnk/Internet/.etc mkdir -p /etc/X11/applnk/Internet/.etcpasswd touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd touch -acmr /etc /etc/X11/applnk/Internet/.etc passwd nobody -d /usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash passwd dns -d touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd touch -acmr /etc/X11/applnk/Internet/.etc /etc ls ls -d ls -s ls -a ls -n ls -lt cd etc ls -lt cat passwd
Next, at 20:32, we see a telnet connection from from 217.156.93.166 with login nobody. The intruder immediately does an su to the newly created root-equivalent dns account and creates the directory /dev/rd/sdc0. After a cd to the newly created directory, the intuder makes an ftp connection to "teleport.go.ro" (193.231.236.42). >From the Romanian site, the intruder downloads three files:
At 20:51, a connection again from 217.156.93.166 but this time on port 24. Once again, using the nifty feature of Ethereal to follow the TCP stream we discover that the session is encrypted. The first line of the session says it all:
However, hope is not lost! We still have the syslog output from the slog2.log file provided. Examining this file we see that all the shell history entries correspond to what we saw in the other snort binary capture. Even the PAM authentication logging matches. We can easily deduce from the time, and the fact that a UID=0 shell suddenly starts up, that the shell with PID=9382 was spawned from the SSH backdoor (not PAM enabled). The shell history follows:SSH-1.5-1.2.27
>From the shell history above, it's difficult to know what the intruder was really doing apart from expanding the file copy.tar.gz. I would be interested in knowing what edits were made to /etc/rc.d/rc3.d/S50inet.cd /dev/rd/sdc0 ls rm Zer0.tar.gz ls alias ls='ls --color' ls ls passwd nobody ping www.yahoo.com pico /etc/rc.d/rc3.d/S50inet ls mv copy.tar.gz /usr/X11R6/bin/.,/copy/ cd /usr/X11R6/bin/.,/copy/ mv copy.tar.gz ../ ls cd .. tar zxvf copy.tar.gz chmod 7777 * ls rm copy.tar.gz cd copy chmod 7777 * ls uname -r pstree