October Scan Of The Month
By: Ian Stefanison
Abstract:
The purpose of this paper is to analyze an attack on a Red Hat 6.2 system based on a snort binary capture of all the data as well as a snort binary capture of the remote syslog entries.
Foreword:
For these questions I'll assume that 217.156.93.166 and 207.35.251.172 are the same attacker. The first thing I did was decrypt the snort log with two different snort rules:
"alert tcp any any <> any 21 (session: printable;)"
"alert tcp any any -> any 23 (session: printable;)"
In these I found the incorrect telnet attempt, the ftp session where the honeypot was overflowed and the subsequent telnet session where the attacker installed his rootkits. Simply refining these to capture both ways (for his password) and adjusting the ftp one to capture the rootkits and ssh session did most of the work.
Which vulnerability did the intruder exploit?
The intruder exploited the SITE EXEC buffer overflow vulnerability in wu-ftpd 2.6.0(1) to get a root shell. The following was extracted from the snort binary capture using a filter looking for printable traffic on port 21.
111F11CA?k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11
id;
uid=0(root) gid=0(root) groups=50(ftp)
w
4:17am up 3 days, 10:25, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
The CERT advisory describes it in more detail.
What ways, and in what order, did the intruder use to connect and run commands on the system?
The attacker first connected to the telnet daemon and tried logging in as nobody/ulltravvirus and nobody/virus (unsuccessfully).
He then connected to the ftp daemon and overflowed it to get a root shell. He then connected to the telnet daemon again and logged in as nobody (he had erased the password during the ftp session) and su'd to dns (a root account he had created during the ftp session).
He then connected via ssh to a hacked ssh daemon he had installed during his telnet session.
Detailed Timeline
FTP session
Second telnet session
Syslog details
This was done by comparing the session text with the corresponding timestamps in the raw data packets.
How did the intruder try to hide his edits from the MAC times?
He executed these commands during his FTP session:
mkdir -p /etc/X11/applnk/Internet/.etc
mkdir -p /etc/X11/applnk/Internet/.etcpasswd
touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd
touch -acmr /etc /etc/X11/applnk/Internet/.etc
The Go script in the Zer0 rootkit also preserves the MAC times of /bin/, /usr/X11R6/bin/ and /etc/rc.d/rc3.d/.
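As an added example (not the write-up's own code; it assumes Linux or another Unix where st_ctime is the inode change time), this Python snippet reproduces the touch -acmr trick with os.utime and shows the check a responder can run against it: copying atime/mtime back from a saved reference cannot set ctime, which the kernel stamps with the time of the change, so files whose ctime runs well ahead of their mtime stand out.

```python
import os
import tempfile

def copy_times(reference, target):
    """What `touch -acmr reference target` does: copy atime/mtime from reference onto target.
    ctime is not settable from user space; the kernel stamps it with the current time."""
    st = os.stat(reference)
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))

def ctime_mtime_skew(root, skew_seconds=60):
    """Files under root whose ctime is later than mtime by more than skew_seconds.
    A normal write sets both together; a restored mtime beside a fresh ctime is the tell."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if st.st_ctime - st.st_mtime > skew_seconds:
                hits.append(path)
    return sorted(hits)

def demo():
    """Constructed scenario in a temp dir: a 'passwd' file is edited, then its times are put
    back from a saved copy, as in the write-up. Returns (flagged files, edited path, clean path)."""
    root = tempfile.mkdtemp()
    saved = os.path.join(root, '.etcpasswd')   # stand-in for the attacker's saved-times copy
    edited = os.path.join(root, 'passwd')
    clean = os.path.join(root, 'untouched')    # never modified after creation
    for p in (saved, edited, clean):
        with open(p, 'w') as f:
            f.write('original\n')
    old = 1_000_000_000                         # 2001-09-09, comfortably in the past
    os.utime(saved, (old, old))                 # saved copy carries the old times (and a fresh ctime)
    with open(edited, 'a') as f:
        f.write('changed line\n')               # the edit
    copy_times(saved, edited)                   # hide it: old atime/mtime, but ctime is now
    return ctime_mtime_skew(root), edited, clean
```

The saved copy is flagged too, because utime itself updates ctime; on a real system the hidden copies under /etc/X11/applnk/Internet/ would show the same skew.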
The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?
The rootkits are called:
Zer0 (a heavily modified version of t0rn)
ooty (programs to exploit sendmail)
copy (a toolkit made just to scan for and exploit wu-ftp 2.6.0, plus a DoS tool)
I believe all three are either new or custom. They seem to be put together from parts of other rootkits. I used strings, grep, cat, etc. to figure out what they all do. That part was what took the longest.
Rootkit Details
Recover (tell how you did it too) the rootkits from the snort binary capture
Here they are:
Zer0.tar.gz
ooty.tar.gz
copy.tar.gz
I did this using Ethereal on the whole log with the filters:
(ip.addr eq 193.231.236.42 and ip.addr eq 192.168.1.102) and (tcp.port eq 20 and tcp.port eq 1026)
(ip.addr eq 193.231.236.42 and ip.addr eq 192.168.1.102) and (tcp.port eq 20 and tcp.port eq 1027)
(ip.addr eq 193.231.236.42 and ip.addr eq 192.168.1.102) and (tcp.port eq 20 and tcp.port eq 1028)
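The same recovery done without Ethereal, as an added example that is not the author's code: a stdlib-only reassembler for the libpcap format that snort writes, keeping one direction of one flow (server port 20 to client port 1026 on the addresses above) and ordering its segments by TCP sequence number. The demo packets are constructed, and the transferred bytes are a stand-in, not the real Zer0.tar.gz.

```python
import struct

def _ip(a):
    """Dotted-quad string to 4 packed bytes."""
    return bytes(int(x) for x in a.split('.'))

def tcp_frame(src, dst, sport, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; enough for reassembly)."""
    tcp = struct.pack('!HHIIBBHHH', sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     _ip(src), _ip(dst)) + tcp
    return b'\x00' * 12 + b'\x08\x00' + ip

def pcap_file(frames):
    """Constructed libpcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack('<IIII', i, 0, len(f), len(f)) + f
    return out

def reassemble(pcap, src, dst, sport, dport):
    """Payload of the src:sport -> dst:dport direction, ordered by TCP sequence number.
    Retransmissions overwrite earlier copies and overlaps are trimmed; no seq wrap handling."""
    want, segs, off = (_ip(src), _ip(dst), sport, dport), {}, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack('<I', pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if frame[12:14] != b'\x08\x00' or frame[23] != 6:
            continue                                    # not IPv4, or not TCP
        ihl, total = (frame[14] & 0x0F) * 4, struct.unpack('!H', frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total]                # drops any Ethernet padding
        sp, dp, seq = struct.unpack('!HHI', tcp[:8])
        if (frame[26:30], frame[30:34], sp, dp) == want:
            segs[seq] = tcp[(tcp[12] >> 4) * 4:]
    data, nxt = b'', 0
    for seq in sorted(segs):
        data += segs[seq][max(0, nxt - seq):]
        nxt = max(nxt, seq + len(segs[seq]))
    return data

def demo():
    """Constructed transfer on the write-up's addresses: server port 20 to client port 1026,
    captured out of order with one retransmission; the first bytes are the gzip magic."""
    srv, cli = '193.231.236.42', '192.168.1.102'
    frames = [tcp_frame(srv, cli, 20, 1026, 1008, b'Zer0.tar'),              # arrives first
              tcp_frame(srv, cli, 20, 1026, 1000, b'\x1f\x8b\x08\x00tar!'),  # 8 bytes
              tcp_frame(srv, cli, 20, 1026, 1008, b'Zer0.tar'),              # retransmit
              tcp_frame(cli, srv, 1026, 20, 5000, b'\x00')]                  # reverse dir
    return reassemble(pcap_file(frames), srv, cli, 20, 1026)
```

On a real capture, writing the returned bytes to a file and checking for the 1f 8b gzip magic is the equivalent of Ethereal's "Follow TCP Stream" and "Save As".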
What does the rootkit do to hide the presence of the attacker on the system?
It installs the adore toolkit, which hides his directories and processes. It preserves MAC times. It deletes some of the modified files and erases log lines containing "login", "ftp" and "dns" from the logs in /var/log. It links .bash_history to /dev/null. It also installs an ssh daemon, which makes it harder to detect what he's doing.
What did you learn from this exercise?
More things than I can possibly remember:
The -v option of grep
How to reassemble binary files from snort captures with ethereal
How to write descriptive snort rules to catch only what I want
It's important to log to another machine
I learned about the wu-ftp vulnerability and this made me check my own Red Hat 7.1 (Oops, bad sendmail)
The value of analyzing the logs (i.e. a quick glance might have led to changing the nobody password or removing the dns user, when that would not have fixed the system in the long run)
How long did this challenge take you?
Hours and hours. I'd say about 12 hours spread over a week. A lot of that time was spent learning Linux though, so hopefully next month will be smoother :)
Bonus Questions:
Based on this challenge, write an example letter of notification to the source owner that attacked the system. Include any evidence or logs that you feel important.
I would write two based on the reverse DNS results: one to Philippe Daoust, the contact for 207.35.251.172, and one to Romulus Dogaru, the contact for 217.156.93.166.
Philippe Daoust
Romulus Dogaru