SCAN 19

The Challenge:

On September 16th a Redhat Linux 6.2 honeypot was compromised. This is the 3rd time this system was compromised by the same intruder. The honeynet is VMware based and uses a modified bash to log to syslog. Syslog is remotely logging to 0.0.0.0 (remote syslog server IP has been replaced). The compromised system has an IP of 192.168.1.102. After successfully breaking into the box, the attacker ended up using 3 modes of connecting and running commands (some of which was encrypted). The attacker also tried to hide some of his edits from the MAC times.

Downloads:
scan19.tar.gz, MD5 = 11e0be295d138df14111796a7733a5d2
scan19.zip, MD5 = c065797b3c2ddfad3396e3d4542ed8a7

1. Which vulnerability did the intruder exploit?
2. What ways, and in what order, did the intruder use to connect and run commands on the system?
3. How did the intruder try to hide his edits from the MAC times?
4. The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?
5. Recover (tell how you did it too) the rootkits from the snort binary capture
6. What does the rootkit do to hide the presence of the attacker on the system?
7. What did you learn from this exercise?
8. How long did this challenge take you?

Bonus Questions:
Based on this challenge, write an example letter of notification to the source owner that attacked the system. Include any evidence or logs that you feel important.

Analysis:

The first step was to download the scan19.tar.gz file and verify the MD5 signature.

$ md5sum

1. Which vulnerability did the intruder exploit?

Wu-Ftpd Remote Format String Stack Overwrite Vulnerability (Bugtraq ID 1387)

2. What ways, and in what order, did the intruder use to connect and run commands on the system?

1) ftp - using the wu-ftpd vulnerability. With this he deleted the password for the nobody account and created a new account called dns with uid and gid = 0.
2) telnet - logging in as user nobody, the account he compromised during his previous session, and switching to the dns account. He then installed and ran the Zer0 rootkit with ssh on port 24.
3) ssh (on port 24)

3. How did the intruder try to hide his edits from the MAC times?

He used the touch command to change the access and modification times of the files and directories he touched to match the original files (touch -acmr).

4. The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?

He downloaded 3 tar files from teleport.go.ro: 2 rootkits and a copy of his vulnerability scanner and attack scripts.

1) Zer0.tar.gz, looks like a modified t0rnkit ("Modificat de mine... Viruzzel")
2) copy.tar.gz (looks like it installs a copy of his tools to find other vulnerable hosts and attack them from this box)
3) ooty.tar.gz, another rootkit (can't tell if it is new or custom)

5. Recover (tell how you did it too) the rootkits from the snort binary capture

In ethereal, I used the "Follow TCP Stream" function to reconstruct the downloads and save the rootkits.

6. What does the rootkit do to hide the presence of the attacker on the system?

While installing, it uses hidden directories and is careful about not modifying file MAC times. It then loads two kernel modules to hide the intruder's presence and hides its newly created directories using the ava program. It also installs an rc script to make sure these tasks happen each time the system is booted.

7. What did you learn from this exercise?

1) How to use ethereal to read tcpdump files, reconstruct data streams and capture downloaded files.
2) More about snort syntax for reading binary files and running them through the rulesets.
3) A lot more about rootkits, especially how all-inclusive they are and how hard they would be to detect once installed.

8. How long did this challenge take you?

On and off, somewhere around 5 hours.
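The recovery step in question 5 can be scripted instead of clicking through ethereal. The following is an added Python example, not part of the original write-up and not run against the challenge's own capture: it parses the libpcap file that snort -b writes, orders one direction of a TCP flow by sequence number the way "Follow TCP Stream" does (trimming retransmitted overlap and stopping at the first gap, where the sniffer dropped data), and inflates the result. The capture, addresses, ports and payload are constructed stand-ins.

```python
import gzip, struct

def tcp_segments(pcap):
    """Walk a libpcap file (Ethernet link type) and yield ((src, sport, dst, dport), seq, payload) per IPv4/TCP segment."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # pcap magic number gives header byte order
    off = 24                                                 # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # not IPv4 over TCP
            continue
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        yield (ip[12:16], sport, ip[16:20], dport), seq, tcp[(tcp[12] >> 4) * 4:]

def reassemble(pcap, flow):
    """One direction of a flow, as 'Follow TCP Stream' builds it: sort by seq, drop retransmitted bytes, stop at a gap."""
    segs = sorted((seq, p) for f, seq, p in tcp_segments(pcap) if f == flow and p)
    out, nxt = bytearray(), segs[0][0] if segs else 0
    for seq, p in segs:
        if seq > nxt:
            break                                            # gap: snort missed a segment, data after it is unreliable
        p = p[nxt - seq:]                                    # part (or all) of this segment was already seen
        out += p
        nxt += len(p)
    return bytes(out)

def recover_gzip(pcap, flow):
    """Reassemble the server-to-victim side of a download and inflate it: this is the file the intruder fetched."""
    return gzip.decompress(reassemble(pcap, flow))

# Constructed sample (not the challenge capture): an FTP data connection from a hypothetical server 10.0.0.5
# to the honeypot, carrying a gzip'd script delivered out of order with one partial retransmission.
FLOW = (bytes([10, 0, 0, 5]), 20, bytes([192, 168, 1, 102]), 1032)
SCRIPT = b"#!/bin/sh\necho constructed stand-in for a rootkit tarball\n"

def _pkt(flow, seq, payload):
    src, sport, dst, dport = flow
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    return struct.pack("<IIII", 0, 0, 14 + len(ip), 14 + len(ip)) + b"\x00" * 12 + b"\x08\x00" + ip

def sample_capture():
    blob = gzip.compress(SCRIPT)
    a, b, c = blob[:10], blob[10:25], blob[25:]              # three segments, sent 1st, 3rd, 2nd, then 1st/2nd resent
    pkts = [_pkt(FLOW, 1000, a), _pkt(FLOW, 1025, c), _pkt(FLOW, 1010, b), _pkt(FLOW, 1005, a[5:] + b)]
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(pkts)
```

On a real capture, take the data-connection endpoints from the FTP control channel transcript, set FLOW to the server-to-honeypot direction, and hand the recovered bytes to tar; a break at the gap check means the tarball is incomplete and should be treated as partial evidence.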