Christopher Lee's Submission to SOM19

Honeynet Scan of the Month Challenge - Scan 19

Submitted by: Christopher Lee < complexity@bigfoot.com >

The Challenge:

On September 16th a Redhat Linux 6.2 honeypot was compromised. This is the 3rd time this system was compromised by the same intruder. The honeynet is VMware based and uses a modified bash to log to syslog. Syslog is remotly logging to 0.0.0.0 (remote syslog server IP has been replaced). The compromised system has an IP of 192.168.1.102. After successfully breaking into the box, the attacker ended up using 3 modes of connecting and running commands (some of which is encrypted). The attacker also tried to hide some of his edits from the MAC times.

The Methodology:

Due to the sheer size of this capture, I decided to break things down to more manageable pieces. I started it up by parsing the log with the command "snort -vr \newdat3.log | grep "09/1" | cut -f2 -d" " | cut -f1 -d: | sort | uniq" , and received the list of all unique IP addresses involved in various conversation in this capture and they are:

128.175.106.247
138.86.152.104
192.168.1.102
193.231.236.42
206.75.218.84
207.245.82.221
207.35.251.172
207.50.37.225
208.179.195.130
210.114.220.46
217.156.93.166
24.17.45.29
24.248.173.56
63.168.30.92
64.4.49.71
64.58.76.226
66.51.200.115

Armed with the list of source IP addresses, I broke the entire network capture into individual pieces of traffics to and from each unique IP address identified above, and proceed to analyse those traffic and record the finding in the timeline.html file (after sorting the events by its starting time).

While parsing the newdat3.log file, I used Ethereal to reconstrcut the detail of each TELNET and FTP sessions recorded. Now, for whatever reason, Ethereal was not able to reassemble the telnet session established from the host 217.156.93.166 to the honeynet host at 20:32:10 on Sept-16... As the result, I had to reassemble the entire session manually from the text dump of the binary network capture... It's a little more work, but the end result made it all worthwhile. :-)

Now, I picked up the slog2.log file and attempted to analyse it and merge the findings into the timeline.html file. Half way through the analysis, starting on packet 42, I noticed someone was trying to connect to the syslog server. Now, who would this be?? Given the fact that both source and destination IP addresses were stripped from the slog2.dat file, this seemed like a non-trivial task... One clue that I have is the source port of this TCP connection attempt, which is 2451, and the time of which the connection took place, 20:44:50 on Sept-16. I then went back to the newdat3.log and looked the traffic around this time frame, and sure enough, the traffic were mostly from our intruder on 207.35.251.172 and the source port 2451 was skipped in the midst of her SYN scan. Based on this discovery, I felt confident to say this connection was attempted by the cracker in attempt to gain access to the syslog server (as suggested by the output of the rootkit installation script).

The Questions (and the answers):

1, Which vulnerability did the intruder exploit?

At 19:55:45 on Sept-16, someone established anonymous FTP connection from host 207.35.251.172 to the honeynet host, this person then proceeded to launch a sequence of SITE EXEC command on this host. Base on the format of the SITE EXEC commands executed and the version of the FTPD software (WU-FTP 2.6.0), I believe this intruder exploited the "Input Validation" (a.k.a. Buffer Overflow) problem in WU-FTP 2.6.0 that was documented in CERT Advisory CA-2000-13.

2, What ways, and in what order, did the intruder use to connect and run commands on the system?

From studying the events documented in the timeline.html file, one could identify the host from which exploited the WU-FTP vulnerability (207.35.251.172) and the host from which the intrduder connected to and installed the rootkit (217.156.93.166). For the scope of this discussion, I am going to assume both hosts were being utilized by the same cracker.

The following is the list of methods this intruder used to connect and run commands on the honeynet host (in the order of the earliest to the latest events, and unless explcitely stated, the connections were attempted from 217.156.93.166):

this cracker attempt to gain access to the honeynet host by guessing the passwords to the user acounts "uucp" and "nobody" via TELNET, but this attempt was defeated as she could not successfully do so within the 60 seconds interval.
this cracker then attempted to connected to TCP port 24, but nothing was listening on that port.
then she decided to try connecting to TCP port 6666, but again, nothing was listening on that port.
from the host 207.35.251.172, this cracker connected to the honeynet host via anonymous FTP. From there, a buffer overflow attack was launched successfully against the FTP daemon.
while event #4 above was still in progress, this cracker connected via TELNET to the honeynet host to verified her access to the honeynet host via the user account "nobody".
finally, this cracker connected via TELNET to the honeynet using the account "nobody", and then downloaded and installed the rootkit and binded a SSH1 daemon to TCP port 24.
while event #6 above was still in progress, from the host 207.35.251.172, this cracker performed a SYN scan on the honeynet host from TCP port 1 to port 10000.
this cracker connected to the honeynet host via SSH1 to TCP port 24 of the honeynet host.
once again, this cracker connected to the honeynet host via SSH1 to TCP port 24 of the honeynet host.

3, How did the intruder try to hide his edits from the MAC times?

After the intruder exploited the input validation bug of WU-FTP 2.6.0, she proceeded to secured herself "easier" future access to the system by nullifying the password of the user "nobody" and created a superuser "dns". Taking into consideration that the local sysadmin might noticed the change in the MAC time for both the /etc/passwd file and the /etc directory, she copied the MAC of both the file /etc/passwd and the directory /etc to files under the directory /etc/X11/applnk/Internet/ prior to her creation of the user "dns" and later restored those MAC times back to those respective files.

4, The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?

This intruder downloaded three files from ftp.teleport.go.ro, and they are "Zer0.tar.gz", "copy.tar.gz" and "ooty.tar.gz". Based on the events recorded in both network captures and my own quick analysis of those files, it appeared to me that "Zer0.tar.gz" provides a secured mean for the intruder to return to the compromised host, "copy.tar.gz" contains the tools possibly used to compromise this honeynet host, and the "ooty.tar.gz" apeared to be tools for exploiting a sendmail vulnerability.

From reading the Go script, Zer0.tar.gz seems to be the "t0rnkit" created by the cracker "t0rn" with modification by the cracker "Viruzzel". "ooty.tar.gz" contains a interesting collection of exploits by various authors (e.g. prlnx.sh, by Wojciech Purczynski, is one that caught my attention). "copy.tar.gz" contains yet another collection of exploits.

My impression is that this is a collection of rookits this fellow collected and they are basically tools anyone could use to compromise hosts on the Internet. They are not new rootkit, but probably qualified as "custom" rootkit, since they were bundled/packaged by this intruder into these two packages.

5, Recover (tell how you did it too) the rootkits from the snort binary capture

To recover the rootkit (all three pieces of it), I first locate the actual FTP-DATA stream of the Zer0.tar.gz from within the network capture using Ethereal. Once the appropriate data stream is located, I right click and select the menu option "Follow TCP Stream". A new window is then displayed with the content of this file, and I then save it to the disk by click on the "Save" button. This process is repeated to retrieve copy.tar.gz and ooty.tar.gz as well.

The recovered rootkits are attached along with the submission, but the URLs are not included in this write-up, as I am sure the folks at the Honeynet Project will remove the rootkit binaries once they received the submission.

6, What does the rootkit do to hide the presence of the attacker on the system?

Well, amoung the three files downloaded by this intruder, copy.tar.gz and ooty.tar.gz are just two compessed archives with a whole bunch of cracking utilities/tools in them, with no effort in hiding in hiding its contents. Only Zer0.tar.gz contains a installation script Go, which attempts to both install the backdoor and hide its trail.

This is how the Go script attempts to hide its presence on the system:

It backed up the MAC time of the following directory prior to modifying its contents:
- /bin
- /usr/X11R6/bin
- /etc/rc.d/rc3.d
All directories were created hidden (i.e. a "." preceeds the names) and under directories with large number of files.
The backdoor is activated at boot time from the last line of the /etc/rc.d/rc3.d/S50inet
It further "hides" its traces by running the "ava h" (which changes the UID of the owner to 34, in this case) command on the following list of directories:
- /usr/X11R6/bin/.,
- /usr/info/.t0rn
- /dev/rd/sdc0
- /dev/rd/nscd.init
- /etc/rc.d/rc3.d/S50inet
- /usr/X11R6/lib/X11/.~
- /usr/X11R6/bin/.,
- /usr/info/.t0rn
- /dev/rd/sdc0
- /dev/rd/nscd.init
- /etc/rc.d/rc3.d/S50inet
- /usr/X11R6/lib/X11/.~
Finally, this script cleans up after itself, so no temporary files were left behind and the /bin/.bash_history file was removed as well.

7, What did you learn from this exercise?

Well, I learned a few things from this exercise...

Remote Syslog logging comes real handy when you need to find out what someone did within a encrypted tunnel.
To not give away its intention, the crackers might launch their attack from a different host than the one they are going to come in from. This way, they could come in from their "main" host without drawing too much attention from anyone (e.g. their access to your host will look like one that is attempted by the legitament user).
The script kiddies today are armed with tools that would "quietly" create backdoors which are difficult to be detected, and often time, multiple backdoors could be created on the same host, in case one of them was discovered. In this exercise, the intruder created three backdoors:

telnet access via nobody (with no password)
telnet access via dns (with no password)
SSH1 access via either one of those accounts mentioned previously.

Lastly, as often forgotten by most sysadmins, it is possible to hide files from the all-powerful root user.

8, How long did this challenge take you?

Parsing the newdat3.log to analyse and construct the timeline.html file --> 3 hours

Parsing the slog2.log to analyse and merge its events to the timeline.html file --> 2 hours.

Contructing the answers to the questions and completing the write-up. --> 2 hours

Composing the letter of notification to the source owner that attacked the --> half an hour

Therefore, this challenge take a total of 7.5 hours.

Bonus Questions:

Based on this challenge, write an example letter of notification to the source owner that attacked the system. Include any evidence or logs that you feel important.

This is the letter to the owner of the host 207.35.251.172.

This is the letter to the owner of the host 217.156.93.166.

Appendix:

The timeline describing all the events took place, as captured by both the newdat3.log and slog2.log.

The transcript of this intruder exploiting the input validation vulnerability of WU-FTP 2.6.0, as captured by the newdat3.log.

The transcript of this intruder downloading and installing the t0rnkit, as captured by the newdat3.log.

The transcript of the SMTP mail delivery to hatcheryhateched@hotmail.com, as captured by the newdat3.log.

References:

CERT Incident Note IN-2000-10: http://www.cert.org/incident_notes/IN-2000-10.html.

Ethereal's Home Page: http://www.ethereal.com

CERT Advisory CA-2000-13: http://www.cert.org/advisories/CA-2000-13.html