Scan 19 Results
Provided by Ricci Ieong and Vincent Ip

Introduction
============

How we extract the information
------------------------------

After we obtained the file and checked its MD5 sum, we found that it contained two log files. First we used a hex editor to identify the data type of the log files; both were snort binary logs. We then replayed them through snort with the latest intrusion detection rules turned on, to capture the possible exploits:

    snort -dCvr newdat3.log -c snort.conf > scan19out.txt
    snort -dCvr slog2.log > slog2_out.txt

From alert.ids we then determined the possible intrusion methods. Based on the alert.ids file and a manual review of the identified suspicious IP addresses (210.114.220.46, 217.156.93.116 and 207.35.251.172), we confirmed that the Linux box was compromised through the ftp server's SITE EXEC vulnerability, in several stages of buffer overflow attack. This can be confirmed from the '%f' format string characters in the captured traffic.

Afterwards, we reviewed the captured snort packets again with snort and identified the procedure used by the hacker. We used the following command to extract the complete session:

    snort -dCvr newdat3.log > scan19_complete.txt

Then we extracted all the unique IP addresses from this snort output with a perl script. Among the 16 IP addresses identified:

    207.35.251.172 was used for exploiting the ftp account
    217.156.93.166 was used for telneting to the victim machine
    64.4.49.71 received the password file sent from the victim through mail ports
    193.231.236.43 was the ftp server that contained the three exploits Zer0.tar.gz, copy.tar.gz and ooty.tar.gz

Based on slog2.log we double-checked the procedure the intruder performed on the victim. In the slog2 file we also confirmed that ./Go 24 was executed to hide the traces of the hacking.
As some of the commands were executed through ssh, the commands executed by the intruder can only be found in slog2.log. The password files of the victim machine were also sent to 64.4.49.71 by email from the victim machine.

How we build up the exploits code back together
-----------------------------------------------

In the ftp download session, the intruder collected the three files Zer0.tar.gz, copy.tar.gz and ooty.tar.gz through source ports 1026, 1027 and 1028 respectively. The exploit code was recovered by repacking the payload of the ftp sessions from the snort output. We packed each session back in session id order, separated by source port.

Acknowledgement
===============

Finally, we would like to thank Mark Cooper of HP for providing us with some suggestions about log file review methods.

Answers to the Questions
========================

1. Which vulnerability did the intruder exploit?

The intruder used the wu-ftp 2.60 SITE EXEC vulnerability to break into the system. This vulnerability is due to a printf input validation problem. By carefully constructing the format string characters %f, %p and %n together, the ftp daemon can be tricked into executing arbitrary code as root.

    http://www.cert.org/advisories/CA-2000-13.html
    http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=discussion&id=1387

2. What ways, and in what order, did the intruder use to connect and run commands on the system?

The collected commands can be found in the attached tcp_session.txt file. Basically, we identified the first set of commands, executed after the exploit through the ftp port. Then some commands were executed through the telnet port 23 from 217.156.93.166. During the ftp download of the rootkit, the intruder sent the commands from the source IP address 217.156.93.166. Finally, after the rootkit Go script ran, the intruder executed all the remaining commands over the ssh channel on port 24.

3. How did the intruder try to hide his edits from the MAC times?

The intruder used "touch -acmr reference_pt file_edited" to hide the edits he made. That can be found in the Go script and in the snort captured pattern. The touch -acmr command changes the modified and access times of file_edited to those of the reference point file or directory, without creating a new file. So the intruder used the original directories or files already present in the directory as the reference point.

4. The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?

The intruder downloaded the rootkits from 193.231.236.42. Zer0.tar.gz is the file that contains the rootkit, and ./Go is the script used for hiding the activities. This information was collected from the slog2.dat file. Based on the information in the Go script, the rootkit itself should be t0rn, which is not a new rootkit, but the script is probably customized.

5. Recover (tell how you did it too) the rootkits from the snort binary capture.

The recovered rootkits were Zer0.tar.gz, copy.tar.gz and ooty.tar.gz. They are attached in the zip file. As described in the previous section, we combined the payload in the snort output using scripts we wrote to consolidate the payloads of the three files.

6. What does the rootkit do to hide the presence of the attacker on the system?

The rootkit uses an ssh channel on destination port 24, so the commands entered over that channel are encrypted. At 9/17, 8:51:58, the intruder entered via destination port 24 from 217.156.93.166 to the victim machine. After authentication, the payload cannot be viewed in plain text, so the commands cannot be read from the payload. The encrypted commands can only be read from the slog2.dat file.

7. What did you learn from this exercise?

We learned that commands sent over an encrypted channel cannot be reviewed from the network capture.
Without slog2.log, the separate snort log capturing the session from the modified bash shell, the hidden commands could not have been identified even though snort was installed.

8. How long did this challenge take you?

We took 6.5 hours in total to produce the results. First we spent 1 hour on the preliminary investigation and then 2 hours on the detailed investigation. Then we used around 1 hour writing the programs for extracting the results from the captured exploits. Finally, we took around 2.5 hours to summarize all the results together.

The bonus answer can be found in the attached "letter.txt" file.
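The session rebuild described in "How we build up the exploits code back together" and in answer 5, as an added example that is not the authors' perl scripts: it parses a snort -dv style text dump (the hex form, since the character-only output of -C loses the binary bytes of a tar.gz), lists the IP addresses seen (the inventory step of the write-up), and rebuilds the bytes sent toward one victim-side port in TCP sequence order, ignoring retransmits and reporting gaps. The dump layout (ASCII column at column 50), the addresses, ports and payload bytes are constructed assumptions, not taken from the challenge captures.

```python
import re

SRC, DST = "193.231.236.43", "10.0.0.5"   # constructed: rootkit ftp server and victim
HDR = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)$")
SEQ = re.compile(r"Seq: 0x([0-9A-Fa-f]+)")
HEXRUN = re.compile(r"^(?:[0-9A-F]{2} {1,2}){1,16}$")

def make_record(src, sport, dst, dport, seq, hexbytes=""):
    """Constructed record in the shape of snort -dv text output (assumed layout)."""
    lines = [f"09/16-12:03:10.000000 {src}:{sport} -> {dst}:{dport}",
             f"***AP*** Seq: 0x{seq:X}  Ack: 0x2000  Win: 0x7D78  TcpLen: 20"]
    if hexbytes:  # snort prints an ASCII column after the hex; it must not be decoded
        lines.append(hexbytes.ljust(49) + " " + "." * len(hexbytes.split()))
    return "\n".join(lines)

# Port 1026 data is out of order with a retransmit; 1027 carries a second file; last record is a bare ACK.
SAMPLE = "\n\n".join([
    make_record(SRC, 20, DST, 1026, 0x1000, "1F 8B 08 00 5A 65 72 30"),
    make_record(SRC, 20, DST, 1026, 0x100C, "2E 67 7A"),
    make_record(SRC, 20, DST, 1026, 0x1000, "1F 8B 08 00 5A 65 72 30"),
    make_record(SRC, 20, DST, 1026, 0x1008, "2E 74 61 72"),
    make_record(SRC, 20, DST, 1027, 0x5000, "1F 8B 08 00 63 6F 70 79"),
    make_record(DST, 1026, SRC, 20, 0x2000)])

def parse_packets(dump):
    """Yield (src, sport, dst, dport, seq, payload); hex is decoded only from columns 0-48."""
    for rec in dump.strip().split("\n\n"):
        lines = rec.splitlines()
        m, s = HDR.match(lines[0]), SEQ.search(rec)
        if not (m and s): continue                 # separator line or non-TCP record
        hexpart = " ".join(l[:49].strip() for l in lines if HEXRUN.match(l[:49].strip() + " "))
        yield (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)),
               int(s.group(1), 16), bytes.fromhex(hexpart))

def unique_ips(dump):
    """Inventory of every IP address in the dump (the write-up's perl step)."""
    return sorted({ip for p in parse_packets(dump) for ip in (p[0], p[2])})

def reassemble(dump, dst_port):
    """Bytes sent toward dst_port in TCP seq order; duplicates dropped, gaps zero-filled and returned."""
    segs = {}
    for src, sport, dst, dport, seq, payload in parse_packets(dump):
        if dport == dst_port and payload:
            segs.setdefault(seq, payload)          # first copy wins, retransmits ignored
    out, gaps, expect = bytearray(), [], None
    for seq in sorted(segs):
        if expect is not None and seq > expect:
            gaps.append((expect, seq)); out += b"\x00" * (seq - expect)
        out += segs[seq]; expect = seq + len(segs[seq])
    return bytes(out), gaps
```

A non-empty gap list means the capture lost segments, so the rebuilt archive should not be trusted to unpack cleanly; the leading 1F 8B bytes are only a sanity check that the right flow was selected.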
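For answer 3, an added example (not part of the write-up) showing why touch -r style backdating is still detectable on Linux: utime can set atime and mtime but not ctime, which the kernel stamps with the current time, so a file whose ctime is far later than its mtime deserves a look. The file names and timestamps are constructed; on a real system the reference file would keep its genuinely old ctime and would not be flagged.

```python
import os
import tempfile
import time

def copy_times_like_touch_r(reference, target):
    """Emulate `touch -acmr reference target`: copy the reference's atime and
    mtime onto target.  Like touch, this cannot set ctime; the kernel stamps
    ctime with the current time because the inode was modified."""
    st = os.stat(reference)
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))

def find_backdated_files(root, slack_seconds=60):
    """Return (path, mtime, ctime) for files under root whose ctime is later
    than mtime by more than slack_seconds.  A normal write sets both together,
    so a large gap means mtime was moved back after the inode last changed
    (utime / touch -r) or the file was chmod'ed or renamed long after editing.
    Heuristic only: review the hits rather than treating them as proof."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if st.st_ctime - st.st_mtime > slack_seconds:
                hits.append((path, st.st_mtime, st.st_ctime))
    return hits

def demo():
    """Constructed scenario: 'ls' stands in for an untouched old binary and 'ps'
    for a replaced one whose times were copied from it.  Returns the flagged
    basenames.  Because this demo must backdate 'ls' with utime as well, it is
    flagged too; a genuinely old file on a real system would not be."""
    root = tempfile.mkdtemp()
    ref, edited = os.path.join(root, "ls"), os.path.join(root, "ps")
    for path in (ref, edited):
        with open(path, "w") as f:
            f.write("constructed content\n")
    year_ago = time.time() - 365 * 86400
    os.utime(ref, (year_ago, year_ago))
    copy_times_like_touch_r(ref, edited)
    assert os.stat(edited).st_mtime == os.stat(ref).st_mtime   # times now match the reference
    return sorted(os.path.basename(p) for p, _, _ in find_backdated_files(root))

if __name__ == "__main__":
    print("suspicious:", demo())
```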