Scan of the month challenge results – October. Author: Tom Lyne

Excerpt from project.honeynet.org <-----------------------------

The Challenge:

On September 16th a Redhat Linux 6.2 honeypot was compromised. This is the 3rd time this system was compromised by the same intruder. The honeynet is VMware based and uses a modified bash to log to syslog. Syslog is remotely logging to 0.0.0.0 (remote syslog server IP has been replaced). The compromised system has an IP of 192.168.1.102. After successfully breaking into the box, the attacker ended up using 3 modes of connecting and running commands (some of which is encrypted). The attacker also tried to hide some of his edits from the MAC times.

Downloads:
scan19.tar.gz, MD5 = 11e0be295d138df14111796a7733a5d2
scan19.zip, MD5 = c065797b3c2ddfad3396e3d4542ed8a7

1. Which vulnerability did the intruder exploit?
2. What ways, and in what order, did the intruder use to connect and run commands on the system?
3. How did the intruder try to hide his edits from the MAC times?
4. The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?
5. Recover (tell how you did it too) the rootkits from the snort binary capture
6. What does the rootkit do to hide the presence of the attacker on the system?
7. What did you learn from this exercise?
8. How long did this challenge take you?

Bonus Questions:
Based on this challenge, write an example letter of notification to the source owner that attacked the system. Include any evidence or logs that you feel important.

--------------------------------------------------------------------->

Preparation:

First we get the file scan19.zip from project.honeynet.org and run md5sum on the file to make sure we've got what was intended.

[# md5sum scan19.zip]
[c065797b3c2ddfad3396e3d4542ed8a7 scan19.zip]

Success, the hashes match! Now I unzip the files into the scan19 directory and get the two binary logs, newdat3.log and slog2.log.
Analysis:

Firstly I extract all the packet information from the two snort log files by running the commands (on my trusty Win2k box) [C:\snort\snort -vdr scan19\newdat3.log host 192.168.1.102 and not port 20 > scan19\snort_newdat3.txt] and [C:\snort\snort -vdr scan19\slog2.log host 192.168.1.102 and not port 20 > scan19\snort_slog2.txt]. From this I get two files, snort_newdat3.txt and snort_slog2.txt, but the latter has nothing in it, so I run snort again with no host defined and get a file with what looks like the packet captures of the syslog entries. I then extract the ASCII conversations with [snort -dr scan19\newdat3.log -c snort.conf] and [snort -dr scan19\slog2.log -c snort.conf]; this stores the files by default to a subdirectory which I had to create.

Now on with the fun part, or not so fun part depending on which way you look at it!

1. Which vulnerability did the intruder exploit?

For this I looked at the alert.ids created by snort and created a timeline in a spreadsheet (see timeline.xls), which I find is easier to read at a glance. This spreadsheet will eventually contain all the relevant information from the attack. You can see from the alert.ids file that the attacker tried numerous exploits before he got the right one. At first, on 17/9, someone tries to get in via telnet (time 00:53) but is unsuccessful; note the IP 217.156.93.166 of the remote client. Directly after this came some FTP attacks from 207.35.251.172: they try nearly 40 exploits within 8 seconds, which leads me to believe this is probably some kind of FTP exploit script, which of course would stop when successful, which means that the alert at 00:55:59.485710 would have been the successful exploit. We can confirm this by going through snort_newdat3.log and looking at the packet traces after this time, and sure enough at 00:56:01.491606 you see [id] being run and information being sent back.
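The same timeline and "nearly 40 exploits within 8 seconds" check can be done over alert.ids in code instead of a spreadsheet. This is an added example, not part of the original write-up; the alert records in it are constructed in the layout of the page's own alert.ids excerpt, and the ones carrying the placeholder SID 9999999 are made up to exercise the burst logic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in Snort's full-alert layout: the two FTP records mirror
# the page's excerpt, the records with placeholder SID 9999999 are made up.
SAMPLE_ALERTS = """\
[**] [1:9999999:1] CONSTRUCTED telnet probe [**]
09/17-00:53:10.000000 217.156.93.166:1039 -> 192.168.1.102:23

[**] [1:338:1] FTP EXPLOIT format string [**]
[Classification: Attempted User Privilege Gain] [Priority: 8]
09/17-00:55:52.235847 207.35.251.172:2243 -> 192.168.1.102:21
[Xref => http://www.whitehats.com/info/IDS453]

[**] [1:361:2] FTP site exec [**]
09/17-00:55:52.552709 207.35.251.172:2243 -> 192.168.1.102:21

[**] [1:9999999:2] CONSTRUCTED ftp exploit attempt [**]
09/17-00:55:59.485710 207.35.251.172:2243 -> 192.168.1.102:21
"""
SIG_RE = re.compile(r"^\[\*\*\] \[(\d+:\d+:\d+)\] (.*) \[\*\*\]$")
HDR_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)$")
def parse_alerts(text):
    """Turn full-alert text into a time-ordered list of alert dicts."""
    records, sig = [], None
    for line in text.splitlines():
        sm, hm = SIG_RE.match(line), HDR_RE.match(line)
        if sm:                         # "[**] [sid] message [**]" opens a record
            sig = sm.groups()
        elif hm and sig:               # the timestamp/src/dst line that follows
            ts, src, sport, dst, dport = hm.groups()
            records.append({"time": datetime.strptime(ts, "%m/%d-%H:%M:%S.%f"),
                            "sid": sig[0], "msg": sig[1], "src": src,
                            "sport": int(sport), "dst": dst, "dport": int(dport)})
            sig = None                 # Classification/TCP/Xref lines are skipped
    return sorted(records, key=lambda r: r["time"])

def find_bursts(records, window_seconds=8, min_alerts=3):
    """Sources firing >= min_alerts alerts in any window_seconds span -> {src: (count, start)}."""
    by_src, bursts = defaultdict(list), {}
    for r in records:                  # records are already time-ordered
        by_src[r["src"]].append(r["time"])
    win = timedelta(seconds=window_seconds)
    for src, times in by_src.items():
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= win)
            if n >= min_alerts and n > bursts.get(src, (0,))[0]:
                bursts[src] = (n, start)
    return bursts
```

On the real alert.ids the window start of the burst is where the script began and the last alert inside it is the candidate for the successful attempt, which is then confirmed against the packet trace as done below.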
FROM snort_newdat3.txt<-----------------------------------

09/17-00:56:01.491606 207.35.251.172:2243 -> 192.168.1.102:21
TCP TTL:48 TOS:0x0 ID:16787 IpLen:20 DgmLen:56 DF
***AP*** Seq: 0xCF78AEB1  Ack: 0xEBCE0EB9  Win: 0x7C70  TcpLen: 32
TCP Options (3) => NOP NOP TS: 237392604 29673829
69 64 3B 0A                                      id;.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-00:56:01.538880 192.168.1.102:21 -> 207.35.251.172:2243
TCP TTL:64 TOS:0x10 ID:1729 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xEBCE0EB9  Ack: 0xCF78AEB5  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 29674023 237392604

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-00:56:01.742466 192.168.1.102:21 -> 207.35.251.172:2243
TCP TTL:64 TOS:0x10 ID:1730 IpLen:20 DgmLen:91 DF
***AP*** Seq: 0xEBCE0EB9  Ack: 0xCF78AEB5  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 29674034 237392604
75 69 64 3D 30 28 72 6F 6F 74 29 20 67 69 64 3D  uid=0(root) gid=
30 28 72 6F 6F 74 29 20 67 72 6F 75 70 73 3D 35  0(root) groups=5
30 28 66 74 70 29 0A                             0(ftp).

---------------------------------------------------------->

The exploit attacks vulnerable versions of the wu-ftp daemon with a buffer overflow; more information can be found from http://www.whitehats.com/info/IDS287 as stated by alert.ids.

2. What ways, and in what order, did the intruder use to connect and run commands on the system?

Well, firstly you can see that the blackhat has already run the [id] command from a remote shell that he has gained from the FTP exploit, so this is the first way he/she has been able to run commands. With this access the blackhat removes the password for the nobody account and then telnets to the compromised host using this account.
You'll see at 01:13:27 'nobody' successfully logs in from 217.156.93.166; the sharper-eyed readers will notice this is the same system which unsuccessfully tried to telnet in earlier, so the attacker is using two systems, one to run the exploits and the other to control the compromised machines. Perhaps the earlier telnet attempts were to see if the box was already compromised. Once the attacker is in he/she runs 'w' to see who is logged on and then logs off. Then, using the remote shell gained from the exploit, the blackhat creates a new user called dns with no password and root privileges; the attacker also changes access times on /etc/passwd and /etc, which we will look at later. The attacker then telnets into the host, logs in as nobody and su's to the dns user. Once the attacker is in he/she downloads 3 files, one of which contains the ssh daemon, which he/she then installs to get a remote secure shell to the host. The attacker then connects to this secure shell to run more commands; this secure shell is the last way the attacker connects to run commands.

3. How did the intruder try to hide his edits from the MAC times?

The intruder copied the access times of /etc/passwd and /etc to two other directories before creating his/her dns user. Then, after creating the user, the access times were copied back to /etc and /etc/passwd to hide the fact that they were changed. This changing of access times was done by running [touch -acmr ] as documented by the touch man page.

4. The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?

Once in, the intruder downloaded three rootkits/toolkits from teleport.go.ro (.ro = Romania): Zer0.tar.gz, copy.tar.gz and ooty.tar.gz. Zer0.tar.gz looks like a custom version of the t0rn rootkit; the main script, 'Go', installs the trojan version of sshd, the Adore rootkit and emails out system information to hatcheryhatched@hotmail.com.
The other two kits look like tool kits: copy.tar.gz contains smurf, the DoS tool, and also the tool that was probably used to exploit this system. File ooty.tar.gz contains a tool to exploit the suidperl vulnerability.

5. Recover (tell how you did it too) the rootkits from the snort binary capture

As demonstrated in the previous scan of the month, I used Ethereal to isolate and then save the three root/toolkits.

6. What does the rootkit do to hide the presence of the attacker on the system?

After warning of a remote logging machine, the 'Go' script uses the [touch -acmr] command again to modify access times on the directories it modifies. The script also points /bin/.bash_history to /dev/null in an effort to hide any recent bash commands and also to stop the logging of any new bash shell commands in the future. The files the script has used to run itself are all deleted. The script vrssb from the tls.tgz archive deletes lines containing the argument you give it from log files in /var/log/; the 'Go' script removes all lines containing login, ftp and dns. Oh, I nearly forgot, it also stops the syslog daemon until it's finished.

7. What did you learn from this exercise?

When we look at logs we must take in all the information contained in them and compare it with other logs from other sources to get a better overall picture of what has happened. Once this is done we can then strip the log files down to the most relevant pieces of information; only then do you get a true picture of what is going on. When this is done, do it again to make sure nothing has been missed, and again, and again....

8. How long did this challenge take you?

The analysis: around 3 hours.
The write up and research: around 2 hours.

Bonus Questions: Based on this challenge, write an example letter of notification to the source owner that attacked the system. Include any evidence or logs that you feel important.
The following email could be sent to the administrator of the compromised system which scanned the host. From a quick lookup on ARIN we can see the IP belongs to (is actually probably leased to) B-Line Technical Services in Montreal, who will probably be cooperative. We could also copy in the ISP's technical contact.

EMAIL----------------------------------------------------------->

To the administrator of 207.35.251.172,

It has come to my attention that your system (IP: 207.35.251.172) has been compromised by an intruder. Below is an excerpt from our logs which shows the system scanning our host for common vulnerabilities:

[**] [1:338:1] FTP EXPLOIT format string [**]
[Classification: Attempted User Privilege Gain] [Priority: 8]
09/17-00:55:52.235847 207.35.251.172:2243 -> X.X.X.X:21
TCP TTL:48 TOS:0x0 ID:16648 IpLen:20 DgmLen:76 DF
***AP*** Seq: 0xCF7869CC  Ack: 0xEBCD7EC0  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 237391678 29673183
[Xref => http://www.whitehats.com/info/IDS453]

[**] [1:361:2] FTP site exec [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/17-00:55:52.552709 207.35.251.172:2243 -> X.X.X.X:21
TCP TTL:48 TOS:0x0 ID:16651 IpLen:20 DgmLen:468 DF
***AP*** Seq: 0xCF7869E4  Ack: 0xEBCD7EFE  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 237391708 29673193
[Xref => http://www.securityfocus.com/bid/2241]
[Xref => http://www.whitehats.com/info/IDS317]

These are just two of nearly forty scans that occurred during an eight second period on the morning of 17th September starting at 00:55:52, after which our host was also compromised. It may be of interest (and also aid removal) that the intruder has downloaded the following rootkits/toolkits on to our compromised host: copy.tar.gz, ooty.tar.gz and Zer0.tar.gz. These files may still be on your system, so I have attached them to this email for you to examine.
Best Regards,
Tom Lyne

<---------------------------------------------------------

ARIN OUTPUT----------------------------------------------->

B-Line Technical Services (NETBLK-B-LINE-CA)
   800 Rene Levesque, Flr.3
   Montreal, Quebec H3B 1X9
   CA

   Netname: B-LINE-CA
   Netblock: 207.35.251.160 - 207.35.251.191

   Coordinator:
      Daoust, Philippe  (PD135-ARIN)  noc@in.bell.ca
      1-800-450-7771 +1 (416) 215-5423

   Record last updated on 08-Jan-2000.
   Database last updated on 5-Oct-2001 23:18:41 EDT.

<----------------------------------------------------------
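A closing note on the MAC-time trick from questions 3 and 6, as an added example that is not part of the original write-up: touch -r can copy a reference's atime and mtime, but the kernel stamps the inode change time (ctime) with the current clock on that same call, so a file whose ctime is far newer than both its atime and mtime, as /etc/passwd is after the copy-back, stands out, and the same walk can flag a .bash_history that has been pointed at /dev/null. It assumes a Unix filesystem where st_ctime is the inode change time (on Windows it is the creation time) and builds a constructed sample tree in a temporary directory.

```python
import os
import shutil
import tempfile
import time

def audit_tree(path, slack=60):
    """Walk path and return (time_hits, null_history): entries whose ctime is
    more than `slack` seconds newer than both atime and mtime, and any
    .bash_history that is a symlink to /dev/null."""
    time_hits, null_history = [], []
    for root, dirs, files in os.walk(path):
        for name in dirs + files:
            p = os.path.join(root, name)
            st = os.lstat(p)            # lstat: judge the link itself, not /dev/null
            if st.st_ctime - max(st.st_atime, st.st_mtime) > slack:
                time_hits.append(p)
            if name == ".bash_history" and os.path.islink(p) \
                    and os.readlink(p) == "/dev/null":
                null_history.append(p)
    return time_hits, null_history

def demo():
    """Constructed scenario in a temp dir: passwd is edited and then given back
    the atime/mtime 'saved' beforehand, group is left alone, and .bash_history
    is replaced by a link to /dev/null. Returns basenames of the findings."""
    base = tempfile.mkdtemp()
    for name in ("passwd", "group"):
        with open(os.path.join(base, name), "w") as f:
            f.write("# constructed sample file\n")
    passwd = os.path.join(base, "passwd")
    saved = (time.time() - 7 * 86400,) * 2      # atime/mtime as saved a week ago
    with open(passwd, "a") as f:                 # the edit the attacker wants hidden
        f.write("# constructed extra line standing in for the new account\n")
    os.utime(passwd, saved)                      # copy the old times back (touch -acmr)
    os.symlink("/dev/null", os.path.join(base, ".bash_history"))
    time_hits, null_history = audit_tree(base)
    shutil.rmtree(base)
    return ([os.path.basename(p) for p in time_hits],
            [os.path.basename(p) for p in null_history])
```

A chmod or chown also bumps ctime without changing mtime, so a hit is a lead to compare against package manifests and the syslog copy on the remote logging host, not proof on its own.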