Scan 19


The first step is to retrieve the challenge package and check its md5sum.

>wget http://project.honeynet.org/scans/scan19/scan19.tar.gz
>md5sum scan19.tar.gz
11e0be295d138df14111796a7733a5d2 scan19.tar.gz

Ok, this correctly matches the md5 hash listed on the website. Let's move on.

> tar -zxvf scan19.tar.gz
newdat3.log
slog2.log

1. Which vulnerability did the intruder exploit?

To find out which vulnerability was exploited, we can run newdat3.log through snort with standard rules:

>snort -r newdat3.log -A full -c snort.conf

We can then find this log entry:

[**] FTP-site-exec [**] 09/16-19:55:58.372588 207.35.251.172:2243 -> 192.168.1.102:21 TCP TTL:48 TOS:0x0 ID:16783 IpLen:20 DgmLen:563 DF ***AP*** Seq: 0xCF78AC1D Ack: 0xEBCE0AD8 Win: 0x7C70 TcpLen: 32 TCP Options (3) => NOP NOP TS: 237392290 29673715

After a quick web search we find a link for it: http://www.kb.cert.org/vuls/id/29823
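An added example, not part of the original writeup: a small parser for the Snort "-A full" alert header in the format quoted above, plus a helper that groups the signatures seen per source IP so the host that tripped the site-exec rule can be pulled out of a large alert file. The sample line is the one from this page, joined onto one line.

```python
import re

# Constructed sample: the alert header quoted in the writeup, as a single line.
SAMPLE_ALERT = (
    "[**] FTP-site-exec [**] 09/16-19:55:58.372588 207.35.251.172:2243 -> "
    "192.168.1.102:21 TCP TTL:48 TOS:0x0 ID:16783 IpLen:20 DgmLen:563 DF "
    "***AP*** Seq: 0xCF78AC1D Ack: 0xEBCE0AD8 Win: 0x7C70 TcpLen: 32"
)

# Signature, timestamp, endpoints, protocol and TTL from the header.
HEADER_RE = re.compile(
    r"\[\*\*\]\s+(?P<sig>.+?)\s+\[\*\*\]\s+"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>[A-Z]+)\s+TTL:(?P<ttl>\d+)"
)
# The 8-character TCP flag field (e.g. ***AP***) that precedes "Seq:".
FLAGS_RE = re.compile(r"\s(?P<flags>[SFRPAU12*]{8})\s+Seq:")


def parse_alert(line):
    """Return a dict of the header fields, or None if the line is not an alert."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "ttl"):
        rec[key] = int(rec[key])
    f = FLAGS_RE.search(line)
    rec["flags"] = f["flags"].replace("*", "") if f else ""
    return rec


def alerts_by_source(lines):
    """Map each source IP to the set of signatures it triggered."""
    out = {}
    for line in lines:
        rec = parse_alert(line)
        if rec:
            out.setdefault(rec["src"], set()).add(rec["sig"])
    return out


if __name__ == "__main__":
    print(parse_alert(SAMPLE_ALERT))
    print(alerts_by_source([SAMPLE_ALERT]))
```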


2. What ways, and in what order, did the intruder use to connect and run commands on the system?

The first way the intruder executed commands on the server was through the shell created by the aforementioned vulnerability. In order to tell what commands he ran, we can use snort. First we create a temporary config file for snort (trule) that has the rule:

log tcp any any <> any 21 (session: printable;)

Then we use the snort command:

>snort -r newdat3.log -c trule -l /tmp

This will have created several directories in the /tmp directory. Inside the directory named with the attacker's IP is a file that has the commands issued by the attacker during the ftp session. It can be found here.

The second way in which the intruder connected was telnet. During his previous ftp connection he changed the password of user nobody:

passwd nobody -d

And the attacker created a new user, dns:

/usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash

Now we can modify the snort rule file we made to look for telnet connections.

log tcp any any <> any 23 (session: printable;)

We find a directory named 217.156.93.166 and in it a file containing the commands used during the telnet session. Those commands can be found here.

The third way the intruder connected was via ssh to a trojaned ssh daemon. Luckily we were logging keystrokes to syslog (and remotely logging that) so we were able to tell what the intruder was doing during the encrypted session. To read that we can use:

>snort -vdr slog2.log | more

3. How did the intruder try to hide his edits from the MAC times?

The intruder tried to hide his changes to the passwd file by using the touch command to change the file's Modification, Access and Creation (MAC) times.

mkdir -p /etc/X11/applnk/Internet/.etc
mkdir -p /etc/X11/applnk/Internet/.etcpasswd
touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd
touch -acmr /etc /etc/X11/applnk/Internet/.etc
passwd nobody -d
/usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash
passwd dns -d
touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd
touch -acmr /etc/X11/applnk/Internet/.etc /etc

First the attacker makes a dummy passwd file and a dummy directory. The intruder then assigns the MAC times of /etc/passwd to the dummy file and the MAC times of /etc to the dummy directory. Next the intruder strips user nobody of a password and adds user dns. Finally they change the times of /etc and /etc/passwd back to those of the dummy directory and file.
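An added example, not part of the original writeup, that replays the touch -acmr swap above on throwaway files using Python's os.utime (the same call touch makes) and then runs the check a defender would: atime and mtime come back exactly as before, but ctime is set by the kernel on every metadata change and cannot be mirrored by touch, so on a Unix filesystem a ctime far later than mtime on /etc/passwd still gives the edit away. The 2001 timestamp and the file contents are constructed.

```python
import os
import tempfile
import time


def mirror_times(reference, target):
    """Python equivalent of `touch -acmr reference target`: copy atime and mtime.
    ctime is not copied: no userland call can set it, and the kernel updates it
    to 'now' as a side effect of this very utime() call (Unix semantics)."""
    st = os.stat(reference)
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))


def ctime_after_mtime(path, slack=2.0):
    """Defender check: ctime more than `slack` seconds after mtime means the
    inode was touched after the content was last (apparently) written."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > slack


def simulate_passwd_edit(workdir):
    passwd = os.path.join(workdir, "passwd")      # stands in for /etc/passwd
    dummy = os.path.join(workdir, ".etcpasswd")   # the attacker's scratch file
    with open(passwd, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
    # Constructed: pretend passwd was last written on 2001-09-16, pre-intrusion.
    old = int(time.mktime((2001, 9, 16, 12, 0, 0, 0, 0, -1)))
    os.utime(passwd, (old, old))
    open(dummy, "w").close()
    mirror_times(passwd, dummy)                   # touch -acmr /etc/passwd dummy
    with open(passwd, "a") as fh:                 # the adduser / passwd -d edits
        fh.write("dns:x:0:0::/bin:/bin/bash\n")
    mirror_times(dummy, passwd)                   # touch -acmr dummy /etc/passwd
    st = os.stat(passwd)
    return {
        "mtime_restored": int(st.st_mtime) == old,
        "ctime_leaks_edit": ctime_after_mtime(passwd),
    }


def run_demo():
    with tempfile.TemporaryDirectory() as d:
        return simulate_passwd_edit(d)


if __name__ == "__main__":
    print(run_demo())  # {'mtime_restored': True, 'ctime_leaks_edit': True}
```

The same check applied to /etc (the directory) would flag it too, since its ctime is updated when the restored timestamps are written.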


4. The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?

The first rootkit downloaded was Zer0.tar.gz. Zer0 is a modified t0rn rootkit. This can easily be seen by comparing it to a t0rn config file.

The second kit downloaded was copy.tar.gz. This package contains programs to generate lists of IP addresses, an ftp scanner, the wu-ftp site-exec exploit and various other things.

The third kit downloaded was ooty.tar.gz. This kit contains a bunch of local exploits and even a nice motd message for the sysadmin.


5. Recover the rootkits from the snort binary capture (tell how you did it too)

To recover the rootkits I used a program called tcpflow, http://www.circlemud.org/~jelson/software/tcpflow/.

> tcpflow -r newdat3.log 'port 20'

This returned 3 files with names made up of the IPs and ports involved. Next we can move them to more appropriate names:

>mv 193.231.236.042.00020-192.168.001.102.01026 Zer0.tar.gz
>mv 193.231.236.042.00020-192.168.001.102.01027 copy.tar.gz
>mv 193.231.236.042.00020-192.168.001.102.01028 ooty.tar.gz
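An added example, not part of the original writeup: a parser for the tcpflow stream names shown above (zero-padded SRC_IP.SRC_PORT-DST_IP.DST_PORT), a helper that recovers the order in which the three files were pushed over active-mode FTP (server port 20 to successively allocated client ports, which on that era's Linux are handed out in increasing order, an assumption stated here), and a magic-byte check so the .tar.gz names we assign are verified rather than trusted. The stream names are the three from this page; the file bodies in the demo are constructed.

```python
import os
import re
import tempfile

FLOW_RE = re.compile(
    r"^(?P<sip>\d{3}\.\d{3}\.\d{3}\.\d{3})\.(?P<sport>\d{5})-"
    r"(?P<dip>\d{3}\.\d{3}\.\d{3}\.\d{3})\.(?P<dport>\d{5})$"
)

# Constructed sample: the three stream names from the writeup, shuffled.
SAMPLE_NAMES = [
    "193.231.236.042.00020-192.168.001.102.01027",
    "193.231.236.042.00020-192.168.001.102.01026",
    "193.231.236.042.00020-192.168.001.102.01028",
]


def _ip(padded):
    """'193.231.236.042' -> '193.231.236.42'"""
    return ".".join(str(int(o)) for o in padded.split("."))


def parse_flow_name(name):
    m = FLOW_RE.match(name)
    if not m:
        raise ValueError("not a tcpflow stream name: " + name)
    return {"src": _ip(m["sip"]), "sport": int(m["sport"]),
            "dst": _ip(m["dip"]), "dport": int(m["dport"])}


def order_ftp_downloads(names):
    """Keep only server->client data streams (source port 20) and sort them by
    the client's data port, which recovers the order of the transfers."""
    data = [(n, parse_flow_name(n)) for n in names]
    data = [(n, f) for n, f in data if f["sport"] == 20]
    return [n for n, f in sorted(data, key=lambda nf: nf[1]["dport"])]


def is_gzip(path):
    """Check the gzip magic bytes instead of trusting the name we gave the file."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"\x1f\x8b"


def demo_is_gzip():
    """Constructed bodies: one with a gzip header, one that is just FTP text."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "a"), os.path.join(d, "b")
        with open(good, "wb") as fh:
            fh.write(b"\x1f\x8b\x08\x00constructed")
        with open(bad, "wb") as fh:
            fh.write(b"220 ftp banner\r\n")
        return is_gzip(good), is_gzip(bad)
```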

6. What does the rootkit do to hide the presence of the attacker on the system?

The rootkit, Zer0.tar.gz, contains the Adore Loadable Kernel Module (URL). A kernel module can be a very effective way of hiding things on a system. It does not require you to replace any files; instead it intercepts the system calls that access those files. This intruder wanted to hide processes and directories using the adore commands:

./ava i $(ps ax|grep nscdx|awk '{print $1}')
./ava i $(ps ax|grep vrssnf|awk '{print $1}')
./ava i $(ps ax|grep psybnc|awk '{print $1}')
./ava h /usr/X11R6/bin/.,
./ava h /usr/info/.t0rn
./ava h /dev/sdc0
./ava h /etc/rc.d/rc3.d/S50ine

The rootkit also used touch to change the MAC times of certain directories; a snippet is shown:

touch -acmr /tmp/.dir1 /bin
touch -acmr /tmp/.dir2 /usr/X11R6/bin
touch -acmr /tmp/.dir3 /etc/rc.d/rc3.d

7. This challenge took me about 6 hours to do.


Links

Snort
TcpFlow
CERT