In order to get a list of running processes and connections, we could not trust the commands on the compromised system. Moreover, even when using my trusted statically linked binaries, an LKM rootkit, if one had been installed, could still hide some information from us. For example, the adore rootkit (see, among many other references, http://ouah.kernsh.org/reiterlkm.htm) hides some connections by searching for a certain string in the ‘write’ system call when the calling command is named ‘netstat’. So I decided to take the approach of putting renamed ‘netstat’ and ‘ps’ commands on my cdrom, called something else.
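A complementary check, added here as an example and not part of the original write-up: read the kernel's socket table straight from /proc/net/tcp and decode it ourselves, so a filter keyed on the process name ‘netstat’ has nothing to hook. The sample table is constructed to mirror a few rows of the netstat listing below (the inode values are made up).

```python
import socket
import struct

# Socket states as encoded in the 'st' column of /proc/net/tcp.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}

# Constructed sample (not a real capture) mirroring rows of the write-up's listing.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:008B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1101 1 c0000000 300 0 0 2 -1
   1: 00000000:07D3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 8237 1 c0000000 300 0 0 2 -1
   2: 4F01A8C0:FF38 C8769AD5:04A4 01 00000000:00000000 00:00000000 00000000     0        0 31552 1 c0000000 300 0 0 2 -1
   3: 4F01A8C0:047D 2A603E40:1A0B 01 00000000:00000000 00:00000000 00000000     0        0 31553 1 c0000000 300 0 0 2 -1
"""

def decode_addr(hexaddr):
    """'4F01A8C0:FF38' -> ('192.168.1.79', 65336); the kernel stores IPv4 little-endian."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """One dict per socket row; the header line is skipped, short lines ignored."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                     "state": TCP_STATES.get(f[3], f[3]), "inode": int(f[9])})
    return rows

def read_live(path="/proc/net/tcp"):
    """Read the kernel table on a live Linux system; no userland netstat involved."""
    with open(path) as fh:
        return parse_proc_net_tcp(fh.read())

def listening_ports(rows):
    return sorted(r["local"][1] for r in rows if r["state"] == "LISTEN")

def established(rows):
    return [(r["local"], r["remote"]) for r in rows if r["state"] == "ESTABLISHED"]

def netstat_style(rows):
    """Render rows like 'netstat -an' for side-by-side comparison with its output."""
    return ["tcp %-22s %-22s %-11s %d" % ("%s:%d" % r["local"],
                                         "%s:%s" % (r["remote"][0], r["remote"][1] or "*"),
                                         r["state"], r["inode"]) for r in rows]
```

The inode column is what ‘netstat -p’ matches against the socket:[inode] links under /proc/<num>/fd to fill in the PID/Program name column.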
The output from my renamed netstat command was as follows:
# /mnt/cdrom/n -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      845/smbd
tcp        0      0 0.0.0.0:79              0.0.0.0:*               LISTEN      732/xinetd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3137/smbd -D
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      677/identd
tcp        0      0 0.0.0.0:2003            0.0.0.0:*               LISTEN      3137/smbd -D
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      732/xinetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      699/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      732/xinetd
tcp        0      0 0.0.0.0:65336           0.0.0.0:*               LISTEN      15119/initd
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      25241/xopen
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      759/sendmail: accep
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      3137/smbd -D
tcp        0      0 0.0.0.0:65436           0.0.0.0:*               LISTEN      15119/initd
tcp        0      0 192.168.1.79:65336      213.154.118.200:1188    ESTABLISHED 15119/initd
tcp        0      0 192.168.1.79:1149       64.62.96.42:6667        ESTABLISHED 15119/initd
tcp        0      0 192.168.1.79:1146       199.184.165.133:6667    ESTABLISHED 15119/initd
udp        0      0 192.168.1.79:137        0.0.0.0:*                           850/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           850/nmbd
udp        0      0 192.168.1.79:138        0.0.0.0:*                           850/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           850/nmbd
udp        0      0 0.0.0.0:3049            0.0.0.0:*                           25239/xopen
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     943    778/gpm             /dev/gpmctl
unix  4      [ ]         DGRAM                    7984   3247/syslogd        /dev/log
unix  2      [ ]         DGRAM                    15679  732/xinetd
unix  2      [ ]         DGRAM                    7993   3252/klogd
unix  2      [ ]         DGRAM                    1078   893/login -- root
unix  2      [ ]         DGRAM                    990    820/crond
unix  2      [ ]         DGRAM                    924    759/sendmail: accep
unix  2      [ ]         DGRAM                    834    677/identd
unix  2      [ ]         DGRAM                    804    657/apmd
unix  2      [ ]         STREAM     CONNECTED     417    1/init
Active IPX sockets
Proto Recv-Q Send-Q Local Address           Foreign Address         State
This showed the suspicious programs ‘xopen’, ‘initd’ and ‘smbd’. Moreover, how come there are TWO smbd daemons running on the system, one of them listening on ports 80 & 2003?
The output from the renamed ‘ps’ command was also interesting:
# /mnt/cdrom/s ax
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:05 init
    2 ?        SW     0:00 [keventd]
    3 ?        SW     0:00 [kapm-idled]
    4 ?        SWN    0:00 [ksoftirqd_CPU0]
    5 ?        SW     0:00 [kswapd]
    6 ?        SW     0:00 [kreclaimd]
    7 ?        SW     0:00 [bdflush]
    8 ?        SW     0:00 [kupdated]
    9 ?        SW<    0:00 [mdrecoveryd]
   17 ?        SW     0:04 [kjournald]
   92 ?        SW     0:00 [khubd]
  657 ?        S      0:00 /usr/sbin/apmd -p 10 -w 5 -W -P /etc/sysconfig/apm-scripts/apmscript
  677 ?        S      0:00 identd -e -o
  685 ?        S      0:00 identd -e -o
  686 ?        S      0:00 identd -e -o
  695 ?        S      0:00 identd -e -o
  696 ?        S      0:00 identd -e -o
  699 ?        S      0:00 /usr/sbin/sshd
  732 ?        S      0:00 xinetd -stayalive -reuse -pidfile /var/run/xinetd.pid
  759 ?        S      0:00 sendmail: accepting connections
  778 ?        S      0:00 gpm -t ps/2 -m /dev/mouse
  820 ?        S      0:00 crond
  845 ?        S      0:00 smbd -D
  850 ?        S      0:00 nmbd -D
  893 tty1     S      0:00 login -- root
  894 tty2     S      0:00 /sbin/mingetty tty2
  895 tty3     S      0:00 /sbin/mingetty tty3
  896 tty4     S      0:00 /sbin/mingetty tty4
  899 tty5     S      0:00 /sbin/mingetty tty5
  900 tty6     S      0:00 /sbin/mingetty tty6
  901 tty1     S      0:00 -bash
 3137 ?        S      0:03 smbd -D
 3153 ?        S      0:00 (swapd)
 3247 ?        S      0:00 syslogd -m 0
 3252 ?        S      0:00 klogd -2
25239 ?        S      0:00 /lib/.x/s/xopen -q -p 3128
25241 ?        S      0:00 /lib/.x/s/xopen -q -p 3128
25247 ?        S      0:00 /lib/.x/s/lsn
15119 ?        S      0:00 initd
16215 pts/1    R      0:00 ps -ax
It showed the already suspicious processes initd (15119), xopen (25239 & 25241) and smbd -D (3137). Also the (swapd) process (3153) and lsn (25247) were suspicious.
Just for checking, I decided to make a script that would do the following:
1. Try to enter the directory /proc/<num>, with <num> running from 1 to 99,999.
2. If that directory exists, gather all the information about the process:
   i. Command line, from /proc/<num>/cmdline
   ii. Current working directory, from /proc/<num>/cwd
   iii. Environment, from /proc/<num>/environ
   iv. Open files, by entering /proc/<num>/fd and doing an ‘ls’
   v. Summary of status, from /proc/<num>/status
The script is available here. The output obtained is also available here.
It showed no new processes, but confirmed the processes with open sockets and also gave a lot of extra information. For example, process 3137 is not ‘smbd’ with the option -D, but a binary called ‘smbd -D’ (that is, smbd, space, -D), posing as a normal samba daemon under /usr/bin.
Also, some processes still had already deleted files open, which meant I could use those descriptors to recover the files. For example, process 3137 had the httpd error log file /var/log/httpd/error_log open, so I could recover it by doing:
/mnt/cdrom/cat /proc/3137/fd/15 | /mnt/cdrom/nc 192.168.1.80 7777
where 192.168.1.80 is my own system, on which I had a netcat listening as:
nc -l 7777 > /recovered/var/log/httpd/error_log
That way, I was able to recover several log files, such as /var/log/messages, the httpd error logs and the smbd error logs.
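The /proc walk described above, written out as an added example (this is not the author's script, whose link did not survive): it collects the same five items for every /proc/<num> without relying on ‘ps’, and flags descriptors whose link target carries the ‘(deleted)’ marker, which is exactly the situation used above to pull the httpd error log back through /proc/3137/fd/15. It assumes a Linux /proc; entries of other users' processes that cannot be read are reported as empty rather than aborting the walk.

```python
import os

def _read(path, mode="r"):  # None when the file is unreadable (e.g. another user's pid)
    try:
        with open(path, mode) as fh:
            return fh.read()
    except OSError:
        return None

def _link(path):  # readlink target, or None if the link vanished or is not readable
    try:
        return os.readlink(path)
    except OSError:
        return None

def nul_list(data):  # cmdline and environ are NUL-separated byte lists
    return [s.decode("utf-8", "replace") for s in (data or b"").split(b"\0") if s]

def list_fds(pid, proc="/proc"):  # fd number -> target, the view 'ls -l /proc/<num>/fd' gives
    fd_dir = os.path.join(proc, str(pid), "fd")
    try:
        names = os.listdir(fd_dir)
    except OSError:
        return {}
    return {int(n): _link(os.path.join(fd_dir, n)) for n in names}

def gather_process(pid, proc="/proc"):
    """The five items from the write-up's script for one pid; None if /proc/<num> is absent."""
    base = os.path.join(proc, str(pid))
    if not os.path.isdir(base):
        return None
    status = {}
    for line in (_read(os.path.join(base, "status")) or "").splitlines():
        key, _, val = line.partition(":")
        status[key.strip()] = val.strip()
    fds = list_fds(pid, proc)
    return {
        "cmdline": nul_list(_read(os.path.join(base, "cmdline"), "rb")),
        "cwd": _link(os.path.join(base, "cwd")),
        "environ": nul_list(_read(os.path.join(base, "environ"), "rb")),
        "fds": fds,
        # open-but-unlinked files: their content is still readable through /proc/<num>/fd/<n>
        "deleted": {n: t for n, t in fds.items() if t and t.endswith(" (deleted)")},
        "status": status,
    }

def walk_proc(proc="/proc", max_pid=99999):
    """Try /proc/1 .. /proc/<max_pid> in turn, independent of what 'ps' reports."""
    found = {pid: gather_process(pid, proc) for pid in range(1, max_pid + 1)}
    return {pid: info for pid, info in found.items() if info is not None}
```

Comparing the keys of walk_proc() against the PIDs printed by ‘ps’ is the check for processes a rootkit hides from the userland tools.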
None of the running processes had its binary deleted. Had this been the case, I could have recovered it using the /proc/<num>/exe link.
Anyway, using the netcat method, I transferred all the running binaries to my system for later analysis. At that time I had already copied the whole file system with dd & netcat, but I copied them again just to be on the safe side, in case the file system image was somehow corrupted or not in a stable state.
Just for checking, I decided to run the nmap command against the running vmware. This is probably something you should not do on a real system, as it could trigger a lot of actions on the analyzed system. But, remember, we are here for fun…
Nmap showed no new info:
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.1.79):
(The 65523 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
23/tcp     open        telnet
79/tcp     open        finger
80/tcp     open        http
113/tcp    open        auth
139/tcp    open        netbios-ssn
443/tcp    open        https
2003/tcp   open        cfingerd
3128/tcp   open        squid-http
65336/tcp  open        unknown
65436/tcp  open        unknown