From Ralf.Hildebrandt@innominate.com Sun Sep 23 07:51:36 2001
Date: Mon, 10 Sep 2001 16:25:21 +0200
From: Ralf Hildebrandt <Ralf.Hildebrandt@innominate.com>
To: project@honeynet.org
Subject: Scan of the month

First I decoded the binary dump using:

% snort -d -r snort-0315@0005.log -l /tmp/data -A fast


1) The attackers used rpc.statd attack to get into the system. What
   modifications did they make to the break-in-process to both automate 
   and make the process faster?

They queried the portmapper via port 111 to find out if a rpc.statd is
running, before trying the exploit:

03/16-03:21:24.995382 211.185.125.124:790 -> 172.16.1.108:111
UDP TTL:43 TOS:0x0 ID:29784 IpLen:20 DgmLen:84
Len: 64
41 26 95 DA 00 00 00 00 00 00 00 02 00 01 86 A0  A&..............
00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01  ................
                           ^^^^^^^^^^^^^^
RPC portmap request status

2) What system/country did the badguys come in from?

211.185.125.124, see 172.16.1.108/TCP:39168-4450
It contains a recorded telnet session that shows what he did to
install the rootkit.

Also, 211.185.125.124 is the source of the packets sent to port 111 of
the victim machine (see packet traces in 211.185.125.124)

211.185.125.124 is in the KRNIC netblock (Korea)

3) What nationality are the badguys, and how were you able to
   determine this? 

Romania. They fetched "lk.tgz" from FTP.HOME.RO [193.231.236.41]
In the mail the rootkit sends to bidi_damm@yahoo.com there's some
Romanian language bits (e.g. "Spatiu Liber" for "free space")

I wouldn't use a Romanian Language rootkit, if I wasn't Romanian...

4) What do the answers to questions #1 and #2 tell us about the tactics the badguys are using?

They use hacked machines as platforms for further exploits.

5) What did you learn from this challenge?

6) How long did this challenge take you? Bonus Question: 

7) Can you recover the blackhat's rootkit from the Snort binary log
   file? If so, how? 

Yes, by processing the data stream from 172.16.1.108/TCP:1027-20

% egrep "^([0-9A-F]{2} ){8,16}.*" 172.16.1.108/TCP:1027-20 > datenstrom.new

and then use some python to re-assemble the binary data from the ascii
dump.

-- 
Ralf.Hildebrandt@innominate.com                           innominate AG
+49.(0)30.308806-62  fax: -77                         networking people
The only "intuitive" interface is the nipple. After that, it's all
learned.
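Added example (editor's note, not part of Ralf's mail): the message above leaves two steps as prose, reading the portmap request off the hex dump in answer 1 and "some python to re-assemble the binary data from the ascii dump" in answer 7. The Python below does both: it reassembles the hex column of a `snort -d` dump (the same line shape the egrep on the page selects) back into bytes, then decodes the ONC RPC header to confirm the packet is a portmap GETPORT asking for program 100024 (status, i.e. rpc.statd). The sample dump embeds the three hex lines shown on the page; the fourth line (protocol 17/UDP, port 0, the normal tail of a GETPORT argument) is constructed here, since the page prints only 48 of the datagram's 56 payload bytes. The function names and the program-number table are this example's own.

```python
import re
import struct

# Same shape as the egrep in the mail: a run of 8..16 "HH " hex pairs at the
# start of the line; snort separates the hex and ASCII columns with two spaces.
HEX_LINE = re.compile(r"^((?:[0-9A-F]{2} ){8,16})")

# Constructed sample: the page's snort output, plus a constructed 4th hex line
# (proto 17 = UDP, port 0) that completes the GETPORT arguments.
SAMPLE_DUMP = """\
03/16-03:21:24.995382 211.185.125.124:790 -> 172.16.1.108:111
UDP TTL:43 TOS:0x0 ID:29784 IpLen:20 DgmLen:84
Len: 64
41 26 95 DA 00 00 00 00 00 00 00 02 00 01 86 A0  A&..............
00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01  ................
00 00 00 11 00 00 00 00  ........
"""

PORTMAP_PROG = 100000   # 0x000186A0
PMAP_GETPORT = 3
RPC_CALL = 0
# Well-known ONC RPC program numbers relevant to this trace.
RPC_PROGRAMS = {100000: "portmapper", 100024: "status"}  # 100024 = rpc.statd


def reassemble(dump_text):
    """Rebuild the raw bytes from the hex column of a snort -d ASCII dump.

    Header lines, blank lines and annotations do not match HEX_LINE and are
    skipped, so the whole log can be fed in unfiltered.
    """
    out = bytearray()
    for line in dump_text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def decode_portmap_getport(payload):
    """Parse an RPC CALL; return the GETPORT target if it is a portmap query.

    Layout (all big-endian u32): xid, msg_type, rpcvers, prog, vers, proc,
    then credential and verifier (flavor, length, opaque body padded to 4),
    then the procedure arguments. Returns None for calls to other services.
    """
    if len(payload) < 40:
        raise ValueError("payload too short for an RPC call header")
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack("!6I", payload[:24])
    if msg_type != RPC_CALL:
        raise ValueError("not an RPC CALL message")
    off = 24
    for _ in range(2):  # credential, then verifier
        flavor, length = struct.unpack("!II", payload[off:off + 8])
        off += 8 + ((length + 3) & ~3)
    if prog != PORTMAP_PROG or proc != PMAP_GETPORT:
        return None
    target_prog, target_vers, proto, port = struct.unpack("!4I", payload[off:off + 16])
    return {
        "xid": xid,
        "program": target_prog,
        "name": RPC_PROGRAMS.get(target_prog, "unknown"),
        "version": target_vers,
        "proto": proto,
        "port": port,
    }


if __name__ == "__main__":
    raw = reassemble(SAMPLE_DUMP)
    print(len(raw), "bytes reassembled")
    print(decode_portmap_getport(raw))
```

For answer 7 the same `reassemble()` applied to the file `172.16.1.108/TCP:1027-20` gives the bytes of the transferred archive; in practice one then checks it starts with a gzip magic (`1f 8b`) before unpacking it on an isolated analysis box. Note that the dump text parsed here has the `^^^^` marker and "RPC portmap request status" annotation lines removed, exactly as the regex would drop them.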