From ichinin@swipnet.se Sun Sep 23 07:58:39 2001
Date: Thu, 20 Sep 2001 10:35:12 +0200
From: Ichinin
To: project@honeynet.org
Subject: Scan18

Hello there.

Here is my submission for September's scan of the month: Scan 18.

Regards,
Glenn

________________________________

Q1: The attackers used the rpc.statd attack to get into the system. What modifications did they make to the break-in process to both automate and make the process faster?

A1: They installed a rootkit that further facilitated compromise. The rootkit "patched" several other commands, i.e. SSH, PS, Netstat, Ifconfig (etc.) and even came with an installer. I assume that "cleaner" and "logclear" are for "exfiltration"; I haven't looked at the rootkit, but that's my guess. It looks like the rootkit also reported compromised hosts to an email account ("bidi_damm@yahoo.com").

Some of the files the rootkit "patches" are:

last/ <- Directory
ssh
pidfile
install
linsniffer
cleaner
inetd.conf
lsattr
services
sense
ssh_config
ssh_host_key
ssh_host_key.pub
ssh_random_seed
sshd_config
sl2
last.cgi
ps
netstat
ifconfig
top
logclear
s (*)
mkxfs

(* I assume gzip compression hid the file beginning with s...)

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Q2: What system/country did the badguys come in from?

A2: Frankly, I cannot clearly say; an FTP account on a Romanian server is probably the only "clear" lead as to where from that I can provide.

Note: Anyone can get an FTP account anywhere and some users/groups share FTP passwords...

At least some leads (*) were picked up:

"Ftp.home.ro"
"shell-station.com"
"spf2.us3.outblaze.com"

(* could be investigated, may have logging)

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Q3: What nationality are the badguys, and how were you able to determine this?

A3: To answer that would require a deeper analysis and more data; also the "real" attacking hosts could be compromised as well. There is no way of knowing without further examination of the traffic from/to those remote systems.

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Q4: What do the answers to questions #1 and #2 tell us about the tactics the badguys are using?

A4: Well, at the very least, they know basic system penetration. They know how to run a rootkit. They probably have an automated attack tool and could be compromising several systems.

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Q5: What did you learn from this challenge?

A5: A bit more on rootkits and automation.

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Q6: How long did this challenge take you?

A6: 4 hours, just before the deadline, so I hope I make it(!)

Bonus Question:

QBonus: Can you recover the blackhat's rootkit from the Snort binary log file? If so, how?

ABonus: Probably; I know that the file "lk.tgz" is 520333 bytes, so if I could filter out the FTP session, then yes, I can recover it.

Regards,
Glenn Larsson (Ichinin@suespammers.org)

__________________________________________________________________

******************************************
* Wild speculation and analysis follows: *
******************************************

System_A: "SunOS 5.7" (shell-station.com? Could be DNS server?)

System_B: "Linux asdf1 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown" (Assume it's the compromised host, several indicators)

Possibly involved parties: (Compromised or active attackers; unknown for now, assuming all DNS servers were unhacked at the time...)

[1] "ftp.home.ro" [193.231.236.41] [www. = 193.231.236.40] == Bucharest, Romania
[2] "www.black-hats.com" (unable to resolve, bogus entry? A session disassembly would reveal more.)
[3] "spf2.us3.outblaze.com" [209.61.188.33] (Count 31 references) == San Antonio, TX (US)
[4] "shell-station.com" [www.shell-station.com = 64.242.77.209] (Count 0 references) == Mesa, AZ (U.S.)
[5] "172.16.1.108" Compromised host. (We all know 172.16.x.x == private.)

_____________________________________________________________________

- TAG: [could be DNS tinkering] ID: "Dustifer@hotmail.com" Server: "www.black-hats.com"

- TAG: "bidi_damm@yahoo.com" -> Rootkit sends stuff to this yahoo account.

- TAG: "Sendmail 8.11.2/8.11.2" (Exploitable?) Remember that I saw something on packetstorm about this; latest version of sendmail is "8.11.6". -> ftp://ftp.sendmail.org/pub/sendmail/RELEASE_NOTES (check out: Probably leaking like a sinking ship!)

- TAG: FTP server "ProFTPD 1.2.0rc3 Server"

- TAG: "./install" + "Instalarea Rootkitului A Pornit La Drum" (Romanian: "The rootkit installation has started") (Looks like the rootkit is being installed)

- FTP SESSION from: ASDF to: ftp.home.ro [193.231.236.41] (user "soane" transferred file "lk.tgz", session tried identifying user "root@ASDF")

- File "lk.tgz" is 520333 bytes; I think I can extract the rootkit, IF the Snort logs are coherent.

- SMTP session: spf2.us3.outblaze.com mta502.mail.yahoo.com was identified. (Weird: Looks like HELO was picked up as "EHLO" Hmmm...?!?!!?!?!)

- Email going to bidi_damm@hotmail.com further suggests that the linux system was compromised and can now be used at leisure.
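The Bonus answer says lk.tgz can be recovered if the FTP session can be filtered out of the Snort binary log (Snort's -b log is in libpcap format). The following is an added example, not part of Glenn's submission and not Honeynet Project code, showing the mechanics: read the pcap, keep only the server-to-client direction of the FTP data connection, order the segments by TCP sequence number, drop retransmitted bytes, and report any hole, because a stream with a missing segment will not unpack to the 520333-byte archive. The capture here is constructed in memory; the two addresses come from the submission, while the TCP ports (active-mode data connection from server port 20 to an assumed client port 1035, control channel on 21/1034) and the payload are assumptions. On a real log, `capture()` is replaced by `open(path, "rb").read()`.

```python
"""Recover one TCP stream (an FTP data connection) from a pcap.

Added example, not from the original submission. The capture is built in
memory; addresses are from the submission, ports and payload are assumed.
"""
import struct

def tcp_frame(src, dst, sport, dport, seq, payload=b""):
    """Build an Ethernet/IPv4/TCP frame. Checksums stay zero: pcap readers
    do not verify them, so this suffices for a synthetic capture."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def pcap_file(frames):
    """Wrap frames in a little-endian pcap (magic 0xA1B2C3D4, link type 1 = Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)

def tcp_segments(pcap):
    """Yield ((src, sport, dst, dport), seq, data) for every TCP segment carrying data."""
    magic = struct.unpack("<I", pcap[:4])[0]
    e = "<" if magic == 0xA1B2C3D4 else ">"   # byte order of the record headers
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(e + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":       # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                         # not TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data = tcp[(tcp[12] >> 4) * 4:]
        if data:
            src = ".".join(map(str, ip[12:16]))
            dst = ".".join(map(str, ip[16:20]))
            yield (src, sport, dst, dport), seq, data

def reassemble(pcap, flow):
    """Rebuild one direction of a TCP stream. Returns (bytes, gaps).
    Segments are ordered by sequence number, already-seen bytes (retransmissions,
    overlaps) are skipped, and each hole is zero-filled and listed in gaps so the
    caller knows the recovered file cannot be trusted."""
    segs = sorted((seq, data) for f, seq, data in tcp_segments(pcap) if f == flow)
    stream, gaps = bytearray(), []
    if not segs:
        return bytes(stream), gaps
    base = segs[0][0]
    for seq, data in segs:
        rel = seq - base                       # 32-bit sequence wraparound not handled here
        if rel > len(stream):
            gaps.append((len(stream), rel))
            stream += b"\x00" * (rel - len(stream))
        stream += data[len(stream) - rel:]     # empty slice if it is a pure retransmission
    return bytes(stream), gaps

# Constructed capture (assumed ports): server data port 20 -> client port 1035.
SERVER, CLIENT = "193.231.236.41", "172.16.1.108"
FLOW = (SERVER, 20, CLIENT, 1035)
FILE = b"\x1f\x8b\x08\x00" + bytes(range(256)) * 4   # gzip-like header + 1024 bytes = 1028
CHUNKS = [FILE[i:i + 300] for i in range(0, len(FILE), 300)]  # four data segments
ISN = 1000

def capture(drop=None):
    """Segments logged out of order, one retransmitted, with control-channel and
    ack-only frames interleaved. drop=<index> omits one segment (lost/unlogged)."""
    frames = [tcp_frame(SERVER, CLIENT, 21, 1034, 500, b"150 Opening BINARY mode data connection\r\n")]
    starts = [ISN + sum(len(c) for c in CHUNKS[:i]) for i in range(len(CHUNKS))]
    for i in [2, 0, 3, 1, 2]:                  # index 2 appears twice: a retransmission
        if i != drop:
            frames.append(tcp_frame(SERVER, CLIENT, 20, 1035, starts[i], CHUNKS[i]))
        frames.append(tcp_frame(CLIENT, SERVER, 1035, 20, 7000))   # pure ACK, no data
    return pcap_file(frames)

if __name__ == "__main__":
    data, gaps = reassemble(capture(), FLOW)
    print(len(data), "bytes recovered, gaps:", gaps, "intact:", data == FILE)
    data, gaps = reassemble(capture(drop=1), FLOW)
    print(len(data), "bytes recovered, gaps:", gaps, "intact:", data == FILE)
```

On the real log, read the control channel (port 21) first: the PORT or PASV exchange and the RETR lk.tgz command give the data-connection endpoints and direction, and the 226 reply marks the end of the transfer. A non-empty `gaps` list is the "IF the Snort logs are coherent" caveat from the submission showing up in practice; the recovered output should be exactly 520333 bytes, and `gzip -t` on it is a cheap integrity check before anything is unpacked on an analysis box.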