Scan of the Month #19 Summary
By Joe Stewart
October 3, 2001

Q: Which vulnerability did the intruder exploit?
-- A: A format string vulnerability in wu-ftpd 2.6.0 discovered last year. This is a commonly used remote root exploit, as wu-ftpd runs by default on countless Unix systems. See http://www.securityfocus.com/bid/1387 for more detail on this exploit.

Q: What ways, and in what order, did the intruder use to connect and run commands on the system?
-- A: The attacker first tried to log in via telnet, presumably through a backdoor left in place from the last rooting. This did not gain them access, so they ran the wu-ftpd exploit, which gave them a temporary root shell on the system over the FTP port. Once they were in a shell, they removed the password from the "nobody" account, then added a new account "dns" with uid and gid of 0. Second, they logged in via telnet as nobody and did "su" to user dns, giving them root privileges. From here they ran the master script to clean the logs, rootkit the system, and install backdoors in the RedHat pluggable authentication modules (PAM). The third time they logged in as user "uucp", which had been backdoored earlier. They used telnet first to verify the backdoor was working, then used a Windows ssh client to connect to a hidden ssh daemon on port 24 that they had started earlier. From this point the session was encrypted, so the syslog output of the modified bash executable is the only way to trace the attacker's actions.

Q: How did the intruder try to hide his edits from the MAC times?
-- A: The first script used "touch -acmr", which copied the file timestamps to temp files, then copied them back to the original files once the dirty work was done. This shows that file modification times are nearly useless as a forensic tool.

Q: The intruder downloaded rootkits; what were they called? Are they new/custom rootkits?
-- A: The intruder downloaded Zer0.tar.gz, a custom rootkit mostly based on the Adore rootkit from http://spider.scorpions.net/~stealth/ In it were:

Go - main install script for the rootkit
ssh.tgz - ssh server and keys, probably from a version of t0rnkit
tls.tgz - backdoor/log cleaner/vulnerability patching scripts
adr.tgz - source code for the adore rootkit
adr2.tgz - precompiled binaries for adore
adore.h - config header for adore

Note that the "Go" script discovered the remote syslog box by reading syslog.conf, but that didn't stop the intruder from continuing. Also downloaded were copy.tar.gz, which contained scanner/exploit tools for attacking new hosts, and ooty.tar.gz, which contained some local root exploits.

Q: Recover (tell how you did it too) the rootkits from the snort binary capture
-- A: You can easily recover binaries from a tcpdump file using the GTK-based sniffer Ethereal. Change your preferences to print to a file instead of lpr. Then use the "View TCP Stream" function on the FTP-DATA stream you wish to decode. Use the print button on the ASCII page display. The file that is output will be a copy of the original binary downloaded via FTP.

Q: What does the rootkit do to hide the presence of the attacker on the system?
-- A: It uses a kernel module to intercept system calls at the kernel level and hide output it doesn't want seen. This allows the attacker to hide processes, connections or files without having to trojan system binaries that might be discovered through Tripwire-type integrity checking. However, there are rootkit detectors that can sniff out kernel-module rootkits. See http://www.chkrootkit.org/

Q: What did you learn from this exercise?
-- A: Although this attack lacked sophistication, the capture really shows the value of a honeynet in collecting the attacker's tools and tricks, even if they destroy all local evidence of the intrusion.
Armed with the knowledge of the intruder's sources and destinations, anonymous email accounts, ftp usernames and passwords, one could easily make life hard on the attacker. Enough people running honeynets could really generate a sense of paranoia in the script kiddie community. :)

Q: How long did this challenge take you?
-- A: Analysis: 3 hours. Writing summary text: 2 hours.
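The Ethereal "View TCP Stream" recovery step described above can also be done programmatically. The following is an added example, not part of this writeup or the challenge materials: it parses a libpcap file, collects the segments of one FTP-DATA flow, orders them by TCP sequence number (trimming overlapping retransmissions and refusing to silently skip a gap), and returns the transferred file bytes. The addresses, ports and payload in SAMPLE_PCAP are constructed sample data, not values from the challenge capture.

```python
import struct

def tcp_segments(pcap):  # yield ((src, sport, dst, dport), seq, payload) per data-bearing TCP segment
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # libpcap magic gives the byte order
    off = 24                                               # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]  # captured length of this record
        pkt, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        ip = pkt[14:]                                      # past the Ethernet header
        if pkt[12:14] != b"\x08\x00" or len(ip) < 20 or ip[9] != 6:
            continue                                       # IPv4 carrying TCP only
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]                # data offset is in 32-bit words
        if payload:
            yield (".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])), dport), seq, payload

def reassemble(pcap, flow):  # rebuild one direction of a TCP stream in sequence order
    chunks = {}
    for key, seq, data in tcp_segments(pcap):
        if key == flow:
            chunks[seq] = data                             # a later copy of the same seq overwrites
    out, expected = bytearray(), None
    for seq in sorted(chunks):
        expected = seq if expected is None else expected
        if seq > expected:
            raise ValueError("missing segment at seq %d" % expected)
        out += chunks[seq][expected - seq:]                # drop bytes already recovered (overlap)
        expected = max(expected, seq + len(chunks[seq]))
    return bytes(out)

def frame(src, sport, dst, dport, seq, payload):  # constructed Ethernet/IPv4/TCP frame, checksums zero
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip
def pcap_file(frames):  # constructed little-endian libpcap file, link type 1 (Ethernet)
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

FLOW = ("10.0.0.5", 20, "172.16.1.108", 1031)  # constructed sample: FTP-DATA from server port 20
PARTS = [b"\x1f\x8b\x08\x00", b"Zer0.tar.gz body bytes ", b"(constructed sample)"]
SAMPLE_PCAP = pcap_file([
    frame(*FLOW, 1000, PARTS[0]),
    frame(*FLOW, 1004 + len(PARTS[1]), PARTS[2]),         # third segment arrives before the second
    frame(*FLOW, 1004, PARTS[1]),
    frame(*FLOW, 1002, PARTS[0][2:] + PARTS[1]),          # retransmission overlapping the first segment
    frame(FLOW[2], FLOW[3], FLOW[0], FLOW[1], 9000, b"other direction, ignored"),
])
```

Calling reassemble(SAMPLE_PCAP, FLOW) returns the file exactly as the server sent it; on a real capture, read the .pcap into bytes and pass the four-tuple of the FTP-DATA connection you want to extract.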