My submission for the scan of the month is below.  Thank-you this was a lot of fun
Michael Osmond
Bay Technologies

Question 1

The attackers used rpc.statd attack to get into the system. What modifications did they make to the break in process to both automate and make the process faster?

Prior to establishing a connection to the target host on port 39168 which is then used to execute shell commands, the attacker is setting up and pulling down connections on port 111, in most cases there are two or three connections being established at a time.   Given the quick succession of attacks these appear to be scripted. 

The actual UDP attack is tried three times in short succession and from different source ports.  I assume that this attack is setting up /bin/sh to be associated with port 39168, so that when this connection is made the attacker gets immediate shell access which is what appears to happen when the connection is made.  You can see “/bin/sh” in the payload of the UDP packet.  I was unable to determine how they select the port number or where it is communicated. 

I suppose the speeding up of the break-in is to setup the backdoor using the rpc.statd hack, so that the subsequent connection on port 39168 gets immediate shell access. 

These observations were made by sifting through a text dump of the entire trace.   It was a case of seeing which sessions actually sent useful data, then determining other activity form that IP address (I used notepad).  Once you know the port address for the session it is very easy to trace the thread.   

There were other sources attacking the host, but after looking at what these were doing I discounted them as not related to this specific hack. 

I was also able to track down information on the rpc.statd attack by looking at CERT (www.cert.org) and security focus (www.securityfocus.com) advisory databases.  I had a look at statd-toy.c by drow to see what was happening with the actual attack.

 Question 2

What system/country did the badguys come in from? 

The host where the connection has come from is – this is a host at Kyongsan Purim Elementary School in KYONGBUK state in Korea.

The IP address is assigned to Korea – this was determined from APNIC (www.apnic.org).  

More details on the address were gained from a whois service at  http://whois.nic.or.kr/english/index.html

Question 3

What nationality are the badguys, and how were you able to determine this?

I suspect that the break was performed by a Romanian.   

The root kit was downloaded by a user soane from the server ftp.home.ro (which is in Romania).  You can see this if you work through the commands sent on the session associated with port 4450.

The root kit install also displays text in both English and another language, although I don’t know what language is.  

Question 4

What do the answers to questions #1 and #2 tell us about the tactics the badguys are using?

They have been breaking into other hosts and using  these to launch further attacks. 

Question 5

What did you learn from this challenge?

This is the first decode if have had to do for several years, so it has forced me to remember some things I had forgotten.  

I have learnt a little about SNORT – especially how much more I need  to find out.

I have become a little more familiar with the resources available for looking into security problems – particularly chasing down source addresses.

I also know now that I need to find out more about the exploits – I was unable to find a protocol description of the rpc.statd break.  There were code examples but I find these difficult to understand. 

Question 6

How long did this challenge take you?

Getting started (finding SNORT and how to work it on windows 2000) = 1 hour

Reading the log file to find out = 4 hours

Working out what the rpc.statd vulnerability should look like = 2 hours

Chasing down the network addresses = 1 hour

Writing up was performed as I went.      Total = 8 hours.

 Bonus Question

I can think of two ways to obtain a copy of the root kit. 

1.        Logon to ftp.home.ro using the user id soane and the password that is also in the trace.   Then GET the file lk.tgz.  Probably the easiest.  Use tar -zxvf lk.tgz to unpack. The trace also shows the root kit being installed.

2.        The complete packet dump from the FTP session is in the trace.  So it would be possible to extract this from the binary (I am not familiar with TCPDUMP). 

 At worst you can use Perl (or similar) to extract the text dump of the transfer, convert these back to binary and pack it into an output file.  This would be