Submitted by: Christopher Lee < firstname.lastname@example.org >
On September 16th a Redhat Linux 6.2 honeypot was compromised. This is the 3rd time this system was compromised by the same intruder. The honeynet is VMware based and uses a modified bash to log to syslog. Syslog is remotly logging to 0.0.0.0 (remote syslog server IP has been replaced). The compromised system has an IP of 192.168.1.102. After successfully breaking into the box, the attacker ended up using 3 modes of connecting and running commands (some of which is encrypted). The attacker also tried to hide some of his edits from the MAC times.
Due to the sheer size of this capture, I decided to break things down to more manageable pieces. I started it up by parsing the log with the command "snort -vr \newdat3.log | grep "09/1" | cut -f2 -d" " | cut -f1 -d: | sort | uniq" , and received the list of all unique IP addresses involved in various conversation in this capture and they are:
Armed with the list of source IP addresses, I broke the entire network capture into individual pieces of traffics to and from each unique IP address identified above, and proceed to analyse those traffic and record the finding in the timeline.html file (after sorting the events by its starting time).
While parsing the newdat3.log file, I used Ethereal to reconstrcut the detail of each TELNET and FTP sessions recorded. Now, for whatever reason, Ethereal was not able to reassemble the telnet session established from the host 18.104.22.168 to the honeynet host at 20:32:10 on Sept-16... As the result, I had to reassemble the entire session manually from the text dump of the binary network capture... It's a little more work, but the end result made it all worthwhile. :-)
Now, I picked up the slog2.log file and attempted to analyse it and merge the findings into the timeline.html file. Half way through the analysis, starting on packet 42, I noticed someone was trying to connect to the syslog server. Now, who would this be?? Given the fact that both source and destination IP addresses were stripped from the slog2.dat file, this seemed like a non-trivial task... One clue that I have is the source port of this TCP connection attempt, which is 2451, and the time of which the connection took place, 20:44:50 on Sept-16. I then went back to the newdat3.log and looked the traffic around this time frame, and sure enough, the traffic were mostly from our intruder on 22.214.171.124 and the source port 2451 was skipped in the midst of her SYN scan. Based on this discovery, I felt confident to say this connection was attempted by the cracker in attempt to gain access to the syslog server (as suggested by the output of the rootkit installation script).
1, Which vulnerability did the intruder exploit?
At 19:55:45 on Sept-16, someone established anonymous FTP connection from host 126.96.36.199 to the honeynet host, this person then proceeded to launch a sequence of SITE EXEC command on this host. Base on the format of the SITE EXEC commands executed and the version of the FTPD software (WU-FTP 2.6.0), I believe this intruder exploited the "Input Validation" (a.k.a. Buffer Overflow) problem in WU-FTP 2.6.0 that was documented in CERT Advisory CA-2000-13.
2, What ways, and in what order, did the intruder use to connect and run commands on the system?
From studying the events documented in the timeline.html file, one could identify the host from which exploited the WU-FTP vulnerability (188.8.131.52) and the host from which the intrduder connected to and installed the rootkit (184.108.40.206). For the scope of this discussion, I am going to assume both hosts were being utilized by the same cracker.
The following is the list of methods this intruder used to connect and run commands on the honeynet host (in the order of the earliest to the latest events, and unless explcitely stated, the connections were attempted from 220.127.116.11):
3, How did the intruder try to hide his edits from the MAC times?
After the intruder exploited the input validation bug of WU-FTP 2.6.0, she proceeded to secured herself "easier" future access to the system by nullifying the password of the user "nobody" and created a superuser "dns". Taking into consideration that the local sysadmin might noticed the change in the MAC time for both the /etc/passwd file and the /etc directory, she copied the MAC of both the file /etc/passwd and the directory /etc to files under the directory /etc/X11/applnk/Internet/ prior to her creation of the user "dns" and later restored those MAC times back to those respective files.
4, The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?
This intruder downloaded three files from ftp.teleport.go.ro, and they are "Zer0.tar.gz", "copy.tar.gz" and "ooty.tar.gz". Based on the events recorded in both network captures and my own quick analysis of those files, it appeared to me that "Zer0.tar.gz" provides a secured mean for the intruder to return to the compromised host, "copy.tar.gz" contains the tools possibly used to compromise this honeynet host, and the "ooty.tar.gz" apeared to be tools for exploiting a sendmail vulnerability.
From reading the Go script, Zer0.tar.gz seems to be the "t0rnkit" created by the cracker "t0rn" with modification by the cracker "Viruzzel". "ooty.tar.gz" contains a interesting collection of exploits by various authors (e.g. prlnx.sh, by Wojciech Purczynski, is one that caught my attention). "copy.tar.gz" contains yet another collection of exploits.
My impression is that this is a collection of rookits this fellow collected and they are basically tools anyone could use to compromise hosts on the Internet. They are not new rootkit, but probably qualified as "custom" rootkit, since they were bundled/packaged by this intruder into these two packages.
5, Recover (tell how you did it too) the rootkits from the snort binary capture
To recover the rootkit (all three pieces of it), I first locate the actual FTP-DATA stream of the Zer0.tar.gz from within the network capture using Ethereal. Once the appropriate data stream is located, I right click and select the menu option "Follow TCP Stream". A new window is then displayed with the content of this file, and I then save it to the disk by click on the "Save" button. This process is repeated to retrieve copy.tar.gz and ooty.tar.gz as well.
The recovered rootkits are attached along with the submission, but the URLs are not included in this write-up, as I am sure the folks at the Honeynet Project will remove the rootkit binaries once they received the submission.
6, What does the rootkit do to hide the presence of the attacker on the system?
Well, amoung the three files downloaded by this intruder, copy.tar.gz and ooty.tar.gz are just two compessed archives with a whole bunch of cracking utilities/tools in them, with no effort in hiding in hiding its contents. Only Zer0.tar.gz contains a installation script Go, which attempts to both install the backdoor and hide its trail.
This is how the Go script attempts to hide its presence on the system:
7, What did you learn from this exercise?
Well, I learned a few things from this exercise...
8, How long did this challenge take you?
Parsing the newdat3.log to analyse and construct the timeline.html file --> 3 hours
Parsing the slog2.log to analyse and merge its events to the timeline.html file --> 2 hours.
Contructing the answers to the questions and completing the write-up. --> 2 hours
Composing the letter of notification to the source owner that attacked the --> half an hour
Therefore, this challenge take a total of 7.5 hours.
Based on this challenge, write an example letter of notification to the source owner that attacked the system. Include any evidence or logs that you feel important.
This is the letter to the owner of the host 18.104.22.168.
This is the letter to the owner of the host 22.214.171.124.
The timeline describing all the events took place, as captured by both the newdat3.log and slog2.log.
The transcript of this intruder exploiting the input validation vulnerability of WU-FTP 2.6.0, as captured by the newdat3.log.
The transcript of this intruder downloading and installing the t0rnkit, as captured by the newdat3.log.
The transcript of the SMTP mail delivery to email@example.com, as captured by the newdat3.log.
CERT Incident Note IN-2000-10: http://www.cert.org/incident_notes/IN-2000-10.html.
Ethereal's Home Page: http://www.ethereal.com
CERT Advisory CA-2000-13: http://www.cert.org/advisories/CA-2000-13.html