4. Were there any active network connections? If so, what address(es) was the other end and what service(s) was it for?

Even with the trojaned version of netstat present on the machine, we can see an active connection:

netstat -an (Trojaned netstat binary present on the machine)

Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.1.79:65336 213.154.118.200:1188 ESTABLISHED
tcp 0 0 0.0.0.0:65436 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:65336 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2003 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:79 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:3049 0.0.0.0:*
udp 0 0 0.0.0.0:138 0.0.0.0:*
udp 0 0 192.168.1.79:138 0.0.0.0:*
udp 0 0 0.0.0.0:137 0.0.0.0:*
udp 0 0 192.168.1.79:137 0.0.0.0:*
Active UNIX domain sockets (including servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] STREAM CONNECTED 417
unix 2 [ ] DGRAM 804
unix 2 [ ] DGRAM 834
unix 2 [ ] DGRAM 924
unix 2 [ ] DGRAM 990
unix 2 [ ] DGRAM 1078
unix 2 [ ] DGRAM 7993
unix 2 [ ] DGRAM 15679
unix 4 [ ] DGRAM 7984 /dev/log
unix 2 [ ACC ] STREAM LISTENING 943 /dev/gpmctl
Active IPX sockets
Proto Recv-Q Send-Q Local Address Foreign Address State

But just to be sure we have not been tricked into watching a fake connection, let's use a "good" netstat binary (as with the other trusted binaries I used in the rest of the analysis):

netstat -ap (trusted netstat binary)

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:netbios-ssn *:* LISTEN 845/smbd
tcp 0 0 *:finger *:* LISTEN 732/xinetd
tcp 0 0 *:http *:* LISTEN 3137/smbd -D
tcp 0 0 *:auth *:* LISTEN 677/identd
tcp 0 0 *:cfinger *:* LISTEN 3137/smbd -D
tcp 0 0 *:ftp *:* LISTEN 732/xinetd
tcp 0 0 *:ssh *:* LISTEN 699/sshd
tcp 0 0 *:telnet *:* LISTEN 732/xinetd
tcp 0 0 *:65336 *:* LISTEN 15119/initd
tcp 0 0 *:squid *:* LISTEN 25241/xopen
tcp 0 0 localhost.localdom:smtp *:* LISTEN 759/sendmail: accep
tcp 0 0 *:https *:* LISTEN 3137/smbd -D
tcp 0 0 *:65436 *:* LISTEN 15119/initd
tcp 0 688 192.168.1.79:65336 213.154.118.200:1188 ESTABLISHED 15119/initd
udp 0 0 192.168.1.79:netbios-ns *:* 850/nmbd
udp 0 0 *:netbios-ns *:* 850/nmbd
udp 0 0 192.168.1.7:netbios-dgm *:* 850/nmbd
udp 0 0 *:netbios-dgm *:* 850/nmbd
udp 0 288 192.168.1.79:1039 192.168.1.1:domain ESTABLISHED -
udp 0 0 *:3049 *:* 25239/xopen
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 943 778/gpm /dev/gpmctl
unix 4 [ ] DGRAM 7984 3247/syslogd /dev/log
unix 2 [ ] DGRAM 15679 732/xinetd
unix 2 [ ] DGRAM 7993 3252/klogd
unix 2 [ ] DGRAM 1078 893/login -- root
unix 2 [ ] DGRAM 990 820/crond
unix 2 [ ] DGRAM 924 759/sendmail: accep
unix 2 [ ] DGRAM 834 677/identd
unix 2 [ ] DGRAM 804 657/apmd
unix 2 [ ] STREAM CONNECTED 417 1/init
Active IPX sockets
Proto Recv-Q Send-Q Local Address Foreign Address State

So we see that there really is a connection with 213.154.118.200:

tcp 0 688 192.168.1.79:65336 213.154.118.200:1188 ESTABLISHED 15119/initd

The connection involves local port 65336, which is definitely not a standard service. At first I thought that this machine had connected TO 213.154.118.200:1188, but we'll see in a minute that this connection must indeed be read the other way around: from the attacker TO us, and NOT from our box to his.

So, let's see who 213.154.118.200 is (this has already been anticipated in Answer N.1):

inetnum: 213.154.96.0 - 213.154.127.255
netname: PCNET
descr: PCNET Data Network S.A.
descr: PROVIDER ADSL Network
country: RO
admin-c: BT17-RIPE
tech-c: PDNN1-RIPE
status: ASSIGNED PA
notify: tudor@pcnet.ro
mnt-by: AS8503-MNT
changed: tudor@pcnet.ro 20030704
source: RIPE

route: 213.154.116.0/22
descr: PCNET
origin: AS8503
notify: tudor@pcnet.ro
mnt-by: AS8503-MNT
changed: tudor@pcnet.ro 20020912
source: RIPE

role: PCNET Data Network NOC
address: Splaiul Unirii, nr. 10
address: Bucharest, ROMANIA
phone: +40 1 330 86 61
phone: +40 1 330 35 23
fax-no: +40 1 675 49 99
e-mail: tudor@pcnet.ro
trouble: +40 9 325 18 84
admin-c: BT17-RIPE
tech-c: BT17-RIPE
tech-c: AP158-RIPE
tech-c: CM3059-RIPE
tech-c: CN19-RIPE
tech-c: IG20-RIPE
tech-c: CR60-RIPE
nic-hdl: PDNN1-RIPE
remarks: ----------
remarks: abuse: abuse@pcnet.ro
remarks: ----------
remarks: for escaladation please directly call the
remarks: technical manager
notify: tudor@pcnet.ro
mnt-by: AS8503-MNT
changed: tudor@pcnet.ro 20011008
source: RIPE

person: Bogdan Tudor
remarks: Technical Manager
remarks: PCNET Data Network S.A.
address: Bucharest, Romania
phone: +40 9 325 18 84
phone: +40 1 330 86 61
phone: +40 1 330 35 23
fax-no: +40 1 675 49 99
nic-hdl: BT17-RIPE
mnt-by: BT17-RIPE-MNT
notify: tudor@pcnet.ro
e-mail: tudor@pcnet.ro
changed: tudor@pcnet.ro 20011009
source: RIPE

Romania... interesting. And why does my host have an established session with a node in Romania on a port unknown to me?
Simple: it has to be read the other way around. The trusted netstat shows the same PID (15119, "initd") both listening on port 65336 and holding the established session on it, so the Romanian host is the client: it is using a psyBNC proxy/bouncer on our machine to connect to IRC! Connecting to the port locally confirms it:

telnet localhost 65336

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
:Welcome!psyBNC@lam3rz.de NOTICE * :psyBNC2.3.1
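The direction check used above can be made mechanical. The following Python script is added here as an illustration (it is not part of the original analysis): it parses netstat -ap output in the format shown above and, for each established TCP session, reports "inbound" when the same PID also owns a LISTEN socket on that local port, as 15119/initd does on 65336. The sample lines are a constructed subset of the trusted netstat output; the column spacing is assumed.

```python
import re
from collections import namedtuple

# Constructed sample: lines in the format of the trusted `netstat -ap` run above.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:ssh                   *:*                     LISTEN      699/sshd
tcp        0      0 *:65336                 *:*                     LISTEN      15119/initd
tcp        0      0 *:https                 *:*                     LISTEN      3137/smbd -D
tcp        0    688 192.168.1.79:65336      213.154.118.200:1188    ESTABLISHED 15119/initd
tcp        0      0 192.168.1.79:1039       192.168.1.1:domain      ESTABLISHED -
udp        0      0 *:netbios-ns            *:*                                 850/nmbd
"""

Socket = namedtuple("Socket", "proto laddr lport raddr rport state pid prog")

# Proto, the two queue counters, local and foreign address:port, an optional
# State column (UDP sockets usually have none) and the PID/Program column.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\S+)\s+(?P<raddr>\S+):(?P<rport>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<owner>.+)$"
)

def parse_netstat(text):
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # section headers and unix-socket lines
        owner = m["owner"].strip()
        pid, prog = owner.split("/", 1) if "/" in owner else (None, owner)  # "-": no owner shown
        sockets.append(Socket(m["proto"], m["laddr"], m["lport"], m["raddr"],
                              m["rport"], m["state"] or "", pid, prog))
    return sockets

def classify_connections(sockets):
    # Who initiated each ESTABLISHED TCP session? If the same PID also holds a LISTEN
    # socket on the same local port, the remote end connected in to us (15119/initd
    # listens on 65336 and holds the session on it); otherwise the local process dialed out.
    listeners = {(s.pid, s.lport) for s in sockets if s.state == "LISTEN"}
    out = []
    for s in sockets:
        if s.proto == "tcp" and s.state == "ESTABLISHED":
            inbound = (s.pid, s.lport) in listeners
            out.append({"pid": s.pid, "prog": s.prog,
                        "local": f"{s.laddr}:{s.lport}", "remote": f"{s.raddr}:{s.rport}",
                        "direction": "inbound" if inbound else "outbound"})
    return out
```

Ports are compared as netstat printed them, so feed the script output from a single run (with or without -n) rather than mixing resolved and numeric listings.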

 

A short search for 'psyBNC' on Google turned up the following sources:

http://www.netknowledgebase.com/tutorials/psybnc.html
http://lam3rz.de/psybnc.html

among several others. I quote the essential info from the first source, about WHAT a BNC is:
[...] If you know nothing about bncs, a bnc is short for a 'bouncer.' A bnc acts as a proxy for irc, allowing you to hide your real IP address and use a vhost (vanity host - something like 'this.is.a.l33t.vhost.com'). [...]


How was it configured in our case? As psybnc.conf shows, the bouncer listens on port 65336 (PORT1) for any host, has two users (sic and redcode), and

PSYBNC.SYSTEM.PORT1=65336
PSYBNC.SYSTEM.HOST1=*
PSYBNC.HOSTALLOWS.ENTRY0=*;*
PSYBNC.SYSTEM.PORT2=-100
PSYBNC.SYSTEM.HOST2=*
PSYBNC.SYSTEM.PORT3=-200
PSYBNC.SYSTEM.HOST3=*
USER1.USER.LOGIN=sic
USER1.USER.USER=4,1I`m siCk motherfucker siCk
USER1.USER.PASS==`N`Y1y`T1201'l`C`g
USER1.USER.RIGHTS=1
USER1.USER.VLINK=0
USER1.USER.PPORT=0
USER1.USER.PARENT=0
USER1.USER.QUITTED=0
USER1.USER.DCCENABLED=1
USER1.USER.AUTOGETDCC=0
USER1.USER.AIDLE=0
USER1.USER.LEAVEQUIT=0
USER1.USER.AUTOREJOIN=1
USER1.USER.SYSMSG=1
USER1.USER.LASTLOG=0
USER1.USER.AWAYNICK=[[[kgb]]]
USER1.USER.LEAVEMSG=Exiting...
USER1.USER.NICK=[[[kgb]]]
USER1.SERVERS.SERVER1=mesa.az.us.undernet.org
USER1.SERVERS.PORT1=6667
USER1.CHANNELS.ENTRY1=#radioactiv
USER1.CHANNELS.ENTRY0=#RedCode
USER2.USER.LOGIN=redcode
USER2.USER.USER=4,1redCode8Chicken
USER2.USER.PASS==`&'X1e'O`t1I1k'8'6
USER2.USER.RIGHTS=0
USER2.USER.VLINK=0
USER2.USER.PPORT=0
USER2.USER.PARENT=0
USER2.USER.QUITTED=0
USER2.USER.DCCENABLED=1
USER2.USER.AUTOGETDCC=0
USER2.USER.AIDLE=0
USER2.USER.LEAVEQUIT=0
USER2.USER.AUTOREJOIN=1
USER2.USER.SYSMSG=1
USER2.USER.LASTLOG=0
USER2.USER.AWAYNICK=killMe
USER2.USER.AWAY=gone 2 sleep
USER2.USER.LEAVEMSG=Keyboard Not Found- press F13 to continue...
USER2.USER.NICK=killMe
USER2.SERVERS.SERVER1=mesa.az.us.undernet.org
USER2.SERVERS.PORT1=6667
USER2.CHANNELS.ENTRY1=#AiaBuni
USER2.CHANNELS.ENTRY0=#RedCode

connects to the IRC server mesa.az.us.undernet.org on port 6667 (SERVERS.SERVER1 and SERVERS.PORT1 for both users).

The program has also left a log, so we can confirm the logins that took place on it since its installation (psybnc.log):

Sun Aug 10 16:02:46 :Listener created :0.0.0.0 port 65336
Sun Aug 10 16:02:46 :Listener created :0.0.0.0 port -100
Sun Aug 10 16:02:46 :Can't create listening sock on host * port -200 (bind)
Sun Aug 10 16:02:46 :Loading all Users..
Sun Aug 10 16:02:46 :No Users found.
Sun Aug 10 16:02:46 :psyBNC2.3.1-cBtITLdDMSNp started (PID :15119) <-- This confirms the PID of initd (see Answer N.3)
Sun Aug 10 16:03:32 :connect from sanido-09.is.pcnet.ro
Sun Aug 10 16:03:32 :New User:sic (wqewqde dedwqere) added by sic
Sun Aug 10 16:03:36 :User sic () has no server added
Sun Aug 10 16:04:06 :User sic () trying fairfax.va.us.undernet.org port 6667 ().
Sun Aug 10 16:04:06 :User sic () connected to fairfax.va.us.undernet.org:6667 ()
Sun Aug 10 16:04:47 :Hop requested by sic. Quitting.
Sun Aug 10 16:04:47 :User sic got disconnected from server.
Sun Aug 10 16:04:51 :User sic () trying fairfax.va.us.undernet.org port 6667 ().
Sun Aug 10 16:06:08 :User sic quitted (from sanido-09.is.pcnet.ro)
Sun Aug 10 16:06:24 :connect from sanido-09.is.pcnet.ro
Sun Aug 10 16:06:25 :User sic logged in.
Sun Aug 10 16:06:57 :User sic quitted (from sanido-09.is.pcnet.ro)
Sun Aug 10 16:06:59 :connect from sanido-09.is.pcnet.ro
Sun Aug 10 16:06:59 :User sic logged in.
Sun Aug 10 16:07:26 :User sic quitted (from sanido-09.is.pcnet.ro)
Sun Aug 10 16:07:34 :connect from sanido-09.is.pcnet.ro
Sun Aug 10 16:07:47 :User sic logged in.
Sun Aug 10 16:08:00 :User sic: cant connect to fairfax.va.us.undernet.org port 6667.
Sun Aug 10 16:08:06 :User sic () trying fairfax.va.us.undernet.org port 6667 ().
Sun Aug 10 16:08:06 :User sic () connected to fairfax.va.us.undernet.org:6667 ()
Sun Aug 10 16:11:30 :User sic quitted (from sanido-09.is.pcnet.ro)
Sun Aug 10 17:49:41 :connect from sanido-08.is.pcnet.ro
Sun Aug 10 17:49:47 :User sic logged in.
Sun Aug 10 17:50:39 :New User:redcode (4,1redCode8Chicken) added by sic
Sun Aug 10 17:50:51 :User redcode () has no server added
Sun Aug 10 17:51:22 :connect from sanido-08.is.pcnet.ro
Sun Aug 10 17:51:22 :User redcode logged in.
Sun Aug 10 17:51:36 :User redcode () trying mesa.az.us.undernet.org port 6667 ().
Sun Aug 10 17:51:36 :User redcode () connected to mesa.az.us.undernet.org:6667 ()
Sun Aug 10 17:51:42 :User redcode () got disconnected (from mesa.az.us.undernet.org) Reason: Closing Link: killme by mesa.az.us.undernet.org (Sorry, your connection class is full - try again later or try another server)
Sun Aug 10 17:52:06 :User redcode () trying mesa.az.us.undernet.org port 6667 ().
Sun Aug 10 17:52:06 :User redcode () connected to mesa.az.us.undernet.org:6667 ()
Sun Aug 10 18:00:49 :User redcode quitted (from sanido-08.is.pcnet.ro)
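The log can be reduced to an attribution timeline. This Python snippet is an added illustration, not part of the original analysis: it extracts the bouncer PID, counts 'connect from' entries per remote host, records who created which account, and pairs each login with the host of the preceding connect, on a constructed subset of the psybnc.log lines above.

```python
import re

# Constructed sample: a subset of the psybnc.log lines quoted above.
PSYBNC_LOG = """\
Sun Aug 10 16:02:46 :psyBNC2.3.1-cBtITLdDMSNp started (PID :15119)
Sun Aug 10 16:03:32 :connect from sanido-09.is.pcnet.ro
Sun Aug 10 16:03:32 :New User:sic (wqewqde dedwqere) added by sic
Sun Aug 10 16:06:24 :connect from sanido-09.is.pcnet.ro
Sun Aug 10 16:06:25 :User sic logged in.
Sun Aug 10 17:49:41 :connect from sanido-08.is.pcnet.ro
Sun Aug 10 17:50:39 :New User:redcode (4,1redCode8Chicken) added by sic
Sun Aug 10 17:51:22 :connect from sanido-08.is.pcnet.ro
Sun Aug 10 17:51:22 :User redcode logged in.
"""
TS = r"^(?P<ts>\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d) :"
PATTERNS = {  # one regex per event type worth extracting
    "started": re.compile(TS + r"psyBNC\S+ started \(PID :(?P<pid>\d+)\)"),
    "connect": re.compile(TS + r"connect from (?P<host>\S+)"),
    "newuser": re.compile(TS + r"New User:(?P<user>\S+) .*added by (?P<by>\S+)"),
    "login": re.compile(TS + r"User (?P<user>\S+) logged in\."),
}

def parse_psybnc_log(text):
    # (event_kind, fields) for every line matching a known pattern; others are skipped.
    events = []
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                events.append((kind, m.groupdict()))
                break
    return events

def summarize(events):
    # Attribution view: bouncer PID, connects per remote host, who created which
    # account, and each login paired with the host the preceding connect came from.
    s = {"pid": None, "sources": {}, "accounts": {}, "logins": []}
    last_host = None
    for kind, f in events:
        if kind == "started":
            s["pid"] = f["pid"]
        elif kind == "connect":
            last_host = f["host"]
            s["sources"][last_host] = s["sources"].get(last_host, 0) + 1
        elif kind == "newuser":
            s["accounts"][f["user"]] = f["by"]
        elif kind == "login":
            s["logins"].append((f["user"], last_host, f["ts"]))
    return s
```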

 
