8. Which system executables (if any) were trojaned and what configuration files did they use?

Veryfying the md5 checksums of the files with the provided list of checksums of the "good" binaries, we immediately spot the following replaced files:

/usr/bin/top: FAILED
/bin/netstat: FAILED
/bin/ls: FAILED
/bin/ps: FAILED <-- my "feeling" was right about this one already watching its failure to handle the common linux syntax...
/sbin/ifconfig: FAILED

and, as we've seen, also chkrootkit confirms this.


I first tried to use the 'diff' command to see what was different in these executables and in the ones on the FIRE CD. But I am absolutely no unix guru, so I did not manage to use it effectively.
The command was only confirming that indeed the files were different, but not IN WHAT were they actually different.

So I tried to use the 'strings' command to read the text strings contained in the executables, and then tried to read the output of this.
I even tried to 'diff' the resulting outputs of the 'strings' command targeted at the good and at the trojaned executables, to see the differences between the two.

./strings /usr/bin/top >/mnt/floppy/strings_troj_top.out
./strings /bin/netstat >/mnt/floppy/strings_troj_netstat.out
./strings /bin/ls >/mnt/floppy/strings_troj_ls.out
./strings /bin/ps >/mnt/floppy/strings_troj_ps.out
./strings /sbin/ifconfig >/mnt/floppy/strings_troj_ifconfig.out

on BOTH the trojaned system, and on anothr safe system:

./strings /usr/bin/top >/mnt/floppy/strings_good_top.out
./strings /bin/netstat >/mnt/floppy/strings_good_netstat.out
./strings /bin/ls >/mnt/floppy/strings_good_ls.out
./strings /bin/ps >/mnt/floppy/strings_good_ps.out
./strings /sbin/ifconfig >/mnt/floppy/strings_good_ifconfig.out

AND THEN you could analise the strings contained and most likely spot a filename (most likely in /proc or /etc) that is not supposed to be there... but my unix/linux skills are not that good, and I simply don't know enough of the internals of these commands to understand which configuration files these executables might be using.

Even restricting the search of strange strings contained to the strings that were DIFFERENT between the two files, with a command such as this:

./diff -a /mnt/floppy/strings_good_top.out /mnt/floppy/strings_troj_top.out > /mnt/floppy/diff_strings_top.out

left this one answer a daunting task for me.

Another approach is something I read today (25th of September, as this writeup is nearly complete) on Bugtraq Mailing List, posted by Dragos Ruiu:


BTW in case you were wondering how to use diff
on binary files this little program is a nice trick to
to let you use standard diff on arbitrary binaries... :-)

#include <stdio.h>
int c;
while((c = getchar()) != EOF)


Still another approach I used, is to move the files (the trusted and the trojaned binary) to a windows machine, and in a DOS Shell use the old command 'fc', with the /b switch, to perform a binary comparison.

fc /b filname01 filename02

Last approach suggested is to disassemble the binaries. This is most likely the BEST approach (given you are able to read that code).

I admit that my skills are inadequate for this bit of the analisys. I apologize. I am sure someone else will have solved this piece of the puzzle. Each one of us contributes the way he can, and we all learn something. Isn't this the purpose of Honeynet Project ?


Let's move on.
Other than system commands, other executables we have seen added or changed in the system are the various SSH shells, the BNC bouncer, and the files of the rootkit, partly in /lib/.x , but also installed in /usr/lib:

-rw-r--r-- 1 root root 5636 Aug 10 15:30 adore.o
-rw-r--r-- 1 root root 1016 Aug 10 15:30 cleaner.o

the kernel modules for the rootkit.

We have seen all of this in the previous answers: Answer N.1, Answer N.3, 5, 6, 7.

Some more executables, part of the rootkit, and the files in /lib/.x are described in next answer (Answer N.9).


We moreover can see the 'files' created in /dev for the new terminals associated with the backdoors/ssh daemons installed:


crw-rw-rw- 1 root tty 2, 1 Aug 10 15:30 ptyp1
crw-rw-rw- 1 root tty 2, 2 Aug 10 15:41 ptyp2
crw-rw-rw- 1 root tty 2, 3 Aug 10 15:54 ptyp3

crw-rw-rw- 1 root tty 3, 1 Aug 10 15:30 ttyp1
crw-rw-rw- 1 root tty 3, 2 Aug 10 15:41 ttyp2
crw-rw-rw- 1 root tty 3, 3 Aug 10 15:54 ttyp3


Just as an extra, we can see in the following pictures how my Sophos AntiVirus detected some of the exported files:





 Previous  To answer N.9 --> How and from where was the system likely compromised?