By
Date: 11 Feb 2000
Contents:
Section 1: Q1 :Identify the intrusion method, its date,
and time. (Assume the clock on the IDS was synchronized with an NTP reference
time source.)
Section 2: Q2 : Identify as much as possible about the
intruder(s).
Section 3: Was there a "rootkit" or other
post-concealment Trojan horse programs installed on the system? If so, what
operating system programs were replaced and how could you get around them?
Section 4: Was there a sniffer or password-harvesting
program installed? If so, where and what files are associated with it?
Section 5: List all the files that were added/modified by
the intruder. Provide an analysis of these programs
Section 6: What is publicly known about the source of any
programs found on the system?
Section 7: Build a time line of events and provide a
detailed analysis of activity on the system, noting sources of supporting or
confirming evidence
Section 8: Provide
a report suitable for management or news media
Section 9: Provide
an advisory for use within the home organization (a fictitious university,
"honeyp.edu", in this case, where I hold an honorary Doctorate, by
the way) to explain the key aspects of the vulnerability exploited, how to
detect and defend against this vulnerability, and how to determine if other
systems were similarly compromised.
Section 10:
Produce a cost-estimate for this incident using the following guidelines
and method:
Section 1: Identify
the intrusion method, its date, and time. (Assume the clock on the IDS was
synchronized with an NTP reference time source.)
The
attack used looks like a statd exploit by ron1n. However the time of attack as
indicated by the honeynet project could be disputed. /var/log/message recovery from the
disk indicates that the attack took place at around "Nov 8: 00:09:00"
instead of ¨Nov 7: 23:11:51" as indicated by the webside. Of course this
could mean that these two equipments were at two different time zones too.
If RH box was at CST (0600) then the snort was running at -0700 time zone.
Nov 8 00:08:41 apollo
inetd[408]: pid 2077: exit status 1
Nov 8 00:08:41 apollo
inetd[408]: pid 2078: exit status 1
Nov 8 00:09:00 apollo rpc.statd[270]:
SM_MON request for hostname containing '/':
^D...^D...^E...^E...^F...^F...^G...^G...08049f10 bffff754 000028f8 4d5f4d5
72204e4f 65757165 66207473
6820726f 6e74736f 20656d61 746e6f63 696e6961 2720676e 203a272f
000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000bffff70400000000000000000000000000000000000000000000000bffff7050000bffff7060000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000bffff707.......................................
...........K^.v... .^(.. .^... .^... .. ..#.^.1... .F'.F*..
.F..F..+, ...N..V...1...@......./bin/sh -c echo 4545 stream tcp nowait root
/bin/sh sh -i >> /etc
inetd.conf;killall -HUP inetd
Nov 8 04:02:00 apollo
anacron[2159]: Updated timestamp for job `cron.daily' to 2000-11-08
The attacker modified
and restarts inetd. The modification allowed the attacker to login as root
without password using /bin/sh on port 4545.
Probably
from a machine in Texas. However the attacker uses a directory name “paki”
which is not particularly a common word. It is very much possible that the real
attackers start out from somewhere in Pakistan.
216.216.74.2 = ATHM-216-216-xxx-2.home.net
: This is probably a rooted box on a
cable network
Advanced
Commerce Systems (NETBLK-ATWORK-WI33381)
5910 N. Central Expressway, Suite 1040
Dallas, TX 75206
US
Netname: ATWORK-WI33381
Netblock: 216.216.74.0 - 216.216.74.15
Coordinator:
Anderson, Michael J. (MJA-ARIN)
mianders@ADVANCEDCOMMERCE.COM
214-891-6306
Record last updated on 26-Jul-1999.
Database last updated on 6-Feb-2001
18:34:51 EDT.
Though I’ve not been able to
find out which exact rootkit was used, I can provide with a brief analysis of
what was replaced.
The kit used has resemblence to lrk and ark. I believe its
closer to lrk.
Files Replaced – backdoored (to
hide presence)
/bin/ps,
/usr/bin/top, /usr/sbin/syslogd, /bin/ls , /sbin/ifconfig, /bin/netstat,
/usr/sbin/tcpd, /usr/sbin/in.identd, /usr/sbin/in.ftpd
Packages Added – mostly to patch
holes.
Wuftp, lpd, amd
(auto mounter), named
Other files modified/replaced
during attack:
Nov 08 00
06:56:59 17968 ..c -rwx------
root root /bin/ping
45388 ..c -rwx------
root tty /sbin/dump
67788 ..c -rwx------ root tty /sbin/restore
33288 ..c -rwx------
root root /usr/bin/at
35168 ..c -rwx------
root root /usr/bin/chage
36756 ..c -rwx------ root root
/usr/bin/gpasswd
5640 ..c -rwx------
root root /usr/bin/newgrp
531516 ..c -rwx------
root root /usr/bin/sperl5.00503
531516 ..c -rwx------
root root /usr/bin/suidperl
34751 ..c -rwx------
root root /usr/libexec/pt_chown
16488 ..c -rwx------
root bin /usr/sbin/traceroute
5896 ..c -rwx------
root root /usr/sbin/usernetctl
Config files involved
- /dev/ptyp, /usr/man/.a , /usr/man/.p , /usr/man/p , /usr/man/q, /usr/man/r
Sniffer used is
"linsniffer" by Mike Edulla medulla@infosoc.com.
The file "tcp.log" in /usr/man/.Ci could be part of this originaly.
But the real log file
was /var/tmp/nap
The following
executable shell script is also part of this distribution. It does some clean
up to remove old nap logs.
/usr/man/.Ci/
/Anap
Look at the Appendix
for source code of this sniffer.
|
Filename |
Apparent
Author |
Description |
|
|
/dev/ptyp |
Author
of Rootkit |
Txt
file which has info about stuff which needs to be invisible to "ps"
and "top" |
|
|
/usr/libexec/awk/addy.awk |
/usr/man/.Ci/addn |
usr/man/.Ci/addn
writes to this, looks like a mstream configfile ? |
|
|
/usr/man/.Ci/a.sh |
Attacker |
makes
sure rpc stuff is gone |
|
|
/usr/man/.Ci/addn |
Author of Rootkit |
This is some Ddos Tool |
|
|
/usr/man/.Ci/backup/ |
Author of Rootkit |
this is where the real binaries are... |
|
|
/usr/man/.Ci/bx |
Attacker |
looks like bitchx |
|
|
/usr/man/.Ci/chmod-it |
Author of Rootkit |
fixes permissions on newly installed binaries |
|
|
/usr/man/.Ci/clean |
Attacker |
uses "snap" to clean the log files |
|
|
/usr/man/.Ci/do |
Attacker |
cleans up the passwd/shadow file. removes
"own" and "adm1" account. one of these accounts is a root account, other is a user
account |
|
|
/usr/man/.Ci/find |
Author of Rootkit |
Backdoored find |
|
|
/usr/man/.Ci/inetd |
Author of Rootkit |
backdoored inetd |
|
|
/usr/man/.Ci/killall |
Author of Rootkit |
backdoored killall |
|
|
/usr/man/.Ci/needz |
Attacker |
installs pico and screen for putting bot in the
background |
|
|
/usr/man/.Ci/paki/slice |
Not Known |
Syn Flooder source code with spoofed source address |
|
|
/usr/man/.Ci/paki/stream.c |
Not Known |
another one |
|
|
/usr/man/.Ci/pstree |
Author of Rootkit |
fixed pstree |
|
|
/usr/man/.Ci/q |
Mixter |
remote client and server control for Q by Mixter |
|
|
/usr/man/.Ci/qs |
Mixter |
remote client and server control for Q by Mixter |
|
|
/usr/man/.Ci/rmS |
Attacker |
clean up few installation files... |
|
|
/usr/man/.Ci/scan/amd/a.sh |
Attacker |
scans for a class b network 206.110.0.0/16 port 111 |
|
|
/usr/man/.Ci/scan/amd/ben.c |
ryan@junker.org |
Gets RPC ID from a rpc server. |
|
|
/usr/man/.Ci/scan/amd/amdx |
Ron1n |
statd exploit |
|
|
/usr/man/.Ci/scan/amd/pscan |
Unknown |
Usage: %s <b-block> <port> [c-block]\n", argv[0]
Purpose: looks for a specific open port accross a class
b/c network. Its not a generic port scanner, but a scanner to look for specific ports. Something which can b used for looking
for rpc ports. Relevent Code: connlist[i].addr.sin_addr.s_addr = inet_addr(ip); if (connlist[i].addr.sin_addr.s_addr == -1) fatal("Invalid IP."); connlist[i].addr.sin_family = AF_INET; connlist[i].addr.sin_port = htons(atoi(argv[2])); connlist[i].a = time(0); connlist[i].status = S_CONNECTING; |
|
|
/usr/man/.Ci/scan/bind/ibind.sh
|
Not Known |
Usage: echo "Usage: ./ibind.sh <b or c
class>" Purpose: looks for bind holes and makes a list of
different kinds of holes. This section does a dig request for bind info --------- for i in Cat $FILE; do
dig version.bind @$i chaos txt >> $OUT 2>/dev/null & done This section catalogs info --------- cat $OUT|grep -v ";;" >>
$VULN1 cat $VULN1|grep -v "server"
>> $VULN2 cat $VULN2|grep -v "@0" >>
$VULN3 cat $VULN3|grep -v "@3" >>
$VULN4 cat $VULN4|grep -v "@4" >>
$VULN5 cat $VULN5|grep -v "@-" >>
$VULN6 cat $VULN6|grep -v "@sec" >>
$VULN7 cat $VULN7|grep -v "@Scan"
>> $VULN8 cat $VULN8|grep -v "@completed"
>> $VULN9 cat $VULN9|grep -v "8.2.2-P"
>> $VULN10 |
|
|
/usr/man/.Ci/scan/daemon/lscan2.c
|
Mixter |
A generic scanner to look for systems with either bind(53), pop(110), pop2(109),imap(143),ftp(21) |
|
|
/usr/man/.Ci/scan/daemon/z0ne |
Unknown |
this is a dDos tool. I'm not exactly sure of what type. |
|
|
/usr/man/.Ci/scan/fs
|
Author of Rootkit |
|
|
|
/usr/man/.Ci/scan/port/strobe
|
*Proff* (proff@suburbia.apana.org.au) |
scanner |
|
|
/usr/man/.Ci/scan/statd/classb |
Attacker |
|
|
|
/usr/man/.Ci/scan/statd/r
|
Unknown |
rpc port scanner |
|
|
/usr/man/.Ci/scan/statd/statdx
|
Unknown |
exploit for statd |
|
|
/usr/man/.Ci/scan/wu
|
Unknown |
scans for rpc/ttdbserver/wingate |
|
|
/usr/man/.Ci/scan/x/pscan |
Unknown |
-- scanner |
|
|
/usr/man/.Ci/scan/x/x |
Unknown |
exploit for x |
|
|
/usr/man/.Ci/scan/x/xfil |
Unknown |
|
|
|
/usr/man/.Ci/scan/x/xscan |
Attacker |
scan for x servers |
|
|
/usr/man/.Ci/snap |
Attacker |
called by clean to cleanup the log files. |
|
|
/usr/man/.Ci/sniff |
Mike Edulla medulla@infosoc.com |
Sniffer used is "linsniffer" |
|
|
/usr/man/.Ci/sp.pl |
Attacker |
|
|
|
/usr/man/.Ci/syslogd |
Author of Rootkit |
|
|
|
/usr/man/.a |
Attacker |
This has some IP's might be used by some package to hide
these connections |
|
|
/usr/man/.p |
Attacker |
same a /dev/ptyp… only smaller in size… |
|
|
/usr/man/p |
Attacker |
same as /usr/man/.p |
|
|
/usr/man/r |
Attacker |
donno… looks similar… |
|
|
/var/tmp/nap |
|
Password sniffing log generated by snif |
|
|
/usr/man/.Ci/
/Anap |
Attacker |
Anti NAP ? Heh.. Removes the nap log… should be
triggered by one of the proggies to clean nap… just incase.. |
|
|
/usr/bin/pawd |
Author of Rootkit |
What does this do ?? |
|
|
/tmp/.bash_history
-> /dev/null |
|
This was probably part of the
"own"/"adm1" account |
|
|
/root/.bash_history
-> /dev/null |
|
This was to hide logs of root's action on the box |
|
|
/usr/man/.Ci/fix |
Author of Rootkit |
This trojans the real files and uses the backup to keep
funtionality. |
|
|
/usr/games/.bash_history
-> /dev/null |
|
This was to hide logs of root's action on the box |
|
|
/bin/ps |
Author of Rootkit |
|
|
|
/usr/bin/top |
Author of Rootkit |
|
|
|
/usr/sbin/syslogd |
Author of Rootkit |
|
|
|
Backup |
Author of Rootkit |
|
|
|
/sbin/ifconfig
|
Author of Rootkit |
|
|
|
/bin/netstat |
Author of Rootkit |
|
|
|
/usr/sbin/tcpd |
Author of Rootkit |
|
|
|
/usr/sbin/in.identd |
Author of Rootkit |
|
|
|
/usr/sbin/in.ftpd |
Author of Rootkit |
|
|
Mixter
– lscan2.c, q, qs
Ron1n-
amdx, statd exploit used
Strobe-
proff
Linsniffer-
mike edulla
Ben.c
- rayn
Section 7: Build a
time line of events and provide a detailed analysis of activity on the system,
noting sources of supporting or confirming evidence
The
attack used looks like a statd exploit by ron1n. However the time of attack as
indicated by the honeynet project could be disputed. /var/log/message recovery from the
disk indicates that the attack took place at around "Nov 8: 00:09:00"
instead of ¨Nov 7: 23:11:51" as indicated by the webside. Of course this
could mean that these two equipments were at two different time zones too.
If RH box was at CST (0600) then the snort was running at -0700 time zone.
Nov 8 00:08:41 apollo
inetd[408]: pid 2077: exit status 1
Nov 8 00:08:41 apollo
inetd[408]: pid 2078: exit status 1
Nov 8 00:09:00 apollo
rpc.statd[270]: SM_MON request for hostname containing '/':
^D...^D...^E...^E...^F...^F...^G...^G...08049f10 bffff754 000028f8 4d5f4d5
72204e4f 65757165 66207473
6820726f 6e74736f 20656d61 746e6f63 696e6961 2720676e 203a272f
000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000bffff70400000000000000000000000000000000000000000000000bffff7050000bffff7060000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000bffff707.......................................
...........K^.v... .^(.. .^... .^... .. ..#.^.1... .F'.F*..
.F..F..+, ...N..V...1...@......./bin/sh -c echo 4545 stream tcp nowait root
/bin/sh sh -i >> /etc
inetd.conf;killall -HUP inetd
Nov 8 04:02:00 apollo
anacron[2159]: Updated timestamp for job `cron.daily' to 2000-11-08
The attacker modified
and restarts inetd. The modification allowed the attacker to login as root
without password using /bin/sh on port 4545.
The attacker probably
had run an automated attack tool. The first time the attacker logged in was at
0625 (CST). Among the first few actions the
attacker took,
included creation of two different accounts on the system "own" and
"adm1". Probably this was used by the attacker to ssh/telnet
back to the system and then gain local
root access using su. This modification
was later removed using “do” script.
/etc/passwd
own:x:0:0::/root:/bin/bash
adm1:x:5000:5000:Tech Admin:/tmp:/bin/bash
/etc/shadow
own::10865:0:99999:7:-1:-1:134538460
adm1:Yi2yCGHo0wOwg:10884:0:99999:7:-1:-1:134538412
Though I cannot
confirm this, I feel the attacker at this point did an FTP to an unknown site
from where he downloaded the rootkit+otherstuff.
Nov 08 00 06:29:27 63728
.a. -rwxr-xr-x root root /usr/bin/ftp
Someone logged in
(probably the attacker using the new account)
Nov 08 00 06:45:18 161
.a. -rw-r--r-- root root /etc/hosts.allow
0
.a. -rw-r--r-- root root /etc/hosts.deny
Nov 08 00 06:45:19 63
.a. -rw-r--r-- root root /etc/issue.net
Nov 08 00 06:45:24 1504
.a. -rw-r--r-- root root /etc/security/console.perms
The attacker untars and
changes permissions of the tools installed in
/usr/man/.Ci
Nov 08 00 06:51:54 714
..c -rwxr-xr-x 1010 users /usr/man/.Ci/a.sh
7229
..c -rwxr-xr-x 1010 users /usr/man/.Ci/snif
Nov 08 00 06:51:55 698
..c -rwxr-xr-x 1010 users /usr/man/.Ci/clean
147900
..c -rwxr-xr-x 1010 users /usr/man/.Ci/inetd
After installation of tool the attacker
modified and added a few files to the OS.
"amd" which looks like "automounter" is installed.
ldconfig
is run.
This is probably when
the rootkit script was run. The rootkit as you can see from the file attached
installs ssh/ftp/named/lpd and backdoors a lot of
binaries with its own
version of binaries.... probably ftp/lpd/named were updated to fix holes...
Nov 08 00 06:55:58 657
m.c -rw-r--r-- root root /etc/passwd
601
m.c -rw-r--r-- root root /etc/shadow
Named installed
Nov 08 00 06:54:22 6416
mac -rwxr-xr-x root root /usr/local/bin/addr
Either the intruder himself (I don’t think though) or
someone else logged in as “drosen” and /var/tmp/nap got its first password
entry.
Nov 08 00 06:59:07 4096
m.c drwx------ drosen drosen /home/drosen
Inetd.conf changed and entry for
sh on port 4545 removed
Nov 08 00 07:03:05 3027 m.c -rw-r--r-- root root /etc/inetd.conf
Admin logged in at this time, and found problems. Within
two hours the system was brought down for analysis
Nov 08 00 18:37:30 20452
.a. -rwxr-xr-x root root /bin/login
1262
.a. -rw-r--r-- root root /etc/localtime
437
.a. -rw-r--r-- root root /etc/pam.d/login
We regret to announce
that one of our servers Apollo was comprimised on Novermber 8th by unknown
intruders.
The attackers used a
security hole in our “rpc.statd” to gain access to our server. Later during
that day the attacker installed a few tools on the server and implemented
backdoors to hide the attacker from a normal user on the system. Some of the
tools installed indicates that the attacker was making an attempt to install a
DdoS tool on this server to attack other servers outside. Also found were tools
like “BitchX” which would have allowed the attacker to control the server from
a IRC channel behind an anonymous nickname.
We have taken
precautionary measures and are doing a full scale organization search for other
signs of compromise. Our priliminary
investigation shows that this was the only system compromised and nothing
sensative was stolen. We have contacted
the ISP from where the attack originated are making an attempt to identify the
attackers.
We have upgraded our
Firewall filters to detect these attacks on the border and have sent a notification
to all Sysadmins in our orgnization to advise them how to secure their systems
so that this does not happen again.
As of 0600 hrs Nov 9th,
we have brought Apollo back online for normal use.
===============================================================================
Topic: rpc.statd
exploit warning Advisory
Announced: 11th Feb
2001
OS Effected: All
Linux Distributions with un-patched rpc.statd
Solution Available:
Yes
Severity: root
compromise
===============================================================================
We have noticed
detected an increase in attacks on Linux based servers all around the world. Anyone running unpatched version
of RPC on Linux Redhat is open to this
attack.
In this particular
attack the attacker uses common rpc.statd buffer overflow exploit to gain root
compromise. This requires "rpc.statd" to be running on
the
box. The attacker then modifies and
re-starts inetd with a shell bound to a port.
Attacker installs a
rootkit (possibily lrk/ark) with password sniffing ability. The rootkit
modifies and installs a few critical binaries including ps, top, syslogd, ls,
ifconfig, netstat tcpd and identd. The
attacker also installs his own version of sshd and wuftp.
If you are running a
version of unpatched rpc.statd then you should start looking for signs of
compromise immediately before you do a upgrade. Check
for MD5 signatures of
your binaries. If you suspect any changes you are recomended to reinstall the OS. Another quicker way of checking
weather this
exact attack was used
against you, you could check for the existance of
"/usr/man/.Ci/backup/ls" by executing it.
The attacker installs
a password harvesting program and runs a DdoS tool kit on the server.