Professional Documents
Culture Documents
Know Your Enemy - III
Know Your Enemy - III
13
The Exploit
On 27 April, at 00:13 hours, our network was scanned by the system 1Cust174.tnt2.long-branch.nj.da.uu.net for several vulnerabilities, including imap. Our intruder came in noisy, as every system in the network was probed (for more information on detecting and analyzing scans, please see the second paper of this series). A p r2 70 0 : 1 2 : 2 5m o z a r ti m a p d [ 9 3 9 ] :c o n n e c tf r o m2 0 8 . 2 5 2 . 2 2 6 . 1 7 4 A p r2 70 0 : 1 2 : 2 7b a c hi m a p d [ 1 1 9 0 ] :c o n n e c tf r o m2 0 8 . 2 5 2 . 2 2 6 . 1 7 4 A p r2 70 0 : 1 2 : 3 0v i v a l d ii m a p d [ 1 2 2 5 ] :c o n n e c tf r o m2 0 8 . 2 5 2 . 2 2 6 . 1 7 4 Apparently he found something he liked and returned at 06:52 and 16:47 the same day. He started off with a more thorough scan, but this time focusing only on mozart. He identified a weakness and launched a successful attack against mountd, a commonly known vulnerability for Red Hat 5.1. Here we see in /var/log/messages the intruder gaining root. The tool used was most likely ADMmountd.c, or something similar to it. A p r2 71 6 : 4 7 : 2 8m o z a r tm o u n t d [ 3 0 6 ] :U n a u t h o r i z e da c c e s sb yN F Sc l i e n t 2 0 8 . 2 5 2 . 2 2 6 . 1 7 4 . A p r2 71 6 : 4 7 : 2 8m o z a r ts y s l o g d :C a n n o tg l u em e s s a g ep a r t st o g e t h e r A p r2 71 6 : 4 7 : 2 8m o z a r tm o u n t d [ 3 0 6 ] :B l o c k e da t t e m p to f2 0 8 . 2 5 2 . 2 2 6 . 1 7 4t om o u n t ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ P ~ Immediately following this exploit, we see in /var/log/messages our intruder gaining root by telneting in as the user crak0, and then su to the user rewt. Both of these accounts were added by the exploit script. Our intruder now
old.honeynet.org/papers/enemy3/ 1/4
05.12.13
05.12.13
/ d e v / ./ ./ p r o c p s 1 . 0 1 / p r o c / . d e p e n d / d e v / ./ . / d e v / Our intruder may have been somewhat sophisticated in using trojan binaries, but had a simpler approach to cleaning the logs files. Instead of using cleaning tools such as zap2 or clean, he copied /dev/null to the files /var/run/utmp and /var/log/utmp, while deleting /var/log/wtmp. You know something is wrong when these logs files contain no data, or you get the following error: [ r o o t @ m o z a r ts b i n ] #l a s t1 0 l a s t :/ v a r / l o g / w t m p : N os u c hf i l eo rd i r e c t o r y P e r h a p st h i sf i l ew a sr e m o v e db yt h eo p e r a t o rt op r e v e n tl o g g i n gl a s ti n f o .
Damage Control
Since our friend had disconnected, this gave me a chance to review the system and see what exactly happened. I was extremely interested to see what was altered, and where he was logging the sniffer information. First, I quickly identified with tripwire which files were modified. Note, make sure you run tripwire from a valid source. I like to run a statically-linked version of tripwire from a read-only floppy. Tripwire showed the following. a d d e d : r w r r -r o o t a d d e d : r w r r -r o o t c h a n g e d :r w s x xr o o t c h a n g e d :d r w x r x r xr o o t c h a n g e d :r w x r x r xr o o t c h a n g e d :r s r s r xr o o t c h a n g e d :r x r x r xr o o t c h a n g e d :r x r x r xr o o t c h a n g e d :r w s s xr o o t c h a n g e d :r w s s xr o o t c h a n g e d :d r w x r x r xr o o t c h a n g e d :r w x r x r xr o o t c h a n g e d :r w x r x r xr o o t c h a n g e d :r w x r x r xr o o t c h a n g e d :r w x r x -r o o t c h a n g e d :r w x r x r xr o o t c h a n g e d :d r w x r x r xr o o t c h a n g e d :r w x r x r xr o o t c h a n g e d :r w r r -r o o t 5A p r2 71 7 : 0 1 : 1 61 9 9 9/ u s r / s b i n / s n i f f . p i d 2 7 2A p r2 71 7 : 1 8 : 0 91 9 9 9/ u s r / s b i n / t c p . l o g 1 5 5 8 8J u n 10 5 : 4 9 : 2 21 9 9 8/ b i n / l o g i n 2 0 4 8 0A p r1 01 4 : 4 4 : 3 71 9 9 9/ u s r / b i n 5 2 9 8 4J u n1 00 4 : 4 9 : 2 21 9 9 8/ u s r / b i n / f i n d 1 2 6 6 0 0A p r2 71 1 : 2 9 : 1 81 9 9 8/ u s r / b i n / p a s s w d 4 7 6 0 4J u n 31 6 : 3 1 : 5 71 9 9 8/ u s r / b i n / t o p 9 7 1 2M a y 10 1 : 0 4 : 4 61 9 9 8/ u s r / b i n / k i l l a l l 1 1 6 3 5 2J u n 12 0 : 2 5 : 4 71 9 9 8/ u s r / b i n / c h f n 1 1 5 8 2 8J u n 12 0 : 2 5 : 4 71 9 9 8/ u s r / b i n / c h s h 4 0 9 6A p r2 71 7 : 0 1 : 1 61 9 9 9/ u s r / s b i n 1 3 7 8 2 0J u n 50 9 : 3 5 : 0 61 9 9 8/ u s r / s b i n / i n e t d 7 2 2 9N o v2 60 0 : 0 2 : 1 91 9 9 8/ u s r / s b i n / r p c . n f s d 1 7 0 4 6 0A p r2 40 0 : 0 2 : 1 91 9 9 8/ u s r / s b i n / i n . r s h d 2 3 5 5 1 6A p r 42 2 : 1 1 : 5 61 9 9 9/ u s r / s b i n / s y s l o g d 1 4 1 4 0J u n3 01 4 : 5 6 : 3 61 9 9 8/ u s r / s b i n / t c p d 2 0 4 8A p r 41 6 : 5 2 : 5 51 9 9 9/ s b i n 1 9 8 4 0J u l 91 7 : 5 6 : 1 01 9 9 8/ s b i n / i f c o n f i g 6 4 9A p r2 71 6 : 5 9 : 5 41 9 9 9/ e t c / p a s s w d
As you can see, a variety of binaries and files were modified. There were no new entries in /etc/passwd (wisely, he had removed the crak0 and rewt accounts), so our intruder must have left a backdoor in one of the modified binaries. Also, two files were added, /usr/sbin/sniff.pid and /usr/sbin/tcp.log. Not suprisingly, /usr/sbin/sniff.pid was the pid of the sniffer, /usr/sbin/tcp.log was where he was storing all of his captured information. Based on
old.honeynet.org/papers/enemy3/ 3/4
05.12.13
/usr/sbin/sniff.pid, the sniffer turned out to be rpc.nfsd. Our intruder had compiled a sniffer, in this case linsniffer, and replaced rpc.nfsd with it. This ensured that if the system was rebooted, the sniffer would be restarted by the init process. Strings confirms rpc.nfsd is the sniffer: m o z a r t# s t r i n g s/ u s r / s b i n / r p c . n f s d|t a i l1 5 c a n tg e tS O C K _ P A C K E Ts o c k e t c a n tg e tf l a g s c a n ts e tp r o m i s c u o u sm o d e -[ C A P L E NE x c e e d e d ] -[ T i m e dO u t ] -[ R S T ] -[ F I N ] % s= > % s[ % d ] s n i f f . p i d e t h 0 t c p . l o g c a n to p e nl o g r m% s After reviewing the system and understanding what happened, I left the system alone. I was curious to see what the intruder's next steps would be. I did not want him to know that I had caught him, so I removed all of my entries from /usr/sbin/tcp.log.
Conclusion
We have seen in this paper how an intruder may act , from start to finish, once they gain root on your system. They often begin by checking to see if anyone is on the system. Once they know the coast is clear, they cover their tracks by clearing the logfiles and replacing or modifying critical files. Once they are safely hidden, they move onto new and more damaging activities. These tactics are here to stay, as new exploits are constantly being discovered. To better protect yourself against these threats, I recommend you armor your systems. Basic armoring will protect against most script kiddie threats, as they normally go for the easy kill. For ideas on how to armor your system, check out Armoring Linux or Armoring Solaris. If it is to late and you feel your system has already been compromised, a good place to start is CERT's site "Recovering from an Incident" .
old.honeynet.org/papers/enemy3/
4/4