This is the third piece of homework for the course ICT4TN003-4 Linux palvelimena (Linux as a server):
It will most likely not be finished by the deadline, which is something I’m not happy about, and realize this will likely impact my grade.
Solve HoneyNet: Scan of the Month 15. http://old.honeynet.org/scans/scan15/
– Can you find additional information on the attacker (using legal means)?
– Analyze the rootkit line by line
Examine the partition to your heart’s content. Use nothing but legal methods, ie. don’t portscan remote addresses. Be careful with the image.
I’ll use Virtualbox for this assignment. I’ve had my eye on Lubuntu for a while, so the guest OS image I’ll be using is lubuntu-12.04-desktop-i386.iso. After downloading the Scan of the month 15 image and installing autopsy, I’ll disable networking functionality from the guest, and use the host for searches and writing this report.
In Virtual Lubuntu:
Computer name: luba
Username is: mrf
Also, I’ve been advised to include information on my system for compatibility reference.
Mobo: Asus P5Q (BIOS 1208)
CPU: Intel Core 2 Quad Q9550 @ 3.4GHz
RAM: 8GB 800MHz DDR2 (4x2GB)
GPU: Nvidia Geforce GTX 470 (Gigabyte branding)
HDD: Samsung Spinpoint F1 HD753LJ 750GB
PWR: Antec Earthwatts 500W
Sound: Creative SB X-Fi (EMU20K1 chip)
Wlan: ASUS PCE-N15 11n
DVD: TSSTcorp SH-S223F
KB: Costar tenkeyless Cherry MX Black (PS/2)
Mouse: 1000Hz 500DPI (USB)
Windows 7 Professional x64 SP1
Windows Server 2008 R2
Xubuntu 12.04 LTS x86
Ubuntu Server 14.04 LTS x64
Oracle Virtualbox (VT-x disabled, as I only ever use one core for VMs and Virtualbox’s own virtualization seems to work better)
Every piece of kit seems to work well in Xubuntu 12.04. Nvidia’s restricted driver provides the occasional headache, though.
Autopsy install and setup
We’ve covered the basic apt-get install routine in earlier posts, so from here on out I will just include the commands without the output, unless there is something exceptional worth reporting. (Provided our teacher agrees.) Let’s start by installing autopsy, a forensic browser.
mrf@luba:~$ sudo apt-get install autopsy
We also need the Scan of the month 15 partition image from http://old.honeynet.org/scans/scan15 The image is thus found in /home/mrf/Downloads/honeynet/honeypot.hda8.dd
Autopsy must be started as sudo:
mrf@luba:~$ sudo autopsy
Now we can use Chromium browser to open http://localhost:9999/autopsy
All set! Time to click the “New Case” button. Case name is “scan15”, description is empty, Investigator name is a. Antero. Autopsy then creates a directory and configuration for the case, located in:
Case directory (/var/lib/autopsy/scan15/) created Configuration file (/var/lib/autopsy/scan15/case.aut) created
Next we add a new host, which will be the previously downloaded image file. I choose to call it host1, which is the default.
Host Directory (/var/lib/autopsy/scan15/host1/) created Configuration file (/var/lib/autopsy/scan15/host1/host.aut) created
We must now import an image file for this host -> Add Image. Let’s insert /home/mrf/Downloads/honeynet/honeypot.hda8.dd as the location, select Partition for Type, and Copy for Import Method.
In the Image File Details page, we ignore the hash value, accept the default mount point of /1/ and ext file system.
Testing partitions Copying image(s) into evidence locker (this could take a little while) Image file added with ID img1 Volume image (0 to 0 - ext - /1/) added with ID vol1
Let’s create a File Activity timeline (Create data file, create timeline, view timeline)
That’s done. We can now access it if need be. We close the timeline view with the Close button and return to autopsy’s gallery. Time to take a look at the contents of the image. We press the Analyze button and enter the File Analysis view.
I made some progress in class earlier, so I’ll be picking up where I left off, informationwise.
First off, there’s a deleted file that doesn’t seem to belong: /1/lk.tgz. Let’s click it and use the Export feature and see what it contains.
The archive certainly contains interesting stuff. I extracted the file to /home/mrf/Downloads/last. Let’s take a look at ‘cleaner’ with the strings-command:
mrf@luba:~/Downloads/last$ strings cleaner |less
This thing seems to be a bash script that cleans log files, and contains odd stuff in german. How about ‘install’?
mrf@luba:~/Downloads/last$ strings install |less
The strange boasting in the beginning of the file is pretty incriminating. I’d say that lk.tgz contains the rootkit.
Let’s take a look at some other interesting files.
mrf@luba:~/Downloads/last$ strings logclear |less killall -9 linsniffer rm -rf tcp.log touch tcp.log ./linsniffer >tcp.log &
File ‘ssh’ contains a lot of lines relating to man-in-the-middle attacks and other warnings. It reads like a logfile.
File sshd_config mentions PidFile /dev/ida/.drag-on/pidfile. There are also keys present (ssh_host_key and ssh_host_key.pub)
I’ll take a closer look a bit later on. Let’s check out the other directories on the partition now.
…they seem to be mostly empty. For future reference: /etc and $OrphanFiles are interesting. /etc because it contains system settings in human readable form, although the attacker did have the cleaner script, and $OrphanFiles because it might contain interesting loose files.
Notes on orphanfiles
OrphanFile-2060 seemed to contain suspicious urls:
But then again, they’re commented out, and the urls seem like example placeholder stuff. (Allow friend, deny lowsecurity…)
OrphanFile-2041 is the previously mentioned install script. Based on this, it has been deployed on the server. Its last line “rm -rf last lk.tgz computer lk.tar.gz” removes lk.tar.gz, last, computer and lk.tgz, which, incidentally, is the archive we extracted earlier. There’s some romanian in there as well.
The file mentions two e-mail addresses: firstname.lastname@example.org and email@example.com, which might be forensically useful in the future.
OrphanFile-2043 is the logfile cleaner script. The script’s called sauber, which is german for clean.
OrphanFile-2044 is inetd.conf, which mentions a user called ‘cyrus’.
OrphanFile-2045 is bash script that mentions mkxfs and linsniffer (remember to write more about this later)
OrphanFile-2047 is a perl script that sorts the output from LinSniffer.
OrphanFile-2050 contains a long string of numbers and an e-mail address: firstname.lastname@example.org
OrphanFile-2059 kills linsniffer and removes tcp.log
I had to export most of the orphanfiles for closer inspection with the strings-command.
2039: Similar content with the previously mentioned ssh-file
2049: Mentions email@example.com again
Conclusions so far
The Scan 15 challenge asks:
Show step by step how you identify and recover the deleted rootkit from the / partition.
What files make up the deleted rootkit?
We have located lk.tgz and recovered it. Its contents seem to make up the deleted rootkit.
It includes Linsniffer: “linsniffer is an ethernet sniffer. It sits and listens on a network and grabs every packet it sees” (Source: http://firstname.lastname@example.org/msg02383.html)
It also includes a bash script called Sauber, which cleans the system’s logfiles.
Can you find additional information on the attacker (using legal means)?
Analyze the rootkit line by line.
I would seek additional information on the attacker by the aforementioned e-mail addresses: email@example.com and firstname.lastname@example.org.
I have analyzed the contents of lk.tgz as well I can in the given timeframe and reported the things I deem most noteworthy.