Linux palvelimena – Homework 3 – Villains and decent folk

This is the third piece of homework for the course ICT4TN003-4 Linux palvelimena (Linux as a server):
http://terokarvinen.com/2012/aikataulu-%E2%80%93-linux-palvelimena-ict4tn003-3-ja-ict4tn003-5-kevaalla-2012

It will most likely not be finished by the deadline, which is something I’m not happy about, and realize this will likely impact my grade.

Assignment

Solve HoneyNet: Scan of the Month 15. http://old.honeynet.org/scans/scan15/

Additional tasks:
– Can you find additional information on the attacker (using legal means)?
– Analyze the rootkit line by line

Examine the partition to your heart’s content. Use nothing but legal methods, i.e. don’t portscan remote addresses. Be careful with the image.

Notes

I’ll use Virtualbox for this assignment. I’ve had my eye on Lubuntu for a while, so the guest OS image I’ll be using is lubuntu-12.04-desktop-i386.iso. After downloading the Scan of the month 15 image and installing autopsy, I’ll disable networking functionality from the guest, and use the host for searches and writing this report.

In Virtual Lubuntu:

Computer name: luba
Username is: mrf

Also, I’ve been advised to include information on my system for compatibility reference.
Hardware:

Mobo: Asus P5Q (BIOS 1208)
CPU: Intel Core 2 Quad Q9550 @ 3.4GHz
RAM: 8GB 800MHz DDR2 (4x2GB)
GPU: Nvidia Geforce GTX 470 (Gigabyte branding)
HDD: Samsung Spinpoint F1 HD753LJ 750GB
PWR: Antec Earthwatts 500W
Sound: Creative SB X-Fi (EMU20K1 chip)
Wlan: ASUS PCE-N15 11n
DVD: TSSTcorp SH-S223F
KB: Costar tenkeyless Cherry MX Black (PS/2)
Mouse: 1000Hz 500DPI (USB)

Software:

Windows 7 Professional x64 SP1
Windows Server 2008 R2
Xubuntu 12.04 LTS x86
Ubuntu Server 14.04 LTS x64

Oracle Virtualbox (VT-x disabled, as I only ever use one core for VMs and Virtualbox’s own virtualization seems to work better)

Every piece of kit seems to work well in Xubuntu 12.04. Nvidia’s restricted driver provides the occasional headache, though.

Autopsy install and setup

We’ve covered the basic apt-get install routine in earlier posts, so from here on out I will just include the commands without the output, unless there is something exceptional worth reporting. (Provided our teacher agrees.) Let’s start by installing autopsy, a forensic browser.

mrf@luba:~$ sudo apt-get install autopsy

We also need the Scan of the Month 15 partition image from http://old.honeynet.org/scans/scan15. The image is thus found in /home/mrf/Downloads/honeynet/honeypot.hda8.dd

Autopsy must be started as sudo:

mrf@luba:~$ sudo autopsy

Now we can use the Chromium browser to open http://localhost:9999/autopsy

“WARNING: Your browser currently has Java Script enabled.” Time to disable JavaScript in Chromium:

chrome://settings/content -> Javascript -> Do not allow any site to run JavaScript.

All set! Time to click the “New Case” button. Case name is “scan15”, description is empty, Investigator name is a. Antero. Autopsy then creates a directory and configuration for the case, located in:

Case directory (/var/lib/autopsy/scan15/) created
Configuration file (/var/lib/autopsy/scan15/case.aut) created

Next we add a new host, which will be the previously downloaded image file. I choose to call it host1, which is the default.

Host Directory (/var/lib/autopsy/scan15/host1/) created
Configuration file (/var/lib/autopsy/scan15/host1/host.aut) created

We must now import an image file for this host -> Add Image. Let’s insert /home/mrf/Downloads/honeynet/honeypot.hda8.dd as the location, select Partition for Type, and Copy for Import Method.

In the Image File Details page, we ignore the hash value, accept the default mount point of /1/ and ext file system.

Testing partitions
Copying image(s) into evidence locker (this could take a little while)
Image file added with ID img1
Volume image (0 to 0 - ext - /1/) added with ID vol1

Let’s create a File Activity timeline (Create data file, create timeline, view timeline)

That’s done. We can now access it if need be. We close the timeline view with the Close button and return to autopsy’s gallery. Time to take a look at the contents of the image. We press the Analyze button and enter the File Analysis view.
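Autopsy builds the file activity timeline by listing every inode's timestamps in Sleuth Kit “body” format and sorting them (the fls/mactime pipeline). The example below is added here and is not part of the original post or of Autopsy: it reimplements the sorting step over three constructed body lines, so the “m a c b” flag columns that appear in the timeline view are easy to read. The inode numbers and timestamps in SAMPLE_BODY are made up.

```python
"""Build a file-activity timeline from Sleuth Kit 'body' format lines.

Added example (not from the original post). Field order is the TSK 3.x
body format that fls -m emits:
  MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
"""
from datetime import datetime, timezone

# Constructed sample body lines; inode numbers and epochs are invented.
SAMPLE_BODY = """\
0|/etc/inetd.conf|2044|-rw-r--r--|0|0|1234|984000100|983999000|983999000|0
0|/lk.tgz (deleted)|2037|-rw-r--r--|0|0|520333|984000500|984000400|984000600|0
0|/dev/ida/.drag-on/pidfile|2061|-rw-r--r--|0|0|5|984000700|984000700|984000700|0
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")
TIME_KEYS = (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime"))


def parse_body(text):
    """Parse body lines into dicts, converting sizes and timestamps to int."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed body line: {line!r}")
        rec = dict(zip(FIELDS, parts))
        for _, key in TIME_KEYS:
            rec[key] = int(rec[key])
        rec["size"] = int(rec["size"])
        records.append(rec)
    return records


def build_timeline(records):
    """Expand each record into one event per distinct timestamp, like mactime.

    Returns a list of (epoch, macb_flags, inode, name) sorted by time.
    A timestamp of 0 means 'not recorded' and produces no event.
    """
    events = {}
    for rec in records:
        for flag, key in TIME_KEYS:
            ts = rec[key]
            if ts == 0:
                continue
            events.setdefault((ts, rec["inode"], rec["name"]), set()).add(flag)
    timeline = []
    for (ts, inode, name), flags in sorted(events.items()):
        macb = "".join(f if f in flags else "." for f in "macb")
        timeline.append((ts, macb, inode, name))
    return timeline


def format_timeline(timeline):
    """Render events as 'date  macb  inode  name' lines (UTC)."""
    out = []
    for ts, macb, inode, name in timeline:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        out.append(f"{when} {macb} {inode:>6} {name}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_timeline(build_timeline(parse_body(SAMPLE_BODY))))
```

In the output, a line such as “m.c.” means the file's modification and inode-change times coincide at that second, which is what you see when a file is written and then unlinked in one go; that is the kind of clustering that makes a deleted rootkit archive stand out in the timeline view.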

Analysis

I made some progress in class earlier, so I’ll be picking up where I left off, information-wise.

First off, there’s a deleted file that doesn’t seem to belong: /1/lk.tgz. Let’s click it and use the Export feature and see what it contains.

The archive certainly contains interesting stuff. I extracted the file to /home/mrf/Downloads/last. Let’s take a look at ‘cleaner’ with the strings-command:
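Autopsy’s Export button recovered lk.tgz by following the deleted inode’s block pointers. When that metadata has already been reused, the fallback is carving: scanning the raw image for the gzip header bytes and letting the decoder report where the stream ends. The following is an added example, not code from the post or from Autopsy; it builds a small stand-in “partition image” in memory (filler bytes with a tiny constructed tgz embedded) instead of reading honeypot.hda8.dd, then carves and lists the archive.

```python
"""Carve a gzip-compressed tar archive out of a raw image by magic bytes.

Added example (not from the original post). The image is constructed in
memory; swap make_sample_image() for open("honeypot.hda8.dd", "rb").read()
to run it against a real partition dump.
"""
import io
import tarfile
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=deflate


def make_sample_image():
    """Return (image_bytes, embedded_tgz) with a constructed tgz buried in filler."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w:gz") as tar:
        # Constructed member names/contents; they only echo the post's file names.
        for name, data in (("last/install", b"#!/bin/sh\necho installer\n"),
                           ("last/logclear", b"killall -9 linsniffer\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    tgz = tar_buf.getvalue()
    image = b"\x00" * 4096 + b"A" * 512 + tgz + b"\xff" * 2048
    return image, tgz


def carve_gzip_members(image):
    """Return [(offset, stream_bytes)] for every complete gzip stream in image.

    A header hit that does not decode (false positive) or that ends before
    the stream is complete (truncated) is skipped and the scan moves on.
    """
    found = []
    pos = 0
    while (pos := image.find(GZIP_MAGIC, pos)) != -1:
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # wbits 31: gzip framing only
        try:
            d.decompress(image[pos:])
        except zlib.error:
            pos += 1
            continue
        if not d.eof:
            pos += 1
            continue
        end = len(image) - len(d.unused_data)  # bytes after the stream's CRC/ISIZE
        found.append((pos, image[pos:end]))
        pos = end
    return found


def list_archive(blob):
    """List member names of a carved tgz without extracting to disk."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return [m.name for m in tar.getmembers()]


if __name__ == "__main__":
    image, _ = make_sample_image()
    for offset, blob in carve_gzip_members(image):
        print(f"gzip stream at byte {offset}, {len(blob)} bytes:")
        for name in list_archive(blob):
            print("  ", name)
```

Carving recovers the bytes but not the file name or timestamps, so when Autopsy still shows the deleted inode (as it did here for /1/lk.tgz), Export is the better route and carving is the cross-check that the recovered bytes are a complete stream.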

mrf@luba:~/Downloads/last$ strings cleaner |less

This thing seems to be a bash script that cleans log files, and contains odd stuff in German. How about ‘install’?

mrf@luba:~/Downloads/last$ strings install |less

The strange boasting in the beginning of the file is pretty incriminating. I’d say that lk.tgz contains the rootkit.

Further analysis

Let’s take a look at some other interesting files.

mrf@luba:~/Downloads/last$ strings logclear |less

killall -9 linsniffer
rm -rf tcp.log
touch tcp.log
./linsniffer >tcp.log &

File ‘ssh’ contains a lot of lines relating to man-in-the-middle attacks and other warnings. It reads like a logfile.

File sshd_config mentions PidFile /dev/ida/.drag-on/pidfile. There are also keys present (ssh_host_key and ssh_host_key.pub)

I’ll take a closer look a bit later on. Let’s check out the other directories on the partition now.

…they seem to be mostly empty. For future reference: /etc and $OrphanFiles are interesting. /etc because it contains system settings in human readable form, although the attacker did have the cleaner script, and $OrphanFiles because it might contain interesting loose files.

Notes on orphanfiles

OrphanFile-2060 seemed to contain suspicious urls:

But then again, they’re commented out, and the urls seem like example placeholder stuff. (Allow friend, deny lowsecurity…)

OrphanFile-2041 is the previously mentioned install script. Based on this, it has been deployed on the server. Its last line “rm -rf last lk.tgz computer lk.tar.gz” removes lk.tar.gz, last, computer and lk.tgz, which, incidentally, is the archive we extracted earlier. There’s some Romanian in there as well.

The file mentions two e-mail addresses: last@linuxmail.org and bidi_damm@yahoo.com, which might be forensically useful in the future.

OrphanFile-2043 is the logfile cleaner script. The script’s called sauber, which is German for clean.
OrphanFile-2044 is inetd.conf, which mentions a user called ‘cyrus’.
OrphanFile-2045 is a bash script that mentions mkxfs and linsniffer (remember to write more about this later)
OrphanFile-2047 is a perl script that sorts the output from LinSniffer.
OrphanFile-2050 contains a long string of numbers and an e-mail address: root@dil2.datainfosys.net
OrphanFile-2059 kills linsniffer and removes tcp.log

I had to export most of the orphanfiles for closer inspection with the strings command.

2039: Similar content with the previously mentioned ssh-file
2049: Mentions root@dil2.datainfosys.net again
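Reading `strings ... | less` by eye works for a handful of orphan files, but the things worth noting (e-mail addresses, hidden dot-directories under /dev, log-tampering commands) are regular enough to pull out automatically. The example below is added here and is not from the post; it reimplements the printable-run scan that strings(1) does and runs three indicator checks over constructed byte blobs that stand in for the exported orphan files. The indicator values embedded in the samples are the ones quoted in this post; the surrounding bytes are made up.

```python
"""Minimal strings(1) plus indicator extraction for exported orphan files.

Added example (not from the original post). SAMPLES are constructed
stand-ins; replace them with open(path, "rb").read() for real exports.
"""
import re

# Constructed stand-ins: an ELF-looking blob, a binary with an address,
# a shell script, and a config file.
SAMPLES = {
    "OrphanFile-2041": (b"\x7fELF\x01\x01\x01" + b"\x00" * 8
                        + b"mail last@linuxmail.org bidi_damm@yahoo.com\x00"
                        + b"rm -rf last lk.tgz computer lk.tar.gz\x00"),
    "OrphanFile-2050": b"\x00\x00" + b"1" * 40 + b"\x00root@dil2.datainfosys.net\x00",
    "OrphanFile-2059": b"#!/bin/sh\nkillall -9 linsniffer\nrm -rf tcp.log\ntouch tcp.log\n",
    "sshd_config": b"Port 22\nPidFile /dev/ida/.drag-on/pidfile\n",
}

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# A dot-directory somewhere under a system path, e.g. /dev/ida/.drag-on/...
HIDDEN_PATH = re.compile(r"/(?:dev|tmp|var|usr|lib)/\S*?/\.[^\s\"']+")
# Commands a log cleaner or sniffer reset script typically starts a line with.
TAMPER_CMDS = ("rm -rf", "killall", "unlink", "shred")


def strings(data, min_len=4):
    """Runs of at least min_len printable ASCII bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_indicators(data):
    """Return e-mails, hidden dot-paths and tampering commands found in data."""
    emails, paths, cmds = set(), set(), []
    for s in strings(data):
        emails.update(EMAIL.findall(s))
        paths.update(HIDDEN_PATH.findall(s))
        if any(s.lstrip().startswith(c) for c in TAMPER_CMDS):
            cmds.append(s.strip())
    return {"emails": sorted(emails), "hidden_paths": sorted(paths), "tamper_cmds": cmds}


def triage(samples):
    """Run find_indicators over every file; keep only files with at least one hit."""
    report = {}
    for name, data in samples.items():
        hits = find_indicators(data)
        if any(hits.values()):
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        print(name)
        for kind, values in hits.items():
            if values:
                print(f"  {kind}: {values}")
```

The point of keeping `strings` as a separate function is that everything downstream works on decoded text, so the same indicator checks apply to a stripped binary like linsniffer and to a plain shell script like logclear.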

Conclusions so far

The Scan 15 challenge asks:

Show step by step how you identify and recover the deleted rootkit from the / partition.
What files make up the deleted rootkit?

We have located lk.tgz and recovered it. Its contents seem to make up the deleted rootkit.

It includes Linsniffer: “linsniffer is an ethernet sniffer. It sits and listens on a network and grabs every packet it sees” (Source: http://www.mail-archive.com/redhat-list@redhat.com/msg02383.html)

It also includes a bash script called Sauber, which cleans the system’s logfiles.

Can you find additional information on the attacker (using legal means)?
Analyze the rootkit line by line.

I would seek additional information on the attacker by the aforementioned e-mail addresses: last@linuxmail.org and bidi_damm@yahoo.com.

I have analyzed the contents of lk.tgz as well I can in the given timeframe and reported the things I deem most noteworthy.


About a1100320

IT student, musician, gamer. Beep boop.
This entry was posted in Linux palvelimena ICT4TN003-4.
