Security Incidents mailing list archives

RE: illogic rootkit


From: Dan Irwin <dan () jackies com au>
Date: Mon, 22 Apr 2002 07:22:29 +1000

Some additional information:

(For readers on the Honeypot list, please read my original post on Incidents
Here: 
http://online.securityfocus.com/archive/75/268589)

The honeypot was a default fresh install of Redhat Linux 7.2. As many
network services were enabled as possible. No patches were applied. This was
installed in a VMware virtual machine, on a host-only network consisting of
public IP addresses.

Another /28 network was DNAT'd to the machine.

The honeypot was online for a little over 24 hours. In that time, I
believe it was compromised twice. Syslog logged a _lot_ of ftp connections
from 1 particular IP address, indicating some kind of brute force wuftpd
exploit.

I believe the machine was also compromised via sshd, although I have not
confirmed this.

I had tcpdump -w running on the VMware host machine. It generated a lot of
traffic, which I really need to analyse more. I have analysed the attacker's
download of this rootkit, obtained his username and password to the FTP site
in question (albeit invalid).

For anyone interested, here is some tcpdump output (tcpdump -w) of the host
in question. I have not fully analyzed this, but I'm sure others will. The
gz file is about 800k. The logfile inside is around 2.7megs. It can be
loaded into ethereal or tcpdump or whatever. This will be full of little
secrets, no doubt.

http://www2.linuxphreaks.org/pub/unsorted/tcpdump_log.gz

I pulled that honeypot offline after about 24 hours. I did not want to be
the source of a worm starting or spreading. In the days since, my network
has received a LOT of port scans from networks in Romania, looking for their
"root". In particular, I have noticed a lot of scans for port 1221, which
appears to be the port the illogic rootkit's sshd binds to.

I have also been on the Undernet IRC network in these guys' channel, #h4ck3r,
but not a lot appears to go on.

And for those who read my email signature, security is a personal hobby of
mine. The company for which I consult doesn't mind me reading/following security
issues on their time. My boss is shit scared about being "hacked" or having
downtime to viruses. The honeypot was on my own home network, and not here
at Jackies.

I originally planned to post all this information on a web page over the
weekend, but never got around to it. Too much Coding.

PS. This is only really the second time I have unleashed a honeypot on
unsuspecting script kiddies; I am a relative honeypot newbie!

- Dan.



And once again, the rootkit et al.:

Here it is:

http://www2.linuxphreaks.org/pub/security/rootkits/illogic.tgz


Output from Installer:

http://www2.linuxphreaks.org/pub/hp/20020418/illogic-install.txt

chkrootkit output:

http://www2.linuxphreaks.org/pub/hp/20020418/chkrootkit.log


--
Dan Irwin - Systems Administrator
Jackie's Wholesale Nurseries Pty Ltd
Email: dan () jackies com au
Phone: 07 3888 2481
Fax: 07 3888 2530
Postal: 10 Gleeson Road Burpengary Queensland 4505
Email: info () jackies com au
Web: http://www.jackies.com.au
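The post's indicator of the first compromise was syslog recording a flood of ftp connections from one address. The following is an added example, not code from the post or from any of the tools it names, showing how a defender can pull that signal out of a syslog file automatically: it parses classic syslog lines, keeps only inbound FTP connection records (accepting both xinetd's "START: ftp ... from=" form and an ftpd "connection from" form), and flags any source that opens a burst of connections inside a short sliding window, so a source that connects once an hour is not confused with a brute-force attempt. The log lines, the year assumed for the year-less syslog timestamps, and the threshold values are constructed for the example and are not from the honeypot described above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed year: classic syslog timestamps carry none (the post dates from April 2002).
SYSLOG_YEAR = 2002

# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Source address as written by xinetd ("from=1.2.3.4") or an ftpd ("connection from 1.2.3.4").
FROM_RE = re.compile(r"(?:from=|from )(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample log; addresses are from the documentation ranges, not real attackers.
SAMPLE_SYSLOG = """\
Apr 18 02:10:55 honeypot sendmail[800]: starting daemon (8.11.6): SMTP+queueing@01:00:00
Apr 18 02:11:01 honeypot xinetd[612]: START: ftp pid=1301 from=192.0.2.77
Apr 18 02:11:04 honeypot xinetd[612]: START: ftp pid=1302 from=192.0.2.77
Apr 18 02:11:06 honeypot xinetd[612]: START: ftp pid=1303 from=192.0.2.77
Apr 18 02:11:09 honeypot xinetd[612]: START: ftp pid=1304 from=192.0.2.77
Apr 18 02:11:12 honeypot xinetd[612]: START: ftp pid=1305 from=192.0.2.77
Apr 18 02:11:15 honeypot xinetd[612]: START: ftp pid=1306 from=192.0.2.77
Apr 18 02:11:19 honeypot xinetd[612]: START: ftp pid=1307 from=192.0.2.77
Apr 18 02:11:22 honeypot xinetd[612]: START: ftp pid=1308 from=192.0.2.77
Apr 18 02:12:00 honeypot sshd[700]: Accepted password for root from 192.0.2.77 port 40011 ssh2
Apr 18 03:00:00 honeypot xinetd[612]: START: ftp pid=1400 from=203.0.113.9
Apr 18 03:30:00 honeypot xinetd[612]: START: ftp pid=1401 from=203.0.113.9
Apr 18 04:00:00 honeypot xinetd[612]: START: ftp pid=1402 from=203.0.113.9
Apr 18 04:30:00 honeypot xinetd[612]: START: ftp pid=1403 from=203.0.113.9
Apr 18 05:00:00 honeypot xinetd[612]: START: ftp pid=1404 from=203.0.113.9
Apr 18 05:30:00 honeypot xinetd[612]: START: ftp pid=1405 from=203.0.113.9
Apr 18 06:12:40 honeypot ftpd[1500]: connection from 198.51.100.5
"""


def parse_ftp_connection(line):
    """Return (timestamp, source_ip) if the line records an inbound FTP connection,
    otherwise None (other daemons, unparseable lines, lines with no source address)."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    prog, msg = m.group("prog"), m.group("msg")
    is_ftp = prog.startswith("ftpd") or (prog == "xinetd" and "START: ftp" in msg)
    if not is_ftp:
        return None
    src = FROM_RE.search(msg)
    if not src:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, src.group("ip")


def burst_sources(lines, threshold=5, window_seconds=60):
    """Return {ip: max_connections_in_any_window} for every source that opened at
    least `threshold` FTP connections within `window_seconds`. A source whose
    connections are spread out over hours stays below the threshold even if its
    total count is high, which is the point of the sliding window."""
    times = defaultdict(list)
    for line in lines:
        parsed = parse_ftp_connection(line)
        if parsed:
            ts, ip = parsed
            times[ip].append(ts)
    flagged = {}
    for ip, stamps in times.items():
        stamps.sort()
        best, left = 0, 0
        for right, t in enumerate(stamps):
            # Slide the left edge forward until the window fits within window_seconds.
            while (t - stamps[left]).total_seconds() > window_seconds:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, n in sorted(burst_sources(SAMPLE_SYSLOG.splitlines()).items()):
        print(f"{ip}: {n} FTP connections inside one 60s window")
```

With the defaults only the bursting source is reported; raising the window to an hour and lowering the threshold would also catch the slow, steady source, which is the knob to turn depending on how noisy the FTP service normally is. If both xinetd and the ftpd itself log every connection, feed the parser one of the two streams, or each connection is counted twice.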


-----Original Message-----
From: Jerry_Pierce () providian com [mailto:Jerry_Pierce () providian com]
Sent: Saturday, 20 April 2002 9:07 AM
To: Dan Irwin
Subject: Re: illogic rootkit



Would love to see the rootkit and tcpdump.  Did you use CTC to recover the
deleted files and develop a timeline of the event?

      Jerry D. Pierce
      GCIA, GCIH




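Dan's capture was written with tcpdump -w, and he notes that his network has since been swept for port 1221, the port the illogic rootkit's sshd is said to bind to. As an added example, not code from the post or from tcpdump, the block below reads that classic libpcap file format with the Python standard library alone, keeps the packet timestamps (the raw material for the kind of event timeline asked about above), and reports every source that sent a bare SYN to port 1221 on several distinct hosts, which is what a sweep of a DNAT'd /28 for an already-installed rootkit looks like. SYN/ACK replies and ordinary traffic to other ports are ignored so a legitimately busy host is not flagged. The sample capture is constructed in memory from documentation-range addresses; the code assumes the Ethernet link type and the classic (not pcapng) format, which is what tcpdump -w produced at the time.

```python
import socket
import struct
from collections import defaultdict

ILLOGIC_SSHD_PORT = 1221      # port the post reports the rootkit's sshd listening on
TCP_SYN, TCP_ACK = 0x02, 0x10


def _ipv4_tcp_frame(src, dst, sport, dport, flags):
    """Build one Ethernet/IPv4/TCP frame for the constructed sample capture.
    Checksums are left zero; the reader never validates them."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x00" * 6 + b"\x00\x0c\x29\x00\x00\x01" + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(records):
    """Serialise (ts_sec, src, dst, sport, dport, flags) records as a classic
    little-endian libpcap file, the layout tcpdump -w writes on x86 hosts."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, src, dst, sport, dport, flags in records:
        frame = _ipv4_tcp_frame(src, dst, sport, dport, flags)
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_tcp(data):
    """Yield (ts_sec, src, dst, sport, dport, flags) for each IPv4/TCP packet in a
    classic pcap file with Ethernet framing; anything else is skipped."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    header = struct.unpack(endian + "IHHiIII", data[:24])
    if header[6] != 1:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        ts, _usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6 or len(frame) < 14 + ihl + 20:
            continue                                  # not TCP, or truncated by snaplen
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        flags = struct.unpack("!H", tcp[12:14])[0] & 0x1FF
        yield ts, src, dst, sport, dport, flags


def port_sweeps(data, port=ILLOGIC_SSHD_PORT, min_targets=3):
    """Return {src: [dst, ...]} for sources that sent a bare SYN to `port` on at
    least `min_targets` distinct hosts. SYN/ACK replies from a listener and
    segments to other ports do not count."""
    targets = defaultdict(set)
    for _ts, src, dst, _sport, dport, flags in iter_tcp(data):
        if dport == port and flags & TCP_SYN and not flags & TCP_ACK:
            targets[src].add(dst)
    return {src: sorted(dsts, key=socket.inet_aton)
            for src, dsts in targets.items() if len(dsts) >= min_targets}


# Constructed sample: one source sweeping six hosts for 1221, one reply from a
# listener, one single-target probe, and a probe of port 80 from the sweeper.
SAMPLE_RECORDS = (
    [(1019100000 + i, "192.0.2.77", f"203.0.113.{i}", 40000 + i, 1221, TCP_SYN)
     for i in range(1, 7)]
    + [(1019100010, "203.0.113.3", "192.0.2.77", 1221, 40003, TCP_SYN | TCP_ACK),
       (1019100020, "198.51.100.5", "203.0.113.3", 51000, 1221, TCP_SYN),
       (1019100030, "192.0.2.77", "203.0.113.9", 40100, 80, TCP_SYN)]
)
SAMPLE_PCAP = build_pcap(SAMPLE_RECORDS)

if __name__ == "__main__":
    for src, dsts in port_sweeps(SAMPLE_PCAP).items():
        print(f"{src} probed port {ILLOGIC_SSHD_PORT} on {len(dsts)} hosts: {', '.join(dsts)}")
```

To run it over a real capture, read the file into `data` and call `port_sweeps(data)`; since `iter_tcp` also yields the timestamp, the same loop can be used to order the first contact from each address into a timeline. A stand-alone check on a possibly compromised host is simpler still: anything listening on 1221 that the administrator did not put there warrants the chkrootkit run the post links to.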


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
