My next class:

MyDoom Details, ssh password brute forcing.

Published: 2004-07-28. Last Updated: 2004-07-29 04:22:14 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
MyDoom Details

Lurhq published an excellent writeup with many details
about the Zindos, the worm taking advantage of MyDoom infected systems.

http://www.lurhq.com/zindos.html
If you find a MyDoom infected host, we are very interested in any copies
of the log left behind by MyDoom. Or if you have any early MyDoom samples.
See the writeup about for details about the logs.

More ssh password brute forcing

A reader discovered a system that was likely compromised as part of the
recent wave of ssh scans. The system's root account had no password configured
and was easy picking. Another ssh compromise is discussed on our DShield
mailing list: http://lists.sans.org/pipermail/list/2004-July/061219.html .
Both compromises use tools from the same repository, indicating that the
same group/individual is behind these scans and attacks.

Once connected to the system, the attacker downloaded a rootkit to gain
a foothold in the system. The bash history revealed the commands issued
by the attacker. Given several typos, and some of the command options used,
the attacker appears to be not very skilled.

First, the attacker collected some basic system information using
/etc/issue and /proc/cpuinfo (note: not uname -a). As a next step,
two tarballs are downloaded using wget. The web sites these
files origin from appear to be compromised.

Only one of the tarballs appears to be used ('tc5.tgz'). The
intruder unpacked the file, and started an installer shell script.

This script identifies the root kit as 'b0skit'. The header:


# Presenting
# -= [ tc5 bin ] =-
# by TeRmID -at- 6:55PM - Sunday, December 23th, 2001
# greetz to: hex66, keyhook, eqsol, maher_, tiggi, ch40s, pixel-fX,zK
# - manipul8r u rock dewd! ;>
# PRIVATE!! DO NOT DISTRO bijatchZ!! !termCREW memberz only _
# LAST UPDATE on Monday, February 4th, 2002
# by maher


Some of the highlights from the install script: (more later or in a
different format if there is interest.)

1 - kills syslogd

2 - detects t0rn rootkit

3 - aborts install if remote syslogging is detected (based on /etc/syslogd.conf, can be overridden)

4 - the script looks for hidden processes by comparing the output from /proc with the output from 'ps'

5 - check for tripwire, tcplogd, stmichael, snort and LIDS. Abort if either is found.

6 - replace md5sum, libproc, ldb with trojaned versions.

7 - create a new directory /usr/info/.tc2k and /usr/bin/util. Uses touch to change its creation time to the same time /bin/mv shows (probably to make it 'blend in' with other files)

8 - remove /etc/term.db (first, file attributes like immutable, append only are removed).

9 - create /dev/ida/.. /.org (again, match time with /bin/mv)

10 - remove /.bash_history (which assumes that root's home directory is /. However, this is not the case on any current Linux distribution). The
script also removes /bin/.bash_history. No idea what OS would drop a bash_history into /bin

11 - setup an ssh backdoor. The password can be specified as first command line parameter and the port it will listen on is configured as second parameter. In this case, port 7070 was specified.
md5 hashed passwords
are stored in /etc/term.db
next, a few more binaries are replaced, and again, following the prior pattern, the ctime is adjusted to match /bin/mv. The new binaries are
protected by setting the immutable, append only and overwrite attribute
(sounds like overkill. but the tool in general likes to use as many
commandline options as possible ;-) ).

The backdoor binary is installed as /usr/sbin/ldb, and a shell script
(/etc/sbin/initcheck) is added to /etc/inittab to restart the binary on reboot or on kill.

Other replaced binaries:

/lib/lidps1.so

/bin/ps

/usr/bin/dir

/bin/ls

/usr/sbin/lsof

/usr/bin/find

/usr/bin/top

/usr/bin/pstree

/sbin/ifconfig

/usr/bin/slocate

/usr/bin/md5sum

...

(the script is careful to maintain the file permissions/times)
Lastly, the script removes a number of 'competing' root kits and removes
the files it originally downloaded.

(sorry this is a bit shorter then it should be. Decrypt the message embedded in the spelling errors and typos to win an ISC bumper sticker)

--------------

Johannes Ullrich, jullrich/at/sans.org
Keywords:
0 comment(s)
My next class:

Comments


Diary Archives