Scan of the Month 15

Dilbert, Copyright Scott Adams.

See the original challenge here:

• http://old.honeynet.org/scans/scan15/

 

The Challenge

On 15 March. 2001, a Linux honeypot was successfully compromised, a rootkit was downloaded to the / partition and then deleted from the system. Your mission is to find and recover the deleted rootkit. If you are not sure where to begin on conducting this forensic analysis and recover the rootkit, we highly reccommend you start with the Forensic Challenge. The steps you will have to follow for the rootkit recovery are similar to the steps discussed there. We have posted only the / partion for download to keep this challenge simple. The compressed image is 13MB,(honeynet.tar.gz) MD5=0dff8fb9fe022ea80d8f1a4e4ae33e21. Once you have downloaded, untarred, and unzipped the partition image, it will be 255 MB and the checksum should be MD5=5a8ebf5725b15e563c825be85f2f852e.

Show step by step how you identify and recover the deleted rootkit from the / partition.

What files make up the deleted rootkit?"

 

The preparations

 

sudo apt-get install tree

mkdir honey

cd honey

I installed tree for getting a better visual understanding of the files and locations I was about to explore.

I created a folder for the image-file I would download from http://old.honeynet.org/scans/scan15/

wget http://old.honeynet.org/scans/scan15/honeynet.tar.gz

tar xf honeynet.tar.gzhoneynet

I extracted the file by using tar and a new folder, honeynet, appeared. Inside this folder I could find the README file and also the target image honeypot.hda8.dd

xubuntu@xubuntu:~/honey/honeynet$ tree
.
├── honeypot.hda8.dd
└── README 

Recovering the lost files

I used the instractions written by Tero Karvinen (http://terokarvinen.com/2013/forensic-file-recovery-with-linux) as a guide while recovering the lost files.

mkdir allocated deleted
tsk_recover -a honeypot.hda8.dd allocated/

When trying to ran the recovering command I got a notification that installation of sleuthkit was required. 

sudo apt-get install sleuthkit
tsk_recover -a honeypot.hda8.dd allocated/

tsk_recover -a honeypot.hda8.dd deleted/

This time the command was functional and I could see that totally  1614 allocated and 37 deleted files were recovered.

The research and discovering the rootkit

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) while at the same time masking its existence or the existence of other software.

- Wikipedia: Rootkit, source: https://en.wikipedia.org/wiki/Rootkit

tar xvf lk.tgz

cd last

tree

ls -la

Inside the folder of deleted files I found a strange package which I chose to open with using tar onche again.

Wits ls -la I could find out which file was edited last (in this case the install file).

xubuntu@xubuntu:~/honey/honeynet/deleted/last$ tree
.
├── cleaner
├── ifconfig
├── inetd.conf
├── install
├── last.cgi
├── linsniffer
├── logclear
├── lsattr
├── mkxfs
├── netstat
├── pidfile
├── ps
├── s
├── sense
├── services
├── sl2
├── ssh
├── ssh_config
├── sshd_config
├── ssh_host_key
├── ssh_host_key.pub
├── ssh_random_seed
└── top

cat install

I opened the install file with cat and was soon more than sure that this was indeed the source a rootkit.   

Sources 
Lectures by Tero Karvinen
https://en.wikipedia.org/wiki/Rootkit

http://terokarvinen.com/2013/forensic-file-recovery-with-linux

https://axelauvinen.wordpress.com/2015/09/14/honeynet-scan-of-the-month-scan-15/
http://nikokiuru.com/2013/09/scan-of-the-month-15/

http://dilbert.com/ Based on Linux course by Tero Karvinen (http://terokarvinen.com)