The Honeynet Challenge

I am writing this post as part of Tero Karvinen’s course: Linux palvelimena (roughly translated: Linux as a server) http://terokarvinen.com/2012/aikataulu-linux-palvelimena-ict4tn003-4-ja-ict4tn003-6-syksylla-2012.

My objective on the assignment:

  1. Show step by step how you identify and recover the deleted rootkit from the / partition.
  2. What files make up the deleted rootkit?
  3. What information can you find from the perpetrator by legal means?
  4. Analyze the rootkit.

I'll start off by saying that once again I am using a live environment, and in addition I am using a computer with no personal data or any important information on it. I am using Xubuntu 12.04.1 LTS 32-bit.

EDIT: I couldn't find the rootkit. Many accomplished walkthroughs can be found at the same website the image was downloaded from. I got close on a few occasions, though. For example, if I had used "tsk_recover" instead of "tsk_recover -e" I would have gotten only the deleted files, or if I had stopped to think about why there was a tgz file in the root directory, or, while using meld, why there were files called linsniffer and logclear.

Preparations

I downloaded the file "honeynet.tar.gz" from the website http://old.honeynet.org/scans/scan15/. In a terminal I created a new folder called "Challenge" under /home/xubuntu with the command $ mkdir Challenge, then moved to the folder where the file was downloaded with $ cd /home/xubuntu/Downloads/ and extracted the file with $ tar -xzvf honeynet.tar.gz (x: extract, z: gunzip, v: verbose, f: file). I checked the README for information before starting the challenge: $ cat README.

I moved a copy of “honeypot.hda8.dd” to the Challenge-folder I made earlier. $ cp honeypot.hda8.dd /home/xubuntu/Challenge/
$ cd /home/xubuntu/Challenge

I created a new folder called "Recovered" where I can search and read files without worrying that I ruin something important, and a folder "Mounted" where I will mount the image: $ mkdir Mounted Recovered. I installed The Sleuth Kit so I could copy the files from "honeypot.hda8.dd" into the "Recovered" folder: $ sudo apt-get install sleuthkit
$ tsk_recover -e honeypot.hda8.dd Recovered/ (-e: recover all files, allocated as well as deleted; without it only the deleted files are recovered). I got confirmation that 1651 files were recovered.

Mounting the image

I mounted the image read-only with the following: $ sudo mount -o ro,loop,noexec,nodev /home/xubuntu/Challenge/honeypot.hda8.dd /home/xubuntu/Challenge/Mounted/
I opened a second terminal so that one terminal is in the "Mounted" folder and the other in the "Recovered" one, as in the picture below.

So if I happen to make the mistake of opening a file in Mounted, I most likely need to copy a new image from the "Downloads" folder and mount it again.

Searching for the rootkit

I started off by searching for files dated between the 14th and 16th of March, since the infection happened on the 15th somewhere in the world, possibly in a different time zone. ls -l in the mount folder showed that almost all of the folders matched the criteria. I then opened a third terminal in the "Challenge" folder and went through all the files with "diff", which checks for differences between files. So I went through every folder, from $ diff Mounted/bin/ Recovered/bin/ through to $ diff Mounted/tmp/ Recovered/tmp/. I was hoping to find a file that existed only in the backup I made in the "Recovered" folder, but ended up finding nothing interesting.

I basically tried the same thing with a graphical program called "meld": $ sudo apt-get install meld, and $ meld to open it. File -> New -> Directory comparison, and I added the folders I created earlier, as seen in the picture.

After pressing OK the files are shown on the screen. I removed the filters and turned off the "show new" button so that it only showed modified files. I was none the wiser.

I tried searching through both folders (Mounted & Recovered) for files containing the word "rm" (remove) with $ grep -R "rm " *. After skimming through the results I tried another search, $ grep -R "rm -r" *, and after checking a few files for clues I came to the impression that this was another dead end.
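The recovery and comparison steps above, from mounting the image through the directory diff and the date search, as a set of shell functions. This is an added example, not code from the original post or from the Honeynet Project; it assumes GNU coreutils, diffutils, GNU find and The Sleuth Kit (tsk_recover, fls) are installed, and the directory names, date window and sample fls lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: the image-handling steps of the
# walkthrough as reusable functions. Needs coreutils, diffutils, GNU find and
# The Sleuth Kit (tsk_recover, fls). Paths and sample data are assumptions.
set -u

# Mount a raw partition image read-only on a loop device. noexec/nodev/nosuid
# keep anything on the suspect filesystem from being run or acting as a device.
mount_image_ro() {
    image=$1 mnt=$2
    sudo mount -o ro,loop,noexec,nodev,nosuid "$image" "$mnt"
}

# Recover only unallocated (deleted) files. Without -e tsk_recover skips the
# live files, so the output tree holds just what was deleted; with -e the
# deleted files are buried among the ~1600 allocated ones.
recover_deleted() {
    image=$1 out=$2
    tsk_recover "$image" "$out"
}

# Print paths, relative to the recovered tree, that exist there but not in the
# mounted image. diff needs -r to descend into subdirectories; a plain
# "diff Mounted/bin Recovered/bin" only compares the top level of each.
only_in_recovered() {
    mounted=${1%/} recovered=${2%/}
    diff -rq "$mounted" "$recovered" \
        | sed -n "s|^Only in $recovered\(.*\): \(.*\)$|\1/\2|p" \
        | sed 's|^/||' \
        | sort
}

# Files modified after $start and not after $end, e.g. the day of the
# compromise widened by a day on each side for time-zone slack (GNU find).
modified_between() {
    root=$1 start=$2 end=$3
    find "$root" -type f -newermt "$start" ! -newermt "$end" | sort
}

# Extract the path from each deleted entry in "fls -rp" (or "fls -rdp") output.
# fls marks a deleted entry with an asterisk after the type column, e.g.
#   r/r * 2040:      tmp/archive.tgz
# Allocated entries (no asterisk) are dropped.
fls_deleted_paths() {
    sed -n 's/^[^ ]* \* [^:]*:[[:space:]]*//p'
}

# Constructed sample of fls output (not real data from the challenge image).
SAMPLE_FLS='d/d 11:      lost+found
r/r 12:      etc/passwd
r/r * 2040:      tmp/archive.tgz
r/r * 2051(realloc):      usr/bin/tool'

# Usage on the real image (run by hand; the mount needs root). The year in the
# date window is an assumption, check it against the challenge README.
#   mount_image_ro honeypot.hda8.dd Mounted
#   recover_deleted honeypot.hda8.dd Recovered
#   only_in_recovered Mounted Recovered
#   modified_between Mounted 2001-03-14 2001-03-17
#   fls -rp honeypot.hda8.dd | fls_deleted_paths
printf '%s\n' "$SAMPLE_FLS" | fls_deleted_paths
```

The point of recovering only the unallocated files is that the "Only in Recovered" lines of the recursive diff then name exactly the deleted files, instead of an empty list when both trees contain every live file as well.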

Conclusion

After ~6 hours of searching (documenting included) I couldn't find the rootkit with my level of skill and knowledge of the system. I succeeded in taking a backup of the files on the image and in mounting said image. I failed to find the rootkit and to complete the follow-up tasks using the methods listed above.
