I am writing this post as part of Tero Karvinen’s course: Linux palvelimena (roughly translated: Linux as a server) http://terokarvinen.com/2012/aikataulu-linux-palvelimena-ict4tn003-4-ja-ict4tn003-6-syksylla-2012.
My objective on the assignment:
- Download a compressed image from http://old.honeynet.org/scans/scan15/
- See what I can find out about the rootkit
- Report my findings
- Show step by step how you identify and recover the deleted rootkit from the / partition.
- What files make up the deleted rootkit?
- What information can you find from the perpetrator by legal means?
- Analyze the rootkit.
I’ll start off by saying that once again I am using a live environment and in addition I am using a computer with no personal data nor any important information. I am using xubuntu 12.04.1 LTS 32-bit.
EDIT: I couldn’t find the rootkit. Many accomplished walkthroughs can be found at the same website where the image was downloaded from. Although I got close on a few occasions. For example, if I had used “tsk_recover” instead of “tsk_recover -e” I would have gotten only the deleted files, or if I had stopped to think why there was a tgz-file in the root directory or, while using meld, why there were files called linsniffer and logclear.
I downloaded the file “honeynet.tar.gz” from the website http://old.honeynet.org/scans/scan15/. Using Terminal I created a new folder called “Challenge” under /home/xubuntu with the command
$ mkdir Challenge
and after that moved to the folder where the file was downloaded
$ cd /home/xubuntu/Downloads/
I uncompressed the file with the command
$ tar -xzvf honeynet.tar.gz
(x-extract, z-ungzip, v-verbose, f-file). I checked the README for information before starting with the challenge
$ cat README
I moved a copy of “honeypot.hda8.dd” to the Challenge-folder I made earlier.
$ cp honeypot.hda8.dd /home/xubuntu/Challenge/
$ cd /home/xubuntu/Challenge
I created a new folder called “Recovered” where I can search and read files without worrying that I ruin something important. I also created a new folder “Mounted” where I will mount the image
$ mkdir Mounted Recovered
I installed sleuthkit so I could copy the files from “honeypot.hda8.dd” to the “Recovered” folder
$ sudo apt-get install sleuthkit
$ tsk_recover -e honeypot.hda8.dd Recovered/
(e-all files, i.e. allocated and unallocated; without -e only the unallocated, deleted files are recovered) I got confirmation that there were 1651 files recovered.
Mounting the image
I mounted the image by using the following
$ sudo mount -o ro,loop,noexec,nodev /home/xubuntu/Challenge/honeypot.hda8.dd /home/xubuntu/Challenge/Mounted/
I opened a second terminal and arranged it so that one terminal is in the “Mounted” folder and the other one in the “Recovered” one, as in the picture below.
So if I happen to make the mistake of opening a file in Mounted, I most likely need to copy a new image from the “Download” folder and do a new mount.
Searching for the rootkit
I started off by searching for files dated between the 14th and 16th of March, since the date of the infection was the 15th somewhere in the world, possibly in a different time zone.
ls -l in the mount folder showed that almost all of the folders matched the criteria. I first opened a third terminal and opened the “Challenge” folder and went through all the files with “diff” which checks for differences between files. So I went through every folder using the command
$ diff Mounted/bin/ Recovered/bin/
through to
$ diff Mounted/tmp/ Recovered/tmp/
I was hoping to find a file that only existed on the backup I made in the folder “Recovered” but ended up finding nothing interesting.
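An added example, not part of the original post: the Mounted-versus-Recovered comparison above done recursively in Python, reporting the files that exist only in the recovered tree and optionally only those modified inside the 14-16 March window. The directory trees are constructed stand-ins rather than files from the image, and the year 2001 for the window is an assumption since the post gives no year.

```python
import os
import tempfile
from datetime import datetime


def walk_relative(root):
    """Map each regular file under root to its mtime, keyed by relative path."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, root)] = os.lstat(full).st_mtime
    return files


def deleted_candidates(mounted_root, recovered_root, start=None, end=None):
    """Files present under recovered_root but absent from mounted_root.

    tsk_recover -e copies live *and* deleted files, so only the set difference
    against the read-only mount isolates the deleted ones; an optional
    [start, end) datetime window then narrows the list by modification time.
    """
    mounted = walk_relative(mounted_root)
    recovered = walk_relative(recovered_root)
    only_recovered = sorted(set(recovered) - set(mounted))
    lo = start.timestamp() if start else float("-inf")
    hi = end.timestamp() if end else float("inf")
    return [p for p in only_recovered if lo <= recovered[p] < hi]


# Assumed window: the post says 14th-16th of March; the year 2001 is an assumption.
WINDOW = (datetime(2001, 3, 14), datetime(2001, 3, 17))


def write_file(root, rel, content, when):
    """Create root/rel with `content` and stamp its mtime with `when`."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(content)
    os.utime(full, (when.timestamp(), when.timestamp()))


def build_demo_trees():
    """Constructed stand-ins for Mounted/ and Recovered/ (not data from the image)."""
    base = tempfile.mkdtemp(prefix="scan15_demo_")
    mounted, recovered = os.path.join(base, "Mounted"), os.path.join(base, "Recovered")
    old = datetime(2001, 2, 1)
    for root in (mounted, recovered):  # live files appear in both trees
        write_file(root, "bin/ls", "live binary (constructed)", old)
        write_file(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash", old)
    # deleted files survive only in Recovered/: one inside the window, one months before it
    write_file(recovered, "tmp/leftover.tgz", "constructed deleted archive", datetime(2001, 3, 15, 12))
    write_file(recovered, "usr/local/old-note", "constructed, deleted months earlier", datetime(2000, 12, 24))
    return mounted, recovered
```

Calling `deleted_candidates(*build_demo_trees())` lists both constructed extras; adding `*WINDOW` as the last arguments keeps only the file stamped inside the window.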
I basically tried the same thing with a graphical program called “meld”
$ sudo apt-get install meld
and
$ meld
to open it. File -> new -> Directory comparison -> I added the folders I created earlier as seen in the picture.
After pressing ok the files are shown on the screen. I removed the filters and unchecked the “show new” button so it only showed modified files. And I got none the wiser.
I tried to search through the contents of both folders (Mounted & Recovered) for files with the following word “rm” (remove)
$ grep -R "rm " *
after skimming through the files I tried another search
$ grep -R "rm -r" *
and after checking a few files for any clues, I came to the impression that this was another dead end.
After ~6 hours of searching (documenting included) I couldn’t find the rootkit with my level of skill and knowledge of the system. I succeeded in taking a backup of the files on the image and in mounting said image. I failed to find the rootkit and to complete the follow-up tasks using the methods listed above.