Scan of the Month 15
See the original challenge here: http://old.honeynet.org/scans/scan15/
The Challenge
"Show step by step how you identify and recover the deleted rootkit from the / partition. What files make up the deleted rootkit?"
The preparations
sudo apt-get install tree
mkdir honey
cd honey
I installed tree to get a better visual overview of the files and directories I was about to explore.
I created a folder for the image-file I would download from http://old.honeynet.org/scans/scan15/
wget http://old.honeynet.org/scans/scan15/honeynet.tar.gz
tar xf honeynet.tar.gz
Extracting the archive with tar produced a new folder, honeynet. Inside it I found the README file and the target image, honeypot.hda8.dd.
xubuntu@xubuntu:~/honey/honeynet$ tree
.
├── honeypot.hda8.dd
└── README
Recovering the lost files
I used the instructions written by Tero Karvinen (http://terokarvinen.com/2013/forensic-file-recovery-with-linux) as a guide while recovering the lost files.
mkdir allocated deleted
tsk_recover -a honeypot.hda8.dd allocated/
When I tried to run the recovery command I got a message that The Sleuth Kit had to be installed first.
sudo apt-get install sleuthkit
tsk_recover -a honeypot.hda8.dd allocated/
tsk_recover honeypot.hda8.dd deleted/
Note the flag: with -a, tsk_recover copies out the allocated (still existing) files, while without it, in its default mode, it carves only unallocated, that is deleted, files, which is exactly what belongs in deleted/. This time the commands worked, and in total 1614 allocated and 37 deleted files were recovered.
The research and discovering the rootkit
"A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) while at the same time masking its existence or the existence of other software."
- Wikipedia: Rootkit, source: https://en.wikipedia.org/wiki/Rootkit
tar xvf lk.tgz
cd last
tree
ls -la
Inside the folder of deleted files I found a strange package, lk.tgz, which I unpacked with tar once again. With ls -la I could see which file had been edited last (in this case the install file).
xubuntu@xubuntu:~/honey/honeynet/deleted/last$ tree
.
├── cleaner
├── ifconfig
├── inetd.conf
├── install
├── last.cgi
├── linsniffer
├── logclear
├── lsattr
├── mkxfs
├── netstat
├── pidfile
├── ps
├── s
├── sense
├── services
├── sl2
├── ssh
├── ssh_config
├── sshd_config
├── ssh_host_key
├── ssh_host_key.pub
├── ssh_random_seed
└── top
cat install
Reading the install file with cat left no doubt that this was indeed a rootkit: the files listed above, which were packed together in the deleted lk.tgz, are what make up the deleted rootkit.
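The manual steps above (spot the odd package in deleted/, unpack it, list it) can be made repeatable and a little safer. The following is an added example in Python, not code from the original post or from the Honeynet challenge: it classifies recovered files by their magic bytes rather than their names (a trojaned ps is still an ELF binary whatever it is called), then inventories the archive with member sizes and SHA-256 hashes without extracting it to disk, and flags any member whose path would escape the extraction directory. The recovered directory and the lk.tgz inside it are constructed stand-ins built by the script itself; they are not the real honeypot image.

```python
"""Triage files recovered with tsk_recover and inventory a suspicious archive.

Added example, not part of the original write-up. The recovered directory
and the 'lk.tgz' it contains are constructed here as sample data.
"""
import hashlib
import io
import os
import tarfile
import tempfile

# Leading bytes of the file types that matter most when hunting a rootkit.
MAGIC = {
    b"\x1f\x8b": "gzip",        # .tgz / .tar.gz archives such as lk.tgz
    b"\x7fELF": "ELF binary",   # trojaned ps, netstat, ifconfig, top, ...
    b"#!": "script",            # install / logclear style shell scripts
}


def classify(path):
    """Identify a recovered file by its first bytes, never by its name."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return "other"


def triage(recovered_dir):
    """Return {relative path: type} for every regular file under recovered_dir."""
    result = {}
    for root, _dirs, files in os.walk(recovered_dir):
        for name in files:
            full = os.path.join(root, name)
            result[os.path.relpath(full, recovered_dir)] = classify(full)
    return result


def inventory(tgz_path):
    """List archive members with size and SHA-256 without writing them out.

    Members are read in memory only; nothing from the archive is executed
    or placed on disk. A path that starts with '/' or contains '..' would
    escape a normal extraction directory and is flagged as unsafe.
    """
    members = []
    with tarfile.open(tgz_path, "r:gz") as tar:
        for m in tar:
            unsafe = m.name.startswith("/") or ".." in m.name.split("/")
            digest = None
            if m.isfile():
                digest = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
            members.append({"name": m.name, "size": m.size,
                            "sha256": digest, "unsafe_path": unsafe})
    return members


def _add_bytes(tar, name, data):
    """Add an in-memory file to a tar archive (used only to build sample data)."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample(recovered_dir):
    """Constructed stand-in for the deleted/ directory; not the real image.

    Contains a fake lk.tgz with a shell script, a fake ELF and one member
    whose path climbs out of the extraction directory, plus a plain text file.
    """
    tgz = os.path.join(recovered_dir, "lk.tgz")
    with tarfile.open(tgz, "w:gz") as tar:
        _add_bytes(tar, "last/install", b"#!/bin/sh\necho installing\n")
        _add_bytes(tar, "last/ps", b"\x7fELF" + b"\x00" * 60)
        _add_bytes(tar, "../etc/ld.so.preload", b"/lib/evil.so\n")
    with open(os.path.join(recovered_dir, "notes.txt"), "wb") as fh:
        fh.write(b"just text\n")
    return tgz


def run_demo():
    """Triage the constructed directory and inventory the archive it holds."""
    with tempfile.TemporaryDirectory() as work:
        tgz = build_sample(work)
        kinds = triage(work)
        archives = [n for n, k in kinds.items() if k == "gzip"]
        listing = inventory(tgz)
    return kinds, archives, listing


if __name__ == "__main__":
    kinds, archives, listing = run_demo()
    for name, kind in sorted(kinds.items()):
        print(f"{kind:10s} {name}")
    print("archives to inspect:", archives)
    for m in listing:
        flag = "  <-- path escapes extraction dir" if m["unsafe_path"] else ""
        print(f"{m['size']:6d} {(m['sha256'] or '-')[:16]} {m['name']}{flag}")
```

In the real case, point triage() at the deleted/ directory produced by tsk_recover and inventory() at deleted/lk.tgz; the resulting list of member names and hashes is the answer to "what files make up the deleted rootkit" in a form that can be compared against the trusted binaries of the same distribution, and the unsafe-path check is why listing an attacker's archive is preferable to blindly running tar xvf on it.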
Sources
https://axelauvinen.wordpress.com/2015/09/14/honeynet-scan-of-the-month-scan-15/
http://nikokiuru.com/2013/09/scan-of-the-month-15/
http://dilbert.com/
Based on the Linux course by Tero Karvinen (http://terokarvinen.com)