
Scan of the Month 15

Dilbert, Copyright Scott Adams.


See the original challenge here:

 

The Challenge


On 15 March 2001, a Linux honeypot was successfully compromised, a rootkit was downloaded to the / partition and then deleted from the system. Your mission is to find and recover the deleted rootkit. If you are not sure where to begin on conducting this forensic analysis and recovering the rootkit, we highly recommend you start with the Forensic Challenge. The steps you will have to follow for the rootkit recovery are similar to the steps discussed there. We have posted only the / partition for download to keep this challenge simple. The compressed image is 13MB (honeynet.tar.gz), MD5=0dff8fb9fe022ea80d8f1a4e4ae33e21. Once you have downloaded, untarred, and unzipped the partition image, it will be 255 MB and the checksum should be MD5=5a8ebf5725b15e563c825be85f2f852e.

Show step by step how you identify and recover the deleted rootkit from the / partition.

What files make up the deleted rootkit?"

 

The preparations

 

sudo apt-get install tree
mkdir honey
cd honey

I installed tree to get a better visual overview of the files and directories I was about to explore.
I created a folder for the image file I would download from http://old.honeynet.org/scans/scan15/




wget http://old.honeynet.org/scans/scan15/honeynet.tar.gz
tar xf honeynet.tar.gz
cd honeynet

I extracted the archive with tar, and a new folder, honeynet, appeared. Inside it I found the README file and the target image, honeypot.hda8.dd.


xubuntu@xubuntu:~/honey/honeynet$ tree
.
├── honeypot.hda8.dd
└── README 



Recovering the lost files


I used the instructions written by Tero Karvinen (http://terokarvinen.com/2013/forensic-file-recovery-with-linux) as a guide while recovering the lost files.

mkdir allocated deleted
tsk_recover -a honeypot.hda8.dd allocated/


When I tried to run the recovery command I was told that sleuthkit had to be installed first.

sudo apt-get install sleuthkit
tsk_recover -a honeypot.hda8.dd allocated/   # -a: recover allocated files only
tsk_recover honeypot.hda8.dd deleted/        # no flag: recover unallocated (deleted) files only

This time the commands worked, and in total 1614 allocated and 37 deleted files were recovered.
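As an added example (not part of the original post), the same recovery as a small Python script: it verifies the image's MD5 against the value published with the challenge before any tool touches it, and only then runs tsk_recover twice, once with -a for the allocated files and once without a selection flag for the unallocated (deleted) ones. It assumes sleuthkit is installed on the analysis box; the function and variable names are mine.

```python
import hashlib
import shutil
import subprocess
import sys
from pathlib import Path

# Checksums published with the challenge text above.
EXPECTED_MD5 = {
    "honeynet.tar.gz": "0dff8fb9fe022ea80d8f1a4e4ae33e21",
    "honeypot.hda8.dd": "5a8ebf5725b15e563c825be85f2f852e",
}


def md5_of_file(path, chunk_size=1 << 20):
    """Hash the file in 1 MiB chunks so a 255 MB image is never read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(path, expected_md5):
    """Return (matches, actual_hex); the comparison is case-insensitive."""
    actual = md5_of_file(path)
    return actual == expected_md5.lower(), actual


def tsk_recover_argv(image, outdir, allocated):
    """Build the tsk_recover command line.

    With -a tsk_recover copies out only allocated files; without a selection
    flag it copies out only unallocated (deleted) files, which is the set the
    challenge asks for.
    """
    argv = ["tsk_recover"]
    if allocated:
        argv.append("-a")
    argv += [str(image), str(outdir)]
    return argv


def recover(image, workdir="."):
    """Verify the image, then recover allocated and deleted files into separate directories."""
    ok, actual = verify_image(image, EXPECTED_MD5["honeypot.hda8.dd"])
    if not ok:
        raise SystemExit(f"checksum mismatch for {image}: got {actual}; refusing to analyse")
    if shutil.which("tsk_recover") is None:
        raise SystemExit("tsk_recover not found: install sleuthkit first")
    for subdir, allocated in (("allocated", True), ("deleted", False)):
        outdir = Path(workdir) / subdir
        outdir.mkdir(parents=True, exist_ok=True)
        result = subprocess.run(
            tsk_recover_argv(image, outdir, allocated),
            capture_output=True, text=True, check=True,
        )
        # tsk_recover prints a short summary with the number of files recovered
        print(f"{subdir}: {result.stdout.strip()}")


if __name__ == "__main__":
    # usage: python recover.py honeypot.hda8.dd [workdir]
    recover(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else ".")
```

Checking the hash first matters more than it looks: a mismatch means the download is truncated or altered, and every later finding (including the count of 37 deleted files) would be built on the wrong evidence.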


The research and discovering the rootkit


A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) while at the same time masking its existence or the existence of other software.
- Wikipedia: Rootkit, source: https://en.wikipedia.org/wiki/Rootkit



cd deleted          # the recovered unallocated files
tar xvf lk.tgz      # the archive found among them; extracts into last/
cd last
tree
ls -la

Inside the folder of deleted files I found a strange package, lk.tgz, which I opened with tar once again.
With ls -la I could see which file had been modified last (in this case the install file).

xubuntu@xubuntu:~/honey/honeynet/deleted/last$ tree
.
├── cleaner
├── ifconfig
├── inetd.conf
├── install
├── last.cgi
├── linsniffer
├── logclear
├── lsattr
├── mkxfs
├── netstat
├── pidfile
├── ps
├── s
├── sense
├── services
├── sl2
├── ssh
├── ssh_config
├── sshd_config
├── ssh_host_key
├── ssh_host_key.pub
├── ssh_random_seed
└── top


cat install

I opened the install file with cat and was soon more than sure that this was indeed the source of a rootkit.
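Added example, not from the original post: a triage script for the extracted last/ directory. It compares the recovered file names against the utility names present on the analysis host (reading /bin, /sbin, /usr/bin and /usr/sbin is an assumption about that host) and against a small set of system config names picked from the listing above, then hashes the files that shadow a system utility so they can be compared with a trusted package copy. The listing is embedded as constructed data so the classification runs offline; all function and variable names are mine.

```python
import hashlib
from pathlib import Path

# Listing of the extracted lk.tgz as shown above (constructed from the tree output).
RECOVERED_LISTING = [
    "cleaner", "ifconfig", "inetd.conf", "install", "last.cgi", "linsniffer",
    "logclear", "lsattr", "mkxfs", "netstat", "pidfile", "ps", "s", "sense",
    "services", "sl2", "ssh", "ssh_config", "sshd_config", "ssh_host_key",
    "ssh_host_key.pub", "ssh_random_seed", "top",
]

# Where a stock Linux install keeps its utilities; assumption about the analysis host.
SYSTEM_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")
# System configuration files an installer may overwrite; assumption, chosen from the listing.
SYSTEM_CONFIG_NAMES = {"inetd.conf", "services", "ssh_config", "sshd_config"}


def system_binary_names(dirs=SYSTEM_BIN_DIRS):
    """Collect the utility names present on the analysis host for the comparison."""
    names = set()
    for d in dirs:
        directory = Path(d)
        if directory.is_dir():
            names.update(entry.name for entry in directory.iterdir())
    return names


def classify(recovered_names, reference_binaries, reference_configs=SYSTEM_CONFIG_NAMES):
    """Split recovered names into those that shadow a system utility,
    those that shadow a system config file, and everything else."""
    recovered = set(recovered_names)
    binaries = sorted(recovered & set(reference_binaries))
    configs = sorted(recovered & set(reference_configs))
    other = sorted(recovered - set(binaries) - set(configs))
    return {"shadowed_binaries": binaries, "shadowed_configs": configs, "other": other}


def sha256_of_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, streamed so large binaries are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(extract_dir, reference_binaries=None):
    """Classify the files in an extracted directory and hash the shadowing
    binaries so they can be checked against a trusted copy of each utility."""
    extract_dir = Path(extract_dir)
    if reference_binaries is None:
        reference_binaries = system_binary_names()
    names = [p.name for p in extract_dir.iterdir() if p.is_file()]
    report = classify(names, reference_binaries)
    report["hashes"] = {
        name: sha256_of_file(extract_dir / name) for name in report["shadowed_binaries"]
    }
    return report


if __name__ == "__main__":
    # usage: python triage.py deleted/last
    import json
    import sys
    print(json.dumps(triage(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

The hashes are meant for comparison with the files shipped in the distribution's own packages for the compromised system, not with the analysis host's binaries, which are a different version and would never match anyway; a recovered ps or netstat whose hash differs from the package's copy is the trojaned replacement, and the remaining names (install, cleaner, logclear, linsniffer and the ssh host keys) are the pieces the install script wires together.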



Sources
Lectures by Tero Karvinen
https://en.wikipedia.org/wiki/Rootkit
http://dilbert.com/
Based on Linux course by Tero Karvinen (http://terokarvinen.com)