Assignments of day 4 in week #3

Rootkit analysis (Install trojan horse program)

Last Updated : Tuesday, 04-Jun-2002 15:19:54 HKT

  1. Install the rootkit at your host:

     cd /tmp
     tar zxvf /usr/local2/wsh/rootkit/rkt.tar.gz
     cd rkt
     ./install

     Examine the install script and try to figure out which trojan horse programs have been installed and what backdoor has been created.

  2. Log in to your partner's host and telnet back to the backdoor on your host:

     telnet your_host 8080

     Stay connected until you finish step 4 below.

  3. At your host, type "rehash" so that the shell picks up the backed-up original programs (the *.orig copies) in your search path.

  4. Compare the output of each trojan horse program with that of the original program:

     trojan horse program                      original program
     ls -Fa /usr/src                           ls.orig -Fa /usr/src
     find /usr/src -name .hide -print          find.orig /usr/src -name .hide -print
     du -sk /usr/src/.h*                       du.orig -sk /usr/src/.h*
     ps -aux                                   ps.orig -aux
     pstree                                    pstree.orig
     top                                       top.orig
     ifconfig eth0                             ifconfig.orig eth0
     netstat                                   netstat.orig

     What information do the trojan horse programs try to hide? Examine the /usr/src/.hide/.1* files. What are these files for? Try to edit these files and test whether you can change what the trojan horse programs hide.

  5. Compare the time stamp, checksum and MD5 signature of the trojan horse programs and the original programs, e.g.:

     ls.orig -l /bin/ps /bin/ps.orig
     sum /bin/ps /bin/ps.orig
     /usr/local2/bin/md5 /bin/ps /bin/ps.orig

     Which information from the above comparison should you trust?
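     As an added example (not part of the assignment), the following script runs the step 5 comparison on two constructed stand-ins for /bin/ps and /bin/ps.orig. The replacement is padded to the same size and given the original's modification time, as a rootkit install script can do with `touch -r`, so only the digest still reveals the substitution.

```python
import hashlib
import os
import tempfile


def md5_of(path):
    """Hex MD5 digest of a file, read in chunks (same role as /usr/local2/bin/md5)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare(trojan, orig):
    """Report which of the step 5 attributes differ between the two files.

    mtime and size can both be made to match by the installer, so a clean
    `ls -l` proves nothing; a matching digest cannot be arranged without a
    second preimage, so the digest (against a trusted copy) is what to trust.
    """
    st_t, st_o = os.stat(trojan), os.stat(orig)
    return {
        "mtime_differs": int(st_t.st_mtime) != int(st_o.st_mtime),
        "size_differs": st_t.st_size != st_o.st_size,
        "md5_differs": md5_of(trojan) != md5_of(orig),
    }


def demo():
    """Constructed stand-ins (not real binaries): the 'trojan' has the same
    length as the original and is given the original's timestamps."""
    d = tempfile.mkdtemp()
    orig = os.path.join(d, "ps.orig")
    troj = os.path.join(d, "ps")
    with open(orig, "wb") as f:
        f.write(b"#!/bin/sh\nexec /bin/true  # original\n")
    with open(troj, "wb") as f:
        f.write(b"#!/bin/sh\nexec /bin/true  # trojaned\n")  # same byte length
    st = os.stat(orig)
    os.utime(troj, (st.st_atime, st.st_mtime))  # mimic `touch -r ps.orig ps`
    return compare(troj, orig)


if __name__ == "__main__":
    print(demo())  # mtime and size match, only the MD5 differs
```

     Note that `os.utime` cannot set the inode change time (ctime), so `ls -lc` is harder to fool than `ls -l`, but a digest compared against a known-good copy remains the reliable check.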

  6. Wipe out your login entry.

  7. Erase the log entries.

  8. Install chkrootkit

     Download and install chkrootkit from http://www.chkrootkit.org/. See whether it can detect any of the trojan horse programs you have installed.

  9. Restore your host to its normal state.

Post all your findings on your web pages accordingly.
