Umm…Yeah…So I Think I Got Owned…

Posted: November 8, 2011 in Random pontifications

I know it’s been a long time since I’ve posted, and for this I greatly apologize. However, I’m back today to talk about something I’ve seen quite frequently on Ubuntu Forums recently: people posting rkhunter or chkrootkit logs and asking whether they’ve been owned. So today we’re going to take a quick look at what “getting owned”, or rooted, looks like for MOST Ubuntu users. The simple fact is that most Ubuntu users get cracked through a poorly configured SSH server or VNC server. In this case we’re going to use SSH because I don’t even trust VNC in a VM. Okay, that’s not true, I just had SSH installed already.

We’re going to look at what a rooted system looks like from the victim’s point of view: what your rkhunter logs, your netstat output, your syslog, etc. are going to look like.

So many of you probably already know that if you’re running an internet-facing SSH service you should be using RSA keys for authentication. On top of that you might consider using denyhosts or iptables rate limiting to stop a brute-force attack. Despite the fact that I know myself and at least 10 others preach this on various forums, I can guarantee some of you aren’t doing it. So here we have the average Joe, with his highly ownable SSH service.

We quickly brute-forced it and discovered that our SSH user is a sudoer. Yep, did you guys consider that? One password to rule them all 😉

What does the brute-force attack look like from the victim’s point of view, though? Well, if we take a look at our /var/log/auth.log we can see what the attack looks like.

Nov  7 19:39:18 dangertux-laptop sshd[1953]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.4  user=dangertux
Nov  7 19:39:20 dangertux-laptop sshd[1953]: Failed password for dangertux from 192.168.0.4 port 47193 ssh2
Nov  7 19:39:26 dangertux-laptop sshd[1970]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.4  user=dangertux
Nov  7 19:39:28 dangertux-laptop sshd[1970]: Failed password for dangertux from 192.168.0.4 port 60425 ssh2
Nov  7 19:39:34 dangertux-laptop sshd[1972]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.4  user=dangertux
Nov  7 19:39:36 dangertux-laptop sshd[1972]: Failed password for dangertux from 192.168.0.4 port 34163 ssh2
Nov  7 19:39:42 dangertux-laptop sshd[1974]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.4  user=dangertux
Nov  7 19:39:43 dangertux-laptop sshd[1974]: Failed password for dangertux from 192.168.0.4 port 58979 ssh2
Nov  7 19:39:49 dangertux-laptop sshd[1976]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.4  user=dangertux
Nov  7 19:39:51 dangertux-laptop sshd[1976]: Failed password for dangertux from 192.168.0.4 port 59253 ssh2
Nov  7 19:39:57 dangertux-laptop sshd[1979]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.4  user=dangertux
Nov  7 19:39:59 dangertux-laptop sshd[1979]: Failed password for dangertux from 192.168.0.4 port 59213 ssh2
Nov  7 19:40:05 dangertux-laptop sshd[1981]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.4  user=dangertux
Nov  7 19:40:06 dangertux-laptop sshd[1981]: Failed password for dangertux from 192.168.0.4 port 48775 ssh2
Nov  7 19:40:12 dangertux-laptop sshd[1983]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.4  user=dangertux
Nov  7 19:40:14 dangertux-laptop sshd[1983]: Failed password for dangertux from 192.168.0.4 port 58695 ssh2
Nov  7 19:40:19 dangertux-laptop sshd[1985]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.4  user=dangertux
Nov  7 19:40:22 dangertux-laptop sshd[1985]: Failed password for dangertux from 192.168.0.4 port 44615 ssh2
Nov  7 19:40:28 dangertux-laptop sshd[1987]: Accepted password for dangertux from 192.168.0.4 port 59713 ssh2
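The tell-tale pattern in that excerpt is a run of "Failed password" lines from one address followed by an "Accepted password" from the same address. Here is an added Python example (my own, not code from the original post) that scans an auth.log for exactly that sequence; the sample lines are constructed from the excerpt above and the failure threshold is an assumed value you can tune.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the /var/log/auth.log excerpt above.
SAMPLE_AUTH_LOG = """\
Nov  7 19:39:20 dangertux-laptop sshd[1953]: Failed password for dangertux from 192.168.0.4 port 47193 ssh2
Nov  7 19:39:28 dangertux-laptop sshd[1970]: Failed password for dangertux from 192.168.0.4 port 60425 ssh2
Nov  7 19:39:36 dangertux-laptop sshd[1972]: Failed password for dangertux from 192.168.0.4 port 34163 ssh2
Nov  7 19:39:43 dangertux-laptop sshd[1974]: Failed password for dangertux from 192.168.0.4 port 58979 ssh2
Nov  7 19:40:28 dangertux-laptop sshd[1987]: Accepted password for dangertux from 192.168.0.4 port 59713 ssh2
Nov  7 19:41:02 dangertux-laptop sshd[1990]: Accepted publickey for alice from 192.168.0.9 port 50001 ssh2
"""

# Matches sshd's "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
# The pam_unix "authentication failure" lines are deliberately ignored: sshd logs the
# "Failed password" line for the same attempt, so counting both would double-count.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def find_brute_force_logins(log_text, threshold=3):
    """Return (ip, user, failures, timestamp) for each password login that was
    accepted after at least `threshold` consecutive failures from the same ip/user.
    `threshold` is an assumed default, not a value from the post."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            failures[key] += 1
        elif m["method"] == "password" and failures[key] >= threshold:
            hits.append((m["ip"], m["user"], failures[key], m["ts"]))
            failures[key] = 0
        else:
            # A key-based login or a success after few failures resets the counter.
            failures[key] = 0
    return hits


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    for ip, user, n, ts in find_brute_force_logins(text):
        print(f"{ts}: {user}@{ip} accepted after {n} failed passwords")
```

Run it against a real log with `python3 sshbrute.py /var/log/auth.log`; with denyhosts or rate limiting in place you should never see a hit, because the attacker is cut off long before the guess that succeeds.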

So now that we have our SSH session established, we can give ourselves a little more access by setting up an additional foothold in the form of a meterpreter or netcat reverse shell. If you are one of those cautious types who lives with a terminal running watch netstat -an, you might notice this.

So now that we have root privileges on our system, we’re going to install a rootkit. Just for good measure: we could have easily made our netcat or meterpreter session persistent since we already had uid 0, but this is to illustrate what rkhunter looks like when it’s not giving off false positives.

So we compile good ole Phalanx, which for some reason still works amazingly after 6 years. Psst…maybe someone should do something about this? Well, whatever. Anyway, after it’s compiled we configure all of its awesome features (there are only 3 of them lol), we execute it, and it kindly hooks our kernel for us. However, what does this look like for the victim?

If you check your syslog you’ll notice that Phalanx takes a bad guess at where the first memory address is and fails to hook it (don’t worry, it gets it later). However, this gives you a shot at seeing it hook in your syslog before it cleans up after itself.

Nov  7 21:27:40 dangertux-laptop kernel: [ 7549.229981] phalanx[27964]: segfault at 763405 ip 080490ee sp bfe940b0 error 4 in phalanx[8048000+5000]
Nov  7 21:28:09 dangertux-laptop kernel: [ 7577.979252] Program phalanx tried to access /dev/mem between 0->1f400000.
Nov  7 21:28:09 dangertux-laptop kernel: [ 7577.979292] phalanx[29055]: segfault at 763405 ip 080490ee sp bff465e0 error 4 in phalanx[8048000+5000]

Note: this is the last time you will see Phalanx’s pid once it hooks your kernel.

So now that it’s hooked our kernel, the system is completely trashed in terms of recoverability (reinstall incoming). What options, if any, do we have for detecting it? Well, thankfully signatured rootkits such as Phalanx get detected pretty well by rkhunter. I’m personally not a fan of chkrootkit, but it should detect it as well. As we can see, rkhunter DOES detect Phalanx. Unfortunately, you’re pretty much done at this point in terms of removal; you can try to remove a rootkit if you’d like to waste a ton of time, but generally speaking once a system is this owned it’s best to hope you’ve been doing your backups diligently and do a full reinstall.

Here also we have an excerpt from the /var/log/rkhunter.log file showing exactly what it found. Pay special attention to these entries, as they show exactly what rkhunter is looking for in terms of the rootkit. Also, for all of you wondering about false positives, at the end of this post there will be a “clean” rkhunter.log from a scan done on a default Ubuntu 10.04 installation, if you’d like to compare notes.

[21:32:40]
[21:32:40] Checking for Phalanx Rootkit...
[21:32:40]   Checking for file '/uNFuNF'                     [ Not found ]
[21:32:40]   Checking for file '/etc/host.ph1'               [ Found ]
[21:32:40]   Checking for file '/bin/host.ph1'               [ Found ]
[21:32:40]   Checking for file '/usr/share/.home.ph1/phalanx' [ Found ]
[21:32:41]   Checking for file '/usr/share/.home.ph1/cb'     [ Found ]
[21:32:41]   Checking for file '/usr/share/.home.ph1/kebab'  [ Not found ]
[21:32:41]   Checking for directory '/usr/share/.home.ph1'   [ Found ]
[21:32:41]   Checking for directory '/usr/share/.home.ph1/tty' [ Found ]
[21:32:41] Warning: Phalanx Rootkit                          [ Warning ]
[21:32:41]          File '/etc/host.ph1' found
[21:32:42]          File '/bin/host.ph1' found
[21:32:42]          File '/usr/share/.home.ph1/phalanx' found
[21:32:42]          File '/usr/share/.home.ph1/cb' found
[21:32:42]          Directory '/usr/share/.home.ph1' found
[21:32:42]          Directory '/usr/share/.home.ph1/tty' found
[21:32:42]

So as you can see we definitely have a rooted box, and it’s time to hose the thing. Hopefully, this will help demystify what actually happens when a system is rootkitted, and give you some tips to determine if your system is rooted in this manner.

Also, here is a brief list of rootkits that I have successfully compiled and used on Ubuntu 10.04 LTS and higher systems. You would be quite surprised at how old some of them are and how many still work just fine. This is not exhaustive, and these are only signatured rootkits, nothing custom, but it might give you a little insight into what threats you’re looking for.

Phalanx-b6
Phalanx
Phalanx2
Flea Rootkit
Ambient Rootkit

Hope this wasn’t too dry for a Monday, I haven’t been really creative in what to talk / write about lately. 😦

Also, as promised, here is the clean rkhunter.log
