Archive

Archive for September, 2009

From pass_file to Script Kiddies

September 30, 2009 8 comments

This is a follow-up to my previous post.  For background on this post, please read that post.

The botnet master behind the attacks described in the last post could be*:

Image © Crystal Project

Image © Crystal Project

  • Romanian
  • trancetears@yahoo.com, cezar179@yahoo.com and/or hotzu@hotzu.us
  • Frequenting IRC (Undernet): Diemen.NL.EU.Undernet.org:6667
  • Controlling a small botnet with IRC nickname fSs in channel #19
  • Talking in these channels: #ls, #Work, #LinuxTeam, #Linux-Team, #Catalin, #112, #juno and #master
  • Using small variations of the word “tears” for his/her handles and the handles of his/her bots
  • (Probably) proxying his/her IRC connection through compromised hosts
  • Using pre-packaged tools

*I don’t have any evidence indicating that this specific individual is the one attacking me (in fact it’s kind of a long shot), but I do have evidence that this individual is using a toolkit very similar to the one being used against me and that this individual is operating a botnet.  You sacrifice privacy when you choose to run a botnet.

script kiddie magic

this is how you know they're legit. they have skulls and knives in their banners.


Gathering the info:

I’ve been running my modified sshd for a few days now, and as previously mentioned, I have a fairly lengthy log going already.

My original purpose for collecting full usernames & passwords tried against my server was to use those captured credentials to determine whether this dictionary attack was the work of a single group or the work of multiple groups.  I set out determine which using the following observations:

  • If there is a single group behind these attacks, it would make sense that they would synchronize this work amongst the attacking IPs, allowing the attack to evade simple IDS rules and avoid duplication of effort.
  • If there are multiple parties behind these attacks, it would make sense that the same username/password combinations would be tried by different hosts, pointing to a lack of synchronization.

Let’s take a look at first two IPs in these logs:

  • For about 8 minutes from 09/27/09 05:05:47 AM until 09/27/09 05:13:38 AM PST, 85.62.95.198 tried a list of 86 username / password combinations.
  • For about 2 minutes from 09/27/09 07:06:10 AM until 09/27/09 07:08:03 AM PST, 190.82.64.149 tried the exact same username / password combinations in the exact same order.
  • 85.62.95.198 made a request every 7 seconds and 190.82.64.149 made a request every 2 seconds, with very small clock drift.
  • Using two hosts was almost certainly a duplication of effort (that is unless they were trying to determine the rate at which my ssh daemon would process logins…in which case they were just sloppy).
  • Given the even spread of the attempts and the identical dictionaries, it’s not unreasonable to conclude that these two hosts are running the same attack software with a wait parameter changed.

So: one group (no synchronization of dictionaries between bots), or multiple groups (both using a common dictionary)?

In order to determine which, I needed more information on the toolkit in use here. 


Warning: the URL below should not be visited without taking precautions. I use NoScript inside of a VM when looking at sites I know to be malicious. Whenever possible, I have notified the providers hosting this malicious software and have reported whatever is applicable to Google Safe Browsing.


I am a fan of full disclosure; I will be listing sites that are hosting malicious toolkits.  Please do not make the mistake that blackhats find toolkits by reading whitehat blogs.  They already know about and use these tools or could easily find them with simple Google searches (as I did).  Exposure to real world attacks and toolkits is an important learning tool for anyone on the defensive.  Not talking about them doesn’t help anyone.


blah

yeah - this is the entire script.

I took the odd-looking username/password combinations and ran some Google searches.  The following is what I found with my first search.  I’ve found much more than this, including more sophisticated attacks and full output (screenshots, keys pressed) from a keylogger, but going into that would be too much material for this post.

search term: mythtv vivafood
initial result: pass_file
host: f0rbidden.home.ro
notes: payload staging server; activity as recently as Sep. 13th
interesting files found on host:

boo.tgz:

  • Linux IRC bot
  • c&c information

boodarwin.tgz:

  • darwin: PPC Mach-O (OS X) IRC bot
  • freebsd: FreeBSD IRC bot
  • sendmail: Unix IRC bot
  • pico (trojaned? are the attackers unfamiliar with vi?)
  • help files and configuration for a popular botnet control program
  • “random” IRC nicks, comments, away messages, insults, etc.

gosh.tgz:

  • a bunch of things we’ve seen already
  • ssh-scan, ss: ssh brute-forcer & tool; based on libssh-0.1
  • pscan2: a port scanner
  • a, go.sh: ssh-scan supporting scripts
  • mfu.txt: a list of IPs serving SSH(?)
  • vuln.txt: a file to hold successfully brute-forced hosts
  • gen-pass.sh: combines a user list & password list into a single list
  • secure.sh: checks if user is root, moves mail to s8 if user is root

psyBNC-2.3.2-7.tar.gz & psyDarwin.tgz:

  • IRC bouncers (BNC). Allows the attackers to proxy their IRC connections through infected hosts.

sniff.tgz:

  • a bunch of things we’ve seen already
  • the bot master’s email address (found inside sniff/install)

liviu.tar (partially corrupted):

  • a bunch of things we’ve seen already
  • a PHP shell
  • ps: trojan horse scanner

gosh.tgz is a Romanian(?) kit made a group identified as “TASE”.
scam, a file inside gosh.tgz, will email the following to hotzu@hotzu.us:

  • output from /sbin/ifpconfig (IP address of bot)
  • output from uptime (reliability of bot)
  • /etc/issue (bot’s Linux distribution)
  • /etc/passwd (valid users on bot)
  • output from id (current user)
  • output from df -h (disk space available on bot)
  • output from pwd (working directory)
  • current list of successfully brute-forced hosts

As previously stated, I’m not going to dissect the other malware staging servers I found as this would take too much time/space.  I will, however, point out a few highlights that resulted from some simple Google searching with the usernames / passwords tried against me (you’re going to have to find these yourself):

  • a complete PayPal phishing package (source code included)
  • output from a keylogger (screenshots, captured credentials)
  • possible source code for the ssh brute-force utility
  • a rather odd place for a pass_file
  • privilege escalation attempts (most likely successful, judging by the timestamps); very similar tools appear to be used post-escalation
  • Conficker uses some of the same passwords that have been used against me
  • valid* logins to SSH servers on compromised hosts
  • the same toolkit (or slight variations thereof) on about a dozen hosts (hosting providers have been notified)

*Obviously I didn’t verify this.

At this point I know a lot about the tools most likely being run against me.  But what about some more info on the attackers?  IRC information was included in some malware kits…

I decided to look up the OP and see what other channels (s)he frequents.  Almost all were Romanian chat channels, but #a1b2c3 looked interesting:

very lonely botnet

a very lonely c&c channel.

…as did #19:

looks like (s)he figured me out.  no more trolling c&c channels for me.

looks like (s)he figured me out. no more trolling c&c channels for me.

The #19 log is particularly interesting because you can clearly see fSs issue commands and expect a response.  After I failed to respond correctly, was he actually asking me something or is all of this part of the “random” request/response/nickname/away message lists mentioned previously?  Is everyone just reading from a script but me?

The command “shit” is an EnergyMech command.   He told all his bots to ban me (shitlist me) for the next 999 days even if one of them tries to unban me.  His reason for doing this is “boo”.

Hacking sshd for a pass_file

September 28, 2009 16 comments

First of all, I want to apologize for not getting around to writing part 2 of my previous post yet. I have more free time now and have started research for that post, but haven’t had a chance to write everything down yet. Hopefully I’ll get to it soon.

Update: some people have been confused at to my intention or my recommended use of the code I present here.  Let me make a few things clear:

  1. Don’t make these modifications on any production machine
  2. Don’t make these modifications on any machine receiving a lot of traffic
  3. This isn’t the best way to capture logins.

I called it a “hack” for a reason.  It’s something I threw together in a few minutes in order to gather the necessary data to conduct the analysis I did in my next post.  As dozzie pointed out, this can be done better by writing a PAM module.  My purpose here was not to write something robust, rather to write something quick in order to find a password file being used against me.  I apologize for any confusion.


This post concerns another topic I’ve been interested in for a while: honeypots.  Some friends and I run an SSH server and have that server registered with DynDNS so that we will always have an easy route to our box without remembering an IP address.  A botnet master may find it to be a profitable endeavor to scan predictable (ours is predictable) DynDNS entries for popular services offered over known ports and attempt to guess credentials for those services.

Keeping in mind that:

  • only a fraction of the subdomains pinged will actually be registered with DynDNS
  • only a fraction of the registered subdomains will be offering authentication services
  • only a fraction of the authentication services will allow predictable usernames*, and
  • only a fraction of those valid usernames will have predictable passwords

* root logins aren’t allowed by default on openssh and many other SSH implementations.

The (hopefully) small number of boxes that can be owned by brute forcing with this method apparently outweighs the cost to our adversary(ies).  As I later discovered, our IP address wasn’t enumerated via our DynDNS entry, but was brute forced.  Yeah.  They are trying IP addresses sequentially.

We noticed the SSH logs for our box were getting suspiciously long and it was pretty obvious why:

09/24/2009 12:49:19 PM: [FAIL] An error occured during key exchange auth done
09/24/2009 12:49:19 PM: [NOTE] Connection from 118.46.137.101 disconnected
09/24/2009 12:49:20 PM: [FAIL] An error occured during key exchange auth done
09/24/2009 12:49:20 PM: [NOTE] Connection from 118.46.137.101 disconnected
(repeat about 100 times)...

Our gateway Snort agreed that something was up:

[ ** ] [ 1:2001219:18 ] ET SCAN Potential SSH Scan [ ** ]
[ Classification: Attempted Information Leak ] [ Priority: 2 ]
09/17-10:49:59.339210 118.46.137.101:50905 -> ***.***.***.***:22
(repeat about 100 times)...

The attacking IP addresses would change periodically.

Perhaps I could discover if this is a single attacker or if this is multiple attackers:

  • If there is a single group behind these attacks, it would make sense that they would synchronize this work amongst the attacking IPs, allowing the attack to evade simple IDS rules and avoid duplication of effort.
  • If there are multiple parties behind these attacks, it would make sense that the same username/password combinations would be tried by different hosts, pointing to a lack of synchronization.

Of course this is a lot of assuming and is hardly scientific, but promises to be a fun experiment regardless.

My first thought was: I’ll build a honeynet!  After reading more about honeynets, however, I came to realize that a honeypot would require a lot of network work and a tough cost/benefit analysis. The problem is that a smart attacker will first check his/her newly compromised environment: is he/she root? is he/she in an obvious VM or jail? what others hosts are on this subnet?

If the attacker isn’t satisfied that what they’ve compromised is a unwitting user’s box (and not a honeypot), they may never execute telling commands or push interesting payloads. On the other hand, if you give the attacker too much access, the attacker may use your box to attack others, host child pornography or conduct other malicious/illegal actions.  To everyone else it will look like your box (and by extension, you) are doing these illegal things. In such a scenario, you would be presumed guilty unless you can prove you’re running a honeypot and aren’t actually the person breaking the law.

Having a severe lack of lawyers at my side (I do know a few poly sci majors), I opted to go a different route, at least for now:

I’ll modify sshd itself, causing it to log the time and origin of all attempts to authenticate, along with the complete usernames & passwords attempted.

This is not a new idea, in fact, it’s kinda what honeyd is for, but I thought it would be fun to do the ssh modification myself and follow the password trail to see where it leads.  (Where these harvested passwords lead will be the topic of my next post.)

For obvious reasons, openssh and others never log incorrect passwords (a mistype of your password would get winblowz logged when you meant winblows…such logging would make it trivial to escalate privilege).

Setting up the Server:

I chose to use VirtualBox on a Windows XP machine to virtualize Ubuntu 9.04 Desktop, on which I will be serving SSH with openssh.  VirtualBox is like VMware Workstation except it’s free (as in speech).  The process of creating and configuring a VM is outside the scope of this post.  Don’t do this on a production machine or any machine that has multiple users, as privilege escalation may become trivial.

The rest of these instructions will be valid for Ubuntu 9.04 Desktop’s default directory structure, installed software and openssh-5.1p1.  They can easily be adapted to other environments & versions of openssh.  The instructions listed here result in multiple installations of openssh-server.  I did’t really care about overlap in this throwaway VM environment, so long as I could get my modified sshd running with Ubuntu’s daemon manager.  A purist might do this another way.

1) Install the required dependencies for building openssh:

sudo apt-get install zlib1g-dev libssl-dev

2) Install openssh-server itself (we’ll modify the default installation):

sudo apt-get install openssh-server

3) Check which version of openssh you’re running:

ssh -v

4) Get the source code of the version of openssh you’re currently running (by the using the same version we may avoid odd version dependency issues).

5) (Optional) Download the corresponding .asc file & verify your copy of openssh.

gpg --recv-key 86FF9C48
gpg --verify openssh-5.1p1.tar.gz.asc openssh-5.1p1.tar.gz

(The above is the signing key for Damien Miller, maintainer of portable openssh. Try to guess which is him.)

Of course, if you’re really concerned about the integrity of your openssh download, you’ll want to verify gpg fingerprints as well.

Hacking sshd:

1) Extract the source & verify you can successfully build it:

tar -xvf openssh-5.1p1.tar.gz
cd openssh-5.1p1
./configure
make
ls -al | grep sshd

If you see an sshd binary, you compiled it.

2) Stop the sshd daemon:

sudo /etc/init.d/ssh stop

3) Install the openssh build you just created. (This is to put the config files, etc. in locations that our modified sshd will expect, while breaking very little of the Ubuntu package installation.  Since we’re not going to modify the config files, we don’t need to worry about syncing changes between them.)

sudo make install

4) Back up your current sshd binary (just in case):

sudo cp /usr/sbin/sshd /usr/sbin/sshd_original

5) Make the following modification to openssh-5.1p1/auth-passwd.c:

--- auth-passwd_original.c    2007-10-25 21:25:12.000000000 -0700
+++ auth-passwd.c    2009-09-28 21:35:04.000000000 -0700
@@ -53,6 +53,7 @@
 #include "hostfile.h"
 #include "auth.h"
 #include "auth-options.h"
+#include "canohost.h"

 extern Buffer loginmsg;
 extern ServerOptions options;
@@ -82,6 +83,23 @@
 {
 struct passwd * pw = authctxt->pw;
 int result, ok = authctxt->valid;
+
+    if (*password != '')
+    {
+        struct tm *timePtr;
+        time_t localTime;
+        char timeString[100];
+
+        localTime = time(NULL);
+        timePtr = localtime(&localTime);
+        strftime(timeString, 100, "%D %r", timePtr);
+
+        FILE *logFile;
+        logFile = fopen("/var/log/sshd_attempts","a+");
+        fprintf (logFile,"From: %s at: %s | user: %s, pass: %s\n", \
get_remote_ipaddr(), timeString, authctxt->user, password);
+        fclose (logFile);
+    }
+
 #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
 static int expire_checked = 0;
 #endif

Or you can grab my modified auth-passwd.c file and throw it in your openssh source directory.

6) Rebuild sshd:

make

7) Stop SSH, replace sshd, Start SSH:

sudo /etc/init.d/ssh stop
sudo cp sshd /usr/sbin/sshd
sudo /etc/init.d/ssh start

You’re done.  You should now have a modified sshd binary running your openssh server and logging all connection attempts to /var/log/sshd_attempts.  I’ve been running my modified sshd for a few days now and have collected quite a few of these attempts. Click below to view the connection attempts against my server.

View my Log

Part 2: From pass_file to Script Kiddies