This is piecemeal, I just wanted to put my thoughts down.

First off:

root     pts/3        ip.c Thu Jan 21 20:32 - 20:35  (00:03)
root     pts/3        ip.c Thu Jan 21 20:31 - 20:31  (00:00)
root     pts/3        ip.c Thu Jan 21 00:04 - 00:04  (00:00)
jackyll  pts/3        ip.c Wed Jan 20 23:30 - 23:51  (00:21)
root     pts/3        ip.c Wed Jan 20 23:11 - 23:11  (00:00)
jackyll  pts/3        ip.c Wed Jan 20 22:58 - 23:07  (00:09)
jackyll  pts/0        ip.c Wed Jan 20 19:46 - 19:48  (00:01)

I can see that the attack began at around 19:46 on 20 Jan, they got root sometime around 23:00, and then came back on the 21st to do some more stuff. All the interesting files will be from this timeframe. Note that I deleted a lot of the lines; there was a lot more activity than I pasted here.

First off, let's see what they CHANGED in this timeframe.
I am specifically looking for the change time (ctime), because unlike the access and modify times it cannot be set using the touch command.

find / -newerct "2016-01-19" | xargs stat 2>/dev/null | grep -B 6 -A 1 "Change: 2016-01-2[012]"

  File: `/root/.ssh/authorized_keys'
  Size: 782             Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 786441      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2015-10-11 16:27:20.846649842 -0400
Modify: 2016-01-20 23:11:18.327282000 -0500
Change: 2016-01-20 23:11:18.327282000 -0500
--
  File: `/root/ops'
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: fd01h/64769d    Inode: 786631      Links: 2
Access: (0775/drwxrwxr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2015-10-16 14:42:43.318676000 -0400
Modify: 2016-01-20 22:58:19.827282000 -0500
Change: 2016-01-20 22:58:19.827282000 -0500
--
  File: `/usr/bin/perl'
  Size: 1462760         Blocks: 2864       IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 1050296     Links: 2
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-04-09 14:54:53.000000000 -0400
Modify: 2014-02-04 18:30:54.000000000 -0500
Change: 2016-01-20 23:47:01.523282000 -0500
--
  File: `/usr/bin/python2.7'
  Size: 2795288         Blocks: 5464       IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 1055585     Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2015-10-18 21:00:54.000000000 -0400
Modify: 2015-06-22 16:23:19.000000000 -0400
Change: 2016-01-20 23:46:33.891282000 -0500
--
  File: `/usr/bin/nmap'
  Size: 728952          Blocks: 1424       IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 1062256     Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2013-10-24 18:39:50.709545046 -0400
Modify: 2011-12-14 10:15:57.000000000 -0500
Change: 2016-01-20 23:43:49.731282000 -0500
--
  File: `/usr/bin/perl5.14.2'
  Size: 1462760         Blocks: 2864       IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 1050296     Links: 2
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-04-09 14:54:53.000000000 -0400
Modify: 2014-02-04 18:30:54.000000000 -0500
Change: 2016-01-20 23:47:01.523282000 -0500
--
  File: `/usr/bin/gcc-4.6'
  Size: 306200          Blocks: 600        IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 1083029     Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2015-10-12 22:27:43.000000000 -0400
Modify: 2012-04-15 19:45:33.000000000 -0400
Change: 2016-01-20 23:47:37.343282000 -0500
find: `/proc/13708/task/13708/fd/5': No such file or directory
find: `/proc/13708/task/13708/fdinfo/5': No such file or directory
find: `/proc/13708/fd/5': No such file or directory
find: `/proc/13708/fdinfo/5': No such file or directory
find: `/proc/13722': No such file or directory
--
  File: `/etc/group'
  Size: 744             Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 411725      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-01-20 22:55:21.699282000 -0500
Modify: 2016-01-20 22:55:21.699282000 -0500
Change: 2016-01-20 22:55:21.703282000 -0500
--
  File: `/home/jackyll/.config'
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: fd01h/64769d    Inode: 540512      Links: 3
Access: (0700/drwx------)  Uid: ( 1002/ jackyll)   Gid: ( 1002/ jackyll)
Access: 2016-01-20 20:38:52.295282000 -0500
Modify: 2016-01-20 20:38:52.295282000 -0500
Change: 2016-01-20 20:38:52.295282000 -0500
--
  File: `/home/jackyll/.config/htop'
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: fd01h/64769d    Inode: 540513      Links: 2
Access: (0700/drwx------)  Uid: ( 1002/ jackyll)   Gid: ( 1002/ jackyll)
Access: 2016-01-20 20:38:52.295282000 -0500
Modify: 2016-01-20 20:38:58.415282000 -0500
Change: 2016-01-20 20:38:58.415282000 -0500
--
  File: `/home/jackyll/.config/htop/htoprc'
  Size: 597             Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 540514      Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1002/ jackyll)   Gid: ( 1002/ jackyll)
Access: 2016-01-20 20:38:58.415282000 -0500
Modify: 2016-01-20 20:38:58.415282000 -0500
Change: 2016-01-20 20:38:58.415282000 -0500
--
  File: `/sbin'
  Size: 12288           Blocks: 24         IO Block: 4096   directory
Device: fd01h/64769d    Inode: 262145      Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2013-10-24 18:39:45.101330215 -0400
Modify: 2016-01-20 23:33:28.143282000 -0500
Change: 2016-01-20 23:33:28.143282000 -0500
--
  File: `/sbin/dosfsmount'
  Size: 7390            Blocks: 16         IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 540536      Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2015-05-01 13:37:00.000000000 -0400
Modify: 2015-05-01 13:37:00.000000000 -0400
Change: 2016-01-20 23:35:02.059282000 -0500
--
  File: `/bin/nano'
  Size: 170016          Blocks: 336        IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 262368      Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2013-10-24 18:39:45.797356874 -0400
Modify: 2010-12-03 14:40:19.000000000 -0500
Change: 2016-01-20 23:42:05.151282000 -0500

  File: `/root'
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: fd01h/64769d    Inode: 786433      Links: 10
Access: (0700/drwx------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2013-10-24 18:39:45.621350135 -0400
Modify: 2016-01-21 00:25:57.987282000 -0500
Change: 2016-01-21 00:25:57.987282000 -0500
--
  File: `/root/auth.log'
  Size: 1               Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 787953      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-01-21 00:25:57.987282000 -0500
Modify: 2016-01-21 00:25:57.987282000 -0500
Change: 2016-01-21 00:25:57.987282000 -0500
--
  File: `/root/.profile'
  Size: 471             Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 787908      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-01-20 23:21:47.935282000 -0500
Modify: 2016-01-21 20:31:14.631282000 -0500
Change: 2016-01-21 20:31:14.631282000 -0500
--
  File: `/root/.viminfo'
  Size: 4762            Blocks: 16         IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 787822      Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-01-21 00:19:52.459282000 -0500
Modify: 2016-01-21 00:19:52.459282000 -0500
Change: 2016-01-21 00:19:52.459282000 -0500
find: `/proc/13742/task/13742/fd/5': No such file or directory
find: `/proc/13742/task/13742/fdinfo/5': No such file or directory
find: `/proc/13742/fd/5': No such file or directory
find: `/proc/13742/fdinfo/5': No such file or directory
find: `/proc/13756': No such file or directory
--
  File: `/etc/sudoers.d'
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: fd01h/64769d    Inode: 393837      Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2013-10-24 18:39:45.657351511 -0400
Modify: 2016-01-21 00:22:50.007282000 -0500
Change: 2016-01-21 00:22:50.007282000 -0500
--
  File: `/etc/sudoers.d/README'
  Size: 783             Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 393838      Links: 1
Access: (0440/-r--r-----)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2013-10-24 18:39:45.657351511 -0400
Modify: 2016-01-21 00:24:58.351282000 -0500
Change: 2016-01-21 00:24:58.351282000 -0500
--
  File: `/var/backups/group.bak'
  Size: 744             Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 790957      Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-01-20 22:55:21.699282000 -0500
Modify: 2016-01-20 22:55:21.699282000 -0500
Change: 2016-01-21 06:56:54.047282000 -0500
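The pipeline above does the search and leaves the reading to the analyst. As an added example (not code from the original post), the script below parses that same `stat` block format and applies the two checks that matter here: a ctime inside the incident window combined with a setuid/setgid bit, and a ctime that moved while the mtime did not, which means a chmod/chown/link rather than a content edit (exactly the kind of change touch cannot forge). The sample input is constructed; two records copy entries from the post and the third is a made-up benign file. One caveat on the original pipeline: it feeds paths to xargs unquoted, so a filename containing whitespace would be split; `find ... -print0 | xargs -0 stat` avoids that.

```python
"""Parse `stat` output blocks and flag ctime changes inside an incident window.

Added example, not code from the original post. The input format is the one
`stat` prints (File / Size / Device / Access perms / Access / Modify / Change).
"""
import re
import stat as st
from datetime import datetime, timedelta, timezone

# Constructed sample: the first two records copy entries shown in the post,
# the third is a made-up benign file changed before the incident window.
SAMPLE_STAT_OUTPUT = """\
  File: `/usr/bin/python2.7'
  Size: 2795288         Blocks: 5464       IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 1055585     Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2015-10-18 21:00:54.000000000 -0400
Modify: 2015-06-22 16:23:19.000000000 -0400
Change: 2016-01-20 23:46:33.891282000 -0500
--
  File: `/root/.ssh/authorized_keys'
  Size: 782             Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 786441      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2015-10-11 16:27:20.846649842 -0400
Modify: 2016-01-20 23:11:18.327282000 -0500
Change: 2016-01-20 23:11:18.327282000 -0500
find: `/proc/13722': No such file or directory
--
  File: `/var/cache/apt/pkgcache.bin'
  Size: 31337           Blocks: 64         IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 900001      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-01-18 03:00:00.000000000 -0500
Modify: 2016-01-18 03:00:00.000000000 -0500
Change: 2016-01-18 03:00:00.000000000 -0500
"""

# Paths where any change during the window deserves a look, setuid or not.
SENSITIVE_PREFIXES = ("/root/.ssh", "/etc/sudoers", "/etc/passwd",
                      "/etc/shadow", "/etc/group", "/etc/cron")

_FILE = re.compile(r"File: [`'](.+)'$")
_PERMS = re.compile(r"Access: \((\d{4})/")
_TIME = re.compile(r"(Access|Modify|Change): (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ ([+-]\d{4})$")


def _parse_ts(clock, tz):
    # stat prints nanoseconds; strptime handles microseconds at most, so the
    # fraction is dropped (second resolution is plenty for a timeline).
    return datetime.strptime(f"{clock} {tz}", "%Y-%m-%d %H:%M:%S %z")


def parse_stat_blocks(text):
    """Return one dict per stat record: path, mode (int) and the three times."""
    records, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "--"):          # grep's group separator or a blank line
            if cur:
                records.append(cur)
            cur = {}
            continue
        if (m := _FILE.search(line)):
            cur["path"] = m.group(1)
        elif (m := _PERMS.search(line)):
            cur["mode"] = int(m.group(1), 8)
        elif (m := _TIME.search(line)):
            cur[m.group(1).lower()] = _parse_ts(m.group(2), m.group(3))
        # Size/Device lines and stray `find:` errors carry nothing we need.
    if cur:
        records.append(cur)
    return records


def flag_changes(records, window_start, window_end):
    """Map path -> list of reasons for records whose ctime lies in the window."""
    findings = {}
    for r in records:
        change = r.get("change")
        if change is None or not (window_start <= change <= window_end):
            continue
        reasons = []
        if r.get("mode", 0) & (st.S_ISUID | st.S_ISGID):
            reasons.append("setuid/setgid bit set")
        modify = r.get("modify")
        # ctime moved but mtime did not: a chmod/chown/link, not a content
        # edit, and exactly the kind of change touch cannot forge.
        if modify is not None and (change - modify) > timedelta(minutes=1):
            reasons.append("metadata-only change (mtime unchanged)")
        if r["path"].startswith(SENSITIVE_PREFIXES):
            reasons.append("sensitive path")
        if reasons:
            findings[r["path"]] = reasons
    return findings


def triage(text=SAMPLE_STAT_OUTPUT):
    """Run parse + flag over the post's incident window (US Eastern, UTC-5)."""
    eastern = timezone(timedelta(hours=-5))
    start = datetime(2016, 1, 20, 19, 46, tzinfo=eastern)  # first jackyll login
    end = datetime(2016, 1, 21, 21, 0, tzinfo=eastern)     # after the last root session
    return flag_changes(parse_stat_blocks(text), start, end)


if __name__ == "__main__":
    for path, reasons in triage().items():
        print(f"{path}: {', '.join(reasons)}")
```

Feed it the real output with `python3 triage.py < stat.txt` after swapping `SAMPLE_STAT_OUTPUT` for `sys.stdin.read()`; the window boundaries come from the `last` output, so adjust them to the case at hand.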

Here’s a breakdown of just the filenames:

/root/.ssh/authorized_keys
/root/ops
/usr/bin/perl
/usr/bin/python2.7
/usr/bin/nmap
/usr/bin/perl5.14.2
/usr/bin/gcc-4.6
/etc/group
/home/jackyll/.config
/home/jackyll/.config/htop
/home/jackyll/.config/htop/htoprc
/sbin
/sbin/dosfsmount
/bin/nano
/root
/root/auth.log
/root/.profile
/root/.viminfo
/etc/sudoers.d
/etc/sudoers.d/README
/var/backups/group.bak

So my thoughts:

perl, python, nano, and nmap have all had the suid bit set. All four of these programs, with the suid bit set, can allow a normal user to escalate to root. Here's a quick breakdown of how:

perl -U -e "exec('/bin/sh');"
python -c "import os;os.execl('/bin/sh')"
nmap --interactive
!sh

Nano is a little trickier. However, since suid is set you can edit root-owned files. Any root-owned file with +x set could simply be changed to drop you into a shell.

-rwsr-xr-x 1 root root 306200 Apr 15 2012 /usr/bin/gcc-4.6
gcc also has the suid bit set. I'll be honest, I'm not sure what advantage this provides.

The modification to /root/.ssh/authorized_keys was the addition of an ssh key. This ssh key is probably the source of the login events captured in /var/log/wtmp, which I saw using the last command.

In /etc/group, I noticed 2 things:

sudo:x:27:jackyll
spooky:x:2001:

The user jackyll (the compromised user) has been appended to the sudo group, and there is a new group, "spooky". This probably indicates a new user, so let's check out /etc/passwd:

grep spooky /etc/passwd
spooky:x:2001:2001::/home/jackyll/:/bin/sh

A backdoor user! Checking /etc/shadow confirms they have a password: 2spooky4me.

I'm not sure what's up with /sbin/dosfsmount being changed. This warrants further research.

The rest of the files are insignificant, with the exception of /etc/sudoers.d/README.
This is a sudoers drop-in file, and jackyll has been added with full sudo permissions:

~# sudo -U jackyll -l
Matching Defaults entries for jackyll on this host:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jackyll may run the following commands on this host:
    (ALL : ALL) ALL
    (root) NOPASSWD: ALL
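The three account-level backdoors found above (a user appended to the sudo group, a new account whose home directory sits inside another user's home, and sudo rules dropped into a file named README) can all be checked mechanically. The script below is an added example, not the post's own code: it parses /etc/passwd, /etc/group and a sudoers.d drop-in and reports each of those conditions. The inputs are constructed samples; the spooky, sudo-group and sudo-rule lines mirror what the post shows, and the README body is a stand-in, since the post shows only the resulting `sudo -l` output. The README check exists because `#includedir /etc/sudoers.d` skips only files containing a dot or ending in `~`, so a README there is parsed like any other drop-in.

```python
"""Audit /etc/passwd, /etc/group and sudoers.d drop-ins for the account
backdoors described in the post. Added example, not the post's own code;
all inputs below are constructed samples.
"""
import re

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jackyll:x:1002:1002::/home/jackyll:/bin/bash
spooky:x:2001:2001::/home/jackyll/:/bin/sh
"""

SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:jackyll
jackyll:x:1002:
spooky:x:2001:
"""

# Constructed stand-in for the tampered /etc/sudoers.d/README; the post only
# shows the `sudo -l` result, not the file contents.
SAMPLE_SUDOERS_D = {
    "README": """\
# constructed sample, not the real Debian README text
jackyll ALL=(ALL:ALL) ALL
jackyll ALL=(root) NOPASSWD: ALL
""",
}

# Baseline of accounts the administrator expects; anything else is "unknown".
KNOWN_USERS = {"root", "daemon", "jackyll"}


def parse_passwd(text):
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "home": home.rstrip("/") or "/", "shell": shell})
    return users


def parse_group(text):
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


# user  host=(runas) [TAG:]... commands   (Defaults and comments are skipped)
_RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?"
                   r"\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def parse_sudoers(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = _RULE.match(line)
        if m:
            rules.append({"who": m["who"], "runas": m["runas"] or "",
                          "nopasswd": "NOPASSWD" in m["tags"],
                          "cmds": m["cmds"].strip()})
    return rules


def audit(passwd_text, group_text, sudoers_files, known_users=KNOWN_USERS):
    """Return a list of (check, subject) findings."""
    findings, homes = [], {}
    for u in parse_passwd(passwd_text):
        if u["name"] not in known_users:
            findings.append(("unknown account", u["name"]))
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(("extra uid 0 account", u["name"]))
        homes.setdefault(u["home"], []).append(u["name"])
    # Two accounts sharing a home is how spooky hid inside jackyll's files.
    for home, names in homes.items():
        if len(names) > 1 and home not in ("/", "/nonexistent"):
            findings.append(("shared home directory", f"{home}: {','.join(names)}"))
    for name in parse_group(group_text).get("sudo", {}).get("members", []):
        findings.append(("member of sudo group", name))
    for fname, text in sudoers_files.items():
        rules = parse_sudoers(text)
        for rule in rules:
            if rule["cmds"] == "ALL":
                tag = "NOPASSWD " if rule["nopasswd"] else ""
                findings.append(("unrestricted sudo rule", f"{fname}: {rule['who']} {tag}ALL"))
        if rules and fname.upper().startswith("README"):
            findings.append(("rule hidden in README", fname))
    return findings


if __name__ == "__main__":
    for check, subject in audit(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_SUDOERS_D):
        print(f"{check}: {subject}")
```

On a live host, read the real files into the three inputs (`/etc/passwd`, `/etc/group`, and every file under `/etc/sudoers.d`) and replace `KNOWN_USERS` with the account list from the last good backup or configuration management.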

All told, the attacker put in place numerous methods of privilege escalation from a normal user. They added their compromised account to the sudoers list, then added an additional user. Things to look into are why they would set the suid bit on gcc, research into dosfsmount, and rsync. I didn't detail it, but a lot of rsync files were modified in this timeframe; I feel it might have just been a normal update.

Edit: /sbin/dosfsmount is definitely privilege escalation as well. Here's a snippet of a run of strings against it:

setuid
perror
execlp
setgroups
setegid
seteuid
setgid
__libc_start_main
GLIBC_2.0
PTRh
UWVS
[^_]
Setuid failed, no suid-bit set?
ULTRASHELL
/bin/sh
;*2$"
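What gives the binary away is the combination in its string table: a privilege call (setuid), an exec call (execlp), a shell path, and an error message that only makes sense for a setuid dropper. As an added example (not the post's code), the script below does what `strings` does, runs of four or more printable bytes, and then scores the result against those indicator groups, so the same check can be run over every setuid file found during triage. Both binary blobs are constructed: the suspect one carries the strings the post lists, the benign one does not.

```python
"""Pull printable strings out of a binary and score them against indicators
of a setuid shell dropper, like the one the post's `strings` run exposed.
Added example, not the post's own code; both blobs below are constructed.
"""
import random
import re
import stat

# A dropper needs a privilege call, an exec call and a shell path; the
# message group holds the specific text seen in the post and only corroborates.
INDICATORS = {
    "privilege": {"setuid", "seteuid", "setgid", "setegid", "setgroups", "setresuid"},
    "exec": {"execlp", "execl", "execv", "execve", "execvp", "system"},
    "shell": {"/bin/sh", "/bin/bash", "/bin/dash"},
    "message": {"Setuid failed, no suid-bit set?", "ULTRASHELL"},
}


def _blob(words, seed):
    """Glue NUL-terminated strings into seeded pseudo-random filler, roughly
    how they sit in an ELF's .dynstr/.rodata. Constructed test data only."""
    rnd = random.Random(seed)
    out = bytearray()
    for w in words:
        out += bytes(rnd.randrange(256) for _ in range(rnd.randrange(8, 40)))
        out += b"\0" + w.encode() + b"\0"
    return bytes(out)


SUSPECT_BLOB = _blob(["__libc_start_main", "setuid", "perror", "execlp", "setgroups",
                      "GLIBC_2.0", "Setuid failed, no suid-bit set?", "ULTRASHELL",
                      "/bin/sh"], seed=1)
BENIGN_BLOB = _blob(["__libc_start_main", "printf", "fopen", "/etc/fstab",
                     "GLIBC_2.0", "usage: %s DEVICE DIR"], seed=2)


def extract_strings(data, min_len=4):
    """Equivalent of `strings -n 4`: runs of printable ASCII of at least min_len."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def classify(strings):
    """Return the indicator groups hit, each with its matching strings."""
    found = set(strings)
    hits = {grp: sorted(found & words) for grp, words in INDICATORS.items()}
    return {grp: words for grp, words in hits.items() if words}


def is_setuid_shell_dropper(data):
    """privilege + exec + shell together is the dropper fingerprint."""
    hits = classify(extract_strings(data))
    return all(g in hits for g in ("privilege", "exec", "shell"))


def scan_file(path):
    """Combine the on-disk setuid bit with the string fingerprint for one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    import os
    mode = os.stat(path).st_mode
    return {"suid_bit": bool(mode & (stat.S_ISUID | stat.S_ISGID)),
            "dropper_strings": is_setuid_shell_dropper(data)}


if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT_BLOB), ("benign", BENIGN_BLOB)):
        print(name, classify(extract_strings(blob)), is_setuid_shell_dropper(blob))
```

Run `scan_file` over the output of `find / -perm -4000 -type f` and anything reporting both `suid_bit` and `dropper_strings` goes to the top of the list; a stock mount helper has no business calling execlp on /bin/sh.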
Finding Persistence on Server
