Cisco Internetwork Operating System Software
IOS (tm) C3750 Software (C3750-I9-M), Version 12.2(20)SE4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Sun 09-Jan-05 00:09 by antonino
Image text-base: 0x00003000, data-base: 0x0099748C
ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.1(14r)EA1a, RELEASE SOFTWARE (fc1)
3750-sw1 uptime is 10 years, 6 weeks, 6 days, 2 minutes
System returned to ROM by power-on
System restarted at 12:16:53 UTC Wed Sep 28 2005
Definitely needs an upgrade at some point....
Friday, 13 November 2015
Friday, 7 August 2015
Cisco Packet Captures and Perl Net::Pcap::Easy
So today I once again was dealing with a packet capture taken from a Cisco router using the "monitor capture buffer/monitor capture point" commands. I wanted to build a Perl script to do some basic parsing and sanity checking of the data.
Unfortunately, my simple pcap library of choice in Perl, Net::Pcap::Easy, doesn't like Cisco packet captures:
ERROR Unhandled data link type: RAW at /usr/local/share/perl/5.18.2/Net/Pcap/Easy.pm line 122.
This is very easy to fix, although a bit ugly. The lines of code in Net::Pcap::Easy which handle frames with no Ethernet header is shown below:
# For non-ethernet data link types, construct a
# fake ethernet header from the data available.
my ($ether, $type);
if ($linktype == Net::Pcap::DLT_EN10MB) {
$ether = NetPacket::Ethernet->decode($packet);
$type = $ether->{type};
} elsif ($linktype == Net::Pcap::DLT_LINUX_SLL) {
use bytes;
$type = unpack("n", substr($packet, 2+2+2+8, 2));
$ether = NetPacket::Ethernet->decode(
pack("h24 n", "0" x 24, $type) . substr($packet, 16));
no bytes;
} else {
die "ERROR Unhandled data link type: " .
Net::Pcap::datalink_val_to_name($linktype);
}
As you can see, it generates the error for the unhandled packet type. Since I don't have the data at the Ethernet level, my tools wouldn't be using that data, so literally anything will do, as long as it doesn't crash the higher level packet dissectors.
So... I added a really simple extra option to the if statement:
} elsif ($linktype == Net::Pcap::DLT_RAW) {
#Steve's attempt to handle RAW
$ether = NetPacket::Ethernet->decode(pack('H*','0001020304050005040302010800').$packet);
$type = $ether->{type};
Literally, this adds a header that says data is from 00:01:02:03:04:05 and to 00:05:04:03:02:01, and is of type 0x0800, IP. This fix worked first time, which surprised me a little!
Hope that helps!
Unfortunately, my simple pcap library of choice in Perl, Net::Pcap::Easy, doesn't like Cisco packet captures:
ERROR Unhandled data link type: RAW at /usr/local/share/perl/5.18.2/Net/Pcap/Easy.pm line 122.
This is very easy to fix, although a bit ugly. The lines of code in Net::Pcap::Easy which handle frames with no Ethernet header is shown below:
# For non-ethernet data link types, construct a
# fake ethernet header from the data available.
my ($ether, $type);
if ($linktype == Net::Pcap::DLT_EN10MB) {
$ether = NetPacket::Ethernet->decode($packet);
$type = $ether->{type};
} elsif ($linktype == Net::Pcap::DLT_LINUX_SLL) {
use bytes;
$type = unpack("n", substr($packet, 2+2+2+8, 2));
$ether = NetPacket::Ethernet->decode(
pack("h24 n", "0" x 24, $type) . substr($packet, 16));
no bytes;
} else {
die "ERROR Unhandled data link type: " .
Net::Pcap::datalink_val_to_name($linktype);
}
As you can see, it generates the error for the unhandled packet type. Since I don't have the data at the Ethernet level, my tools wouldn't be using that data, so literally anything will do, as long as it doesn't crash the higher level packet dissectors.
So... I added a really simple extra option to the if statement:
} elsif ($linktype == Net::Pcap::DLT_RAW) {
#Steve's attempt to handle RAW
$ether = NetPacket::Ethernet->decode(pack('H*','0001020304050005040302010800').$packet);
$type = $ether->{type};
Literally, this adds a header that says data is from 00:01:02:03:04:05 and to 00:05:04:03:02:01, and is of type 0x0800, IP. This fix worked first time, which surprised me a little!
Hope that helps!
Friday, 12 September 2014
Cisco ezVPN with FreeRADIUS
It's been a while since I posted, but I have come across another comparatively poorly-documented part of the networking world. I struggled to find the answers to this, so here is a writeup that may help!
So, the idea is that I want to use ezVPN for remote sites dialling into a central point. However, rather than having my users configured locally on the hub router, I want to use RADIUS. However, I don't want to pay to use Cisco ACS server or Windows Server, so FreeRADIUS is the obvious open-source option.
aaa group server radius VPN-RADIUS
server-private <RADIUS Server IP> key <RADIUS Shared Secret>
server-private <RADIUS Server IP> auth-port 1812
server-private <RADIUS Server IP> acct-port 1813
ip vrf forwarding Mgmt-intf
ip radius source-interface GigabitEthernet0
!
aaa authentication login VPN-Users group VPN-RADIUS
aaa authorization network VPN-Users group VPN-RADIUS
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group RemoteUsers
key <pre-shared-key>
acl 110
save-password
!
crypto isakmp profile VPN
match identity group RemoteUsers
client authentication list VPN-Users
isakmp authorization list VPN-Users
client configuration address respond
virtual-template 2
!
crypto ipsec transform-set ezVPN-Transform esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile ezVPN
set transform-set ezVPN-Transform
set isakmp-profile VPN
!
crypto dynamic-map Remote-Map 10
set transform-set ezVPN-Transform
set isakmp-profile VPN
reverse-route
!
crypto map VPN 65535 ipsec-isakmp dynamic Remote-Map
!
interface Virtual-Template2 type tunnel
ip unnumbered GigabitEthernet2
tunnel mode ipsec ipv4
tunnel protection ipsec profile ezVPN
!
access-list 110 permit ip 172.16.0.0 0.15.255.255 any
!
interface Gigabit1
ip address <WAN Address> <Netmask>
crypto map VPN
This is a lot of configuration, and some of this may not be necessary. I need to go back and clean it out. In particular, the ISAKMP Client Configuration group will actually be provided by RADIUS, so likely we can remove this part.
The majority of the above configuration is easily found with some Google searches and is well documented. However, the next part, the RADIUS part, is not.
client <Cisco device RADIUS source IP> {
secret = <Shared Secret>
nastype = cisco
shortname = ezVPN-Server
}
This now enables our Cisco router to talk to the RADIUS server. Check that you know what the source-address is on the Cisco - it can be defined within the Server Group config.
The users file defines the different users available. This can also be done with an SQL database. However, the SQL part is well documented so I will not cover it here. First we have to set up the VPN Group user definition - this is the main part that I struggled with. Here is my example config:
RemoteUsers Cleartext-Password := "cisco"
Tunnel-Type = "ESP",
Tunnel-Password = "<pre-shared-key>",
Cisco-AVPair := "ipsec:tunnel-type=ESP",
Cisco-AVPair += "ipsec:key-exchange=IKE",
Cisco-AVPair += "ipsec:save-password=1",
Cisco-AVPair += "ipsec:inacl=110"
So, to explain some of the fields:
- "RemoteUsers" - this will be whatever your VPN group is
- Cleartext-Password := "cisco" - This is required - the router sends a request with the group name and the password of "cisco".
- Tunnel-Type - This is another required item.
- Tunnel-Password - This should be your actual VPN group key.
Now we move on to the "Cisco-AVPair" entries. These are Cisco Attribute-Value pairs. So basically this is information that gets passed back to the router as parameters for the connection.
crypto isakmp client configuration group RemoteUsers
key <pre-shared-key> ! Tunnel-Password = "<pre-shared-key>"
acl 110 ! Cisco-AVPair += "ipsec:inacl=110"
save-password ! Cisco-AVPair += "ipsec:save-password=1"
For further reading about Cisco Attribute-Value pairs, have a look at this page: https://supportforums.cisco.com/document/58091/exploring-remote-access-vpn-easy-vpn-cisco-router-cisco-secure-access-control-server
For our actual VPN users, the entries are much simpler. We just need to add user/password pairs to the users file:
User1 Cleartext-Password := "<password>"
Once this is done, you should have a working ezVPN setup with FreeRADIUS server.
So, the idea is that I want to use ezVPN for remote sites dialling into a central point. However, rather than having my users configured locally on the hub router, I want to use RADIUS. However, I don't want to pay to use Cisco ACS server or Windows Server, so FreeRADIUS is the obvious open-source option.
Hub Router Configuration
The configuration on the router is fairly simple and well-documented. You will need an appropriate IOS with appropriate crypto functionality. In my case, I am using a Cisco CSR1000V in the cloud to test this. Below are the relevant parts of my configuration:aaa group server radius VPN-RADIUS
server-private <RADIUS Server IP> key <RADIUS Shared Secret>
server-private <RADIUS Server IP> auth-port 1812
server-private <RADIUS Server IP> acct-port 1813
ip vrf forwarding Mgmt-intf
ip radius source-interface GigabitEthernet0
!
aaa authentication login VPN-Users group VPN-RADIUS
aaa authorization network VPN-Users group VPN-RADIUS
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group RemoteUsers
key <pre-shared-key>
acl 110
save-password
!
crypto isakmp profile VPN
match identity group RemoteUsers
client authentication list VPN-Users
isakmp authorization list VPN-Users
client configuration address respond
virtual-template 2
!
crypto ipsec transform-set ezVPN-Transform esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile ezVPN
set transform-set ezVPN-Transform
set isakmp-profile VPN
!
crypto dynamic-map Remote-Map 10
set transform-set ezVPN-Transform
set isakmp-profile VPN
reverse-route
!
crypto map VPN 65535 ipsec-isakmp dynamic Remote-Map
!
interface Virtual-Template2 type tunnel
ip unnumbered GigabitEthernet2
tunnel mode ipsec ipv4
tunnel protection ipsec profile ezVPN
!
access-list 110 permit ip 172.16.0.0 0.15.255.255 any
!
interface Gigabit1
ip address <WAN Address> <Netmask>
crypto map VPN
This is a lot of configuration, and some of this may not be necessary. I need to go back and clean it out. In particular, the ISAKMP Client Configuration group will actually be provided by RADIUS, so likely we can remove this part.
The majority of the above configuration is easily found with some Google searches and is well documented. However, the next part, the RADIUS part, is not.
FreeRADIUS Configuration
First of all you need to get a server set up and FreeRADIUS installed. I won't elaborate further, since this is also well documented elsewhere. For reference, in my setup I used Ubuntu Server 12.04LTS.clients.conf
The clients.conf file is simply used to identify expected RADIUS clients that may talk to us, and set the shared-secret for them. Below is a sample file:client <Cisco device RADIUS source IP> {
secret = <Shared Secret>
nastype = cisco
shortname = ezVPN-Server
}
This now enables our Cisco router to talk to the RADIUS server. Check that you know what the source-address is on the Cisco - it can be defined within the Server Group config.
users
The users file defines the different users available. This can also be done with an SQL database. However, the SQL part is well documented so I will not cover it here. First we have to set up the VPN Group user definition - this is the main part that I struggled with. Here is my example config:
RemoteUsers Cleartext-Password := "cisco"
Tunnel-Type = "ESP",
Tunnel-Password = "<pre-shared-key>",
Cisco-AVPair := "ipsec:tunnel-type=ESP",
Cisco-AVPair += "ipsec:key-exchange=IKE",
Cisco-AVPair += "ipsec:save-password=1",
Cisco-AVPair += "ipsec:inacl=110"
So, to explain some of the fields:
- "RemoteUsers" - this will be whatever your VPN group is
- Cleartext-Password := "cisco" - This is required - the router sends a request with the group name and the password of "cisco".
- Tunnel-Type - This is another required item.
- Tunnel-Password - This should be your actual VPN group key.
Now we move on to the "Cisco-AVPair" entries. These are Cisco Attribute-Value pairs. So basically this is information that gets passed back to the router as parameters for the connection.
- ipsec:tunnel-type=ESP - Required - stating we will use ESP
- ipsec:key-exchange=IKE - Required - stating we will use IKE
- ipsec:save-password=1 - Optional - Since my setup is for branch-offices, I want to have the password pre-configured in the router without people needing to keep entering it. Therefore I have to permit the password to be saved locally.
- ipsec:inacl=110 - Optional - This is for split-tunnel VPNs. It specifies which ACL on my hub router should be used to define the split networking list.
crypto isakmp client configuration group RemoteUsers
key <pre-shared-key> ! Tunnel-Password = "<pre-shared-key>"
acl 110 ! Cisco-AVPair += "ipsec:inacl=110"
save-password ! Cisco-AVPair += "ipsec:save-password=1"
For further reading about Cisco Attribute-Value pairs, have a look at this page: https://supportforums.cisco.com/document/58091/exploring-remote-access-vpn-easy-vpn-cisco-router-cisco-secure-access-control-server
For our actual VPN users, the entries are much simpler. We just need to add user/password pairs to the users file:
User1 Cleartext-Password := "<password>"
Once this is done, you should have a working ezVPN setup with FreeRADIUS server.
Monday, 9 June 2014
IGMP Query Solicitation
Once again, I've come back to IGMP/Multicast/STP. This is a topic that, while reasonably well documented, can be complex to find explanations of.
In this case, I saw a network where a switch was running many (lots, like 300+) VLANs and we were regularly seeing traffic from the same MAC in all of those VLANs. This behaviour was intruiging, so I did some digging.
The switch in question was an Allied Telesyn x610 switch. Looking at the packets in Wireshark, it turns out they all originate from a switch and they are IGMP Query Solicitation. So...
In the case of the AT switches, there are two options, the default is that only the STP root-bridge will send the query solicitation packets. You can turn that off, or you can optionally enable it for all switches, not just the root. Commands are:
As always, I hope this has been of use to somebody!
In this case, I saw a network where a switch was running many (lots, like 300+) VLANs and we were regularly seeing traffic from the same MAC in all of those VLANs. This behaviour was intruiging, so I did some digging.
The switch in question was an Allied Telesyn x610 switch. Looking at the packets in Wireshark, it turns out they all originate from a switch and they are IGMP Query Solicitation. So...
What is IGMP Query Solicitation?
So you remember back in one of my earliest posts, where we had IGMP and Spanning-Tree interacting in such a way that we had floods of traffic on the network? This is very much related. In that scenario we were seeing that our switches were flooding traffic to all ports whenever there was a Spanning-Tree topology change. This "IGMP Query Solicitation" is another behaviour that can occur at exactly the same time, when a topology change is seen. As well as flooding the multicast traffic to ensure it reaches the correct destination, the switch can also send an "IGMP Query Solicitation" message to everybody. This message essentially "resets" IGMP by prompting the querier to immediately send out a General Query. This, in turn, means that all clients will re-affirm their interest in the appropriate multicasting groups by sending a Membership Report. Therefore, the IGMP snoopers (switches) will then be able to rebuild their snooping databases and once again send traffic to all the right places. So it provides a way of restoring order to your network after Spanning-Tree announces a Topology Change.So do I want this behavior? How do I turn it off?
Yes. It's good. It helps your network to get back to normal after any changes in topology. In our case there was a device that was not coping with seeing the same MAC in 300+ VLANs at the same time. However, there may be legitimate reasons to turn this on or off. In the Cisco switches I tested, this was disabled by default. In order for it to function, it required:- An IGMP querier active in a VLAN (any VLAN with no querier got no query solicitation)
- IGMP Query Solicitation enabled ("ip igmp snooping tcn query solicit")
In the case of the AT switches, there are two options, the default is that only the STP root-bridge will send the query solicitation packets. You can turn that off, or you can optionally enable it for all switches, not just the root. Commands are:
(no) ip igmp snooping tcn query solicit rootThe variation in implementations and defaults across switch manufacturers is interesting. Allied Telesyn seem to be protecting people, whereas Cisco are assuming you should know what you're doing at least a little bit!
(no) ip igmp snooping tcn query solicit
As always, I hope this has been of use to somebody!
Thursday, 15 May 2014
Cisco NAT Payload Inspection
I came across an interesting problem today with our public-facing DNS server. For various reasons that I can't actually justify, we have some DNS A records with private IP addresses in our main public-facing NS. Somebody noticed today that those weren't working any more and that DNS requests for these addresses would time out. For example, with apologies for the potentially confusing anonymisation of my company's names and addresses:
Whereas, a request for a name with a public IP would work:
So... what is happening?
As I often do, my first step into looking was a packet capture. I captured whilst doing first a "public" request and then a "private" request. The result was as below:
So, for a "normal", "public" request, the response is fine. For the "private" request, the server replies correctly, but our NAT router is sending an ICMP Destination Unreachable and the response never reaches the client. So, this immediately says that the router is doing some level of inspection at Layer 5 or above and electing to drop our DNS response, which we don't want.
A quick bit of Googling later and I found this incredibly helpful article: https://plone.lucidsolutions.co.nz/networking/cisco/ios/a-workaround-for-nat-rewriting-dns-packets
This makes complete sense. So, I added the no-payload option to my NAT statement and immediately, all my DNS requests started working!
steve@linuxbox:~$ dig myname.mydomain.com @ns1.mydomain.com
; <<>> DiG 9.8.1-P1 <<>> myname.mydomain.com @ns1.mydomain.com
;; global options: +cmd
;; connection timed out; no servers could be reached
Whereas, a request for a name with a public IP would work:
steve@linuxbox:~$ dig mypublicname.mydomain.com @ns1.mydomain.com
; <<>> DiG 9.8.1-P1 <<>> mypublicname.mydomain.com @ns1.mydomain.com
;; global options: +cmd
;; Got answer:
--snip--
mypublicname.mydomain.com. 86400 IN A 4.2.2.2
So... what is happening?
As I often do, my first step into looking was a packet capture. I captured whilst doing first a "public" request and then a "private" request. The result was as below:
A quick bit of Googling later and I found this incredibly helpful article: https://plone.lucidsolutions.co.nz/networking/cisco/ios/a-workaround-for-nat-rewriting-dns-packets
This makes complete sense. So, I added the no-payload option to my NAT statement and immediately, all my DNS requests started working!
Sunday, 9 June 2013
Samsung Galaxy Player 50 (YP-G50EW) Hard Reset
So, I found it very difficult to find instructions for doing a hard reset on an early model Samsung Galaxy Player (model YP-G50EW). There are various key codes that are reported, but the one I found to work is:
Hold down Volume Up, Volume Down and the Home/Menu button, then hold Power until the Samsung logo appears. The release the power button, but keep the other buttons held down.
Now you are in the Android Recovery menu and you can continue with normal reset operations!
As always, hope this helps somebody!
Hold down Volume Up, Volume Down and the Home/Menu button, then hold Power until the Samsung logo appears. The release the power button, but keep the other buttons held down.
Now you are in the Android Recovery menu and you can continue with normal reset operations!
As always, hope this helps somebody!
Friday, 1 February 2013
IRC DOS Bot
So, if you've read my previous post, you will see that I was recently looking into a Denial-of-Service attack. Once I eventually tracked down the host it was coming from, I needed to identify what was sending all the packets.
Thankfully, the owner of the server was very interested in my offer of assistance with their server, so I was able to do more digging!
So, it was a Debian Linux server running sending a lot of source-spoofed packets onto the network. My first step was to get access back to the server remotely, to make life easier. This was simple; two iptables rules to block all packets to our two destination hosts:
This quickly stopped the outgoing packets and made the server remotely accessible.
Next up, checking netstat gave no obvious connections to these IPs. However, knowing they are spoofed, this was actually the wrong place to look. The offending process was almost certainly using a raw socket. So:
There were three processes with raw sockets open, dhcpd, and two unnamed ones. Knowing that dhcpd was legitimate, the two other processes needed looking at. A quick run of "top" showed me that one of them was consuming *way* too much CPU!
It seemed a bit strange that the process was called "migration" as this is a standard Linux process. However, the real migration process would have a low pid as it is a system process started at boot. The other process was also called migration and also had a high pid, but this time without the high cpu. So, I paused both processes, without terminating them, to enable further analysis.
Another new trick I learned, which to many of you will be no surprise, is that you can simply and easily access a copy of the running application even if it has removed itself from the disk. Looking in /proc/<pid> I could see:
So the "exe" symlink pointed to the original file on disk, but told me that it had now been deleted. However, the file was still in memory, so I was able to copy it and start looking at it!
Looking further at what strings it contained (IP address hidden!):
So it was fairly obviously an IRC bot, with the main goal of sending spoofed DOS attacks. It also had the ability for the controller to execute arbitrary shell commands, which in this case would be run with root privilege. Therefore, it could be used to insert further malware.
I have since been playing a little with this bot in a sandbox, but that is for a later post.
Hope you found that interesting, it was a bit of a rushed post. I hope you find it an encouragement to do some of your own malware analysis!
Thankfully, the owner of the server was very interested in my offer of assistance with their server, so I was able to do more digging!
So, it was a Debian Linux server running sending a lot of source-spoofed packets onto the network. My first step was to get access back to the server remotely, to make life easier. This was simple; two iptables rules to block all packets to our two destination hosts:
iptables -I OUTPUT -d aaa.bbb.37.10 -j DROP
iptables -I OUTPUT -d aaa.bbb.38.140 -j DROP
This quickly stopped the outgoing packets and made the server remotely accessible.
Next up, checking netstat gave no obvious connections to these IPs. However, knowing they are spoofed, this was actually the wrong place to look. The offending process was almost certainly using a raw socket. So:
~# netstat -anp | grep raw
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 2666/dhcpd
raw 0 0 0.0.0.0:255 0.0.0.0:* 7 9060/0]
raw 0 0 0.0.0.0:255 0.0.0.0:* 7 28477/0]
There were three processes with raw sockets open, dhcpd, and two unnamed ones. Knowing that dhcpd was legitimate, the two other processes needed looking at. A quick run of "top" showed me that one of them was consuming *way* too much CPU!
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
9060 root 20 0 1836 300 196 R 101 0.0 642:44.59 migration
It seemed a bit strange that the process was called "migration" as this is a standard Linux process. However, the real migration process would have a low pid as it is a system process started at boot. The other process was also called migration and also had a high pid, but this time without the high cpu. So, I paused both processes, without terminating them, to enable further analysis.
kill -STOP 9060
kill -STOP 28477
Another new trick I learned, which to many of you will be no surprise, is that you can simply and easily access a copy of the running application even if it has removed itself from the disk. Looking in /proc/<pid> I could see:
~# cd /proc/28477
/proc/28477# ls -l
total 0
dr-xr-xr-x 2 root root 0 Jan 28 12:12 attr
-r-------- 1 root root 0 Jan 28 12:12 auxv
-r--r--r-- 1 root root 0 Jan 28 12:12 cgroup
--w------- 1 root root 0 Jan 28 12:12 clear_refs
-r--r--r-- 1 root root 0 Jan 27 01:27 cmdline
-rw-r--r-- 1 root root 0 Jan 28 12:12 coredump_filter
-r--r--r-- 1 root root 0 Jan 28 12:12 cpuset
lrwxrwxrwx 1 root root 0 Jan 28 11:30 cwd -> /usr/sbin/ttyload
-r-------- 1 root root 0 Jan 28 12:12 environ
lrwxrwxrwx 1 root root 0 Jan 26 06:25 exe -> /usr/sbin/ttyload/migration (deleted)
dr-x------ 2 root root 0 Jan 28 11:30 fd
dr-x------ 2 root root 0 Jan 28 11:30 fdinfo
-r-------- 1 root root 0 Jan 28 12:12 io
-r-------- 1 root root 0 Jan 28 12:12 limits
-rw-r--r-- 1 root root 0 Jan 28 12:12 loginuid
-r--r--r-- 1 root root 0 Jan 28 11:30 maps
-rw------- 1 root root 0 Jan 28 12:12 mem
-r--r--r-- 1 root root 0 Jan 28 12:12 mountinfo
-r--r--r-- 1 root root 0 Jan 28 12:12 mounts
-r-------- 1 root root 0 Jan 28 12:12 mountstats
dr-xr-xr-x 8 root root 0 Jan 28 12:12 net
-rw-r--r-- 1 root root 0 Jan 28 12:12 oom_adj
-r--r--r-- 1 root root 0 Jan 28 12:12 oom_score
-r--r--r-- 1 root root 0 Jan 28 12:12 pagemap
-r--r--r-- 1 root root 0 Jan 28 12:12 personality
lrwxrwxrwx 1 root root 0 Jan 28 11:30 root -> /
-rw-r--r-- 1 root root 0 Jan 28 12:12 sched
-r--r--r-- 1 root root 0 Jan 28 12:12 sessionid
-r--r--r-- 1 root root 0 Jan 28 12:12 smaps
-r--r--r-- 1 root root 0 Jan 28 12:12 stack
-r--r--r-- 1 root root 0 Jan 27 01:26 stat
-r--r--r-- 1 root root 0 Jan 27 01:26 statm
-r--r--r-- 1 root root 0 Jan 27 01:27 status
-r--r--r-- 1 root root 0 Jan 28 12:12 syscall
dr-xr-xr-x 3 root root 0 Jan 28 11:43 task
-r--r--r-- 1 root root 0 Jan 28 12:12 wchan
So the "exe" symlink pointed to the original file on disk, but told me that it had now been deleted. However, the file was still in memory, so I was able to copy it and start looking at it!
/proc/28477# cat exe > /tmp/thing
/proc/28477# file /tmp/thing
/tmp/thing: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped
Looking further at what strings it contained (IP address hidden!):
# strings /tmp/thing
--snip--
aa.bb.ccc.251
ircd.exampledomain.net
privmsg %s :CHECKSUM <on/off>
privmsg %s :Checksum has been turned on.
privmsg %s :Checksum has been turned off.
privmsg %s :DNS <host>
privmsg %s :Resolving %s...
privmsg %s :Unable to resolve.
privmsg %s :Resolved to %s.
privmsg %s :%d.%d.%d.%d
privmsg %s :%d.%d.%d.%d - %d.%d.%d.%d
privmsg %s :White Knight 2012
privmsg %s :NICK <nick>
privmsg %s :Nick cannot be larger than 50 characters.
NICK %s
privmsg %s :Removed all spoofs
privmsg %s :What kind of subnet address is that? Do something like: 169.40
privmsg %s :BYSIN <target> <port>
privmsg %s :Packeting %s.
privmsg %s :SLICE <destination> <lowport> <highport>
privmsg %s :Error in SLICE2: Low > high.
privmsg %s :PAN <target> <lowport> <highport>
privmsg %s :Talking %s ...
privmsg %s :This knight accepts the following commands via ctcp (with a #):
privmsg %s :NICK <nick> = Changes the nick of the knight
privmsg %s :GETSPOOF = Gets the current spoofing
privmsg %s :SPOOFS <subnet> = Changes spoofing to a subnet
privmsg %s :DNS <host> = DNSs a host
privmsg %s :CHECKSUM <on/off> = Turns checksum on or off
privmsg %s :IRC <command> = Sends this command to the server
privmsg %s :SH <command> = Executes a command
privmsg %s :KILLALL = Kills all current packeting
privmsg %s :KILL = Kills the knight
privmsg %s :DISABLE = Disables all packeting from this knight
privmsg %s :ENABLE = Enables all packeting from this knight
privmsg %s :VERSION = Requests version of knight
privmsg %s :HELP = Displays this
kill -9 %d;kill -9 0
privmsg %s :Killing pid %d.
--snip--
So it was fairly obviously an IRC bot, with the main goal of sending spoofed DOS attacks. It also had the ability for the controller to execute arbitrary shell commands, which in this case would be run with root privilege. Therefore, it could be used to insert further malware.
I have since been playing a little with this bot in a sandbox, but that is for a later post.
Hope you found that interesting, it was a bit of a rushed post. I hope you find it an encouragement to do some of your own malware analysis!
Subscribe to:
Comments (Atom)