Summary
Here we borrow some examples from the Honeynet Project to give a simple explanation of the forensic toolkit TCT and its companion tools under UNIX. At the end, another, more convenient tool, Recover, which can restore files on an EXT2 file system, is introduced. (2002-09-16 13:33:23)
By Wing, Source:
INBURST
Even when a system administrator does everything right, intruders may still break through the defences, get into the system, and change or delete files. Here we borrow some examples from the Honeynet Project to give a simple explanation of the forensic toolkit TCT and its companion tools under UNIX. At the end, another, more convenient tool, Recover, which can restore files on an EXT2 file system, is introduced.

First, the software:

1, The Coroner's Toolkit: this is the TCT mentioned above. In China you can download it from Security Focus (http://xfocus.org/tool/other/tct-1.07.tar.gz). It is a command-line file system toolkit for UNIX; it supports FFS and EXT2FS and recovers data from blocks and inodes. It can analyze the last modification, access and change (MAC) times of files and list files by inode for recovery.

2, tctutils: the current latest version can be downloaded from http://xfocus.org/tool/other/tctutils-1.01.tar.gz. It supplements TCT and provides command-line tools that recover data by file name. Both tools require the user to know some low-level fundamentals.

3, Autopsy Forensic Browser: you can download it from http://xfocus.org/tool/other/autopsy-1.01.tar.gz. It provides a friendly HTML interface to TCT and tctutils and makes the tedious analysis work relatively relaxed :)

First, installation: TCT has been tested on various UNIX platforms and currently supports FreeBSD, OpenBSD, SunOS, Linux and others. tctutils and Autopsy do not necessarily run everywhere; the platform I tested on is a default-installed Red Hat 6.2 system.

1, TCT:
# tar zvfx tct-1.07.tar.gz -C /usr/local/tct/; cd /usr/local/tct/tct*; make
This unpacks TCT into the /usr/local/tct/tct-1.07/ directory, enters it and runs make. If make has problems and you need to recompile, run perl reconfig first to regenerate the configuration.

2, tctutils:
# tar zvfx tctutils-1.01.tar.gz -C /usr/local/tct; cd /usr/local/tct/tctu*; make
At present tctutils seems to have been tested only on OpenBSD 2.8, Debian Linux 2.2 and Solaris 2.7, and FreeBSD is not well supported. Check whether make reports errors; if it does, fix the code or the Makefile yourself.

3, Autopsy: after unpacking the package, run ./configure. It locates utilities such as grep, strings and md5sum and asks for the TCT and tctutils paths (if it cannot find them, it asks you to enter the correct path). Finally you enter the file system to be examined, and the autopsy program is generated.

Second, introduction to Honeynet Scan 15: for details on the Honeynet Project see Security Focus (http://xfocus.org/honeynet/), which maintains a Chinese mirror of the foreign Honeynet Project. Scan 15 is a challenge the Honeynet Project collected from a Linux machine compromised on March 15, 2001. The intruder downloaded a rootkit into the root directory and installed it successfully. The Honeynet Project published the original disk image as a challenge for network security enthusiasts, asking them to recover the deleted rootkit. See http://xfocus.org/honeynet/scans/honeynet/scans.. As required, I downloaded the honeynet.tar.gz package, about 13M; decompressed, it contains a 270M file honeypot.hda8.dd and a README file, which reads as follows:
Summary
-------
You have downloaded the / partition of a compromised RH 6.2
Linux box. Your mission is to recover the deleted rootkit
from the / partition. Below is a list of all the partitions
that made up the compromised system.
/dev/hda8 /       <----- The partition you downloaded
/dev/hda1 /boot
/dev/hda6 /home
/dev/hda5 /usr
/dev/hda7 /var
/dev/hda9 swap
- The Honeynet Project
http://project.honeynet.org
The task is very clear.

Third, the operation process

1, Confirm that the downloaded data is correct:
# md5sum honeynet.tar.gz
0dff8fb9fe022ea80d8f1a4e4ae33e21  honeynet.tar.gz
# md5sum honeypot.hda8.dd
5a8ebf5725b15e563c825be85f2f852e  honeypot.hda8.dd
These MD5 checksums match the ones on the Honeynet website, showing that the files downloaded completely and have not been tampered with.

2, Mount the downloaded image on the system:
# mount honeypot.hda8.dd /mnt/ -o loop,ro
3, Configure Autopsy and run it (this is actually done during Autopsy's configure step):
[root@test autopsy-1.01]# ./configure
Autopsy Forensic Browser v.1.01 Installation
md5 found: /usr/bin/md5sum
strings found: /usr/bin/strings
grep found: /bin/grep
Enter TCT Directory:
/usr/local/tct
TCT bin directory was found
Enter TCTUTILS Directory:
/usr/local/tctutils
TCTUTILS bin directory was found
Enter Morgue Directory:
/home/inburst
Enter Default Investigator Name (for the Autopsy Reports):
inburst
Settings saved to conf.pl
[root@test autopsy-1.01]#
Then enter the morgue directory /home/inburst/, where the evidence is stored, and edit the file fsmorgue so that it looks like this:
# fsmorgue file for Autopsy Forensic Browser
#
# local_file name can contain letters, digits, '-', '_', and '.'
#
# local_file        mount_point
honeypot.hda8.dd    /mnt/
Also edit the ZoneInfo setting to give the time zone information. Then you can run the command:
# ./autopsy 9999 192.168.168.130
Here 192.168.168.130 is the address of my workstation and 9999 is the port number. The screen output is:
Autopsy Forensic Browser ver 1.01
Investigator: inburst
Paste this as your browser URL on 192.168.168.130:
192.168.168.130:9999/1727589285/autopsy
Paste 192.168.168.130:9999/1727589285/autopsy into your browser's URL bar to continue the analysis there.

4, Recover the deleted rootkit. Here we solve the problem on the command line; in practice Autopsy makes these steps much more intuitive.

A, Collect information:
# ils honeypot.hda8.dd > ilsdump.txt
# cat ilsdump.txt
class|host|device|start_time
ils|test.inburst.com.cn|honeypot.hda8.dd|992134159
st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_dtime|st_mode|st_nlink|st_size|st_block0|st_block1
23|f|0|0|984706608|984707090|984707105|984707105|100644|0|520333|307|308
2038|f|1031|100|984707105|984707105|984707169|984707169|40755|0|0|8481|0
......
......
The ils command lists inode information; here it shows the raw metadata of every deleted inode. The first field above is the inode number, and the data needed for recovery follows it. The output fields mean the following:
st_ino: the inode number.
st_alloc: allocation status: `a' for an allocated inode, `f' for a free inode.
st_uid: owner user ID.
st_gid: owner group ID.
st_mtime: UNIX time (seconds) of last file modification.
st_atime: UNIX time (seconds) of last file access.
st_ctime: UNIX time (seconds) of last inode status change.
st_dtime: UNIX time (seconds) of file deletion (Linux only).
st_mode: file type and permissions (octal).
st_nlink: number of hard links.
st_size: file size in bytes.
st_block0, st_block1: the first two entries in the direct block address list.
# /usr/local/tct/extras/ils2mac ilsdump.txt > deletedFiles.txt
# cat deletedFiles.txt
class|host|device|start_time
body|test.inburst.com.cn|honeypot.hda8.dd|992134159
md5|file|st_dev|st_ino|st_mode|st_ls|st_nlink|st_uid|st_gid|st_rdev|st_size|st_atime|st_mtime|st_ctime|st_blksize|st_blocks
|||23|100644|-rw-r--r--|0|0|0||520333|984707090|984706608|984707105||
|||2038|40755|drwxr-xr-x|0|1031|100||0|984707105|984707105|984707169||
|||2039|100755|-rwxr-xr-x|0|0|0||611931|984707090|1013173693|984707105||
|||2040|100644|-rw-r--r--|0|0|0||1|984707090|983201398|984707105||
......
......
ils2mac rearranges the ils output into the "body" format shown above, which is more useful when you have several disk partitions to combine.
# mactime -p /mnt/etc/passwd -g /mnt/etc/group -b deletedFiles.txt 1/1/2001 > mactime.txt
# cat mactime.txt
Feb 08 02 21:08:13   611931 m.. -rwxr-xr-x root root
Jan 27 01 23:11:32     3278 m.. -rw-r--r-- root root
Jan 27 01 23:11:44    11407 m.. -rw-r--r-- root root
Feb 26 01 22:46:04   632066 m.. -rwxr-xr-x root root
Feb 26 01 23:22:55     4060 m.. -rwxr-xr-x root root
Feb 26 01 23:22:59     8268 m.. -rwx------ root root
Feb 26 01 23:23:10     4620 m.. -rwxr-xr-x root root
Feb 26 01 23:23:55    53588 m.. -rwxr-xr-x root root
Feb 26 01 23:24:03       75 m.. -rwx------ root root
Feb 26 01 23:28:40       79 m.. -rwxr-xr-x root root
Feb 26 01 23:29:51      688 m.. -rw-r--r-- root root
Feb 26 01 23:29:58        1 m.. -rw-r--r-- root root
Mar 03 01 11:05:12      708 m.. -rw-r--r-- root root
Mar 03 01 11:08:37     3713 m.. -rwx------ root root
Mar 15 01 19:17:36    33135 mac -rw-r--r-- root root
Mar 15 01 19:19:37       16 ma. lrwxrwxrwx root root
                         16 ma. lrwxrwxrwx root root
                         16 ma. lrwxrwxrwx root root
Mar 15 01 19:20:25       16 ..c lrwxrwxrwx root root
                        239 .ac -rw-r--r-- root root
......
......
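To show how ils records turn into the m/a/c timeline above, here is an added example (not code from TCT or from the original article) that parses a constructed ilsdump.txt in the same field layout, converts st_mode into the ls-style string that ils2mac emits, and collapses each inode's timestamps into mactime-style rows; the inode numbers and timestamps are the ones quoted above.

```python
import stat
import time
from collections import defaultdict
# Constructed ils output in the same field layout as ilsdump.txt above (two inodes only)
ILS_DUMP = """\
class|host|device|start_time
ils|test.inburst.com.cn|honeypot.hda8.dd|992134159
st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_dtime|st_mode|st_nlink|st_size|st_block0|st_block1
23|f|0|0|984706608|984707090|984707105|984707105|100644|0|520333|307|308
2038|f|1031|100|984707105|984707105|984707169|984707169|40755|0|0|8481|0
"""

def parse_ils(text):
    """One dict per inode record; the first three lines of ils output are headers."""
    lines = text.strip().splitlines()
    fields = lines[2].split("|")
    records = []
    for line in lines[3:]:
        rec = dict(zip(fields, line.split("|")))
        for key in ("st_ino", "st_mtime", "st_atime", "st_ctime", "st_dtime", "st_size"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def ls_mode(octal_mode):
    """'100644' -> '-rw-r--r--', '40755' -> 'drwxr-xr-x' (the st_ls column of ils2mac)."""
    return stat.filemode(int(octal_mode, 8))

def mac_timeline(records):
    """Rows (epoch, inode, flags, ls_mode, uid, gid, size) sorted by time. flags holds
    'm', 'a', 'c' or '.' depending on which timestamps of the inode equal that time."""
    events = defaultdict(set)
    for rec in records:
        for letter, key in (("m", "st_mtime"), ("a", "st_atime"), ("c", "st_ctime")):
            events[(rec[key], rec["st_ino"])].add(letter)
    by_ino = {rec["st_ino"]: rec for rec in records}
    rows = []
    for when, ino in sorted(events):
        flags = "".join(l if l in events[(when, ino)] else "." for l in "mac")
        rec = by_ino[ino]
        rows.append((when, ino, flags, ls_mode(rec["st_mode"]),
                     rec["st_uid"], rec["st_gid"], rec["st_size"]))
    return rows

def format_row(row):
    """Render like mactime does; UTC here, whereas mactime uses the local time zone."""
    when, ino, flags, ls, uid, gid, size = row
    stamp = time.strftime("%b %d %y %H:%M:%S", time.gmtime(when))
    return f"{stamp} {size:>8} {flags} {ls} {uid} {gid} <dead-{ino}>"
```

Printing format_row for each row of mac_timeline(parse_ils(ILS_DUMP)) gives the same kind of listing as mactime.txt, with the m, a and c columns showing which timestamps coincide.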
The mactime command sorts the inode records by time so that, by comparing the m, a and c columns, you can see which inodes were modified, accessed or changed and when. Now for the interesting part. Looking at the same data in Autopsy (see the screenshot at http://xfocus.org/tmp/autopsy.jpg), the picture shows clearly what we want to recover and where it is :)

B, Recover data: after the analysis above we should be able to decide which data looks most interesting, and then use the icat command to extract it. From the screenshot we can see that lk.tgz at inode 23 should be the most interesting item, so let's take a look.
# icat honeypot.hda8.dd 23 > file-23    <- extract the data of inode 23
# file file-23    <- check the file type
file-23: gzip compressed data, deflated,
last modified: Sat Mar 3 11:09:06 2001, os: Unix
# tar zvfx file-23    <- unpack
last/
tar: Archive contains future timestamp 2002-02-08 21:08:13
last/ssh
last/pidfile
last/install
last/linsniffer
last/cleaner
last/inetd.conf
last/lsattr
last/services
last/sense
last/ssh_config
last/ssh_host_key
last/ssh_host_key.pub
last/ssh_random_seed
last/sshd_config
last/sl2
last/last.cgi
last/ps
last/netstat
last/ifconfig
last/top
last/logclear
last/s
last/mkxfs
Recovering the deleted lk.tgz is that easy. If you are interested, we can also recover the /last directory at inode 2038 from the screenshot. Let's look at what is in 2038:
# ils honeypot.hda8.dd 2038
......
2038|f|1031|100|984707105|984707105|984707169|984707169|40755|0|0|8481|0
Note: the second-to-last field, 8481, is st_block0, the first data block of the directory.
# bcat -h honeypot.hda8.dd 8481 512
0    F6070000 0C000102 2E000000 02000000  .... .... .... ....
16   F4030202 2E2E0000 F7070000 0C000301  .... .... .... ....
32   73736800 F8070000 10000701 70696466  ssh. .... .... pidf
48   696C6500 F9070000 10000701 696E7374  ile. .... .... inst
64   616C6C00 FA070000 14000801 636F6D70  all. .... .... comp
80   75746572 65720000 FB070000 10000701  uter er.. .... ....
96   636C6561 6E657200 FC070000 14000A01  clea ner. .... ....
112  696E6574 642E636F 6E660000 FD070000  inet d.co nf.. ....
128  10000601 6C736174 74720000 FE070000  .... lsat tr.. ....
144  20000801 73657276 69636573 FF070000   ... serv ices ....
160  10000501 73656E73 65000000 00080000  .... sens e... ....
176  28000A01 7373685F 636F6E66 69670000  (... ssh_ conf ig..
192  01080000 14000C01 7373685F 686F7374  .... .... ssh_ host
208  5F6B6579 02080000 30001001 7373685F  _key .... 0... ssh_
224  686F7374 5F6B6579 2E707562 03080000  host _key .pub ....
240  18000F01 7373685F 72616E64 6F6D5F73  .... ssh_ rand om_s
256  65656400 04080000 FC020B01 73736864  eed. .... .... sshd
272  5F636F6E 66696700 05080000 0C000301  _con fig. .... ....
288  736C3200 06080000 DC020801 6C617374  sl2. .... .... last
304  2E636769 07080000 2C000201 70730000  .cgi .... ,... ps..
320  08080000 20000701 6E657473 74617400  ....  ... nets tat.
336  09080000 10000801 6966636F 6E666967  .... .... ifco nfig
352  0A080000 0C000301 746F7000 0B080000  .... .... top. ....
368  10000801 6C6F6763 6C656172 0C080000  .... logc lear ....
384  84020101 73000000 0D080000 78020501  .... s... .... x...
400  6D6B7866 73000000 00000000 00000000  mkxf s... .... ....
416  00000000 00000000 00000000 00000000  .... .... .... ....
432  00000000 00000000 00000000 00000000  .... .... .... ....
448  00000000 00000000 00000000 00000000  .... .... .... ....
464  00000000 00000000 00000000 00000000  .... .... .... ....
480  00000000 00000000 00000000 00000000  .... .... .... ....
496  00000000 00000000 00000000 00000000  .... .... .... ....
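The 512 bytes dumped above are the start of an ext2 directory block. The following added example (not code from the page or from TCT) builds a constructed block with the same layout, in which '..' has had its rec_len stretched to the end of the block, and walks it twice: by rec_len, as the kernel does, which sees only '.' and '..', and entry by entry, which recovers the unlinked names hidden behind it. Names and inode numbers are constructed to mirror the dump.

```python
import struct

EXT2_FT_REG, EXT2_FT_DIR = 1, 2
BLOCK_SIZE = 1024          # ext2 block size assumed for the constructed block

def rec_size(name_len):
    """Minimal on-disk size of an entry: 8-byte header + name, rounded up to 4 bytes."""
    return (8 + name_len + 3) & ~3

def pack_dirent(inode, rec_len, name, ftype):
    """ext2_dir_entry_2: inode u32, rec_len u16, name_len u8, file_type u8, name (padded)."""
    return struct.pack("<IHBB", inode, rec_len, len(name), ftype) + name.encode().ljust(rec_len - 8, b"\0")

def build_block():
    """Constructed directory block modelled on the bcat dump above: '.' and '..' are live,
    the entries behind them were unlinked by stretching '..' rec_len to the block end."""
    data = pack_dirent(2038, 12, ".", EXT2_FT_DIR) + pack_dirent(2, 12, "..", EXT2_FT_DIR)
    for ino, name in enumerate(["ssh", "pidfile", "install", "cleaner", "inetd.conf", "lsattr"], 2039):
        data += pack_dirent(ino, rec_size(len(name)), name, EXT2_FT_REG)
    block = bytearray(data.ljust(BLOCK_SIZE, b"\0"))
    struct.pack_into("<H", block, 12 + 4, BLOCK_SIZE - 12)   # '..' now spans offsets 12..1023
    return bytes(block)

def read_entry(block, off):
    inode, rec_len, name_len, ftype = struct.unpack_from("<IHBB", block, off)
    name = block[off + 8:off + 8 + name_len].decode("latin-1")
    return inode, rec_len, name_len, ftype, name

def live_entries(block):
    """What the kernel lists: hop from entry to entry by rec_len."""
    out, off = [], 0
    while off + 8 <= len(block):
        inode, rec_len, _, _, name = read_entry(block, off)
        if rec_len < 8 or off + rec_len > len(block):
            break                                   # broken chain, stop rather than loop
        if inode:
            out.append((inode, name))
        off += rec_len
    return out

def carve_entries(block):
    """Forensic scan: step by each entry's minimal size instead of rec_len, so names hidden
    inside a stretched rec_len (deleted files) are recovered; assumes packed entries."""
    out, off = [], 0
    while off + 8 <= len(block):
        inode, _, name_len, _, name = read_entry(block, off)
        if inode == 0 or name_len == 0:
            break                                   # reached the unused tail of the block
        out.append((inode, name))
        off += rec_size(name_len)
    return out
```

On the real block the carving scan would also surface an entry whose rec_len disagrees with its name length, which is exactly the trace a deletion leaves.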
We can see that the last directory is simply the unpacked lk.tgz, so there is not much value in recovering it ;)

C, Further analysis: now that the rootkit has been found, we should look at where its files were installed. There is a simple approach that finds a lot without much effort:
# find /mnt -type f -exec md5sum {} \; > md5.all
This walks every file under our mount point, takes its md5sum hash and stores the results in md5.all, ready to compare against the rootkit.
# for i in last/*
> do echo $i;
> grep `md5sum $i` md5.all;
> done;
last/cleaner
last/ifconfig
md5.all:086394958255553f6f38684dad97869e  /mnt/sbin/ifconfig
last/inetd.conf
md5.all:b63485e42035328c0d900a71ff2e6bd7  /mnt/etc/inetd.conf
last/install
last/last.cgi
last/linsniffer
md5.all:6c0f96c1e43a23a21264f924ae732273  /mnt/dev/ida/.drag-on/linsniffer
md5.all:6c0f96c1e43a23a21264f924ae732273  /mnt/dev/ida/.. /linsniffer
last/logclear
md5.all:5f22ceb87631fbcbf32e59234feeaa5b  /mnt/dev/ida/.drag-on/logclear
md5.all:5f22ceb87631fbcbf32e59234feeaa5b  /mnt/dev/ida/.. /logclear
last/lsattr
last/mkxfs
md5.all:18a2d7d3178f321b881e7c493af72996  /mnt/dev/ida/.drag-on/mkxfs
md5.all:18a2d7d3178f321b881e7c493af72996  /mnt/dev/ida/.. /mkxfs
last/netstat
md5.all:2b07576213c1c8b942451459b3dc4903  /mnt/bin/netstat
last/pidfile
md5.all:68b329da9893e34099c7d8ad5cb9c940  /mnt/etc/at.deny
last/ps
md5.all:7728c15d89f27e376950f96a7510bf0f  /mnt/bin/ps
last/s
md5.all:06d04fa3c4941b398756d029de75770e  /mnt/dev/ida/.drag-on/s
md5.all:06d04fa3c4941b398756d029de75770e  /mnt/dev/ida/.. /s
last/sense
md5.all:464dc23cac477c43418eb8d3ef087065  /mnt/dev/ida/.drag-on/sense
md5.all:464dc23cac477c43418eb8d3ef087065  /mnt/dev/ida/.. /sense
last/services
md5.all:54e41f035e026f439d4188759b210f07  /mnt/etc/services
last/sl2
md5.all:4cfae8c44a6d1ede669d41fc320c7325  /mnt/dev/ida/.drag-on/sl2
md5.all:4cfae8c44a6d1ede669d41fc320c7325  /mnt/dev/ida/.. /sl2
last/ssh
last/ssh_config
last/ssh_host_key
md5.all:c2c1b08498ed71a908c581d634832672  /mnt/dev/ida/.drag-on/ssh_host_key
md5.all:c2c1b08498ed71a908c581d634832672  /mnt/dev/ida/.. /ssh_host_key
last/ssh_host_key.pub
last/ssh_random_seed
md5.all:ad265d3c07dea3151bacb6930e0b72d3  /mnt/dev/ida/.. /ssh_random_seed
last/sshd_config
last/top
This approach is a great help in intrusion analysis. From the output above we can easily determine that the rootkit was installed in several hidden directories, such as
/dev/ida/.. /
/dev/ida/.drag-on/
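The md5.all comparison above, as an added Python example (not the page's shell loop and not part of TCT): it indexes every file under the mount by MD5, looks up each recovered rootkit file, and flags matches that sit in hidden directories such as .drag-on or '.. '. The image tree it scans is constructed in a temporary directory, with a handful of files standing in for the real partition.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
def md5_file(path):
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()

def md5_index(mount_root):
    """md5 -> [paths] for every regular file under the mount (the md5.all step above)."""
    index = defaultdict(list)
    for dirpath, _, files in os.walk(mount_root):
        for name in files:
            path = os.path.join(dirpath, name)
            index[md5_file(path)].append(path)
    return index

def is_hidden(path, mount_root):
    """True when any directory component starts with '.' or carries surrounding whitespace
    (names such as '.drag-on' or '.. ' that hide from a casual ls)."""
    parts = os.path.relpath(path, mount_root).split(os.sep)[:-1]
    return any(p.startswith(".") or p != p.strip() for p in parts)

def match_rootkit(rootkit_dir, mount_root):
    """For each recovered rootkit file, list the identical files on the image and whether
    each sits in a hidden directory. Empty list: no copy of that file was installed."""
    index = md5_index(mount_root)
    report = {}
    for name in sorted(os.listdir(rootkit_dir)):
        matches = index.get(md5_file(os.path.join(rootkit_dir, name)), [])
        report[name] = [(p, is_hidden(p, mount_root)) for p in matches]
    return report

def demo():
    """Constructed image: trojaned ifconfig in /sbin and .drag-on, 's' only in '.. '."""
    top = tempfile.mkdtemp()
    files = {
        ("mnt", "sbin", "ifconfig"): b"trojaned ifconfig",
        ("mnt", "dev", "ida", ".drag-on", "ifconfig"): b"trojaned ifconfig",
        ("mnt", "dev", "ida", ".. ", "s"): b"backdoor s",
        ("mnt", "bin", "ls"): b"clean ls",
        ("last", "ifconfig"): b"trojaned ifconfig",
        ("last", "s"): b"backdoor s",
        ("last", "install"): b"install script",
    }
    for parts, content in files.items():
        path = os.path.join(top, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return match_rootkit(os.path.join(top, "last"), os.path.join(top, "mnt"))
```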
D, Since the focus of this article is not intrusion detection, the other traces the intruder left in the image will not be analyzed further. Readers who are interested are encouraged to download the package and try it themselves; there is a lot to learn from the analyses of the Honeynet masters.

Finally, a tool called Recover. It can restore files deleted under EXT2. It is not as powerful as TCT, but it is more "foolproof" and easier to operate. You can get it from http://xfocus.org/tool/other/recover-1.2.tar. It is easy to run: just run ./recover, and it asks for the system information needed to locate the files to recover, such as the disk, the deletion time and the file size. However, the recovered files are all named by number, which makes identifying them somewhat difficult. That's it, have fun.

References:
1, "Honeynet Scan of the Month #15" by Brian Carrier
2, The Honeynet mirror at http://www.xfocus.org/honeynet/
3, The man pages of TCT, tctutils and Autopsy (http://www.xfocus.org/tmp/tct_man.zip)
4, http://www.incident-response.org/