Beastkit

Analysis by: unknown

Analysis of a rootkit found on a RedHat 7.2 system in 01/2002. The rootkit setup script includes the line "#Beastkit 7.0 - X-Org edition", so we call the rootkit "Beastkit 7.0" in this document. The compromise was carried out through a CRC32 compensation attack against SSH-1.5-1.2.27.

Detecting Beastkit

To obtain unmodified results from common programs (like ps), we used a mounted stand-alone shell (sash) and static binaries.

The unmodified netstat shows the following interesting connection:

    Proto Recv-Q Send-Q Local Address   Foreign Address  State
    tcp        0      0 0.0.0.0:56493   0.0.0.0:*        LISTEN

The unmodified ps shows the following interesting processes:

    USER  PID   %CPU %MEM SIZE RSS TTY STAT START TIME COMMAND
    root  17081 0.0  0.0  1880 4   ?   S    03:42 0:00 /usr/sbin/arobia -q -p 56493
    root  17097 0.0  0.0  1528 160 ?   S    03:42 0:00 lpsched /usr/local/bin/bin/..././
    root  17109 0.0  0.0  1524 156 ?   S    03:42 0:00 lpsched /idrun
    root  17300 0.0  0.0  1528 160 ?   S    03:45 0:00 lpsched

The unmodified lsof (LiSt Open Files) shows the following interesting open files:

    COMMAND PID   USER FD  TYPE DEVICE SIZE    NODE   NAME
    arobia  17081 root cwd DIR  3,2    1024    2      /
    arobia  17081 root rtd DIR  3,2    1024    2      /
    arobia  17081 root txt REG  3,5    206760  306925 /usr/sbin/arobia
    arobia  17081 root mem REG  3,2    485171  34370  /lib/ld-2.2.4.so
    arobia  17081 root mem REG  3,2    436784  34380  /lib/libnsl-2.2.4.so
    arobia  17081 root mem REG  3,2    85115   34282  /lib/libcrypt-2.2.4.so
    arobia  17081 root mem REG  3,2    47872   34327  /lib/libutil-2.2.4.so
    arobia  17081 root mem REG  3,2    5772268 60578  /lib/i686/libc-2.2.4.so
    arobia  17081 root 0u  CHR  1,3            22868  /dev/null
    arobia  17081 root 1u  CHR  1,3            22868  /dev/null
    arobia  17081 root 2u  CHR  1,3            22868  /dev/null
    arobia  17081 root 3u  IPv4 110686                TCP *:56493 (LISTEN)
    arobia  17081 root 5u  sock 0,0            110290 can't identify protocol
    idrun   17109 root cwd DIR  3,5    0       306921 /usr/man/.man10/bk7 (deleted)
    idrun   17109 root rtd DIR  3,2    1024    2      /
    idrun   17109 root txt REG  3,5    89828   306945 /usr/sbin/idrun
    idrun   17109 root mem REG  3,2    485171  34370  /lib/ld-2.2.4.so
    idrun   17109 root mem REG  3,2    5772268 60578  /lib/i686/libc-2.2.4.so
    idrun   17109 root mem REG  3,2    261460  34311  /lib/libnss_files-2.2.4.so
    idrun   17109 root 0u  raw  263594                00000000:0001->00000000:0000 st=07
    idrun   17109 root 3u  raw  111231                00000000:0001->00000000:0000 st=07
    idrun   17109 root 5u  sock 0,0            110290 can't identify protocol
    bktd    17097 root cwd DIR  3,5    0       306921 /usr/man/.man10/bk7 (deleted)
    bktd    17097 root rtd DIR  3,2    1024    2      /
    bktd    17097 root txt REG  3,5    93924   306924 /usr/local/bin/.../bktd
    bktd    17097 root mem REG  3,2    485171  34370  /lib/ld-2.2.4.so
    bktd    17097 root mem REG  3,2    5772268 60578  /lib/i686/libc-2.2.4.so
    bktd    17097 root mem REG  3,2    261460  34311  /lib/libnss_files-2.2.4.so
    bktd    17097 root 0u  raw  263598                00000000:0001->00000000:0000 st=07
    bktd    17097 root 3u  raw  110971                00000000:0001->00000000:0000 st=07
    bktd    17097 root 5u  sock 0,0            110290 can't identify protocol

Note that PIDs 17097 and 17109 appear as "lpsched" in the ps output but as "bktd" and "idrun" in lsof, that both run from a working directory that has since been deleted (/usr/man/.man10/bk7), and that both hold raw sockets.

Beastkit properties

Beastkit 7.0 replaces common binaries that can be used to monitor system operation (like ps).
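Because ps, netstat and lsof are among the replaced binaries, their output is only meaningful when taken with trusted static copies, as was done in the Detecting Beastkit section above. That output carries several indicators that can be checked mechanically: a working directory that has been deleted, hidden path components such as /usr/man/.man10 and the "..." directory names, raw sockets, a listener on an unexpected port, and a PID whose name in ps (lpsched) differs from the name lsof reports (bktd, idrun). The following Python script is an added example and is not part of the original analysis; it scans the ps and lsof text quoted above (embedded here as constructed sample input) and reports these indicators per PID. EXPECTED_LISTEN_PORTS is an assumed baseline for the host, not something the report states.

```python
"""Scan ps and lsof output for the process-level Beastkit indicators noted above.

Added example (not part of the original analysis). The sample text is constructed
from the ps and lsof lines quoted in the report; EXPECTED_LISTEN_PORTS is an assumed
baseline for the host.
"""
import os
import re

# Constructed sample: the ps lines quoted in the report.
PS_SAMPLE = """\
USER PID %CPU %MEM SIZE RSS TTY STAT START TIME COMMAND
root 17081 0.0 0.0 1880 4 ? S 03:42 0:00 /usr/sbin/arobia -q -p 56493
root 17097 0.0 0.0 1528 160 ? S 03:42 0:00 lpsched /usr/local/bin/bin/..././
root 17109 0.0 0.0 1524 156 ? S 03:42 0:00 lpsched /idrun
root 17300 0.0 0.0 1528 160 ? S 03:45 0:00 lpsched
"""

# Constructed sample: a subset of the lsof lines quoted in the report.
LSOF_SAMPLE = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
arobia 17081 root txt REG 3,5 206760 306925 /usr/sbin/arobia
arobia 17081 root 3u IPv4 110686 TCP *:56493 (LISTEN)
idrun 17109 root cwd DIR 3,5 0 306921 /usr/man/.man10/bk7 (deleted)
idrun 17109 root txt REG 3,5 89828 306945 /usr/sbin/idrun
idrun 17109 root 0u raw 263594 00000000:0001->00000000:0000 st=07
bktd 17097 root cwd DIR 3,5 0 306921 /usr/man/.man10/bk7 (deleted)
bktd 17097 root txt REG 3,5 93924 306924 /usr/local/bin/.../bktd
bktd 17097 root 0u raw 263598 00000000:0001->00000000:0000 st=07
"""

# Assumed baseline of ports this host legitimately listens on (illustration only).
EXPECTED_LISTEN_PORTS = {22, 25}

LISTEN_RE = re.compile(r"TCP \*:(\d+) \(LISTEN\)")


def parse_ps(text):
    """Map PID -> COMMAND string; ps prints ten fixed columns before COMMAND."""
    procs = {}
    for line in text.splitlines()[1:]:
        fields = line.split(None, 10)
        if len(fields) == 11:
            procs[int(fields[1])] = fields[10]
    return procs


def parse_lsof(text):
    """Return rows as dicts. The column count after TYPE varies (CHR/raw/sock rows
    have no SIZE), so DEVICE/SIZE/NODE/NAME are kept together as 'rest'."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 5)
        if len(fields) == 6:
            cmd, pid, user, fd, ftype, rest = fields
            rows.append({"cmd": cmd, "pid": int(pid), "fd": fd, "type": ftype, "rest": rest})
    return rows


def hidden_components(path):
    """Path components that start with '.', other than '.' and '..' themselves
    (catches /usr/man/.man10 and the '...' directory names the kit uses)."""
    return [c for c in path.split("/") if c.startswith(".") and c not in (".", "..")]


def scan(ps_text, lsof_text, expected_ports=EXPECTED_LISTEN_PORTS):
    """Return {pid: sorted list of indicator strings} for every suspicious PID."""
    findings = {}

    def flag(pid, reason):
        findings.setdefault(pid, set()).add(reason)

    procs = parse_ps(ps_text)
    # Indicator visible in ps alone: a hidden directory on the command line.
    for pid, cmd in procs.items():
        for tok in cmd.split():
            if tok.startswith("/") and hidden_components(tok):
                flag(pid, "hidden path component on command line: " + tok)

    for row in parse_lsof(lsof_text):
        pid, rest = row["pid"], row["rest"]
        if row["fd"] == "cwd" and rest.endswith("(deleted)"):
            flag(pid, "working directory has been deleted")
        if row["type"] == "raw":
            flag(pid, "raw socket open (sniffer indicator)")
        m = LISTEN_RE.search(rest)
        if m and int(m.group(1)) not in expected_ports:
            flag(pid, "unexpected TCP listener on port " + m.group(1))
        if row["fd"] in ("cwd", "txt") and " /" in rest:
            path = rest[rest.index(" /") + 1:].replace(" (deleted)", "")
            if hidden_components(path):
                flag(pid, "hidden path component: " + path)
        # lsof truncates COMMAND to 9 characters by default, hence the prefix compare.
        if pid in procs:
            ps_name = os.path.basename(procs[pid].split()[0])
            if not ps_name.startswith(row["cmd"]):
                flag(pid, "name mismatch: ps shows %r, lsof shows %r" % (ps_name, row["cmd"]))

    return {pid: sorted(reasons) for pid, reasons in findings.items()}


if __name__ == "__main__":
    for pid, reasons in sorted(scan(PS_SAMPLE, LSOF_SAMPLE).items()):
        print(pid)
        for reason in reasons:
            print("   ", reason)
```

Run on the sample, the script flags 17081 only for its listener on port 56493, while 17097 and 17109 collect the deleted working directory, the raw sockets, the hidden path components and the ps/lsof name mismatch; 17300 produces no lsof rows in the sample and is not flagged, which is a reminder that a ps-only view misses most of these indicators.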
List of programs included in the rootkit (bin.tgz):

    md5sum                            Filename          Size
    98bf3bd30914773e50060a7f56eda4f4  encrypt           14808
    ae060f54e8f3a8e79dc95867171811ef  pg                3552
    f2e3b130a937af92ff507315406589b1  sz                1382
    0a07cf554c1a74ad974416f60916b78d  /bin/ls           39696
    195075782a2f7853731bf3e0c62e6925  /bin/netstat      54152
    ced323b51dc984f66c2695d8fd6a2368  /bin/ps           62920
    e4738d828b366ac21572e6a17f7ecba4  /sbin/ifconfig    31504
    753d5e7af271c12e0803956dd8c2b8e6  /sbin/syslogd     26496
    0a07cf554c1a74ad974416f60916b78d  /usr/bin/dir      39696
    98596eaad65b9f748fca2dcf48a9b3ef  /usr/bin/find     59536
    a1931a396d9a7ffbcd0c7612627073ba  /usr/bin/pstree   12340
    3fc77d2a3ae361c86ef4629c0f5e380e  /usr/bin/slocate  23560
    fd319aa8e6f56a32c0cb8fc6e9a69195  /usr/bin/top      33992
    f7acbc61f8715bdda41989683bc8e8a8  /usr/bin/md5sum   31452
    0c1411a47e58bcbef33abdaf53ede4e6  /usr/sbin/idrun   89828
    56b863dcfacadf6d66d859e2ee59517e  /usr/sbin/lsof    82628

The original programs were replaced by the rootkit. Their timestamps do not change, because the rootkit uses touch -acmr to copy the timestamps of the original files onto the rootkit files. Note that /usr/bin/md5sum and /usr/sbin/lsof are themselves among the replaced programs, so checksums and open-file listings taken with the installed binaries cannot be trusted.

Beastkit contains some tools (bktools), placed at /lib/ldd.so/bktools:

    md5sum                            Filename  Size
    b0812b62c9c3307161c5400870d7d230  bkget     25664
    926784667fa921b38fceb124644f6568  bkp       7578
    63c6a53e779c06923344b15a0e8f1799  bks       16070
    12e8748c19abe7a44e67196c22738e9b  bksb      1345
    5dba380b431418f1d15a014472268b65  bkscan    9556
    d536271d4c13a2cf71c0e74d09839f27  bktd      90788
    2f6957ee2b2c29259225c6b0f271539b  patch     1875
    0bb5cb28717d1a36c2a871a1dd713666  prl       1854
    e2384d85534272ba46baa6979cefc634  prw       1831

    bkget  - SynScan daemon (by psychoid/tCl)
    bkp    - hdlp2 version 2.05
    bks    - sniffer
    bksb   - "sauber" script (see the duarawkz rootkit), cleans up some of the intruder's traces
    bkscan - SynScan (by psychoid/tCl)
    bktd
    patch  - SSHd patch script (update to ssh-1.2.32 using ftp)
    prl    - SSHd patch script (update to ssh-1.2.32 using http)
    prw    - SSHd patch script (update to ssh-1.2.32)

An SSHd backdoor named "arobia" was installed.
The config files were found in /usr/lib/elm/arobia/. A new password for the backdoor was generated with the command

    sed s/08e7592e361de6fd59d4d126b29fe6ea/`md5sum --string=$1|awk '{print $1}'`/g elm\ > arobia

which replaces the default password (08e7592e361de6fd59d4d126b29fe6ea = "arobia") of the original backdoor "elm" and produces the new backdoor "arobia". After that, "arobia" was moved to /usr/sbin. The backdoor is started with /usr/sbin/arobia -q -p 56493, where 56493 is the port number.

    md5sum                            Filename                        Size
    f7820a858bceee09246f4454e3c24e95  /usr/sbin/arobia                206760
    f78fa4c346287a3af35656a9ac33e733  /usr/lib/elm/arobia/elm         206760
    a5d7227117841d0518a6be3510dabb57  /usr/lib/elm/arobia/elm/hk      529
    eb1929cdeb8c4abe428540a58adfa7a2  /usr/lib/elm/arobia/elm/hk.pub  333
    5fd2ce512e0eba4d090191e8a1518808  /usr/lib/elm/arobia/elm/sc      880
    563b9fb9877beb3b33428acdfba1a571  /usr/lib/elm/arobia/elm/sd.pp   6
    82ff57cdc95b9b01d88ef5dca721981d  /usr/lib/elm/arobia/elm/sdco    480
    a604bd841806dd5abe543a3281eb5a78  /usr/lib/elm/arobia/elm/srsd    512

More rootkit properties

The program bktd was placed at /usr/local/bin/.../; furthermore, some libraries and header files were placed under /lib/ and /usr/include/:

    md5sum                            Filename                Size
    00846ffcc2ed7fa23b42089e92273964  bktd                    93924
    2aed58986303584c96edd16f6195e797  /lib/libproc.a          33848
    8581544643145cd159e93df986539ce8  /lib/libproc.so.2.0.6   37984
    dcf6a1cb6fd162461195294904c078f8  /lib/lidps1.so          9
    6efdfd44c0b1e197dae1b10e994f7721  /usr/include/file.h     56
    1791784f079870739ecc707add37aafe  /usr/include/hosts.h    19
    64bdd72e707ba4680cc7d7a58e8aac07  /usr/include/log.h      43
    1534580c14b3b70d29d000f3691d1c25  /usr/include/proc.h     47

The following lines were added to /etc/rc.d/rc.sysinit to start a backdoor on port 33333 at system startup:

    # Arobia daemon startup..
    /usr/sbin/xntps -q -p 33333
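The hash tables in this report and the two lines appended to rc.sysinit are the file-level indicators of this kit. The Python script below is an added example, not part of the original analysis: it matches a checksum listing in md5sum output format against the rootkit hashes listed above, and scans an rc.sysinit excerpt for the "-q -p <port>" start-up form used for arobia. The listing and the rc.sysinit excerpt are constructed for illustration (two hashes in the listing are the rootkit values from the tables, the rest are constructed clean values). Since /usr/bin/md5sum is itself among the replaced programs, a real listing must be produced with a static or boot-media md5sum, as the Detecting Beastkit section describes.

```python
"""Match a trusted md5sum listing and an rc.sysinit excerpt against the Beastkit 7.0
file indicators listed in this report.

Added example (not part of the original analysis). The listing and rc.sysinit text
below are constructed for illustration.
"""
import hashlib
import re

# Hashes of the replaced binaries and the arobia backdoor, as listed in this report.
BEASTKIT_MD5 = {
    "0a07cf554c1a74ad974416f60916b78d": "ls/dir",
    "195075782a2f7853731bf3e0c62e6925": "netstat",
    "ced323b51dc984f66c2695d8fd6a2368": "ps",
    "e4738d828b366ac21572e6a17f7ecba4": "ifconfig",
    "753d5e7af271c12e0803956dd8c2b8e6": "syslogd",
    "98596eaad65b9f748fca2dcf48a9b3ef": "find",
    "a1931a396d9a7ffbcd0c7612627073ba": "pstree",
    "3fc77d2a3ae361c86ef4629c0f5e380e": "slocate",
    "fd319aa8e6f56a32c0cb8fc6e9a69195": "top",
    "f7acbc61f8715bdda41989683bc8e8a8": "md5sum",
    "0c1411a47e58bcbef33abdaf53ede4e6": "idrun",
    "56b863dcfacadf6d66d859e2ee59517e": "lsof",
    "f7820a858bceee09246f4454e3c24e95": "arobia (SSHd backdoor)",
}


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


# Constructed listing in `md5sum` output format. /bin/ls and /bin/ps carry the
# rootkit hashes from the report; the other two are constructed clean values.
CLEAN_CAT = md5_hex(b"constructed clean /bin/cat")
CLEAN_NETSTAT = md5_hex(b"constructed clean /bin/netstat")
MD5_LISTING = (
    "0a07cf554c1a74ad974416f60916b78d  /bin/ls\n"
    "ced323b51dc984f66c2695d8fd6a2368  /bin/ps\n"
    + CLEAN_CAT + "  /bin/cat\n"
    + CLEAN_NETSTAT + "  /bin/netstat\n"
)


def parse_md5_listing(text):
    """Parse `md5sum` output ('<hex>  <path>' or '<hex> *<path>') into {path: hex}."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-f]{32})\s+\*?(.+)$", line.strip())
        if m:
            entries[m.group(2)] = m.group(1)
    return entries


def find_rootkit_files(listing):
    """Return {path: rootkit component} for every file whose hash is a known Beastkit
    hash. Matching is by hash alone, because the kit installs one binary under several
    names (/bin/ls and /usr/bin/dir share a hash in the report)."""
    return {path: BEASTKIT_MD5[h] for path, h in listing.items() if h in BEASTKIT_MD5}


# Constructed rc.sysinit excerpt: two ordinary lines plus the two lines the report
# says were appended.
RC_SYSINIT = """\
# Start up swapping.
action $"Activating swap partitions: " swapon -a
# Arobia daemon startup..
/usr/sbin/xntps -q -p 33333
"""

# An absolute-path daemon started as '<path> -q -p <port>', the form used for arobia.
DAEMON_LINE = re.compile(r"^\s*(/\S+)\s+-q\s+-p\s+(\d+)\s*$")


def find_startup_backdoors(text, allowed=frozenset()):
    """Return [(path, port)] for '-q -p <port>' daemon lines whose path is not on the
    allow-list, and [(comment, None)] for comment lines mentioning arobia."""
    hits = []
    for line in text.splitlines():
        m = DAEMON_LINE.match(line)
        if m and m.group(1) not in allowed:
            hits.append((m.group(1), int(m.group(2))))
        elif line.lstrip().startswith("#") and "arobia" in line.lower():
            hits.append((line.strip(), None))
    return hits


if __name__ == "__main__":
    for path, name in sorted(find_rootkit_files(parse_md5_listing(MD5_LISTING)).items()):
        print("rootkit file:", path, "(" + name + ")")
    for item, port in find_startup_backdoors(RC_SYSINIT):
        print("rc.sysinit:", item, "" if port is None else "port %d" % port)
```

On the constructed input the hash check reports /bin/ls and /bin/ps and leaves the clean /bin/netstat alone, which shows why matching must be by hash rather than by path: a path-based list would flag every netstat. The rc.sysinit check reports the "Arobia daemon startup.." comment and the xntps line with port 33333; the allow-list parameter exists so that a legitimately installed daemon using the same option form is not reported on every run.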