T A K E D O W N

E V I D E N C E


This is Tsutomu's analysis of the state of his system after it was halted following the break-in. Each line below records one timestamp on one file: when it was last accessed, changed or modified, and on which machine. The fields are:


inode#  size(blocks)  permissions  linkcount  owner  group  size(bytes)  date  system  Access/Change/Modify [A/C/M]  filename
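The field layout above, turned into a parser: this is an added example and not part of the original evidence page or Tsutomu's notes. It reads lines in the format shown on this page (the sample lines embedded below are copied from the listing further down; the year 1994 is assumed because the listing omits it), sorts them by timestamp, splits them into bursts separated by quiet gaps the way the notes group events, and flags the things an analyst wants called out: setuid binaries, device nodes, directory modifications, and compiler passes (access to iropt is how the notes infer "cc -O"). The function names and the gap threshold are my own choices.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Evidence lines copied verbatim from the listing on this page. The listing carries
# no year; 1994 is assumed here for parsing only.
SAMPLE = """\
  2272   16 -rwxr-xr-x  1 root     staff       16384 Dec 25 14:18:37 astarte A /z/usr/etc/in.rshd
 14650    1 -rw-r--r--  1 root     staff         589 Dec 25 14:18:38 astarte A /z/export/root/osiris/.cshrc
 14653    1 -rw-r--r--  1 root     staff         187 Dec 25 14:18:38 astarte A /z/export/root/osiris/.rhosts
  1098   16 -rwxr-xr-x  1 root     staff       16384 Dec 25 14:19:11 astarte A /z/usr/bin/uname
  9515  208 -r-xr-xr-x  1 root     staff      204800 Dec 25 14:21:46 astarte A /z/usr/lib/iropt
  1835    5 -rwxr-xr-x  1 root     staff        4904 Dec 25 14:22:20 astarte A /z/usr/ucb/strings
 83057   24 -rwsr-xr-x  1 root     staff       24576 Dec 25 14:22:20 astarte A /z/x/usr_u1/openwin/bin/loadmodule
   963    1 lrwxrwxrwx  1 root     wheel          14 Dec 25 14:37:27 astarte A /z/usr/bin/cc -> ../lib/compile
  2294    3 -rwxr-xr-x  1 root     staff        2888 Dec 25 14:40:30 astarte A /z/usr/etc/mknod
 14102    0 crwxrwxrwx  1 root     staff     37,  59 Dec 25 14:40:31 astarte A /z/export/root/osiris/dev/tap
 13384   12 drwxr-sr-x  2 root     staff       11776 Dec 25 14:40:31 astarte M /z/export/root/osiris/dev
"""

# One line: inode, blocks, mode, links, owner, group, size-or-"major, minor",
# month day hh:mm:ss, host, which timestamp (A/C/M), path, optional symlink target.
LINE_RE = re.compile(
    r"^\s*(?P<inode>\d+)\s+(?P<blocks>\d+)\s+(?P<mode>[-bcdlps][-rwxsStT]{9})\s+"
    r"(?P<links>\d+)\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+,\s*\d+|\d+)\s+"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<hms>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<which>[ACM])\s+(?P<path>\S+)"
    r"(?:\s+->\s+(?P<target>\S+))?\s*$"
)


@dataclass
class Entry:
    inode: int
    mode: str
    links: int
    owner: str
    group: str
    size: Optional[int]              # bytes; None for device nodes
    dev: Optional[Tuple[int, int]]   # (major, minor) for device nodes
    when: datetime
    host: str
    which: str                       # which timestamp this line records: A, C or M
    path: str
    target: Optional[str]            # symlink target, if any


def parse_listing(text: str, year: int = 1994) -> List[Entry]:
    """Parse the listing format used on this page, sorted by timestamp (stable, so
    lines with the same second keep their listing order)."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unparsed line: {raw!r}")
        size_field = m["size"]
        if "," in size_field:                       # device node: major, minor
            major, minor = (int(x) for x in size_field.split(","))
            size, dev = None, (major, minor)
        else:
            size, dev = int(size_field), None
        when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}",
                                 "%Y %b %d %H:%M:%S")
        entries.append(Entry(int(m["inode"]), m["mode"], int(m["links"]), m["owner"],
                             m["group"], size, dev, when, m["host"], m["which"],
                             m["path"], m["target"]))
    return sorted(entries, key=lambda e: e.when)


def notable(e: Entry) -> List[str]:
    """Properties of one entry that deserve a second look in a timeline."""
    flags = []
    if e.mode[0] in "bc":
        flags.append(f"device node {e.dev[0]},{e.dev[1]}")
    if e.mode[3] == "s":
        flags.append("setuid executable")
    if e.mode[0] == "d" and e.which == "M":
        flags.append("directory contents changed (entry created, removed or renamed)")
    return flags


def cluster(entries: List[Entry], gap_seconds: int = 60) -> List[List[Entry]]:
    """Group time-sorted entries into bursts separated by more than gap_seconds of silence."""
    groups: List[List[Entry]] = []
    for e in entries:
        if groups and (e.when - groups[-1][-1].when).total_seconds() <= gap_seconds:
            groups[-1].append(e)
        else:
            groups.append([e])
    return groups


def summarize(group: List[Entry]) -> dict:
    """What one burst looked like; optimizer_seen is the page's own 'cc -O' inference."""
    return {
        "start": group[0].when.strftime("%H:%M:%S"),
        "end": group[-1].when.strftime("%H:%M:%S"),
        "hosts": sorted({e.host for e in group}),
        "paths": [e.path for e in group],
        "flags": [f"{e.path}: {f}" for e in group for f in notable(e)],
        "compiler_seen": any(e.path.endswith(("/compile", "/cpp", "/ccom", "/cg", "/iropt"))
                             for e in group),
        "optimizer_seen": any(e.path.endswith("/iropt") for e in group),
    }


if __name__ == "__main__":
    for g in cluster(parse_listing(SAMPLE)):
        s = summarize(g)
        print(f"{s['start']}-{s['end']} {','.join(s['hosts'])} {len(g)} entries"
              f"{' [cc -O]' if s['optimizer_seen'] else ''}")
        for f in s["flags"]:
            print("   !", f)
```

Run it and each burst prints as a time range with the flags the notes below call out by hand (the setuid loadmodule, the /dev/tap character device 37,59 and the modified /dev directory). The threshold is the judgment call: 60 seconds keeps a compile together, while 20 seconds separates individual commands.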

Appears to be a "finger -l" to Rimmon. Note that in.fingerd was accessed later, so it does not appear here. This is believed to be a finger because no other server programs were accessed later. The "-l" is inferred from the accesses to the timezone files.


  6501    1 -rw-r--r--  9 root     staff          55 Dec 25 14:10:42 rimmon  A /z/usr/share/lib/zoneinfo/GMT
  6501    1 -rw-r--r--  9 root     staff          55 Dec 25 14:10:42 rimmon  A /z/usr/share/lib/zoneinfo/GMT+0
  6501    1 -rw-r--r--  9 root     staff          55 Dec 25 14:10:42 rimmon  A /z/usr/share/lib/zoneinfo/GMT-0
  6501    1 -rw-r--r--  9 root     staff          55 Dec 25 14:10:42 rimmon  A /z/usr/share/lib/zoneinfo/GMT0
  6501    1 -rw-r--r--  9 root     staff          55 Dec 25 14:10:42 rimmon  A /z/usr/share/lib/zoneinfo/Greenwich
  6501    1 -rw-r--r--  9 root     staff          55 Dec 25 14:10:42 rimmon  A /z/usr/share/lib/zoneinfo/UCT
  6501    1 -rw-r--r--  9 root     staff          55 Dec 25 14:10:42 rimmon  A /z/usr/share/lib/zoneinfo/UTC
  6501    1 -rw-r--r--  9 root     staff          55 Dec 25 14:10:42 rimmon  A /z/usr/share/lib/zoneinfo/Universal
  6501    1 -rw-r--r--  9 root     staff          55 Dec 25 14:10:42 rimmon  A /z/usr/share/lib/zoneinfo/Zulu

A "finger" to Rimmon. Note that the zoneinfo files were not accessed, hence no "-l".


    17    1 lrwxrwxrwx  1 root     wheel          10 Dec 25 14:11:00 rimmon  A /z/usr/adm -> ../var/adm
  3303   16 -rwxr-xr-x  1 root     staff       16384 Dec 25 14:11:00 rimmon  A /z/usr/etc/in.fingerd
  2589   24 -rwxr-xr-x  1 root     staff       24576 Dec 25 14:11:00 rimmon  A /z/usr/ucb/finger

   118    1 -rw-r--r--  1 root     staff          97 Dec 25 14:11:08 astarte A /z/export/root/osiris/etc/resolv.conf

A "finger -l" to Osiris. Note that even though Astarte is Osiris's fileserver, Osiris's private data was accessed as well.


    61   10 -rw-r--r--  1 root     staff        9846 Dec 25 14:11:15 astarte A /z/export/root/osiris/etc/ttytab
    64    2 -rw-rw-rw-  1 root     staff        1080 Dec 25 14:11:15 astarte A /z/export/root/osiris/etc/utmp
  2343   16 -rwxr-xr-x  1 root     staff       16384 Dec 25 14:11:15 astarte A /z/usr/etc/in.fingerd
  4572    1 -rw-r--r--  9 root     staff          55 Dec 25 14:11:15 astarte A /z/usr/share/lib/zoneinfo/GMT
  4572    1 -rw-r--r--  9 root     staff          55 Dec 25 14:11:15 astarte A /z/usr/share/lib/zoneinfo/GMT+0
  4572    1 -rw-r--r--  9 root     staff          55 Dec 25 14:11:15 astarte A /z/usr/share/lib/zoneinfo/GMT-0
  4572    1 -rw-r--r--  9 root     staff          55 Dec 25 14:11:15 astarte A /z/usr/share/lib/zoneinfo/GMT0
  4572    1 -rw-r--r--  9 root     staff          55 Dec 25 14:11:15 astarte A /z/usr/share/lib/zoneinfo/Greenwich
  4572    1 -rw-r--r--  9 root     staff          55 Dec 25 14:11:15 astarte A /z/usr/share/lib/zoneinfo/UCT
  4572    1 -rw-r--r--  9 root     staff          55 Dec 25 14:11:15 astarte A /z/usr/share/lib/zoneinfo/UTC
  4572    1 -rw-r--r--  9 root     staff          55 Dec 25 14:11:15 astarte A /z/usr/share/lib/zoneinfo/Universal
  4572    1 -rw-r--r--  9 root     staff          55 Dec 25 14:11:15 astarte A /z/usr/share/lib/zoneinfo/Zulu
  1820   24 -rwxr-xr-x  1 root     staff       24576 Dec 25 14:11:15 astarte A /z/usr/ucb/finger

Perhaps a "finger -l user" to Osiris. The user is inferred from the access to the lastlog file. There is no access to in.fingerd as Osiris still has it cached from the previous request.


 14642    1 -rw-r--r--  1 root     staff         224 Dec 25 14:12:06 astarte A /z/export/root/osiris/var/adm/lastlog

An "rsh" connection to root on Osiris. Root is inferred from access to the .cshrc and .rhosts files (they are root's).


  2272   16 -rwxr-xr-x  1 root     staff       16384 Dec 25 14:18:37 astarte A /z/usr/etc/in.rshd
 14650    1 -rw-r--r--  1 root     staff         589 Dec 25 14:18:38 astarte A /z/export/root/osiris/.cshrc
 14653    1 -rw-r--r--  1 root     staff         187 Dec 25 14:18:38 astarte A /z/export/root/osiris/.rhosts

"uname" command on astarte or one of its clients. Given the recent history, almost certainly on Osiris.


  1098   16 -rwxr-xr-x  1 root     staff       16384 Dec 25 14:19:11 astarte A /z/usr/bin/uname

"file" command executed.


   999   32 -rwxr-xr-x  1 root     staff       32768 Dec 25 14:19:36 astarte A /z/usr/bin/file

"head" command executed.


  1825    4 -rwxr-xr-x  1 root     staff        3240 Dec 25 14:19:49 astarte A /z/usr/ucb/head

"whereis" command executed. Given the next few commands, "whereis gunzip" would be a reasonable candidate (there is no standard place for gzip to live, if it is present at all).


    13    1 lrwxrwxrwx  1 root     wheel           9 Dec 25 14:20:43 astarte A /z/usr/src -> share/src
  1843    8 -rwxr-xr-x  1 root     staff        7744 Dec 25 14:20:43 astarte A /z/usr/ucb/whereis
    17    1 lrwxrwxrwx  1 root     wheel           9 Dec 25 14:20:45 astarte A /z/usr/man -> share/man

A uuencoded gzip'd file is transferred (transfer time was < 18 seconds), unpacked, and uncompressed.


  1087   16 -rwxr-xr-x  1 root     staff       16384 Dec 25 14:21:10 astarte A /z/usr/bin/uudecode
183233   88 -rwxr-xr-x  3 root     staff       90112 Dec 25 14:21:28 astarte A /z/x/usr_u1/local/bin/gunzip
183233   88 -rwxr-xr-x  3 root     staff       90112 Dec 25 14:21:28 astarte A /z/x/usr_u1/local/bin/gzip
183233   88 -rwxr-xr-x  3 root     staff       90112 Dec 25 14:21:28 astarte A /z/x/usr_u1/local/bin/zcat

The file just transferred is compiled. From the list of included header files, such as "arpa/telnet.h", this is likely a backdoor access telnet program of some sort. From the access to iropt, we infer that the optimizer, "cc -O" was used. It took 19 seconds to compile.


  5453    2 -r--r--r--  1 root     staff        1732 Dec 25 14:21:40 astarte A /z/usr/include/stdio.h
  6786    5 -r--r--r--  1 root     staff        5041 Dec 25 14:21:40 astarte A /z/usr/include/sys/socket.h
  6789    2 -r--r--r--  1 root     staff        1163 Dec 25 14:21:40 astarte A /z/usr/include/sys/stdtypes.h
  6796    1 -r--r--r--  1 root     staff         399 Dec 25 14:21:40 astarte A /z/usr/include/sys/sysmacros.h
  6809    3 -r--r--r--  1 root     staff        2979 Dec 25 14:21:40 astarte A /z/usr/include/sys/types.h
  9463   96 -rwxr-xr-x  1 bin      bin         98304 Dec 25 14:21:40 astarte A /z/usr/lib/compile
  9510   80 -rwxr-xr-x  1 root     staff       81920 Dec 25 14:21:40 astarte A /z/usr/lib/cpp
  9462    1 -rw-r--r--  1 bin      bin            80 Dec 25 14:21:40 astarte A /z/usr/lib/lang_info
  5457    1 lrwxrwxrwx  1 root     wheel          11 Dec 25 14:21:41 astarte A /z/usr/include/fcntl.h -> sys/fcntl.h
  5409    3 -r--r--r--  1 root     staff        2649 Dec 25 14:21:41 astarte A /z/usr/include/netdb.h
  6280    6 -r--r--r--  1 root     staff        5366 Dec 25 14:21:41 astarte A /z/usr/include/netinet/in.h
  5452    1 -r--r--r--  1 root     staff         563 Dec 25 14:21:41 astarte A /z/usr/include/pwd.h
  5420    4 -r--r--r--  1 root     staff        3317 Dec 25 14:21:41 astarte A /z/usr/include/signal.h
  6748    1 -r--r--r--  1 root     staff         180 Dec 25 14:21:41 astarte A /z/usr/include/sys/fcntl.h
  6749    6 -r--r--r--  1 root     staff        5298 Dec 25 14:21:41 astarte A /z/usr/include/sys/fcntlcom.h
  6772    5 -r--r--r--  1 root     staff        4890 Dec 25 14:21:41 astarte A /z/usr/include/sys/param.h
  6782    2 -r--r--r--  1 root     staff        1740 Dec 25 14:21:41 astarte A /z/usr/include/sys/resource.h
  6785   12 -r--r--r--  1 root     staff       11873 Dec 25 14:21:41 astarte A /z/usr/include/sys/signal.h
  6790    3 -r--r--r--  1 root     staff        2771 Dec 25 14:21:41 astarte A /z/usr/include/sys/stat.h
  6800    2 -r--r--r--  1 root     staff        1777 Dec 25 14:21:41 astarte A /z/usr/include/sys/time.h
  6832    4 -r--r--r--  1 root     staff        3857 Dec 25 14:21:41 astarte A /z/usr/include/sys/wait.h
  5455    1 -r--r--r--  1 root     staff         553 Dec 25 14:21:41 astarte A /z/usr/include/time.h
 12553    2 -r--r--r--  1 root     staff        1029 Dec 25 14:21:41 astarte A /z/usr/include/vm/faultcode.h
  2412    1 -r--r--r--  1 root     staff         488 Dec 25 14:21:42 astarte A /z/usr/include/arpa/inet.h
  2414    4 -r--r--r--  1 root     staff        3351 Dec 25 14:21:42 astarte A /z/usr/include/arpa/telnet.h
  5391    1 -r--r--r--  1 root     staff         172 Dec 25 14:21:42 astarte A /z/usr/include/errno.h
 18841    5 -r--r--r--  1 root     staff        5057 Dec 25 14:21:42 astarte A /z/usr/include/sun4c/param.h
  6746    5 -r--r--r--  1 root     staff        4990 Dec 25 14:21:42 astarte A /z/usr/include/sys/errno.h
  6752    2 -r--r--r--  1 root     staff        1269 Dec 25 14:21:42 astarte A /z/usr/include/sys/filio.h
  6756    3 -r--r--r--  1 root     staff        2905 Dec 25 14:21:42 astarte A /z/usr/include/sys/ioccom.h
  6757    2 -r--r--r--  1 root     staff        1569 Dec 25 14:21:42 astarte A /z/usr/include/sys/ioctl.h
  6788    4 -r--r--r--  1 root     staff        3886 Dec 25 14:21:42 astarte A /z/usr/include/sys/sockio.h
  6804    7 -r--r--r--  1 root     staff        6970 Dec 25 14:21:42 astarte A /z/usr/include/sys/ttold.h
  6806    2 -r--r--r--  1 root     staff        1299 Dec 25 14:21:42 astarte A /z/usr/include/sys/ttychars.h
  6807    4 -r--r--r--  1 root     staff        3756 Dec 25 14:21:42 astarte A /z/usr/include/sys/ttycom.h
  6808    1 -r--r--r--  1 root     staff         755 Dec 25 14:21:42 astarte A /z/usr/include/sys/ttydev.h
  9515  208 -r-xr-xr-x  1 root     staff      204800 Dec 25 14:21:46 astarte A /z/usr/lib/iropt
  9512  152 -r-xr-xr-x  1 root     staff      147456 Dec 25 14:21:49 astarte A /z/usr/lib/cg
  1125  232 -r-xr-xr-x  1 root     staff      221215 Dec 25 14:21:51 astarte A /z/usr/bin/as
  1127  312 -rwxr-xr-x  1 root     staff      303617 Dec 25 14:21:59 astarte A /z/usr/bin/ld
  9423    2 -rw-r--r--  1 root     staff        1132 Dec 25 14:21:59 astarte A /z/usr/lib/crt0.o
  9415    9 -rw-r--r--  1 root     staff        8478 Dec 25 14:21:59 astarte A /z/usr/lib/libc.sa.1.9.1

"strings" was run on /x/usr_u1/openwin/bin/loadmodule. (probably referenced as /usr/openwin/bin/loadmodule).


  1835    5 -rwxr-xr-x  1 root     staff        4904 Dec 25 14:22:20 astarte A /z/usr/ucb/strings
 83057   24 -rwsr-xr-x  1 root     staff       24576 Dec 25 14:22:20 astarte A /z/x/usr_u1/openwin/bin/loadmodule

Probably searching for something in /usr/kvm/modload with "egrep". Might be the output of a "strings", as "egrep" doesn't work well on binaries; strings would still be cached. Perhaps the intruder is interested in loading a kernel module.


  1101   24 -rwxr-xr-x  1 root     staff       24576 Dec 25 14:22:53 astarte A /z/usr/bin/egrep
 11264   24 -rwxr-xr-x  1 root     staff       24576 Dec 25 14:22:53 astarte A /z/usr/kvm/modload

"env" was run --- perhaps to strip the environment from something, like the backdoor program?


   935    6 -rwxr-xr-x  1 root     staff        5560 Dec 25 14:23:15 astarte A /z/usr/bin/env

"file" was executed.


   105    4 -rw-r--r--  1 root     staff        3292 Dec 25 14:23:26 astarte A /z/export/root/osiris/etc/magic

Some kind of system status command, like "w" or "ps" was executed.


    63  144 -rw-r--r--  1 root     staff      138592 Dec 25 14:24:08 astarte A /z/export/root/osiris/etc/psdatabase

Entry via the back door?


 16156    1 -rw-r--r--  1 root     staff         684 Dec 25 14:24:24 astarte A /z/usr/share/lib/terminfo/u/unknown

In my home directory, /u1/tsutomu, browsing ...


 16048    2 -rw-r--r--  1 tsutomu  g            1265 Dec 25 14:25:57 astarte A /z/u1/tsutomu/sun.stuff
 16518    1 -rw-r--r--  1 tsutomu  g             838 Dec 25 14:28:55 astarte A /z/u1/tsutomu/r.break.again
 16555    5 -rw-r--r--  1 tsutomu  g            5050 Dec 25 14:28:55 astarte A /z/u1/tsutomu/r.break.more
153822   25 -rw-r--r--  2 tsutomu  g           25080 Dec 25 14:29:54 astarte A /z/u1/tsutomu/hack/hackdir/rumors
153822   25 -rw-r--r--  2 tsutomu  g           25080 Dec 25 14:29:54 astarte A /z/u1/tsutomu/hack/rumors

"diff stel.c stelnet.c", or some such, executed.


 22798   51 -rw-r--r--  1 tsutomu  g           51444 Dec 25 14:30:51 astarte A /z/u1/tsutomu/src/stel.c
 22797   51 -rw-r--r--  1 tsutomu  g           51424 Dec 25 14:30:51 astarte A /z/u1/tsutomu/src/stelnet.c
   923   30 -rwxr-xr-x  1 root     staff       29952 Dec 25 14:30:51 astarte A /z/usr/bin/diff

More browsing.


 22730    3 -rw-r--r--  1 tsutomu  g            2798 Dec 25 14:31:23 astarte A /z/u1/tsutomu/src/memtest.c
 22728    1 -rw-r--r--  1 tsutomu  g             141 Dec 25 14:31:35 astarte A /z/u1/tsutomu/src/usemem.c
    57    5 -rw-r--r--  1 root     staff        4202 Dec 25 14:32:28 astarte A /z/export/root/osiris/etc/inetd.conf
   117    1 -rw-r--r--  1 root     staff          10 Dec 25 14:33:04 astarte A /z/export/root/osiris/etc/hosts.deny
  6871    2 -rw-r--r--  2 root     staff        1323 Dec 25 14:33:22 astarte A /z/usr/share/lib/terminfo/v/vs100s
  6871    2 -rw-r--r--  2 root     staff        1323 Dec 25 14:33:22 astarte A /z/usr/share/lib/terminfo/x/xterms

Appears to be fetching a file, making a directory, and untarring the file.


  9511  352 -r-xr-xr-x  1 root     staff      344586 Dec 25 14:34:10 astarte A /z/usr/lib/ccom
  1150    4 -rwxr-xr-x  1 root     staff        3416 Dec 25 14:34:15 astarte A /z/usr/bin/id
    58    2 -rw-r--r--  1 root     staff        1940 Dec 25 14:34:26 astarte A /z/export/root/osiris/etc/services
   940    3 -rwxr-xr-x  1 root     staff        2864 Dec 25 14:36:32 astarte A /z/usr/bin/mkdir
   961  152 -rwxr-xr-x  1 root     staff      147456 Dec 25 14:36:59 astarte A /z/usr/bin/tar

Running a "make".


   924  128 -rwxr-xr-x  1 root     staff      115472 Dec 25 14:37:16 astarte A /z/usr/bin/make
   929    1 -rwxr-xr-x  1 root     staff         164 Dec 25 14:37:17 astarte A /z/usr/bin/mach
   928    1 -rwxr-xr-x  1 root     staff          63 Dec 25 14:37:17 astarte A /z/usr/bin/true
  6833    4 -r--r--r--  1 root     staff        3942 Dec 25 14:37:17 astarte A /z/usr/include/make/default.mk
 11260    1 -rwxr-xr-x  1 root     staff        1010 Dec 25 14:37:17 astarte A /z/usr/kvm/arch

Compiling a program which uses curses, a package for handling screens and cursor movements. This program also cares about stuff having to do with terminal I/O (termio.h).


  7384    6 -r--r--r--  1 root     staff        5180 Dec 25 14:37:18 astarte A /z/usr/5include/stdio.h
  7652    1 -r--r--r--  1 root     staff         224 Dec 25 14:37:18 astarte A /z/usr/5include/sys/fcntl.h
  7376   24 -r--r--r--  1 root     staff       23646 Dec 25 14:37:19 astarte A /z/usr/5include/curses.h
  7386    2 -r--r--r--  1 root     staff        1489 Dec 25 14:37:19 astarte A /z/usr/5include/time.h
  7378    1 -r--r--r--  1 root     staff         513 Dec 25 14:37:19 astarte A /z/usr/5include/unctrl.h
  6799    6 -r--r--r--  1 root     staff        5837 Dec 25 14:37:19 astarte A /z/usr/include/sys/termios.h
  5440    1 lrwxrwxrwx  1 root     wheel          13 Dec 25 14:37:21 astarte A /z/usr/include/stropts.h -> sys/stropts.h
  6792    3 -r--r--r--  1 root     staff        3016 Dec 25 14:37:21 astarte A /z/usr/include/sys/stropts.h
  6813    5 -r--r--r--  1 root     staff        4481 Dec 25 14:37:21 astarte A /z/usr/include/sys/unistd.h
  6820    1 -r--r--r--  1 root     staff         539 Dec 25 14:37:21 astarte A /z/usr/include/sys/varargs.h
  5445    1 lrwxrwxrwx  1 root     wheel          12 Dec 25 14:37:21 astarte A /z/usr/include/unistd.h -> sys/unistd.h
  5446    1 lrwxrwxrwx  1 root     wheel          13 Dec 25 14:37:21 astarte A /z/usr/include/varargs.h -> sys/varargs.h
  6798    1 -r--r--r--  1 root     staff         748 Dec 25 14:37:24 astarte A /z/usr/include/sys/termio.h
  7387    1 lrwxrwxrwx  1 root     wheel          11 Dec 25 14:37:25 astarte A /z/usr/5include/fcntl.h -> sys/fcntl.h
  5444    1 lrwxrwxrwx  1 root     wheel          12 Dec 25 14:37:25 astarte A /z/usr/include/termio.h -> sys/termio.h
   963    1 lrwxrwxrwx  1 root     wheel          14 Dec 25 14:37:27 astarte A /z/usr/bin/cc -> ../lib/compile
  8518    9 -rw-r--r--  1 root     staff        8478 Dec 25 14:37:28 astarte A /z/usr/5lib/libc.sa.2.9.1
  8530  248 -rw-r--r--  3 root     staff      242342 Dec 25 14:37:28 astarte A /z/usr/5lib/libcurses.a
  8530  248 -rw-r--r--  3 root     staff      242342 Dec 25 14:37:28 astarte A /z/usr/5lib/libtermcap.a
  8530  248 -rw-r--r--  3 root     staff      242342 Dec 25 14:37:28 astarte A /z/usr/5lib/libtermlib.a

Compiling a program which appears to be a kernel module, which we soon discover to be "tap". Note invocations of programs for determining kernel architecture, etc.


   930    1 lrwxrwxrwx  1 root     wheel          11 Dec 25 14:38:22 astarte A /z/usr/bin/arch -> ../kvm/arch
   970    1 lrwxrwxrwx  1 root     wheel          12 Dec 25 14:38:22 astarte A /z/usr/bin/sparc -> ../kvm/sparc
   984    1 lrwxrwxrwx  1 root     wheel          12 Dec 25 14:38:22 astarte A /z/usr/bin/sun4c -> ../kvm/sun4c
  6791   17 -r--r--r--  1 root     staff       16716 Dec 25 14:38:22 astarte A /z/usr/include/sys/stream.h
  6815    8 -r--r--r--  1 root     staff        7252 Dec 25 14:38:22 astarte A /z/usr/include/sys/user.h
 11242    1 lrwxrwxrwx  1 root     wheel          11 Dec 25 14:38:22 astarte A /z/usr/kvm/sparc -> ../bin/true
 11254    1 lrwxrwxrwx  1 root     wheel          11 Dec 25 14:38:22 astarte A /z/usr/kvm/sun4c -> ../bin/true
  1854    1 lrwxrwxrwx  1 root     wheel          14 Dec 25 14:38:22 astarte A /z/usr/ucb/cc -> ../lib/compile
 14648    1 lrwxrwxrwx  1 root     wheel           7 Dec 25 14:38:23 astarte A /z/export/root/osiris/lib -> usr/lib
  5447    1 lrwxrwxrwx  1 root     wheel          14 Dec 25 14:38:23 astarte A /z/usr/include/machine -> ../kvm/machine
 16639   10 -r--r--r--  1 root     staff        9966 Dec 25 14:38:23 astarte A /z/usr/include/sun/vddrv.h
 18842    2 -r--r--r--  1 root     staff        1839 Dec 25 14:38:23 astarte A /z/usr/include/sun4c/pcb.h
 18845    7 -r--r--r--  1 root     staff        6763 Dec 25 14:38:23 astarte A /z/usr/include/sun4c/reg.h
  6729    6 -r--r--r--  1 root     staff        5371 Dec 25 14:38:23 astarte A /z/usr/include/sys/audit.h
  6735    2 -r--r--r--  1 root     staff        1216 Dec 25 14:38:23 astarte A /z/usr/include/sys/conf.h
  6747    2 -r--r--r--  1 root     staff        1320 Dec 25 14:38:23 astarte A /z/usr/include/sys/exec.h
  6751    3 -r--r--r--  1 root     staff        2475 Dec 25 14:38:23 astarte A /z/usr/include/sys/file.h
  6761    1 -r--r--r--  1 root     staff         280 Dec 25 14:38:23 astarte A /z/usr/include/sys/label.h
  6776    7 -r--r--r--  1 root     staff        6931 Dec 25 14:38:23 astarte A /z/usr/include/sys/proc.h
  6783    3 -r--r--r--  1 root     staff        2060 Dec 25 14:38:23 astarte A /z/usr/include/sys/session.h
  6810    1 -r--r--r--  1 root     staff         803 Dec 25 14:38:23 astarte A /z/usr/include/sys/ucred.h
 11233    1 lrwxrwxrwx  1 root     wheel          16 Dec 25 14:38:23 astarte A /z/usr/kvm/machine -> ../include/sun4c

A "pwd" somewhere.


   945    3 -rwxr-xr-x  1 root     staff        2128 Dec 25 14:39:12 astarte A /z/usr/bin/pwd

The kernel module is loaded, followed by a "modstat" to verify that it loaded properly and get module info.


  2314    1 lrwxrwxrwx  1 root     wheel          14 Dec 25 14:39:27 astarte A /z/usr/etc/modload -> ../kvm/modload
 14657 1304 -rwxr-xr-x  1 root     wheel     1322027 Dec 25 14:39:30 astarte A /z/export/root/osiris/vmunix
  1136   16 -rwxr-xr-x  1 root     staff       16384 Dec 25 14:39:30 astarte A /z/usr/bin/strip
    14    1 lrwxrwxrwx  1 root     wheel          10 Dec 25 14:39:32 astarte A /z/usr/tmp -> ../var/tmp
  2313   16 -rwxr-xr-x  1 root     staff       16384 Dec 25 14:39:39 astarte A /z/usr/etc/modstat

Create "/dev/tap", presumably to access the kernel module just loaded.


  2294    3 -rwxr-xr-x  1 root     staff        2888 Dec 25 14:40:30 astarte A /z/usr/etc/mknod
 14102    0 crwxrwxrwx  1 root     staff     37,  59 Dec 25 14:40:31 astarte A /z/export/root/osiris/dev/tap
 13384   12 drwxr-sr-x  2 root     staff       11776 Dec 25 14:40:31 astarte M /z/export/root/osiris/dev
 14102    0 crwxrwxrwx  1 root     staff     37,  59 Dec 25 14:40:31 astarte M /z/export/root/osiris/dev/tap

Perhaps running the curses program just compiled?


  8519  552 -rwxr-xr-x  1 root     staff      557056 Dec 25 14:46:42 astarte A /z/usr/5lib/libc.so.2.9.1

Perhaps an attempt to "rlogin" to ariel? It failed.


  2106    0 -r--r--r--  1 root     staff           0 Dec 25 14:51:14 ariel   A /z/etc/hosts.equiv

Intruder appears on Ariel, almost 4 minutes later. Mechanism is unknown --- perhaps has something to do with the "tap" module just loaded? Repeat the same uudecode drill as before, to download and compile a backdoor program.


  2228   16 -rwxr-xr-x  1 root     staff       16384 Dec 25 14:55:10 ariel   A /z/usr/bin/uudecode

Compiling the backdoor telnet program. Note the same headers as above, on Osiris.


 12366    1 -r--r--r--  1 root     staff         563 Dec 25 14:56:16 ariel   A /z/usr/include/pwd.h
 12367    2 -r--r--r--  1 root     staff        1732 Dec 25 14:56:16 ariel   A /z/usr/include/stdio.h
 15432    2 -r--r--r--  1 root     staff        1740 Dec 25 14:56:16 ariel   A /z/usr/include/sys/resource.h
 15436    5 -r--r--r--  1 root     staff        5041 Dec 25 14:56:16 ariel   A /z/usr/include/sys/socket.h
 12305    1 -r--r--r--  1 root     staff         172 Dec 25 14:56:17 ariel   A /z/usr/include/errno.h
 12371    1 lrwxrwxrwx  1 root     wheel          11 Dec 25 14:56:17 ariel   A /z/usr/include/fcntl.h -> sys/fcntl.h
 12361    1 lrwxrwxrwx  1 root     wheel          14 Dec 25 14:56:17 ariel   A /z/usr/include/machine -> ../kvm/machine
 12323    3 -r--r--r--  1 root     staff        2649 Dec 25 14:56:17 ariel   A /z/usr/include/netdb.h
 14346    6 -r--r--r--  1 root     staff        5366 Dec 25 14:56:17 ariel   A /z/usr/include/netinet/in.h
 12334    4 -r--r--r--  1 root     staff        3317 Dec 25 14:56:17 ariel   A /z/usr/include/signal.h
 41048    5 -r--r--r--  1 root     staff        4901 Dec 25 14:56:17 ariel   A /z/usr/include/sun4/param.h
 15396    5 -r--r--r--  1 root     staff        4990 Dec 25 14:56:17 ariel   A /z/usr/include/sys/errno.h
 15398    1 -r--r--r--  1 root     staff         180 Dec 25 14:56:17 ariel   A /z/usr/include/sys/fcntl.h
 15399    6 -r--r--r--  1 root     staff        5298 Dec 25 14:56:17 ariel   A /z/usr/include/sys/fcntlcom.h
 15422    5 -r--r--r--  1 root     staff        4890 Dec 25 14:56:17 ariel   A /z/usr/include/sys/param.h
 15435   12 -r--r--r--  1 root     staff       11873 Dec 25 14:56:17 ariel   A /z/usr/include/sys/signal.h
 15482    4 -r--r--r--  1 root     staff        3857 Dec 25 14:56:17 ariel   A /z/usr/include/sys/wait.h
 28705    2 -r--r--r--  1 root     staff        1029 Dec 25 14:56:17 ariel   A /z/usr/include/vm/faultcode.h
 35881    1 lrwxrwxrwx  1 root     wheel          15 Dec 25 14:56:17 ariel   A /z/usr/kvm/machine -> ../include/sun4
 53274    1 -r--r--r--  1 root     staff         488 Dec 25 14:56:18 ariel   A /z/usr/include/arpa/inet.h
 53276    4 -r--r--r--  1 root     staff        3351 Dec 25 14:56:18 ariel   A /z/usr/include/arpa/telnet.h
 15402    2 -r--r--r--  1 root     staff        1269 Dec 25 14:56:18 ariel   A /z/usr/include/sys/filio.h
 15406    3 -r--r--r--  1 root     staff        2905 Dec 25 14:56:18 ariel   A /z/usr/include/sys/ioccom.h
 15407    2 -r--r--r--  1 root     staff        1569 Dec 25 14:56:18 ariel   A /z/usr/include/sys/ioctl.h
 15438    4 -r--r--r--  1 root     staff        3886 Dec 25 14:56:18 ariel   A /z/usr/include/sys/sockio.h
 15454    7 -r--r--r--  1 root     staff        6970 Dec 25 14:56:18 ariel   A /z/usr/include/sys/ttold.h
 15456    2 -r--r--r--  1 root     staff        1299 Dec 25 14:56:18 ariel   A /z/usr/include/sys/ttychars.h
 15457    4 -r--r--r--  1 root     staff        3756 Dec 25 14:56:18 ariel   A /z/usr/include/sys/ttycom.h
 15458    1 -r--r--r--  1 root     staff         755 Dec 25 14:56:18 ariel   A /z/usr/include/sys/ttydev.h
 69771  208 -r-xr-xr-x  1 root     staff      204800 Dec 25 14:56:20 ariel   A /z/usr/lib/iropt
 69768  152 -r-xr-xr-x  1 root     staff      147456 Dec 25 14:56:23 ariel   A /z/usr/lib/cg

Probably checking to see where stuff is being logged to.


  2119    2 -rw-r--r--  1 root     staff        1805 Dec 25 15:00:33 ariel   A /z/etc/syslog.conf

Appears to be compiling a program for modifying file access/modification/creation times. Inferred from the header files accessed.


 12337    2 -r--r--r--  1 root     staff        1068 Dec 25 15:05:08 ariel   A /z/usr/include/string.h
 15440    3 -r--r--r--  1 root     staff        2771 Dec 25 15:05:08 ariel   A /z/usr/include/sys/stat.h
 15439    2 -r--r--r--  1 root     staff        1163 Dec 25 15:05:08 ariel   A /z/usr/include/sys/stdtypes.h
 15446    1 -r--r--r--  1 root     staff         399 Dec 25 15:05:08 ariel   A /z/usr/include/sys/sysmacros.h
 15450    2 -r--r--r--  1 root     staff        1777 Dec 25 15:05:08 ariel   A /z/usr/include/sys/time.h
 15459    3 -r--r--r--  1 root     staff        2979 Dec 25 15:05:08 ariel   A /z/usr/include/sys/types.h
 12369    1 -r--r--r--  1 root     staff         553 Dec 25 15:05:08 ariel   A /z/usr/include/time.h

Presumably tweaking access/modification times on something.


 41005   16 -rwxr-xr-x  1 root     staff       16384 Dec 25 15:08:50 ariel   A /z/usr/5bin/touch
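The time tweaking described above, as an added Python example that is not part of the evidence or of Tsutomu's notes: it sets atime and mtime through utime(2), the same call touch uses, and then reads all three timestamps back. The point a forensic analyst wants to see is that the inode change time (ctime) cannot be set from user space, and the utime call itself bumps it to the current clock, which is why a ctime newer than the mtime is a useful lead on a file whose times look innocent. The BACKDATE value and the temporary file are constructed for the example; the check in looks_stomped is my own heuristic.

```python
import os
import tempfile
import time

# Constructed target time for the demonstration: 1994-12-25 14:00:00 UTC as seconds
# since the epoch. Not taken from the evidence.
BACKDATE = 788364000


def stomp(path: str, when: int) -> dict:
    """Set atime and mtime to `when` (what touch/utimes does) and return the three
    timestamps afterwards. ctime is not an input: the kernel sets it to now."""
    os.utime(path, (when, when))
    st = os.stat(path)
    return {"atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime}


def looks_stomped(path: str) -> bool:
    """Forensic lead, not proof: a ctime later than the mtime means the inode was
    touched after the last content write. utimes(), chmod, chown and link() all
    leave this trace, so it narrows a search rather than settling it."""
    st = os.stat(path)
    return st.st_ctime > st.st_mtime + 1


def demo() -> dict:
    """Create a file, back-date it, and report what stat(2) shows afterwards."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"constructed sample content\n")
        os.close(fd)
        before = time.time()                 # wall clock just before the stomp
        times = stomp(path, BACKDATE)
        return {"when": BACKDATE, "before": before, "times": times,
                "flagged": looks_stomped(path)}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    r = demo()
    for k, v in r["times"].items():
        print(f"{k}: {time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(v))}")
    print("ctime newer than mtime:", r["flagged"])
```

The printed atime and mtime read December 1994, while ctime reads the moment the script ran. A listing like the one on this page that sorts by all three timestamps, rather than by mtime alone, is what makes this kind of tweaking visible.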

New junk mail received. (unrelated to the attack).


  4969 3728 -rw--w----  1 tsutomu  daemon    3806752 Dec 25 15:10:22 ariel   C /z/u1/tsutomu/etc/ts.mail

Browsing my files on Ariel ...


 64358    1 -rw-r--r--  1 tsutomu  g             669 Dec 25 15:14:53 ariel   C /z/u1/tsutomu/security/FILE-FORMAT
 64359    1 -rw-r--r--  1 tsutomu  g             136 Dec 25 15:14:53 ariel   C /z/u1/tsutomu/security/README
 64360   39 -rw-r--r--  1 tsutomu  g           39182 Dec 25 15:14:53 ariel   C /z/u1/tsutomu/security/christmas.exec
 64361   38 -rw-r--r--  1 tsutomu  g           38331 Dec 25 15:14:53 ariel   C /z/u1/tsutomu/security/epidemic-control


Copyright © 1995 Vicious Fishes Web Design and Dan Meriwether. All rights reserved.
Contact: webmaster@takedown.com