################################################ # # # ## ## ###### ####### ## ## ## ## ## # # ## ## ## ## ## ### ## ## ## ## # # ## ## ## ## #### ## ## ## ## # # ## ## ###### ###### ## ## ## ## ### # # ## ## ## ## ## #### ## ## ## # # ## ## ## ## ## ## ### ## ## ## # # ####### ###### ####### ## ## ## ## ## # # # ################################################ The following paper was originally published in the Proceedings of the Fourth USENIX UNIX Security Symposium Santa Clara, California, October 4-6 1993. For more information about USENIX Association contact: 1. Phone: 510 528-8649 2. FAX: 510 548-5738 3. Email: office@usenix.org 4. WWW URL: https://www.usenix.org The Persistent Hacker: An Intruder Attacks A New Internet Host Eduardo Rodr'iguez Jos'e M. Piquer erodrigu@dcc.uchile.cl jpiquer@dcc.uchile.cl Departamento Ciencias de la Computaci'on, Universidad de Chile. Blanco Encalada 2120 Santiago, Chile. August 14, 1993 Abstract As newcomers to the Internet, network security was considered a minor problem in the whole set of services and programs that we enjoyed setting up: the primary name server for Chile, the main news feed (almost full) for the country, the local workstation network design, to mention just a few. Moreover, even if we heard a lot of stories about the activities of hackers in the Internet, they all seemed far away from our country, surrounded by mountains and the sea at the end of the world. And our computers are mainly used by students and professors in a supposedly secure academic environment. Our confidence was completely misplaced. In this paper, we describe the activities of a hacker in our hosts during the last few months of 1992 and the beginning of 1993, and the conclusions and experiences he (she, them?) left us with. This was our first serious hacker problem, with an intruder that had only two powerful weapons: time and patience. We named that hacker "Morgan", because the Chilean coasts were devastated more than two centuries ago by an English pirate of that name when our country was a Spanish colony (nothing personal against England :-) He entered the campus network from many sites (always hacked sites) and from here to other hosts in many other countries. During the time he was our uninvited guest, he showed perseverance and regularity in his procedure. Based on that, we can affirm that he used the same method to attack other hosts. We obtained evidence of this from only one other host, located in Europe. In general, system administrators don't like to talk about their security problems. This paper has two authors, however it is a report of the work of the whole system administration staff of the Department of Computer Science. 1 1 Introduction This paper is intended to present a detailed trace of a hacker's behavior. We were alerted by European friends that our machines were probably being used by an intruder in December 1992. To our surprise, we found out that he had entered all of our machines, and that he was our guest for three months with root access! At this moment, we realized that our lack of concern for security was a big mistake, and we began to monitor the hacker, to learn his ways and to find out how he managed to enter our machines. This paper is divided as follows: Section 1 presents a brief history of our department. Section 2 shows how Morgan enters a machine and how he gets root access. Section 3 describes what he does after obtaining root access. Section 4 tries to figure out Morgan's objectives. Section 5 details our procedures and traps set up to track our hacker. Finally, section 6 presents some conclusions. 2 History In 1985, the Department of Computer Science of the University of Chile established an experimental UUCP network, using slow modems and phone lines, linking together three Unix systems from different Universities. Very quickly a connection to the international UUCP network became an important goal. A test period (during 1986) with an X.25 connection to inria in France, and to seismo in the USA ended when we started using Telebit Trailblazers to call long distance to uunet. At that time, we registered the Chilean top level domain (.CL), and decided since the beginning to use a domain name system. This Chilean UUCP network slowly grew as more Universities, companies and private individuals joined it (with currently more than 50 nodes), but its growth was stunted by the high cost of international telephone communications. In 1992 Chile joined the Internet through two dedicated 56Kbps satellite links. Our department was deeply involved in the technical issues surrounding this connection, setting up most of the initial TCP/IP services in Chile: mail, news, and the primary nameserver. Security was our last concern. As of may 1993, the whole (Internet and UUCP) top-level domain includes 844 nodes and 32 direct sub-domains. 2 3 Arriving to Port The first thing Morgan did, was to obtain the password of one of the users of our host, presumibly the password of one of our professors doing postgraduate studies in the USA or Europe (at that time, the Department of Computer Science had more than half a dozen professors studying abroad). He entered the system at hours of low activity or when nobody was around (primarily at night or in the weekends). He placed trojan horse commands throughout the system that recorded the password of the root superuser. The most common trojan horse was the su command implemented as a Bourne shell that records the username and password in a hidden file, and executes the real /usr/bin/su after that. He placed the su trojan horse in user's directories, usually the $HOME/bin, that in most cases is in the $PATH variable. It is very difficult to detect the trojan horse unless one lists the files in $HOME/bin. If the program successfully obtained the root password of the system, it recorded it in a file (usually $HOME/bin/.exrc) and deleted itself. Afterwards, Morgan had only to check if the $HOME/bin/.exrc files of a hacked user exists to knew if he had root password. We didn't log connections at that time, and due to this we could not tell how many times he connected by day, how much time he spent in each connection, how many accounts he had hacked and used before obtaining the root password, nor could we tell, most importantly, where he came from. We saw later, when we followed Morgan's steps that he always used hacked hosts to attack us. It is strange, assuming he is an experienced hacker, that Morgan used trojan horse commands to obtain the root password instead of trying to crack the /etc/passwd file using a program that tests for the most common passwords (from a dictionary) using the crypt() subroutine [1]. This procedure is far more secure if he doesn't want to be discovered. However, once he obtained the root password, it was almost impossible to detect him from inside the system. We present here the code of the hacked su that he used in a host in France, we presume that he used it in our machines too. Note that he used a very structured bourne shell program (the $ACCT variable), like a Pascal fan instead of a C hacker: 3 #! /bin/sh LOG="$HOME/bin/.exrc" SU="$HOME/bin/su" if [ -n "$1" ]; then ACCT="$1" else ACCT="root" fi if [ "root" = "$ACCT" ]; then trap "exit" 2 3 echo -n "Password:" stty -echo read PASS stty echo echo echo "Sorry" if [ -w $LOG ]; then echo "`hostname` / $PASS" >>$LOG fi if [ -w "$SU" ]; then /bin/rm -f $SU fi else exec /bin/su $1 fi 4 Sailing and Attacking Once Morgan had the root password, he replaced the /usr/ucb/telnet and /bin/login for hacked versions of the same programs: o telnet The hacked version of telnet recorded all the characters typed and received during telnet sessions from the host in some log files (one per each session) in a hidden directory of the system (specially created by Morgan). As a lot of data is often transfered in a telnet session, the hacked telnet stores a maximum of 5 kilobytes per log file. In our system, he created the directory /usr/lib/fonts/tekfonts/. / (note that he used a directory "dot-space" to hide it) and inside it, the log files had the format .f%05d (using a C printf like notation). This is a ls -la command on that directory, but note that he used the dot in the name of the files to hide it. 4 [usr/lib/fonts/tekfonts/. /] ls -la total 36 drwxrwsrwx 2 root 512 Jan 26 1993 ./ drwxrwsrwx 3 bin 512 Jun 3 16:15 ../ -rw-r--r-- 1 mcatalan 1487 Jan 26 1993 .f00865 -rw-r--r-- 1 isilva 2240 Jan 26 1993 .f01064 -rw-r--r-- 1 erodrigu 2110 Jan 26 1993 .f01362 -rw-r--r-- 1 cabarca 855 Jan 26 1993 .f02115 -rw-r--r-- 1 mtorres 2446 Jan 26 1993 .f02165 -rw-r--r-- 1 mtorres 323 Jan 26 1993 .f04264 -rwxr-xr-x 1 root 24576 Dec 5 1992 tekfont4* -rw-rw-rw- 1 root 0 Jan 14 1993 tekfont5 The file tekfont4 was an executable that allowed him to collect the relevant information from the log files: the hosts, the user name and the password used of all the log files present in the directory; the tekfont5 file, if present, tells the bogus telnet that it must collect the log files. That last file could be used to stop the recording when he liked. In one of our computers he deleted the tekfont5 file used, because of lack of space and interest. On that computer there are many terminals in public rooms, so the administrator creates some accounts that execute a /usr/ucb/telnet to other local hosts, so that the users of another computers, with no access to that host, could connect remotely (as a terminal server). The number of log files grew so much with local user connections, that it soon became unusable to him.So he turned off the recording. About that time, the system administrator had space problem in a partition that never reported space problems (it was not used to write). He solved it by deleting some unused files and forgot about it. o login The hacked version of login was installed to accept him as superuser with one special string as password, indepen- dently of the real root password of the system (Morgan used 1803^fnab). At this point, he could obtain root access even if we changed the root password. Also, each time he connected as root,using his own password (granted by the hacked login) there were no registration of the entry in the usual files of the system, so the last, who, and other commands that inform one about the users currently connected didn't show him. The only way you could see him was by using the ps command. Both modified files (login and telnet) kept the same time of last modification, and size of the originals, but we could easily see that they were hacked by simply using the strings UNIX command. The telnet program contains the name of the direc- tory where the logs were kept and the login program contains the special root password that Morgan used, which could not be completely seen (just the numerical string 1803). One site in England reported that the strings command was also hacked on their site. 5 5 The Treasure We don't know yet what was the main goal of the intruder. He didn't do anything else. He just collected more and more passwords and hosts through the hacked telnet. He repeated always the Arriving to Port and Sailing and Attacking procedures, and in our hosts, during the time we were monitoring his activities, he didn't examine mailboxes nor did he list processes to see if we knew of his presence. Besides, it is doubtful he knows Spanish which makes reading the mailboxes difficult. Was he collecting a dictionary of passwords? Possibly. The consistency of his method, and his persistence in trying to access more hosts and obtain more passwords make this possible. Was he trying to prove his capacity to be superuser in as many machines as he could? He never compromised the functionality of the system, and we didn't detect him until we were warned. He used us, it's true,as a bridge to other machines and that could be a good reason to keep us undamaged. What could he gain? Experience? We don't think so. Knowledge? A bit. Personal satisfaction? Perhaps. It may be the best reason. 6 Analizing the Procedures of Morgan Morgan used patience and time as a powerful weapon to attack our hosts. Obtaining access to some hosts can be easy (depending, of course, on the type of host: .edu, .com, .mil, etc) but obtaining superuser access is not simple. Morgan could be more than one person, and he must have a log of all his connections, organized, filtered and methodically reviewed. [2] We know that he attacked hosts in USA, Scotland, France, Italy, Germany, Australia, Chile, and presumibly more countries, breaking laws in several. The CERT (Computer Emergency Response Team) was informed of the intruder's activities, the hosts he broke into, and the hosts where the attacks to our machines came from (all of them hacked, as we could test by entering them with Morgan's password). From the moment we were alerted of his presence, we decided to monitor his activities, trying to keep system modifications to a minimum (not introducing new suspicious daemons, not changing the configuration of our machines, etc). We only talked about Morgan vocally, never by e-mail. Each day, we revised all the log files collected by the hacked telnet and deleted the files that could provide him more information. We supplied him with a lot of innocuous telnet logs. One of the methods used to monitor him was modifying the Morgan's tekfont4 program used to collect information in the host. We found the source code on a host and we modified it to obtain the IP number of the host Morgan connected from (the executable once replaced had the same size and modification time as Morgan's original). We also modified a function of the shared libraries of the system to obtain the string used by Morgan as root password. 6 We kept all the information collected about Morgan on a new workstation that was physically disconnected from the network and was not in the nameserver. As a result of the revision of the log files of the telnet, we discovered a group of local hackers that had root access to one of our neighbour's machines, using a set-uid executable that waited for a special password that only they, and we, knew. We later informed the system administrator. We always hoped to trace Morgan back, to discover his iden- tity, but we couldn't for many reasons (technical, legal, political, etc.) and so we just used the experience to learn how to protect ourselves. In March, 1993, we cleaned all of our machines, and alerted all the hosts that knew of our monitoring that we were closing the doors. In August, 1993, we learned that the FBI in the USA, and Interpol in France began investigating the case. 7 Conclusions Clearly, Morgan showed us that one doesn't need to be an expert system administrator, nor a great programmer to obtain the root password of a system. Most of all, the simplicity of the method used by Morgan is surprising. Obviously, for the time spent, for the modifications done in the system, and for the number of hosts compromised, he must have a reasonable level of knowledge of the systems. Most hackers, including Morgan, dedicate many man-hours (man-days!?) to their work [3 ]. The hacker not only tries to hide his activities, but also collects, organizes, filters and reviews the information obtained. The system administrator must not only maintain a secure system against the hacker's attacks but also must try to maintain a relatively unrestricted environ- ment in which the users can accomplish their work efficiently. A good system configuration, as defined by the balance between security and efficiency, is the most important task of a system administrator. Unfortunately for the system administrator, the Unix operating system has evolved to be an incredibly complex system, filled with little known features and bugs. Experts on security readily admit that it is much more difficult to main- tain a complicated evolving system secure than it is to maintain a simple stable system secure. It is very difficult for systems administrators to keep themselves up to date on the current se- curity problems in Unix, and just the fact that they must keep themselves up to date indicates a time lag in which their systems are vulnerable to more up-to-date hackers. 7 Acknowledgements William Contreras and Eduardo Mercader, member os the administration staff, and especially Chris Perleberg for his suggestions and corrections. References [1] Alec D. E. Muffett "A Sensible Password Checker," Docu- mentation of Crack Version 4.1, available via anonymous ftp. [2] Cliff Stoll, "The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage. Pocket Books, New York, 1990 [3] Bill Cheswick, "An Evening with Berferd In Which a Cracker is Lured, Endured, and Studied" Procedures USENIX - Winter 1992 8