
Issue with parser to detect bind/reverse shells. Please advise.

Question asked by RSA Admin Employee on Aug 26, 2013
Latest reply on Aug 28, 2013 by RSA Admin

Hello all, I was hoping someone could point out what I'm doing wrong here. The parser below does seem to match on the bash_shell token name, but not on the rest, even though the values are clearly in the packets.

IP 192.168.1.19.13377 > 192.168.1.17.52172: Flags [P.], seq 666:690, ack 17, win 91, options [nop,nop,TS val 911716 ecr 1343276283], length 24

E..L..@.@...........4A...'....@?...[H[.....

.dP...root@ubuntu:/usr/_gtW_#

IP 192.168.1.19.13377 > 192.168.1.17.52172: Flags [P.], seq 627:666, ack 17, win 91, options [nop,nop,TS val 911716 ecr 1343276282], length 39

E..[..@.@...........4A...'....@?...[.......

.dP...uid=0(root) gid=0(root)

It does, however, match on the bash-shell token and bash-shell match:

IP 192.168.1.19.13377 > 192.168.1.17.52172: Flags [P.], seq 565:600, ack 14, win 91, options [nop,nop,TS val 910924 ecr 1343273116], length 35

E..W.{@.@...........4A...'.K..@<...[.f.....

.LP...bash: no job control in

Below is the parser, and I've attached the pcap.

<?xml version="1.0" encoding="utf-8"?>
<parsers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="C:\Program Files\NetWitness\NetWitness 9.0\Investigator\parsers\parsers.xsd">

  <!--
  Parser created by dniz0r@gmail.com on 8/26/2013
  Last update:
  Discussion:
  Attempts to detect rootshell in the TCP stream. kbeast rootkit was used in order to create this parser

  Keys required by this parser:

  <key description="Risk: Warning" format="Text" level="IndexValues" name="risk.warning" valueMax="1000"/>
  -->

  <parser name="bash_shell" desc="bash_shell">

    <declaration>
      <!-- meta key that the matches below register their values into -->
      <meta format="Text" key="risk.warning" name="warning"/>

      <!-- tokens that trigger the matches; every attribute value must be quoted or the XML will not load -->
      <token name="bash-shell" value="bash:"/>
      <token name="root-shell" value="&#x72;&#x6F;&#x6F;&#x74;&#x40;"/> <!-- root@ -->
      <token name="uid" value="uid="/>
      <number name="temp_offset"/>
    </declaration>

    <!-- "bash: no job control in this shell" banner -->
    <match name="bash-shell">
      <find length="30" name="temp_offset" value="no job control in">
        <register name="warning" value="bash_shell"/>
      </find>
    </match>

    <!-- "root@host:/path#" prompt -->
    <match name="root-shell">
      <find length="60" name="temp_offset" value="&#x23;"> <!-- # -->
        <register name="warning" value="root_shell"/>
      </find>
    </match>

    <!-- "uid=0(root) gid=0(root)" output of id -->
    <match name="uid">
      <find length="60" name="temp_offset" value="gid=">
        <register name="warning" value="root_shell"/>
      </find>
    </match>

  </parser>

</parsers>
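As an added illustration (not the poster's code and not NetWitness's engine), the script below first loads a parser definition with Python's standard XML parser, which is the quickest way to catch a definition that is not well-formed (the `uid` token line as originally posted in the question, `name=uid"`, has an unbalanced quote and fails that check), and then applies a simplified model of the token/find/register semantics to payloads reconstructed from the tcpdump lines quoted above. The model is an assumption: a `<token>` fires wherever its value occurs in the payload, and the enclosing `<find>` succeeds when its value occurs within `length` bytes after the end of that token. The payloads are constructed sample data, not the attached pcap.

```python
"""Offline check of a NetWitness-style token/find/register parser.

Assumed semantics (not NetWitness's own implementation): a <token> fires
when its value occurs in the payload; the <find> under the matching
<match> succeeds when its value occurs within `length` bytes after the
end of the token; the nested <register> then records meta.
"""
import xml.etree.ElementTree as ET

# Well-formed copy of the parser from the question (schema attributes dropped).
PARSER_XML = """
<parsers>
  <parser name="bash_shell" desc="bash_shell">
    <declaration>
      <meta format="Text" key="risk.warning" name="warning"/>
      <token name="bash-shell" value="bash:"/>
      <token name="root-shell" value="&#x72;&#x6F;&#x6F;&#x74;&#x40;"/>
      <token name="uid" value="uid="/>
      <number name="temp_offset"/>
    </declaration>
    <match name="bash-shell">
      <find length="30" name="temp_offset" value="no job control in">
        <register name="warning" value="bash_shell"/>
      </find>
    </match>
    <match name="root-shell">
      <find length="60" name="temp_offset" value="&#x23;">
        <register name="warning" value="root_shell"/>
      </find>
    </match>
    <match name="uid">
      <find length="60" name="temp_offset" value="gid=">
        <register name="warning" value="root_shell"/>
      </find>
    </match>
  </parser>
</parsers>
"""

# The uid token line as it appeared in the original post: the opening quote
# of the name attribute is missing, so the whole document is not well-formed.
MALFORMED_TOKEN_LINE = '<token name=uid" value="uid=" />'

# Constructed payloads based on the tcpdump -A lines in the question.
PAYLOADS = {
    "bash_banner": b"bash: no job control in this shell\n",
    "prompt": b"root@ubuntu:/usr/_gtW_# ",
    "id_output": b"uid=0(root) gid=0(root)\n",
}


def is_well_formed(xml_text):
    """True if the XML parses; a parser file that fails here never loads."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def load_rules(xml_text):
    """Flatten the definition into (token, find_value, length, meta_key, meta_value) tuples."""
    root = ET.fromstring(xml_text)
    rules = []
    for parser in root.iter("parser"):
        # Character references such as &#x72; are decoded by ElementTree.
        tokens = {t.get("name"): t.get("value").encode()
                  for t in parser.find("declaration").iter("token")}
        for match in parser.iter("match"):
            token = tokens[match.get("name")]
            for find in match.iter("find"):
                reg = find.find("register")
                rules.append((token, find.get("value").encode(),
                              int(find.get("length")),
                              reg.get("name"), reg.get("value")))
    return rules


def scan(payload, rules):
    """Return the (meta_key, meta_value) pairs the rules would register for one payload."""
    hits = []
    for token, needle, length, key, value in rules:
        pos = payload.find(token)
        if pos < 0:
            continue
        start = pos + len(token)
        if needle in payload[start:start + length]:
            hits.append((key, value))
    return hits


if __name__ == "__main__":
    print("original uid line well-formed:", is_well_formed(MALFORMED_TOKEN_LINE))
    rules = load_rules(PARSER_XML)
    for name, payload in PAYLOADS.items():
        print(f"{name:12s} -> {scan(payload, rules)}")
```

Run it as-is to see which payloads register which `warning` value under the assumed semantics; if the definition file you are about to load fails `is_well_formed`, fix the XML before looking for logic problems in the matches.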
