++++++++++++++++++++++++++++++++++++++++++++++++++++
1. Which exploit(s) were used to attack the system? +
++++++++++++++++++++++++++++++++++++++++++++++++++++

The attacker used a combination of the RDS exploit (MS99-025) and UNICODE attacks to successfully compromise the system.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2. How were the exploits used to access and control the system? +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

RDS Exploit

The attacker was able to access different command line utilities with this exploit. He/she was able to create files on the system, FTP files to the system, and run various other commands. The attacker used RFP's PERL script for this technique. In the end the attacker was able to make the users IUSR_KENNY and IWAM_KENNY administrators of the system.

UNICODE Exploit

The attacker used the UNICODE representation of "/", "%C0%AF", to traverse the directory structure of the web server. With this technique the attacker was able to create files, view files and run commands.

+++++++++++++++++++++++++++++++++++++++++
3. What was done once access was gained? +
+++++++++++++++++++++++++++++++++++++++++

Once the attacker was able to get a remote console on the system via netcat (listening), he/she did the following:

1. Looked through the directories:

   C:\
   C:\exploits
   C:\exploits\microsoft
   C:\exploits\newfiles
   C:\exploits\unix
   C:\exploits\unix\sunos-exploits
   C:\exploits\unix\tcp-exploits
   C:\Program Files
   C:\Program Files\Common Files
   C:\Program Files\Common Files\Microsoft Shared
   C:\Program Files\Common Files\ODBC
   C:\Program Files\Common Files\ODBC\Data Sources
   C:\Program Files\Common Files\System
   C:\Program Files\Common Files\System\msadc
   C:\Program Files\Outlook Express
   C:\WINNT
   C:\WINNT\repair
   C:\wiretrip
   C:\InetPub
   C:\InetPub\wwwroot
   C:\TEMP

2. Made the users IUSR_KENNY and IWAM_KENNY part of the "administrators" local group.

3. Found out that the system was a honeypot and created files letting RFP know this.

4. FTP'd files off the system.

5. Looked at some source code.

+++++++++++++++++++++++++++++++++++++++++
4. How could this attack have been prevented? +
+++++++++++++++++++++++++++++++++++++++++

To remove the RDS exploit the system admin could follow what Microsoft has recommended at "http://www.microsoft.com/technet/security/bulletin/fq99-025.asp". The RDS exploit could also have been prevented by getting rid of the "msadc" directory link in IIS. Just to make sure, I would also remove msadcs.dll. This would only work if you did not need the RDS services.

To remove the UNICODE directory traversal vulnerability the system admin could install the patches that accompany the MS00-57 advisory.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
5. How much time did you spend on this analysis and writeup? +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

About 10-16 hours. I know, it's pathetic. I have never used snort before, so I had some trouble getting snort to read the log file. When I got it in a format that I could handle I manually searched through the ASCII decode of the application layer data. Because the attacker was doing the same stuff over and over again, I was checking the timestamps to make sure that the attacker was really doing this.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Bonus Question: +
Do you feel that the attacker in question knew if this was a honeypot? If so, why or why not? +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Yes, the attacker knew that this was a honeypot. He lets RFP know when he writes to the file "C:\rfp.txt". The file contains the following text:

   best honeypot i've seen till now :)

The attacker also posts the following text to his guestbook:

   hey how ya doin rfp..like the skins.. especially natural..oh and grats on getting hacked hehe oops+you won't sue right? it worked hehe.. oh the evil i see ]:))

The attacker had problems deleting files and adding user accounts. The server was behaving in such a way as to only let certain things be done to it. It really blew away the attacker when he/she was not able to get to the web pages via a browser from a particular IP address. Plus, why would RFP have a server vulnerable to an exploit that he not only has a writeup for but a PERL script as well? All this, and the fact that RFP is part of the Honeynet Project.
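The two exploits in questions 2 and 4 both leave a clear footprint in the IIS request log: RDS abuse shows up as requests to /msadc/msadcs.dll, and the UNICODE traversal shows up as an overlong UTF-8 encoding of "/" (%C0%AF) or "\" (%C1%9C) that a strict decoder would reject but the server accepted. The script below is an added example, not part of the original writeup or of any tool it mentions. It percent-decodes each request path, flags overlong two-byte sequences, canonicalizes them the way a lenient decoder does so the reviewer sees the path the server actually acted on, and tags msadcs.dll requests. The log lines, IP addresses and timestamps are constructed for the example; the field order assumes the W3C extended format (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).

```python
"""Added example: review IIS-style log lines for overlong UTF-8 traversal
and RDS (msadcs.dll) requests. Sample log lines are constructed."""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample, W3C extended fields:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2000-11-07 10:01:02 10.0.0.5 GET /index.html - 200
2000-11-07 10:01:09 10.0.0.5 GET /msadc/msadcs.dll - 200
2000-11-07 10:01:15 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2000-11-07 10:01:20 10.0.0.5 GET /scripts/..%c1%9c../winnt/win.ini - 200
2000-11-07 10:01:30 10.0.0.5 GET /scripts/..%2f..%2fwinnt/win.ini - 404
2000-11-07 10:02:00 10.0.0.7 GET /images/logo.gif - 200
"""

# A two-byte UTF-8 sequence whose lead byte is 0xC0 or 0xC1 is always
# overlong: it encodes a code point below 0x80 that should have been a
# single ASCII byte. Strict decoders reject it; the vulnerable server did not.
OVERLONG_2BYTE = re.compile(rb"[\xC0\xC1][\x80-\xBF]")


def canonicalize(raw: bytes) -> str:
    """Decode the request path the way a lenient decoder would, mapping
    overlong two-byte forms to the ASCII character they hide
    (0xC0 0xAF -> '/', 0xC1 0x9C -> '\\'). Other bytes pass through one-to-one."""
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def analyze_line(line: str):
    """Return a finding dict for a suspicious request, or None."""
    fields = line.split()
    if len(fields) < 7:
        return None
    date, time, client, method, stem, query, status = fields[:7]
    raw = unquote_to_bytes(stem)          # percent-decode without assuming valid UTF-8
    canonical = canonicalize(raw)
    tags = []
    if OVERLONG_2BYTE.search(raw):
        tags.append("overlong-utf8")
    # Compare on the canonical form so '..%c0%af' and '..%2f' are caught alike.
    if "../" in canonical.replace("\\", "/"):
        tags.append("traversal")
    if canonical.lower().startswith("/msadc/msadcs.dll"):
        tags.append("rds-msadcs")
    if not tags:
        return None
    return {"time": f"{date} {time}", "client": client, "status": status,
            "requested": stem, "canonical": canonical, "tags": tags}


def scan_log(text: str):
    """Run analyze_line over every line and keep the findings, in log order."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['client']} {finding['status']} "
              f"{','.join(finding['tags'])}  {finding['requested']}  ->  {finding['canonical']}")
```

The status column matters when reading the output: a traversal request that returned 200 means the server served something outside the web root, while the plain %2f variant returning 404 shows the normal decoder already blocked it, which is exactly the gap the overlong encoding exploited. After applying the MS00-57 patches, the same scan should show the overlong requests failing as well.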