From sheila.bamberg@tecstar.com Tue Aug 21 12:36:51 2001
Date: Fri, 20 Jul 2001 14:06:51 -0700
From: sheila.bamberg@tecstar.com
To: project@honeynet.org
Subject: Scan 17

To Whom It May Concern:

1. What trends did you identify?

For trend analysis, the firewall log provided the best data in a very easily readable form. Just by looking at the darn thing, one can quickly scan the log for the type of connection made. A quick scan indicated a lot of ftp and rpc activity. I'll bet Red Hat released some kind of security vulnerability warning related to ftp and rpc.

2. What does this activity tell us about the blackhat community?

In my opinion, the blackhat community has the best telecommunication system in the world. It's not the telegraph or telephone, but "tell a friend" who tells two friends, who tell two friends and so on and so on ........

In addition, the blackhats take advantage of every publicly announced security alert. If I were a blackhat, I would be on every mailing list and automate my browser to notify me of the latest security update, just to name a few.

From the Honeypot analysis:

On November 7, 2000, a Red Hat Linux 6.2 server belonging to honeyp.edu was compromised. Analysis of the system confirms the attacker broke in through the rpc.statd daemon, a Network File System service. This vulnerability was made public July 16, 2000 and CERT released an Advisory about the issue on August 18, 2000:
http://www.cert.org/advisories/CA-2000-17.html

The time from public announcement to a successful attack was approximately 1 month. It appears that it doesn't take very long to develop and deploy a new exploit. Heed the warnings. The bad news is, as an administrator, you will not have much time to secure your network. The good news is you do have time.

3. What if anything happened in the firewall and IDS logs that gave us a clue of what was coming? Could any of the attacks have been predicted ahead of time? If so, how?

Both the firewall and IDS logs had more ftp and rpc words than Swiss cheese has holes. The attacks that can be predicted are based on publicly announced vulnerabilities. The clock starts ticking.

4. What data did you find more valuable, the Snort alerts or the firewall logs of unique scans? Why?

For the trend analysis, the firewall log was better than the Snort alerts. The firewall log did not overwhelm me with data and therefore I could easily scan for recurring words. However, the Snort alerts captured the intrusion. Without Snort, I believe the intrusion would have gone undetected. The firewall log clearly did not indicate any kind of intrusion. The intrusion is identified by the following line:

Nov 4 22:30:41 ids snort[5240]: IDS362 - MISC - Shellcode X86 NOPS-UDP: 24.69.66.75:852 -> 172.16.1.107:949

I don't know what the above line means except that I have been hacked.

5. What lesson did I learn from this?

I answered Questions 1 through 4 with no network security experience. I have 1 1/2 years IT support experience. The main lesson learned was "Keep your operating system updated with the latest security patches". Secondly, pray that the patch does not crash your network or system.

6. How long did this challenge take you?

I spent 6 hours on this challenge.

Bonus Question:

The attack was "The Forensic Challenge" that was written up and posted on this site. Check it out. A must read for forensic analysis. The attacker exploited the rpc.statd daemon. Honeynet failed to alert because this rpc.statd exploit was new and Snort did not have a signature.

Best regards,
Sheila Bamberg
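The submission above does two things by hand: it scans the firewall log for recurring service names (ftp, rpc) and it picks out the one Snort alert that marks the compromise. The following Python script is an added example, written for this page and not part of Sheila Bamberg's submission or of the Honeynet Project's Scan 17 materials, that automates both steps. It parses syslog-style Snort alert lines of the exact shape quoted in the email (the one real alert line is reused as input), tallies which destination services the firewall log shows being probed, and flags alerts whose message mentions shellcode. The firewall lines, the second Snort alert, the port-to-service table and the function names are all constructed for the example; the challenge's real firewall log format is not assumed, only that each line carries a "src:port -> dst:port" flow.

```python
import re
from collections import Counter

# Shape of the syslog-style Snort alert quoted in the email:
#   Nov 4 22:30:41 ids snort[5240]: IDS362 - MISC - Shellcode X86 NOPS-UDP: 24.69.66.75:852 -> 172.16.1.107:949
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SNORT_ALERT_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+snort\[(?P<pid>\d+)\]:\s+"
    r"(?P<sid>\S+)\s+-\s+(?P<msg>.+?):\s+"
    rf"(?P<src>{IPV4}):(?P<sport>\d+)\s+->\s+(?P<dst>{IPV4}):(?P<dport>\d+)$"
)

# Any line carrying a "src:port -> dst:port" flow (used for the constructed firewall lines below).
FLOW_RE = re.compile(rf"(?P<src>{IPV4}):(?P<sport>\d+)\s+->\s+(?P<dst>{IPV4}):(?P<dport>\d+)")

# Well-known ports for the services the email calls out (ftp and rpc/portmapper) plus dns.
# This small table is an assumption of the example, not something taken from the challenge.
PORT_NAMES = {21: "ftp", 53: "domain", 111: "sunrpc"}


def parse_snort_alert(line):
    """Split one Snort syslog alert into named fields; return None for lines that are not alerts."""
    m = SNORT_ALERT_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("pid", "sport", "dport"):
        fields[key] = int(fields[key])
    return fields


def tally_targeted_services(lines):
    """Count destination services across flow lines: the 'recurring words' scan the email did by eye."""
    counts = Counter()
    for line in lines:
        m = FLOW_RE.search(line)
        if m is None:
            continue  # not a flow line; skip silently
        port = int(m.group("dport"))
        counts[PORT_NAMES.get(port, f"port/{port}")] += 1
    return counts


def shellcode_alert_targets(lines):
    """(dst, dport, sid) for every alert whose message mentions shellcode, e.g. a NOP sled match."""
    targets = []
    for line in lines:
        alert = parse_snort_alert(line)
        if alert is not None and "shellcode" in alert["msg"].lower():
            targets.append((alert["dst"], alert["dport"], alert["sid"]))
    return targets


# Constructed sample firewall lines (NOT the challenge's real log format); only the flow part matters.
CONSTRUCTED_FIREWALL_LINES = [
    "Nov 1 03:12:44 fw deny tcp 192.0.2.10:3421 -> 172.16.1.107:21",
    "Nov 1 03:12:45 fw deny tcp 192.0.2.10:3422 -> 172.16.1.108:21",
    "Nov 2 11:02:09 fw deny udp 198.51.100.7:4500 -> 172.16.1.107:111",
    "Nov 2 11:02:10 fw deny tcp 198.51.100.7:4501 -> 172.16.1.107:111",
    "Nov 3 19:44:51 fw deny tcp 203.0.113.3:2020 -> 172.16.1.107:21",
    "Nov 3 19:50:00 fw permit udp 172.16.1.5:53001 -> 172.16.1.1:53",
]

# The real alert quoted in the email, plus one constructed lower-severity alert for contrast.
SAMPLE_SNORT_LINES = [
    "Nov 4 22:30:41 ids snort[5240]: IDS362 - MISC - Shellcode X86 NOPS-UDP: 24.69.66.75:852 -> 172.16.1.107:949",
    "Nov 4 22:29:58 ids snort[5240]: IDS000 - EXAMPLE - portmap request: 24.69.66.75:851 -> 172.16.1.107:111",  # constructed
]

if __name__ == "__main__":
    print("services probed:", tally_targeted_services(CONSTRUCTED_FIREWALL_LINES))
    for line in SAMPLE_SNORT_LINES:
        print(parse_snort_alert(line))
    print("shellcode alerts against:", shellcode_alert_targets(SAMPLE_SNORT_LINES))
```

Run it as a script to see the tally and the parsed alerts; on the constructed input the tally confirms the email's observation (ftp and sunrpc dominate the firewall log) and the shellcode filter isolates the single alert against 172.16.1.107 that the email identifies as the intrusion, while the portmapper alert is left as context.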