From sparqmchne@hotmail.com Sun Aug 26 21:53:09 2001
Date: Fri, 24 Aug 2001 18:04:21 -0400
From: . .
To: project@honeynet.org
Subject: Scan of the Month 8/2001

Honey Net Analysis

Step I

I noticed in the firewall logs there was no direct indication of which host the traffic was destined for; the only information provided was the destination services. The first step I did was divide the snort logs into separate files for each host using

grep $IP snort-alerts.txt > $LAST_OCTET_snort

Step II

I next did an outline of what I thought the most logical layout of the network would be, labeling each host with IP address and OS:

FW -> IDS -> HUB -> HOSTS

Hosts 102 - 106 experienced the same scans: FTP, SUNRpc and Proxy scans. Evidence of malicious and premeditated events is present due to the same source and destination ports noted for each host, in addition to each host receiving the same flow of traffic. Based on the traffic analysis none of the hosts appear to have been compromised.

Traffic Examples:

172.16.1.102
Nov 4 18:25:59 ids snort[5240]: SCAN-SYN FIN: 203.59.72.172:21 -> 172.16.1.102:21
Nov 6 16:44:14 ids snort[237]: SCAN-SYN FIN: 61.129.65.42:111 -> 172.16.1.102:111
Nov 6 17:02:50 ids snort[237]: SCAN-SYN FIN: 62.98.45.141:111 -> 172.16.1.102:111
Nov 23 19:46:57 ids snort[16083]: SCAN-SYN FIN: 206.77.188.15:53 -> 172.16.1.102:53
Nov 25 09:01:12 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4882 -> 172.16.1.102:1080
Nov 25 09:01:15 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4882 -> 172.16.1.102:1080
Nov 29 11:13:29 ids snort[18432]: SCAN-SYN FIN: 12.24.136.201:511 -> 172.16.1.102:511

172.16.1.103
Nov 4 18:25:59 ids snort[5240]: SCAN-SYN FIN: 203.59.72.172:21 -> 172.16.1.103:21
Nov 6 16:44:14 ids snort[237]: SCAN-SYN FIN: 61.129.65.42:111 -> 172.16.1.103:111
Nov 6 17:02:50 ids snort[237]: SCAN-SYN FIN: 62.98.45.141:111 -> 172.16.1.103:111
Nov 23 19:46:57 ids snort[16083]: SCAN-SYN FIN: 206.77.188.15:53 -> 172.16.1.103:53
Nov 25 09:01:12 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4883 -> 172.16.1.103:1080
Nov 25 09:01:15 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4883 -> 172.16.1.103:1080
Nov 29 11:13:29 ids snort[18432]: SCAN-SYN FIN: 12.24.136.201:511 -> 172.16.1.103:511
Nov 30 22:30:56 ids snort[18951]: IDS8 - TELNET - daemon-active: 172.16.1.103:23 -> 207.239.115.11:1947

172.16.1.104
Nov 4 18:25:59 ids snort[5240]: SCAN-SYN FIN: 203.59.72.172:21 -> 172.16.1.104:21
Nov 6 16:44:14 ids snort[237]: SCAN-SYN FIN: 61.129.65.42:111 -> 172.16.1.104:111
Nov 6 17:02:50 ids snort[237]: SCAN-SYN FIN: 62.98.45.141:111 -> 172.16.1.104:111
Nov 23 19:46:57 ids snort[16083]: SCAN-SYN FIN: 206.77.188.15:53 -> 172.16.1.104:53
Nov 25 09:01:12 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4884 -> 172.16.1.104:1080
Nov 25 09:01:15 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4884 -> 172.16.1.104:1080
Nov 29 11:13:29 ids snort[18432]: SCAN-SYN FIN: 12.24.136.201:511 -> 172.16.1.104:511
Nov 30 21:55:44 ids snort[18951]: IDS287 - FTP - Wuftp260 venglin linux: 141.223.222.143:4761 -> 172.16.1.104:21
Nov 30 21:55:47 ids snort[18951]: IDS317 - FTP-site-exec: 141.223.222.143:4761 -> 172.16.1.104:21

172.16.1.105
Nov 4 18:25:59 ids snort[5240]: SCAN-SYN FIN: 203.59.72.172:21 -> 172.16.1.105:21
Nov 6 16:44:14 ids snort[237]: SCAN-SYN FIN: 61.129.65.42:111 -> 172.16.1.105:111
Nov 6 17:02:50 ids snort[237]: SCAN-SYN FIN: 62.98.45.141:111 -> 172.16.1.105:111
Nov 23 19:46:57 ids snort[16083]: SCAN-SYN FIN: 206.77.188.15:53 -> 172.16.1.105:53
Nov 25 09:01:12 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4885 -> 172.16.1.105:1080
Nov 25 09:01:15 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4885 -> 172.16.1.105:1080
Nov 29 11:13:29 ids snort[18432]: SCAN-SYN FIN: 12.24.136.201:511 -> 172.16.1.105:511

172.16.1.106
Nov 4 18:25:59 ids snort[5240]: SCAN-SYN FIN: 203.59.72.172:21 -> 172.16.1.106:21
Nov 6 17:02:50 ids snort[237]: SCAN-SYN FIN: 62.98.45.141:111 -> 172.16.1.106:111
Nov 23 19:46:57 ids snort[16083]: SCAN-SYN FIN: 206.77.188.15:53 -> 172.16.1.106:53
Nov 25 09:01:12 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4886 -> 172.16.1.106:1080
Nov 29 11:13:29 ids snort[18432]: SCAN-SYN FIN: 12.24.136.201:511 -> 172.16.1.106:511

Summary

The trends I noticed in the scans were for the most prevalent exploits during that current time; mainly Wu-FTP, RPC Statd, and BIND. Based on this activity I can conclude the Black Hat community is very prompt to exploit the known coding or flaws available, often doing so without the administrator's knowledge until it is too late. The similar portscans to the various hosts and return traffic often promote a forthcoming compromise or system attack. The portscans and exploit attempts were key factors in signaling a definite problem on the network.

I focused mainly on hosts 172.16.1.101 and 172.16.1.107 because of the large amount of activity destined for the particular hosts. Host 172.16.1.107 appears to have been compromised via an external source, surmised in the following traffic excerpts:

Nov 30 21:55:44 ids snort[18951]: IDS287 - FTP - Wuftp260 venglin linux: 141.223.222.143:4761 -> 172.16.1.104:21
Nov 30 21:55:47 ids snort[18951]: IDS317 - FTP-site-exec: 141.223.222.143:4761 -> 172.16.1.104:21
Nov 7 23:11:51 ids snort[1260]: IDS15 - RPC - portmap-request-status: 216.216.74.2:709 -> 172.16.1.107:111
Nov 7 23:11:51 ids snort[1260]: IDS362 - MISC - Shellcode X86 NOPS-UDP: 216.216.74.2:710 -> 172.16.1.107:871

First attempt of outgoing traffic:

Nov 7 23:11:31 ids snort[1260]: IDS08 - TELNET - daemon-active: 172.16.1.101:23 -> 216.216.74.2:1209

The compromises may have been prevented if the firewall had rules limiting traffic to particular hosts. Below are two examples where access rules should have been applied.

Source                                     Date        Time       Service
HSE-Sherbrooke-ppp78874.qc.sympatico.ca    3Nov2000    1:39:00    sunrpc
24.69.66.75.bc.wave.home.com               4Nov2000    22:24:54   rpc
61.129.65.42                               6Nov2000    16:44:13   rpc
62.98.45.141                               6Nov2000    17:02:49   rpc
dyn-212-129-5-218.paris.none.net           6Nov2000    20:34:00   sunrpc

modem-95.thallium.dialup.pol.co.uk         22Nov2000   19:55:28   ftp
pD90553EB.dip.t-dialin.net                 24Nov2000   7:34:04    ftp
user3.net016.fl.sprint-hsd.net             24Nov2000   9:51:55    ftp
azazello.chem.unc.edu                      25Nov2000   12:13:19   ftp
209.148.83.51                              25Nov2000   15:40:12   ftp
ca-ol-marseille-22-206.abo.wanadoo.fr      29Nov2000   15:04:03   ftp
CPE-144-132-223-204.nsw.bigpond.net.au     30Nov2000   4:58:45    ftp
pec-118-255.tnt9.me2.uunet.de              30Nov2000   9:36:09    ftp
MAPT4903.postech.ac.kr                     30Nov2000   20:42:58   ftp

The IDS rules should also have been set to monitor traffic between the hosts. One host could have been compromised, and from that point used to own the rest of the hosts undetected. The snort logs were more valuable; the alerts outlined what happened on each host, while the firewall only displayed the traffic entering the network. The lesson learned from this event is applying restrictive rules to a firewall and logging only traffic for critical services. Both firewall and IDS should be set to watch traffic entering and leaving the network. The attacks could have been noticed if the syslogs were also included in the bastard-logging scheme, in addition to logging the Application Layer data. The Ramen Worm could have caused the nature of the scan.
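Added worked example (editor's code, not part of the submission above): a Python script that does the per-host split from Step I in a single pass over the Snort syslog alerts and then correlates inbound exploit-class alerts with outbound connections back to the same external address, which is the pairing the Summary reasons from. The input is the set of alert lines quoted in the submission, not a complete log. The honeynet prefix 172.16.1., the choice of which signature names count as exploit attempts rather than scans (Wuftp260, site-exec, Shellcode), and the decision not to enforce time ordering are assumptions made here.

```python
"""Split Snort syslog alerts by honeynet host and correlate inbound exploit
alerts with outbound connections back to the same external address."""
import re
from collections import defaultdict

# Snort 1.x syslog alert format as it appears in the Scan of the Month logs:
#   Nov 7 23:11:51 ids snort[1260]: IDS15 - RPC - portmap-request-status: 216.216.74.2:709 -> 172.16.1.107:111
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ snort\[\d+\]: "
    r"(?P<sig>.+?): (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)

# Assumption: the honeynet is the single /24 seen in the excerpts.
HONEYNET_PREFIX = "172.16.1."

# Assumption: these substrings mark an exploit payload being delivered.
# Probe signatures (SCAN-SYN FIN, WinGate, portmap-request) are left out.
EXPLOIT_MARKERS = ("Wuftp260", "site-exec", "Shellcode")

# Sample input: alert lines quoted in the submission above, plus one junk line.
SAMPLE_ALERTS = """\
Nov 4 18:25:59 ids snort[5240]: SCAN-SYN FIN: 203.59.72.172:21 -> 172.16.1.104:21
Nov 7 23:11:31 ids snort[1260]: IDS08 - TELNET - daemon-active: 172.16.1.101:23 -> 216.216.74.2:1209
Nov 7 23:11:51 ids snort[1260]: IDS15 - RPC - portmap-request-status: 216.216.74.2:709 -> 172.16.1.107:111
Nov 7 23:11:51 ids snort[1260]: IDS362 - MISC - Shellcode X86 NOPS-UDP: 216.216.74.2:710 -> 172.16.1.107:871
Nov 25 09:01:12 ids snort[17159]: MISC-WinGate-1080-Attempt: 24.42.178.243:4884 -> 172.16.1.104:1080
Nov 30 21:55:44 ids snort[18951]: IDS287 - FTP - Wuftp260 venglin linux: 141.223.222.143:4761 -> 172.16.1.104:21
Nov 30 21:55:47 ids snort[18951]: IDS317 - FTP-site-exec: 141.223.222.143:4761 -> 172.16.1.104:21
Nov 30 22:30:56 ids snort[18951]: IDS8 - TELNET - daemon-active: 172.16.1.103:23 -> 207.239.115.11:1947
not an alert line
"""


def parse_alert(line):
    """Return a dict for one Snort syslog alert, or None for non-alert lines."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_honeynet(ip):
    return ip.startswith(HONEYNET_PREFIX)


def is_exploit(rec):
    return any(marker in rec["sig"] for marker in EXPLOIT_MARKERS)


def split_by_host(lines):
    """The grep-per-host step from Step I, done in one pass.  Keyed on the
    honeynet address whether it is source or destination, so outbound alerts
    land in the bucket of the host that generated them."""
    per_host = defaultdict(list)
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        for ip in (rec["src"], rec["dst"]):
            if is_honeynet(ip):
                per_host[ip].append(rec)
    return dict(per_host)


def correlate(lines):
    """Per external address: honeynet hosts that received an exploit-class
    alert from it, hosts that opened a connection back to it, and the
    intersection.  Time ordering is deliberately not enforced: the syslog
    stamps carry no year, and in the excerpt the outbound telnet alert is
    stamped 20 seconds before the inbound shellcode alert."""
    exploited = defaultdict(set)
    callbacks = defaultdict(set)
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        inbound = is_honeynet(rec["dst"]) and not is_honeynet(rec["src"])
        outbound = is_honeynet(rec["src"]) and not is_honeynet(rec["dst"])
        if inbound and is_exploit(rec):
            exploited[rec["src"]].add(rec["dst"])
        if outbound:
            callbacks[rec["dst"]].add(rec["src"])
    report = {}
    for ext in set(exploited) | set(callbacks):
        report[ext] = {
            "exploit_targets": sorted(exploited[ext]),
            "callback_from": sorted(callbacks[ext]),
            "same_host": sorted(exploited[ext] & callbacks[ext]),
        }
    return report


if __name__ == "__main__":
    lines = SAMPLE_ALERTS.splitlines()
    for host, recs in sorted(split_by_host(lines).items()):
        print(f"{host}: {len(recs)} alerts")
    for ext, r in sorted(correlate(lines).items()):
        print(ext, r)
```

Run against the excerpt, the report shows 216.216.74.2 delivering shellcode to .107 while the telnet callback comes from .101, and 141.223.222.143 hitting .104 with the wu-ftpd site exec signatures with no outbound traffic in the quoted lines; the `same_host` list is empty for every external address, which is exactly the cross-host reasoning the Summary has to do by hand. Pointing `SAMPLE_ALERTS` at the full snort-alerts.txt is the obvious next step.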