Honeynet Project: Scan 18
Kevin Liston
The Challenge:
The Scan of the Month for Scan 15 was to recover a deleted rootkit. Scan 18 involves analyzing the snort dump from that March 15th incident and answering the following questions:
The attackers used an rpc.statd attack to get into the system. What modifications did they make to the break-in process to both automate it and make it faster?
What system/country did the badguys come in from?
What nationality are the badguys, and how were you able to determine this?
What do the answers to questions #1 and #2 tell you about the tactics the badguys are using?
What did you learn from this challenge?
How long did this challenge take you?
The Initial Analysis:
I wanted to determine what scans were going on in the honeynet before, during and after the attack. If we examine the SYN connections to TCP services and sort on the source port, we can see the chronology of actions from the scanner's point of view, unless the scan packets are crafted in strange ways. In this case, I'm looking for the attacker scanning for portmapper, TCP/111. I was using tcpdump version 3.6 to process the binary file, and wrote a quick perl script to simplify the output.
connection_filter.pl:
#!/usr/bin/perl
# Reformat SYN-only tcpdump output so that the source and destination
# ports become separate whitespace-delimited fields (sortable with sort -k).
# Input is produced by:  tcpdump -nr snort-0315\@0005.log tcp[13]=2
# and looks like:
#   05:33:23.616029 203.111.78.182.2656 > 172.16.1.102.111: S 1642299750:1642299750(0) win 32120 <mss 1460,sackOK,timestamp 1425735 0,nop,wscale 0> (DF)
use strict;
use warnings;

while (<>) {
    my @line = split;
    $line[3] =~ s/:$//;    # drop the colon tcpdump appends to the destination
    # "a.b.c.d.port" -> "a.b.c.d port": the last dot separates the port
    $line[1] =~ s/(.+\..+\..+\..+)\.(.+)/$1 $2/;
    $line[3] =~ s/(.+\..+\..+\..+)\.(.+)/$1 $2/;
    print "$line[0] $line[1] $line[2] $line[3]\n";
}
The command used to generate the output was:
tcpdump -nr snort-0315\@0005.log tcp[13]=2 | ./connection_filter.pl |sort -n -k 3
21:36:21.451950 193.231.236.41 20 > 172.16.1.108 1027
13:34:07.018434 172.16.1.108 1025 > 216.168.224.69 43
21:36:04.694845 172.16.1.108 1026 > 193.231.236.41 21
21:46:15.135480 172.16.1.108 1028 > 216.136.129.14 25
21:46:23.795364 172.16.1.108 1029 > 209.61.188.33 25
21:36:05.086302 193.231.236.41 1516 > 172.16.1.108 113
21:36:07.088458 193.231.236.41 1519 > 172.16.1.108 113
21:36:07.504259 193.231.236.41 1522 > 172.16.1.108 113
09:35:52.282971 211.180.229.190 1558 > 172.16.1.101 515
09:35:55.215472 211.180.229.190 1558 > 172.16.1.101 515
09:35:55.247377 211.180.229.190 1560 > 172.16.1.103 515
09:35:55.224358 211.180.229.190 1561 > 172.16.1.104 515
09:35:55.253008 211.180.229.190 1562 > 172.16.1.105 515
09:35:55.259768 211.180.229.190 1563 > 172.16.1.106 515
09:35:52.282978 211.180.229.190 1564 > 172.16.1.107 515
09:35:55.260752 211.180.229.190 1564 > 172.16.1.107 515
09:35:55.265661 211.180.229.190 1565 > 172.16.1.108 515
12:29:42.462830 65.195.31.2 2471 > 172.16.1.101 53
12:29:39.936665 65.195.31.2 2473 > 172.16.1.103 53
12:29:42.453684 65.195.31.2 2476 > 172.16.1.106 53
12:29:39.939751 65.195.31.2 2477 > 172.16.1.107 53
05:33:23.616029 203.111.78.182 2656 > 172.16.1.102 111
05:33:26.600232 203.111.78.182 2656 > 172.16.1.102 111
05:33:23.616049 203.111.78.182 2657 > 172.16.1.103 111
05:33:29.035589 203.111.78.182 2658 > 172.16.1.104 111
05:33:29.036241 203.111.78.182 2659 > 172.16.1.105 111
05:33:29.044579 203.111.78.182 2660 > 172.16.1.106 111
05:33:29.045235 203.111.78.182 2661 > 172.16.1.107 111
05:33:29.053298 203.111.78.182 2662 > 172.16.1.108 111
10:08:30.974471 211.180.229.190 3329 > 172.16.1.103 23
21:21:23.840485 211.185.125.124 3493 > 172.16.1.101 111
21:21:26.854705 211.185.125.124 3493 > 172.16.1.101 111
21:21:32.900754 211.185.125.124 3493 > 172.16.1.101 111
21:21:44.877860 211.185.125.124 3493 > 172.16.1.101 111
21:22:08.886316 211.185.125.124 3493 > 172.16.1.101 111
21:22:56.833325 211.185.125.124 3493 > 172.16.1.101 111
21:24:32.858860 211.185.125.124 3493 > 172.16.1.101 111
21:26:32.840554 211.185.125.124 3493 > 172.16.1.101 111
21:28:33.049075 211.185.125.124 3493 > 172.16.1.101 111
21:30:33.040132 211.185.125.124 3493 > 172.16.1.101 111
21:32:32.867640 211.185.125.124 3493 > 172.16.1.101 111
21:34:32.867518 211.185.125.124 3493 > 172.16.1.101 111
21:21:23.863730 211.185.125.124 3494 > 172.16.1.102 111
21:21:26.855656 211.185.125.124 3494 > 172.16.1.102 111
21:21:32.890043 211.185.125.124 3494 > 172.16.1.102 111
21:21:44.861092 211.185.125.124 3494 > 172.16.1.102 111
21:22:08.876815 211.185.125.124 3494 > 172.16.1.102 111
21:22:56.843552 211.185.125.124 3494 > 172.16.1.102 111
21:24:32.856862 211.185.125.124 3494 > 172.16.1.102 111
21:26:32.858734 211.185.125.124 3494 > 172.16.1.102 111
21:28:33.030388 211.185.125.124 3494 > 172.16.1.102 111
21:30:33.041487 211.185.125.124 3494 > 172.16.1.102 111
21:32:32.849693 211.185.125.124 3494 > 172.16.1.102 111
21:34:32.849615 211.185.125.124 3494 > 172.16.1.102 111
21:21:23.857472 211.185.125.124 3495 > 172.16.1.103 111
21:21:26.868126 211.185.125.124 3496 > 172.16.1.104 111
21:21:32.887966 211.185.125.124 3496 > 172.16.1.104 111
21:21:44.846595 211.185.125.124 3496 > 172.16.1.104 111
21:22:08.870784 211.185.125.124 3496 > 172.16.1.104 111
21:22:56.851467 211.185.125.124 3496 > 172.16.1.104 111
21:24:32.865990 211.185.125.124 3496 > 172.16.1.104 111
21:26:32.849176 211.185.125.124 3496 > 172.16.1.104 111
21:28:33.011753 211.185.125.124 3496 > 172.16.1.104 111
21:30:33.019663 211.185.125.124 3496 > 172.16.1.104 111
21:32:32.858822 211.185.125.124 3496 > 172.16.1.104 111
21:34:32.869107 211.185.125.124 3496 > 172.16.1.104 111
21:21:23.893589 211.185.125.124 3497 > 172.16.1.105 111
21:21:26.885677 211.185.125.124 3497 > 172.16.1.105 111
21:21:32.862699 211.185.125.124 3497 > 172.16.1.105 111
21:21:44.867892 211.185.125.124 3497 > 172.16.1.105 111
21:22:08.858897 211.185.125.124 3497 > 172.16.1.105 111
21:22:56.869735 211.185.125.124 3497 > 172.16.1.105 111
21:24:32.884170 211.185.125.124 3497 > 172.16.1.105 111
21:26:32.859908 211.185.125.124 3497 > 172.16.1.105 111
21:28:33.020979 211.185.125.124 3497 > 172.16.1.105 111
21:30:33.049258 211.185.125.124 3497 > 172.16.1.105 111
21:32:32.893936 211.185.125.124 3497 > 172.16.1.105 111
21:34:32.850834 211.185.125.124 3497 > 172.16.1.105 111
21:21:23.912707 211.185.125.124 3498 > 172.16.1.106 111
21:21:26.875390 211.185.125.124 3498 > 172.16.1.106 111
21:21:32.853791 211.185.125.124 3498 > 172.16.1.106 111
21:21:44.851719 211.185.125.124 3498 > 172.16.1.106 111
21:22:08.850785 211.185.125.124 3498 > 172.16.1.106 111
21:24:32.849230 211.185.125.124 3498 > 172.16.1.106 111
21:28:33.010894 211.185.125.124 3498 > 172.16.1.106 111
21:30:33.050534 211.185.125.124 3498 > 172.16.1.106 111
21:32:32.877256 211.185.125.124 3498 > 172.16.1.106 111
21:34:32.858684 211.185.125.124 3498 > 172.16.1.106 111
21:21:23.873607 211.185.125.124 3499 > 172.16.1.107 111
21:21:26.863772 211.185.125.124 3499 > 172.16.1.107 111
21:21:32.880809 211.185.125.124 3499 > 172.16.1.107 111
21:21:44.870212 211.185.125.124 3499 > 172.16.1.107 111
21:22:08.849866 211.185.125.124 3499 > 172.16.1.107 111
21:22:56.870900 211.185.125.124 3499 > 172.16.1.107 111
21:24:32.847567 211.185.125.124 3499 > 172.16.1.107 111
21:26:32.869014 211.185.125.124 3499 > 172.16.1.107 111
21:28:33.047668 211.185.125.124 3499 > 172.16.1.107 111
21:30:33.021350 211.185.125.124 3499 > 172.16.1.107 111
21:32:32.848757 211.185.125.124 3499 > 172.16.1.107 111
21:34:32.859952 211.185.125.124 3499 > 172.16.1.107 111
21:21:23.874409 211.185.125.124 3500 > 172.16.1.108 111
21:21:36.312515 211.185.125.124 4450 > 172.16.1.108 39168
21:46:24.453124 209.61.188.33 43497 > 172.16.1.108 113
From this output we can clearly see the portmapper scan originating from 211.185.125.124. The source port increases with the IP number. The repeated entries (the scanner retransmitting its SYN because no reply came back) indicate machines in the honeynet that did not answer. From this, you can tell that 172.16.1.103 and 172.16.1.108 are running some service on TCP/111. Note that the scan stops at 172.16.1.108, so perhaps the scanner/attacker switches to another subnet after it makes a successful attack.
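The reasoning above (group SYNs by source and destination port to spot a scan, treat a retransmitted SYN as "no answer", and read a jump in the source-port sequence as the scanner being busy elsewhere in between) can be done programmatically over the connection_filter.pl output. The following Python script is an added example and is not part of the original writeup; the function names are my own, and the embedded SAMPLE lines are a constructed subset of the listing above, kept in the same format.

```python
"""Summarise scan behaviour from connection_filter.pl-style SYN lines.

Added example, not part of Kevin Liston's original analysis. Each input line
has the format his script emits:
    HH:MM:SS.usec src_ip src_port > dst_ip dst_port
"""
from collections import defaultdict

# Constructed sample: a handful of lines copied from the page's listing.
SAMPLE = """\
21:21:23.840485 211.185.125.124 3493 > 172.16.1.101 111
21:21:26.854705 211.185.125.124 3493 > 172.16.1.101 111
21:21:32.900754 211.185.125.124 3493 > 172.16.1.101 111
21:21:23.857472 211.185.125.124 3495 > 172.16.1.103 111
21:21:23.874409 211.185.125.124 3500 > 172.16.1.108 111
21:21:36.312515 211.185.125.124 4450 > 172.16.1.108 39168
09:35:52.282971 211.180.229.190 1558 > 172.16.1.101 515
09:35:55.215472 211.180.229.190 1558 > 172.16.1.101 515
09:35:55.247377 211.180.229.190 1560 > 172.16.1.103 515
21:36:04.694845 172.16.1.108 1026 > 193.231.236.41 21
"""


def parse_line(line):
    ts, src, sport, _arrow, dst, dport = line.split()
    return {"ts": ts, "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def parse(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def scans(syns, min_hosts=3):
    """Sources that sent a SYN to the same port on at least min_hosts hosts."""
    targets = defaultdict(set)
    for s in syns:
        targets[(s["src"], s["dport"])].add(s["dst"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_hosts}


def unanswered(syns):
    """(src, sport, dst, dport) tuples seen more than once.

    The same source port re-sending its SYN means neither a SYN/ACK nor a
    RST came back: a closed port would have answered with a RST, so a
    repeat means the host (or a filter in front of it) dropped the probe.
    """
    counts = defaultdict(int)
    for s in syns:
        counts[(s["src"], s["sport"], s["dst"], s["dport"])] += 1
    return sorted(k for k, n in counts.items() if n > 1)


def answered_hosts(syns, src, dport):
    """Hosts probed by src on dport whose SYN was never retransmitted."""
    retrans = {k[2] for k in unanswered(syns) if k[0] == src and k[3] == dport}
    probed = {s["dst"] for s in syns if s["src"] == src and s["dport"] == dport}
    return sorted(probed - retrans)


def source_port_gaps(syns, src, threshold=100):
    """Large jumps in src's source-port sequence, ordered by port.

    Consecutive connections from one host normally use consecutive ephemeral
    ports; a big gap means many other sockets were opened in between, i.e.
    the scanner was working on other targets at the same time.
    """
    ports = sorted({(s["sport"], s["dst"], s["dport"]) for s in syns if s["src"] == src})
    gaps = []
    for prev, cur in zip(ports, ports[1:]):
        if cur[0] - prev[0] >= threshold:
            gaps.append((prev, cur, cur[0] - prev[0]))
    return gaps


if __name__ == "__main__":
    syns = parse(SAMPLE)
    for (src, dport), hosts in scans(syns).items():
        print(f"scan from {src} for port {dport}: {len(hosts)} hosts")
        print("  answered:", answered_hosts(syns, src, dport))
        for prev, cur, delta in source_port_gaps(syns, src):
            print(f"  source-port jump of {delta}: {prev} -> {cur}")
```

On the constructed sample this reports the TCP/111 scan from 211.185.125.124, lists 172.16.1.103 and 172.16.1.108 as the hosts that answered, and flags the jump from source port 3500 to 4450 that the Question 1 answer relies on. Run it over the full filtered capture by replacing SAMPLE with the script's stdout.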
So, we have our first IP number of interest, 211.185.125.124. Let's take a look at where it's located:
Asia Pacific Network Information Center (NETBLK-APNIC-CIDR-BLK)
These addresses have been further assigned to Asia-Pacific users.
Contact info can be found in the APNIC database,
at WHOIS.APNIC.NET or http://www.apnic.net/
Please do not send spam complaints to APNIC.
AU
Netname: APNIC-CIDR-BLK2
Netblock: 210.0.0.0 - 211.255.255.255
Coordinator:
Administrator, System (SA90-ARIN) [No mailbox]
+61-7-3367-0490
Domain System inverse mapping provided by:
NS.APNIC.NET 203.37.255.97
SVC00.APNIC.NET 202.12.28.131
NS.TELSTRA.NET 203.50.0.137
NS.RIPE.NET 193.0.0.193
Regional Internet Registry for the Asia-Pacific Region.
*** Use whois -h whois.apnic.net ***
*** or see http://www.apnic.net/db/ for database assistance ***
Record last updated on 03-May-2000.
Database last updated on 30-Aug-2001 23:13:35 EDT.
Search the APNIC Whois database:
Search results for '211.185.125.124'
inetnum 211.172.0.0 - 211.199.255.255
netname KRNIC-KR
descr KRNIC
descr Korea Network Information Center
country KR
admin-c HM127-AP, inverse
tech-c HM127-AP, inverse
remarks ******************************************
remarks KRNIC is the National Internet Registry
remarks in Korea under APNIC. If you would like to
remarks find assignment information in detail
remarks please refer to the KRNIC Whois DB
remarks http://whois.nic.or.kr/english/index.html
remarks ******************************************
mnt-by APNIC-HM, inverse
mnt-lower MNT-KRNIC-AP, inverse
changed hostmaster@apnic.net 20000607
changed hostmaster@apnic.net 20010606
source APNIC
person Host Master, inverse
address Korea Network Information Center
address Narajongkeum B/D 14F, 1328-3, Seocho-dong, Seocho-ku, Seoul, 137-070, Republic of Korea
country KR
phone +82-2-2186-4500
fax-no +82-2-2186-4496
e-mail hostmaster@nic.or.kr, inverse
nic-hdl HM127-AP, inverse
mnt-by MNT-KRNIC-AP, inverse
changed hostmaster@nic.or.kr 20010514
source APNIC
There is no reverse lookup.
The Attack Mechanism:
Now that we know the players in the attack, we look back at our initiated connections to and from the honeynet, this time sorting on time rather than on the source port. I've added some comments to the notable connection initiations, denoted by >>>>.
05:33:23.616029 203.111.78.182 2656 > 172.16.1.102 111
05:33:23.616049 203.111.78.182 2657 > 172.16.1.103 111
05:33:26.600232 203.111.78.182 2656 > 172.16.1.102 111
05:33:29.035589 203.111.78.182 2658 > 172.16.1.104 111
05:33:29.036241 203.111.78.182 2659 > 172.16.1.105 111
05:33:29.044579 203.111.78.182 2660 > 172.16.1.106 111
05:33:29.045235 203.111.78.182 2661 > 172.16.1.107 111
05:33:29.053298 203.111.78.182 2662 > 172.16.1.108 111
09:35:52.282971 211.180.229.190 1558 > 172.16.1.101 515
09:35:52.282978 211.180.229.190 1564 > 172.16.1.107 515
09:35:55.215472 211.180.229.190 1558 > 172.16.1.101 515
09:35:55.224358 211.180.229.190 1561 > 172.16.1.104 515
09:35:55.247377 211.180.229.190 1560 > 172.16.1.103 515
09:35:55.253008 211.180.229.190 1562 > 172.16.1.105 515
09:35:55.259768 211.180.229.190 1563 > 172.16.1.106 515
09:35:55.260752 211.180.229.190 1564 > 172.16.1.107 515
09:35:55.265661 211.180.229.190 1565 > 172.16.1.108 515
10:08:30.974471 211.180.229.190 3329 > 172.16.1.103 23
12:29:39.936665 65.195.31.2 2473 > 172.16.1.103 53
12:29:39.939751 65.195.31.2 2477 > 172.16.1.107 53
12:29:42.453684 65.195.31.2 2476 > 172.16.1.106 53
12:29:42.462830 65.195.31.2 2471 > 172.16.1.101 53
13:34:07.018434 172.16.1.108 1025 > 216.168.224.69 43
21:21:23.840485 211.185.125.124 3493 > 172.16.1.101 111
21:21:23.857472 211.185.125.124 3495 > 172.16.1.103 111
21:21:23.863730 211.185.125.124 3494 > 172.16.1.102 111
21:21:23.873607 211.185.125.124 3499 > 172.16.1.107 111
21:21:23.874409 211.185.125.124 3500 > 172.16.1.108 111
21:21:23.893589 211.185.125.124 3497 > 172.16.1.105 111
21:21:23.912707 211.185.125.124 3498 > 172.16.1.106 111
21:21:26.854705 211.185.125.124 3493 > 172.16.1.101 111
21:21:26.855656 211.185.125.124 3494 > 172.16.1.102 111
21:21:26.863772 211.185.125.124 3499 > 172.16.1.107 111
21:21:26.868126 211.185.125.124 3496 > 172.16.1.104 111
21:21:26.875390 211.185.125.124 3498 > 172.16.1.106 111
21:21:26.885677 211.185.125.124 3497 > 172.16.1.105 111
21:21:32.853791 211.185.125.124 3498 > 172.16.1.106 111
21:21:32.862699 211.185.125.124 3497 > 172.16.1.105 111
21:21:32.880809 211.185.125.124 3499 > 172.16.1.107 111
21:21:32.887966 211.185.125.124 3496 > 172.16.1.104 111
21:21:32.890043 211.185.125.124 3494 > 172.16.1.102 111
21:21:32.900754 211.185.125.124 3493 > 172.16.1.101 111
21:21:36.312515 211.185.125.124 4450 > 172.16.1.108 39168 >>>> Attack
21:21:44.846595 211.185.125.124 3496 > 172.16.1.104 111
21:21:44.851719 211.185.125.124 3498 > 172.16.1.106 111
21:21:44.861092 211.185.125.124 3494 > 172.16.1.102 111
21:21:44.867892 211.185.125.124 3497 > 172.16.1.105 111
21:21:44.870212 211.185.125.124 3499 > 172.16.1.107 111
21:21:44.877860 211.185.125.124 3493 > 172.16.1.101 111
21:22:08.849866 211.185.125.124 3499 > 172.16.1.107 111
21:22:08.850785 211.185.125.124 3498 > 172.16.1.106 111
21:22:08.858897 211.185.125.124 3497 > 172.16.1.105 111
21:22:08.870784 211.185.125.124 3496 > 172.16.1.104 111
21:22:08.876815 211.185.125.124 3494 > 172.16.1.102 111
21:22:08.886316 211.185.125.124 3493 > 172.16.1.101 111
21:22:56.833325 211.185.125.124 3493 > 172.16.1.101 111
21:22:56.843552 211.185.125.124 3494 > 172.16.1.102 111
21:22:56.851467 211.185.125.124 3496 > 172.16.1.104 111
21:22:56.869735 211.185.125.124 3497 > 172.16.1.105 111
21:22:56.870900 211.185.125.124 3499 > 172.16.1.107 111
21:24:32.847567 211.185.125.124 3499 > 172.16.1.107 111
21:24:32.849230 211.185.125.124 3498 > 172.16.1.106 111
21:24:32.856862 211.185.125.124 3494 > 172.16.1.102 111
21:24:32.858860 211.185.125.124 3493 > 172.16.1.101 111
21:24:32.865990 211.185.125.124 3496 > 172.16.1.104 111
21:24:32.884170 211.185.125.124 3497 > 172.16.1.105 111
21:26:32.840554 211.185.125.124 3493 > 172.16.1.101 111
21:26:32.849176 211.185.125.124 3496 > 172.16.1.104 111
21:26:32.858734 211.185.125.124 3494 > 172.16.1.102 111
21:26:32.859908 211.185.125.124 3497 > 172.16.1.105 111
21:26:32.869014 211.185.125.124 3499 > 172.16.1.107 111
21:28:33.010894 211.185.125.124 3498 > 172.16.1.106 111
21:28:33.011753 211.185.125.124 3496 > 172.16.1.104 111
21:28:33.020979 211.185.125.124 3497 > 172.16.1.105 111
21:28:33.030388 211.185.125.124 3494 > 172.16.1.102 111
21:28:33.047668 211.185.125.124 3499 > 172.16.1.107 111
21:28:33.049075 211.185.125.124 3493 > 172.16.1.101 111
21:30:33.019663 211.185.125.124 3496 > 172.16.1.104 111
21:30:33.021350 211.185.125.124 3499 > 172.16.1.107 111
21:30:33.040132 211.185.125.124 3493 > 172.16.1.101 111
21:30:33.041487 211.185.125.124 3494 > 172.16.1.102 111
21:30:33.049258 211.185.125.124 3497 > 172.16.1.105 111
21:30:33.050534 211.185.125.124 3498 > 172.16.1.106 111
21:32:32.848757 211.185.125.124 3499 > 172.16.1.107 111
21:32:32.849693 211.185.125.124 3494 > 172.16.1.102 111
21:32:32.858822 211.185.125.124 3496 > 172.16.1.104 111
21:32:32.867640 211.185.125.124 3493 > 172.16.1.101 111
21:32:32.877256 211.185.125.124 3498 > 172.16.1.106 111
21:32:32.893936 211.185.125.124 3497 > 172.16.1.105 111
21:34:32.849615 211.185.125.124 3494 > 172.16.1.102 111
21:34:32.850834 211.185.125.124 3497 > 172.16.1.105 111
21:34:32.858684 211.185.125.124 3498 > 172.16.1.106 111
21:34:32.859952 211.185.125.124 3499 > 172.16.1.107 111
21:34:32.867518 211.185.125.124 3493 > 172.16.1.101 111
21:34:32.869107 211.185.125.124 3496 > 172.16.1.104 111
21:36:04.694845 172.16.1.108 1026 > 193.231.236.41 21 >>>>> compromised system FTPing rootkit
21:36:05.086302 193.231.236.41 1516 > 172.16.1.108 113
21:36:07.088458 193.231.236.41 1519 > 172.16.1.108 113
21:36:07.504259 193.231.236.41 1522 > 172.16.1.108 113
21:36:21.451950 193.231.236.41 20 > 172.16.1.108 1027
21:46:15.135480 172.16.1.108 1028 > 216.136.129.14 25 >>>> compromised system mailing out
21:46:23.795364 172.16.1.108 1029 > 209.61.188.33 25 >>>> compromised system mailing out (delivery fails)
21:46:24.453124 209.61.188.33 43497 > 172.16.1.108 113 >>>> ident request from mailserver
The incident occurs as follows:
TCP/111 port scan through the honeynet.
Hit occurs on 172.16.1.103, but yields a negative result to the scanner
Positive hit occurs on 172.16.1.108
211.185.125.124 makes a request about rpc.statd
211.185.125.124 opens a connection to UDP/790 on 172.16.1.108
211.185.125.124 launches a statdx attack to port UDP/931 on 172.16.1.108
Overflowed buffer on 172.16.1.108 instructs it to FTP the root kit from 193.231.236.41
172.16.1.108 emails a message out to 216.136.129.14
172.16.1.108 fails to email a message out to 209.61.188.33
More Players, the Plot Thickens:
We have seen from the connections coming into and leaving 172.16.1.108 that more machines are at work here than just the scanner/attacker. There is the server that was FTPed into, and the two servers that received email. Let's take a look at who they are:
193.231.236.41, the ftp server, resolves to s1.home.ro
European Regional Internet Registry/RIPE NCC (NETBLK-RIPE)
These addresses have been further assigned to European users.
Contact info can be found in the RIPE database, via the
WHOIS and TELNET servers at whois.ripe.net, and at
http://www.ripe.net/db/whois.html
NL
Netname: RIPE-CBLK
Netblock: 193.0.0.0 - 193.255.255.255
Maintainer: RIPE
Coordinator:
Reseaux IP European Network Co-ordination Centre Singel 258 (RIPE-NCC-ARIN) nicdb@RIPE.NET
+31 20 535 4444
Domain System inverse mapping provided by:
NS.RIPE.NET 193.0.0.193
NS.EU.NET 192.16.202.11
AUTH03.NS.UU.NET 198.6.1.83
NS2.NIC.FR 192.93.0.4
SUNIC.SUNET.SE 192.36.125.2
MUNNARI.OZ.AU 128.250.1.21
NS.APNIC.NET 203.37.255.97
To search on arbitrary strings, see the Database page on
the RIPE NCC web-site at http://www.ripe.net/db/
Record last updated on 16-Oct-1998.
Database last updated on 30-Aug-2001 23:13:35 EDT.
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 193.231.236.0 - 193.231.236.255
netname: RDSNET
descr: Romania Data Systems
country: RO
admin-c: RDSH1-RIPE
tech-c: RDSH1-RIPE
rev-srv: ns1.rdsnet.ro 193.231.236.17
rev-srv: ns2.rdsnet.ro 193.231.236.10
status: ASSIGNED PA
remarks: object maintained by ro.rnc local registry
notify: domain-admin@rnc.ro
notify: as-admin@rdsnet.ro
mnt-by: AS3233-MNT
changed: danacorb@sunu.rnc.ro 19971217
changed: estaicut@rnc.ro 19981123
changed: cristih@rnc.ro 20000816
changed: cristih@rnc.ro 20010215
source: RIPE
route: 193.231.224.0/20
descr: RDSNET
origin: AS8708
mnt-by: AS8708-MNT
changed: tim@rdsnet.ro 20010320
source: RIPE
person: RDS Hostmaster
address: Romania Data Systems
address: Str. Sf. Vineri Nr. 25
address: Bl. 105C, Sector 3
address: Bucharest / ROMANIA
phone: +40 1 301 08 88
fax-no: +40 1 301 08 51
e-mail: hostmaster@rdsnet.ro
nic-hdl: RDSH1-RIPE
remarks: Hostmaster team:
remarks: Cornel Ciocirlan - CC79-RIPE
remarks: Andrei Stirbu - AS1385-RIPE
remarks: Adrian Niculae Gabriel - NAG4-RIPE
remarks: Dragos Vilceanu - DV461-RIPE
remarks: Bogdan Surdu - BS747-RIPE
notify: hostmaster@rdsnet.ro
mnt-by: AS8708-MNT
changed: tim@rdsnet.ro 20000424
source: RIPE
216.136.129.14 resolves to mta-v15.mail.yahoo.com. The recipient was bidi_damm@yahoo.com; bidi_damm's Yahoo profile indicates that he is male.
209.61.188.33 resolves to walterworks.com, a probable co-location customer of rackspace.com. The version of sendmail running on walterworks.com found the sending address to be disagreeable, so the transfer did not continue far enough for us to see the intended recipient.
Registrant:
WalterWorks, Inc. (WALTERWORKS-DOM)
P.O. Box 403
Barker, TX 77413
US
Domain Name: WALTERWORKS.COM
Administrative Contact, Technical Contact, Billing Contact:
Walter, Jeff (JW2131) jwalter@WALTERWORKS.COM
WalterWorks, Inc.
P.O. Box 403
Barker, TX 77413
281-647-9794 (FAX) 281 647-9798
Record last updated on 12-Aug-2001.
Record expires on 11-Jun-2002.
Record created on 10-Jun-1996.
Database last updated on 31-Aug-2001 05:27:00 EDT.
Domain servers in listed order:
NS.WALTERWORKS.COM 209.61.188.33
NS2.WALTERWORKS.COM 66.136.31.20
NS3.WALTERWORKS.COM 66.136.31.21
Rackspace.com (NETBLK-RSPC-NET-2)
112 East Pecan St.
San Antonio, TX 78205
US
Netname: RSPC-NET-2
Netblock: 209.61.128.0 - 209.61.191.255
Maintainer: RSPC
Coordinator:
Rackspace, com (ZR9-ARIN) hostmaster@rackspace.com
210-892-4000
Domain System inverse mapping provided by:
NS.RACKSPACE.COM 207.235.16.2
NS2.RACKSPACE.COM 207.71.44.121
Record last updated on 05-Sep-2000.
Database last updated on 30-Aug-2001 23:13:35 EDT.
Addressing the Challenge:
Question 1:
From the source port numbers, it appears that the scanning and attack processes are coupled, and that the machine is scanning more than one network at once. See the jump in source ports from 3500, when it scans TCP/111 on 172.16.1.108, to 4450 for the actual rpc.statd query.
The buffer overflow itself instructs the compromised machine to FTP a rootkit from s1.home.ro, install the rootkit, and email a happy little message that it has been compromised. The attackers have a list of emails as machines are compromised, and they can go through their FTP transfer logs to see what machines came in to download the rootkit itself.
It's quite possible that the Korean scanning server was compromised the same way, and that the honeynet server would soon start scanning for vulnerable systems. I'm not sure if this was initiated automatically.
Question 2:
The scan and buffer overflow came from 211.185.125.124, a system reported to be in Korea.
The rootkit was FTPed from s1.home.ro (193.231.236.41) in Bucharest, Romania.
Question 3:
In this incident, machines in Texas, Korea, and Romania were involved. Where are the real badguys from? The rootkit contained the phrase "Mircea Sugi Pula," which is a lyric from a song called Uzzi by the Romanian hip hop band Bug Mafia. I'm betting my quarter that these fellows are from Romania.
Question 4:
It appears that they are scanning for vulnerable sites, compromising the exploitable servers, and then employing these new servers in their scanning efforts. Like network marketing, hacker-style, they're enlisting more and more scanning machines.
Question 5:
I learned a bit more about Romanian Pop culture.
Question 6:
Approximately 1.5 hours were spent in acquiring the logs, writing the perl, generating some output, and piecing the attack together.
An additional 15 minutes was spent in addressing the bonus question.
Another 1 was spent in making it all look pretty.
Bonus Question:
I employed tcpflow (http://www.circlemud.org/~jelson/software/tcpflow) to generate the file 193.231.236.041.00020-172.016.001.108.01027 (among others, but this was the ftp-data session, TCP/20). Running file on 193.231.236.041.00020-172.016.001.108.01027 indicates that it is a gzipped file. The following commands yield our little treasure:
cp 193.231.236.041.00020-172.016.001.108.01027 rootkit.tar.gz
gunzip -c rootkit.tar.gz |tar -tf -
last/
last/ssh
last/pidfile
last/install
last/linsniffer
last/cleaner
last/inetd.conf
last/lsattr
last/services
last/sense
last/ssh_config
last/ssh_host_key
last/ssh_host_key.pub
last/ssh_random_seed
last/sshd_config
last/sl2
last/last.cgi
last/ps
last/netstat
last/ifconfig
last/top
last/logclear
last/s
last/mkxfs
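The bonus-question steps (identify the reassembled ftp-data flow by its magic bytes, then list the tarball without extracting it) can be scripted so the triage is repeatable and nothing from the archive touches the analysis box's filesystem. The following Python script is an added example, not part of the original writeup; because the real stream is not on this page, it builds a constructed gzip'd tar in memory whose member names are the ones listed above, and the function names and the SYSTEM_BINARIES list are my own assumptions.

```python
"""Identify a tcpflow-reassembled stream as a gzip'd tar and list its members.

Added example, not part of the original writeup. The archive is constructed
in memory (stand-in for 193.231.236.041.00020-172.016.001.108.01027) so the
script runs offline; only the member names come from the page.
"""
import io
import tarfile

# Member names exactly as `gunzip -c rootkit.tar.gz | tar -tf -` listed them.
MEMBERS = [
    "last/", "last/ssh", "last/pidfile", "last/install", "last/linsniffer",
    "last/cleaner", "last/inetd.conf", "last/lsattr", "last/services",
    "last/sense", "last/ssh_config", "last/ssh_host_key",
    "last/ssh_host_key.pub", "last/ssh_random_seed", "last/sshd_config",
    "last/sl2", "last/last.cgi", "last/ps", "last/netstat", "last/ifconfig",
    "last/top", "last/logclear", "last/s", "last/mkxfs",
]

# Assumed list of binaries a rootkit commonly replaces to hide its presence.
SYSTEM_BINARIES = {"ps", "netstat", "ifconfig", "top", "ls", "lsattr",
                   "ssh", "sshd", "login", "find", "du", "syslogd"}


def build_constructed_stream(members=MEMBERS):
    """Constructed tar.gz with placeholder contents, returned as bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in members:
            info = tarfile.TarInfo(name)
            if name.endswith("/"):
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                data = b"# placeholder, not the real file\n"
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def identify(blob):
    """Poor man's `file`: classify by leading magic bytes only."""
    if blob[:2] == b"\x1f\x8b":          # gzip magic
        return "gzip"
    if len(blob) > 262 and blob[257:262] == b"ustar":   # POSIX tar magic
        return "tar"
    return "unknown"


def list_archive(blob):
    """Member names of a gzip'd tar, read from memory, nothing extracted.

    tarfile reports directory members without the trailing slash.
    """
    if identify(blob) != "gzip":
        raise ValueError("not a gzip stream")
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return tar.getnames()


def suspicious_members(names):
    """Members whose basename matches a commonly trojaned system binary."""
    hits = []
    for name in names:
        base = name.rstrip("/").rsplit("/", 1)[-1]
        if base in SYSTEM_BINARIES:
            hits.append(name)
    return hits


if __name__ == "__main__":
    blob = build_constructed_stream()
    print("type:", identify(blob))
    names = list_archive(blob)
    print(f"{len(names)} members; trojaned-binary candidates:")
    for n in suspicious_members(names):
        print("  ", n)
```

To use it on a real capture, read the tcpflow output file into `blob` instead of calling build_constructed_stream(); the listing never writes members to disk, which is the point when the archive contains replacement ps, netstat, ifconfig and top binaries.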