Answers

Questions

  1. What is the operating system of the honeypot? How did you determine that? (see day1)

    The honeypot appears to be running SunOS 5.8, also known as Solaris 8. This was determined by one of the first commands typed by the attacker at the root shell:

    # uname -a;ls -l /core /var/dt/tmp/DTSPCD.log;PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/ccs/bin:/usr/gnu/bin;export PATH;echo "BD PID(s): "`ps -fed|grep ' -s /tmp/x'|grep -v grep|awk '{print $2}'`
    SunOS zoberius 5.8 Generic_108528-09 sun4u sparc SUNW,Ultra-5_10
    /core: No such file or directory
    /var/dt/tmp/DTSPCD.log: No such file or directory
    BD PID(s): 1773


  2. How did the attacker(s) break into the system? (see day1)

    The attacker used a buffer overflow exploit against the dtspcd service running on the system. This exploit is documented in CERT Advisory CA-2002-01 "Exploitation of Vulnerability in CDE Subprocess Control Service".

  3. Which systems were used in this attack, and how?(see day1)

    61.219.90.180 was used to perform the exploit and set up the shell on the Ingreslock port. The connection on the Ingreslock port also came from the same IP address.
    62.211.66.16 was used as an FTP server to download utilities to the honeypot.
    62.211.66.53 was used to download further utilities, this time via HTTP.


    On day 3 the connections came from the following IP addresses:

    62.101.108.86 was the source of the SSH connection to port 5001
    62.211.66.55 was used to download the updated psyBNC tarball via HTTP


  4. Create a diagram that demonstrates the sequences involved in the attack. (see day1)

    Refer to this diagram.

  5. What is the purpose/reason of the ICMP packets with 'skillz' in them? (see day1)

    Those ICMP packets are messages from a DDoS agent to its handler. They let the handler's operator see that the agent is alive and available to receive denial-of-service commands.

  6. Following the attack, the attacker(s) enabled a unique protocol that one would not expect to find on an IPv4 network. Can you identify that protocol and why it was used? (see day3)

    The attacker enabled IPv6. There may have been several motives for this. IPv6 traffic may evade or confuse Intrusion Detection Systems. It would also raise the cracker's status on IRC, as he would show up with an address on the 6bone. Some IRC sites may only be available on the 6bone, and not on the normal IPv4 Internet.

  7. Can you identify the nationality of the attacker? (see day3)

    During Italian conversations on IRC, "Andreaz" and "Bobz", our attacker, had a conversation about where they were from and how old they were. Bobz said he was from Paestum, Salerno in Italy.

Bonus Question:

  1. What are the implications of using the unusual IP protocol to the Intrusion Detection industry?

    Interpreting IPv6 traffic involves extra overhead on IDS systems. The IPv6 traffic we saw here is encapsulated over IPv4, which makes session tracking more difficult: at the IPv4 layer all traffic appears to originate from a single host, but at the IPv6 layer we may find that there are multiple sources and destinations.
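    The two points above that an IDS has to deal with, the ICMP agent-to-handler beacons from question 5 and IPv6 carried inside IPv4 from this bonus question, can both be seen by decoding the outer IPv4 header and looking one layer further in. The following Python script is an added example written for this page, not part of the original write-up or of any tool mentioned in it. It parses raw IPv4 packets, and when the protocol field is 41 (IPv6 encapsulated directly in IPv4) it extracts the inner IPv6 source and destination; when the protocol is ICMP it checks the echo payload for the "skillz" marker. The packets it runs on are constructed inline: the outer addresses are from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges and the inner 3ffe:ffff::/32 addresses are made up under the historical 6bone prefix, so no value here is taken from the honeypot capture.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

IPPROTO_ICMP = 1
IPPROTO_IPV6 = 41   # IPv6 carried directly inside IPv4 (6in4 tunnel)
BEACON_MARKER = b"skillz"


def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) from a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    src = str(IPv4Address(pkt[12:16]))
    dst = str(IPv4Address(pkt[16:20]))
    return src, dst, proto, pkt[ihl:total_len]


def parse_ipv6(pkt):
    """Return (src, dst, next_header) from a raw IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 header")
    next_hdr = pkt[6]
    src = IPv6Address(pkt[8:24]).compressed
    dst = IPv6Address(pkt[24:40]).compressed
    return src, dst, next_hdr


def classify(pkt):
    """Describe what an IDS must track for one packet, one layer below IPv4."""
    src, dst, proto, payload = parse_ipv4(pkt)
    rec = {"outer_src": src, "outer_dst": dst, "proto": proto}
    if proto == IPPROTO_IPV6:
        # The IPv4 endpoints are only the tunnel ends; the real
        # conversation is between the inner IPv6 addresses.
        inner_src, inner_dst, nh = parse_ipv6(payload)
        rec.update(inner_src=inner_src, inner_dst=inner_dst,
                   inner_next_header=nh, note="6in4 tunnel")
    elif proto == IPPROTO_ICMP and len(payload) >= 8:
        data = payload[8:]          # skip the 8-byte ICMP header
        if BEACON_MARKER in data:
            rec.update(icmp_type=payload[0],
                       alert="DDoS agent-to-handler beacon")
    return rec


def inner_sources_per_outer_pair(packets):
    """Map each (outer src, outer dst) pair to the set of inner IPv6 sources.

    One IPv4 pair carrying several inner sources is exactly the session
    tracking problem the text describes.
    """
    seen = {}
    for pkt in packets:
        rec = classify(pkt)
        if "inner_src" in rec:
            key = (rec["outer_src"], rec["outer_dst"])
            seen.setdefault(key, set()).add(rec["inner_src"])
    return seen


# --- constructed sample packets (not from the honeypot capture) ---
def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, IPv4Address(src).packed,
                      IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src, dst, next_hdr, payload):
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64)
    return hdr + IPv6Address(src).packed + IPv6Address(dst).packed + payload


# ICMP echo request (type 8) whose data field carries the beacon string.
ICMP_ECHO_BEACON = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + BEACON_MARKER

SAMPLE_PACKETS = [
    build_ipv4("192.0.2.10", "198.51.100.5", IPPROTO_IPV6,
               build_ipv6("3ffe:ffff::1", "3ffe:ffff::ff", 6, b"\x00" * 20)),
    build_ipv4("192.0.2.10", "198.51.100.5", IPPROTO_IPV6,
               build_ipv6("3ffe:ffff::2", "3ffe:ffff::ff", 6, b"\x00" * 20)),
    build_ipv4("192.0.2.77", "198.51.100.5", IPPROTO_ICMP, ICMP_ECHO_BEACON),
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(classify(p))
    print(inner_sources_per_outer_pair(SAMPLE_PACKETS))
```

    Running the script shows the two tunnelled packets sharing one outer IPv4 pair but carrying two different inner IPv6 sources, while the ICMP packet is flagged on its payload alone; an IDS that stops at the IPv4 header sees only the first two fields of each record.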

  2. What tools exist that can decode this protocol?

    The latest versions of Ethereal can decode IPv6 traffic. Some versions of tcpdump also have the capability to decode IPv6.