Scan of the Month 31 - Analysis by Christophe GRENIER

Introduction

Open Proxy servers are a big problem on the Internet. Not only can an improperly secured proxy server expose your internal network to attack, but also these systems are used to obscure the true origin of web-based attacks. In order to gather data on these types of attack channels, the Honeypots: Monitoring and Forensics Project deployed a specially configured Apache web server, designed specifically for use as a honeypot open proxy server or ProxyPot. The paper Open Proxy Honeypot provides important background information to aid in the analysis of the SoTM data.

The data file

Data file can be downloaded from Honeynet web site. a. Honeynet Web Server Proxy IP sanitized to: 192.168.1.103
b. Honeynet Web Server Proxy Hostname sanitized to: www.testproxy.net

Download the Image (25 MB)
c36d39dfd5665a58d7cea06438ceb96d apache_logs.tar.gz

How do you think the attackers found the honeyproxy?

The proxy has been found by scan. As seen in SOTM30, ports 80, 1080, 3128, 8080 are common targets.

What different types of attacks can you identify? For each category, provide just one log example and detail as much info about the attack as possible (such as CERT/CVE/Anti-Virus id numbers). How many can you find?

The obvious attacks are proxy abuse, web attack and brute force attacks but there are a lot more (about 400). You can find the full list on this document. Nessus has generated many of these attacks.

Do attackers target Secure Socket Layer (SSL) enabled web servers as their targets? Did they target SSL on our honeyproxy? Why would they want to use SSL? Why didn't they use SSL exclusively?

Apache SSL server has been attacked:

[Sat Mar 13 08:30:48 2004] [error] mod_ssl: SSL handshake failed (server www.ssltestproxy.net:443, client 80.196.149.199) (OpenSSL library error follows)
[Sat Mar 13 08:30:48 2004] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:master key too long

It looks like OpenSSL SSLv2 handshake bug: CAN-2002-0656. If successfully exploited (the server is patched), the hacker become Apache user and can try to exploit local kernel vulnerabilities to become root.

The hackers are not really interessted in SSL, but rather in CONNECT method. This method is used to proxy data in whatever protocol you want (usually SSL). Hackers have try to connect the ports:

$ grep CONNECT logs/access_log |cut -d\" -f2-|cut -d: -f2|sort -n -u
8 HTTP/1.1" 400 381 "-" "MLDonkey 2.5-12"
21 HTTP/1.0" 403 291 "-" "Mozilla/4.0"
25 HTTP/1.0" 500 434 "-" "-"
43 HTTP/1.1" 400 381 "-" "-"
80 HTTP/1.0" 200 - "-" "-"
110 HTTP/1.0" 403 293 "-" "-"
119 HTTP/1.0" 403 288 "-" "-"
443 HTTP/1.0" 200 - "-" "-"
802 HTTP/1.0" 403 289 "-" "-"
1234 HTTP/1.0" 403 314 "-" "-"
2019 HTTP/1.1" 400 381 "-" "-"
2048/ HTTP/1.1" 400 346 "-" "-"
3777 HTTP/1.0" 403 286 "-" "-"
4141 HTTP/1.1" 400 381 "-" "MLDonkey 2.5-12"
4400 HTTP/1.0" 403 290 "-" "-"
4661 HTTP/1.1" 400 381 "-" "MLDonkey 2.5-12"
5050 HTTP/1.0" 403 293 "-" "-"
5440 HTTP/1.1" 400 381 "-" "MLDonkey 2.5-12"
5849 HTTP/1.1" 400 381 "-" "MLDonkey 2.5-12"
6112 HTTP/1.0" 403 293 "-" "-"
6537 HTTP/1.1" 400 381 "-" "MLDonkey 2.5-12"
6601 HTTP/1.0" 403 285 "-" "-"
6660 HTTP/1.0" 403 302 "-" "-"
6661 HTTP/1.0" 403 304 "-" "-"
6662 HTTP/1.0" 403 297 "-" "-"
6663 HTTP/1.0" 403 289 "-" "-"
6664 HTTP/1.0" 403 302 "-" "-"
6665 HTTP/1.0" 403 295 "-" "-"
6666 HTTP/1.0" 200 - "-" "-"
6667 HTTP/1.0" 500 434 "-" "-"
6668 HTTP/1.0" 403 290 "-" "pxyscand/2.0"
6669 HTTP/1.0" 403 291 "-" "-"
6687 HTTP/1.0" 403 286 "-" "-"
6716 HTTP/1.0" 403 294 "-" "-"
6909 HTTP/1.0" 403 294 "-" "-"
7000 HTTP/1.0" 403 300 "-" "-"
7001 HTTP/1.0" 403 297 "-" "-"
7300 HTTP/1.0" 403 290 "-" "-"
7777 HTTP/1.0" 403 289 "-" "-"
7999 HTTP/1.1" 400 381 "-" "-"
8080 HTTP/1.1" 400 381 "-" "-"
8666 HTTP/1.0" 403 291 "-" "-"
9000 HTTP/1.0" 403 290 "-" "-"
11111 HTTP/1.0" 403 290 "-" "-"
25136 HTTP/1.0" 403 291 "-" "-"
63210 HTTP/1.0" 403 298 "-" "-"

Hackers have been to use the proxy to connect to http (80), https(443) and irc(6666). The following tools has been used: MLDonkey, ProxyChains, pxyscand.

Are there any indications of attackers chaining through other proxy servers? Describe how you identified this activity. List the other proxy servers identified. Can you confirm that these are indeed proxy servers?

In audit_log file, the header X-Forwarded-For is sometimes present. It indicates the honeyproxy has been contacted via a proxy.

Request: 220.173.17.142 - - [Tue Mar  9 22:30:24 2004] "POST http://www.clickcheaper.com/search.php HTTP/1.1" 200 19044
Handler: proxy-server
----------------------------------------
POST http://www.clickcheaper.com/search.php HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Content-Length: 33
Content-Type: application/x-www-form-urlencoded
Host: www.clickcheaper.com
Pragma: no-cache
Referer: http://www.163.net
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
X-Forwarded-For: 205.216.128.48
mod_security-message: Access denied with code 200. Pattern match "/search" at THE_REQUEST.

username=hui4188&keywords=Cruises

HTTP/1.1 200 OK
Accept-Ranges: bytes
X-Powered-By: PHP/4.2.2
Set-Cookie: uid=188830086; expires=Fri, 09-Apr-04 05:25:43 GMT
Content-Type: text/html; charset=ISO-8859-1
X-Cache: MISS from www.testproxy.net
Transfer-Encoding: chunked

Attackers are chaining through other proxy servers. To confirm they are proxies, I have check there presence in list.dsbl.org, relays.ordb.org, sbl-xbl.spamhaus.org, dnsbl.njabl.org, dnsbl.sorbs.net.

61.55.32.129	dsbl.org
61.55.34.128	dsbl.org open proxy -- 1075524003 (dnsbl.njabl.org)
61.144.119.66	open proxy -- 1078050004 (dnsbl.njabl.org) Dynamic IP Address See: www.dnsbl.sorbs.net
61.171.12.185	www.spamhaus.org Dynamic IP Address See: www.dnsbl.sorbs.net Spam Received See: www.dnsbl.sorbs.net
61.171.13.36	www.spamhaus.org Dynamic IP Address See: www.dnsbl.sorbs.net Spam Received See: www.dnsbl.sorbs.net
61.171.13.151	www.spamhaus.org Spam Received See: www.dnsbl.sorbs.net Dynamic IP Address See: www.dnsbl.sorbs.net
61.171.13.172	www.spamhaus.org Spam Received See: www.dnsbl.sorbs.net Dynamic IP Address See: www.dnsbl.sorbs.net
61.171.15.154	www.spamhaus.org Spam Received See: www.dnsbl.sorbs.net Dynamic IP Address See: www.dnsbl.sorbs.net
61.171.15.201	www.spamhaus.org Spam Received See: www.dnsbl.sorbs.net Dynamic IP Address See: www.dnsbl.sorbs.net
61.171.134.148	dsbl.org open proxy -- 1063236004 (dnsbl.njabl.org) HTTP Proxy See: www.dnsbl.sorbs.net Spam Received See: www.dnsbl.sorbs.net Dynamic IP Address See: www.dnsbl.sorbs.net
61.173.46.23	www.spamhaus.org www.spamhaus.org Dynamic IP Address See: www.dnsbl.sorbs.net
61.179.12.121	www.spamhaus.org
61.233.11.29	dsbl.org Dynamic IP Address See: www.dnsbl.sorbs.net
61.235.153.1	www.spamhaus.org Dynamic IP Address See: www.dnsbl.sorbs.net Exploitable Server See: www.dnsbl.sorbs.net
61.236.192.227	www.spamhaus.org Dynamic IP Address See: www.dnsbl.sorbs.net
61.237.215.17	www.spamhaus.org Dynamic IP Address See: www.dnsbl.sorbs.net
80.54.241.22	dsbl.org
195.82.27.46	dsbl.org Dynamic IP Address See: www.dnsbl.sorbs.net
202.109.116.209	www.spamhaus.org www.spamhaus.org
210.21.209.251	www.spamhaus.org
211.158.126.117	www.spamhaus.org Dynamic IP Address See: www.dnsbl.sorbs.net
218.2.202.54	dsbl.org open proxy -- 1078369207 (dnsbl.njabl.org) Dynamic IP Address See: www.dnsbl.sorbs.net
218.21.83.16	dsbl.org open proxy -- 1055929203 (dnsbl.njabl.org) SOCKS Proxy See: www.dnsbl.sorbs.net
218.56.8.160	www.spamhaus.org
218.88.3.112	dsbl.org open proxy -- 1067772002 (dnsbl.njabl.org) HTTP Proxy See: www.dnsbl.sorbs.net
218.88.12.113	dsbl.org open proxy -- 1079193606 (dnsbl.njabl.org) HTTP Proxy See: www.dnsbl.sorbs.net SOCKS Proxy See: www.dnsbl.sorbs.net
218.93.59.83	dsbl.org open proxy -- 1063016407 (dnsbl.njabl.org) Dynamic IP Address See: www.dnsbl.sorbs.net HTTP Proxy See: www.dnsbl.sorbs.net SOCKS Proxy See: www.dnsbl.sorbs.net
218.242.112.115	dsbl.org open proxy -- 1059201605 (dnsbl.njabl.org) HTTP Proxy See: www.dnsbl.sorbs.net SOCKS Proxy See: www.dnsbl.sorbs.net Spam Received See: www.dnsbl.sorbs.net
219.139.29.234	dsbl.org www.spamhaus.org open proxy -- 1081218005 (dnsbl.njabl.org) SOCKS Proxy See: www.dnsbl.sorbs.net Spam Received See: www.dnsbl.sorbs.net HTTP Proxy See: www.dnsbl.sorbs.net
219.153.118.186	www.spamhaus.org www.spamhaus.org Spam Received See: www.dnsbl.sorbs.net
220.175.17.226	www.spamhaus.org Spam Received See: www.dnsbl.sorbs.net
220.175.19.66	www.spamhaus.org Spam Received See: www.dnsbl.sorbs.net
220.185.150.168	www.spamhaus.org Dynamic IP Address See: www.dnsbl.sorbs.net
220.185.153.45	dsbl.org Dynamic IP Address See: www.dnsbl.sorbs.net

Full listing avaible here (about 300 proxy).

But some proxy doesn't add the header X-Forwarded-For.

Request: 69.0.208.167 - - [Thu Mar 11 00:12:46 2004] "GET http://www.sex.com/ HTTP/1.0" 200 24590
Handler: proxy-server
----------------------------------------
GET http://www.sex.com/ HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
Accept-Encoding: deflate
Accept-Language: en-US
Connection: Close
Cookie: SEXCIP=64.237.55.58, S=15984505%7E1%7E6b2a6dd524ad12464e8974d0c2588cb4, T=17426364%7ESEX%7E%7Eeb9e18f375a194ee7c09b31ae63af388
Host: www.sex.com
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
 
HTTP/1.0 200 OK
Vary: Accept-Encoding
P3P: policyref="http://www.sex.com/w3c/p3p.xml"
X-Powered-By: PHP/4.3.4
X-Accelerated-By: PHPA/1.3.3r2
Set-Cookie: S=15985028%7E1%7Efee871e1105999a12931c14c9902ce20; expires=Thu, 10-Mar-05 05:12:44 GMT; path=/; domain=.sex.com
Set-Cookie: T=17426918%7ESEX%7E%7Ef71ce1ef5816cf97349563a5572da09c; path=/; domain=.sex.com
Content-Type: text/html
X-Cache: MISS from www.testproxy.net
Connection: close

The HTTP request from 69.0.208.167 to http://www.sex.com is using a cookie SEXCIP=64.237.55.58. 69.0.208.167 may be a proxy.

Identify the different Brute Force Authentication attack methods. Can you obtain the clear text username/password credentials? Describe your methods.

Web site can request a login/password to login using two methods:

a form as yahoo
a web authentification (code 403)

To obtain the username/password credentials, search for login|username|email|uid and passwd|password. To obtain the credentials, the header Authorization: Basic is base64 encoded. In both case, it's very easy to retrieve the login/password used.

[kmaster@christophe logs]$ ./extract_pwd.pl
xmlrevenue.com :
sbc1.login.scd.yahoo.com login=exodus_510:passwd=matthew
sbc1.login.scd.yahoo.com login=exodus_510:passwd=matthew]
sbc1.login.scd.yahoo.com login=exodus_510:passwd=matthew
login.europe.yahoo.com login=exodus_$$$$$$$:passwd=matthew
login.europe.yahoo.com login=exodus_$$$$$$$:passwd=matthew]
login.europe.yahoo.com login=exodus_$$$$$$$:passwd=matthew
seekpond.com :
www.appliedsearch.net :
sbc2.login.dcn.yahoo.com login=exodusc:passwd=HELL
sbc2.login.dcn.yahoo.com login=exodusc:passwd=HELL]
sbc2.login.dcn.yahoo.com login=exodusc:passwd=HELL
members.asstraffic.com jonno76:jeanne
sbc2.login.scd.yahoo.com login=exodus_!!!!!!!!:passwd=HELL
sbc2.login.scd.yahoo.com login=exodus_!!!!!!!!:passwd=HELL]
sbc2.login.scd.yahoo.com login=exodus_!!!!!!!!:passwd=HELL
members.asstraffic.com printemp:gonzo2
members.asstraffic.com keon200:pimps
members.asstraffic.com x757x:lamer
members.meganqt.com dqts05d3:aiclzpuq
login.korea.yahoo.com login=exodus9971:passwd=christ
...

What does the Mod_Security error message "Invalid Character Detected" mean? What were the attackers trying to accomplish?

The error Error: mod_security: Invalid character detected is generated when an unicode attack occurs (ie %255c) or when unsual character are used (ie %01). The unicode attack is used for a directory transversal attack (ie to run winnt/system32/cmd.exe).

Request: 68.48.142.117 - - [Tue Mar  9 22:41:34 2004] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 566
Handler: (null)
Error: mod_security: Invalid character detected [193]
----------------------------------------
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Connnection: close
Host: www
mod_security-message: Invalid character detected
mod_security-action: 200
 
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html; charset=iso-8859-1

Some unsual character like %0a can be used in perl script attack.

Request: 217.95.32.120 - - [Fri Mar 12 12:07:52 2004] "HEAD http://oldnhorny.com/cgi/phf?qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 0
Handler: proxy-server
Error: mod_security: Invalid character detected [10]
----------------------------------------
HEAD http://oldnhorny.com/cgi/phf?qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0
Cache-Control: no-cache
Connection: close
Host: oldnhorny.com
Pragma: no-cache
Proxy-Connection: keep-alive
Referer: http://oldnhorny.com/cgi/phf?qalias=x%0a/bin/cat%20/etc/passwd
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
mod_security-message: Invalid character detected
mod_security-action: 200
 
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html; charset=iso-8859-1

Several attackers tried to send SPAM by accessing the following URL - http://mail.sina.com.cn/cgi-bin/sendmsg.cgi. They tried to send email with an html attachment (files listed in the /upload directory). What does the SPAM webpage say? Who are the SPAM recipients?

The mail is send to

ai_nei06@163.com with copy to kjonny@sina.com,kjp14.student@sina.com,kjp1969@sina.com,kjp2000@sina.com,kjp_1000@sina.com,kjp_baotou@sina.com,kjp_cc@sina.com,kjpbc@sina.com,kjpeace@sina.com,kjpfz@sina.com,kjping5455@sina.com,kjpjl212@sina.com
ganyaoke9@163.com with copy to ky221@sina.com,ky2357@sina.com,ky2809@sina.com,ky288@sina.com,ky3158982.student@sina.com,ky3166@sina.com,ky331@sina.com,ky333@sina.com,ky336@sina.com,ky368@sina.com,ky368@sina.com.cn,ky3@sina.com
pangrengye4@163.com with copy to langzixuyao.student@sina.com,langziy@sina.com,langziyanbin@sina.com,langziyangtian20@sina.com,langziyanqing0801@sina.com,langziyanqing@sina.com,langziyexin9830@sina.com,langziyf1982@sina.com,langziyi123@sina.com,langziyihao1@sina.com,langziyiming@sina.com,langziyixiao1@sina.com
shengfiaopa07@163.com laokongque@sina.com,laoku0263@sina.com,laoku4603@sina.com,laoku@sina.com,laokuai86gj@sina.com,laokuai889@sina.com,laokuan3973@sina.com,laokubooks@sina.com,laokui27@sina.com,laokui@sina.com,laokuii@sina.com,laokun@sina.com
kangzhuae1879@163.com with copy to linali@sina.com,linalichao0949@sina.com,linalin1064@sina.com,linalina007@sina.com,linalinda.student@sina.com,linalinda@sina.com,linaliu025@sina.com,linaliu115@sina.com,linalixin@sina.com,linall0136@sina.com,linallenhxr.student@sina.com,linalli@sina.com
shaodancuan60@163.com with copy to likehan001@sina.com,likehanlei@sina.com,likehao023@sina.com,likehao9040_cn@sina.com,likehe@sina.com,likeheihei.student@sina.com,likehersheys@sina.com,likehigh@sina.com,likehiss@sina.com,likehk22@sina.com,likehm@sina.com,likehom@sina.com
...

The HTML page is using gb2312 encoding. On this SPAM, there are links to web site:

http://dweb.blogspot.com/

As first publically reported by Greg Walton, China blocked blogspot.com on Jan. 9, 2003. We believe that China blocked it because Chinese are retrieving DynaWeb IPs to gain access to forbidden sites. (DynaWeb is a proxy network that supports encrypted proxy and CGI proxy. )

www.upholdjustice.org

Civil Disobedience

Asianresearch

Provide some high level statistics on attackers such as:
- Top Ten Attackers
- Top Ten Targets
- Top User-Agents (Any weird/fake agent strings?)
- Attacker correlation from DShield and other sources?

vim /etc/webalizer.conf
mkdir webalizer
webalizer -i -Q -o webalizer -n www.testproxy.net logs/access_log

it's has been easy to create such statistics You can read here. Nessus is seen as User Agent Mozilla/4.75 [en] (X11, U; Nessus).

Bonus Question:

Why do you think the attackers were targeting pornography websites for brute force attacks? (Besides the obvious physical gratification scenarios :)

Credentials to such web site and pictures can be resold. Pornography websites are also holding credit card information, so an hacker may try to get the credit card numbers.

Even though the proxypot's IP/Hostname was obfuscated from the logs, can you still determine the probable network block owner?

Let's gather some stats about the CONNECT destination:

$ grep CONNECT access_log |cut -d\" -f2|sort -n|uniq > CONNECT.txt
$ cat CONNECT.txt|./stat_by_class.pl |head
68.48.106.x     248
209.15.20.x     103
210.242.13.x    98
210.242.12.x    65
207.137.186.x   29
205.158.62.x    14
207.115.63.x    11
207.217.125.x   9
209.228.4.x     6
207.69.200.x    6

The block 68.48.106.x has scanned in random order. The honeyproxy should be one of the missing IP from 68.48.106.x netblock:

68.48.106.11
68.48.106.55
68.48.106.68
68.48.106.72
68.48.106.97
68.48.106.109
68.48.106.161
68.48.106.255

Request: 218.93.58.133 - - [Sat Mar 13 04:38:00 2004] "GET http://s13.sitemeter.com/js/counter.asp?site=s13firstzoneresult HTTP/1.0" 200 1938
Handler: proxy-server
----------------------------------------
GET http://s13.sitemeter.com/js/counter.asp?site=s13firstzoneresult HTTP/1.0
Accept: */*
Accept-Language: en-us
Host: s13.sitemeter.com
Proxy-Connection: Keep-Alive
Referer: http://www.first-zone.com/search.php?AID=35151&q=home+plans
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
mod_security-message: Access denied with code 200. Pattern match "\.asp" at THE_REQUEST.
                                                                                                                             
HTTP/1.0 200 OK
Warning: Subject to Monitoring
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 1938
Content-Type: application/x-javascript
Expires: Sat, 13 Mar 2004 09:38:27 GMT
Set-Cookie: IP=68%2E48%2E106%2E109; path=/js
Cache-control: private
X-Cache: MISS from www.testproxy.net
Connection: close

Request: 218.98.103.76 - - [Sat Mar 13 10:16:23 2004] "GET http://www.golfballzone.com/?looksmart HTTP/1.0" 200 1590
Handler: proxy-server
----------------------------------------
GET http://www.golfballzone.com/?looksmart HTTP/1.0
Accept: image/gif, image/jpeg, image/x-xbitmap, image/pjpeg, */*
Accept-Language: en
Host: www.golfballzone.com
Pragma: no-cache
Referer: http://profilernet.com/search_results.php?fSearch_id=1d0479908aaa4bd4&fString=ball
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
X-Forwarded-For: 12.214.141.199
                                                                                                                             
HTTP/1.0 200 OK
Warning: Subject to Monitoring
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 1590
Content-Type: text/html
Set-Cookie: sfCustomer=; expires=Sat, 13-Mar-2004 15:19:06 GMT; path=/
Set-Cookie: sfHTTP%5FREFERER=REMOTE%5FADDRESS=68%2E48%2E106%2E109&HTTP%5FREFERER=http%3A%2F%2Fprofilernet%2Ecom%2Fsearch%5Fresults%2Ephp%3FfSearch%5Fid%3D1d0479908aaa4bd4%26fString%3Dball&REFERER=; expires=Sun, 14-Mar-2004 05:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDCSTSRBSS=GDPBOHGBGJHOOOIHCLJLMCLI; path=/
Cache-control: private
X-Cache: MISS from www.testproxy.net
Connection: close

68%2E48%2E106%2E109 is 68.48.106.109, we have found the honeyproxy.

Tools: I have used snort rules, webalizer and some script perl to parse data.

Christophe GRENIER
Security Consultant
Global Secure
mail me personally or at work