Scan of the Month 27 Analysis

The Honeynet Project Scan of the Month
Analysis performed by Anders Amandusson
<anders dot amandusson at sca dot com >
April 24th 2003


The Challenge:
In early March 2003, the Azusa Pacific University Honeynet Project deployed an unpatched Windows 2000 honeypot having a null (blank) administrative password. During its first week of operation, the honeypot was repeatedly compromised by attackers and worms exploiting several distinct vulnerabilities. Subsequent to a successful attack, the honeypot was joined to a large botnet. During operation of the honeypot, a total of 15,164 distinct hosts were seen entering the botnet. The challenge is based on logs from five days of honeypot operation, collected using Snort. The logs have been edited to remove irrelevant traffic and combined into a single file. Also, IP addresses and certain other information have been obfuscated so that the identity of the honeynet is not readily apparent. Your mission is to analyze the log file in order to answer the questions below.


The server was, among other things, targeted by the W32/Deloder worm, which also dropped the IRC bot on the server. The IRC bot tried to connect to five different IRC servers until it was accepted by the fifth. One attack used the same weakness the Deloder worm uses (guessing Administrator passwords over TCP 445, i.e. Windows 2000 SMB directly over TCP instead of over NetBIOS) and uploaded a remote administration tool (Remote Administrator Server v2.1).
Frequent but unsuccessful attempts were made by the SQLsnake and W32.SQLExp worms.
A massive web vulnerability scan was performed after a port scan.
A couple of other tools (forensic acquisition utilities, ZipCentral and fport) were downloaded via HTTP, but since there was no other communication to the server in the 2½ hours before the download I assumed they were fetched by an administrator.

Tools used

Ethereal 0.8.20
Snort 1.9.0


Even though I consider myself a beginner in the forensics area I will try to answer the intermediate questions as well.

File downloaded from

C:\PROGRA~1\md5>md5 c:\download\sotm\sotm27.gz
MD5 (c:\download\sotm\sotm27.gz) = b4bfc10fa8346d89058a2e9507cfd9b9


Beginning Questions

What is IRC?

Internet Relay Chat is a worldwide multi-user chat system. A user connects to a server, joins a channel and "talks" to the other participants, either in the channel or in private conversations.

What message is sent by an IRC client when it asks to join an IRC network?

To connect to an IRC server the following messages are sent (RFC 1459 syntax; PASS is optional, NICK and USER together register the connection):
 Command: PASS
   Parameters: <password>
 Command: NICK
   Parameters: <nickname> [ <hopcount> ]
 Command: USER
   Parameters: <username> <hostname> <servername> <realname>

In this log the bot registered with:

NICK rgdiuggac.
USER rgdiuggac localhost localhost :rgdiuggac.

To join a specific channel:
 Command: JOIN
   Parameters: <channel>{,<channel>} [<key>{,<key>}]


What is a botnet?

A bot is a scripted IRC "user". It is used to manage access lists, run quizzes or serve files in channels. Bots are automated and driven by events (usually commands given in a channel).
A botnet, on the other hand, is something different.
It could be described as a channel full of bots, most of whose owners are unaware of their presence because the machine was infected by a Trojan horse. The Trojan could have reached the client PC wrapped in another file and run whenever that file is executed, sent as an attachment, downloaded from a website or, as in this case, delivered by a worm. A botmaster (botnet administrator) controls the channel, giving commands to the infected clients.

What are botnets commonly used for?

Botnets can be used (and are used) for launching Denial of Service attacks. As a botnet can consist of thousands of infected bots, this makes a very effective DDoS attack.
The botmaster can use channel commands to make the bots spam other channels with a website hosting the Trojan, to recruit even more bots.
He or she could also launch attacks against other channels, or have the bots send back the nickname passwords they have stored.

What TCP ports does IRC generally use?

IRC normally runs on TCP 6667; servers commonly listen on the whole 6660-6669 range, and any other port is possible since the port is only server configuration. The bot in this log connected to its IRC server on TCP 6667.

What is a binary log file and how is one created?

A binary log file is generated by a packet logger, for example snort or tcpdump (windump on Windows). Network traffic is a stream of bytes, so it is best to keep the logged communication in the same form: the log file is an exact copy of each packet as it passed on the wire (in the libpcap/tcpdump format: a file header, then for every packet a small record header with timestamp and length followed by the raw packet bytes). This way nothing is lost. To analyze the binary log a tool is used to decode the bytes into something readable for humans (for example Ethereal or snort).
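As an added example (not part of the original analysis, nor code from Snort or Ethereal), the script below builds a two-packet capture in the libpcap format that snort and tcpdump write, then reads it back, decoding the Ethernet, IPv4 and TCP headers and keeping only the packets on a chosen TCP port, which is the same filtering that `snort -dvr <log> port 6667` performs. Addresses, MACs, ports and payloads are constructed for the example.

```python
"""Minimal libpcap writer/reader: what a binary packet log contains and how a
decoder turns it back into addresses, ports and application data."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4        # libpcap magic number (microsecond timestamps)
LINKTYPE_ETHERNET = 1


def _ip_checksum(header):
    """RFC 1071 one's-complement sum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_packet(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + TCP frame carrying payload (MACs made up, TCP checksum left 0)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    return eth + ip + tcp


def build_pcap(frames, first_ts=1046840000):
    """Write a pcap: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (ts, src, sport, dst, dport, payload) for every IPv4/TCP frame in a pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:            # file written on a big-endian host
        end = ">"
    else:
        raise ValueError("not a pcap file")
    linktype, = struct.unpack_from(end + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                          # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue                          # not TCP
        ip_len, = struct.unpack_from("!H", frame, 16)
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        tcp = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        data_off = (frame[tcp + 12] >> 4) * 4
        yield ts_sec + ts_usec / 1e6, src, sport, dst, dport, frame[tcp + data_off:14 + ip_len]


def payloads_on_port(pcap_bytes, port):
    """Equivalent of 'snort -dvr <log> port N': application data of flows touching port N."""
    return [(src, sport, dst, dport, payload)
            for _ts, src, sport, dst, dport, payload in read_pcap(pcap_bytes)
            if port in (sport, dport)]


# Constructed capture: one IRC registration line to TCP 6667 and one unrelated HTTP request.
SAMPLE_PCAP = build_pcap([
    build_tcp_packet("10.0.0.5", "192.0.2.10", 1045, 6667, b"NICK rgdiuggac.\r\n"),
    build_tcp_packet("198.51.100.7", "10.0.0.5", 3321, 80, b"GET / HTTP/1.0\r\n\r\n"),
])

if __name__ == "__main__":
    for src, sport, dst, dport, payload in payloads_on_port(SAMPLE_PCAP, 6667):
        print("%s:%d -> %s:%d %r" % (src, sport, dst, dport, payload))
```

The reader only handles the fields the filter needs; a real decoder also checks the IP options length, TCP options and fragmentation, which is why one reaches for snort or Ethereal on a five-day log rather than a script like this.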

What IRC servers did the honeypot, which has the IP address, communicate with? by California Regional Internet, Inc

Here’s a screenshot showing the connections in the logfile.

During the observation period, how many distinct hosts accessed the botnet associated with the server having IP address

When the honeypot connected, the IRC server reported 4752 global users (max 4765), and 346 local users on that server (max 348).

But the Challenge stated:
"During operation of the honeypot, a total of 15,164 distinct hosts were seen entering the botnet"

I'm using snort to extract a readable part of the logfile to see the IRC parts.

C:\download\sotm>c:\snort\snort.exe -dvr sotm27 port 6667 > logfil.txt

The client also issues a WHO command; the server's replies list every visible user with nick, user name and host.
An extract of the logfile.txt can be found here.
There are 4752 distinct hosts.
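As an added example serving both the registration question above and this one (it is not part of the original analysis and not the bot's own code), the script below parses an IRC session line by line, records the bot's NICK/USER/JOIN, notes whether the server accepted the registration (a 001 reply, as on the fifth server the bot tried) or refused it, reads the user counts out of the 265/266 replies and counts the distinct hosts in the 352 WHO replies. The session is constructed: the server name, channel, hosts and nicks are made up, only the bot's NICK and USER lines come from the log.

```python
"""Parse an IRC session and extract what a botnet analyst wants from it."""
import re

# RPL_LOCALUSERS (265) and RPL_GLOBALUSERS (266) text, as many servers format it.
_COUNT = re.compile(r"Current (local|global) users:\s*(\d+)\s+Max:\s*(\d+)", re.I)


def parse_irc_line(line):
    """Split one RFC 1459 message into (prefix, command, params)."""
    prefix = None
    if line.startswith(":"):
        prefix, line = line[1:].split(" ", 1)
    if " :" in line:                       # trailing parameter may contain spaces
        line, trailing = line.split(" :", 1)
        params = line.split() + [trailing]
    else:
        params = line.split()
    return prefix, params[0].upper(), params[1:]


def summarize_session(session):
    """session: list of (direction, line); 'C' = sent by the bot, 'S' = sent by the server."""
    info = {"nick": None, "user": None, "registered": False, "error": None,
            "channels": [], "local_users": None, "global_users": None,
            "who_entries": 0, "distinct_hosts": set(), "pongs": 0}
    for direction, raw in session:
        _prefix, cmd, params = parse_irc_line(raw)
        if direction == "C":
            if cmd == "NICK":
                info["nick"] = params[0]
            elif cmd == "USER":
                info["user"] = params[0]
            elif cmd == "JOIN":
                info["channels"].extend(params[0].split(","))
            elif cmd == "PONG":
                info["pongs"] += 1
        else:
            if cmd == "001":                # RPL_WELCOME: registration accepted
                info["registered"] = True
            elif cmd == "ERROR":            # server closed the link
                info["error"] = params[-1]
            elif cmd in ("265", "266"):     # local / global user counts
                m = _COUNT.search(params[-1])
                if m:
                    info[m.group(1).lower() + "_users"] = (int(m.group(2)), int(m.group(3)))
            elif cmd == "352":              # RPL_WHOREPLY: <me> <chan> <user> <host> <server> <nick> <flags> :<hops> <real>
                info["who_entries"] += 1
                info["distinct_hosts"].add(params[3])
    info["distinct_hosts"] = sorted(info["distinct_hosts"])
    return info


# Constructed session: a server that accepts the bot (three WHO entries on two hosts).
SAMPLE_SESSION = [
    ("C", "NICK rgdiuggac."),
    ("C", "USER rgdiuggac localhost localhost :rgdiuggac."),
    ("S", ":irc.example.net 001 rgdiuggac. :Welcome to the Internet Relay Network rgdiuggac."),
    ("S", ":irc.example.net 265 rgdiuggac. :Current local users: 346  Max: 348"),
    ("S", ":irc.example.net 266 rgdiuggac. :Current global users: 4752  Max: 4765"),
    ("S", "PING :irc.example.net"),
    ("C", "PONG :irc.example.net"),
    ("C", "JOIN #chan chankey"),
    ("S", ":rgdiuggac.!rgdiuggac@10.0.0.5 JOIN :#chan"),
    ("C", "WHO #chan"),
    ("S", ":irc.example.net 352 rgdiuggac. #chan bot1 host-a.example.net irc.example.net nick1 H :0 bot"),
    ("S", ":irc.example.net 352 rgdiuggac. #chan bot2 host-b.example.net irc.example.net nick2 H :0 bot"),
    ("S", ":irc.example.net 352 rgdiuggac. #chan bot3 host-a.example.net irc.example.net nick3 H :0 bot"),
    ("S", ":irc.example.net 315 rgdiuggac. #chan :End of /WHO list."),
]

# Constructed session: a server that refuses the bot, as the first four servers did.
REFUSED_SESSION = [
    ("C", "NICK rgdiuggac."),
    ("C", "USER rgdiuggac localhost localhost :rgdiuggac."),
    ("S", "ERROR :Closing Link: rgdiuggac. (No more connections allowed)"),
]

if __name__ == "__main__":
    for name, sess in (("accepted", SAMPLE_SESSION), ("refused", REFUSED_SESSION)):
        print(name, summarize_session(sess))
```

Counting hosts from WHO replies counts what the server was willing to show at that moment, not everyone who ever joined, which is one reason a single WHO (4752 here) comes out far below the challenge's 15,164 hosts seen over five days.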

Assuming that each botnet host has a 56 kbps network link, what is the aggregate bandwidth of the botnet?

4752 * 56 kbps = 266,112 kbps ≈ 266 Mbps (259.9 Mbps if 1 Mbps is taken as 1024 kbps). With the challenge's figure of 15,164 hosts it would be 15,164 * 56 kbps ≈ 849 Mbps.

Intermediate Questions

What IP source addresses were used in attacking the honeypot?

I separated all sources to different logs for easier analysis.

C:\download\sotm>c:\snort\snort.exe -dvr sotm27 -l c:\snort\log -h



  • Port scan
  • All kinds of web attacks (frontpage extensions, default scripts, known web related vulnerabilities such as web folder traversal and others).

  • Attacked TCP 445 and uploaded Remote Administrator Server v2.1 (view log extract).
    Date: 03/05 Time: 04:39:02 - 04:40:14
  • Tried to use the Microsoft Indexing Service vulnerability (MS01-033).
  • Lots of traffic flowing from this source to the honeypot; this should be the Radmin communication. Radmin may use 128-bit encryption.
  • Frequent access to TCP 99

  • W32/Deloder-A worm attacked and infected server.
    Date: 03/06 Time: 05:35:34 - 05:38:29
  • Commands used by the infection (those I could find):
    • Copy inst.exe to \winnt\system32\inst.exe
    • Attrib.exe -r inst.exe
    • Inst.exe
    • Attrib.exe -r Devlr32.exe
    • Devlr32.exe
    • Net share /delete C$ /y
    • Net share /delete D$ /y
    • Net share /delete E$ /y
    • Net share /delete ADMIN$ /y

  • SQL scan (UDP 1434), probably W32.SQLExp.Worm

  • Attacked TCP 445 and tried to access the SAM file; the attacker received a list of local users.
  • DNS probe
  • TCP 1433 scan, SQLsnake worm check?
  • TCP 139 probe

  • TCP 139 probe (tried to map \\PC0191\C)
  • UDP 137 probe

  • FTP probe

  • UDP 137 probe

  • TCP 139 probe

  • TCP 80 probe
  • TCP 57 probe

  • TCP 1433 scan, SQLsnake worm check?

  • TCP 139 probe
  • Attacked TCP 445 and tried to access the SAM file; the attacker received a list of local users.

  • probe from port 4828 to 31337 (Back Orifice)

  • TCP 1080 (proxy probe?)

  • TCP 111 (Sun RPC Portmapper)

  • From to TCP 6667 (IRC)

  • TCP 139 probe
  • TCP 445 probes

  • .ida Microsoft Indexing Server attack

  • UDP 28431 Hack’A’Tack probe

  • Accessed while downloading Flash

  • TCP 139 probe
  • TCP 445 probes
  • HTTP OPTIONS method probe

Other more or less interesting events (logfile extract):

Access from the attacker to the honeypot on port 4899 (Radmin) continued until 03/05-04:48:22.370000. Between this event and the software downloads above there was only one sunrpc probe and three W32.SQLExp.Worm probes. As there was no other communication to the honeypot for 2½ hours before the downloads, my guess would be that it was a valid administrator who downloaded these tools.

What vulnerabilities did attackers attempt to exploit?

From the per-source list above: the blank Administrator password, guessed over SMB on TCP 445 (used by W32/Deloder, by the attacker who uploaded Remote Administrator Server v2.1, and in the attempts to read the SAM file); the Microsoft Indexing Service .ida vulnerability (MS01-033); web server weaknesses (FrontPage extensions, default scripts, folder traversal, the HTTP OPTIONS method); Microsoft SQL Server (UDP 1434 from W32.SQLExp, TCP 1433 from SQLsnake); and probes for known backdoors and services (Back Orifice on 31337, Hack'A'Tack on UDP 28431, a proxy on TCP 1080, the Sun RPC portmapper on TCP 111, NetBIOS on UDP 137 and TCP 139, FTP and DNS).

Which attacks were successful?

The W32/Deloder infection (which installed the IRC bot that then joined the botnet), the TCP 445 attack that uploaded Remote Administrator Server v2.1 and was followed by Radmin traffic on TCP 4899, and the TCP 445 attacks that returned a list of local users. The SQLsnake and W32.SQLExp attempts were not successful.

General Questions (not judged)

What did you learn about analysis as a result of studying this scan?

I think that I have learned something more about network communications but also gained a better knowledge of how to read the log files. I can handle the tools (Ethereal and Snort) better, even though I still have very much to learn. I would like to think that I have increased my ability to put things together and draw conclusions (but I still need much more experience in this area and hopefully I'm not completely wrong).

How do you anticipate being able to apply your new knowledge and skills?

The most obvious situation would be to apply this knowledge whenever investigating incidents of our own. I also think that I would be able to use this skill and knowledge in my day-to-day work, as I don’t think that there is such a thing as unnecessary knowledge (There might be things you don’t want to know, but that’s a different thing).

How can we improve the SotM challenge? What would you like to see added? What would you like to see done differently?

I like the mix between beginners and advanced level of the challenges. That way experienced people might find some challenges interesting and beginners like me can also increase our experience both by solving easier challenges as well as reading the reports of the more advanced challenges.
I haven't been participating long enough to name anything I would like to see different yet.

Thanks for this possibility to learn.

Anders Amandusson