Analysis of Scan 27

By: Rohit Nand (

Pre-Analysis Steps:

Download the file using wget:
# wget -bcvt0

Verify MD5 checksum of the file downloaded to check integrity of the file:
# md5sum sotm27.gz
b4bfc10fa8346d89058a2e9507cfd9b9 sotm27.gz
Packet extraction
# gzip -d sotm27.gz
# snort -vdr sotm27 host > snort.txt
Also use Ethereal to view the binary log file.

What is IRC?
IRC (Internet Relay Chat) is a multi-user chat system, where people convene on "channels" (a virtual place, usually with a topic of conversation) to talk in groups, or privately. The IRC user runs a "client" program (usually called 'irc') which connects to the irc network via another program called a "server". Servers exist to pass messages from user to user over the irc network.
It allows people all over the internet to talk to one another in real-time. IRC is based on a client-server model. Clients are programs that connect to a server, a server is a program that transports data, (messages), from a user client to another.

What message is sent by an IRC client when it asks to join an IRC network?
A "PASS" command is not required for either client or server connection to be registered, but it must precede the server message or the latter of the NICK/USER combination. The recommended order for a client to register is as follows:
Pass message
Nick message
User message
Clients and servers are both subject to the same level of authentication. For both, an IP number to hostname lookup (and reverse check on this) is performed for all connections made to the server. Both connections are then subject to a password check (if there is a password set for that connection). These checks are possible on all connections although the password check is only commonly used with servers.
Upon connecting to an IRC server, a client is sent the MOTD (if present) as well as the current user/server count (as per the LUSER command). The server is also required to give an unambiguous message to the client which states its name and version as well as any other introductory messages which may be deemed appropriate.
After dealing with this, the server must then send out the new user's nickname and other information as supplied by itself (USER command) and as the server could discover (from DNS/authentication servers). The server must send this information out with NICK first followed by USER.

What is a botnet?
A botnet is created when 2 or more bots are linked together. Each bot on a botnet serves as a redundant backup, automatically oping friends and other bots, enforcing channel bans, and ensuring a party line exists.
IRC 'bots' (short for robot) are usually used to monitor channels for events. A bot can automatically op friends (as specified in the configuration file), enforce bans for channel misuse, and provide some channel misuse control . To add a bot to the network only a simple and static configuration file that specifies the master is needed. Once the new bot starts up, it will automatically contact the master and pull over the requisite configuration information to become a node on the botnet.

What are botnets commonly used for?
Botnets are commonly used to share userfiles or to create a partyline.

What TCP ports does IRC generally use?
In general, the port used is 6667/tcp and udp.
Other ports used are: For IRC - 194/tcp and 194/udp and for IRC-SERV - 529/tcp and 529/udp.

What is a binary log file and how is one created?
A binary log file can be created, by running the following command on a machine:
# snort -b -c
( the -b option creates the log in binary mode, -B can be used to modify the name of the file)

What IRC servers did the honeypot, which has the IP address, communicate with?
The honeypot machine connected to 5 different IRC servers, IP addresses for which are:

During the observation period, how many distinct hosts accessed the botnet associated with the server having IP address
As given in the Challenge description, a total of 15,164 distinct hosts joined the botnet.

Assuming that each botnet host has a 56 kbps network link, what is the aggregate bandwidth of the botnet?
Assuming that each botnet has a 56 kbps network link, the total bandwidth of the botnet would be 56 * 15164 = 849184 kbps
= 829 Mbps

What IP source addresses were used in attacking the honeypot?
The IP source addresses used in attacking the honeypot, among others, were:

What vulnerabilities did attackers attempt to exploit?
The following vulnerabilities were attempted to be exploited on the honeypot:
* Windows SMB Nuke
* NTLMSSP privilege escalation
* Multiple IIS vulnerabilities including:
- Code Red worm (Exploiting Buffer Overflow In IIS Indexing Service DLL)
- MSADCS RDS Vulnerability

Which attacks were successful?
Windows SMB Nuke and NTLMSSP privilege escalation were successfully launced against the honeypot.