Results of Scan of the Month 27 by Christian Schridde
First i wanna say: SORRY FOR MY ENGLISH, I DID MY BEST
In early March 2003, the Azusa Pacific University Honeynet Project deployed an unpatched Windows 2000
honeypot having a null (blank) administrative password. During its first week of operation, the honeypot was
repeatedly compromised by attackers and worms exploiting several distinct vulnerabilities. Subsequent to a
succesful attack, the honeypot was joined to a large botnet. During operation of the honeypot, a total of
15,164 distinct hosts were seen entering the botnet. The challenge is based on logs from five days of honeypot
operation, collected using Snort. The logs have been edited to remove irrelevant traffic and combined into a single file.
Also, IP addresses and certain other information have been obfuscated so that the identity of the honeynet is not
readily apparent. Your mission is to analyze the log file in order to answer the questions below.
Ethereal - For opening and analysing the binary logfile
and capturing some of my own traffic for comparing !
IRC (Internet Relay Chat) is compareable to CB Radio. You can talk in real time
to people all over the world.
IRC is a multi-user, multi-channel chat system that is run on a Network.
Like the telephone, the Internet allows people to communicate with each other from any place
in the world at the same time. The major difference is that the Internet makes it easy to meet and
communicate in groups as well as individually
2. What message is sent by an IRC client when it asks to join an IRC network? :
to enter a server you have to type: /server <server name>
to join a channel you have to type: /join #<channel name>
3. What is a botnet? :
Firstly, a botnet is not a net of nice little IRC eggdrops some of you use in your channels to
manage access lists, run quizzes, serve files or come up with corny lines.
They do have something in common with those bots you know and love though,
as they are automated and controlled by events (usually commands given in a channel).
Botnet variety have been created with a trojan and, almost always,
without the knowledge of the person whose computer they are running from.
The trojan may have got on to the person's computer by being wrapped up in a file that looks innocent -
usually a game crack, something sex related, or it can simply be named to make you think it's
an anti-virus program! It may have got there because
there was some hidden code on a website that person visited, which downloaded it to their machine.
Well, the next time that computer is connected to the Internet,
that trojan will start up an IRC client and connect to a server.The trojan will also have been coded to
make the bot join a certain channel once it has connected.
A collection of these bots in a channel is a BOTNET !
4. What are botnets commonly used for? :
Tthe nastiest thing most of these bots can do is to
launch Denial of Service attacks against servers - hundreds or thousands of bots all sending
data to a server until its connection becomes saturated and/or the server crashes.
Because the bots are making many home computers attack, from all over the world,
we call this a Distributed Denial of Service attack (DDoS).
5. What TCP ports does IRC generally use? :
Default IRC Port: 6667
6. What is a binary log file and how is one created? :
Instead of converting the captured traffic into human readable
format, a binary log file captures 1's and 0's. Sometime calles
"raw" traffic capture.
Its often used at high traffic areas, cause its a lot faster and the files
are smaller in size.
The date is captured either in the physical or data-link, or network layer
using the capture library: "Libpcap library".
7. What IRC servers did the honeypot, which has the IP address 172.16.134.191, communicate with ?:
126.96.36.199 (Server was full) [188.8.131.52 - 184.108.40.206 Host Europe customer machines]
220.127.116.11 (but seems to be dead) [18.104.22.168 - 22.214.171.124 California Regional Internet, Inc.8929A COMPLEX DRIVESAN DIEGO, CA, 92123US
California Regional Intranet, Inc.]
126.96.36.199 (Logged in with username: rgdiuggac
and masking his dynamic part of his ip -> MODE -x
and makes himself invisible for user not in the same channel -> MODE +i) [188.8.131.52 - 184.108.40.206 Sprint12502 Sunrise Valley Dr.Reston, VA, 20196US]
8. During the observation period, how many distinct hosts accessed the botnet
associated with the server having IP address 220.127.116.11? :
I found 8115 host connecting to the botnet.
I got the number by listing all IRC response packets coming from 18.104.22.168
Using ethereal filter: ip.src == 22.214.171.124 && irc.response == 1
I tried also adding the filter: irc.command == "JOIN :#xàéüîéðìx", but i wasn´t able to enter the charcters "àéüîéðìx"
in the ethereal filter box. So i printed the selected lines to a file and wrote a little script, which counts the irc JOIN commands in
After writing another little script, wiping of all double entries i got the number of 4815 !!
distinct host access the botnet
9. Assuming that each botnet host has a 56 kbps network link, what is the aggregate bandwidth of the botnet? :
2. What vulnerabilities did attackers attempt to exploit? :
Know as: Index Server ISAPI Extension Vulnerability (bid 2880).
A security vulnerability exists in idq.dll. This DLL contains an unchecked buffer in a section of code that handles input URLs.
ISAPI (Internet Services Application Programming Interface) is a technology that enables developers to extend the functionality
provided by an IIS server. An ISAPI extension is a dynamic link library (.dll) that uses ISAPI to provide
a set of web functions above and beyond those natively provided by IIS. To access a IDA (Internet Data Administration) file, you need
you have to be an administrator to levy a request, but the overflow occurs before the credentials check can be made.
So you run commands with Local System privileges.
It looks like the attacker uses a shellcode, which gives him a remoteshell to port 99. But the attack failed, port 99 stayed closed.
The attacker tried this vulnerability 11 times, but with NO luck.
Copies Radmin Remote-Software (www.radmin.com)
(3 files: r_server.exe, raddrv.dll, admdll.dll) to
c:\winnt\system32 via a microsoft-ds session (blank Administrator account)
installs/runs it as a service (r_server.exe /service) using microsoft-ds over 445 (RPC)
and finally connects to it (port 4899 , default).
(First tries a wrong port 6129 (default) which belongs to daemonware remotesoftware)
What did he do during the session? - RAdmin uses 128-bit encryption, so i dont know !
Makes also a test if a MSSQL server is running (tcp port 1433). But no SYN/ACK packet returns. Port is closed.
which is running a scanner.
First making a port scan 1..80,110,111,137,139,443,1433 and after that
testing for known webserver vulnerabilities for all kind of webservers.
Uses PSEXEC, an utility that comes with the PS-Tools Suite,
which uses by default the ADMIN$ share.
PsExec is a light-weight telnet-replacement that lets you execute processes on other systems,
complete with full interactivity for console applications, without having to manually install client software.
The attacker connects via the blank Administrator account to host OIL-6II61NOJWTK
copies the file inst.exe (selfextracting archieve) to winnt/system32 and executes:
-inst.exe (command: psexec \\172.16.134.191 -u Administrator -p "" c:\winnt\system32\inst.exe)
-attrib -r inst.exe
-attrib -r devlr32.exe
-devlr32.exe (perhaps a backdoor. Couldnt find any informations about a file like that)
and deletes shares: C$, D$, E$, ADMIN$ !
After deleting the shares he tries to reconnect to $ADMIN but it now it fails "STATUS_BAD_NETWORK_NAME"
This one scans for Hack'A'tack. A known backdoor.
I noticed it, cause its unusual that a program uses such a hight source port ( 28341 )
Normally snort detects this with a msg like:
alert UDP $INTERNAL 28431 -> $EXTERNAL 28432 (msg: "IDS289/trojan_trojan-active-hack-a-tack-2000"; content: "H"; depth: 1;)
Scans with (sure 99%) Fx-Scanner , cause this tools uses port 57 for existence testing of the host.
And the it comes along mostly with port 80 probes as it is here in the log file.
IP: 126.96.36.199 && 188.8.131.52
The attacker using this ips, are performing a little buteforce password guessing attack against the
valid account on the target server. They get the list by sending a EnumDomainUsers request to the server:
ACCOUNTS: Administrator, Guest, IUSR_PC0191, IWAM_PC0191,TsInternetUser
The mysql form Slammer is still spreading around. He comes from around 50 IPs. I got attentively as i notice several udp packets going to port 1434.
I look at the payload of the packets and compared it to the one Norton Security Systems description of the Slammer worm.
And it fits. (content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|"; )
Proxy port probe to port 1080
IP: 184.108.40.206 && 220.127.116.11
Checking for MSSql Server port 1433
3. Which attacks were successful? :
The attack from 18.104.22.168 was successfull, cause he successful established a
session after copying/running the remote controll software over the blank netbios session.
All IPS which are connecting with the blank administrator account to "\\22.214.171.1242\IPC$":
(From my point of view this is successfull, cause he access files on the target server)
1. What did you learn about analysis as a result of studying this scan? :
If you take a deep look at a logfile, you are able to reconstruct most of
the actions. And i learned, that using the right filter in a binary logfile analysis
program (like ethereal) is the most important help to find all activities, instead of
crawling the file line by line.
I am no pro in knowing all the flags und header fields of all the protocols, but i
got a step further a after anaylsing this scan.
2. How do you anticipate being able to apply your new knowledge and skills? :
I administrate some websites and i think i should better read the logs more often :)
3. How can we improve the SotM challenge?
What would you like to see added?
What would you like to see done differently? :
Perhaps leaving the honeypot open, giving us a secure login.
And we can exploring the honeypot ourself and finding the
traces of the attakers by reading the log/historyfiles.
(Having only read access)