Results of Scan of the Month 27 by Christian Schridde

First I wanna say: SORRY FOR MY ENGLISH, I DID MY BEST

The Challenge:
In early March 2003, the Azusa Pacific University Honeynet Project deployed an unpatched Windows 2000 honeypot having a null (blank) administrative password. During its first week of operation, the honeypot was repeatedly compromised by attackers and worms exploiting several distinct vulnerabilities. Subsequent to a successful attack, the honeypot was joined to a large botnet. During operation of the honeypot, a total of 15,164 distinct hosts were seen entering the botnet. The challenge is based on logs from five days of honeypot operation, collected using Snort. The logs have been edited to remove irrelevant traffic and combined into a single file. Also, IP addresses and certain other information have been obfuscated so that the identity of the honeynet is not readily apparent. Your mission is to analyze the log file in order to answer the questions below.


Used Tools:

  • Ethereal - for opening and analysing the binary logfile
    and capturing some of my own traffic for comparison
  • PS-Tools Suite by Mark Russinovich
  • mIRC, mainly the documentation
  • UltraEdit
  • finally the one and only Google



SERVER IP: 172.16.134.191
172.16.0.0 - 172.31.255.255 Internet Assigned Numbers Authority, 4676 Admiralty Way, Suite 330, Marina del Rey, CA, 90292-6695, US

BOTNET-SERVER: 209.196.44.172
209.196.44.0 - 209.196.44.255 Interliant, 64 Perimeter Center East, Atlanta, GA, 30346, US







Setup

Downloading the file sotm27.gz from http://www.honeynet.org/misc/files/sotm27.gz and comparing the checksum to make sure I got an exact copy.
Extracting it, making coffee and starting.....

Beginning Questions

    1. What is IRC? :
  • IRC (Internet Relay Chat) is comparable to CB Radio. You can talk in real time
    to people all over the world. IRC is a multi-user, multi-channel chat system that is run on a network. Like the telephone, the Internet allows people to communicate with each other from any place in the world at the same time. The major difference is that the Internet makes it easy to meet and communicate in groups as well as individually.
    2. What message is sent by an IRC client when it asks to join an IRC network? :
  • to enter a server you have to type:
    /server <server name>
  • to join a channel you have to type:
    /join #<channel name>
    3. What is a botnet? :
  • Firstly, a botnet is not a net of nice little IRC eggdrops some of you use in your channels to manage access lists, run quizzes, serve files or come up with corny lines. They do have something in common with those bots you know and love though, as they are automated and controlled by events (usually commands given in a channel). The botnet variety has been created with a trojan and, almost always, without the knowledge of the person whose computer they are running from. The trojan may have got on to the person's computer by being wrapped up in a file that looks innocent - usually a game crack, something sex related, or it can simply be named to make you think it's an anti-virus program! It may have got there because there was some hidden code on a website that person visited, which downloaded it to their machine. Well, the next time that computer is connected to the Internet, that trojan will start up an IRC client and connect to a server. The trojan will also have been coded to make the bot join a certain channel once it has connected. A collection of these bots in a channel is a BOTNET !
    4. What are botnets commonly used for? :
  • The nastiest thing most of these bots can do is to launch Denial of Service attacks against servers - hundreds or thousands of bots all sending data to a server until its connection becomes saturated and/or the server crashes. Because the bots are making many home computers attack, from all over the world, we call this a Distributed Denial of Service attack (DDoS).
    5. What TCP ports does IRC generally use? :
  • Default IRC Port: 6667
    6. What is a binary log file and how is one created? :
  • Instead of converting the captured traffic into human-readable format, a binary log file captures 1's and 0's. This is sometimes called "raw" traffic capture. It is often used in high-traffic areas, because it is a lot faster and the files are smaller. The data is captured at either the physical, data-link or network layer using the capture library libpcap.
    7. What IRC servers did the honeypot, which has the IP address 172.16.134.191, communicate with ?:
  • Using ethereal filter: ip.src == 172.16.134.191 && tcp.dstport == 6667 && tcp.flags.syn == 1
  • 66.33.65.58 (but it seems to be dead)
    [66.33.0.0 - 66.33.127.255 Dialtone Inc., 4101 SW 47th Ave, Suite 101, Davie, FL, 33314, US]
  • 63.241.174.144 (Nickname ehisou already in use. Connection timed out!)
    [63.240.0.0 - 63.242.255.255 CERFnet, 9805 Scranton Road, Suite 150, San Diego, CA, 92121, US
    AT&T Enhanced Network Services]
  • 217.199.175.10 (Server was full)
    [217.199.172.0 - 217.199.175.255 Host Europe customer machines]
  • 209.126.161.29 (but seems to be dead)
    [209.126.128.0 - 209.126.255.255 California Regional Internet, Inc., 8929A COMPLEX DRIVE, SAN DIEGO, CA, 92123, US
    California Regional Intranet, Inc.]
  • 209.196.44.172 (Logged in with username: rgdiuggac,
    masking the dynamic part of his IP -> MODE -x
    and making himself invisible to users not in the same channel -> MODE +i)
    [209.196.0.0 - 209.196.63.255 Sprint, 12502 Sunrise Valley Dr., Reston, VA, 20196, US]


    Additional Information from ALL NETTOOLS
    8. During the observation period, how many distinct hosts accessed the botnet
    associated with the server having IP address 209.196.44.172? :
  • I found 8115 hosts connecting to the botnet. I got the number by listing all IRC response packets coming from 209.196.44.172
    Using ethereal filter: ip.src == 209.196.44.172 && irc.response == 1
    I also tried adding the filter: irc.command == "JOIN :#xx", but I wasn't able to enter the characters "x" in the Ethereal filter box. So I printed the selected lines to a file and wrote a little script, which counts the IRC JOIN commands in the output file. After writing another little script, wiping out all double entries, I got the number of 4815 !! distinct hosts accessing the botnet
    9. Assuming that each botnet host has a 56 kbps network link, what is the aggregate bandwidth of the botnet? :
  • 4815 * 56kbps = 269.640 kbps.
    454.432 / 1024 = 263.32 Mbps OR 32,92 MB/s
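
The counting step described under question 8 (count JOIN messages, then drop duplicates), as an added Python example that is not the author's script: it reassembles IRC lines from in-order TCP payloads before matching, so a JOIN split across two segments is still counted. The sample payloads, nicknames, hostnames and channel names are constructed.

```python
import re

# Server-relayed JOIN in RFC 1459 prefix form: ":nick!user@host JOIN :#channel"
JOIN_RE = re.compile(rb"^:([^!\s]+)!([^@\s]+)@(\S+) JOIN :?(\S+)$")

def irc_lines(payloads):
    """Reassemble newline-terminated IRC lines from in-order TCP payloads."""
    buf = b""
    for chunk in payloads:
        buf += chunk
        # Everything before the last "\n" is complete; the rest stays buffered.
        *complete, buf = buf.split(b"\n")
        for line in complete:
            yield line.rstrip(b"\r")

def distinct_joiners(payloads, channel=None):
    """Return (number of JOIN messages, set of distinct joining hosts)."""
    joins, hosts = 0, set()
    for line in irc_lines(payloads):
        m = JOIN_RE.match(line)
        if not m:
            continue
        if channel and m.group(4).lower() != channel.lower():
            continue
        joins += 1
        hosts.add(m.group(3).lower())  # hostnames compare case-insensitively
    return joins, hosts

# Constructed sample: three server-to-client payloads. The second JOIN is
# split across two segments, and bot3 shares a host with bot1.
SAMPLE = [
    b":irc.example.net 001 bot1 :Welcome\r\n"
    b":bot1!~a@host-a.example JOIN :#chan\r\n:bot2!~b@host-",
    b"b.example JOIN :#chan\r\n:bot1!~a@host-a.example PRIVMSG #chan :hi\r\n",
    b":bot3!~c@HOST-A.example JOIN :#chan\r\n"
    b":bot4!~d@host-d.example JOIN :#other\r\n",
]

if __name__ == "__main__":
    total, hosts = distinct_joiners(SAMPLE, channel=b"#chan")
    print(total, "JOINs from", len(hosts), "distinct hosts:", sorted(hosts))
```

Counting by host rather than by nickname matters here: one machine can rejoin under several nicknames, which inflates a raw JOIN count.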

Intermediate Questions

    1. What IP source addresses were used in attacking the honeypot? :
  • 210.22.204.101
    210.22.204.0 - 210.22.204.127 yichang city - TECH GROUP CNC
  • 24.197.194.106
    24.196.0.0 - 24.197.255.255 Charter Communications, 12405 Powerscourt Dr., St. Louis, MO, 63131, US
  • 62.150.170.134
    [62.150.0.0 - 62.150.255.255 QualityNet General Trading & Contracting Co. Provider Local Registry]
  • 213.23.49.158
    213.23.0.0 - 213.23.71.255 Arcor AG & Co
  • These IPs connected with the blank Administrator account over microsoft-ds (port 445):
    - 195.36.247.77
    (- 210.22.204.101 )
    - 80.181.116.202
    - 66.139.10.15
    - 209.45.125.69
    - 129.116.182.239
    (- 61.111.101.78 )
    - 66.8.163.125
  • 61.111.101.78
    61.96.0.0 - 61.111.255.255 KRNIC Korea Network Information Center


    Additional Information from ALL NETTOOLS
    2. What vulnerabilities did attackers attempt to exploit? :
  • IP: 210.22.204.101:
    • GET /null.ida?cccccccccc.....cc<SHELLCODE>
      Known as: Index Server ISAPI Extension Vulnerability (bid 2880).
      A security vulnerability exists in idq.dll. This DLL contains an unchecked buffer in a section of code that handles input URLs.
      ISAPI (Internet Services Application Programming Interface) is a technology that enables developers to extend the functionality provided by an IIS server. An ISAPI extension is a dynamic link library (.dll) that uses ISAPI to provide a set of web functions above and beyond those natively provided by IIS. To access an IDA (Internet Data Administration) file, you have to be an administrator to issue the request, but the overflow occurs before the credentials check can be made. So the commands run with Local System privileges.

      It looks like the attacker uses shellcode that gives him a remote shell on port 99. But the attack failed; port 99 stayed closed.
      The attacker tried this vulnerability 11 times, but with NO luck.

    • Copies the Radmin remote-control software (www.radmin.com) (3 files: r_server.exe, raddrv.dll, admdll.dll) to
      c:\winnt\system32 via a microsoft-ds session (blank Administrator account),
      installs/runs it as a service (r_server.exe /service) using microsoft-ds over 445 (RPC) and finally connects to it (port 4899, default).
      (First tries a wrong port, 6129 (default), which belongs to the DameWare remote-control software)
      What did he do during the session? - RAdmin uses 128-bit encryption, so I don't know!

    • Also tests whether an MSSQL server is running (TCP port 1433). But no SYN/ACK packet returns; the port is closed.
  • IP: 24.197.194.106
    • This host is running a scanner.
      It first makes a port scan of 1..80,110,111,137,139,443,1433 and after that tests for known webserver vulnerabilities for all kinds of webservers.
  • IP: 61.111.101.78
    • Uses PSEXEC, a utility that comes with the PS-Tools Suite and uses the ADMIN$ share by default. PsExec is a light-weight telnet replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software.
      The attacker connects via the blank Administrator account to host OIL-6II61NOJWTK,
      copies the file inst.exe (self-extracting archive) to winnt/system32 and executes:
      -inst.exe (command: psexec \\172.16.134.191 -u Administrator -p "" c:\winnt\system32\inst.exe)
      -attrib -r inst.exe
      -attrib -r devlr32.exe
      -devlr32.exe (perhaps a backdoor. Couldn't find any information about a file like that)
      and deletes shares: C$, D$, E$, ADMIN$ !
      After deleting the shares he tries to reconnect to ADMIN$ but now it fails with "STATUS_BAD_NETWORK_NAME"
  • IP: 62.150.170.134
    • This one scans for Hack'A'tack, a known backdoor. I noticed it because it's unusual for a program to use such a high source port ( 28341 ). Normally Snort detects this with a msg like:
      alert UDP $INTERNAL 28431 -> $EXTERNAL 28432 (msg: "IDS289/trojan_trojan-active-hack-a-tack-2000"; content: "H"; depth: 1;)
  • IP: 213.23.49.158
    • Scans with (99% sure) Fx-Scanner, because this tool uses port 57 to test whether the host exists. It mostly comes along with port 80 probes, as it does here in the log file.
  • IP: 209.45.125.69 && 66.139.10.15
    • The attackers using these IPs are performing a little brute-force password-guessing attack against the valid accounts on the target server. They get the list by sending an EnumDomainUsers request to the server: ACCOUNTS: Administrator, Guest, IUSR_PC0191, IWAM_PC0191, TsInternetUser


    • ADDITIONAL

  • IP:
    • The MSSQL worm Slammer is still spreading around. It comes from around 50 IPs. It caught my attention when I noticed several UDP packets going to port 1434. I looked at the payload of the packets and compared it to the Norton Security Systems description of the Slammer worm, and it fits. (content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|"; )
  • IP: 200.74.26.73
    • Proxy port probe to port 1080
  • IP: 210.111.56.66 && 194.199.201.9
    • Checking for MSSql Server port 1433
    3. Which attacks were successful? :
  • The attack from 210.22.204.101 was successful, because he successfully established a session after copying/running the remote-control software over the blank netbios session.
  • All IPs which are connecting with the blank administrator account to "\\171.16.121.1212\IPC$":
    (From my point of view this is successful, because he accesses files on the target server)
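
The Slammer check described under ADDITIONAL, as an added Python example that is not part of the original submission: it walks a libpcap binary log record by record and lists the distinct sources of UDP/1434 packets containing the byte pattern quoted above. The capture is constructed in `build_sample`; the sender addresses are documentation ranges, and Ethernet framing and unfragmented IPv4 are assumed.

```python
import socket
import struct

# Byte pattern from the content match quoted in the write-up.
SLAMMER_SIG = bytes.fromhex("682E646C6C68656C3332686B65726E")

def packets(pcap):
    """Yield captured frames from a classic libpcap file, either byte order."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a libpcap file")
    off = 24  # the global header is 24 bytes
    while off + 16 <= len(pcap):
        # Record header: ts_sec, ts_usec, captured length, original length.
        caplen = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        yield pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen

def slammer_sources(pcap, port=1434):
    """Distinct source IPs whose UDP payload to `port` contains the pattern."""
    found = set()
    for frame in packets(pcap):
        # Assumption: Ethernet framing and unfragmented IPv4; protocol 17 = UDP.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue
        udp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip the IP header (IHL)
        if (len(udp) >= 8 and struct.unpack("!H", udp[2:4])[0] == port
                and SLAMMER_SIG in udp[8:]):
            found.add(socket.inet_ntoa(frame[26:30]))
    return found

def _frame(src, dport, payload):
    """Build one constructed Ethernet/IPv4/UDP frame (checksums left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17,
                     0, socket.inet_aton(src), socket.inet_aton("172.16.134.191"))
    udp = struct.pack("!HHHH", 4000, dport, 8 + len(payload), 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + udp + payload

def build_sample():
    """Constructed capture: two matching packets from one sender, two misses."""
    frames = [_frame("192.0.2.10", 1434, b"\x04" + b"A" * 20 + SLAMMER_SIG),
              _frame("192.0.2.10", 1434, b"\x04" + SLAMMER_SIG),
              _frame("198.51.100.7", 1434, b"\x02"),   # right port, no pattern
              _frame("203.0.113.5", 53, SLAMMER_SIG)]  # pattern, wrong port
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(sorted(slammer_sources(build_sample())))
```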

General Questions (not judged)

    1. What did you learn about analysis as a result of studying this scan? :
  • If you take a deep look at a logfile, you are able to reconstruct most of the actions. And I learned that using the right filter in a binary logfile analysis program (like Ethereal) is the most important help to find all activities, instead of crawling the file line by line. I am no pro in knowing all the flags and header fields of all the protocols, but I got a step further after analysing this scan.
    2. How do you anticipate being able to apply your new knowledge and skills? :
  • I administrate some websites and I think I should read the logs more often :)
    3. How can we improve the SotM challenge?
    What would you like to see added?
    What would you like to see done differently? :
  • Perhaps leaving the honeypot open, giving us a secure login. Then we could explore the honeypot ourselves and find the traces of the attackers by reading the log/history files. (Having only read access)