The MD5 hash check of the two archives is done by the
following commands :
$ md5sum -c day1.log.gz.md5
$ file day1.log
The two files seem to be a tcpdump binary capture of
a network traffic. To read it we can choose one of the following
programs : tcpdump, tethereal, and ethereal. Firstly, we begin by
choosing Ethereal (a free network protocol analyzer for Unix and
Window) due to his conviviality, we disable the two options "Enable
MAC name resolution", and "ENABLE netwok name resolution" to
minimize the time processing.
The total number of packets for the first log file
is : 18843. A first look at the content reveals many traffic usage :
UDP 20.95 %
DNS 20.91 %
NetBIOS Name Service 0.03 %
Syslog message 0.02 %
Data 21.89 %
FTP 0.38 %
FTP Data 5.08 %
HTTP 6.86 %
DG Gryphon Protocol 2.24 %
Internet Relay Chat 0.10 %
From this summary, we should take attention to some
kinds of traffic (highlighted)which generally encapsulate informations
related to attacks.
The total number of packets for the second log file
is : 123123. Protocols listed
for the first log file still exist for day3.log with additional protocol
We choosed to run the original day1.log and day3.log tcpdump file through snort and see what comes up. Since snort has many attack signatures, we may get the list of IP address attacking the honeypot, and their attack ID.
After installing the snort, and disabling all the commented rules and preprocessors in the snort.conf file, we execute the following command (respectively for day3.log) :
$ snort -r day1.log -c /etc/snort/snort.conf
Alerts generated as a result to processing these tcpdum files have
been used to detect some attacks performed or vulnerabilities
exploited. We will refer to these alerts for the analysis of some
To determine the honeypot OS, we have first used p0f, which is a passive OS
fingerprinting tool. We have applied this tool on the first
binary file "day1.log", using the following command :
$ ./p0f -s ../day1.log | grep 192.168.100.28
After processing "day1.log" file, the tool has reported that the honeypot OS is Sun Solaris (see p0f.result).
This result (passive OS fingerprinting) is approved by the following
additional signs collected from the binary log file :
0000 00 07 ec b2 d0 0a 08 00 20 d1 76 19 08 00 45 00 ..ì²Ð... Ñv...E.
Gaining access method
To find what techniques the attacker was used to break into the system, we need to know what attempted exploitable vulnerabilities we can pick out from the day1.log. So, we concentrate on vulnerabilities which allow a remotely monitoring. Doing that, we run snort on the given log file day1.log, and we analysed the output file with snort_stat.pl utility for the purpose of readibility.
$ snort -A full -c /etc/snort/snort.conf -r day1.log
Where alert is the logging file
configured in snort.conf
From the list of the generated alerts (Distribution of attack methods), the "EXPLOIT CDE dtspcd exploit attempt" seems to be the successful means that allowed the attacker to break into the system.
The CDE Subprocess Control Service
(dtspcd) is a network daemon that accepts requests from clients to
execute commands and launch applications remotely.
dtspcd is typically configured to run on port 6112/tcp with root privileges. So, we filter the day1.log throw the following filter to concentrate in details of these attack.
The passed command is :
/bin/ksh -c echo "ingreslock stream tcp nowait root /bin/sh sh -i">/tmp/x;/usr/sbin/inetd -s /tmp/x;sleep 10;/bin/rm -f /tmp/x
it ordered the honeypot to :
#/bin/ksh -c echo "ingreslock stream tcp nowait root /bin/sh sh -i" > /tmp/x;
Save the "ingreslock stream tcp nowait root /bin/sh sh -i" to /tmp/x
#/usr/sbin/inetd -s /tmp/x; : Execute /tmp/x to start the service ingreslock which is running on the port 1524
#/bin/rm -f /tmp/x : Remove the loaded program
From this moment, the attacker has obtained a shell with root privileges on the port 1524 of the honeypot.
Systems involved in this attack
To determine which system were involved
to elaborate this attack, the investigation need to handle the
session corresponding to the exploit activity. The traffic which was
generated from this session reveals the systems that were used.
For this purpose, we have used a program tcpflow which allows us to reconstruct data streams of the logged file (day1.log). It stores each flow in a separate file. After the installation of tcpflow, we runned the following command :
$ tcpflow -r day1.log
Focusing on the session opened by
the attacker (18.104.22.168), we found the obtained file 061.219.090.180.56712-192.168.100.028.01524. It reports automatically the generated
traffic over this session which indicates the following ip addresses
was used for this attack. Searching the respective response of these
servers (running the separately the filters "ip.addr ==
22.214.171.124" and "ip.addr == 126.96.36.199" with ethereal) when the
honeypots was connecting, the OS can be deduced from the reported
* 188.8.131.52 --> ftp server : Version XOOM FTP 1.24.3
from which the attacker downloaded :
$ tethereal -nr day1.log "tcp.port == 7000" | ./sumsrcdst > attacker.7000
$ tethereal -nr day1.log "tcp.port == 6667" | ./sumsrcdst > attacker.irc
Major Steps for
The attacker has followed some major steps during his attack (from packets captured in the day1.log file). These steps are highlighted in the following diagram :