- What is the operating system of the honeypot? How did you determine that?
The honeypot appears to be running SunOS 5.8, also known
as Solaris 8. This was determined by one of the first commands typed by the
attacker at the root shell:
# uname -a;ls
-l /core /var/dt/tmp/DTSPCD.log;PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/ccs/bin:/usr/gnu/bin;export
PATH;echo "BD PID(s): "`ps -fed|grep ' -s /tmp/x'|grep -v grep|awk
SunOS zoberius 5.8 Generic_108528-09 sun4u sparc SUNW,Ultra-5_10
/core: No such file or directory
/var/dt/tmp/DTSPCD.log: No such file or directory
BD PID(s): 1773
- How did the attacker(s) break into the system? (see day1)
The attacker used a buffer overflow exploit against
the dtspcd service running on the system. This exploit is documented in CERT
Advisory CA-2002-01 "Exploitation of Vulnerability in CDE Subprocess
- Which systems were used in this attack, and how?(see day1)
220.127.116.11 was used to perform the exploit and set
up the shell on the Ingreslock port. The connection on the Ingreslock port
also came from the same IP address.
18.104.22.168 was used as an FTP server to download utilities to the honeypot.
22.214.171.124 was used to download further utilities, this time via HTTP.
On day 3 the connections came from the following IP
126.96.36.199 was the source of the SSH connection to port 5001
188.8.131.52 was used to download the updated psyBNC tarball via HTTP
- Create a diagram that demonstrates the sequences involved in the attack.
Refer to this diagram.
- What is the purpose/reason of the ICMP packets with 'skillz' in them? (see
Those ICMP packets are messages from a DDOS agent to
it's handler. They allow the user to see that the agent is available to receive
Denial of Service commands.
- Following the attack, the attacker(s) enabled a unique protocol that one
would not expect to find on a n IPv4 network. Can you identify that protocol
and why it was used? (see day3)
The attacker enabled IPv6. There may have been several
motives for this. IPv6 traffic may evade or confuse Intrusion Detection Systems.
They would also raise the cracker's status on IRC as he would show up with
an address on the 6bone. Some IRC sites may only be available on the 6bone,
and not on the normal IPv6 Internet.
- Can you identify the nationality of the attacker? (see day3)
During Italian conversations on IRC, "Andreaz"
and "Bobz", our attacker, had a conversation about where they were
from and how old they were. Bobz said he was from Paestum, Salerno in Italy.
- What are the implications of using the unusual IP protocol to the Intrusion
Interpreting IPv6 traffic involves extra overhead on
IDS systems. The IPv6 traffic we saw here is encapsulated over IPv4 which
makes session tracking more difficult, all traffic appears to originate from
a single host at the IPv4 layer, but we may find that there are mutiple sources/destinations
at the IPv6 layer.
- What tools exist that can decode this protocol?
The latest versions of Ethereal can decode IPv6 traffic.
Some versions of tcpdump also have the capability to decode IPv6.