Scan of the Month 31 - Analysis by Christophe GRENIER

Introduction

Open Proxy servers are a big problem on the Internet. Not only can an improperly secured proxy server expose your internal network to attack, but also these systems are used to obscure the true origin of web-based attacks. In order to gather data on these types of attack channels, the Honeypots: Monitoring and Forensics Project deployed a specially configured Apache web server, designed specifically for use as a honeypot open proxy server or ProxyPot. The paper Open Proxy Honeypot provides important background information to aid in the analysis of the SoTM data.

The data file

The data file can be downloaded from the Honeynet web site.
a. Honeynet Web Server Proxy IP sanitized to: 192.168.1.103
b. Honeynet Web Server Proxy Hostname sanitized to: www.testproxy.net

Download the Image (25 MB)
c36d39dfd5665a58d7cea06438ceb96d apache_logs.tar.gz

How do you think the attackers found the honeyproxy?

The proxy was found by scanning. As seen in SOTM30, ports 80, 1080, 3128 and 8080 are common targets.

What different types of attacks can you identify? For each category, provide just one log example and detail as much info about the attack as possible (such as CERT/CVE/Anti-Virus id numbers). How many can you find?

The obvious attacks are proxy abuse, web attacks and brute force attacks, but there are a lot more (about 400). The full list is in this document. Nessus generated many of these attacks.

Do attackers target Secure Socket Layer (SSL) enabled web servers as their targets? Did they target SSL on our honeyproxy? Why would they want to use SSL? Why didn't they use SSL exclusively?

The Apache SSL server has been attacked:

[Sat Mar 13 08:30:48 2004] [error] mod_ssl: SSL handshake failed (server www.ssltestproxy.net:443, client 80.196.149.199) (OpenSSL library error follows)
[Sat Mar 13 08:30:48 2004] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:master key too long

It looks like the OpenSSL SSLv2 handshake bug CAN-2002-0656. If it were successfully exploited (the server is patched), the attacker would run as the Apache user and could then try to exploit local kernel vulnerabilities to become root.

The hackers are not really interested in SSL, but rather in the CONNECT method. This method is used to proxy data in whatever protocol you want (usually SSL). Hackers have tried to connect to the following ports:

$ grep CONNECT logs/access_log |cut -d\" -f2-|cut -d: -f2|sort -n -u
8 HTTP/1.1" 400 381 "-" "MLDonkey 2.5-12"
21 HTTP/1.0" 403 291 "-" "Mozilla/4.0"
25 HTTP/1.0" 500 434 "-" "-"
43 HTTP/1.1" 400 381 "-" "-"
80 HTTP/1.0" 200 - "-" "-"
110 HTTP/1.0" 403 293 "-" "-"
119 HTTP/1.0" 403 288 "-" "-"
443 HTTP/1.0" 200 - "-" "-"
802 HTTP/1.0" 403 289 "-" "-"
1234 HTTP/1.0" 403 314 "-" "-"
2019 HTTP/1.1" 400 381 "-" "-"
2048/ HTTP/1.1" 400 346 "-" "-"
3777 HTTP/1.0" 403 286 "-" "-"
4141 HTTP/1.1" 400 381 "-" "MLDonkey 2.5-12"
4400 HTTP/1.0" 403 290 "-" "-"
4661 HTTP/1.1" 400 381 "-" "MLDonkey 2.5-12"
5050 HTTP/1.0" 403 293 "-" "-"
5440 HTTP/1.1" 400 381 "-" "MLDonkey 2.5-12"
5849 HTTP/1.1" 400 381 "-" "MLDonkey 2.5-12"
6112 HTTP/1.0" 403 293 "-" "-"
6537 HTTP/1.1" 400 381 "-" "MLDonkey 2.5-12"
6601 HTTP/1.0" 403 285 "-" "-"
6660 HTTP/1.0" 403 302 "-" "-"
6661 HTTP/1.0" 403 304 "-" "-"
6662 HTTP/1.0" 403 297 "-" "-"
6663 HTTP/1.0" 403 289 "-" "-"
6664 HTTP/1.0" 403 302 "-" "-"
6665 HTTP/1.0" 403 295 "-" "-"
6666 HTTP/1.0" 200 - "-" "-"
6667 HTTP/1.0" 500 434 "-" "-"
6668 HTTP/1.0" 403 290 "-" "pxyscand/2.0"
6669 HTTP/1.0" 403 291 "-" "-"
6687 HTTP/1.0" 403 286 "-" "-"
6716 HTTP/1.0" 403 294 "-" "-"
6909 HTTP/1.0" 403 294 "-" "-"
7000 HTTP/1.0" 403 300 "-" "-"
7001 HTTP/1.0" 403 297 "-" "-"
7300 HTTP/1.0" 403 290 "-" "-"
7777 HTTP/1.0" 403 289 "-" "-"
7999 HTTP/1.1" 400 381 "-" "-"
8080 HTTP/1.1" 400 381 "-" "-"
8666 HTTP/1.0" 403 291 "-" "-"
9000 HTTP/1.0" 403 290 "-" "-"
11111 HTTP/1.0" 403 290 "-" "-"
25136 HTTP/1.0" 403 291 "-" "-"
63210 HTTP/1.0" 403 298 "-" "-"

Hackers have been able to use the proxy to connect to HTTP (80), HTTPS (443) and IRC (6666), the ports for which the CONNECT returned 200. The following tools have been used: MLDonkey, ProxyChains, pxyscand.
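As an added example (not part of the original analysis), the same CONNECT breakdown done in Python on constructed access_log lines in the honeypot's combined format: it groups CONNECT requests by target port, keeps the status codes and User-Agents seen per port, and singles out the ports the proxy actually tunnelled (status 200). Addresses, hosts and timestamps in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed access_log lines in the combined format of the honeypot logs; every
# address, host and timestamp here is made up.
ACCESS_LOG = """\
10.0.0.5 - - [Sat Mar 13 08:30:48 2004] "CONNECT www.example.net:443 HTTP/1.0" 200 - "-" "-"
10.0.0.5 - - [Sat Mar 13 08:30:49 2004] "CONNECT www.example.net:80 HTTP/1.0" 200 - "-" "-"
10.0.0.6 - - [Sat Mar 13 08:31:02 2004] "CONNECT irc.example.org:6666 HTTP/1.0" 200 - "-" "-"
10.0.0.6 - - [Sat Mar 13 08:31:03 2004] "CONNECT irc.example.org:6667 HTTP/1.0" 500 434 "-" "-"
10.0.0.7 - - [Sat Mar 13 08:32:10 2004] "CONNECT mail.example.org:25 HTTP/1.0" 500 434 "-" "-"
10.0.0.8 - - [Sat Mar 13 08:33:00 2004] "CONNECT 198.51.100.9:6668 HTTP/1.0" 403 290 "-" "pxyscand/2.0"
10.0.0.9 - - [Sat Mar 13 08:34:00 2004] "CONNECT 198.51.100.10:4661 HTTP/1.1" 400 381 "-" "MLDonkey 2.5-12"
10.0.0.9 - - [Sat Mar 13 08:34:01 2004] "GET http://www.example.net/ HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
"""

LINE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
                  r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"')

def connect_requests(log_text):
    """Yield (client, target host, target port, status, user-agent) for each CONNECT line."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m['method'] != 'CONNECT':
            continue
        host, _, port = m['target'].rpartition(':')
        # A target without a numeric port (e.g. "host:2048/") is malformed; file it under port 0.
        yield m['client'], host, int(port) if port.isdigit() else 0, int(m['status']), m['agent']

def port_summary(log_text):
    """Per target port: request count, status codes seen and User-Agents seen."""
    summary = defaultdict(lambda: {'count': 0, 'status': set(), 'agents': set()})
    for _, _, port, status, agent in connect_requests(log_text):
        summary[port]['count'] += 1
        summary[port]['status'].add(status)
        summary[port]['agents'].add(agent)
    return dict(summary)

def proxied_ports(log_text):
    """Ports the honeyproxy actually tunnelled to (a 200 on CONNECT): these are the abusable ones."""
    return sorted(p for p, e in port_summary(log_text).items() if 200 in e['status'])
```

A 403 means the honeyproxy refused the tunnel and a 400 a malformed request, so only the 200 ports represent real abuse of the proxy.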

Are there any indications of attackers chaining through other proxy servers? Describe how you identified this activity. List the other proxy servers identified. Can you confirm that these are indeed proxy servers?

In the audit_log file, the header X-Forwarded-For is sometimes present. It indicates that the honeyproxy has been contacted through another proxy.

Request: 220.173.17.142 - - [Tue Mar  9 22:30:24 2004] "POST http://www.clickcheaper.com/search.php HTTP/1.1" 200 19044
Handler: proxy-server
----------------------------------------
POST http://www.clickcheaper.com/search.php HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Content-Length: 33
Content-Type: application/x-www-form-urlencoded
Host: www.clickcheaper.com
Pragma: no-cache
Referer: http://www.163.net
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
X-Forwarded-For: 205.216.128.48
mod_security-message: Access denied with code 200. Pattern match "/search" at THE_REQUEST.

username=hui4188&keywords=Cruises

HTTP/1.1 200 OK
Accept-Ranges: bytes
X-Powered-By: PHP/4.2.2
Set-Cookie: uid=188830086; expires=Fri, 09-Apr-04 05:25:43 GMT
Content-Type: text/html; charset=ISO-8859-1
X-Cache: MISS from www.testproxy.net
Transfer-Encoding: chunked

Attackers are chaining through other proxy servers. To confirm that they are proxies, I have checked their presence in list.dsbl.org, relays.ordb.org, sbl-xbl.spamhaus.org, dnsbl.njabl.org and dnsbl.sorbs.net.


Full listing available here (about 300 proxies).

But some proxies do not add the X-Forwarded-For header.

Request: 69.0.208.167 - - [Thu Mar 11 00:12:46 2004] "GET http://www.sex.com/ HTTP/1.0" 200 24590
Handler: proxy-server
----------------------------------------
GET http://www.sex.com/ HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
Accept-Encoding: deflate
Accept-Language: en-US
Connection: Close
Cookie: SEXCIP=64.237.55.58, S=15984505%7E1%7E6b2a6dd524ad12464e8974d0c2588cb4, T=17426364%7ESEX%7E%7Eeb9e18f375a194ee7c09b31ae63af388
Host: www.sex.com
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
 
HTTP/1.0 200 OK
Vary: Accept-Encoding
P3P: policyref="http://www.sex.com/w3c/p3p.xml"
X-Powered-By: PHP/4.3.4
X-Accelerated-By: PHPA/1.3.3r2
Set-Cookie: S=15985028%7E1%7Efee871e1105999a12931c14c9902ce20; expires=Thu, 10-Mar-05 05:12:44 GMT; path=/; domain=.sex.com
Set-Cookie: T=17426918%7ESEX%7E%7Ef71ce1ef5816cf97349563a5572da09c; path=/; domain=.sex.com
Content-Type: text/html
X-Cache: MISS from www.testproxy.net
Connection: close

The HTTP request from 69.0.208.167 to http://www.sex.com carries the cookie SEXCIP=64.237.55.58, which looks like a client IP address recorded by the site and differs from the connecting address, so 69.0.208.167 may be a proxy.

Identify the different Brute Force Authentication attack methods. Can you obtain the clear text username/password credentials? Describe your methods.

A web site can request a login/password using two methods: an HTML login form, whose fields are sent in the request, or HTTP Basic authentication.

For the form method, search the requests for login|username|email|uid and passwd|password. For Basic authentication, the header Authorization: Basic is only base64 encoded. In both cases, it is very easy to retrieve the login/password used.

[[email protected] logs]$ ./extract_pwd.pl
xmlrevenue.com :
sbc1.login.scd.yahoo.com login=exodus_510:passwd=matthew
sbc1.login.scd.yahoo.com login=exodus_510:passwd=matthew]
sbc1.login.scd.yahoo.com login=exodus_510:passwd=matthew
login.europe.yahoo.com login=exodus_$$$$$$$:passwd=matthew
login.europe.yahoo.com login=exodus_$$$$$$$:passwd=matthew]
login.europe.yahoo.com login=exodus_$$$$$$$:passwd=matthew
seekpond.com :
www.appliedsearch.net :
sbc2.login.dcn.yahoo.com login=exodusc:passwd=HELL
sbc2.login.dcn.yahoo.com login=exodusc:passwd=HELL]
sbc2.login.dcn.yahoo.com login=exodusc:passwd=HELL
members.asstraffic.com jonno76:jeanne
sbc2.login.scd.yahoo.com login=exodus_!!!!!!!!:passwd=HELL
sbc2.login.scd.yahoo.com login=exodus_!!!!!!!!:passwd=HELL]
sbc2.login.scd.yahoo.com login=exodus_!!!!!!!!:passwd=HELL
members.asstraffic.com printemp:gonzo2
members.asstraffic.com keon200:pimps
members.asstraffic.com x757x:lamer
members.meganqt.com dqts05d3:aiclzpuq
login.korea.yahoo.com login=exodus9971:passwd=christ
...
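As an added example (not the author's extract_pwd.pl nor any Honeynet code), a small Python parser for the audit_log record layout shown above serves both the proxy-chaining question and the credential question: it splits records at the Request: lines, reads the request headers after the dashed separator, reports the X-Forwarded-For hops per connecting client, and recovers clear-text credentials from both methods (Authorization: Basic and login forms). The sample record, its addresses and its credentials are constructed.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed record in the audit_log layout shown above (made-up addresses and credentials).
SAMPLE = """\
Request: 10.0.0.1 - - [Tue Mar  9 22:30:24 2004] "POST http://shop.example/login.php HTTP/1.1" 200 512
----------------------------------------
POST http://shop.example/login.php HTTP/1.1
Host: shop.example
X-Forwarded-For: 192.0.2.48, 198.51.100.7
Authorization: Basic Ym9iOmh1bnRlcjI=

username=alice&passwd=s3cret&keywords=Cruises
"""

def parse_records(text):
    """Split audit_log text into records: client IP, URL, request headers, form body."""
    recs = []
    for chunk in re.split(r'^(?=Request: )', text, flags=re.M):
        m = re.match(r'Request: (\S+) .*?"\S+ (\S+) ', chunk)
        if not m:
            continue
        # Headers follow the dashed line; a form body sits after the blank line that ends them.
        hdr_text, _, rest = re.split(r'^-{10,}\n', chunk, maxsplit=1, flags=re.M)[1].partition('\n\n')
        hdrs = {k.strip().lower(): v.strip() for k, _, v in
                (line.partition(':') for line in hdr_text.splitlines()[1:])}
        body = '' if rest.startswith('HTTP/') else rest.split('\n\n')[0].strip()
        recs.append({'client': m.group(1), 'url': m.group(2), 'headers': hdrs, 'body': body})
    return recs

def forwarded_chains(recs):
    """(client IP, X-Forwarded-For hops): the client is itself a proxy relaying for those hops."""
    return [(r['client'], [h.strip() for h in r['headers']['x-forwarded-for'].split(',')])
            for r in recs if 'x-forwarded-for' in r['headers']]

def credentials(recs):
    """Clear-text credentials in captured requests: HTTP Basic auth and login forms."""
    found = []
    for r in recs:
        host, auth = r['headers'].get('host', '?'), r['headers'].get('authorization', '')
        if auth.lower().startswith('basic '):
            user, _, pw = base64.b64decode(auth[6:]).decode('latin-1').partition(':')
            found.append((host, user, pw))
        form = {k.lower(): v[0] for k, v in parse_qs(r['body']).items()}
        user = [form[k] for k in ('login', 'username', 'email', 'uid') if k in form]
        pw = [form[k] for k in ('passwd', 'password') if k in form]
        if user and pw:
            found.append((host, user[0], pw[0]))
    return found
```

Every client returned by forwarded_chains is a candidate open proxy that can then be checked against the DNSBLs named above.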

What does the Mod_Security error message "Invalid Character Detected" mean? What were the attackers trying to accomplish?

The error Error: mod_security: Invalid character detected is generated when a unicode attack occurs (e.g. %255c) or when unusual characters are used (e.g. %01). The unicode attack is used for a directory traversal attack (e.g. to run winnt/system32/cmd.exe).

Request: 68.48.142.117 - - [Tue Mar  9 22:41:34 2004] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 566
Handler: (null)
Error: mod_security: Invalid character detected [193]
----------------------------------------
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Connnection: close
Host: www
mod_security-message: Invalid character detected
mod_security-action: 200
 
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html; charset=iso-8859-1

Some unusual characters like %0a can be used in attacks against Perl scripts.

Request: 217.95.32.120 - - [Fri Mar 12 12:07:52 2004] "HEAD http://oldnhorny.com/cgi/phf?qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 0
Handler: proxy-server
Error: mod_security: Invalid character detected [10]
----------------------------------------
HEAD http://oldnhorny.com/cgi/phf?qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0
Cache-Control: no-cache
Connection: close
Host: oldnhorny.com
Pragma: no-cache
Proxy-Connection: keep-alive
Referer: http://oldnhorny.com/cgi/phf?qalias=x%0a/bin/cat%20/etc/passwd
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
mod_security-message: Invalid character detected
mod_security-action: 200
 
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html; charset=iso-8859-1
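As an added example (not from the original analysis or from mod_security), a Python check that reproduces what the two records above show: decode the request URI once, report the first byte outside the allowed range, and decode repeatedly to expose the double-encoded traversal. The bracketed numbers in the records are consistent with the decimal value of the offending byte (193 for %c1, 10 for %0a); the 32-126 allowed range is an assumption about the honeypot's SecFilterForceByteRange setting, not something the page states.

```python
import re

PCT = re.compile(rb'%([0-9A-Fa-f]{2})')

def decode_once(data):
    """Decode %XX escapes exactly once on raw bytes (a single pass, as mod_security 1.x did)."""
    return PCT.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def first_invalid_byte(uri, low=32, high=126):
    """Decimal value of the first decoded byte outside [low, high], or None if all are allowed.
    The 32-126 default is an assumption about the honeypot's SecFilterForceByteRange setting."""
    return next((b for b in decode_once(uri.encode('latin-1')) if not low <= b <= high), None)

def fully_decoded(uri, max_rounds=5):
    """Decode until the result stops changing, so %255c (-> %5c -> backslash) is exposed."""
    data = uri.encode('latin-1')
    for _ in range(max_rounds):
        new = decode_once(data)
        if new == data:
            break
        data = new
    return data

def traversal_depth(uri):
    """Number of '..' segments followed by / or \\ after full decoding (directory traversal)."""
    return len(re.findall(rb'\.\.[/\\]', fully_decoded(uri)))

# The two request URIs from the audit_log records above.
CMD_EXE = '/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir'
PHF = '/cgi/phf?qalias=x%0a/bin/cat%20/etc/passwd'
```

A single decoding pass leaves %255c as the harmless-looking %5c, which is why a filter that only decodes once has to rely on the byte-range check to catch the %c1 variant, while the double-encoded backslashes only appear after the second pass.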

Several attackers tried to send SPAM by accessing the following URL - http://mail.sina.com.cn/cgi-bin/sendmsg.cgi. They tried to send email with an html attachment (files listed in the /upload directory). What does the SPAM webpage say? Who are the SPAM recipients?

The mail is sent to

The HTML page is using gb2312 encoding. On this SPAM, there are links to web site: