Linux 7.2 Honey Pot
http://unix.temple.edu/~stafford/l3com/
Background
I built a Red Hat Linux 7.2 system in my office but I did not install any of the
patches. The details of the system were:
Domain name - eta.cis.temple.edu
IP address - 155.247.182.67
Ethernet address - 00:48:54:60:80:4a
I connected the system to the Internet at about 1:00 P.M. on Wednesday February
12 and monitored packets to and from 00:48:54:60:80:4a with Ethereal. The IP
address and domain name have not been used for several years so almost any
traffic is probably related to hacking activity. Between Wednesday February 12
and Sunday February 16, I captured about 10 megabytes (about 100,000 packets) of
traffic in four dump files.
The Players (in order of appearance)

    name                           ip                 action
Wednesday
    1. bzq...bezeqint.net          212.179.106.40     port 80 probe
    5. host...business.it          62.211.195.145     port 21 probe
Thursday
    1. bzq...bezeqint.net          212.179.106.40     http OPTIONS
    2. no PTR record               64.159.86.99       SQL Slammer
    3. lns...adsl.proxad.net       81.56.253.48       anonymous FTP
    4. 216...ipset18.wt.net        216.119.138.160    Code Red
    5. 200...telesp.net.br         200.204.122.60     Code Red
    6. ...metropolis-inter.com     200.74.27.228      port probes
    7. isr6657.urh.uiuc.edu        130.126.214.127    SQL Slammer
    8. www.china-poso.com          61.64.133.46       80 probe
    9. www.china-poso.com          61.64.133.46       Slapper?
    10. httest.msufgp.msu.edu      35.8.147.186       Nimda virus
    11. nycmny1...genuity.net      4.35.75.162        3 pings
Friday
    1. req.ocis.temple.edu         155.247.166.134    SQL Slammer
    2. (unregistered address)      212.134.48.13      Code Red?
    3. ool-...optonline.net        67.86.112.100      Single ping
    4. md...charter-stl.com        24.171.104.77      HTTP OPTIONS
    5. chello...vie.surfer.at      212.186.94.130     Code Red
    6. mu....missouri.edu          128.206.168.121    SQL Slammer
Saturday
    1. ms...stevens-tech.edu       155.246.212.46     3 pings
    2. cliente...supercable.es     217.216.233.67     HTTP OPTIONS
    3. n...netvigator.com          218.103.70.82      Slapper?
    4. caco.go.ro                  193.231.236.42     GET ss71.tgz
    5. 213-....fastres.net         213.156.52.138     login to 8080
    6. juniorionut.go.ro           193.231.236.42     GET selena.tgz
    7. n...netvigator.com          218.103.70.82      Slapper?
    8. www.capone.go.ro            193.231.236.42     GET iulianbot.tar.gz
    9. media08.wxs.nl              195.121.6.196      IRC
    10. proxyscan.undernet.org     193.109.122.5      telnet
    11. proxypool-7.undernet.org   193.109.122.7      HTTP CONNECT
    12. Chat sessions (port in parentheses):
        step.polymtl.ca (1043)
        sodium.mlink.net (1044)
        ns.ensicaen.ismra.fr (1045)
        Amsterdam2.NL.EU.undernet.org (1046)
        undernet.irc.cableinet.net (1047)
        195.159.135.99 (1049)
        205.188.149.20 (1050)
        babble-on.systems.cais.net (1051)
        irc.connectnet.com (1052)
        cfad1021.aros.net (1053)
        irc.erols.com (1055)
        irc.lvdi.net (1056)
        donut.vuurwerk.nl (1058)
        media08.wxs.nl (1059)
        ircu.bredband.com (1060)
        install.tu-graz.ac.at (1061)
        irc.planetinternet.be (1062)
        step.polymtl.ca (1063)
        sodium.mlink.net (1064)
        ns.ensicaen.ismra.fr (1065)
        Amsterdam2.NL.EU.undernet.org (1066)
        undernet.irc.cableinet.net (1067)
        155.159.135.99 (1069)
        205.188.149.20 (1070)
        babble-on.systems.cais.net (1071)
        irc.connectnet.com (1072)
        cfad1021.aros.net (1073; now at frame 2188, time is 08:05)
        irc.erols.com (1075)
        irc.lvdi.net (1077)
        donut.vuurwerk.nl (1079)
        media08.wxs.nl (1080)
    13. n...netvigator.com         218.103.70.82      Slapper?
    14. caco.go.ro                 193.231.236.42     GET ss71.tgz
    15. dial.xnet.ro               213.233.77.251     login to 8080
    16. jalnicu.0catch.com         209.63.57.10       GET /jalpsy.tar.gz
    17. juniorionut.go.ro          193.231.236.42     GET /selena.tgz
    18. media08.wxs.nl             195.121.6.196      Slapper?
    19. no PTR record              218.233.18.251     short https
    20. no PTR record              218.233.18.251     Slapper?
    21. node18065.a2000.nl         24.132.128.101     GET /
    22. node18065.a2000.nl         24.132.128.101     Slapper?
Sunday
    1. quivive.Colorado.EDU        128.138.120.13     Port scan
    2. quivive.Colorado.EDU        128.138.120.13     DOS attack
    3. pc129...tpnet.pl            217.99.50.129      Slapper
    4. www.geocities.com           66.218.77.68       GET /ftp4ady/gigi
    5. www.ronaldinio.com          66.218.65.94       GET /psy.tgz
    6. pweb1.geo.vip.scd.yahoo.com
    7. geo.premiumservices.yahoo.com
The Attacks (see www.cert.org)
1. SQL Slammer (Microsoft SQL 2000 Web servers).
The worm targets SQL Server computers and is self-propagating
malicious code that exploits the vulnerability described in
VU#484891 (CAN-2002-0649). This vulnerability allows for the
execution of arbitrary code on the SQL Server computer due to a
stack buffer overflow. Once the worm compromises a machine, it
will try to propagate itself. The worm will craft packets of
376-bytes and send them to randomly chosen IP addresses on port
1434/udp. If the packet is sent to a vulnerable machine, this
victim machine will become infected and will also begin to propagate.
2. Code Red. From CERT:
The "Code Red" worm is self-replicating malicious code that exploits
a known vulnerability in Microsoft IIS servers (CA-2001-13).
The "Code Red" worm attempts to connect to TCP port 80 on a randomly
chosen host assuming that a web server will be found. Upon a successful
connection to port 80, the attacking host sends a crafted HTTP GET
request to the victim, attempting to exploit a buffer overflow in the
Indexing Service described in CERT advisory CA-2001-13. The request,
wrapped here for display, looks like:
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
b%u53ff%u0078%u0000%u00=a
3. Nimda. Nimda spreads to systems running Microsoft Windows 95, 98,
ME, NT, and 2000 by e-mail, open network shares, and Microsoft IIS
directory traversal vulnerabilities. The traversals operate by
sending HTTP GET requests like:
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
4. Slapper
The Apache/mod_ssl worm is self-propagating malicious code that
exploits the OpenSSL vulnerability described in VU#102795.
This vulnerability allows a remote attacker to execute arbitrary
code as the apache user on the victim system.
5. OpenSSL vulnerability. OpenSSL is an open-source implementation
of the Secure Sockets Layer (SSL) protocol. Versions of OpenSSL
servers prior to 0.9.6e and pre-release version 0.9.7-beta2
contain a remotely exploitable buffer overflow vulnerability.
This vulnerability can be exploited by a client using a malformed
key during the handshake process with an SSL server connection
using the SSLv2 communication process.
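Added example (not from the original write-up): a small Python triage function that labels captured packets using the signatures described above (Slammer's 376-byte packets to 1434/udp, Code Red's default.ida request and its HOST:www.worm.com and "Hacked by Chinese!" strings, the Nimda cmd.exe traversal in plain and double-encoded form, HTTP OPTIONS fingerprinting, and Host-less HTTP/1.1 requests). The Packet record and the sample packets are constructed here, not taken from the dump files.

```python
import re
from dataclasses import dataclass

# Signature strings quoted in the write-up above.
CODE_RED_RE = re.compile(r"^GET /default\.ida\?N{20,}")
CODE_RED_MARKERS = ("HOST:www.worm.com", "Hacked by Chinese!")
# Nimda/IIS traversal, plain "..%5c" or the double-encoded "..%255c" form.
NIMDA_RE = re.compile(r"/scripts/\.\.%(25)?5c.*cmd\.exe", re.I)

@dataclass
class Packet:               # constructed record, not an Ethereal structure
    proto: str              # "tcp" or "udp"
    dst_port: int
    length: int             # UDP payload length in bytes
    payload: str            # decoded application data, "" if none

def classify(pkt: Packet) -> str:
    """Return the label a honeypot triage script would attach to one packet."""
    if pkt.proto == "udp" and pkt.dst_port == 1434 and pkt.length == 376:
        return "SQL Slammer"
    if pkt.proto == "tcp" and pkt.dst_port == 80:
        p = pkt.payload
        if CODE_RED_RE.search(p) or any(m in p for m in CODE_RED_MARKERS):
            return "Code Red"
        if NIMDA_RE.search(p):
            return "Nimda traversal"
        if p.startswith("OPTIONS "):
            return "HTTP OPTIONS fingerprint"
        if p.startswith("GET / HTTP/1.1") and not re.search(r"^Host:", p, re.M | re.I):
            return "HTTP/1.1 GET without Host (banner probe)"
    return "unclassified"

# Constructed sample packets modelled on the frames described in this write-up.
SAMPLES = [
    Packet("udp", 1434, 376, ""),
    Packet("tcp", 80, 0, "GET /default.ida?" + "N" * 224 + "%u9090%u6858 HTTP/1.0\r\n"),
    Packet("tcp", 80, 0, "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir\r\n"),
    Packet("tcp", 80, 0, "OPTIONS / HTTP/1.0\r\n\r\n"),
    Packet("tcp", 80, 0, "GET / HTTP/1.1\r\n\r\n"),
    Packet("tcp", 80, 0, "GET / HTTP/1.1\r\nHost: eta.cis.temple.edu\r\n\r\n"),
]

def triage(packets=SAMPLES):
    return [classify(p) for p in packets]

if __name__ == "__main__":
    for p, label in zip(SAMPLES, triage()):
        print(f"{p.proto}/{p.dst_port:<5} {label}")
```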
The Hackers are Coming
Wednesday February 12
1. boot.log.1 - System booted at 12:12. Note that HTTP was not started.
2. eta12feb03.dmp - First probe at 14:52 from 212.179.106.40
(bzq-179-106-40.cablep.bezeqint.net). Traceroute reaches as far as
Newark.Teleglobe.net. HTTP was not configured, so a RST was returned.
3. boot.log.1 - System rebooted at 16:56, HTTP started.
4. eta13.feb03.dmp - 16:10 reboot; eta sends an ARP packet.
5. eta13.feb03.dmp frame 6 - 17:12 FTP from 62.211.195.145
(host145-195.pool62211.interbusiness.it) with no prior contact. It resets
the original connection (port 21 to port 21, probably a scan) and starts
a second one. The hacker now knows the FTP server is wu-2.6.1-18.
6. eta13.feb03.dmp frame 49. Code Red attack from 217.61.54.2 at 23:22.
(Code Red is a buffer overflow attack against unpatched Microsoft IIS
servers.) Note the "default.ida?NNNNNNNNNNNNNNNNN..." in frame 51.
Thursday February 13 (eta13feb03.dmp)
1. frame 67 - 212.179.106.40 (bzq-179-106-40.cablep.bezeqint.net) sends
an HTTP OPTIONS request to gather information about our Apache web server.
2. frame 76 - SQL Slammer attack from 64.159.86.99 (no PTR record).
3. frame 79 - Anonymous FTP login from 81.56.253.48
(lns-th2-3-81-56-253-48.adsl.proxad.net). The FTP session follows:
220 eta.stafford.temple.edu FTP server (Version wu-2.6.1-18) ready.
USER anonymous
331 Guest login ok, send your complete e-mail address as password.
PASS
230 Guest login ok, access restrictions apply.
CWD
500 'CWD ': command not understood.
CWD /pub/
250 CWD command successful.
MKD 030213133102p
550 030213133102p: Permission denied on server. (Upload dirs)
CWD /public/
550 /public/: No such file or directory.
CWD /_vti_pvt/
550 /_vti_pvt/: No such file or directory.
CWD /_vti_txt/
550 /_vti_txt/: No such file or directory.
CWD /_vti_cfg/
550 /_vti_cfg/: No such file or directory.
CWD /_vti_log/
550 /_vti_log/: No such file or directory.
CWD /_vti_cnf/
550 /_vti_cnf/: No such file or directory.
CWD /_private/
550 /_private/: No such file or directory.
CWD /incoming/
550 /incoming/: No such file or directory.
CWD /pub/incoming/
550 /pub/incoming/: No such file or directory.
CWD /public/incoming/
550 /public/incoming/: No such file or directory.
CWD /public_html/
550 /public_html/: No such file or directory.
CWD /upload/
550 /upload/: No such file or directory.
CWD /wwwroot/
550 /wwwroot/: No such file or directory.
CWD /mailroot/
550 /mailroot/: No such file or directory.
CWD /ftproot/
550 /ftproot/: No such file or directory.
CWD /home/
550 /home/: No such file or directory.
CWD /images/
550 /images/: No such file or directory.
CWD /web/
550 /web/: No such file or directory.
CWD /www/
550 /www/: No such file or directory.
CWD /html/
550 /html/: No such file or directory.
CWD /cgi-bin/
550 /cgi-bin/: No such file or directory.
CWD /usr/
550 /usr/: No such file or directory.
CWD /usr/incoming/
550 /usr/incoming/: No such file or directory.
CWD /temp/
550 /temp/: No such file or directory.
CWD /~temp/
550 /~temp/: No such file or directory.
CWD /tmp/
550 /tmp/: No such file or directory.
CWD /~tmp/
550 /~tmp/: No such file or directory.
CWD /outgoing/
550 /outgoing/: No such file or directory.
CWD /anonymous/
550 /anonymous/: No such file or directory.
CWD /anonymous/_vti_pvt/
550 /anonymous/_vti_pvt/: No such file or directory.
CWD /anonymous/_vti_cnf/
550 /anonymous/_vti_cnf/: No such file or directory.
CWD /anonymous/incoming/
550 /anonymous/incoming/: No such file or directory.
CWD /anonymous/pub/
550 /anonymous/pub/: No such file or directory.
CWD /anonymous/public/
550 /anonymous/public/: No such file or directory.
221 You could at least say goodbye.
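Added example (not part of the original write-up): a parser for an FTP control-channel transcript like the one above. It pairs each client command with the reply that follows it and flags the pattern of an anonymous upload-directory scan (anonymous login, an MKD attempt, then a run of failed CWDs into common upload paths). The transcript excerpt is constructed from the session shown; the threshold of three failed CWDs is an assumption.

```python
import re

# Constructed excerpt of the session above, commands and replies interleaved.
SESSION = """220 eta.stafford.temple.edu FTP server (Version wu-2.6.1-18) ready.
USER anonymous
331 Guest login ok, send your complete e-mail address as password.
PASS
230 Guest login ok, access restrictions apply.
CWD /pub/
250 CWD command successful.
MKD 030213133102p
550 030213133102p: Permission denied on server. (Upload dirs)
CWD /public/
550 /public/: No such file or directory.
CWD /_vti_pvt/
550 /_vti_pvt/: No such file or directory.
CWD /incoming/
550 /incoming/: No such file or directory.
221 You could at least say goodbye."""

REPLY_RE = re.compile(r"^(\d{3}) ")  # server reply lines start with a 3-digit code
def analyse_ftp(transcript: str = SESSION) -> dict:
    """Pair each client command with the server reply that follows it."""
    stats = {"anonymous": False, "mkd_attempts": 0, "cwd_ok": 0,
             "cwd_failed": 0, "dirs_tried": []}
    user, pending = None, None
    for line in transcript.splitlines():
        m = REPLY_RE.match(line)
        if not m:                       # a client command line
            pending = line.split(" ", 1)
            continue
        code, cmd, pending = int(m.group(1)), pending, None
        if cmd is None:                 # banner or goodbye, no command before it
            continue
        verb, arg = cmd[0].upper(), (cmd[1] if len(cmd) > 1 else "")
        if verb == "USER":
            user = arg.lower()
        elif verb == "PASS" and code == 230:
            stats["anonymous"] = (user == "anonymous")
        elif verb == "MKD":
            stats["mkd_attempts"] += 1
        elif verb == "CWD":
            stats["dirs_tried"].append(arg)
            stats["cwd_ok" if code == 250 else "cwd_failed"] += 1
    # Heuristic (assumption): anonymous login + MKD + several failed CWDs = upload scan.
    stats["upload_scan"] = (stats["anonymous"] and stats["mkd_attempts"] > 0
                            and stats["cwd_failed"] >= 3)
    return stats
```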
4. frame 190 - Code Red attack from 216.119.138.160
(216-119-138-160.ipset18.wt.net). Note "default.ida?NNNNNNNNN..."
in frame 195.
5. frame 208 - Another Code Red attack, this one from 200.204.122.60
(200-204-122-60.dsl.telesp.net.br).
6. frame 227 - Probes to ports 1080, 8080, and 80 from 200.74.27.228
(pc960-200-74-27-228.las-condes1.pc.metropolis-inter.com).
Thursday February 13, part 2 (eta14feb03.dmp)
1. eta14feb03.dmp frame 2. Ping from 130.126.214.127 (isr6657.urh.uiuc.edu)
at 16:47 followed by a "slammer" attack on the ms-sql-s port, 1433. (Slammer
attacks unpatched versions of Microsoft SQL Server.) Since nothing is
listening on port 1433, eta resets the connection.
2. eta14feb03.dmp frame 23. HTTP from 61.64.133.46 (www.china-poso.com) at
17:44. Traceroute leads to Taiwan. The packets from port 3207 are a probe and
the packets from port 3318 are designed to get more information. The request
(GET / HTTP/1.1) in frame 29 causes eta to return the "Bad Request" in
frame 31. (In HTTP/1.1, a Host request header field (e.g. "Host: www.w3.org")
is required on every GET request.) Notice how much data about itself
Apache supplies in frame 31.
3. eta14feb03.dmp frames 34 and 38. 61.64.133.46 comes back to the HTTPS
port (port 443), which transmits web pages over the Novell SSL (Secure
Sockets Layer) protocol. 61.64.133.46 continues by opening about 20
https sessions (syn, syn-ack, and ack) through frame 105. The SSLv2 client
hello at frame 106 is followed by the server hello at frame 108, which
provides a lot of information. After receiving an [Unreassembled Packet:
SSL] message at frame 122 on the SSL session on port 3689, 61.64.133.46
closes all the SSL connections (through frame 192).
4. eta14feb03.dmp frame 197. Nimda virus attack from 35.8.147.186
(httest.msufgp.msu.edu). Nimda connects to port 80 and, assuming this
is a Microsoft Windows system, immediately tries to ".." up to the root
of the C: disk to get a command prompt in frame 200 with the GET request
"GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir\r\n".
5. eta14feb03.dmp frame 207. Our next visitor, 4.35.75.162
nycmny1-ar3-4-35-075-162.nycmny1.elnk.dsl.genuity.net, arrives at
21:40 with three pings. Perhaps he will return later.
Friday February 14
1. eta14feb03.dmp frame 214. It is 45 minutes after midnight and
155.247.166.134 tries to slam eta (assuming it is a Windows machine
running SQL).
2. eta14feb03.dmp frame 221. At 14:13, a Code Red virus attack from
212.134.48.13 (an unregistered address that can be traced as far as
so0-0-0-0.br1.thlon.uk.easynet.net). In frames 224 and 226, note
the Code Red signature "GET default.ida?NNNNNNNNNNNNNNNNN..."
In the dump of frame 226, note the "HOST:www.worm.com", which is
also a Code Red signature.
3. eta14feb03.dmp frame 236. At 14:44, 67.86.112.100,
(ool-43567064.dyn.optonline.net which can be traced to
ubr104.cmts.nrwlct.cv.net, which is probably Connecticut) sends us
a single ping.
4. eta16feb03.dmp frame 2. At 19:53, 24.171.104.77
(md.24.171.104.77.charter-stl.com, traceroute to
gar3-p360.sl9mo.ip.att.net; "sl" is St. Louis, Missouri) sends us a
ping and then starts an HTTP session to port 80, sending us an HTTP
OPTIONS header (frame 7). We respond with our options (frame 9) and
the connection is closed.
5. eta16feb03.dmp frame 15. At 21:35, Code Red attack from 212.186.94.130
(chello212186094130.11.vie.surfer.at, .at is Austria). Note the
Code Red signature, "GET default.ida?NNNNNNNNN..." in frames 18 and 22.
Note the text, "Hacked by Chinese!" in frame 27, another signature
of Code Red.
6. eta16feb03.dmp frame 31. Another Slammer attempt, this one at 23:48
from 128.206.168.121 (mu-168121.dhcp.missouri.edu).
Saturday February 15
1. eta16feb03.dmp frame 34. At 01:08, three pings from
155.246.212.46 (msimone.u05.stevens-tech.edu).
2. eta14feb04.dmp frame 41. At 03:14, ping from 217.216.233.67
(cliente-217216233067.uBRsec01.supercable.es, Spain) followed by
an OPTIONS request to our HTTP server (frame 46).
3. eta14feb04.dmp frame 54. At 06:45, 218.103.70.82
(n218103070082.netvigator.com, traced as far as California)
opens an https session (secure http using Secure Socket Layer
or SSL) between eta port 443 (the https server port) and port
36103 on netvigator. Beginning at frame 61, netvigator opens an
http connection to eta port 80 and, in frame 64, sends an HTTP
GET request (GET / HTTP/1.1 \r\n\r\n) without the required
Host request-header field (e.g. "Host: www.w3.org"), which
causes eta to return an error message and other information.
4. frame 72. Beginning at frame 33, netvigator opens about 30 HTTPS
sessions to eta port 443 (packets to 72 through 173). After some exchange
of encrypted data (not very much), most of the connections are closed.
However, the https conversation on netvigator's port 55125, which begins
at frame 162, transfers several hundred bytes of application data.
The data transfer ends at frame 183, and the conversation ends at frame 308.
The https conversation beginning at frame 165 from port 55126 on netvigator
and subsequent https conversations are similar. However, the https
conversation from netvigator port 55128 beginning at frame 171 and ending
at frame 333 contains:
..//shh/bin...
TERM=xterm; export TERM=xterm; exec bash -i
uname -a;id;w;
bash: no job control in this shell
bash-2.05$
bash-2.05$ uname -a;id;w;
Linux eta.stafford.temple.edu 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686 unknown
uid=48(apache) gid=48(apache) groups=48(apache)
5. Frame 334 is a RST, ACK from port 1031 on eta to port 55128
(the https session above) on 218.103.70.182. eta should not be
sending anything from port 1031 unless someone sent something to
port 1031. This is probably a signal of a successful hack.
This is probably "Slapper", a worm that affects Linux machines that
are running Apache web server with OpenSSL enabled.
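Added example (not from the original write-up): the three behavioural tells of this compromise, checked in Python over a constructed connection summary. The frame numbers, the shell text and the unsolicited RST from port 1031 follow the write-up; the client ports, the TCP flag letters and where the shell text sits in the stream are assumptions, as is the burst threshold of 20 sessions.

```python
from collections import Counter

HONEYPOT = "155.247.182.67"          # eta's address from the write-up
ATTACKER = "218.103.70.82"
# Shell text quoted in the write-up; none of it belongs in the clear on an https stream.
SHELL_MARKERS = ("exec bash -i", "uname -a;id;w;",
                 "no job control in this shell", "uid=48(apache)")

# Constructed connection summary: (frame, src, sport, dst, dport, tcp_flags, payload).
# Frame numbers follow the write-up; client ports and payload placement are illustrative.
FRAMES = [(f, ATTACKER, 55000 + f, HONEYPOT, 443, "S", "") for f in range(72, 102)] + [
    (171, ATTACKER, 55128, HONEYPOT, 443, "PA", "TERM=xterm; export TERM=xterm; exec bash -i\n"),
    (172, ATTACKER, 55128, HONEYPOT, 443, "PA", "uname -a;id;w;\n"),
    (173, HONEYPOT, 443, ATTACKER, 55128, "PA", "uid=48(apache) gid=48(apache) groups=48(apache)\n"),
    (334, HONEYPOT, 1031, ATTACKER, 55128, "RA", ""),
]

def slapper_indicators(frames, burst=20):
    """Three behavioural signs of the Slapper-style compromise described above."""
    findings = []
    # 1. One source opening many https sessions in a row (mass SSLv2 handshakes).
    syns = Counter(src for _, src, _, dst, dport, flags, _ in frames
                   if dst == HONEYPOT and dport == 443 and flags == "S")
    findings += [f"{src}: {n} https connections opened" for src, n in syns.items() if n >= burst]
    # 2. Shell commands or output visible in the clear inside an "encrypted" stream.
    for frame, src, sport, dst, dport, _, payload in frames:
        if 443 in (sport, dport) and any(m in payload for m in SHELL_MARKERS):
            findings.append(f"frame {frame}: shell text in clear, {src}:{sport} -> {dst}:{dport}")
    # 3. The honeypot talking from a port nobody ever connected to (frame 334's RST from 1031).
    served = {dport for _, _, _, dst, dport, _, _ in frames if dst == HONEYPOT}
    findings += [f"frame {fr}: unsolicited packet from honeypot port {sp} to {dst}:{dp}"
                 for fr, src, sp, dst, dp, _, _ in frames if src == HONEYPOT and sp not in served]
    return findings

if __name__ == "__main__":
    print("\n".join(slapper_indicators(FRAMES)))
```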
6. Frame 336 begins (and frame 437 ends) another block of 30 or so
https connections from 218.103.70.82. Through frame 578, most of
them are terminated. However, the SSL conversation on port 55264
which begins at frame 435 and continues through frame 987 contains: