Honeypot Compromise: Default FTP Login

Saturday, December 16. 2006
We had another compromise of one of our honeypots this week. The honeypot was running Windows 2000 Professional with the latest service packs. In addition, a firewall blocked access to TCP ports 135 and 445 in order to block most of the automated attacks caused by bots and other autonomously spreading malware. The honeypot was running XAMPP, a free software package containing the Apache web server, the MySQL database, the FileZilla FTP server, and some other tools. XAMPP is not designed for use as a production system, but we chose it in the hope of finding manual attacks.
This was indeed successful: we caught an attacker who used the default password of the FileZilla FTP server to upload netcat and a PHP shell backdoor. With the help of these tools, he got access to a command shell on the honeypot and installed his complete tool set. Some interesting tools (a log sweeper for Windows, a vulnerability scanner, ...) could be retrieved, and we are still analyzing the incident.
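The attack chain above (logon with a shipped FTP account, then upload of netcat and a PHP shell) leaves a recognizable trace in the FTP server's own log. The following is an added example, not code from the honeypot project or from FileZilla, that scans a FileZilla-style log for such sessions; the log lines, the log format details and the default-account list are constructed assumptions and should be adjusted to the real server output.

```python
import re

# Constructed sample log in a FileZilla-Server-like layout (assumption: the
# real format may differ in detail; adapt LINE_RE to your server's output).
SAMPLE_LOG = """\
(000001)16.12.2006 03:12:05 - (not logged in) (192.0.2.10)> USER ftpuser
(000001)16.12.2006 03:12:05 - (not logged in) (192.0.2.10)> PASS ***
(000001)16.12.2006 03:12:06 - ftpuser (192.0.2.10)> 230 Logged on
(000001)16.12.2006 03:12:09 - ftpuser (192.0.2.10)> STOR nc.exe
(000001)16.12.2006 03:12:10 - ftpuser (192.0.2.10)> 226 Transfer OK
(000001)16.12.2006 03:12:12 - ftpuser (192.0.2.10)> CWD /htdocs
(000001)16.12.2006 03:12:13 - ftpuser (192.0.2.10)> STOR cmd.php
(000001)16.12.2006 03:12:13 - ftpuser (192.0.2.10)> 226 Transfer OK
(000002)16.12.2006 04:01:00 - (not logged in) (198.51.100.7)> USER ftpuser
(000002)16.12.2006 04:01:01 - (not logged in) (198.51.100.7)> 530 Login or password incorrect!
"""

# (session id) date time - user (client ip)> server/client message
LINE_RE = re.compile(r"^\((\d+)\)(\S+ \S+) - (.+?) \(([\d.]+)\)> (.*)$")

# Extensions that, once written under the web root, give code execution
# through Apache (.php) or a foothold on the host (.exe, .bat, ...).
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp", ".exe", ".bat", ".vbs")

# Constructed placeholder: list the accounts your XAMPP/FileZilla install
# ships with so any successful logon on them is flagged.
DEFAULT_ACCOUNTS = {"ftpuser"}


def scan_ftp_log(text):
    """Return alerts as (session, ip, kind, detail) tuples: successful logons
    on shipped default accounts, and uploads (STOR) of scripts/executables."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that are not log records
        sid, _ts, user, ip, msg = m.groups()
        if msg.startswith("230") and user in DEFAULT_ACCOUNTS:
            alerts.append((sid, ip, "default-account-logon", user))
        elif msg.upper().startswith("STOR "):
            name = msg[5:].strip()
            if name.lower().endswith(SCRIPT_EXT):
                alerts.append((sid, ip, "script-upload", name))
    return alerts


if __name__ == "__main__":
    for alert in scan_ftp_log(SAMPLE_LOG):
        print("ALERT session=%s ip=%s %s: %s" % alert)
```

Disabling or re-passwording the shipped account before exposing the service is the fix; the scan above is for noticing when that step was missed.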
The honeypot was set up and administered by Torsten Stern as part of his internship at our lab.