Honeypot Compromises III
We continue our tour of compromised honeypots at the German Honeynet Project, all of which happened while Jan Göbel was mainly responsible for the honeypots. Back in April 2006, a honeypot running RedHat 8.0 was compromised due to a weak user password. You presumably see SSH brute-force attacks against your own systems quite frequently. This blog post is about what can happen if one of your users has a weak password...
Introduction:
On 3rd April 2006, our Red Hat 8.0 based Honeypot was compromised due to weak SSH passwords on both a user account and the root account. Using the Honeywall logfiles together with the information gathered from the Honeypot itself, we will try to reconstruct the events that led to the takeover, as well as the modifications the intruder made to the system.
The intruder initiated an SSH brute-force attack on the Honeypot shortly after midnight. The attack originated from a university host in Norway (witch.xxx.no). Many different username and password combinations were tried until the intruder finally managed to log in as the root user. Once the system was compromised, several tools were downloaded from different webservers to facilitate the attacker's malicious actions. Among these tools were some SSH scanners, an IRC client and a rootkit. The Honeypot was then misused to scan other systems for more weak SSH passwords. Besides the rootkit (zk.tgz), a backdoor was installed, listening on port 3209. Thus the attacker was able to return to the Honeypot at any time, unnoticed. Additionally, the intruder tried to download the movie “Get Rich Or Die Tryin (Spanish)”, but failed to do so. At about 17:30:27 p.m., it was decided to shut down the Honeypot and start the in-depth investigation.
The complete write-up is available in PDF format.
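The sequence described above, a burst of failed SSH logins from one source followed by a successful root login, is exactly what an auth-log monitor should raise an alert on. The following is an added example, not code from the German Honeynet Project or from the write-up: it parses Red Hat era sshd syslog lines (the "illegal user" wording of that period, plus the later "invalid user" form) and flags a source once it crosses a failure threshold inside a time window, and again if a login from that source then succeeds. The log lines, host names and addresses are constructed for the example; the year 2006 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd syslog lines modelled on the incident: a brute-force
# run from one source ending in a successful root login, then one ordinary user
# who mistypes a password once. The addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Apr  3 00:04:11 honeypot sshd[2101]: Failed password for root from 10.0.0.5 port 40211 ssh2
Apr  3 00:04:13 honeypot sshd[2103]: Failed password for illegal user test from 10.0.0.5 port 40212 ssh2
Apr  3 00:04:15 honeypot sshd[2105]: Failed password for root from 10.0.0.5 port 40213 ssh2
Apr  3 00:04:17 honeypot sshd[2107]: Failed password for illegal user admin from 10.0.0.5 port 40214 ssh2
Apr  3 00:04:19 honeypot sshd[2109]: Failed password for root from 10.0.0.5 port 40215 ssh2
Apr  3 00:04:21 honeypot sshd[2111]: Failed password for root from 10.0.0.5 port 40216 ssh2
Apr  3 00:04:23 honeypot sshd[2113]: Accepted password for root from 10.0.0.5 port 40217 ssh2
Apr  3 09:12:40 honeypot sshd[2301]: Failed password for alice from 192.0.2.20 port 51000 ssh2
Apr  3 09:12:45 honeypot sshd[2303]: Accepted password for alice from 192.0.2.20 port 51001 ssh2
"""

# Matches both the old "illegal user" and the newer "invalid user" sshd wording.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:illegal user |invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2006):
    """Return a dict with time/result/user/src for an sshd auth line, else None.

    Syslog timestamps have no year, so one is assumed (2006 for this sample).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    # Collapse the double space in "Apr  3" before parsing.
    stamp = " ".join(m["ts"].split())
    when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"time": when, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Scan sshd log text and return a list of alert dicts.

    A source is reported once as "brute_force" when it accumulates `threshold`
    failures inside `window`, and as "success_after_brute_force" for every
    accepted login that follows such a burst from the same source.
    """
    failures = defaultdict(list)   # src -> timestamps of recent failures
    flagged = set()                # sources already reported as brute-forcing
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        # Drop failures that fell out of the sliding window.
        recent = [t for t in failures[src] if ev["time"] - t <= window]
        if ev["result"] == "Failed":
            recent.append(ev["time"])
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"kind": "brute_force", "src": src,
                               "failures": len(recent), "time": ev["time"]})
        elif len(recent) >= threshold:
            # A successful login right after a burst of failures: the password
            # was most likely guessed, so treat the account as compromised.
            alerts.append({"kind": "success_after_brute_force", "src": src,
                           "user": ev["user"], "failures": len(recent),
                           "time": ev["time"]})
        failures[src] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample the scanner reports 10.0.0.5 after its fifth failure and then again when the root login is accepted two seconds later; alice's single typo never reaches the threshold. The second alert kind is the one worth paging on, since it marks the moment the weak password stopped being a risk and became a compromise.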


