Summary
The attacker first made contact with the honeypot on 29 Nov 2002 at
10:07hrs (GMT+1), from the IP address 195.209.225.152. This was followed
shortly by a successful root compromise via the wu-ftpd file
globbing heap corruption vulnerability. The attacker left shortly
after the compromise, and revisited the honeypot 13 hours later, at 29
Nov 2002 23:03hrs, exploiting the same vulnerability. These attacks were
identified as the 7350wurm wu-ftpd remote root exploit. A copy of the
exploit source code can be found here.
Shortly after gaining access (root privilege) to the honeypot, a
superuser account with userid "ftpd" and password "catalin" was created.
This was immediately followed by connections from various IP
addresses (perhaps as a result of announcing this in an IRC channel) via
ssh and the downloading of toolkits from various sources via http and ftp.
By late 29 Nov 2002, the attackers had already trojanised the system,
installed backdoors, run a sniffer, and "secured" the honeypot by patching
the wu-ftpd file globbing heap corruption vulnerability.
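The backdoored superuser account described above is the kind of change a forensic analyst looks for first in a recovered /etc/passwd. The following is an added example, not part of the original write-up or of any tool the attackers used: it parses passwd(5) lines and flags entries that deserve attention (a UID 0 account that is not root, an empty password field, a duplicated UID, a malformed line). The passwd content in SAMPLE_PASSWD is constructed for illustration and mirrors the "ftpd" account the summary mentions; no other detail is taken from the honeypot image.

```python
# Added example (not from the original analysis): spot backdoor root
# accounts and related oddities in a passwd(5) listing.

# Constructed sample resembling a compromised /etc/passwd; the "ftpd"
# entry is modelled on the superuser account described in the summary.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
ftpd:x:0:0::/:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd(5) text into a list of dicts, one per account.

    Blank lines and comments are skipped. Lines that do not have exactly
    seven colon-separated fields are kept but marked malformed, because a
    hand-edited passwd file is itself a forensic signal.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"name": fields[0], "line": lineno, "malformed": True})
            continue
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append({
            "name": name,
            "passwd": passwd,
            "uid": int(uid) if uid.isdigit() else None,
            "gid": int(gid) if gid.isdigit() else None,
            "gecos": gecos,
            "home": home,
            "shell": shell,
            "line": lineno,
            "malformed": False,
        })
    return entries


def find_suspicious_accounts(entries):
    """Return (account name, reason) pairs for entries worth reviewing."""
    findings = []
    seen_uids = {}  # uid -> first account name seen with that uid
    for e in entries:
        if e["malformed"]:
            findings.append((e["name"], "malformed entry (wrong field count)"))
            continue
        if e["uid"] == 0 and e["name"] != "root":
            # Any second UID 0 account is a backdoor root account until proven otherwise.
            findings.append((e["name"], "UID 0 account other than root"))
        elif e["uid"] is not None and e["uid"] in seen_uids:
            findings.append((e["name"], "duplicate UID %d (also %s)" % (e["uid"], seen_uids[e["uid"]])))
        if e["uid"] is not None and e["uid"] not in seen_uids:
            seen_uids[e["uid"]] = e["name"]
        if e["passwd"] == "":
            # Empty field means no password at all (not a shadow reference).
            findings.append((e["name"], "empty password field"))
    return findings


if __name__ == "__main__":
    for name, reason in find_suspicious_accounts(parse_passwd(SAMPLE_PASSWD)):
        print("%-10s %s" % (name, reason))
```

On a real image, feed the function the passwd file from the mounted evidence rather than the live system, and compare against the distribution's stock passwd to separate legitimate service accounts from additions.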
The attackers revisited the honeypot around noon on 30 Nov 2002, and added
last.tgz to their arsenal. Not much was done to the honeypot though.
They paid the honeypot another visit late on 30 Nov 2002, around
23:30hrs. An outgoing ssh connection was initiated to 66.88.64.196 on
port 55211. The attacker was probably using the honeypot as another hop
to make connections to other hosts so as to hinder any forensic
attempts to trace back to his/her machine. At 03:17hrs 30 Nov 2002, the
attacker started a port scan for the ftp service on the IP range 128.0.0.0/8.
The port scan attempt lasted until the honeypot was brought
offline at around 08:21hrs 1 Dec 2002. The honeypot was brought offline
probably because the administrator did not want the honeypot to be used
as a launching pad.
The attackers are from a Romanian hacking group known as haxteam.
Details about one of their members, Nykey, can be found at http://www.securityorg.net/haxori.php?action=show&nick=Nykey.
Activities on the honeypot did not seem to be very co-ordinated, as we
see repeated attempts to download hax.tgz. Their toolkits were derived
from various sources, including lrk5, t0rnkit and adore.
Their toolkits were either compiled over time, or consolidated from
different group members (or both). We saw that the toolkits were
compiled using different compilers. There were even binaries that were
compiled on machines in the .tw domain. Some binaries were stripped, and some
were not. In addition, at least two kinds of ELF virus were
found. Skill levels between members also varied. We saw one of them,
probably a script kiddie, who repeatedly tried to access the honeypot
using the wu-ftpd vulnerability even after a backdoored root account had
been created. On the other hand, it would take someone with at least
an intermediate understanding of Linux to be able to gel together their
toolkits.
The attackers accessed the honeypot via the following IP addresses:
- 62.142.9.8
- 62.231.97.141
- 62.231.97.142
- 62.231.97.143
- 62.231.97.144
- 80.97.37.66
- 80.97.37.79
- 80.96.39.47
- 193.231.112.211
- 195.209.225.152
- 213.150.165.194
These hosts would either be the attackers' machines or hosts that had
been compromised by them. Judging from the IP addresses, about 2 to 4
members of the team were involved in attacking the systems.