Summary


The attacker first made contact with the honeypot on 29 Nov 2002 at 10:07hrs (GMT+1), from the IP address 195.209.225.152. This was followed shortly by a successful root compromise via the wu-ftpd file globbing heap corruption vulnerability. The attacker left shortly after the compromise and revisited the honeypot 13 hours later, at 23:03hrs on 29 Nov 2002, exploiting the same vulnerability. These attacks were identified as the 7350wurm wu-ftpd remote root exploit. A copy of the exploit source code can be found here. Shortly after gaining access (root privilege) to the honeypot, a superuser account with userid "ftpd" and password "catalin" was created. This was immediately followed by connections from various IP addresses (perhaps as a result of announcing this in an IRC channel) via ssh, and by downloading of toolkits from various sources via http and ftp. By late 29 Nov 2002, the attackers had already trojanised the system, installed backdoors, run a sniffer, and "secured" the honeypot by patching the wu-ftpd file globbing heap corruption vulnerability.
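One check an investigator would run on the recovered filesystem to catch the backdoor root account described above, added here as an example and not part of the original report: it parses an /etc/passwd image and flags any account other than root with UID 0, as well as any UID shared by several accounts. The passwd content is constructed (the attacker's line is modelled on the "ftpd" account mentioned in the summary) and the function names are my own.

```python
"""Flag backdoored superuser accounts in an /etc/passwd image.

Added forensic check; not code from the original write-up. The passwd
content below is constructed to resemble the compromised honeypot
(a stock system plus an extra UID-0 account named "ftpd").
"""
from typing import Dict, List

# Constructed sample: a Red Hat-style passwd plus the attacker's account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
ftpd:x:0:0::/:/bin/bash
"""


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Parse passwd lines into dicts; blank and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": uid, "gid": gid,
                        "home": home, "shell": shell})
    return entries


def find_suspicious_accounts(text: str) -> Dict[str, List[str]]:
    """Return extra UID-0 account names and UIDs shared by several accounts."""
    entries = parse_passwd(text)
    # Any UID-0 account that is not root is a second superuser login.
    extra_root = [e["name"] for e in entries
                  if e["uid"] == "0" and e["name"] != "root"]
    # Duplicate UIDs (of any value) also deserve a look: an account aliasing
    # a service user inherits that user's files and privileges.
    by_uid: Dict[str, List[str]] = {}
    for e in entries:
        by_uid.setdefault(e["uid"], []).append(e["name"])
    shared = [f"{uid}:{','.join(names)}"
              for uid, names in by_uid.items() if len(names) > 1]
    return {"extra_uid0": extra_root, "shared_uids": shared}


if __name__ == "__main__":
    print(find_suspicious_accounts(SAMPLE_PASSWD))
```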

The attackers revisited the honeypot around noon on 30 Nov 2002 and added last.tgz to their arsenal. Not much was done to the honeypot, though. They paid the honeypot another visit late on 30 Nov 2002, around 23:30hrs. An outgoing ssh connection was initiated to 66.88.64.196 on port 55211. The attacker was probably using the honeypot as another hop to make connections to other hosts, so as to hinder any forensic attempt to trace back to his/her machine. At 03:17hrs on 30 Nov 2002, the attacker started a port scan for the ftp service on the IP range 128.0.0.0/8. The port scan lasted until the honeypot was brought offline at around 08:21hrs on 1 Dec 2002. The honeypot was brought offline probably because the administrator did not want it to be used as a launching pad.

The attackers are from a Romanian hacking group known as haxteam. Details about one of their members, Nykey, can be found at http://www.securityorg.net/haxori.php?action=show&nick=Nykey. Activities on the honeypot did not seem to be very co-ordinated, as we see repeated attempts to download hax.tgz. Their toolkits were derived from various sources, including lrk5, t0rnkit and adore. Their toolkits were either compiled over time, or consolidated from different group members (or both). We saw that the toolkits were compiled using different compilers. There were even binaries that were compiled on machines in the .tw domain. Some binaries were stripped, and some were not. In addition, at least two kinds of ELF virus were found. Skill levels between members also varied. We saw one of them, probably a script kiddie, who repeatedly tried to access the honeypot using the wu-ftpd vulnerability even after a backdoored root account had been created. On the other hand, it would take someone with at least an intermediate understanding of Linux to be able to gel together their toolkits.

The attackers accessed the honeypot via the following IP addresses:
These hosts would either be the attackers' own machines or hosts that had been compromised by them. Judging from the IP addresses, about 2 to 4 members of the team were involved in attacking the system.