Timeline

A detailed timeline of the attacker's activities. All times are GMT+1.

Date Time (hh:mm) Event(s)

28/11/2002
16:43  Scanning from 158.64.60.71.

29/11/2002
10:07  First contact logged in the capture file (195.209.225.152).
       Probably a scanner: a second connection came from the same IP within 1 second,
       and each connected and disconnected within 0.1 second.
10:12  Another connection to the FTP server; connect and disconnect within 0.2 seconds.
10:13  Start of attack by 195.209.225.152.
       The attack has been identified as 7350wurm, a wu-ftpd remote root exploit, available at
       http://packetstormsecurity.org/0205-exploits/7350wurm.c
10:13  195.209.225.152 obtained root. (trace available separately)
10:30  Attacker left (exit).
10:46  System is probed on port 80.
23:03  Same exploit (7350wurm) again.
23:03  Obtained root (session lasted 27 minutes). (trace available separately)

Below is a summary of activities and their approximate times.

[23:03] unset HISTFILE;id;uname -a;
[23:04] created user with the command "/usr/sbin/adduser -u0 -g 0 ftpd" (password is catalin)
[23:05] tried to issue adduser ftpd again; command issued is "/usr/sbin/adduser ftpd"
[23:07] issued w
[23:09] issued ls -a
[23:14] issued uptime
[23:14] issued ps -ax

The process-list entries whose terminal is pts/0 are commands issued by the attacker. We can see that by this time the sniffer, kde, had been run. The attacker had also executed the command ptr to escalate privileges, even though it was already using a superuser account! The bigwar.tgz archive had already been downloaded and was in the process of being extracted. Other processes running included one removing the string yahoo.com from log files, and the setup script.
[23:17] ftp to haxteam.org (user haxteam.org, password tar-xzvf) to get hax.tgz
[23:30] ls -a
[23:30] kill -9 $4
[23:30] kill -9 $$
23:04  ssh into 192.168.1.2 from 62.231.97.143 (duration about 4 minutes).
       This ssh session came in about 10 seconds after the user ftpd was created.
       The ssh client used by 62.231.97.143 has the banner SSH-1.5-PuTTY-Release-0.52.
23:05  ssh connect from 62.231.97.142 (31 minutes).
       (Note that it overlaps with the ssh session above.)
       The ssh client used by 62.231.97.143 has the banner SSH-1.5-PuTTY-Release-0.52.
23:06  get locale.tgz from rho-team.org (66.218.65.125) via http with Wget/1.7
       (command issued by attacker from 62.231.97.142)
23:07  get hax.tgz from haxteam.org (208.185.127.162) via http with Wget/1.7
       (this is actually the hax-small.tgz provided)
       (command issued by attacker from 62.231.97.142)
23:08  get hax.tgz from rho-team.org via http with Wget/1.7, unsuccessful (file not found error)
       (command issued by attacker from 62.231.97.142)
23:08  ftp to 63.99.209.65 (user steamer, password lamuie) to get hax.tgz
       (command issued by attacker from 62.231.97.142)
23:10  sent mail about the server to haxteam@yahoo.com via mta529.mail.yahoo.com (mail available separately)
       (command issued by attacker from 62.231.97.142)
23:10  sent mail about the server to haxteam@haxteam.org via mail.freeservers.com (mail available separately)
       (command issued by attacker from 62.231.97.142)

Judging from the mail, we can deduce that it is the output of the mailme script in hax.tgz. As mailme is called from the setup script in hax.tgz, we suspect that by this time the attacker had run the setup script. The attacker could, of course, have invoked mailme by hand rather than through setup, but we consider invocation by the setup script more likely. Running setup causes the create, replace, remove, modules, startfile, mailme and clean scripts to be run. Knowing this, we can deduce which files were trojanised and what changes were made to the system. These include:
  • created the directory "/lib/security/   /tools" and placed the sniffer in it
  • trojanised lsof, libproc.2.0.6, md5sum, ifconfig, netstat, ps, top, pstree, dir, vdir, killall, du, ls, and nscd (trojanised sshd)
  • removed other rootkits, if found
  • started nscd (trojanised sshd) and kde (sniffer)
  • modified the initialisation script to start nscd and kde
  • collected system information and mailed it to EnForCeR
  • cleaned logs to remove traces
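The list above is also a checklist for an integrity sweep of a suspect host. The following is an added example, not part of the original analysis or of hax.tgz: it looks for the three artefacts the list names, a directory whose name is only whitespace (the "/lib/security/   /" trick), replaced system binaries whose hashes no longer match a known-good baseline, and init-script lines that start nscd or kde. The directory layout, the baseline hashes and the rc-file location under etc/ are assumptions; the demo builds a constructed tree in a temporary directory so it runs offline. Because md5sum itself is on the trojaned list, any real sweep must hash with a tool from known-good media rather than the one on the suspect system.

```python
import hashlib
import os
import re
import tempfile

# Binaries the timeline says the hax.tgz setup script replaces (libproc.2.0.6 is a library,
# not a command, so it is left out of this toy /bin layout).
TROJANED_NAMES = ["lsof", "md5sum", "ifconfig", "netstat", "ps", "top", "pstree",
                  "dir", "vdir", "killall", "du", "ls", "nscd"]
# Processes the rootkit adds to the init scripts: nscd (trojaned sshd) and kde (sniffer).
# nscd is also a legitimate Red Hat daemon, which is why the rootkit borrowed the name;
# a hit is a lead to verify against package data, not a verdict.
SUSPECT_STARTUP = re.compile(r"\b(nscd|kde)\b")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_whitespace_dirs(root):
    """Directory names made only of whitespace, like the '/lib/security/   /tools' on the page."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.strip() == "":
                hits.append(os.path.relpath(os.path.join(dirpath, d), root))
    return sorted(hits)


def compare_binaries(root, baseline):
    """Names under <root>/bin whose hash differs from (or is missing in) the known-good baseline."""
    changed = []
    for name in TROJANED_NAMES:
        good = baseline.get(name)
        if good is None:
            continue  # no reference hash available, nothing to compare against
        path = os.path.join(root, "bin", name)
        if not os.path.isfile(path) or sha256_file(path) != good:
            changed.append(name)
    return sorted(changed)


def find_suspect_startup(root):
    """Lines in <root>/etc/**/rc* files that launch nscd or kde (assumed init-script location)."""
    hits = []
    for dirpath, _, filenames in os.walk(os.path.join(root, "etc")):
        for fn in filenames:
            if not fn.startswith("rc"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, errors="replace") as f:
                for lineno, line in enumerate(f, 1):
                    if SUSPECT_STARTUP.search(line):
                        hits.append((os.path.relpath(path, root), lineno, line.rstrip()))
    return hits


def build_demo_tree(root):
    """Constructed sample tree: one clean binary, one replaced binary, the hidden dir, an edited rc file."""
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "lib", "security", "   ", "tools"))
    os.makedirs(os.path.join(root, "etc", "rc.d"))
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"clean ls binary")        # matches the baseline
    with open(os.path.join(root, "bin", "ps"), "wb") as f:
        f.write(b"trojaned ps binary")     # differs from the baseline
    with open(os.path.join(root, "etc", "rc.d", "rc.sysinit"), "w") as f:
        f.write("#!/bin/sh\n"
                "# system init (constructed)\n"
                "/usr/sbin/nscd\n"
                "/lib/security/   /tools/kde -i eth0 &\n")
    # Hypothetical known-good hashes, as a package database or an earlier baseline would supply.
    return {"ls": hashlib.sha256(b"clean ls binary").hexdigest(),
            "ps": hashlib.sha256(b"clean ps binary").hexdigest()}


def run_demo():
    """Build the constructed tree and run the three checks over it."""
    with tempfile.TemporaryDirectory() as root:
        baseline = build_demo_tree(root)
        return {"whitespace_dirs": find_whitespace_dirs(root),
                "changed": compare_binaries(root, baseline),
                "startup": find_suspect_startup(root)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

On the constructed tree the sweep reports the whitespace directory under lib/security, flags ps as changed while ls passes, and returns the two rc.sysinit lines that start nscd and kde.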

23:12  get bigwar.tgz from haxteam.org via http with Wget/1.7
       (command issued by attacker from 62.231.97.142)
23:14  ssh connect from 62.231.97.144 (< 1 minute).
       The ssh client used by 62.231.97.144 has the banner SSH-1.5-PuTTY-Release-0.52.
23:17  get hax.tgz from haxteam.org via http with Wget/1.7
       (this is actually the hax-small.tgz provided)
       (command issued by attacker from 62.231.97.142)
23:20  ssh connect from 62.231.97.141 (6 minutes).
       The ssh client used by 62.231.97.141 has the banner SSH-1.5-PuTTY-Release-0.52.
23:22  ftp to haxteam.org (user haxteam.org, password tar-xzvf) to get hax.tgz
23:23  ssh connect from 62.231.97.144 (7 minutes).
23:26  get secure.tgz from haxteam.org via http with Wget/1.7
       (command issued by attacker from 62.231.97.144)
23:27  connected to updates.redhat.com to get /7.1/en/os/i386/wu-ftpd-2.6.1-16.i386.rpm
       connected to updates.redhat.com to get /7.2/en/os/i386/wu-ftpd-2.6.1-20.i386.rpm (219510 bytes)
       (trying to update wu-ftpd to patch the vulnerability)
       (command issued by attacker from 62.231.97.142)
23:30  ssh connect from 62.231.97.141 (5 minutes).
23:31  ssh connect from 62.231.97.144 (< 6 seconds).
23:32  ssh connect from 62.231.97.142 (3 minutes).
23:34  ssh connect from 62.231.97.143 (< 30 seconds).
       (Four members of the team?)
23:44  ssh connect from 80.97.37.66 (1 hour 7 minutes).
       The ssh client used by 80.97.37.66 has the banner SSH-1.5-PuTTY-Release-0.53b.
23:56  ssh connect from 80.97.37.79 (41 minutes).
       The ssh client used by 80.97.37.79 has the banner SSH-1.5-PuTTY-Release-0.53b.
23:56  ftp to 62.233.240.203 (failed).

30/11/2002
00:06  ftp to 62.233.240.203 to get hax.tgz (user nykey, password 10081986). Failed to get the file.
       (command issued by attacker from 80.97.37.66)
00:40  ftp to asmo.net26.pl (62.233.240.203) to get haxteam.tgz (user nykey, password 10081986). Still cannot get the file.
       (command issued by attacker from 80.97.37.66)
12:14  195.209.225.152 tried to use the same exploit to get in. Apparently the user ftp/mozilla@ has been disabled,
       and the ftp server is now wu-2.6.1-20 (not vulnerable to the exploit).
12:22  ssh connect from 193.231.112.211 (40 seconds).
       The ssh client used by 193.231.112.211 has the banner SSH-1.5-PuTTY-Release-0.53b.
12:25  ssh connect from 62.231.97.143 (7 minutes).
12:25  get last.tgz from rho-team.org via http with Wget/1.7
       (command issued by attacker from 62.231.97.143)
12:46  ssh connect from 193.231.112.211 (5 minutes).
22:35  195.209.225.152 tried the same exploit (as at 12:14) once more, and again was unsuccessful.
23:36  ssh connect from 213.150.165.194 (20 minutes).
       The ssh client used by 213.150.165.194 has the banner SSH-2.0-OpenSSH_2.5.2p2.
       Judging from the traffic volume, this attacker did not seem to issue many commands in this connection.
23:55  ssh connect from 213.150.165.194 (36 seconds).

1/12/2002
00:16  ssh connect from 62.231.97.141 (3 minutes).
       Quite a lot of traffic was exchanged.
01:08  ssh connect from 80.96.39.47 (10 seconds).
       The ssh client used by 80.96.39.47 has the banner SSH-1.5-PuTTY-Release-0.53b.
01:15  ssh connect from 62.142.9.8 (3 hours 20 minutes).
       The ssh client used by 62.142.9.8 has the banner SSH-1.5-OpenSSH_2.9 FreeBSD localisations 20011202.
01:17  attempt to connect to 155.230.124.65 on port 55211, unsuccessful
       (command issued by attacker from 62.142.9.8)
01:18  ssh connect TO 66.88.64.196 on port 55211 (1 hour 52 minutes).
       This suggests that 66.88.64.195 is probably another host compromised by the attackers and installed with the rootkit from hax.tgz.
       (command issued by attacker from 62.142.9.8)
03:14  get awu.tgz from haxteam.org via http with Wget/1.7
       (command issued by attacker from 62.142.9.8)
03:17  scanning started: the whole of 128.0.0.0 for port 21
       (command issued by attacker from 62.142.9.8)
03:21  ssh connect TO 213.150.165.194 (port 55211) (12 minutes).
       213.150.165.194 is yet another compromised host.
       (command issued by attacker from 62.142.9.8)
03:35  attempt to connect to 218.55.78.220 on port 55211, unsuccessful
       (command issued by attacker from 62.142.9.8)
03:37  first exploit attempt against 128.2.12.10 using the wu-ftpd exploit.
03:53  attempt to connect to 206.244.135.166 on port 22, unsuccessful; attempts lasted about 10 minutes
       (command issued by attacker from 62.142.9.8)
08:22  No further logs available; presumably the honeypot was taken offline.
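Three of the inferences in this timeline are mechanical enough to automate over a connection log: the scanner identification at 10:07 on 29/11 (a second connection from the same IP within a second, each lasting a fraction of a second), the grouping of ssh sessions by client banner, and the reading of the honeypot's own outbound connections to port 55211 as a list of other hosts carrying the hax.tgz rootkit. The script below is an added example, not part of the original analysis. Its connection records are constructed from the timeline entries (192.168.1.2 as the honeypot, as on the page), with sub-second timings made up for the demo; the duration and window thresholds are assumptions to be tuned per service.

```python
import collections
from datetime import datetime

# Constructed connection records modelled on the timeline above (all times GMT+1).
# Fields: start, src, dst, dport, duration in seconds, client banner seen in the stream (or None).
# 192.168.1.2 is the honeypot, as in the timeline; sub-second timings are made up for the demo.
SAMPLE_CONNECTIONS = [
    ("29/11/2002 10:07:00.0", "195.209.225.152", "192.168.1.2", 21, 0.1, None),
    ("29/11/2002 10:07:00.8", "195.209.225.152", "192.168.1.2", 21, 0.1, None),
    ("29/11/2002 10:12:00.0", "195.209.225.152", "192.168.1.2", 21, 0.2, None),
    ("29/11/2002 10:13:00.0", "195.209.225.152", "192.168.1.2", 21, 17 * 60, None),
    ("29/11/2002 23:04:00.0", "62.231.97.143", "192.168.1.2", 22, 4 * 60, "SSH-1.5-PuTTY-Release-0.52"),
    ("29/11/2002 23:05:00.0", "62.231.97.142", "192.168.1.2", 22, 31 * 60, "SSH-1.5-PuTTY-Release-0.52"),
    ("29/11/2002 23:44:00.0", "80.97.37.66", "192.168.1.2", 22, 67 * 60, "SSH-1.5-PuTTY-Release-0.53b"),
    ("01/12/2002 01:18:00.0", "192.168.1.2", "66.88.64.196", 55211, 112 * 60, None),
    ("01/12/2002 03:21:00.0", "192.168.1.2", "213.150.165.194", 55211, 12 * 60, None),
]


def parse(records):
    """Turn the raw tuples into dicts with a datetime start, sorted by start time."""
    conns = []
    for start, src, dst, dport, duration, banner in records:
        conns.append({"start": datetime.strptime(start, "%d/%m/%Y %H:%M:%S.%f"),
                      "src": src, "dst": dst, "dport": dport,
                      "duration": duration, "banner": banner})
    return sorted(conns, key=lambda c: c["start"])


def flag_probes(conns, max_duration=1.0, window=1.0):
    """Sources with two or more connect-and-disconnect-only sessions inside `window` seconds.

    This is the reasoning the timeline applies at 10:07: a second connection from the same
    IP within a second, each lasting a fraction of a second, is a scanner rather than a user.
    Returns {src: number of sessions that belong to such a burst}; thresholds are assumptions."""
    short_starts = collections.defaultdict(list)
    for c in conns:
        if c["duration"] <= max_duration:
            short_starts[c["src"]].append(c["start"])
    flagged = {}
    for src, starts in short_starts.items():
        starts.sort()
        in_burst = set()
        for earlier, later in zip(starts, starts[1:]):
            if (later - earlier).total_seconds() <= window:
                in_burst.update((earlier, later))
        if in_burst:
            flagged[src] = len(in_burst)
    return flagged


def banner_inventory(conns):
    """Client banner -> sorted list of sources that presented it (groups sessions by tooling)."""
    by_banner = collections.defaultdict(set)
    for c in conns:
        if c["banner"]:
            by_banner[c["banner"]].add(c["src"])
    return {banner: sorted(srcs) for banner, srcs in by_banner.items()}


def outbound_to_port(conns, home, port=55211):
    """Connections the monitored host itself opened to `port`, in time order.

    The timeline reads each outbound ssh session to port 55211 as another host running the
    hax.tgz rootkit's sshd, so every hit here is a candidate victim to notify."""
    return [(c["start"], c["dst"]) for c in conns if c["src"] == home and c["dport"] == port]


if __name__ == "__main__":
    conns = parse(SAMPLE_CONNECTIONS)
    print("probe-like sources:", flag_probes(conns))
    print("client banners:", banner_inventory(conns))
    for start, dst in outbound_to_port(conns, "192.168.1.2"):
        print("outbound to backdoor port at", start, "->", dst)
```

On the sample records the probe check flags only 195.209.225.152 (the two sub-second connections at 10:07; the isolated one at 10:12 is not counted), the banner inventory separates the PuTTY 0.52 and 0.53b groups the timeline treats as different teams, and the outbound check lists 66.88.64.196 and 213.150.165.194.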