From dayioglu@metu.edu.tr Sun Sep 23 07:58:49 2001
Date: Fri, 21 Sep 2001 21:01:32 +0300 (WET)
From: burak dayioglu
To: project@honeynet.org
Subject: scan of the month #15

Hello,

Here are my answers to the questions of SOM #15:

1. The attackers used the rpc.statd attack to get into the system. What modifications did they make to the break-in process to both automate and make the process faster?

The attackers used parallelized scanning and cracking. Normally, what we see script kiddies do is that they scan first and generate a list of vulnerable targets. Exploitation of those vulnerable targets forms the second step. In this case, the attacker scanned the honeynet MULTIPLE TIMES, attempting to exploit vulnerable targets as soon as they discovered them. This increases the process speed.

Also, the attacker used some automated technique to check whether the exploit was successful or not. If the remote rpc.statd service responds to the exploit packet with some sort of error packet, the attacking software safely assumes that the exploitation has failed. If the remote host does not respond within a certain time window, it is assumed that the target has been exploited. Even more, the attacking software sent multiple exploit payloads to the same destination. Combined with scanning the target network multiple times, the attacking software can be said to be extremely aggressive.

2. What system/country did the badguys come in from?

The attacker logged in to the target via the shell bound to TCP port 39168 (0x9900). He then downloaded his rootkit from ftp.home.ro with username soane and password i2ttgcj1d. home.ro is a Romanian portal site giving out free accounts. The attacker came in from 211.185.125.124. The IP address is not associated with a DNS name, but the traceroute goes to Korea.

The whois information from nic.or.kr correlates with the traceroute results:

[ ENGLISH ]
Network Name: KSPURIM-E
IP Address: 211.185.125.0 - 211.185.125.127
Connect ISP Name: PUBNET
Connect Date: 20001120
Registration Date: 20001129

[ Organization Information ]
Organization ID: ORG147082
Name: Kyongsan Purim Elementary School
State: KYONGBUK
Address: 171 puki-1ry jinrang-eup kyongsan-ci
Zipcode: 712-830

[ Admin Contact Information ]
Name: DAEDUN KYUN
Org Name: Kyongsan Purim Elementary School
State: KYONGBUK
Address: 171 puki-1ry jinrang-eup kyongsan-ci
Zipcode: 712-830
Phone: +82-53-851-9523
Fax: +82-53-851-9522
E-Mail: gum@hanmail.net

[ Technical Contact Information ]
Name: DAEDUN KYUN
Org Name: Kyongsan Purim Elementary School
State: KYONGBUK
Address: 171 puki-1ry jinrang-eup kyongsan-ci
Zipcode: 712-830
Phone: +82-53-851-9523
Fax: +82-53-851-9522
E-Mail: gum@hanmail.net

The attacker came in from Korea.

3. What nationality are the badguys, and how were you able to determine this?

I ftp'd to ftp.home.ro with the given user/pass combo. Among a bunch of exploit codes there was an mp3 song of a (most probably) Romanian singer, Adrian M. Also, the www.home.ro site is totally in the Romanian language, which makes it difficult for someone from another country to understand the member services provided. I believe that the attacker was Romanian but used a Korean host as a stepping stone to hide his identity. He was so lame that he left such a big clue behind.

4. What do the answers to questions #1 and #2 tell us about the tactics the badguys are using?

The kiddies have started to use parallelized scanning and exploitation processes to increase their penetration rate. Also, it is clear that one should expect attackers to use overseas hosts as stepping stones. In a honeynet attack, I was not expecting to see such a hiding attempt.

5. What did you learn from this challenge?

Attackers coming in from hosts in other countries are not necessarily from those countries. This is such a wonderful example of the case. I was not expecting such a trick to be that common, which is the most important thing that I learned from this challenge.

6. How long did this challenge take you?

Analyzing the Snort output took around 1 hour. Ftp'ing back, examining the home.ro system and thinking about the scenarios took 2 more hours. I spent 1 more hour to clean up my findings and write a simple answer set.

BQ. Can you recover the blackhat's rootkit from the Snort binary log file? If so, how?

I couldn't find a tool to do exactly this. Writing one on top of libpcap would be possible for me, but I didn't have enough time.

Once again, thanks to the Honeynet Project. It is a great learning experience.

Thank you,
-bd
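The bonus question above asks whether the rootkit can be recovered from the Snort binary log, and the reply notes that a tool written on top of libpcap would do it. As an added illustration that is not part of the submission or of the challenge materials, the following Python script (standard library only) does the equivalent on a libpcap-format file: it parses the pcap framing, groups TCP payload by one-directional flow, reorders segments by sequence number, drops retransmitted bytes, and sniffs the reassembled data's file type by magic bytes. The capture it processes is constructed in memory (the 192.0.2.x addresses, ports, segment order and payload are all made up for the demo); no SOTM #15 data is included.

```python
"""Carve a file transfer back out of a libpcap capture by reassembling TCP streams.
Standard library only. The capture below is constructed for the demo, not challenge data."""
import struct
from collections import defaultdict

# ---- constructed capture (stand-in data, not the challenge's Snort log) ----
SAMPLE_FILE = b"\x1f\x8b\x08\x00" + b"constructed stand-in for a downloaded archive " * 3

def _ip(s):
    return bytes(int(o) for o in s.split("."))

def make_frame(src, dst, sport, dport, seq, payload, flags=0x18):
    """Ethernet + IPv4 + TCP frame (no options, zero checksums; enough for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # ethertype 0x0800 = IPv4
    total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0, _ip(src), _ip(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp + payload

def demo_pcap():
    """FTP data channel (server port 20) split into 40-byte segments, delivered out of
    order with one retransmission, plus an unrelated control-channel (port 21) line."""
    chunks = [SAMPLE_FILE[i:i + 40] for i in range(0, len(SAMPLE_FILE), 40)]
    base = 1000
    order = [2, 0, 1, 1, 3]                              # segment 1 is sent twice
    frames = [make_frame("192.0.2.20", "192.0.2.10", 20, 40000, base + 40 * i, chunks[i])
              for i in order]
    frames.append(make_frame("192.0.2.20", "192.0.2.10", 21, 39999, 500,
                             b"226 Transfer complete.\r\n"))
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))  # linktype 1 = Ethernet
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", 1000000000 + n, 0, len(f), len(f)) + f  # per-packet header
    return bytes(out)

# ---- parsing and reassembly ----
def iter_frames(pcap):
    """Yield raw link-layer frames from a classic libpcap file (either byte order)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    end = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                             # skip the 24-byte file header
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl]
        off += incl

def parse_tcp(frame):
    """Return (src, dst, sport, dport, seq, payload) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                       # protocol 6 = TCP
        return None
    total = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total]
    sport, dport, seq, _ack, off_res = struct.unpack("!HHIIB", tcp[:13])
    data_off = (off_res >> 4) * 4
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    return src, dst, sport, dport, seq, tcp[data_off:]

def reassemble(pcap):
    """Map each one-directional flow (src, dst, sport, dport) to its payload bytes in
    sequence order. Retransmitted/overlapping bytes are dropped; gaps are zero-filled
    so later offsets stay correct. Sequence-number wraparound is not handled."""
    segs = defaultdict(list)
    for frame in iter_frames(pcap):
        p = parse_tcp(frame)
        if p and p[5]:
            segs[p[:4]].append((p[4], p[5]))
    flows = {}
    for key, lst in segs.items():
        lst.sort(key=lambda s: s[0])
        base, buf = lst[0][0], bytearray()
        for seq, data in lst:
            rel = seq - base
            if rel < len(buf):                           # bytes already present
                data = data[len(buf) - rel:]
                rel = len(buf)
            buf += b"\x00" * (rel - len(buf)) + data
        flows[key] = bytes(buf)
    return flows

MAGICS = [(b"\x1f\x8b", "gzip"), (b"\x7fELF", "elf"), (b"PK\x03\x04", "zip")]

def carve_files(pcap, min_size=64):
    """Return flows that look like file transfers as {flow: (kind, bytes)}."""
    found = {}
    for key, data in reassemble(pcap).items():
        if len(data) < min_size:
            continue
        kind = next((name for magic, name in MAGICS if data.startswith(magic)), "unknown")
        found[key] = (kind, data)
    return found

if __name__ == "__main__":
    for (src, dst, sport, dport), (kind, data) in carve_files(demo_pcap()).items():
        print(f"{src}:{sport} -> {dst}:{dport}: {kind}, {len(data)} bytes")
```

Against a real capture, replace demo_pcap() with the bytes of the log file (open(path, "rb").read()) and the same reassembly applies; only the flow toward the victim's data port would hold the archive, and the control channel on port 21 shows the file name. Real traffic adds cases the script deliberately leaves out: sequence-number wraparound, IP fragmentation, VLAN-tagged frames, and pcap-ng framing.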