Some additional information: (For readers on the Honeypot list, please read my original post on Incidents here: http://online.securityfocus.com/archive/75/268589)

The honeypot was a default fresh install of Red Hat Linux 7.2. As many network services were enabled as possible. No patches were applied. This was installed in a VMware virtual machine, on a host-only network consisting of public IP addresses. Another /28 network was DNAT'd to the machine.

The honeypot was online for a little over 24 hours. In that time, I believe it was compromised twice. Syslog logged a _lot_ of FTP connections from one particular IP address, indicating some kind of brute-force wu-ftpd exploit. I believe the machine was also compromised via sshd, although I have not confirmed this.

I had tcpdump -w running on the VMware host machine. It generated a lot of traffic, which I really need to analyse more. I have analysed the attacker's download of this rootkit, and obtained his username and password to the FTP site in question (albeit invalid).

For anyone interested, here is some tcpdump output (tcpdump -w) of the host in question. I have not fully analysed this, but I am sure others will. The gz file is about 800k. The logfile inside is around 2.7 megs. It can be loaded into Ethereal or tcpdump or whatever. This will be full of little secrets, no doubt.

http://www2.linuxphreaks.org/pub/unsorted/tcpdump_log.gz

I pulled that honeypot offline after about 24 hours. I did not want to be the source of a worm starting or spreading. In the days since, my network has received a LOT of port scans from networks in Romania, looking for their "root". In particular, I have noticed a lot of scans for port 1221, which appears to be the port the illogic rootkit's sshd binds to. I have also been on the Undernet IRC network in these guys' channel, #h4ck3r, but not a lot appears to go on.

And for those who read my email signature, security is a personal hobby of mine. The company for which I consult doesn't mind me reading/following security issues on their time. My boss is shit scared about being "hacked" or having downtime due to viruses. The honeypot was on my own home network, and not here at Jackie's.

I originally planned to post all this information on a web page over the weekend, but never got around to it. Too much coding.

PS. This is only really the second time I have unleashed a honeypot on unsuspecting script kiddies; I am a relative honeypot newbie!

- Dan.

And once again, the rootkit et al:

Here it is: http://www2.linuxphreaks.org/pub/security/rootkits/illogic.tgz
Output from installer: http://www2.linuxphreaks.org/pub/hp/20020418/illogic-install.txt
chkrootkit output: http://www2.linuxphreaks.org/pub/hp/20020418/chkrootkit.log

--
Dan Irwin - Systems Administrator
Jackie's Wholesale Nurseries Pty Ltd
Email: danat_private
Phone: 07 3888 2481
Fax: 07 3888 2530
Postal: 10 Gleeson Road Burpengary Queensland 4505
Email: infoat_private
Web: http://www.jackies.com.au

-----Original Message-----
From: Jerry_Pierceat_private [mailto:Jerry_Pierceat_private]
Sent: Saturday, 20 April 2002 9:07 AM
To: Dan Irwin
Subject: Re: illogic rootkit

Would love to see the rootkit and tcpdump. Did you use CTC to recover the deleted files and develop a timeline of the event?

Jerry D. Pierce
GCIA, GCIH
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
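The two indicators Dan describes (a burst of FTP connections from a single source preceding the wu-ftpd compromise, and the follow-up scans for TCP port 1221 where he reports the rootkit's sshd listening) are easy to pull out of the logs mechanically. The script below is an added example written for this archive page; it is not Dan's code or part of the illogic rootkit material he linked. It assumes xinetd-style syslog lines of the form "START: ftp pid=N from=IP" and tcpdump text output in either the classic "S seq:seq(0)" or the newer "Flags [S]" notation; the sample lines embedded in it are constructed for illustration, not taken from the captured tcpdump_log.gz, and the 1221 port number is taken from Dan's own observation rather than any documented property of the rootkit.

```python
"""Detection checks for the two indicators in the post: a burst of FTP
connections from one source (brute-force of wu-ftpd) and SYNs to TCP/1221
(the port the post reports the rootkit's sshd listening on).

Added example for this page; log formats and sample data are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (not from the honeypot); the format follows
# xinetd's "START: <service> pid=<n> from=<ip>" lines as an assumption.
SAMPLE_SYSLOG = """\
Apr 18 02:10:01 honeypot xinetd[512]: START: ftp pid=801 from=192.0.2.77
Apr 18 02:10:02 honeypot xinetd[512]: START: ftp pid=803 from=192.0.2.77
Apr 18 02:10:02 honeypot xinetd[512]: START: ftp pid=805 from=192.0.2.77
Apr 18 02:10:03 honeypot xinetd[512]: START: ftp pid=807 from=192.0.2.77
Apr 18 02:10:03 honeypot xinetd[512]: START: ftp pid=809 from=192.0.2.77
Apr 18 02:10:04 honeypot xinetd[512]: START: ftp pid=811 from=192.0.2.77
Apr 18 02:11:30 honeypot xinetd[512]: START: ftp pid=820 from=198.51.100.9
Apr 18 02:12:00 honeypot xinetd[512]: START: telnet pid=822 from=198.51.100.9
Apr 18 02:15:45 honeypot sshd[600]: Accepted password for root from 203.0.113.5 port 2049
"""

# Constructed tcpdump text lines: the first four use the modern "Flags [S]"
# notation, the last one the older "S seq:seq(0)" notation, so the parser is
# exercised on both.
SAMPLE_TCPDUMP = """\
03:01:10.100000 IP 203.0.113.40.33021 > 192.0.2.10.1221: Flags [S], seq 10, win 5840
03:01:10.200000 IP 203.0.113.41.33022 > 192.0.2.10.1221: Flags [S], seq 11, win 5840
03:01:10.300000 IP 203.0.113.40.33023 > 192.0.2.10.22: Flags [S], seq 12, win 5840
03:01:11.000000 IP 192.0.2.10.1221 > 203.0.113.40.33021: Flags [S.], seq 99, ack 11, win 5792
03:02:00.000000 198.51.100.9.4040 > 192.0.2.10.1221: S 5:5(0) win 16384
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ xinetd\[\d+\]: "
    r"START: (?P<svc>\S+) pid=\d+ from=(?P<ip>\d+\.\d+\.\d+\.\d+)"
)

TCPDUMP_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<flags>[^\]]*)\]|(?P<oldflags>[SFRP.]+))"
)


def parse_ts(ts, year=2002):
    """syslog lines carry no year; the honeypot ran in April 2002."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def ftp_bursts(lines, window=60, threshold=5):
    """Return {ip: max FTP sessions opened within any `window`-second span}
    for every source that reached `threshold` sessions in one window.
    A sliding window per source IP is used so a slow trickle of legitimate
    logins over a day does not trip the check."""
    times = defaultdict(list)
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m and m.group("svc") == "ftp":
            times[m.group("ip")].append(parse_ts(m.group("ts")))
    flagged = {}
    for ip, ts in times.items():
        ts.sort()
        start, best = 0, 0
        for end in range(len(ts)):
            while (ts[end] - ts[start]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def port_probes(lines, port=1221):
    """Count SYN-only segments to `port` per source address. Hosts hunting
    for the backdoor sshd show up as many sources each sending a single SYN;
    SYN/ACKs from the honeypot itself are ignored because their destination
    port is the scanner's ephemeral port, not `port`."""
    counts = defaultdict(int)
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if not m or int(m.group("dport")) != port:
            continue
        flags = m.group("flags")
        if flags is None:
            flags = m.group("oldflags")
        if flags == "S":
            counts[m.group("src")] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, n in ftp_bursts(SAMPLE_SYSLOG.splitlines()).items():
        print(f"FTP burst: {n} sessions from {ip} inside 60s")
    for ip, n in port_probes(SAMPLE_TCPDUMP.splitlines()).items():
        print(f"SYN to tcp/1221 from {ip} x{n}")
```

Run against a real capture with `tcpdump -n -r tcpdump_log.gz` (after gunzip) piped into `port_probes`, and against /var/log/messages for `ftp_bursts`; the threshold of five sessions per minute is a starting point, not a tuned value, and a single source with the count far above it is the brute-force pattern Dan saw.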
This archive was generated by hypermail 2b30 : Sun Apr 21 2002 - 19:29:39 PDT