Among other benefits, running a honeynet makes one acutely aware of "what
is going on" out there. While placing a network IDS outside one's firewall
might also provide a similar flood of alerts, a honeypot provides a unique perspective
on what happens after a server is compromised and put to use by the intruders.
As a result of our research, many gigabytes of network traffic dumps are piling
up on the hard drives, databases are filling with alerts, and rootkit and exploit-pack
collections are growing.
This paper is an attempt to informally summarize what has been happening to our
exposed Linux machine connected to the Internet. The moment is especially appropriate
since we are now changing the platform of the victim machine. Our Linux honeypot
survived dozens, if not more, system compromises, including several massive outbound
denial-of-service attacks (all blocked by the firewall!), major system vulnerability
scanning and a stint as an Internet Relay Chat (IRC) server for Romanian hackers
- and other exciting stuff.
I. Battleground: services and ports
First, let us summarize the common exploits hurled at the exposed Linux machine.
It will not likely be news to people who monitor activity outside their firewalls,
but it may provide some insight into current security threats to others. Scans,
"innocuous" connection attempts and various spam (on TCP port 25 and
UDP ports 13x) are not included.
a. RPC statd - the attack (http://www.cert.org/advisories/CA-2000-17.html,
a format string flaw in rpc.statd's logging code) is SO ancient that one might
think nobody would hope to find a vulnerable box with that flaw. After all, who in
his right mind would still be fielding (for example) Red Hat Linux 6.0 when half a
dozen Red Hat releases have come out since then? We are talking August 2000 - it
was indeed during the last millennium. Heavy scanning for this vulnerability went
on all through 2001 and even parts of 2002. One might think that every machine with
that hole has by now been secured (by its owner or by an intruder), upgraded or
taken offline. However, lots of "hopefuls" are still trying the long-cemented "door".
Thus, the log files continue to be peppered with the classic:
Mar 4 11:51:31 victim 29>Mar 4 11:51:31 rpc.statd[493]: gethostbyname
error for ^X...^X...^Z...^Z...%8x%8x%8x%8x%
8x%8x%8x%8x%8x%62716x%hn%51859x%hn..............................................................................
................................................................................................................
................................................................................................................
................................................................................................................
................................................................................................................
................................................................................................................
................................................................................................................
.....................................................1..|Y.A^P.A^H...A^D.....^A.f...^B.Y^L.A^N..A^H^P.I^D.A^D^L.
^A.f...^D.f...^E0..A^D.f......1..?..
and Snort continues spewing forth the good old:
Jan 24 20:46:41 bastion snort: [1:1282:1] RPC EXPLOIT statdx [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {UDP} 10.0.0.10:931 -> 1.2.3.4:1024
And here is how this attack looks to the Bro NIDS (a protocol-analysis based
system, recently deployed in our honeynet):
1047644757.152094 10.0.0.10/939 > 1.2.3.4/portmap: bad_RPC_program
1047644757.152094 10.0.0.10/939 > 1.2.3.4/portmap: bad_RPC
Bro flags a different stage of the same attack: the portmapper request that
precedes the statd payload itself.
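What the rpc.statd log line above records is the exploit's format string being handed to syslog: the run of %8x directives walks up the stack, and each %<width>x%hn pair pads the output to a chosen length and then writes that length, as a 16-bit value, into a pointer the attacker planted earlier, two such writes assembling one 32-bit address. The following detector is an added example, not a tool from the honeynet: it pulls those indicators out of syslog lines so that a format-string attack on any logging daemon stands out even where no Snort signature exists. The sample log lines are constructed for this example.

```python
import re

# Constructed syslog lines (not from the original article): a statdx-style
# format-string payload logged by rpc.statd, a benign rpc.statd error and an
# unrelated sshd message.
SAMPLE_SYSLOG = [
    "Mar  4 11:51:31 victim rpc.statd[493]: gethostbyname error for "
    "^X^Z%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn........",
    "Mar  4 11:52:02 victim rpc.statd[493]: gethostbyname error for nfsclient.example.org",
    "Mar  4 11:52:10 victim sshd[611]: Accepted publickey for bob from 10.0.0.7 port 4022",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w.\-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Any printf-style directive an attacker can use to read the stack (%x, %p,
# %u, %d) or write to it (%n); optional positional "N$" and h/hh/l modifiers.
DIRECTIVE_RE = re.compile(r"%(?:\d+\$)?\d*(?:hh|h|l)?[xpudn]")
# A padded write: "%<width>x" immediately followed by %n, %hn or %hhn. The
# width fixes the character count that %n will store into the pointer.
WRITE_RE = re.compile(r"%(\d+)[xpud]%(hh|h)?n")
WRITE_BYTES = {"": 4, "h": 2, "hh": 1}


def analyze_line(line, min_directives=4):
    """Return a dict of format-string indicators for one syslog line, or None.

    A line is reported when its message part carries at least
    min_directives conversion directives, or any %n-family write at all
    (one %n in a hostname field is already beyond suspicious).
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    directives = DIRECTIVE_RE.findall(msg)
    writes = [(int(width), WRITE_BYTES[size]) for width, size in WRITE_RE.findall(msg)]
    if len(directives) < min_directives and not writes:
        return None
    return {
        "proc": m.group("proc"),
        "pid": int(m.group("pid")),
        "directives": len(directives),   # stack words the payload reads through
        "writes": writes,                # (pad width, bytes written) per %n
    }


def scan(lines):
    """Run analyze_line over a log and keep only the hits."""
    return [hit for hit in map(analyze_line, lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_SYSLOG):
        print(f"{hit['proc']}[{hit['pid']}]: {hit['directives']} directives, "
              f"writes {hit['writes']}")
```

The two %hn writes in the sample carry pad widths 62716 and 51859: together with the bytes already printed they determine the two 16-bit halves the exploit stores, which is why the same exploit against a different distribution shows up with different numbers but the same shape.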
b. WU-FTPD - this attack (http://www.cert.org/advisories/CA-2001-33.html,
a heap corruption bug in the server's file name globbing) can also be categorized
as "Stone Age", but it is still very popular among amateur attackers. It is this
attack that produced the impressive statistics publicized by the Honeynet Project:
a default Red Hat box will be "owned" within 3 days of being connected to the
Internet. An extremely popular choice, it is used in countless autorooters, exploit
scanners and other "tools for beginners".
Here is how the attack looks to snort:
Jan 26 20:37:16 bastion snort: [1:1378:7] FTP wu-ftp file completion attempt [Classification: Misc Attack] [Priority: 2]: {TCP} 10.0.0.10:33761 -> 1.2.3.4:21
Jan 26 20:37:16 bastion snort: [1:1622:5] FTP RNFR ././ attempt [Classification: Misc Attack] [Priority: 2]: {TCP} 10.0.0.10:33761 -> 1.2.3.4:21
and to Bro:
1048402337.496125 FTP_ExcessiveFilename 10.0.0.10/1641 > 1.2.3.4/ftp #94 excessive filename: 00000000000000000000000000000000..[494]..
c. IIS exploits - we have observed dozens of different Unicode strings and
.ida requests aimed at the Microsoft IIS web server, from the classic ones used
by the worms of 2001 to more obscure modern variants.
Here is an excerpt of the HTTP protocol decode by Bro:
/scripts/..%2f../winnt/system32/cmd.exe?/c+dir
/scripts/..%35c../winnt/system32/cmd.exe?/c+dir
/scripts/..%5c%5c../winnt/system32/cmd.exe?/c+dir
/scripts/..%5c../winnt/system32/cmd.exe?/c+dir
/scripts/root.exe?/c+dir
/scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
/scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
/scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
/scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
/msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
/MSADC/root.exe?/c+dir
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd
3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00
c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
Obviously, none of these can affect the honeypot's Linux Apache web server;
they are included here only because of their extreme volume. The list is a short
history of the IIS traversal bugs: \xc0\xaf and \xc1\x9c (Bro's rendering of
%c0%af and %c1%9c) are overlong UTF-8 encodings of "/" and "\", a double-encoded
%255c looks like %5c after a single decoding pass and relies on IIS decoding the
path a second time, and root.exe is the copy of cmd.exe that Code Red II left
behind in /scripts and /MSADC. A filter that decodes only once misses half of
them. It is interesting to note that some IP addresses receive much more than
their share of such hits. This phenomenon is not explained yet.
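The requests above work only because IIS decoded the path more permissively than the check that was supposed to keep it under the web root. The canonicalizer below is an added example (not code from the article or from Bro) that reproduces the two decoding quirks in question: it percent-decodes repeatedly, so that %255c becomes a backslash, and it folds a 0xC0/0xC1 lead byte with whatever byte follows into one character without validating the continuation byte, which is how %c0%af, %c0%2f and %c1%1c all became path separators. The sample URIs are the percent-encoded forms of the variants quoted above, reconstructed for this example, plus two benign requests.

```python
import re

PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def percent_decode(s: str, max_passes: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded).

    One pass turns %255c into %5c, the next turns %5c into a backslash.
    Decoded bytes are kept as Latin-1 code points so raw bytes survive.
    """
    for _ in range(max_passes):
        decoded = PCT.sub(lambda m: chr(int(m.group(1), 16)), s)
        if decoded == s:
            break
        s = decoded
    return s


def lax_utf8(s: str) -> str:
    """Fold a 0xC0/0xC1 lead byte and the following byte into one character.

    A strict decoder rejects both cases: 0xC0/0xC1 can only begin an overlong
    sequence, and a byte such as 0x1C is not a continuation byte at all.
    The lenient version is what made %c0%af -> '/', %c1%9c -> '\\' and
    %c1%1c -> '\\' work against IIS.
    """
    out, i = [], 0
    while i < len(s):
        b = ord(s[i])
        if b in (0xC0, 0xC1) and i + 1 < len(s):
            out.append(chr(((b & 0x1F) << 6) | (ord(s[i + 1]) & 0x3F)))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def canonicalize(uri: str):
    """Return (canonical_path, escaped_root) for a request URI.

    escaped_root is True when '..' climbs above the web root at any point.
    """
    path = uri.split("?", 1)[0]
    path = lax_utf8(percent_decode(path)).replace("\\", "/")
    parts, escaped = [], False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            else:
                escaped = True
            continue
        parts.append(seg)
    return "/" + "/".join(parts), escaped


TARGETS = ("cmd.exe", "root.exe")   # root.exe: the cmd.exe copy left by Code Red II


def classify(uri: str) -> dict:
    canon, escaped = canonicalize(uri)
    target = canon.lower().endswith(TARGETS)
    return {"canonical": canon, "traversal": escaped,
            "target_hit": target, "suspicious": escaped or target}


# Constructed sample requests: encoded forms of the variants quoted above
# plus two benign ones.
SAMPLE_URIS = [
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir",
    "/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/root.exe?/c+dir",
    "/docs/./release%20notes/../index.html",
    "/index.html",
]

if __name__ == "__main__":
    for u in SAMPLE_URIS:
        r = classify(u)
        print(f"{'ALERT' if r['suspicious'] else 'ok   '} {u:72s} -> {r['canonical']}")
```

Every encoded variant collapses to the same canonical path, which is the point: a signature that matches on the raw request string needs one entry per encoding, while a check on the canonical form needs one.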
d. The OpenSSL flaw (http://www.cert.org/advisories/CA-2002-23.html), a buffer
overflow in the SSLv2 handshake that yields a shell as the web server's user
rather than root, is a very popular choice as of today. While not giving root,
it seemingly helps the script kiddies learn about local exploits. It is suspected
that its popularity is in part due to the readily available and reliable exploit
openssl-too-open (...)
Here is the log trace of the OpenSSL hit in the Apache error_log:
[Mon Mar 3 06:40:48 2003] [error] mod_ssl: SSL handshake failed (server ns1.bkwconsulting.com:443, client 10.0.0.10) (OpenSSL library error follows)
[Mon Mar 3 06:40:48 2003] [error] OpenSSL: error:1406908F:lib(20):func(105):reason(143)
And here is the snort message:
Feb 2 00:45:53 bastion snort: [1:1887:1] EXPERIMENTAL WEB-MISC OpenSSL Worm traffic [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.10:2328 -> 1.2.3.4:443
e. MS-SQL Slammer, while called a flash worm, is still knocking on UDP 1434.
The volume has subsided as most of the affected hosts have been taken offline
or patched, but Slammer is still there, slamming away at the closed ports of
the Linux honeypot.
Here is what snort says upon seeing it:
Mar 10 22:01:11 bastion snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 10.0.0.10:1140 -> 1.2.3.4:1434
f. Here are some other, less frequent attacks that flash by. A number of hits
against vulnerable PHP were observed; the attack did not succeed and was seen
only once or twice:
Mar 10 14:57:15 bastion snort: [1:1425:6] WEB-PHP content-disposition [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.10:57774 -> 1.2.3.4:80
Mar 10 14:57:15 bastion snort: [1:1423:7] WEB-PHP content-disposition memchr overflow [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.10:57777 -> 1.2.3.4:80
g. What is not there? Old BIND attacks (very popular in 1999) are gone,
hopefully for good, and new ones (based on the recent BIND bugs) failed to
materialize. SSH bugs are not actively exploited, although version surveying
is observed pretty often. It is not clear why this is the case.
Here is a summary of all events and attacks:
[Chart of alerts per destination port, colored by alarm severity; not reproduced in this copy]
The color indicates alarm severity. The picture resembles what is reported by
DShield.org at http://www.dshield.org/topports.php
Web attacks (80, 443) "top the charts", followed by the recent MS-SQL hits (1434)
and FTP (21), the all-time favorite. Proxy scans (1080, 3128, 8080) are also very
popular. Strangely, SNMP (161, 162) is also in the picture, though these appear
to be just probes and not exploit attempts.
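The per-port picture can be rebuilt from the Snort syslog alerts themselves. The script below is an added example, not code from the article: it parses the "[gid:sid:rev] msg [Classification: ...] [Priority: n]: {proto} src:port -> dst:port" format of the alerts quoted in this section, buckets them by protocol and destination port, and keeps the worst priority seen per bucket, which is the "color" of the chart. The input reuses the alert lines quoted above plus one constructed repeat hit and one non-Snort syslog line to show that unrelated lines are ignored.

```python
import re
from collections import defaultdict

# Alert lines in the Snort syslog format quoted in this article (the ones
# shown above), one constructed repeat from a second source, and one
# constructed non-Snort line.
SAMPLE_LOG = """\
Jan 24 20:46:41 bastion snort: [1:1282:1] RPC EXPLOIT statdx [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {UDP} 10.0.0.10:931 -> 1.2.3.4:1024
Jan 26 20:37:16 bastion snort: [1:1378:7] FTP wu-ftp file completion attempt [Classification: Misc Attack] [Priority: 2]: {TCP} 10.0.0.10:33761 -> 1.2.3.4:21
Jan 26 20:37:16 bastion snort: [1:1622:5] FTP RNFR ././ attempt [Classification: Misc Attack] [Priority: 2]: {TCP} 10.0.0.10:33761 -> 1.2.3.4:21
Feb 2 00:45:53 bastion snort: [1:1887:1] EXPERIMENTAL WEB-MISC OpenSSL Worm traffic [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.10:2328 -> 1.2.3.4:443
Mar 10 22:01:11 bastion snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 10.0.0.10:1140 -> 1.2.3.4:1434
Mar 10 14:57:15 bastion snort: [1:1425:6] WEB-PHP content-disposition [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.10:57774 -> 1.2.3.4:80
Mar 10 14:57:15 bastion snort: [1:1423:7] WEB-PHP content-disposition memchr overflow [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.10:57777 -> 1.2.3.4:80
Mar 11 03:12:09 bastion snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 10.0.0.11:1034 -> 1.2.3.4:1434
Mar 11 03:12:10 bastion sshd[1234]: Accepted publickey for admin from 10.0.0.2 port 4022 ssh2
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<sensor>\S+) snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Snort convention: priority 1 is the most severe.
SEVERITY = {1: "high", 2: "medium", 3: "low"}


def parse_alert(line):
    """Parse one syslog line into a dict, or return None if it is not a Snort alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        a[k] = int(a[k])
    for k in ("sport", "dport"):          # absent for ICMP alerts
        a[k] = int(a[k]) if a[k] else None
    return a


def summarize_by_port(lines):
    """Bucket alerts by (proto, dport); return rows sorted by hits, then severity."""
    buckets = defaultdict(lambda: {"hits": 0, "worst": 99, "sids": set(), "srcs": set()})
    for a in filter(None, map(parse_alert, lines)):
        b = buckets[(a["proto"], a["dport"])]
        b["hits"] += 1
        b["worst"] = min(b["worst"], a["prio"])   # keep the most severe priority
        b["sids"].add(a["sid"])
        b["srcs"].add(a["src"])
    rows = [
        {"proto": proto, "dport": dport, "hits": b["hits"],
         "worst_priority": b["worst"], "severity": SEVERITY.get(b["worst"], "unknown"),
         "sids": sorted(b["sids"]), "sources": len(b["srcs"])}
        for (proto, dport), b in buckets.items()
    ]
    rows.sort(key=lambda r: (-r["hits"], r["worst_priority"], r["dport"] or 0))
    return rows


if __name__ == "__main__":
    print(f"{'proto':5} {'port':>5} {'hits':>4} {'sev':6} {'srcs':>4} sids")
    for r in summarize_by_port(SAMPLE_LOG.splitlines()):
        print(f"{r['proto']:5} {r['dport']:>5} {r['hits']:>4} {r['severity']:6} "
              f"{r['sources']:>4} {','.join(map(str, r['sids']))}")
```

Counting distinct sources per port alongside hits separates a single scanner hammering one port from a worm that many hosts carry, which is the difference between the FTP and the MS-SQL rows in the sample.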
II. Artifacts - exploits, rootkits and tools
Intruders who visit our friendly neighborhood honeynet rarely come empty-handed.
They bring all sorts of gifts: exploit scanners, autorooters, rootkits,
DoS tools and other goodies.
A detailed analysis of some of the Linux rootkits we captured is provided here:
http://www.idefense.com/papers.html
Most of the captured kits are very simple, use only publicly available technology
and carry all the signs of having been created by unskilled people. They often corrupt
the system and rely on such amazingly "stealthy" techniques as storing their files
in the root directory of the system or changing the root password
("owned means owned, right?").
Exploits and automated exploitation tools, while seemingly impressive, use very
old attacks (such as those described above) and do not even attempt to hide
their activity. Most of these tools are designed to scan huge pools of IP
addresses for one or two vulnerabilities, the ultimate "opportunity
hack" of going for the "low-hanging fruit".
However, new and innovative tools do get brought in by the tide; for example,
a covert channeling binary (http://project.honeynet.org)
and an IPv6 tunnel tool were discovered.
III. Example Incidents
Here are brief descriptions of several incidents that recently occurred in
our honeynet.
The classic WU-FTPD incident starts with an anonymous login to the FTP server.
Then, within minutes or hours, the server is hit by the TESO "wurm"
exploit, which has a recognizable signature: it tries to create a directory
named 7350 (leetspeak for TESO).
Within seconds the intruder fetches his rootkit from a drop site (often
a free storage site or even a Yahoo account) and deploys it. Most
observed rootkits start an SSH daemon on a high port as the main backdoor.
In the next session (hours or even days later) we often see him
fetching scanners and trying to exploit more machines.
The more recent OpenSSL incidents are more interesting, since the attacker does
not get root upon breaking into the system (he ends up as, for example, the "apache" user).
One might think that owning a system without "root" access is useless,
but we usually see active use of the system in these cases. Here are some of the things
such non-root attackers do on compromised systems:
1. "IRC till you drop"
Installing an IRC bot or bouncer is a popular choice for such attackers. On
several occasions we observed IRC channels dedicated entirely to communication
among the servers compromised by a particular group. Running an IRC bot
does not require additional privileges.
2. "Local exploit bonanza"
Throwing everything they have at the Holy Grail of root access seems common
as well. Often the attacker will try half a dozen different exploits in an
attempt to elevate his privileges from mere "apache" to "root".
3. "Evil daemon"
A secure shell daemon can be launched by a non-root user on a high-numbered
port, and this was observed in several cases. In some of them the intruder
accepted that he would not get root and set about making his new home on the
net more comfortable by adding a backdoor and some other tools in "hidden"
directories under /tmp or /var/tmp (names such as ".. " or ones containing
non-printable characters are common, since they blend in with, or vanish from,
a casual ls listing).
4. "Flood, flood, flood"
While spoofed DoS is stealthier and harder to trace, spoofing needs raw sockets
and therefore root; many of the classic DoS attacks, however, do not require root
access. Ping floods and UDP floods, for example, can be initiated by non-root users.
Intruders sometimes abuse this, relying on the fact that even when the attack is
traced, the only source found is a compromised machine with no logs present.
5. "More boxes!"
Like root-owning intruders, those with non-root shells may use the compromised
system for vulnerability scanning and widespread exploitation. Many of the scanners,
such as the OpenSSL autorooter we recently discovered, do not need root to operate
but are still capable of discovering and exploiting a massive number of systems
(thousands or more) within a short time. Such large networks can then be used for
devastating denial-of-service attacks (such as those CERT recently warned about).
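The ".. " directories from item 3 above are easy to overlook in an ls listing but easy to find programmatically. The scanner below is an added example, not a tool from the honeynet: it walks the world-writable temp directories and flags entries whose names consist only of dots and spaces, carry leading or trailing whitespace, or contain control characters, leaving ordinary dotfiles such as .ssh alone. So that it can be run without a compromised host, it also builds a throw-away directory tree with constructed names of both kinds.

```python
import os
import shutil
import tempfile


def suspicious_name(name: str) -> list:
    """Return the reasons a directory entry looks like it is hiding from 'ls'."""
    reasons = []
    if set(name) <= {".", " "}:
        # ".. ", "...", ". " and friends blend in with the . and .. entries of ls -la
        reasons.append("dots/spaces only, mimics . or ..")
    if name != name.strip():
        reasons.append("leading or trailing whitespace")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        reasons.append("control characters")
    return reasons


def find_hidden(roots, max_depth=3):
    """Walk each root (e.g. /tmp, /var/tmp) and return (path, reasons) for odd names."""
    findings = []
    for root in roots:
        base_depth = root.rstrip(os.sep).count(os.sep)
        for dirpath, dirnames, filenames in os.walk(root):
            if dirpath.rstrip(os.sep).count(os.sep) - base_depth >= max_depth:
                dirnames[:] = []          # stop descending below max_depth
            for name in dirnames + filenames:
                reasons = suspicious_name(name)
                if reasons:
                    findings.append((os.path.join(dirpath, name), reasons))
    return findings


def build_demo_tree() -> str:
    """Throw-away tree with constructed names: three intruder-style, two benign."""
    base = tempfile.mkdtemp(prefix="honeypot-demo-")
    for d in (".. ", "...", "\x01bd", ".ssh", "work"):
        os.mkdir(os.path.join(base, d))
    # stand-in for the high-port sshd backdoor dropped into ".. "
    open(os.path.join(base, ".. ", "sshd"), "w").close()
    return base


def demo_scan() -> list:
    """Build the demo tree, scan it, clean up, and return the flagged basenames."""
    demo = build_demo_tree()
    try:
        return sorted(os.path.basename(p) for p, _ in find_hidden([demo]))
    finally:
        shutil.rmtree(demo)


if __name__ == "__main__":
    demo = build_demo_tree()
    try:
        for path, why in find_hidden([demo]):
            print(repr(path), "->", "; ".join(why))
    finally:
        shutil.rmtree(demo)
```

Run against real /tmp and /var/tmp the same find_hidden call lists the odd entries with repr-style quoting, which is the only reliable way to see a trailing space or a control character in a name.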
Worms and other automated entities are also common. We observed many different
OpenSSL worms (for their taxonomy, see
http://isc.incidents.org/analysis.html?id=177),
including some with novel components such as a Windows OpenSSL exploit, DoS agents,
IRC bot deployment by the worm, automated local exploitation via the ptrace bug,
different backdoors, etc.
Windows worms are also on the prowl. Code Red, MS SQL Slammer and others are not
gone; their traces surface in the logs on a regular basis. They seem to lead
lives of their own, with ups and downs and sudden bursts of activity, and never
seem to go away.
Many other "fun things" also wash up on the shores of our honeynet, among them
packets from 255.255.255.255, port 31337, various kinds of spam (email, MS RPC,
web forms) and a lot of reconnaissance attempts (mostly scans and pings). Scans
for proxies (1080, 8080, 3128) are also extremely popular, as mentioned above.
Anton Chuvakin, Ph.D., GCIA, GCIH (http://www.chuvakin.org)
is a Senior Security Analyst with a major information security company. His
areas of infosec expertise include intrusion detection, UNIX security, forensics,
honeypots, etc. In his spare time he maintains his security portal http://www.info-secure.org