Report: March 2004
From Honeynet-PT
Current Setup(s)
We were running four honeypots in GenII-architecture honeynets. The bridges ran the Honeywall Linux 0.66a CD, and the honeypots were default installations of Red Hat Linux 7.3, Red Hat Linux 9, Windows 2000 Server and Solaris 9 with some of the usual services enabled.
Finding(s) and Development(s)
Malicious Activities:
The Red Hat Linux 7.3 honeypot was compromised after two days. The attackers took advantage of a Samba security flaw, using a remote root exploit to take over the machine; then a rootkit, an IRC bot, a bouncer and adore-based kernel modules were installed.
The Red Hat Linux 9 honeypot was compromised after just three hours. The intruder again took advantage of a Samba security flaw and used a remote root exploit to take over the machine; then a rootkit, an IRC bot and a bouncer were installed.
The Windows 2000 Server honeypot was compromised after three days. The DCOM security flaw was used to break into the machine. Nothing was installed afterwards; the intruder took a tour of the computer and then left.
The Solaris 9 honeypot was compromised four days after installation. The attacker took advantage of the sadmin misconfiguration. This time, the first thing the attacker did was run a rootkit detection tool to check whether the machine had already been compromised. Then a rootkit was installed, and some other backdoors (e.g. in.ftpd) were downloaded from remote servers.
The Linksys Wi-Fi router was compromised one week after it was powered up with the default configuration. By default no WEP or any other kind of encryption is configured; only the SSID had been changed.
Apart from these attacks, lots of worm scans were detected.
Conclusions
Since no new tools were found and no new attacks were detected, there is no need to give more detail than this in the reports. Still, it is striking how fast machines are attacked once they are connected to the Internet. Remember that these machines were not advertised by any means. With these reports we hope that people start thinking a little more about securing and patching machines properly after a default installation, before connecting them to the "wild world".
Presentations
We gave a talk at the Security World 2004 seminar in Portugal, organized by Computer World, where we presented The Honeynet Project.
Plans for next quarter
- Continue to use the Honeywall Linux CD and the GenII architecture.
- Install more honeypots with different operating systems.
- Continue developing and testing our own tools.
