Tuesday, August 31, 2010

Finding Out How Ethical and Safe Your Internet Service Provider Is

If you use dial-up, DSL, cable, or FiOS, you are dealing with an Internet Service Provider in the form of a phone company or a cable company. How does one find out how safe and ethical their ISP is? There are two tools to help the average person get a sense of how safe they are in trusting their ISP. One tool is FIRE, an acronym for "Finding Rogue Networks". To use FIRE, however, one needs an AS (Autonomous System) number. Fortunately, caida.org has a tool called AS Rank which will give you your ISP's AS numbers. One can also use Arbor Networks' ATLAS to see the top 20 worst attackers currently on the Internet. (FIRE doesn't see some of those systems and networks, so there is filtering going on.) So, how does my ISP, verizon.net, stack up? Pretty well actually, according to FIRE and AS Rank. There are no exploit or command-and-control servers on those networks apart from these two systems, the only ones FIRE knows of on the VZB and VZ networks:

65.209.177.10 US AS701 exploit server
70.107.249.167 US AS19262 C&C server

However, the ISPs may be preventing FIRE from seeing the whole picture. My honeypot has found these infected systems on my local verizon.net subnet:

[29082010 21:44:40] [192.168.1.12:445->71.97.10.85:50973]
[30082010 20:24:05] [192.168.1.12:445->71.96.233.69:1370]
[30082010 20:38:19] [192.168.1.12:445->71.97.151.10:3401]
[31082010 20:06:06] [192.168.1.12:445->71.96.77.124:54794]
[29082010 21:44:38] [192.168.1.12:445->71.97.10.85:50969]
[30082010 18:02:09] [192.168.1.12:135->71.91.137.62:2013]
[30082010 20:24:04] [192.168.1.12:445->71.96.233.69:1368]
[30082010 20:38:19] [192.168.1.12:445->71.97.151.10:2800]
[31082010 16:37:35] [192.168.1.12:80->71.96.77.124:53541]

Now then, Verizon could be blocking or filtering their network such that these systems cannot communicate with the outside world (blacklisting), or they could be blocking FIRE from seeing any of these systems that may be servers. With a P2P botnet, any infected system can be both a client and a server. That said, most of the infected systems in the world are likely IRC bots and are clients for the time being, until all botnets evolve into true P2P botnets. So, for the present, FIRE's results are likely a lower bound, but a fairly accurate one, on the true extent of the problem. Also, one must keep in mind that an ISP like Verizon has little control over subscribers' computers in their homes compared to an ISP whose clients lease a server or virtual server in a datacenter. But FIRE's results can still be useful as a qualitative measure of an ISP's security, ethical, and reputation mindset.

Let's compare hosting companies for instance. Here's

The Planet AS 21844
GoDaddy.com AS 26496
Rackspace AS 33070
Rackspace AS 10532
Rackspace AS 27357
Terremark Worldwide (all)

Clearly, some providers care more than others about who their clients are. Rackspace looks a bit dirty, but they host a larger network than the others. They are relatively clean compared to The Planet or GoDaddy.com.



Monday, August 30, 2010

Building A Nation of Know-Nothings

Building a Nation of Know-Nothings courtesy of Timothy Egan of The New York Times. In other words, don't believe someone just because they are a personality. Question authority and come to your own conclusions after researching the subject.



Apple Genome Sequenced

Malus sieversii, native to the mountains of southern Kazakhstan, is the wild ancestor of the domestic apple tree according to the Malus domestica genomic sequence. Perhaps we will be wise enough to save the ancestral species in order to breed better, tastier apples. The genomic sequence will now allow plant breeders to fine-tune their breeding. They can do it without genetic modification, but it is a tedious process. Sooner or later, the apples you eat will be a genetically engineered crop, because genetic engineering is a more exact process: one is only adding a known gene here and there instead of a portion of a chromosome here and there which contains a slew of genes, likely including some you don't want along with the one you did want. It's kind of funny that botanists were still arguing over the ancestor of the apple until now. At least that argument is put to rest.



Dionaea, First Impressions

Dionaea is a new honeypot application, the successor to Nepenthes, a low interaction honeypot. Dionaea is still a bit rough around the edges. The compiling and installation instructions are quite good. On a Debian or Ubuntu distribution, though, I would not perform the optional step of installing openssl via cvs. When I did, I got a segmentation fault in the libcrypto.so library. I did get dionaea to work on the second attempt on a clean Ubuntu 10.04 x86_64 virtual machine. Installing the OS and the application takes about 1.5 hours. I am having trouble accessing the sqlite database. The readlogsqltree.py script works once you copy the modules directory from where you built it into the /opt/dionaea directory and point the script to that location. However, I got no output or errors. Documentation is almost nonexistent since the application is still essentially alpha code. The honeypot is working according to dionaea.log, but the dionaea.log file is even more cryptic than nepenthes.log.

Here are some preliminary data:

grep established dionaea.log | grep -v debug | grep -v 192.168.1.8 | awk '{ print $1, $2, $8 }' | uniq -c | sort -n | grep -v established | grep -v binding.c
1 [29082010 16:37:39] [192.168.1.12:135->71.53.70.248:1861]
1 [29082010 16:37:40] [192.168.1.12:135->71.53.70.248:1861]
1 [29082010 16:37:40] [192.168.1.12:135->71.53.70.248:2047]
1 [29082010 16:37:40] [192.168.1.12:135->71.53.70.248:2047]
1 [29082010 16:37:40] [192.168.1.12:59895->71.53.70.248:0]
1 [29082010 16:38:14] [192.168.1.12:445->71.123.126.104:3062]
1 [29082010 20:38:58] [192.168.1.12:80->77.220.185.190:59894]
1 [29082010 20:38:59] [192.168.1.12:80->77.220.185.190:59894]
1 [29082010 21:38:15] [192.168.1.12:1957->71.123.126.104:3865]
1 [29082010 21:38:16] [192.168.1.12:1957->71.123.126.104:3865]
1 [29082010 21:38:16] [192.168.1.12:40904->]
1 [29082010 21:38:16] [192.168.1.12:40904->71.123.126.104:22352]
1 [29082010 21:38:16] [192.168.1.12:445->71.123.126.104:3062]
1 [29082010 21:38:26] [192.168.1.12:40904->71.123.126.104:22352]
1 [29082010 21:39:40] [192.168.1.12:59895->71.53.70.248:69]
1 [29082010 21:44:38] [192.168.1.12:445->71.97.10.85:50973]
1 [29082010 21:44:40] [192.168.1.12:445->71.97.10.85:50973]
1 [29082010 21:52:07] [192.168.1.12:135->222.186.27.80:4716]
1 [29082010 21:52:08] [192.168.1.12:135->222.186.27.80:4716]
2 [29082010 16:37:39] [192.168.1.12:135->71.53.70.248:1796]
2 [29082010 16:37:40]
2 [29082010 16:38:14] [192.168.1.12:445->71.123.126.104:2950]
2 [29082010 20:38:38] [192.168.1.12:80->77.220.185.190:56928]
2 [29082010 20:38:38] [192.168.1.12:80->77.220.185.190:56979]
2 [29082010 20:38:39] [192.168.1.12:80->77.220.185.190:57031]
2 [29082010 20:38:39] [192.168.1.12:80->77.220.185.190:57084]
2 [29082010 20:38:39] [192.168.1.12:80->77.220.185.190:57140]
2 [29082010 20:38:40] [192.168.1.12:80->77.220.185.190:57199]
2 [29082010 20:38:40] [192.168.1.12:80->77.220.185.190:57256]
2 [29082010 20:38:41] [192.168.1.12:80->77.220.185.190:57312]
2 [29082010 20:38:41] [192.168.1.12:80->77.220.185.190:57364]
2 [29082010 20:38:41] [192.168.1.12:80->77.220.185.190:57419]
2 [29082010 20:38:42] [192.168.1.12:80->77.220.185.190:57475]
2 [29082010 20:38:42] [192.168.1.12:80->77.220.185.190:57523]
2 [29082010 20:38:43] [192.168.1.12:80->77.220.185.190:57583]
2 [29082010 20:38:43] [192.168.1.12:80->77.220.185.190:57643]
2 [29082010 20:38:43] [192.168.1.12:80->77.220.185.190:57704]
2 [29082010 20:38:44] [192.168.1.12:80->77.220.185.190:57762]
2 [29082010 20:38:44] [192.168.1.12:80->77.220.185.190:57817]
2 [29082010 20:38:45] [192.168.1.12:80->77.220.185.190:57873]
2 [29082010 20:38:45] [192.168.1.12:80->77.220.185.190:57934]
2 [29082010 20:38:45] [192.168.1.12:80->77.220.185.190:57987]
2 [29082010 20:38:46] [192.168.1.12:80->77.220.185.190:58045]
2 [29082010 20:38:46] [192.168.1.12:80->77.220.185.190:58101]
2 [29082010 20:38:47] [192.168.1.12:80->77.220.185.190:58161]
2 [29082010 20:38:47] [192.168.1.12:80->77.220.185.190:58214]
2 [29082010 20:38:47] [192.168.1.12:80->77.220.185.190:58262]
2 [29082010 20:38:48] [192.168.1.12:80->77.220.185.190:58322]
2 [29082010 20:38:48] [192.168.1.12:80->77.220.185.190:58373]
2 [29082010 20:38:49] [192.168.1.12:80->77.220.185.190:58447]
2 [29082010 20:38:49] [192.168.1.12:80->77.220.185.190:58505]
2 [29082010 20:38:49] [192.168.1.12:80->77.220.185.190:58565]
2 [29082010 20:38:50] [192.168.1.12:80->77.220.185.190:58626]
2 [29082010 20:38:50] [192.168.1.12:80->77.220.185.190:58681]
2 [29082010 20:38:51] [192.168.1.12:80->77.220.185.190:58735]
2 [29082010 20:38:51] [192.168.1.12:80->77.220.185.190:58793]
2 [29082010 20:38:51] [192.168.1.12:80->77.220.185.190:58850]
2 [29082010 20:38:52] [192.168.1.12:80->77.220.185.190:58909]
2 [29082010 20:38:52] [192.168.1.12:80->77.220.185.190:58964]
2 [29082010 20:38:53] [192.168.1.12:80->77.220.185.190:59024]
2 [29082010 20:38:53] [192.168.1.12:80->77.220.185.190:59080]
2 [29082010 20:38:53] [192.168.1.12:80->77.220.185.190:59133]
2 [29082010 20:38:54] [192.168.1.12:80->77.220.185.190:59201]
2 [29082010 20:38:54] [192.168.1.12:80->77.220.185.190:59250]
2 [29082010 20:38:55] [192.168.1.12:80->77.220.185.190:59310]
2 [29082010 20:38:55] [192.168.1.12:80->77.220.185.190:59371]
2 [29082010 20:38:55] [192.168.1.12:80->77.220.185.190:59429]
2 [29082010 20:38:56] [192.168.1.12:80->77.220.185.190:59490]
2 [29082010 20:38:56] [192.168.1.12:80->77.220.185.190:59544]
2 [29082010 20:38:56] [192.168.1.12:80->77.220.185.190:59600]
2 [29082010 20:38:57] [192.168.1.12:80->77.220.185.190:59656]
2 [29082010 20:38:57] [192.168.1.12:80->77.220.185.190:59714]
2 [29082010 20:38:58] [192.168.1.12:80->77.220.185.190:59773]
2 [29082010 20:38:58] [192.168.1.12:80->77.220.185.190:59834]
2 [29082010 20:38:59] [192.168.1.12:80->77.220.185.190:59963]
2 [29082010 20:38:59] [192.168.1.12:80->77.220.185.190:60017]
2 [29082010 20:39:00] [192.168.1.12:80->77.220.185.190:60078]
2 [29082010 20:39:00] [192.168.1.12:80->77.220.185.190:60131]
2 [29082010 20:39:00] [192.168.1.12:80->77.220.185.190:60187]
2 [29082010 20:39:01] [192.168.1.12:80->77.220.185.190:60250]
2 [29082010 20:39:01] [192.168.1.12:80->77.220.185.190:60313]
2 [29082010 20:39:02] [192.168.1.12:80->77.220.185.190:60373]
2 [29082010 20:39:02] [192.168.1.12:80->77.220.185.190:60431]
2 [29082010 20:39:02] [192.168.1.12:80->77.220.185.190:60491]
2 [29082010 20:39:03] [192.168.1.12:80->77.220.185.190:60553]
2 [29082010 20:39:03] [192.168.1.12:80->77.220.185.190:60614]
2 [29082010 20:39:04] [192.168.1.12:80->77.220.185.190:60676]
2 [29082010 20:39:04] [192.168.1.12:80->77.220.185.190:60745]
2 [29082010 20:39:05] [192.168.1.12:80->77.220.185.190:60805]
2 [29082010 20:39:05] [192.168.1.12:80->77.220.185.190:60867]
2 [29082010 20:39:05] [192.168.1.12:80->77.220.185.190:60925]
2 [29082010 20:39:06] [192.168.1.12:80->77.220.185.190:32812]
2 [29082010 20:39:06] [192.168.1.12:80->77.220.185.190:32871]
2 [29082010 20:39:06] [192.168.1.12:80->77.220.185.190:60990]
2 [29082010 20:39:07] [192.168.1.12:80->77.220.185.190:32935]
2 [29082010 20:39:07] [192.168.1.12:80->77.220.185.190:32999]
2 [29082010 20:39:08] [192.168.1.12:80->77.220.185.190:33061]
2 [29082010 20:39:08] [192.168.1.12:80->77.220.185.190:33120]
2 [29082010 20:39:08] [192.168.1.12:80->77.220.185.190:33177]
2 [29082010 20:39:09] [192.168.1.12:80->77.220.185.190:33233]
2 [29082010 20:39:09] [192.168.1.12:80->77.220.185.190:33302]
2 [29082010 20:39:10] [192.168.1.12:80->77.220.185.190:33369]
2 [29082010 20:39:10] [192.168.1.12:80->77.220.185.190:33427]
2 [29082010 20:39:11] [192.168.1.12:80->77.220.185.190:33497]
2 [29082010 20:39:11] [192.168.1.12:80->77.220.185.190:33556]
2 [29082010 20:39:11] [192.168.1.12:80->77.220.185.190:33614]
2 [29082010 20:39:12] [192.168.1.12:80->77.220.185.190:33674]
2 [29082010 20:39:12] [192.168.1.12:80->77.220.185.190:33732]
2 [29082010 20:39:13] [192.168.1.12:80->77.220.185.190:33795]
2 [29082010 20:39:13] [192.168.1.12:80->77.220.185.190:33855]
2 [29082010 20:39:13] [192.168.1.12:80->77.220.185.190:33914]
2 [29082010 20:39:14] [192.168.1.12:80->77.220.185.190:33977]
2 [29082010 20:39:14] [192.168.1.12:80->77.220.185.190:34039]
2 [29082010 20:39:15] [192.168.1.12:80->77.220.185.190:34102]
2 [29082010 20:39:15] [192.168.1.12:80->77.220.185.190:34161]
2 [29082010 20:39:15] [192.168.1.12:80->77.220.185.190:34221]
2 [29082010 20:39:16] [192.168.1.12:80->77.220.185.190:34282]
2 [29082010 20:39:16] [192.168.1.12:80->77.220.185.190:34341]
2 [29082010 20:39:17] [192.168.1.12:80->77.220.185.190:34406]
2 [29082010 20:39:17] [192.168.1.12:80->77.220.185.190:34467]
2 [29082010 20:39:17] [192.168.1.12:80->77.220.185.190:34525]
2 [29082010 20:39:18] [192.168.1.12:80->77.220.185.190:34592]
2 [29082010 20:56:51] [192.168.1.12:80->64.126.23.234:53897]
2 [29082010 21:44:38] [192.168.1.12:445->71.97.10.85:50969]
2 [29082010 23:20:25] [192.168.1.12:1433->61.164.148.33:5002]

grep established dionaea.log | grep -v debug | grep -v 192.168.1.8 | awk '{ print $1, $2, $8 }' | uniq -c | sort -n | grep -v established | grep -v binding.c | grep 77.220.185.190 | wc -l
102

IP address 77.220.185.190 performed 102 attacks on port 80 in 40 seconds. It was obviously an automated attack, but I have no idea what tool performed it. The IP address maps to Moscow, Russia, at the MNOGOBYTE colocation service.
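The grep/awk/uniq pipeline above gets the job done, but tallying hits per attacker and spotting a burst like the one from 77.220.185.190 is easier with a small parser. The following Python script is an added example, not part of the original post and not dionaea's own code: it reads the summarised "established" lines in the format the pipeline prints (with the optional uniq -c count in front), counts hits per attacking IP and per honeypot port, skips the analyst's own host 192.168.1.8 the way the pipeline's grep -v does, and flags any source that hits one port at least N times inside a sliding time window. The sample lines are copied from the output above, plus one constructed line from 192.168.1.8 to exercise the filter.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# One summarised dionaea "established" line as the post's grep/awk pipeline
# prints it, optionally prefixed by a 'uniq -c' count:
#   2 [29082010 20:38:38] [192.168.1.12:80->77.220.185.190:56928]
LINE_RE = re.compile(
    r"^\s*(?:(\d+)\s+)?"                                            # optional uniq -c count
    r"\[(\d{8}) (\d{2}:\d{2}:\d{2})\]\s+"                           # [ddmmyyyy HH:MM:SS]
    r"\[(\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)\]"   # [honeypot:port->remote:port]
)


def parse_records(lines, ignore=("192.168.1.8",)):
    """Yield (count, timestamp, honeypot_port, remote_ip) for every complete
    connection line. Half-formed entries such as '[192.168.1.12:40904->]' and
    connections from the analyst's own hosts (the post filters 192.168.1.8)
    are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        count, date, clock, _lip, lport, rip, _rport = m.groups()
        if rip in ignore:
            continue
        ts = datetime.strptime(date + " " + clock, "%d%m%Y %H:%M:%S")
        yield int(count or 1), ts, int(lport), rip


def summarise(lines):
    """Hit counts per attacking IP and per honeypot port, weighted by the
    uniq -c count so duplicate lines are not undercounted."""
    by_attacker, by_port = Counter(), Counter()
    for count, _ts, lport, rip in parse_records(lines):
        by_attacker[rip] += count
        by_port[lport] += count
    return by_attacker, by_port


def find_bursts(lines, min_hits=10, window=timedelta(seconds=60)):
    """Sources that hit one honeypot port at least min_hits times inside a
    sliding window. Returns {(remote_ip, port): (hits, seconds spanned)} with
    the largest burst seen for each pair; this is the 'N attacks in M seconds'
    pattern the post observed for 77.220.185.190 on port 80."""
    stamps = defaultdict(list)
    for count, ts, lport, rip in parse_records(lines):
        stamps[(rip, lport)].extend([ts] * count)
    bursts = {}
    for key, times in stamps.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= min_hits and hits > bursts.get(key, (0, 0.0))[0]:
                bursts[key] = (hits, (times[end] - times[start]).total_seconds())
    return bursts


# Sample input: lines copied from the post's output, plus one constructed line
# from 192.168.1.8 (the analyst's machine) to show the filter at work.
SAMPLE_LOG = """\
[29082010 21:44:40] [192.168.1.12:445->71.97.10.85:50973]
[30082010 20:24:05] [192.168.1.12:445->71.96.233.69:1370]
[30082010 20:38:19] [192.168.1.12:445->71.97.151.10:3401]
[31082010 20:06:06] [192.168.1.12:445->71.96.77.124:54794]
[29082010 21:44:38] [192.168.1.12:445->71.97.10.85:50969]
[30082010 18:02:09] [192.168.1.12:135->71.91.137.62:2013]
[31082010 16:37:35] [192.168.1.12:80->71.96.77.124:53541]
1 [29082010 21:38:16] [192.168.1.12:40904->]
2 [29082010 20:38:38] [192.168.1.12:80->77.220.185.190:56928]
2 [29082010 20:38:38] [192.168.1.12:80->77.220.185.190:56979]
2 [29082010 20:38:39] [192.168.1.12:80->77.220.185.190:57031]
2 [29082010 20:38:39] [192.168.1.12:80->77.220.185.190:57084]
2 [29082010 20:38:40] [192.168.1.12:80->77.220.185.190:57199]
2 [29082010 20:38:41] [192.168.1.12:80->77.220.185.190:57312]
1 [29082010 16:38:14] [192.168.1.12:445->192.168.1.8:3062]
""".splitlines()

if __name__ == "__main__":
    attackers, ports = summarise(SAMPLE_LOG)
    print("per attacker:", attackers.most_common())
    print("per honeypot port:", dict(ports))
    print("bursts:", find_bursts(SAMPLE_LOG))
```

To run it over a real log, feed it the output of the post's pipeline (everything up to the sort -n step) instead of SAMPLE_LOG; the window and threshold are arguments, so a slower scanner can be caught by widening the window.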

grep sip dionaea.log
[29082010 19:50:44] sip dionaea/sip.py:827-info: SIP Session created
[29082010 19:50:44] sip dionaea/sip.py:801-debug: ('192.168.1.12', 5060, '202.103.52.147', 5060): b'OPTIONS sip:100@ SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.9:5060;branch=z9hG4bK-24798344;rport\r\nContent-Length: 0\r\nFrom: "sipsscuser"; tag=47165868797092908688927622311368018385018985010\r\nAccept: application/sdp\r\nUser-Agent: sundayddr\r\nTo: "sipssc"\r\nContact: sip:100@192.168.1.9:5060\r\nCSeq: 1 OPTIONS\r\nCall-ID: 267264826399318751054824843\r\nMax-Forwards: 70\r\n\r\n'
[29082010 19:50:44] sip dionaea/sip.py:1072-info: Received OPTIONS
[29082010 19:50:44] sip dionaea/sip.py:898-debug: Sending message "SIP/2.0 200 OK
To: "sipsscuser"; tag=47165868797092908688927622311368018385018985010
From: 100
Contact: 100
[29082010 19:50:44] sip dionaea/sip.py:962-debug: io_in: returning 409
[30082010 01:15:34] sip dionaea/sip.py:827-info: SIP Session created
[30082010 01:15:34] sip dionaea/sip.py:801-debug: ('192.168.1.12', 5060, '125.88.105.44', 5060): b'OPTIONS sip:100@ SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.9:5060;branch=z9hG4bK-13198307;rport\r\nContent-Length: 0\r\nFrom: "sipsscuser"; tag=19358999374944096893129611830352363137663012687\r\nAccept: application/sdp\r\nUser-Agent: sundayddr\r\nTo: "sipssc"\r\nContact: sip:100@192.168.1.9:5060\r\nCSeq: 1 OPTIONS\r\nCall-ID: 267264826399345328022532865\r\nMax-Forwards: 70\r\n\r\n'
[30082010 01:15:34] sip dionaea/sip.py:1072-info: Received OPTIONS
[30082010 01:15:34] sip dionaea/sip.py:898-debug: Sending message "SIP/2.0 200 OK
To: "sipsscuser"; tag=19358999374944096893129611830352363137663012687
From: 100
Contact: 100


Dionaea can handle SIP attacks. Some people in China (202.103.52.147 maps to the CHINANET Hubei province network and 125.88.105.44 maps to the CHINANET Guangdong province network) have modified sipvicious, altered the User-Agent to sundayddr, and are probing various networks looking for private PBXs to hijack.
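The sip.py debug lines above log the whole OPTIONS datagram as a Python bytes literal, so a few lines of Python can pull out the request line and headers and match the User-Agent against known scanner strings. This is an added example, not code from the post or from dionaea: it decodes the logged literal with ast.literal_eval, splits the SIP request into method, URI and headers, and reports probes whose User-Agent is on a small watch list. The sundayddr entry comes from the post; friendly-scanner is the stock sipvicious User-Agent, added from general knowledge rather than from the post. The sample log is the two probes shown above plus one info line.

```python
import ast
import re

# User-Agent strings that identify SIP enumeration tools. "sundayddr" is the
# modified sipvicious agent seen in the post; "friendly-scanner" is the stock
# sipvicious default (general knowledge, not from the post).
SCANNER_USER_AGENTS = {
    "sundayddr": "modified sipvicious",
    "friendly-scanner": "stock sipvicious",
}

# A dionaea sip.py debug line carries (local ip, local port, remote ip, remote
# port) and then the raw datagram as a Python bytes literal.
DEBUG_RE = re.compile(r"\('([\d.]+)', (\d+), '([\d.]+)', (\d+)\): (b'.*')\s*$")


def parse_sip_request(raw):
    """Split a SIP request datagram into (method, request_uri, {header: value}).
    Header names are lower-cased so lookups do not depend on the sender's casing."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def classify_sip_log_line(line):
    """Describe the probe on one sip.py debug line, or None for other lines."""
    m = DEBUG_RE.search(line)
    if not m:
        return None
    _lip, _lport, rip, rport, literal = m.groups()
    raw = ast.literal_eval(literal)  # turns b'...\r\n...' back into real bytes
    method, uri, headers = parse_sip_request(raw)
    ua = headers.get("user-agent", "")
    return {
        "remote_ip": rip,
        "remote_port": int(rport),
        "method": method,
        "uri": uri,
        "user_agent": ua,
        "from": headers.get("from", ""),
        "scanner": SCANNER_USER_AGENTS.get(ua),
    }


def scan_log(lines):
    """Probes from known scanners, one dict per matching log line."""
    hits = []
    for line in lines:
        rec = classify_sip_log_line(line)
        if rec and rec["scanner"]:
            hits.append(rec)
    return hits


# Sample input: the two OPTIONS probes logged in the post plus one info line.
# A raw string keeps the \r\n escapes intact until ast.literal_eval decodes them.
SAMPLE_SIP_LOG = r"""
[29082010 19:50:44] sip dionaea/sip.py:827-info: SIP Session created
[29082010 19:50:44] sip dionaea/sip.py:801-debug: ('192.168.1.12', 5060, '202.103.52.147', 5060): b'OPTIONS sip:100@ SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.9:5060;branch=z9hG4bK-24798344;rport\r\nContent-Length: 0\r\nFrom: "sipsscuser"; tag=47165868797092908688927622311368018385018985010\r\nAccept: application/sdp\r\nUser-Agent: sundayddr\r\nTo: "sipssc"\r\nContact: sip:100@192.168.1.9:5060\r\nCSeq: 1 OPTIONS\r\nCall-ID: 267264826399318751054824843\r\nMax-Forwards: 70\r\n\r\n'
[30082010 01:15:34] sip dionaea/sip.py:801-debug: ('192.168.1.12', 5060, '125.88.105.44', 5060): b'OPTIONS sip:100@ SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.9:5060;branch=z9hG4bK-13198307;rport\r\nContent-Length: 0\r\nFrom: "sipsscuser"; tag=19358999374944096893129611830352363137663012687\r\nAccept: application/sdp\r\nUser-Agent: sundayddr\r\nTo: "sipssc"\r\nContact: sip:100@192.168.1.9:5060\r\nCSeq: 1 OPTIONS\r\nCall-ID: 267264826399345328022532865\r\nMax-Forwards: 70\r\n\r\n'
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_SIP_LOG):
        print(hit["remote_ip"], hit["method"], hit["uri"], hit["user_agent"], "->", hit["scanner"])
```

Matching on User-Agent alone is a weak signal, since the string is trivially changed (which is exactly what happened here); the From/To values and the bare "sip:100@" request URI are worth watching as a second indicator if the agent string changes again.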

Dionaea is quite promising, but it's still very much a work in progress. It'll be a while before there's a Debian or RPM binary package for it.



Thursday, August 26, 2010

Tiger Cub Found in Woman's Luggage

Thai officials found a sedated live two month old tiger cub in a woman's luggage. She was trying to smuggle the cub out of the country. The woman was boarding a flight to Iran, but it is not known what the final destination for the cub was. If it was a wild tiger cub, it's likely an orphan now. Traffic.org has a blurb about the cub, and they were the organization that supplied the photo to the news outlets. Here's an update from the BBC.



Paul McLeary Interview on the Arctic Arms Race



The entire Keiser Report is at this link. I have edited out the first part of the show which is opinion and news commentary. While the Russians are in the best position currently to exploit the Arctic, the Chinese have started building icebreakers as well which I find surprising. Paul McLeary's blog, War, Security, COIN, and Stuff is a blog specializing on American national security.



Wednesday, August 25, 2010

SIPRNet and JWICS were Massively Infected in 2008

Wired has a story about how the US military's secure networks were compromised by a known worm from 2007 via USB thumb drives in 2008. Here are some thoughts below.

Suggested solutions to the military's network security problems:

1. Quit issuing Windows laptops to people who use secret military networks. Make them use Linux (Ubuntu/RedHat), Apple OS, FreeBSD, anything but Windows. That cheap operating system can be replaced by an even cheaper one that is not as vulnerable and the government has people who can make the OS secure and as easy to use as Windows.

2. If you can't stop people from using Windows, then issue them a CD like the F-Secure Rescue CD. Customize the CD so that it writes a log file to the hard drive every time it is used. Have a Windows login script running on sensitive networks that queries for the presence of the file and checks that the hard drive was scanned within the last 24 hours or some defined time interval. If the results are negative, access is only allowed for the F-Secure CD to download up-to-date virus definitions for scanning. The user is denied access until the system is checked and verified. It won't entirely stop infections from occurring, since a virus or worm that is not in the passive scanner's database will not be discovered, but it will stop a lot of trivial and known attacks.

3. Do not have your secret military network directly connected to the wider Internet.

4. Run honeypots on the network. Any IP address that connects to them and uploads a worm should be immediately knocked off the sensitive network (DHCP lease revoked or switch port turned off. Yes, the technology exists.) A message should be sent to the infected system telling the user to contact IT Security immediately.

5. Diversify your servers and harden them. Have a separate Windows domain for laptop systems to authenticate to as an additional safeguard to protect your Windows DCs on the main secure networks. Use Samba or a commercial solution that uses Samba for the domain controller if possible. That way, if the domain controllers are compromised on the laptop domain, you only have to rebuild those domain controllers and not your primary domain controllers on the main networks. I have seen a very secure network compromised by one compromised laptop and the only fix was to rebuild the domain controllers and change everyone's passwords. That's a lot of work for one slip up.

Links:
1. F-Secure Rescue CD
2. Adaptive Network Countermeasures
3. Adaptive Network Countermeasures Slide Presentation
4. Samba



Sunday, August 22, 2010

Sugar: The Bitter Truth



Fructose is a toxin like alcohol, but you don't even get a buzz from the high. This is a 1.5 hour long lecture and it has quite a bit of biochemistry. The take-home lessons are:

1. There's so much sugar in soft drinks to cover up the taste of the salt. The elevated salt is to make the drinker thirstier.
2. Fructose stimulates lipid biosynthesis in the liver.
3. Fructose turns off hepatic insulin signal recognition which leads to Type II diabetes.
4. These fructose effects lead to more hypertension and cardiovascular disease from increased fat.

The solution is drink more water, eat more fiber, and exercise more to change your liver metabolism. Exercise will not burn enough fat, but it prevents the fat from being made from the fructose.



Thursday, August 19, 2010

Sharpie Liquid Pencil

It's a pen. No, it's a pencil!



Tuesday, August 17, 2010

Flashplugin Woes

If your flash player suddenly quit functioning in your Firefox browser and you run a 64-bit version of Debian Linux, visit this Flashplayer wiki for the fixes.



Be Serene and Patient

From The Daily Zen:

Don't be surprised,
Don't be startled;
All things will arrange
Themselves.
Don't cause a disturbance,
Don't exert pressure;
All things will clarify
Themselves.


- Huai-nan-tzu



Hostile Traffic

Attacks script:

#!/bin/bash
# Parses /var/log/nepenthes.log for inbound connections to the honeypot and
# summarises them by service. The honeypot's IP address is taken from ifconfig
# (first non-loopback address) so the script can run on the honeypot itself.
IPADDR=$(ifconfig -a | grep "inet addr:" | grep -v 127.0.0.1 | awk '{ print $2 }' | sed -e 's/^addr://' | head -1)
#Debugging $IPADDR variable
#echo "$IPADDR"
echo "This script parses the nepenthes.log file for various attacks."
echo "It uses the IP address of the honeypot that created that log file"
sleep 1s
echo Listing of Attacks
echo "Date Attacker:Port Honeypot:Port"
echo ----------------------------------------------------------
# Keep the accepted-connection lines, drop nepenthes' own socket chatter, and
# print the timestamp (fields 1-2) and the attacker -> honeypot endpoints (fields 9-11).
grep accept /var/log/nepenthes.log | grep -v TCPSocket::acceptConnection | grep -v "spam net handler" | grep -v "debug net mgr" | grep -v "Connection Socket" | awk '{ print $1, $2, $3="", $9, $10, $11 }' | grep -v logged > /tmp/connect.tmp
grep "$IPADDR" /tmp/connect.tmp > /tmp/attacks.log
rm -f /tmp/connect.tmp
cat /tmp/attacks.log
echo ----------------------------------------------------------
echo Approximate number of attacks:
wc -l < /tmp/attacks.log
echo ----------------------------------------------------------
# Per-service top lists. The port is anchored with $ so that :25 does not also
# match :2525 and :80 does not match :8080; the attacker's source port is
# stripped before counting so each host is counted once per connection.
echo Listing of Top 25 FTP Attacks
echo "# of Attacks IP Address of Attacker "
echo ----------------------------------------------------------
grep "$IPADDR:21$" /tmp/attacks.log | awk '{ print $3 }' | sed -e 's/:[0-9]*$//' | sort | uniq -c | sort -n | tail -25
echo ----------------------------------------------------------
echo Listing of Top 25 SMTP Attacks
echo "# of Attacks IP Address of Attacker "
echo ----------------------------------------------------------
grep "$IPADDR:25$" /tmp/attacks.log | awk '{ print $3 }' | sed -e 's/:[0-9]*$//' | sort | uniq -c | sort -n | tail -25
echo ----------------------------------------------------------
echo Listing of 25 HTTP Attacks
echo "# of Attacks IP Address of Attacker "
echo ----------------------------------------------------------
grep "$IPADDR:80$" /tmp/attacks.log | awk '{ print $3 }' | sed -e 's/:[0-9]*$//' | sort | uniq -c | sort -n | tail -25
echo ----------------------------------------------------------


Using the above script which parses the /var/log/nepenthes.log file, one can get a summary of attacks on the honeypot. There appears to be a lot of traffic on the DCOM Service Control Manager port, port 135, after filtering out false positives from my laptop connecting to the honeypot due to the nmap test scans from yesterday.

root@apollo:~# ./attacks | grep :135 | grep -v 192.168.1.14:
[16082010 19:59:18 71.14.44.68:1810 -> 192.168.1.6:135
[16082010 19:59:18 71.14.44.68:4422 -> 192.168.1.6:135
[16082010 23:13:13 222.186.24.11:4613 -> 192.168.1.6:135
[16082010 23:13:14 222.186.24.11:4706 -> 192.168.1.6:135
[17082010 00:40:57 71.53.68.156:4936 -> 192.168.1.6:135
[17082010 00:40:57 71.53.68.156:1052 -> 192.168.1.6:135
[17082010 00:40:58 71.53.68.156:1256 -> 192.168.1.6:135
[17082010 04:15:17 71.55.245.220:2317 -> 192.168.1.6:135
[17082010 04:15:18 71.55.245.220:2336 -> 192.168.1.6:135
[17082010 04:15:18 71.55.245.220:2408 -> 192.168.1.6:135
[17082010 08:03:46 66.109.27.101:1617 -> 192.168.1.6:135
[17082010 08:03:49 66.109.27.101:2557 -> 192.168.1.6:135
[17082010 11:03:02 222.45.112.221:2359 -> 192.168.1.6:135
[17082010 11:03:03 222.45.112.221:2454 -> 192.168.1.6:135
[17082010 12:01:24 71.41.99.54:2899 -> 192.168.1.6:135
[17082010 12:01:25 71.41.99.54:3063 -> 192.168.1.6:135
[17082010 12:01:25 71.41.99.54:3175 -> 192.168.1.6:135
[17082010 13:49:17 71.41.107.253:4482 -> 192.168.1.6:135
[17082010 13:49:18 71.41.107.253:4512 -> 192.168.1.6:135
[17082010 13:49:18 71.41.107.253:4580 -> 192.168.1.6:135

Here's a summary thus far of attacks against common ports:

----------------------------------------------------------
Listing of Top 25 FTP Attacks
# of Attacks IP Address of Attacker
----------------------------------------------------------
1 221.226.17.14
6 125.45.109.166
----------------------------------------------------------
Listing of Top 25 SMTP Attacks
# of Attacks IP Address of Attacker
----------------------------------------------------------

----------------------------------------------------------
Listing of 25 HTTP Attacks
# of Attacks IP Address of Attacker
----------------------------------------------------------
2 88.191.70.74
----------------------------------------------------------

Please note that the script doesn't discriminate between a port enumeration scan and an attack. However, since the system is a honeypot, almost all external connections to it can be considered hostile in intent.

Here are the infected systems that attempted to upload a worm payload to the honeypot.

root@apollo:~# ./total*
All Infected Systems Sorted by Virulence
Events IP Address
==================
1 58.53.128.61
1 71.41.107.253
1 71.41.231.251
1 71.41.99.54
1 71.55.245.220
1 71.91.137.62
2 125.45.109.166
2 71.53.68.156
4 58.218.204.110

There is one variant of worm propagating on my ISP's subnet (Verizon.net).

root@apollo:~# cd /var/lib/nepenthes/binaries
root@apollo:/var/lib/nepenthes/binaries# clamscan .
./f8815cdca238ad5ab566f05f5a6335a4: Trojan.Agent-167520 FOUND
./bb39f29fad85db12d9cf7195da0e1bfe: Trojan.Agent-167520 FOUND
./14a09a48ad23fe0ea5a180bee8cb750a: Trojan.Agent-167520 FOUND

Searching www.virustotal.com with one of the hashes shows that the trojan is well known, and analyzing it with CWSandbox shows it to be almost three years old. These systems are owned (compromised) and likely don't have current antivirus software installed on them. Considering that free AV products such as Clamwin or AVG exist, this is a shame, as it gives the crooks a toehold unless Verizon is blocking the traffic, which is doubtful. I have no idea whether the Command and Control server for this trojan is still functional.

I am hoping that my modified version of nepenthes is fully functional. If it cannot download hexdumps of shellcode attacks, I'll be forced to uninstall the modified modules and replace them with the normal modules that can be enumerated by nmap.



Unemployment By County From 2007-2010

Graphical depiction of unemployment rates by county from January 2007 to May 2010.



Modifying Nepenthes to Prevent Nmap Enumeration

I decided to build a Linux KVM honeypot using nepenthes. From earlier tests, I knew that nmap could detect a nepenthes honeypot via a string in the fake FTPd service. Unfortunately, a second signature has been added. The two signatures in the nmap-service-probes file are:

match ftp m|^220 ---freeFTPd 1\.0---warFTPd 1\.65---\r\n| p/Nepenthes HoneyTrap fake vulnerable ftpd/ ,

and

match netbios-ssn m|^\x82\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$| p/Nepenthes fake honeypot netbios-ssn/ .

One can use a hex editor to alter the affected string in the vuln-ftpd.so binary, but it's practically impossible to do the same for the vuln-netdde.so binary. Therefore, I undertook the exercise of modifying the source code. After wasting several hours modifying the original source code, I finally found an easy solution. It should take less than an hour to modify and build a nepenthes Debian binary package with these directions assuming that the source code isn't too old using the g++-4.4 compiler.

1. Uncomment the deb-src entry in /etc/apt/sources.list or debian.list in /etc/apt/sources.list.d. Then type the following commands to create a directory and download the source:

# mkdir -p /tmp/source
# cd /tmp/source
# apt-get update ; apt-get source nepenthes

2. You will then have a new subdirectory called nepenthes-0.2.2 and three other files called nepenthes_0.2.2-5.diff.gz, nepenthes_0.2.2.orig.tar.gz, and nepenthes_0.2.2-5.dsc.

3. Install the following files to meet any package dependencies:

# apt-get install libcurl3-dev libmagic-dev libpcre3-dev libadns1-dev libpcap0.8-dev iptables-dev autoconf automake1.9 autotools-dev libtool libpcap-dev libssh-dev bison flex libcap2-dev dpatch

4. Change directory to nepenthes-0.2.2/modules/vuln-ftpd

# cd nepenthes-0.2.2/modules/vuln-ftpd

5. Using your favorite editor, alter the following line in vuln-ftpd.cpp,

const char * banner1 = "220 ---freeFTPd 1.0---warFTPd 1.65---\r\n";
to
const char * banner1 = "220 ---fbsdFTPd 1.0---warFTPd 1.65---\r\n";

6. Repeat steps four and five on the NETDDEDialogue.cpp file in the vuln-netdde module subdirectory (../nepenthes-0.2.2/modules/vuln-netdde/NETDDEDialogue.cpp). In the following switch statement,

case NETDDE_NULL:
{
char reply[64];
memset(reply,0,64);
reply[0]=0x82;
msg->getResponder()->doRespond(reply,64);
m_State = NETDDE_SHELLCODE;
}
break;

change reply[0]=0x82; to reply[0]=0x81; so that it looks like this:

case NETDDE_NULL:
{
char reply[64];
memset(reply,0,64);
reply[0]=0x81;
msg->getResponder()->doRespond(reply,64);
m_State = NETDDE_SHELLCODE;
}
break;

7. Repeat step 6 on the MSMQDialogue.cpp file in the vuln-msmq module. The same switch statement was also used in that file as well. If you don't change it, the netbios-ssn nmap signature will be triggered on tcp ports 2103, 2105, and 2107.

case MSMQ_NULL:
{
char reply[64];
memset(reply,0,64);
reply[0]=0x82;
msg->getResponder()->doRespond(reply,64);
m_State = MSMQ_SHELLCODE;
m_Buffer->clear();

}
break;

Change reply[0]=0x82; to reply[0]=0x81; so that it looks like this:


case MSMQ_NULL:
{
char reply[64];
memset(reply,0,64);
reply[0]=0x81;
msg->getResponder()->doRespond(reply,64);
m_State = MSMQ_SHELLCODE;
m_Buffer->clear();

}
break;

8. Change directory to the sqlhandler-postgres subdirectory within the modules directory. In the sqlhandler-postgres.cpp file, add the cstdlib include statement

#include <cstdlib>

as the last include statement before the using namespace nepenthes; statement.

9. Change directory to the parent source directory, i.e. /tmp/source/nepenthes-0.2.2. Execute
dpkg-buildpackage -rfakeroot -uc -b, i.e.

#dpkg-buildpackage -rfakeroot -uc -b

You should not get any errors during the package build. If you do, they will be either unmet package dependencies, in which case the dpkg-buildpackage program will tell you which packages you are missing and to run apt-get install to fix them, or a make error which causes program termination. Take note of what error caused make to terminate. Chances are that you are missing an include statement that is not patched with the current source code patches by dpkg-buildpackage (see step 8). Note the file that the error occurred in. Search Google with words from the error message. If it is a scope error, google the keyword in single quotes along with C++, e.g. 'malloc' C++, to find the library that defines the keyword malloc.

10. Once dpkg-buildpackage is finished, the deb package, nepenthes_0.2.2-5_amd64.deb in my case, will be found in the source directory /tmp/source. You can install it with dpkg:

#dpkg -i nepenthes_0.2.2-5_amd64.deb

11. Run nmap to test your installed modified honeypot:

#nmap -sV 192.168.1.6


Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-16 23:30 CDT
Nmap scan report for 192.168.1.6
Host is up (0.00078s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp
22/tcp open ssh OpenSSH 5.5p1 Debian 4 (protocol 2.0)
25/tcp open smtp?
42/tcp open nameserver?
80/tcp open http?
110/tcp open pop3?
135/tcp open msrpc?
139/tcp open netbios-ssn?
143/tcp open imap?
443/tcp open https?
445/tcp open microsoft-ds?
465/tcp open smtps?
993/tcp open imaps?
995/tcp open pop3s?
1023/tcp open netvenuechat?
1025/tcp open NFS-or-IIS?
2103/tcp open zephyr-clt?
2105/tcp open eklogin?
2107/tcp open unknown
3372/tcp open msdtc?
5000/tcp open upnp?
6129/tcp open unknown
10000/tcp open snet-sensor-mgmt?
6 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi

Update (08/24/10): To test the hexdump functionality, use netcat to send an arbitrary text string to one of the honeypot's listening ports. For example,

nc localhost 445
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Ctrl-C

should suffice. Then run ls -al /var/lib/nepenthes/hexdumps to see whether a .bin file was written, and tail -20 /var/log/nepenthes.log to verify that nepenthes logged the capture. Performing the netcat test from my laptop to the honeypot showed that my changes did not affect the download functionality. It seems however that Verizon is filtering traffic because I am not seeing any hexdumps thus far.
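The netcat test above, automated as a small Python script so it can be repeated after every rebuild. This is an added example and is not part of the original post or of nepenthes: it assumes the honeypot address 192.168.1.6 from the nmap scan above, the hexdump directory and log file named in this update, and the helper names make_probe, send_probe, new_hexdumps, tail_log and run_check are mine.

```python
import socket
import time
from pathlib import Path

# Added example: automates the netcat test from the update. Assumptions, not
# from the original post: the honeypot is 192.168.1.6 (the host nmap scanned),
# dumps land in /var/lib/nepenthes/hexdumps and the log is
# /var/log/nepenthes.log. Adjust the constants for your own setup.
HONEYPOT_HOST = "192.168.1.6"
HONEYPOT_PORT = 445
HEXDUMP_DIR = Path("/var/lib/nepenthes/hexdumps")
LOG_FILE = Path("/var/log/nepenthes.log")


def make_probe(length: int = 96) -> bytes:
    """The run of 'A's from the netcat test: no vuln module should recognise
    it as a protocol, so nepenthes should fall back to dumping it."""
    return b"A" * length


def send_probe(host: str, port: int, payload: bytes, timeout: float = 5.0) -> bytes:
    """Connect, send the payload, half-close, and collect whatever the
    service sends back until it closes the socket or the timeout expires."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        sock.shutdown(socket.SHUT_WR)
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # honeypot kept the socket open without answering; fine
    return b"".join(chunks)


def new_hexdumps(hexdump_dir: Path, since: float) -> list:
    """Hexdump files modified at or after `since` (a time.time() value)."""
    if not hexdump_dir.is_dir():
        return []
    return sorted(p for p in hexdump_dir.iterdir()
                  if p.is_file() and p.stat().st_mtime >= since)


def tail_log(log_file: Path, lines: int = 20) -> list:
    """Same thing as tail -20 on the nepenthes log."""
    if not log_file.is_file():
        return []
    with log_file.open("r", errors="replace") as fh:
        return [line.rstrip("\n") for line in fh][-lines:]


def run_check(host: str = HONEYPOT_HOST, port: int = HONEYPOT_PORT) -> dict:
    """Send the probe and report what nepenthes did with it."""
    started = time.time() - 1          # slack for coarse filesystem mtimes
    reply = send_probe(host, port, make_probe())
    time.sleep(2)                      # let nepenthes write the dump
    return {
        "reply_len": len(reply),
        "hexdumps": [p.name for p in new_hexdumps(HEXDUMP_DIR, started)],
        "log_tail": tail_log(LOG_FILE),
    }


if __name__ == "__main__":
    result = run_check()
    print("reply bytes:", result["reply_len"])
    print("new hexdumps:", result["hexdumps"] or "none")
    print("\n".join(result["log_tail"]))
```

Run it on the honeypot host itself so that the hexdump directory and log it inspects are the ones nepenthes writes to; if you run it from another machine (as the laptop test in the update does) only the probe and the reply length are meaningful, and you check the directory and log on the honeypot by hand.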



Sunday, August 15, 2010

Misleading Headline

The LA Times has a story with the headline, "Medical treatment carries possible side effect of limiting homosexuality". A more accurate headline would be "Medical treatment eliminates painful surgery for female infants". The hormonal treatment is a crude attempt to treat congenital adrenal hyperplasia, a defect in 21-hydroxylase, which affects 1 in 15,000 infants. The infants are homozygous recessive for the defective autosomal (non sex chromosome) allele, i.e. they have two bad copies of the gene. Male infants need hormone replacement. The severest form of the deficiency leads to loss of sodium leading to severe dehydration. The problem lies with the girl infants. Their brains and gonadal tissues are exposed to increased amounts of steroidal hormones that can result in masculinization in the severest cases. In other words, the person is genetically female, but thinks and acts male. There are also gradations in between "normal" female and "male" female as far as clinical outcomes. In other words, the disease is both a pathological and a developmental one. Critics are complaining that this treatment will limit homosexuality. I'm sorry, but just about every woman wants a healthy normal baby. Some will choose to carry a sick fetus to term, raise it, and give it a loving life. That is their moral choice as a parent. But many will choose either to abort the fetus or opt for the treatment. The treatment is carried out on girls to prevent developmental abnormalities in female infants that lead to surgical intervention. Whether or not the child becomes homosexual in later life is up to the individual and environmental factors, despite the underlying genetic factors. While doctors are not supposed to do any harm, not treating this known condition will cause more harm because the affected infants have a real condition that makes them sick. If you are given a pill to avoid painful surgery for your baby or aborting the fetus, isn't that alleviating physical suffering of the baby?
If they could correct the genetic defect, then the critics would complain that doctors are genetically altering the sexual orientation of the baby. The criticisms are only valid if you are knowingly taking the medicine for the sole purpose of suppressing a possible homosexual outcome for your child, and that is all you were told by the medical staff. But doctors have no way to gauge the severity of the disease prenatally. So, I believe that this is making a mountain out of a molehill.



Friday, August 13, 2010

Ubuntu, ATI Graphics Cards, and aticonfig

Ubuntu version 10.04.1 LTS has an option to install proprietary drivers. Unfortunately, it does not work well with the ATI HD 3300 series graphics chip on my M4A78T-E motherboard. When I ran aticonfig --initial -f and tried to use the xorg.conf file it generated, the X11 server would generate a fatal error and die. So, in my case, aticonfig was generating a useless xorg.conf configuration file. I downloaded a Knoppix CD iso and burned a CD. Klaus Knopper has designed a pretty good program that probes video hardware, enumerates settings, and then writes an xorg.conf file. I ran the CD on my system and recovered the generated xorg.conf file. I then copied and pasted everything except for the entries that corresponded to the aticonfig-generated xorg.conf entries into the latter file. The hybrid xorg.conf file is below:

Section "ServerLayout"
Identifier "aticonfig Layout"
Screen 0 "aticonfig-Screen[0]-0" 0 0
### AIGLX for compiz 3D-Support with DRI & Composite
### This option doesn't hurt even if it's not supported by the individual card
Option "AIGLX" "true"
EndSection

Section "ServerFlags"
Option "AllowMouseOpenFail" "true"
Option "DPMS" "true"

EndSection

Section "Files"
ModulePath "/usr/lib/xorg/modules"
FontPath "/usr/share/fonts/X11/misc:unscaled"
FontPath "/usr/share/fonts/X11/75dpi:unscaled"
FontPath "/usr/share/fonts/X11/100dpi:unscaled"
FontPath "/usr/share/fonts/X11/Type1"
FontPath "/usr/share/fonts/X11/Speedo"
FontPath "/usr/share/fonts/X11/PEX"
# Additional fonts: Locale, Gimp, TTF...
FontPath "/usr/share/fonts/X11/cyrillic"
# FontPath "/usr/share/fonts/X11/latin2/75dpi"
# FontPath "/usr/share/fonts/X11/latin2/100dpi"
# True type and type1 fonts are also handled via xftlib, see /etc/X11/XftConfig!
FontPath "/var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType"
FontPath "/usr/share/fonts/truetype"
FontPath "/usr/share/fonts/latex-ttf-fonts"
EndSection

Section "Module"
# Comments: see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=346408
Load "dbe" # Double Buffering Extension, very important.
Load "dri" # This shouldn't be available choice if user has selected driver vga, vesa or nv.
Load "glx" # GLX Extension.
Load "freetype" # Freetype fonts.
Load "type1" # Type 1 fonts
Load "record" # Developer extension, usually not needed
Load "extmod" # This is okay, but if you look into "man xorg.conf" you'll find option NOT to include DGA extension with extmod, and for a good reason.. DGA causes instability as it accesses videoram without consulting X about it.
SubSection "extmod"
Option "omit xfree86-dga"
EndSubSection
# Load "speedo" # Speedo fonts, this module doesn't exist in Xorg 7.0.17
# The following are deprecated/unstable/unneeded in Xorg 7.0
# Load "ddc" # ddc probing of monitor, this should be never present, as it gets automatically loaded.
# Load "GLcore" # This should be never present, as it gets automatically loaded.
# Load "bitmap" # Should be never present, as it gets automatically loaded. This is a font module, and loading it in xorg.conf makes X try to load it twice.
EndSection

Section "Extensions"
# compiz needs Composite, but it can cause bad (end even softreset-resistant)
# effects in some graphics cards, especially nv.
Option "Composite" "Enable"
EndSection

Section "Monitor"
Identifier "aticonfig-Monitor[0]-0"
Option "VendorName" "ATI Proprietary Driver"
Option "ModelName" "Generic Autodetecting Monitor"
Option "DPMS" "true"
EndSection

Section "Device"
Identifier "aticonfig-Device[0]-0"
Driver "fglrx"
BusID "PCI:1:5:0"

# compiz, beryl 3D-Support with DRI & Composite
Option "XAANoOffscreenPixmaps"
Option "AllowGLXWithComposite" "true"
Option "EnablePageFlip" "true"
Option "TripleBuffer" "true"

# Tweaks for the xorg 7.4 (otherwise broken) "intel" driver
Option "Tiling" "no"
Option "Legacy3D" "false"

# These two lines are (presumably) needed to prevent fonts from being scrambled
Option "XaaNoScanlineImageWriteRect" "true"
Option "XaaNoScanlineCPUToScreenColorExpandFill" "true"
EndSection

Section "Screen"
Identifier "aticonfig-Screen[0]-0"
Device "aticonfig-Device[0]-0"
Monitor "aticonfig-Monitor[0]-0"

Option "AddARGBGLXVisuals" "true"
Option "DisableGLXRootClipping" "true"
SubSection "Display"
Depth 1

EndSubSection
SubSection "Display"
Depth 4

EndSubSection
SubSection "Display"
Depth 8

EndSubSection
SubSection "Display"
Depth 15

EndSubSection
SubSection "Display"
Depth 16

EndSubSection
SubSection "Display"
Depth 24

EndSubSection
SubSection "Display"
Depth 32

EndSubSection
EndSection

Section "DRI"
Mode 0666
EndSection

I am not sure why Canonical has not reverse engineered Knopper's program, but they ought to. Perhaps they should pay him for his program or a variant of it. It would solve a lot of display issues and X server problems that many users have.

Update:
Something is still broken. When I run fglrxinfo from the console, it segmentation faults.
I'm stumped, though I checked the Unofficial ATI Driver Wiki. Bummer!



Setting Up a Simple KVM/Libvirt Virtual Server

Process to set up a simple virtual server host running KVM and libvirt.

1. Install libvirt-bin and kvm (apt-get install libvirt-bin kvm virt-manager).
2. Remove Network Manager (apt-get remove network-manager network-manager-gnome).
3. Modify /etc/network/interfaces to create a bridge. Here's an example:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

auto br0
iface br0 inet static
address 192.168.1.20
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
bridge_ports eth0
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp off

Make sure /proc/sys/net/ipv4/ip_forward contains 1. You can modify /etc/sysctl.conf to make it permanent. For RedHat, you'll need to modify ifcfg-eth0 and create an ifcfg-br0 file to create the bridge.

4. Append vnc_listen = "0.0.0.0" to /etc/libvirt/qemu.conf (the QEMU driver's configuration; libvirtd.conf configures the libvirt daemon itself and does not control the VNC listen address). This makes every guest's VNC server reachable from the network, so the per-guest password in the next step is the only thing protecting the consoles.

5. Modify your KVM domain's XML file (virsh edit domainname). Under <devices>, change

<graphics type='vnc' port='-1' autoport='yes'/>

to

<graphics type='vnc' port='5900' autoport='no' listen='0.0.0.0' keymap='en-us' passwd='11111'/>

With autoport='yes' libvirt picks the port itself and ignores port=, so set autoport='no' when you want the fixed port 5900.

6. Restart networking, /etc/init.d/networking restart or service network restart.

7. Restart libvirt-bin, /etc/init.d/libvirt-bin restart or service libvirt-bin restart.

You should now be able to log in remotely to your virtual machine using a VNC client like vinagre, provided ufw or iptables is disabled or lets port 5900 through. How to configure iptables properly is beyond the scope of this post. Section 17.4 in the RedHat Virtualization Guide details which ports to open in iptables. This is not the most secure setup: it relies on a short VNC password alone, sent over an unencrypted session, to protect the console, and a listen address of 0.0.0.0 exposes that console on every interface, so keep it behind a firewall for safety. I could not find one set of instructions on how to make the default configuration into a server at all.
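The VNC settings from step 5, with the weak values checked and a hardened form generated beside them, as an added example that is not part of the original post or of libvirt. It parses domain XML with Python's xml.etree; the sample domain and the guest name guest1 are constructed, and the function names audit_vnc, harden_vnc and vnc_listen_address are mine. The checks encode what step 5 and the paragraph above already say, plus two facts about VNC: classic VNC authentication uses only the first eight characters of the password, and the session is unencrypted unless VNC TLS is enabled in qemu.conf (which the domain XML cannot show).

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real guest): the <graphics> line from step 5,
# wrapped in a minimal domain so it parses.
WEAK_DOMAIN_XML = """<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <graphics type='vnc' port='5900' autoport='yes' listen='0.0.0.0'
              keymap='en-us' passwd='11111'/>
  </devices>
</domain>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def vnc_listen_address(g: ET.Element) -> str:
    """libvirt accepts either a listen= attribute or a <listen> child."""
    child = g.find("listen")
    if child is not None and child.get("type", "address") == "address":
        return child.get("address", "")
    return g.get("listen", "")


def audit_vnc(domain_xml: str) -> list:
    """Return human-readable findings for every VNC <graphics> element.
    An empty list means nothing obviously wrong was found."""
    findings = []
    for g in ET.fromstring(domain_xml).iter("graphics"):
        if g.get("type") != "vnc":
            continue
        listen = vnc_listen_address(g)
        if listen and listen not in LOOPBACK:
            findings.append(f"VNC listens on {listen}: reachable from the whole network")
        if listen == "":
            findings.append("no listen address: falls back to vnc_listen in /etc/libvirt/qemu.conf")
        pw = g.get("passwd")
        if pw is None:
            findings.append("no passwd attribute: anyone who can reach the port gets the console")
        else:
            if len(pw) > 8:
                findings.append("VNC auth only uses the first 8 characters of the password")
            if len(pw) < 8 or pw.isdigit() or len(set(pw)) <= 2:
                findings.append(f"weak VNC password {pw!r}")
        if g.get("autoport") == "yes" and g.get("port") not in (None, "-1"):
            findings.append("port= is ignored when autoport='yes'; pick one or the other")
    return findings


def harden_vnc(domain_xml: str, passwd: str) -> str:
    """Rewrite every VNC <graphics> element to listen on loopback only, let
    libvirt pick the port, and use the given password. Reach the console
    through an SSH tunnel to the host instead of exposing it."""
    if len(passwd) > 8:
        raise ValueError("VNC silently truncates passwords to 8 characters")
    root = ET.fromstring(domain_xml)
    for g in root.iter("graphics"):
        if g.get("type") != "vnc":
            continue
        for child in list(g.findall("listen")):
            g.remove(child)
        g.attrib.pop("port", None)
        g.set("autoport", "yes")
        g.set("listen", "127.0.0.1")
        g.set("passwd", passwd)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_vnc(WEAK_DOMAIN_XML):
        print("finding:", finding)
    print(harden_vnc(WEAK_DOMAIN_XML, "s3cr3tpw"))
```

After putting the hardened element into the guest (virsh edit guest1), reach the console with ssh -L 5900:127.0.0.1:5900 user@192.168.1.20 (the bridge address from step 3) and point vinagre at localhost:5900. The password still sits in clear text in /etc/libvirt/qemu/guest1.xml, which is root-readable only, and virsh dumpxml omits it unless you pass --security-info.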



Thursday, August 12, 2010

William K. Black Interview on The Keiser Report

Max Keiser interviews Professor William K. Black. The video below is just the interview itself. The entire show is here.



Wednesday, August 11, 2010

What is in insurance.aes256 and What is it For?

Wikileaks has published a file called insurance.aes256. What is the file for and what does it mean? Many people have speculated about the purpose of the file's existence. My guess is that the file is part of a get out of jail free card for Bradley Manning, though it could be an insurance policy just for Assange and Wikileaks itself. The file itself is an encrypted 7zip archive about 1.4 GB in size. Unless the NSA knows something the experts do not, the insurance.aes256 archive will remain encrypted until Wikileaks releases the key. I'm speculating that the file archive may just contain a list of files taken with some videos thrown in as proof, although the HuffPost piece says that there could be a lot of documents in the archive from the size of the file alone. The contents are likely damning and embarrassing evidence of high level cover ups within the military and government and may prove how high the cover ups go. All of this is speculation, but it appears that the kid discovered things that bothered him morally. He took an oath to protect the Constitution of the United States when he joined the military. He may have discovered evidence that superiors were defying national or international laws. It appears that he had access to the DVD burner on his analyst workstation and that he smuggled the information out of his secured area on CDs disguised as music CDs. (One can't tell whether a CD is a data CD or an audio CD by looking at it.)


“I would come in with music on a CD-RW labeled with something like ‘Lady Gaga,’ erase the music then write a compressed split file,” he wrote. “No one suspected a thing and, odds are, they never will.”

“[I] listened and lip-synced to Lady Gaga’s ‘Telephone’ while exfiltrating possibly the largest data spillage in American history,” he added later. “Weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis … a perfect storm.”


There were at least two failures of security here. He had access and permissions to use the DVD burner on his analyst system and he had a way to back up files to a CD-RW. (Windows has this ability by default without the need for third-party software like Nero.) Army physical security let him leave a secure facility without noticing that he brought a rewriteable CD to work in a secure facility. The first problem could have been solved by physically removing the DVD burners or enabling a software policy to disable the device. The second problem is more difficult to solve. It is difficult to police what goes in and out of a facility unless those items are banned from the workplace, which evidently they weren't. They likely are now, though. I am guessing that USB drives were banned or locked down, which necessitated burning backup CDs or DVDs. No information went out over a secure network that we know of, and likely never did. He could have mailed the CDs or DVDs to whomever he pleased or found a way to transfer them to Wikileaks securely without being discovered or having the information compromised.

Network monitoring programs do not do a good job of intercepting and breaking encrypted communications. Sure, one can see the traffic, but assembling and decrypting it is another story unless you have the cryptographic keys. The NSA and other agencies have likely made some headway in this area, but if you are a guy like Brad Manning, you know the strengths and weaknesses of the systems that you are trained on. He avoided all of those traps by not using those networks to transfer files and made the IT Security and system administrators of a highly secure facility look like idiots. (To be fair though, insider threats are difficult to counter and are the most damaging. This still shows that military networks are not very well compartmentalized, thanks Microsoft!) He did this theft over some period of time which means he could have smuggled out gigabytes worth of information. Documents would not take up a lot of storage, but videos would. My guess is that he has smuggled out more than a few video files along with countless documents, and that most of his evidence is likely video files. We know of video evidence of at least one incident being suppressed. Perhaps that is all he smuggled out. Only he, Wikileaks, and the military know for sure. But we know from Pat Tillman's friendly fire death, that other cover ups have happened. So, it is possible that he's got the government and DOD in a bind and they are proceeding carefully until some accommodation can be reached or the threat of embarrassing disclosure is nullified. This would explain the initial outrage of the administration followed by complete silence. We've heard nothing about his incarceration or court martial. It's being kept very low key for now.



Monday, August 09, 2010

Hiroshima Atomic Blast Reenactment

Sixty-five years ago on August 6, 1945, the United States destroyed an entire city with one plane and one bomb. Sixty-five years ago today, my people destroyed another city of people. Now, many countries can kill millions with the push of a button. Are we any wiser?


