Tuesday, August 17, 2010

Hostile Traffic

Attacks script:

#!/bin/bash
IPADDR=`ifconfig -a | grep "inet addr:" | grep -v 127.0.0.1 | awk '{ print $2 }' | sed -e 's/^addr://'`
#Debugging $IPADDR variable
#echo $IPADDR
echo "This script parses the nepenthes.log file for various attacks."
echo "It uses the IP address of the honeypot that created that log file"
sleep 1s
echo Listing of Attacks
echo "Date Attacker:Port Honeypot:Port"
echo ----------------------------------------------------------
grep accept /var/log/nepenthes.log | grep -v TCPSocket::acceptConnection | grep -v "spam net handler" | grep -v "debug net mgr" | grep -v "Connection Socket" | awk '{ print $1, $2, $3="", $9, $10, $11 }' | grep -v logged > /tmp/connect.tmp
grep $IPADDR /tmp/connect.tmp > /tmp/attacks.log
rm -rf /tmp/connect.tmp
cat /tmp/attacks.log
echo ----------------------------------------------------------
echo Approximate number of attacks:
cat /tmp/attacks.log | wc -l
echo ----------------------------------------------------------
echo Listing of Top 25 FTP Attacks
echo "# of Attacks IP Address of Attacker "
echo ----------------------------------------------------------
cat /tmp/attacks.log | grep $IPADDR:21$ | awk '{ print $3 }' | sed -e 's/:[0-9]*//' | sort -n | uniq -c | sort -n | tail -25
echo ----------------------------------------------------------
echo Listing of Top 25 SMTP Attacks
echo "# of Attacks IP Address of Attacker "
echo ----------------------------------------------------------
cat /tmp/attacks.log | grep $IPADDR:25 | awk '{ print $3 }' | sed -e 's/:[0-9]*//' | sort -n | uniq -c | sort -n | tail -25
echo ----------------------------------------------------------
echo Listing of 25 HTTP Attacks
echo "# of Attacks IP Address of Attacker "
echo ----------------------------------------------------------
cat /tmp/attacks.log | grep $IPADDR:80 | awk '{ print $3 }' | sed -e 's/:[0-9]*//' | sort -n | uniq -c | sort -n | tail -25
echo ----------------------------------------------------------


Using the above script which parses the /var/log/nepenthes.log file, one can get a summary of attacks on the honeypot. There appears to be a lot of traffic on the DCOM Service Control Manager port, port 135, after filtering out false positives from my laptop connecting to the honeypot due to the nmap test scans from yesterday.

root@apollo:~# ./attacks | grep :135 | grep -v 192.168.1.14:
[16082010 19:59:18 71.14.44.68:1810 -> 192.168.1.6:135
[16082010 19:59:18 71.14.44.68:4422 -> 192.168.1.6:135
[16082010 23:13:13 222.186.24.11:4613 -> 192.168.1.6:135
[16082010 23:13:14 222.186.24.11:4706 -> 192.168.1.6:135
[17082010 00:40:57 71.53.68.156:4936 -> 192.168.1.6:135
[17082010 00:40:57 71.53.68.156:1052 -> 192.168.1.6:135
[17082010 00:40:58 71.53.68.156:1256 -> 192.168.1.6:135
[17082010 04:15:17 71.55.245.220:2317 -> 192.168.1.6:135
[17082010 04:15:18 71.55.245.220:2336 -> 192.168.1.6:135
[17082010 04:15:18 71.55.245.220:2408 -> 192.168.1.6:135
[17082010 08:03:46 66.109.27.101:1617 -> 192.168.1.6:135
[17082010 08:03:49 66.109.27.101:2557 -> 192.168.1.6:135
[17082010 11:03:02 222.45.112.221:2359 -> 192.168.1.6:135
[17082010 11:03:03 222.45.112.221:2454 -> 192.168.1.6:135
[17082010 12:01:24 71.41.99.54:2899 -> 192.168.1.6:135
[17082010 12:01:25 71.41.99.54:3063 -> 192.168.1.6:135
[17082010 12:01:25 71.41.99.54:3175 -> 192.168.1.6:135
[17082010 13:49:17 71.41.107.253:4482 -> 192.168.1.6:135
[17082010 13:49:18 71.41.107.253:4512 -> 192.168.1.6:135
[17082010 13:49:18 71.41.107.253:4580 -> 192.168.1.6:135

Here's a summary thus far of attacks against common ports:

----------------------------------------------------------
Listing of Top 25 FTP Attacks
# of Attacks IP Address of Attacker
----------------------------------------------------------
1 221.226.17.14
6 125.45.109.166
----------------------------------------------------------
Listing of Top 25 SMTP Attacks
# of Attacks IP Address of Attacker
----------------------------------------------------------

----------------------------------------------------------
Listing of 25 HTTP Attacks
# of Attacks IP Address of Attacker
----------------------------------------------------------
2 88.191.70.74
----------------------------------------------------------

Please note that the script doesn't discriminate between a port enumeration scan and an attack. However, since the system is a honeypot, almost all external connections to it can be considered hostile in intent.

Here are the infected systems that attempted to upload a worm payload to the honeypot.

root@apollo:~# ./total*
All Infected Systems Sorted by Virulence
Events IP Address
==================
1 58.53.128.61
1 71.41.107.253
1 71.41.231.251
1 71.41.99.54
1 71.55.245.220
1 71.91.137.62
2 125.45.109.166
2 71.53.68.156
4 58.218.204.110

There is one variant of worm propagating on my ISP's subnet (Verizon.net).

root@apollo:~# cd /var/lib/nepenthes/binaries
root@apollo:/var/lib/nepenthes/binaries# clamscan .
./f8815cdca238ad5ab566f05f5a6335a4: Trojan.Agent-167520 FOUND
./bb39f29fad85db12d9cf7195da0e1bfe: Trojan.Agent-167520 FOUND
./14a09a48ad23fe0ea5a180bee8cb750a: Trojan.Agent-167520 FOUND

Searching www.virustotal.com with one of the hashes shows that the trojan is well known and analyzing it with CWSandbox shows it to be almost three years old. These systems are owned and likely don't have current antivirus software installed on them. Considering that free AV products exist such as Clamwin or AVG, this is a shame as it gives the crooks a toehold unless Verizon is blocking the traffic which is doubtful. I have no idea whether the Command and Control server for this trojan is still functional.

I am hoping that my modified version of nepenthes is fully functional. If it can not download hexdumps of shellcode attacks, I'll be forced to uninstall the modified modules and replace them with the normal modules that can be enumerated by nmap.

Labels:


Comments: Post a Comment

Links to this post:

Create a Link



<< Home

This page is powered by Blogger. Isn't yours?