Who is invading my system?



Author: log0
Original Source: http://onhacks.org/
Source: evil baboons Information Security Team (www.eviloctal.com)

===

Who is invading my system?

1. Who intruded me?
2. What is a honeypot?
3. Set traps
4. Start counterattack
5. Analyze evidence
6. Improve Honeypot
7. Summary

===

1. Who intruded me?

Our computers are under attack all the time. How can we find out who is behind it?

This article will not give you an immediate answer, but it will guide you toward possible solutions to the problem. If you have never worked with a honeypot before, you will find it a very interesting concept.

2. What is a honeypot?

A honeypot has only one use: to lure and control intruders. It looks like an ordinary computer, running the ordinary programs of an ordinary system, whether Windows or Linux. Attackers who do not know better believe that through this controlled machine they have gained another bot. While they do what they want, we watch everything they do, so that we can learn and master their techniques and motives. By carefully using the evidence they leave behind, together with information such as their IP address, we can work out the real identity of the attacker. By definition a honeypot serves no other legitimate purpose and should not be used for anything else, so it should not be advertised to the outside world. Every access to it is therefore malicious, which removes the need to separate normal connections from malicious ones.

Honeypots come in several kinds and can be combined, but they fall into the following two broad types:
1. High-interaction honeypot
2. Low-interaction honeypot

High-interaction honeypot: this type of honeypot is just like an ordinary computer. It can be completely taken over, exactly as an ordinary computer can; the only difference is that all behaviour is recorded. The attacker can do whatever he likes, but that also means the machine can be used to attack other innocent people. We therefore need to add an intrusion detection system and anti-bot measures to limit the damage, and, very importantly, a Honeywall to contain the malicious intrusion. High interaction is thus also dangerous. Building one requires a dedicated physical or virtual machine, so it needs more resources. This article does not describe how to install one.

Low-interaction honeypot: the characteristic of this honeypot is that it only emulates some automated or simple attack methods by pretending to have known vulnerabilities; it does not implement the full functionality of the program. We only receive data and never execute it: once the attack data (the attack vector) has been received, we drop the connection. By then the information we want has already been recorded, so the risk is greatly reduced. Unlike a high-interaction honeypot, there is no real program here that an attack could actually take over.

This article will show how to build a low-interaction honeypot on Linux (Ubuntu 9.04). The author chose Ubuntu (or Debian) because its package repository makes this honeypot easier to set up.

3. Set traps

This time we are using the Nepenthes low-interaction honeypot. Its concept is simple: it behaves like a program with known vulnerabilities. That is enough to fool automated malware and low-skilled attackers, and because attacks are only recorded and never executed, it is safer. In addition, the vulnerabilities it emulates are mainly Windows ones, so even if it is attacked, Windows exploits will not affect the Linux host. It also has a very important function: it downloads and stores virus samples, so that you can gradually study and analyse attacker behaviour or the latest viruses in the wild.

Ubuntu/Debian users can install it like this:

$ apt-get install nepenthes

Or download it from the official website:

http://nepenthes.carnivore.it/

4. Start counterattack

$ nepenthes

That is all it takes to start!

If you want more information in the logs, edit /etc/nepenthes.conf and find these rows:

// Logging
41 "logattack.so", "log-attack.conf", ""
42 "logdownload.so", "log-download.conf", ""
43 // "logirc.so", "log-irc.conf", "" // needs configuration
44 // "logprelude.so", "log-prelude.conf", ""
45 "loghexdump.so"

Uncomment logattack.so and logdownload.so.

5. Analyze evidence

If you are lucky, within a few hours /var/log/nepenthes.log will show some results; if not, wait patiently, and check that the honeypot can be reached from the outside world:

(To protect the original computer, I have altered all the network addresses.)

-
Socket|LUID=0x9b6b290|Start=1246711030.266579|Finish=1246711030.638501|Status=CONNECTED|Proto=TCP|Type=INCOMING|Local=192.168.1.4:135|Remote=xxx.96.245.148:61250|RX=3532,a87bbacd0cd1c84a5991ccc690116866|TX=,dc9b4e2f264c732eb5b239b2bd3a23bd|Dumpfile=
Shellcode|LUID=0x9b6afd0|Start=1246711030.453659|Finish=1246711030.462127|Type=UNKNOWN|Emulation=SUCCESS|Handler=execute::createprocess|ISock=0x9b6b290|MD5=52e5dbe8fc84060525e965aa0c030f0c|Trigger=Generic Microsoft Windows DCOM
Download|LUID=0x9b6bcb8|Result=SUCCEEDED|Start=1246711030.461798|Finish=1246711185.861585|ISock=0x9b6b290|SSock=|MD5=enabled|SHA512=enabled|Trigger=Download initiated by Shell Command|URL=tftp://xxx.96.245.148/ssms.exe
-
...
...

This is an attack sent from the remote host xxx.96.245.148:61250 to my private network address 192.168.1.4; the attacked port is 135. The MD5 hash of the downloaded program is 5069160ffe5a229ed2ee1ddd8ca14df6. I looked it up on VirusTotal and found that it is Net-Worm.Win32.Kolabc.gwr.
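The three log records above are linked: the Shellcode and Download records carry an ISock field that points back to the LUID of the Socket record, so the remote address, the vulnerability trigger and the download URL of one attack can be stitched together mechanically. The following script is an added example written for this article (it is not part of Nepenthes and not the author's code); it parses the pipe-delimited Key=Value format shown above, correlates records through ISock, ranks attacking addresses, and hashes a captured sample so the MD5 can be looked up on VirusTotal as the author did. The sample log embedded below is constructed from the records quoted above, and the field names it relies on (LUID, ISock, Remote, Local, Trigger, URL, Result) are only those that appear in them.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed sample input: the three records quoted in the article, with the
# same redacted addresses. Separator lines ("-") and "..." are skipped.
SAMPLE_LOG = """\
-
Socket|LUID=0x9b6b290|Start=1246711030.266579|Finish=1246711030.638501|Status=CONNECTED|Proto=TCP|Type=INCOMING|Local=192.168.1.4:135|Remote=xxx.96.245.148:61250|RX=3532,a87bbacd0cd1c84a5991ccc690116866|TX=,dc9b4e2f264c732eb5b239b2bd3a23bd|Dumpfile=
Shellcode|LUID=0x9b6afd0|Start=1246711030.453659|Finish=1246711030.462127|Type=UNKNOWN|Emulation=SUCCESS|Handler=execute::createprocess|ISock=0x9b6b290|MD5=52e5dbe8fc84060525e965aa0c030f0c|Trigger=Generic Microsoft Windows DCOM
Download|LUID=0x9b6bcb8|Result=SUCCEEDED|Start=1246711030.461798|Finish=1246711185.861585|ISock=0x9b6b290|SSock=|MD5=enabled|SHA512=enabled|Trigger=Download initiated by Shell Command|URL=tftp://xxx.96.245.148/ssms.exe
-
...
"""


def parse_record(line):
    """Split 'Kind|Key=Value|Key=Value...' into (kind, {key: value})."""
    fields = line.rstrip("\n").split("|")
    attrs = {}
    for field in fields[1:]:
        key, sep, value = field.partition("=")
        if sep:  # keep empty values such as SSock= so callers can test presence
            attrs[key] = value
    return fields[0], attrs


def _split_endpoint(endpoint):
    """'host:port' -> (host, port as int or None); tolerates redacted hosts."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def correlate(log_text):
    """Group Shellcode/Download records under the incoming Socket they belong to.

    Returns one incident dict per INCOMING socket: who connected, which local
    port they hit, which vulnerability handler fired and what was fetched.
    """
    sockets = {}
    children = defaultdict(list)
    for line in log_text.splitlines():
        if "|" not in line:  # separator, "..." or blank line
            continue
        kind, attrs = parse_record(line)
        if kind == "Socket" and "LUID" in attrs:
            sockets[attrs["LUID"]] = attrs
        elif attrs.get("ISock"):
            children[attrs["ISock"]].append((kind, attrs))

    incidents = []
    for luid, sock in sockets.items():
        if sock.get("Type") != "INCOMING":
            continue
        remote_ip, remote_port = _split_endpoint(sock.get("Remote", ""))
        _, local_port = _split_endpoint(sock.get("Local", ""))
        incident = {
            "remote_ip": remote_ip,
            "remote_port": remote_port,
            "local_port": local_port,
            "triggers": [],       # vulnerability emulations that fired
            "shellcode_md5": [],  # hashes of the decoded shellcode
            "downloads": [],      # URLs actually fetched (Result=SUCCEEDED)
        }
        for kind, attrs in children[luid]:
            if kind == "Shellcode":
                incident["triggers"].append(attrs.get("Trigger", ""))
                if attrs.get("MD5"):
                    incident["shellcode_md5"].append(attrs["MD5"])
            elif kind == "Download" and attrs.get("Result") == "SUCCEEDED":
                incident["downloads"].append(attrs.get("URL", ""))
        incidents.append(incident)
    return incidents


def top_sources(incidents, n=10):
    """Most frequent attacking addresses, as (ip, count) pairs."""
    return Counter(i["remote_ip"] for i in incidents).most_common(n)


def sample_hashes(data):
    """MD5 and SHA-512 of a captured binary, for a VirusTotal lookup."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOG):
        print(f"{inc['remote_ip']}:{inc['remote_port']} -> port {inc['local_port']}")
        for t in inc["triggers"]:
            print("  trigger :", t)
        for u in inc["downloads"]:
            print("  download:", u)
    print("top sources:", top_sources(correlate(SAMPLE_LOG)))
```

Run it against the real file with `correlate(open("/var/log/nepenthes.log").read())`; `top_sources` then gives the addresses worth following up, and `sample_hashes` applied to a file from the download directory yields the MD5 to paste into VirusTotal.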

6. Improve Honeypot

Nmap is a network scanning tool. Let's scan the honeypot at 192.168.1.4 and look at the results:

# Nmap 4.90RC1 scan initiated Sat Jul 11 01:39:09 2009 as: nmap -oN 192.168.1.4.sS.txt -v -sS 192.168.1.4
Host 192.168.1.4 is up (0.000011s latency).
Interesting ports on 192.168.1.4:
Not shown: 975 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
42/tcp open nameserver
80/tcp open http
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp open microsoft-ds
465/tcp open smtps
993/tcp open imaps
995/tcp open pop3s
1023/tcp open netvenuechat
1025/tcp open NFS-or-IIS
2103/tcp open zephyr-clt
2105/tcp open eklogin
2107/tcp open unknown
3372/tcp open msdtc
5000/tcp open upnp
5901/tcp open vnc-1
6129/tcp open unknown
10000/tcp open snet-sensor-mgmt
10012/tcp open unknown

Read data files from: /usr/local/share/nmap
# Nmap done at Sat Jul 11 01:39:09 2009 -- 1 IP address (1 host up) scanned in 0.17 seconds

To an attacker with a little experience, a machine with this many open services does not just look poorly defended; it looks very suspicious, exactly like the trap it is. To make it more believable, you can close some of the ports. Open /etc/nepenthes.conf and comment out some of the vulnerability modules:

57 // vulnerability modules
...
62 "vulniis.so", "vuln-iis.conf", ""
63 // "vulnkuang2.so", "vuln-kuang2.conf", ""
64 "vulnlsass.so",
