Introduction

On February 7th, 2011 a hacker found his way into my SSH honeypot (http://code.google.com/p/kippo/) and, while logged into the honeypot, downloaded a couple of files:

  • http://freewebtown.com/codz/me/bootfloodnasha.tar
  • http://208.75.230.43/vrajitor/porro.tgz
  • http://BesT-HaCk.ClanTeam.Com/PsyBnc/psy.tar.gz

As my honeypot does not offer any helpful tools, the unfortunate hacker could not harm my actual system. Trying to be smart, he removed the downloaded files, but -- again -- unfortunately for him the honeypot only faked the deletions, and now I have some text files and binaries to play with in a virtual machine.

If you are interested in what the hacker has done exactly, you can have a look at the shell history.

Bootfloodnasha.tar

This nice little .tar archive contains a directory called .access.log. In that directory we find a series of text files, another directory with text files, and two binaries.

stealth

Figure: Terminal screenshot showing the output of the program for both investigated cases.

This is apparently a flooding tool.

When called without arguments, an informative usage message is shown. When called correctly with a host and a port, the program starts sending UDP packets to the specified host and port.

Remember: nobody likes to be attacked by a flooder! So run attacks only against yourself, and be careful: things can get ugly!

The content of the UDP packets looks like this:

No.     Time        Source                Destination           Protocol Info
  21626 0.578938    192.168.56.101        192.168.56.1          UDP      Source port: 33337  Destination port: smtp

Frame 21626 (57 bytes on wire, 57 bytes captured)
    Arrival Time: Feb 25, 2011 16:11:00.759229000
    [Time delta from previous captured frame: 0.000010000 seconds]
    [Time delta from previous displayed frame: 0.000010000 seconds]
    [Time since reference or first frame: 0.578938000 seconds]
    Frame Number: 21626
    Frame Length: 57 bytes
    Capture Length: 57 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:data]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: CadmusCo_74:d8:16 (08:00:27:74:d8:16), Dst: 0a:00:27:00:00:00 (0a:00:27:00:00:00)
    Destination: 0a:00:27:00:00:00 (0a:00:27:00:00:00)
        Address: 0a:00:27:00:00:00 (0a:00:27:00:00:00)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    Source: CadmusCo_74:d8:16 (08:00:27:74:d8:16)
        Address: CadmusCo_74:d8:16 (08:00:27:74:d8:16)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.56.101 (192.168.56.101), Dst: 192.168.56.1 (192.168.56.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 43
    Identification: 0xfa42 (64066)
    Flags: 0x02 (Don't Fragment)
        0.. = Reserved bit: Not Set
        .1. = Don't fragment: Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0x4ec8 [correct]
        [Good: True]
        [Bad : False]
    Source: 192.168.56.101 (192.168.56.101)
    Destination: 192.168.56.1 (192.168.56.1)
User Datagram Protocol, Src Port: 33337 (33337), Dst Port: smtp (25)
    Source port: 33337 (33337)
    Destination port: smtp (25)
    Length: 23
    Checksum: 0xbd25 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Data (15 bytes)

0000  30 31 32 33 34 35 36 37 38 39 41 42 43 44 45      0123456789ABCDE
    Data: 303132333435363738394142434445
    [Length: 15]
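To make the dissection above reproducible offline, here is an added example (my own code, not part of the original post or of the flooder) that rebuilds the 57-byte frame from the fields shown, decodes the Ethernet/IPv4/UDP headers by hand, recomputes the IP header checksum (0x4ec8) and the UDP checksum that Wireshark left unvalidated (0xbd25), and then applies a simple signature check on the payload. The assumption that the 15-byte payload "0123456789ABCDE" is the same in every packet of the flood is mine; the post shows only one frame.

```python
"""Decode the stealth flooder's UDP frame and verify its checksums (offline)."""
import struct

# Payload seen in the dissected packet. Assumed constant across the flood
# (only one frame is shown in the post, so treat this as a working hypothesis).
FLOOD_PAYLOAD = b"0123456789ABCDE"

# Constructed sample: the 57-byte frame rebuilt from the Wireshark dissection
# above. It is not a capture from the original post, just its bytes reassembled.
SAMPLE_FRAME = bytes.fromhex(
    "0a0027000000"                      # Ethernet dst 0a:00:27:00:00:00
    "08002774d816"                      # Ethernet src 08:00:27:74:d8:16
    "0800"                              # EtherType IPv4
    "4500002bfa424000" "4011" "4ec8"    # IPv4: len 43, id 0xfa42, DF, TTL 64, UDP, csum
    "c0a83865" "c0a83801"               # 192.168.56.101 -> 192.168.56.1
    "8239" "0019" "0017" "bd25"         # UDP: sport 33337, dport 25, len 23, csum
    "303132333435363738394142434445"    # "0123456789ABCDE"
)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/UDP and recompute both checksums."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ident, flags_frag, ttl, proto, ip_csum = struct.unpack("!HHHBBH", ip[2:12])
    if proto != 17:
        raise ValueError("not UDP")
    src, dst = ip[12:16], ip[16:20]
    # The IP checksum is computed over the header with the checksum field zeroed.
    ip_calc = inet_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl])
    udp = ip[ihl:total_len]
    sport, dport, ulen, udp_csum = struct.unpack("!HHHH", udp[:8])
    payload = udp[8:ulen]
    # The UDP checksum covers a pseudo-header (src, dst, zero, proto, length)
    # plus the datagram with its own checksum field zeroed.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, ulen)
    udp_calc = inet_checksum(pseudo + udp[:6] + b"\x00\x00" + udp[8:ulen])
    return {
        "src": ip_str(src), "dst": ip_str(dst), "ttl": ttl, "ip_id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "sport": sport, "dport": dport, "payload": payload,
        "ip_checksum": ip_csum, "ip_checksum_ok": ip_calc == ip_csum,
        # A UDP checksum of 0 means "not computed"; Wireshark had validation disabled.
        "udp_checksum": udp_csum, "udp_checksum_ok": udp_csum == 0 or udp_calc == udp_csum,
    }


def is_flooder_packet(frame: bytes) -> bool:
    """Signature check: a UDP datagram carrying exactly the flooder's payload."""
    try:
        info = parse_frame(frame)
    except ValueError:
        return False
    return info["payload"] == FLOOD_PAYLOAD


def count_flood_packets(frames) -> dict:
    """Per-(src, dst, dport) tally of signature hits, as a detection rule would keep it."""
    hits = {}
    for f in frames:
        if is_flooder_packet(f):
            info = parse_frame(f)
            key = (info["src"], info["dst"], info["dport"])
            hits[key] = hits.get(key, 0) + 1
    return hits


if __name__ == "__main__":
    for k, v in parse_frame(SAMPLE_FRAME).items():
        print(f"{k:16} {v!r}")
    print("flooder signature:", is_flooder_packet(SAMPLE_FRAME))
```

Both recomputed checksums match the values in the dissection, which confirms the frame was rebuilt correctly. A payload-only signature like this is cheap to run over a capture or in an IDS rule, but it is only as good as the assumption that the tool never varies its payload; the source port and the IP ID should not be used as signatures from a single frame.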

syslogd

The program syslogd opens a UDP port in the non-privileged range. Any further "features" of this program are a mystery to me at the moment.

porro.tgz

This archive contains a folder called inetd. In this folder one finds quite a lot of files and further subfolders. Among those files are two binaries and many shell scripts. Calling the script inetd finally runs the program -bash, which opens a UDP port. Somehow this seems to be related to the previously mentioned syslogd program.

psy.tar.gz

This archive contains a folder called .b. It appears to be a customized version of psyBNC.

Obviously, the start program starts psyBNC. The autorun program defines a new cronjob that auto-starts the start program.
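Cron is a common persistence mechanism for this kind of kit, and a quick audit of user crontabs will catch the pattern the autorun script is described as creating. The following is an added example (my own code, not part of the original post or of the psyBNC kit) that parses crontab text and flags entries whose command runs out of a hidden dot-directory (such as .b or .access.log) or out of a world-writable directory. The sample crontab is constructed; the path /home/user/.b/start is an assumption about where such a kit would be unpacked, not something taken from the honeypot.

```python
"""Flag crontab entries that look like hidden-directory persistence."""
import re

# Constructed sample user crontab (not from the honeypot): one benign entry
# plus two lines of the kind psyBNC's autorun is described as adding.
# The path /home/user/.b is assumed for illustration.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/find /var/tmp -mtime +7 -delete
*/10 * * * * /home/user/.b/start >/dev/null 2>&1
@reboot cd /home/user/.b && ./start
"""

# A path component that starts with a dot (but is not "." or ".."), i.e. a hidden dir.
HIDDEN_DIR = re.compile(r"(^|/)\.[^/\s.]+(?=[/\s]|$)")
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_crontab(text: str) -> list:
    """Return (schedule, command) pairs, skipping comments, blanks and VAR=value lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):                 # @reboot, @daily, ...
            sched, cmd = line.split(None, 1)
        else:                                    # five time fields, then the command
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        entries.append((sched, cmd))
    return entries


def suspicious_reasons(cmd: str) -> list:
    """Heuristics for a command that deserves a closer look."""
    reasons = []
    if HIDDEN_DIR.search(cmd):
        reasons.append("runs from a hidden directory")
    if any(w in cmd for w in WORLD_WRITABLE):
        reasons.append("runs from a world-writable directory")
    return reasons


def audit_crontab(text: str) -> list:
    """Return (schedule, command, reasons) for every flagged entry."""
    flagged = []
    for sched, cmd in parse_crontab(text):
        reasons = suspicious_reasons(cmd)
        if reasons:
            flagged.append((sched, cmd, reasons))
    return flagged


if __name__ == "__main__":
    for sched, cmd, reasons in audit_crontab(SAMPLE_CRONTAB):
        print(f"{sched:14} {cmd}\n    -> {', '.join(reasons)}")
```

On a real system you would feed it the output of `crontab -l -u <user>` for every account plus the files under /etc/cron.d and /var/spool/cron, and also check at jobs and rc scripts, since a kit that can write a crontab can just as well use those.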