From: Dan Irwin (dan@jackies.com.au)
Date: Sun Apr 21 2002 - 16:24:43 CDT


    Some additional information:

    (For readers on the Honeypot list, please read my original post on Incidents
    Here:
    http://online.securityfocus.com/archive/75/268589)

    The honeypot was a Default fresh install of Redhat Linux 7.2. As many
    network services were enabled as possible. No patches were applied. This was
    installed in a VMware virtual machine, on a host-only network consisting of
    public IP addresses.

    Another /28 network was DNAT'd to the machine.

    The honeypot was online for a little over 24 hours. In that time, I
    believe it was compromised twice. Syslog logged a _lot_ of ftp connections
    from 1 particular IP address, indicating some kind of brute force wuftpd
    exploit.

    I believe the machine was also compromised via sshd, although I have not
    confirmed this.

    I had tcpdump -w running on the VMware host machine. It generated a lot of
    traffic, which I really need to analyse more. I have analysed the attacker's
    download of this rootkit, obtained his username and password to the FTP site
    in question (albeit invalid).

    For anyone interested, here is some tcpdump output (tcpdump -w) of the host
    in question. I have not fully analyzed this, but I am sure others will. The
    gz file is about 800k. The logfile inside is around 2.7megs. It can be
    loaded into ethereal or tcpdump or whatever. This will be full of little
    secrets, no doubt.

    http://www2.linuxphreaks.org/pub/unsorted/tcpdump_log.gz

    I pulled that honeypot offline after about 24 hours. I did not want to be
    the source of a worm starting or spreading. In the days since, my network
    has received a LOT of port scans from networks in Romania, looking for their
    "root". In particular, I have noticed a lot of scans for port 1221, which
    appears to be the port the illogic rootkit's sshd binds to.

    I have also been on the Undernet IRC network in these guys' channel, #h4ck3r,
    but not a lot appears to go on.

    And for those who read my email signature, Security is a personal hobby of
    mine. The company for which I consult don't mind me reading/following security
    issues on their time. My boss is shit scared about being "hacked" or having
    downtime to viruses. The honeypot was on my own home network, and not here
    at Jackies.

    I originally planned to post all this information on a web page over the
    weekend, but never got around to it. Too much Coding.

    PS. This is only really the second time I have unleashed a honeypot on
    unsuspecting script kiddies; I am a relative honeypot newbie!

    - Dan.

    And Once Again, The rootkit et al:

    Here it is:

    http://www2.linuxphreaks.org/pub/security/rootkits/illogic.tgz

    Output from Installer:

    http://www2.linuxphreaks.org/pub/hp/20020418/illogic-install.txt

    chkrootkit output:

    http://www2.linuxphreaks.org/pub/hp/20020418/chkrootkit.log

    --
    Dan Irwin - Systems Administrator
    Jackie's Wholesale Nurseries Pty Ltd
    Email: dan@jackies.com.au
    Phone: 07 3888 2481
    Fax: 07 3888 2530
    Postal: 10 Gleeson Road Burpengary Queensland 4505
    Email: info@jackies.com.au
    Web: http://www.jackies.com.au
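As an added example (not from Dan's post, and not part of the illogic rootkit or its analysis), the two indicators the post describes can be checked mechanically: a burst of FTP connection starts from one source in syslog, and a process listening on 1221/tcp. The xinetd log line format is assumed from xinetd's own `START:` logging; all syslog and netstat lines below are constructed samples.

```python
"""Detection checks for two indicators described in the post above: a burst
of FTP connection starts from one source (wu-ftpd brute force) and a
listener on 1221/tcp, the port the illogic rootkit's sshd is said to use.
All log and netstat lines below are constructed samples, not honeypot data."""
import re
from collections import Counter

# xinetd (which wraps wu-ftpd on Red Hat 7.2) logs each connection as
# "START: <service> pid=<n> from=<client ip>"; format assumed from xinetd.
XINETD_FTP = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ xinetd\[\d+\]: "
    r"START: ftp pid=\d+ from=(?P<ip>[\d.]+)")

def ftp_bursts(lines, threshold=5):
    """Return {ip: total connections} for sources with at least `threshold`
    FTP connection starts inside one clock minute (`ts` drops the seconds)."""
    per_minute, totals = Counter(), Counter()
    for line in lines:
        m = XINETD_FTP.match(line)
        if m:
            per_minute[(m["ip"], m["ts"])] += 1
            totals[m["ip"]] += 1
    return {ip: totals[ip] for (ip, _), n in per_minute.items() if n >= threshold}

def listeners_on(netstat_lines, port=1221):
    """Return local sockets from `netstat -ant`-style lines that LISTEN on
    `port`; a hit on 1221 is worth comparing against what sshd_config allows."""
    hits = []
    for line in netstat_lines:
        cols = line.split()
        if len(cols) >= 6 and cols[0] == "tcp" and cols[-1] == "LISTEN":
            if cols[3].rsplit(":", 1)[-1] == str(port):
                hits.append(cols[3])
    return hits

SAMPLE_SYSLOG = """\
Apr 21 03:12:01 hp xinetd[512]: START: ftp pid=1240 from=203.0.113.5
Apr 21 03:12:02 hp xinetd[512]: START: ftp pid=1241 from=203.0.113.5
Apr 21 03:12:02 hp xinetd[512]: START: ftp pid=1242 from=203.0.113.5
Apr 21 03:12:03 hp xinetd[512]: START: ftp pid=1243 from=203.0.113.5
Apr 21 03:12:05 hp xinetd[512]: START: ftp pid=1244 from=203.0.113.5
Apr 21 03:40:10 hp xinetd[512]: START: ftp pid=1300 from=198.51.100.7
""".splitlines()
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1221            0.0.0.0:*               LISTEN
""".splitlines()

if __name__ == "__main__":
    print("FTP bursts:", ftp_bursts(SAMPLE_SYSLOG))          # {'203.0.113.5': 5}
    print("Listeners on 1221:", listeners_on(SAMPLE_NETSTAT))  # ['0.0.0.0:1221']
```

On a real host the same functions can be fed `/var/log/messages` and the output of `netstat -ant`, but on a box suspected of running a rootkit the netstat binary itself may be trojaned, so compare with chkrootkit or a known-good binary as the post does.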