
10.4. Windows 2000 Compromise

As a second example of an attack against a high-interaction honeypot, we take a closer look at a compromise of a honeypot running Windows 2000 Service Pack 2. This honeypot was on the latest patch level for the operating system, and all patches issued by Microsoft were installed. Thus, it cannot be easily compromised by automated attacks by worms or autonomously spreading malware. To offer some bait for an attacker, we again installed some web applications on the honeypot. This time we chose XAMPP version 1.5.5, an easy-to-install Apache distribution containing the tools Apache 2.2.3, MySQL 5.0.27, PHP 5.2.0 and PHP 4.4.4, phpMyAdmin 2.9.1.1, FileZilla FTP Server 0.9.20, and OpenSSL 0.9.8d.

As you can see, all applications are on a fairly recent version and thus should be rather secure. XAMPP itself is designed for a development environment, and the installation notes clearly mention that XAMPP should not be used in a production environment [109]:

XAMPP is configured to be as open as possible and to allow the web developer anything he/she wants. For development environments this is great but in a production environment it could be fatal.

Here is a list of missing security in XAMPP:

  • The MySQL administrator (root) has no password.

  • The MySQL daemon is accessible via network.

  • PhpMyAdmin is accessible via network.

  • Examples are accessible via network.

  • The users of Mercury and FileZilla are known.

Please secure XAMPP before publishing anything online.

Thus, the individual software tools are secure, but due to the insecure configuration, the whole system is vulnerable to attacks. This is a common phenomenon in IT security, and we wanted to see whether it can also lead to interesting observations.

You could use a similar honeypot setup to protect your servers: deploy a fairly secure honeypot near your valuable boxes (preferably in a separate VLAN) and closely monitor what happens. Again, this can act as a kind of burglar alarm and help you to identify the reconnaissance phase of an attack against you.

10.4.1. Attack Summary

The attacker managed to access the FTP server provided by XAMPP using a default login and password. Via several steps, he gained access to the Windows command shell and then uploaded his own toolkit. It contained several common attack tools, such as a Trojan horse with the capability to hide certain files, a keylogger, and a vulnerability scanner. With the help of an automated setup procedure, he installed all tools on the honeypot and then tried to attack other systems. This was, however, successfully blocked by the Honeywall.

10.4.2. Attack Timeline

December 11

10.4.3. Tools Involved

The other files uploaded by the attacker include another Trojan horse and a keylogger. We refrain from describing them in more detail, since they were not used by the attacker during this attack.

10.4.4. Attack Evaluation

The attacker seems to be somewhat experienced. He knew what to look for and had his own, well-prepared toolkit to quickly take over the compromised system. He knew the default password of XAMPP and quickly obtained a command shell on the honeypot.

With the tool Dfind, he then scanned the local network for other vulnerable machines. This was picked up and blocked by the Honeywall. Based on this behavior, we can assume that the attacker intended to use the compromised system as a stepping stone to attack other machines.
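The "burglar alarm" role of the honeypot described in this section rests on one rule: a honeypot never initiates outbound connections, so any such connection is an alert, and a burst of them to many hosts on one port is the signature of the kind of local-network sweep the Honeywall blocked here. The following detector is an added example written for this page, not code from the book or from the Honeywall project; the honeypot address 192.168.10.20, the log format and the log lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of outbound connection records, in an invented
# "date time proto src:port -> dst:port" layout (not a real Honeywall log).
SAMPLE_LOG = """\
2006-12-11 22:14:01 TCP 192.168.10.5:3391 -> 192.168.10.20:21
2006-12-11 22:15:03 TCP 192.168.10.20:1043 -> 192.168.10.1:445
2006-12-11 22:15:03 TCP 192.168.10.20:1044 -> 192.168.10.2:445
2006-12-11 22:15:04 TCP 192.168.10.20:1045 -> 192.168.10.3:445
2006-12-11 22:15:04 TCP 192.168.10.20:1046 -> 192.168.10.4:445
2006-12-11 22:15:05 TCP 192.168.10.20:1047 -> 192.168.10.5:445
2006-12-11 22:15:05 TCP 192.168.10.20:1048 -> 192.168.10.6:445
2006-12-11 22:20:30 TCP 192.168.10.20:1049 -> 10.0.0.9:80
"""

HONEYPOTS = {"192.168.10.20"}      # constructed honeypot address
SCAN_FANOUT = 5                    # distinct destinations that count as a sweep
WINDOW = timedelta(seconds=60)     # sliding window for the fan-out count


def parse(line):
    """Split one constructed log line into (ts, proto, src_ip, dst_ip, dport)."""
    date, time, proto, src, _arrow, dst = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dport = dst.rsplit(":", 1)
    return ts, proto, src_ip, dst_ip, int(dport)


def alerts(log_text, honeypots=HONEYPOTS, fanout=SCAN_FANOUT, window=WINDOW):
    """Return ("outbound", src) once per honeypot that connects out, plus
    ("scan", src, proto, dport, n) when one honeypot reaches `fanout` distinct
    hosts on the same port inside `window`. Inbound traffic is ignored."""
    found, warned = [], set()
    history = defaultdict(list)   # (src, proto, dport) -> [(ts, dst_ip)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, dport = parse(line)
        if src not in honeypots:
            continue                      # only honeypot-originated traffic
        if src not in warned:             # any outbound connection is an alarm
            warned.add(src)
            found.append(("outbound", src))
        key = (src, proto, dport)
        history[key].append((ts, dst))
        recent = {d for t, d in history[key] if ts - t <= window}
        if len(recent) == fanout:         # fire exactly once per sweep
            found.append(("scan", src, proto, dport, len(recent)))
    return found
```

Run `alerts(SAMPLE_LOG)` to see one outbound alarm and one scan alert for port 445; the single later connection to port 80 raises no scan alert because it never reaches the fan-out threshold.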
