LinuxQuestions.org

Faris 11-18-2011 02:38 PM

Low interaction Honeypot (based on nepenthes) worm infection, Advice needed
 
A quick check of my low-interaction honeypot (based on nepenthes) is given below. My question is: how would I move forward with the analysis of this incident, including an assessment of the threat, vulnerability, malware, and impact of the worm?

linux-sqos:/opt/nepenthes/var/log # cat nepenthes.log
<snip>
[18032007 02:26:03 info module] 76 4
[18032007 02:26:03 info module] SMB Session Request 76
H CKFDENECFDEFFCFGEFFCCACACACACACA
[18032007 02:26:03 warn module] Unknown NETDDE exploit 76 bytes State 1
[18032007 02:26:03 module] Stored Hexdump var/hexdumps/850745ec6a9f3cc3d7ce4bdd7294e468.bin (0x0809fa80 , 0x0000004c).
[18032007 02:26:03 warn module] Unknown SMBName exploit 0 bytes State 1
[18032007 02:26:03 info handler dia] Unknown DCOM request, dropping
[18032007 02:26:11 crit sc handler] MATCH linkxor::link matchCount 5 map_items 5
[18032007 02:26:11 info sc handler] i = 1 map_items 5 , map = size
[18032007 02:26:11 info sc handler] i = 2 map_items 5 , map = size
[18032007 02:26:11 info sc handler] i = 3 map_items 5 , map = key
[18032007 02:26:11 info sc handler] i = 4 map_items 5 , map = post
[18032007 02:26:11 info sc handler] Found linkbot XOR decoder, key 0x1b, payload is 0x00b2 bytes long.
[18032007 02:26:11 info sc handler] connectbackfiletransfer::linktransfer -> 64.182.172.15:56330
[18032007 02:26:11 info sc handler] connectbackfiletransfer::linktransfer -> 64.182.172.15:56330, key 0xaeed1ff8.
[18032007 02:26:11 info down mgr] Handler link download handler will download link://64.182.172.15:56330/ru0f+A==
[18032007 02:26:13 info handler dia] Download via linkbot filetransferr done! ( download is 114176 bytes)
[18032007 02:26:13 info mgr submit] File b6c9254853a642e90756cfb04efd67ea has type PE executable for MS Windows (GUI) Intel 80386 32-bit
[18032007 02:26:13 warn dia] Unknown ASN1_SMB Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 dia] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a1a40 , 0x000000ac).
[18032007 02:26:13 warn module] Unknown PNP Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 module] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a1638 , 0x000000ac).
[18032007 02:26:13 warn module] Unknown LSASS Shellcode (Buffer 172 bytes) (State 0)

[18032007 02:26:13 module] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a08f0 , 0x000000ac).
[18032007 02:26:13 warn handler dia] Unknown DCOM Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 handler dia] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x0809fa80 , 0x000000ac).
<snip>
linux-sqos:/opt/nepenthes/var/binaries # ls -l b6c9254853a642e90756cfb04efd67ea
-rw-r--r-- 1 root root 114176 Mar 18 02:26 b6c9254853a642e90756cfb04efd67ea
linux-sqos:/opt/nepenthes/var/binaries # file b6c9254853a642e90756cfb04efd67ea
b6c9254853a642e90756cfb04efd67ea: PE executable for MS Windows (GUI) Intel 80386 32-bit
linux-sqos:/opt/nepenthes/var/binaries # cd /opt/nepenthes/var/hexdumps
linux-sqos:/opt/nepenthes/var/hexdumps # ls -l 16e9e789e405a1bc1e69a3a7f302416b.bin
-rw-r--r-- 1 root root 172 Mar 18 02:26 16e9e789e405a1bc1e69a3a7f302416b.bin
linux-sqos:/opt/nepenthes/var/hexdumps # file 16e9e789e405a1bc1e69a3a7f302416b.bin
16e9e789e405a1bc1e69a3a7f302416b.bin: data
linux-sqos:/opt/nepenthes/var/hexdumps # xxd -g 1 -u 16e9e789e405a1bc1e69a3a7f302416b.bin
0000000: 00 00 00 A8 FF 53 4D 42 72 00 00 00 00 08 01 40 .....SMBr......@
0000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2C 03 ..............,.
0000020: 02 08 10 3E 00 85 00 02 50 43 20 4E 45 54 57 4F ...>....PC NETWO
0000030: 52 4B 20 50 52 4F 47 52 41 4D 20 31 2E 30 00 02 RK PROGRAM 1.0..
0000040: 4D 49 43 52 4F 53 4F 46 54 20 4E 45 54 57 4F 52 MICROSOFT NETWOR
0000050: 4B 53 20 31 2E 30 33 00 02 4D 49 43 52 4F 53 4F KS 1.03..MICROSO
0000060: 46 54 20 4E 45 54 57 4F 52 4B 53 20 33 2E 30 00 FT NETWORKS 3.0.
0000070: 02 4C 41 4E 4D 41 4E 31 2E 30 00 02 4C 4D 31 2E .LANMAN1.0..LM1.
0000080: 32 58 30 30 32 00 02 4C 41 4E 4D 41 4E 32 2E 31 2X002..LANMAN2.1
0000090: 00 02 4E 54 20 4C 41 4E 4D 41 4E 20 31 2E 30 00 ..NT LANMAN 1.0.
00000a0: 02 4E 54 20 4C 4D 20 30 2E 31 32 00 .NT LM 0.12.
linux-sqos:/opt/nepenthes/var/hexdumps #

Thank you in advance.
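The log above has a fixed shape, `[DDMMYYYY HH:MM:SS <level> <tags>] message`, so the facts a responder wants first (when it happened, which decoder matched, which host the honeypot connected back to, what was downloaded, which detector buffers were stored unmatched as hexdumps) can be pulled out with a handful of patterns. The following is an added example, not code from the post or from nepenthes; the sample lines are copied from the log above, and the pattern set and level list are assumed to cover only the line types shown there.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the nepenthes.log lines quoted in the first post.
SAMPLE_LOG = """\
[18032007 02:26:03 warn module] Unknown NETDDE exploit 76 bytes State 1
[18032007 02:26:03 module] Stored Hexdump var/hexdumps/850745ec6a9f3cc3d7ce4bdd7294e468.bin (0x0809fa80 , 0x0000004c).
[18032007 02:26:11 info sc handler] Found linkbot XOR decoder, key 0x1b, payload is 0x00b2 bytes long.
[18032007 02:26:11 info sc handler] connectbackfiletransfer::linktransfer -> 64.182.172.15:56330, key 0xaeed1ff8.
[18032007 02:26:11 info down mgr] Handler link download handler will download link://64.182.172.15:56330/ru0f+A==
[18032007 02:26:13 info handler dia] Download via linkbot filetransferr done! ( download is 114176 bytes)
[18032007 02:26:13 info mgr submit] File b6c9254853a642e90756cfb04efd67ea has type PE executable for MS Windows (GUI) Intel 80386 32-bit
[18032007 02:26:13 warn dia] Unknown ASN1_SMB Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 dia] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a1a40 , 0x000000ac).
"""

# [DDMMYYYY HH:MM:SS <level?> <tags>] message; the level set is what this log shows (assumed).
LINE = re.compile(r"^\[(\d{8} \d\d:\d\d:\d\d) (?:(info|warn|crit) )?([^\]]+)\] (.*)$")
EVENTS = {  # summary key -> pattern over the message part of a line
    "decoder": re.compile(r"Found (\S+) XOR decoder, key (0x[0-9a-f]+), payload is (0x[0-9a-f]+) bytes"),
    "connect_back": re.compile(r"-> (\d+\.\d+\.\d+\.\d+):(\d+)"),
    "download_url": re.compile(r"will download (\S+)$"),
    "download_size": re.compile(r"download is (\d+) bytes"),
    "binary": re.compile(r"File ([0-9a-f]{32}) has type (.+)$"),
    "unmatched": re.compile(r"Unknown (\S+) (?:Shellcode|exploit) \(?(?:Buffer )?(\d+) bytes"),
    "hexdump": re.compile(r"Stored Hexdump (\S+\.bin)"),
}

def summarize(log_text):
    """Reduce nepenthes log lines to the facts a responder needs first."""
    s = {"first_seen": None, "last_seen": None, "levels": {}, "unmatched": [], "hexdumps": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:  # <snip> markers and continuation lines such as the NetBIOS name
            continue
        ts = datetime.strptime(m.group(1), "%d%m%Y %H:%M:%S")
        level, msg = m.group(2) or "none", m.group(4)
        s["first_seen"], s["last_seen"] = s["first_seen"] or ts, ts
        s["levels"][level] = s["levels"].get(level, 0) + 1
        for key, pat in EVENTS.items():
            hit = pat.search(msg)
            if hit and key == "unmatched":      # detector name and buffer size
                s["unmatched"].append((hit.group(1), int(hit.group(2))))
            elif hit and key == "hexdump":      # stored buffers worth inspecting by hand
                s["hexdumps"].append(hit.group(1))
            elif hit:
                s[key] = hit.groups()
    return s
```

The connect-back entry is the host that served the 114176-byte binary, and the md5 in the `File ... has type` line is the name nepenthes stored it under in var/binaries, so the summary ties the log straight to the artefacts on disk.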

unSpawn 11-18-2011 02:50 PM

A quick check? You mean back in "^[18032007"? Any more honesty issues we should deal with? Like breaking the homework rule?

Faris 11-18-2011 03:15 PM

I know what you're referring to, but that's not the case.
I have been asked to answer this while I have never used the application, and they didn't even try to explain one example of these lines. So how are you expecting me to interpret these lines by myself? I think even professional people will not find it easy.
Anyhow, thank you for your post.

unSpawn 11-21-2011 06:34 PM

Quote:

Originally Posted by Faris (Post 4527830)
I know what you're referring to, but that's not the case.

I'm not going to push this any further, but then why would you pass it off as if you were running Nepenthes? If you did, then we at least could assert you knew what you were doing (I mean, else why run a honeypot?).


Quote:

Originally Posted by Faris (Post 4527811)
How would I move forward with the analysis of this incident

You've got one executable and a hexdump. I can't see anything from the latter except evidence of some Samba-ish dialects, but the binary you could virus-scan, dissect for PE compressors, libraries and strings, step through a debugger in a sandbox (for deities' sake, restrict it to a completely isolated network), record process details and network traffic, and compare it with honeypot downloads elsewhere.

Faris 11-26-2011 12:52 PM

Thanks for the reply.
 
Thank you very much for the information that you gave me.
I think, first of all, I need to isolate the affected PC which has this IP address (64.182.172.15) by disconnecting it from the network, to stop the worm spreading to other systems via the network.
Second, I need to scan the computer with an antivirus program.
But I am still confused about the impact of the worm:
Did the worm spread into the network?
How did the worm affect the system it has been located in; did it change any file?
Did the worm send the root folder to the attacker?

If you can clarify these points and show them to me from the report, that will be very kind of you, because I am very keen to know how to read the log file as much as I can, not just answer the question.

Thank you in advance.


Regards,

OlRoy 11-26-2011 02:03 PM

http://forum.kaspersky.com/lofiversi...p/t168704.html
http://www.linuxquestions.org/questi...needed-808885/
And at least two more forums that have deleted the post.

You've been at this a while, and posting under different names. Care to explain what is going on?

unSpawn 11-27-2011 04:55 PM

Quote:

Originally Posted by Faris (Post 4534581)
I think, first of all, I need to isolate the affected PC which has this IP address (64.182.172.15) by disconnecting it from the network, to stop the worm spreading to other systems via the network.

If network policies mandate that this be dealt with in a BOFH way, without proper investigation, then mitigating it by isolating the machine would be the procedure, yes. However, the capturing process itself does not identify (as in confirm or deny) this as a worm. As such, the questions you ask are either irrelevant or premature, because you'd have to dissect it first...

