Low interaction Honeypot (based on nepenthes) worm infection, Advice needed
A quick check of my low-interaction honeypot (based on nepenthes) is given below. My question is: how would I move forward with the analysis of this incident, including an assessment of the threat, vulnerability, malware, and impact of the worm?
linux-sqos:/opt/nepenthes/var/log # cat nepenthes.log
<snip>
[18032007 02:26:03 info module] 76 4
[18032007 02:26:03 info module] SMB Session Request 76 H CKFDENECFDEFFCFGEFFCCACACACACACA
[18032007 02:26:03 warn module] Unknown NETDDE exploit 76 bytes State 1
[18032007 02:26:03 module] Stored Hexdump var/hexdumps/850745ec6a9f3cc3d7ce4bdd7294e468.bin (0x0809fa80 , 0x0000004c).
[18032007 02:26:03 warn module] Unknown SMBName exploit 0 bytes State 1
[18032007 02:26:03 info handler dia] Unknown DCOM request, dropping
[18032007 02:26:11 crit sc handler] MATCH linkxor::link matchCount 5 map_items 5
[18032007 02:26:11 info sc handler] i = 1 map_items 5 , map = size
[18032007 02:26:11 info sc handler] i = 2 map_items 5 , map = size
[18032007 02:26:11 info sc handler] i = 3 map_items 5 , map = key
[18032007 02:26:11 info sc handler] i = 4 map_items 5 , map = post
[18032007 02:26:11 info sc handler] Found linkbot XOR decoder, key 0x1b, payload is 0x00b2 bytes long.
[18032007 02:26:11 info sc handler] connectbackfiletransfer::linktransfer -> 64.182.172.15:56330
[18032007 02:26:11 info sc handler] connectbackfiletransfer::linktransfer -> 64.182.172.15:56330, key 0xaeed1ff8.
[18032007 02:26:11 info down mgr] Handler link download handler will download link://64.182.172.15:56330/ru0f+A==
[18032007 02:26:13 info handler dia] Download via linkbot filetransferr done! ( download is 114176 bytes)
[18032007 02:26:13 info mgr submit] File b6c9254853a642e90756cfb04efd67ea has type PE executable for MS Windows (GUI) Intel 80386 32-bit
[18032007 02:26:13 warn dia] Unknown ASN1_SMB Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 dia] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a1a40 , 0x000000ac).
[18032007 02:26:13 warn module] Unknown PNP Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 module] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a1638 , 0x000000ac).
[18032007 02:26:13 warn module] Unknown LSASS Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 module] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a08f0 , 0x000000ac).
[18032007 02:26:13 warn handler dia] Unknown DCOM Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 handler dia] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x0809fa80 , 0x000000ac).
<snip>

linux-sqos:/opt/nepenthes/var/binaries # ls -l b6c9254853a642e90756cfb04efd67ea
-rw-r--r-- 1 root root 114176 Mar 18 02:26 b6c9254853a642e90756cfb04efd67ea
linux-sqos:/opt/nepenthes/var/binaries # file b6c9254853a642e90756cfb04efd67ea
b6c9254853a642e90756cfb04efd67ea: PE executable for MS Windows (GUI) Intel 80386 32-bit
linux-sqos:/opt/nepenthes/var/binaries # cd /opt/nepenthes/var/hexdumps
linux-sqos:/opt/nepenthes/var/hexdumps # ls -l 16e9e789e405a1bc1e69a3a7f302416b.bin
-rw-r--r-- 1 root root 172 Mar 18 02:26 16e9e789e405a1bc1e69a3a7f302416b.bin
linux-sqos:/opt/nepenthes/var/hexdumps # file 16e9e789e405a1bc1e69a3a7f302416b.bin
16e9e789e405a1bc1e69a3a7f302416b.bin: data
linux-sqos:/opt/nepenthes/var/hexdumps # xxd -g 1 -u 16e9e789e405a1bc1e69a3a7f302416b.bin
0000000: 00 00 00 A8 FF 53 4D 42 72 00 00 00 00 08 01 40  .....SMBr......@
0000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2C 03  ..............,.
0000020: 02 08 10 3E 00 85 00 02 50 43 20 4E 45 54 57 4F  ...>....PC NETWO
0000030: 52 4B 20 50 52 4F 47 52 41 4D 20 31 2E 30 00 02  RK PROGRAM 1.0..
0000040: 4D 49 43 52 4F 53 4F 46 54 20 4E 45 54 57 4F 52  MICROSOFT NETWOR
0000050: 4B 53 20 31 2E 30 33 00 02 4D 49 43 52 4F 53 4F  KS 1.03..MICROSO
0000060: 46 54 20 4E 45 54 57 4F 52 4B 53 20 33 2E 30 00  FT NETWORKS 3.0.
0000070: 02 4C 41 4E 4D 41 4E 31 2E 30 00 02 4C 4D 31 2E  .LANMAN1.0..LM1.
0000080: 32 58 30 30 32 00 02 4C 41 4E 4D 41 4E 32 2E 31  2X002..LANMAN2.1
0000090: 00 02 4E 54 20 4C 41 4E 4D 41 4E 20 31 2E 30 00  ..NT LANMAN 1.0.
00000a0: 02 4E 54 20 4C 4D 20 30 2E 31 32 00              .NT LM 0.12.
linux-sqos:/opt/nepenthes/var/hexdumps #

Thank you in advance.
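As an added example, not part of the original post: a small Python parser for nepenthes log lines of the form quoted above. It pulls out the facts an analyst needs from this capture in one pass: the exploit modules that fired, the shellcode decoder that matched (linkbot XOR, key 0x1b), the host and port the shellcode told the victim to connect back to for the payload, the link:// URL, the size and MD5 of the downloaded PE, and the hexdumps nepenthes wrote to disk. The sample log is reconstructed from the lines in the post; the function names are this example's own, and the line layout it assumes is the one visible above, `[DDMMYYYY HH:MM:SS [level] tag ...] message`, with the level sometimes omitted. It also checks one detail the log shows directly: the base64 path of the link:// URL (`ru0f+A==`) decodes to the same 32-bit key, 0xaeed1ff8, that nepenthes reports on the connectbackfiletransfer line.

```python
import base64
import re

# Constructed sample: the relevant nepenthes.log lines quoted in the post,
# with nothing added. A real log has many more entries around them.
SAMPLE_LOG = """\
[18032007 02:26:03 warn module] Unknown NETDDE exploit 76 bytes State 1
[18032007 02:26:03 module] Stored Hexdump var/hexdumps/850745ec6a9f3cc3d7ce4bdd7294e468.bin (0x0809fa80 , 0x0000004c).
[18032007 02:26:03 warn module] Unknown SMBName exploit 0 bytes State 1
[18032007 02:26:11 crit sc handler] MATCH linkxor::link matchCount 5 map_items 5
[18032007 02:26:11 info sc handler] Found linkbot XOR decoder, key 0x1b, payload is 0x00b2 bytes long.
[18032007 02:26:11 info sc handler] connectbackfiletransfer::linktransfer -> 64.182.172.15:56330, key 0xaeed1ff8.
[18032007 02:26:11 info down mgr] Handler link download handler will download link://64.182.172.15:56330/ru0f+A==
[18032007 02:26:13 info handler dia] Download via linkbot filetransferr done! ( download is 114176 bytes)
[18032007 02:26:13 info mgr submit] File b6c9254853a642e90756cfb04efd67ea has type PE executable for MS Windows (GUI) Intel 80386 32-bit
[18032007 02:26:13 warn dia] Unknown ASN1_SMB Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 dia] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a1a40 , 0x000000ac).
"""

LEVELS = {"spam", "debug", "info", "warn", "crit"}
LINE_RE = re.compile(r"^\[(\d{8}) (\d{2}:\d{2}:\d{2}) ([^\]]*)\] (.*)$")

def parse_line(line):
    """Split '[DDMMYYYY HH:MM:SS [level] tag ...] message' into fields.
    nepenthes omits the level on some lines, so it is detected by value."""
    m = LINE_RE.match(line)
    if not m:
        return None
    date, time, head, msg = m.groups()
    words = head.split()
    level = words[0] if words and words[0] in LEVELS else None
    return {"date": date, "time": time, "level": level,
            "tags": words[1:] if level else words, "msg": msg}

# One pattern per fact worth extracting from a linkbot-style hit.
RE_EXPLOIT = re.compile(r"Unknown (\S+) exploit (\d+) bytes State (\d+)")
RE_MATCH = re.compile(r"MATCH (\S+) matchCount")
RE_DECODER = re.compile(r"Found (\w+) XOR decoder, key (0x[0-9a-f]+), payload is (0x[0-9a-f]+) bytes")
RE_CONNECTBACK = re.compile(r"linktransfer -> (\d+\.\d+\.\d+\.\d+):(\d+), key (0x[0-9a-f]+)")
RE_DOWNLOAD_URL = re.compile(r"will download (link://\S+)")
RE_DOWNLOAD_SIZE = re.compile(r"download is (\d+) bytes")
RE_BINARY = re.compile(r"File ([0-9a-f]{32}) has type (.+)")
RE_HEXDUMP = re.compile(r"Stored Hexdump (\S+) \((0x[0-9a-f]+) , (0x[0-9a-f]+)\)")

def link_url_key(url):
    """The path of a link:// URL is base64; decode it as a big-endian integer
    so it can be compared with the key nepenthes reports for the transfer."""
    path = url.rsplit("/", 1)[1]
    return int.from_bytes(base64.b64decode(path), "big")

def summarize(log_text):
    """Walk the log once and collect the incident facts into one dict."""
    s = {"exploit_attempts": [], "hexdumps": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg, t = rec["msg"], rec["time"]
        if m := RE_EXPLOIT.search(msg):
            s["exploit_attempts"].append({"time": t, "module": m.group(1),
                                          "bytes": int(m.group(2)), "state": int(m.group(3))})
        elif m := RE_MATCH.search(msg):
            s["shellcode_match"] = m.group(1)
        elif m := RE_DECODER.search(msg):
            s["decoder"] = {"family": m.group(1), "xor_key": int(m.group(2), 16),
                            "payload_len": int(m.group(3), 16)}
        elif m := RE_CONNECTBACK.search(msg):
            s["connectback"] = {"ip": m.group(1), "port": int(m.group(2)), "key": int(m.group(3), 16)}
        elif m := RE_DOWNLOAD_URL.search(msg):
            s["download_url"] = m.group(1)
        elif m := RE_DOWNLOAD_SIZE.search(msg):
            s["download_size"] = int(m.group(1))
        elif m := RE_BINARY.search(msg):
            s["binary"] = {"md5": m.group(1), "type": m.group(2),
                           "path": "var/binaries/" + m.group(1)}
        elif m := RE_HEXDUMP.search(msg):
            s["hexdumps"].append({"time": t, "path": m.group(1), "size": int(m.group(3), 16)})
    # Consistency check: the key encoded in the link:// URL path should be the
    # one nepenthes printed on the connectbackfiletransfer line.
    if "download_url" in s and "connectback" in s:
        s["url_key_matches"] = link_url_key(s["download_url"]) == s["connectback"]["key"]
    return s

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Against the live system, `summarize(open("/opt/nepenthes/var/log/nepenthes.log").read())` gives the same dictionary for the whole file. The three values to carry into the next steps are the connect-back address (the host the honeypot was instructed to fetch the binary from), the MD5 `b6c9254853a642e90756cfb04efd67ea`, and the PE under `var/binaries/` that the hash names; the hexdump sizes (0x4c = 76 bytes, 0xac = 172 bytes) line up with the "76 bytes" and "Buffer 172 bytes" figures in the warnings, which is a quick way to tie each stored buffer back to the line that produced it.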
A quick check? You mean back in "^[18032007"? Any more honesty issues we should deal with? Like breaking the homework rule?
I know what you're referring to, but that's not the case.
I have been asked to answer this while I have never used the application, and they didn't even try to explain one example about these lines. So how are you expecting me to interpret these lines by myself? I think even professional people will not find it easy. Anyhow, thank you for your post.
Thanks for the reply.
Thank you very much for the information that you gave me.
I think, first of all, I need to isolate the affected PC which has this IP address (64.182.172.15) by disconnecting it from the network, to stop the worm spreading to other systems via the network. Second, I need to scan the computer with an antivirus program. But I am still confused about the impact of the worm: did the worm spread into the network? How did the worm affect the system it has been located in; did it change any file? Did the worm send the root folder to the attacker? If you can clarify these points and show them to me from the report, that would be very kind of you, because I am very keen to know how to read the log file as much as I can, not just answer the question. Thank you in advance. Regards,
http://forum.kaspersky.com/lofiversi...p/t168704.html
http://www.linuxquestions.org/questi...needed-808885/ And at least two more forums that have deleted the post. You've been at this a while, and posting under different names. Care to explain what is going on?