LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 11-18-2011, 02:38 PM   #1
Faris
LQ Newbie
 
Registered: Nov 2011
Posts: 3

Rep: Reputation: Disabled
Low interaction Honeypot (based on nepenthes) worm infection, Advice needed


A quick check of my low interaction Honeypot (based on nepenthes) given as below. my question is; How would I move forward with the analysis of this incident, including an assessment of the threat, vulnerability, malware, and impact of the worm?

linux-sqos:/opt/nepenthes/var/log # cat nepenthes.log
<snip>
[18032007 02:26:03 info module] 76 4
[18032007 02:26:03 info module] SMB Session Request 76
H CKFDENECFDEFFCFGEFFCCACACACACACA
[18032007 02:26:03 warn module] Unknown NETDDE exploit 76 bytes State 1
[18032007 02:26:03 module] Stored Hexdump var/hexdumps/850745ec6a9f3cc3d7ce4bdd7294e468.bin (0x0809fa80 , 0x0000004c).
[18032007 02:26:03 warn module] Unknown SMBName exploit 0 bytes State 1
[18032007 02:26:03 info handler dia] Unknown DCOM request, dropping
[18032007 02:26:11 crit sc handler] MATCH linkxor::link matchCount 5 map_items 5
[18032007 02:26:11 info sc handler] i = 1 map_items 5 , map = size
[18032007 02:26:11 info sc handler] i = 2 map_items 5 , map = size
[18032007 02:26:11 info sc handler] i = 3 map_items 5 , map = key
[18032007 02:26:11 info sc handler] i = 4 map_items 5 , map = post
[18032007 02:26:11 info sc handler] Found linkbot XOR decoder, key 0x1b, payload is 0x00b2 bytes long.
[18032007 02:26:11 info sc handler] connectbackfiletransfer::linktransfer -> 64.182.172.15:56330
[18032007 02:26:11 info sc handler] connectbackfiletransfer::linktransfer -> 64.182.172.15:56330, key 0xaeed1ff8.
[18032007 02:26:11 info down mgr] Handler link download handler will download link://64.182.172.15:56330/ru0f+A==
[18032007 02:26:13 info handler dia] Download via linkbot filetransferr done! ( download is 114176 bytes)
[18032007 02:26:13 info mgr submit] File b6c9254853a642e90756cfb04efd67ea has type PE executable for MS Windows (GUI) Intel 80386 32-bit
[18032007 02:26:13 warn dia] Unknown ASN1_SMB Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 dia] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a1a40 , 0x000000ac).
[18032007 02:26:13 warn module] Unknown PNP Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 module] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a1638 , 0x000000ac).
[18032007 02:26:13 warn module] Unknown LSASS Shellcode (Buffer 172 bytes) (State 0)

[18032007 02:26:13 module] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a08f0 , 0x000000ac).
[18032007 02:26:13 warn handler dia] Unknown DCOM Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 handler dia] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x0809fa80 , 0x000000ac).
<snip>
linux-sqos:/opt/nepenthes/var/binaries # ls -l b6c9254853a642e90756cfb04efd67ea
-rw-r--r-- 1 root root 114176 Mar 18 02:26 b6c9254853a642e90756cfb04efd67ea
linux-sqos:/opt/nepenthes/var/binaries # file b6c9254853a642e90756cfb04efd67ea
b6c9254853a642e90756cfb04efd67ea: PE executable for MS Windows (GUI) Intel 80386 32-bit
linux-sqos:/opt/nepenthes/var/binaries # cd /opt/nepenthes/var/hexdumps
linux-sqos:/opt/nepenthes/var/hexdumps # ls -l 16e9e789e405a1bc1e69a3a7f302416b.bin
-rw-r--r-- 1 root root 172 Mar 18 02:26 16e9e789e405a1bc1e69a3a7f302416b.bin
linux-sqos:/opt/nepenthes/var/hexdumps # file 16e9e789e405a1bc1e69a3a7f302416b.bin
16e9e789e405a1bc1e69a3a7f302416b.bin: data
linux-sqos:/opt/nepenthes/var/hexdumps # xxd -g 1 -u 16e9e789e405a1bc1e69a3a7f302416b.bin
0000000: 00 00 00 A8 FF 53 4D 42 72 00 00 00 00 08 01 40 .....SMBr......@
0000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2C 03 ..............,.
0000020: 02 08 10 3E 00 85 00 02 50 43 20 4E 45 54 57 4F ...>....PC NETWO
0000030: 52 4B 20 50 52 4F 47 52 41 4D 20 31 2E 30 00 02 RK PROGRAM 1.0..
0000040: 4D 49 43 52 4F 53 4F 46 54 20 4E 45 54 57 4F 52 MICROSOFT NETWOR
0000050: 4B 53 20 31 2E 30 33 00 02 4D 49 43 52 4F 53 4F KS 1.03..MICROSO
0000060: 46 54 20 4E 45 54 57 4F 52 4B 53 20 33 2E 30 00 FT NETWORKS 3.0.
0000070: 02 4C 41 4E 4D 41 4E 31 2E 30 00 02 4C 4D 31 2E .LANMAN1.0..LM1.
0000080: 32 58 30 30 32 00 02 4C 41 4E 4D 41 4E 32 2E 31 2X002..LANMAN2.1
0000090: 00 02 4E 54 20 4C 41 4E 4D 41 4E 20 31 2E 30 00 ..NT LANMAN 1.0.
00000a0: 02 4E 54 20 4C 4D 20 30 2E 31 32 00 .NT LM 0.12.
linux-sqos:/opt/nepenthes/var/hexdumps #






Thank you in advance.
 
Old 11-18-2011, 02:50 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,118
Blog Entries: 54

Rep: Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786
A quick check? You mean back in "^[18032007"? Any more honesty issues we should deal with? Like breaking the homework rule?

Last edited by unSpawn; 11-18-2011 at 02:52 PM.
 
Old 11-18-2011, 03:15 PM   #3
Faris
LQ Newbie
 
Registered: Nov 2011
Posts: 3

Original Poster
Rep: Reputation: Disabled
I know what you referring to, but that’s not the case.
i have been asked to answer this while i have never used application, and they didn't even tried to explain one example about these lines. So how u expecting me to interrupt these line by myself! i think even professional people will not find it easy.
Anyhow thank you for ur post.
 
Old 11-21-2011, 06:34 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,118
Blog Entries: 54

Rep: Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786
Quote:
Originally Posted by Faris View Post
I know what you referring to, but thatís not the case.
I'm not going to push this any further but then why would you pass it off as if you were running Nephentes? If you did then we at least could assert you knew what you were doing (I mean else why run a Honeypot?).


Quote:
Originally Posted by Faris View Post
How would I move forward with the analysis of this incident
You've got one executable and a hexdump. I can't see anything from the latter except evidence of some Samba-ish dialects but the binary you could virusscan, dissect for PE compressors, libraries, strings, step it through a debugger in a sandbox (for deities sake restrict it to a completely isolated network), record process details and network traffic and compare it with Honeypot downloads elsewhere.
 
Old 11-26-2011, 12:52 PM   #5
Faris
LQ Newbie
 
Registered: Nov 2011
Posts: 3

Original Poster
Rep: Reputation: Disabled
thanks for reply

Thank you very much for the information that you gave me.
I think, first of all I need to isolate the effected PC which has this IP address (64.182.172.15) by disconnecting it from the network to stop spreading the worm to other systems via the network.
Second, I need to scan the computer with antivirus program
But i am still confused abut the impact of the worm;
Did the worm spread into the network?
How the worm affected the system that it has been located in, did it change any file?
Did the worm send the root folder to the attacker?

If u can clarify these points and show it to me from the report that will be very kind from you ... because i am very keen to know how to read the logfile as much as i can. not just answer the question.

thank you in advance


regards,
 
Old 11-26-2011, 02:03 PM   #6
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
http://forum.kaspersky.com/lofiversi...p/t168704.html
http://www.linuxquestions.org/questi...needed-808885/
And at least two more forums that have deleted the post.

You've been at this a while, and posting under different names. Care to explain what is going on?

Last edited by OlRoy; 11-26-2011 at 02:17 PM.
 
Old 11-27-2011, 04:55 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,118
Blog Entries: 54

Rep: Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786Reputation: 2786
Quote:
Originally Posted by Faris View Post
I think, first of all I need to isolate the effected PC which has this IP address (64.182.172.15) by disconnecting it from the network to stop spreading the worm to other systems via the network.
If network policies mandate this be dealt with in a BOFH way, without proper investigation, then mitigating it by isolating the machine would be the procedure, yes. However the capturing process itself does not identify (as in confirm or deny) this as a worm. As such the questions you ask are either irrelevant or premature because you'd have to dissect it first...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Low interaction Honeypot (based on nepenthes) worm infection, Advice needed shahmeer75 Linux - Security 1 05-20-2010 04:41 PM
Nepenthes: low interaction honeypots glg Linux - Security 3 08-19-2009 04:03 AM
Nepenthes: low interaction honeypots OlRoy Linux - Security 8 03-18-2007 04:25 PM


All times are GMT -5. The time now is 03:30 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration