Low interaction Honeypot (based on nepenthes) worm infection, Advice needed
A quick check of my low interaction Honeypot (based on nepenthes) is given below. My question is: how would I move forward with the analysis of this incident, including an assessment of the threat, vulnerability, malware, and impact of the worm?
linux-sqos:/opt/nepenthes/var/log # cat nepenthes.log
<snip>
[18032007 02:26:03 info module] 76 4
[18032007 02:26:03 info module] SMB Session Request 76
H CKFDENECFDEFFCFGEFFCCACACACACACA
[18032007 02:26:03 warn module] Unknown NETDDE exploit 76 bytes State 1
[18032007 02:26:03 module] Stored Hexdump var/hexdumps/850745ec6a9f3cc3d7ce4bdd7294e468.bin (0x0809fa80 , 0x0000004c).
[18032007 02:26:03 warn module] Unknown SMBName exploit 0 bytes State 1
[18032007 02:26:03 info handler dia] Unknown DCOM request, dropping
[18032007 02:26:11 crit sc handler] MATCH linkxor::link matchCount 5 map_items 5
[18032007 02:26:11 info sc handler] i = 1 map_items 5 , map = size
[18032007 02:26:11 info sc handler] i = 2 map_items 5 , map = size
[18032007 02:26:11 info sc handler] i = 3 map_items 5 , map = key
[18032007 02:26:11 info sc handler] i = 4 map_items 5 , map = post
[18032007 02:26:11 info sc handler] Found linkbot XOR decoder, key 0x1b, payload is 0x00b2 bytes long.
[18032007 02:26:11 info sc handler] connectbackfiletransfer::linktransfer -> 64.182.172.15:56330
[18032007 02:26:11 info sc handler] connectbackfiletransfer::linktransfer -> 64.182.172.15:56330, key 0xaeed1ff8.
[18032007 02:26:11 info down mgr] Handler link download handler will download link://64.182.172.15:56330/ru0f+A==
[18032007 02:26:13 info handler dia] Download via linkbot filetransferr done! ( download is 114176 bytes)
[18032007 02:26:13 info mgr submit] File b6c9254853a642e90756cfb04efd67ea has type PE executable for MS Windows (GUI) Intel 80386 32-bit
[18032007 02:26:13 warn dia] Unknown ASN1_SMB Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 dia] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a1a40 , 0x000000ac).
[18032007 02:26:13 warn module] Unknown PNP Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 module] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a1638 , 0x000000ac).
[18032007 02:26:13 warn module] Unknown LSASS Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 module] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a08f0 , 0x000000ac).
[18032007 02:26:13 warn handler dia] Unknown DCOM Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 handler dia] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x0809fa80 , 0x000000ac).
<snip>
linux-sqos:/opt/nepenthes/var/binaries # ls -l b6c9254853a642e90756cfb04efd67ea
-rw-r--r-- 1 root root 114176 Mar 18 02:26 b6c9254853a642e90756cfb04efd67ea
linux-sqos:/opt/nepenthes/var/binaries # file b6c9254853a642e90756cfb04efd67ea
b6c9254853a642e90756cfb04efd67ea: PE executable for MS Windows (GUI) Intel 80386 32-bit
linux-sqos:/opt/nepenthes/var/binaries # cd /opt/nepenthes/var/hexdumps
linux-sqos:/opt/nepenthes/var/hexdumps # ls -l 16e9e789e405a1bc1e69a3a7f302416b.bin
-rw-r--r-- 1 root root 172 Mar 18 02:26 16e9e789e405a1bc1e69a3a7f302416b.bin
linux-sqos:/opt/nepenthes/var/hexdumps # file 16e9e789e405a1bc1e69a3a7f302416b.bin
16e9e789e405a1bc1e69a3a7f302416b.bin: data
linux-sqos:/opt/nepenthes/var/hexdumps # xxd -g 1 -u 16e9e789e405a1bc1e69a3a7f302416b.bin
0000000: 00 00 00 A8 FF 53 4D 42 72 00 00 00 00 08 01 40 .....SMBr......@
0000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2C 03 ..............,.
0000020: 02 08 10 3E 00 85 00 02 50 43 20 4E 45 54 57 4F ...>....PC NETWO
0000030: 52 4B 20 50 52 4F 47 52 41 4D 20 31 2E 30 00 02 RK PROGRAM 1.0..
0000040: 4D 49 43 52 4F 53 4F 46 54 20 4E 45 54 57 4F 52 MICROSOFT NETWOR
0000050: 4B 53 20 31 2E 30 33 00 02 4D 49 43 52 4F 53 4F KS 1.03..MICROSO
0000060: 46 54 20 4E 45 54 57 4F 52 4B 53 20 33 2E 30 00 FT NETWORKS 3.0.
0000070: 02 4C 41 4E 4D 41 4E 31 2E 30 00 02 4C 4D 31 2E .LANMAN1.0..LM1.
0000080: 32 58 30 30 32 00 02 4C 41 4E 4D 41 4E 32 2E 31 2X002..LANMAN2.1
0000090: 00 02 4E 54 20 4C 41 4E 4D 41 4E 20 31 2E 30 00 ..NT LANMAN 1.0.
00000a0: 02 4E 54 20 4C 4D 20 30 2E 31 32 00 .NT LM 0.12.
linux-sqos:/opt/nepenthes/var/hexdumps #
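To read a capture like this as a timeline rather than line by line, here is an added Python example (written for this thread, not nepenthes code and not from the original post) that folds the log excerpt above into one incident record: the shellcode decoder and XOR key nepenthes recognised, the connect-back host it fetched the binary from, the download URL and size, the MD5 and file type of the stored binary, and the protocol stages it could not classify together with the hexdump files it wrote for them. The regexes match the message formats visible in this excerpt only.

```python
"""Summarise a nepenthes.log excerpt into one incident record (added example)."""
import re

# Constructed sample: lines copied from the thread's nepenthes.log excerpt.
SAMPLE_LOG = """\
[18032007 02:26:03 warn module] Unknown NETDDE exploit 76 bytes State 1
[18032007 02:26:03 module] Stored Hexdump var/hexdumps/850745ec6a9f3cc3d7ce4bdd7294e468.bin (0x0809fa80 , 0x0000004c).
[18032007 02:26:11 info sc handler] Found linkbot XOR decoder, key 0x1b, payload is 0x00b2 bytes long.
[18032007 02:26:11 info sc handler] connectbackfiletransfer::linktransfer -> 64.182.172.15:56330, key 0xaeed1ff8.
[18032007 02:26:11 info down mgr] Handler link download handler will download link://64.182.172.15:56330/ru0f+A==
[18032007 02:26:13 info handler dia] Download via linkbot filetransferr done! ( download is 114176 bytes)
[18032007 02:26:13 info mgr submit] File b6c9254853a642e90756cfb04efd67ea has type PE executable for MS Windows (GUI) Intel 80386 32-bit
[18032007 02:26:13 warn dia] Unknown ASN1_SMB Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 dia] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a1a40 , 0x000000ac).
"""

LINE_RE = re.compile(r"^\[(\d{8}) (\d{2}:\d{2}:\d{2}) ([^\]]*)\] (.*)$")
# kind: (regex for the message part, function turning the match into a value)
EVENTS = {
    "decoder": (re.compile(r"Found (\S+) XOR decoder, key (0x[0-9a-f]+), payload is (0x[0-9a-f]+) bytes"),
                lambda h: {"name": h[1], "xor_key": int(h[2], 16), "payload_len": int(h[3], 16)}),
    "connectback": (re.compile(r"connectbackfiletransfer::\S+ -> (\d+\.\d+\.\d+\.\d+):(\d+)"),
                    lambda h: (h[1], int(h[2]))),
    "download_url": (re.compile(r"will download (\S+)"), lambda h: h[1]),
    "download_bytes": (re.compile(r"download is (\d+) bytes"), lambda h: int(h[1])),
    "binary": (re.compile(r"File ([0-9a-f]{32}) has type (.*)"), lambda h: {"md5": h[1], "type": h[2]}),
    "unknown_stages": (re.compile(r"Unknown (\S+) (?:exploit|Shellcode)"), lambda h: h[1]),
    "hexdumps": (re.compile(r"Stored Hexdump (\S+) \(0x[0-9a-f]+ , (0x[0-9a-f]+)\)"),
                 lambda h: (h[1], int(h[2], 16))),
}
REPEATABLE = {"unknown_stages", "hexdumps"}   # nepenthes logs these once per protocol stage

def parse_log(text):
    """Walk the log once and fold the matched events into a single summary dict."""
    s = {"first": None, "last": None, "unknown_stages": [], "hexdumps": []}
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        date, clock, _level, msg = m.groups()
        ts = f"{date[4:]}-{date[2:4]}-{date[:2]} {clock}"   # nepenthes writes DDMMYYYY
        s["first"], s["last"] = s["first"] or ts, ts
        for kind, (rx, build) in EVENTS.items():
            hit = rx.search(msg)
            if hit:
                if kind in REPEATABLE:
                    s[kind].append(build(hit))
                else:
                    s[kind] = build(hit)
                break
    return s
```

The `connectback` entry is the host nepenthes connected to in order to fetch the binary, and `hexdumps` lists the files (with their sizes) that the `file`/`xxd` commands above then inspect.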
I know what you're referring to, but that's not the case.
I have been asked to answer this while I have never used the application, and they didn't even try to explain one example about these lines. So how do you expect me to interpret these lines by myself! I think even professional people will not find it easy.
Anyhow, thank you for your post.
Quote:
Originally Posted by Faris
I know what you're referring to, but that's not the case.
I'm not going to push this any further, but then why would you pass it off as if you were running Nepenthes? If you did, then we at least could assert you knew what you were doing (I mean, else why run a Honeypot?).
Quote:
Originally Posted by Faris
How would I move forward with the analysis of this incident
You've got one executable and a hexdump. I can't see anything from the latter except evidence of some Samba-ish dialects, but the binary you could virus-scan, dissect for PE compressors, libraries, strings, step it through a debugger in a sandbox (for deities' sake restrict it to a completely isolated network), record process details and network traffic and compare it with Honeypot downloads elsewhere.
Thank you very much for the information that you gave me.
I think, first of all, I need to isolate the affected PC, which has this IP address (64.182.172.15), by disconnecting it from the network to stop the worm spreading to other systems via the network.
Second, I need to scan the computer with an antivirus program.
But I am still confused about the impact of the worm:
Did the worm spread into the network?
How did the worm affect the system it is located in? Did it change any file?
Did the worm send the root folder to the attacker?
If you can clarify these points and show them to me from the report, that would be very kind of you, because I am very keen to know how to read the logfile as much as I can, not just answer the question.
Quote:
Originally Posted by Faris
I think, first of all, I need to isolate the affected PC, which has this IP address (64.182.172.15), by disconnecting it from the network to stop the worm spreading to other systems via the network.
If network policies mandate this be dealt with in a BOFH way, without proper investigation, then mitigating it by isolating the machine would be the procedure, yes. However the capturing process itself does not identify (as in confirm or deny) this as a worm. As such the questions you ask are either irrelevant or premature because you'd have to dissect it first...