Internet Systematics Lab, Greek Honeynet Project, Quarterly Report Q4 2003
==========================================================================


- Current Setup

No change from Q3

- Honeypots

No change from Q3

- Honeypot Services

No change from Q3

- Data Capture Methods

No change from Q3

- Data Control Methods

1) Connection rate limiting - IPTables (rc.firewall 0.7.2 with local tc-based extensions to implement bandwidth control)

2) Snort-inline 2.0 - DROP mode
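
As an added illustration of the two data-control mechanisms listed above (this is example code, not the lab's own rc.firewall 0.7.2 or its tc extension, whose exact rules are not reproduced here), the following POSIX shell script combines iptables connection-rate limiting on outbound honeypot traffic with a tc HTB bandwidth cap on the external interface. The interface names, the 192.0.2.0/24 honeynet prefix, the per-protocol rates and the bandwidth figure are all assumptions; with DRY_RUN=1 (the default) the script only prints the commands it would run, so it can be inspected on any host.

```shell
#!/bin/sh
# Added example, not the lab's rc.firewall or tc scripts: outbound data
# control for a honeynet gateway, combining iptables connection-rate
# limiting with a tc HTB bandwidth cap. Every value below is an assumption.

EXT_IF="${EXT_IF:-eth0}"               # assumed: interface toward the Internet
HONEY_IF="${HONEY_IF:-eth1}"           # assumed: interface toward the honeypots
HONEY_NET="${HONEY_NET:-192.0.2.0/24}" # constructed: honeynet address prefix
TCP_RATE="${TCP_RATE:-15}"             # new outbound TCP connections per hour
UDP_RATE="${UDP_RATE:-20}"             # new outbound UDP flows per hour
ICMP_RATE="${ICMP_RATE:-50}"           # new outbound ICMP flows per hour
OUT_BW="${OUT_BW:-128kbit}"            # outbound bandwidth cap for the honeynet
DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands, 0 = execute (needs root)

# run: execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# limit_proto PROTO RATE: allow at most RATE new outbound flows per hour for
# PROTO. Anything beyond the burst is logged (so the analyst sees that a
# honeypot tried to connect out) and then dropped.
limit_proto() {
    proto="$1"; rate="$2"
    run iptables -A FORWARD -i "$HONEY_IF" -o "$EXT_IF" -p "$proto" \
        -m state --state NEW \
        -m limit --limit "${rate}/hour" --limit-burst "$rate" -j ACCEPT
    run iptables -A FORWARD -i "$HONEY_IF" -o "$EXT_IF" -p "$proto" \
        -m state --state NEW -j LOG --log-prefix "HONEYNET_LIMIT_${proto} "
    run iptables -A FORWARD -i "$HONEY_IF" -o "$EXT_IF" -p "$proto" \
        -m state --state NEW -j DROP
}

apply_data_control() {
    # Inbound: attackers may reach the honeypots freely; replies to
    # existing flows in either direction are accepted statefully.
    run iptables -A FORWARD -i "$EXT_IF" -o "$HONEY_IF" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound connection-rate limits, one set of rules per protocol.
    limit_proto tcp "$TCP_RATE"
    limit_proto udp "$UDP_RATE"
    limit_proto icmp "$ICMP_RATE"

    # Bandwidth control: HTB root qdisc on the external interface, one class
    # capped at OUT_BW, and a u32 filter steering honeynet-sourced packets
    # into it. Traffic that matches no filter leaves unshaped.
    run tc qdisc add dev "$EXT_IF" root handle 1: htb
    run tc class add dev "$EXT_IF" parent 1: classid 1:10 htb \
        rate "$OUT_BW" ceil "$OUT_BW"
    run tc filter add dev "$EXT_IF" parent 1: protocol ip prio 1 u32 \
        match ip src "$HONEY_NET" flowid 1:10
}

apply_data_control
```

Run it as root on the gateway with DRY_RUN=0 once the printed rule set looks right. The HONEYNET_LIMIT_ log prefix makes every throttled connection attempt visible in the kernel log, which is the signal that a honeypot has been compromised and is trying to reach out. Note that `-m limit` keeps one counter per rule, so the limits here are shared by the whole honeynet rather than being per honeypot.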

- Management

No change from Q3

- Tools used

No change from Q3

- Findings

This quarter our honeynet experienced the following scans:

SOCKS proxy scan
WebDAV scan
SMTP relay scans
SYN/FIN scans
TCP scan
CodeRed v2
sadmind backdoor
Stacheldraht backdoor

The following services were attacked:

a) IIS
IIS Unicode directory traversal
IIS ISAPI .printer access

b) MS-SQL
MS-SQL sp_password
MS-SQL xp_cmdshell

c) FTP
anonymous login attempts
brute-force password guessing

d) DNS
named version query attempt

e) portmap
RPC portmap listing

f) telnet

g) SNMP
SNMP TCP requests
SNMP 'public' community access

Monitoring of the warez community revealed some of their favorite tools:

a) FTP server: Serv-U (servUDaemon)

b) FTP client: FlashFXP

c) remote administration: Shadow Administrator, Radmin

d) scanners:

- xscan (www.xfocus.org):
    scan SNMP information
    scan RPC vulnerability
    scan SQL-Server weak password
    scan FTP weak password
    scan NT-Server weak password
    scan NetBIOS information
    scan SMTP-Server vulnerability
    scan POP3-Server weak password
    scan CGI vulnerability
    scan IIS vulnerability
    scan BIND vulnerability
    scan Finger vulnerability
    scan Sygate vulnerability
- fxscanner:
    scan for vulnerable IIS and FTP servers
- sfind:
    scan port
    scan CGI hole
    scan .printer hole
    scan Unicode hole
    scan .idq hole
    scan CodeRed virus host
    FTP default and admin account check
- sqlck: scan for MS-SQL servers


In addition, we captured several Windows tools used to hide the existence of Windows processes, list or kill running processes, and list open network ports. We also captured a batch script used to perform bandwidth tests of newly compromised systems (FTP sites) around the globe.

- Developments

1. Update final version of Chapter 5 of the upcoming KYE-II book

2. Prepare initial version and update final version of Chapter 19 of the upcoming KYE-II book

3. Contribute to the debugging of Sebek

4. Reach writing-up stage of graduate thesis "Buffer overflow Snort preprocessor tested on Honeynet data", reported in Q3

5. Participate at a national conference, as planned in Q3:

Hackmath with Honeynet, Yannis Corovesis
At 1st Hellenic Conference about Cyber Crime
Athens War Museum, 24-27 November 2003

http://www.md5sa.com/conf/ccc/cccen/index.htm

6. Release with the Q4 report the package "Honey Stats", based on the netgeo package from CAIDA, as planned in Q3

7. Released to the Alliance the package "extended rc.firewall with tc bandwidth control"


- Plans for the Next Quarter

1. Promotion/demonstration to one large organisation (part of the launched State drive for Open Source)

2. Present the ISLab project "SNORT plug-in for detecting buffer overflows using HN data" to the Tech. Inst. of Athens

3. Start a student thesis on Honeynet data analysis, to be promoted as an introductory course for students/admins and shared with the Greek security community, and carry out in-house training of two new lab members

4. Continue involvement with the Honeynet book

5. Investigate virtual/distributed Honeynets (delayed due to an address sharing problem)

6. Carry out the Alliance task: Q&A for Sebek