Internet Systematics Lab, Greek Honeynet Project, Quarterly Report Q4 2003
==========================================================================
- Current Setup
No changes from Q3
- Honeypots
No changes from Q3
- Honeypot Services
No changes from Q3
- Data Capture Methods
No change from Q3
- Data Control Methods
1) Connection rate limiting - IPTables (rc.firewall 0.7.2 with local tc-based extensions to implement bandwidth control)
2) Snort-inline 2.0 - DROP mode
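The following is an added example and not the lab's rc.firewall 0.7.2 or its tc extension (neither is reproduced in this report). It is a small POSIX shell rule generator that combines the two data control methods listed above the way a honeywall applies them: outbound NEW connections from the honeypots are metered with the iptables "limit" match, all forwarded traffic is handed to snort_inline through the QUEUE target so its "drop" rules take effect, and honeypot-originated traffic leaving the Internet-facing port is capped with a tc HTB class. The honeypot subnet, interface name, connection budgets and bandwidth figures are assumed values.

```shell
#!/bin/sh
# Added example, not the Greek Honeynet Project's rc.firewall: generates
# the honeywall rule set for review, or applies it with "apply" as root.
# Subnet, interface and all limits are assumed values.
HONEYNET="${HONEYNET:-192.168.1.0/24}"   # assumed honeypot subnet
INET_IFACE="${INET_IFACE:-eth0}"         # assumed bridge port facing the Internet
SCALE="${SCALE:-hour}"                   # time unit for the connection budget
TCP_COUNT="${TCP_COUNT:-9}"              # new outbound TCP connections per SCALE
UDP_COUNT="${UDP_COUNT:-20}"             # new outbound UDP "connections" per SCALE
ICMP_COUNT="${ICMP_COUNT:-50}"           # new outbound ICMP flows per SCALE
OUT_RATE="${OUT_RATE:-64kbit}"           # sustained outbound bandwidth cap
OUT_CEIL="${OUT_CEIL:-128kbit}"          # short-term burst ceiling

# iptables part. Matching on addresses rather than -i/-o keeps the rules
# valid whether the honeywall is a router or a bridge. Inbound traffic to
# the honeynet is queued to snort_inline unmetered; outbound NEW connections
# are metered per protocol and, once the budget is spent, logged and
# dropped. ESTABLISHED/RELATED traffic is never limited, so an attacker's
# existing session keeps working and the control layer stays invisible.
honeywall_iptables() {
    cat <<EOF
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -d $HONEYNET -j QUEUE
iptables -A FORWARD -s $HONEYNET -m state --state ESTABLISHED,RELATED -j QUEUE
iptables -A FORWARD -s $HONEYNET -p tcp -m state --state NEW -m limit --limit $TCP_COUNT/$SCALE --limit-burst $TCP_COUNT -j QUEUE
iptables -A FORWARD -s $HONEYNET -p udp -m state --state NEW -m limit --limit $UDP_COUNT/$SCALE --limit-burst $UDP_COUNT -j QUEUE
iptables -A FORWARD -s $HONEYNET -p icmp -m state --state NEW -m limit --limit $ICMP_COUNT/$SCALE --limit-burst $ICMP_COUNT -j QUEUE
iptables -A FORWARD -s $HONEYNET -j LOG --log-prefix "HONEYWALL LIMIT EXCEEDED: "
iptables -A FORWARD -s $HONEYNET -j DROP
EOF
}

# tc part: an HTB qdisc on the Internet-facing port with one class for
# honeypot-originated traffic. Only packets the u32 filter classifies are
# shaped; with no "default" class, everything else bypasses HTB unshaped.
honeywall_tc() {
    cat <<EOF
tc qdisc del dev $INET_IFACE root 2>/dev/null || true
tc qdisc add dev $INET_IFACE root handle 1: htb
tc class add dev $INET_IFACE parent 1: classid 1:10 htb rate $OUT_RATE ceil $OUT_CEIL
tc filter add dev $INET_IFACE protocol ip parent 1: prio 1 u32 match ip src $HONEYNET flowid 1:10
EOF
}

# The complete rule set, one command per line, in the order it must run.
honeywall_rules() {
    honeywall_iptables
    honeywall_tc
}

# Usage: sh honeywall.sh        (print the rule set for review)
#        sh honeywall.sh apply  (execute it as root on the honeywall)
if [ "${1:-print}" = "apply" ]; then
    honeywall_rules | sh -e
else
    honeywall_rules
fi
```

Two caveats a practitioner should keep in mind. The iptables limit match is a token bucket, not a hard counter: with --limit 9/hour --limit-burst 9 the honeypot may open 9 connections at once, and after that one more roughly every 6.7 minutes, which is the behaviour rc.firewall relies on but is not literally "9 per hour". The QUEUE target is the 2003-era interface (ip_queue/libipq) that snort_inline read from; on current kernels the equivalent is the NFQUEUE target.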
- Management
No change from Q3
- Tools used
No change from Q3
- Findings
This quarter our honeynet has experienced the following scans:
SOCKS proxy scan
WebDAV scan
SMTP relay scans
SYN/FIN scans
TCP scan
Code Red v2
sadmind backdoor
Stacheldraht backdoor.
The following services were attacked:
a) IIS
IIS Unicode directory traversal
IIS ISAPI .printer access
b) MS-SQL
MS-SQL sp_password
MS-SQL xp_cmdshell
c) FTP
anonymous login attempts
brute-force password guessing
d) DNS
named version query attempts
e) portmap
RPC portmap listing
f) telnet
g) SNMP
SNMP requests over TCP
SNMP access with the default "public" community string
Monitoring of the warez community revealed some of their favourite tools:
a) ftp server: Serv-U (servUDaemon)
b) ftp client: FlashFXP
c) remote administration: shadow administrator, radmin
d) Scanners:
In addition we have captured several Windows tools used to hide the existence of Windows processes, list/kill running processes and list open network ports. We have also captured a batch script that performs bandwidth tests of newly compromised systems (ftp sites) around the globe.
- Developments
1. Update the final version of Chapter 5 of the upcoming KYE-II book
2. Prepare the initial version and update the final version of Chapter 19 of the upcoming KYE-II book
3. Contribute to the debugging of Sebek
4. Reach the writing-up stage of the graduate thesis "Buffer overflow Snort preprocessor tested on Honeynet data", reported in Q3
5. Participate in a national conference, as planned in Q3: "Hackmath with Honeynet", Yannis Corovesis, at the 1st Hellenic Conference on Cyber Crime, Athens War Museum, 24-27 November 2003, http://www.md5sa.com/conf/ccc/cccen/index.htm
6. Release with the Q4 report the package "Honey Stats", based on the NetGeo package from CAIDA, as planned in Q3
7. Released to the Alliance the package "extended rc.firewall with tc bandwidth control"
- Plans for the Next Quarter
1. Promotion/demonstration to one large organisation (part of the launched State drive for Open Source)
2. Present the ISLab project "SNORT plug-in for detecting buffer overflows using HN data" to the Tech. Inst. of Athens
3. Start a student thesis on Honeynet data analysis, to be promoted as an introductory course for students/admins and shared with the Greek security community, and carry out in-house training of two new lab members
4. Continue involvement with the Honeynet book
5. Investigate virtual/distributed Honeynets (delayed due to an address sharing problem)
6. Carry out the Alliance task, Q&A for Sebek