Once the attacker found the honeypot, via any of the methods mentioned above, they typically tried to utilize it for a variety of different purposes - ranging from defacement to mounting phishing attacks. The following sub-sections explain specific purposes we observed.
The top 10 commands issued by attackers on the PHPShell honeypot are as follows:
1. 3251 times, 'ls' - Displays a list of files in the current directory
2. 1051 times, 'pwd' - Reports the current directory
3. 777 times, 'id' - Reports the current user
4. 619 times, 'uname -a' - Reports on details of the operating system and hostname
5. 600 times, 'w' - Reports on current users and the load the system is under
6. 556 times, 'ls -la' - Displays full information on all files in the current directory, including hidden ones
7. 543 times, 'ls -al' - Displays full information on all files in the current directory, including hidden ones
8. 386 times, 'dir' - Lists files in the current directory under Windows.
9. 363 times, 'cat /etc/shadow' - Lists the shadow password file, containing hashes of user's passwords
10. 353 times, 'cat config.php' - Displays the configuration file for PHPShell which contains usernames and passwords amongst other things.
In regards to number 9, 'cat /etc/shadow', a dictionary attack can be mounted against a hashed password file. Tools such as John the Ripper can try the hashing operation on many common passwords such as dictionary words. If the hash of the guessed word comes out the same as the hash in the password file, the attacker now knows the password for that user. Alternative methods such as Rainbow Tables can speed up the process of recovering the passwords. An exhaustive search through all possible passwords will usually take too long to be viable against modern UNIX password files.
We observed 15 attempts to inject mail into the web forms of one of our honeypots. The following data is an example:
The content is truncated to 255 characters as the honeypot is not designed to accept long strings. The actual HTML limits the text field to 60 characters, so any program submitting more than this is ignoring the limit. This means it is likely to be an automated attack, or at least is using a program other than a standard web browser. The fact that the email is being mistakenly submitted to a form which asks for a command is also suggestive of an automatic mechanism as a human should realise that the attack will not work.
We have also observed blog comment spam such as :
This must have been sent by an automated tool, since a human would have realized that the form did not pertain to blog comments, but instead provided access to PHPShell. During the period of operation, the PHPShell honeypot received 113 blog comments advertising pharmaceuticals, mortgages, home insurance, shoes, mobile phone ring tones, and of course, pornography.
We observed over 500 attempts to deface our PHPShell web site, most of which attempted to use the Chinese characters for "summon" to overwrite the index file. The following defacement attack can be found in many on-line tutorials:
Similarly, one attacker tried to deface the main page by issuing this operating system command :
This would have had the effect of replacing the default page on the website with just the text of the attacker's choosing. Obviously, defacement of a site can be a major public embarrassment which can lead to longer term financial losses, as well as the immediate problem of having the website unavailable to its users.
Multiple attempts were made to download files which seemed to be done only for hosting purposes. In one very specific attack, the attacker used over 50 commands to investigate the server and then attempted to download several files. The following shows one attempt to download a music file, and two attempts to download legitimate Windows applications (not related to cracking activities):
Other files that attackers attempted to download seemed to be intended to help in the exploitation of the server. A common action was to fetch a PHP shell application such as c99 shell (see Appendix B) to allow the attacker to issue shell commands, view the filesystem and perhaps to connect to local databases. Some attackers tried to download the eggdrop IRC bot or the psyBNC IRC proxy.
Among other tools, attackers commonly downloaded and attempted to use a variant of pscan. Pscan is an efficient port scanner that can discover hosts which are listening on a particular port. Typically, the attacker would run the tool, obtain a list of hosts with the port open and then proceed to run an exploit tool against the list of hosts.
Figure 2. An attempt by an attacker to download an archive including a variant of the pscan tool.
This archive contained SSH scanning tools, including pscan, a password list, and a list of servers and their root passwords or other user accounts that had been guessed already.
On one honeypot we observed 12 attempts to install IRC bots to join various botnets after system access was gained. In one example we analysed, a bot connected to a channel on a public IRC server to which 387 other clients had already connected. Typically, the vast majority of the bots supported commands for denial-of-service attacks. Since most Linux boxes tend to be servers rather than workstations, it is plausible that even a relatively small botnet of around 400 Linux machines would have a great deal of bandwidth available to mount a DoS attack, while being small enough to evade detection until used. For examples of two attacks that attempted to join botnets, see 'The Lupper Worm' and 'Mambo Exploit' in Appendix A. The paper Know Your Enemy: Tracking Botnets gives more detail on how botnets operate.
One attacker tried to download an archive containing HTML, graphics and scripts to create a Paypal phishing site. The site was designed to look like the real Paypal web site, but would have recorded usernames and passwords in a file residing on the web server. The attacker could then have retrieved this file later. For more information on phishing techniques, see Know Your Enemy: Phishing. Another attacker downloaded a similar phishing page for Orkut, Google's social networking site. In this case, the fake site would have emailed the username and password to a Gmail account controlled by the attacker.
The following graph shows attacks against a PHP honeypot which are trying to exploit several distinct flaws. The vulnerabilities attacked are Mambo remote code-inclusion as discussed above, AWStats configdir command injection, PHPBB admin_styles remote code-inclusion (note that this is different to the PHPBB flaw that Santy exploited), WebCalendar includedir remote code-inclusion and Coppermine Photo Gallery remote code-inclusion, in this case the problem with theme.php and THEME_DIR. We can see that the Mambo exploit is consistently popular but the usage of the AWStats vulnerability tails off towards the end of this period. Other exploits are only tried occasionally, such as the PHPBB flaw. Some sources attempt to exploit a single issue, while others try two or more. The total numbers of attacks observed during this period were as follows: Mambo 255, AWS 251, PHPBB 54, WebCalendar 9, Coppermine 10. Appendix D has individual graphs for each vulnerability.
The following graph shows the mean number of attacks per unique source:
By becoming a tool for an attacker to inflict harm on other systems, a site may be opening itself up to liability issues if they have not been paying sufficient attention to security. For example, if a machine is joined to a botnet it may be a participant in a denial-of-service attack against an external site, or may be used to recruit other machines into the botnet. Phishing sites are used for stealing identity information for various purposes, including transferring money away from victim's bank accounts. Files that are uploaded to compromised hosts may be subject to copyright issues or other more serious violations of obscenity laws in the country the server resides in. If the server is used to send Unsolicited Bulk Email (UBE aka 'spam'), the server may be placed on a blocking list and legitimate users of the server may find their email blocked by many Internet sites.
It is also possible that control of a website may be used to compromise computers that are browsing that site. For example, such an incident is described by Netcraft:
"Hackers have hijacked a large number of sites at web hosting firm HostGator and are seeking to plant trojans on computers of unwitting visitors to customer sites. HostGator customers report that attackers are redirecting their sites to outside web pages that use the unpatched VML exploit in Internet Explorer to install trojans on computers of users. Site owners said iframe code inserted into their web pages was redirecting users to the malware-laden pages."
In another incident, a banner advert was used to deliver exploit code to client machines : "During a 12-hour window over the weekend, hackers broke into a load balancing server that handles ad deliveries for Germany's Falk eSolutions and successfully loaded exploit code on banner advertising served on hundreds of Web sites."