Setup and Timeline for UK Honeynet Project Phishing Incident

The honeynet deployed and analysed by the UK Honeynet Project in the second phishing incident was a high interaction research honeynet deployed in a UK ISP data centre during August 2004.

[image:uk-honeynet_files/image001.jpg size=full]

The UK Honeynet deployment was similar in broad outline to the German honeynet configuration detailed above, being composed of a number of physical honeypots running default installations of common UNIX operating systems on Intel and Sparc hardware. The Honeynet Projects Honeywall bootable CDROM was used for data control, providing a transparent bridging iptables firewall and using network connection rate limiting plus the snort-inline IPS to restrict outbound attack traffic. Another snort IDS provided data capture in binary pcap format, along with snort and snort-inline alerting and automated daily script based data analysis.

Individual honeypots were hosted behind the Honeywall gateway, connected to an Ethernet hub, and the Honeynet project's Sebek loadable kernel module was covertly installed and enabled on each honeypot to allow full keystroke logging. All network traffic to and from the honeypots was logged in pcap format, as were any keystrokes recorded using Sebek. Any compromised hosts were eventually taken off line and imaged for later forensic examination.

The RedHat Linux 7.3 server on Intel hardware honeypot that was compromised and used to host a phishing attack was a default CDROM based installation with a number of common network services such as Apache and samba enabled and left un-patched.

Again, a timeline of the incident is given:

Date / Time Event
17/08/04 First data from honeypot
18/08/04

12:30 PM

Honeypot samba server compromised. Various IRC tools, backdoors and mass scanners installed by multiple groups
19/08/04 Attackers check result of network scans
20/08/04 New attackers compromise honeypot
22/08/04 More scanning activity
23/08/04
09:12 PM
Phishers arrive through back door set up by initial attackers and set up phishing website
23/08/04
09:23 PM
First web traffic arrives at web server for phishing site
27/08/04
09:30 AM
Honeypot disconnected for forensic analysis

A more detailed incident timeline of the UK phishing incident can be found here and more detailed analysis, including an analysis of the tools and techniques the attackers used, can be found here.