Tuesday, September 28, 2010

Intruder alert

It's 4 o clock in the morning and the CISCO intrusion alert system is flash red "Possible security breach" in the big wall screen whilst alerting the sysadmins with voice mails and e-mails ... or maybe I'm still dreaming and this was part of a movie. Still there is an alert on my telephone laying down on the floor next to me with a message, "there must be something here". This is a default message that I've put in a series of bash scripts running under cron every now and then, to alert me for possible filesystem changes and files or directories created where they are not supposed to be.

I've been running some custom honeypots windows and linux for some time now in order to collect malware bots and other goodies, mostly for hobby.

This time the alert came from a linux system, that's running an old phpmyadmin package, it's the second time during a month that the system gets compromised, so there is a lot of activity in phpmyadmin scans both on linux and on windows systems.

Logging in the system immediately i checked the processes running, it's common on these attacks that the attacker will be hiding bot or backdoor with a fake process name. Most of the attackers are masking their backdoors or bots under httpd or apache process making it less obvious for the sysadmin to locate the binary in the first glance.

This time the binary was running under rpc.idmapd name
nobody   15550  0.0  3.1  44368 30928 ?        S    04:11   0:06 rpc.idmapd

Easy to spot since the process didn't belong to this specific system configuration. Locating the location of the binary is easy using lsof command. lsof -p 15550 gave the where about of the binary and the open connections. Here most of the times I'm keeping a process dump for further analysis using pcat from tct ( http://www.porcupine.org/forensics/tct.html ) there are many good information that can be found in the active memory dump of the process, like connection strings, username and passwords etc.

This time the binary was, again, a mech bot ( http://www.energymech.net/ ) connecting to quakenet irc network, nothing interesting here :/ hope the attackers will be more creative next time.

Bot packed, http://www.deventum.com/research/15550.tar.gz

No comments:

Post a Comment