KeyFocus - KFSensor Extras - SubSeven, Example Attack

SubSeven Example Attack

Copyright(c) 2003 KeyFocus Ltd.
For latest version: http://www.keyfocus.net

This is an annotated record of a real-life SubSeven attack on a KFSensor honeypot system running kfSubSeven.
Both the attacker and the honeypot are located in the UK, and the times are in GMT, the UK's local time zone.

Start of attack: 09/11/2003 00:22:49
Attack ended at: 09/11/2003 01:45:45
Attacker's IP address: host81-128-52-200.in-addr.btopenworld.com
This is an ADSL connection. The IP is dynamically allocated, so please don't ping it, as it will now belong to someone else.

Notes: The attacker is referred to by the code name Hax0r and is assumed to be male, probably a safe bet.
Hax0r is not especially malicious. He does not try to corrupt our system by deleting files, or use it to launch attacks on others.
He is just sad and lonely at the weekend and wants to have some fun....

In the logs, >>>> indicates data sent from the honeypot to Hax0r and <<<< indicates data sent from Hax0r to the honeypot.
Where the log has been truncated, it is indicated by [... ...]
Refer to the SubSeven Command List to understand what is going on in more depth.
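As an added illustration (not part of the KeyFocus page or of kfSubSeven itself), a small Python parser for the log convention described above: it splits the capture into connections, tallies the attacker's command verbs and pulls out the directories listed and files fetched, which is the triage an analyst does first on a capture like this. The excerpt it runs on is constructed in the page's format, and the "Connection N" header regex assumes the headers exactly as they appear here.

```python
import re
from collections import Counter

# Constructed excerpt in the page's log convention: ">>>>" is honeypot-to-attacker
# data, "<<<<" attacker-to-honeypot, "[... recorded N of M bytes...]" a truncated payload.
SAMPLE_LOG = """\
Connection 2
>>>>connected. 00:23 - November 9, 2003, Sunday, ver: Legends 2.1
<<<<GMI
>>>>GMIFINANCE
[... recorded 76 of 219 bytes...]
<<<<PSS
>>>>PSScached passwords:
<<<<RSHC:\\My Documents
>>>>RSH0223<..>
Mypasswords.doc
<<<<NTFC:\\My Documents\\Mypasswords.doc
[... recorded 1572 of 2283 bytes...]
Connection 3
<<<<PING
"""
TRUNC = re.compile(r"\[\.\.\. recorded (\d+) of (\d+) bytes\.\.\.\]")

def parse_log(text):
    """Split the log into connections, recording the attacker's commands as (verb,
    argument) pairs on the page's three-letter verbs (PING is four) and dropped bytes."""
    conns, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Connection (\d+)$", line)
        if m:
            cur = {"id": int(m.group(1)), "commands": [], "bytes_dropped": 0}
            conns.append(cur)
        elif cur is None:
            continue
        elif line.startswith("<<<<"):
            body = line[4:]
            n = 4 if body.startswith("PING") else 3
            cur["commands"].append((body[:n], body[n:]))
        elif (t := TRUNC.search(line)):
            cur["bytes_dropped"] += int(t.group(2)) - int(t.group(1))
    return conns

def triage(conns):
    """Verb counts, directories listed (RSH) and files pulled (NTF). Glued packets
    such as 'IN2CL2PING' stay one entry under their first verb."""
    cmds = [cmd for c in conns for cmd in c["commands"]]
    return {"verbs": Counter(v for v, _ in cmds),
            "listed": [a for v, a in cmds if v == "RSH"],
            "fetched": [a for v, a in cmds if v == "NTF"],
            "bytes_dropped": sum(c["bytes_dropped"] for c in conns)}
```

The bytes_dropped figure tells you how much of each payload the capture itself lost, which matters before drawing conclusions from a truncated file transfer such as the NTF above.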

Connection 1

Time: 09/11/2003 00:22:49 - 09/11/2003 00:22:53
The attack begins with a scan. The port is opened, and Hax0r's scanner reads the banner and closes the connection.
He may well be using the scanner built in to the SubSeven client.
He knows we are here.
>>>>connected. 00:22 - November 9, 2003, Sunday, ver: Legends 2.1

Connection 2

Time: 09/11/2003 00:23:04 - 09/11/2003 00:27:05
11 seconds later he is back, this time in person.
>>>>connected. 00:23 - November 9, 2003, Sunday, ver: Legends 2.1
<<<<GMI
>>>>GMIFINANCE
Administrator
C:\Documents and Settings\Administrator\WINDOWS
[... recorded 76 of 219 bytes...]
Hax0r goes straight for the 'get PC info' feature, which supplies a handy summary of the machine.
<<<<GMI
>>>>GMIFINANCE
Administrator
C:\Documents and Settings\Administrator\WINDOWS
[... recorded 76 of 219 bytes...]
<<<<GHI
>>>>GHInot found
not found
not found
[... recorded 36 of 157 bytes...]
He now goes for 'get home info', but like many people we have not entered this into Windows.
<<<<PSS
>>>>PSScached passwords:
[www.networks4u.com/finance]-[finance:secret69]
[*Rna\freeserve\rhsfinance123]-[secret69]
<<<<GPW
>>>>GPW010
<<<<RAS
>>>>RAS0299[Connection: freeserve]
login: rhsfinance123.fsnet.co.uk
password:
[... recorded 78 of 106 bytes...]
SubSeven is good at retrieving stored passwords from where Windows hides them.
Internet Explorer has a handy feature which stores web site passwords.
He now thinks he can log on to networks4u.com using our password. Good job it's not real, eh?
<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]

<<<<RSHC:\My Documents
>>>>RSH0223<..>
Mypasswords.doc
Hax0r opens SubSeven's File Manager, starts browsing the C: drive and goes straight for C:\My Documents.
It contains a Word document called 'Mypasswords.doc'.
Very tempting, but will he take the bait?
<<<<NTFC:\My Documents\Mypasswords.doc
>>>>NTF042274x[9C ED]\kl[14
[... recorded 1572 of 2283 bytes...]
He cannot resist it. ;-)
This Word document contains a bunch of dummy accounts and a dummy credit card PIN.

<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<RSHC:\My Music
>>>>RSH016<..>
<<<<RSHC:\My Music
>>>>RSH016<..>
<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
Hax0r now starts exploring the rest of the hard disk.
He must be wondering why so many directories are empty. We have only populated a few of them.
<<<<RSHC:\Program Files
>>>>RSH03518<..>
<Common Files>
<Plus!>
[... recorded 39 of 526 bytes...]
<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]

<<<<RSHC:\My Documents
>>>>RSH0223<..>
Mypasswords.doc
<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<IN2CL2PING

Connection 3

Time: 09/11/2003 00:27:07 - 09/11/2003 00:27:51

>>>>connected. 00:27 - November 9, 2003, Sunday, ver: Legends 2.1
<<<<IN2CL2CSS040
>>>>CSS
<<<<PING
Hax0r tries to take a screen shot to see what we are up to.
There is no response as we have not implemented that function.

Connection 4

Time: 09/11/2003 01:13:26 - 09/11/2003 01:20:19
45 minutes later he is back for a second helping of the honeypot.
>>>>connected. 01:13 - November 9, 2003, Sunday, ver: Legends 2.1
<<<<GMI
>>>>GMIFINANCE
Administrator
C:\Documents and Settings\Administrator\WINDOWS
[... recorded 76 of 219 bytes...]
<<<<GHI
>>>>GHInot found
not found
not found
[... recorded 36 of 157 bytes...]
<<<<FFNF05*.jpgC:\
>>>>LOF010
Hax0r does a search for JPG files.
What sort of images is he looking for? =:-0
It is probably for the best that we don't know.
<<<<GIP
>>>>GIP[icq not found]
<<<<GAP
>>>>GAPdefault aim user:
He is looking for passwords again, this time for AIM and ICQ.
<<<<PSS
>>>>PSScached passwords:
[www.networks4u.com/finance]-[finance:secret69]
[*Rna\freeserve\rhsfinance123]-[secret69]
<<<<GDRRSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<RSHC:\Program Files
>>>>RSH03518<..>
<Common Files>
<Plus!>
[... recorded 39 of 526 bytes...]
<<<<RSHC:\Program Files\Adobe
>>>>RSH016<..>
<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<RSHC:\RECYCLED
>>>>RSH016<..>

<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<RSHC:\Program Files
>>>>RSH03518<..>
<Common Files>
<Plus!>
[... recorded 39 of 526 bytes...]
<<<<RSHC:\Program Files\Internet Explorer
>>>>RSH016<..>
<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]

<<<<RSHC:\Windows
>>>>RSH045465<..>
<command>
<options>
[... recorded 37 of 5474 bytes...]
<<<<RSHC:\Windows\Cookies
>>>>RSH016<..>
<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<RSHC:\Program Files
>>>>RSH03518<..>
<Common Files>
<Plus!>
[... recorded 39 of 526 bytes...]
<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<RSHC:\Windows
>>>>RSH045465<..>
<command>
<options>
[... recorded 37 of 5474 bytes...]
<<<<RSHC:\Windows\Temporary Internet Files
>>>>RSH016<..>
<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<RSHC:\My Music
>>>>RSH016<..>
<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<RSHC:\My Documents
>>>>RSH0223<..>
Mypasswords.doc
<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<RSHC:\Windows
>>>>RSH045465<..>
<command>
<options>
[... recorded 37 of 5474 bytes...]
<<<<IN7CL7IN2CL2GMI
>>>>GMIFINANCE
Administrator
C:\Documents and Settings\Administrator\WINDOWS
[... recorded 76 of 219 bytes...]
<<<<FFNT05*.jpgC:\
>>>>LOF010
<<<<IRG
>>>>LT103139
This command opens the registry editor, but there is no response.

Connection 5

Time: 09/11/2003 01:20:19 - 09/11/2003 01:23:25
>>>>connected. 01:20 - November 9, 2003, Sunday, ver: Legends 2.1
<<<<GPR
>>>>GPR
<<<<RSHC:\Windows\Desktop
>>>>RSH016<..>

<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<RSHC:\Windows
>>>>RSH045465<..>
<command>
<options>
[... recorded 37 of 5474 bytes...]
<<<<RSHC:\Windows\All Users
>>>>RSH016<..>
<<<<RSHC:\Windows\All Users
>>>>RSH016<..>

<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<RSHC:\Windows
>>>>RSH045465<..>
<command>
<options>
[... recorded 37 of 5474 bytes...]
<<<<RSHC:\Windows\Favorites
>>>>RSH016<..>
<<<<RSHC:\Windows\Favorites
>>>>RSH016<..>

<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<PING

Connection 6

Time: 09/11/2003 01:23:27 - 09/11/2003 01:30:14
Hax0r has finished exploring the machine and now wants to get personal.
He starts off by trying to spy on any messages we are sending or receiving, and then switches on the keystroke capture utility.
>>>>connected. 01:23 - November 9, 2003, Sunday, ver: Legends 2.1

<<<<SPY154283,1Incoming Message [[F4]Incoming URL Message [[F4]Incoming WWPager Message [[F4] - Message Session[F4] - Instant Message[F4] - Instant Message[F4] - Direct Instant Message[F4] -- Instant Message[F4] - (Incoming) Message [[F4] - Conversation[F4]
>>>>SPY1
<<<<SPY0
>>>>SPY0
<<<<TKSon2773GMI
>>>>GMIFINANCE
Administrator
C:\Documents and Settings\Administrator\WINDOWS
[... recorded 76 of 219 bytes...]
<<<<IMX0047215+----------------------------+
| The Matrix v.3.8 build 145 |
+----------------------------+
not watching the eclipse?
>>>>matrix initiated

It's been an hour since the attack began. Hax0r has spent the time learning all about us, and now he wants to make his presence known.
He opens the Matrix feature with a question about the lunar eclipse that is happening right now.

It is 1:30 in the morning on a weekend and he wants to chat to his victim.
How very sad and lonely he must feel. >:-(

Unfortunately, the version of kfSubSeven he is hacking cannot answer him back.
The new version can, so he will be able to make a new friend if he returns.


<<<<PING

Connection 7

Time: 09/11/2003 01:30:14 - 09/11/2003 01:32:31
He is getting desperate for attention now.
Maybe if he opens and shuts our CD drive we will take notice.
Sad, sad, sad.
>>>>connected. 01:30 - November 9, 2003, Sunday, ver: Legends 2.1
<<<<GOKRTD
>>>>RTD02003110900131
<<<<OCD
>>>>cd rom has been opened
<<<<CCD
>>>>cd rom has been closed

Connection 8

Time: 09/11/2003 01:42:57 - 09/11/2003 01:45:45
Hax0r goes back to browsing the directory structure one last time before calling it a night.
>>>>connected. 01:42 - November 9, 2003, Sunday, ver: Legends 2.1
<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<RSHC:\Windows
>>>>RSH045465<..>
<command>
<options>
[... recorded 37 of 5474 bytes...]
<<<<RSHC:\Windows\FONTS
>>>>RSH016<..>
<<<<RSHC:\Windows\FONTS
>>>>RSH016<..>
<<<<RSHC:\Windows\FONTS
>>>>RSH016<..>

<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<RSHC:\Program Files
>>>>RSH03518<..>
<Common Files>
<Plus!>
[... recorded 39 of 526 bytes...]
<<<<RSHC:\Program Files\Internet Explorer
>>>>RSH016<..>

<<<<RSHC:RSHC:
>>>>RSH016<..>
<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<RSHC:\Windows
>>>>RSH045465<..>
<command>
<options>
[... recorded 37 of 5474 bytes...]
<<<<RSHC:\Windows\Start Menu
>>>>RSH016<..>

<<<<RSHC:\Program Files\
>>>>RSH03518<..>
<Common Files>
<Plus!>
[... recorded 39 of 526 bytes...]
<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<RSHC:\Windows
>>>>RSH045465<..>
<command>
<options>
[... recorded 37 of 5474 bytes...]
<<<<RSHC:\Windows\DRWATSON
>>>>RSH016<..>