KeyFocus - KFSensor Extras - SubSeven, Example Attack
 
 

SubSeven Example Attack 2


This is an annotated record of a real-life SubSeven attack on a KFSensor honeypot system running kfSubSeven.
The attacker is in the US. The honeypot is located in the UK and the times are in GMT, the UK's local time zone.

Start of attack: 17/07/2005 04:52:01
Attack ended at: 17/07/2005 15:22:32
Attacker's IP address: ool-4570b420.dyn.optonline.net (69.112.180.32)
This is an ADSL connection. The IP is dynamically allocated, so please don't ping it, as it will now belong to someone else.

Notes: The attacker is referred to by the code name Mobman, a name he provided himself.
Mobman is malicious: he attempts to steal passwords from the machine and to infect it with an unpleasant virus.

In the logs, >>>> indicates data sent from the honeypot to Mobman and <<<< data sent from Mobman to the honeypot.
Where the log has been truncated, this is indicated by [... ...]
Refer to the SubSeven Command List to understand what is going on in more depth.
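As an added example (not KFSensor's or kfSubSeven's own code), the following Python script parses the >>>>/<<<< log notation described above and flags the attacker-issued commands that this transcript shows being used for directory listing, file upload, command execution and credential retrieval. The command meanings in RISKY are assumptions inferred from this page's annotations only, not taken from the full SubSeven command list.

```python
# Triage helper for kfSubSeven honeypot logs (added example, not KFSensor code).
# '>>>>' = honeypot -> attacker, '<<<<' = attacker -> honeypot, then a SubSeven
# command code and its argument; lines without a marker are continuation data.
import re
from collections import Counter
# Command meanings inferred only from this page's annotations (assumption: a
# real deployment would take them from the full SubSeven command list).
RISKY = {
    "RSH": "directory listing",
    "RTF": "file upload (target path)",
    "SFT": "file upload (data)",
    "COM": "remote command execution",
    "PSS": "cached password dump",
    "RAS": "dial-up credential dump",
    "NTF": "file download",
}
# PING/PONG are the only four-letter command codes seen in the log above.
LINE_RE = re.compile(r"^(>>>>|<<<<)(PING|PONG|[A-Z0-9]{3})(.*)$")

def parse_line(line):
    """Return (direction, command, argument), or None for a continuation line."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    direction = "to_attacker" if m.group(1) == ">>>>" else "from_attacker"
    return direction, m.group(2), m.group(3)

def triage(lines):
    """Count attacker-issued commands and flag the risky ones with arguments."""
    counts, findings = Counter(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[0] != "from_attacker":
            continue  # honeypot replies and raw data are not attacker actions
        _, cmd, arg = parsed
        counts[cmd] += 1
        if cmd in RISKY:
            findings.append((cmd, RISKY[cmd], arg.strip()))
    return counts, findings

# Constructed sample: exchanges copied from connections 1 and 7 of the log.
SAMPLE = [
    "<<<<RSHC:",
    ">>>>RSH03293SAVE2DSK.BIN",
    "MSDOS.SYS",
    "<<<<RTFC:\\Winsock.exe",
    "<<<<SFT06737379MZP",
    "<<<<COMc:\\winsock",
    "<<<<PSS",
]
```

Concatenated records such as IN2CL2 in the log are split only at the first command code; separating the rest would need the SubSeven record lengths, which the truncated log does not preserve.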

Connection 1

Mobman starts off by opening the SubSeven file manager and then uploading a file, Winsock.exe. This is the password-stealing trojan Trojan.PWS.Wexd.
>>>>connected. 04:53 - July 17, 2005, Sunday, ver: Legends 2.1
<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<RTFC:\Winsock.exe
>>>>TID
<<<<SFT06737379MZP
>>>>p:270336.p:393216.p:434176.p:0.file successfully uploaded.RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
TID

Connection 2

He opens the screen preview to look at what is running on the desktop.
>>>>connected. 05:05 - July 17, 2005, Sunday, ver: Legends 2.1
<<<<IN2CL2

Connection 3

He turns off chat mode after checking that it works.
17/07/2005 05:06:31.703
<<<<MTC*nickless has left the chat.

Connection 4

He opens the process manager, opens the chat window and then grabs the cached Windows passwords.
>>>>connected. 05:06 - July 17, 2005, Sunday, ver: Legends 2.1
<<<<RPL
>>>>RPL03713kernel32.dll
C:\WINDOWS\SYSTEM\KERNEL32.DLL
High
[... recorded 60 of 721 bytes...]
<<<<OCCnickless
>>>>OpenClientChat
<<<<GMI
>>>>GMIFINANCE
Administrator
C:\Documents and Settings\Administrator\WINDOWS
[... recorded 76 of 219 bytes...]
<<<<IN2GPW
>>>>GPW010
<<<<PSS
>>>>PSScached passwords:
[www.networks4u.com/finance]-[finance:secret69]
[*Rna\freeserve\rhsfinance123]-[secret69]
<<<<RAS
>>>>RAS0299[Connection: freeserve]
login: rhsfinance123.fsnet.co.uk
password:
[... recorded 78 of 106 bytes...]
<<<<CL2

Connection 5

>>>>connected. 12:11 - July 17, 2005, Sunday, ver: Legends 2.1
<<<<IN2

Connection 6

Mobman uploads server.exe, which contains the W32.Parite.B virus.
>>>>connected. 12:14 - July 17, 2005, Sunday, ver: Legends 2.1
<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<RTFC:\0.7 server.exe
>>>>TID
<<<<SFT06253700MZ
>>>>p:0.file successfully uploaded.RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
RSH0223<..>
Mypasswords.doc
RSH0223<..>
Mypasswords.doc
TIDp:0.file successfully uploaded.

Connection 7

Mobman opens the SubSeven file manager, looks at a few directories and uploads his Trojan.PWS.Wexd trojan again.
>>>>connected. 12:34 - July 17, 2005, Sunday, ver: Legends 2.1
<<<<RSHC:\My Documents
>>>>RSH0223<..>
Mypasswords.doc
<<<<RSHC:\My Documents
>>>>RSH0223<..>
Mypasswords.doc
<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<RSHC:\Program Files
>>>>RSH03518<..>
<Common Files>
<Plus!>
[... recorded 39 of 526 bytes...]
<<<<RSHC:\Program Files\Microsoft Office
>>>>RSH016<..>
<<<<RSHC:\Program Files\Microsoft Office
>>>>RSH016<..>
<<<<RSHC:\Program Files
>>>>RSH03518<..>
<Common Files>
<Plus!>
[... recorded 39 of 526 bytes...]
<<<<RSHC:\Program Files\Microsoft Windows Script
>>>>RSH016<..>
<<<<RSHC:\Program Files\Microsoft Windows Script
>>>>RSH016<..>
<<<<RSHC:\Program Files
>>>>RSH03518<..>
<Common Files>
<Plus!>
[... recorded 39 of 526 bytes...]
<<<<RSHC:\Program Files\Microsoft Encarta
>>>>RSH016<..>
<<<<RSHC:\Program Files
>>>>RSH03518<..>
<Common Files>
<Plus!>
[... recorded 39 of 526 bytes...]
<<<<COMc:\winsock
>>>>command executed.
<<<<RTFC:\Program Files\Winsock.exe
>>>>TID
<<<<SFT06737379MZP
>>>>p:0.file successfully uploaded.command executed.RSH03518<..>
<Common Files>
<Plus!>
[... recorded 39 of 526 bytes...]
command executed.

Connection 8

<<<<MTC<nickless> hiMTC*nickless has left the chat.MTC<nickless> entered the chat.MTC*nickless has left the chat.

Connection 9

>>>>connected. 12:59 - July 17, 2005, Sunday, ver: Legends 2.1
<<<<OCCnickless
>>>>OpenClientChat
<<<<CL2OCCnickless
>>>>OpenClientChat

Connection 10

>>>>connected. 13:20 - July 17, 2005, Sunday, ver: Legends 2.1
<<<<UPS
>>>>TID
<<<<SFT06737379MZP

Connection 11

Mobman gets some info on the PC and then opens the SubSeven Matrix chat feature!
>>>>connected. 13:46 - July 17, 2005, Sunday, ver: Legends 2.1
<<<<PING
>>>>PONG
<<<<GMI
>>>>GMIFINANCE
Administrator
C:\Documents and Settings\Administrator\WINDOWS
[... recorded 76 of 219 bytes...]
<<<<RSHC:\Program Files
>>>>RSH03518<..>
<Common Files>
<Plus!>
[... recorded 39 of 526 bytes...]
<<<<IMX0047215+----------------------------+
| The Matrix v.3.8 build 145 |
+----------------------------+
>>>>matrix initiated
<<<<IN2

Connection 12

This is the transcript of a Matrix chat session between Mobman and kfSubSeven's automated responses.
>>>> = kfSubSeven
<<<< = Hacker
17/07/2005 13:55:08.953
>>>>You can't scare me with this Gestapo crap. I k
<<<<i know
>>>>now my right
<<<<i just wanna talk to you
>>>>s.[F6]What?[F6]
<<<<are you located in the US
>>>>Right.[F6]
<<<<oh cool
>>>>What?[F6]
<<<<do you have an AIM screen name
>>>>What the hell?[F6]
<<<<sorry for bothering you
>>>>Right.[F6]
<<<<oh one other thing
>>>>What, now?[F6]
<<<<have this ever been done to you before?
>>>>Follow the white rabbit?[F6]
<<<<lolLOLLOL
>>>>Oh shit. Oh shit shit shit![F6]Who are you?[F6]
<<<<The call me Mobman
>>>>what do you want[F6]
<<<<nothing
>>>>Oh
<<<<your computer is weird
>>>> shit. Oh shit shit shit![F6]Right.[F6]
<<<<listen you have a nice day and we'll keep in touch
>>>>How?[F6]
<<<<i will find you dont worry
>>>>Yeah...yeah...you're two hours late.[F6]You get
<<<<you funny
>>>>caught using that...[F6]What is the Matrix?[F6]
<<<<1101000110
>>>>You can't scare me with this Gestapo crap. I know my rights.[F6]
<<<<you know u
>>>>I am calling the police[F6]
<<<<ok
>>>>Yeah...yeah...you're two hours late.[F6]
<<<<male or female
>>>>what do you want[F6]
<<<<male or female
>>>>I am calling the police[F6]
<<<<this is not a real person
>>>>What?[F6]
<<<<you repeat the same things over and over
>>>>This is insane! Why is this happening to me? What did I do?[F6]

Connection 13

Bored with the chat, Mobman looks through the file system again and this time finds and downloads the file containing fake logon details, called Mypasswords.doc.
>>>>connected. 14:06 - July 17, 2005, Sunday, ver: Legends 2.1
<<<<RSHC:\Program Files
>>>>RSH03518<..>
<Common Files>
<Plus!>
[... recorded 39 of 526 bytes...]
<<<<RSHC:
>>>>RSH03293SAVE2DSK.BIN
MSDOS.SYS
IO.SYS
[... recorded 41 of 301 bytes...]
<<<<RSHC:\My Documents
>>>>RSH0223<..>
Mypasswords.doc
<<<<NTFC:\My Documents\Mypasswords.doc
>>>>NTF042274x
[... recorded 1572 of 2283 bytes...]
<<<<NTFC:\My Documents\Mypasswords.doc
>>>>NTF042274x
[... recorded 1572 of 2283 bytes...]

Connection 14

>>>>connected. 14:59 - July 17, 2005, Sunday, ver: Legends 2.1
<<<<GHI
>>>>GHInot found
not found
not found
[... recorded 36 of 157 bytes...]
<<<<SIS