The sad life of a hacked server

Most security researchers use special software called honeypots to capture malware samples or to monitor security violations on vulnerable servers. But there is a riskier way to analyze attacks: set up a deliberately vulnerable server and wait for the attackers to make their move. As you will see in the post that follows, it takes only a few hours for a vulnerable server to be compromised and bent to the will of blackhats.

June 8

We set up a server on which we prepared vulnerable installations of osCommerce, Joomla and e107. The three applications are installed on three different sub-domains, and each one has been deliberately made vulnerable by installing outdated and insecure releases.

Rule number one: no outdated CMS versions. A large number of web sites are compromised because of lazy updating of vital applications.

June 8, late evening

The server is equipped with an intrusion detection system (OSSEC) that is active but deliberately inert: active response is disabled. OSSEC will only report what happens on the machine, without taking any action against the attacker.

Rule number two: a security system is useless without the skills needed to use it properly.

June 8, night

The intrusion detection system reports multiple brute-force attempts from some IPs. These attacks target common system accounts such as admin, backup, www, user and root. To make life even easier for the attackers, we created on the server a user named guest with the password test.

Rule number three: no weak passwords, and no inactive accounts on the system.

June 8, 04:00

The virtual host with the osCommerce installation was hit by a PHP shell upload. A group of Indonesian hackers takes control of the website and uses the malicious PHP script to destroy and alter files and to scan our honeypot in detail (running processes, database dumps, etc.).

June 9, 12:00

The strategy of deception has succeeded: an attacker gains access to our system via the guest account, whose password had been made deliberately weak.

June 9, 12:15

The attacker uses an exploit to gain root privileges on the server, then creates a new account that he will use for his unlawful purposes. OSSEC reports the use of the useradd command:

useradd[11303]: new user: name=notice, home=/tmp, shell=/bin/bash

At this point the attacker has full control of the server and can bend it to his will.
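As an added example (not part of the original post, and not an OSSEC rule), here is the kind of check a defender can run over auth log lines to flag account creations like the one reported above: a new user whose home directory sits in a world-writable temp location, or that gets an interactive shell outside the usual home tree. The log lines are constructed for this example; the UID/GID fields and the hostname are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample auth.log excerpt modelled on the useradd entry quoted above.
# The "notice" account (home under /tmp) is the one that should be flagged.
SAMPLE_LOG = """\
Jun  9 11:58:01 honeypot sshd[11290]: Accepted password for guest from 198.51.100.23 port 40122 ssh2
Jun  9 12:15:42 honeypot useradd[11303]: new user: name=notice, UID=1002, GID=1002, home=/tmp, shell=/bin/bash
Jun  9 12:16:10 honeypot useradd[11310]: new user: name=deploy, UID=1003, GID=1003, home=/home/deploy, shell=/bin/bash
"""

SUSPICIOUS_HOME_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm")
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh"}

# Matches the "new user:" line that useradd writes to syslog; the fields
# after the colon are "key=value" pairs separated by ", ".
USERADD_RE = re.compile(r"useradd\[(?P<pid>\d+)\]: new user: (?P<fields>.+)$")


@dataclass
class NewUserEvent:
    pid: int
    name: str
    home: str
    shell: str


def parse_useradd_events(log_text):
    """Extract every account-creation event from a block of log text."""
    events = []
    for line in log_text.splitlines():
        m = USERADD_RE.search(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split(", "))
        events.append(NewUserEvent(int(m.group("pid")), fields.get("name", ""),
                                   fields.get("home", ""), fields.get("shell", "")))
    return events


def suspicious_reasons(ev):
    """Return the list of reasons an account creation looks suspicious (empty if none)."""
    reasons = []
    if any(ev.home == p or ev.home.startswith(p + "/") for p in SUSPICIOUS_HOME_PREFIXES):
        reasons.append("home directory in a world-writable temp location")
    if ev.shell in INTERACTIVE_SHELLS and not ev.home.startswith(("/home/", "/root")):
        reasons.append("interactive shell with home outside /home or /root")
    return reasons


def find_suspicious_accounts(log_text):
    """Map each suspicious new account name to its reasons."""
    return {ev.name: suspicious_reasons(ev)
            for ev in parse_useradd_events(log_text) if suspicious_reasons(ev)}
```

Running find_suspicious_accounts(SAMPLE_LOG) flags only the notice account, with both reasons; deploy, created with a home under /home, passes.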

June 9, 13:00

The attacker uploads a vulnerability scanner created by a team of Romanian blackhats. These new tools would be used to find other vulnerable servers and break into them, building a network of compromised machines bent to the will of the attacker. At the moment the attacker was preparing to launch the scanner, we switched off the server and wiped it, putting an end to the cybercriminals' raids.
