Archive for June, 2008

It had to happen

Monday, June 30th, 2008

Today we received our first bit of spam from EC2. The message itself was pretty standard:

From: "Microsoft" 
Date: 29 June 2008 11:47:43 BST
To: XXX
Subject: Important Update Notification

Hello XXX,

You are receiving this notification because the version of Windows you are running is effected by a critical security issue.

For the protection of yourself and others using the Windows operating system, it is reccomended that all consumers update their operating system at their earliest convenience.

To do so, you may visit Microsoft Update by clicking here, and simply pressing "Open" or "Run" to begin the automatic update process.

Thank you for your cooperation in resolving this matter.

Kind Regards,
Microsoft Customer Support 

The link points to a phishing site:

http://XXX/go.nhn?url=http%3A%2F%2Fupdate%2Emicrosoft%2Ecom%2E00000000000000000000000000000000000000000000000000000000000000%2Enet

So far, so standard. The interesting bit is in the headers of the message:

Received: (qmail 29794 invoked from network); 29 Jun 2008 09:53:08 -0000
Received: from ec2-75-101-198-26.compute-1.amazonaws.com (HELO ec2-75-101-198-26.compute-1.amazonaws.com) (75.101.198.26)
  by server-14.tower-117.messagelabs.com with SMTP; 29 Jun 2008 09:53:08 -0000
From: "Microsoft" 

How long before all email from EC2 is blacklisted? It was only a matter of time before services like this started to be used for sending spam, but this is the first time I’ve seen it in the wild.
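The two things worth pulling out of a message like this, as an added example in Python (not code from the original post): the oldest Received hop your own MTA stamped, checked against the EC2 hostname pattern, and the real hostname hidden in the percent-encoded `url=` parameter, checked for a brand name that is not the registrable domain. The sample message is constructed from the headers quoted above; the sender address and redirector host are placeholders.

```python
import re
from email import message_from_string
from urllib.parse import parse_qs, urlparse

# Constructed sample built from the headers and link quoted in the post; the
# sender address and redirector host are placeholders, not values from the page.
SAMPLE = """\
Received: (qmail 29794 invoked from network); 29 Jun 2008 09:53:08 -0000
Received: from ec2-75-101-198-26.compute-1.amazonaws.com (HELO ec2-75-101-198-26.compute-1.amazonaws.com) (75.101.198.26)
  by server-14.tower-117.messagelabs.com with SMTP; 29 Jun 2008 09:53:08 -0000
From: "Microsoft" <sender@placeholder.invalid>

Click http://redirector.placeholder.invalid/go.nhn?url=http%3A%2F%2Fupdate%2Emicrosoft%2Ecom%2E000000%2Enet now.
"""

# "from <host> (HELO ...) (<ip>)" as stamped by the receiving MTA.
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(.*?\)\s*\((\d{1,3}(?:\.\d{1,3}){3})\)", re.S)
CLOUD_SUFFIXES = (".compute-1.amazonaws.com", ".compute.amazonaws.com")

def first_external_hop(raw):
    """(host, ip) from the oldest Received header naming a sending host; only the hop your own MTA stamped is trustworthy."""
    msg = message_from_string(raw)
    for hdr in reversed(msg.get_all("Received", [])):  # headers are newest first
        m = RECEIVED_FROM.search(hdr)
        if m:
            return m.group(1).lower(), m.group(2)
    return None

def is_cloud_host(host):
    return host.endswith(CLOUD_SUFFIXES)

def redirect_target(link):
    """Hostname hidden in the percent-encoded url= parameter of the redirector link."""
    target = parse_qs(urlparse(link).query)["url"][0]
    return urlparse(target).hostname

def impersonates(host, brand):
    """True when brand (e.g. microsoft.com) appears inside host but is not its registrable domain (last two labels)."""
    registrable = ".".join(host.split(".")[-2:])
    return registrable != brand and ("." + brand + ".") in ("." + host + ".")

def triage(raw, brand="microsoft.com"):
    """Run both checks over one raw message and return the findings."""
    msg = message_from_string(raw)
    link = re.search(r"https?://\S+", msg.get_payload()).group(0)
    hop = first_external_hop(raw)
    target = redirect_target(link)
    return {"hop": hop, "cloud_origin": is_cloud_host(hop[0]) if hop else False,
            "target": target, "lookalike": impersonates(target, brand)}
```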

submit-http for nepenthes

Tuesday, June 3rd, 2008

A hideously simplistic PHP handler for the nepenthes submit-http module. It Works For Me ™.

<?php
// Minimal handler for the nepenthes submit-http module: every POST becomes
// one line in a flat log file. Only the fields nepenthes sends are kept.

$allowed = array('url', 'trigger', 'md5', 'sha512', 'filetype',
                 'source_host', 'target_host', 'filename');

$log  = 'timestamp=' . date('U');
$log .= ',remotehost=' . $_SERVER['REMOTE_ADDR'];

foreach ($_POST as $key => $value) {
    if (!in_array($key, $allowed, true)) {
        continue;   // ignore anything outside the whitelist
    }
    // keep one record per line: a submitted value must not be able to
    // inject line breaks into the line-oriented log
    $value = str_replace(array("\r", "\n"), ' ', $value);
    $log .= ",$key=$value";
}
$log .= "\n";

$myFile = '/tmp/submit-log';
$fh = fopen($myFile, 'a');
if ($fh === false) {
    header('HTTP/1.1 500 Internal Server Error');
    exit;
}
fwrite($fh, $log);
fclose($fh);
?>

You’ll want your config file /etc/nepenthes/submit-http.conf to give this script as the URL, e.g. “http://myserver.example.com/submit.php” and enable the submit-http module in /etc/nepenthes/nepenthes.conf. After that, you probably want to figure out how to collect the binaries that nepenthes has just captured.

p0f 2.0.8 on openWRT

Tuesday, June 3rd, 2008

First, read the posting by David about nepenthes on openWRT. Then get p0f from here http://lcamtuf.coredump.cx/p0f.tgz.

cd kamikaze_9.04/dl
tar zxf ~/p0f.tgz
cd p0f
vi mk/Linux

#change these lines to the full path to your compiler, include and library dirs
# probably a nicer way to do it, but i'm in a hurry :) 
CC      = /home/jamie/slug/kamikaze_7.09/staging_dir_armeb/bin/armeb-linux-uclibc-gcc
LIBS    = -lpcap -I/usr/include/pcap -I/usr/local/include/pcap -I/home/jamie/slug/kamikaze_7.09/build_armeb/libpcap-0.9.4/ -L/home/jamie/slug/kamikaze_7.09/build_armeb/libpcap-0.9.4/

cd ..
mv p0f p0f-2.0.8
tar zcvf p0f-2.0.8.tgz p0f-2.0.8

cd ..

Now, create the Makefile below in packages/p0f/Makefile – remember to make sure it has tabs, not spaces! Then compile:

make package/p0f-compile V=99

Copy the ipkg file onto your openWRT box and install it, then just type p0f to run:

== output ==

root@OpenWrt:~# p0f -l
p0f - passive os fingerprinting utility, version 2.0.8
(C) M. Zalewski <lcamtuf@dione.cc>, W. Stearns <wstearns@pobox.com>
p0f: listening (SYN) on 'eth0', 262 sigs (14 generic, cksum 0F1F5CA2), rule: 'all'.
77.a.b.c:59460 - Linux 2.6 (newer, 2) (NAT!) (up: 200 hrs) -> 88.x.y.z:22 (distance 14, link: BT DSL (?))

== Makefile for p0f ==
#
# Copyright (C) 2006 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
# $Id: Makefile 9695 2007-12-09 18:59:01Z nbd $

include $(TOPDIR)/rules.mk

PKG_NAME:=p0f
PKG_VERSION:=2.0.8
PKG_RELEASE:=1

PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tgz
PKG_SOURCE_URL:=http://www.stearns.org/p0f
PKG_MD5SUM:=unknown

include $(INCLUDE_DIR)/package.mk

define Package/p0f
  SECTION:=net
  CATEGORY:=Network
  DEPENDS:=+libpcap
  TITLE:=P0f
  URL:=http://www.stearns.org/p0f/
endef

define Package/p0f/description
  P0f
endef

CONFIGURE_VARS += \
	CPPFLAGS="$$$$CPPFLAGS -g " \
	LIBS="-nodefaultlibs"

define Build/Configure
	$(call Build/Configure/Default,)
endef

# recipe lines below must start with a tab, not spaces
define Build/Compile
	$(MAKE) -C $(PKG_BUILD_DIR) DESTDIR="$(PKG_INSTALL_DIR)"
endef

define Package/p0f/install
	install -d -m0755 $(1)/usr
	install -d -m0755 $(1)/usr/bin
	install -d -m0755 $(1)/etc
	install -d -m0755 $(1)/etc/p0f
	install -m0755 $(PKG_BUILD_DIR)/p0f $(1)/usr/bin
	cp -R $(PKG_BUILD_DIR)/p0f.fp $(1)/etc/p0f
endef
#
$(eval $(call BuildPackage,p0f))