Opportunistic hackers are far from the limelight these days but they still exist and can cause large amounts of damage if they manage to break into your systems. We’ve recently observed our Data Center Security Suite catch such a hacker, an “Alex” from Romania who has kindly enough supplied his own name and private domain for publicity.
Despite this being a very typical attack, we think it’s worth going over the entire flow in order to better highlight current techniques. We’ll be using screenshots from GuardiCore’s Security Suite to demonstrate “Alex’s” flow.
We can clearly see our attacker trying to connect to a target server, where our product silently redirected him to the honeypot dynamically . From here, we can observe the brute force root login attempts. It’s also easy to note that the attacker is a human being, automated attacks don’t wait 22 seconds between password guesses, nor wait 21 seconds after receiving a password prompt.
In the end, we let the attacker in for further observation.
After a quick look around, the attacker attempts to download files from multiple websites hosted under altervista.org and execute it. The honeypot allows the file downloads and intercepts them, and shortly after running the tools, we cut the honeypot off, ending the incident.
Further investigation on our end shows that the attacker downloaded a perl script that provides DoS capabilities and a custom toolkit that provides backdoor access to the server and tools for lateral movement in the network using a recompiled version of tcpdump and nmap.
A quick look around the hackers website(http://k3nz0rhacking.alter vista.org/ broken link) shows that he’s a freelance hacker for hire from Romania for Denial of Service services.
Incident closed, we think there are several interesting notes from such a simple attack.
- There are still freelance hackers who have very distinctive ‘human’ giveaways and work with amateur techniques such as password guessing and manually looking around an infected station.
- Protecting yourself from brute force password guessing is still relevant in the age of modern exploits.
- Being part of a DoS botnet is still an active risk in today’s Internet and you should monitor your network egress traffic to make sure you’re not infected.