The Honeynet Project is pleased to announce the next forensic challenge: Log Mysteries. This challenge takes you into the world of virtual systems and confusing log data. Figure out what happened to a virtual server using all the logs from a possibly compromised server.

Challenge 5 has been created by Raffael Marty from the Bay Area Chapter, Anton Chuvakin from the Hawaiian Chapter, and Sebastien Tricaud from the French Chapter.

Submission deadline is September 30th and we will be announcing winners around October 21st. We have a few small prizes for the top three submission.

Good luck, and enjoy!

The latest month of scanning has seemed valuable for the hackers. A Norwegian municipality has been hacked and their PBX has been calling Somalia and a lot of others destinations we have picked up on our VoIP honeypots during the last month.

If you have an unsecure IP PBX on the net, now it will only take hours before it will be detected. Most normal cause for this is misconfiguration. The people setting up the IP PBX has not taken security seriously and the IP PBX is wide open for calling.

The simplest ways is that inbound calls is routed out again if no local destination is found.  A little harder is to just brute-force the password on extensions. I can only say, there will be more like this!

Norwegian version

English version

The hacker can sell this “gateway” to a third party dealing with calling cards. I have investigated frauds in Norway where they managed to send 1,2 million NOK (approx 200 000 USD) within 10 days. This was a Cisco installation, but misconfigured Asterisk installations are also abused a lot.

The Chinese speaking members of the Honeynet Project has translated it even to simplified Chinese! Have fun and learn a lot!

Update (26. jun): NB! Only a few days left to submit your answer! The deadline is June 30th.

Update (28. jul): The solution and the winners of this challenge is available here.

This is what’s being logged on honeynor.no when I (84.215.x.y) google the word “honeynor“.

84.215.x.y - - [18/May/2010:23:42:55 +0200] "GET / HTTP/1.1" 200 17832 "http://www.google.com/ \
search?hl=en&source=hp&q=honeynor&aq=f&aqi=g-s1g-sx7&aql=&oq=&gs_rfai=&fp=64bbd6d9727d98e0" \
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) \
Firefox/3.6.3"

I haven’t left google yet!, but my very intelligent browser thinks I might click on the first link (www.honeynor.no) so it goes ahead and access the site, way before my puny brain has had any chance on processing the search output. In true PKD-style, I hereby accuse firefox of a precrime!

Why is this action bad? Let me answer the question with a question; Do you always want to access the sites presented to you when you search the web? I can think of several cases where I’m not keen on letting some third party know of my interest in them; either that’s during an analysis or in case of possible repercussions against me for accessing a site in an unexpected or socially engineered manner.

It seems google is in cahoots with firefox on this one, because I’m unable to reproduce the same result using bing, yahoo or alltheweb. Only on google is the prefetch mechanism activated.

So, how can you disable this feature? Luckily it very easy; go to about:config in your firefox/mozilla browser and set the parameter network.prefetch-next to false. That’s it!

On your vmware server, go to the following directory:
/usr/lib/vmware/webAccess/tomcat/ \
apache-tomcat-6.0.16/webapps/ui/plugin/

Copy the appropriate vmrc plugin for your client platform (mine was a 32 bit Ubuntu 10.04 Desktop, so I grabbed vmware-vmrc-linux-x86.xpi).

On your client, unzip the xpi-file:

$ unzip vmware-vmrc-linux-x86.xpi

Run the vmrc executable (it’s actually just a wrapper script) manually by specifying the absolute path (I extracted the contents to /tmp):

$ /tmp/vmrc/plugins/vmware-vmrc

The vmrc UI starts, and you can connect to your vmware server by either specifying it’s hostname or it’s IP-address, together with your username and password (I also had to specify the port, e.g. <IP>:8333). When a connection has been established with the server, you will be presented with a selection of virtual machines you may connect to.

The Honeynet Project is proud to present our third Forensic Challenge 2010 created by Josh Smith and Matt Cote from The Rochester Institute of Technology Chapter, Angelo Dell’Aera from the Italian Chapter and Nicolas Collery from the Singapore Chapter. This challenge is a bit different than the previous two, as it involves investigating a memory image of an infected virtual machine. Read all the questions for this challenge over at the main blog and submit your answers by 17:00 EST, Sunday, April 18th 2010. Good luck!

UPDATE (12.Apr): There are now additional third-party incentives to participate in this forensics challenge. Both Volatile Systems and MANDIANT are offering their own prices to the top three winners that apply their memory analysis tools; The Volatility Framework, Memoryze and Audit Viewer respectively. But remember, there are now only a few days left until deadline, so get moving!

UPDATE (19.Apr): The submission deadline for this challenge has been extended till April 26th.

UPDATE (14.May): The solution and the winners of this challenge is available here.

The solution and winners of the second challenge are shown here.

A major issue with the RIR data (delegated-feeds) used by the CC2ASN service, is ASNs registered to a region instead of a specific country. There are currently two regions in use; European Union (EU) and Asia Pacific (AP). The reason for using this is the ever increasing globalization of corporations and organizations, and hence quite understandable. But when you want a list of AS numbers for any given country code, the regional registrations have to be included.

This is where the enhanced database comes into action. In this database we’ve manually overridden the country code assignments for those ASNs that in the RIR data were registered to either EU or AP. In addition we’ve also corrected a few other ASNs that we knew had a wrong country code. The list we’ve compiled is publicly available: asn_override.txt.

It’s all been a manual job, going through all the EU and AP ASNs, plus a good portion of the CCs also. The CC override decision is based on one or more of the following actions:

• Looking at references to location in whois descr, address or country records.
• Using location info in router names from tracepath of the AS prefixes.
• The nationality of peers and upstream providers.
• Location of corporate headquarters or regional headquarters.
• General googling/binging.

And this is a continuing job, whenever new ASNs are allocated to either EU or AP.

So, how do you access this new database? From the CC2ASN web-interface make sure you check the box labeled “Use Enhanced Database“. The database is also available by directly querying port 44/tcp (the normal CC2ASN database is available on standard whois port 43/tcp). Note that the enhanced database only outputs ASNs, not prefixes.

$ echo "GB" | nc atari.honeynor.no 44


Every day, when the latest RIR data are downloaded and parsed, all changes to the enhanced database are recorded. This allows us to provide you with an ASN history tool; CC2ASN Delta. The main page lists changes over the last 90 days for ASNs registered to a spesific country. By clicking on a county, you get a textual representation of all registered changes for that country. By further clicking on an ASN, you get a listing of potential country changes for that AS.

For more information, take a look at the documentation.

We’ve got a wide range of projects and develop tools using most of the popular programming languages, so if you are an eligible student interested in open source software, information security or honeynet technologies and think spending your summer being paid by Google to work on an exciting software development project sounds like a great plan, we look forward to hearing from you.

Simply connect to #gsoc-honeynet on irc.freenode.net to chat to our organizational admins and project mentors. Do remember that you don’t have to apply for one of our pre-defined project ideas, you can also propose your own project topic which we’ll try to find a suitable mentor for too. Google will start accepting student applications from Monday, March 29 at 19:00 UTC.

The Honeynet Project is proud to present our second Forensic Challenge 2010 created by by Nicolas Collery from the Singapore Chapter and Guillaume Arcas from the French Chapter. Provided with our pcap file, you’re challenged to answer ten questions before the deadline at March 1. Read all about it at honeynet.org. Good Luck!

The solution and winners of the first challenge are shown here.