The trap was sweet, tempting -- and if you were a savvy enough hacker -- kind of obvious, with an unpatched Unix box and easily crackable passwords just asking for trouble.
But the researchers who run the Distributed Honeynets Project were purposely being as promiscuous as possible on their IPSec-based "VPN" and it paid off: They've gotten hacked at least twice now.
"[The] attackers came in... and started the process of 'owning' the machine," says Albert Gonzalez, a member of the Distributed Honeynets Project. Gonzalez and his partner on the project, Will McCammon, plan to go public with their findings on the attacks soon.
The first attack, which occurred in the past few months, was on a Red Hat 6.2 server that McCammon, a medical student, had built on the network of honeypot machines disguised as an enterprise network.
The project strings together distributed honeypots over the VPN to make it look like a large, contiguous network with multiple hosts. The goal is to give the researchers a bird's eye view of what attackers do once they get past the front door of the fake enterprise network.
"This project is aimed mainly at what we see after initial exploitation," Gonzalez says. "The tools at their disposal, the amount of customized tools we run into. Their technique -- do they manually input commands, copy and paste? What files are they touching and why?"
The first attacker used a known buffer overflow exploit to gain control of the server, says McCammon, who then followed the attacker to an Internet Relay Chat (IRC) channel and communicated directly with him. "I ended up connecting to a botnet in an IRC channel... and talked to him," he says. "I basically told him he had hacked into a honeypot and I was watching him."
McCammon says the attacker threatened to make a comeback after being shut down but never did. "He was limited in his repertoire" of attacks, he says. This attacker appears to be an example of the less skilled type who must rely on known exploits because he's unable to write his own, he says.
"It was something very standard" that you can download and install as a rootkit, he says.
McCammon says he was surprised how simple it was to track the attacker and find him in the IRC chatroom. "I had access to every IP address of all the bots on his network," he says. "The question is, what can you do with that information?"
The second attack on the Distributed Honeynets Project came last week, when an attacker cracked McCammon's temptingly simple password and placed a rootkit on the victimized honeypot server. The researchers are still studying this attack, but it appears to have used an SSH exploit.
Meanwhile, the researchers are still fine-tuning the VPN and hoping to attract other organizations' honeypots to join. Gonzalez says the challenge is maintaining the illusion of a VPN infrastructure. "We need to be able to handle intense scans of the entire honeynet -- some of these links are on home cable links and others are on high-bandwidth sites," he says. "We are bridging these interfaces to make it look like one logical network."
McCammon says he's interested in taking the honeynet a step further, trapping more sophisticated attackers so they can study local exploits, not just remote ones. "We believe it would require that an attacker have a higher level of experience to run a local exploit versus a remote one with scanners," he says. "That would be the next step in [our] data-gathering."
Kelly Jackson Higgins, Senior Editor, Dark Reading