GEORGIA TECH HONEYNET REPORT

4TH QUARTER – 2003

 

 

Overview

It has been a busy quarter here in Atlanta.  We participated in the University of California, Santa Barbara (UCSB) “Capture the Flag” exercise held in December, using Snort-Inline as a defensive measure.  One of our teams placed third, behind two UCSB teams.  It was a worthwhile experience.

 

Our focus here continues to be the use of a Honeynet to help secure the campus network, in addition to rootkit research.

 

Current Setup

      GEN II Honeynet running a variety of OSs of interest.  We continue to use live OSs on real hosts rather than VMware virtual machines or Honeyd.

 

Malicious Activity

      Detected 59 compromised Microsoft Windows computers within the campus network that attempted to connect to the Honeynet.  Since the Honeynet offers no legitimate service, any campus host that connects to it is treated as compromised or scanning.  The network administrators responsible for these machines were contacted.

 

      On 1 NOV 2003 a Honeynet machine running Windows 2000 was compromised on campus by another Georgia Tech machine via an RPC exploit.  The compromised machine was then set up as an IRC bot.  Follow-on investigation revealed that 26 campus computers had been compromised in the same fashion and were participating in the same IRC channel.  A report on this incident prepared by Tim Jackson, a Georgia Tech College of Computing undergraduate, is available on the web site for review.

 

      On 2 DEC 2003 the Honeynet detected an off-campus machine targeting TCP port 593 (RPC over HTTP) on the Honeynet with an MS RPC exploit.  We could not find any reference to this exploit.  The exploit code was turned over to campus network security personnel for analysis.
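The triage behind the three findings above (campus hosts touching the Honeynet, an off-campus host hitting an RPC port, and a honeypot that starts talking to an IRC server) can be written as a short log filter.  The following is an added example for this report, not code from the Georgia Tech honeynet; the campus address range, the honeypot addresses and the flow-log lines are all constructed placeholders.

```python
"""Triage of honeynet connection records.

Added illustration for this report, not code from the Georgia Tech honeynet.
A honeynet host offers no production service, so every connection to it is
unsolicited: a campus source is most likely a compromised host scanning its
neighbours, an off-campus source hitting an RPC port is a probe or exploit
attempt, and a honeypot connecting OUT (for example to an IRC server) means
the honeypot itself has been taken over.
"""
import ipaddress
from collections import defaultdict

# Assumed campus address space; the report does not list the real ranges.
CAMPUS_NETS = [ipaddress.ip_network("130.207.0.0/16")]
# Assumed honeypot addresses inside that space.
HONEYNET_HOSTS = {"130.207.250.10", "130.207.250.11"}
# TCP ports carrying MS RPC in the incidents the report describes:
# 135 endpoint mapper, 139/445 SMB, 593 RPC over HTTP.
RPC_PORTS = {135: "msrpc", 139: "netbios-ssn", 445: "microsoft-ds", 593: "http-rpc-epmap"}

# Constructed sample log, one flow per line:
# timestamp src_ip src_port dst_ip dst_port proto
SAMPLE_LOG = """\
2003-12-02T10:01:13 130.207.12.34 1045 130.207.250.10 135 tcp
2003-12-02T10:01:14 130.207.12.34 1046 130.207.250.10 445 tcp
2003-12-02T10:02:00 130.207.44.7 3301 130.207.250.11 135 tcp
2003-12-02T10:02:01 130.207.44.7 3302 130.207.250.11 139 tcp
2003-12-02T10:05:22 66.1.2.3 2211 130.207.250.10 593 tcp
2003-12-02T10:05:23 66.1.2.3 2212 130.207.250.10 593 tcp
2003-12-02T10:07:00 130.207.250.11 1050 198.51.100.20 6667 tcp
2003-12-02T10:09:40 192.0.2.9 40000 130.207.250.11 80 tcp
"""


def parse_log(text):
    """Parse the whitespace flow format into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        ts, src, sport, dst, dport, proto = fields
        records.append({"ts": ts, "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport), "proto": proto})
    return records


def is_campus(ip):
    """True if the address falls inside the (assumed) campus ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPUS_NETS)


def triage(records):
    """Split records into the three findings an administrator acts on."""
    campus_sources = defaultdict(set)   # internal src -> ports it hit
    external_rpc = defaultdict(set)     # external src -> RPC ports it hit
    outbound = []                       # (honeypot, remote, port) tuples
    for r in records:
        if r["src"] in HONEYNET_HOSTS:
            # Honeypots never initiate traffic on their own; outbound means owned.
            outbound.append((r["src"], r["dst"], r["dport"]))
        elif r["dst"] in HONEYNET_HOSTS:
            if is_campus(r["src"]):
                campus_sources[r["src"]].add(r["dport"])
            elif r["dport"] in RPC_PORTS:
                external_rpc[r["src"]].add(r["dport"])
    return {"campus": dict(campus_sources),
            "external_rpc": dict(external_rpc),
            "outbound": outbound}


def report(findings):
    """Render findings as the lines one would send to network administrators."""
    lines = []
    for src, ports in sorted(findings["campus"].items()):
        lines.append(f"campus host {src} probed honeynet on {sorted(ports)} - likely compromised")
    for src, ports in sorted(findings["external_rpc"].items()):
        names = ", ".join(f"{p}/{RPC_PORTS[p]}" for p in sorted(ports))
        lines.append(f"external host {src} targeted RPC ports {names}")
    for hp, remote, port in findings["outbound"]:
        lines.append(f"honeypot {hp} connected OUT to {remote}:{port} - assume compromised")
    return lines


if __name__ == "__main__":
    for line in report(triage(parse_log(SAMPLE_LOG))):
        print(line)
```

Off-campus connections to non-RPC ports (the port 80 probe in the sample) are deliberately left out of the report; on a real honeynet those still get logged, but the follow-up the report describes is for campus sources, RPC exploitation attempts and honeypots that begin beaconing out.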