Tuesday, August 17, 2010

Error: Dionaea thread problem?

Yesterday, when I checked my dionaea's fruit, I found that the sensor had stopped functioning again. It is the second time; the problem happened previously, as I blogged. Again, let's read dionaea.log. I found the overall flow as below:

1. [16082010 21:03:08] logsql dionaea/logsql.py:410-info: accepted connection from 118.100.XXX.XX:61456 to 192.168.1.99:445 (id=186021)

2. ... NTLMSSP Authentication with GSSAPI...

3. [16082010 21:03:11] rpcservices dionaea/smb/rpcservices.py:64-info: Calling SRVSVC NetPathCanonicalize (1f) maybe MS08-67 exploit?
[16082010 21:03:11] rpcservices dionaea/smb/rpcservices.py:73-warning: DCERPCValueError path is too long (b"\\\x00FUnMLEvdNzjntXznAvcOSD......")

4. ... NTLMSSP Authentication without GSSAPI...
SMB_COM_TREE_CONNECT_ANDX
SMB NTcreate AndX Request

5. [16082010 21:03:28] rpcservices dionaea/smb/rpcservices.py:66-info: Calling SVCCTL OpenSCManagerA (1b)
[16082010 21:03:29] rpcservices dionaea/smb/rpcservices.py:66-info: Calling SVCCTL CreateServiceA (18)
-PSEXESVC
-%SystemRoot%\\System32\\PSEXESVC.EXE\
[16082010 21:03:29] rpcservices dionaea/smb/rpcservices.py:66-info: Calling SVCCTL CloseServiceHandle (0)

6. SMB Close

7. SMB Sessionsetup ESEC AndX ( For NTLMSSP without GSSAPI)

8. SMB_COM_TREE_CONNECT_ANDX
-\\118.100.XX.XX\IPC$
-\\118.100.XX.XX\ADMIN$

9. SMB Treeconnect AndX Response Extended (First time I have seen this layer used!)

[16082010 21:03:35] incident incident.c:185-debug: incident 0xa6aedc8 dionaea.download.offer
[16082010 21:03:35] incident incident.c:203-debug: con: (ptr) 0xa3bab20
[16082010 21:03:35] incident incident.c:203-debug: url: (string) smb://124.47.XX.163/system32\dumpsys.exe

[16082010 21:03:47] incident incident.c:210-debug: reporting 0xa1c0940
[16082010 21:03:47] incident incident.c:185-debug: incident 0xa1c0940 dionaea.download.offer
[16082010 21:03:47] incident incident.c:203-debug: con: (ptr) 0xa3bab20
[16082010 21:03:47] incident incident.c:203-debug: url: (string) smb://124.47.XX.163/System32\PSEXESVC.EXE

10.
[16082010 21:04:22] logsql dionaea/logsql.py:410-info: accepted connection from 124.47.XX.163:4715 to 192.168.1.99:445 (id=186026)

11. The error happens and the sensor stops.
[16082010 21:04:25] thread threads.c:90-critical: Threadpool is crowded 3/2, suspending *all* activity
[16082010 21:04:25] thread threads.c:90-critical: Threadpool is crowded 3/2, suspending *all* activity

12. The captures as recorded in var/dionaea/binaries
-rw------- 1 root root 60K 2010-08-16 21:03 8b48f59fb263b1b3ed5f9f2a8cd8fd26
-rw------- 1 root root 92K 2010-08-16 21:02 4a6e5980ad7d1a4bbe71ec46fa96755e
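The flow above reads as one attacker session: a NetPathCanonicalize call with an oversized path (the MS08-067 signature dionaea flags), then SVCCTL OpenSCManagerA/CreateServiceA for PSEXESVC (a PsExec-style service installation over SMB), then two smb:// download offers, then a second connection followed by the "Threadpool is crowded" critical message. The script below is an added example, not dionaea's own code, that pulls exactly this chain out of dionaea.log lines so the timeline can be checked mechanically instead of by eye. The sample log text is constructed here in the same format as the post's excerpt (with documentation-range addresses, not the real ones); since the quoted lines carry no connection id except on the "accepted connection" line, the script attributes each event to the most recently accepted connection, which is an assumption that only holds for a sensor handling one session at a time.

```python
"""Reconstruct the attack chain from dionaea.log lines (added example, not dionaea code)."""
import re

# Constructed sample, modelled on the dionaea.log format quoted in the post.
SAMPLE_LOG = r"""
[16082010 21:03:08] logsql dionaea/logsql.py:410-info: accepted connection from 198.51.100.7:61456 to 192.168.1.99:445 (id=1)
[16082010 21:03:11] rpcservices dionaea/smb/rpcservices.py:64-info: Calling SRVSVC NetPathCanonicalize (1f) maybe MS08-67 exploit?
[16082010 21:03:11] rpcservices dionaea/smb/rpcservices.py:73-warning: DCERPCValueError path is too long (b"\\\x00AAAAAAAAAAAAAAAA...")
[16082010 21:03:28] rpcservices dionaea/smb/rpcservices.py:66-info: Calling SVCCTL OpenSCManagerA (1b)
[16082010 21:03:29] rpcservices dionaea/smb/rpcservices.py:66-info: Calling SVCCTL CreateServiceA (18)
[16082010 21:03:29] rpcservices dionaea/smb/rpcservices.py:66-info: Calling SVCCTL CloseServiceHandle (0)
[16082010 21:03:35] incident incident.c:185-debug: incident 0xa6aedc8 dionaea.download.offer
[16082010 21:03:35] incident incident.c:203-debug: url: (string) smb://203.0.113.9/system32\dumpsys.exe
[16082010 21:03:47] incident incident.c:185-debug: incident 0xa1c0940 dionaea.download.offer
[16082010 21:03:47] incident incident.c:203-debug: url: (string) smb://203.0.113.9/System32\PSEXESVC.EXE
[16082010 21:04:22] logsql dionaea/logsql.py:410-info: accepted connection from 203.0.113.9:4715 to 192.168.1.99:445 (id=2)
[16082010 21:04:25] thread threads.c:90-critical: Threadpool is crowded 3/2, suspending *all* activity
"""

# "[DDMMYYYY HH:MM:SS] module file:line-level: message"
LINE_RE = re.compile(
    r"^\[(?P<date>\d{8}) (?P<time>\d{2}:\d{2}:\d{2})\] "
    r"(?P<module>\S+) (?P<src>\S+?):(?P<srcline>\d+)-(?P<level>\w+): (?P<msg>.*)$"
)

# Messages worth tagging, in the order they are tried against each line.
EVENTS = [
    ("connection", re.compile(r"accepted connection from (\S+):(\d+) to (\S+):(\d+)")),
    ("ms08067_probe", re.compile(r"Calling SRVSVC NetPathCanonicalize")),
    ("overlong_path", re.compile(r"DCERPCValueError path is too long")),
    ("service_create", re.compile(r"Calling SVCCTL CreateServiceA")),
    ("download_url", re.compile(r"url: \(string\) (\S+)")),
    ("threadpool_crowded", re.compile(r"Threadpool is crowded (\d+)/(\d+)")),
]


def parse_line(line):
    """Return the parsed fields of one log line plus its event tag, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["event"], rec["args"] = None, ()
    for name, pat in EVENTS:
        em = pat.search(rec["msg"])
        if em:
            rec["event"], rec["args"] = name, em.groups()
            break
    return rec


def analyse(log_text):
    """Group tagged events under the most recently accepted connection (assumption: one session at a time)."""
    summary = {"connections": [], "download_urls": [], "stall": None}
    current = None
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] is None:
            continue
        ev, args = rec["event"], rec["args"]
        if ev == "connection":
            current = {"time": rec["time"], "src": args[0], "sport": int(args[1]),
                       "dst": args[2], "dport": int(args[3]), "events": []}
            summary["connections"].append(current)
            continue
        if current is not None:
            current["events"].append(ev)
        if ev == "download_url":
            summary["download_urls"].append(args[0])
        elif ev == "threadpool_crowded":
            # The two figures exactly as dionaea prints them (the post shows 3/2).
            summary["stall"] = {"time": rec["time"], "count": int(args[0]), "limit": int(args[1])}
    return summary


def verdicts(summary):
    """One (source address, list of tags) pair per connection, in log order."""
    out = []
    for c in summary["connections"]:
        evs, tags = set(c["events"]), []
        if {"ms08067_probe", "overlong_path"} <= evs:
            tags.append("MS08-067 overflow attempt")   # NetPathCanonicalize with an oversized path
        elif "ms08067_probe" in evs:
            tags.append("NetPathCanonicalize probe")
        if "service_create" in evs:
            tags.append("remote service creation (PsExec-style)")
        if "download_url" in evs:
            tags.append("download offer")
        if "threadpool_crowded" in evs:
            tags.append("sensor stalled (threadpool crowded)")
        out.append((c["src"], tags))
    return out


if __name__ == "__main__":
    s = analyse(SAMPLE_LOG)
    for src, tags in verdicts(s):
        print(src, "->", ", ".join(tags) or "nothing notable")
    print("offered:", s["download_urls"])
    print("stall:", s["stall"])
```

Run against the real dionaea.log, the "sensor stalled" tag landing on a later connection than the one that did the exploitation is the pattern described in the post; if the stall ever shows up without a preceding CreateServiceA in the same log, that would argue against the RPC-reply hypothesis in the to-do list.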

To do:
Keep observing the problem. If the problem happens again, it is time to dig into the flaw. Thread problem due to OS issues? Any dependency issues? An improper RPC call reply, such as for SVCCTL CreateServiceA?
