www.tekdefense.com
142.202.17.177
Submitted URL: http://tekdefense.com/
Effective URL: http://www.tekdefense.com/
Submission: On October 10 via manual from US — Scanned from US
NETWORK CHALLENGE - 001 - SOLUTION
Monday, October 3, 2016 at 8:09AM

I wanted to send a big thanks out to everyone who sent solutions in for the Network Challenge. While there were many responses, two stood out amongst the rest. I don't plan on doing prizes for all of these contests, but I was so impressed by these responses that I wanted to do something special on this occasion. The winners of this first challenge are:

* First Place: @dfir_it ($150 Amazon Gift Card) - Solution is below
* Second Place: @CYINT_DUDE ($50 Amazon Gift Card) - Solution

The first place solution is so well written that I figured it was worth posting in its entirety here (with permission from the author, of course). See below for the solution, and keep an eye on dfir.it, where the author intends to post more details on how he arrived at the answers you see below.

@DFIR_IT WINNING CONTEST SUBMISSION:

The below report attempts to provide answers to the objectives set in "NETWORK CHALLENGE - 001 - LINUX":

1. Determine what likely occurred based on the evidence from the PCAP.
2. Identify any network and/or host artifacts that could be used to scope this incident further.
3. If applicable, write detection signatures (snort/suricata/yara) to increase coverage for this type of activity.

The report comprises multiple sections:

* Findings - Describes the main findings and provides an overview of malicious activity.
* Analysis - Provides technical analysis of captured traffic and extracted artifacts.
* Timeline - Provides a chronologically ordered list of events.
* Indicators - Provides a list of network and host indicators related to the observed malicious activity.
* References - Contains a list of external publications, indicators and resources used during analysis.

FINDINGS

* The Linux system behind the IP address 104.236.210.97 was compromised at approximately 2016-09-07T22:14:48Z, when the attacker successfully connected and authenticated to the system using the SSH protocol.
* At 2016-09-07T22:16:16Z the attacker downloaded an instance of the BillGates trojan (java.log) from the remote IP address 120.210.129.29, running an HFS server on TCP port 5198.
* At 2016-09-07T22:19:03Z the compromised system sent the first DNS Type A query for the domain top.t7ux.com. This event designates the approximate time when the attacker executed the malicious file java.log. At the same time the first "Hello" packet was sent by the compromised system to the C&C domain top.t7ux.com.
* At approximately 2016-09-07T23:43:06Z the attacker likely initiated installation of the Apache httpd server by executing the following command: apt-get install apache2.
* Between 2016-09-07T23:47:06Z and 2016-09-07T23:50:42Z the attacker downloaded additional malware and tools from the remote IP address 120.210.129.29. The files comprised multiple versions of the BillGates trojan, a reverse shell script, the Netcat utility and a backdoored version of OpenSSH.
* Between 2016-09-07T23:52:18Z and 2016-09-07T23:53:05Z the remote IP address 104.236.59.209 connected to the compromised system over TCP port 80 and downloaded two files: nc.exe and back.pl. The observed connections likely indicate that the attacker successfully installed and ran the Apache httpd server.
* At 2016-09-08T01:22:06Z the attacker terminated the SSH session from the remote IP address 46.101.128.129.
* The packet capture contained additional SSH packets from the remote IP address 71.171.119.98 between 2016-09-08T01:22:09Z and 2016-09-08T01:22:25Z. Based on the time of the event, the connection was likely also initiated by the attacker.
* At 2016-09-08T10:18:13Z the compromised host attempted to connect to the IP address 222.174.168.234, the resolution of the C&C domain top.t7ux.com at that time.
* At 2016-09-08T10:54:44Z the last packet to the C&C IP address 118.192.137.245 was captured.
* At 2016-09-09T13:46:05Z the compromised host sent 32038 UDP Flood packets to the IP address 23.83.106.115 over port 80.
* At 2016-09-09T13:46:21Z the last packet to the C&C IP address 222.174.168.234 was captured.

ANALYSIS

Analysis of the captured network traffic around the time (2016-09-07T22:16:16Z) when the first alert for the "HFS [File Download]" Snort signature occurred revealed the download of the suspicious file java.log from the remote IP address 120.210.129.29 by the host 104.236.210.97. Initial analysis showed that the file was an instance of the BillGates trojan compiled for x86 Linux systems and set with two C&C servers: top.t7ux.com and www.vnc8.com.

Review of network connections to the system behind the IP address 104.236.210.97 around the time when the malicious file was downloaded showed only one active SSH connection, from the IP address 46.101.128.129. Based on this evidence and the lack of other connections it was determined that the attacker managed to successfully authenticate and establish an interactive SSH connection to the system. The system was likely initially compromised at approximately 2016-09-07T22:14:48Z. The SSH session was active for 3 hours and approximately one megabyte of data was exchanged between the endpoints during that time.

At 2016-09-07T22:19:03Z the compromised system issued the first observed DNS Type A query for the domain top.t7ux.com. At the same time the system established a connection with the IP address 118.192.137.245 (the resolution of top.t7ux.com at that time) over TCP port 16081 and sent data which has been identified as a "Hello" packet generated by the BillGates trojan.
The "Hello" packet contained the kernel version of the compromised Linux system (Linux 4.4.0.0-36-generic) and the version of the malware (G2.40).

Between 2016-09-07T23:43:06Z and 2016-09-07T23:43:07Z the compromised system established multiple HTTP connections to two legitimate domains, mirrors.digitalocean.com and nyc2.mirrors.digitalocean.com, and downloaded multiple .deb files. The files were determined to be legitimate software packages of the Apache httpd server and its dependencies. In the absence of additional interactive connections to the compromised system it is likely that it was the attacker who initiated installation of the Apache httpd server by executing the following command: apt-get install apache2.

Between 2016-09-07T23:47:06Z and 2016-09-07T23:50:42Z the attacker downloaded additional malware and tools from the remote IP address 120.210.129.29. The table below summarizes the files downloaded by the attacker:

| Filename | MD5 | Type | Architecture | VT Detection | C&C | Description |
| --- | --- | --- | --- | --- | --- | --- |
| java.log | f4b3ec28a7b92de2821c221ef0faed5b | ELF | x86 | Linux/BillGates | top.t7ux.com, www.vnc8.com | BillGates trojan Linux binary |
| 16081 | c3a59d53af7571b0689e5c059311dbbe | ELF | x86 | Linux/BillGates | top.t7ux.com, www.vnc8.com | BillGates trojan Linux binary |
| 2.6.32 | ff1e9d1fc459dd83333fd94dbe36229a | ELF | x64 | CVE-2013-2094 | - | CVE-2013-2094 privilege escalation exploit (Source code) |
| back.pl | fbaeef2b329b8c0427064eb883e3b999 | Perl | - | - | - | Reverse shell script written in Perl |
| nc.exe | 1c207af4a791c5e87dcd209f2dc62bb8 | PE | x86 | Tool.Netcat | - | Windows Netcat tool (UPX packed) |
| or.bin | 09b62916547477cc44121e39e1d6cc26 | Bash | - | - | - | Bash script. Contained a compressed and DES-encrypted backdoored version of OpenSSH (openssh-5.9p1.tgz) |
| SYN/Trustr | cd291abe2f5f9bc9bc63a189a68cac82 | ELF | x86 | Linux/BillGates | top.t7ux.com, www.vnc8.com | BillGates trojan Linux binary |
| SYN_1902 | 3e9a55d507d6707ab32bc1e0ba37a01a | ELF | x86 | Linux/BillGates | liv.t7ux.com, www.vnc8.com | BillGates trojan Linux binary |
| winappes.exe/Windows_1902 | a91261551c31a5d9eec87a8435d5d337 | PE | x86 | BackDoor.Gates.8 | liv.t7ux.com | BillGates trojan Windows binary |
| xmapp | c5593d522903e15a7ef02323543db14c | ELF | x86 | - | liv.t7ux.com, www.t7ux.com | BillGates trojan Linux binary |

The provided packet capture did not contain traces of traffic to the C&C domains identified during initial analysis of the extracted files, which likely indicates that the attacker did not execute additional instances of the BillGates trojan. One of the extracted files, or.bin, contained an installation script that extracted, decrypted and installed a likely backdoored version of the OpenSSH daemon (openssh-5.9p1.tgz). Analysis of the SSH server versions sent by the compromised host during negotiation of subsequent SSH connections did not reveal the presence of an OpenSSH-5.9p1 string.

Between 2016-09-07T23:52:18Z and 2016-09-07T23:53:05Z the remote IP address 104.236.59.209 connected to the compromised system over TCP port 80 and downloaded two files: nc.exe and back.pl. The HTTP server on the compromised system identified itself as Apache/2.4.18 (Ubuntu), which suggests that the attacker successfully managed to install and run the Apache httpd server. The system behind the IP address 104.236.59.209 may be another host compromised by the same attacker.

At 2016-09-08T01:22:06Z the attacker terminated the SSH session from the remote IP address 46.101.128.129. Analysis of the traffic showed an additional SSH session to be active around the same time, initiated from the IP address 71.171.119.98. The packet capture contained only a small fragment of the data exchanged, between 2016-09-08T01:22:09Z and 2016-09-08T01:22:25Z.
At approximately 2016-09-08T10:18:13Z the C&C domain top.t7ux.com started resolving to the new IP address 222.174.168.234. At the same time the compromised host attempted to connect to the new C&C IP address over TCP port 16081. At 2016-09-08T12:08:12Z the compromised host managed to successfully connect to the C&C address and sent a "Hello" packet.

At 2016-09-09T13:46:05Z the compromised host sent 32038 UDP Flood packets to the IP address 23.83.106.115 over port 80. Analysis of the provided PCAP did not reveal any packets sent by the C&C server instructing the BillGates trojan running on the compromised host to initiate a Denial of Service attack against the IP address 23.83.106.115. Between 2016-09-09T13:46:05Z and 2016-09-09T13:46:21Z the compromised host sent multiple packets containing the string "23.83.106.115" to the C&C server, likely as a confirmation of the performed UDP Flood attack. The last packet to the C&C server was captured at 2016-09-09T13:46:21Z.

TIMELINE

| Timestamp | Source IP Address | Destination IP Address | Protocol/Destination Port | Event Description |
| --- | --- | --- | --- | --- |
| 2016-09-07T22:14:48Z | 46.101.128.129 | 104.236.210.97 | TCP/22 | Initial SSH connection from the remote IP address 46.101.128.129. Duration: approximately 1m. |
| 2016-09-07T22:16:07Z | 46.101.128.129 | 104.236.210.97 | TCP/22 | Second SSH connection from the remote IP address 46.101.128.129. Duration: approximately 3h. |
| 2016-09-07T22:16:16Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary java.log to the compromised host. |
| 2016-09-07T22:16:16Z | 120.210.129.29 | 104.236.210.97 | TCP/47520 | Initial alert on the HFS [File Download] Snort signature. |
| 2016-09-07T22:19:03Z | 104.236.210.97 | 8.8.8.8 | UDP/53 | First observed DNS Type A query for the domain top.t7ux.com. Resolution: 118.192.137.245. |
| 2016-09-07T22:19:03Z | 104.236.210.97 | 118.192.137.245 | TCP/16081 | First observed Hello beacon to the C&C IP address 118.192.137.245. |
| 2016-09-07T23:43:06Z | 104.236.210.97 | 198.199.99.226 | TCP/80 | Initiated transfer of multiple legitimate Ubuntu packages from the remote host mirrors.digitalocean.com. |
| 2016-09-07T23:43:06Z | 104.236.210.97 | 192.241.164.26 | TCP/80 | Initiated transfer of multiple legitimate Ubuntu packages from the remote host nyc2.mirrors.digitalocean.com. |
| 2016-09-07T23:47:06Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary 16081 to the compromised host. |
| 2016-09-07T23:47:24Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the CVE-2013-2094 exploit file 2.6.32 to the compromised host. |
| 2016-09-07T23:47:32Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the reverse shell script back.pl to the compromised host. |
| 2016-09-07T23:47:41Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the Netcat PE binary nc.exe to the compromised host. |
| 2016-09-07T23:47:50Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the Bash script or.bin to the compromised host. |
| 2016-09-07T23:49:07Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary SYN to the compromised host. |
| 2016-09-07T23:49:18Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary SYN_1902 to the compromised host. |
| 2016-09-07T23:49:40Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary Trustr to the compromised host. |
| 2016-09-07T23:50:06Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan PE binary winappes.exe to the compromised host. |
| 2016-09-07T23:50:24Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan PE binary Windows_1902 to the compromised host. |
| 2016-09-07T23:50:42Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary xmapp to the compromised host. |
| 2016-09-07T23:52:18Z | 104.236.59.209 | 104.236.210.97 | TCP/80 | Download of the Netcat PE binary nc.exe from the compromised host. |
| 2016-09-07T23:53:05Z | 104.236.59.209 | 104.236.210.97 | TCP/80 | Download of the reverse shell script back.pl from the compromised host. |
| 2016-09-08T01:22:06Z | 46.101.128.129 | 104.236.210.97 | TCP/22 | End of the second SSH connection from the remote IP address 46.101.128.129. |
| 2016-09-08T01:22:09Z | 71.171.119.98 | 104.236.210.97 | TCP/22 | First captured packet of the SSH connection to the compromised host from the IP address 71.171.119.98. |
| 2016-09-08T01:22:25Z | 71.171.119.98 | 104.236.210.97 | TCP/22 | Last captured packet of the SSH connection to the compromised host from the IP address 71.171.119.98. |
| 2016-09-08T10:18:13Z | 8.8.8.8 | 104.236.210.97 | UDP/55022 | First observed DNS response pointing the top.t7ux.com domain to the new IP address 222.174.168.234. |
| 2016-09-08T10:18:13Z | 104.236.210.97 | 222.174.168.234 | TCP/16081 | First observed attempted connection to the C&C IP address 222.174.168.234. |
| 2016-09-08T10:54:44Z | 104.236.210.97 | 118.192.137.245 | TCP/16081 | Last observed TCP packet sent to the C&C IP address 118.192.137.245. |
| 2016-09-09T13:46:05Z | 104.236.210.97 | 23.83.106.115 | UDP/80 | 32038 UDP Flood packets sent to the remote IP address 23.83.106.115. |
| 2016-09-09T13:46:21Z | 104.236.210.97 | 222.174.168.234 | TCP/16081 | Last observed TCP packet sent to the C&C IP address 222.174.168.234. |

INDICATORS

IP ADDRESSES AND DOMAINS

The below list of network indicators is based solely on network traffic observed in the provided PCAP and analysis of extracted artifacts:

| IP Address/Domain | Description |
| --- | --- |
| 46.101.128.129 | Source of suspicious SSH connection to the compromised host. |
| 71.171.119.98 | Source of suspicious SSH connection to the compromised host. |
| 120.210.129.29 | HFS server hosting the attacker's malware and tools. |
| 118.192.137.245 | Resolution of top.t7ux.com. BillGates Trojan C&C. |
| 222.174.168.234 | Resolution of top.t7ux.com. BillGates Trojan C&C. |
| 104.236.59.209 | Downloaded nc.exe and back.pl from the compromised host. |
| top.t7ux.com | C&C of BillGates Trojan |
| www.vnc8.com | C&C of BillGates Trojan |
| liv.t7ux.com | C&C of BillGates Trojan |
| www.t7ux.com | C&C of BillGates Trojan |

SNORT SIGNATURES

* BillGates Trojan - "Hello" packet

> alert tcp any any -> any any (msg:"BillGates Trojan [Hello]"; content:"|01 00 00 00|"; content:"|00 00 00 00 f4 01 00 00 32 00 00 00 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:5; pcre:"/(Linux|Windows)/"; byte_test:1,>,96,4; byte_test:1,<,160,4; dsize:<160; threshold:type limit, track by_src, count 1, seconds 3600; sid:999998; rev:1;)

* BillGates Trojan - Transfer of Linux binary

> alert tcp any any -> any any (msg:"BillGates Trojan [Linux - Transfer]"; content:"GatesType"; content:"AttackBase"; distance:5; within:20; content:"ThreadShell"; distance:10; within:20; threshold:type limit, track by_src, count 1, seconds 60; sid:999997; rev:1;)

* BillGates Trojan - Transfer of Windows binary

> alert tcp any any -> any any (msg:"BillGates Trojan [Windows - Transfer]"; content:"FakeDetectPayload"; content:"FakeDetectInfo"; distance:15; within:20; content:"ShellCmd"; distance:15; within:20; threshold:type limit, track by_src, count 1, seconds 60; sid:999996; rev:1;)

* back.pl - Successful reverse shell connection

> alert tcp any any -> any any (msg:"Reverse Shell [back.pl]"; flow:from_client,established; content:"Enjoy the shell.|0a|"; depth:17; dsize:<256; sid:999995; rev:1;)

* 2.6.32 CVE-2013-2094 exploit - Transfer of the binary

> alert tcp any any -> any any (msg:"Exploit [CVE-2013-2094 - Transfer]"; content:"!close(fd)|00|map[i+1]|00|i<0x010000000/4"; sid:999994; rev:1;)

* BillGates Trojan - UDP Flood packet

> alert udp any any -> any any (msg:"BillGates Trojan [UDP Flood]"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; pcre:"/\x00{900}/"; dsize:>900; threshold:type limit, track by_src, count 1, seconds 3600; sid:999993; rev:1;)

YARA RULES

* BillGates Trojan (Windows and Linux binaries)

> rule BillGates {
>     strings:
>         $elf = "\x7fELF"
>         $mz = "MZ"
>         $b1 = "ThreadShell"
>         $b2 = "CheckGatesType"
>         $b3 = "AttackBase"
>         $b4 = "PacketAttack"
>         $b5 = "agony.pdb"
>         $b6 = "Gates.pdb"
>         $b7 = "Beikong"
>     condition:
>         ($elf at 0 or $mz at 0) and 2 of ($b*)
> }

* Reverse shell script back.pl

> rule Back {
>     strings:
>         $s1 = "Remote_IP Remote_Port \\n\";"
>         $s2 = "\"Enjoy the shell.\\n\";"
>     condition:
>         2 of ($s*)
> }

* UPX-packed Netcat tool nc.exe

> import "pe"
>
> rule Netcat_UPX {
>     condition:
>         pe.characteristics and
>         pe.sections[0].name == "UPX0" and
>         pe.sections[1].name == "UPX1" and
>         pe.sections[2].name == "UPX2" and
>         pe.imports("WSOCK32.dll") and
>         filesize == 28160
> }

* Bash script or.bin

> rule or_bin {
>     strings:
>         $o1 = "mkdir /tmp/.tmp123 -p && tail -n $line $0 |tar zx -C /tmp/.tmp123"
>         $o2 = { 0a 1f 8b 08 00 }
>     condition:
>         2 of ($o*)
> }

* CVE-2013-2094 exploit ELF binary 2.6.32

> rule CVE_2013_2094_Exploit {
>     strings:
>         $elf = "\x7fELF"
>         $s1 = "semtex.c"
>         $s2 = "!close(fd)"
>         $s3 = "map[i+1]"
>         $s4 = "i<0x010000000/4"
>         $s5 = "!setuid(0)"
>         $s6 = "/bin/bash"
>         $s7 = "2.6.37-3.x x86_64"
>         $s8 = "sd@fucksheep.org 2010"
>     condition:
>         $elf at 0 and 3 of ($s*)
> }

HOST INDICATORS

The existence of the following files on a filesystem can indicate that the BillGates Trojan was executed on a host.
The list is based on execution of the java.log file on a sandbox system:

* /tmp/gates.lod
* /tmp/moni.lod
* /usr/bin/.sshd
* /usr/bin/dpkgd/lsof
* /usr/bin/dpkgd/netstat
* /usr/bin/dpkgd/ps
* /usr/bin/dpkgd/ss
* /usr/bin/bsd-port/getty
* /usr/bin/bsd-port/getty.lock
* /etc/rc1.d/S97DbSecuritySpt
* /etc/rc2.d/S97DbSecuritySpt
* /etc/rc3.d/S97DbSecuritySpt
* /etc/rc4.d/S97DbSecuritySpt
* /etc/rc5.d/S97DbSecuritySpt
* /etc/rc1.d/S99selinux
* /etc/rc2.d/S99selinux
* /etc/rc3.d/S99selinux
* /etc/rc4.d/S99selinux
* /etc/rc5.d/S99selinux
* /etc/init.d/selinux

REFERENCES

* Malware Must Die: MMD-0039-2015: ChinaZ made new malware: ELF Linux/BillGates.Lite
* Malware Must Die: China ELF botnet malware infection & distribution scheme unleashed
* Malware Must Die: China ELF botnet malware infection scheme unleashed (video)
* Akamai: BillGates Botnet Malware Used in Large DDoS Attacks
* Novetta: The Elastic Botnet Report
* Securelist: Versatile DDoS Trojan for Linux
* Thisissecurity: When ELF.BillGates met Windows
* Botconf: Chinese Chicken - Multiplatform DDoS botnets

Source: DFIR_IT_Contest_Submission.md, hosted on GitHub.

NETWORK CHALLENGE - 001 - LINUX
Friday, September 16, 2016 at 9:04AM

One of my favorite sites is "Malware Traffic Analysis", where the author routinely posts network challenges. In the spirit of contributing to this effort of providing material for analysts to sharpen their skills, I developed a challenge focused around a popular scenario I often come across in research and other analysis efforts.

As a heads up, any malware you may come across in the analysis of this PCAP is in fact real malware. Please take care in how you analyze it.

When reviewing this PCAP and writing your response, please keep in mind what you would really want in an investigation. The questions I ask at the end of this article are intentionally vague, as I didn't want to give too much away with the questions. What I am hoping to see in responses is that the analysts are able to adequately tell a story of what likely occurred, identify network and host indicators that can help further scope this incident, and write detection rules in the detection languages of their choice to find future instances of this activity.

PCAP DOWNLOAD

The due date for submissions is September 25, 2016. Enjoy!

SCENARIO:

The client provides a PCAP containing all the traffic they have from a victim Linux server. A Snort signature alerted on files downloaded from an HFS server. The client has no other context to provide beyond the Snort signature that alerted:

> alert tcp any any -> any any (msg:"HFS [File Download]"; flow:to_client,established; content:"HFS 2."; distance:0; content:"HFS_SID="; classtype:suspicious; sid:999999; rev:1;)

OBJECTIVE:

1. Determine what likely occurred based on the evidence from the PCAP.
2. Identify any network and/or host artifacts that could be used to scope this incident further.
3. If applicable, write detection signatures (snort/suricata/yara) to increase coverage for this type of activity.

SUBMISSIONS:

Feel free to submit your responses directly to NetChallenge[at]tekdefense.com or comment on this blog post with a link to your own article with a response. I'll review responses, and perhaps give out a few prizes to those with great writeups.
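The two signatures that bracket this challenge, the HFS [File Download] rule above and the BillGates "Hello" rule in the winning submission, can be exercised offline by re-implementing their content, offset, byte_test, dsize and threshold logic in plain Python. The following is an added example written for this page, not code from TekDefense or the dfir.it submission. The packets it scans are constructed: the HFS response is a plausible HFS 2.x header set, and the "Hello" packet reproduces only the bytes the rule inspects (magic, length byte, fixed tail, an OS string), not the real BillGates layout between those fields.

```python
"""Re-implementation of two Snort rules from this page as plain Python.

Added example, not code from TekDefense or the dfir.it submission.
Sample payloads are constructed; the Hello layout beyond the bytes the
rule checks is an assumption.
"""
import re
from dataclasses import dataclass

HELLO_MAGIC = bytes.fromhex("01000000")          # content:"|01 00 00 00|"
# content:"|00 00 00 00 f4 01 00 00 32 00 00 00 e8 03 00 00| + 13 zero bytes"; offset:5
HELLO_TAIL = bytes.fromhex("00000000f401000032000000e8030000") + bytes(13)
OS_RE = re.compile(rb"(Linux|Windows)")          # pcre:"/(Linux|Windows)/"


@dataclass
class Packet:
    ts: float          # seconds since epoch
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    dport: int
    payload: bytes


def is_hfs_download(pkt: Packet) -> bool:
    """HFS [File Download]: content:"HFS 2."; content:"HFS_SID=".
    flow:to_client cannot be derived from one payload, so the caller is
    expected to feed server-to-client packets only."""
    d = pkt.payload
    return pkt.proto == "tcp" and b"HFS 2." in d and b"HFS_SID=" in d


def is_billgates_hello(pkt: Packet) -> bool:
    """BillGates Trojan [Hello]: magic anywhere, fixed tail found at or after
    offset 5, an OS name, length byte at offset 4 in (96,160), dsize:<160."""
    d = pkt.payload
    if pkt.proto != "tcp" or len(d) >= 160 or len(d) < 5:
        return False
    if HELLO_MAGIC not in d or d.find(HELLO_TAIL, 5) < 0:
        return False
    if not OS_RE.search(d):
        return False
    return 96 < d[4] < 160       # byte_test:1,>,96,4; byte_test:1,<,160,4


# (message, matcher, threshold window in seconds or None)
RULES = [
    ("HFS [File Download]", is_hfs_download, None),
    ("BillGates Trojan [Hello]", is_billgates_hello, 3600),  # limit 1 per src per hour
]


def scan(packets):
    """Apply RULES in order and return (ts, src, msg) alerts, honouring
    'threshold:type limit, track by_src' where a window is set."""
    alerts, last_seen = [], {}
    for pkt in packets:
        for msg, match, window in RULES:
            if not match(pkt):
                continue
            key = (msg, pkt.src)
            if window and key in last_seen and pkt.ts - last_seen[key] < window:
                continue                      # suppressed by threshold
            last_seen[key] = pkt.ts
            alerts.append((pkt.ts, pkt.src, msg))
    return alerts


def build_hello(kernel=b"Linux 4.4.0-36-generic", version=b"G2.40"):
    """Constructed Hello-style packet that satisfies the rule (layout assumed)."""
    body = HELLO_TAIL + kernel.ljust(64, b"\x00") + version
    total = 5 + len(body)                     # magic (4) + length byte (1) + body
    return HELLO_MAGIC + bytes([total]) + body


# Constructed sample traffic modelled on the challenge's story line.
SAMPLE = [
    Packet(0.0, "120.210.129.29", "104.236.210.97", "tcp", 47520,
           b"HTTP/1.1 200 OK\r\nServer: HFS 2.3\r\n"
           b"Set-Cookie: HFS_SID=0.123456; path=/\r\n\r\n\x7fELF\x01\x01\x01"),
    Packet(167.0, "104.236.210.97", "118.192.137.245", "tcp", 16081, build_hello()),
    Packet(180.0, "104.236.210.97", "118.192.137.245", "tcp", 16081, build_hello()),
    Packet(200.0, "104.236.210.97", "8.8.8.8", "udp", 53, b"\x12\x34\x01\x00"),
    Packet(5000.0, "104.236.210.97", "118.192.137.245", "tcp", 16081, build_hello()),
]

if __name__ == "__main__":
    for ts, src, msg in scan(SAMPLE):
        print(f"{ts:8.1f}  {src:16}  {msg}")
```

Run as a script it prints three alerts: the HFS download, the first Hello beacon, and the beacon sent 4833 seconds later; the second beacon 13 seconds after the first is suppressed by the one-per-source-per-hour threshold, as it would be in Snort. Direction (flow:to_client) is not modelled, so feed it server-to-client packets for the HFS rule.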
Admin | Post a Comment | Share Article tagged Network, Network Security, Ppcap, Snort, contest, network analsyis in News Friday Nov202015 AUTOMATER UPDATE .21 Friday, November 20, 2015 at 8:30AM KEEPING AUTOMATER UP TO DATE: Download the latest version: https://github.com/1aN0rmus/TekDefense-Automater One of the more outstanding modifications added to version .21 of Automater is that users no longer need to worry about keeping on top of the GitHub site to ensure all of the python modules are the latest version. With a small addition of a –Vv in the command line arguments, Automater will check if the local python modules match the modules on the TekDefense Automater GitHub site. The –V (--vercheck) argument is actually the argument that tells Automater to check the modules, and the small –v (--verbose) is required to make Automater report the outcome. If the files don’t match, Automater will send a notification to stdout to alert the user to which module has been modified, so up to date modules can be pulled if the user wants. The –v (--verbose) option can be used to turn on or off any information sent to stdout to either silence or allow Automater to talk to stdout. Arguably an even better option added is yet another “version” check of sorts. The sites.xml file is still required locally so that Automater can get instructions on what sites to check and what regexs to report upon. However, a new tekdefense.xml file is also checked for and utilized if it is found locally. The significance of this is that with a –r (--refreshxml) switch included in the command line argument call, Automater will check the TekDefense Automater GitHub site and pull the tekdefense.xml file for use. If the –r switch is utilized, and the local tekdefense.xml file is found to be different on the local machine, the modified (updated) file on GitHub will be pulled and utilized. 
This ensures that you have the ability to do your own calls with the sites.xml file, while ALSO maintaining constant calls to sites and checks utilized by the TekDefense crew. Together this gives the Automater use the best coverage with no modifications required or manual processes followed. NEW REQUIREMENTS AND WHAT THEY MEAN: The new Automater has several updates. Out of the blocks, the requests module (version 2.7 or above) is now required to run Automater. For instructions on getting the requests module if you don't already have view http://docs.python-requests.org/en/latest/user/install/. This gives us better control of returning HTML and sets us up for further upgrades in the near future when we begin using JSON APIs and data collecting capabilities – more on this as things progress. Using requests, the default timeout of get calls to web sites has now been set to 5 seconds. This allows Automater to move on after 5 seconds of waiting for a response from a web site. However, if a web site does respond and provide some input, but the site is slow in its response time, the get request will not timeout. This timeout is only for those sites that just don’t respond. Further refinements on this subject will continue in future upgrades. There are several bug fixes and other modifications and we will soon thread Automater to provide better response times. For instance the delay feature was fixed. > .\Automater.py -h > usage: Automater.py [-h] [-o OUTPUT] [-b] [-f CEF] [-w WEB] [-c CSV] > [-d DELAY] [-s SOURCE] [--proxy PROXY] [-a USERAGENT] [-V] > [-r] [-v] > target > > IP, URL, and Hash Passive Analysis tool > > positional arguments: > target List one IP Address (CIDR or dash notation accepted), > URL or Hash to query or pass the filename of a file > containing IP Address info, URL or Hash to query each > separated by a newline. 
> > optional arguments: > -h, --help show this help message and exit > -o OUTPUT, --output OUTPUT > This option will output the results to a file. > -b, --bot This option will output minimized results for a bot. > -f CEF, --cef CEF This option will output the results to a CEF formatted > file. > -w WEB, --web WEB This option will output the results to an HTML file. > -c CSV, --csv CSV This option will output the results to a CSV file. > -d DELAY, --delay DELAY > This will change the delay to the inputted seconds. > Default is 2. > -s SOURCE, --source SOURCE > This option will only run the target against a > specific source engine to pull associated domains. > Options are defined in the name attribute of the site > element in the XML configuration file. This can be a > list of names separated by a semicolon. > --proxy PROXY This option will set a proxy to use (eg. > proxy.example.com:8080) > -a USERAGENT, --useragent USERAGENT > This option allows the user to set the user-agent seen > by web servers being utilized. By default, the user- > agent is set to Automater/version > -V, --vercheck This option checks and reports versioning for > Automater. Checks each python module in the Automater > scope. Default, (no -V) is False > -r, --refreshxml This option refreshes the tekdefense.xml file from the > remote GitHub site. Default (no -r) is False. > -v, --verbose This option prints messages to the screen. Default (no > -v) is False. Specific sites (already in the sites.xml or tekdefense.xml file) can be called in case the user only wants responses from specific sites. While previous versions of Automater allowed this function for one site using the –s (--source) switch, the new version allows multiple sites to be utilized by separating the required sites with a semicolon. So in the past, if the user had a sites.xml file with the totalhash_ip entry, the user could call Automater with –s totalhash_ip and only receive information about totalhash. 
However, if the user now wants more than the totalhash output, but not everything in the sites.xml or tekdefense.xml file(s), they can run something like Automater -s totalhash_ip;robtex to get both totalhash and robtex information. Any sites in sites.xml or tekdefense.xml can be joined this way with a semicolon separator (quote the argument when running from a shell, since an unquoted ; ends the command in both bash and PowerShell). Lastly, there is now a bot output mode (-b) for those who want friendlier output for bots. For instance, here is the output of Automater with -b in a Skype bot.
tagged Automater, python in News

BSIDESNOLA 2015 PRESENTATION ON HONEYPOTS
Monday, June 1, 2015 at 6:57PM
Wow, it has been a long time since I have posted. I plan to rectify my posting frequency problems, starting now. Last weekend @p4r4n0y1ng and I (@TekDefense) gave a presentation on honeypots called "Catch More Honeys when you are fly" at BSidesNola. See the slides below:
I will be publishing a more detailed article on SSHPsychos soon!
tagged Dionaea, ELK, Kippo, SSHPsychos, honeypot in News

OVER A YEAR WITH KIPPO
Sunday, July 20, 2014 at 8:31PM
UPDATE: After posting, @ikoniaris of HoneyDrive and Bruteforce Labs fame recommended running kippo-stats. Here are the results of kippo-stats.pl, created by Tomasz Miklas and Miguel Jacq.
As many of you know from previous posts, I am a big fan of honeypots, particularly Kippo. My main Kippo instance, sitting in AWS, has been online for over a year now. Let's take a look at what we have captured and learned over this past year. If you want to validate any of these statistics, I have made the raw logs available for download.
GENERAL STATS:
Unique values (135526 connections):
*csv with geo location
*Map generated with JCSOCAL's GIPC

Top 11 Countries
China: 699
United States: 654
Brazil: 76
Russian Federation: 69
Germany: 65
Korea, Republic of: 57
Romania: 56
Egypt: 52
Japan: 50
India: 41
Indonesia: 41

Unique Usernames: 8600 (Username list)
Unique Passwords: 75780 (wordlist)
Unique Sources: 1985 (list of IPs)

PASSWORDS:
One of my favorite uses of Kippo data is to generate wordlists from login attempts. I wrote a quick script to parse the Kippo logs, pull out all passwords and unique them into a wordlist. Feel free to grab it. Additionally, I made the wordlists available for download. Using Pipal, I performed analysis of all the login attempts over this year:

remnux@remnux:~/custom_tools/pipal$ ./pipal.rb ../TekDefense/wordlist.txt
Generating stats, hit CTRL-C to finish early and dump stats on words already processed.
Basic Results

Total entries = 203400
Total unique entries = 75627

Top 10 passwords
123456 = 3561 (1.75%)
12345 = 1550 (0.76%)
password = 1539 (0.76%)
changeme = 1303 (0.64%)
1234 = 1231 (0.61%)
test = 1165 (0.57%)
abc123 = 1000 (0.49%)
123 = 766 (0.38%)
qwerty = 586 (0.29%)
root = 529 (0.26%)

Top 10 base words
root = 2256 (1.11%)
password = 2178 (1.07%)
test = 1853 (0.91%)
admin = 1538 (0.76%)
changeme = 1391 (0.68%)
qwerty = 1114 (0.55%)
oracle = 802 (0.39%)
p@ssw0rd = 709 (0.35%)
qaz2wsx = 708 (0.35%)
qwer = 591 (0.29%)

Password length (length ordered)
1 = 2247 (1.1%)
2 = 1539 (0.76%)
3 = 5589 (2.75%)
4 = 15420 (7.58%)
5 = 17910 (8.81%)
6 = 38125 (18.74%)
7 = 23075 (11.34%)
8 = 33164 (16.3%)
9 = 18631 (9.16%)
10 = 14059 (6.91%)
11 = 8525 (4.19%)
12 = 8627 (4.24%)
13 = 3759 (1.85%)
14 = 2617 (1.29%)
15 = 2025 (1.0%)
16 = 1786 (0.88%)
17 = 826 (0.41%)
18 = 1256 (0.62%)
19 = 520 (0.26%)
20 = 892 (0.44%)
21 = 275 (0.14%)
22 = 190 (0.09%)
23 = 303 (0.15%)
24 = 386 (0.19%)
25 = 172 (0.08%)
26 = 181 (0.09%)
27 = 56 (0.03%)
28 = 77 (0.04%)
29 = 47 (0.02%)
30 = 67 (0.03%)
31 = 111 (0.05%)
32 = 261 (0.13%)
33 = 96 (0.05%)
34 = 90 (0.04%)
35 = 117 (0.06%)
36 = 75 (0.04%)
37 = 19 (0.01%)
38 = 22 (0.01%)
39 = 30 (0.01%)
40 = 9 (0.0%)
41 = 73 (0.04%)
42 = 7 (0.0%)
43 = 3 (0.0%)
44 = 12 (0.01%)
45 = 16 (0.01%)
46 = 15 (0.01%)
47 = 9 (0.0%)
48 = 9 (0.0%)
49 = 20 (0.01%)
50 = 5 (0.0%)
51 = 7 (0.0%)
52 = 8 (0.0%)
54 = 2 (0.0%)
56 = 22 (0.01%)
57 = 1 (0.0%)
60 = 1 (0.0%)
62 = 3 (0.0%)
63 = 1 (0.0%)
64 = 4 (0.0%)
66 = 1 (0.0%)
69 = 2 (0.0%)
71 = 3 (0.0%)

Password length (count ordered)
6 = 38125 (18.74%)
8 = 33164 (16.3%)
7 = 23075 (11.34%)
9 = 18631 (9.16%)
5 = 17910 (8.81%)
4 = 15420 (7.58%)
10 = 14059 (6.91%)
12 = 8627 (4.24%)
11 = 8525 (4.19%)
3 = 5589 (2.75%)
13 = 3759 (1.85%)
14 = 2617 (1.29%)
1 = 2247 (1.1%)
15 = 2025 (1.0%)
16 = 1786 (0.88%)
2 = 1539 (0.76%)
18 = 1256 (0.62%)
20 = 892 (0.44%)
17 = 826 (0.41%)
19 = 520 (0.26%)
24 = 386 (0.19%)
23 = 303 (0.15%)
21 = 275 (0.14%)
32 = 261 (0.13%)
22 = 190 (0.09%)
26 = 181 (0.09%)
25 = 172 (0.08%)
35 = 117 (0.06%)
31 = 111 (0.05%)
33 = 96 (0.05%)
34 = 90 (0.04%)
28 = 77 (0.04%)
36 = 75 (0.04%)
41 = 73 (0.04%)
30 = 67 (0.03%)
27 = 56 (0.03%)
29 = 47 (0.02%)
39 = 30 (0.01%)
38 = 22 (0.01%)
56 = 22 (0.01%)
49 = 20 (0.01%)
37 = 19 (0.01%)
45 = 16 (0.01%)
46 = 15 (0.01%)
44 = 12 (0.01%)
47 = 9 (0.0%)
40 = 9 (0.0%)
48 = 9 (0.0%)
52 = 8 (0.0%)
51 = 7 (0.0%)
42 = 7 (0.0%)
50 = 5 (0.0%)
64 = 4 (0.0%)
43 = 3 (0.0%)
62 = 3 (0.0%)
71 = 3 (0.0%)
54 = 2 (0.0%)
69 = 2 (0.0%)
63 = 1 (0.0%)
66 = 1 (0.0%)
60 = 1 (0.0%)
57 = 1 (0.0%)

One to six characters = 80830 (39.74%)
One to eight characters = 137069 (67.39%)
More than eight characters = 66331 (32.61%)

Only lowercase alpha = 83305 (40.96%)
Only uppercase alpha = 659 (0.32%)
Only alpha = 83964 (41.28%)
Only numeric = 23069 (11.34%)

First capital last symbol = 1318 (0.65%)
First capital last number = 4224 (2.08%)

Single digit on the end = 10990 (5.4%)
Two digits on the end = 5787 (2.85%)
Three digits on the end = 19356 (9.52%)

Last number
0 = 5035 (2.48%)
1 = 9472 (4.66%)
2 = 5868 (2.88%)
3 = 21244 (10.44%)
4 = 6911 (3.4%)
5 = 5498 (2.7%)
6 = 8139 (4.0%)
7 = 3273 (1.61%)
8 = 3836 (1.89%)
9 = 3934 (1.93%)

Last digit
3 = 21244 (10.44%)
1 = 9472 (4.66%)
6 = 8139 (4.0%)
4 = 6911 (3.4%)
2 = 5868 (2.88%)
5 = 5498 (2.7%)
0 = 5035 (2.48%)
9 = 3934 (1.93%)
8 = 3836 (1.89%)
7 = 3273 (1.61%)

Last 2 digits (Top 10)
23 = 17068 (8.39%)
56 = 5973 (2.94%)
34 = 3792 (1.86%)
45 = 2980 (1.47%)
12 = 2109 (1.04%)
21 = 2072 (1.02%)
11 = 1976 (0.97%)
89 = 1578 (0.78%)
00 = 1135 (0.56%)
10 = 1016 (0.5%)

Last 3 digits (Top 10)
123 = 16664 (8.19%)
456 = 5829 (2.87%)
234 = 3705 (1.82%)
345 = 2588 (1.27%)
321 = 1513 (0.74%)
111 = 1189 (0.58%)
789 = 1168 (0.57%)
678 = 758 (0.37%)
000 = 703 (0.35%)
567 = 672 (0.33%)

Last 4 digits (Top 10)
3456 = 5452 (2.68%)
1234 = 3635 (1.79%)
2345 = 2578 (1.27%)
1111 = 980 (0.48%)
6789 = 858 (0.42%)
5678 = 737 (0.36%)
4321 = 656 (0.32%)
4567 = 649 (0.32%)
3123 = 643 (0.32%)
7890 = 496 (0.24%)

Last 5 digits (Top 10)
23456 = 5439 (2.67%)
12345 = 2571 (1.26%)
56789 = 852 (0.42%)
11111 = 842 (0.41%)
45678 = 710 (0.35%)
34567 = 643 (0.32%)
23123 = 607 (0.3%)
54321 = 508 (0.25%)
67890 = 483 (0.24%)
00000 = 302 (0.15%)

Character sets
loweralpha: 83305 (40.96%)
loweralphanum: 53690 (26.4%)
numeric: 23069 (11.34%)
mixedalphanum: 8112 (3.99%)
loweralphaspecialnum: 7073 (3.48%)
loweralphaspecial: 5802 (2.85%)
mixedalphaspecialnum: 4159 (2.04%)
mixedalpha: 3041 (1.5%)
specialnum: 1849 (0.91%)
special: 1738 (0.85%)
upperalphanum: 1117 (0.55%)
mixedalphaspecial: 1017 (0.5%)
upperalphaspecial: 749 (0.37%)
upperalpha: 659 (0.32%)
upperalphaspecialnum: 364 (0.18%)

Character set ordering
allstring: 87005 (42.78%)
stringdigit: 35764 (17.58%)
othermask: 35359 (17.38%)
alldigit: 23069 (11.34%)
stringdigitstring: 6280 (3.09%)
digitstring: 4939 (2.43%)
stringspecialstring: 2298 (1.13%)
stringspecial: 2217 (1.09%)
stringspecialdigit: 1809 (0.89%)
digitstringdigit: 1756 (0.86%)
allspecial: 1738 (0.85%)
specialstring: 831 (0.41%)
specialstringspecial: 335 (0.16%)

Two items of note: 67% of attempted passwords were 1-8 characters long, and 41% were lowercase letters only, so a short lowercase wordlist covers most of what these scanners try. The most used password was 123456, which is the root password Kippo ships with in its default userdb. If an attacker changes the root password (or tries to create an account) inside a Kippo session, the password they set is captured and added to Kippo's allowed-credentials list, one user:uid:password entry per line.
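As an added example of the log parsing described above under PASSWORDS (my code, not the author's script and not part of Kippo), here is a parser that pulls login attempts out of kippo.log, builds the unique wordlist, lists the credentials Kippo accepted, and computes the same kind of numbers pipal reports (top passwords, the 1-8 character share, character-set classes). It assumes Kippo's default "login attempt [user/password] failed|succeeded" log line; the sample log is constructed in that style with documentation addresses, not data from this honeypot.

```python
"""Build a wordlist and pipal-style numbers from Kippo's kippo.log.

Added example, not the author's script or Kippo code. It assumes Kippo's
default text log line for an authentication attempt:
  <date> <time> [SSHService ssh-userauth on HoneyPotTransport,<id>,<src ip>] login attempt [<user>/<password>] failed|succeeded
SAMPLE_LOG is constructed in that style with 203.0.113.0/24 documentation
addresses; it is not data from the honeypot in the post.
"""
import re
import sys
from collections import Counter, namedtuple

SAMPLE_LOG = """\
2014-07-19 02:11:08+0000 [SSHService ssh-userauth on HoneyPotTransport,41,203.0.113.7] login attempt [root/123456] succeeded
2014-07-19 02:11:15+0000 [SSHService ssh-userauth on HoneyPotTransport,42,203.0.113.7] login attempt [root/changeme] failed
2014-07-19 02:11:16+0000 [SSHService ssh-userauth on HoneyPotTransport,42,203.0.113.7] login attempt [root/P@ssw0rd] failed
2014-07-19 02:11:17+0000 [SSHService ssh-userauth on HoneyPotTransport,42,203.0.113.7] login attempt [admin/admin123] failed
2014-07-19 03:40:51+0000 [SSHService ssh-userauth on HoneyPotTransport,43,203.0.113.9] login attempt [root/123456] succeeded
2014-07-19 03:40:52+0000 [HoneyPotTransport,43,203.0.113.9] CMD: uname -a
2014-07-19 03:41:02+0000 [SSHService ssh-userauth on HoneyPotTransport,44,203.0.113.9] login attempt [oracle/oracle] failed
2014-07-19 03:41:03+0000 [SSHService ssh-userauth on HoneyPotTransport,44,203.0.113.9] login attempt [test/test] failed
2014-07-19 03:41:04+0000 [SSHService ssh-userauth on HoneyPotTransport,44,203.0.113.9] login attempt [root/qaz2wsx] failed
"""

Attempt = namedtuple("Attempt", "ts src user password success")

# The password group is greedy so a password containing '/' or ']' still parses;
# the trailing 'failed|succeeded' anchor pins down where it ends.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<src>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>.*)\] (?P<result>failed|succeeded)$"
)


def parse_login_attempts(lines):
    """Return one Attempt per login line; other Kippo lines (CMD:, connects) are skipped."""
    attempts = []
    for line in lines:
        m = LOGIN_RE.match(line.rstrip("\r\n"))
        if m:
            attempts.append(Attempt(m["ts"], m["src"], m["user"], m["password"],
                                    m["result"] == "succeeded"))
    return attempts


def wordlist(attempts):
    """Unique passwords, most-attempted first (ties alphabetical): feed this to a cracker or pipal."""
    counts = Counter(a.password for a in attempts)
    return [pw for pw, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def classify(pw):
    """pipal-style character-set name, e.g. loweralphanum, mixedalphaspecialnum, numeric."""
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    special = any(not c.isalnum() for c in pw)
    if lower and upper:
        name = "mixedalpha"
    elif lower:
        name = "loweralpha"
    elif upper:
        name = "upperalpha"
    else:
        name = ""
    if special:
        name += "special"
    if digit:
        name += "num" if name else "numeric"
    return name or "empty"


def basic_stats(attempts, top=10):
    """Counts over all attempts (not unique), matching pipal's 'Total entries' view."""
    pws = [a.password for a in attempts]
    return {
        "total": len(pws),
        "unique": len(set(pws)),
        "top": Counter(pws).most_common(top),
        "one_to_eight": sum(1 for p in pws if 1 <= len(p) <= 8),
        "lengths": dict(sorted(Counter(len(p) for p in pws).items())),
        "charsets": Counter(classify(p) for p in pws),
    }


def successful_credentials(attempts):
    """(user, password, src) for logins Kippo accepted, i.e. entries in its allowed-credentials list."""
    return sorted({(a.user, a.password, a.src) for a in attempts if a.success})


if __name__ == "__main__":
    # Pass a real kippo.log path to analyse it; with no argument the constructed sample is used.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    attempts = parse_login_attempts(lines)
    stats = basic_stats(attempts)
    print("attempts:", stats["total"], "unique:", stats["unique"],
          "1-8 chars:", stats["one_to_eight"])
    for pw, n in stats["top"]:
        print(f"  {pw} = {n}")
    print("charsets:", dict(stats["charsets"]))
    print("accepted:", successful_credentials(attempts))
    print("\n".join(wordlist(attempts)))
```

Run it against a real kippo.log to get the wordlist on stdout; the accepted-credentials list is worth watching separately, because every entry in it is a password the honeypot will now let anyone in with.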
Kippo captured the following attacker-created credentials (user:uid:password, as Kippo stores them):
> root:0:albertinoalbert123
> root:0:fgashyeq77dhshfa
> root:0:florian12eu
> root:0:hgd177q891999wwwwwe1.dON
> root:0:iphone5
> root:0:kokot
> root:0:nope
> root:0:picvina
> root:0:scorpi123
> root:0:test
> root:0:xiaozhe
> root:0:12345
> root:0:bnn318da9031kdamfaihheq1fa
> root:0:ls
> root:0:neonhostt1
> root:0:wget123

DOWNLOADS:
When an attacker attempts to download a tool via wget, Kippo's fake wget actually fetches the file and stores it on the honeypot host (the names below are Kippo's timestamp_URL naming, with the URL's punctuation replaced by underscores), but the attacker cannot run or interact with it. With this we get a copy of whatever is being downloaded. In most cases these are IRC bots, but not all. I have made them all available for download. Here is a listing of all the files:
*Duplicates and obviously legitimate files have been removed from the list.
> 20131030113401_http___198_2_192_204_22_disknyp
> 20131103183232_http___61_132_227_111_8080_meimei
> 20131104045744_http___198_2_192_204_22_disknyp
> 20131114214017_http___www_unrealircd_com_downloads_Unreal3_2_8_1_tar_gz
> 20131116130541_http___198_2_192_204_22_disknyp
> 20131129165151_http___dl_dropboxusercontent_com_s_1bxj9ak8m1octmk_ktx_c
> 20131129165438_http___dl_dropboxusercontent_com_s_66gpt66lvut4gdu_ktx
> 20131202040921_http___198_2_192_204_22_disknyp
> 20131207123419_http___packetstorm_wowhacker_com_DoS_juno_c
> 20131216143108_http___www_psybnc_at_download_beta_psyBNC_2_3_2_7_tar_gz
> 20131216143208_http___X_hackersoft_org_scanner_gosh_jpg
> 20131216143226_http___download_microsoft_com_download_win2000platform_SP_SP3_NT5_EN_US_W2Ksp3_exe
> 20131217163423_http___ha_ckers_org_slowloris_slowloris_pl
> 20131217163456_http___www_lemarinel_net_perl
> 20131222084315_http___maxhub_com_auto_bill_pipe_bot
> 20140103142644_http___ftp_gnu_org_gnu_autoconf_autoconf_2_69_tar_gz
> 20140109170001_http___sourceforge_net_projects_cpuminer_files_pooler_cpuminer_2_3_2_linux_x86_tar_gz
> 20140120152204_http___111_39_43_54_5555_dos32
> 20140122202342_http___layer1_cpanel_net_latest
> 20140122202549_http___linux_duke_edu_projects_yum_download_2_0_yum_2_0_7_tar_gz
> 20140122202751_http___www_ehcp_net_ehcp_latest_tgz
> 20140201131804_http___www_suplementar_com_br_images_stories_goon_pooler_cpuminer_2_3_2_tar_gz
> 20140201152307_http___nemo_rdsor_ro_darwin_jpg
> 20140208081358_http___www_youtube_com_watch_v_6hVQs5ll064
> 20140208184835_http___sharplase_ru_x_txt
> 20140215141909_http___tenet_dl_sourceforge_net_project_cpuminer_pooler_cpuminer_2_3_2_tar_gz
> 20140215142830_http___sourceforge_net_projects_cpuminer_files_pooler_cpuminer_2_3_2_tar_gz
> 20140219072721_http___www_psybnc_at_download_beta_psyBNC_2_3_2_7_tar_gz
> 20140328031725_http___dl_dropboxusercontent_com_u_133538399_multi_py
> 20140409053322_http___www_c99php_com_shell_c99_rar
> 20140409053728_http___github_com_downloads_orbweb_PHP_SHELL_WSO_wso2_5_1_php
> 20140413130110_http___www_iphobos_com_hb_unixcod_rar
> 20140416194008_http___linux_help_bugs3_com_Camel_mail_txt
> 20140419143734_http___www_activestate_com_activeperl_downloads_thank_you_dl_http___downloads_activestate_com_ActivePerl_releases_5_18_2_1802_ActivePerl_5_18_2_1802_x86_64_linux_glibc_2_5_298023_tar_gz
> 20140419144043_http___ha_ckers_org_slowloris_slowloris_pl
> 20140420104056_http___downloads_metasploit_com_data_releases_archive_metasploit_4_9_2_linux_x64_installer_run
> 20140420104325_http___nmap_org_dist_nmap_6_46_1_i386_rpm
> 20140505073503_http___116_255_239_180_888_007
> 20140505093229_http___119_148_161_25_805_sd32
> 20140505111511_http___112_117_223_10_280_1
> 20140515091557_http___112_117_223_10_280__bash_6_phpmysql
> 20140519193800_http___www_unrealircd_com_downloads_Unreal3_2_8_1_tar_gz
> 20140523120411_http___lemonjuice_tk_netcat_sh
> 20140610174516_http___59_63_183_193_280__etc_Test8888
> 20140614200901_http___kismetismy_name_ktx
> 20140625032113_http___ftp_mirrorservice_org_sites_ftp_wiretapped_net_pub_security_packet_construction_netcat_gnu_netcat_netcat_0_7_1_tar_gz
> 20140720005010_http___www_bl4ck_viper_persiangig_com_p8_localroots_2_6_x_cw7_3

To see the full source for some of the scripts downloaded by the attackers you can go to this Github Repo. A couple of my favorite ones.

TTY REPLAY SESSIONS:
My absolute favorite feature of Kippo is the ability to replay interactive sessions of attacker activity. Watching these replays gives us an idea of what attackers do once inside a session. For instance, almost every session begins with "w", which shows logged-in users and uptime, and then "uname -a" to show them system details. I made a YouTube series called The Kippo Kronicles a while back to showcase some of these sessions. While I don't have the time necessary to continue putting up videos for each session, I have put the output of each session up at this Github Repo. Here is a fun example. (The [1D and [1P fragments below are terminal control sequences, cursor-left and delete-character, whose leading ESC byte was lost when the replay was pasted; they are the attacker backspacing over typos, so "cd /[1D[1P[1D[1P[1D[1P[1D[1Pcat /etc/passwd" means "cd /" was erased and "cat /etc/passwd" was submitted instead.)

> AWSWeb:~# adduser
> adduser: Only one or two names allowed.
> AWSWeb:~# useradd
> adduser: Only one or two names allowed.
> AWSWeb:~# ls
> AWSWeb:~# pwd
> root
> AWSWeb:~# cd /[1D[1P[1D[1P[1D[1P[1D[1Pcat /etc/passwd
> root:x:0:0:root:/root:/bin/bash
> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
> bin:x:2:2:bin:/bin:/bin/sh
> sys:x:3:3:sys:/dev:/bin/sh
> sync:x:4:65534:sync:/bin:/bin/sync
> games:x:5:60:games:/usr/games:/bin/sh
> man:x:6:12:man:/var/cache/man:/bin/sh
> lp:x:7:7:lp:/var/spool/lpd:/bin/sh
> mail:x:8:8:mail:/var/mail:/bin/sh
> news:x:9:9:news:/var/spool/news:/bin/sh
> uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
> proxy:x:13:13:proxy:/bin:/bin/sh
> www-data:x:33:33:www-data:/var/www:/bin/sh
> backup:x:34:34:backup:/var/backups:/bin/sh
> list:x:38:38:Mailing List Manager:/var/list:/bin/sh
> irc:x:39:39:ircd:/var/run/ircd:/bin/sh
> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
> libuuid:x:100:101::/var/lib/libuuid:/bin/sh
> richard:x:1000:1000:richard,,,:/home/richard:/bin/bash
> sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
> AWSWeb:~# user
> bash: user: command not found
> AWSWeb:~# adduser obz
> Adding user `obz' ...
> Adding new group `obz' (1001) ...
> Adding new user `obz' (1001) with group `obz' ...
> Creating home directory `/home/obz' ...
> Copying files from `/etc/skel' ...
> Password:
> Password again:
>
> Changing the user information for obz
> Enter the new value, or press ENTER for the default
> Username []:
> Must enter a value!
> Username []: obz
> Full Name []: l[1D[1Padmin obz
> Room Number []: 1
> Work Phone []: 1234567890
> Home Phone []:
> Must enter a value!
> Home Phone []: 0
> Mobile Phone []: 0
> Country []: cn
> City []: xang
> Language []: mand
> Favorite movie []: 1
> Other []: 1
> Is the information correct? [Y/n] y
> ERROR: Some of the information you entered is invalid
> Deleting user `obz' ...
> Deleting group `obz' (1001) ...
> Deleting home directory `/home/obz' ...
> Try again? [Y/n] y
>
> Changing the user information for obz
> Enter the new value, or press ENTER for the default
> Username []: obx
> Full Name []: obx toor
> Room Number []: 1
> Work Phone []: 1[1D[1P9089543121
> Home Phone []: 9089342135
> Mobile Phone []: 9089439012
> Country []: cn
> City []: xang
> Language []: man[1D[1P[1D[1P[1D[1Penglish
> Favorite movie []: one
> Other []: two[1D[1P[1D[1P[1D[1Pfour
> Is the information correct? [Y/n] y
> ERROR: Some of the information you entered is invalid
> Deleting user `obz' ...
> Deleting group `obz' (1001) ...
> Deleting home directory `/home/obz' ...
> Try again? [Y/n] n
> AWSWeb:~# cat adduser obz user cat /etc/passwd
> root:x:0:0:root:/root:/bin/bash
> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
> bin:x:2:2:bin:/bin:/bin/sh
> sys:x:3:3:sys:/dev:/bin/sh
> sync:x:4:65534:sync:/bin:/bin/sync
> games:x:5:60:games:/usr/games:/bin/sh
> man:x:6:12:man:/var/cache/man:/bin/sh
> lp:x:7:7:lp:/var/spool/lpd:/bin/sh
> mail:x:8:8:mail:/var/mail:/bin/sh
> news:x:9:9:news:/var/spool/news:/bin/sh
> uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
> proxy:x:13:13:proxy:/bin:/bin/sh
> www-data:x:33:33:www-data:/var/www:/bin/sh
> backup:x:34:34:backup:/var/backups:/bin/sh
> list:x:38:38:Mailing List Manager:/var/list:/bin/sh
> irc:x:39:39:ircd:/var/run/ircd:/bin/sh
> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
> libuuid:x:100:101::/var/lib/libuuid:/bin/sh
> richard:x:1000:1000:richard,,,:/home/richard:/bin/bash
> sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
> AWSWeb:~# cat /etc/shadow
> cat: /etc/shadow: No such file or directory
> AWSWeb:~# /etc/init.d\[1D[1P[1D[1PD/ssh start
> bash: /etc/init.D/ssh: command not found
> AWSWeb:~# [K/etc/init.D/ssh start[1D[1D[1D[1D[1D[1D[1D[1D[1D[1D[1D[1Pd
> bash: /etc/init.d/ssh: command not found
> AWSWeb:~#
> AWSWeb:~#
> AWSWeb:~#
> AWSWeb:~#
> AWSWeb:~#
> AWSWeb:~#
> AWSWeb:~#
> AWSWeb:~#
> AWSWeb:~#
> AWSWeb:~# exit
> cConnection to server closed.
> localhost:~# exit
> Connection to server closed.
> localhost:~# bye
> bash: bye: command not found
> localhost:~# exit
> Connection to server closed.
> localhost:~# admin
> bash: admin: command not found
> localhost:~# su
> localhost:~# ls -l
> drwxr-xr-x 1 root root 4096 2013-02-03 17:11 .
> drwxr-xr-x 1 root root 4096 2013-02-03 17:11 ..
> drwxr-xr-x 1 root root 4096 2009-11-06 11:16 .debtags
> -rw------- 1 root root 5515 2009-11-20 09:08 .viminfo
> drwx------ 1 root root 4096 2009-11-06 11:13 .aptitude
> -rw-r--r-- 1 root root 140 2009-11-06 11:09 .profile
> -rw-r--r-- 1 root root 412 2009-11-06 11:09 .bashrc
> localhost:~# pwd
> /root
> localhost:~# cd /
> localhost:/# ls -l
> drwxr-xr-x 1 root root 4096 2013-02-03 17:11 .
> drwxr-xr-x 1 root root 4096 2013-02-03 17:11 ..
> drwxr-xr-x 1 root root 0 2009-11-20 08:19 sys
> drwxr-xr-x 1 root root 4096 2009-11-08 15:42 bin
> drwxr-xr-x 1 root root 4096 2009-11-06 11:08 mnt
> drwxr-xr-x 1 root root 4096 2009-11-06 11:08 media
> lrwxrwxrwx 1 root root 25 2009-11-06 11:16 vmlinuz -> /boot/vmlinuz-2.6.26-2-686
> drwxr-xr-x 1 root root 4096 2009-11-06 11:09 opt
> lrwxrwxrwx 1 root root 11 2009-11-06 11:08 cdrom -> /media/cdrom0
> drwxr-xr-x 1 root root 4096 2009-11-06 11:08 selinux
> drwxrwxrwx 1 root root 4096 2009-11-20 08:19 tmp
> dr-xr-xr-x 1 root root 0 2009-11-20 08:19 proc
> drwxr-xr-x 1 root root 4096 2009-11-08 15:41 sbin
> drwxr-xr-x 1 root root 4096 2009-11-20 08:20 etc
> drwxr-xr-x 1 root root 3200 2009-11-20 08:20 dev
> drwxr-xr-x 1 root root 4096 2009-11-06 11:09 srv
> lrwxrwxrwx 1 root root 28 2009-11-06 11:16 initrd.img -> /boot/initrd.img-2.6.26-2-686
> drwxr-xr-x 1 root root 4096 2009-11-08 15:46 lib
> drwxr-xr-x 1 root root 4096 2009-11-06 11:22 home
> drwxr-xr-x 1 root root 4096 2009-11-06 11:09 var
> drwxr-xr-x 1 root root 4096 2009-11-08 15:46 usr
> drwxr-xr-x 1 root root 4096 2009-11-08 15:39 boot
> drwxr-xr-x 1 root root 4096 2009-11-20 09:08 root
> drwx------ 1 root root 16384 2009-11-06 11:08 lost+found
> localhost:/# cd /home
> localhost:/home# ls -l
> ldrwxr-xr-x 1 root root 4096 2013-02-03 17:11 .
> drwxr-xr-x 1 root root 4096 2013-02-03 17:11 ..
> drwxr-xr-x 1 1000 1000 4096 2009-11-06 11:22 richard
> localhost:/home# exit
> Connection to server closed.
> localhost:~#
> localhost:~#
> localhost:~#
> localhost:~#
> localhost:~#
> localhost:~#
> localhost:~# ssh -D root@http://60.250.65.112/ 1337
> The authenticity of host '60.250.65.112 (60.250.65.112)' can't be established.
> RSA key fingerprint is 9d:30:97:8a:9e:48:0d:de:04:8d:76:3a:7b:4b:30:f8.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added '60.250.65.112' (RSA) to the list of known hosts.
> root@60.250.65.112's password:
> Linux localhost 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686
> Last login: Sat Feb 2 07:07:11 2013 from 192.168.9.4
> localhost:~# uname -a
> Linux localhost 2.6.24-2-generic #1 SMP Thu Dec 20 17:36:12 GMT 2007 i686 GNU/Linux
> localhost:~# pwd
> /root
> localhost:~# cd /
> localhost:/# ls -l
> drwxr-xr-x 1 root root 4096 2013-02-03 17:19 .
> drwxr-xr-x 1 root root 4096 2013-02-03 17:19 ..
> drwxr-xr-x 1 root root 0 2009-11-20 08:19 sys
> drwxr-xr-x 1 root root 4096 2009-11-08 15:42 bin
> drwxr-xr-x 1 root root 4096 2009-11-06 11:08 mnt
> drwxr-xr-x 1 root root 4096 2009-11-06 11:08 media
> lrwxrwxrwx 1 root root 25 2009-11-06 11:16 vmlinuz -> /boot/vmlinuz-2.6.26-2-686
> drwxr-xr-x 1 root root 4096 2009-11-06 11:09 opt
> lrwxrwxrwx 1 root root 11 2009-11-06 11:08 cdrom -> /media/cdrom0
> drwxr-xr-x 1 root root 4096 2009-11-06 11:08 selinux
> drwxrwxrwx 1 root root 4096 2009-11-20 08:19 tmp
> dr-xr-xr-x 1 root root 0 2009-11-20 08:19 proc
> drwxr-xr-x 1 root root 4096 2009-11-08 15:41 sbin
> drwxr-xr-x 1 root root 4096 2009-11-20 08:20 etc
> drwxr-xr-x 1 root root 3200 2009-11-20 08:20 dev
> drwxr-xr-x 1 root root 4096 2009-11-06 11:09 srv
> lrwxrwxrwx 1 root root 28 2009-11-06 11:16 initrd.img -> /boot/initrd.img-2.6.26-2-686
> drwxr-xr-x 1 root root 4096 2009-11-08 15:46 lib
> drwxr-xr-x 1 root root 4096 2009-11-06 11:22 home
> drwxr-xr-x 1 root root 4096 2009-11-06 11:09 var
> drwxr-xr-x 1 root root 4096 2009-11-08 15:46 usr
> drwxr-xr-x 1 root root 4096 2009-11-08 15:39 boot
> drwxr-xr-x 1 root root 4096 2009-11-20 09:08 root
> drwx------ 1 root root 16384 2009-11-06 11:08 lost+found
> localhost:/# cd /root
> localhost:~# ls -l
> ldrwxr-xr-x 1 root root 4096 2013-02-03 17:19 .
> drwxr-xr-x 1 root root 4096 2013-02-03 17:19 ..
> drwxr-xr-x 1 root root 4096 2009-11-06 11:16 .debtags
> -rw------- 1 root root 5515 2009-11-20 09:08 .viminfo
> drwx------ 1 root root 4096 2009-11-06 11:13 .aptitude
> -rw-r--r-- 1 root root 140 2009-11-06 11:09 .profile
> -rw-r--r-- 1 root root 412 2009-11-06 11:09 .bashrc
> localhost:~# cd /ho[1D[1P[1D[1P[1D[1P[1D[1P[1D[1P[1D[1Pcd /home/
> localhost:/home# ls -l
> drwxr-xr-x 1 root root 4096 2013-02-03 17:20 .
> drwxr-xr-x 1 root root 4096 2013-02-03 17:20 ..
> drwxr-xr-x 1 1000 1000 4096 2009-11-06 11:22 richard
> localhost:/home# exit
> Connection to server closed.
> localhost:~# exit
> Connection to server closed.
> localhost:~#

CONCLUSION:
After a year with Kippo, I have learned a lot about what these basic attackers do when connecting to seemingly open SSH hosts. There is plenty more to learn though. I have some plans on building out a larger honeypot infrastructure and automating some of the data collection and parsing. Additionally, I would like to spend more time analyzing the sessions and malware for further trends. I'll keep you all posted!
*Big thanks to Bruteforce Labs for their tools and expertise in honeypots.
tagged Kippo, Pipal, honeypot, python, ssh in News

Copyright © 2011, TekDefense. All rights reserved.
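The replay in TTY REPLAY SESSIONS above is readable, but the [1D/[1P runs hide what the attacker actually submitted. The following added example (mine, not Kippo's replay tool and not the author's code) recovers the submitted command line by applying those control sequences the way a line editor does, then walks a transcript and lists the commands and the usual recon ones. The sample transcript is constructed in the style of the session above, with the real ESC byte (0x1b) that the pasted version lost; the host:cwd# prompt pattern is an assumption matching the prompts in that session.

```python
"""Recover what an attacker typed from a Kippo-style TTY replay.

Added example, not Kippo code. A replay echoes the attacker's line editing
as terminal control sequences; the ones seen in the post are
  ESC [ n D   cursor left n columns
  ESC [ n P   delete n characters at the cursor (DCH)
  ESC [ K     erase from the cursor to end of line (EL)
Characters are inserted at the cursor, so "cd /" + 4x(left, delete) +
"cat /etc/passwd" yields "cat /etc/passwd". SAMPLE_REPLAY is constructed
in the style of the session in the post, with real ESC bytes.
"""
import re
from collections import Counter

SAMPLE_REPLAY = (
    "AWSWeb:~# w\n"
    " 17:11:02 up 12 days,  3:04,  1 user,  load average: 0.00, 0.01, 0.05\n"
    "AWSWeb:~# uname -a\n"
    "Linux AWSWeb 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686 GNU/Linux\n"
    "AWSWeb:~# cd /\x1b[1D\x1b[1P\x1b[1D\x1b[1P\x1b[1D\x1b[1P\x1b[1D\x1b[1Pcat /etc/passwd\n"
    "root:x:0:0:root:/root:/bin/bash\n"
    "AWSWeb:~# /etc/init.d\\\x1b[1D\x1b[1P\x1b[1D\x1b[1PD/ssh start\n"
    "bash: /etc/init.D/ssh: command not found\n"
    "AWSWeb:~# \x1b[K/etc/init.D/ssh start" + "\x1b[1D" * 11 + "\x1b[1Pd\n"
    "bash: /etc/init.d/ssh: command not found\n"
    "AWSWeb:~# exit\n"
)

# CSI sequence: ESC '[' optional count, final letter.
CSI_RE = re.compile(r"\x1b\[(\d*)([A-Za-z])")
# Prompt as seen in the replay: host:cwd# <input>   (assumption for this example)
PROMPT_RE = re.compile(r"^(?P<host>[^\s:]+):(?P<cwd>\S*)# (?P<input>.*)$")
# Commands that open nearly every session in the post.
RECON_COMMANDS = ("w", "uname -a", "cat /etc/passwd", "cat /etc/shadow", "id", "ls -l")


def recover_typed_line(echo):
    """Replay one echoed input line and return the text that was finally submitted."""
    buf, cur, i = [], 0, 0
    while i < len(echo):
        m = CSI_RE.match(echo, i)
        if m:
            n = int(m.group(1) or 1)
            final = m.group(2)
            if final == "D":                       # cursor left
                cur = max(0, cur - n)
            elif final == "C":                     # cursor right
                cur = min(len(buf), cur + n)
            elif final == "P":                     # delete n chars under the cursor
                del buf[cur:cur + n]
            elif final == "K":                     # erase to end of line
                del buf[cur:]
            # any other CSI sequence (colours, etc.) is ignored
            i = m.end()
            continue
        ch = echo[i]
        if ch in "\x08\x7f":                       # raw backspace / DEL from some clients
            if cur > 0:
                cur -= 1
                del buf[cur]
        elif ch >= " ":                            # printable: insert at the cursor
            buf.insert(cur, ch)
            cur += 1
        i += 1                                     # other control bytes (\r, \a) are dropped
    return "".join(buf)


def extract_commands(replay_text):
    """Return the submitted command for every prompt line in a replay transcript."""
    cmds = []
    for line in replay_text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            cmd = recover_typed_line(m["input"]).strip()
            if cmd:
                cmds.append(cmd)
    return cmds


def recon_commands(cmds):
    """The subset of commands that are plain reconnaissance, in the order they were run."""
    return [c for c in cmds if c in RECON_COMMANDS]


def command_histogram(cmds):
    """How often each command was run: across many sessions this shows the common playbook."""
    return Counter(cmds)


if __name__ == "__main__":
    cmds = extract_commands(SAMPLE_REPLAY)
    for c in cmds:
        print(("recon  " if c in RECON_COMMANDS else "       ") + c)
    print(command_histogram(cmds).most_common(3))
```

To use it on saved replays, capture the playback output (with ESC bytes intact, e.g. by redirecting it to a file rather than copying from a terminal) and pass the file contents to extract_commands; the histogram over all sessions is what backs a claim like "almost every session begins with w and uname -a".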