Busybox Honeypot Fingerprinting and a new DVR scanner
My little "lab of vulnerable devices" is still getting regular visits from script kiddies worldwide. By now, I replaced some of the simulated honeypots with actual devices, giving me a bit more accurate view of what is happening and how attackers are distinguishing honeypots from real devices. For example, the DVR I set up with default telnet credentials is getting regularly visited and the following command tends to get executed first:
/bin/busybox;echo -e '\147\141\171\146\147\164'
The output is the busybox "help" screen, followed by the characters represented by the "echo" command. The characters are represented in octal in this case.
For example, on my busybox DVR:
[root@dvrdvs /] # echo -e '\101\102\103\104\105\106'
ABCDEF
On the other hand, the same command on my Mac or a "normal" Linux system:
$ echo -e '\101\102\103\104\105\106'
\101\102\103\104\105\106
(the actual string used is a bit different but spells out a word I didn't feel comfortable posting here)
I also set up a little web-based scanner to test for vulnerable DVRs. The scanner will try to connect via telnet using the common default credentials "root" and "12345". If the login is successful, the scanner will try to run "ps" to look for the "cmd.so" entry commonly associated with the litecoin miner we found recently on these devices. You can find the scanner at https://isc.sans.edu/tools/dvrtest.html . By default, it will just scan the IP address you are connecting from. If you log in, you may specify other IP addresses. Please only use against IP addresses you are authorized to scan.
And a quick update on the "honeypot fingerprinting": I am also seeing "echo -e \\x51\\x51" . But this appears to return "QQ" no matter if it is running on the DVR or a normal Linux system.
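The escape handling described above, modelled as an added example (not code from the original post, busybox or bash): it decodes a logged echo -e probe the way the page shows each shell behaving, then reports whether the probe separates the two and whether a honeypot's reply matches the busybox result. The function names and the sample log are constructed for illustration, and only the \NNN, \0NNN and \xHH forms seen on this page are modelled.

```python
import re

# Escape forms seen in the probes on this page: \xHH, \0NNN and bare \NNN.
_ESC = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|0[0-7]{0,3}|[1-7][0-7]{0,2})')
_CMD = re.compile(r"echo\s+-e\s+(?:'([^']*)'|(\S+))")

def echo_e(arg, flavor):
    """Model what `echo -e ARG` prints (newline omitted) for 'busybox' or 'bash'."""
    def decode(m):
        body = m.group(1)
        if body[0] == 'x':
            return chr(int(body[1:], 16))
        if body[0] == '0' or flavor == 'busybox':
            return chr(int(body, 8) & 0xFF)
        return m.group(0)          # bash builtin: bare \NNN stays literal
    return _ESC.sub(decode, arg)

def echo_arg(cmdline):
    """Pull the echo -e argument out of a logged command, undoing shell quoting."""
    m = _CMD.search(cmdline)
    if not m:
        return None
    if m.group(1) is not None:
        return m.group(1)                    # single quotes: taken literally
    return m.group(2).replace('\\\\', '\\')  # unquoted: shell turns \\ into \

def assess(cmdline, emulated_reply=None):
    """Report whether a probe separates busybox from bash, and whether the
    echo part of a honeypot's reply matches what a busybox device prints."""
    arg = echo_arg(cmdline)
    if arg is None:
        return None
    bb, sh = echo_e(arg, 'busybox'), echo_e(arg, 'bash')
    result = {'busybox': bb, 'bash': sh, 'discriminating': bb != sh}
    if emulated_reply is not None:
        result['reply_matches_busybox'] = emulated_reply.strip() == bb
    return result

# Constructed sample log: (command received, echo output the honeypot sent).
SAMPLE_LOG = [
    (r"/bin/busybox;echo -e '\101\102\103\104\105\106'", r"\101\102\103\104\105\106"),
    (r"echo -e \\x51\\x51", "QQ"),
]

if __name__ == '__main__':
    for cmd, reply in SAMPLE_LOG:
        print(cmd, '->', assess(cmd, reply))
```

A reply flagged as discriminating but not matching busybox is one where the emulated shell gives itself away to this kind of probe.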
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Comments
$ man echo
DESCRIPTION
Echo the STRING(s) to standard output.
-e enable interpretation of backslash escapes
\0NNN byte with octal value NNN (1 to 3 digits)
NOTE: your shell may have its own version of echo, which usually supersedes the version described here. Please refer to
your shell’s documentation for details about the options it supports.
[root@be1 ~]# echo -e '\0101\0102\0103\0104\0105\0106'
ABCDEF
[root@be1 ~]# uname -srv
Linux 2.6.32-358.el6.i686 #1 SMP Thu Feb 21 21:50:49 UTC 2013
[root@be1 ~]# type echo
echo is a shell builtin
[root@be1 ~]# echo $SHELL
/bin/bash
Anonymous
May 1st 2014
http://lists.busybox.net/pipermail/busybox/2012-March/077492.html
You can replicate the behavior by using Busybox as your Echo:
# echo -e '\101'
\101
# busybox echo -e '\101'
A
# uname -a
Linux localhost 2.6.32-431.11.2.el6.x86_64 #1 SMP Mon Mar 3 13:32:45 EST 2014 x86_64 x86_64 x86_64 GNU/Linux
#
Anonymous
May 2nd 2014