Last Updated: 2014-05-01 16:38:30 UTC
by Johannes Ullrich (Version: 1)
My little "lab of vulnerable devices" is still getting regular visits from script kiddies worldwide. By now, I have replaced some of the simulated honeypots with actual devices, giving me a somewhat more accurate view of what is happening and of how attackers distinguish honeypots from real devices. For example, the DVR I set up with default telnet credentials is visited regularly, and the following command tends to be executed first:
/bin/busybox;echo -e '\147\141\171\146\147\164'
The output is the busybox "help" screen, followed by the characters represented by the "echo" command. The characters are given as octal escape sequences in this case.
For example, on my busybox DVR:
[root@dvrdvs /] # echo -e '\101\102\103\104\105\106'
On the other hand, the same command on my Mac or on a "normal" Linux system:
$ echo -e '\101\102\103\104\105\106'
(the actual string used is a bit different but spells out a word I didn't feel comfortable posting here)
I also set up a little web-based scanner to test for vulnerable DVRs. The scanner will try to connect via telnet using the common default credentials "root" and "12345". If the login is successful, the scanner will try to run "ps" to look for the "cmd.so" entry commonly associated with the litecoin miner we found recently on these devices. You can find the scanner at https://isc.sans.edu/tools/dvrtest.html . By default, it will only scan the IP address you are connecting from. If you log in, you may specify other IP addresses. Please only use it against IP addresses you are authorized to scan.
And a quick update on the "honeypot fingerprinting": I am also seeing "echo -e \\x51\\x51". But this appears to return "QQ" no matter whether it is running on the DVR or on a normal Linux system.
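If you run a telnet honeypot yourself, the fingerprinting probes above are easy to pick out of the session log. The following Python is an added example (not code from the diary or from the ISC scanner): it scans a few constructed session lines in the form "timestamp source-ip command", flags any "echo -e" whose argument is made of octal or hex escapes, and decodes the escapes the way bash's echo would so the analyst sees the literal the attacker expects back.

```python
import re

# Escape forms bash's "echo -e" understands that matter here: \xHH hex,
# and \0nnn / \nnn octal. (Added example; busybox's own handling of the
# same escapes is exactly what the probe is trying to tell apart.)
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\0?([0-7]{1,3})')

# "echo -e" followed by a (optionally single-quoted) run of escapes.
ECHO_PROBE_RE = re.compile(r"echo\s+-e\s+'?([\\0-9A-Za-z]+)'?")

# Constructed sample log, not real honeypot data: <timestamp> <src_ip> <command>
SAMPLE_LOG = [
    "2014-05-01T10:00:01Z 192.0.2.10 /bin/busybox;echo -e '\\101\\102\\103\\104\\105\\106'",
    "2014-05-01T10:00:05Z 192.0.2.10 echo -e \\\\x51\\\\x51",
    "2014-05-01T10:00:09Z 198.51.100.7 ps",
]


def decode_echo_escapes(payload: str) -> str:
    """Return the text 'echo -e' would print for PAYLOAD (bash semantics)."""
    # The "\\x51" form seen in the wild carries doubled backslashes; collapse
    # them first so the escape regex sees a single backslash.
    text = payload.replace('\\\\', '\\')

    def repl(m: re.Match) -> str:
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)

    return ESCAPE_RE.sub(repl, text)


def find_fingerprint_probes(lines):
    """Return one finding per session line that carries an escaped 'echo -e'.

    Each finding records the source, the raw command, the decoded literal the
    attacker expects to see, and whether busybox was invoked in the same line
    (the combination seen on the DVR honeypot).
    """
    findings = []
    for line in lines:
        parts = line.split(' ', 2)
        if len(parts) < 3:
            continue  # malformed line, skip rather than guess
        _ts, src, cmd = parts
        m = ECHO_PROBE_RE.search(cmd)
        if not m:
            continue
        findings.append({
            'src': src,
            'command': cmd,
            'decoded': decode_echo_escapes(m.group(1)),
            'busybox': 'busybox' in cmd,
        })
    return findings


if __name__ == '__main__':
    for f in find_fingerprint_probes(SAMPLE_LOG):
        print(f"{f['src']} busybox={f['busybox']} expects {f['decoded']!r}")
```

Comparing the decoded literal with what the device actually returns is the check the attacker is making; seeing the two probes from one source in quick succession is a reasonable trigger for alerting on that source.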