Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: A Couple of SSH Brute Force Compromises SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
A Couple of SSH Brute Force Compromises

One common and stupidly simple way hosts are compromissed is weak SSH passwords. You would think people have learned by now, but evidently there are still enough systems with root passwords like 12345 around to make scanning for them a worthwhile exercise. As a result, one of my favorite honeypot tools is kippo, and we have talked about the tool before. I figured it is a good time again to write a quick update on some recent compromisses

The basic compromisse tends to follow a basic pattern:

- user logs in as root
- looks a bit around the system (uname -a, cpuinfo and the like)
- sometimes performes a bandwidth test by downloading a large file, for example a Windows service pack.
- the installs some kind of rootkit/backdoor/bot
- sometimes adds a user to the system.

Here are some of the recent artifacts:

- a UID 0 user called "cvsroot" (this user CAN be found on normal systems, but not with a UID of 0)
- the usual "hidden" directory name of many spaces (e.g. cd /var/tmp; mkdir "    " )

Here are some of the domains I have seen used to download bots  and other tools from:

bnry.jorgee.nu, anglefire.com/komales88, donjoan.go.ro

One particular interesting attacker actually used a little trick to figure out if the system ran kippo, by installing a non-existing package. If the "apt-get" command is used, kippo will always simulate success, even if the packes wouldn't exist. So our enterprising hacker issued the following command:

apt-get install kippofuck

and of course, kippo pretended to install this package. The attacker of course immediatly disconnected.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS San Francisco Spring 2020

 Johannes

3693 Posts
ISC Handler
Subscribe Jul 25th 2013
6 years ago
Dr J -- here is a short video of one of my own Kippo visitors: hxxp://www.securitytube.net/video/7339

J
 HackDefendr

65 Posts
Quote Jul 26th 2013
6 years ago
Great video :) I really love how kippo provides a plausible shell with very little code. Have to patch it a bit to fix the "kippofuck" issue above. Isn't there also some script to turn the kippo tty log into a playable javascript?
 Johannes

3693 Posts
ISC Handler
Quote Jul 26th 2013
6 years ago
Quoting Johannes:.... Isn't there also some script to turn the kippo tty log into a playable javascript?


You can replay a tty log with kippo's playlog.py utility like this, assuming you are in the default kippo directory, (Of course, you would want to pick the tty logfile of interest that is on your system).

utils/playlog.py log/tty/yyymmdd-123456-789.log 0

Don't forget the zero at the end.

- n3kt0n
 Anonymous
Quote Jul 26th 2013
6 years ago

Sign Up for Free or Log In to start participating in the conversation!