I wrote a diary six months ago about using INetSim as a honeypot. Over the past few weeks I have captured only one package type uploaded through the FTP service to my honeypot, a Bitcoin Miner. As for the web service, I have been getting the same command (captured as a file) several times as an ASCII encoded command (cmd=):

cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%36%31%30%63%6B%65%72%20%3E%20%36%31%30%63%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%36%31%30%63%6B%65%72%2E%74%78%74

The command translates into a UNIX command as follows:

cd /var/tmp && echo -ne \\x3610cker > 610cker.txt && cat 610cker.txt

Some of the web GET/POST traffic captured over HTTP/SSL:

url=http://192.168.152.84/robots.txt

The first 5 files are all the same file; the file was uploaded via FTP multiple times and is a well-known Bitcoin Miner package. The last file was also uploaded a few days ago and is also a new type of Bitcoin Miner package (zip):

[1] 1578496 Oct 25 00:49 2288866c1ed93431bc46df5c83977dda64272144

VirusTotal results [1][2][3][4][5]: https://www.virustotal.com/en/file/807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d/analysis/
Guy 495 Posts ISC Handler Nov 13th 2016

Nov 13th 2016 4 years ago
Again I know my lack of knowledge on this subject will stand out, but what is x3610cker?
jACKtheRipper 63 Posts |
Nov 14th 2016 4 years ago
According to https://www.protectwise.com/blog/observing-large-scale-router-exploit-attempts.html this is an attempt to ID vulnerable home routers
jACKtheRipper 1 Posts |
Nov 14th 2016 4 years ago
This command, cd /var/tmp && echo -ne \\x3610cker > 610cker.txt && cat 610cker.txt, attempts to create a file in /var/tmp, x3610cker, and then tries to read it.
Guy 495 Posts ISC Handler |
Nov 15th 2016 4 years ago
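To make the diary's captured cmd= value and the handler's explanation of it concrete, here is an added example (my own code, not the diary author's or any commenter's). It percent-decodes the captured parameter, applies the backslash removal a POSIX shell performs on an unquoted word, then emulates the escapes that echo -e understands, which shows what 610cker.txt would actually contain after the command runs and why the trailing cat matters: the sender gets the marker back in the HTTP response, which is consistent with the router-identification attempt described above. The only real input is the captured string from the diary; the function names and the echo-escape subset are my assumptions.

```python
import re
from urllib.parse import unquote

# The cmd= value exactly as captured in the diary (the only real input here).
CAPTURED = ("cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20"
            "%5C%5C%78%33%36%31%30%63%6B%65%72%20%3E%20%36%31%30%63%6B%65%72%2E%74%78%74%20"
            "%26%26%20%63%61%74%20%36%31%30%63%6B%65%72%2E%74%78%74")


def decode_cmd(raw: str) -> str:
    """Strip the cmd= prefix and percent-decode the remainder."""
    name, _, value = raw.partition("=")
    if name != "cmd":
        raise ValueError("expected a cmd= parameter")
    return unquote(value)


def shell_unquoted_backslash(word: str) -> str:
    """In an unquoted shell word a backslash is dropped and the next char kept literally,
    so the two backslashes the attacker sent reach echo as a single backslash."""
    return re.sub(r"\\(.)", r"\1", word)


# Subset of escapes handled by echo -e (hypothetical minimal emulation, not a full echo).
_ECHO_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\"}


def echo_e(arg: str) -> str:
    """Emulate echo -e escape processing for \\xHH, \\n, \\t, \\r and \\\\."""
    out, i = [], 0
    while i < len(arg):
        ch = arg[i]
        if ch == "\\" and i + 1 < len(arg):
            nxt = arg[i + 1]
            if nxt == "x":
                m = re.match(r"[0-9A-Fa-f]{1,2}", arg[i + 2:])
                if m:
                    out.append(chr(int(m.group(0), 16)))
                    i += 2 + len(m.group(0))
                    continue
            elif nxt in _ECHO_ESCAPES:
                out.append(_ECHO_ESCAPES[nxt])
                i += 2
                continue
        out.append(ch)
        i += 1
    return "".join(out)


def file_written_by(command: str):
    """For a command containing 'echo -ne WORD > FILE', return (FILE, contents) or None."""
    m = re.search(r"echo -ne (\S+) > (\S+)", command)
    if not m:
        return None
    word = shell_unquoted_backslash(m.group(1))
    return m.group(2), echo_e(word)


def is_echo_readback_probe(command: str) -> bool:
    """Detection heuristic: the command writes a word to a file and immediately cats
    that same file, i.e. it asks the target to echo a marker back to the sender."""
    info = file_written_by(command)
    if info is None:
        return False
    path, _ = info
    return re.search(r"&&\s*cat\s+" + re.escape(path) + r"\b", command) is not None


if __name__ == "__main__":
    cmd = decode_cmd(CAPTURED)
    print("decoded :", cmd)
    print("writes  :", file_written_by(cmd))          # ('610cker.txt', '610cker')
    print("readback:", is_echo_readback_probe(cmd))   # True
```

Run it as-is: the decoded command is the one the diary shows, the file written is 610cker.txt containing the text 610cker (the \x36 escape is just the digit 6), and the heuristic flags the write-then-cat pattern so the same shape can be matched in other honeypot captures regardless of the marker text used.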
ahhh I'm pretty on point with bash scripting, but sometimes stuff just flies right by me. I think it might be that in the diary it is read to me as (this is due to font I'm sure)
cd /var/tmp && echo -ne ||x3610cker > 610cker.txt && cat 610cker.txt
idk, that's what threw me off. edit: ahhhhh it's because it was all italicized and \\ italicized is ||
jACKtheRipper 63 Posts |
Nov 15th 2016 4 years ago