SANS ISC: Busybox Honeypot Fingerprinting and a new DVR scanner SANS ISC InfoSec Forums

Busybox Honeypot Fingerprinting and a new DVR scanner

My little "lab of vulnerable devices" is still getting regular visits from script kiddies worldwide. By now, I have replaced some of the simulated honeypots with actual devices, giving me a bit more accurate view of what is happening and how attackers distinguish honeypots from real devices. For example, the DVR I set up with default telnet credentials is visited regularly, and the following command tends to get executed first:

/bin/busybox;echo -e '\147\141\171\146\147\164'

The output is the busybox "help" screen, followed by the characters encoded in the argument to the "echo" command. In this case the characters are written as octal escape sequences.

For example, on my busybox DVR:

[root@dvrdvs /] # echo -e '\101\102\103\104\105\106'

On the other hand, the same command on my MAC or a "normal" Linux system:

$ echo -e '\101\102\103\104\105\106'

(the actual string used is a bit different but spells out a word I didn't feel comfortable posting here)

I also set up a little web based scanner to test for vulnerable DVRs. The scanner will try to connect via telnet using the common default credentials "root" and "12345". If the login is successful, the scanner will try to run "ps" to look for the "" entry commonly associated with the litecoin miner we found recently on these devices. You can find the scanner at . By default, it will just scan the IP address you are connecting from. If you log in, you may specify other IP addresses. Please only use against IP addresses you are authorized to scan.

And a quick update on the "honeypot fingerprinting": I am also seeing "echo -e \\x51\\x51". But this appears to return "QQ" no matter whether it is running on the DVR or on a normal Linux system.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute



4311 Posts
ISC Handler
May 1st 2014
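The reason the octal probe works as a fingerprint is that busybox's echo treats a bare \NNN as an octal escape, while bash's builtin echo (as on the Mac, on "normal" Linux, and in the CentOS comment below) only recognizes the \0NNN form and passes \NNN through unchanged. The helper below is an added example written for this diary, not code from the ISC or from any honeypot project: it emulates both echo flavors (busybox per its escape-sequence parser, bash per its documented "\0nnn" rule) and, given a captured command, reports what each would reply and whether the command can therefore tell a real busybox device from a bash-style emulation. All sample commands are constructed.

```python
import re

# Escape grammar of the two echo implementations being compared.
# busybox echo: backslash + 1-3 octal digits ('\101' -> 'A'); a leading 0
#   simply counts as one of the digits.
# bash builtin echo: octal escapes must be written \0NNN, zero to three
#   octal digits after the 0; a bare '\101' is echoed literally.
# Both accept \xHH and the usual single-character escapes (\n, \t, \\ ...).
_GRAMMAR = {
    'busybox': re.compile(r'\\(?:([0-7]{1,3})|x([0-9a-fA-F]{1,2})|(.))', re.S),
    'bash':    re.compile(r'\\(?:0([0-7]{0,3})|x([0-9a-fA-F]{1,2})|(.))', re.S),
}
_SIMPLE = {'a': '\a', 'b': '\b', 'f': '\f', 'n': '\n', 'r': '\r',
           't': '\t', 'v': '\v', '\\': '\\'}

def echo_e(text, flavor='busybox'):
    """Return what `echo -e 'text'` prints under the given echo flavor."""
    def sub(m):
        octal, hexd, ch = m.groups()
        if octal is not None:
            return chr(int(octal or '0', 8) & 0xFF)
        if hexd is not None:
            return chr(int(hexd, 16))
        return _SIMPLE.get(ch, m.group(0))   # unknown escape: keep as typed
    return _GRAMMAR[flavor].sub(sub, text)

# Picks the single-quoted argument of an `echo -e '...'` that starts the
# command or follows a ';', '&&' or '||' (the form seen in the diary).
_PROBE = re.compile(r"(?:^|;|&&|\|\|)\s*echo\s+-e\s+'([^']*)'")

def analyze_probe(command):
    """Inspect one captured command line.  Returns None if it carries no
    `echo -e '...'`; otherwise the reply a real busybox device gives, the
    reply a bash-based shell gives, and whether the two differ, i.e.
    whether this probe can fingerprint a busybox box versus an emulator."""
    m = _PROBE.search(command)
    if not m:
        return None
    arg = m.group(1)
    bb, sh = echo_e(arg, 'busybox'), echo_e(arg, 'bash')
    return {'busybox_reply': bb, 'bash_reply': sh, 'discriminates': bb != sh}

if __name__ == '__main__':
    # Constructed commands in the style of the probes quoted in the diary.
    for cmd in ["/bin/busybox;echo -e '\\101\\102\\103\\104\\105\\106'",
                "echo -e '\\x51\\x51'",
                "ps"]:
        print(cmd, '->', analyze_probe(cmd))
```

A honeypot that wants to look like a busybox DVR therefore has to answer echo -e with the busybox grammar; the \xHH probe, as noted above, does not separate the two.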
My CentOS 6.4 Linux system requires just a slightly different syntax, but it does display the escaped characters:

$ man echo

Echo the STRING(s) to standard output.
-e enable interpretation of backslash escapes

\0NNN byte with octal value NNN (1 to 3 digits)

NOTE: your shell may have its own version of echo, which usually supersedes the version described here. Please refer to
your shell’s documentation for details about the options it supports.

[root@be1 ~]# echo -e '\0101\0102\0103\0104\0105\0106'

[root@be1 ~]# uname -srv
Linux 2.6.32-358.el6.i686 #1 SMP Thu Feb 21 21:50:49 UTC 2013

[root@be1 ~]# type echo
echo is a shell builtin

[root@be1 ~]# echo $SHELL

It's a Busybox bug:

You can replicate the behavior by using Busybox as your Echo:

# echo -e '\101'
# busybox echo -e '\101'
# uname -a
Linux localhost 2.6.32-431.11.2.el6.x86_64 #1 SMP Mon Mar 3 13:32:45 EST 2014 x86_64 x86_64 x86_64 GNU/Linux
Mike Donovan

4 Posts
