Busybox Honeypot Fingerprinting and a new DVR scanner

Published: 2014-05-01
Last Updated: 2014-05-01 16:38:30 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

My little "lab of vulnerable devices" is still getting regular visits from script kiddies world wide. By now, I replaced some of the simulated honeypots with actual devices, giving me a bit a more accurate view of what is happening and how attackers are distinguishing honeypots from real devices. For example, the DVR I set up with default telnet credentials is getting regularly visited and the following command tends to get executed first:

/bin/busybox;echo -e '\147\141\171\146\147\164'

The output is busybox "help" screen, followed by the characters represented by the "echo" command. The characters are represented in octal in this case.

For example, on my busybox DVR:

[root@dvrdvs /] # echo -e '\101\102\103\104\105\106'
ABCDEF

On the other hand, the same command on my MAC or a "normal" Linux system:

$ echo -e '\101\102\103\104\105\106'
\101\102\103\104\105\106

(the actual string used is a bit different but spells out a word I didn't feel comfortable posting here)

I also set up a little web based scanner to test for vulnerable DVRs. The scanner will try to connect via telnet using the common default credentials "root" and "12345". If the login is successful, the scanner will try to run "ps" to look for the "cmd.so" entry commonly associated with the litecoin miner we found recently on these devices. You can find the scanner at https://isc.sans.edu/tools/dvrtest.html . By default, it will just scan the IP address you are connecting from. If you log in, you may specify other IP addresses. Please only use against IP addresses you are authorized to scan.

And a quick update on the "honeypot fingerprinting": I am also seeing "echo -e \\x51\\x51" . But this appears to return "QQ" no matter if it is running on the DVR or a normal Linux system.

------

Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

2 comment(s)

Comments

My CentOS 6.4 Linux system requires just a slightly different syntax, but does display escaped characters

$ man echo

DESCRIPTION
Echo the STRING(s) to standard output.
-e enable interpretation of backslash escapes

\0NNN byte with octal value NNN (1 to 3 digits)

NOTE: your shell may have its own version of echo, which usually supersedes the version described here. Please refer to
your shell’s documentation for details about the options it supports.

[root@be1 ~]# echo -e '\0101\0102\0103\0104\0105\0106'
ABCDEF



[root@be1 ~]# uname -srv
Linux 2.6.32-358.el6.i686 #1 SMP Thu Feb 21 21:50:49 UTC 2013

[root@be1 ~]# type echo
echo is a shell builtin

[root@be1 ~]# echo $SHELL
/bin/bash
It's a Busybox bug:

http://lists.busybox.net/pipermail/busybox/2012-March/077492.html

You can replicate the behavior by using Busybox as your Echo:

# echo -e '\101'
\101
# busybox echo -e '\101'
A
# uname -a
Linux localhost 2.6.32-431.11.2.el6.x86_64 #1 SMP Mon Mar 3 13:32:45 EST 2014 x86_64 x86_64 x86_64 GNU/Linux
#

Diary Archives