« Kippo Honeypot Video Gallery »

19 October 2014

Honeypots are rad. Their uses are varied, but I’ve used my own mostly for research (and entertainment.) It’s been running for over a year now, and I thought it would be worthwhile (and interesting) to summarize my findings.

This honeypot is running on one of my non-critical servers with relatively minimal exposure, so the findings contained herein could be considered a good snapshot of internet background noise – no particular reason to target my host, but a public IP and open port 22 are enough to hook quite a few bad actors.

I’ll be reviewing a portion of malicious artifacts, shell activity, and related data that I’ve collected.

The Setup

I’ve got a cheap buyvm OpenVZ container running one of my subdomains for tjll.net with an open port 22. Kippo is running under a user account listening on port 2222, and an iptables rule rewrites inbound ssh packets to instead be rerouted to my kippo honeypot process.

Most connections I observe initiate then terminate almost instantaneously – whether this means that I’ve been logged as vulnerable and noted to be revisted later, or just a victim of simple scans, isn’t clear.

The Haul

With all that being said, let’s dive into the spoils!

Driving Drunk at the Shell

This one is purely for fun: I’ve never seen any other attacker struggle so much to issue simple commands at the terminal.

Some IP address checking via ifconfig, a ping, and an epic struggle to determine the server’s hostname. No artifacts or malware here, just an amusingly-poor typist.

The Bitcoin Miner

This is a fairly new find, and only showed up recently in the honeypot: cryptocurrency miners.

Given the rising popularity of bitcoin and the ease of translating stolen CPU time into cash, I’d guess this type of malware is only going to rise (there’s certainly been an increase in bitcoin-related malware.)

I did some light forensics on the miner artifact (minerd, an ELF executable) and along with some of the command-line arguments seen in the recording, found some interesting things:

  • A quick run of strings over minerd shows that the executable identifies itself as cpuminer 2.3.3
  • The hacker’s invocation of minerd shows that he’s connecting to 54.194.173.83:3333. After poking around that endpoint, it turns out a site called middlecoin.com is offering a fairly straightforward payout program for miners: hook in your miner with a wallet ID for a username and dummy password, and you’ll get easy payouts for many disparate mining processes. It doesn’t appear to be inherently malicious, just an easy endpoint to plug rogue miners into (you can actually find this specific hacker’s public ID on the site, but he hasn’t made much BTC, sadly.)
The Hidden /dev/shm

This one is interesting for two covert techniques that get used:

  • The first one I hadn’t observed directly before: the attacker tries to hide in /dev/shm – makes sense, download stuff into shared memory where it’ll be (relatively) transient.
  • Using the " " filename is also a tricky one – I’ve also seen files named things like ..  in the past, which is similarly annoying to deal with.

The artifact in this session is (yet another) IRC bot (using psybnc), albeit thinly disguised as a binary called ntpd. The attacker also tries to retrieve a file via ftp using wget, which just fails.

The 99%: IRC Bots

This is, by far, the most common strain of malware that’s landed in the honeypot. IRC botters usually follow this modus operandi:

Note that kippo does a pretty good job of faking a package installation, and ticks off the intruder with segmentation faults to the point that they just give up an quit.

Nearly every IRC bot I’ve collected has been perl. What this says about the masochism of hackers, I can’t say (yeah, I know, it’s because perl is ubiquitous), but there are some interesting trends.

  • There are some general IRC bot scripts that seem to be popular and reused many times. I only have a couple of unique IRC bot scripts that appear to be custom jobs, the others either carry a common banner in the header from the orginal author or identical subroutine names, configuration variables, and so on.
  • Many bots try to masquerading under process names such as /usr/sbin/httpd and gnome-pty-helper. Certainly implies that a simple ps isn’t enough to catch malicious processes.

In any case, the variants are many as are their uses – take a look at some of the commands one of these bots accepts. The first set provides lots of different DoS options, ranging from UDP to HTTP:

## [ Flood ] ################################
#############################################
# !u @udp1 <ip> <port> <time>              ##
# !u @udp2 <ip> <packet size> <time>       ##
# !u @udp3 <ip> <port> <time>              ##
# !u @tcp <ip> <port> <packet size> <time> ##
# !u @http <site> <time>                   ##
#                                          ##
# !u @ctcpflood <nick>                     ##
# !u @msgflood <nick>                      ##
# !u @noticeflood <nick>                   ##
# !u @maxiflood    <who>                   ##
#                                          ##
#                                          ##
#############################################

This bot also accepts some utility commands, such as !u @portscan for easy remote port scanning:

#### [ Utils ] #########################
########################################
##  !su @conback <ip> <port>          ##
##  !u @downlod <url+path> <file>     ##
##  !u @portscan <ip>                 ##
##  !u @mail <subject> <sender>       ##
##           <recipient> <message>    ##
##  !u pwd;uname -a;id <for example>  ##
##  !u @port <ip> <port>              ##
##  !u @dns <ip/host>                 ##
##                                    ##
##                                    ##
##                                    ##
##                                    ##
########################################

Other bots accept similar commands and share other common traits, such as:

  • randomized sequences of possible IRC nicks
  • connection parameters (which I don’t share here, but I’ve found… weird IRC server endpoints)
  • perl shudder

Conclusion

This is just a sample of the logs the honeypot has collected. As it continues to hook ssh crackers, I’m sure there will be more content to dig into, and hopefully interesting enough to summarize and share.

ty@tjllgmail.net