Andrew Morris has got some great points on the vulnerabilities prevalently used by remote attackers on the Internet, so read this part to learn what those are.
If you ever feel like checking your SSH logs or anything like that, I guarantee you 100% you’re going to have authentication attempts from them. And the thing is, you’ll look at the passwords that they try, and they do “password 1” and then “Password 1”. They do that stuff, but they actually try some really, really advanced crazy passwords that I’m pretty sure have come from password dumps from elsewhere, or they just are actually banking on doing brute-force attacks that are real, actual brute-force attacks. They are just going to keep on doing it forever.
Usually the stuff behind the SSH people is just automated scripts. You don’t really see actual operators too often log into Kippo instances. It’s usually something to log in, run an automated “uname -a”, wget a piece of malware based on the output of that, and then it will execute it or whatever. But you do still get actual operators because, obviously, that’s not going to work all the time, and so sometimes you’ll see an actual person, a human being, that logs in and actually checks “Oh, what’s going on here?”

Again, a lot of really cool SSH data – these are the passwords that people actually have been trying (see right-hand image). I’ve seen around 24,000 instances of people trying “root” as the password and so on and so forth. There’s a bunch of SSH library versions that people use as well (see left-hand image). The most common is SSH-2.0-PuTTY. That’s kind of a weird statistic here just because that is actually just what the Hong Kong group that I’ve been talking about uses. It’s not actual PuTTY, it’s just whatever they configured the brute-forcer that they wrote to use as the banner. You can think of it kind of like a user agent. A funny thing about this is you’ll see the names of hacking tools in the library versions. It will be, like, SSH-2.0_Medusa. Well, that’s definitely not a regular remote administration tool.

A couple of SSH gotchas (see right-hand image). Bad guys love using SFTP, and Kippo doesn’t include SFTP by default. So, if they try to negotiate an SFTP session or whatever, it’s going to fail by default. But some guy who’s a lot smarter than me wrote an SFTP patch. You can incorporate that into your honeypots, and you will get so much more malware when you do that. A lot of people log in to do ‘wget’, but bad guys are going to want to just do it in line with SFTP. So I actually forked over a version of Kippo. I added an SFTP patch, an option to disable this weird fake jail that Kippo does, which I hate.
I added some more default creds and I got rid of the port 80 ‘wget’ limitation that Kippo has by default. And the reason the developer put a limitation on Kippo was because he didn’t want people using Kippo instances as port scanners, but I don’t care, I’d rather get more malware.

You are going to see a lot of this (see right-hand image) when you start doing this. You are going to see a ton of these HFS web servers when you start looking at attacks like this. They are all in Chinese, of course. And you are going to see the filename, the size of the file in here, the date uploaded, and the amount of downloads, which is important because that can let you track how big a botnet may be. If you see that something was uploaded three days ago and you see that it’s got 9,000 downloads, then you can usually say, okay, these people probably have 8,000-9,000 bots sitting on their thing – just from this as the source.

And you are going to see a ton of these (see left-hand image). I mean, they are everywhere. This one version in particular – bad guys just love this stuff. I don’t know why. It literally does the same thing as Apache. It has directory listing enabled by default, so if there’s one sample or ten samples, you can get all of them just as a result of getting access or seeing the path of one.

So, some no budget tactics for this kind of stuff (see right-hand image). You can Google dork for these web servers. Google is weird about indexing things that aren’t on port 80, though, so that’s a little bit difficult. Intext:“httpfileserver” – you can look for that. If you feel like grotesquely violating the Computer Fraud and Abuse Act, HFS is vulnerable to a really bad RCE bug, and no one ever uses the updated version. So, if you do feel like getting criminal and executing code on their boxes or whatever – you can, there’s an exploit for it, it works.
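The SSH honeypot observations above (which passwords get tried most, which client banners show up, tool names such as Medusa leaking into the banner, and which sources are hammering the box) can be pulled out of a Kippo log with a short script. This is an added example, not code from the talk or from Kippo itself; the sample lines are constructed to follow the shape of Kippo's `kippo.log` records ("Remote SSH version:" and "login attempt [user/pass]"), and the tool-name list is an assumed indicator list, not something the talk provides.

```python
import re
from collections import Counter

# Constructed sample lines written in the style of Kippo's kippo.log output
# (assumption: "Remote SSH version:" and "login attempt [user/pass]" records).
SAMPLE_LOG = """\
2013-06-05 12:00:01+0000 [HoneyPotTransport,1,198.51.100.7] Remote SSH version: SSH-2.0-PuTTY
2013-06-05 12:00:02+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/root] failed
2013-06-05 12:00:03+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/password 1] failed
2013-06-05 12:00:04+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/Password 1] failed
2013-06-05 12:00:10+0000 [HoneyPotTransport,2,203.0.113.9] Remote SSH version: SSH-2.0-Medusa
2013-06-05 12:00:11+0000 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.9] login attempt [root/root] failed
2013-06-05 12:00:12+0000 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.9] login attempt [admin/root] succeeded
2013-06-05 12:00:20+0000 [HoneyPotTransport,3,192.0.2.5] Remote SSH version: SSH-2.0-libssh2_1.4.2
2013-06-05 12:00:21+0000 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.5] login attempt [root/123456] failed
"""

VERSION_RE = re.compile(r"\[HoneyPotTransport,(\d+),([\d.]+)\] Remote SSH version: (\S+)")
LOGIN_RE = re.compile(r"HoneyPotTransport,(\d+),([\d.]+)\] login attempt \[([^/]*)/(.*)\] (failed|succeeded)")

# Brute-force tool names that sometimes leak into the client banner, as the talk
# notes for Medusa. Assumed list; treat a hit as an indicator, not as proof.
TOOL_MARKERS = ("medusa", "hydra", "ncrack")

def analyze(log_text):
    """Summarise a Kippo-style log: password frequencies, client banners,
    attempts per source IP, and sessions whose banner names a known tool."""
    passwords, banners, attempts_by_ip = Counter(), Counter(), Counter()
    tool_sessions = set()
    for line in log_text.splitlines():
        m = VERSION_RE.search(line)
        if m:
            sess, ip, banner = m.groups()
            banners[banner] += 1
            if any(t in banner.lower() for t in TOOL_MARKERS):
                tool_sessions.add((sess, ip, banner))
            continue
        m = LOGIN_RE.search(line)
        if m:
            sess, ip, user, pw, result = m.groups()
            passwords[pw] += 1
            attempts_by_ip[ip] += 1
    return {
        "passwords": passwords,
        "banners": banners,
        "attempts_by_ip": attempts_by_ip,
        "tool_sessions": sorted(tool_sessions),
    }
```

Run `analyze(SAMPLE_LOG)` and inspect `["passwords"].most_common()` to get the "24,000 times root" style ranking; feed it a real `kippo.log` to see the same counters over live data.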
Read previous: No Budget Threat Intelligence 2: Setting up Cheap Honeypots