Closed PMBNL closed 2 years ago
After more research I realize that logging is sent to stderr. So now I fix it (probably very ugly) with adding 2> file. Still interested in the best & preferred solution.
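The observation above (Python's logging module writes to stderr by default, so `> file` captures nothing while `2> file` does) can be handled inside the script instead of at the shell. The following is an added illustration, not code from the mozitools project: a hypothetical `configure_logging` helper that keeps the default stderr stream and adds a `FileHandler`, and a `demo` that logs a few constructed node findings (RFC 5737 documentation addresses) and returns the lines that reached the file.

```python
import logging
import os
import sys
import tempfile

LOGGER_NAME = "mozitools_example"  # hypothetical name, not the project's logger


def configure_logging(log_path, level=logging.INFO):
    """Send records both to stderr (the logging default) and to log_path.

    logging.basicConfig() installs a StreamHandler on sys.stderr, which is why
    a plain '> file' redirection captures nothing. A FileHandler removes the
    dependency on shell redirection entirely.
    """
    logger = logging.getLogger(LOGGER_NAME)
    logger.setLevel(level)
    # Make the call idempotent: drop handlers from any earlier configuration.
    for old in list(logger.handlers):
        logger.removeHandler(old)
        old.close()
    fmt = logging.Formatter("%(asctime)s %(levelname)s %(message)s")
    stream = logging.StreamHandler(sys.stderr)
    stream.setFormatter(fmt)
    file_handler = logging.FileHandler(log_path, encoding="utf-8")
    file_handler.setFormatter(fmt)
    logger.addHandler(stream)
    logger.addHandler(file_handler)
    return logger


def record_nodes(log_path, nodes):
    """Log one line per (ip, port) node and return the lines written to the file."""
    logger = configure_logging(log_path)
    for ip, port in nodes:
        logger.info("found node %s:%d", ip, port)
    for h in logger.handlers:
        h.flush()
        if isinstance(h, logging.FileHandler):
            h.close()  # make sure everything is on disk before reading back
    with open(log_path, encoding="utf-8") as fh:
        return [line.rstrip("\n") for line in fh]


def demo():
    """Run record_nodes on constructed sample nodes in a temporary directory."""
    sample = [("192.0.2.10", 6000), ("192.0.2.10", 6001), ("198.51.100.7", 5555)]
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mozi_nodes.log")
        return record_nodes(path, sample)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the script prints each line twice on a terminal (once from stderr, once from the read-back), while a `> out.txt` redirection now captures the read-back lines and the log file itself holds the records regardless of how stdout and stderr are redirected.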
Hi @PMBNL, The tracker feature of Mozitools is intended to store the result data inside an Elasticsearch database. The ELK stack provides better indexing and visualization features than a simple logfile. It is also easier to extract statistics without adding any code (number of nodes on the same IP but a different port, finding every unique Mozi configuration, etc.).
By redirecting logs output to a file, you will only get Mozi nodes addresses because I didn't want to store the results inside a file.
I can add a little component to replace the ELK injector and instead store results inside a file, maybe in json-lines format so it's easy to parse. So when running Mozitools in tracker mode you could choose between the ELK injector and the file injector.
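The file injector sketched above, as an added example rather than mozitools code: a hypothetical `JsonLinesInjector` that appends one JSON document per line, a tolerant reader that skips a truncated last line (a tracker interrupted mid-write), and the two statistics named earlier in the thread (IPs seen with several ports, and unique raw configurations) computed from the file. The record fields `ip`, `port`, `role` and `config` and the config strings `CONFIG_A`/`CONFIG_B` are constructed placeholders.

```python
import io
import json
from collections import defaultdict


class JsonLinesInjector:
    """Append one JSON object per line to a file-like object (json-lines format)."""

    def __init__(self, stream):
        self.stream = stream

    def inject(self, record):
        # sort_keys makes lines stable and diff-friendly; the default
        # ensure_ascii keeps any odd bytes in a raw config printable.
        self.stream.write(json.dumps(record, sort_keys=True) + "\n")
        self.stream.flush()


def read_jsonl(stream):
    """Yield one dict per line, skipping blank lines and lines that do not parse
    (typically a partially written last line after an interrupted run)."""
    for line in stream:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def ips_with_multiple_ports(records):
    """Map each IP that appeared with more than one port to its sorted ports."""
    ports = defaultdict(set)
    for r in records:
        ports[r["ip"]].add(r["port"])
    return {ip: sorted(p) for ip, p in ports.items() if len(p) > 1}


def unique_configs(records):
    """Count how many nodes served each distinct raw configuration string."""
    counts = defaultdict(int)
    for r in records:
        counts[r["config"]] += 1
    return dict(counts)


def demo():
    """Write constructed records to an in-memory file, read them back, summarise."""
    buf = io.StringIO()
    injector = JsonLinesInjector(buf)
    # Constructed sample nodes (RFC 5737 documentation addresses, placeholder configs).
    sample = [
        {"ip": "192.0.2.10", "port": 6000, "role": "ssh", "config": "CONFIG_A"},
        {"ip": "192.0.2.10", "port": 6001, "role": "ftp", "config": "CONFIG_A"},
        {"ip": "198.51.100.7", "port": 5555, "role": "sk", "config": "CONFIG_B"},
    ]
    for rec in sample:
        injector.inject(rec)
    # Simulate a run killed mid-write: a truncated, unparseable trailing line.
    buf.write('{"ip": "203.0.113.4", "port": ')
    buf.seek(0)
    records = list(read_jsonl(buf))
    return {
        "records": len(records),
        "multi_port_ips": ips_with_multiple_ports(records),
        "configs": unique_configs(records),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, sort_keys=True))
```

With a real file, the same reader works on a partially written log because each record is self-contained on its own line, which is the property that makes json-lines a good fit for a long-running tracker.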
That sounds nice but at the same time, I don't like that you are working on something because I don't have the knowledge to use the ELK stack & Elasticsearch properly. ;-) I will see if I get that configured.
I ran your script for about an hour and found 29771 nodes and only one of those was of type "sk". I also searched for the meaning of the sk type but couldn't find it. The only "reference" I found was a Twitter message with DDOS malware payload on mozi.m node in AS: SK Broadband (ASN 9318).
The last interesting article I read about Mozi was The Mostly Dead Mozi and Its’ Lingering Bots. They go over every possible bot role, ftp, ssh, but not sk nor sns. I remember asking myself the same question a few months ago but I never found the answer.
This article also makes me think that this tool may not be up to date to catch every Mozi configuration.
Interesting article! Can the tool be extended with the new roles or is that a lot of work? Curious if the roles that are pushed to the nodes are changing.
Currently, the following tags are being parsed:
https://github.com/kn0wl3dge/mozitools/blob/37d389f2ea8f3c9eb13fa29d0fab60423633db54/mozitools/conf.py#L33-L49
So, the bot role will be extracted without any issue. It's more about the subtasks related to the ssh and ftp versions of Mozi as explained in the article. The fields related to subtasks are not parsed. I would need Mozi samples with this kind of configuration to correctly update the tool.
In any case, the configuration is still available in raw format so you will be able to get every config (even if the parser does not recognize new fields) retrieved from the peer-to-peer network.
Thanks for clarifying!
Best regards, Peter
I've tried the commands below but none of them writes the output of the node scan to a file.
python3 mozitools.py -t --output ./log.txt
python3 mozitools.py -t --output ./log.txt
sudo python3 mozitools.py -t --output ./log.txt
python3 mozitools.py -t | tee log.txt
python3 mozitools.py -t > log.txt
I would appreciate any help to fix this.
My knowledge of Elasticsearch is low/zero so this didn't help to see & analyse if there was logging there. I checked in several places but could not find any logging data stored.
Best regards,
Peter
P.s. compliments on your sharing efforts, analysis and tooling!