If ET were a Hacker, he would just try to phone home...

Up until now, all of the honeypot compromises I've logged have simply been attempts to propagate network scanning and IRC bots.

Today's compromise was a little different.

It started off with a regular SSH dictionary crack attempt which ultimately succeeded..




2011-11-16 23:54:51-0500 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 95.168.218.166:45132 (192.168.1.165:22) [session: 6]
2011-11-16 23:54:52-0500 [HoneyPotTransport,6,95.168.218.166] Remote SSH version: SSH-2.0-libssh-0.1
2011-11-16 23:54:52-0500 [HoneyPotTransport,6,95.168.218.166] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2011-11-16 23:54:52-0500 [HoneyPotTransport,6,95.168.218.166] outgoing: aes256-cbc hmac-sha1 none
2011-11-16 23:54:52-0500 [HoneyPotTransport,6,95.168.218.166] incoming: aes256-cbc hmac-sha1 none
2011-11-16 23:54:52-0500 [HoneyPotTransport,6,95.168.218.166] NEW KEYS
2011-11-16 23:54:53-0500 [HoneyPotTransport,6,95.168.218.166] starting service ssh-userauth
2011-11-16 23:54:53-0500 [SSHService ssh-userauth on HoneyPotTransport,6,95.168.218.166] root trying auth password
2011-11-16 23:54:53-0500 [SSHService ssh-userauth on HoneyPotTransport,6,95.168.218.166] login attempt [root/r00tb33r] succeeded
2011-11-16 23:54:53-0500 [SSHService ssh-userauth on HoneyPotTransport,6,95.168.218.166] root authenticated with password
2011-11-16 23:54:53-0500 [SSHService ssh-userauth on HoneyPotTransport,6,95.168.218.166] starting service ssh-connection
2011-11-16 23:54:53-0500 [SSHService ssh-connection on HoneyPotTransport,6,95.168.218.166] got channel session request
2011-11-16 23:54:53-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,6,95.168.218.166] channel open
2011-11-16 23:54:53-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,6,95.168.218.166] pty request: xterm (24, 80, 0, 0)
2011-11-16 23:54:53-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,6,95.168.218.166] Terminal size: 24 80
2011-11-16 23:54:53-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,6,95.168.218.166] getting shell
2011-11-16 23:54:53-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,6,95.168.218.166] Opening TTY log: log/tty/20111116-235453-7554.log
2011-11-16 23:54:54-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,6,95.168.218.166] /etc/motd resolved into /etc/motd
2011-11-16 23:54:54-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,6,95.168.218.166] /var/run/motd resolved into /var/run/motd


Then the attacker proceeded to login from his/her Windows system several hours later, and gather some basic info...

2011-11-17 05:32:25-0500 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.97.206.63:18085 (192.168.1.165:22) [session: 23]
2011-11-17 05:32:25-0500 [HoneyPotTransport,23,203.97.206.63] Remote SSH version: SSH-2.0-PuTTY_Release_0.61
2011-11-17 05:32:25-0500 [HoneyPotTransport,23,203.97.206.63] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2011-11-17 05:32:25-0500 [HoneyPotTransport,23,203.97.206.63] outgoing: aes256-ctr hmac-sha1 none
2011-11-17 05:32:25-0500 [HoneyPotTransport,23,203.97.206.63] incoming: aes256-ctr hmac-sha1 none
2011-11-17 05:32:28-0500 [HoneyPotTransport,23,203.97.206.63] NEW KEYS
2011-11-17 05:32:28-0500 [HoneyPotTransport,23,203.97.206.63] starting service ssh-userauth
2011-11-17 05:32:41-0500 [SSHService ssh-userauth on HoneyPotTransport,23,203.97.206.63] root trying auth none
2011-11-17 05:32:41-0500 [SSHService ssh-userauth on HoneyPotTransport,23,203.97.206.63] root trying auth keyboard-interactive
2011-11-17 05:32:50-0500 [SSHService ssh-userauth on HoneyPotTransport,23,203.97.206.63] login attempt [root/r00tb33r] succeeded
2011-11-17 05:32:50-0500 [SSHService ssh-userauth on HoneyPotTransport,23,203.97.206.63] root authenticated with keyboard-interactive
2011-11-17 05:32:50-0500 [SSHService ssh-userauth on HoneyPotTransport,23,203.97.206.63] starting service ssh-connection
2011-11-17 05:32:50-0500 [SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] got channel session request
2011-11-17 05:32:50-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] channel open
2011-11-17 05:32:50-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] pty request: xterm (24, 80, 0, 0)
2011-11-17 05:32:50-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Terminal size: 24 80
2011-11-17 05:32:51-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] getting shell
2011-11-17 05:32:51-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Opening TTY log: log/tty/20111117-053251-4322.log
2011-11-17 05:32:51-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] /etc/motd resolved into /etc/motd
2011-11-17 05:32:51-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] /var/run/motd resolved into /var/run/motd
2011-11-17 05:32:57-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] CMD: w
2011-11-17 05:32:57-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Command found: w
2011-11-17 05:33:12-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] CMD: cat /proc cpuinfo
2011-11-17 05:33:12-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Command found: cat /proc cpuinfo
2011-11-17 05:33:12-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] /root/cpuinfo resolved into /root/cpuinfo
2011-11-17 05:33:19-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] CMD: cat /proc/cpuinfo
2011-11-17 05:33:19-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Command found: cat /proc/cpuinfo
2011-11-17 05:33:19-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] /proc/cpuinfo resolved into /proc/cpuinfo
2011-11-17 05:33:19-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Updating realfile to honeyfs//proc/cpuinfo

This is when things started to turn interesting. The rest of the commands used by the attacker seemed to have one specific purpose...

2011-11-17 05:33:41-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] CMD: cd /etc/asterisk
2011-11-17 05:33:41-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Command found: cd /etc/asterisk
2011-11-17 05:33:46-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] CMD: locate
2011-11-17 05:33:46-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Command not found: locate
2011-11-17 05:33:49-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] CMD: yum
2011-11-17 05:33:49-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Command not found: yum
2011-11-17 05:33:53-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] CMD: apt-get
2011-11-17 05:33:53-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Command found: apt-get
2011-11-17 05:34:09-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] CMD: find /|grep sip.conf
2011-11-17 05:34:09-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Command not found: find /|grep sip.conf
2011-11-17 05:34:25-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] CMD: exit
2011-11-17 05:34:25-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] Command found: exit
2011-11-17 05:34:25-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] sending close 0
2011-11-17 05:34:25-0500 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,23,203.97.206.63] remote close
2011-11-17 05:34:25-0500 [HoneyPotTransport,23,203.97.206.63] connection lost

The attacker was looking for an Asterisk server.

This is rather interesting, since the number of attacks against Asterisk (open source VoIP/PBX software) has been increasing recently, per the SANS Internet Storm Center.

Is it possible this relates to the recent User Enumeration Weakness which was patched in June 2011?

Why are attackers targeting Asterisk?  Are they simply trying to phone home for free?

The originator of this attack is 203.97.206.63, a customer of the New Zealand broadband provider TelstraClear.

The ISP has been notified

No comments:

Post a Comment