Posts

Showing posts from March, 2015

What's in the honeypot? CVE-2014-4019 - Attack on SOHO Router to Download Admin Password

Image
Looking at the honeypots one more time today I found the miscreants searching for an unprotected router configuration that provides the username and password.  By utilizing the router it has been known that they can modify the DNS settings of these routers to conduct man-in-the-middle attacks intercepting or relaying all traffic through their servers.

Below is the log entry that I found:

According to the exploit published by exploit-db located here by requesting, through a GET request, the rom-0 file contains the admin username and password.  Then in the following link are instructions how to decompress the file.

The following CVE's have been recorded for these vulnerabilities that have been identified:
CVE-2014-4018CVE-2014-4019CVE-2014-4154CVE-2014-4155Also applicable is http://www.exploit-db.com/exploits/33737Here is an article by SC Magazine about 300,000 SOHO routers that were compromised due to this vulnerability: http://www.scmagazine.com/attackers-alter-dns-configurations-r…

What's in the honeypot? Shellshock to Remote Control / DDoS Bot

Image
Today in searching through what is gathered in the honeypots we found yet another attempt attempt at executing commands through the Shellshock vulnerability.  Below is the log that we are going to look at closer.


Looking at the information provided in the log above we gather the following 2 IP Addresses.

222.66.95.253 - Using APNIC.net the below information is returned about the IP Address
descr:CHINANET shanghai province networkdescr:China Telecomdescr:No1,jin-rong Streetdescr:Beijing 100032country:CN

61.160.212.172 - Using APNIC.net the below information is returned about the IP Address
descr:CHINANET jiangsu province networkdescr:China Telecomdescr:A12,Xin-Jie-Kou-Wai Streetdescr:Beijing 100088country:CN Inside the User Agent where they are executing the command through the shellshock vulnerability is the download of a file called java. After downloading this file you can see that it is a "ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linu…

What's in the honeypot? SSH Scanning leads to Interesting Domain

Image
SSH scanning appears to be a popular activity for a honeypot to capture.  I thought I would share what I have seen in my honeypots thus far.

Below are the top 10 IP Addresses that have scanned my honeypots with the number of occurrences they appear in the logs: 1: 103.41.124.109 - 2,390 2: 103.41.124.64 - 2,332 3: 103.41.124.38 - 2,125 4: 58.218.211.166 - 2,104 5: 113.195.145.12 - 1,728 6: 103.41.124.65 - 1,683 7: 182.100.67.112 - 1,604 8: 113.195.145.80 - 1,555 9: 59.47.0.152 - 1,472 10: 103.41.124.28 - 1,371
These statistics were pulled from multiple honeypots into a single file and then I wrote the below python script to aggregate the total number of occurrences:
#!/usr/bin/python
priorLine='' priorCalc=0 file = open('stats.temp', 'r') for line in file: item = line.split(' ') if priorLine == item[0]: priorLine = item[0] priorCalc = priorCalc + int(item[1]) else: print priorLine + " " + str(priorCalc) priorLine = item[0] priorCalc=int(item[1])
From the t…

What's in the honeypot? Banner Information Gathering System by gatech.edu

Image
I have been watching for a while the IP Address of 128.61.240.66 which would appear in the logs almost everyday as shown in the picture below:

Noticing the URL or what appears to be a URL in the banner.  I wanted to know more about this scan or these scan occurrences.  First I googled and then I visited the site and this is what you see upon visiting "http://netscan.gtisc.gatech.edu":

I find this project intriguing that they are collecting the banners and then monitoring them as they change.  This would provide information of patches that are deployed to webservers, up-time, and change amongst the web servers.  I thought I would go a little further and try and find if they release this information on their website at https://gtisc.gatech.edu/index.html.

From the links provided at this site I could not find this information but I did find the following links to be of interest:

Emerging Cyber Threats Report 2015 

2014 Georgia Tech Cyber Security Summit






What's in the honeypot? "The Moon" malware is self-replicating and impacts Linksys E Routers - CVE-2013-5122

Image
As I was looking through the logs of the honeypot I found the following occurring:



Well if you google "/tmUnblock.cgi" you find that this scan is related to "The Moon" malware.  This malware impacts Linksys E series routes that are used by multiple home users.  After a Linksys E series router is infected it will then scan and try and find other routers that are vulnerable and infect them.
Since this malware came out Linksys has since patched the vulnerability but to implement it a firmware update has to be done on the router.  Well, maybe the IP addresses that are scanning my honeypot are infected Linksys routers.

Well without actually scanning them I will not know if they are vulnerable, but I thought I would look up using arin.net or other registrars to see if the network the IP is on indicates it possibly could be based on being a residential ISP or a small business.

103.30.91.46 - PT Metroptix Lintas Nusa - Indonesia173.89.8.170 - RRMA Time Warner Cable - US74.1…

What's in the honeypot? CVE-2012-1823 execute arbitrary code in PHP before 5.3.12 and 5.4.x before 5.4.2

Image
I thought I would create a series of posts about what I have collected and will collect in my honeypot that is running.  This is again only meant for educational purposes, and as I discuss what is found I am not attributing it to anyone.

Here is one of the first items that I would like to touch on:

The POST request to the honeypot was not found and displayed the 404 error.  However, I wanted to understand what was hex encoded.  I dug back into my archive and found my hex decoder at the following link.

Notice also that when I copy the hex encoded pattern the letters are in upper-case and my decoder is in lower-case.  So I found a quick sed command to convert the letters to lower-case, as shown below.


After I decoded the hex I found the following text:

Ok noticing that the -d looks to be an option.  So I did a search for PHP options.  
So from the above command switch it appears that they are trying to change the php.ini entries.  Then after a little more searching the following exploit…

The One Who Inspired My Career in Computers passed on Recently

Image
The man who inspired me at an early age to get into computers, recently died, so I would like to take a moment and post about him.  I will refer to him as @brothersthree through-out this post.  Just prior to his passing I received from him multiple items that he continued to maintain in his possession.

@brothersthree went to college and during his time their he became familiar with computers and took an interest in them.  He decided to take some classes in which he would have to rent time on the mainframe to complete his assignments.  The access to the mainframe was limited based on seats and scheduling.  Most of the scheduling was taken up due to those advanced further in their collegiate courses.  The times that were available were often during late hours of the night or early in the morning hours.

Then a telephone line or modem access was made available to the mainframe, again this was limited to number of connections but alleviated some of the congestion.  I am not sure if at this…

Utilizing PowerUp.ps1 to Escalate Privileges on Windows 7 using an Unquoted Path Vulnerability

Image
I found a great write-up by the Veris Group on how to use PowerUp.ps1 @ http://www.verisgroup.com/2014/06/17/powerup-usage/.  I thought I would take some time and walk through this tutorial on a Windows 7 box with a non-privileged user.

Following the Veris groups instructions:

1. I downloaded the PowerUp.ps1 script from their github repo at https://github.com/HarmJ0y/PowerUp.  Notice as of Dec 2014 this repo is no longer supported.

2. Drop the file PowerUp.ps1 into a location you can write to.  I have a folder I created called c:\PowerUp.

3. Then execute "powershell.exe -nop -exec bypass" to enable the execution bypass.

4. Then execute "import-module c:\PowerUp\powerup.ps1" of the full path plus the filename of the powershell script.

5. To setup the stage of having a vulnerable service to demonstrate with, I modified the following registry key to allow for an unquoted path vulnerability.


6. I removed the quotes around the path listed in the ImagePath of the registr…

Extract List of IP Addresses from a File using grep

I have run into multiple occurrences where I only want to see the IP Addresses in a given file.  Today I found with the help of Command Line Fu a quick way to parse a file and only return the unique IP Addresses found:

cat tmp.txt | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq

Sometimes I will use this to quickly parse out IP Addresses in an email.  The regulary expression can be changed to extract domain names out of an email also.