Wednesday, March 25, 2015

What's in the honeypot? SSH Scanning leads to Interesting Domain

SSH scanning appears to be a popular activity for a honeypot to capture.  I thought I would share what I have seen in my honeypots thus far.

Below are the top 10 IP Addresses that have scanned my honeypots, along with the number of times each appears in the logs:
1: - 2,390
2: - 2,332
3: - 2,125
4: - 2,104
5: - 1,728
6: - 1,683
7: - 1,604
8: - 1,555
9: - 1,472
10: - 1,371

These statistics were pulled from multiple honeypots into a single file, and then I wrote the Python script below to aggregate the total number of occurrences for each IP Address:


file = open('stats.temp', 'r')
for line in file:
item = line.split(' ')
if priorLine == item[0]:
priorLine = item[0]
priorCalc = priorCalc + int(item[1])
print priorLine + " " + str(priorCalc)
priorLine = item[0]

From the top 10 IP Addresses above I wanted to see if any of them appeared in more than one honeypot. Surprisingly enough, the three IP Addresses below appeared in more than one:
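The two questions above (total occurrences per IP across all honeypots, and which IPs were seen by more than one honeypot) can be answered in one pass. The script below is an added example, not the post's own code; it reads the same "<ip> <count>" line format as stats.temp, and the honeypot names and addresses in it are constructed placeholders (RFC 5737 documentation ranges).

```python
# Added example (not the post's own script): merge per-honeypot SSH scanner
# counts, rank the top-N sources and list IPs seen by more than one honeypot.
from collections import Counter, defaultdict

# Constructed sample: each honeypot emits lines of "<ip> <count>" (same format
# as the stats.temp file in the post). Addresses are documentation placeholders.
HONEYPOT_STATS = {
    "hp-1": "192.0.2.10 1200\n192.0.2.11 900\n198.51.100.5 300\n",
    "hp-2": "192.0.2.10 1190\n203.0.113.7 1500\n\n198.51.100.5 150\n",
    "hp-3": "203.0.113.7 833\nmalformed-line\n198.51.100.77 40\n",
}

def parse_stats(text):
    """Yield (ip, count) pairs, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue  # tolerate junk rather than aborting halfway through a file
        yield parts[0], int(parts[1])

def aggregate(stats_by_honeypot):
    """Return (total count per IP, set of honeypots that saw each IP)."""
    totals = Counter()
    seen_by = defaultdict(set)
    for hp, text in stats_by_honeypot.items():
        for ip, count in parse_stats(text):
            totals[ip] += count
            seen_by[ip].add(hp)
    return totals, seen_by

def top_n(totals, n=10):
    """Top-N (ip, total) pairs, highest count first."""
    return totals.most_common(n)

def seen_by_multiple(seen_by, minimum=2):
    """IPs observed by at least `minimum` distinct honeypots, sorted."""
    return sorted(ip for ip, hps in seen_by.items() if len(hps) >= minimum)

if __name__ == "__main__":
    totals, seen_by = aggregate(HONEYPOT_STATS)
    for rank, (ip, count) in enumerate(top_n(totals), 1):
        print("%2d: %s - %s" % (rank, ip, format(count, ",")))
    print("seen by more than one honeypot:", seen_by_multiple(seen_by))
```

Point the dictionary at real per-honeypot files (one entry per honeypot) and the overlap list is exactly the cross-honeypot check described above.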

Using a whois lookup on these IP Addresses, the information below can be derived. Again, the information returned does not in any way attribute the activity to the country or the owners of the IP Addresses.

IP Address:
IP Range: -
Country: CN (China)

IP Address:
IP Range: -
Description: CHINANET jiangsu province network
Description: China Telecom
Country: CN

IP Address:
IP Range: -
Description: China Telecom
Country: CN

I also wanted to see if these IP Addresses showed up in VirusTotal as serving malware or as having a history of malicious websites associated with them:

IP Address: came back with no malicious domains being associated so far.

IP Address: came back with the following information:
IP Address: came back with the following information:

From the above research about the IP Addresses we identify some domains and URLs of interest. First I am going to look at the registrations of the domains:

IP Address:
By searching for this domain, the following IP Addresses have been associated with it over time.
From the listing above it appears that the most recent URL used for this domain is currently pointing to IP Address. After looking at this IP Address I wanted to see whether the last file uploaded from that domain still existed. Sure enough, I could still download the file below:

Finding that the file was an APK, an Android package, I pulled it down. An APK file is nothing more than a zip file. We are looking for the dex file inside the APK, so I extracted it with the following command:

Checksum of APK: 77696c5fc37ce4881a319c1b962b74f1
unzip sosmap_android.apk classes.dex

Then, with the classes.dex file in hand, I needed to get back to the Java code. I can convert the dex file to Java class files by executing the following command:

Checksum of the dex file: fee0756c47a10382161d720083342c65
dex2jar classes.dex

This creates the file classes_dex2jar.jar, which can then be unzipped as well at this point in time.

The jar file produced by dex2jar has the following checksum: 06538782eaa69970f54b59f1d30c60bc

Well I have chased this down the rabbit hole as far as I want to go.  Enjoy!
