Slightly interesting find from sshranking

Found something somewhat interesting via my ssh-ranking project
for the IP 218.28.116.247 (info page | mirror)
So when I notice the attacker has some HTTP server going, I like to take a screenshot of said server.
This IP got:

(screenshot: 218.28.116.247--1394113763)

So I downloaded those files and ran file on them:

1:      ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
2:      ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped
3:      ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped
4:      C source, ASCII text, with CRLF line terminators
5.out:  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0x5e73ee3d92c18d1fb20e666626500eb580f0be39, not stripped
DDos:   ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, BuildID[sha1]=0x3e423c19e481cf3b53b66fa8fd9857338565206a, stripped
DDos64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, BuildID[sha1]=0x2a987952391f567270d8c656b68613f38b00cc5c, not stripped

So yay, looks like I found some server that’s set up to host stuff for botnets:
Let's start with that C source code: (view it here)

The comment on the C code is:
/*
* jessica_biel_naked_in_my_bed.c
*
* Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura.
* Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca.
* Stejnak je to stare jak cyp a aj jakesyk rozbite.
*
* Linux vmsplice Local Root Exploit
* By qaaz
*
* Linux 2.6.17 - 2.6.24.1
*
* This is quite old code and I had to rewrite it to even compile.
* It should work well, but I don't remeber original intent of all
* the code, so I'm not 100% sure about it. You've been warned ;)
* 
* -static -Wno-format  
*/

The first part is in Slovak: (google translate)
* Doval of Knajpa and stare from Wojtas again has nothing to do, kura.
* Gizdi, mate cosyk Here you will find the edge, while a Flow and blabbed.
* Anyway this is old as well as CYP jakesyk crack.

So it's a rather old Linux exploit, so this is most likely post-exploitation stuff (e.g. the attacker already has a user-level shell on an out-of-date Linux box and will use this to get root).

Let's take a look at the executables. I'm going to use my awesome reverse engineering skills here (aka, let's run strings on them).

  1. Starting with the file named ‘1’ (view the strings output here)
    • This binary is one for trying to get root from user privs
  2. binary: 2 (strings output)
  3. binary: 3 (strings output)
    • Looks to be similar to binary 2 but with some ‘l33tsp3ak’ added, and other things
    • “3v3ryth3ng f41l3d!!*@&^@&*^ () * try an0th3r 0d4y L0l”   –> “Everything failed ….. try another 0day lol”
  4. binary: 5.out (strings output)
    • From googling, looks like yet another Linux 0day
  5. binary: DDos (strings output)
    • From the name, I’m going to assume this is for running DDoS attacks once the attacker has root
    • Found a domain in the strings though: jeck.f3322.org (which goes to the same server). I’ll talk more about this later.
  6. binary: DDos64
    • Same thing as DDos; just compiled for 64-bit

So let's take a closer look at that domain name, and the IP:

% nslookup jeck.f3322.org
Non-authoritative answer:
Name:   jeck.f3322.org
Address: 218.28.116.247

% nslookup 218.28.116.247
Non-authoritative answer:
247.116.28.218.in-addr.arpa     name = pc0.zz.ha.cn.

Authoritative answers can be found from:
28.218.in-addr.arpa     nameserver = ns.hazzptt.net.cn.
28.218.in-addr.arpa     nameserver = ns.halyptt.net.cn.

% nslookup pc0.zz.ha.cn
** server can't find pc0.zz.ha.cn: NXDOMAIN

So none of that matches up at all… and by the time I got back to writing this, things had gone down; anyways…

I also found another very similar server: 122.226.102.99

(info page | mirror)

(screenshot: 122.226.102.99--1394556350)

1:     ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
2:     ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped
3:     ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped
4:     C source, ASCII text, with CRLF line terminators
5.out: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0x5e73ee3d92c18d1fb20e666626500eb580f0be39, not stripped
txma:  ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped

So the files seem to be similar:

  1. File ‘1’: an md5sum shows it's the same file from the first IP
    $ md5sum */1
    a3e718751e600c4e8503ac6836b84aba  122.226.102.99/1
    a3e718751e600c4e8503ac6836b84aba  218.28.116.247/1
  2. file ‘2’
        again, same file
    $ md5sum */2
    e62089b51f3b485b891359accdb11bdc  122.226.102.99/2
    e62089b51f3b485b891359accdb11bdc  218.28.116.247/2
  3. file ‘3’
        again, same file
    $ md5sum */3
    585be83c1ee0ad009379369717ba988c  122.226.102.99/3
    585be83c1ee0ad009379369717ba988c  218.28.116.247/3
  4. file ‘4’
        again, same file
    $ md5sum */4
    9a501b92f3cf548ba13478f1b5855c68  122.226.102.99/4
    9a501b92f3cf548ba13478f1b5855c68  218.28.116.247/4
  5. file ‘5.out’
        again, same file
    $ md5sum */5.out
    ff1e9d1fc459dd83333fd94dbe36229a  122.226.102.99/5.out
    ff1e9d1fc459dd83333fd94dbe36229a  218.28.116.247/5.out
  6. New file: ‘txma’ (txma: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped)
    • strings output
    • basically all gibberish because this file is packed with the UPX executable packer
    • I'm sure someone could ‘unpack it’; chances are it's similar to one of the other binaries
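Doing the same triage in code, as an added example that is not from the post (the sample bytes are constructed stand-ins, not the files from either server): read the ELF header the way file does, flag the UPX! marker that shows txma is packed, and group identical files across the two hosts by md5 as the md5sum comparison above did.

```python
import hashlib
import struct
from collections import defaultdict

ELF_MAGIC = b"\x7fELF"
# e_machine values for the two architectures that file reported in the post.
MACHINES = {0x03: "Intel 80386", 0x3E: "x86-64"}


def triage(blob):
    """Summarise one sample the way the post did by hand with file, md5sum and
    strings: ELF class/arch, whether the UPX packer marker is present, and the
    md5 used to spot the same file hosted on two servers."""
    info = {"md5": hashlib.md5(blob).hexdigest(), "elf": False,
            "upx": b"UPX!" in blob}
    if blob[:4] != ELF_MAGIC or len(blob) < 20:
        return info
    ei_class, ei_data = blob[4], blob[5]        # 1 = 32-bit / LSB, 2 = 64-bit / MSB
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", blob, 16)
    info.update(elf=True,
                bits=32 if ei_class == 1 else 64,
                data="LSB" if ei_data == 1 else "MSB",
                machine=MACHINES.get(e_machine, hex(e_machine)),
                executable=(e_type == 2))       # ET_EXEC
    return info


def find_duplicates(samples):
    """Group sample paths by md5 (the md5sum */N comparison across both hosts)."""
    groups = defaultdict(list)
    for path, blob in samples.items():
        groups[triage(blob)["md5"]].append(path)
    return {h: sorted(p) for h, p in groups.items() if len(p) > 1}


def fake_elf(bits, machine, tail=b""):
    """Constructed stand-in: a bare ELF header plus filler, not a real sample."""
    ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 1, 1, 0]) + b"\x00" * 8
    return ident + struct.pack("<HH", 2, machine) + b"\x00" * 32 + tail


# Constructed inputs mirroring the post's <ip>/<name> layout; the real files are not included.
SAMPLES = {
    "218.28.116.247/1": fake_elf(32, 0x03),
    "122.226.102.99/1": fake_elf(32, 0x03),
    "218.28.116.247/DDos64": fake_elf(64, 0x3E),
    "122.226.102.99/txma": fake_elf(32, 0x03, b"UPX!" + b"\x00" * 8),
}
```

Running triage over each entry of SAMPLES and find_duplicates(SAMPLES) reproduces the post's three observations: the 32/64-bit split, the UPX-packed txma, and file 1 being the same on both hosts.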

Link to all the binaries: (warning: it's obviously malware; don't run what's in this unless you know what you're doing)

Soon to follow: another server with the same HttpFileServer, but way different files. Also another with files via anonymous FTP.

How I use autossh

autossh is a nice little program that will automatically restart ssh connections when they drop.
This is extremely useful if you use ssh-tunnels a lot.

  • autossh is a program to start a copy of ssh and monitor it, restarting it as necessary should it die or stop passing traffic. The idea is from rstunnel (Reliable SSH Tunnel), but implemented in C.
  • Connection monitoring using a loop of port forwardings or a remote echo service.
  • Backs off on rate of connection attempts when experiencing rapid failures such as connection refused.

I have my Raspberry Pi at home using autossh to do a remote port forward of ssh to my server.

To set this up I created an account on my server just for tunneling: a user called tunnel with the shell set to /bin/false.
On the rpi I generated ssh keys (with no password).

Toss the public key into the tunnel account's ~/.ssh/authorized_keys on the remote server.

Now test it without autossh:

root@rpi:~# ssh -N -R 3333:localhost:22 tunnel@server
The -N is for no shell; the -R forwards the rpi's sshd to port 3333 on your remote server.
Now from the server you can do ssh user@localhost -p 3333 and log in :D

Now for autossh!
I use autossh in cron; not _sure_ if that's how it's meant to be used… but it works very nicely.
As root, crontab -e:
*/1 * * * * autossh -M 20001 -R 3333:localhost:22 -N tunnel@server
This will check the tunnel every minute, and if it's not up it will bring it up.
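The tunnel account as set up above (shell /bin/false, plain key) still lets whoever holds that key open any local or remote forward through the server. This is an added config fragment, not from the original post, that pins the key and the account to the one reverse forward the post uses; it assumes OpenSSH 7.8 or later (for permitlisten/PermitListen) and the key material shown is a placeholder.

```sshconfig
# ~tunnel/.ssh/authorized_keys on the server (one line; key material is a placeholder).
# restrict turns everything off, port-forwarding turns forwarding back on, and
# permitlisten limits -R to port 3333 only; a shell request just runs /bin/false.
restrict,port-forwarding,permitlisten="3333",command="/bin/false" ssh-ed25519 AAAA...PLACEHOLDER rpi-tunnel

# /etc/ssh/sshd_config on the server: the same limits enforced server-side for the account,
# so a mistake in authorized_keys does not silently widen what the tunnel user can do.
Match User tunnel
    AllowTcpForwarding remote
    PermitListen 3333
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
```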

It's like a lazy man's VPN! :D

Shmoocon 2014 slides I’ve found

Still being updated

Friday, January 17, 2014
Time One Track Mind
1230 Registration Opens
1430
Opening Remarks, Rumblings, and Rants
Bruce Potter
1530
Attacker Ghost Stories: Mostly Free Defenses That Give Attackers Nightmares
Mubix “Rob” Fuller
<–SLIDES–>
1600
The Evolution of Linux Kernel Module Signing
Rebecca “.bx” Shapiro
<–SLIDES–>
1630
How Hackers for Charity (Possibly) Saved Me a Lot of Money
Branden Miller and Emily Miller
1700
CCTV: Setup, Attack Vectors, and Laws
Joshua Schroeder and Spencer Brooks
1730
Security Analytics: Less Hype, More Data
Aaron Gee-Clough
1800
Dissipation of Hackers in the Enterprise
Weasel
1830 Keynote Address
Privacy Online: What Now?
Ian Goldberg
1945 Fire Talks
Saturday, January 18, 2014
Time Build It! Belay It! Bring it On!
0930 Registration Opens
1000
Genuinely “Trusted Computing:” Free and Open Hardware Security Modules
Ryan Lackey

Introducing DARPA’s Cyber Grand Challenge
Mike Walker

Technology Law Issues for Security Professionals
Shannon Brown
1100
Malicious Threats, Vulnerabilities, and Defenses in WhatsApp and Mobile Instant Messaging Platforms
Jaime Sanchez and Pablo San Emeterio
<–SLIDES–>

Unambiguous Encapsulation – Separating Data and Signaling
Dominic Spill and Michael Ossmann

I Found a Thing and You Can (Should) Too: ISP’s Unauthenticated SOAP Service = Find (Almost) All The Things!
Nicholas Popovich
1200
SafeCurves: Choosing Safe Curves for Elliptic-Curve Cryptography
Daniel J. Bernstein and Tanja Lange
<–SLIDES–>

A Critical Review of Spatial Analysis
David Giametta and Andrew Potter

Arms Race: The Story of (In)-Secure Bootloaders
Lee Harrison and Kang Li
1300 Lunch Break
1400
Controlling USB Flash Drive Controllers: Expose of Hidden Features
Richard Harman
<–SLIDES–>

Data Whales and Troll Tears: Beat the Odds in InfoSec
Davi Ottenheimer and Allison Miller

Syncing Mentorship Between Winners And Beginners
Tarah Wheeler Van Vlack and Liz Dahlstrom
1500
0wn the Con
The Shmoo Group

Operationalizing Threat Information Sharing: Beyond Policies and Platitudes
Sean Barnum and Aharon Chernin

The NSA: Capabilities and Countermeasures
Bruce Schneier
1600
AV Evasion With the Veil Framework
Christopher Truncer, Will Schroeder, and Michael Wright
<–SLIDES–>

The “Science of Cyber” and the Next Generation of Security Tools
Paulo Shakarian

How to Train your Snapdragon: Exploring Power Frameworks on Android
Josh “m0nk” Thomas
<–SLIDES–>
1700
ADD — Complicating Memory Forensics Through Memory Disarray
Jake Williams and Alissa Torres
<–SLIDES–>

Timing-Based Attestation: Sexy Defense, or the Sexiest?
Xeno Kovah, Corey Kallenberg, and John Butterworth

LTE vs. Darwin
Hendrik Schmidt and Brian Butterly
1815 Fire Talks
2015 Saturday Night Party @ The Hilton, International Center Ballroom
Paul and StormDJs: Keith Meyers, Zack Fasel, and Erin Jacobs
Sunday, January 19, 2014
Time Build It! Belay It! Bring it On!
0930 Registration Opens
1000
An Open and Affordable USB Man in the Middle Device
Dominic Spill

“How I Met Your Mother” or The Brief and Secret History of Bletchley Park and How They Invented Cryptography and the Computer Age
Benjamin Gatti

Malicious Online Activities Related to the 2012 U.S. General Election
Joshua Franklin, Robert Tarlecki, Matthew Jablonski, and Dr. Damon McCoy
<–SLIDES–>
1100
unROP: A Tool for In-Memory ROP Exploitation Detection and Traceback
Kang Li, Xiaoning Li, and Lee Harrison

Raising Costs for Your Attackers Instead of Your CFO
Aaron Beuhring and Kyle Salous
<–SLIDES–>

Vehicle Forensics – The Data Beyond the Dashboard
Courtney Lancaster
1200
Introducing idb – Simplified Blackbox iOS App Pentesting
Daniel A. Mayer
<–SLIDES–>

Practical Applications of Data Science in Detection
Mike Sconzo and Brian Wylie

You Don’t Have the Evidence
Scott Moulton
1300 Room Split Break
1330 Closing Plenary
Large Scale Network and Application Scanning
Bruce Potter (moderator), Robert David Graham, Paul McMillan, Dan Tentler, and Alejandro Caceres
1430 Closing Remarks

Ingress in Brave gifs

From the movie Brave we can describe Ingress! :D

successfully defending a portal via recharge

getting help defending a portal

what it feels like being level 8

when your newly deployed portal gets taken over as you leave the area

getting lucky on portal submission

asking your fellow teammates to take down a portal/field for you

been playing ingress too much lately and need a break as people ask you to do things

brand spanking new L8 farm goes down

non-ingress people seeing people playing ingress

when you think the enemy faction might be in the area

getting ready for a build’n’burn

SSH ranking update!

Firstly, links!:

http://vps2.pronto185.com/ssh_rank/lists/all
https://github.com/pronto/SSH-Ranking
Also, follow me: https://github.com/pronto/ https://twitter.com/moo_pronto

Now for “wtf is all this?!”

Intro bit:
On Linux boxes there's a file called /var/log/auth.log where all login attempts to the system are logged, among other things.
If you've ever run a Linux box on the web with port 22 open you'll know that it gets hit, and hit hard (especially so if your IP is in a well-known ‘server range’, e.g. linode.com).
Now most sane people will either just use fail2ban (or something similar) or change the ssh port.
But craycray people like myself like it when auth.log* gets filled up with these attempts: it's a fun dataset!
About the project:
This project mainly started as something to do using python, sql-alchemy, flask/jinja2 and other things.
What it does is parse through auth.log, get every failed login attempt and toss it into a database.
Then the web part will query the DB and display interesting things, e.g. http://vps2.pronto185.com/ssh_rank/user/r00t: which IPs have tried the user name ‘r00t’.
Remember this project is still in the early phases and could be unstable. I wouldn't run this on production boxes. If you want to see data from production boxes, I recommend moving the auth.logs off to some test server and telling sshrank.py to parse those.
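A minimal version of that parse step, as an added example that is not the project's own sshrank.py (the log lines are constructed in the OpenSSH auth.log format, not taken from the author's dataset): pull every failed password attempt out of the text and answer the /user/r00t question, which IPs tried that user name.

```python
import re
from collections import Counter

# Constructed auth.log excerpt (not real data from the project).
SAMPLE_AUTH_LOG = """\
Mar  6 12:01:10 vps2 sshd[2123]: Failed password for invalid user r00t from 203.0.113.5 port 41022 ssh2
Mar  6 12:01:14 vps2 sshd[2123]: Failed password for invalid user r00t from 203.0.113.5 port 41030 ssh2
Mar  6 12:02:02 vps2 sshd[2140]: Failed password for root from 198.51.100.77 port 55120 ssh2
Mar  6 12:02:09 vps2 sshd[2144]: Invalid user admin from 198.51.100.77
Mar  6 12:03:00 vps2 sshd[2150]: Accepted publickey for pronto from 192.0.2.10 port 50000 ssh2
Mar  6 12:03:30 vps2 sshd[2160]: Failed password for invalid user r00t from 198.51.100.77 port 55200 ssh2
"""

# sshd writes "invalid user" when the name does not exist on the box; either way the
# attempt counts. Bare "Invalid user ..." lines (no password tried yet) are skipped.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_failed_logins(text):
    """Yield (timestamp, user, ip, port) for each failed password attempt."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("ip"), int(m.group("port"))


def ips_for_user(text, user):
    """Which IPs tried this user name, most active first (the /user/<name> view)."""
    return Counter(ip for _, u, ip, _ in parse_failed_logins(text)
                   if u == user).most_common()


def top_offenders(text, n=10):
    """The IPs with the most failed attempts overall, i.e. the ranking itself."""
    return Counter(ip for _, _, ip, _ in parse_failed_logins(text)).most_common(n)
```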
What's next?:
Going to start doing more digging into the top offenders: doing port scans, keeping an rDNS history for changes, grabbing the whois data to compare with other offenders.
Also thinking about logging the passwords for failed attempts; Eric Gragsone had an interesting idea on how to do that with PAM.

‘This is neat, i want this’ and ‘how can i help?’

Get it running?

The readme on github should help you get started. Note: it was tested on Debian 7.2, so if you use something else you might have to do things differently.
I have gotten it working on Python 2.7 and 2.6.6.

How can I help?

All the code is on github; feel free to fork/etc… and if I like your changes, I'll merge them into the main one.
If you don't know how to use github, I highly recommend learning how to use it; you can find a lot of links here to figure it out :)

Talk to ….me?!

Best way is via IRC (pronto on efnet, freenode, snoonet, and other nets…), email: pronto185@gmail.com, or google chat/hangouts.