15 Apr

Honeypots are an important part of any cyber-defense analysis. They show exactly which vectors cyber-criminals are attempting to exploit in order to gain control of resources. Currently, the most exploited resource is SSH. With most servers using SSH for administration, a lax SSH configuration easily gives criminals access to the servers. SSH is easily scanned for, and once it is found, the attackers (usually bots) brute-force the username and password.

Here is what we have seen on our honeypots, where we purposefully allow users to gain access via SSH. Once they were allowed to log in as root, this command was run:

cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3Nzac1(keydata)...+oRw==mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~ ; chattr -ia .ssh ; lockr -ia .ssh"

Explained, this chain of commands starts with 1) "cd ~ && rm -rf .ssh" to delete the ssh configuration folder in root's home directory. This removes the actual root user's access to the server. By the way, you should never have ssh configured to allow root to log in; you can always sudo after login (if enabled and needed). Next, the bot runs 2) "&& mkdir .ssh && echo 'ssh-rsa AAAAB3NzaC...==mdrfckr'>>.ssh/authorized_keys".

These commands recreate the user's (root's) ssh config directory and recreate the authorized_keys file with the hacker's own RSA key. This allows the hacker to gain access using ssh again. This persistent access allows further action in the future: it could be for downloading malware to make the server part of a botnet that runs DDoS attacks, or it could be for encrypting the drive and holding it for ransom. Those are just two of the more common reasons criminals compromise a server.

Next in the command chain, the command entered is 3) "&& chmod -R go= ~/.ssh && cd ~". Chmod sets the group and owner of the ssh config directory to root, then the bot changes directory to root's home again before 4) "chattr -ia .ssh ;". This command makes the directory immutable and amendable. (Experienced sysadmins' eyebrows raise here. Purposefully not explained here, but you know the issue.)

Next, and last in the chain of commands, came 5) "lockr -ia .ssh". lockr is an ssh key management program (https://www.lockr.io/ (tm)). The criminals attempt to use this program (an enterprise product, paid for by the owners of the server) against the server. (Again, experienced sysadmins' eyebrows will raise.)

That's the command. It repeats over and over, without actually making any changes on the honeypot. But we do get the IP addresses and the attacker's SSH RSA key. The exact repetition and the varied IP addresses indicate a botnet swarm on our honeypot.

The ssh brute-force attack is constant. Once an open ssh port is found, bots swarm to it, stealing bandwidth from the server's owner. In the past, after having been online for 18 hours, our honeypot was getting more than a thousand attempted logins an hour, from too many different IPs to whois them all.

Another attack, which did not follow the same pattern but sought to determine the system type, contained:

cat /proc/cpuinfo | gre name | wc -l ; echo root:(mixed numbers & letters) | chpasswd | bash cat /proc/cpuinfo | grep name | head -n1 | awk {print $4,$5,$6,$7,$8,$9;} ; free -m | grep Mem | awk {print $2,,$3,$4,$5,$6,$7} ; ls -lh $(which ls) ; crontab -l ; uname -m ; cat /proc/cpuinfo | grep model | grep name | wc -l ; top uname ; uname -a lscpu | grep Model
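As an added illustration (not part of the original post), here is a small Python triage script that splits captured honeypot one-liners like the two quoted above into their simple commands and labels the SSH-persistence and host-recon steps. The rule labels, the placeholder key and password, and the tidied-up recon one-liner are my own constructions.

```python
"""Triage captured honeypot shell one-liners for SSH-persistence and recon indicators."""
import re
from typing import List, Tuple

# Rules applied to each simple command: (label, pattern). Labels are descriptive
# only; they name what the command does, not why the bot runs it.
RULES = [
    ("wipe-ssh-dir", re.compile(r"\brm\s+-\w+\s+.*\.ssh\b")),
    ("write-authorized-keys", re.compile(r"authorized_keys")),
    ("chmod-ssh-dir", re.compile(r"\bchmod\b.*\.ssh")),
    ("change-file-attrs", re.compile(r"\bchattr\b")),
    ("reset-root-password", re.compile(r"\bchpasswd\b")),
    ("host-recon", re.compile(r"/proc/cpuinfo|\buname\b|\blscpu\b|\bfree\s+-m\b|\bcrontab\s+-l\b")),
]

# Shell operators that separate simple commands in a one-liner.
_SPLIT = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")

# Constructed sample input: the two one-liners quoted in the post, with key data
# and password replaced by placeholders and the recon capture's typos removed.
SESSION_PERSISTENCE = (
    'cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa PLACEHOLDER_KEYDATA== mdrfckr"'
    ">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~ ; chattr -ia .ssh ; lockr -ia .ssh"
)
SESSION_RECON = (
    "cat /proc/cpuinfo | grep name | wc -l ; echo root:PLACEHOLDER_PASSWORD | chpasswd ; "
    "free -m | grep Mem ; ls -lh $(which ls) ; crontab -l ; uname -m ; uname -a ; lscpu | grep Model"
)

def split_commands(line: str) -> List[str]:
    """Split on &&, ||, ; and |. Quotes/braces are not honoured; fine for bot one-liners."""
    return [c.strip() for c in _SPLIT.split(line) if c.strip()]

def classify(line: str) -> List[Tuple[str, str]]:
    """Return (label, command) for every simple command that matches a rule."""
    hits = []
    for cmd in split_commands(line):
        for label, pattern in RULES:
            if pattern.search(cmd):
                hits.append((label, cmd))
                break  # first matching rule wins
    return hits

def session_labels(line: str) -> List[str]:
    """Distinct labels seen in the session, sorted for stable comparison."""
    return sorted({label for label, _ in classify(line)})

def is_ssh_key_persistence(line: str) -> bool:
    """Flag sessions that wipe .ssh and write authorized_keys in one go."""
    return {"wipe-ssh-dir", "write-authorized-keys"} <= set(session_labels(line))
```

Run over a honeypot's captured command log, `is_ssh_key_persistence` separates the key-implant bots from pure recon sessions, and `session_labels` gives a compact summary per session for clustering repeated captures.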

In another attack, using a different honeypot, criminals determined the type of CPU we had (much like above) and downloaded Hikvision (tm) type security-system malware to it (an ARM-based server). We were able to easily determine that the server connected to our honeypot was a compromised server owned by a corporation in Canada. We also found out there is no one in Canada to report a compromised server to, and no one in Canada cared (circa 2018). We contacted the server's listed administrators (whois) and the Canadian government.

A public-facing server faces a constant barrage of brute-force attacks. Cyber criminals building their botnet of compromised servers constantly look for the 'low-hanging fruit' to add to their arsenal.

A well-placed honeypot can help you defend your network. It can also alert you when you are facing a determined criminal "a-i-s" at the keyboard rather than just the usual bots looking for easy targets.

We can supply a honeypot that mimics your stack and provide you with information about the threat vectors your systems face daily.