kippo
connection problems with dropbear based malware
From cptnrd on January 24, 2011 10:37:08
Hi, I'm using kippo and I think it's great! Unfortunately, I have problems with some connections.
What is the expected output? What do you see instead?
This is what I find in the logs when attackers connect with malware apparently based on dropbear code ->
2011-01-23 xx:xx:x0+0100 [HoneyPotTransport,1,attacker.ip.addr] connection lost
2011-01-23 xx:xx:x2+0100 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: attacker.ip.addr:3137 (my.ip.addr:65022) [session: 2]
2011-01-23 xx:xx:x2+0100 [HoneyPotTransport,2,attacker.ip.addr] Remote SSH version: SSH-2.0-dropbear_0.49
2011-01-23 xx:xx:x2+0100 [HoneyPotTransport,2,attacker.ip.addr] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2011-01-23 xx:xx:x2+0100 [HoneyPotTransport,2,attacker.ip.addr] outgoing: aes128-cbc hmac-sha1 none
2011-01-23 xx:xx:x2+0100 [HoneyPotTransport,2,attacker.ip.addr] incoming: aes128-cbc hmac-sha1 none
2011-01-23 xx:xx:x4+0100 [HoneyPotTransport,2,attacker.ip.addr] NEW KEYS
2011-01-23 xx:xx:x4+0100 [HoneyPotTransport,2,attacker.ip.addr] starting service ssh-userauth
2011-01-23 xx:xx:x4+0100 [SSHService ssh-userauth on HoneyPotTransport,2,attacker.ip.addr] root trying auth none
2011-01-23 xx:xx:x4+0100 [SSHService ssh-userauth on HoneyPotTransport,2,attacker.ip.addr] root trying auth keyboard-interactive
2011-01-23 xx:xx:x4+0100 [SSHService ssh-userauth on HoneyPotTransport,2,attacker.ip.addr] login attempt [root/] failed
2011-01-23 xx:xx:x4+0100 [SSHService ssh-userauth on HoneyPotTransport,2,attacker.ip.addr] root failed auth keyboard-interactive
2011-01-23 xx:xx:x4+0100 [SSHService ssh-userauth on HoneyPotTransport,2,attacker.ip.addr] unauthorized login:
2011-01-23 xx:xx:x5+0100 [SSHService ssh-userauth on HoneyPotTransport,2,attacker.ip.addr] root trying auth keyboard-interactive
2011-01-23 xx:xx:x5+0100 [SSHService ssh-userauth on HoneyPotTransport,2,attacker.ip.addr] login attempt [root/] failed
2011-01-23 xx:xx:x5+0100 [SSHService ssh-userauth on HoneyPotTransport,2,attacker.ip.addr] root failed auth keyboard-interactive
2011-01-23 xx:xx:x5+0100 [SSHService ssh-userauth on HoneyPotTransport,2,attacker.ip.addr] unauthorized login:
2011-01-23 xx:xx:x5+0100 [SSHService ssh-userauth on HoneyPotTransport,2,attacker.ip.addr] root trying auth keyboard-interactive
(...this goes on for ~20 more times - too often to be realistic)
It seems it can't get to authenticate. There should be a password after the " [root/]" part of the log.
Kippo works great with attackers using libssh ->
2011-01-23 yy:yy:y0+0100 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: some.attacking.ip:38519 (my.ip.addr:65022) [session: 9]
2011-01-23 yy:yy:y1+0100 [HoneyPotTransport,9,some.attacking.ip] Remote SSH version: SSH-2.0-libssh-0.1
2011-01-23 yy:yy:y1+0100 [HoneyPotTransport,9,some.attacking.ip] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2011-01-23 yy:yy:y1+0100 [HoneyPotTransport,9,some.attacking.ip] outgoing: aes256-cbc hmac-sha1 none
2011-01-23 yy:yy:y1+0100 [HoneyPotTransport,9,some.attacking.ip] incoming: aes256-cbc hmac-sha1 none
2011-01-23 yy:yy:y2+0100 [HoneyPotTransport,9,some.attacking.ip] NEW KEYS
2011-01-23 yy:yy:y2+0100 [HoneyPotTransport,9,some.attacking.ip] starting service ssh-userauth
2011-01-23 yy:yy:y2+0100 [SSHService ssh-userauth on HoneyPotTransport,9,some.attacking.ip] root trying auth password
2011-01-23 yy:yy:y2+0100 [SSHService ssh-userauth on HoneyPotTransport,9,some.attacking.ip] login attempt [root/123!@#] failed
What version of the product are you using? On what operating system?
I am using the current kippo 0.5 on a ubuntu 10.10 i386.
Please provide any additional information below.
I was tracking the attacker which uses the dropbear based malware for some time with a specially rigged openssh daemon. The daemon logs the passwords that are tried. That's why I think kippo does not work correctly but the malware does - or does at least with a current openssh server.
Any hints as how to proceed are very welcome.
Regards Andreas
Original issue: http://code.google.com/p/kippo/issues/detail?id=30
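The two log excerpts above differ in one detail that a defender can key on: the dropbear-based client loops through keyboard-interactive authentication with an empty password ("login attempt [root/] failed") many times per session, while the libssh client sends a real password. The following is an added example, not kippo's own code, that parses kippo 0.5-style log lines per session and flags sessions showing that empty-password loop. The timestamps, peer addresses and session ids in the embedded sample are constructed; the line layout is assumed to match the excerpts quoted in this report.

```python
import re
from collections import Counter

# Line shapes copied from the kippo 0.5 excerpts in the issue; the prefix layout
# (timestamp, then "[HoneyPotTransport,<session>,<peer>]") is assumed stable.
TRANSPORT_RE = re.compile(
    r"^\S+ \S+ \[(?:SSHService ssh-userauth on )?HoneyPotTransport,(\d+),([^\]]+)\] (.*)$"
)
VERSION_RE = re.compile(r"^Remote SSH version: (\S+)$")
TRYING_RE = re.compile(r"^(\S+) trying auth (\S+)$")
ATTEMPT_RE = re.compile(r"^login attempt \[([^/\]]*)/([^\]]*)\] (failed|succeeded)$")


def summarize_sessions(lines):
    """Group per-session auth events: client banner, auth methods tried,
    number of login attempts, and how many of them carried an empty password."""
    sessions = {}
    for line in lines:
        m = TRANSPORT_RE.match(line.rstrip("\n"))
        if not m:
            continue  # factory lines, tracebacks etc. carry no per-session auth event
        sid, peer, msg = m.groups()
        s = sessions.setdefault(sid, {
            "peer": peer, "version": None, "methods": Counter(),
            "attempts": 0, "empty_password": 0,
        })
        v = VERSION_RE.match(msg)
        if v:
            s["version"] = v.group(1)
            continue
        t = TRYING_RE.match(msg)
        if t:
            s["methods"][t.group(2)] += 1
            continue
        a = ATTEMPT_RE.match(msg)
        if a:
            s["attempts"] += 1
            if a.group(2) == "":
                s["empty_password"] += 1
    return sessions


def flag_empty_password_loops(sessions, threshold=5):
    """Session ids that repeated keyboard-interactive auth with an empty
    password at least `threshold` times: the pattern seen with the dropbear
    based client, which no interactive human login would produce."""
    return sorted(
        sid for sid, s in sessions.items()
        if s["empty_password"] >= threshold
        and s["methods"]["keyboard-interactive"] >= threshold
    )


TS = "2011-01-23 03:14:02+0100"  # constructed timestamp reused on every sample line


def _dropbear_session(sid, peer, rounds):
    """Constructed sample: one dropbear-style session with `rounds` empty-password tries."""
    tr = f"{TS} [HoneyPotTransport,{sid},{peer}] "
    ua = f"{TS} [SSHService ssh-userauth on HoneyPotTransport,{sid},{peer}] "
    lines = [tr + "Remote SSH version: SSH-2.0-dropbear_0.49", ua + "root trying auth none"]
    for _ in range(rounds):
        lines += [ua + "root trying auth keyboard-interactive",
                  ua + "login attempt [root/] failed",
                  ua + "root failed auth keyboard-interactive",
                  ua + "unauthorized login: "]
    return lines


# Constructed sample log: one dropbear-style loop plus one libssh-style session.
SAMPLE_LOG = _dropbear_session("2", "198.51.100.7", rounds=8) + [
    f"{TS} [HoneyPotTransport,9,203.0.113.5] Remote SSH version: SSH-2.0-libssh-0.1",
    f"{TS} [SSHService ssh-userauth on HoneyPotTransport,9,203.0.113.5] root trying auth password",
    f"{TS} [SSHService ssh-userauth on HoneyPotTransport,9,203.0.113.5] login attempt [root/123!@#] failed",
]

if __name__ == "__main__":
    sessions = summarize_sessions(SAMPLE_LOG)
    for sid in flag_empty_password_loops(sessions):
        s = sessions[sid]
        print(f"session {sid} from {s['peer']} ({s['version']}): "
              f"{s['empty_password']} empty-password keyboard-interactive attempts")
```

Run it against a real kippo log with `summarize_sessions(open("kippo.log"))`; the threshold is deliberately a parameter, since a single empty-password try can be a legitimate client probing before prompting, while a loop of twenty is the scanner behaviour described in this report.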
From desaster on February 06, 2011 02:13:31
I tested this some time ago with dropbear 0.49, but couldn't reproduce the problem.
Would be nice to find the actual malware they are using.. but it's a chicken/egg problem I guess :)
Status: Accepted
From dvarjen on April 27, 2011 16:25:48
Try to add a new password with the command:
./passdb.py ../data/pass.db add ""
That will allow those sessions to work, but then you will get rather funny errors when they run their scripts. It seems kippo is trying to run HoneyPotAvatar.execCommand and that fails because it raises NotImplementedError.
I have the URLs for the two binaries that they are trying to download.
From desaster on April 29, 2011 05:30:58
Ah, maybe I should implement that.
If the binaries they were trying to download contain their dropbear based scanners, it would be interesting to see.
My plan has been to setup a non-kippo honeypot to catch these, but I've been too lazy.
From dvarjen on May 02, 2011 14:21:30
I see that I didn't include the practical parts:
2011-05-02 11:07:47+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,4028,xxx.xxx.xxx.xxx] Unhandled Error
Traceback (most recent call last):
  File "/usr/lib/python2.6/dist-packages/twisted/python/log.py", line 69, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/lib/python2.6/dist-packages/twisted/python/context.py", line 59, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/lib/python2.6/dist-packages/twisted/python/context.py", line 37, in callWithContext
    return func(*args, **kw)
  File "/usr/lib/python2.6/dist-packages/twisted/conch/ssh/channel.py", line 137, in requestReceived
    return f(data)
---
Also I found a neat way to reproduce the error. I suspect that they use a bash script that iterates over a list of common passwords, changes the env variable named DROPBEAR_PASSWORD and then uses a command similar to: dbclient -T root@$TARGET "ls -la"
That command has been tested on my instance of kippo and it produces the same output as the one above.
From desaster on October 24, 2011 00:04:57
I think the ssh scanner is actually this: http://en.wikipedia.org/wiki/Psyb0t The scanner is a mipsel binary, so I haven't managed to test it yet.
I can't reproduce the problem using a normal dropbear binary and DROPBEAR_PASSWORD.
Will investigate more...
From michel.oosterhof on April 14, 2013 04:06:10
Okay. I'm running into a similar problem with some recent scan attempts as well.
In this case they don't open an interactive session, but just try to run a single command through the honeypot.
Easy way to reproduce
ssh root@honeypot id
exec request failed on channel 0
On the kippo logs we get the same notImplemented error as mentioned below. I can provide more logs, but I think the problem is that kippo does not implement channels to run a single command, as opposed to a complete interactive session.
From desaster on April 16, 2013 05:32:36
Indeed the exec method is just not implemented.
This is a bit different from the original problem in this issue report, but should be added too.
From michel.oosterhof on April 20, 2013 04:31:39
I've created a new ticket for the exec method, so we can track things separately.