Understanding SSH Honeypot Logs: Attackers Fingerprinting Honeypots, (Thu, Jul 11th)

Category :

SANS Full Feed

Posted On :

Some of the commands observed can be confusing for a novice looking at ssh honeypot logs. Sure, you have some obvious commands like “uname -a” to fingerprint the kernel. However, other commands are less intuitive and are not commands a normal user would use. I am trying to summarize some of the more common ones here, focusing on commands attackers use to figure out if they are inside a honeypot.

busybox dd if=$SHELL bs=22 count=1||dd if=/proc/self/exe bs=22 count=1||while read i;do busybox echo -n $i;done</proc/self/exe||cat /proc/self/exe

There is a lot going on with this line. Let’s take it apart one command at a time:

busybox: Busybox is a special binary found on many IoT style systems. It fulfills the role of various other Linux utilities in one small package. It is often symlinked from other names like “ls”. 

dd: “dd” (disk dump) is often used to copy disk images. But it can be used to read/write any binary file. Here the attacker reads the first 22 bytes of the “$SHELL” binary, usually something like “/bin/bash”. A typical output would be ” ELF>” for an ELF binary.

Next, the attacker is doing the same to the current binary (/proc/self/exe). I believe the purpose of this command line may be to eliminate some honeypots as this command will not work in simulations like cowrie.

I have seen variations of this like for example:

dd bs=52 count=1 if=.s || cat .s || while read i; do echo $i; done < .s

/bin/busybox dd if=/bin/busybox bs=22 count=1||while read i;do /bin/busybox echo -n $i;done</bin/busybox||cat /proc/self/exe

The next line uses a slightly different trick to figure out if the attacker is inside a honeypot:

cd /dev/shm; cat .s || cp /bin/echo .s; /bin/busybox ZRKTA

/dev/shm is the “ramdisk”, a special file system found on most Linux systems. Here the attacker just copies a file to it to see if the copy succeeds. The attacker first views the content of the file “.s”, and later copies the echo command to .s just to see if there are any errors. The busybox command at the end just serves as a simple marker to note that the commands completed.

Next a partial command I see a lot:

(/bin/busybox echo -e “\x44\x49\x52″||echo -e “\x44\x49\x52”)

“echo -e” will output the text identified by he ASCII hex codes. The exact output may vary a bit from system to system as “-e” is not a standard option. But you will get something like

$ echo -e “\x44\x49\x52”

Adding this as an argument to busybox is an attempt to execute a “DIR” command. The goal is not to execute the “DIR” command (it does not exist in Linux). Instead, seeing the “DIR” output will tell the attacker that the command succeeded. 

Seen any other tricks used by attackers lately? Any questions about an odd command logged by cowrie? Let me know! 🙂 

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.