So far my Kippo honeypot installation has recieved a number of successful log ins from maliciuos users, some of which have been helpful enough to provide some tools for further analysis. A lot of the archives which have been downloaded show that the kits have been in use for a while, with some archive timestamps going back as far as 2004 (of course this could simply be an incorrect clock on the machine that created the archive). Picking on the most recent download (2010-07-18) I’ve taken a look at the archive containing gosh.tgz.
The archive was downloaded from linux<dot>hostse<dot>com<slash>gosh<tgz>, system is down at time of writing but take care if attempting to investigate yourself. Before downloading the user checked around the system with commands: w, uname -a and cat /proc/cpuinfo, and archive was downloaded and extracted in /dev/shm/.
Once extracted, the archive contains a number of files:
| 1: | ISO-8859 English text, with CRLF line terminators |
| 2: | ASCII text |
| 3: | ASCII C++ program text, with CRLF line terminators |
| 4: | ASCII text |
| 5: | ASCII text |
| a: | ISO-8859 text, with CRLF line terminators |
| common: | ASCII C++ program text |
| gen-pass.sh: | Bourne-Again shell script text executable |
| go.sh: | ASCII text |
| mfu.txt: | ASCII text |
| pass_file: | ASCII text |
| pscan2: | ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped |
| scam: | Bourne-Again shell script text executable |
| secure: | Bourne-Again shell script text executable |
| ss: | ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.0.0,stripped |
| ssh-scan: | ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.0.0, stripped |
| vuln.txt: | empty |
- Interesting files:
- Files 1 to 5, common and pass_file are password lists, totalling 235,523 potential passwords.
- mfu.txt is a list of IP addresses, mostly in the 38.99.0.0/16 address space.
- pscan2 is a fairly common and generic port scanner.
- scam is a shell script that appears to be the core brains of the toolkit. It essentially looks through scanning a different ranges of IP addresses while periodically emailing the contents of vuln.txt back to it’s master (mafia89tm@yahoo.co.uk).
- ss: appears to be another scanner used for looking for potential targets.
- ssh-scan: appears to be a Romanian tool from the message provided if run without arguments, according to Google Translate (possibly NSFW), and as you would guess from the file name is a scanner for SSH services.
- vuln.txt is blank in the archive, and will be the output of vulnerable systems located by the scanners.
All told this appears to be a kit for performing further scans for unsecured SSH sessions, and it is likely that a similar kit hosted on a different compromised machine was responsible for identifying my installation in the first place. Kits like this also quickly show the problem with tracking down the malicious user behind an compromise or attempt, it is rare for attacks to be launched from systems that can easily be traced back to the malicious user.
A quick Google search confirms that this kit (and user) has been seen in the wild attacking other systems, this posting on the Shell Person blog writes up the aftermath after a production system was compromised by the same kit.
–Andrew Waite
Leave a comment