syslog Data format

If you want to write your own honeypot and want to use LongTail to analyze the data you should follow the format below.

YYYY-MM-DDTHH:MM:SS<.milliseconds(optional)>-HH:MM(GMT offset) honeypotName process_name: IP: IP_ADDRESS PassLog: Username: <Username tried> Password: <Password tried>

All fields are single-space delimited.

Field 1 is a date/time stamp. The date is YYYY-MM-DD, followed by a “T” character, followed by a time stamp HH:MM:SS.milliseconds (milliseconds are optional), a “dash” character, and then a GMT offset.
Field 2 is the honeypot name
Field 3 is the sshd process name
Field 4 is a string “IP:”
Field 5 is the IPv4 ip address
Field 6 is a string indicating which type of honeypot
PassLog indicates port 22
Pass2222Log indicates port 2222
Field 7 is a string “Username:”
Field 8 is the username attempted
Field 9 is the string “Password:”
Field 10 is the password tried (Might be blank, 1-n spaces, or a password)

Examples:
2016-04-19T05:40:58-04:00 ecdal2 sshd-22[9306]: IP: 183.3.202.102 PassLog: Username: root Password: sunbird
2016-04-19T05:40:58-04:00 AWS sshd-22[24509]: IP: 183.3.202.106 PassLog: Username: root Password: gemini123
2016-04-19T05:40:59-04:00 ecdal2 sshd-22[9306]: IP: 183.3.202.102 PassLog: Username: root Password: 1234asdf
2016-04-19T05:40:59-04:00 edu_c sshd-22[26957]: IP: 222.186.34.200 PassLog: Username: root Password: anna
2016-04-19T05:40:59-04:00 ecdal2 sshd-22[9306]: IP: 183.3.202.102 PassLog: Username: root Password: gandalf1
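The following parser for the format above is an added example, not LongTail's own code. It handles the optional milliseconds, derives the port from the PassLog/Pass2222Log field, keeps a blank password verbatim, and skips lines that are not in the format; the sample lines marked as constructed (the kippo2 line and the malformed one) are assumptions, not honeypot data from this page.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Added example (not LongTail's own code): parse the honeypot syslog format
# described above. "Pass<port>Log" carries the port; plain "PassLog" is 22.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{3})?[+-]\d{2}:\d{2}) "
    r"(?P<honeypot>\S+) (?P<process>\S+) "
    r"IP: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"Pass(?P<port>\d*)Log: Username: (?P<user>\S*) Password: (?P<password>.*)$"
)

@dataclass
class LoginAttempt:
    when: datetime
    honeypot: str
    process: str
    src_ip: str
    port: int      # 22 for PassLog, 2222 for Pass2222Log
    username: str
    password: str  # verbatim: may be empty or consist only of spaces

def parse_line(line: str) -> Optional[LoginAttempt]:
    """Return a LoginAttempt, or None if the line is not in LongTail format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return LoginAttempt(
        when=datetime.fromisoformat(m["ts"]),
        honeypot=m["honeypot"], process=m["process"], src_ip=m["ip"],
        port=int(m["port"]) if m["port"] else 22,
        username=m["user"], password=m["password"],
    )

def attempts_per_source(lines: list) -> Counter:
    """Count parseable login attempts per source IP; malformed lines are skipped."""
    return Counter(a.src_ip for a in map(parse_line, lines) if a)

# Constructed sample input: two of the example lines above, a line with
# milliseconds, the 2222 honeypot and a blank password, and one bad line.
SAMPLE = [
    "2016-04-19T05:40:58-04:00 ecdal2 sshd-22[9306]: IP: 183.3.202.102 PassLog: Username: root Password: sunbird",
    "2016-04-19T05:40:59-04:00 ecdal2 sshd-22[9306]: IP: 183.3.202.102 PassLog: Username: root Password: 1234asdf",
    "2016-04-19T05:41:00.250-04:00 kippo2 sshd-2222[4242]: IP: 203.0.113.7 Pass2222Log: Username: admin Password: ",
    "this line is not in LongTail format",
]
```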

sshCrazies: Son of sshPsycho?

Since the beginning of this year there has been yet another botnet coming out of China, and since they (apparently) have not been named yet, I’m calling them sshCrazies.

As of May 2nd, they have performed 10975 attacks with a total of 6,784,525 ssh login attempts against my honeypots. While there have only been 30 IP addresses associated with them (so far) (listed below) they have 6.4 times the number of login attempts as the second place class C subnet, and 14.8 times the number of login attempts as the second place class C subnet. (See http://longtail.it.marist.edu/honey/class_c_hall_of_shame.shtml for more details.)

What sets these bad actors apart from the original sshPsychos is that their first password tried has almost always (>99% of the time) been !@ (Exclamation mark and an Ampersand), followed by:
123456
password
root
wubao
jiamima

The passwords wubao and jiamima were hallmarks of the sshPsycho team. It appears (IMHO) that another team of hackers now has a new password (Exclamation mark and an Ampersand) that they set root to when they have hacked a server, and then they try to steal the old sshPsycho servers.

Another difference is that where the sshPsychos were attacking from 4 class c subnets, I have only seen 30 IP addresses from sshCrazies so far. This MIGHT be indicative of them better distributing their attacks so there were not as many repeat attacks as with sshPsychos.


Whois information

[username@longtail attacks_purdue]$ whois 183.3.202.190
[Querying whois.arin.net]
[Redirected to whois.apnic.net]
[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '183.0.0.0 - 183.63.255.255'

inetnum:        183.0.0.0 - 183.63.255.255
netname:        CHINANET-GD
descr:          CHINANET Guangdong province network
descr:          Data Communication Division
descr:          China Telecom
country:        CN
admin-c:        IC83-AP
tech-c:         IC83-AP
status:         ALLOCATED PORTABLE
remarks:        service provider
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:        To report network abuse, please contact the IRT
remarks:        For troubleshooting, please contact tech-c and admin-c
remarks:        For assistance, please contact the APNIC Helpdesk
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CHINANET-GD
source:         APNIC
mnt-irt:        IRT-CHINANET-CN
changed:        hm-changed@apnic.net 20091009

irt:            IRT-CHINANET-CN
address:        No.31 ,jingrong street,beijing
address:        100032
e-mail:         anti-spam@ns.chinanet.cn.net
abuse-mailbox:  anti-spam@ns.chinanet.cn.net
admin-c:        CH93-AP
tech-c:         CH93-AP
auth:           # Filtered
mnt-by:         MAINT-CHINANET
changed:        anti-spam@ns.chinanet.cn.net 20101115
source:         APNIC

person:         IPMASTER CHINANET-GD
nic-hdl:        IC83-AP
e-mail:         gdnoc_HLWI@189.cn
address:        NO.18,RO. ZHONGSHANER,YUEXIU DISTRIC,GUANGZHOU
phone:          +86-20-87189274
fax-no:         +86-20-87189274
country:        CN
changed:        ipadm@189.cn 20110418
changed:        zhengzm@gsta.com 20140922
mnt-by:         MAINT-CHINANET-GD
remarks:        IPMASTER is not for spam complaint,please send spam complaint to abuse_gdnoc@189.cn
abuse-mailbox:  antispam_gdnoc@189.cn
source:         APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)

[username@longtail attacks_purdue]$


IP addresses associated with sshCrazies


Comments, as always are welcome. Please post them to https://groups.google.com/forum/#!forum/longtail-log-analyzer

How to send Apache HTTPD access.log to syslog

In the file /etc/http/conf/httpd.conf

Look for this line

CustomLog logs/access_log combined

And then add this line right after it:

CustomLog |/usr/local/etc/LongTail_send_access_to_syslog.pl combined

Run this command to load the right Perl module

cpan Sys::Syslog

Then create this file and make it executable: LongTail_send_access_to_syslog.pl

#!/usr/bin/perl
use strict;
use warnings;
use Sys::Syslog qw( :DEFAULT setlogsock );

setlogsock('unix');
openlog('LongTail_apache', 'pid', 'auth');
# I use 'auth' for LongTail, you can choose something else.
while (my $log = <STDIN>) {
    chomp $log;
    # Pass the line as an argument, not as the format string, so a '%' in a
    # request URL is logged literally instead of being interpreted by syslog().
    syslog('notice', '%s', $log);
}
closelog();

Then restart Apache and your access.log logfile will go to syslog.

Quick Notes On Kippo For Centos 6.5


# mostly stolen from
# http://www.karmicsangoma.co.za/2014/03/installing-kippo-honeypot-on-centos.html
adduser <username>
passwd <username>
yum install wget unzip twisted
vi /etc/ssh/sshd_config # Change port to 65000, PermitRootLogin no
ssh <username>@<hostname> -p 65000
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j REDIRECT --to-port 2222

wget https://github.com/desaster/kippo/archive/master.zip
unzip master.zip
cd kippo-master/
cp kippo.cfg.dist kippo.cfg
vi kippo.cfg # change ssh_version_string
vi data/userdb.txt  #Add users and passwords

chown -R <username> .
su <username>
./start.sh
ssh <username>@<hostname> # to test

FAQ: Are you performing any logins, on IRC connections to the botnets?

One of the frequent questions I got at DerbyCon 2015 ( https://www.derbycon.com/ ) was: “Are you performing any logins, on IRC connections to the botnets?”

Well, A) I don’t have time to, and B) it’s against our Acceptable Use Policy.

Section 1.2.3 of the Marist Security Manual ( http://security.marist.edu/aup.pdf ) says, in sentence 8…

8. All individuals using Marist’s technical resources will not attempt to gain unauthorized access to systems both on and off campus.

Now if somebody else wants to, I can’t stop them 🙂

>>>>>>>Ericw

Level 3 is actively blocking sshPsycho (yippee)

I have an interesting chart at http://longtail.it.marist.edu/honey/graphics_all.shtml which shows sshPsycho-2 is only attacking ONE of my educational honeypots (edu_c, and it’s mostly red). My cloud providers are also getting slammed by them.

Either
A) They are only interested in edu_c and my cloud provider, or
B) Somebody is blocking them.

I just confirmed this with somebody else who is running a honeypot for LongTail. Level 3 Communications ( http://www.level3.com/en/ ) appears to be, in fact, actively blocking sshPsycho-2 from their backbone. (See this Wall Street Journal article -> http://www.wsj.com/articles/level-3-tries-to-waylay-hackers-1432891803 ).

edu_c can ping an sshPsycho IP address, as can my cloud servers, but none of my other hosts can.

And that explains it (sadly).

EMAIL EXCHANGE BELOW…

-----USER wrote: -----
To: Eric Wedaa
From: USER
Date: 09/30/2015 02:29PM
Subject: Re:

Hi Eric,

No problem, here goes. Does not look like Level3 is involved for us for this connection.

Ping:

ping 43.229.53.80
PING 43.229.53.80 (43.229.53.80) 56(84) bytes of data.
64 bytes from 43.229.53.80: icmp_seq=1 ttl=47 time=111 ms
64 bytes from 43.229.53.80: icmp_seq=2 ttl=47 time=108 ms
64 bytes from 43.229.53.80: icmp_seq=3 ttl=47 time=110 ms
64 bytes from 43.229.53.80: icmp_seq=4 ttl=47 time=109 ms
^C
--- 43.229.53.80 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 108.939/110.215/111.302/0.992 ms

Traceroute:

traceroute 43.229.53.80
traceroute to 43.229.53.80 (43.229.53.80), 30 hops max, 60 byte packets

7 bu-ether22.chcgildt87w-bcr00.tbone.rr.com (107.14.19.34) 98.112 ms 66.109.3.238 (66.109.3.238) 95.719 ms bu-ether12.chcgildt87w-bcr00.tbone.rr.com (66.109.6.25) 90.144 ms
8 so-3-1-0.c0.sjc75.tbone.rr.com (66.109.3.241) 93.545 ms 94.212 ms 66.109.3.243 (66.109.3.243) 96.894 ms
9 bu-ether11.snjucacl67w-bcr00.tbone.rr.com (66.109.6.8) 90.268 ms * 95.834 ms
10 0.ae2.pr0.sjc10.tbone.rr.com (66.109.1.17) 90.144 ms 0.ae0.pr0.sjc10.tbone.rr.com (66.109.6.141) 90.655 ms 90.625 ms
11 66.109.10.214 (66.109.10.214) 93.381 ms 93.374 ms 93.350 ms
12 202.97.50.61 (202.97.50.61) 90.632 ms 90.635 ms 90.628 ms
13 202.97.49.145 (202.97.49.145) 101.313 ms 101.288 ms 101.309 ms
14 203.14.186.2 (203.14.186.2) 92.570 ms 92.587 ms 92.579 ms
15 218.30.44.138 (218.30.44.138) 98.209 ms 218.30.44.130 (218.30.44.130) 106.918 ms 218.30.44.126 (218.30.44.126) 94.337 ms
16 66.102.253.218 (66.102.253.218) 99.676 ms 66.102.253.230 (66.102.253.230) 94.307 ms *
17 43.229.53.80 (43.229.53.80) 111.813 ms 66.102.253.218 (66.102.253.218) 100.458 ms 100.475 ms

-----------------------------------

In your oh so copious spare time, can you run the following commands and send me the results?

ping 43.229.53.80
traceroute 43.229.53.80

I’m trying to verify that Time Warner isn’t going through Level 3 at all.

When I do it, I can’t ping or traceroute that address, and I see that I am going through Level 3 to get there.

Thanks!

>>>>>Ericw

Subtle “Bugs” in Perl Regex and LongTail Botnets

Wowza, I just learned a valuable lesson in Perl Regex.

For some reason my botnet analyze script was pulling in IP addresses into big_botnet that had no visible connection (no matching md5sum).

As seen in a prior post, I gather IP addresses together, and then use the md5sums of the attacks to try and add more IP addresses to the botnet.

The code I was using was this:


$ip = $_;   # $ip is a line from the botnet definition file
open(SUMDATA, "/var/www/html/honey/attacks/sum2.data") or die "sum2.data: $!";
while (<SUMDATA>) {
    $line = $_;
    if (/$ip/) {
        # ... $ip was found in this line of sum2.data ...
    }
}

And the file it is searching through looks like this:


a71ac83fc03ca530136e2adb4e175f48 62.4.9.24.shepherd.1-2015.02.04.12.57.09
ad53ba7b3ea9d177559bcea56fc44448 62.4.9.2.shepherd.1-2015.01.18.15.11.05
f06669ab489d368448e6238460ba060f 62.4.9.2.shepherd.3-2015.01.21.12.23.03
f06669ab489d368448e6238460ba060f 62.4.9.2.shepherd.4-2015.01.22.13.59.13
02d62d45952d93d1dab97aedb7443df5 43.229.53.25.edu_c.573-2015.08.17.04.38.58
7fcba4c6bba56214f9c2473ab2b471f8 43.229.52.134.kippo2.28-2015.05.24.17.02.42
7fcba4c6bba56214f9c2473ab2b471f8 43.229.52.137.edu_c.22-2015.05.24.20.02.27
7fcba4c6bba56214f9c2473ab2b471f8 43.229.52.148.kippo2may.27-2015.05.24.17.02.55
7fcba4c6bba56214f9c2473ab2b471f8 43.229.52.156.edub.16-2015.05.24.19.59.58
31fb7e10045de0476964c6af769d465a 62.4.9.2.shepherd.2-2015.01.19.14.50.50
62d7d6a8d9360c4bab7a7c46277b459e 62.4.9.24.shepherd.2-2015.02.08.01.29.47
7556cd86e6aa22a6b9f171fcf05687cb 62.4.9.2.shepherd.5-2015.01.23.12.40.52
7556cd86e6aa22a6b9f171fcf05687cb 62.4.9.2.shepherd.6-2015.01.30.01.39.15
11604da37fe8e63e252aa255a4119e05 62.4.9.24.shepherd.3-2015.02.10.07.56.53

See the problem?

Nope? OK, here it is. Searching for an IP address of 62.4.9.2 not only finds 62.4.9.2, but also 62.4.9.24.

AND

Since the “.” means “match any single character”, the pattern also matches the MD5 checksums. In this one the matching characters (6214f9c2) are marked:

7fcba4c6bba56214f9c2473ab2b471f8
            ^^ ^ ^ ^

So this explains why my botnet script is pulling in weird hosts.

My code now looks like this:


if (/\Q$ip.\E/){

The \Q and the \E are equivalent to the “-F” (Fixed strings) option in grep. And that last “.” makes sure that I don’t match extra digits in the last part of the IP address.

Now it’s time to start making botnets from scratch!
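The same bug and fix, as an added example in Python rather than the post's Perl (this is not LongTail's code): the unescaped IP is used as a regex and matches 62.4.9.24 and a hex digest, while escaping it and requiring the trailing literal dot, the equivalent of \Q$ip.\E, matches only the intended lines. The four data lines are taken from the sum2.data excerpt above.

```python
import re
from typing import List

# Constructed subset of the sum2.data lines shown above:
# "<md5 checksum> <ip>.<honeypot>.<n>-<date>"
SUM_DATA = [
    "ad53ba7b3ea9d177559bcea56fc44448 62.4.9.2.shepherd.1-2015.01.18.15.11.05",
    "a71ac83fc03ca530136e2adb4e175f48 62.4.9.24.shepherd.1-2015.02.04.12.57.09",
    "7fcba4c6bba56214f9c2473ab2b471f8 43.229.52.134.kippo2.28-2015.05.24.17.02.42",
    "31fb7e10045de0476964c6af769d465a 62.4.9.2.shepherd.2-2015.01.19.14.50.50",
]

def naive_matches(ip: str, lines: List[str]) -> List[str]:
    """The buggy version (Perl /$ip/): the IP is interpolated into the regex
    unescaped, so every '.' matches any single character."""
    pat = re.compile(ip)
    return [l for l in lines if pat.search(l)]

def fixed_matches(ip: str, lines: List[str]) -> List[str]:
    """Equivalent of Perl /\\Q$ip.\\E/: escape the IP and require a literal '.'
    after it, so 62.4.9.2 matches neither 62.4.9.24 nor a hex checksum."""
    pat = re.compile(re.escape(ip + "."))
    return [l for l in lines if pat.search(l)]

def matched_hosts(ip: str, lines: List[str], fixed: bool) -> List[str]:
    """Return just the IP.honeypot.n-date field of each matching line, so the
    two variants can be compared side by side."""
    hits = fixed_matches(ip, lines) if fixed else naive_matches(ip, lines)
    return [l.split()[1] for l in hits]

if __name__ == "__main__":
    print("naive:", matched_hosts("62.4.9.2", SUM_DATA, fixed=False))
    print("fixed:", matched_hosts("62.4.9.2", SUM_DATA, fixed=True))
```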

How do I categorize IPs into Botnets?

Step 0-Get Attack Patterns

LongTail uses the clock times ssh login attempts occur, along
with the source and destination IP addresses to group ssh
login attempts into “Attack Patterns”. After these attack
patterns are created, a word count of the attack pattern
and an MD5 checksum of the attack pattern are created.

While LongTail uses MD5 checksums, and stores the information
required in several files, this demonstration uses
2 letter checksums for ease of understanding, and bundles
all of the information into a single line in a table.

Table 0 shows the (hypothetical) results of
aggregating ssh login attempts into attack patterns.

Table 0
Checksum  IP Address  Number of Lines in Attack Pattern  Botnet Name
AZ        Address-0   15
BZ        Address-1   10
CQ        Address-2   15
QW        Address-3   15
IO        Address-4   11
LL        Address-5   75
AZ        Address-6   15
BZ        Address-7   10
AZ        Address-8   15
BZ        Address-9   10
BZ        Address-0   10
PQ        Address-0    3
PZ        Address-10   1

Step 1-Eliminate “Small” Attack Patterns

While there are several types of attacks possible, it is easiest
to eliminate IP addresses that use single ssh login
attempts. For instance, multiple botnets try “root:root”
and “root:123456” as account and password pairs. Under
the methodology LongTail currently uses it is impossible
to categorize those botnets together. LongTail currently
eliminates any attack patterns that contain 3 or less attempts.
LongTail is also currently unable to categorize botnets
that use a large period of time between single ssh login attempts.
(Also known as “Slow Scan” attacks.)

Table 1 shows the results after eliminating those
attack patterns.

Table 1
Checksum  IP Address  Number of Lines in Attack Pattern  Botnet Name
AZ        Address-0   15
BZ        Address-1   10
CQ        Address-2   15
QW        Address-3   15
IO        Address-4   11
LL        Address-5   75
AZ        Address-6   15
BZ        Address-7   10
AZ        Address-8   15
BZ        Address-9   10
BZ        Address-0   10

Step 2-Sort Attack Patterns by Checksum

The next step is to sort the data by checksum. The
next example shows that there are 6 different checksums
in 10 lines of data. (AZ, BZ, CQ, IO, LL, and QW).

Table 2 shows the sorted data

Table 2
Checksum  IP Address  Number of Lines in Attack Pattern  Botnet Name
AZ        Address-0   15
AZ        Address-6   15
AZ        Address-8   15
BZ        Address-9   10
BZ        Address-0   10
BZ        Address-7   10
BZ        Address-1   10
CQ        Address-2   15
IO        Address-4   11
LL        Address-5   75
QW        Address-3   15

Step 3-Name Botnets That Are Using Identical Attack Patterns

Table 3 shows that IP addresses using attacks with the checksum of AZ are now part of Botnet 1,
and that IP addresses using attacks with the checksum of BZ are now part of Botnet 2.

Table 3
Checksum  IP Address  Number of Lines in Attack Pattern  Botnet Name
AZ        Address-0   15                                 Botnet 1
AZ        Address-6   15                                 Botnet 1
AZ        Address-8   15                                 Botnet 1
BZ        Address-9   10                                 Botnet 2
BZ        Address-0   10                                 Botnet 2
BZ        Address-7   10                                 Botnet 2
BZ        Address-1   10                                 Botnet 2
CQ        Address-2   15                                 Not able to be classified
IO        Address-4   11                                 Not able to be classified
LL        Address-5   75                                 Not able to be classified
QW        Address-3   15                                 Not able to be classified

Step 4-Determine If There Are Different Botnets With Identical Source Addresses In Common

Table 4 shows that the two botnets share an identical source IP
address: Address-0 appears under checksum AZ (Botnet 1) and under
checksum BZ (Botnet 2).

Table 4
Checksum  IP Address  Number of Lines in Attack Pattern  Botnet Name
AZ        Address-0   15                                 Botnet 1
AZ        Address-6   15                                 Botnet 1
AZ        Address-8   15                                 Botnet 1
BZ        Address-9   10                                 Botnet 2
BZ        Address-0   10                                 Botnet 2
BZ        Address-7   10                                 Botnet 2
BZ        Address-1   10                                 Botnet 2
CQ        Address-2   15                                 Not able to be classified
IO        Address-4   11                                 Not able to be classified
LL        Address-5   75                                 Not able to be classified
QW        Address-3   15                                 Not able to be classified

Step 5-Combine Botnets With Identical Source Addresses In Common

Table 5 shows that Botnet 1 and Botnet 2 have now been merged into a
single botnet (called Botnet 1). LongTail combines them by folding
the second botnet into the first botnet.

Table 5
Checksum  IP Address  Number of Lines in Attack Pattern  Botnet Name
AZ        Address-0   15                                 Botnet 1
AZ        Address-6   15                                 Botnet 1
AZ        Address-8   15                                 Botnet 1
BZ        Address-9   10                                 Botnet 1
BZ        Address-0   10                                 Botnet 1
BZ        Address-7   10                                 Botnet 1
BZ        Address-1   10                                 Botnet 1
CQ        Address-2   15                                 Not able to be classified
IO        Address-4   11                                 Not able to be classified
LL        Address-5   75                                 Not able to be classified
QW        Address-3   15                                 Not able to be classified

Step 6-Repeat Step 4 Until No More Botnets Are Combined
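Steps 1 through 6 carried out in code on the Table 0 data, as an added example (not LongTail's own implementation). One assumption is made where the text is silent: in Step 3 a checksum seen from two or more IP addresses names a botnet, while a checksum seen from a single address is left unclassified, which reproduces Table 3.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed input: Table 0 above as (checksum, ip, lines in attack pattern).
TABLE_0 = [
    ("AZ", "Address-0", 15), ("BZ", "Address-1", 10), ("CQ", "Address-2", 15),
    ("QW", "Address-3", 15), ("IO", "Address-4", 11), ("LL", "Address-5", 75),
    ("AZ", "Address-6", 15), ("BZ", "Address-7", 10), ("AZ", "Address-8", 15),
    ("BZ", "Address-9", 10), ("BZ", "Address-0", 10), ("PQ", "Address-0", 3),
    ("PZ", "Address-10", 1),
]

MIN_LINES = 4  # Step 1: attack patterns with 3 or fewer attempts are dropped
UNCLASSIFIED = "Not able to be classified"

def categorize(rows: List[Tuple[str, str, int]]) -> Dict[Tuple[str, str], str]:
    """Return {(checksum, ip): botnet name} following Steps 1 to 6."""
    rows = [r for r in rows if r[2] >= MIN_LINES]                       # Step 1
    by_sum: Dict[str, Set[str]] = defaultdict(set)
    for chk, ip, _ in sorted(rows):                                      # Step 2
        by_sum[chk].add(ip)
    # Step 3 (assumption): a checksum shared by 2+ IPs defines a botnet.
    botnets: Dict[str, Set[str]] = {}  # botnet name -> its checksums
    for n, chk in enumerate(sorted(c for c, ips in by_sum.items() if len(ips) > 1), 1):
        botnets[f"Botnet {n}"] = {chk}

    def ips_of(name: str) -> Set[str]:
        return set().union(*(by_sum[c] for c in botnets[name]))

    # Steps 4 to 6: merge botnets that share a source IP until nothing changes;
    # the later botnet is folded into the earlier one, as in Table 5.
    changed = True
    while changed:
        changed = False
        names = sorted(botnets, key=lambda s: int(s.split()[1]))
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if ips_of(a) & ips_of(b):
                    botnets[a] |= botnets.pop(b)
                    changed = True
                    break
            if changed:
                break
    chk_to_name = {c: n for n, cs in botnets.items() for c in cs}
    return {(c, ip): chk_to_name.get(c, UNCLASSIFIED) for c, ip, _ in rows}
```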

What’s The Difference Between a Botnet and a Botnet Fragment?

As far as LongTail’s software is concerned, they are the same thing.
In reality, any botnet found that only has a few IP addresses is probably
(but not provably so) part of a larger botnet. As a practical matter
though, botnet fragments have a tendency to eventually use the same
attack pattern as a larger botnet and are then merged into the larger
botnet. Some of the botnet fragments may never be merged into a larger
botnet if for some reason they go offline. (For example, they are detected and deleted
by the person who is responsible for the IP address that the botnet
was using.)

What the heck is “wubao” and “jiamima” in ssh Brute Force Attacks?

According to my sources in Hong Kong,

> wubao = 誤報, means something wrongly reported
> jiamima = 加密碼, can mean ‘add password’ or ‘encryption code’

Nonetheless, these two passwords are the first ones tried by sshPsycho when they start attacking a server.

I think that this shows that sshPsycho doesn’t have a centralized server to record which IP addresses they already have taken control of.

>>>>>>Ericw