Honeypot Update

April 21, 2010

On April 19th, the day after my last honeypot post and two days after the honeypot was started, the server was logged into from two new IPs, one in Italy and one in Romania. The Italian IP did the brute forcing, and the Romanian IP logged in after the brute force was finished. My guess is that the Romanian IP was the command and control, while the Italian IP was just a bot.

After receiving the text message alerts from OSSEC, I reviewed my .bash_history file and discovered the perpetrator had left some clues! First, it downloaded Windows 2000 Service Pack 3 to test my bandwidth, then it downloaded some other software, which it promptly deleted after running it. I think I am missing some of the history, because my /var/log/auth.log file does not contain the IP address. I think it covered up some of its tracks, but not all. I replayed the steps and downloaded the software to discover it was EnergyMech, an open source IRC bot. To protect myself, I have since pulled the server off the internet and plan on wiping the hard drive.

Overall the experience was excellent! OSSEC was a must-have for this exercise. If I had more time I would have set up something to capture all the commands run by root through SSH, so that I could have seen everything that was executed. I have attached this timeline to show how fast the SSH server started being brute forced and how quickly the usernames and passwords were guessed.
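As an added example (not code from the original post), the script below does over a few sshd lines what an OSSEC brute-force rule did for this honeypot: it counts "Failed password" lines per source IP, flags an IP once it crosses a threshold, and then flags every later "Accepted" login, whether it comes from the brute-forcing IP or, as happened here, from a different IP. The log lines, hostnames and IP addresses are constructed samples (RFC 5737 documentation ranges), not data from the honeypot, and the threshold of five is an assumed tuning value.

```python
"""Spot an SSH brute force in auth.log and the logins that follow it.

Added example, not part of the original post. Constructed sample data only.
"""
import re
from collections import Counter

# Constructed sshd lines in the syslog layout used by /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Apr 19 02:10:01 honeypot sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 41022 ssh2
Apr 19 02:10:03 honeypot sshd[2103]: Failed password for invalid user oracle from 192.0.2.10 port 41030 ssh2
Apr 19 02:10:05 honeypot sshd[2105]: Failed password for root from 192.0.2.10 port 41041 ssh2
Apr 19 02:10:07 honeypot sshd[2107]: Failed password for root from 192.0.2.10 port 41052 ssh2
Apr 19 02:10:09 honeypot sshd[2109]: Failed password for root from 192.0.2.10 port 41060 ssh2
Apr 19 02:10:11 honeypot sshd[2111]: Accepted password for root from 192.0.2.10 port 41071 ssh2
Apr 19 02:31:44 honeypot sshd[2230]: Accepted password for root from 198.51.100.7 port 50112 ssh2
Apr 19 03:00:12 honeypot sshd[2301]: Failed password for root from 203.0.113.9 port 60001 ssh2
"""

# "invalid user" appears only when the account does not exist; the optional
# group makes both forms yield (user, ip).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")


def analyze(log_text, threshold=5):
    """Return (failures_per_ip, brute_force_ips, suspicious_logins).

    failures_per_ip   - Counter of failed logins keyed by source IP
    brute_force_ips   - IPs that reached `threshold` failures, in order seen
    suspicious_logins - (user, ip, reason) for each successful login seen
                        after a brute force has been detected
    """
    failures = Counter()
    brute_force_ips = []
    suspicious = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            _user, ip = m.groups()
            failures[ip] += 1
            if failures[ip] == threshold:  # fire once per IP, not on every later failure
                brute_force_ips.append(ip)
            continue
        m = ACCEPTED_RE.search(line)
        # On a honeypot every login after a brute force is worth an alert; on a
        # production host you would whitelist known admin sources here.
        if m and brute_force_ips:
            user, ip = m.groups()
            if ip in brute_force_ips:
                reason = "login from brute-forcing IP"
            else:
                reason = "login from new IP after brute force"
            suspicious.append((user, ip, reason))
    return failures, brute_force_ips, suspicious


if __name__ == "__main__":
    counts, brute, logins = analyze(SAMPLE_AUTH_LOG)
    for ip in brute:
        print(f"ALERT brute force from {ip}: {counts[ip]} failed logins")
    for user, ip, reason in logins:
        print(f"ALERT {reason}: user={user} ip={ip}")
```

Run as a script, the sample produces one brute-force alert for 192.0.2.10 and two login alerts: one for the brute-forcing IP itself and one for 198.51.100.7, the "second IP logs in after the brute force" pattern the post describes. The single failure from 203.0.113.9 stays below the threshold and is not reported.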

[Image: HackTimeline]
