Cracking voyeurism
March 11, 2011 8:35 AM

Using honeypots and logging tools, some server admins have logged actual server break-in attempts by nincompoop crackers.

The honeypot in question is Kippo. You might want to run fail2ban to partially combat break-in attempts.
posted by Foci for Analysis (50 comments total) 19 users marked this as a favorite
 
What triggers the owl prompt?
posted by demiurge at 8:45 AM on March 11, 2011


I don't wget it.
posted by seventyfour at 8:45 AM on March 11, 2011 [3 favorites]


I enjoyed listening to 'Still Alive.' I'm going to need help with the rest.
posted by bicyclefish at 8:49 AM on March 11, 2011 [1 favorite]


Seems like the owl prompt is triggered when he tries to install the rootkit. I'm kinda guessing that the honeypot spits it out whenever you try to do something unsupported.
posted by Ad hominem at 8:51 AM on March 11, 2011


The "owl prompt" is the result of the downloaded exploit scripts being prevented from actually running any malicious code. Some of the stuff Kippo does:
Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
Possibility of adding fake file contents so the attacker can 'cat' files such as /etc/passwd. Only minimal file contents are included
Session logs stored in an UML compatible format for easy replay with original timings
Just like Kojoney, Kippo saves files downloaded with wget for later inspection
Trickery; ssh pretends to connect somewhere, exit doesn't really exit, etc
posted by Foci for Analysis at 8:52 AM on March 11, 2011
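The feature list above (fake filesystem, fake file contents for `cat`, session logs replayable with original timings, captured `wget` URLs, and an `exit` that does not exit), as an added worked example rather than Kippo's own code: a minimal Python fake shell. `FakeShell`, `FAKE_FS`, `handle()` and `replay()` are names chosen here, the filesystem contents are constructed, and the session log is a plain list of (seconds since start, direction, text) tuples standing in for Kippo's UML-compatible ttylog rather than reproducing its real binary layout.

```python
"""Added example: a minimal Kippo-style fake shell with a timed session log.

Not Kippo's code; FakeShell, FAKE_FS, handle() and replay() are names chosen here.
The log is a plain list of (seconds since session start, direction, text) tuples,
a stand-in for Kippo's UML-compatible ttylog rather than its real binary format.
"""
import posixpath
import time

# Constructed fake filesystem: a directory maps to None, a file to its contents.
FAKE_FS = {
    "/": None,
    "/etc": None,
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin\n",
    "/root": None,
    "/tmp": None,
}

IN, OUT = "in", "out"   # direction tags in the session log


class FakeShell:
    def __init__(self, clock=time.monotonic):
        self.fs = dict(FAKE_FS)     # per-session copy, so mkdir/rm only affect this session
        self.cwd = "/root"
        self.downloads = []         # URLs passed to wget, kept for later inspection
        self.log = []               # (offset_seconds, direction, text)
        self._clock = clock
        self._t0 = clock()

    def _record(self, direction, text):
        self.log.append((round(self._clock() - self._t0, 3), direction, text))

    def _abs(self, path):
        return posixpath.normpath(posixpath.join(self.cwd, path))

    def handle(self, line):
        """Run one attacker-typed line and return the text the attacker would see."""
        self._record(IN, line + "\n")
        argv = line.split()
        cmd, args = (argv[0], argv[1:]) if argv else ("", [])
        if cmd == "":
            out = ""
        elif cmd == "ls":
            target = self._abs(args[0]) if args else self.cwd
            prefix = target.rstrip("/") + "/"
            names = sorted(p[len(prefix):] for p in self.fs
                           if p.startswith(prefix) and p != target
                           and "/" not in p[len(prefix):])
            out = "  ".join(names) + "\n" if names else ""
        elif cmd == "cd":
            target = self._abs(args[0]) if args else "/root"
            if self.fs.get(target, "missing") is None:
                self.cwd, out = target, ""
            else:
                out = f"-bash: cd: {args[0] if args else target}: No such file or directory\n"
        elif cmd == "cat":
            out = "".join(self.fs[self._abs(a)] if self.fs.get(self._abs(a)) is not None
                          else f"cat: {a}: No such file or directory\n" for a in args)
        elif cmd == "mkdir":
            for a in args:
                self.fs[self._abs(a)] = None
            out = ""
        elif cmd == "rm":
            for a in args:
                self.fs.pop(self._abs(a), None)
            out = ""
        elif cmd == "wget":
            # Never fetch anything here; just keep the URL (the real honeypot saves the file).
            url = args[-1] if args else ""
            self.downloads.append(url)
            out = f"--  {url}\nResolving host... done.\n"
        elif cmd == "exit":
            # Trickery: print what a real logout prints, but keep the session open.
            out = "logout\n"
        else:
            out = f"-bash: {cmd}: command not found\n"
        self._record(OUT, out)
        return out


def replay(log, sink, sleep=time.sleep):
    """Replay a session log with its original timings (what Kippo's playlog does)."""
    prev = 0.0
    for offset, direction, text in log:
        sleep(max(0.0, offset - prev))
        prev = offset
        sink(f"[{direction}] {text}")


if __name__ == "__main__":
    sh = FakeShell()
    for line in ["mikdir foo", "mkdir foo", "ls", "cat /etc/passwd", "exit", "ls"]:
        print(f"$ {line}\n{sh.handle(line)}", end="")
    replay(sh.log, print, sleep=lambda s: None)
```

The point worth noticing is that every attacker keystroke is recorded before it is interpreted, `wget` records the URL instead of fetching it, and `exit` only pretends to disconnect, which is exactly what keeps the logged sessions going long after the intruder believes they have left.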


so, now I'm curious, how rigorous/secure is kippo? The articles say it's a honeypot, shell of a shell.. Does it have any vulnerabilities?
posted by k5.user at 8:58 AM on March 11, 2011


Looks like we've hosed kippo.rpg.fi (the "by" and "nincompoop" links).
posted by zamboni at 8:59 AM on March 11, 2011


The most amusing thing about this (besides the constant retry of "perl") is that one of the related videos is "How to view other computers' IP addresses," which is a video that purports you can get IPs of people looking at a site by trace routing to it from a cmd prompt. The kid trace routes to google.com and claims the ten IPs showing up are all people viewing Google. That made me giggle.
posted by routergirl at 9:00 AM on March 11, 2011 [14 favorites]


Oh, god, I love that some people actually respond "y" to the owl prompt, and that it replies with "NO WAI!". Priceless.
posted by equalpants at 9:00 AM on March 11, 2011 [3 favorites]


Does it have any vulnerabilities ?

What a strange thing to ask. If anyone here knew about any vulnerabilities in Kippo, the script kiddies would too and it'd be useless.
posted by George_Spiggott at 9:02 AM on March 11, 2011


Ok, I take it back. The owl prompt and the reactions to it are really quite funny.
posted by routergirl at 9:04 AM on March 11, 2011


given the competency demonstrated by most of the logged folks, yeah, I wouldn't worry about it too much..

But, at least one person did figure out the system was a honeypot and walked away, I wouldn't be openly running a honeypot without some serious consideration about the honeypot software.. (Now that opens the question the guy that figured it out, since we only get a small part of the log where he cusses out the operator, did the hacker go on to other lower-hanging fruit? And if the hacker were of the destructive mindset, might have looked into the software to see what its vulnerabilities are..)
posted by k5.user at 9:08 AM on March 11, 2011


These are hilarious, thank you for the links.

denyhosts is similar to fail2ban but uses the crowd to watch and report attacks as they happen, preemptively blocking them once they reach a certain threshold.
posted by ChrisHartley at 9:08 AM on March 11, 2011


I don't really follow what's going on but let me just say you guys are so adorable especially with those cute little owls.
posted by special-k at 9:09 AM on March 11, 2011 [7 favorites]


I wonder if some of the stupid behaviour we're seeing is the result of attacks that are semi-automated. I imagine there are tools to help facilitate hacking many boxes quickly, in parallel, with macros.
posted by Nelson at 9:16 AM on March 11, 2011


(Now that opens the question the guy that figured it out, since we only get a small part of the log where he cusses out the operator, did the hacker go on to other lower-hanging fruit? And if the hacker were of the destructive mindset, might have looked into the software to see what its vulnerabilities are..)

You are totally missing the point of a honeypot.
posted by Threeway Handshake at 9:19 AM on March 11, 2011


I would agree, Nelson, except for the fact that one of those hackers tried responding to the owl several times. Responses included "O", "RLY", "YES", and my favorite "oui" (because clearly O RLY is au Francais). No computer is that stupid.
posted by mcstayinskool at 9:20 AM on March 11, 2011 [4 favorites]


For the sake of compare/contrast, does anyone have a link to a video showing a good hacker at work? It's just that I have very little comprehension of what goes on in the nuts and bolts of hacking (at the level of code) and would be interested to see it in action.
posted by Osrinith at 9:24 AM on March 11, 2011


No computer is that stupid.

Clearly, you never had to admin a windows NT box.
posted by lumpenprole at 9:24 AM on March 11, 2011 [5 favorites]


Oh absolutely, Nelson; automated attacks are everyday stuff. On the production server that I manage we get hundreds of attacks each day - and that's pretty normal if you ask around the web. I don't, however, believe that these logged attacks were automated, they are too lazy and stupid. I mean, typing mikdir instead of mkdir?!
posted by Foci for Analysis at 9:25 AM on March 11, 2011


Dunno, if I was a hacker and I kept running into these kippo honeypots I would grab the kippo source and look for vulnerabilities. It is no different than any other daemon and kippo running on port 22 has got to have root privs to bind to that port. Does it run through Inetd or some sort of modern equivalent?

I haven't looked at the source but it is using twisted so that makes it python right?
posted by Ad hominem at 9:28 AM on March 11, 2011


does anyone have a link to a video showing a good hacker at work?

Try this

posted by Threeway Handshake at 9:28 AM on March 11, 2011 [8 favorites]


Hahah Hack The Planet.
posted by Ad hominem at 9:30 AM on March 11, 2011


Does it run through Inetd or some sort of modern equivalent?

Kippo is not a daemon: it uses Twistd's (python) ssh server. So good luck with that.
posted by Threeway Handshake at 9:30 AM on March 11, 2011


Osrinith, while not this visual or detailed, the story of how Anonymous compromised HBGary's servers is interesting. Ars ran several stories on the attacks (no need to buy the e-book, all articles are below Further reading).

What really intrigues me about the HBGary saga? The initial attack vector was a CMS and pretty much everything Anon did was 101 stuff.
posted by Foci for Analysis at 9:31 AM on March 11, 2011


It is no different than any other daemon and kippo running on port 22 has got to have root privs to bind to that port.

You can be sure it runs on another port and the launcher forwards port 22 to it. Anybody who writes a honeypot that runs as root (or any other well-known user with any privileges to speak of) should find a new line of work.
posted by George_Spiggott at 9:34 AM on March 11, 2011 [1 favorite]


Osrinith, that's why it's funny (to those of us it's funny to).

These logs don't show people comparing badly to "real" hackers. They show people comparing badly to completely inept everyday users.

Imagine watching someone attempting to steal a bike. First they examine it thoughtfully for several minutes, while poking at bits of the frame and nodding sagely. Then they pull the brake lever several times, and finish by shuffling their feet quickly.

Maybe once or twice someone actually gets a leg up and over the frame, and you cheer for them a bit inside. But then they fail to grasp the purpose of the pedals, and sit on the seat backwards, and fall off.

And then you laugh and come here and post something like, "Hilarious!"
posted by ErikaB at 9:42 AM on March 11, 2011 [5 favorites]


You can be sure it runs on another port and the launcher forwards port 22 to it.

You make it run on any unprivileged port, through Twistd. Again, Kippo is not a daemon, it is a fake, jailed shell that people can connect to through the twistd ssh server.
posted by Threeway Handshake at 9:43 AM on March 11, 2011


Ok now that I look at the site it uses iptables to forward port 22 so you are right that it probably has no privs. It can still write to the filesystem, probably not much you can do with that since there is no way for the attacker to control anything beyond the contents of the log files. So what about whatever the admin will be using to read the log files?
posted by Ad hominem at 9:43 AM on March 11, 2011



 ___
{o,o}
|)__)
-"-"-
O RLY?

posted by Faint of Butt at 9:44 AM on March 11, 2011 [2 favorites]


So what about whatever the admin will be using to read the log files?

I'm pretty sure vi, tail, cat, and the like won't go and run arbitrary code out of a logfile format.
posted by Threeway Handshake at 9:46 AM on March 11, 2011 [3 favorites]


The hacking scene from one of the Matrix movies where Trinity shuts down the power grid was (surprisingly) fairly realistic. Here is a transcript.

She uses nmap to scan for open ports, then runs a script to exploit what was a real vulnerability in the ssh daemon to reset the root password, then she ssh's in and shuts down the power grid. If that doesn't help explain things just imagine that she walked around the perimeter of a building looking for doors, found one and then jimmied the faulty lock with a credit card.

I like to picture these keystone cops hackers wearing black leather suits while typing "mikdir" in the honeypot.
posted by ChrisHartley at 9:47 AM on March 11, 2011 [3 favorites]


I'm pretty sure vi, tail, cat, and the like won't go and run arbitrary code out of a logfile format.

You are right, dumber things have happened though. I once got a logging utility to overwrite /etc/crontab with arbitrary crap. That was in the stone ages though.
posted by Ad hominem at 9:50 AM on March 11, 2011


Thanks for the good examples, everyone. Le sigh. Despite being a child of the 80s and 90s and growing up with the internet, I completely missed out on the basic computer programming skills. I'm a fairly tech-savvy person, but only at the GUI level. Command line stuff makes me feel like a monkey with a stick.
posted by Osrinith at 9:59 AM on March 11, 2011 [1 favorite]


Anybody who writes a honeypot that runs as root
Note that the launcher for kippo checks for this and bails if you try to run as root.

And we could argue semantics because the person who writes it ain't the guy running it (i.e. we're laughing here at the folks 'running' hacks/scripts).

But, given python, twisted, etc, are they known strong? No funny crafted packets to send it off the deep end? (most of my security work deals with non-interpreted languages, but google says python isn't immune from buffer overflows.)
posted by k5.user at 10:03 AM on March 11, 2011


You are right, dumber things have happened though.

Yes, dumber things happen, and feel free to look at the source code for the jailed shell, which runs as an unprivileged user. And also at the server daemon, which is from Python, for all of its vulns. If you find any, let everybody know!

Hamburger. But anyway, it sure seems silly to heap all of this "WHAT IF TEH HONEYPOTZ ARE HAXD?" on this, but similar things aren't asked of other stuff, like say, every other program in the entire world?
posted by Threeway Handshake at 10:03 AM on March 11, 2011 [1 favorite]


Haha, thanks for the morning laughter. We're constantly dealing with this kind of nonsense at the university (they want to use our machines to send spam over the massively quick internet connection). We've similarly set up honeypots, although slightly more asshole-y -- they actually believe they're in root when they're in a sandbox, ruining a completely useless piece of the file system.
posted by spiderskull at 10:08 AM on March 11, 2011 [2 favorites]


Also, I really need to say that the fake exit command which looks like you've disconnected but really actually keeps you in the shell is the most hilarious thing ever. When I originally set one of these up and tested it out to make sure it worked, it 100% fucking fooled me, and the logfile probably would look really funny to anybody looking at it when suddenly my "own system" was acting incredibly strange.

The thing about a honeypot like this is that it would make anybody seem comical -- anybody who didn't realize they're in a fake honeypot shell. Somebody brought up a stolen bike analogy, but this would be more like if say, Lance Armstrong were to steal a bike, and when he got on and pedaled, oh, I don't know, the bike wheels spun backwards, and turning right would make the bike go left.
posted by Threeway Handshake at 10:10 AM on March 11, 2011


Ok ok I give up. Things running exposed to the Internet should get far more scrutiny than most programs though.
posted by Ad hominem at 10:16 AM on March 11, 2011


I gotta change my password.
posted by steef at 10:17 AM on March 11, 2011


Things running exposed to the Internet

So basically, every single program on every computer?
posted by Threeway Handshake at 10:20 AM on March 11, 2011


So basically, every single program on every computer?

You know what I mean. Programs accepting connections from anyone with an ssh client.

I'm not sure why you think it is so nuts to put some thought into how one would attack Kippo even as a thought exercise.
posted by Ad hominem at 10:37 AM on March 11, 2011 [1 favorite]


Actually Ad hominem is totally right. Any program that accepts data from the world must be treated as suspect and log analysis tools have been attacked before.

That said it's a rather small attack surface and trivially easy to mitigate by doing your analysis in a jail/chroot/vm/whatever.
posted by Skorgu at 10:46 AM on March 11, 2011
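The exchange above about whether reading the logs with vi, tail or cat is safe, and Skorgu's point that anything accepting data from the world is suspect and that log analysis tools have been attacked before, as an added example that is not Kippo's code: the one thing an intruder fully controls in a honeypot log is the bytes they typed, which can include terminal escape sequences that a raw `cat` would hand to the admin's terminal. Escaping those bytes when the log is written keeps text-mode viewing harmless and keeps the record lossless. `sanitize()`, `desanitize()`, `has_terminal_controls()` and `log_line()` are names chosen here, and the sample input is constructed.

```python
"""Added example: make attacker-typed bytes safe to write to, and read from, a text log.

Not Kippo's code; sanitize(), desanitize(), has_terminal_controls() and log_line()
are names chosen here. The sample input is constructed.
"""

# Bytes that may go into the log verbatim: printable ASCII, minus the backslash
# (reserved so the escaping below stays unambiguous and reversible).
_VERBATIM = set(range(0x20, 0x7F)) - {0x5C}
_SHORT = {0x5C: "\\\\", 0x0A: "\\n", 0x0D: "\\r", 0x09: "\\t"}


def sanitize(data: bytes) -> str:
    """Escape control characters and non-ASCII so the line is plain printable text."""
    out = []
    for b in data:
        if b in _VERBATIM:
            out.append(chr(b))
        elif b in _SHORT:
            out.append(_SHORT[b])
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


def desanitize(text: str) -> bytes:
    """Exact inverse of sanitize(), for tools that want the raw bytes back."""
    return text.encode("ascii").decode("unicode_escape").encode("latin-1")


def has_terminal_controls(data: bytes) -> bool:
    """True when the bytes carry ESC or other control characters a terminal would act on."""
    return any(b == 0x1B or b == 0x7F or (b < 0x20 and b not in (0x09, 0x0A, 0x0D))
               for b in data)


def log_line(timestamp: str, direction: str, data: bytes, max_len: int = 4096) -> str:
    """One log record; flagged 'ctrl' when the raw input contained terminal control bytes."""
    text = sanitize(data)
    if len(text) > max_len:
        text = text[:max_len] + "...[truncated]"
    flag = " ctrl" if has_terminal_controls(data) else ""
    return f"{timestamp} {direction}{flag} {text}"


# Constructed sample: a command followed by escape sequences that would clear a terminal
# and rewrite its title if the raw bytes were cat'ed straight to the admin's screen.
SAMPLE_INPUT = b"cat /etc/passwd\x1b[2J\x1b]0;owned\x07\r\n"

if __name__ == "__main__":
    print(log_line("2011-03-11T08:35:00Z", "in", SAMPLE_INPUT))
    assert desanitize(sanitize(SAMPLE_INPUT)) == SAMPLE_INPUT
```

The length cap is there for the same reason as the escaping: the viewer and any parser downstream of it should only ever see bounded, printable lines, and anything that needs the original bytes (say, to extract a downloaded URL) goes through `desanitize()` deliberately rather than by accident. That is the small attack surface Skorgu describes, and running the analysis in a jail or VM on top of it costs nothing.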


Eenie, meenie, chili beanie, give root to this attacking meanie

(Just invoked a secret backdoor in your browser with that incantation... Christ, you sure have a lot of porn in your cache.)
posted by George_Spiggott at 11:21 AM on March 11, 2011


because clearly O RLY is au Francais

Oui!
posted by evidenceofabsence at 12:47 PM on March 11, 2011


Again, Kippo is not a daemon

Twisted has facilities to fork twice, close file descriptors, set the process group, and all that jazz, and normally if you've got a long-running Twisted program you'll invoke twistd with options to do that stuff automatically, so I'm not sure why you're so confident that Kippo isn't a daemon.
posted by kenko at 1:41 PM on March 11, 2011


Fine, everybody. The next time somebody posts something about a new car or whatever, I'm going to jack the thread and derail it into a discussion about how somebody could drive it off a cliff.
posted by Threeway Handshake at 8:20 PM on March 11, 2011 [1 favorite]


How about: when there's a thread about an anti-theft device for cars that lets a car thief get into your car and videotapes him, you post and say "any chance the dude could still figure out how to get that car running?"
posted by free hugs at 8:32 AM on March 12, 2011 [2 favorites]


My favorite hacking story goes back to college. I was working on the disk image for a robot for my school's entry in an autonomous underwater vehicle competition. The target hardware ( a small embedded x86 board ) mounted its root file system over NFS from a host machine. The host machine also had a serial console into the board - I could ssh into the host machine and pretty much do whatever.

At the time, I had an unhealthy obsession with being able to work from starbucks. At first this was fine - the host machine was a basic debian install, and the only service running was ssh. However, eventually I got the video capture working and wanted to stream video from the lab. There are safe ways to do this, but being young and foolish I just asked the school's IT department to put the target machine on the internet.

The root password for the target was "root". In less than a day of being exposed to the public internet, it had been breached. I probably wouldn't even have noticed, but luckily they changed the root password. Luckily, I was able to blow away the root file system from the host machine and shut it down remotely, but that was pretty embarrassing. It's not surprising to me that it got hacked - I'm just surprised it happened so darn quickly.

tl;dr: before you put your autonomous sub on the internet, make sure it has a good password
posted by heathkit at 4:07 PM on March 12, 2011


How about: when there's a thread about an anti-theft device for cars that lets a car thief get into your car and videotapes him, you post and say "any chance the dude could still figure out how to get that car running?"

Honeypots and tarpits are not security measures.
posted by Threeway Handshake at 4:46 PM on March 14, 2011



