Building a Honeypot To Observe Shellshock Attacks In the Real World

← Back to Stories (view on slashdot.org)

Building a Honeypot To Observe Shellshock Attacks In the Real World

Posted by timothy on Thursday October 2, 2014 @03:39AM from the distract-them-with-fresh-targets dept.

Nerval's Lobster writes A look at some of the Shellshock-related reports from the past week makes it seem as if attackers are flooding networks with cyberattacks targeting the vulnerability in Bash that was disclosed last week. While the attackers haven't wholesale adopted the flaw, there have been quite a few attacks—but the reality is that attackers are treating the flaw as just one of many methods available in their tool kits. One way to get a front-row seat of what the attacks look like is to set up a honeypot. Luckily, threat intelligence firm ThreatStream released ShockPot, a version of its honeypot software with a specific flag, "is_shellshock," that captures attempts to trigger the Bash vulnerability. Setting up ShockPot on a Linux server from cloud host Linode.com is a snap. Since attackers are systematically scanning all available addresses in the IPv4 space, it's just a matter of time before someone finds a particular ShockPot machine. And that was definitely the case, as a honeypot set up by a Dice (yes, yes, we know) tech writer captured a total of seven Shellshock attack attempts out of 123 total attacks. On one hand, that's a lot for a machine no one knows anything about; on the other, it indicates that attackers haven't wholesale dumped other methods in favor of going after this particular bug. PHP was the most common attack method observed on this honeypot, with various attempts to trigger vulnerabilities in popular PHP applications and to execute malicious PHP scripts.

41 comments

Min score:

Reason:

Sort:

Article was low in details by Anonymous Coward · 2014-10-02 03:47 · Score: 5, Informative

Well that was a waste of time to read (yeah yeah, I know...). Essence is: a vulnerable server is created, and watching logfiles of people connecting, it can be seen that people first recon the honeypot, to see if it's exploitable, and then try to exploit the shellshock vulnerability.
Well d'oh. Was the author surprised by this? How is this different to /any/ other vulnerability? First recon, then exploit. The article sounds like it was written by somebody who's never heard of "computer security" and is trying to wrap his head around basic concepts.
1. Re:Article was low in details by Anonymous Coward · 2014-10-02 03:55 · Score: 1
  
  Or just trying to dumb it down for a "general" audience.
2. Re:Article was low in details by Stan92057 · 2014-10-02 04:05 · Score: 1
  
  This is Slashdot.com not Reddit.com. :}
  
  --
  Jack of all trades,master of none
3. Re:Article was low in details by Anonymous Coward · 2014-10-02 04:22 · Score: 0
  
  Right, so the article needs more dumbing down than it would at Reddit.
4. Re:Article was low in details by s.petry · 2014-10-02 04:50 · Score: 1
  
  So replies will include sarcasm and scrutiny instead of fart memes and goatse, got it!
  
  --
  -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
5. Re: Article was low in details by Anonymous Coward · 2014-10-02 05:38 · Score: 0
  
  Right, so comments will devolve into an argument about partisan politics instead of cuddly memes and such
6. Re:Article was low in details by Zaiff+Urgulbunger · 2014-10-02 07:40 · Score: 2
  
  The article sounds like it was written by somebody who's never heard of "computer security" and is trying to wrap his head around basic concepts.
  And also someone who is presumably not running any web-servers - otherwise they'd only need to check their own web logs. I've got hosting with Bytemark and DigitalOcean and both have had a hand full shellshock attempts amongst all the usual PHP/WordPress/MySQLAdmin/whatever attempts.
  
  The only very moderately interesting thing I've noticed is that Shellshock attempts seem to only by IP address and not by host (I'm hosting multiple websites per VM), so presumably most shellshock-bots are just sweeping IP ranges rather than using a list of known hosts.
7. Re:Article was low in details by Anonymous Coward · 2014-10-02 15:19 · Score: 0
  
  actually its Slashdot.org
  theres your problem, you be on the wrong site Stan
order of magnitude hilarty, 7 out of 123 by iggymanz · 2014-10-02 03:49 · Score: 0

my domains that have been around for 15 years get hundreds of attacks a day, over a dozen bash vulnerability probe attackers per day in the last week.
Worthless article using invalid wording by Anonymous Coward · 2014-10-02 03:51 · Score: 2, Interesting

What "popular" php apps are passing variables unsanitized to the shell?
They are the vectors that need to be described. What software is vulnerable.
To date I've not read a single thing that clarifies this.
FUD
1. Re:Worthless article using invalid wording by Anonymous Coward · 2014-10-02 04:29 · Score: 0
  
  FUD? Or you plugging your ears and shouting "LA LA LA NOT LISTENING"?
  The fact is it's exploitable in the wild and this is just a quick-and-dirty PoC scan that was looking for vulnerable servers by requesting the root page.
  Enumerating all the exploitable PHP scripts is intractable - the vector is just plain old CGI standard populating environment with HTTP headers. If the script uses something like system() for some reason and calls something that is, or calls, a bash script, it can trigger the vulnerability.
2. Re:Worthless article using invalid wording by Anonymous Coward · 2014-10-02 06:56 · Score: 1
  
  Yeah, don't bash php
  lulz
CloudFlare did a similar analysis by heypete · 2014-10-02 03:54 · Score: 5, Informative

See https://blog.cloudflare.com/inside-shellshock/.
Not the remote exploit many are looking for by damn_registrars · 2014-10-02 04:01 · Score: 4, Interesting

My home box has seen a dramatic up-tick in frequency of ssh attempts - particularly as root (even though I don't allow remote logins as root regardless of whether the password is right or not) - but the frequency of attacks via PHP and other potential shellshock vectors hasn't changed much.

I recently had one IP address in China make over 10,000 attempts to log in as root via ssh in one morning. By comparison on the same day I saw only 109 failed attempts to load various php configuration pages.

--
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
1. Re:Not the remote exploit many are looking for by Anonymous Coward · 2014-10-02 04:10 · Score: 1
  
  A simple iptable rule would throttle the rate at which you accept ssh connection would solve this problem. Why are you allowing them to hammer your server and fill your logs with crap?
2. Re:Not the remote exploit many are looking for by damn_registrars · 2014-10-02 04:20 · Score: 1
  
  A simple iptable rule would throttle the rate at which you accept ssh connection would solve this problem.
  That is one of many options.
  
  Why are you allowing them to hammer your server and fill your logs with crap?
  I find it amusing to see how hard some people will work to try to compromise my inconsequential system. I set my messages log to turn over at a very high file size now so I can see the activities more readily through only one file. Even with people attacking at this frequency they pose no real danger to my system, either by way of filling my "logs with crap" or by actually trying to get it (as a prohibited user name).
  
  --
  Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
3. Re:Not the remote exploit many are looking for by Skylinux · 2014-10-02 04:20 · Score: 1
  
  Why do you allow anybody to connect to a port they have to business using?!?!?!?!
  My servers limit connections on port 22 to the IP-range of my ISP and my static IP from work.
  Zero unauthorized login attempts over SSH for the past years.
  
  --
  Everyone who buys Wild Hunt will receive 16 specially prepared DLCs absolutely for free, regardless of platform.
4. Re:Not the remote exploit many are looking for by Skylinux · 2014-10-02 04:24 · Score: 1
  
  Fuck Slashdot.
  Why would you allow anybody to connect on a port they have no business using?!?!?!?!
  My servers limit connections on port 22 to the IP-range of my ISP and my static IP from work.
  
  Zero unauthorized login attempts over SSH for the past years.
  
  --
  Everyone who buys Wild Hunt will receive 16 specially prepared DLCs absolutely for free, regardless of platform.
5. Re:Not the remote exploit many are looking for by dcollins117 · 2014-10-02 04:44 · Score: 2
  
  I find it amusing to see how hard some people will work to try to compromise my inconsequential system.
  Lol, same here. The only thing of value on my file server is the stuff I'm sharing publically anyways. When I look through my logs at all the fancy attack vectors I think to myself they'd be better off pointing a web browser at index.html, it would sure save them a lot of trouble.
6. Re:Not the remote exploit many are looking for by Anonymous Coward · 2014-10-02 04:59 · Score: 0
  
  I modified the logging to also save the passwords on failed attempts, most are just the usual qwerty123 types but a lot of them look like they have been harvested from successful attempts on compromised systems.
7. Re:Not the remote exploit many are looking for by Anonymous Coward · 2014-10-02 05:23 · Score: 1
  
  Geeze, you must love sifting through millions of lines of crap in your logs.
  Here, let me help you:
  $ wget http://www.snafu.priv.at/mystuff/pam_recent.c
  $ gcc -shared -fPIC -Xlinker -x -o pam_recent.so pam_recent.c -lpam
  Read the instructions on the .c file, its pretty clear cut.
  Then download and install xtables_addons and enable the TARPIT module. Load it, tweak your init scripts to modprobe it automatically on boot.
  Then, add the following to your /etc/sysconfig/iptables or equivalent, where appropriate:
  -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
  -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 2 --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "SSH_BRUTE_FORCE " --log-level 7
  -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 2 --name SSH --mask 255.255.255.255 --rsource -j TARPIT --tarpit
  There. This way you're rate-limiting your ssh port to exactly one connection per minute, except if you manage to log in successfully. The pam_recent module clears the appropriate connection tracking tables if you are able to log in successfully, which in effect means real, actual users are not rate-limited at all. If you can't log in, the second time you connect you will be tarpitted for 60 seconds. Any additional connection during those 60 seconds will extend the tarpit period for another 60 seconds. To me, at least, tarpitting is better than simply rejecting the connection outright, as most attacks arent that smart or sophisticated and will just continue hammering, thus having more and more connections open that lead to a black hole, slowing them down.
  Also, from the same xtables_addons there's xt_geoip.ko, which is pretty nifty. I just reject all traffic from russia and china, and 80% of all crap goes away.
8. Re:Not the remote exploit many are looking for by Anonymous Coward · 2014-10-02 05:36 · Score: 0
  
  Because his and your situation and needs are obviously the same so one size fits all... come on, have some imagination - theres plenty of situations where whitelisting a handfull of ips is not going to work. (also, use key-based login and disable password login in ssh)
9. Re:Not the remote exploit many are looking for by Anonymous Coward · 2014-10-02 05:43 · Score: 0
  
  It's not about the files. They don't care about those. They want your computer as part of their botnet.
10. Re:Not the remote exploit many are looking for by Anonymous Coward · 2014-10-02 06:09 · Score: 0
  
  Exactly, and they're not trying hard to take over YOUR system. They're trying hard to take over everyone's. It's no more effort to try and take over yours at the same time.
  Nerds are idiots.
11. Re:Not the remote exploit many are looking for by BringsApples · 2014-10-02 06:12 · Score: 1
  
  Hell, what's yer IP?
  
  --
  Politics; n. : A religion whereby man is god.
12. Re:Not the remote exploit many are looking for by Anonymous Coward · 2014-10-02 08:05 · Score: 0
  
  I find it amusing to see how hard some people will work to try to compromise my inconsequential system.
  These are automated attack that scan whole ip range. You are not target for being pretty. The hammering waste bandwidth, cpu cycle and electricity. It may not be much but is is still a waste. More importantly, doping the packets will keep their scanner hanging for several minutes; slowing the progression of malware over the intertubes. Just use a rate limiting firewall like everyone else, the only down side is that you may not be able to brag about large numbers (that really everyone has, you are not special.)
13. Re:Not the remote exploit many are looking for by goarilla · 2014-10-02 08:14 · Score: 1
  
  Congratulations now someone can deduce your passwords from your failed attempts.
14. Re:Not the remote exploit many are looking for by polymath69 · 2014-10-02 12:44 · Score: 1
  
  How do you figure? The keyspace is too vast for exploitation by enumeration... by any but the most well-funded adversaries, anyway. And if they're after you, there are easier ways.
  
  --
  
  --
  I don't want to rule the world... I just want to be in charge of mayonnaise.
15. Re:Not the remote exploit many are looking for by goarilla · 2014-10-02 21:08 · Score: 1
  
  He doesn't have to enumerate the whole keyspace.
  He's got the failed password values in cleartext in his /var/log/messages !
16. Re:Not the remote exploit many are looking for by damn_registrars · 2014-10-03 15:32 · Score: 1
  
  I find it amusing to see how hard some people will work to try to compromise my inconsequential system.
  These are automated attack that scan whole ip range.
  
  i am well aware that there is nothing special about my system being targeted. I don't pretend that my system harbors great secrets of immense value to the Chinese. Indeed they would probably use my system to try to compromise other open systems.
  
  Just use a rate limiting firewall like everyone else, the only down side is that you may not be able to brag about large numbers
  Has it occurred to you that maybe I find this interesting? Sure there are solutions to it, and many of them. I know I can solve this problem if I want but I actually rather enjoy watching it take place. it's rather like watching an animal repeatedly try for a bit of food that was intentionally placed just out of reach; how long until it gives up?
  
  --
  Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
17. Re:Not the remote exploit many are looking for by knarf · 2014-10-04 07:27 · Score: 1
  
  Well, no, not really. They're mostly after the server resources in the first place, to be (ab)used as spambots or DDoS drones. That is something 'pointing a web browser at index.html' will not help them with, so they try other tactics.
  
  --
  --frank[at]unternet.org
Shared hosting by QuietLagoon · 2014-10-02 04:05 · Score: 2

...Since attackers are systematically scanning all available addresses in the IPv4 space...
If your site is on a server that does shared (or virtual) hosting, then IP address scans will usualy not trigger shellshock from your site because your site needs to be accessed via its URL. Accesses via IP address will usually go to a main site on that server, and that main site may not have any exploitable content.

... On one hand, that's a lot for a machine no one knows anything about; on the other, it indicates that attackers haven't wholesale dumped other methods in favor of going after this particular bug....
This is a straw man. Of course the bad guys are not going to walk away from all the other exploits in their toolbox. No one said they would.
Most of the shellshock accesses I see are just scans, i.e., the bad guys are building an inventory of what hosts are vulnerable. I haven't seen too many (i.e., only a very few) attempts to take over the host.... yet.
simole! by Anonymous Coward · 2014-10-02 04:29 · Score: 0

Step 1: Install Linux
Step 2: Plug in network
Step 3: Observe
Just grep for () in your /var/log/apache2/referer. by ArsenneLupin · 2014-10-02 04:44 · Score: 1

If you run a web server of any kind, just grep for () in your /var/log/apache2/referer.log, and you'll see plenty of hits:
fgrep '()' /var/log/apache2/referer.log
... if not, maybe you're simply running a site that is too obscure?
Duh by s.petry · 2014-10-02 04:53 · Score: 1, Redundant

You can't advertise massive numbers if you throttle or run something like fail2ban!

--
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Pardon the sarcasm by s.petry · 2014-10-02 05:05 · Score: 2

I replied directly as sarcasm, and perhaps should have added this as an addendum to the same post. I used to do the same at home where I had no concerns if a hacker was actually successful. I never gave free access like you, I was still running both tcpwrappers and an application called Netwatch (similar to fail2ban). I did log everything, and spent a good deal of time probing the people attempting to hack my stuff, tracking their traffic, etc... Partially this was a bit of morbid curiosity, partially learning how hackers operate, but also to give me ideas of what to be protecting at the office..
Assuming you know the risks, which it seems like you do, there is nothing wrong with what you are doing. Quite frankly, I learned a lot by doing this and attempting to build honeypots at home.
An office environment is quite different, different actions, different tolerances, and different expectations.

--
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
1. Re:Pardon the sarcasm by damn_registrars · 2014-10-02 06:48 · Score: 1
  
  An office environment is quite different, different actions, different tolerances, and different expectations.
  Agreed. Systems at work I keep locked down and secured much differently. At home only one system is accessible to the outside world at all, and only on two ports.
  
  --
  Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Wordpress? by s.petry · 2014-10-02 05:10 · Score: 2

They seem to have problems with every other vulnerability, why would they want to leave this one out?
Yes, that is *snark* directed against Wordpress and their history of poor security. No, I do not know if there are any actual Wordpress exploits.

--
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Re:Just grep for () in your /var/log/apache2/refer by Anonymous Coward · 2014-10-02 05:47 · Score: 0

Wow. Seven of them total, across at least 5 vhosts I run on my system. I feel... inadequate.
Everyone be sure to spam wget http://82.221.105.197/bash-cou...
Names by pitchpipe · 2014-10-02 06:36 · Score: 1

It seems like viruses and exploits are getting names like rock bands.

I went to VirusPalooza!!! The headliners were ShellSHOCK and Heartbleed. They were great. Also saw a bunch of others: Viruses from yesteryear like Wabbit and Creeper System, awesome viruses from the '80s CyberAIDS, Festering Hate Apple ProDOS, and Ghostball, modern stars like Stuxnet and CryptoLocker, and who could forget Y2K?!?

--
Look where all this talking got us, baby.
Grep for () in web logs by Anonymous Coward · 2014-10-02 10:36 · Score: 0

One doesn't need a "honeypot". Just grep for () in your web server logs. Also, the language of the web query has little to do with anything since the shell attach works via environment variables, which a web server forms based on query content. So saying ".... PHP was the most common attack method .." displays an enormous amount of ignorance by the author.