[Cybersecurity technical article no. 2] What SSH Hacking Attempts Look Like

Copyright

Translator: StoneDemo, a member of the Cloud+ Community translation team
Original link: What SSH Hacking Attempts Look Like
Original author: Doug Rickert

What SSH Hacking Attempts Look Like

With jobs that have been so tied to secure software design and government compliance, I constantly fall back on the assumption “if it’s insecure, you’ll eventually be hacked”. But what does being hacked actually look like? If I set up a server and don’t make myself an obviously vulnerable target (i.e. not going to show up in common shodan.io searches) what would actually happen?

Cue the honeypot concept. A “honeypot” is an intentionally vulnerable “thing” that can be used to study malicious traffic and activity on a network. This “thing” can be anything: a single port on a server, an HTML element on a webpage, or even a network with multiple servers. Once it’s set up, any malicious traffic towards it can be studied and turned into actionable intel.

So I went searching for honeypot software that I could run myself. I ended up using Cowrie, a Python-based SSH/Telnet honeypot that emulates a shell and grew out of the earlier Kippo project. I was attracted to it for a few reasons: it had a lot of support articles, it was written in Python, and Cowrie worked with Kippo’s lightweight visualization software, Kippo-Graph. With Kippo-Graph I could keep an eye on things from my phone without having to SSH into the server.

I’ll skip the gory details of the setup, but if you’re interested “Use the Cowrie SSH Honeypot to Catch Attackers on Your Network” was an awesome tutorial.

So, I fired up the honeypot software and set the SSH emulator on port 22 to allow the usernames root and admin with the passwords changeme and 1234567, respectively. I sat back and watched and…

[image omitted]

People tried to guess my SSH password a lot. Anywhere from 200 to just over 1200 times per day. The tries mostly came from:

[image omitted]

And with the passwords set to what I thought were very insecure values (remember, the passwords were just changeme and 1234567), only 4 login attempts succeeded. I was hacked by:

  • Feb 11th: An IP in Hefei, Anhui, China that tried 42 times before guessing user root and password changeme. After the success it stopped, and I was immediately compromised by an IP in Seoul (I assume the same actor changing IPs). That IP attempted to run the Linux command “uname -srmo”; the command was accepted, but the honeypot’s emulated uname didn’t handle the “-srmo” options, and the actor disconnected.
  • Feb 20th: An IP in Haarlem, North Holland, Netherlands that tried 15 times with user root and password changeme. It mimicked the same behavior as the previous actor.
  • Feb 24th: A Tor node using user root and password changeme. It only tried once and then immediately disconnected without running a command. Since it guessed the username/password combination on the first try, I assume it was one of the prior actors checking back in on its access.

All of this was honestly pretty anti-climactic and boring. My job is to tell people if they do insecure things they’ll be hacked! And yet here I was, using bad username/password combinations and barely getting compromised. So, I decided to turn it up.

I looked at the graphic that Kippo-Graph provides of the username-password combinations.

[image omitted]

I was still a little wary about the consequences of a lot of activity in my honeypot, so I avoided all of these default-IoT-credential-looking passwords and chose two new combinations to add. The first was admin/admin1 (I saw a few attempts on these) and the second was one I thought was very interesting, pi/raspberryraspberry993311.

Pi is the default user for the popular Raspbian distro that is used widely with the Raspberry Pi systems. However, the default password is raspberry not raspberryraspberry993311. A quick Google search of the password brought up a lot of raw honeypot data but no explanation! So, I decided to accept it and see what the deal was.

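
Both the initial setup above (root/changeme and admin/1234567) and the two pairs added later (admin/admin1 and pi/raspberryraspberry993311) come down to which credential pairs the honeypot is told to accept. As an added example that is not from the original post or from the Cowrie project, here is a small re-implementation of how Cowrie's etc/userdb.txt rules decide that, run over a constructed rule set holding the post's pairs. The rule semantics (lines tried in order, first match wins, `*` matches anything, a leading `!` denies, `/.../` is a regular expression) are as I understand them from Cowrie's userdb.example; the `oracle` line and the sample logins are my own additions.

```python
import re
from typing import List, Tuple, Union

# Constructed rule set in the layout of Cowrie's etc/userdb.txt (username:unused:password).
# Not from the original post; the semantics below follow Cowrie's userdb.example as I
# understand it: first matching line wins, '*' matches anything, '!' denies, /.../ is a regex.
HONEYPOT_USERDB = """\
# root: only the password the post's honeypot accepted; refuse everything else
root:x:changeme
root:x:!*
# admin: the original pair plus the admin1 pair added later
admin:x:1234567
admin:x:admin1
# the pair that led to the Raspberry Pi worm
pi:x:raspberryraspberry993311
# a regex rule (my addition): accept oracle with any password starting with 'oracle'
oracle:x:/^oracle/
# everything else: deny
*:x:!*
"""

PasswordRule = Union[str, re.Pattern]
Rule = Tuple[str, PasswordRule, bool]  # (username rule, password rule, allow?)


def parse_userdb(text: str) -> List[Rule]:
    """Parse userdb.txt-style text into ordered rules, skipping comments and malformed lines."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            # Exactly three ':'-separated fields are required, so a password that itself
            # contains ':' cannot be expressed in this format; such lines are ignored.
            continue
        login, _unused, passwd = fields
        allow = True
        if passwd.startswith("!"):
            allow = False
            passwd = passwd[1:]
        password_rule: PasswordRule = passwd
        if len(passwd) >= 2 and passwd.startswith("/") and passwd.endswith("/"):
            password_rule = re.compile(passwd[1:-1])
        rules.append((login, password_rule, allow))
    return rules


def _matches(rule: PasswordRule, value: str) -> bool:
    if isinstance(rule, re.Pattern):
        return rule.search(value) is not None
    return rule == "*" or rule == value


def check_login(rules: List[Rule], username: str, password: str) -> bool:
    """True if the honeypot should accept the login. The first rule whose username and
    password fields both match decides; if no rule matches, the login is denied."""
    for login_rule, password_rule, allow in rules:
        if _matches(login_rule, username) and _matches(password_rule, password):
            return allow
    return False


if __name__ == "__main__":
    rules = parse_userdb(HONEYPOT_USERDB)
    for user, pw in [("root", "changeme"), ("root", "toor"), ("admin", "admin"),
                     ("pi", "raspberry"), ("pi", "raspberryraspberry993311"),
                     ("oracle", "oracle123"), ("ubuntu", "ubuntu")]:
        verdict = "accept" if check_login(rules, user, pw) else "reject"
        print(f"{user}/{pw}: {verdict}")
```

The order of lines matters: a deny-all line such as `root:x:!*` placed above `root:x:changeme` would shadow it and lock root out entirely, which is the kind of mistake that makes a honeypot look silently empty.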
And right away I was hacked by the French! Well, someone coming from a French IP. And it curiously used that raspberryraspberry993311 password. The threat actor immediately uploaded a bash script and attempted to run it. The bash script was a worm that configured the server to:

  • Periodically report back to an Undernet IRC channel for command and control
  • Change the password to raspberryraspberry993311 (so that’s why we were seeing these attempts!)
  • Start scanning public IP space to attempt to spread the worm further. When it was doing this scanning, it would try both pi/raspberry and pi/raspberryraspberry993311 presumably as a way to spread updates if command and control went down.

This Raspberry Pi botnet malware did quite a few other things, and I plan to get around to an entire post dedicated to dissecting it.

After the French, I was hacked by an IP in Switzerland that switched to an IP in Ireland after it found working credentials. The threat actor attempted to load malware onto the machine that used the string “gweerwe323f” throughout. The malware mostly contained shellcode, and I haven’t had the time to really pick that apart either. But based on further compromises, this was definitely another botnet running through scripted actions.

Finally I wanted to see what would happen if I just set the credentials to accept username admin and password admin. Over the next day I just kept getting hacked by the same gweerwe323f botnet over and over.

At this point the fun had started to dwindle so I killed the honeypot. For those interested, here are the top 10 passwords attempted:

[image omitted]

And here are the top 10 username/password combinations that were attempted on my honeypot:

[image omitted]

They all felt extremely Internet-of-Things oriented at first glance. It absolutely shocked me that these drive-by attackers find it worth their time to try combinations like root/password, root/root, or root/admin. Apparently they have enough successes with those incredibly insecure combinations that it is worth their time.

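
The numbers discussed in this post (attempts per day, top passwords, top username/password pairs, which sources got in and what they ran, and the "first try, then disconnect" pattern that suggested an actor checking back in) all come straight out of the honeypot's log. As an added example that is not part of the original post, here is an aggregator over Cowrie's one-JSON-object-per-line log (log/cowrie.json), run on constructed events that mirror the Feb 11 story: one source fails several times and then guesses root/changeme, and a second source logs in on its first try and runs `uname -srmo`. The event and field names are the ones Cowrie writes for these events; the IP addresses, session IDs and timestamps are made up.

```python
import json
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed lines in the shape of Cowrie's JSON log, one event per line. Not data from
# the original post: the addresses (RFC 5737 ranges), session IDs and times are invented.
SAMPLE_COWRIE_JSON = """\
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.10","session":"a1","timestamp":"2018-02-11T03:15:01.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"root","src_ip":"203.0.113.10","session":"a1","timestamp":"2018-02-11T03:15:03.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"admin","src_ip":"203.0.113.10","session":"a2","timestamp":"2018-02-11T03:15:05.000000Z"}
{"eventid":"cowrie.login.success","username":"root","password":"changeme","src_ip":"203.0.113.10","session":"a2","timestamp":"2018-02-11T03:15:07.000000Z"}
{"eventid":"cowrie.login.success","username":"root","password":"changeme","src_ip":"198.51.100.7","session":"b1","timestamp":"2018-02-11T03:16:40.000000Z"}
{"eventid":"cowrie.command.input","input":"uname -srmo","src_ip":"198.51.100.7","session":"b1","timestamp":"2018-02-11T03:16:41.000000Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"192.0.2.55","session":"c1","timestamp":"2018-02-12T11:02:00.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"192.0.2.55","session":"c1","timestamp":"2018-02-12T11:02:02.000000Z"}
{"eventid":"cowrie.session.closed","src_ip":"192.0.2.55","session":"c1","timestamp":"2018-02-12T11:02:03.000000Z"}
"""


def parse_events(text: str) -> List[dict]:
    """One JSON object per line; a truncated or corrupt line is skipped rather than fatal,
    since a honeypot log is often read while it is still being written."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def summarize(events: List[dict]) -> Dict[str, object]:
    """Aggregate login attempts, successes and the commands typed in each session."""
    attempts_per_day = Counter()   # date -> number of login attempts (failed + successful)
    passwords = Counter()          # password -> times tried
    combos = Counter()             # (username, password) -> times tried
    failures_by_ip = Counter()     # running count of failures per source
    successes = []                 # one record per successful login
    commands = defaultdict(list)   # session id -> commands entered
    sources = set()
    for ev in events:
        eid = ev.get("eventid", "")
        ip = ev.get("src_ip")
        if ip:
            sources.add(ip)
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            attempts_per_day[ev["timestamp"][:10]] += 1
            passwords[ev["password"]] += 1
            combos[(ev["username"], ev["password"])] += 1
            if eid == "cowrie.login.failed":
                failures_by_ip[ip] += 1
            else:
                successes.append({
                    "timestamp": ev["timestamp"], "src_ip": ip, "session": ev["session"],
                    "username": ev["username"], "password": ev["password"],
                    # how many failures this source had logged before it got in
                    "failed_before": failures_by_ip[ip],
                })
        elif eid == "cowrie.command.input":
            commands[ev["session"]].append(ev["input"])
    return {"attempts_per_day": attempts_per_day, "passwords": passwords, "combos": combos,
            "successes": successes, "commands": dict(commands), "source_count": len(sources)}


def first_try_successes(summary: Dict[str, object]) -> List[str]:
    """Sources that logged in without a single prior failure: someone who already knew the
    credentials, e.g. an earlier actor checking back in or a worm carrying its own password."""
    return [s["src_ip"] for s in summary["successes"] if s["failed_before"] == 0]


if __name__ == "__main__":
    s = summarize(parse_events(SAMPLE_COWRIE_JSON))
    print("attempts per day:", dict(s["attempts_per_day"]))
    print("top passwords:", s["passwords"].most_common(3))
    print("top user/password pairs:", s["combos"].most_common(3))
    for win in s["successes"]:
        ran = s["commands"].get(win["session"], [])
        print(f"{win['timestamp']} {win['src_ip']} got in as {win['username']}/{win['password']} "
              f"after {win['failed_before']} failures; commands: {ran}")
    print("first-try logins from:", first_try_successes(s))
```

Counting `failed_before` per source rather than per session is deliberate: the brute-forcers in the post opened many short sessions, so a per-session count would make almost every success look like a first-try login.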
I also did a quick analysis of my Apache access log to see what was attempted on my password-protected web server. Since the web server wasn’t vulnerable there was not much malicious activity to dissect, but I did see a lot of requests for the path /manager/html, which is where the Manager web application lives by default on an Apache Tomcat installation. Otherwise, it was just the classic attempts to find phpMyAdmin.

I wouldn’t feel like this post is complete without suggesting the open source software Fail2Ban. For those of you who got to the bottom of this and wondered “well, why don’t I just block those IPs”, you are absolutely correct. Software like Fail2Ban can monitor your log files for malicious activity like this and block future attempts from those IPs. There’s also plenty more you could do with this data or a honeypot. Put a honeypot inside your company network and watch for malicious activity such as network scanning. Put it in your company’s public IP space and see if there are any targeted attacks unique to your company or industry.

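
What a Fail2Ban jail does boils down to a small policy: count authentication failures per source within a sliding window (findtime), and once a source reaches maxretry, block it for bantime. As an added example (my own simulation of that policy, not Fail2Ban's code), here it is run over constructed sshd lines in syslog format, with Fail2Ban's stock jail defaults (maxretry 5, findtime 600 s, bantime 600 s) as parameters. The sample also covers two cases worth checking before trusting a ban rule: a slow scan spaced so it never reaches maxretry inside findtime, and a source that comes back after its ban has expired. The hostname, PIDs and addresses are invented.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sshd lines in syslog format; not from the original post. The syslog
# timestamp carries no year, so the parser is told which year to assume.
SAMPLE_AUTH_LOG = """\
Feb 11 03:15:01 honey sshd[2201]: Failed password for root from 203.0.113.10 port 51234 ssh2
Feb 11 03:15:03 honey sshd[2201]: Failed password for root from 203.0.113.10 port 51234 ssh2
Feb 11 03:15:09 honey sshd[2203]: Invalid user admin from 203.0.113.10 port 51240
Feb 11 03:15:09 honey sshd[2203]: Failed password for invalid user admin from 203.0.113.10 port 51240 ssh2
Feb 11 03:15:14 honey sshd[2205]: Failed password for root from 203.0.113.10 port 51251 ssh2
Feb 11 03:15:20 honey sshd[2207]: Failed password for root from 203.0.113.10 port 51260 ssh2
Feb 11 03:16:40 honey sshd[2210]: Accepted publickey for doug from 198.51.100.7 port 40022 ssh2
Feb 11 03:20:00 honey sshd[2212]: Failed password for root from 192.0.2.55 port 6100 ssh2
Feb 11 03:31:00 honey sshd[2214]: Failed password for root from 192.0.2.55 port 6101 ssh2
Feb 11 03:42:00 honey sshd[2216]: Failed password for root from 192.0.2.55 port 6102 ssh2
Feb 11 03:53:00 honey sshd[2218]: Failed password for root from 192.0.2.55 port 6103 ssh2
Feb 11 04:04:00 honey sshd[2220]: Failed password for root from 192.0.2.55 port 6104 ssh2
Feb 11 04:30:00 honey sshd[2222]: Failed password for root from 203.0.113.10 port 51300 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# Only "Failed password" lines are counted. sshd also logs a separate "Invalid user"
# line for the same attempt; matching both would count one guess twice.
FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

Failure = Tuple[datetime, str, str]  # (time, source ip, username tried)


def parse_failures(text: str, year: int) -> List[Failure]:
    """Extract password failures, in log order, from syslog-format sshd lines."""
    failures: List[Failure] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = FAIL_RE.match(m.group("msg"))
        if not f:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        failures.append((ts, f.group("ip"), f.group("user")))
    return failures


def ban_decisions(failures: List[Failure], maxretry: int = 5, findtime: int = 600,
                  bantime: int = 600) -> List[Tuple[str, datetime, datetime]]:
    """Replay failures (which must be time-ordered, as a log file is) and return
    (ip, banned_at, banned_until) for every ban the policy would have issued."""
    window = timedelta(seconds=findtime)
    recent: Dict[str, deque] = defaultdict(deque)   # per-source failure times inside the window
    banned_until: Dict[str, datetime] = {}
    bans = []
    for ts, ip, _user in failures:
        if ip in banned_until and ts < banned_until[ip]:
            continue  # a banned source is firewalled; its packets would never reach sshd
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()   # forget failures older than findtime
        if len(q) >= maxretry:
            until = ts + timedelta(seconds=bantime)
            banned_until[ip] = until
            bans.append((ip, ts, until))
            q.clear()     # after the ban expires the source starts from a clean count
    return bans


if __name__ == "__main__":
    for ip, at, until in ban_decisions(parse_failures(SAMPLE_AUTH_LOG, 2018)):
        print(f"ban {ip} at {at:%H:%M:%S} until {until:%H:%M:%S}")
```

With the defaults, only 203.0.113.10 is banned (five failures in nineteen seconds); 192.0.2.55 spaces its guesses eleven minutes apart and never has five inside the ten-minute window, which is exactly the gap a slow, distributed brute-forcer exploits and why the honeypot data on the page, not the ban count, is the better measure of how much probing is really going on.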
Maybe in the future I’ll revisit the data and search for more interesting patterns like the one that led me to the Raspberry Pi botnet. For now, my honeypot is turned off and I’d call it a successful experiment.

Reposted from blog.csdn.net/qq_16775897/article/details/81613061