If you're interested in the same and want to display stats about the connection attempts, passwords tried etc. I have developed a "kippo stats" webapp in Perl/Mojolicious, at https://github.com/mfontani/kippo-stats
-hacker +script kid. The most emotional part what when Perl was downloaded from the Microsoft site. An excellent display of how dangerous automated exploits can be in the wrong hands. Enabling emotions to run wild without assuming any risks at all. Yay, I got into a box with my script. Yay, I'm going to run a script to packet flood someone. Yay, that was meaningless.
I also enjoy how the tar had a file called "scam." Shows the generation gap in what used to be in a swiss army tar. Bot nets and things of that nature aren't fully utilized to terrorize the infected and targets! They can be used to click ads, send emails, give website hits; oh endless possibilities for MONEY.
A script kiddie [1] hacks into a computer and goes out of its way to demonstrate its ignorance by doing stupid things like downloading a file, but being unable to locate it or downloading Windows Service Pack on what seems to be a *nix system.
Luckily, the hacked computer wasn't a real computer but a honey pot [2] and everything the script kiddie does is recorded for our amusement.
It's a bit like watching a bank robber sporting a big gun without knowing which way to point it.
A script kiddie got SSH access to this honeypot (system setup to catch this type of activity and log it). He then attempted to download and run various rootkits/hacks/flooders/whatever. He repeatedly tried to change to a non-existant directory, run perl (which wasn't installed), and downloaded a Windows update (pointless on a non-Windows system).
To summarize, a wannabe hacker got access to a system and didn't know what to do.
Still, this leaves you wondering how someone with such little knowledge of even the most basic Linux commands could ssh in there in the first place. Any idea ?
Or a disguised-kiddie which gets very cleverly in but then does very stupid things in order to get caught and get a couple of things:
1. Get others involved by leaving fake tracks.
2. Distract attention.
3. Make you think your honey pot is doing right while some other heavy duty scripts are running on the 'right' direction.
There are tons of brute force ssh bots. All they do is try every password in their password list. If you want to see one, search for brute force ssh bot on YouTube and watch script kiddies teach other script kiddies how to use them.
Did anyone else start experiencing physical pain when the hacker accessed the right file in the wrong place for the hundredth time without typing "ls" ONCE?
I had no idea the reflex was so strong, but I almost starting twitching. I caught myself reaching for the keyboard to hammer out "ls -l". What a tragedy.
(I leave it as an exercise to the reader to determine whether the tragedy is the hacker's incompetence or my reflexive neckbeard response to it.)
I felt myself being urged to type on a non-existent keyboard as well. If it was a person near me at the keyboard, I would have felt compelled to tell them to move out of the chair and let me do the work.
This reminds me (uh-oh, another neckbeard old-timer story) of the very early days of the ARPAnet when there about 20 nodes or so...
Back then there were free guest accounts on all the systems (mostly TOPS-10 and TENEX systems along with some wierd one-off machines like the UCSB symbolic math system on a 360/65), and we (at HARV-10) had a hacker who'd come in and mess things up.
So the sysadmin (Geoff Steckel) started a logging process that dumped all suspicious incoming telnet connections input to a local TTY (yes, a physical teletypewriter).
We used to gather around the TTY when it started chattering, to watch the hacker at work. Geoff pretty quickly figured out what he was doing and patched our TOPS-10 monitor source.
'cd ". "' is valid; it means "set the current directory to the one named [dot][space]".
I assumed it was something he'd seen as a way to sortof-conceal a directory, since it's both hidden and looks a lot like the [dot] directory that you'd expect to find everywhere.
Actually, you guys are both right. Speaking from experience (administrator at a popular webhosting company), he likely a lot of his rootkits macroed, so he can just login to the box, alt+1 (or whatever he has his macro set to) and then pop out. When the macros fail, he demonstrates his lack of actual knowledge of *nix systems and starts acting erratically.
44 comments
[ 3.3 ms ] story [ 42.7 ms ] threadEdit: Another would-be hacker: http://www.youtube.com/watch?v=fPypZSZiF3g
If you're interested in the same and want to display stats about the connection attempts, passwords tried etc. I have developed a "kippo stats" webapp in Perl/Mojolicious, at https://github.com/mfontani/kippo-stats
I also enjoy how the tar had a file called "scam." Shows the generation gap in what used to be in a swiss army tar. Bot nets and things of that nature aren't fully utilized to terrorize the infected and targets! They can be used to click ads, send emails, give website hits; oh endless possibilities for MONEY.
Also, this is pretty funny, and seems like it could be the same guy: http://kippo.rpg.fi/playlog/?l=20100316-233121-1847.log
I found it curious that he was copy/pasting those wget links so quickly though. THAT part nearly seemed automated. Strange behaviour.
Luckily, the hacked computer wasn't a real computer but a honey pot [2] and everything the script kiddie does is recorded for our amusement.
It's a bit like watching a bank robber sporting a big gun without knowing which way to point it.
[1] http://en.wikipedia.org/wiki/Script_kiddie [2] http://en.wikipedia.org/wiki/Honeypot_%28computing%29
I guess one should be really careful before calling someones actions stupid. Lesson learned.
To summarize, a wannabe hacker got access to a system and didn't know what to do.
http://themostboringblogintheworld.wordpress.com/2006/09/13/...
1. Get others involved by leaving fake tracks. 2. Distract attention. 3. Make you think your honey pot is doing right while some other heavy duty scripts are running on the 'right' direction.
I could just here the steam start to build.
telnet 94.255.168.108
I had no idea the reflex was so strong, but I almost starting twitching. I caught myself reaching for the keyboard to hammer out "ls -l". What a tragedy.
(I leave it as an exercise to the reader to determine whether the tragedy is the hacker's incompetence or my reflexive neckbeard response to it.)
Back then there were free guest accounts on all the systems (mostly TOPS-10 and TENEX systems along with some wierd one-off machines like the UCSB symbolic math system on a 360/65), and we (at HARV-10) had a hacker who'd come in and mess things up.
So the sysadmin (Geoff Steckel) started a logging process that dumped all suspicious incoming telnet connections input to a local TTY (yes, a physical teletypewriter).
We used to gather around the TTY when it started chattering, to watch the hacker at work. Geoff pretty quickly figured out what he was doing and patched our TOPS-10 monitor source.
1) not doing ls commands
2) having rescue plans like trying different directories in case a directory doesn't exist
3) doing instant URL pastes
4) doing stuff in loop
5) acting similarly to a robot
6) [feel free to add more here]
A script sophisticated enough to replicate the behaviour of a real user at a shell like this would likely actually achieve something.
Anyone clever enough to write a script that does this, wouldn't, because they'd also be clever enough to realise that it's utterly pointless.
The win2k service pack was likely filling the role of "a big file from a fast CDN," for the purposes of testing the machine's connection.
I assumed it was something he'd seen as a way to sortof-conceal a directory, since it's both hidden and looks a lot like the [dot] directory that you'd expect to find everywhere.
Oh yeah, he's really covered his tracks now...