Exec Sessions Being Blocked

Question

Exec Sessions Being Blocked

daleiii opened this issue 7 years ago · 5 comments

Hi - I'm having trouble with my honeypot and EXEC session commands being blocked. Please see the snip below for the blocking that's occuring.

20180315_084840_937683 - [POT ] xxx.xxxxxxx - xxx.xxx.xxx.xxx:22
20180315_084840_937683 - [SSH ] Incoming Connection from 210.121.164.xxx:49520 - Korea, Republic of
20180315_084841_340552 - [SSH ] Login Successful: root:iJ93MnFj4VnWf0sA78gCx
20180315_084841_340552 - [SSH ] Login was spoofed
20180315_084841_635142 - [EXEC0] Opened Channel
20180315_084841_636056 - [EXEC0] Command Blocked: uname -a
20180315_084841_639233 - [EXEC0] Closed Channel
20180315_084841_936323 - [SSH ] Lost Connection with 210.121.164.xxx

This is my configuration file: honssh.cfg.txt

Any thoughts and suggestions would be appreciated, thanks.

Answer 1 · 2018-03-16T08:15:18.000Z

Hi, can you share your honssh.log as well please?

Answer 2 · 2018-03-16T17:14:34.000Z

Hi, @tnich. Please see below, thank you.

honssh.log

Answer 3 · 2018-03-17T02:29:57.000Z

A little more discovery, I get this error when I try and remotely execute a command on the honeypot.

PTY allocation request failed on channel 0

Thanks

Answer 4 · 2018-03-17T10:12:42.000Z

Hey,

So I've just pushed out a bugfix to properly parse the exec disabling config item.

Is it any different now?

Answer 5 · 2018-03-18T00:56:53.000Z

Resolved, thanks for the prompt response.