diff --git a/kippo/commands/__init__.py b/kippo/commands/__init__.py
index 170962f..01cdddf 100644
--- a/kippo/commands/__init__.py
+++ b/kippo/commands/__init__.py
@@ -13,4 +13,5 @@ __all__ = [
 'adduser',
 'last',
 'fs',
+ 'malware',
 ]
diff --git a/kippo/commands/malware.py b/kippo/commands/malware.py
new file mode 100644
index 0000000..e83e1f6
--- /dev/null
+++ b/kippo/commands/malware.py
@@ -0,0 +1,117 @@
+# Copyright (c) 2009 Upi Tamminen
+# See the COPYRIGHT file for more information
+
+# Commands mapped to common malware
+
+from kippo.core.honeypot import HoneyPotCommand
+
+commands = {}
+clist = {} # names
+slist = {} # sizes
+
+# 9729c037cb0a32811ba3eb15e3c8a789
+class command_nop(HoneyPotCommand):
+ def call(self):
+ pass
+slist[317] = command_autorun
+clist['autorun'] = command_autorun
+
+# 158c35ecfd4a4a490b613d87a22088fa
+class command_start1(HoneyPotCommand):
+ def call(self):
+ self.writeln('=====>Created by PuFoS<=====')
+ self.writeln('++++++ *Asta e o arhiva privata* ++++++++')
+ self.writeln('Exemplu : ./start canal ')
+ self.writeln('P.S : FARA DIEZ!')
+slist[750] = command_start1
+clist['start'] = command_start1
+
+# d4655a3bdcb9e18c6718c29eda91725b
+class command_start2(HoneyPotCommand):
+ def call(self):
+ self.writeln('Exemplu: ./start canal (fara diez)')
+slist[608] = command_start2
+
+# 9428fcc48cf2c01668678e9ea4874de4
+class command_start3(HoneyPotCommand):
+ def call(self):
+ self.writeln('####################################################################')
+ self.writeln('# ______')
+ self.writeln('# .-. .-.')
+ self.writeln('# / \\')
+ self.writeln('# | zRR |')
+ self.writeln('# |, .-. .-. 
,|')
+ self.writeln('# | )(z_/ \z_)( |')
+ self.writeln('# |/ /\ \|')
+ self.writeln('# _ (_ ^^ _)')
+ self.writeln('# _\ ____) \_______\__|IIIIII|__/_________________________')
+ self.writeln('# (_)[___]{}<________|-\IIIIII/-|__zRR__zRR__zRR___________\\')
+ self.writeln('# / )_/ \ /')
+ self.writeln('# \ ______ /')
+ self.writeln('# SCANER PRIVAT')
+ self.writeln('# SCANER FOLOSIT DOAR DE TEAMUL zRRTEAM')
+ self.writeln('# SACNERUL CONTINE UN PASS_FLIE DE 3MEGA !!')
+ self.writeln('####################################################################')
+slist[6649] = command_start3
+
+# f3511c928dbc381c0d7b35d63821ea01
+class command_start_sh1(HoneyPotCommand):
+ def call(self):
+ self.writeln('Enjoy FloodBot based on OverKill')
+slist[67] = command_start3
+
+# 3c56bd3a394c1a842ec57226d8ee5d81
+class command_go_sh1(HoneyPotCommand):
+ def call(self):
+ if not len(self.args):
+ self.writeln('A must be between 1 and 254')
+ else:
+ self.writeln('scanning network %s.*' % self.args[0])
+ self.writeln('usec: 30000, burst packets 50')
+ self.writeln('using interface eth0')
+ self.writeln('using "(tcp[tcpflags]=0x12) and (src port 22) and (dst port 15232)" as pcap filter')
+ self.writeln('my detected ip on eth0 is 127.0.0.1')
+ self.writeln('capturing process started pid 2259')
+ # much more happens after this, but I'm lazy
+ self.writeln('Toata \033[31mdragostea\033[0m mea pentru \033[32mdiavola\033[0m!!!!!!')
+slist[92] = command_go_sh1
+clist['go.sh'] = command_go_sh1
+
+# 978cc6e3ce07787898519aa26f3b429c
+# dc7b9585c47ab44830dc84a11e0272fe
+class command_bash(HoneyPotCommand):
+ def call(self):
+ self.writeln('EnergyMech 2.9.3, May 16th, 2003')
+ self.writeln('Compiled on Mar 4 2005 15:06:49')
+ self.writeln('Features: DBG, LNE, SEE, LNK, TEL, PIP, DYN, ALS, SEF')
+slist[492135] = command_bash # bash
+slist[29] = command_bash # run
+clist['bash'] = command_bash
+
+# e41604f2449fb75eebbf5530ee3a8c2c
+class command_a(HoneyPotCommand):
+ def start(self):
+ if not 
len(self.args):
+ self.writeln(' usage: ./a ')
+ self.exit()
+ return
+ self.writeln('\033[1;31m\xAB\033[1;32m Created bY MaLa \033[1;31m\xBB\033[0m')
+ self.writeln('INCERC SA DAU VIATZA CIBERNETICI')
+ self.write('# scanning: %s (total: 0) (0.01%% done)' % self.args[0])
+slist[1287] = command_a
+clist['a'] = command_a
+
+# b51a52c9c82bb4401659b4c17c60f89f
+class command_ss(HoneyPotCommand):
+ def call(self):
+ if not len(self.args):
+ self.writeln('usage: ./ss [-a | -b ] [-i ]')
+ return
+ self.writeln('usec: 1000000, burst packets 50')
+ self.writeln('using "(tcp[tcpflags]=0x12) and (src port 22) and (dst port 38659)" as pcap filter')
+ self.writeln('my detected ip on eth0 is 127.0.0.1')
+ self.writeln('capturing process started pid 2282')
+slist[453972] = command_ss
+clist['ss'] = command_ss
+
+# vim: set sw=4 et tw=0:
diff --git a/kippo/commands/tar.py b/kippo/commands/tar.py
index 324679b..71c0669 100644
--- a/kippo/commands/tar.py
+++ b/kippo/commands/tar.py
@@ -3,11 +3,20 @@
 from kippo.core.honeypot import HoneyPotCommand
 from kippo.core.fs import *
-from kippo.commands import dice
+from kippo.commands import dice, malware
 import time, random, tarfile, os
 commands = {}
+def pick_handler(cmd, size):
+ if size in malware.slist:
+ handler = malware.slist[size]
+ elif cmd in malware.clist:
+ handler = malware.clist[cmd]
+ else:
+ handler = random.choice(dice.clist)
+ return handler
+
 class command_tar(HoneyPotCommand):
+ def mkfullpath(self, path, f):
+ l, d = path.split('/'), []
@@ -66,7 +75,8 @@ class command_tar(HoneyPotCommand):
 elif f.isfile():
+ self.mkfullpath(os.path.dirname(dest), f)
+ self.fs.mkfile(dest, 0, 0, f.size, f.mode, f.mtime)
- self.honeypot.commands[dest] = random.choice(dice.clist)
+ self.honeypot.commands[dest] = \
+ pick_handler(os.path.basename(dest), f.size)
 else:
 print 'tar: skipping [%s]' % f.name
 commands['/bin/tar'] = command_tar
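Review bot: The two registration lines after `command_nop` reference `command_autorun`, a name this file never defines, so importing `kippo.commands.malware` raises NameError at module load time — and because tar.py now imports it (and `__init__` exports it), the tar command, and possibly the whole commands package, would fail to load. They should read `slist[317] = command_nop` and `clist['autorun'] = command_nop`. The registration under `command_start_sh1` looks like a copy-paste slip as well: `slist[67] = command_start3` binds the wrong class and should be `slist[67] = command_start_sh1`. `command_a` overrides `start` rather than `call` like its siblings; if that is deliberate so the fake scanner never hands control back to the shell, a one-line comment saying so would stop the next reader from "correcting" it.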
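Review bot: `pick_handler` carries no docstring, and its lookup order — exact size in `malware.slist` first, then basename in `malware.clist`, then a random `dice` handler — is a policy a reader cannot recover from the tar call site, so it belongs on the function, e.g. `"""Pick the fake handler for an extracted file: size match first (identifies a known sample), then basename, else a random dice command."""`. Since the size comes straight from the tar header the attacker uploaded, any member whose size happens to equal a registered sample's gets that sample's canned output whatever its name; that is fine for a honeypot, but a short comment on the size branch would keep a later collision from being read as a bug. The body could also collapse to `return malware.slist.get(size) or malware.clist.get(cmd) or random.choice(dice.clist)`, since the handler classes are always truthy. `command_tar`, whose first lines close this hunk, continues outside it.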