
T-PotのCowrieにplaylogを導入した

f:id:teppay:20171222110557g:plain

はじめに

やったこと

git clone

$ sudo su
# cd /opt
# git clone https://github.com/micheloosterhof/cowrie

alias を設定する。

playlogは/opt/cowrie/bin/配下にあるのですが、そこにPATHを通すほどでもないと思うので、.bashrcに以下の記述を追加しました。

alias playlog=/opt/cowrie/bin/playlog

これで、playlogというコマンドでどこでも実行可能になります。

実行してみる

cowrieのttyのログは/data/cowrie/log/tty/ 配下にあるので、cdコマンドで移動して、、

f:id:teppay:20171222110557g:plain

表示されている内容は、

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

system@ubuntu:~$ sh
system@ubuntu:~$ /bin/busybox Fixed
Fixed: applet not found
system@ubuntu:~$ /bin/busybox ps; /bin/busybox Fixed
 PID TTY         TIME COMMAND
5673 pts/0       0:00 -bash
5679 pts/0       0:00 ps 
Fixed: applet not found
system@ubuntu:~$ /bin/busybox kill 5673
system@ubuntu:~$ /bin/busybox kill 5679
system@ubuntu:~$ /bin/busybox cat /proc/mounts; /bin/busybox Fixed
rootfs / rootfs rw 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,relatime 0 0
udev /dev devtmpfs rw,relatime,size=10240k,nr_inodes=997843,mode=755 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /run tmpfs rw,nosuid,relatime,size=1613336k,mode=755 0 0
/dev/dm-0 / ext3 rw,relatime,errors=remount-ro,data=ordered 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=22,pgrp=1,timeout=300,minproto=5,maxproto=5,direct 0 0
fusectl /sys/fs/fuse/connections fusectl rw,relatime 0 0
/dev/sda1 /boot ext2 rw,relatime 0 0
/dev/mapper/home /home ext3 rw,relatime,data=ordered 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
Fixed: applet not found
system@ubuntu:~$ /bin/busybox echo -e '\x6b\x61\x6d\x68' > /.n; /bin/busybox cat /.n; /bin/busybox rm /.n
kamh
system@ubuntu:~$ /bin/busybox echo -e '\x6b\x61\x6d\x68/sys' > /sys/.n; /bin/busybox cat /sys/.n; /bin/busybox rm /sys/.n
kamh/sys
system@ubuntu:~$ /bin/busybox echo -e '\x6b\x61\x6d\x68/proc' > /proc/.n; /bin/busybox cat /proc/.n; /bin/busybox rm /proc/.n
kamh/proc
system@ubuntu:~$ /bin/busybox echo -e '\x6b\x61\x6d\x68/dev' > /dev/.n; /bin/busybox cat /dev/.n; /bin/busybox rm /dev/.n
kamh/dev
system@ubuntu:~$ /bin/busybox echo -e '\x6b\x61\x6d\x68/dev/pts' > /dev/pts/.n; /bin/busybox cat /dev/pts/.n; /bin/busybox rm /dev/pts/.n
kamh/dev/pts
system@ubuntu:~$ /bin/busybox echo -e '\x6b\x61\x6d\x68/run' > /run/.n; /bin/busybox cat /run/.n; /bin/busybox rm /run/.n
kamh/run
system@ubuntu:~$ /bin/busybox echo -e '\x6b\x61\x6d\x68' > /.n; /bin/busybox cat /.n; /bin/busybox rm /.n
kamh
system@ubuntu:~$ /bin/busybox echo -e '\x6b\x61\x6d\x68/dev/shm' > /dev/shm/.n; /bin/busybox cat /dev/shm/.n; /bin/busybox rm /dev/shm/.n
kamh/dev/shm
system@ubuntu:~$ /bin/busybox echo -e '\x6b\x61\x6d\x68/run/lock' > /run/lock/.n; /bin/busybox cat /run/lock/.n; /bin/busybox rm /run/lock/.n
kamh/run/lock
system@ubuntu:~$ /bin/busybox echo -e '\x6b\x61\x6d\x68/proc/sys/fs/binfmt_misc' > /proc/sys/fs/binfmt_misc/.n; /bin/busybox cat /proc/sys/fs/binfmt_misc/.n; /bin/busybox rm /proc/sys/fs/binfmt_misc/.n
kamh/proc/sys/fs/binfmt_misc
system@ubuntu:~$ /bin/busybox echo -e '\x6b\x61\x6d\x68/sys/fs/fuse/connections' > /sys/fs/fuse/connections/.n; /bin/busybox cat /sys/fs/fuse/connections/.n; /bin/busybox rm /sys/fs/fuse/connections/.n
-bash: /sys/fs/fuse/connections/.n: No such file or directory
cat: /sys/fs/fuse/connections/.n: No such file or directory
rm: cannot remove `/sys/fs/fuse/connections/.n': No such file or directory
system@ubuntu:~$ /bin/busybox echo -e '\x6b\x61\x6d\x68/boot' > /boot/.n; /bin/busybox cat /boot/.n; /bin/busybox rm /boot/.n
kamh/boot
system@ubuntu:~$ /bin/busybox echo -e '\x6b\x61\x6d\x68/home' > /home/.n; /bin/busybox cat /home/.n; /bin/busybox rm /home/.n
kamh/home
system@ubuntu:~$ /bin/busybox echo -e '\x6b\x61\x6d\x68/proc/sys/fs/binfmt_misc' > /proc/sys/fs/binfmt_misc/.n; /bin/busybox cat /proc/sys/fs/binfmt_misc/.n; /bin/busybox rm /proc/sys/fs/binfmt_misc/.n
kamh/proc/sys/fs/binfmt_misc
system@ubuntu:~$ /bin/busybox echo -e '\x6b\x61\x6d\x68/dev' > /dev/.n; /bin/busybox cat /dev/.n; /bin/busybox rm /dev/.n
kamh/dev
system@ubuntu:~$ /bin/busybox Fixed
Fixed: applet not found
system@ubuntu:~$ rm /.t; rm /.nh; rm /.human
system@ubuntu:~$ rm /sys/.t; rm /sys/.nh; rm /sys/.human
system@ubuntu:~$ rm /proc/.t; rm /proc/.nh; rm /proc/.human
system@ubuntu:~$ rm /dev/.t; rm /dev/.nh; rm /dev/.human
system@ubuntu:~$ rm /dev/pts/.t; rm /dev/pts/.nh; rm /dev/pts/.human
system@ubuntu:~$ rm /run/.t; rm /run/.nh; rm /run/.human
system@ubuntu:~$ rm /.t; rm /.nh; rm /.human
system@ubuntu:~$ rm /dev/shm/.t; rm /dev/shm/.nh; rm /dev/shm/.human
system@ubuntu:~$ rm /run/lock/.t; rm /run/lock/.nh; rm /run/lock/.human
system@ubuntu:~$ rm /proc/sys/fs/binfmt_misc/.t; rm /proc/sys/fs/binfmt_misc/.nh; rm /proc/sys/fs/binfmt_misc/.human
system@ubuntu:~$ rm /boot/.t; rm /boot/.nh; rm /boot/.human
system@ubuntu:~$ rm /home/.t; rm /home/.nh; rm /home/.human
system@ubuntu:~$ rm /proc/sys/fs/binfmt_misc/.t; rm /proc/sys/fs/binfmt_misc/.nh; rm /proc/sys/fs/binfmt_misc/.human
system@ubuntu:~$ rm /dev/.t; rm /dev/.nh; rm /dev/.human
system@ubuntu:~$ cd /
system@ubuntu:/$ /bin/busybox cp /bin/echo bigbotPein; >bigbotPein; /bin/busybox chmod 777 bigbotPein; /bin/busybox Fixed
Fixed: applet not found
system@ubuntu:/$ /bin/busybox cat /bin/echo
cat: /bin/echo: No such file or directory
system@ubuntu:/$ /bin/busybox Fixed
Fixed: applet not found
system@ubuntu:/$ 

これはおそらく話題のMIRAIによるアクセスですね。busyboxの存在しないアプレット名を叩いて「applet not found」を確認する、/proc/mountsを読んで書き込み可能なマウントポイントごとに.nというファイルを作って消す、/bin/echoをコピーして実行ファイルを用意する、という一連の流れが上のログに出ています。 (参考: Typical Mirai log - Pastebin.com)

まとめ

  • git cloneしただけです
  • playlogみてると時間が溶けます
  • ただ、MIRAIっぽいアクセスが多すぎてつまらない
  • なかなか難しいでしょうが、自動じゃない、人力で入力してるっぽいアクセスログを見てみたいですね。