It’s been about 8 years or so since I ran some honeypots. It’s now time I get back into it, to see what’s new in the world of hackers.
This video shows a bot gaining access to a Cowrie honeypot, a medium- to high-interaction honeypot based on Kippo. The bot attempts to download 2 files and run them in 1 inline command. It fails to execute the binary files.
The bot then checks what architecture it is running on, and attempts to download the binary files a different way: it uses the echo command to write the binary out as plain text and append it to a file. This is a creative way to get a binary onto a server using only a shell.
It then attempts to run them and, obviously, fails: this is a fake environment, and the binary files cannot run in it.
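The echo-and-append trick above leaves every byte of the dropped file in the honeypot's command log, so a defender can rebuild the binary and hash it without ever having let it run. The script below is an added example, not code from the post or from the Cowrie project: it replays `echo -ne '\xNN...' > file` and `>> file` writes from constructed Cowrie-style JSON log lines, reassembles each file per session, and reports size, SHA-256 and whether the result starts with the ELF magic. The log lines are made up for this example, and the field names (`eventid`, `session`, `src_ip`, `input`) are assumed to match Cowrie's `cowrie.command.input` event; check them against your own cowrie.json before pointing it at real logs.

```python
"""Rebuild files an attacker writes with echo -ne '\\x..' > file from honeypot command logs."""
import hashlib
import json
import re

# Constructed Cowrie-style JSON log lines for this example (not taken from the post).
# Field names are assumed to follow Cowrie's cowrie.command.input event.
SAMPLE_LOG = r'''
{"eventid": "cowrie.login.success", "session": "a1b2c3", "src_ip": "203.0.113.9", "username": "root"}
{"eventid": "cowrie.command.input", "session": "a1b2c3", "src_ip": "203.0.113.9", "input": "uname -m"}
{"eventid": "cowrie.command.input", "session": "a1b2c3", "src_ip": "203.0.113.9", "input": "echo -ne '\\x7f\\x45\\x4c\\x46' > /tmp/sshmidori"}
{"eventid": "cowrie.command.input", "session": "a1b2c3", "src_ip": "203.0.113.9", "input": "echo -ne '\\x01\\x01\\x01\\x00' >> /tmp/sshmidori"}
{"eventid": "cowrie.command.input", "session": "a1b2c3", "src_ip": "203.0.113.9", "input": "chmod +x /tmp/sshmidori; /tmp/sshmidori"}
'''

# One echo command writing \xNN escapes into a file via > (truncate) or >> (append).
ECHO_WRITE = re.compile(
    r"echo\s+(?:-[neE]+\s+)*['\"]?((?:\\x[0-9a-fA-F]{2})+)['\"]?\s*(>>?)\s*(\S+)"
)
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_escapes(payload):
    """Turn '\\x7f\\x45' style text into the raw bytes the shell would have written."""
    return bytes(int(h, 16) for h in HEX_ESCAPE.findall(payload))


def reconstruct_echo_drops(log_text):
    """Replay echo-redirect writes per (session, file) and return the rebuilt files."""
    drops = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("eventid") != "cowrie.command.input":
            continue
        # A single input line may chain several echo commands with ; or &&.
        for payload, op, dest in ECHO_WRITE.findall(event["input"]):
            key = (event["session"], dest)
            entry = drops.setdefault(key, {"src_ip": event.get("src_ip"), "data": b"", "chunks": 0})
            chunk = decode_escapes(payload)
            # '>' truncates the file, '>>' appends; mirror the shell's behaviour.
            entry["data"] = chunk if op == ">" else entry["data"] + chunk
            entry["chunks"] += 1
    # Summarise each dropped file: hash for IoC sharing, ELF magic as a triage hint.
    report = {}
    for key, entry in drops.items():
        data = entry["data"]
        report[key] = {
            "src_ip": entry["src_ip"],
            "size": len(data),
            "chunks": entry["chunks"],
            "sha256": hashlib.sha256(data).hexdigest(),
            "is_elf": data.startswith(b"\x7fELF"),
            "data": data,
        }
    return report


if __name__ == "__main__":
    for (session, path), info in reconstruct_echo_drops(SAMPLE_LOG).items():
        print(session, path, info["size"], "bytes", "ELF" if info["is_elf"] else "", info["sha256"])
```

Keying by session as well as path matters because unrelated bots often drop to the same `/tmp` filename; the hash of the reassembled bytes is what you would compare against other sessions or submit to a sandbox.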
To me, I would guess that this SSHMIDORI is an SSH back door: a modified version of SSH that the bot would use to replace the current SSH server on the compromised machine. This would allow an attacker to gain access at any time, and log all passwords and usernames that log into this machine.