Scripts on the attack server

Linux Version

Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)

System information as of Sat Dec 6 10:18:30 PST 2014

Crontab Entries

High-privilege crontab

One file runs as root every minute:

root@attack:~# crontab -l
...
# For more information see the manual pages of crontab(5) and cron(8)
# 
# m h  dom mon dow   command
*/1 * * * * /var/www/html/crontab/root-crontab

Low-privilege crontab

A second file runs every minute under the non-administrative ftp account:

*/1 * * * * /var/www/html/crontab/ftp-crontab

Contents of crontab scripts

/var/www/html/crontab/root-crontab

#!/bin/bash
# Runs from root's crontab every minute. pgrep exits 1 when no process
# matches, so each block restarts its service only if it is not running.

pgrep apache2
if [ $? -eq 1 ]; then
service apache2 start
fi

pgrep mysql
if [ $? -eq 1 ]; then
service mysql start
fi

# knockd is launched directly rather than through its init script. It captures
# packets with libpcap, which needs root, so this is the copy that matters.
pgrep knockd
if [ $? -eq 1 ]; then
nohup /usr/sbin/knockd -c /etc/knockd.conf &
fi

/var/www/html/crontab/ftp-crontab

#!/bin/bash
# Runs from ftp's crontab every minute. Same pgrep-and-restart pattern as
# root-crontab; the listeners bind unprivileged ports, so ftp can start them.

pgrep listen3000.py
if [ $? -eq 1 ]; then
nohup /var/www/html/init.d/listen3000.py &
fi

pgrep listen3001.py
if [ $? -eq 1 ]; then
nohup /var/www/html/init.d/listen3001.py &
fi

pgrep listen3100.py
if [ $? -eq 1 ]; then
nohup /var/www/html/init.d/listen3100.py &
fi

pgrep listen3200.py
if [ $? -eq 1 ]; then
nohup /var/www/html/init.d/listen3200.py &
fi

pgrep listen3300.py
if [ $? -eq 1 ]; then
nohup /var/www/html/init.d/listen3300.py &
fi

pgrep listen3400.py
if [ $? -eq 1 ]; then
nohup /var/www/html/init.d/listen3400.py &
fi

pgrep listen3500.py
if [ $? -eq 1 ]; then
nohup /var/www/html/init.d/listen3500.py &
fi

pgrep listen5000.py
if [ $? -eq 1 ]; then
nohup /var/www/html/init.d/listen5000.py &
fi

pgrep listen5090.py
if [ $? -eq 1 ]; then
nohup /var/www/html/init.d/listen5090.py &
fi

pgrep listen6000.py
if [ $? -eq 1 ]; then
nohup /var/www/html/init.d/listen6000.py &
fi

pgrep numlisten
if [ $? -eq 1 ]; then
nohup /var/www/html/init.d/numlisten &
fi

# Duplicate of the block in root-crontab. If root's knockd is already running
# pgrep succeeds and nothing happens; if it is not, ftp cannot open the packet
# capture socket knockd needs, so this launch fails. Only the root copy counts.
pgrep knockd
if [ $? -eq 1 ]; then
nohup /usr/sbin/knockd -c /etc/knockd.conf &
fi

Listen.py Scripts

All the listen scripts are similar to this one (listen3000.py):

#!/usr/bin/python

# Listener for CNIT 124 proj 3

# Save as /etc/init.d/listen3000
# run with nohup /etc/init.d/listen3000 &

# Ref: http://odedrabanitips.blogspot.com/2011/11/how-to-run-script-as-service-in-ubuntu.html

# Ref: http://ridingpython.blogspot.com/2011/08/turning-your-python-script-into-linux.html

import socket
s = socket.socket()
# Allow an immediate restart after pkill (as knockd does with listen3003.py);
# without this, bind() fails with "Address already in use" while old
# connections sit in TIME_WAIT.
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(("0.0.0.0", 3000))   # every interface, TCP port 3000

s.listen(5)
while True:
	c, addr = s.accept()
	# print 'Got connection from ', addr
	# Send the banner to whoever connects and hang up; nothing is read back.
	c.send('Congratulations!  You found the hidden service on port 3000!')
	c.close()

Port Knocking

Two SYNs, to port 3100 and then 3700 within 10 seconds (seq_timeout), make knockd run start_command, which launches the listener on port 3003; 10 seconds later (cmd_timeout) stop_command kills it with pkill. Because knockd is started from root's crontab, listen3003.py runs as root.

/etc/knockd.conf

  [options]
        logfile = /var/log/knockd.log

  [openclose3003]
        sequence      = 3100:tcp,3700:tcp
        seq_timeout   = 10
        tcpflags      = syn
        start_command = nohup /var/www/html/init.d/listen3003.py &
        cmd_timeout   = 10
        stop_command  = pkill listen3003.py
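
The knock exchange this rule expects, from the client side, as an added example: it is my code, not part of the original post and not knockd's own. It parses the sequence in knockd.conf syntax, sends the knocks as plain connect() attempts (one SYN each, which is all tcpflags = syn needs), then grabs the banner from the hidden port inside the cmd_timeout window. It goes beyond the rule above by also accepting knockd's bare-port and udp knock forms. The lab server address in the commented line, the function names, and the loopback stand-in listener are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Knock client for the [openclose3003] rule above (added example, not the
post's or knockd's code; server address and helper names are assumptions)."""
import socket
import threading
import time


def parse_sequence(seq):
    """Parse a knockd `sequence` value such as "3100:tcp,3700:tcp".

    knockd also allows a bare port (meaning tcp) and udp knocks; both are
    handled here although this server's rule uses neither.
    Returns [(port, proto), ...] in knock order.
    """
    knocks = []
    for item in seq.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            port, proto = item.split(":", 1)
            proto = proto.strip().lower()
        else:
            port, proto = item, "tcp"
        if proto not in ("tcp", "udp"):
            raise ValueError("unsupported protocol in knock %r" % item)
        knocks.append((int(port), proto))
    if not knocks:
        raise ValueError("empty knock sequence")
    return knocks


def knock(host, knocks, delay=0.2, timeout=1.0):
    """Send the knocks in order; return how many were sent.

    A tcp knock is a connect() attempt: the kernel emits one SYN, and whether
    the port answers, refuses or drops it is irrelevant, so errors are
    ignored. A udp knock is one datagram. The delay keeps the knocks ordered
    on the wire; all of them must land within seq_timeout of the first.
    """
    sent = 0
    for port, proto in knocks:
        if proto == "tcp":
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:
                pass  # refused or filtered: the SYN has already left
            finally:
                s.close()
        else:
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.sendto(b"\x00", (host, port))
            s.close()
        sent += 1
        time.sleep(delay)
    return sent


def fetch_banner(host, port, timeout=3.0):
    """Connect to the hidden port and return whatever the listener sends."""
    with socket.create_connection((host, port), timeout=timeout) as c:
        return c.recv(1024).decode("ascii", "replace")


def open_hidden_service(host, sequence, hidden_port):
    """Knock, then read the banner before cmd_timeout runs stop_command."""
    knock(host, parse_sequence(sequence))
    return fetch_banner(host, hidden_port)


def banner_listener(port, banner):
    """Constructed stand-in for listen3003.py on 127.0.0.1 (port 0 = any free
    port), served from a daemon thread so the client can be run offline.
    Returns the port actually bound."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)

    def serve():
        while True:
            c, _ = srv.accept()
            try:
                c.sendall(banner.encode("ascii"))
            except OSError:
                pass  # client hung up first (a knock-only connect does this)
            c.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Offline run: knock a loopback stand-in, then read its banner.
    p = banner_listener(0, "Congratulations!  You found the hidden service on port 3003!")
    print(open_hidden_service("127.0.0.1", "%d:tcp,%d:udp" % (p, p), p))
    # Against the lab server (address assumed):
    # print(open_hidden_service("192.168.1.100", "3100:tcp,3700:tcp", 3003))
```

Timing is the part that trips people up: seq_timeout counts from the first knock, and cmd_timeout starts when start_command fires, so the connection to 3003 has to arrive within 10 seconds of the second knock or pkill has already removed the listener. Note also that port 3100 is itself a live listener on this server, which is why a plain connect() is used rather than a probe that cares about the reply.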


Posted 12-17-14 4:02 am by Sam Bowne