
RedPhoenix (@RedPhoenix@aussie.zone)

RedPhoenix,

A medium interaction SSH honeypot backed by a basic LLM that believes it’s bash.

I’m impressed at the ability to retain limited state, and respond ‘reasonably enough’ that it’ll probably allow first stage automated attacks to be captured… but at the moment, it’s way too easy to peer behind the curtain.

It’s quite jarring when your bash terminal starts telling you a story about a happy dragon in response to some weird command.

RedPhoenix,

Yep… sigh


```text
me@somewhere:~$ ssh -p 8022 root@localhost
The authenticity of host '[localhost]:8022 ([127.0.0.1]:8022)' can't be established.
ECDSA key fingerprint is SHA256:W6aKaaaaaaaaaaaaaaaaaaaaaaaa+cvaaaaaaaaaaaw.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[localhost]:8022' (ECDSA) to the list of known hosts.
root@localhost's password: 
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.4-31-generic x86_64)

* Documentation:  https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:        https://ubuntu.com/advantage

54 packages can be updated.
20 updates are security updates.


----------------------------------------------------------------
Ubuntu 16.04.1 LTS                          built 2016-10-10
----------------------------------------------------------------
last login: Sun Nov 19 19:40:44 2017 from 172.99.99.99
root@host:~$ whoami
root
root@host:~$ ls
README log.txt
root@host:~$ cat README
# NOTE: Do not reset this server, as it provides essential services.
root@host:~$ cat log.txt
Mar  3 15:37:01 root kernel: Boot time configuration written to /etc/default/grub
Mar  3 15:37:02 root kernel: Loading initial ram disk images...
Mar  3 15:37:03 root kernel: Linux version 4.9.0-6-amd64 (buildid@Debian) (gcc version 8.2.0 ( Ubuntu 8.2.0-14-ga )) #1 SMP Debian 4.9.141-1 (2017-03-09)
Mar  3 15:37:03 root kernel: Linux command line options: ro root=UUID=6f8e4a7c-35d5-4b2d-93a4-a4335a95f58c rw initramfs-version=4.9.0-6-amd64 rd.driver.video=i915
Mar  3 15:37:03 root kernel: Boot arguments: ro root=UUID=6f8e4a7c-35d5-4b2d-93a4-a4335a95f58c rw initramfs-version=4.9.0-6-amd64 rd.driver.video=i915
Mar  3 15:37:03 root kernel: Kernel arguments: ro root=UUID=6f8e4a7c-35d5-4b2d-93a4-a4335a95f58c rw initramfs-version=4.9.0-6-amd64 rd.driver.video=i915
Mar  3 15:37:03 root kernel: Mounting system...
Mar  3 15:37:03 root kernel: Mounted system...
root@host:~$ echo "testing1234" > somefile.txt
root@host:~$ echo "testing 23456" >> somefile.txt
root@host:~$ cat somefile.txt
testing1234
testing 23456
root@host:~$ echo tell me a story about a dragon
Once upon a time, in a land far, far away, there lived a magnificent dragon named Scorch. Scorch was the most feared creature in all the land, with scales that shone like gold in the sunlight and eyes that glowed like embers. He roamed the countryside, breathing fire and destruction wherever he went, and no one dared to cross...
```
RedPhoenix,

Tempting, but in order to reduce the potential attack surface, I’m likely just to create a simple simulator instead now.

If it’s good enough to fool the first few interactions of an automated script, that’ll probably do. That’ll give me the curl/wget target they’re trying to infect me with, most likely.

It means I can potentially create a single binary docker instance that can be reset practically instantly by deleting/reimporting.
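The "simple simulator" idea above, as an added example (not the commenter's own code): a deterministic fake shell that answers the handful of commands a scripted SSH bot sends first and records any URL passed to curl/wget, instead of handing unknown input to an LLM. The file contents, kernel string and URL are constructed sample data.

```python
import re
import shlex

URL_RE = re.compile(r"https?://[^\s'\"]+")

class FakeShell:
    def __init__(self):
        # In-memory "filesystem": a flat home directory like the one in the transcript.
        self.files = {"README": "# NOTE: Do not reset this server.\n", "log.txt": ""}
        self.captured_urls = []  # download targets seen in curl/wget commands

    def handle(self, line):
        """Return the output the honeypot would print for one command line."""
        try:
            argv = shlex.split(line)
        except ValueError:
            return "bash: syntax error\n"
        if not argv:
            return ""
        # Honour the simple redirections an implant dropper uses: cmd > file / cmd >> file
        redirect = None
        if len(argv) >= 3 and argv[-2] in (">", ">>"):
            redirect, argv = (argv[-1], argv[-2] == ">>"), argv[:-2]
        cmd, args = argv[0], argv[1:]
        if cmd == "whoami":
            out = "root\n"
        elif cmd == "ls":
            out = "  ".join(sorted(self.files)) + "\n"
        elif cmd == "cat":
            out = "".join(self.files.get(a, f"cat: {a}: No such file or directory\n") for a in args)
        elif cmd == "echo":
            out = " ".join(args) + "\n"
        elif cmd in ("curl", "wget"):
            # The payload URL is the thing the honeypot exists to capture; return silently.
            self.captured_urls.extend(URL_RE.findall(line))
            out = ""
        elif cmd == "uname":
            out = "Linux host 4.4.0-31-generic #50-Ubuntu SMP x86_64 GNU/Linux\n"  # constructed
        else:
            # Never free-associate: an unknown command gets bash's own error, not a story.
            out = f"bash: {cmd}: command not found\n"
        if redirect:
            name, append = redirect
            self.files[name] = (self.files.get(name, "") if append else "") + out
            return ""
        return out
```

Wrap `FakeShell.handle` in whatever SSH server library you use (Paramiko, asyncssh) and log `captured_urls` alongside the session; the state is per-connection and resets for free when the instance is recreated.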

RedPhoenix,
  • socat
  • ngrep
  • vim
  • pv
  • htop
  • jq

Generally, everything else I need is there by default depending on the distro.

Home workstation-wise… maybe:

  • meld
  • kdenlive
  • openscad
  • Qtvlm, zygrib and OpenCPN
  • gimp extras
  • golang
  • Inkscape
  • Wireshark
  • audacity