Hi all,

I was recently reading an interesting article about setting up an SSH honeypot to track malicious activity (article avaliable here http://www.symantec.com/connect/articles/analyzing-malicious-ssh-login-attempts)

The article mentions that after an attacker gained SSH access to a server, they installed an IRC bot. Now, my knowledge of IRC is very limited, but I imagine that this allows the compromised server to listen for future commands.

After thinking about this for a while I realised how clever this is, since it would remain active even if the SSH credentials were altered or the port closed completely. However, the main benifit would be that the attacker could issue a single command to multiple compromised servers simultaneously, and that could be incredibly useful in a non-malicous enviroment.

For example, I have a moderate sized Internet of Things network at home. Being able to communicate with each one at the same time would be amazing compared to open up individual SSH connections. But I am still confused about how this works.

Am I right in thinking that:

  1. There is a central IRC server
  2. Each client can connect to the server and listen for commands
  3. The client grabs the command and executes it as a linux command.

I.e., if I 'said' in my message, "free -m", each client would read the message and copy it to the command console, execute the command, and then maybe send the result back as another message.

If this is the case, does anyone know of any tutorials for this sort of setup? I've looked quite a lot online but can't really find anything useful.


Recommended Answers

All 4 Replies

Your honeypot needs to be a virtual machine that you can shut down and nuke as required. Also, you can block out-going messages (may not be helpful) and still see what the malware perps are trying to do. I'd tell you exactly how to do that, but since I have never done that, I can't tell you exactly how. A quick google/duckduckgo search should get you that info however.

I'm more looking at how I can adapt the IRC network for legitimate purposes, so there would be no need to run on a destructible virtual machine.

I've looked at setting up IRC servers and clients, however, what I cannot find out is how to make the client take the IRC messages and execute them as a terminal command.

So, what is your purpose for this? Are you trying to put together a tool that you can use to manage a pool of systems without the overhead of direct access to each system? Very dangerous, but possibly doable. Your best choice would be irssi - a command-line interface (CLI) IRC client with scripting (using perl) capabilities. Here is a link to their documentation page: https://irssi.org/documentation/

Thanks - I'll take a look. I realise that it could be dangerous, but interesting to try as an experiment.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, learning, and sharing knowledge.