Wading through the chaos and confusion of cybersecurity attacks can sometimes feel reminiscent of old-school detective crime shows. Often, you need more than one viewpoint to successfully crack a case. Just look at Starsky and Hutch—this duo’s problem-solving skills became unmatched when they successfully combined Starsky’s streetwise, brash manner with Hutch’s quiet intellect. For internet-related cases in particular, we can call on the unique strengths of Rapid7 Labs’ Project Sonar and Project Heisenberg.
Heisenberg is a collection of low- to medium-level honeypots distributed both geographically and in the cloud-oriented IPv4 space. The honeypots allow us to passively collect data that helps us understand attackers’ methods and patterns. Project Sonar, on the other hand, allows us to conduct internet-wide scans to investigate the global exposure of vulnerabilities.
In this post, we will explore how data from both projects can be combined to offer a clearer picture of attackers’ activities. Specifically, we will look into TCP Port 2004, which was chosen after observing scan and probe attempts using Rapid7’s Early Warning System. We discovered the patterns on 2004 are related to Webuzo, which is a software application used for the deployment of web services.
Hutch and Heisenberg
Heisenberg passively records metadata related to all requests, including source IP address, destination port, and protocol, among other data. With this honeypot data, we can look at the set of ports a single IP address tried to access during an arbitrary timespan.
This investigation looks at data grouped together by day. If we treat the set of ports as a fingerprint, we can then get statistics on groups of different fingerprints. One analysis we can perform is looking at the number of IP addresses per fingerprint for a given day.
The top 25 fingerprints on July 17 are shown below in Figure 1. Unsurprisingly, SMB, Telnet, and HTTP ports are at the top of the list. Something interesting that pops out, though, is the fingerprint [80, 81, 2004, 8080, 8888]. Ports 80, 81, 8080, and 8888 are most likely HTTP-related, but what is Port 2004?
|271||[80, 81, 2004, 8080, 8888]|
Figure 1: The number of IPs probing for a specific fingerprint on July 17, 2018.
Looking a little deeper at all fingerprints with 2004 in them, we see that 2004 is queried either with sequential port scanners or along with HTTP ports.
|271||[80, 81, 2004, 8080, 8888]|
|3||[80, 81, 2004, 8888]|
|1||[1000, 1001, 1002, 1003, 1004, 1005, 1006,....]|
|1||[80, 81, 2004, 8080]|
|1||[81, 2004, 8080, 8888]|
|1||[1000, 1001, 1002, 1003, 1004, 1005, 1006, ...]|
Figure 2: Number of IPs for fingerprints with Port 2004 in them.
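The port-set fingerprinting described above, as an added example that is not Rapid7's own code. The event layout (day, source IP, destination port) and the sample records are constructed for illustration; addresses come from documentation ranges.

```python
from collections import Counter, defaultdict


def hits(day, ip, ports):
    """Expand one source's probes into (day, source IP, destination port) rows."""
    return [(day, ip, p) for p in ports]


# Constructed sample of honeypot connection metadata (not real Heisenberg data).
EVENTS = (
    hits("2018-07-17", "192.0.2.10", [80, 81, 2004, 8080, 8888, 80])  # repeat hit on 80
    + hits("2018-07-17", "192.0.2.11", [8888, 8080, 2004, 81, 80])    # same set, other order
    + hits("2018-07-17", "192.0.2.12", [80, 81, 2004, 8888])
    + hits("2018-07-17", "198.51.100.7", [445])
    + hits("2018-07-17", "198.51.100.8", [445])
    + hits("2018-07-17", "198.51.100.9", [23])
    + hits("2018-07-18", "192.0.2.10", [22])                          # next day, new fingerprint
)


def fingerprints_by_day(events):
    """Map day -> {source IP -> sorted tuple of distinct destination ports}."""
    ports = defaultdict(lambda: defaultdict(set))
    for day, src, dport in events:
        ports[day][src].add(dport)
    return {day: {src: tuple(sorted(p)) for src, p in by_ip.items()}
            for day, by_ip in ports.items()}


def ips_per_fingerprint(events, day):
    """Count distinct source IPs sharing each port-set fingerprint on one day."""
    return Counter(fingerprints_by_day(events).get(day, {}).values())


def fingerprints_with_port(counts, port):
    """Keep only fingerprints that contain `port`, most common first."""
    return [(fp, n) for fp, n in counts.most_common() if port in fp]


if __name__ == "__main__":
    counts = ips_per_fingerprint(EVENTS, "2018-07-17")
    for fp, n in fingerprints_with_port(counts, 2004):
        print(n, list(fp))
```

Using a sorted tuple of distinct ports makes the fingerprint independent of probe order and repeat hits, so two scanners running the same port list collapse into one row.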
The honeypots save the data that was sent with initial requests. Looking at this data, we see these probes seem to be searching for
Figure 3: Data being sent to Heisenberg on Port 2004.
GET /install.php HTTP/1.1
Connection: Keep-Alive
Keep-Alive: 300
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Host: 35.199.41.164

GET / HTTP/1.1
Host: 54.169.210.117:2004
Connection: close
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Figure 4: Some of the Heisenberg results shown in greater detail.
Starsky and Sonar
This is the picture that emerges with the Heisenberg data. Let’s see what we can now discover with Project Sonar, which luckily lets us run studies for specific ports. We ran an HTTP GET study for Port 2004 to see whether that produced any leads.
Project Sonar produces json.gz files for its GET studies. For examples, you can look at the latest Sonar HTTPS GET public datasets, available here. With this data, we can use something such as Apache Drill to get the table below, which is a count of the different “server” header fields returned in the response area.
|240||WebSphere Application Server/7.0|
|161||Linux/2.x UPnP/1.0 Avtech/1.0|
Figure 5: Count of IPs that responded on Port 2004 by the "server" header field.
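The "server" header count described above can also be produced without Apache Drill. The following is an added example, not code from the original post; it assumes each line of the json.gz file is a JSON object with `ip`, `port` and a base64-encoded raw HTTP response in `data`, and it runs on constructed sample records.

```python
import base64, gzip, io, json
from collections import Counter


def server_header(raw_response: bytes) -> str:
    """Return the Server header of a raw HTTP response, or '' if absent."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]      # ignore the body
    for line in head.split(b"\r\n")[1:]:              # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return ""


def count_servers(gz_stream, port):
    """Count distinct IPs per Server header in a gzip'd JSON-lines study."""
    seen = {}
    with gzip.open(gz_stream, "rt", encoding="utf-8") as fh:
        for line in fh:
            try:
                rec = json.loads(line)
                ip, rport = rec["ip"], int(rec["port"])
                raw = base64.b64decode(rec["data"])   # assumed field name
            except (ValueError, KeyError, TypeError):
                continue                              # skip malformed records
            if rport == port:
                seen[ip] = server_header(raw)         # one vote per IP
    return Counter(seen.values())


def make_sample():
    """Constructed records in the assumed layout, gzip'd in memory."""
    def rec(ip, server):
        hdr = f"Server: {server}\r\n" if server else ""
        resp = f"HTTP/1.1 200 OK\r\n{hdr}Content-Length: 0\r\n\r\n".encode()
        return json.dumps({"ip": ip, "port": 2004,
                           "data": base64.b64encode(resp).decode()})
    lines = [rec("192.0.2.1", "WebSphere Application Server/7.0"),
             rec("192.0.2.2", "WebSphere Application Server/7.0"),
             rec("192.0.2.3", "Linux/2.x UPnP/1.0 Avtech/1.0"),
             rec("192.0.2.4", None),                  # response without a Server header
             "not json"]                              # truncated or corrupt line
    return io.BytesIO(gzip.compress("\n".join(lines).encode()))


if __name__ == "__main__":
    for server, n in count_servers(make_sample(), 2004).most_common():
        print(n, server or "(no Server header)")
```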
Here, we see that Webuzo seems to have the highest count. It turns out that Webuzo is software from Softaculous that allows you to deploy web apps such as WordPress, Drupal, and web app stacks (i.e., LAMP) on the cloud or virtual machines. Looking at its documentation, it appears its admin panel runs on Port 2004. Looking deeper, it seems its admin panel has a launch API that allows users to install and configure these machines remotely. Here is a snippet of the commands the API uses:
curl 'http://18.104.22.168:2004/install.php?prepareapps=lamp&license=WEBUZO-0000-0000-0000-0000'
curl 'http://22.214.171.124:2004/install.php?prepareinstall=26&license=WEBUZO-0000-0000-0000-0000'
curl 'http://126.96.36.199:2004/install.php?onlyone=26'
curl --data "firstname.lastname@example.org&pass=password&rpass=password&domain=example.com&ns1=ns1.example.com&ns2=ns2.example.com&lic=WEBUZOemail@example.com&submit=1&api=serialize" http://188.8.131.52:2004/install.php
Notice that the URL is similar to the data seen in Heisenberg honeypot data! It looks like the scanners are trying to figure out which IPs on the internet are running Webuzo’s admin panel. Attackers could use this information to then try to access the API with a list of default usernames and passwords in an attempt at remote execution.
Figure 6: A world tile map based on the IP’s geographical information shows that the majority of the Webuzo apps exist in the United States and Europe.
In conclusion, we’ve shown how Project Heisenberg and Project Sonar data can be used together. By observing attackers’ access patterns on the Heisenberg honeypots, we were able to notice behavior on a strange port. Using that data, we could recognize its behavior is related to other HTTP ports and the data that was being sent. We then used Project Sonar to further inform our investigation by looking at global HTTP exposure on the specific port. With this, we were able to fully realize what the attackers were up to in the first place.
For more information on these projects and datasets, visit Rapid7 Open Data.