Mirai Botnet User: Pass Tracking

Below is a basic CSV of the number of attempts from the Mirai botnet against one of my VPS servers. The list of usernames and passwords came directly from the Mirai source code on GitHub and is listed in the same order as in the source code. Some interesting observations:

  1. The number of attempts correlates very closely with the order in which the usernames and passwords are listed in the source code
  2. Administrator:admin had no attempts
  3. guest:guest had no attempts
  4. guest:12345 is listed twice in the source code


User,Pass,Number of Attempts
root,xc3511,246
root,vizxv,234
root,admin,215
admin,admin,186
root,888888,116
root,xmhdipc,100
root,default,105
root,juantech,103
root,123456,90
root,54321,110
support,support,94
root,(none),
admin,password,116
root,root,146
root,12345,120
user,user,64
admin,(none),
root,pass,67
admin,admin1234,67
root,1111,68
admin,smcadmin,43
admin,1111,38
root,666666,44
root,password,46
root,1234,41
root,klv123,63
Administrator,admin,
service,service,19
supervisor,supervisor,20
guest,guest,
guest,12345,38
guest,12345,38
admin1,password,23
administrator,1234,16
666666,666666,19
888888,888888,21
ubnt,ubnt,26
root,klv1234,25
root,Zte521,54
root,hi3518,24
root,jvbzd,24
root,anko,95
root,zlxx.,19
root,7ujMko0vizxv,22
root,7ujMko0admin,22
root,system,24
root,ikwb,22
root,dreambox,28
root,user,22
root,realtek,16
root,0,26
admin,1111111,21
admin,1234,19
admin,12345,24
admin,54321,17
admin,123456,22
admin,7ujMko0admin,15
admin,1234,19
admin,pass,24
admin,meinsm,18
tech,tech,14
mother,fucker,6
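As an added example that is not part of the original post, this Python script tests the observations above on a constructed subset of the table: a tie-aware Spearman rank correlation between an entry's position in the source list and the attempts it drew, plus the pairs that were never tried and the pairs listed more than once. The sample rows, column names and function names are my own choices.

```python
import csv
from collections import Counter
from itertools import groupby

# Constructed sample: a subset of the table above in Mirai source order; an empty attempts field means never seen.
SAMPLE_CSV = """User,Pass,Number of Attempts
root,xc3511,246
root,vizxv,234
root,admin,215
admin,admin,186
root,(none),
root,root,146
Administrator,admin,
guest,12345,38
guest,12345,38
tech,tech,14
"""

def parse_rows(text):
    """Rows as (user, password, attempts) in source order; blank -> 0."""
    return [(r["User"], r["Pass"], int(r["Number of Attempts"] or 0))
            for r in csv.DictReader(text.splitlines())]

def average_ranks(values):
    """1-based ranks; tied values share their mean rank."""
    ranks, pos = {}, 1
    for v, grp in groupby(sorted(values)):
        size = len(list(grp))
        ranks[v] = pos + (size - 1) / 2
        pos += size
    return [ranks[v] for v in values]

def spearman(xs, ys):
    """Spearman rho: Pearson correlation of the tie-aware ranks."""
    rx, ry = average_ranks(xs), average_ranks(ys)
    mx, my = sum(rx) / len(rx), sum(ry) / len(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    sx = sum((a - mx) ** 2 for a in rx) ** 0.5
    sy = sum((b - my) ** 2 for b in ry) ** 0.5
    return cov / (sx * sy)

def analyse(text):
    """Check the observations: order correlation, never-tried pairs, duplicates."""
    rows = parse_rows(text)
    # rho near -1: attempts fall off the later a pair sits in the source list
    rho = spearman(list(range(len(rows))), [n for _, _, n in rows])
    unused = [(u, p) for u, p, n in rows if n == 0]
    dupes = sorted(k for k, c in Counter((u, p) for u, p, _ in rows).items() if c > 1)
    return {"rho": round(rho, 3), "unused": unused, "duplicates": dupes}
```

Pointed at the full table above (saved as CSV) it also reports any other pair that appears more than once.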

TelNet Logger and HoneyNetIP Automation

This is a follow-up to my previous post on the initial deployment of TelnetLogger and HoneyNetIPCed. Typically while I do one of these sorts of projects I keep notes at each step; things went a bit differently this time. I was quite giddy while initially setting things up, so it took me a bit to retrace my steps. So let's kick things off.

As usual, let's get things updated and downloaded.

sudo apt-get update -y && sudo apt-get upgrade -y 

If you don't have git installed already, go ahead and knock that out as well. This will also make your life much easier in the future.

sudo apt-get install git -y

As for the two scripts, which directory you clone them into is up to you, but I recommend you clone them into /opt/.

sudo git clone https://github.com/robertdavidgraham/telnetlogger.git
sudo git clone https://github.com/danielmiessler/HoneyCredIPTracker.git

Robert is nice enough to help out some of us newbies with how to get TelnetLogger compiled and ready to go. So the first thing is to change directories to where TelnetLogger resides. Then, as Robert recommends, run the following command.

gcc telnetlogger.c -o telnetlogger -lpthread

If this fails on you make sure you have gcc installed.

sudo apt-get install gcc

Once you have gcc installed and TelnetLogger compiled, you can go ahead and run TelnetLogger and get the output right on your screen. It will also write the information to ips.txt and passwords.txt. Get things up and running with

./telnetlogger

Now we can incorporate the bash script from Daniel Miessler. This is a great addition to the whole process because it cleans up the output from TelnetLogger into sorted lists. In my haste I didn't clone this script directly into the TelnetLogger directory, so I went ahead and edited the script to point to the full file path of the TelnetLogger output. At this point I set up a few cron jobs. Two of them copy the output of TelnetLogger to an archive folder on the same server and the third runs HoneyCredIPTracker.

0 * * * * cp /opt/telnetlogger/ips.txt /telnetlogger_logs/ips-$(date +\%Y.\%m.\%d-\%H.\%M.\%S).txt
0 * * * * cp /opt/telnetlogger/passwords.txt /telnetlogger_logs/passwords-$(date +\%Y.\%m.\%d-\%H.\%M.\%S).txt
0 * * * * /opt/HoneyCredIPTracker/HoneyCredIPTracker.sh

Note that inside a crontab every % has to be escaped as \%, otherwise cron turns it into a newline and the date format breaks, and the script path must be absolute since cron does not run from /.

At this point it was time to automate the startup of TelnetLogger. This was as simple as adding an entry to rc.local.

sudo vi /etc/rc.local

I like to add a note in rc.local so I don’t forget what it is for, so mine looks like the following.

#Start telnet logger
cd /opt/telnetlogger && ./telnetlogger &

The path has to be absolute because rc.local does not run from /opt, changing into /opt/telnetlogger first keeps ips.txt and passwords.txt where the cron jobs above look for them, and the trailing & stops TelnetLogger from blocking the rest of rc.local.

So at this point you could restart the server and all the tasks would kick off and you would get an updated ips.txt and passwords.txt file every hour on the hour. In my case I didn’t want to restart the server because I am concerned with maintaining my current uptime. So in order to start the process and keep it running when I close my terminal I disown the process when I start it.

cd /opt/telnetlogger && ./telnetlogger & disown

At this point it should all be up and running. You can see the output from my servers at the following links:


Sorted IPs

Sorted Passwords

Thanks for taking the time to read this and I hope it was helpful. Let me know if there is anything I should do differently.