PHP Webshells, vBulletin, and Equifax Mode

This is just a quick post about some of the stuff behind an exploit I wrote for CVE-2020-7373. If you want to know more about the vulnerability itself, I’d suggest reading this blog post by zenofex. Effectively the vulnerability gives us a method of executing arbitrary PHP code on a vulnerable vBulletin installation. When I …

Honeypot Detection: SSH Host Keys

In this post I’ll outline a method to detect Cowrie honeypots in both “shell” and “proxy” mode based on SSH Host Keys, post authentication. The method involved is quite simple. It also works on some other honeypots. Firstly, we grab the host’s SSH public key. This can be easily done by using the ssh-keyscan utility. …

Detecting Cowrie in “proxy” Mode

So in “proxy” mode, Cowrie is pretty damn powerful. It proxies you through to a backend pool of live systems or virtual machines. It is god damn awesome. My previous detection methods based on shell stuff don’t work, because you are proxied through to a live system. Also, if you hit the honeypot twice from …

procfs/bash tricks and detecting Cowrie

Yep, I’m messing with Cowrie again. Just a quick post, about another category of post-authentication detection mechanisms I found for Cowrie. These should detect honeypots that the previous hassh trick fails to detect. This time, due to how the “procfs” on Linux works, and some bash fun. There are actually a couple of detection methods …