An ssh honeypot with the XZ backdoor. CVE-2024-3094
An ssh honeypot with the XZ backdoor. CVE-2024-3094
TODO: hook the backdoor and/or sshd. log rsa keys for decryption.
notes:
PLEASE run this on a separate isolated system. Docker is configured in a way that allows a threat actor to easily escape it. Docker is only used to get all the shared libraries working and configured.
Install notify by projectdiscovery using the following command:
go install -v github.com/projectdiscovery/notify/cmd/notify@latest
Run the following command to start the honeypot:
./monitor.sh DISCORD_WEBHOOK_URL
e.g.
./monitor.sh https://discord.com/api/webhooks/12345678909876/aaaaaaaa
This will use notify to send all logs to a discord webhook.
The vulnerable version of xz (5.6.1) and the liblzma linked version of sshd from the fedora repositories are ran in the configuration that activates the backdoor. Monitoring is provided by bpftrace
, strace
, tcpdump
, and the sshd
process itself.
bpftrace
strace
sshd
process.tcpdump
sshd
set_log_mask
to change the logging behaviour when the attacker attempts to login)