Archive for March, 2012

Tor exit node used for attack

Wednesday, March 21st, 2012

One recent reply to a kippo-attack complaint explained that the attacking IP is a Tor exit node.

Of course there is no way for us to find the real attacker when he/she is using Tor to make this attack. Sad that this important service is abused in this way.

The system you have identified ( / is an exit node on the Tor network. Tor is a distributed cryptographic anonymizing proxy service. The network traffic you detected was merely relayed through this system, and did not originate there. It is not possible to trace these connections back to their original source.

sshd complaints – update

Wednesday, March 14th, 2012

The automatic complaint mechanism is now active. An X-ARF complaint is generated
for each session where a successful login into the kippo honeypot produced some
recorded commands. The email address the complaint is sent to is determined
as always: check our own database, check the RIPE website and check abusix.
Here is an example of the second MIME part:

MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf8"; name="report.yaml"

Category: abuse
Report-Type: login-attack
Destination-System: kippo – sshd honeypot
User-Agent: PHREAK 1.3
Date: 2012-03-14 03:45:28
Service: sshd
Port: 22
Source: 89.129.**.** (obfuscated)
Source-Type: ipv4
Attachment: text/plain
Version: 1.0.1

and the third MIME part looks like this:

MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf8"; name="command.txt"

recorded commands during this session:

uname -a
tar zxvf udp.tgz
rm -rf udp.tgz
chmod +x *


Friday, March 9th, 2012

I am pretty close to starting to send out complaints
for successful sshd logins on my kippo honeypot.
The X-ARF part is ready. I decided to add the recorded
commands in the 3rd MIME part. The ttylog could also
be useful, but the receiver of the complaint is probably
not so interested in starting the playlog utility for
each complaint.
I still need to implement a database check so that receivers
only get a handful of complaints and are not overwhelmed by the
number of complaints.
Additionally the caught IPs will be added to our blacklist,
just like the attacks caught by nepenthes.
Dionaea attacks will come next 🙂
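As an added example that is not kippo's code and not the author's complaint script: the block below assembles a three-part X-ARF complaint in the shape shown in the March 14th post (readable text, report.yaml, command.txt) and gates it with the kind of per-receiver database check the March 9th post says is still missing. It assumes the abuse address has already been looked up (the database/RIPE/abusix lookup is not reproduced), a constructed session record, the reporter name "PHREAK 1.3" copied from the sample, and a limit of 3 complaints per abuse contact per day as the meaning of "a handful".

```python
"""Added example (not kippo's code and not the author's complaint script):
assemble a three-part X-ARF complaint in the shape the posts show, and gate
it with the per-receiver database check the March 9th post describes.
Assumptions: the abuse address has already been looked up, the session
record layout, the reporter name "PHREAK 1.3" copied from the sample, and a
limit of 3 complaints per abuse contact per day."""
import email.utils
import sqlite3
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed sample session; kippo's real database schema is not reproduced here.
SESSION = {
    "src_ip": "198.51.100.23",  # RFC 5737 documentation address
    "start": "2012-03-14 03:45:28",
    "commands": ["uname -a", "tar zxvf udp.tgz", "rm -rf udp.tgz", "chmod +x *"],
}
MAX_PER_CONTACT_PER_DAY = 3  # assumed value for "a handful"


def report_yaml(session):
    """Second MIME part: the machine-readable report, field for field as in the post."""
    fields = [
        ("Category", "abuse"),
        ("Report-Type", "login-attack"),
        ("Destination-System", "kippo - sshd honeypot"),
        ("User-Agent", "PHREAK 1.3"),
        ("Date", session["start"]),
        ("Service", "sshd"),
        ("Port", "22"),
        ("Source", session["src_ip"]),
        ("Source-Type", "ipv4"),
        ("Attachment", "text/plain"),
        ("Version", "1.0.1"),
    ]
    return "".join(f"{k}: {v}\n" for k, v in fields)


def command_txt(session):
    """Third MIME part: the commands kippo recorded during the session."""
    return "recorded commands during this session:\n\n" + "\n".join(session["commands"]) + "\n"


def build_complaint(session, abuse_addr, sender="abuse-reports@example.org"):
    """Return the multipart/mixed complaint: readable text, report.yaml, command.txt."""
    msg = MIMEMultipart("mixed")
    msg["From"] = sender
    msg["To"] = abuse_addr
    msg["Date"] = email.utils.formatdate(localtime=True)
    msg["Subject"] = f"abuse report about {session['src_ip']} - {session['start']}"
    msg["X-ARF"] = "YES"  # flag header from the X-ARF spec; adjust if a receiver expects otherwise
    intro = (f"{session['src_ip']} logged into our ssh honeypot at {session['start']} "
             "and ran the commands attached as command.txt. Machine-readable details "
             "are in report.yaml.\n")
    msg.attach(MIMEText(intro, "plain"))          # ASCII text stays 7bit, as in the sample
    report = MIMEText(report_yaml(session), "plain")
    report.set_param("name", "report.yaml")       # Content-Type: text/plain; name="report.yaml"
    msg.attach(report)
    commands = MIMEText(command_txt(session), "plain")
    commands.set_param("name", "command.txt")
    msg.attach(commands)
    return msg


def open_db():
    """In-memory table of complaints already sent (use a file-backed database in real use)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sent (abuse_addr TEXT, src_ip TEXT, day TEXT)")
    return db


def should_send(db, abuse_addr, src_ip, day):
    """True if this IP was not already reported today and the receiver is under the daily limit."""
    (dup,) = db.execute("SELECT COUNT(*) FROM sent WHERE src_ip=? AND day=?",
                        (src_ip, day)).fetchone()
    (n,) = db.execute("SELECT COUNT(*) FROM sent WHERE abuse_addr=? AND day=?",
                      (abuse_addr, day)).fetchone()
    return dup == 0 and n < MAX_PER_CONTACT_PER_DAY


def record_sent(db, abuse_addr, src_ip, day):
    """Remember a sent complaint so the next should_send() call counts it."""
    db.execute("INSERT INTO sent VALUES (?, ?, ?)", (abuse_addr, src_ip, day))
    db.commit()


if __name__ == "__main__":
    db = open_db()
    day = SESSION["start"][:10]
    if should_send(db, "abuse@example.net", SESSION["src_ip"], day):
        print(build_complaint(SESSION, "abuse@example.net").as_string())
        record_sent(db, "abuse@example.net", SESSION["src_ip"], day)
```

The check keys on the abuse contact rather than on the source IP alone, so a provider with many compromised hosts still receives at most the daily limit, and a host already reported that day is not reported twice; the actual sending (SMTP) and the lookup of the abuse address are left out.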