Was bored, decided to make a simple honeypot - sharing results

PornoSatan

So with everyone behind firewalls these days that autoblock unsolicited requests, I was kinda curious what actually is going on if you 'expose' a system to the net. These are the results.

I made this little script which binds netcat to a port, and when someone connects, it sends them a message from that port's "banner" file. It then records the response. It's essentially my way of emulating various services.

Code:
#!/bin/bash
# Usage: ./honeypot.sh PORT
# Binds nc to PORT, sends the banner from /root/banners/PORT.txt to whoever
# connects, and appends whatever they send back to /root/banners/PORT.log.
PORT=$1
if [ -z "$PORT" ]; then
	echo "usage: $0 PORT" >&2
	exit 1
fi
i=1
NC=$(which nc)
BDIR='/root/banners'
LOG="$BDIR/$PORT.log"
mkdir -p "$BDIR"
if [ ! -f "$BDIR/$PORT.txt" ]; then
	echo "Banner file $PORT.txt not found, creating default"
	echo default >> "$BDIR/$PORT.txt"
fi

BANNER=$(cat "$BDIR/$PORT.txt")
# Each pass handles one connection (nc exits when the client disconnects),
# so the loop serves 10 connections and then the script ends.
while [ "$i" -lt 10 ]; do
	echo "----------------------------------------" >> "$LOG"
	# Traditional netcat syntax: -l listen, -n no DNS, -v prints the
	# "listening on"/"connect to" lines on stderr, so stderr goes to the
	# same log as the client's input. Quoting keeps the banner's \r\n intact.
	echo -e "$BANNER" | "$NC" -l -n -v -p "$PORT" >> "$LOG" 2>&1
	echo "Connection attempt on: $PORT at $(date '+%a %b %d %r')"
	echo >> "$LOG"
	echo "Attempted on: $(date '+%a %b %d %r')" >> "$LOG"
	echo "----------------------------------------" >> "$LOG"
	i=$((i+1))
done


Example of my telnet banner file (fake login prompt):

Code:
Debian GNU/Linux 6 brofist tty1\r\n\r\nbrofist login:

Logs for telnet:

Code:
----------------------------------------
listening on [any] 23 ...
connect to [192.168.1.107] from (UNKNOWN) [190.128.5.98] 41513
admin
admin
sh

Attempted on: Wed Jul 03 06:42:25 AM
----------------------------------------

----------------------------------------
listening on [any] 23 ...
connect to [192.168.1.107] from (UNKNOWN) [65.170.233.196] 4012
root
admin

Attempted on: Wed Jul 03 08:54:29 AM
----------------------------------------

----------------------------------------
listening on [any] 23 ...
connect to [192.168.1.107] from (UNKNOWN) [37.113.87.216] 49582

Attempted on: Wed Jul 03 10:45:00 AM
----------------------------------------

----------------------------------------
listening on [any] 23 ...
connect to [192.168.1.107] from (UNKNOWN) [86.6.209.222] 42479

Attempted on: Wed Jul 03 10:45:04 AM
----------------------------------------

----------------------------------------
listening on [any] 23 ...
connect to [192.168.1.107] from (UNKNOWN) [60.240.111.47] 53608

Attempted on: Wed Jul 03 10:48:01 AM
----------------------------------------

----------------------------------------
listening on [any] 23 ...
connect to [192.168.1.107] from (UNKNOWN) [60.240.111.47] 35547
root
root

Attempted on: Wed Jul 03 10:55:06 AM
----------------------------------------

----------------------------------------
listening on [any] 23 ...
connect to [192.168.1.107] from (UNKNOWN) [75.92.71.3] 43929

Attempted on: Wed Jul 03 05:45:27 PM
----------------------------------------

----------------------------------------
listening on [any] 23 ...
connect to [192.168.1.107] from (UNKNOWN) [75.92.71.3] 47477
root
root

Attempted on: Wed Jul 03 05:57:58 PM
connect to [192.168.1.107] from (UNKNOWN) [175.205.156.30] 2848

Attempted on: Mon Jul 08 06:20:06 AM
----------------------------------------

----------------------------------------
listening on [any] 23 ...
connect to [192.168.1.107] from (UNKNOWN) [114.253.103.38] 1534

Attempted on: Mon Jul 08 06:22:01 AM
----------------------------------------

----------------------------------------
listening on [any] 23 ...
connect to [192.168.1.107] from (UNKNOWN) [175.205.156.30] 4865
root
dreambox

Attempted on: Mon Jul 08 06:32:00 AM
----------------------------------------

The last entry is interesting; it turns out that's a default set of credentials for some German TV set-top box that runs Linux.


Fake web server (port 80) logs:

Code:
----------------------------------------
listening on [any] 80 ...
connect to [192.168.1.107] from (UNKNOWN) [98.210.100.233] 51406
xŽÕ	ºN/YÐ
îH
îë«|
ÛïvyU¨F'Ó@HMuN
ßdÜgRYî7ՁÀ]{!
Attempted on: Mon Jul 08 04:45:20 AM
----------------------------------------

----------------------------------------
listening on [any] 80 ...
connect to [192.168.1.107] from (UNKNOWN) [115.238.185.136] 33119
GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: ZmEu
Host: 
Connection: Close


Attempted on: Mon Jul 08 08:45:09 AM
----------------------------------------

----------------------------------------
listening on [any] 80 ...
connect to [192.168.1.107] from (UNKNOWN) [115.238.185.136] 35641
GET /pma/scripts/setup.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: ZmEu
Host: 
Connection: Close


Attempted on: Mon Jul 08 08:45:15 AM
----------------------------------------

----------------------------------------
listening on [any] 80 ...
connect to [192.168.1.107] from (UNKNOWN) [115.238.185.136] 36221
GET /MyAdmin/scripts/setup.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: ZmEu
Host: 
Connection: Close


Attempted on: Mon Jul 08 08:45:21 AM
----------------------------------------

----------------------------------------
listening on [any] 80 ...
connect to [192.168.1.107] from (UNKNOWN) [115.238.185.136] 36347
GET /admin/scripts/setup.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: ZmEu
Host: 
Connection: Close


Attempted on: Mon Jul 08 08:45:27 AM
----------------------------------------

Various presumably automated attempts at breaking into badly configured servers. That w00tw00t one is kinda funny though.


Fake web proxy (port 8080) logs:

Code:
----------------------------------------
listening on [any] 8080 ...
connect to [192.168.1.107] from (UNKNOWN) [183.60.48.25] 42384
GET http://www.baidu.com/ HTTP/1.1
Host: www.baidu.com
Accept: */*
Content-Type: text/html
Proxy-Connection: Keep-Alive
Content-length: 0


----------------------------------------
listening on [any] 8080 ...
connect to [192.168.1.107] from (UNKNOWN) [183.60.48.25] 50230
CONNECT tcpconn2.tencent.com:443 HTTP/1.1
Host: tcpconn2.tencent.com:443
Accept: */*
Content-Type: text/html
Proxy-Connection: Keep-Alive
Content-length: 0


Attempted on: Tue Jul 02 10:42:33 AM
----------------------------------------
----------------------------------------
listening on [any] 8080 ...
connect to [192.168.1.107] from (UNKNOWN) [183.60.48.25] 43704
CONNECT tcpconn2.tencent.com:443 HTTP/1.1
Host: tcpconn2.tencent.com:443
Accept: */*
Content-Type: text/html
Proxy-Connection: Keep-Alive
Content-length: 0


Attempted on: Tue Jul 02 03:17:53 PM
----------------------------------------
----------------------------------------
listening on [any] 8080 ...
connect to [192.168.1.107] from (UNKNOWN) [60.173.11.153] 2418
GET /manager/html HTTP/1.1
Content-Type: text/html
Host: 
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Authorization: Basic Og==


Attempted on: Tue Jul 02 07:02:05 PM
----------------------------------------
----------------------------------------
listening on [any] 8080 ...
connect to [192.168.1.107] from (UNKNOWN) [60.173.11.153] 1994
GET /manager/html HTTP/1.1
Content-Type: text/html
Host: 
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Authorization: Basic Og==


Attempted on: Tue Jul 02 07:04:17 PM
----------------------------------------
----------------------------------------
listening on [any] 8080 ...
connect to [192.168.1.107] from (UNKNOWN) [60.173.11.153] 1800
GET /manager/html HTTP/1.1
Content-Type: text/html
Host: 
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Authorization: Basic Og=
Attempted on: Tue Jul 02 07:09:36 PM
----------------------------------------

A lot of Chinese users scanning my IP range and attempting to connect through my fake proxy to "Baidu", a Chinese search engine. Also a couple of attempts at getting access to badly configured web servers (i.e. GET /manager/html).


Anyways, thought it was kinda interesting and figured you all might like to know the various types of shit going on to boxes exposed to the net.
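A small parser for the PORT.log files that script writes, added here as an example and not code from the original post: it starts a new record at every "connect to" line that nc -v emits (so a merged entry like the telnet one with two connects in one block still comes out as two connections) and counts the username/password pairs tried against the fake telnet login. The sample log text and its addresses are constructed, not taken from the thread.

```python
import re
from collections import Counter

# Constructed sample in the layout the nc loop appends to PORT.log, including
# a second "connect to" landing inside one record (as in the telnet log above).
SAMPLE_LOG = """----------------------------------------
listening on [any] 23 ...
connect to [192.0.2.1] from (UNKNOWN) [198.51.100.7] 41513
admin
admin
sh

Attempted on: Wed Jul 03 06:42:25 AM
connect to [192.0.2.1] from (UNKNOWN) [203.0.113.44] 2848
root
dreambox

Attempted on: Mon Jul 08 06:32:00 AM
----------------------------------------
"""
CONNECT = re.compile(r"^connect to \[[^\]]+\] from \(\S+\) \[([^\]]+)\] (\d+)$")
LISTEN = re.compile(r"^listening on \[any\] (\d+) ")
ATTEMPT = re.compile(r"^Attempted on: (.+)$")

def parse_log(text):
    """One record per 'connect to' line: source, listening port, lines sent, timestamp."""
    records, port, cur = [], None, None
    for line in text.splitlines():
        if line.startswith("------") or not line.strip():
            continue                          # separators and padding lines
        if m := LISTEN.match(line):
            port = int(m.group(1))
        elif m := CONNECT.match(line):        # a new record, separator or not
            cur = {"src": m.group(1), "sport": int(m.group(2)),
                   "port": port, "sent": [], "when": None}
            records.append(cur)
        elif (m := ATTEMPT.match(line)) and cur:
            cur["when"] = m.group(1)
        elif cur is not None:
            cur["sent"].append(line)          # whatever the client typed
    return records

def credential_pairs(records):
    """Fake telnet login: first two lines sent are the user/password tried."""
    pairs = Counter()
    for r in records:
        if r["port"] == 23 and len(r["sent"]) >= 2:
            pairs[(r["sent"][0], r["sent"][1])] += 1
    return pairs
```

Point it at the real /root/banners/23.log and the most_common() of the counter is the list of default credentials scanners expect to work on your IP range.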
 
nice one

I used to have one that would record the IP, ban the IP, then post that IP to a Twitter feed :D
 
Always fun stuff to play around with. It surprises me to some extent that people are even trying these things anymore. I assume they must be pretty successful in order to keep it up. Just boggles me that such trivial things are still an issue in this day and age I suppose. I have seen some pretty appalling things open to the web however, live web cams and printers especially.

nice one

I used to have one that would record the IP, ban the IP, then post that IP to a Twitter feed :D

That's always fun. :D
 
Yep, it's crazy the amount of attacks out there. What's fun is leaving a PC on with SSH access on the default port with root access enabled and a standard alphanumeric 8-character password. Ideally just a simple dictionary word or something.

Give it a few hours and it will be brute forced. Shows the importance of brute force protection measures such as fail2ban.
 