Archive for the ‘Honeypots’ Category
If you build it they will come
Posted in Honeypots, IDS/IPS on 07/17/2010 | 4 Comments »
Thanks to Kippo SSH Honeypot and those who generously have donated their rootkits and bot software, now I have six interesting malware samples to play with. I’ve examined three of these files on an isolated machine and these are my first impressions: People from Western Europe are really bored so they like to write amusing [...]
Kippo SSH Honeypot
Posted in Honeypots on 06/24/2010 | 6 Comments »
Thanks to Lukas Rist’s suggestion I found Kippo SSH Honeypot. Kippo is developed by Upi Tamminen and according to the project’s homepage, “Kippo is inspired, but not based on Kojoney.”, so I decided to give it a try. Kippo setup and installation is quite simple. You only have to download it, uncompress it, edit the [...]
Kojoney – An SSH Honeypot
Posted in Honeypots on 06/08/2010 | 7 Comments »
In the last weeks I’ve been inspecting what kind of traffic is sent to my DSL Router (I will soon post a report) and I’ve found many telnet and ssh connection attempts. I’m very curious about that traffic so I’ve decided to test Kojoney SSH Honeypot. Kojoney was developed by Joxean Koret and there’s a [...]
Amun – Malware detected
Posted in Honeypots on 06/07/2010 | 5 Comments »
Thanks to Amun, 78 malware samples have been collected so far. Unfortunately my ISP has recently blocked ports 135 and 445, so for a while there will be no more attacks on those ports. I wanted to know what kind of malware was downloaded so I used an antivirus. Initially I used ClamAV but 35% of [...]
Glastopf – Init.d script for Debian
Posted in Honeypots on 06/01/2010 | 1 Comment »
I want to share with you this init script for the Glastopf web honeypot in Debian. If you find it useful, let me know. Download. Enjoy! Updated: PDF was not a good storage option for this script, so I have moved the script to Google Code. My apologies to those who found errors using the PDFs.
Glastopf – First experiences
Posted in Honeypots on 05/28/2010 | Leave a Comment »
Hi, I’m back again after being sick for a few days (more than I expected), so I’m sorry but I have had no chance to write a single post. Today I would like to share with you my first impressions about Glastopf. Glastopf is a truly interesting honeypot project but I wasn’t sure that it would report any attack [...]
Amun Honeypot – First analysis
Posted in Honeypots on 05/11/2010 | Leave a Comment »
Hi! According to my Amun logs, the most exploited vulnerabilities are DCOM and MS08-067, so I’ve decided to change my honeypot’s configuration file (amun.conf). I’ve forced my honeypot to look like a Windows machine and so I’ve disabled all but the following vuln_modules: vuln-ms08067, vuln-dcom, vuln-lsass. Now only ports 80 (glastopf), 135 and 445 (amun) [...]
Time for Glastopf
Posted in Honeypots on 05/07/2010 | Leave a Comment »
Now that Amun is running and collecting malware, it’s time for Glastopf to emulate web application vulnerabilities. Developed by Lukas Rist, Glastopf collects information about web application-based attacks such as remote file inclusion, SQL injection, and local file inclusion. It is very easy to install and configure following the instructions available in Glastopf’s [...]
Amun Statistics
Posted in Honeypots on 05/06/2010 | 5 Comments »
Andrew Waite from Infosanity.co.uk has developed several useful scripts to generate statistics for Honeyd and Nepenthes. I have developed amun_submissions_stats.py to generate similar statistics for Amun Honeypot; you can download it from here. I am not a good Python developer so I’ve done my best to modify Andrew’s script for Nepenthes (submissions2stats.py). Here is a [...]
Amun Honeypot’s installation
Posted in Honeypots on 05/05/2010 | 8 Comments »
Installing Amun Honeypot is quite straightforward. In my case I am using a Debian Lenny 5.0 box as a honeypot. I followed these simple steps: Download Amun Honeypot from Sourceforge.net. Move amun-v0.1.9.tar.gz to a directory (in my case I have used /opt). Unzip the file using tar xvfz amun-v0.1.9.tar.gz. Get into /opt/amun. Be sure to [...]