Archive for the ‘Honeypots’ Category

Thanks to Kippo SSH Honeypot and those who generously have donated their rootkits and bot software, now I have six interesting malware samples to play with.

I’ve examined three of these files on an isolated machine and these are my first impressions:

  1. People from Western Europe are really bored so they like to write amusing programs
  2. The programs contain funny messages like “We are ROOT, we are deleting the logs,  let’s download evil files…”
  3. They love IRC channels and writing their own versions of ps, top, netstat, ls…

Now I’m preparing my first malware lab to analyze these samples seriously in a protected environment and that’s why I’m testing Samhain Host IDS and working on a network server with DNS, SMTP, HTTP and IRC to simulate a real network, so stay tuned! Any suggestions for this lab are welcomed.

P.S: I’m preparing a new version of the Suricata How-To. I hope you’ve found it useful.

P.S #2: I can´t believe we won the Fifa World Cup! 🙂


Read Full Post »

Kippo SSH Honeypot

Thanks to Lukas Rist’s suggestion I found Kippo SSH Honeypot. Kippo is developed by Upi Tamminen and according to the project’s homepage, “Kippo is inspired, but not based on Kojoney.”, so I decided to give it a try.

Kippo setup and installation is quite simple. You only have to download it, uncompress it, edit the kippo.cfg file (I changed the hostname) and run it with ./start.sh

Kippo has great features. It emulates a Debian 5.0 filesystem, implements interesting shell commands and it allows the attacker to download files with wget, but what I really love is that it records the attacker session in a way that you can play it back later to analyze it. If anyone is interested, I can upload the session logs.

Updated: Please read mig5’s comments for this post for more great information and impressions about Kippo!

My honeypot has recorded three long sessions and these are the most frequent commands used by the attackers:

  • Implemented by Kippo: w, ls, cd, uptime, cat /proc/cpuinfo, uname -a, passwd (but it shows that passwords mismatch :-D), wget…
  • Not implemented by Kippo: cat /etc/issue, cat /proc/version, adduser…

So far the attackers have downloaded three files that I will examine in the following days but a quick inspection shows that one of the files contains a kit to convert a host into a Flood bot. It seems promising.

I really recommend you this honeypot if you want a didactic tool.

Have fun!

Read Full Post »

In the last weeks I’ve been inspecting what kind of traffic is sent to my DSL Router (I will soon post a report) and I’ve found many telnet and ssh connection attempts. I’m very curious about that traffic so I’ve decided to test Kojoney SSH Honeypot. Kojoney was developed by Joxean Koret and there’s a good post about it at madirish.net.

Kojoney installation is very easy and well-documented. In my case I have followed this steps:

  • apt-get install build-essential python python-dev
  • wget http://downloads.sourceforge.net/project/kojoney/kojoney-
  • tar xvfz kojoney-
  • cd kojoney
  • sh INSTALL.sh
  • You will have to accept the licence and answer some final questions about running automatically at boot time (it will install an init.d script).
  • Thanks to mig5: the script will try to guess where man is installed but in Debian it will fail so you will have to specifythe path (/usr/share/man/man1 on Debian)
  • If you want to change SSH listening port edit /usr/share/kojoney/coret_config.py and change  ROOT_CONFIG_PORTS

Kojoney offers valuable report tools, so I will share with you the results in the following days.

Have fun!

Read Full Post »

Thanks to Amun, 78 malware samples have been currently collected. Unfortunately my ISP has recently blocked ports 135 and 445, so for a while there will be no more attacks for that ports.

I wanted to know what kind of malware was downloaded so I used an antivirus. Initially I used ClamAV but 35% of the files looked ok (weird) so I then tried Avast which detected 97% of the files as malware though 32% were detected as generic malware. Rbot-GNZ and Virtob are the winners!

If you are running Amun or Dionaea I would like to know what kind of malware you have collected 😀

Read Full Post »

I want to share with you this init script for Glatopf web honeypot in Debian. If you find it useful let me know 🙂



Updated: PDF was not a good storage option for this script, so I have moved the script to Google Code. My apologies for those who found errors using the PDFs

Read Full Post »

I’m back again after being sick for a few days (more than I expected) so I’m sorry but I have no chance to write a single post.

Today I would like to share with you my first impressions about glastopf.  Glastopf is a truly interesting honeypot project but I wasn´t sure that it would report any attack because I thought that my honeypot server wasn´t interesting enough for hackers (even though Glastopf uses a Google dork list to provide more attack vectors).

According to the logs PHPMyAdmin is an interesting target. The attacker tried to get access to the following:

  • /phpMyAdmin/scripts/setup.php
  • /phpmyadmin/scripts/setup.php
  • /phpmyadmin/config/config.inc.php?p=phpinfo();
  • /pma/config/config.inc.php?p=phpinfo();
  • /phpmyadmin/config/config.inc.php?p=phpinfo();
  • /php-my-admin/config/config.inc.php?p=phpinfo();
  • /phpMyAdmin/config/config.inc.php?p=phpinfo();

I will keep watching the logs and I will inform you of any interesting attack.  I recommend you to read Andrew Waite’s post about glastopf.

P.S: Spanish is my mother tongue so forgive me for my mistakes!

Read Full Post »


According to my Amun logs, the most exploited vulnerabilties are DCOM and MS08-067 so I’ve decided to change my honeypot’s configuration file (amun.conf).

I’ve forced my honeypot to look like a Windows machine and so I’ve disabled all but the following vuln_modules:

  • vuln-ms08067
  • vuln-dcom
  • vuln-lsass

Now only ports 80 (glastopf), 135 and 445 (amun) are opened to the public.

Amun has succesfully downloaded 39 malware files in 6 days, and this is my first analysis:

  • 70% of the malware has its origin in a DCOM vulnerability.
  • 66% of the malware is detected as a virus by Clam Antivirus.
  • Trojan SDBot is the most frequent malware found, followed by W32-Virut.
  • According to my logs, the three leading countries (malware source) are: France, United States and Ukraine.

I am really having fun with Amun!

Read Full Post »

Older Posts »