Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.
Check our new Geekzone Price Comparison web site for electronics prices in New Zealand.


ForumsLinuxI watched you try and hack me, you failed (Honeypot Thread)


They see me trollin'
1602 posts

Uber Geek

Trusted
Telecom NZ
Subscriber
Topic # 98959 9-Mar-2012 18:35 Send private message

I noticed on my production Linode that there were a tonne of blocked ssh hosts in /etc/hosts.deny – I was interested to know what would happen if one of these “hackers” or “script kiddies” got into my server on root level.

So, I went and bought a 2nd Linode and set up Kippo (http://code.google.com/p/kippo/) – Kippo creates a SSH server under a restricted user, logs everything that goes on and is quite entertaining to watch them attempt to “hack” - I just did some iptables trickery to the 2nd server so I could find out what is going on, most of them are bots with a few of them being real people (looking at the logs though it seems the bots tell the user of a open host, of which the user manually connects and tries to infect with malware or IRC servers to control botnets)

So here, I present “I watched you hack, you failed”

#1 – iptables not found - http://honeypot.murfy.co.nz:8022/playlog/?l=20120218-125755-3907

#2 – Do you even know Linux? - http://honeypot.murfy.co.nz:8022/playlog/?l=20120222-035727-3285

#3 – Segmentation Fault - http://honeypot.murfy.co.nz:8022/playlog/?l=20120302-043815-1578

#4 – Yeah, PHP really doesn’t exist - http://honeypot.murfy.co.nz:8022/playlog/?l=20120308-003910-8337


If anyone else has any captured from Kippo post them here! Else, more to come.




Michael Murphy
[Twitter] [Last.fm] [IPv6 Sage]

Anything written up there is my own view on life, the universe and everything.

Create new topic
1599 posts

Uber Geek
Inactive user
  Reply # 592886 9-Mar-2012 19:20 Send private message

Good on you for doing this, its quite intriguing to actually see the methodology used. I might set up a few honey pots myself.



They see me trollin'
1602 posts

Uber Geek

Trusted
Telecom NZ
Subscriber
  Reply # 592969 9-Mar-2012 21:02 Send private message

codyc1515: Good on you for doing this, its quite intriguing to actually see the methodology used. I might set up a few honey pots myself.


What's cool is you actually get the files they download, for future inspection. 




Michael Murphy
[Twitter] [Last.fm] [IPv6 Sage]

Anything written up there is my own view on life, the universe and everything.

1599 posts

Uber Geek
Inactive user
  Reply # 592971 9-Mar-2012 21:03 Send private message

michaelmurfy:
codyc1515: Good on you for doing this, its quite intriguing to actually see the methodology used. I might set up a few honey pots myself.


What's cool is you actually get the files they download, for future inspection. 

Yeah, I took a look. Some of that stuff is pretty full on and still up. That means they are still out there hacking people.

13 posts

Geek
  Reply # 601047 27-Mar-2012 22:49 Send private message

aaaaawesome. that's just rad.
can you set up a .profile for them so on login, it throws up an $(ssh -l root ${SSH_CLIENT}) ?
that's be hilarious to watch



They see me trollin'
1602 posts

Uber Geek

Trusted
Telecom NZ
Subscriber
  Reply # 601571 28-Mar-2012 21:25 Send private message

shylo: aaaaawesome. that's just rad.
can you set up a .profile for them so on login, it throws up an $(ssh -l root ${SSH_CLIENT}) ?
that's be hilarious to watch


Yeah could do quite easily :)  

If a user logs out, they get a root@localhost prompt, that's sometimes amusing. 




Michael Murphy
[Twitter] [Last.fm] [IPv6 Sage]

Anything written up there is my own view on life, the universe and everything.



They see me trollin'
1602 posts

Uber Geek

Trusted
Telecom NZ
Subscriber
  Reply # 609782 16-Apr-2012 03:31 Send private message

More (for those who are interested)

http://honeypot.murfy.co.nz:8022/playlog/?l=20120410-022654-1748  - This guy thought he was on his local computer at the end, script-kiddie was from the US.

This guy comes back Here to give it another crack, he used his "set" root password he set up the last time, the advantage of using Kippo is you can get it to add password changes to the allowed password list.

http://honeypot.murfy.co.nz:8022/playlog/?l=20120410-021630-1948  - Goes to show that there are some real n00bs out there, this person was from China, as soon as a curveball is thrown at them they get confused.

http://honeypot.murfy.co.nz:8022/playlog/?l=20120413-205812-3678 - Damn, found a glitch I need to fix with Kippo.

http://honeypot.murfy.co.nz:8022/playlog/?l=20120416-022504-5769  - Another guy that seems to have no Linux experience, paste of uname -a?

For some reason, I got quite a few attacks on April the 7th from different IP's in Russia, Here - Another at the same time, same ISP, different IP Here (which seemed to have difficulty with creating a new user) and Here

There are quite a few more - but these are this month (so far) interesting ones.. Enjoy!




Michael Murphy
[Twitter] [Last.fm] [IPv6 Sage]

Anything written up there is my own view on life, the universe and everything.

13 posts

Geek
  Reply # 610198 16-Apr-2012 19:54 Send private message

http://honeypot.murfy.co.nz:8022/playlog/?l=20120410-021630-1948  - Goes to show that there are some real n00bs out there, this person was from China, as soon as a curveball is thrown at them they get confused.


bahahahaha Wargames for the win

throw in an "I'm sorry, Dave. I'm afraid I can't do that." for the deathblow

1965 posts

Uber Geek

Subscriber
  Reply # 610214 16-Apr-2012 20:29 Send private message

I like the fact they they give up when nano isn't available because they don't know how to use vi.





"You are" = "You're" - Not "Your".  "They are" = "They're" - Not "Their" or "There".  You probably mean "lose" not "loose".  There's no such word as "Alot".
 
On the internet, wasting time, since '89.

gjm

490 posts

Ultimate Geek
  Reply # 610221 16-Apr-2012 21:02 Send private message

I used NMap to sidedoor into your system32 folder and ran my low orbit ion canon :@



They see me trollin'
1602 posts

Uber Geek

Trusted
Telecom NZ
Subscriber
  Reply # 610285 16-Apr-2012 23:46 Send private message

Vi is actually available, everyone just tries Nano, then Pico then apt-get install nano (which appears to install) then SEGFAULT!

Then, confused they appear to edit the files on their computer, re-upload, download onto Sever of which they get messed around by Kippo.

Amusing at best.




Michael Murphy
[Twitter] [Last.fm] [IPv6 Sage]

Anything written up there is my own view on life, the universe and everything.

Create new topic



Twitter »
Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when new jobs are posted to our jobs board:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:




News »
FaceToFace Communications and StarLeaf bring unique cloud-based videoconferencing to Australia and New Zealand
Posted 22-May-2013 09:12

IBM Watson finds a new job: customer services
Posted 22-May-2013 08:37

Microsoft unveils Xbox One
Posted 22-May-2013 08:11

InternetNZ and AUT University form strategic partnership
Posted 21-May-2013 09:29

Microsoft expands Windows Azure with Australian region
Posted 21-May-2013 09:11

Yahoo! to Acquire Tumblr
Posted 21-May-2013 08:18


Trending now »
Hot discussions in our forums right now:

Xbox One
Created by DjShadow, last reply by merve0o0 on 22-May-2013 18:27 (37 replies)
Pages... 2 3

Cannabis is illegal yet we have really strong 'legal highs' ?
Created by qwerty7, last reply by JimmyH on 22-May-2013 21:06 (56 replies)
Pages... 2 3 4

A new project coming to Geekzone
Created by freitasm, last reply by clinty on 22-May-2013 18:16 (243 replies)
Pages... 15 16 17

Changeover issue: dial up
Created by Zigg, last reply by robjg63 on 21-May-2013 22:02 (17 replies)
Pages... 2

HTC One (2013) owners' discussion
Created by Dingbatt, last reply by blakamin on 22-May-2013 20:55 (1528 replies)
Pages... 100 101 102

Orcon, Is this for real or a scam??
Created by old3eyes, last reply by DarthKermit on 22-May-2013 19:12 (29 replies)
Pages... 2

Vodafone Naked Broadband Speeds (Auckland CBD)
Created by wscalioni, last reply by grkiwi on 20-May-2013 21:13 (14 replies)

"igov" online passport renewals
Created by Linuxluver, last reply by lapimate on 22-May-2013 20:49 (26 replies)
Pages... 2


Geekzone Jobs »
Most recent NZ jobs in technology:

Systems Support Administrator
Posted 22-May-2013 19:27

Senior Technical Business Analyst
Posted 22-May-2013 19:27

Network Reporting Engineer
Posted 22-May-2013 19:27

Enterprise Architect - Microsoft Applications
Posted 22-May-2013 18:27

Software Developer ? Multiple positions!
Posted 22-May-2013 18:27

Business Analyst
Posted 22-May-2013 18:27

Service Delivery Administrator
Posted 22-May-2013 18:27


Geekzone Live »
Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Updates »
Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.