Kippo: latest update

Just yesterday I was saying there was no satisfaction to be had (and there still isn't, at least until I change the setup), but 10 minutes ago, while checking the logs, I noticed there has been a minimum of human interaction! About time, I'd say... Not much, don't imagine anything big! Here is the log of the attack:

honey@raspberrypi ~/kippo-0.8/log $ cat kippo.log.2 |grep 12:49:
2014-12-07 12:49:02+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 103.25.9.229:37269 (192.168.0.10:22) [session: 16900]
2014-12-07 12:49:03+0000 [HoneyPotTransport,16900,103.25.9.229] Remote SSH version: SSH-2.0-PUTTY
2014-12-07 12:49:03+0000 [HoneyPotTransport,16900,103.25.9.229] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2014-12-07 12:49:03+0000 [HoneyPotTransport,16900,103.25.9.229] outgoing: aes128-ctr hmac-sha1 none
2014-12-07 12:49:03+0000 [HoneyPotTransport,16900,103.25.9.229] incoming: aes128-ctr hmac-sha1 none
2014-12-07 12:49:04+0000 [HoneyPotTransport,16900,103.25.9.229] NEW KEYS
2014-12-07 12:49:04+0000 [HoneyPotTransport,16900,103.25.9.229] starting service ssh-userauth
2014-12-07 12:49:04+0000 [SSHS..,16900,103.25.9.229] root trying auth none
2014-12-07 12:49:05+0000 [SSH..,16900,103.25.9.229] root trying auth password
2014-12-07 12:49:05+0000 [SSH..,16900,103.25.9.229] login attempt [root/123456] succeeded
2014-12-07 12:49:05+0000 [SSH..,16900,103.25.9.229] root authenticated with password
2014-12-07 12:49:05+0000 [SSH..,16900,103.25.9.229] starting service ssh-connection
2014-12-07 12:49:05+0000 [SSH..,16900,103.25.9.229] got channel session request
2014-12-07 12:49:05+0000 [SSH..,16900,103.25.9.229] channel open
2014-12-07 12:49:06+0000 [SSH..,16900,103.25.9.229] executing command “#!/bin/sh
2014-12-07 12:49:06+0000 [SS..,16900,103.25.9.229] Unhandled Error
2014-12-07 12:49:06+0000 [SSH..16900,103.25.9.229] remote close
2014-12-07 12:49:06+0000 [SSH..,16900,103.25.9.229] sending close 0
2014-12-07 12:49:07+0000 [SSHService ssh-connection on HoneyPotTransport,16900,103.25.9.229] got channel session request
2014-12-07 12:49:07+0000 [SSH..,16900,103.25.9.229] channel open
2014-12-07 12:49:07+0000 [SSH..,16900,103.25.9.229] executing command “ls -la /var/run/sftp.pid”
2014-12-07 12:49:08+0000 [SSH..,16900,103.25.9.229] Unhandled Error
2014-12-07 12:49:09+0000 [SSH..16900,103.25.9.229] remote close
2014-12-07 12:49:09+0000 [SSH..,16900,103.25.9.229] sending close 1
2014-12-07 12:49:09+0000 [HoneyPotTransport,16900,103.25.9.229] Got remote error, code 11
2014-12-07 12:49:09+0000 [HoneyPotTransport,16900,103.25.9.229] connection lost

Guess where 103.25.9.229 comes from? From China, obviously!! Assuming they are 7 hours ahead, it was almost 20:00 when CaioLing stumbled into the honeypot!

Oh well, at least we got confirmation that someone reads the logs of the network scanner they launched and got curious!
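As an added example (not code from the post), here is a small Python parser for the Kippo 0.8 log lines shown above: it groups lines by session id, records the SSH client banner, login attempts and executed commands, and flags the sessions where a login succeeded and a command was run, which is exactly the human interaction the post is looking for. The sample input is constructed from the session above, with the abbreviated [SSH..,…] contexts kept as they appear; the parser copes with them by matching the ",session,ip" tail of the context field.

```python
import re
# Constructed sample: lines copied from the session above, contexts abbreviated as in the post.
SAMPLE_LOG = """\
2014-12-07 12:49:02+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 103.25.9.229:37269 (192.168.0.10:22) [session: 16900]
2014-12-07 12:49:03+0000 [HoneyPotTransport,16900,103.25.9.229] Remote SSH version: SSH-2.0-PUTTY
2014-12-07 12:49:05+0000 [SSH..,16900,103.25.9.229] login attempt [root/123456] succeeded
2014-12-07 12:49:06+0000 [SSH..,16900,103.25.9.229] executing command “#!/bin/sh
2014-12-07 12:49:07+0000 [SSH..,16900,103.25.9.229] executing command “ls -la /var/run/sftp.pid”
2014-12-07 12:49:09+0000 [HoneyPotTransport,16900,103.25.9.229] connection lost
"""

# The context field is matched on its tail "<session>,<ip>", so abbreviated contexts still parse.
LINE_RE = re.compile(r"^(\S+ \S+) \[([^\]]*)\] (.*)$")
NEWCONN_RE = re.compile(r"New connection: ([\d.]+):(\d+) .*\[session: (\d+)\]")
CTX_RE = re.compile(r"(\d+),([\d.]+)$")
LOGIN_RE = re.compile(r"login attempt \[([^/\]]*)/([^\]]*)\] (succeeded|failed)")
CMD_RE = re.compile(r'executing command [“"](.*?)[”"]?$')  # closing quote may be missing

def parse_kippo_log(text):
    """Group Kippo log lines by session id and pull out what an analyst wants to see."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ctx, msg = m.groups()
        nc = NEWCONN_RE.search(msg)
        if nc:  # a session starts here; every later line carries its id in the context field
            sessions[nc.group(3)] = {"src_ip": nc.group(1), "src_port": int(nc.group(2)),
                                     "start": ts, "client": None, "logins": [], "commands": [], "end": None}
            continue
        c = CTX_RE.search(ctx)
        if not c or c.group(1) not in sessions:
            continue
        s = sessions[c.group(1)]
        if msg.startswith("Remote SSH version: "):
            s["client"] = msg.split(": ", 1)[1]
        elif (lm := LOGIN_RE.search(msg)):
            s["logins"].append((lm.group(1), lm.group(2), lm.group(3) == "succeeded"))
        elif (cm := CMD_RE.search(msg)):
            s["commands"].append(cm.group(1))
        elif msg == "connection lost":
            s["end"] = ts
    return sessions

def interactive_sessions(sessions):
    """Sessions with a successful login followed by at least one command: the human hits."""
    return {sid: s for sid, s in sessions.items()
            if any(ok for _, _, ok in s["logins"]) and s["commands"]}
```

Run it over a full kippo.log and only the sessions returned by interactive_sessions() need a human look; pure scanner noise never gets past the login stage.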

That's all! Until next time

n0ys3

This entry was posted on Sunday, December 7th, 2014 at 22:07 and is filed under Howto, utility.