{"id":725,"date":"2014-12-07T22:07:08","date_gmt":"2014-12-07T21:07:08","guid":{"rendered":"http:\/\/under12oot.noblogs.org\/?p=725"},"modified":"2014-12-07T22:07:08","modified_gmt":"2014-12-07T21:07:08","slug":"ultimo-aggiornamento-kippo","status":"publish","type":"post","link":"https:\/\/under12oot.noblogs.org\/?p=725","title":{"rendered":"Ultimo aggiornamento kippo"},"content":{"rendered":"

Proprio ieri<\/em> dicevo che non c’era soddisfazione<\/em> (e continua a non<\/em> esserci, almeno finch\u00e8 non cambio sistema) ma 10 minuti fa<\/em> controllando i log mi sono accorto che c’\u00e8 stato<\/em> un minimo di interazione umana!<\/em> Era ora mi vien da dire… Poca roba,<\/em> non pensate a chiss\u00e0 che! Qui c’\u00e8 il log dell’attacco:<\/em><\/p>\n

honey@raspberrypi ~\/kippo-0.8\/log $ <\/em>cat kippo.log.2 |grep 12:49:<\/strong>
\n2014-12-07 12:49:02+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 103.25.9.229:37269 (192.168.0.10:22) [session: 16900]
\n2014-12-07 12:49:03+0000 [HoneyPotTransport,16900,103.25.9.229] Remote SSH version: SSH-2.0-PUTTY
\n2014-12-07 12:49:03+0000 [HoneyPotTransport,16900,103.25.9.229] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
\n2014-12-07 12:49:03+0000 [HoneyPotTransport,16900,103.25.9.229] outgoing: aes128-ctr hmac-sha1 none
\n2014-12-07 12:49:03+0000 [HoneyPotTransport,16900,103.25.9.229] incoming: aes128-ctr hmac-sha1 none
\n2014-12-07 12:49:04+0000 [HoneyPotTransport,16900,103.25.9.229] NEW KEYS
\n2014-12-07 12:49:04+0000 [HoneyPotTransport,16900,103.25.9.229] starting service ssh-userauth
\n2014-12-07 12:49:04+0000 [SSHS..,16900,103.25.9.229] root trying auth none
\n2014-12-07 12:49:05+0000 [SSH..,16900,103.25.9.229] root trying auth password
\n2014-12-07 12:49:05+0000 [SSH..,16900,103.25.9.229] login attempt [root\/123456] succeeded
\n2014-12-07 12:49:05+0000 [SSH..,16900,103.25.9.229] root authenticated with password
\n2014-12-07 12:49:05+0000 [SSH..,16900,103.25.9.229] starting service ssh-connection
\n2014-12-07 12:49:05+0000 [SSH..,16900,103.25.9.229] got channel session request
\n2014-12-07 12:49:05+0000 [SSH..,16900,103.25.9.229] channel open
\n2014-12-07 12:49:06+0000 [SSH..,16900,103.25.9.229] executing command “#!\/bin\/sh
\n2014-12-07 12:49:06+0000 [SS..,16900,103.25.9.229] Unhandled Error
\n2014-12-07 12:49:06+0000 [SSH..16900,103.25.9.229] remote close
\n2014-12-07 12:49:06+0000 [SSH..,16900,103.25.9.229] sending close 0
\n2014-12-07 12:49:07+0000 [SSHService ssh-connection on HoneyPotTransport,16900,103.25.9.229] got channel session request
\n2014-12-07 12:49:07+0000 [SSH..,16900,103.25.9.229] channel open
\n2014-12-07 12:49:07+0000 [SSH..,16900,103.25.9.229] executing command “ls -la \/var\/run\/sftp.pid”
\n2014-12-07 12:49:08+0000 [SSH..,16900,103.25.9.229] Unhandled Error
\n2014-12-07 12:49:09+0000 [SSH..16900,103.25.9.229] remote close
\n2014-12-07 12:49:09+0000 [SSH..,16900,103.25.9.229] sending close 1
\n2014-12-07 12:49:09+0000 [HoneyPotTransport,16900,103.25.9.229] Got remote error, code 11
\n2014-12-07 12:49:09+0000 [HoneyPotTransport,16900,103.25.9.229] connection lost<\/p>\n

Indovinate un p\u00f2 da dove arriva il 103.25.9.229?<\/em> Ma dalla Cina<\/span> ovviamente!! Supponendo che siano 7 ore avanti<\/em> erano quasi le 20:00<\/em> quando CaioLing<\/em> \u00e8 inkippato<\/span> nell‘honeypot!<\/em><\/p>\n

Vabb\u00e8<\/em>, almeno abbiamo avuto la conferma che qualcuno legge i log<\/em> dello scanner di rete che ha fatto partire e si \u00e8 incuriosito<\/em>!<\/p>\n

Questo \u00e8 quanto! Alla Prossima<\/em><\/p>\n

 <\/p>\n

n0ys3<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Proprio ieri dicevo che non c’era soddisfazione (e continua a non esserci, almeno finch\u00e8 non cambio sistema) ma 10 minuti fa controllando i log mi sono accorto che c’\u00e8 stato un minimo di interazione umana! Era ora mi vien da dire… Poca roba, non pensate a chiss\u00e0 che! Qui c’\u00e8 il log dell’attacco: honey@raspberrypi ~\/kippo-0.8\/log […]<\/p>\n","protected":false},"author":5820,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,19],"tags":[179,65,66,104,105,44],"class_list":["post-725","post","type-post","status-publish","format-standard","hentry","category-howto","category-utility","tag-siti-di-e-per-acari","tag-honeypot","tag-kippo","tag-raspberry","tag-raspbian","tag-ssh"],"_links":{"self":[{"href":"https:\/\/under12oot.noblogs.org\/index.php?rest_route=\/wp\/v2\/posts\/725","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/under12oot.noblogs.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/under12oot.noblogs.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/under12oot.noblogs.org\/index.php?rest_route=\/wp\/v2\/users\/5820"}],"replies":[{"embeddable":true,"href":"https:\/\/under12oot.noblogs.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=725"}],"version-history":[{"count":1,"href":"https:\/\/under12oot.noblogs.org\/index.php?rest_route=\/wp\/v2\/posts\/725\/revisions"}],"predecessor-version":[{"id":726,"href":"https:\/\/under12oot.noblogs.org\/index.php?rest_route=\/wp\/v2\/posts\/725\/revisions\/726"}],"wp:attachment":[{"href":"https:\/\/under12oot.noblogs.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=725"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/under12oot.noblogs.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=725"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/under12oot.noblogs.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=725"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}