Honeypots
Honeypot logs help Jan 19 2009 10:35AM
ny101880 (ny101880 yahoo com)

Good day,

Hi all, I have some questions about honeypot packages. There is little
available documentation regarding those packages, so I think posting the logs
will help me understand them.

I have 4 logs generated and I'm not sure if it's really a real attack.
All I need is a simple but clear explanation of whether an attack really is happening,
to what extent my system is compromised, and what the attacker is doing on the
system.

Log 1:
[12/27/07] 80/tcp Timeout expired, closing connection.
[12/27/07] * 80/tcp 148 bytes attack string from 192.168.55.6:50076.
[12/27/07] 5031 Calling plugins for hook 'process_attack'.
[12/27/07] 5031 Calling b64Decode::b64_decode().
[12/27/07] 5031 Base64 decoder - Searching for base64 encoded attack
string.
[12/27/07] 5031 Base64 decoder - No base64 encoded attack string found.
[12/27/07] 5031 Calling ftpDownload::cmd_parse_for_ftp().
[12/27/07] 5031 FTP download - Parsing attack string (148 bytes) for ftp
commands.
[12/27/07] 5031 FTP download - No ftp command found.
[12/27/07] 5031 Calling tftpDownload::cmd_parse_for_tftp().
[12/27/07] 5031 TFTP download - Parsing attack string (148 bytes) for tftp
commands.
[12/27/07] 5031 TFTP download - No tftp command found.
[12/27/07] 5031 Calling vncDownload::cmd_parse_for_vnc().
[12/27/07] 5031 VNC download - Checking for VNC session string in attack
string.
[12/27/07] 5031 VNC download - No VNC session string found.
[12/27/07] 5031 Calling SaveFile::save_to_file().
[12/27/07] 5031 SaveFile - Dumping attack string into file.
[12/27/07] 5031 SaveFile - Attack string saved as
attacks/from_port_80-tcp_5031_2007-12-27.
[12/27/07] 5031 Calling httpDownload::cmd_parse_for_http_url().
[12/27/07] 5031 HTTP download - Parsing attack string (148 bytes) for
URLs.
[12/27/07] 5031 HTTP download - No URLs found.
[12/27/07] 5031 Calling ClamAV::clamscan().
[12/27/07] 5031 ClamAV - No samples found, nothing to scan.
[12/27/07] 5031 Attack data processed.
[12/27/07] 5030 80/tcp Timeout expired, closing connection.
[12/27/07] 5030 * 80/tcp 75 bytes attack string from
192.168.55.6:50075.

Log 2: (aaa.aaaa = a site on the web)
[12/27/07 info sc handler] url::anyurl: "http://aaa.aaaa.org/streams"
[12/27/07 info down mgr] Handler curl download handler will download
http://aaa.aaaa.org/streams
[14012009 04:05:54 info down handler] HTTP DOWNLOAD
http://aaa.aaaa.org/streams
[12/27/07 warn down handler] Download error Couldn't resolve host name on
getting file http://aaa.aaaa.org/streams

Log 3:
12/27/07 [SSHServerTransport,21,192.168.55.6] kex alg, key alg:
diffie-hellman-group1-sha1 ssh-rsa
12/27/07 [SSHServerTransport,21,192.168.55.6] outgoing: aes128-cbc hmac-md5
none
12/27/07 [SSHServerTransport,21,192.168.55.6] incoming: aes128-cbc hmac-md5
none
12/27/07 [SSHServerTransport,21,192.168.55.6] NEW KEYS
12/27/07 [SSHServerTransport,21,192.168.55.6] connection lost
12/27/07 [SSHServerTransport,22,192.168.55.6] kex alg, key alg:
diffie-hellman-group1-sha1 ssh-rsa
12/27/07 [SSHServerTransport,22,192.168.55.6] outgoing: aes128-cbc hmac-md5
none
12/27/07 [SSHServerTransport,22,192.168.55.6] incoming: aes128-cbc hmac-md5
none
12/27/07 [SSHServerTransport,22,192.168.55.6] NEW KEYS
12/27/07 [SSHServerTransport,22,192.168.55.6] starting service ssh-userauth
12/27/07 [SSHService ssh-userauth on SSHServerTransport,22,192.168.55.6]
asdfdgt trying auth none
12/27/07[SSHServerTransport,22,192.168.55.6] connection lost

Log 4:
[xxxxx - shellcode_manager] (192.168.55.6) no match, writing hexdump
(sgdfghjkhjfhj56 :299) - UDP ::.^[[0m
[xxxxx - xxxx_server] received unknown UDP request ::.^[[0m
[xxxxx - vuln_check] CHECK Incoming: gqw7^M
^M
gqw7^M
^M
(Bytes: 16) ::.^[[0m
[xxxx - xxxx_request_handler] IMAIL Vulnerability requested shutdown
::.^[[0m
[xxxx - xxxx_request_handler] IMAIL Vulnerability requested shutdown
::.^[[0m
[xxxx - xxxx_request_handler] IMAIL Vulnerability requested shutdown
::.^[[0m
[xxxx - vuln_dameware] DAMEWARE STAGE1: Message () (0) ::.^[[0m
[xxxx - shellcode_manager] (192.168.55.6) no match, writing hexdump
(fsfdfsdfsdfsfs3434 :10) - MaxDB Vulnerability [xxxx - shellcode_manager]
(192.168.55.6) no match, writing hexdump (sfsfsdfsfsfsgdrfte56 :11) - MaxDB
Vulnerability ::.^[[0m

I'm hoping anyone with experience and a good heart can help me figure this out.

Thanks a lot,
ny
--
View this message in context: http://www.nabble.com/Honeypot-logs-help-tp21540400p21540400.html
Sent from the Honeypots mailing list archive at Nabble.com.
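An added triage script, not part of the post or of any honeypot package, that reads lines in the formats of Log 1 and Log 3 above (re-joining the mail wrapping first) and reports, per attack string, whether any handler extracted more than the raw payload, and, per SSH transport, whether the peer got as far as an authentication attempt. The sample lines are constructed from the post; the "handler hit" heuristic (any message that is neither a "No ... found" result nor a progress message) is an assumption.

```python
import re

# Constructed sample input in the formats of Log 1 and Log 3 in the post (same
# handler names, same mail-client line wrapping); not the poster's full logs.
LOG1 = """[12/27/07] * 80/tcp 148 bytes attack string from 192.168.55.6:50076.
[12/27/07] 5031 SaveFile - Attack string saved as
attacks/from_port_80-tcp_5031_2007-12-27
[12/27/07] 5031 ClamAV - No samples found, nothing to scan.
[12/27/07] 5030 * 80/tcp 75 bytes attack string from
192.168.55.6:50075."""
LOG3 = """12/27/07 [SSHServerTransport,21,192.168.55.6] connection lost
12/27/07 [SSHService ssh-userauth on SSHServerTransport,22,192.168.55.6] asdfdgt trying auth none
12/27/07[SSHServerTransport,22,192.168.55.6] connection lost"""
ATTACK = re.compile(r"\* (\S+) (\d+) bytes attack string from (\S+)\.")
HANDLER = re.compile(r"\] \d+ ([\w ]+?) - (.+)$")
SSH = re.compile(r"SSHServerTransport,(\d+),([\d.]+)\] (.+)$")
PROGRESS = ("No ", "Parsing", "Searching", "Checking", "Dumping")  # neither a hit nor a download

def unwrap(text):  # re-join lines the mail client wrapped; a record starts with '[' or a date
    out = []
    for line in text.splitlines():
        if re.match(r"\[|\d\d/\d\d/\d\d", line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line.strip()
    return out

def triage_attack_strings(text):  # per attack string: source, size, dump file, handler hits
    recs = []
    for line in unwrap(text):
        if m := ATTACK.search(line):
            recs.append({"src": m[3], "bytes": int(m[2]), "saved": None, "hits": []})
        elif (h := HANDLER.search(line)) and recs:
            if "saved as" in h[2]:
                recs[-1]["saved"] = h[2].rsplit(" ", 1)[1]
            elif not h[2].startswith(PROGRESS):  # heuristic (assumed): any other message is a find
                recs[-1]["hits"].append(h[1])
    for r in recs:  # no decode, download or AV hit -> only the raw payload was captured
        r["verdict"] = "extracted: " + ", ".join(r["hits"]) if r["hits"] else "raw payload only"
    return recs

def triage_ssh(text):  # per SSH transport: did the peer get past key exchange to ssh-userauth?
    sessions = {}
    for line in unwrap(text):
        if m := SSH.search(line):
            s = sessions.setdefault(m[1], {"src": m[2], "auth": []})
            if a := re.match(r"(\S+) trying auth (\S+)", m[3]):
                s["auth"].append(a[1] + "/" + a[2])  # username/method
    for s in sessions.values():
        s["verdict"] = "auth attempted: " + ", ".join(s["auth"]) if s["auth"] else "no auth attempt"
    return sessions
```

Run on the two samples, both attack strings come back as "raw payload only" (nothing decoded, downloaded or flagged), and only SSH transport 22 reached an authentication attempt (user asdfdgt, method none).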

Copyright 2010, SecurityFocus