Monday, August 30, 2010

Dionaea, First Impressions

Dionaea is a new honeypot application, the successor to Nepenthes, a low interaction honeypot. Dionaea is still a bit rough around the edges. The compiling and installation instructions are quite good. I would not install the optional openssl step via cvs on a Debian or Ubuntu distribution, though. When I did, I got a segmentation fault in the libcrypto.so library. I did get dionaea to work on the second attempt on a clean Ubuntu 10.04 x86_64 virtual machine. Installing the OS and the application takes about 1.5 hours. I am having trouble accessing the sqlite database. The readlogsqltree.py script works once you copy the modules directory from where you built it into the /opt/dionaea directory and point the script to that location. However, I got no output or errors. Documentation is almost nonexistent, since the application is essentially still alpha code. The honeypot is working according to dionaea.log, but the dionaea.log file is even more cryptic than nepenthes.log.

Here are some preliminary data:

grep established dionaea.log | grep -v debug | grep -v 192.168.1.8 | awk '{ print $1, $2, $8 }' | uniq -c | sort -n | grep -v established | grep -v binding.c

grep established dionaea.log | grep -v debug | grep -v 192.168.1.8 | awk '{ print $1, $2, $8 }' | uniq -c | sort -n | grep -v established | grep -v binding.c | grep 77.220.185.190 | wc -l
102

IP address 77.220.185.190 performed 102 attacks on port 80 in 40 seconds. It was obviously an automated attack, but I have no idea what tool performed the attack. The IP address maps to Moscow, Russia at the MNOGOBYTE colocation service.

grep sip dionaea.log
[29082010 19:50:44] sip dionaea/sip.py:827-info: SIP Session created
[29082010 19:50:44] sip dionaea/sip.py:801-debug: ('192.168.1.12', 5060, '202.103.52.147', 5060): b'OPTIONS sip:100@ SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.9:5060;branch=z9hG4bK-24798344;rport\r\nContent-Length: 0\r\nFrom: "sipsscuser"; tag=47165868797092908688927622311368018385018985010\r\nAccept: application/sdp\r\nUser-Agent: sundayddr\r\nTo: "sipssc"\r\nContact: sip:100@192.168.1.9:5060\r\nCSeq: 1 OPTIONS\r\nCall-ID: 267264826399318751054824843\r\nMax-Forwards: 70\r\n\r\n'
[29082010 19:50:44] sip dionaea/sip.py:1072-info: Received OPTIONS
[29082010 19:50:44] sip dionaea/sip.py:898-debug: Sending message "SIP/2.0 200 OK
To: "sipsscuser"; tag=47165868797092908688927622311368018385018985010
From: 100
Contact: 100
[29082010 19:50:44] sip dionaea/sip.py:962-debug: io_in: returning 409
[30082010 01:15:34] sip dionaea/sip.py:827-info: SIP Session created
[30082010 01:15:34] sip dionaea/sip.py:801-debug: ('192.168.1.12', 5060, '125.88.105.44', 5060): b'OPTIONS sip:100@ SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.9:5060;branch=z9hG4bK-13198307;rport\r\nContent-Length: 0\r\nFrom: "sipsscuser"; tag=19358999374944096893129611830352363137663012687\r\nAccept: application/sdp\r\nUser-Agent: sundayddr\r\nTo: "sipssc"\r\nContact: sip:100@192.168.1.9:5060\r\nCSeq: 1 OPTIONS\r\nCall-ID: 267264826399345328022532865\r\nMax-Forwards: 70\r\n\r\n'
[30082010 01:15:34] sip dionaea/sip.py:1072-info: Received OPTIONS
[30082010 01:15:34] sip dionaea/sip.py:898-debug: Sending message "SIP/2.0 200 OK
To: "sipsscuser"; tag=19358999374944096893129611830352363137663012687
From: 100
Contact: 100
Dionaea can handle SIP attacks. Some people in China (202.103.52.147 maps to the CHINANET Hubei province network and 125.88.105.44 maps to the CHINANET Guangdong province network) have modified sipvicious, altered the User-Agent to sundayddr, and are probing various networks looking for private PBXs to hijack.
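To turn the grep/awk pipeline above into a check that flags a burst like the 102 port-80 connections in 40 seconds, and to pull the scanner's User-Agent out of the SIP debug lines, here is an added Python example (not part of the post and not dionaea's own code). It assumes the log layout quoted above, with constructed sample lines, and a honeypot address of 192.168.1.12.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines shaped like the dionaea.log entries quoted in the post (assumed layout).
SAMPLE_LOG = [
    "[29082010 20:38:38] connection established [192.168.1.12:80->77.220.185.190:56928]",
    "[29082010 20:38:39] connection established [192.168.1.12:80->77.220.185.190:57031]",
    "[29082010 20:38:40] connection established [192.168.1.12:80->77.220.185.190:57199]",
    "[29082010 20:39:18] connection established [192.168.1.12:80->77.220.185.190:34592]",
    "[29082010 16:38:14] connection established [192.168.1.12:445->71.123.126.104:2950]",
    "[29082010 21:38:16] connection established [192.168.1.12:445->71.123.126.104:3062]",
    "[29082010 20:38:38] connection debug established [192.168.1.12:80->77.220.185.190:56928]",
    r"[30082010 01:15:34] sip dionaea/sip.py:801-debug: ('192.168.1.12', 5060, '125.88.105.44', 5060): b'OPTIONS sip:100@ SIP/2.0\r\nUser-Agent: sundayddr\r\nCSeq: 1 OPTIONS\r\n\r\n'",
]
TS = "%d%m%Y %H:%M:%S"  # [29082010 16:37:39] is day-month-year, i.e. 29 Aug 2010
CONN_RE = re.compile(r"^\[(\d{8} \d\d:\d\d:\d\d)\].*?\[([\d.]+):(\d+)->([\d.]+):(\d+)\]")
SIP_RE = re.compile(r"\('[\d.]+', \d+, '([\d.]+)', \d+\).*?User-Agent: (.*?)\\r\\n")

def connections(lines, honeypot="192.168.1.12"):
    """Yield (timestamp, local_port, remote_ip) for each established, non-debug line."""
    for line in lines:
        m = CONN_RE.search(line)
        if "established" in line and "debug" not in line and m and m.group(2) == honeypot:
            yield datetime.strptime(m.group(1), TS), int(m.group(3)), m.group(4)

def find_bursts(lines, threshold=3, window_s=60):
    """Remote IPs that opened >= threshold connections to one local port within window_s seconds."""
    per_key = defaultdict(list)
    for ts, port, ip in connections(lines):
        per_key[(ip, port)].append(ts)
    bursts = {}
    for key, times in per_key.items():
        times.sort()
        best = j = 0
        for i, t in enumerate(times):
            while (t - times[j]).total_seconds() > window_s:  # slide window start forward
                j += 1
            best = max(best, i - j + 1)  # connections inside the current window
        if best >= threshold:  # hits hours apart (e.g. 16:38 and 21:38) do not add up
            bursts[key] = best
    return bursts

def sip_user_agents(lines):
    """Map source IP -> User-Agent from sip.py debug lines, to fingerprint the scanner."""
    return {m.group(1): m.group(2) for m in map(SIP_RE.search, lines) if m}

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))      # {('77.220.185.190', 80): 4}
    print(sip_user_agents(SAMPLE_LOG))  # {'125.88.105.44': 'sundayddr'}
```

Feed it the real file with `find_bursts(open("dionaea.log"))` and raise the threshold to taste; a burst of 102 within a 60-second window from one remote address to one port is the pattern the post describes.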

Dionaea is quite promising, but it's still very much a work in progress. It'll be a while before there's a Debian or RPM binary package for it.
