nick84

Good to know there are still "real" hackers about!

24 posts in this topic

I just got this on my home servers honeypot:

Tue Sep 17 09:31:57    IMAP2 connection from 195.200.13.226
Tue Sep 17 09:31:57    Telnet connection from 195.200.13.226
Tue Sep 17 09:32:23    Telnet connection from 195.200.13.226
Tue Sep 17 09:36:45    Telnet connection from 195.200.13.226
Tue Sep 17 09:36:55    Telnet login attempted from 195.200.13.226: user: admin, password: admin
Tue Sep 17 09:37:06    Telnet login attempted from 195.200.13.226: user: {filtered}, password: {filtered}
Tue Sep 17 09:37:12    Telnet login attempted from 195.200.13.226: user: , password: 
Tue Sep 17 09:48:59    Telnet connection from 195.200.13.226
Tue Sep 17 09:48:59    IMAP2 connection from 195.200.13.226
Tue Sep 17 09:49:25    Telnet connection from 195.200.13.226
Tue Sep 17 09:53:16    Telnet connection from 195.200.13.226
Tue Sep 17 09:53:22    Telnet login attempted from 195.200.13.226: user: {filtered}, password: sadas

This is the first attack I have had by an actual person on my home server, and I must say it's good to know there are still people out there. Not that I encourage people to hack my home server - which is why I'm not posting its address!

My honeypot has been up for about 2 months or so, and apart from a few automatic port scans I've got nothing.

Imagine my surprise when I got the above logs.

This person was sure thorough! (although they did resort to the use of an automated tool to attack my web server, I forgive them as they at least had a go at my telnet server by hand) :)

Where you see {filtered} is where I have taken out my real name.

The full log is also up at http://www.rootsecure.net/content/temp/hon...oneypot_log.txt


You would never guess what just happened to me !

Today seems to be special for some reason, first it's one person hacking my telnet, then I got someone on my Back Orifice honeypot server! But as it turns out they were just some script kiddie using a tool.

Well it all started when I was lucky enough to have opened a remote desktop connection to my server. I had minimized it and then heard this beeping; after wondering what it was I realised it was my server, and then I saw someone was attempting to make popup messages appear. So I immediately port scanned them back and you’ll never guess but they happened to have netbios on 138-9 open!

Well of course there was nothing else to do but send a “net send” message to them, which went something along the lines of “Chat with me, my email is … or chat on my website at rootsecure.net”

Well the person actually went to the chat on my site, so I said something along the lines of you got stuck in my honeypot, then what’s your business on my server? and the person replied that he/she was using some automated tool to port scan a range of IP’s!

And here’s the log from my honeypot:

Tue Sep 17 20:32:47 BO PING sweep attempted by 80.5.106.130

Tue Sep 17 20:32:47 BO TYPE_SYSDIALOGBOX attempted by 80.5.106.130

Tue Sep 17 20:33:51 BO PING sweep attempted by 80.5.106.130

Tue Sep 17 20:33:51 BO TYPE_SYSDIALOGBOX attempted by 80.5.106.130

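An added example (not part of the original posts): a small parser for the honeypot log format shown in the two posts above. For each source address it reports which services were touched, the shortest gap between login attempts, and how often several probes landed in the same second. The `year` argument and the report field names are assumptions; the sample lines are copied from the posts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input assembled from the log lines quoted in the two posts above.
SAMPLE = """\
Tue Sep 17 09:31:57    IMAP2 connection from 195.200.13.226
Tue Sep 17 09:31:57    Telnet connection from 195.200.13.226
Tue Sep 17 09:36:55    Telnet login attempted from 195.200.13.226: user: admin, password: admin
Tue Sep 17 09:37:06    Telnet login attempted from 195.200.13.226: user: {filtered}, password: {filtered}
Tue Sep 17 09:37:12    Telnet login attempted from 195.200.13.226: user: , password:
Tue Sep 17 20:32:47 BO PING sweep attempted by 80.5.106.130
Tue Sep 17 20:32:47 BO TYPE_SYSDIALOGBOX attempted by 80.5.106.130
Tue Sep 17 20:33:51 BO PING sweep attempted by 80.5.106.130
Tue Sep 17 20:33:51 BO TYPE_SYSDIALOGBOX attempted by 80.5.106.130
"""
# weekday, "Mon DD HH:MM:SS", action text, then "from"/"by" and an IPv4 address
LINE = re.compile(r"^\w{3} (\w{3} +\d+ \d\d:\d\d:\d\d)\s+(.+?) (?:from|by) ((?:\d+\.){3}\d+)")

def parse(text, year=2002):  # the log has no year; 2002 is an assumed default
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not in the honeypot's format
        ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
        events.append((ts, m[2], m[3]))  # (time, action, source)
    return events

def summarize(events):
    by_src = defaultdict(list)
    for ts, action, src in sorted(events):
        by_src[src].append((ts, action))
    report = {}
    for src, evs in by_src.items():
        logins = [ts for ts, a in evs if "login attempted" in a]
        gaps = [int((b - a).total_seconds()) for a, b in zip(logins, logins[1:])]
        per_second = defaultdict(set)  # distinct actions seen in each second
        for ts, a in evs:
            per_second[ts].add(a)
        report[src] = {
            "services": sorted({a.split()[0] for _, a in evs}),
            "login_attempts": len(logins),
            "min_login_gap_s": min(gaps) if gaps else None,
            "same_second_probes": sum(len(s) > 1 for s in per_second.values()),
        }
    return report

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```

Login gaps of several seconds are consistent with typing by hand, while different probes arriving in the same second point to a tool; a single source can show both patterns.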
Good to know there are still "real" hackers about!

I know....I'm pretty cool.


Just curious, what honeypot are you using? If it's a script I'd love to see it. I never really got honeyd to work.


To post the time:

Sep 17 2002, 03:20 PM

Dude, that's 1337. I have a honeypot. But no one attacks it. <_<

OMG, thank you for bringing a five year thread back to life...

Dude, that's 1337. I have a honeypot. But no one attacks it. <_<

OMG, thank you for bringing a five year thread back to life...

1337h4x0rleet's post was completely worth it, I found it very informative.


Seriously, what's with all these post-bumps of five year old threads lately?

Bumping is okay as long as it brings something new to the table.

Just curious, what honeypot are you using? If it's a script I'd love to see it. I never really got honeyd to work.

Nick84 is leet enough that he is using an actual pot of honey.


Bump

I wish I could get some moron to scan a VM tarpitted unpatched XP box. Don't know what I would do, but it would be cool.


Wow, maybe we will have to look into automatically locking old threads, this is ridiculous.

Just so you know guests, when you register, you don't have to chronologically go through every thread from the beginning and comment on them. ;)

You're cute. PM me and we'll get together some time.

Was that from David D? lol !

Just curious, what honeypot are you using? If it's a script I'd love to see it. I never really got honeyd to work.

Nick84 is leet enough that he is using an actual pot of honey.

That just means he's a witch.


Speaking of honey, anybody help me with a basic nepenthes setup?


To the original topics: Sometimes I scan foreign company's stuff to scare the hell out of them, and watch as they start closing the ports, just for fun.

To the original topics: Sometimes I scan foreign company's stuff to scare the hell out of them, and watch as they start closing the ports, just for fun.

No you don't


Nobody closes all their ports because some random idiot scans them.

......

That's just stupid.


"Oh no, somebody tried to get to our server by sending packets over port 79, and then they talked to httpd listening on port 80! Quick, go into lockdown mode!"

And then these red lights start flashing all over the building and an alarm starts to sound. :D
