Dionaea stats
Started 3/7/2013
Stopped 3/9/2013
Started 3/12/2013
Stopped 3/14/2013
Graphs are courtesy of DionaeaFR tool

Dionaea stats
• Don’t forget to add your API key from VirusTotal to your config file!!
• If you don’t add the API key, then the pretty visualization tool can’t do its job and you have to do it manually!!!

Dionaea stats
Top 10 IP addresses (chart)

Kippo stats
Accounts that used 123456 as password

User ID      Tries
root         7
ftpuser      3
oracle       3
andy         2
info         2
jeff         2
site         2
test         2
webmaster    2
areyes       1
brian        1

“7 successful logons? But your chart says 27 used the password of 123456?! WTF?”

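One way to check the figures on this slide against the raw log is to count, for a given password, the tries per user ID and separately how many of those tries succeeded. This is an added example, not part of the original slides: the log lines are constructed (documentation IP addresses, made-up sessions) in Kippo's `login attempt [user/password] succeeded|failed` line format, and `tally_password` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample in kippo.log style; not data from the talk.
SAMPLE_LOG = """\
2013-06-02 10:57:20+0000 [SSHService ssh-userauth on HoneyPotTransport,5678,192.0.2.10] login attempt [root/123456] succeeded
2013-06-02 11:02:41+0000 [SSHService ssh-userauth on HoneyPotTransport,5679,192.0.2.11] login attempt [ftpuser/123456] failed
2013-06-02 11:02:44+0000 [SSHService ssh-userauth on HoneyPotTransport,5679,192.0.2.11] login attempt [oracle/123456] failed
2013-06-02 11:02:47+0000 [SSHService ssh-userauth on HoneyPotTransport,5679,192.0.2.11] login attempt [root/password] failed
2013-06-02 11:03:02+0000 [HoneyPotTransport,5679,192.0.2.11] connection lost
2013-06-02 11:09:15+0000 [SSHService ssh-userauth on HoneyPotTransport,5680,198.51.100.7] login attempt [ftpuser/123456] failed
2013-06-02 11:09:19+0000 [SSHService ssh-userauth on HoneyPotTransport,5680,198.51.100.7] login attempt [root/123456] succeeded
"""

# The user ID is taken up to the first "/"; the password may itself contain
# "/" or "]", so it is matched greedily up to the trailing result word.
LOGIN_RE = re.compile(
    r"HoneyPotTransport,(?P<session>\d+),(?P<ip>[^\]]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>.*)\] "
    r"(?P<result>succeeded|failed)$"
)


def tally_password(log_text, password):
    """Return (tries per user, successes per user) for one password."""
    tries, successes = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m is None or m.group("password") != password:
            continue  # not a login line, or a different password
        tries[m.group("user")] += 1
        if m.group("result") == "succeeded":
            successes[m.group("user")] += 1
    return tries, successes


if __name__ == "__main__":
    tries, successes = tally_password(SAMPLE_LOG, "123456")
    print("User ID      Tries  Succeeded")
    for user, count in tries.most_common():
        print(f"{user:<12} {count:<6} {successes[user]}")
    print(f"total tries: {sum(tries.values())}, "
          f"successful logons: {sum(successes.values())}")
```
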
Kippo stats
File downloaded

psyBNC 2.3.2
------------
This program is useful for people who cannot be on irc all the time.
Its used to keep a connection to irc and your irc client connected, or
also allows to act as a normal bouncer by disconnecting from the irc
server when the client disconnects.

Kippo stats
Replay script – 20130603-104907-9177.log
Just trying to run Perl

Kippo stats
Replay script – 20130530-134418-3935.log
Upload of shellbot.pl

Kippo stats
File downloaded

#!/usr/bin/perl
#
# ShellBOT by: devil__

Discovered: June 3, 2005
Updated: April 30, 2010 3:46:09 AM
Type: Trojan
Systems Affected: Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP

Backdoor.Shellbot is a detection name used by Symantec to identify malicious software programs that share the primary functionality of enabling a remote attacker to have access to or send commands to a compromised computer.

As the name suggests, these threats are used to provide a covert channel through which a remote attacker can access and control a computer. The Trojans vary in sophistication, ranging from those that only allow for limited functions to be performed to those that allow almost any action to be carried out, thus allowing the remote attacker to almost completely take over control of a computer.

Backdoor.Shellbot
Risk Level 1: Very Low

Kippo stats
Replay script – 20130602-105723-5678.log
Uploads a tar.gz and trips a Python reply script

Resources
• A host at $IP ($location) tried to log into my honeypots fake Terminal Services server
• GET-based RFI attack from $IP ($location)
• A host at $IP ($location) tried to log into my honeypots fake MSSQL Server
http://inguardians.com/