Honeypots mailing list archives

Honeypot logs help


From: ny101880 <ny101880 () yahoo com>
Date: Mon, 19 Jan 2009 02:35:32 -0800 (PST)


Good day,

Hi all, I have some questions about honeypot packages. There is little
available documentation regarding those packages, so I think posting the logs
will help me understand them.

I have 4 logs generated and I'm not sure if it's really a real attack.
All I need is a simple but clear explanation of whether an attack really is happening,
to what extent my system is compromised, and what the attacker is doing on the
system.

Log 1:
[12/27/07]    80/tcp    Timeout expired, closing connection.
[12/27/07]   * 80/tcp    148 bytes attack string from 192.168.55.6:50076.
[12/27/07]  5031  Calling plugins for hook 'process_attack'.
[12/27/07]  5031  Calling b64Decode::b64_decode().
[12/27/07]  5031  Base64 decoder - Searching for base64 encoded attack
string.
[12/27/07]  5031  Base64 decoder - No base64 encoded attack string found.
[12/27/07]  5031  Calling ftpDownload::cmd_parse_for_ftp().
[12/27/07]  5031  FTP download - Parsing attack string (148 bytes) for ftp
commands.
[12/27/07]  5031  FTP download - No ftp command found.
[12/27/07]  5031  Calling tftpDownload::cmd_parse_for_tftp().
[12/27/07]  5031  TFTP download - Parsing attack string (148 bytes) for tftp
commands.
[12/27/07]  5031  TFTP download - No tftp command found.
[12/27/07]  5031  Calling vncDownload::cmd_parse_for_vnc().
[12/27/07]  5031  VNC download - Checking for VNC session string in attack
string.
[12/27/07]  5031  VNC download - No VNC session string found.
[12/27/07]  5031  Calling SaveFile::save_to_file().
[12/27/07]  5031  SaveFile - Dumping attack string into file.
[12/27/07]  5031  SaveFile - Attack string saved as
attacks/from_port_80-tcp_5031_2007-12-27.
[12/27/07]  5031  Calling httpDownload::cmd_parse_for_http_url().
[12/27/07]  5031  HTTP download - Parsing attack string (148 bytes) for
URLs.
[12/27/07]  5031  HTTP download - No URLs found.
[12/27/07]  5031  Calling ClamAV::clamscan().
[12/27/07]  5031  ClamAV - No samples found, nothing to scan.
[12/27/07]  5031  Attack data processed.
[12/27/07]  5030     80/tcp    Timeout expired, closing connection.
[12/27/07]  5030   * 80/tcp    75 bytes attack string from
192.168.55.6:50075.


Log 2: (aaa.aaaa = a site on the web)
[12/27/07 info sc handler] url::anyurl: "http://aaa.aaaa.org/streams";
[12/27/07 info down mgr] Handler curl download handler will download
http://aaa.aaaa.org/streams
[14012009 04:05:54 info down handler] HTTP DOWNLOAD
http://aaa.aaaa.org/streams
[12/27/07 warn down handler] Download error Couldn't resolve host name on
getting file http://aaa.aaaa.org/streams


Log 3:
12/27/07 [SSHServerTransport,21,192.168.55.6] kex alg, key alg:
diffie-hellman-group1-sha1 ssh-rsa
12/27/07 [SSHServerTransport,21,192.168.55.6] outgoing: aes128-cbc hmac-md5
none
12/27/07 [SSHServerTransport,21,192.168.55.6] incoming: aes128-cbc hmac-md5
none
12/27/07 [SSHServerTransport,21,192.168.55.6] NEW KEYS
12/27/07 [SSHServerTransport,21,192.168.55.6] connection lost
12/27/07 [SSHServerTransport,22,192.168.55.6] kex alg, key alg:
diffie-hellman-group1-sha1 ssh-rsa
12/27/07 [SSHServerTransport,22,192.168.55.6] outgoing: aes128-cbc hmac-md5
none
12/27/07 [SSHServerTransport,22,192.168.55.6] incoming: aes128-cbc hmac-md5
none
12/27/07 [SSHServerTransport,22,192.168.55.6] NEW KEYS
12/27/07 [SSHServerTransport,22,192.168.55.6] starting service ssh-userauth
12/27/07 [SSHService ssh-userauth on SSHServerTransport,22,192.168.55.6]
asdfdgt trying auth none
12/27/07[SSHServerTransport,22,192.168.55.6] connection lost

Log 4:
[xxxxx - shellcode_manager] (192.168.55.6) no match, writing hexdump
(sgdfghjkhjfhj56 :299) - UDP ::.^[[0m
[xxxxx - xxxx_server] received unknown UDP request ::.^[[0m
[xxxxx - vuln_check] CHECK Incoming: gqw7^M
^M
gqw7^M
^M
 (Bytes: 16) ::.^[[0m
[xxxx - xxxx_request_handler] IMAIL Vulnerability requested shutdown
::.^[[0m
[xxxx - xxxx_request_handler] IMAIL Vulnerability requested shutdown
::.^[[0m
[xxxx - xxxx_request_handler] IMAIL Vulnerability requested shutdown
::.^[[0m
[xxxx - vuln_dameware] DAMEWARE STAGE1: Message () (0) ::.^[[0m
[xxxx - shellcode_manager] (192.168.55.6) no match, writing hexdump
(fsfdfsdfsdfsfs3434 :10) - MaxDB Vulnerability [xxxx - shellcode_manager]
(192.168.55.6) no match, writing hexdump (sfsfsdfsfsfsgdrfte56 :11) - MaxDB
Vulnerability ::.^[[0m


I'm hoping anyone with experience and a good heart can help me figure this out.

Thanks a lot,
ny
-- 
View this message in context: http://www.nabble.com/Honeypot-logs-help-tp21540400p21540400.html
Sent from the Honeypots mailing list archive at Nabble.com.
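A small triage parser for the honeytrap-style plugin chain shown in Log 1, added here as an example (not code from the post or from any honeypot package). The sample lines are constructed to mirror the post's format, and the positive-result wording for the download plugins is an assumption, since the post shows only negative results.

```python
import re
# Constructed sample in the post's honeytrap-style "Log 1" format (not a real capture).
SAMPLE_LOG = """\
[12/27/07]  5031   * 80/tcp    148 bytes attack string from 192.168.55.6:50076.
[12/27/07]  5031  FTP download - Parsing attack string (148 bytes) for ftp commands.
[12/27/07]  5031  FTP download - No ftp command found.
[12/27/07]  5031  SaveFile - Attack string saved as attacks/from_port_80-tcp_5031_2007-12-27.
[12/27/07]  5031  HTTP download - No URLs found.
[12/27/07]  5031  ClamAV - No samples found, nothing to scan.
[12/27/07]  5030   * 80/tcp    75 bytes attack string from 192.168.55.6:50075.
"""

ATTACK_RE = re.compile(r"^\[[^\]]+\]\s+(\d+)\s+\*\s+(\d+)/(\w+)\s+(\d+) bytes attack string "
                       r"from ([\d.]+):(\d+)\.")
PLUGIN_RE = re.compile(r"^\[[^\]]+\]\s+(\d+)\s+([\w ]+?) - (.*)$")
SAVED_RE = re.compile(r"Attack string saved as (\S+?)\.?$")


def parse_honeytrap(text):
    """Group lines by connection id and summarise what each plugin reported."""
    conns = {}
    for line in text.splitlines():
        m = ATTACK_RE.match(line)
        if m:
            conn, port, proto, size, src, sport = m.groups()
            conns[conn] = {"port": int(port), "proto": proto, "bytes": int(size),
                           "src": f"{src}:{sport}", "negatives": set(),
                           "saved_as": None, "download_hint": False}
            continue
        m = PLUGIN_RE.match(line)
        if not m or m.group(1) not in conns:
            continue
        rec, plugin, msg = conns[m.group(1)], m.group(2), m.group(3)
        saved = SAVED_RE.search(msg)
        if saved:
            rec["saved_as"] = saved.group(1)
        elif msg.startswith("No "):
            rec["negatives"].add(plugin)          # plugin looked and found nothing
        elif plugin.endswith("download") and not msg.startswith(("Parsing", "Checking")):
            # Assumed: any other download-plugin message means it extracted a
            # fetch command or URL (the post shows only the negative wording).
            rec["download_hint"] = True
    return conns


def verdict(rec):
    """Defender's reading of one captured attack string."""
    if rec["download_hint"]:
        return "second-stage download attempted: inspect saved file and egress logs"
    return ("probe only: no payload decoded, raw bytes saved for review"
            if rec["saved_as"] else "attack string seen but nothing saved")
```

Run over the post's own Log 1, both connections come out as payload-less probes against the port-80 listener, which is why nothing reached ClamAV.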

