Honeypots mailing list archives
Honeypot logs help
From: ny101880 <ny101880 () yahoo com>
Date: Mon, 19 Jan 2009 02:35:32 -0800 (PST)
Good day, hi all. I have some questions about honeypot packages. There is little documentation available regarding those packages, so I think posting the logs will help me understand them. I have 4 logs generated and I'm not sure if it's really a real attack. All I need is a simple but clear explanation of whether an attack is really happening, to what extent my system is compromised, and what the attacker is doing on the system.

Log 1:

[12/27/07] 80/tcp Timeout expired, closing connection.
[12/27/07] * 80/tcp 148 bytes attack string from 192.168.55.6:50076.
[12/27/07] 5031 Calling plugins for hook 'process_attack'.
[12/27/07] 5031 Calling b64Decode::b64_decode().
[12/27/07] 5031 Base64 decoder - Searching for base64 encoded attack string.
[12/27/07] 5031 Base64 decoder - No base64 encoded attack string found.
[12/27/07] 5031 Calling ftpDownload::cmd_parse_for_ftp().
[12/27/07] 5031 FTP download - Parsing attack string (148 bytes) for ftp commands.
[12/27/07] 5031 FTP download - No ftp command found.
[12/27/07] 5031 Calling tftpDownload::cmd_parse_for_tftp().
[12/27/07] 5031 TFTP download - Parsing attack string (148 bytes) for tftp commands.
[12/27/07] 5031 TFTP download - No tftp command found.
[12/27/07] 5031 Calling vncDownload::cmd_parse_for_vnc().
[12/27/07] 5031 VNC download - Checking for VNC session string in attack string.
[12/27/07] 5031 VNC download - No VNC session string found.
[12/27/07] 5031 Calling SaveFile::save_to_file().
[12/27/07] 5031 SaveFile - Dumping attack string into file.
[12/27/07] 5031 SaveFile - Attack string saved as attacks/from_port_80-tcp_5031_2007-12-27.
[12/27/07] 5031 Calling httpDownload::cmd_parse_for_http_url().
[12/27/07] 5031 HTTP download - Parsing attack string (148 bytes) for URLs.
[12/27/07] 5031 HTTP download - No URLs found.
[12/27/07] 5031 Calling ClamAV::clamscan().
[12/27/07] 5031 ClamAV - No samples found, nothing to scan.
[12/27/07] 5031 Attack data processed.
[12/27/07] 5030 80/tcp Timeout expired, closing connection.
[12/27/07] 5030 * 80/tcp 75 bytes attack string from 192.168.55.6:50075.

Log 2: (aaa.aaaa = a site on the web)

[12/27/07 info sc handler] url::anyurl: "http://aaa.aaaa.org/streams"
[12/27/07 info down mgr] Handler curl download handler will download http://aaa.aaaa.org/streams
[14012009 04:05:54 info down handler] HTTP DOWNLOAD http://aaa.aaaa.org/streams
[12/27/07 warn down handler] Download error Couldn't resolve host name on getting file http://aaa.aaaa.org/streams

Log 3:

12/27/07 [SSHServerTransport,21,192.168.55.6] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
12/27/07 [SSHServerTransport,21,192.168.55.6] outgoing: aes128-cbc hmac-md5 none
12/27/07 [SSHServerTransport,21,192.168.55.6] incoming: aes128-cbc hmac-md5 none
12/27/07 [SSHServerTransport,21,192.168.55.6] NEW KEYS
12/27/07 [SSHServerTransport,21,192.168.55.6] connection lost
12/27/07 [SSHServerTransport,22,192.168.55.6] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
12/27/07 [SSHServerTransport,22,192.168.55.6] outgoing: aes128-cbc hmac-md5 none
12/27/07 [SSHServerTransport,22,192.168.55.6] incoming: aes128-cbc hmac-md5 none
12/27/07 [SSHServerTransport,22,192.168.55.6] NEW KEYS
12/27/07 [SSHServerTransport,22,192.168.55.6] starting service ssh-userauth
12/27/07 [SSHService ssh-userauth on SSHServerTransport,22,192.168.55.6] asdfdgt trying auth none
12/27/07[SSHServerTransport,22,192.168.55.6] connection lost

Log 4:

[xxxxx - shellcode_manager] (192.168.55.6) no match, writing hexdump (sgdfghjkhjfhj56 :299) - UDP ::.^[[0m
[xxxxx - xxxx_server] received unknown UDP request ::.^[[0m
[xxxxx - vuln_check] CHECK Incoming: gqw7^M ^M gqw7^M ^M (Bytes: 16) ::.^[[0m
[xxxx - xxxx_request_handler] IMAIL Vulnerability requested shutdown ::.^[[0m
[xxxx - xxxx_request_handler] IMAIL Vulnerability requested shutdown ::.^[[0m
[xxxx - xxxx_request_handler] IMAIL Vulnerability requested shutdown ::.^[[0m
[xxxx - vuln_dameware] DAMEWARE STAGE1: Message () (0) ::.^[[0m
[xxxx - shellcode_manager] (192.168.55.6) no match, writing hexdump (fsfdfsdfsdfsfs3434 :10) - MaxDB Vulnerability
[xxxx - shellcode_manager] (192.168.55.6) no match, writing hexdump (sfsfsdfsfsfsgdrfte56 :11) - MaxDB Vulnerability ::.^[[0m

I'm hoping anyone with experience and a good heart can help me figure this out.

Thanks a lot,
ny

--
View this message in context: http://www.nabble.com/Honeypot-logs-help-tp21540400p21540400.html
Sent from the Honeypots mailing list archive at Nabble.com.
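As an added example (not from the post above or from any honeypot project), here is a small Python triage script for Nepenthes-style lines like those in Log 1: it pairs each captured "attack string" line with the plugin results that follow it and reports whether any decoder extracted a download stage, which is the question the poster is asking. The sample log is constructed from the post's own lines with the "Calling"/"Parsing" chatter trimmed; treating any plugin message that mentions "found" but does not start with "No " as a positive result is an assumption, not a documented Nepenthes convention.

```python
import re

# Constructed sample in the format of "Log 1" above (plugin chatter trimmed for brevity).
SAMPLE_LOG = """\
[12/27/07] * 80/tcp 148 bytes attack string from 192.168.55.6:50076.
[12/27/07] 5031 Calling plugins for hook 'process_attack'.
[12/27/07] 5031 Base64 decoder - No base64 encoded attack string found.
[12/27/07] 5031 FTP download - No ftp command found.
[12/27/07] 5031 TFTP download - No tftp command found.
[12/27/07] 5031 VNC download - No VNC session string found.
[12/27/07] 5031 SaveFile - Attack string saved as attacks/from_port_80-tcp_5031_2007-12-27.
[12/27/07] 5031 HTTP download - No URLs found.
[12/27/07] 5031 ClamAV - No samples found, nothing to scan.
[12/27/07] 5031 Attack data processed.
[12/27/07] 5030 * 80/tcp 75 bytes attack string from 192.168.55.6:50075.
"""

ATTACK_RE = re.compile(r"\* (\S+) (\d+) bytes attack string from ([\d.]+):(\d+)\.?$")
SAVED_RE = re.compile(r"Attack string saved as (\S+?)\.?$")


def triage(log_text):
    """One record per captured attack string: source, size, saved file, plugin outcome."""
    events, cur = [], None
    for line in log_text.splitlines():
        m = ATTACK_RE.search(line)
        if m:  # a new attack string opens a new record; later plugin lines belong to it
            cur = {"port": m.group(1), "bytes": int(m.group(2)),
                   "src": f"{m.group(3)}:{m.group(4)}", "saved_as": None,
                   "hits": [], "misses": 0, "complete": False}
            events.append(cur)
            continue
        if cur is None or " - " not in line:
            if cur and line.endswith("Attack data processed."):
                cur["complete"] = True  # every plugin has reported for this record
            continue
        msg = line.split(" - ", 1)[1]  # text after "<plugin name> - "
        s = SAVED_RE.search(msg)
        if s:
            cur["saved_as"] = s.group(1)  # where the honeypot stored the raw bytes
        elif msg.startswith("No "):  # decoder/downloader extracted nothing
            cur["misses"] += 1
        elif "found" in msg.lower():  # assumption: positive plugin results mention "found"
            cur["hits"].append(msg)
    for e in events:
        e["verdict"] = ("incomplete: log ends before plugins finished" if not e["complete"]
                        else "payload stage extracted: inspect saved file and hits" if e["hits"]
                        else "probe only: data captured, no download/shellcode stage recognised")
    return events
```

Running `triage(SAMPLE_LOG)` classifies the 148-byte string as a probe with nothing extracted and flags the 75-byte one as incomplete because the log is cut off before its plugins report.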