Honeypot fun with Nepenthes

I've been running a honeypot on a server running Nepenthes, which is apt-get installable on Debian Lenny at the time of writing.

Nepenthes works by starting up a bunch of emulated vulnerable services on all the typical ports you'd expect. It then monitors and reports on automated scanners and worms that think they're delivering a payload to a real service, and it downloads the malware sample they try to push so you end up with a copy of the binary and its MD5.

The server has been running for 24 hours; here are the stats from Andrew Waite's submissions2stats.py log parser.

hive:~# ./submissions2stats.py < /var/log/nepenthes/logged_submissions
Statistics engine written by Andrew Waite - www.InfoSanity.co.uk

Number of submissions: 14
Number of unique samples: 9
Number of unique source IPs: 13

First sample seen on 2010-05-30
Last sample seen on 2010-05-31
Days running: 1
Average daily submissions: 14

Most recent submissions:
2010-05-31, 04:33:28, 173.27.143.135, tftp://173.27.143.135/ssms.exe, 833cda5b5bef5989deb6bf57c557ce30
2010-05-31, 03:43:45, 173.24.129.248, http://173.24.129.248:80/xxxxxxx, a12cab51ef99e98305668d189d0db147
2010-05-31, 03:26:13, 173.67.120.235, ftp://173.67.120.235:45824/ssms.exe, 1d419d615dbe5a238bbaa569b3829a23
2010-05-31, 03:11:15, 173.189.33.204, tftp://173.189.33.204/ssms.exe, e269d0462eb2b0b70d5e64dcd7c676cd
2010-05-31, 01:44:16, 173.212.8.3, tftp://173.212.8.3/ssms.exe, 1d419d615dbe5a238bbaa569b3829a23

I wonder why the submissions/downloads have consistently come from the same /8 as my server. Is that a coincidence, or? Damn amateur that I am, I don't fully understand :)
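Below is an added example, not code from the original post and not Andrew Waite's submissions2stats.py. It parses submission records and produces the headline counts above plus two breakdowns the stock output does not show: which download scheme (tftp/ftp/http) the shellcode used, and a tally of source addresses by /8, so the question above can be checked against more than the last five records. It assumes (this is not stated on the page) that each record is one line of the form `date, time, source_ip, url, md5`, which is the shape the stats output prints; a real logged_submissions file may differ, so adapt `parse_record()` to its layout. The sample input is constructed: the five records shown above plus one made-up record from an RFC 5737 documentation address and one deliberately malformed line.

```python
"""Parse Nepenthes submission records and summarise them.

Added example, not the post's own code nor submissions2stats.py.
Assumption (not from the page): one record per line, shaped as
    YYYY-MM-DD, HH:MM:SS, source_ip, download_url, md5
Adapt parse_record() if your logged_submissions file differs.
"""
import sys
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from string import hexdigits
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample input: the five records from the post, one made-up
# record from a documentation address (so the /8 tally has two buckets),
# and one malformed line the parser must skip rather than crash on.
SAMPLE_LOG = """\
2010-05-31, 04:33:28, 173.27.143.135, tftp://173.27.143.135/ssms.exe, 833cda5b5bef5989deb6bf57c557ce30
2010-05-31, 03:43:45, 173.24.129.248, http://173.24.129.248:80/xxxxxxx, a12cab51ef99e98305668d189d0db147
2010-05-31, 03:26:13, 173.67.120.235, ftp://173.67.120.235:45824/ssms.exe, 1d419d615dbe5a238bbaa569b3829a23
2010-05-31, 03:11:15, 173.189.33.204, tftp://173.189.33.204/ssms.exe, e269d0462eb2b0b70d5e64dcd7c676cd
2010-05-31, 01:44:16, 173.212.8.3, tftp://173.212.8.3/ssms.exe, 1d419d615dbe5a238bbaa569b3829a23
2010-05-30, 22:10:02, 203.0.113.7, http://203.0.113.7/x.exe, 1d419d615dbe5a238bbaa569b3829a23
this line is deliberately malformed and must be skipped
"""


@dataclass(frozen=True)
class Submission:
    when: datetime
    source_ip: str
    url: str
    md5: str

    @property
    def scheme(self) -> str:
        # tftp/ftp/http tells you which download path the shellcode used
        return urlsplit(self.url).scheme.lower()

    @property
    def slash8(self) -> str:
        return self.source_ip.split(".")[0] + ".0.0.0/8"


def parse_record(line: str) -> Optional[Submission]:
    """Return a Submission, or None for blank or malformed lines."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 5:
        return None
    day, clock, ip, url, md5 = parts
    md5 = md5.lower()
    if len(md5) != 32 or any(c not in hexdigits for c in md5):
        return None
    try:
        when = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return Submission(when, ip, url, md5)


def parse_log(text: str) -> List[Submission]:
    return [s for s in map(parse_record, text.splitlines()) if s is not None]


def summarise(subs: List[Submission]) -> Dict[str, object]:
    """Headline counts plus the breakdowns the stock stats script lacks."""
    days = sorted({s.when.date() for s in subs})
    # Same convention as the output above: first 05-30, last 05-31 -> 1 day.
    running = max((days[-1] - days[0]).days, 1)
    sources_per_sample: Dict[str, set] = {}
    for s in subs:
        sources_per_sample.setdefault(s.md5, set()).add(s.source_ip)
    return {
        "submissions": len(subs),
        "unique_samples": len(sources_per_sample),
        "unique_sources": len({s.source_ip for s in subs}),
        "days_running": running,
        "avg_daily": len(subs) / running,
        "by_scheme": Counter(s.scheme for s in subs),
        "by_slash8": Counter(s.slash8 for s in subs),
        # one binary pushed by several hosts: the same worm on many infected boxes
        "repeat_samples": {
            md5: sorted(ips) for md5, ips in sources_per_sample.items() if len(ips) > 1
        },
    }


if __name__ == "__main__":
    # Run as "python3 script.py < logged_submissions"; falls back to the
    # constructed sample when nothing is piped in.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for key, value in summarise(parse_log(text)).items():
        print(f"{key}: {value}")
```

On the sample the `repeat_samples` entry shows the hash 1d419d... arriving from three different hosts, which is the usual picture with autorooter worms: one binary, many infected machines pushing it. The `by_slash8` tally is the thing to watch over a week or two rather than a day; five records is too few to tell scanning bias from chance.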

I've had a very persistent Chinese IP trying to exploit SMB/NetBIOS:

hive:~# grep 222.186.30.213 /var/log/nepenthes.log | wc -l
7174

It looks like I'm a bit late to the party on the 'run your own honeypot' thing. A bit of research suggests Nepenthes has ceased active development and that new energy is focused on its successor, Dionaea. Unfortunately, this one is not apt-get installable. Oh well, VMs are cheap :) compiling it is then!

Now if only I knew what I was doing.
