

Anyone running a malware honeypot like Dionaea?

pylode Member

I set up a Dionaea honeypot on an Ubuntu VM about 15-20 minutes ago; wonder how long it'll take for malware to come in?

Anyone else here have similar things set up on their VMs?

Comments

  • howardsl2 Member
    edited May 2015

    I have one of those running. You may get a few samples per day, mostly from automated Samba/Windows worms. Check your binaries, bistreams, and rtp sub-folders after a while. Also, you can use it with DionaeaFR which is a nice front-web.

    For a more interesting medium interaction SSH honeypot, check out Kippo on GitHub (and kippo-graph for visualization). See this post for the malware samples I collected over the years:
    http://www.lowendtalk.com/discussion/24031/a-useful-list-of-recent-malware-caught-on-vps-server
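    The "check your binaries sub-folder after a while" advice above, turned into a small triage script. This is an added example, not code from the thread or from the Dionaea project; it assumes Dionaea names each captured file by its MD5 digest (my understanding of the default layout) and uses a constructed temporary folder in place of a real `binaries/` directory.

    ```python
    """Triage a Dionaea binaries/ folder: hash each captured sample, flag files whose
    name no longer matches their MD5, and count how many samples arrived per day."""
    import hashlib
    import os
    import tempfile
    from collections import Counter
    from datetime import datetime, timezone


    def inventory_samples(binaries_dir):
        """Return one record per captured file: name, size, sha256, md5_matches_name, day."""
        records = []
        for name in sorted(os.listdir(binaries_dir)):
            path = os.path.join(binaries_dir, name)
            if not os.path.isfile(path):
                continue
            with open(path, "rb") as f:
                data = f.read()
            st = os.stat(path)
            records.append({
                "name": name,
                "size": st.st_size,
                # SHA-256 is what you would share with a sandbox or threat-intel feed.
                "sha256": hashlib.sha256(data).hexdigest(),
                # Assumption: Dionaea names captures by MD5, so a mismatch means the file
                # was renamed or modified after capture and deserves a closer look.
                "md5_matches_name": hashlib.md5(data).hexdigest() == name,
                # Capture day from the file's mtime (UTC), for a per-day arrival count.
                "day": datetime.fromtimestamp(st.st_mtime, timezone.utc).strftime("%Y-%m-%d"),
            })
        return records


    def samples_per_day(records):
        """Map YYYY-MM-DD -> number of samples captured that day."""
        return dict(Counter(r["day"] for r in records))


    def make_constructed_dir():
        """Constructed stand-in for a real binaries/ folder: two fake samples, one renamed."""
        d = tempfile.mkdtemp()
        sample_a = b"MZ\x90\x00 constructed fake sample A"
        with open(os.path.join(d, hashlib.md5(sample_a).hexdigest()), "wb") as f:
            f.write(sample_a)
        with open(os.path.join(d, "renamed.bin"), "wb") as f:
            f.write(b"constructed fake sample B")
        return d
    ```

    Point it at the real `binaries/` folder (and `bistreams/` for captured sessions) once samples start arriving; the day counts tell you whether you are seeing the "few per day" the post describes.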

  • pylode Member

    I've had it running for about 8-9 hours now and no samples, but lots of MySQL scans.

  • cassa Member

    It's let, post the IP here and no doubt you'll get some in no time

  • KwiceroLTD Member
    edited May 2015

    I run a false SSH service; when they connect they're greeted with an ASCII-art troll face that says "try again?"

    If they manage to get the correct "secret" password they're greeted with a fake terminal window (logged in as "root") where any time you try to install or compile anything it gives you an FBI security warning. The way I see it, might as well let hackers think they've got the "big score".

  • Chuck Member

    @KwiceroLTD said:
    I run a false SSH service; when they connect they're greeted with an ASCII-art troll face that says "try again?"

    If they manage to get the correct "secret" password they're greeted with a fake terminal window (logged in as "root") where any time you try to install or compile anything it gives you an FBI security warning. The way I see it, might as well let hackers think they've got the "big score".

    How do you set up a false SSH service?

  • pylode Member

    @Chuck said:
    How do you set up a false SSH service?

    https://github.com/desaster/kippo

  • Ryan22 Member

    You will find most brute-force attempts originate from China.

  • Run a DirectAdmin server. You will have a brute force honeypot soon.

  • @Ryan22 said:
    You will find most brute-force attempts originate from China.

    False.
    Mine come from Singlehop, Digitalocean (all locations except Germany), Hetzner (which surprises me), Rackspace, and some obviously hijacked servers (funny story: one time a church server brute-forced a honeypot password -> it was obviously hijacked, or HostNun was testing their new "nun cannon").
