Virus Blog

SSH Brute Force Attacks

— Posted by zeroq @ 21:59 - 31 Oct, 2008

I have been playing around with a simple SSH honeypot implementation in order to learn a little more about brute-force attacks on SSH servers. The project has been running for some time now and I want to present some of the data collected so far.

In a period of two months from July to September of this year a total of 143 different attackers tried to compromise the honeypot. In my opinion this is not really much, considering the fake SSH daemon was listening on a few thousand IP addresses.

The 143 attackers tried 9150 different usernames; the top 10 is presented in the following picture.

For the different usernames a total of 25973 different passwords were tried. The top 10 is presented in the next picture.
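The figures above (distinct attackers, distinct usernames, distinct passwords and the top 10 of each) are the kind of summary you get by aggregating a honeypot's credential log. The following is an added example, not code from the original post or from the author's honeypot: it parses constructed sample log lines in an assumed format (timestamp, source IP, username, password), computes the same summary, and additionally flags source IPs whose attempt count reaches a threshold, which is the basic brute-force detection rule a defender would apply to a real sshd or honeypot log.

```python
import re
from collections import Counter

# Constructed sample of honeypot login attempts. The line format is an
# assumption for this example; it is not the format of the author's honeypot.
SAMPLE_LOG = """\
2008-07-12 03:14:22 login attempt 203.0.113.7 user=root pass=123456
2008-07-12 03:14:23 login attempt 203.0.113.7 user=root pass=password
2008-07-12 03:14:25 login attempt 203.0.113.7 user=admin pass=admin
2008-07-12 09:41:02 login attempt 198.51.100.23 user=root pass=123456
2008-07-12 09:41:03 login attempt 198.51.100.23 user=test pass=test
2008-07-13 11:05:47 login attempt 192.0.2.99 user=root pass=toor
2008-07-13 11:05:49 login attempt 192.0.2.99 user=oracle pass=oracle
2008-07-13 11:05:50 login attempt 192.0.2.99 user=root pass=123456
this line is not a login attempt and must be skipped
"""

# Anchored regex so that lines which do not match the expected shape are
# dropped instead of partially parsed. The password group takes the rest of
# the line, since passwords may contain spaces or '='.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) login attempt "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) user=(?P<user>\S*) pass=(?P<pw>.*)$"
)


def parse_attempts(text):
    """Yield (ip, username, password) for every well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("pw")


def summarize(text, top_n=10):
    """Aggregate attempts into distinct counts and top-N lists, as in the post."""
    attempts = list(parse_attempts(text))
    attackers = {ip for ip, _, _ in attempts}
    users = Counter(u for _, u, _ in attempts)
    passwords = Counter(p for _, _, p in attempts)
    return {
        "attempts": len(attempts),
        "attackers": len(attackers),
        "distinct_usernames": len(users),
        "distinct_passwords": len(passwords),
        "top_usernames": users.most_common(top_n),
        "top_passwords": passwords.most_common(top_n),
    }


def brute_forcers(text, threshold=3):
    """Return [(ip, attempts)] for IPs with at least `threshold` attempts.

    Sorted by attempt count (descending), then by IP, so the output is stable.
    """
    per_ip = Counter(ip for ip, _, _ in parse_attempts(text))
    hits = [(ip, n) for ip, n in per_ip.items() if n >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("brute-forcers:", brute_forcers(SAMPLE_LOG, threshold=3))
```

The threshold in `brute_forcers` is deliberately low for the constructed sample; on a production host you would also bound it by a time window, since a handful of attempts spread over weeks is not the same signal as a handful per second.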

That's it for now. I didn't have the time yet to further investigate the collected data, but I'll post some more information as soon as I have more time.



Infiltrator v0.3

— Posted by zeroq @ 15:12 - 20 Oct, 2008

Some time has passed since I blogged about the infiltrator script, but here is an updated version.
I don't have a changelog, but this release fixes some bugs and provides some minor updates. It should now be possible to monitor HTTP POST-based botnets as well.

Have fun: infiltrator-v0.3

For those who don't know what infiltrator is: it is a Python script for quick and dirty botnet monitoring. No fancy GUI, no extra comfort, just plain text =)



Amun Bug

— Posted by zeroq @ 09:32 - 10 Oct, 2008

I found a small bug today. I forgot to set the download identifier for two linkbot shellcodes. A fixed version is already in the SVN.

If you want to fix it yourself, change the following two lines in shellcode_mgr_core.py
(they currently start with dlident = instead of what is shown below):

line 1047 should read:
self.resultSet['dlident'] = ...

line 1070 should also start this way:
self.resultSet['dlident'] = ...



Rishi v0.9.6

— Posted by zeroq @ 09:48 - 08 Oct, 2008

And another update to rishi. Some bugs have been fixed, so it should run better now. Files are available at http://sourceforge.net/projects/rishi/
Changelog looks like this:

Rishi v0.9.6:
        - fixed return values of the mysql module
        - modified JOIN regex check
        - modified queue sizes
        - free unused variables when possible



Amun v0.1.6

— Posted by zeroq @ 15:17 - 07 Oct, 2008

Finally. It took quite a while this time, because I thought getting internet at home would be quick and easy... well, I am still waiting =) However, the next release is ready for download, either as a tar.gz from SourceForge (http://sourceforge.net/project/showfiles.php?group_id=221628) or via Subversion from SourceForge.

ChangeLog looks like this:

Changes in v0.1.6:
        - fixed submit-cwsandbox timeout issue
        - fixed submit-cwsandbox result url parsing
        - modified ftp download module
        - modified for-loops in shellcodemanager
        - modified range to xrange
        - added submit-joebox module thanx to the author of joebox and lukas from glasblog
        - added ipconfig command emulation



Powered by kulando