'Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker...
- Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
- Possibility of adding fake file contents so the attacker can cat files such as /etc/passwd. Only minimal file contents are included
- Session logs stored in an UML Compatible format for easy replay with original timings
- Cowrie saves files downloaded with wget/curl or uploaded with SFTP and scp for later inspection'
The idea was to install & run Cowrie on the VPS over a few periods of varying length (sometimes I left it running for several nights while I slept) in order to pick up any login attempts, geolocate them with the use of infosniper, & compile the information based on the results. It's worth mentioning three other excellent projects that extend Cowrie & can provide geolocation as part of their frameworks :
First things first. Cowrie has a fake filesystem like the one you'd expect to find in Debian. Logs such as lastlog can be viewed from /var/log. Below is a picture of my own access to Cowrie (with ip obviously redacted) :
cowrie.log yields some interesting information. Here we've got access attempts from several different (very) foreign ips, some milliseconds apart from the same ip & some seconds apart from varying ips, suggesting automated login attempts :
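The timing argument above can be made mechanically. The following is an added example, not code from the post or from the Cowrie project: it parses login-attempt lines in the shape of Cowrie's text log (the bracketed `HoneyPotSSHTransport,<n>,<ip>` / `login attempt [user/pw] failed|succeeded` layout is assumed from Cowrie's logging style, and the sample lines are constructed, not real captures), groups attempts by source ip, and flags ips that fire several attempts within a few seconds, which is what a script does and a human at a keyboard does not.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of Cowrie's cowrie.log text output
# (format assumed from Cowrie's logging style; these are not real captures).
SAMPLE_LOG = """\
2019-03-02T01:14:07+0000 [SSHService ssh-userauth on HoneyPotSSHTransport,3,198.51.100.7] login attempt [root/123456] failed
2019-03-02T01:14:07+0000 [SSHService ssh-userauth on HoneyPotSSHTransport,4,198.51.100.7] login attempt [root/password] failed
2019-03-02T01:14:08+0000 [SSHService ssh-userauth on HoneyPotSSHTransport,5,198.51.100.7] login attempt [admin/admin] failed
2019-03-02T01:14:08+0000 [SSHService ssh-userauth on HoneyPotSSHTransport,6,198.51.100.7] login attempt [root/toor] succeeded
2019-03-02T03:40:11+0000 [SSHService ssh-userauth on HoneyPotSSHTransport,9,203.0.113.44] login attempt [pi/raspberry] failed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \[.*?HoneyPotSSHTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]+)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$"
)

def parse_attempts(text):
    """Return a list of (timestamp, ip, user, password, result) tuples."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other Cowrie events (commands, downloads) are skipped here
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z")
        attempts.append((ts, m["ip"], m["user"], m["pw"], m["result"]))
    return attempts

def successful_logins(attempts):
    """(ip, user, password) for every attempt the honeypot accepted."""
    return [(ip, user, pw) for _, ip, user, pw, result in attempts if result == "succeeded"]

def automated_sources(attempts, window=timedelta(seconds=10), min_attempts=3):
    """Map ip -> attempt count for ips that made at least `min_attempts`
    attempts inside any sliding `window`; people do not type that fast."""
    by_ip = defaultdict(list)
    for ts, ip, *_ in attempts:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= min_attempts:
                flagged[ip] = j - i + 1
                break
    return flagged
```

Feeding a real cowrie.log through `parse_attempts` is enough to get the same per-ip burst view; tune `window` and `min_attempts` to taste.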
Cowrie can forward typical SSH requests from port 22 to port 2222. By running a netstat -t command, we can see an active connection from a foreign ip to port 2222:
Fantastically, Cowrie has a modifiable file called userdb.txt, which allows you to change the accepted superuser & user passwords. Also here is a successful PuTTY login attempt testing the changes I made. The default honeypot server name here is seen as svr04 :
I can't remember exactly when I gave up documenting geolocated ip addresses from China, but needless to say, an insanely large amount of login attempts directed at our delicious, yet actually rather bland & hollow honeypot seemed to originate from there :


A rather obscure connection was attempted by -something- or -someone- in Seychelles, which for the geographically non-inclined is a tiny island just North of Madagascar. I actually have a very good friend originally from here, & for a moment I thought I ought to give him a cold call & break the case wide open on his collusion with the Chinese to obtain my sensitive & non-existent data :
A final point of interest is the folder 'dl', which contains files pushed to the server by the strange people(?) accessing your honeypot. One is a fairly self-explanatorily named python system test tool, which is actually hosted on a site affiliated with Anonymous. The bottom right 'network test' tool was referenced in the dl folder. Last time I checked I wasn't a scientologist so I'm not sure what I did to deserve this, but I suppose that perhaps the site hosting the tool has little care or foresight for my poor little honeypot :
And finally, here's that 'dl' folder referencing this 'best archive'. Notice the other item with the choice name :