honeynet / beeswarm

Honeypot deployment made easy
GNU General Public License v3.0

Clients Generating Attacks #219

Closed jonatasbaldin closed 9 years ago

jonatasbaldin commented 9 years ago

Clients are generating attack logs in the server interface.

Logs from Honeypot:

2014-12-04 04:49:11,029 (beeswarm.drones.honeypot.capabilities.handlerbase) Accepted ftp session on port 21 from 10.90.1.8:51791. (955b564f-71b2-4b26-b86c-3327df038cbc)
2014-12-04 04:49:11,031 (beeswarm.drones.honeypot.models.session) pop3 authentication attempt from 10.90.1.8:53464. Credentials: {"username": "nagios", "password": "nagios"}
2014-12-04 04:49:11,032 (beeswarm.drones.honeypot.models.session) ftp authentication attempt from 10.90.1.8:51791. Credentials: {"username": "irene", "password": "qwerty"}
2014-12-04 04:49:11,124 (beeswarm.drones.honeypot.capabilities.handlerbase) Accepted http session on port 80 from 10.90.1.8:60620. (7e26a245-0ef3-41ea-87b2-c3d2534cb3c2)
2014-12-04 04:49:11,125 (beeswarm.drones.honeypot.models.session) http authentication attempt from 10.90.1.8:60620. Credentials: {"username": "adalberto", "password": "123"}
2014-12-04 04:49:11,177 (beeswarm.drones.honeypot.capabilities.handlerbase) Accepted https session on port 443 from 10.90.1.8:54790. (6ecb6181-3ea3-49f7-b9ba-c4fdf44211b9)
2014-12-04 04:49:11,183 (beeswarm.drones.honeypot.models.session) https authentication attempt from 10.90.1.8:54790. Credentials: {"username": "adalberto", "password": "123"}

Logs from Client (these keep repeating):

2014-12-04 04:50:31,834 (beeswarm.drones.client.models.dispatcher) Bait session of type <class 'beeswarm.drones.client.baits.ftp.ftp'> stopped with unhandled error: [Errno 111] Connection refused
2014-12-04 04:50:31,913 (requests.packages.urllib3.connectionpool) Starting new HTTP connection (1): 10.90.1.7
2014-12-04 04:50:31,956 (requests.packages.urllib3.connectionpool) Starting new HTTPS connection (1): 10.90.1.7
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/connectionpool.py:734: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/gevent/greenlet.py", line 327, in run
    result = self._run(*self.args, **self.kwargs)
  File "/usr/local/lib/python2.7/dist-packages/beeswarm/drones/client/baits/smtp.py", line 64, in start
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/beeswarm/drones/client/baits/smtp.py", line 120, in connect
    local_hostname='local.domain', timeout=15)
  File "/usr/lib/python2.7/smtplib.py", line 249, in __init__
    (code, msg) = self.connect(host, port)
  File "/usr/lib/python2.7/smtplib.py", line 309, in connect
    self.sock = self._get_socket(host, port, self.timeout)
  File "/usr/lib/python2.7/smtplib.py", line 284, in _get_socket
    return socket.create_connection((port, host), timeout)
  File "/usr/local/lib/python2.7/dist-packages/gevent/socket.py", line 591, in create_connection
    raise err
error: [Errno 111] Connection refused
<Greenlet at 0x4109870: <bound method smtp.start of <beeswarm.drones.client.baits.smtp.smtp object at 0x421ac90>>> failed with error

2014-12-04 04:50:31,995 (beeswarm.drones.client.models.dispatcher) Bait session of type <class 'beeswarm.drones.client.baits.smtp.smtp'> stopped with unhandled error: [Errno 111] Connection refused

The amount of logs is tremendous: 445 attacks and 1k+ baits in 2 hours, all generated from the Client's IP.
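To make the false-positive question in this thread concrete, here is an added example (not beeswarm's own code) that parses the honeypot log lines above, pairs every authentication attempt with a bait session the client is assumed to have reported to the server, and labels whatever does not pair up. The bait-record layout, the 30-second matching window, the three verdicts and the last two honeypot lines (a credential replay from another address and an SSH guess) are assumptions constructed for the example; the first seven honeypot lines are the ones from the issue.

```python
"""Correlate honeypot sessions with client bait sessions (added example, not beeswarm code)."""
import json
import re
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S,%f"  # beeswarm's log timestamp, e.g. 2014-12-04 04:49:11,029
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) \((?P<logger>[^)]+)\) (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"Accepted (?P<proto>\w+) session on port (?P<port>\d+) from "
                       r"(?P<ip>[\d.]+):(?P<sport>\d+)\. \((?P<sid>[0-9a-f-]+)\)")
AUTH_RE = re.compile(r"(?P<proto>\w+) authentication attempt from (?P<ip>[\d.]+):(?P<sport>\d+)\. "
                     r"Credentials: (?P<creds>\{.*\})$")

# First seven lines are copied from the issue; the last two are constructed for this example.
HONEYPOT_LOG = """\
2014-12-04 04:49:11,029 (beeswarm.drones.honeypot.capabilities.handlerbase) Accepted ftp session on port 21 from 10.90.1.8:51791. (955b564f-71b2-4b26-b86c-3327df038cbc)
2014-12-04 04:49:11,031 (beeswarm.drones.honeypot.models.session) pop3 authentication attempt from 10.90.1.8:53464. Credentials: {"username": "nagios", "password": "nagios"}
2014-12-04 04:49:11,032 (beeswarm.drones.honeypot.models.session) ftp authentication attempt from 10.90.1.8:51791. Credentials: {"username": "irene", "password": "qwerty"}
2014-12-04 04:49:11,124 (beeswarm.drones.honeypot.capabilities.handlerbase) Accepted http session on port 80 from 10.90.1.8:60620. (7e26a245-0ef3-41ea-87b2-c3d2534cb3c2)
2014-12-04 04:49:11,125 (beeswarm.drones.honeypot.models.session) http authentication attempt from 10.90.1.8:60620. Credentials: {"username": "adalberto", "password": "123"}
2014-12-04 04:49:11,177 (beeswarm.drones.honeypot.capabilities.handlerbase) Accepted https session on port 443 from 10.90.1.8:54790. (6ecb6181-3ea3-49f7-b9ba-c4fdf44211b9)
2014-12-04 04:49:11,183 (beeswarm.drones.honeypot.models.session) https authentication attempt from 10.90.1.8:54790. Credentials: {"username": "adalberto", "password": "123"}
2014-12-04 04:55:02,500 (beeswarm.drones.honeypot.models.session) ftp authentication attempt from 198.51.100.23:40112. Credentials: {"username": "irene", "password": "qwerty"}
2014-12-04 04:56:40,001 (beeswarm.drones.honeypot.models.session) ssh authentication attempt from 203.0.113.9:50123. Credentials: {"username": "root", "password": "toor"}
"""

# Constructed bait records (hypothetical layout, not beeswarm's session schema):
# what the client drone would have told the server it was about to send.
BAIT_SESSIONS = [
    {"protocol": "ftp", "client_ip": "10.90.1.8", "username": "irene", "password": "qwerty", "timestamp": "2014-12-04 04:49:11,000"},
    {"protocol": "pop3", "client_ip": "10.90.1.8", "username": "nagios", "password": "nagios", "timestamp": "2014-12-04 04:49:11,000"},
    {"protocol": "http", "client_ip": "10.90.1.8", "username": "adalberto", "password": "123", "timestamp": "2014-12-04 04:49:11,100"},
    {"protocol": "https", "client_ip": "10.90.1.8", "username": "adalberto", "password": "123", "timestamp": "2014-12-04 04:49:11,150"},
]

SEVERITY = {"bait": 0, "credential_reuse": 1, "attack": 2}


def parse_timestamp(ts):
    return datetime.strptime(ts, TS_FORMAT)


def parse_honeypot_log(text):
    """Group honeypot log lines into sessions keyed by (source_ip, source_port).

    An authentication attempt can show up without a preceding "Accepted ... session"
    line (the excerpt does exactly that for pop3), so sessions are created lazily.
    Lines that are not beeswarm-style (tracebacks, warnings) are skipped.
    """
    sessions = {}

    def session_for(match, ts):
        key = (match.group("ip"), int(match.group("sport")))
        return sessions.setdefault(key, {"protocol": match.group("proto"), "first_seen": ts,
                                         "session_id": None, "attempts": []})

    for raw in text.splitlines():
        line = LINE_RE.match(raw)
        if not line:
            continue
        ts, msg = parse_timestamp(line.group("ts")), line.group("msg")
        accepted = ACCEPT_RE.search(msg)
        if accepted:
            session_for(accepted, ts)["session_id"] = accepted.group("sid")
            continue
        auth = AUTH_RE.search(msg)
        if auth:
            creds = json.loads(auth.group("creds"))
            session_for(auth, ts)["attempts"].append(
                {"timestamp": ts, "username": creds["username"], "password": creds["password"]})
    return sessions


def classify_attempt(protocol, source_ip, attempt, baits, window):
    """bait: same protocol, credentials and client IP within `window`;
    credential_reuse: bait credentials seen from another IP or outside the window;
    attack: no bait ever carried these credentials."""
    matching = [b for b in baits if b["protocol"] == protocol
                and b["username"] == attempt["username"] and b["password"] == attempt["password"]]
    if not matching:
        return "attack"
    if any(b["client_ip"] == source_ip and abs(attempt["timestamp"] - b["timestamp"]) <= window
           for b in matching):
        return "bait"
    return "credential_reuse"


def classify_sessions(sessions, baits, window=timedelta(seconds=30)):
    """Return {(ip, port): verdict}; a session with several attempts keeps its worst verdict."""
    parsed = [dict(b, timestamp=parse_timestamp(b["timestamp"])) for b in baits]
    verdicts = {}
    for (ip, port), s in sessions.items():
        if s["attempts"]:
            verdicts[(ip, port)] = max((classify_attempt(s["protocol"], ip, a, parsed, window)
                                        for a in s["attempts"]), key=SEVERITY.__getitem__)
    return verdicts


def summarize(verdicts):
    counts = {"bait": 0, "credential_reuse": 0, "attack": 0}
    for v in verdicts.values():
        counts[v] += 1
    return counts


if __name__ == "__main__":
    results = classify_sessions(parse_honeypot_log(HONEYPOT_LOG), BAIT_SESSIONS)
    for key, verdict in sorted(results.items()):
        print("%s:%d -> %s" % (key[0], key[1], verdict))
    print(summarize(results))
```

With the bait records present, all four sessions from 10.90.1.8 in the excerpt pair up and only the two constructed lines remain as findings: the replayed FTP credentials from 198.51.100.23 and the SSH guess. Without bait records (which is what the server interface in the report effectively saw), every one of the client's own sessions would be counted as an attack, which is the false-positive mode the maintainer asks about below.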

johnnykv commented 9 years ago

Thanks for the feedback, the logging issue has been fixed in master. The logs you are seeing were meant to be debug logging, which is only emitted when starting with the -v parameter.

johnnykv commented 9 years ago

@jonatasbaldin On a side note, did you see any false positives when testing?

jonatasbaldin commented 9 years ago

In my tests everything was OK.

Just some credentials allowed access and others don't, but I can't see if there's a difference between them.

Cheers! On 04/12/2014 16:34, "Johnny Vestergaard" notifications@github.com wrote:

@jonatasbaldin https://github.com/jonatasbaldin On a side note, did you see any false positives when testing?
