telekom-security / tpotce

🍯 T-Pot - The All In One Multi Honeypot Platform 🐝
GNU General Public License v3.0
6.64k stars 1.06k forks

Have I been pwned? #280

Closed amishrabbit closed 5 years ago

amishrabbit commented 5 years ago

Issues

I've been running this honeypot for about a month in the latest version. So far, so good.

This morning I went to check on things and I noticed that the web honeypot "public" front end had changed from a "hello world" CMS to a "You've successfully installed Apache Tomcat" splash page.

[screenshot: tomcat_8 5 32-0_screen]

Is this normal behavior? I'm accustomed to the web front end on the honeypot (is it Tanner?) remaining relatively static. Do the pages change now?

I logged in to the console and took a number of screenshots. The box seemed sluggish and, in fact, all four processors were running at nearly 100%, so I tried a reboot, but the box was still mostly unresponsive in the console and none of the web interfaces came back up. I paused the VM and took a snapshot, then ran update.sh and rebooted a second time. That seemed to stabilize it and reverted the honeypot web front end back to faux-Drupal.

I took a closer look and saw that there was a short period where the web honeypot was unavailable. The change happened between 03:27 (UTC-7) and 03:33 today. The last faux-Drupal page was served at 03:26:58, and then a request was received at 03:27:02 which the honeypot server did not respond to.

At 03:31:36 the honeypot made an HTTP HEAD request to rules.emergingthreatspro.com and to rules.emergingthreats.net. At 03:33:28 the honeypot received an HTTP request for a page and served the Tomcat splash page. Until I rebooted the honeypot, the only pages it delivered were either the Tomcat splash page or a Tomcat-generated error page.

I have a full PCAP I can provide for the 10 minutes between 03:25 and 03:35, but I'd prefer not to post it here. Please let me know if you'd like a copy of it.

[screenshot: timeslice]

Basic support information

./dps.sh: 11: ./dps.sh: function: not found
adbhoney Up 6 minutes 0.0.0.0:5555->5555/tcp
ciscoasa Up 6 minutes
conpot_guardian_ast Up 6 minutes 0.0.0.0:10001->10001/tcp
conpot_iec104 Up 6 minutes 0.0.0.0:161->161/tcp, 0.0.0.0:2404->2404/tcp
conpot_ipmi Up 5 minutes 0.0.0.0:623->623/tcp
conpot_kamstrup_382 Up 6 minutes 0.0.0.0:1025->1025/tcp, 0.0.0.0:50100->50100/tcp
cowrie Up 6 minutes 0.0.0.0:22-23->22-23/tcp
cyberchef Up 5 minutes (healthy) 127.0.0.1:64299->8000/tcp
dionaea Up 5 minutes
elasticpot Up 5 minutes 0.0.0.0:9200->9200/tcp
elasticsearch Up 6 minutes (healthy) 127.0.0.1:64298->9200/tcp
ewsposter Up 5 minutes
glutton Up 5 minutes
head Up 3 minutes (healthy) 127.0.0.1:64302->9100/tcp
heralding Up 6 minutes 0.0.0.0:110->110/tcp, 0.0.0.0:143->143/tcp, 0.0.0.0:993->993/tcp, 0.0.0.0:995->995/tcp, 0.0.0.0:5432->5432/tcp, 0.0.0.0:5900->5900/tcp
kibana Up 3 minutes (healthy) 127.0.0.1:64296->5601/tcp
logstash Up 3 minutes (healthy)
mailoney Up 6 minutes 0.0.0.0:25->25/tcp
medpot Up 5 minutes 0.0.0.0:2575->2575/tcp
nginx Up 5 minutes
p0f Up 6 minutes
rdpy Up 5 minutes 0.0.0.0:3389->3389/tcp
snare Up 4 minutes 0.0.0.0:80->80/tcp
spiderfoot Up 6 minutes (healthy) 127.0.0.1:64303->8080/tcp
suricata Up 6 minutes
tanner Up 5 minutes
tanner_api Up 5 minutes
tanner_phpox Up 6 minutes
tanner_redis Up 6 minutes 6379/tcp
tanner_web Up 5 minutes
./dps.sh: 13: ./dps.sh: Syntax error: "}" unexpected

t3chn0m4g3 commented 5 years ago

No, this is normal, since Snare / Tanner cycles through various cloned sites to keep things exciting.
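As an added example (not code from T-Pot or from either participant in this thread), here is a quick way to check the maintainer's explanation on your own host rather than take it on faith: if the Tomcat page is one of Snare's cloned sites, the TCP/80 socket is owned by docker-proxy and `docker ps` shows the `snare` container publishing it, exactly as in the dps.sh listing above; a native `java` (or any other non-docker) process owning :80 would mean something outside the honeypot is answering. The script name, the sample `ss`/`docker ps` lines and the assumption of T-Pot's default `0.0.0.0:80->80/tcp` mapping are mine. (One caveat on the pasted support output: the `function: not found` and `"}" unexpected` lines are what dash prints when a bash script is run with `sh dps.sh` instead of being executed directly; they are unrelated to the page change.)

```shell
#!/bin/sh
# Added example, not T-Pot's own code: decide whether the service answering on
# TCP/80 is the dockerised Snare honeypot (expected) or an unexpected native
# daemon such as a real Tomcat. Assumes T-Pot's default layout, in which
# docker-proxy publishes the snare container as 0.0.0.0:80->80/tcp.

# Classify a single `ss -ltnp` line for the port-80 socket.
# Prints "honeypot" when docker-proxy owns the socket (a published container
# port), "suspect" for any other process, "none" when nothing listens.
classify_listener() {
    case "$1" in
        "")                          echo none ;;
        *'users:(("docker-proxy"'*)  echo honeypot ;;
        *)                           echo suspect ;;
    esac
}

# Name the container that publishes host port 80, given the output of
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# Prints the container name, or "none" if no container publishes :80.
port80_container() {
    printf '%s\n' "$1" | awk -F'\t' '
        $2 ~ /0\.0\.0\.0:80->80\/tcp/ { print $1; found = 1; exit }
        END { if (!found) print "none" }'
}

# Constructed sample inputs (not captured from the reporter's machine).
SAMPLE_SS_HONEYPOT='LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("docker-proxy",pid=2345,fd=4))'
SAMPLE_SS_TOMCAT='LISTEN 0 100 *:80 *:* users:(("java",pid=9999,fd=50))'
SAMPLE_DOCKER_PS=$(printf 'cowrie\t0.0.0.0:22-23->22-23/tcp\nsnare\t0.0.0.0:80->80/tcp\nnginx\t\n')

# Run against the live host (only when invoked as: sh check_port80.sh --live).
# check_port80.sh is a hypothetical file name for this script.
live_check() {
    command -v ss >/dev/null 2>&1 || { echo 'ss not found' >&2; return 2; }
    # Field 4 of `ss -ltnp` is the local address:port; take the first :80 socket.
    sock=$(ss -ltnp 2>/dev/null | awk '$4 ~ /:80$/ { print; exit }')
    echo "port 80 listener: $(classify_listener "$sock")"
    if command -v docker >/dev/null 2>&1; then
        echo "published by container: $(port80_container "$(docker ps --format '{{.Names}}\t{{.Ports}}')")"
    fi
}

if [ "${1:-}" = --live ]; then
    live_check
else
    echo "sample (docker-proxy):  $(classify_listener "$SAMPLE_SS_HONEYPOT")"   # honeypot
    echo "sample (native java):   $(classify_listener "$SAMPLE_SS_TOMCAT")"     # suspect
    echo "sample (docker ps):     $(port80_container "$SAMPLE_DOCKER_PS")"      # snare
fi
```

Run it with `--live` on the T-Pot host as root (container port bindings are only visible to a user who can talk to the Docker socket). A verdict of `honeypot` plus `snare` as the publishing container means the splash page is Snare serving a cloned Tomcat site; a verdict of `suspect` is the point at which the PCAP and a filesystem diff against the snapshot become worth the effort.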