Honeypot for Balkan IP addresses
#11
Sure, expect it from next week; my machine is currently off for justified reasons :D
#12
Here is a persistent one with brute force attacks, 24.135.243.3, provider SBB, city Novi Sad: https://www.abuseipdb.com/check/24.135.243.3.

Quote:
Dec 17 15:39:46 base sshd[14692]: Invalid user ux from 24.135.243.3 port 53988
Dec 17 15:49:31 base sshd[15155]: Invalid user git from 24.135.243.3 port 45510
Dec 17 16:06:18 base sshd[16029]: Invalid user public from 24.135.243.3 port 36052
Dec 17 16:14:56 base sshd[16503]: Invalid user taylor from 24.135.243.3 port 37308
Dec 17 16:19:15 base sshd[16732]: Invalid user vs from 24.135.243.3 port 51750
“If you think you are too small to make a difference, try sleeping with a mosquito.” - Dalai Lama XIV
#13
According to Shodan, the other side is running Ubuntu

SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
nginx1.18.0
PostgreSQL
Minecraft Server Version: 1.19.2 (Protocol 760)

I wouldn't be surprised if it is simply someone's hacked home computer
#14
looks like it was owned recently
https://www.criminalip.io/en/asset/report/24.135.243.3
#15
Due to some private changes, I am no longer able to host tpot (lack of resources).
But instead I ran the https://www.dshield.org project on a Raspberry Pi on the backup link, and the results for 11.1.2023 are attached.
The idea is to automate the reports into some decent visual form and have them published automatically on some page...

P.S.: it would be good if anyone willing and ready took part in this project; a lot of interesting things can be discovered.
DShield also runs on a Raspberry Pi, so you can run it on whatever you like; you need to forward certain ports, or set up a DMZ, to it.
Set up the dashboard and statistics to arrive by email every day/week and that's it :)
#16
From now on I will upload the honeypot logs (more precisely, the email summary) every day to:
https://drive.google.com/drive/folders/1...share_link

To convert IP to country (as I left in the file), use this:
=IMPORTDATA("https://ipinfo.io/" & A1 & "/country")
#17
Here is another persistent one with attacks, IP: 178.220.122.156, provider Telekom, city: Čačak (?): https://www.abuseipdb.com/check/178.220.122.156

Quote:
Jan 14 09:38:55 base sshd[32727]: Invalid user vbox from 178.220.122.156 port 49930
Jan 14 09:46:58 base sshd[678]: Invalid user ccc from 178.220.122.156 port 59101
Jan 14 09:58:31 base sshd[1463]: Invalid user ttguo from 178.220.122.156 port 39811
Jan 14 09:59:56 base sshd[1515]: Invalid user ovh from 178.220.122.156 port 59133
Jan 14 10:01:22 base sshd[1688]: Invalid user wanqilin from 178.220.122.156 port 49330
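Added example (not posted by anyone in the thread): one way to turn `Invalid user` lines like those quoted in posts #12 and #17 into a per-source summary. The function name `summarize`, the `min_users` threshold and the year passed in are assumptions; the last sample line is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# The username is chosen by the remote client, so the pattern is anchored at end
# of line and the user group is greedy: the source IP always comes from the
# final "from ... port N" pair, never from text inside the username.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>.*) from (?P<ip>\S+) port \d+\s*$"
)

# Lines copied from the posts above, plus one constructed line (192.0.2.0/24 is
# a documentation range) showing a source that stays below the threshold.
SAMPLE = """\
Dec 17 15:39:46 base sshd[14692]: Invalid user ux from 24.135.243.3 port 53988
Dec 17 15:49:31 base sshd[15155]: Invalid user git from 24.135.243.3 port 45510
Dec 17 16:06:18 base sshd[16029]: Invalid user public from 24.135.243.3 port 36052
Dec 17 16:14:56 base sshd[16503]: Invalid user taylor from 24.135.243.3 port 37308
Dec 17 16:19:15 base sshd[16732]: Invalid user vs from 24.135.243.3 port 51750
Jan 14 09:38:55 base sshd[32727]: Invalid user vbox from 178.220.122.156 port 49930
Jan 14 09:46:58 base sshd[678]: Invalid user ccc from 178.220.122.156 port 59101
Jan 14 09:58:31 base sshd[1463]: Invalid user ttguo from 178.220.122.156 port 39811
Jan 14 10:05:00 base sshd[2001]: Invalid user admin from 192.0.2.10 port 40000
"""

def summarize(lines, year, min_users=3):
    """Group 'Invalid user' events by source IP and flag username spraying."""
    per_ip = defaultdict(lambda: {"users": set(), "times": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # any other sshd message is ignored
        # Syslog timestamps carry no year, so the caller supplies one.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        per_ip[m["ip"]]["users"].add(m["user"])
        per_ip[m["ip"]]["times"].append(when)
    report = {}
    for ip, d in per_ip.items():
        report[ip] = {
            "attempts": len(d["times"]),
            "distinct_users": len(d["users"]),
            "span_seconds": int((max(d["times"]) - min(d["times"])).total_seconds()),
            "flagged": len(d["users"]) >= min_users,
        }
    return report

if __name__ == "__main__":
    for ip, row in summarize(SAMPLE.splitlines(), year=2023).items():
        print(ip, row)
```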
#18
The g link has been updated, with a bit of graphics too, they "love" graphics ;)
#19
We have changed some things, we have a new honey (the previous one did not prove ideal).
For now just a teaser :)
We have one IP from Serbia and Croatia performing malicious activity over ssh (attached).

The idea is the same as before, to automate the whole process... but time is kind of *beep*ing us, so we never manage to get to it...


Attached Files
.txt   rs_ips.txt (Size: 2.2 KB / Downloads: 92)
.txt   HR.txt (Size: 27.94 KB / Downloads: 67)
#20
Interesting, that IP (77.105.59.228) was already active before (in 2021): https://www.abuseipdb.com/check/77.105.59.228. The provider is Orion Telekom. It is also mentioned here: https://nethackwiki.com/wiki/Forum:Vulture%27s%3F%3F%3F (probably not relevant since it is from 2009) and here: https://www.proxydocker.com/en/iplookup/77.105.59 (Proxy?).