iPhone Honeypot Project

July 18, 2010

Pilot Test: Preliminary Results

Note: I have removed the attacking IP addresses as I don’t want the user to become aware that they are accessing a honeypot if they were to google their IP. This post will be updated with full IP address information once the project has completed.

Yesterday at 15:06, I changed the router configuration to forward all packets destined for my router, via the network tap, to my iPhone. Additionally, all iPhone syslog output was being forwarded to a secure central logging server. I am currently in the process of splitting the pcap file into usable chunks for analysis in Wireshark. However, the following are the preliminary results recorded via syslog.

abnev-lpt2:pilot-test abnev$ grep launch logclient-192.168.1.102.log | awk '{print $10}' | egrep '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}' | uniq -c | sort -r
44 x.x.x.x
5 192.168.1.100
1 x.x.x.x
The above shows 44 attempts from the top IP and 1 from the last. The middle entry, 192.168.1.100, is an internal network address and is ignored.
bash-3.2$ grep launch logclient-192.168.1.102.log | awk '{print $10}' | egrep '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}' | uniq > ips.txt
bash-3.2$ ~/ipwhois.sh ips.txt
192.168.1.100 GeoIP Country Edition: IP Address not found
x.x.x.x GeoIP Country Edition: ID, Indonesia
x.x.x.x GeoIP Country Edition: KR, Korea, Republic of
I have appended the ipwhois.sh script I wrote for this.
#!/bin/bash
# ipwhois.sh: annotate each IP address in a file with its GeoIP country.
# Usage: ipwhois.sh ips.txt   (requires geoiplookup from the GeoIP tools)

# uniq only collapses adjacent duplicates; the input is expected to be
# deduplicated already, as ips.txt is by the pipeline above
cat "$1" | uniq |
while read -r ip
do
    # print the address followed by the geoiplookup result for it
    echo "$ip" | sed -e "s|$ip|& $(geoiplookup "$ip")|g"
done

exit 0
Additionally, there were many invalid login attempts. The following is a list of the invalid accounts attempted:
bash-3.2# grep "invalid user" logclient-192.168.1.102.log | grep ssh2 | awk '{print $12}' | uniq -c | sort -r
2 user3
2 sami
2 greku
2 bin
1 puangsan
1 oracle
1 openflow
1 iasiasur
The following is a list of valid accounts attempted:
bash-3.2# grep "Failed password for" logclient-192.168.1.102.log | grep -v invalid | awk '{print $10}' | uniq -c
22 root
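As an added example (not code from the original post), the same tallies the grep/awk pipelines above produce, done with a regex over the sshd "Failed password" lines rather than by field position, and counted with a Counter so that non-adjacent repeats are not missed the way they can be with uniq -c on unsorted input. The sample lines are constructed in the shape the awk field numbers imply (one extra field before the hostname) and use placeholder source addresses.

```python
import re
from collections import Counter

# Constructed sample of centrally collected sshd syslog lines. The extra
# "logclient" field before the hostname mirrors the offsets the awk commands
# rely on ($12 for invalid-user names, $10 for valid ones). Addresses are
# documentation-range placeholders, not real attackers.
SAMPLE_LOG = """\
Jul 17 15:12:03 logclient iPhone sshd[412]: Failed password for invalid user sami from 203.0.113.5 port 4412 ssh2
Jul 17 15:12:07 logclient iPhone sshd[412]: Failed password for invalid user sami from 203.0.113.5 port 4412 ssh2
Jul 17 15:12:11 logclient iPhone sshd[415]: Failed password for root from 203.0.113.5 port 4418 ssh2
Jul 17 15:20:40 logclient iPhone sshd[420]: Failed password for invalid user oracle from 198.51.100.7 port 2201 ssh2
Jul 17 15:21:02 logclient iPhone sshd[421]: Failed password for root from 198.51.100.7 port 2205 ssh2
Jul 17 15:25:33 logclient iPhone sshd[430]: Failed password for invalid user bin from 203.0.113.5 port 4470 ssh2
Jul 17 15:40:00 logclient iPhone sshd[431]: Accepted password for mobile from 192.168.1.100 port 50110 ssh2
"""

# OpenSSH failure message; the optional "invalid user " prefix tells valid
# (existing) accounts apart from guessed ones.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


def parse_failures(log_text):
    """Yield (user, is_invalid, ip) for every failed sshd password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("invalid") is not None, m.group("ip")


def summarise(log_text):
    """Return (invalid_accounts, valid_accounts, by_source_ip) Counters.

    Counter aggregates every occurrence, so order in the log does not matter.
    """
    invalid, valid, by_ip = Counter(), Counter(), Counter()
    for user, is_invalid, ip in parse_failures(log_text):
        (invalid if is_invalid else valid)[user] += 1
        by_ip[ip] += 1
    return invalid, valid, by_ip


if __name__ == "__main__":
    for label, counts in zip(("invalid", "valid", "source"), summarise(SAMPLE_LOG)):
        for key, n in counts.most_common():
            print(f"{label:8} {n:3} {key}")
```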
I'll post a preliminary analysis of the pcap dump shortly.

Blog at WordPress.com.