Note: I have removed the attacking IP addresses as I don’t want the user to become aware that they are accessing a honeypot if they were to google their IP. This post will be updated with full IP address information once the project has completed.
Yesterday at 15:06, I changed the router configuration to forward all packets destined for my router through the network tap to my iPhone. Additionally, all iPhone syslog output was forwarded to a secure central logging server. I am currently splitting the pcap file into usable chunks for analysis in Wireshark; in the meantime, the following are the preliminary results recorded via syslog.
abnev-lpt2:pilot-test abnev$ grep launch logclient-192.168.1.102.log | awk '{print $10}' | egrep '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}' | uniq -c | sort -r
     44 x.x.x.x
      5 192.168.1.100
      1 x.x.x.x
bash-3.2$ grep launch logclient-192.168.1.102.log | awk '{print $10}' | egrep '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}' | uniq > ips.txt
bash-3.2$ ~/ipwhois.sh ips.txt
192.168.1.100 GeoIP Country Edition: IP Address not found
x.x.x.x GeoIP Country Edition: ID, Indonesia
x.x.x.x GeoIP Country Edition: KR, Korea, Republic of
#!/bin/bash
# Read a file of IP addresses line by line and print each address followed by
# the result of geoiplookup (the legacy GeoIP command-line client).
# Note: uniq only collapses adjacent duplicates; the input file produced above
# has already been passed through uniq.
uniq "$1" | while read -r ip; do
    echo "$ip $(geoiplookup "$ip")"
done
exit 0
bash-3.2# grep "invalid user" logclient-192.168.1.102.log | grep ssh2 | awk '{print $12}' | uniq -c | sort -r
      2 user3
      2 sami
      2 greku
      2 bin
      1 puangsan
      1 oracle
      1 openflow
      1 iasiasur
bash-3.2# grep "Failed password for" logclient-192.168.1.102.log | grep -v invalid | awk '{print $10}' | uniq -c
     22 root
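The grep/awk pipelines above depend on fixed field positions ($10, $12) and on uniq -c, which only merges adjacent duplicates, so counts are undercounted when the same source or username reappears later in the log. The following parser is an added example (not code from the original post) that pulls the same three facts out of OpenSSH syslog lines with a regular expression: failures per source IP, attempted usernames that do not exist on the device, and failures against real accounts such as root. It also records accepted logins, which on a honeypot are the events worth alerting on. The log lines embedded below are constructed in the format sshd writes to syslog and use RFC 5737 documentation addresses; they are not taken from the honeypot.

```python
import re
from collections import Counter

# Constructed sample log, not from the honeypot: OpenSSH syslog format with
# RFC 5737 documentation addresses in place of real attacker IPs.
SAMPLE_LOG = """\
Jan 14 15:07:01 iphone sshd[301]: Invalid user sami from 198.51.100.7
Jan 14 15:07:01 iphone sshd[301]: Failed password for invalid user sami from 198.51.100.7 port 51234 ssh2
Jan 14 15:07:03 iphone sshd[302]: Failed password for root from 198.51.100.7 port 51236 ssh2
Jan 14 15:07:04 iphone sshd[303]: Failed password for root from 198.51.100.7 port 51240 ssh2
Jan 14 15:07:09 iphone sshd[304]: Failed password for invalid user oracle from 203.0.113.9 port 40010 ssh2
Jan 14 15:07:12 iphone sshd[305]: Accepted password for root from 192.168.1.100 port 55000 ssh2
Jan 14 15:07:15 iphone sshd[306]: Failed password for root from 203.0.113.9 port 40012 ssh2
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# "invalid user" is optional: sshd omits it when the account exists (e.g. root).
FAILED_RE = re.compile(
    r"Failed password for (?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<ip>" + IPV4 + r") port \d+ ssh2"
)
ACCEPTED_RE = re.compile(
    r"Accepted \S+ for (?P<user>\S+) from (?P<ip>" + IPV4 + r") port \d+ ssh2"
)


def summarize(text):
    """Aggregate sshd authentication events from syslog text.

    Counter counts every occurrence, so unlike `uniq -c` without a preceding
    sort, non-adjacent repeats of the same IP or username are not lost.
    """
    failures_by_ip = Counter()
    invalid_users = Counter()          # usernames that do not exist on the box
    failures_by_valid_user = Counter()  # wrong password for an existing account
    accepted = []                       # (user, ip) for successful logins

    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures_by_ip[m["ip"]] += 1
            if m["invalid"]:
                invalid_users[m["user"]] += 1
            else:
                failures_by_valid_user[m["user"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["user"], m["ip"]))

    return {
        "failures_by_ip": failures_by_ip,
        "invalid_users": invalid_users,
        "failures_by_valid_user": failures_by_valid_user,
        "accepted": accepted,
    }


def top(counter, n=10):
    """Equivalent of `sort | uniq -c | sort -rn | head -n N`."""
    return counter.most_common(n)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("failures by source IP:", top(result["failures_by_ip"]))
    print("invalid usernames tried:", top(result["invalid_users"]))
    print("failures against real accounts:", top(result["failures_by_valid_user"]))
    print("accepted logins:", result["accepted"])
```

On the sample above this reports 198.51.100.7 with three failures and 203.0.113.9 with two, the non-existent accounts sami and oracle, three failures against root, and one accepted login from 192.168.1.100 (the local management host). To run it against the real capture, replace SAMPLE_LOG with the contents of logclient-192.168.1.102.log; the same regular expressions apply as long as the forwarded lines keep sshd's native message text.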