Security Incidents mailing list archives
Code Red honeypot + SMTP logger/alerter
From: Chad Loder <cloder () acm org>
Date: Sun, 05 Aug 2001 21:20:57 -0700
Hi. I've written a tool in Java which does the following:

- listens on port 80 for incoming Code Red attacks
- detects the Code Red attack signature and logs the attacker's IP, the attack URL, and the timestamp
- periodically (every 100 requests or every 30 minutes, whichever comes first) sends the logs via SMTP to the email address(es) of your choice

This is for those daring/curious people who aren't running a web server (or Snort) already, who feel like poking port 80/tcp open in their firewall and forwarding it to a machine running this honeypot. I've done this on my cable modem and I'm logging about 3 attacks per minute on a single IP address.

I have my program configured to send mail to the ARIS email address <aris-report () securityfocus com>. The log format is compatible with the SecurityFocus ARIS email notification format (see http://www.securityfocus.com/templates/archive.pike?end=2001-08-11&list=1&mid=201907&threads=0&start=2001-08-05&fromthread=0 ), but the source code I've attached does not send email to the ARIS email address by default (check with ARIS first, then uncomment the ARIS recipient line in the source code). You can use this to send logs to your ISP, to yourself, to ARIS, to DShield.org (see program comments) or what have you.

You need to change at least two lines in the source code: these are the lines which specify your email address and your SMTP server. If you want to add additional email recipients, it's a trivial change to the source code.

The Java source file is attached to this email. It should be safe to open .java source files by default, but if you're wary of this sort of thing, let me know and I'll paste the source code into a new message.

Chad Loder
Rapid 7, Inc.
Visit http://www.rapid7.com for the next generation of security products
Attachment: CodeRedHoneypot.java
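The three pieces the post describes (listen on port 80, recognise the Code Red request and log source IP, URL and timestamp, then flush the log by SMTP every 100 hits or 30 minutes) are sketched below as an added example. This is not the attached CodeRedHoneypot.java and it is written in Python rather than the author's Java. The request shape it matches (a GET for /default.ida? followed by a long run of N or X filler and a %u-encoded tail) is the publicly documented Code Red worm request, not something taken from the post; the log line layout is this example's own and is not the ARIS template the post refers to; the SMTP host and addresses in `main` are placeholders.

```python
"""Minimal Code Red honeypot logic: detect, log, batch-flush (added example)."""
import re
import smtplib
import socket
import time
from dataclasses import dataclass, field
from email.message import EmailMessage
from typing import Callable, List, Optional

# Code Red's request line hits the .ida ISAPI filter with a long run of filler
# characters (original variant 'N', Code Red II 'X') followed by %u-encoded
# shellcode. We only key on that shape; nothing is decoded or executed.
CODE_RED_RE = re.compile(
    rb"^GET\s+(/default\.ida\?(?:N{50,}|X{50,})\S*)\s+HTTP/1\.[01]", re.IGNORECASE
)


def detect_code_red(request: bytes) -> Optional[str]:
    """Return the attack URL if the first request line looks like Code Red, else None."""
    first_line = request.split(b"\r\n", 1)[0].split(b"\n", 1)[0]
    m = CODE_RED_RE.match(first_line)
    return m.group(1).decode("ascii", errors="replace") if m else None


def format_entry(ts: float, src_ip: str, url: str) -> str:
    """One log line per hit: UTC timestamp, source IP, port, attack URL (truncated).
    The field layout is this example's own, not the ARIS notification format."""
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts))
    return f"{stamp} UTC {src_ip} 80/tcp {url[:60]}"


@dataclass
class BatchLogger:
    """Buffers log lines and hands them to `send` once max_entries lines have
    accumulated or max_age seconds have passed since the first buffered line,
    whichever comes first (the post's 100 requests / 30 minutes)."""
    send: Callable[[List[str]], None]
    max_entries: int = 100
    max_age: float = 30 * 60
    clock: Callable[[], float] = time.time  # injectable so flushing is testable
    entries: List[str] = field(default_factory=list)
    opened_at: Optional[float] = None

    def add(self, entry: str) -> bool:
        """Buffer one line; return True if this add caused a flush."""
        if self.opened_at is None:
            self.opened_at = self.clock()
        self.entries.append(entry)
        return self.maybe_flush()

    def maybe_flush(self) -> bool:
        """Flush on count or age; safe to call from a periodic timer."""
        if not self.entries:
            return False
        aged = self.clock() - self.opened_at >= self.max_age
        if len(self.entries) >= self.max_entries or aged:
            self.send(list(self.entries))
            self.entries.clear()
            self.opened_at = None
            return True
        return False


def smtp_sender(host: str, sender: str, recipients: List[str]) -> Callable[[List[str]], None]:
    """Build a send callback that mails one batch via plain SMTP on port 25."""
    def send(lines: List[str]) -> None:
        msg = EmailMessage()
        msg["Subject"] = f"Code Red honeypot report ({len(lines)} hits)"
        msg["From"] = sender
        msg["To"] = ", ".join(recipients)
        msg.set_content("\n".join(lines) + "\n")
        with smtplib.SMTP(host) as s:
            s.send_message(msg)
    return send


def serve(logger: BatchLogger, bind=("0.0.0.0", 80)) -> None:
    """Accept one request per connection, log Code Red hits, answer 404."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(bind)
        srv.listen(16)
        while True:
            conn, (ip, _) = srv.accept()
            with conn:
                conn.settimeout(5)
                try:
                    data = conn.recv(8192)
                except socket.timeout:
                    data = b""
                url = detect_code_red(data)
                if url:
                    logger.add(format_entry(time.time(), ip, url))
                conn.sendall(b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\n\r\n")
            logger.maybe_flush()  # lets the 30-minute rule fire on quiet links


if __name__ == "__main__":
    # Placeholders: replace with your own SMTP relay and addresses before running.
    send = smtp_sender("smtp.example.invalid", "honeypot@example.invalid", ["you@example.invalid"])
    serve(BatchLogger(send))
```

Binding port 80 needs root (or a forwarded higher port passed as `bind`); the detector, formatter and batcher run without any network, which is how the flush rule can be checked with a fake clock before the listener is exposed.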
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com