Security Incidents mailing list archives

Code Red honeypot + SMTP logger/alerter


From: Chad Loder <cloder () acm org>
Date: Sun, 05 Aug 2001 21:20:57 -0700

Hi. I've written a tool in Java which does the
following:

 - listens on port 80 for incoming Code Red
   attacks

 - detects the Code Red attack signature and
   logs the attacker's IP, the attack URL, and
   the timestamp

 - periodically (every 100 requests or every 30
   minutes, whichever comes first) sends the
   logs via SMTP to the email address(es) of your
   choice

This is for those daring/curious people who aren't
running a web server (or Snort) already, who feel
like poking port 80/tcp open in their firewall and
forwarding it to a machine running this honeypot.
I've done this on my cable modem and I'm logging about
3 attacks per minute on a single IP address.

I have my program configured to send mail to the
ARIS email address <aris-report () securityfocus com>.

The log format is compatible with the SecurityFocus
ARIS email notification format (see
http://www.securityfocus.com/templates/archive.pike?end=2001-08-11&list=1&mid=201907&threads=0&start=2001-08-05&fromthread=0
), but the source code I've attached does not send email to
the ARIS email address by default (check with ARIS first,
then uncomment the ARIS recipient line in the source code).

You can use this to send logs to your ISP, to yourself,
to ARIS, to DShield.org (see program comments) or what
have you.

You need to change at least two lines in the source code:
these are the lines which specify your email address and
your SMTP server. If you want to add additional email
recipients, it's a trivial change to the source code.

The Java source file is attached to this email. It
should be safe to open .java source files by default,
but if you're wary of this sort of thing, let me know
and I'll paste the source code into a new message.

 Chad Loder
 Rapid 7, Inc.
 Visit http://www.rapid7.com for the next generation of security products

Attachment: CodeRedHoneypot.java
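As an added example (not the Java source attached to this post, and in Python rather than Java), the two pieces the post describes: matching the Code Red request signature to log attacker IP, attack URL and timestamp, and the batching policy of flushing every 100 hits or every 30 minutes, whichever comes first. The `sender` callable and the injectable `now` clock are assumptions so the batch logic can be exercised without a socket or an SMTP server.

```python
import re
from datetime import datetime, timedelta, timezone

# Widely published Code Red signature (CERT CA-2001-19): a GET for /default.ida?
# followed by a long filler run ('N' for Code Red I, 'X' for Code Red II) ahead
# of the %u-encoded payload. The filler run alone is enough to flag a hit.
CODE_RED_RE = re.compile(r"^GET\s+(/default\.ida\?(?:N{20,}|X{20,})\S*)")


def detect_code_red(request_line):
    """Return the attack URL if the HTTP request line matches Code Red, else None."""
    m = CODE_RED_RE.match(request_line.strip())
    return m.group(1) if m else None


class BatchedLogger:
    """Queue one log line per hit and hand the batch to `sender` every
    `max_entries` hits or every `max_age` of wall-clock time, whichever
    comes first. `now` is injectable so the deadline can be tested offline."""

    def __init__(self, sender, max_entries=100, max_age=timedelta(minutes=30), now=None):
        self.sender = sender            # assumed: a function that mails the text via smtplib
        self.max_entries = max_entries
        self.max_age = max_age
        self.now = now or (lambda: datetime.now(timezone.utc))
        self.entries = []
        self.batch_started = self.now()

    def record(self, src_ip, request_line):
        """Log the hit if it is Code Red; return True when it triggered a flush."""
        url = detect_code_red(request_line)
        if url is None:
            return False                # ordinary request: the honeypot ignores it
        stamp = self.now().strftime("%Y-%m-%d %H:%M:%S %Z")
        self.entries.append(f"{stamp} {src_ip} {url[:48]}...")  # shorten the filler run
        return self.flush_if_due()

    def flush_if_due(self):
        """Send the queued lines if either limit is reached; return True if sent.
        A real deployment also calls this from a 30-minute timer."""
        aged = self.now() - self.batch_started >= self.max_age
        if self.entries and (len(self.entries) >= self.max_entries or aged):
            self.sender("\n".join(self.entries))
            self.entries = []
            self.batch_started = self.now()
            return True
        return False
```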

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
