 |
report.php - honeypot - A custom version of kippo used for SSH honeypot analysi… |
 |
git clone git://jay.scot/honeypot |
 |
Log |
|
Files |
|
Refs |
|
README |
|
--- |
|
report.php (7247B) |
|
--- |
|
1 <?php |
|
2 |
|
3 /* |
|
4 * Gets the IP address from the kippo DB and reports the IP for abuse if… |
|
5 * conditions are met. Then saves the information to a 'report' table for |
|
6 * displaying information at a later date. |
|
7 * |
|
8 * I still have debugging echo statements etc floating about :p |
|
9 * |
|
10 * |
|
11 * report table - added to kippo database |
|
12 * |
|
13 * CREATE TABLE IF NOT EXISTS `report` ( |
|
14 * `id` int(11) NOT NULL AUTO_INCREMENT, |
|
15 * `name` char(50) NOT NULL, |
|
16 * `ip` varchar(15) NOT NULL, |
|
17 * `contact` varchar(200) NOT NULL, |
|
18 * `date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT… |
|
19 * `replied` tinyint(1) NOT NULL DEFAULT '0', |
|
20 * `contacted` tinyint(1) NOT NULL DEFAULT '1', |
|
21 * `notes` text NOT NULL, |
|
22 * PRIMARY KEY (`id`) |
|
23 * ); |
|
24 * |
|
25 * |
|
26 * Uses pears Mail script, this can be easily change to PHP's mail(). |
|
27 * |
|
28 * pear install Mail |
|
29 * |
|
30 */ |
|
31 |
|
32 error_reporting(0); |
|
33 |
|
34 require_once "Mail.php"; |
|
35 |
|
36 function attackAttempts($id, $db) |
|
37 { |
|
38 $result = mysql_query("SELECT COUNT(id) AS IPCOUNT FROM sessions WHERE… |
|
39 if ($row = mysql_fetch_array($result)) |
|
40 return (int) $row['IPCOUNT']; |
|
41 } |
|
42 |
|
43 function attackSuccessful($id, $db) |
|
44 { |
|
45 $result = mysql_query("SELECT auth.session, auth.success FROM auth |
|
46 INNER JOIN sessions ON auth.s… |
|
47 WHERE auth.success=1 AND sessions.ip='$id'"); |
|
48 |
|
49 $num_rows = (int) mysql_num_rows($result); |
|
50 return $num_rows; |
|
51 } |
|
52 |
|
53 /* Change to your Kippo DB password */ |
|
54 $db = mysql_pconnect("localhost", "kippo", "yourpassword"); |
|
55 mysql_select_db("kippo", $db); |
|
56 |
|
57 $previous_date = date("Y-m-d", strtotime("-1 day")); |
|
58 |
|
59 $QUERY_ATTACKS = mysql_query("SELECT auth.session, auth.`timestamp`, MAX… |
|
60 sessions.ip, sessions.sensor |
|
61 FROM auth INNER JOIN sessions ON auth.sess… |
|
62 WHERE timestamp >= '$previous_date' |
|
63 GROUP BY sessions.ip |
|
64 ORDER BY auth.id "); |
|
65 |
|
66 while ($ROW_ATTACKER = mysql_fetch_array($QUERY_ATTACKS)) |
|
67 { |
|
68 $IPADDRESS = $ROW_ATTACKER["ip"]; |
|
69 $START = $ROW_ATTACKER["MAXTIME"]; |
|
70 $END = $ROW_ATTACKER["MINTIME"]; |
|
71 $SENSOR = $ROW_ATTACKER["sensor"]; |
|
72 $SESSION = $ROW_ATTACKER["session"]; |
|
73 $TIMESTAMP = $ROW_ATTACKER["timestamp"]; |
|
74 |
|
75 /* Already in the DB? dont report again */ |
|
76 $IP_EXISTS = mysql_query("SELECT contacted FROM report WHERE ip='$IP… |
|
77 |
|
78 if ($ROW_EXISTS = mysql_fetch_array($IP_EXISTS)) { |
|
79 continue; |
|
80 } |
|
81 |
|
82 echo "IP = $IPADDRESS\n"; |
|
83 |
|
84 $attack_success = 0; |
|
85 $total_attacks = attackAttempts($IPADDRESS, $db); |
|
86 $attack_success = attackSuccessful($IPADDRESS, $db); |
|
87 |
|
88 if ($total_attacks > 10 ) |
|
89 echo "More than 10 attempts ($total_attacks) ($attack_success)\n"; |
|
90 else if ($attack_success > 0) |
|
91 echo "Attack Success ($total_attacks) ($attack_success)\n"; |
|
92 else { |
|
93 echo "Less than 10 attempts ($total_attacks) ($attack_success)\n"; |
|
94 continue; |
|
95 } |
|
96 |
|
97 $email = array(); |
|
98 |
|
99 unset($f); |
|
100 /* Shouldn't need to sanitise the IP address */ |
|
101 exec("whois $IPADDRESS ", $f); |
|
102 unset($tmpname); |
|
103 unset($output); |
|
104 |
|
105 foreach ($f as $output) { |
|
106 if (stripos($output, "netname:") === 0) |
|
107 $tmpname = explode(':',$output); |
|
108 else if (stripos($output, "owner:") === 0) |
|
109 $tmpname = explode(':',$output); |
|
110 |
|
111 preg_match('/[\._a-zA-Z0-9-]+@[\._a-zA-Z0-9-]+/i', $output, $match… |
|
112 |
|
113 $email[] = strtolower($matches[0]); |
|
114 $email = array_filter($email); |
|
115 } |
|
116 |
|
117 $email = array_filter($email); |
|
118 $email = array_unique($email); |
|
119 |
|
120 $EMAILS = implode(" ",$email); |
|
121 $NAME = trim($tmpname[1]); |
|
122 $email_parts = explode(" ", $EMAILS); |
|
123 |
|
124 foreach ($email_parts as $b_email) { |
|
125 |
|
126 $EMAIL_ABUSE = 0; |
|
127 $tmp_username = substr($b_email, 0, strpos($b_email, '@')); |
|
128 $tmp_username = strtolower($tmp_username); |
|
129 if ( $tmp_username == "abuse" || $tmp_username == "support") { |
|
130 $EMAIL_ABUSE = 1; |
|
131 $EMAILS = $b_email; |
|
132 } |
|
133 } |
|
134 |
|
135 if (empty($email)) { |
|
136 $INSERT_REPORT = mysql_query("INSERT INTO report (name, ip, contac… |
|
137 continue; |
|
138 } else { |
|
139 $INSERT_REPORT = mysql_query("INSERT INTO report (name, ip, cont… |
|
140 } |
|
141 |
|
142 unset($to); |
|
143 $parts = explode(" ", $EMAILS); |
|
144 if (sizeof($parts) == 1) |
|
145 $to = rtrim($parts[0],'.'); |
|
146 else { |
|
147 foreach ($parts as $send_cc) { |
|
148 $send_cc = rtrim($send_cc,'.'); |
|
149 $to .= "$send_cc,"; |
|
150 } |
|
151 |
|
152 $to = substr($to, 0, -1); |
|
153 } |
|
154 echo "TO = $to"; |
|
155 |
|
156 /* Kippo stored the IP of the sensor as a name in the 'sensors' tabl… |
|
157 * the sensor ID and then identify IP. |
|
158 */ |
|
159 switch ($SENSOR) |
|
160 { |
|
161 case 1: |
|
162 $TARGET = "ip-removed"; |
|
163 break; |
|
164 case 2: |
|
165 $TARGET = "ip-removed"; |
|
166 break; |
|
167 case 3: |
|
168 $TARGET = "ip-removed"; |
|
169 break; |
|
170 case 4: |
|
171 $TARGET = "ip-removed"; |
|
172 break; |
|
173 case 5: |
|
174 $TARGET = "ip-removed"; |
|
175 break; |
|
176 case 6: |
|
177 $TARGET = "ip-removed"; |
|
178 break; |
|
179 case 7: |
|
180 $TARGET = "ip-removed"; |
|
181 break; |
|
182 case 8: |
|
183 $TARGET = "ip-removed"; |
|
184 break; |
|
185 } |
|
186 |
|
187 /* My SMTP information, change to yours or remove and add the default |
|
188 PHP mail() command */ |
|
189 $host = "ssl://smtp.gmail.com"; |
|
190 $port = "465"; |
|
191 $username = ""; |
|
192 $password = ''; |
|
193 |
|
194 $subject = "SSH attack from $IPADDRESS"; |
|
195 $from = '[email protected]'; |
|
196 $headers = "From: $from \r\n" . "Reply-To: $from \r\n"; |
|
197 |
|
198 $message = "To abuse/support,"; |
|
199 |
|
200 if ($EMAIL_ABUSE = 0) { |
|
201 $message .= " |
|
202 |
|
203 Please note I could not find a abuse or support email address in an |
|
204 WHOIS lookup."; |
|
205 } |
|
206 |
|
207 $message .= " |
|
208 |
|
209 I run a honeypot network that reports any attacking IP address or |
|
210 successful logins from unauthorised IP address. |
|
211 |
|
212 The IP $IPADDRESS first gained access or attempted to access the |
|
213 honeypot on $START GMT against the IP address $TARGET."; |
|
214 |
|
215 $message .= " |
|
216 |
|
217 It maybe that $IPADDRESS has been compromised, is an active |
|
218 participant in a botnet or is being used as a SSH tunnel. |
|
219 |
|
220 You may wish to monitor the IP Address. You can view more details about |
|
221 the attack such as any more attacks carried out, amount of attacks and |
|
222 even watch the attack if they successfully logged in here: |
|
223 |
|
224 http://honeypot.jayscott.co.uk/ip/$IPADDRESS |
|
225 |
|
226 If you would like any advice or require further information please |
|
227 feel free to contact me, [email protected]. |
|
228 |
|
229 Regards, |
|
230 Jay Scott"; |
|
231 |
|
232 $headers = array ('From' => $from, |
|
233 'To' => $to, |
|
234 'Subject' => $subject); |
|
235 $smtp = Mail::factory('smtp', |
|
236 array ('host' => $host, |
|
237 'port' => $port, |
|
238 'auth' => true, |
|
239 'username' => $username, |
|
240 'password' => $password)); |
|
241 |
|
242 $mail = $smtp->send($to, $headers, $message); |
|
243 |
|
244 if (PEAR::isError($mail)) { |
|
245 echo(" - " . $mail->getMessage() . "\n"); |
|
246 } else { |
|
247 echo(" - Message sent\n\n"); |
|
248 } |
|
249 } |
|
250 ?> |
