Question N7
Was the honeypot compromised during the observed time period? How do you know?


Things To Look At
Let's watch for OUTBOUND connections for a start: a honeypot should never contact the outside autonomously. If it does, it is likely to be the attacker who is in it, right?
We need a graph of WHICH DAYS there was OUTBOUND TRAFFIC.
(21:01:39) Dani3l3: I would expect them to INITIATE a connection
(21:01:48) Dani3l3: we need SYN packets not just ACKs
Result of this idea:



Suspicious: reboot / change of promiscuous mode / kernel logger stopped on DailyFeb11
See analysis of the thing by BESA on DailyFeb10


Other Info
Moreover, the honeynet project told us that there were compromises:
[...] This month's challenge, sponsored by Anton Chuvakin, is to analyze a month's worth of honeynet IPtable firewall logs captured in the wild. All sorts of fun stuff happening, including several compromises. [...]




Which Honeypot Was Compromised
Just ideas to check still:
11.11.11.64 - really? (the ARP redirection thing)
11.11.11.67 -
SSL exploit from 66.60.166.84
TheGap
OutgSYN

Unique Sources of outbound traffic (SYN packets): 7
[UNITED STATES] 11.11.11.67 (358)
[UNITED STATES] 11.11.11.73 (10)
[UNITED STATES] 11.11.11.72 (10)
[UNITED STATES] 11.11.11.80 (10)
[UNITED STATES] 11.11.11.69 (10)
[UNITED STATES] 11.11.11.75 (10)
[UNITED STATES] 11.11.11.71 (9)

More details about which machines were active or not are analysed in LayoutHoney




When Was The Honeynet Compromised
Comparison of the total traffic and the traffic from just 11.11.11.67
As you can see from the perfectly matching first big spike on the left, each chart's Y axis is scaled in proportion to the maximum value reported for that chart.




Those HeatCharts are nice.
So what happens if we also compare it with, or filter it by, just the total traffic initiated from the honeypots going outbound (NotInbound)?


Big chart: NotInbound

Huge comparison chart: BigChartCompare


This of course does not on its own indicate that a certain honeypot was compromised, but it has definitely helped greatly to spot strange activity. In a honeynet, ANY traffic is suspicious by default, as it is not a production system. Connections initiated by the honeypots going outside are especially suspicious, and usually indicate something is going on.
Anyway, spontaneously outgoing traffic IS highly suspicious. Take a look at OutgSYN for more insights on compromises.


Other things remarked:
TcpFlags
Also from the analysis of the TcpFlags we identified signs of compromise, in which machines in the honeynet send MULTICAST packets outside (Proto 2 is IGMP, thus multicast, and the destination address is 224.0.0.1)!
This happens on the 3rd and on the 19th of February.
Outgoing connections to 209.63.57.10
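To make the two checks above concrete (the outbound-SYN idea from Things To Look At and the IGMP-to-224.0.0.1 finding from TcpFlags), here is an added example that was not part of this page or of the challenge data. It parses iptables LOG lines in the kernel's standard field syntax (SRC=, DST=, PROTO=, bare flag tokens), treats 11.11.11.0/24 as the honeynet, and reports which honeypots sent pure SYNs to the outside, on which days, and which ones emitted IGMP to the all-hosts group. The log lines, the log prefixes and every non-11.11.11.x address are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

HONEYNET = ip_network("11.11.11.0/24")  # honeynet range as named on this page

# Constructed sample lines (standard iptables LOG fields; prefixes and outside addresses are made up).
SAMPLE_LOG = """\
Feb 10 03:12:01 bridge kernel: INBOUND: IN=br0 OUT=br0 SRC=198.51.100.7 DST=11.11.11.67 PROTO=TCP SPT=4312 DPT=443 SYN URGP=0
Feb 10 03:12:02 bridge kernel: OUTBOUND: IN=br0 OUT=br0 SRC=11.11.11.67 DST=198.51.100.7 PROTO=TCP SPT=443 DPT=4312 ACK SYN URGP=0
Feb 11 22:40:15 bridge kernel: OUTBOUND: IN=br0 OUT=br0 SRC=11.11.11.67 DST=203.0.113.9 PROTO=TCP SPT=1025 DPT=6667 SYN URGP=0
Feb 11 22:40:16 bridge kernel: OUTBOUND: IN=br0 OUT=br0 SRC=11.11.11.67 DST=203.0.113.9 PROTO=TCP SPT=1025 DPT=6667 ACK URGP=0
Feb 12 01:00:00 bridge kernel: OUTBOUND: IN=br0 OUT=br0 SRC=11.11.11.73 DST=203.0.113.20 PROTO=TCP SPT=1026 DPT=80 SYN URGP=0
Feb 03 09:15:44 bridge kernel: OUTBOUND: IN=br0 OUT=br0 SRC=11.11.11.67 DST=224.0.0.1 PROTO=2
Feb 10 03:13:00 bridge kernel: INBOUND: IN=br0 OUT=br0 SRC=11.11.11.72 DST=11.11.11.67 PROTO=TCP SPT=2000 DPT=22 SYN URGP=0
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")          # KEY=value pairs
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")  # bare TCP flag tokens

def parse_line(line):
    """Return (day, fields, flags) for one iptables LOG line."""
    parts = line.split()
    day = f"{parts[0]} {int(parts[1]):02d}"          # normalise "Feb 3" and "Feb 03"
    fields = dict(FIELD_RE.findall(line))
    after_proto = line.split("PROTO=", 1)[1] if "PROTO=" in line else ""
    return day, fields, set(FLAG_RE.findall(after_proto))

def outbound_syn_by_source(log, honeynet=HONEYNET):
    """Pure SYNs (SYN without ACK) sent by a honeypot to an address outside the honeynet:
    the OutgSYN idea. Returns (count per source, count per day). SYN/ACK replies and
    honeypot-to-honeypot traffic are deliberately excluded."""
    per_source, per_day = Counter(), Counter()
    for line in filter(str.strip, log.splitlines()):
        day, f, flags = parse_line(line)
        if f.get("PROTO") != "TCP" or "SYN" not in flags or "ACK" in flags:
            continue
        src, dst = ip_address(f["SRC"]), ip_address(f["DST"])
        if src in honeynet and dst not in honeynet:
            per_source[str(src)] += 1
            per_day[day] += 1
    return per_source, per_day

def outbound_igmp(log, honeynet=HONEYNET):
    """(day, source) for IGMP (PROTO=2) sent by a honeypot to the all-hosts group 224.0.0.1."""
    hits = []
    for line in filter(str.strip, log.splitlines()):
        day, f, _ = parse_line(line)
        if f.get("PROTO") == "2" and f.get("DST") == "224.0.0.1" and ip_address(f["SRC"]) in honeynet:
            hits.append((day, f["SRC"]))
    return hits

if __name__ == "__main__":
    sources, days = outbound_syn_by_source(SAMPLE_LOG)
    print("outbound SYN per honeypot:", dict(sources))   # {'11.11.11.67': 1, '11.11.11.73': 1}
    print("outbound SYN per day:", dict(days))           # {'Feb 11': 1, 'Feb 12': 1}
    print("outbound IGMP:", outbound_igmp(SAMPLE_LOG))   # [('Feb 03', '11.11.11.67')]
```

The per-day counter is the data behind the "which days had outbound traffic" graph asked for above; run it over the real firewall log to rebuild the OutgSYN table.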





Related Pages
LayoutHoney



Related Pages With Graphs
Timeline
DetailGraph
67Big
HeatCharts