Code Red honeypot + SMTP logger/alerter

From: Chad Loder (cloder@acm.org)
Date: 08/06/01


Message-Id: <5.1.0.14.2.20010805205211.00affa00@pop-server.socal.rr.com>
Date: Sun, 05 Aug 2001 21:20:57 -0700
To: incidents@securityfocus.com
From: Chad Loder <cloder@acm.org>
Subject: Code Red honeypot + SMTP logger/alerter


Hi. I've written a tool in Java which does the
following:

  - listens on port 80 for incoming Code Red
    attacks

  - detects the Code Red attack signature and
    logs the attacker's IP, the attack URL, and
    the timestamp

  - periodically (every 100 requests or every 30
    minutes, whichever comes first) sends the
    logs via SMTP to the email address(es) of your
    choice

This is for those daring/curious people who aren't
running a web server (or Snort) already, who feel
like poking port 80/tcp open in their firewall and
forwarding it to a machine running this honeypot.
I've done this on my cable modem and I'm logging about
3 attacks per minute on a single IP address.

I have my program configured to send mail to the
ARIS email address <aris-report@securityfocus.com>.

The log format is compatible with the SecurityFocus
ARIS email notification format (

see
http://www.securityfocus.com/templates/archive.pike?end=2001-08-11&list=1&mid=201907&threads=0&start=2001-08-05&fromthread=0

), but the source code I've attached does not send email to
the ARIS email address by default (check with ARIS first,
then uncomment the ARIS recipient line in the source code).

You can use this to send logs to your ISP, to yourself,
to ARIS, to DShield.org (see program comments) or what
have you.

You need to change at least two lines in the source code:
these are the lines which specify your email address and
your SMTP server. If you want to add additional email
recipients, it's a trivial change to the source code.

The Java source file is attached to this email. It
should be safe to open .java source files by default,
but if you're wary of this sort of thing, let me know
and I'll paste the source code into a new message.

  Chad Loder
  Rapid 7, Inc.
  Visit http://www.rapid7.com for the next generation of security products
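An added example, not the Java source attached to the post above and not Rapid 7's code: a Python sketch of the same three pieces the post describes (listen on 80/tcp, recognise the Code Red request, batch the log lines and mail them every 100 requests or 30 minutes). The function and class names, the placeholder SMTP settings and the one-line log layout are my own assumptions; the layout is not the ARIS notification format the post refers to. The signature matched is the well-known Code Red probe, a GET for /default.ida? whose query string is a long run of N (or X in the later variant) padding bytes.

```python
import re
import smtplib
import socketserver
import time
from datetime import datetime, timezone
from email.message import EmailMessage

# Assumed settings (placeholders, edit before use): your SMTP relay, sender and recipients.
SMTP_HOST = "smtp.example.invalid"
MAIL_FROM = "honeypot@example.invalid"
MAIL_TO = ["you@example.invalid"]

# Code Red's probe is a GET for /default.ida? whose query is a long run of 'N'
# ('X' in the later variant) padding followed by %u-encoded bytes. Twenty
# repeats is plenty to separate it from an ordinary request for /default.ida.
CODE_RED_RE = re.compile(r"^GET\s+(/default\.ida\?([NX])\2{20,}\S*)\s+HTTP/1\.[01]")


def detect_code_red(request_line):
    """Return the attack URL if the request line carries the Code Red signature, else None."""
    m = CODE_RED_RE.match(request_line.strip())
    return m.group(1) if m else None


class AttackLog:
    """Buffers one-line records; flushes at 100 entries or 30 minutes, whichever comes first."""
    MAX_ENTRIES = 100
    MAX_AGE_SECONDS = 30 * 60

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the timing rule can be tested offline
        self.entries = []
        self.last_flush = clock()

    def record(self, src_ip, url, when=None):
        when = when or datetime.now(timezone.utc)
        # Constructed layout: timestamp, attacker IP, attack URL (not the ARIS format).
        line = f"{when:%Y-%m-%d %H:%M:%S} UTC src={src_ip} url={url}"
        self.entries.append(line)
        return line

    def should_flush(self):
        if not self.entries:
            return False
        return (len(self.entries) >= self.MAX_ENTRIES
                or self._clock() - self.last_flush >= self.MAX_AGE_SECONDS)

    def flush(self):
        """Return the buffered report as one string and reset the buffer and timer."""
        body = "\n".join(self.entries)
        self.entries = []
        self.last_flush = self._clock()
        return body


def send_report(body, smtp_host=SMTP_HOST, sender=MAIL_FROM, recipients=MAIL_TO):
    """Mail the batched log lines through the configured relay (standard smtplib)."""
    msg = EmailMessage()
    msg["Subject"] = "Code Red honeypot report"
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg.set_content(body)
    with smtplib.SMTP(smtp_host) as smtp:
        smtp.send_message(msg)


LOG = AttackLog()


class HoneypotHandler(socketserver.StreamRequestHandler):
    """One connection per worm probe: read the request line, log a hit, answer 404."""

    def handle(self):
        request_line = self.rfile.readline(4096).decode("latin-1", "replace")
        url = detect_code_red(request_line)
        if url:
            LOG.record(self.client_address[0], url)
            if LOG.should_flush():
                send_report(LOG.flush())
        # The worm never reads the reply; a short 404 just closes the exchange cleanly.
        self.wfile.write(b"HTTP/1.0 404 Not Found\r\nConnection: close\r\n\r\n")


if __name__ == "__main__":
    # Binding port 80 needs the appropriate privilege on most systems.
    with socketserver.TCPServer(("0.0.0.0", 80), HoneypotHandler) as server:
        server.serve_forever()
```

One simplification to be aware of: the 30-minute rule is only evaluated when a request arrives, so a quiet honeypot holds its last few lines until the next hit; a timer thread calling `LOG.should_flush()` would close that gap.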

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
