Watching botnets in real time

Hey Sup Forums, I was bored, and upon hearing about the malware attack I decided to install KFSensor on my shitty cloudatcost box to watch the botnets.

You can join me too by visiting novnc.com/noVNC/vnc.html?autoconnect=true&host=uk.anonymousey.us&port=7778

Been running for a day and already recorded 8,023 connection attempts from all different services/ports.

>cloudatcost

a cuck among cucks

Which one of these buttons installs gentoo?

what the fuck are they connected to you?

could you give me a very short explanation? what am i looking at?

A bunch of server connections and one random SMB request on port 445 which is undoubtedly an infected machine trying to send him wannacry

it was great value

KFSensor is a honeypot that opens mostly every port and logs any attempts from anyone that connects.

I've been using it mainly to monitor port 445 to see how wannacry is spreading. (I've only had a few attempts out of the 8,000+.)

I don't get it. Is your PC infected or are those just random idiots trying to infect random PCs through a public WiFi?

kys

That's mean, user. Don't be mean, I just want to learn.

As far as I know it's not infected. The services I'm running are fake. But the bots connecting don't know that and I get to see the attempts at connecting.

Here's a screenshot of the SMB requests. (These may or may not be wannacry related.)

>deals-for-the-family.com
wut

are those connections on your computer? i am lost

see

Those are connection attempts from bots/botnets from around the world in real time.

>.ru
>.in
>.br
scum of the earth showing why

isn't this run by the government and deploys CP on your HDD, if you are into that conspiracy 9/11-ish stuff? Heard they got a lot of people that way; I think the term used in a zine I read was honeypot.

Russians seem to love port 23 and 3306

What? No. It's just a program that opens lots of ports and makes fake services and lets you see what comes in.

It's quite good, too bad there's no crack for it.

>It's quite good, too bad there's no crack for it.
is there no crack because it's an NSA front company to deploy or track who is active in the community, which would make it a crime to crack since it's illegal to know anything the NSA knows?

Sean?

This has nothing to do with the NSA. It's not been cracked because it's not popular enough, I guess.

oh no, you've seen my teamviewer ID ;_;

[email protected]

So far I've noticed :

- I'm hardly getting any SMB attacks (sigh)
- Shodan.io is really good at scanning for things
- Despite me having an open windows CMD shell on port 23, bots ignore it expecting something else (a login prompt, linux shell)
- Using SIPVicious to scan for exploitable Asterisk VOIP systems is still a thing

I recommend everyone put their computer into the DMZ with the firewall off, you'll probably be fine.

Lol, interesting.. How the fuck? lol

>This has nothing to do with the NSA. It's not been cracked because it's not popular enough, I guess.
it's probably one of those NSA fronts we hear about or a homeland sexurity op like they used to take down kickass torrents.

Look for users who use it, due to the kind of people who would and what they would monitor, then put them on automated lists for tracking and hard-drive scanning for illegal files, such as a downloaded movie for example, or if they don't support the right political party and instead, say, voted for a nazi fascist.

All these things could be used to take someone down once identified by just planting a few files; it only takes one jpg.

Well, the VNC machine is isolated from everything apart from teamviewer.. So I'll assume you just did a WHOIS on the anonymousey domain because I'm too cheap for whoisguard.

Congrats I guess.. the info is fake btw, you can google the postcode; it takes you to McDonalds.

If you've ever run a server, this shouldn't exactly come as a surprise. It's always been like this.

oooh! honeypots are cool toys

>port 23
>"Command Console"

yeah, I get similar in my Apache logs. It's just interesting to see what else goes on on the other ports.

>SMB request on port 445 which is undoubtedly an infected machine trying to send him wannacry
Random SMB requests have been around forever.

DoublePulsar too
makes you think

I suspect these might be wannacry related but it's hard to tell.

I think it just spreads over the LAN IP range? I'm really surprised at the low amount of attempts. (58 out of 9243)

it tries over internet too
but is pretty much a lost cause due to NAT/lack of IPv4 addresses

It's not doing a very good job; in almost 24 hours I've highlighted 4 suspect attempts.

amazing that a board dedicated to technology thinks that random internet denies is something that warrants a thread.

no one fucking cares what is bouncing off your firewall you fucking child

how do the worms work anyway?
do they target random IPs or is there some sort of pattern or a list of IP ranges to target?

i don't think that it spread enough, many might have already done something about it also
as far as i remember from some disassembled code, each infected machine just searches only 128 /24 subnets

Why would you suspect those four especially out of that list?

initial infection was through e-mail i think
then after being infected it would scan 128 random internet subnets
and the whole local network for computers with File Sharing active

I think it scans for a host then drops if it can't do anything else (detects as syn scan on kfsensor)

Lots of pentesters hitting that port doing their scans to see how many 445 systems are out there (binaryedge, shodan); cloud servers like vultr could be from hackers looking to exploit SMB.

The rest I'm unsure of, as they don't get detected as a syn scan.

"Syn scan" just means that it's only scanning to see if the port is open at all but never sends any data. If this were an EternalBlue attack I'd very much expect it to try and send data too.
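The distinction the thread keeps circling back to (a bare port probe that sends nothing versus a connection that actually pushes an SMB negotiate, a telnet login attempt, and so on) is easy to reproduce with a few lines of Python. The following is an added example, not KFSensor's code and not anything the OP ran: a tiny listener that records each completed connection along with whatever bytes arrive before a short timeout, plus a classifier and per-port/per-source counters run over a constructed set of records. The `Attempt` record, the `classify` labels and the sample addresses (RFC 5737 documentation ranges) are all assumptions of this example. One caveat it makes explicit: a userland `accept()` only ever sees a completed handshake, so a true half-open SYN scan never reaches it; "handshake completed, no payload" is the closest thing a plain socket listener can flag.

```python
"""Honeypot-style connection recorder and classifier (added example, not KFSensor)."""
import socket
import threading
import time
from collections import Counter
from dataclasses import dataclass

# An SMB message on port 445 is a 4-byte NetBIOS session header
# (type byte + 3-byte length) followed by the SMB1 or SMB2 protocol id.
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"


@dataclass
class Attempt:
    ts: float          # time the connection was accepted
    src: str           # client address
    dst_port: int      # port the client connected to
    data: bytes = b""  # bytes sent before we closed, possibly none


def classify(a: Attempt) -> str:
    """Label one completed connection the way the thread talks about them."""
    if not a.data:
        # Handshake finished but the client never sent anything: an
        # open-port check, not an exploit attempt. (A real half-open SYN
        # scan never completes the handshake and is invisible to accept().)
        return "probe-no-data"
    if a.dst_port == 445:
        if len(a.data) >= 8 and a.data[4:8] in (SMB1_MAGIC, SMB2_MAGIC):
            return "smb-session"     # a real SMB negotiate, worth a closer look
        return "port445-non-smb"     # something talked, but not SMB
    if a.dst_port == 23:
        return "telnet-input"        # bots expecting a login prompt
    return "data-other"


def smb_suspects(attempts):
    """The records a person would 'highlight': real SMB traffic, not bare probes."""
    return [a for a in attempts if classify(a) == "smb-session"]


def summarize(attempts):
    """Counts by label, by destination port and by source address."""
    by_kind = Counter(classify(a) for a in attempts)
    by_port = Counter(a.dst_port for a in attempts)
    by_src = Counter(a.src for a in attempts)
    return by_kind, by_port, by_src


def listen(port: int, log: list, stop: threading.Event,
           host: str = "0.0.0.0", wait: float = 3.0) -> None:
    """Accept connections on one port, wait briefly for a payload, record it.

    Runs until `stop` is set; meant to be started in a thread per port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    srv.settimeout(0.5)  # so the loop can notice `stop`
    while not stop.is_set():
        try:
            conn, (src, _) = srv.accept()
        except socket.timeout:
            continue
        conn.settimeout(wait)
        data = b""
        try:
            data = conn.recv(4096)   # empty if the client just closes
        except (socket.timeout, OSError):
            pass                     # client sent nothing within `wait`
        finally:
            conn.close()
        log.append(Attempt(time.time(), src, port, data))
    srv.close()


# Constructed sample records standing in for a day of honeypot logs.
SAMPLE = [
    Attempt(1.0, "198.51.100.7", 445, b""),
    Attempt(2.0, "198.51.100.7", 23, b""),
    Attempt(3.0, "203.0.113.9", 445, b"\x00\x00\x00\x54\xffSMBr\x00\x00\x00\x00"),
    Attempt(4.0, "203.0.113.9", 445, b"\x00\x00\x00\x68\xfeSMB@\x00"),
    Attempt(5.0, "192.0.2.33", 23, b"root\r\n"),
    Attempt(6.0, "192.0.2.33", 3306, b""),
    Attempt(7.0, "192.0.2.33", 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    kinds, ports, srcs = summarize(SAMPLE)
    print("by kind:", dict(kinds))
    print("by port:", dict(ports))
    print("by source:", dict(srcs))
    for a in smb_suspects(SAMPLE):
        print("suspect SMB:", a.src, a.data[:8])
```

Run as-is it only summarizes the constructed sample; to actually record traffic, start `listen(445, log, stop)` and a few more ports in threads, then feed `log` to `summarize`. Most of what lands will classify as `probe-no-data`, which is the point the last post makes: a scanner checking whether 445 answers looks nothing like a client that goes on to negotiate SMB.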