Been running for a day and already recorded 8,023 connection attempts from all different services/ports.
Joshua Russell
>cloudatcost
a cuck among cucks
Logan Fisher
Which one of these buttons installs gentoo?
Brayden Gonzalez
what the fuck are they connected to you?
James Lopez
could you give me a very short explanation? what am i looking at?
Jaxson Martinez
A bunch of server connections and one random SMB request on port 445 which is undoubtedly an infected machine trying to send him wannacry
Landon Martinez
it was great value
Lucas Stewart
KFSensor is a honeypot that opens mostly every port and logs any attempts from anyone that connects.
I've been using it to mainly monitor Port 445 to see how wannacry is spreading. (I've only had a few attempts out of the 8,000+)
Owen Anderson
I don't get it. Is your PC infected or are those just random idiots trying to infect random PCs through a public WiFi?
Daniel Flores
kys
Gavin Wright
That's mean, user. Don't be mean, I just want to learn.
Isaac Martin
As far as I know it's not infected. The services I'm running are fake. But the bots connecting don't know that and I get to see the attempts at connecting.
Here's a screenshot of the SMB requests. (These may or may not be wannacry related)
Joseph Morgan
>deals-for-the-family.com
wut
Brandon Jenkins
are those connections on your computer? i am lost
Logan Bell
see
Nathaniel Collins
Those are connection attempts from bots/botnets from around the world in realtime.
Asher Bennett
>.ru
>.in
>.br
scum of the earth showing why
Alexander Howard
isn't this run by the government and deploys CP on your HDD if you are into that conspiracy 9/11 ish? Heard they got a lot of people that way, I think the term used in a zine I read was honeypot.
Charles Gonzalez
Russians seem to love port 23 and 3306
Easton Murphy
What no. It's just a program that opens lots of ports and makes fake services and lets you see what comes in.
It's quite good too bad there's no crack for it.
Samuel Myers
>It's quite good too bad there's no crack for it.
is there no crack because it's an NSA front company to deploy or track who is active in the community which would make it a crime to crack since it's illegal to know anything the NSA knows?
Ethan Baker
Sean?
Juan Jenkins
This has nothing to do with the NSA. it's not been cracked because it's not popular enough I guess.
- I'm hardly getting any SMB attacks (sigh)
- Shodan.io is really good at scanning for things
- Despite me having an open windows CMD shell on port 23, bots ignore it expecting something else (a login prompt, linux shell)
- Using SIPVicious to scan for exploitable Asterisk VOIP systems is still a thing
I recommend everyone put their computer into the DMZ with the firewall off, you'll probably be fine.
Samuel Scott
Lol, interesting.. How the fuck? lol
Aaron Taylor
>This has nothing to do with the NSA. it's not been cracked because it's not popular enough I guess.
it's probably one of those NSA fronts we hear about or a homeland security op like they used to take down kickass torrents.
Look for users who use it due to the kind of people who would and what they would monitor then put them on automated lists for tracking and hard drive scanning for illegal files such as a downloaded movie for example or if they don't support the right political party and instead say voted for a nazi fascist.
All these things could be used to take someone down once identified by just planting a few files, it only takes one jpg.
Jace Martinez
Well the VNC machine is isolated from everything apart from teamviewer.. So I'll assume you just done a WHOIS on the anonymousey domain because I'm too cheap for whoisguard.
Congrats I guess.. the info is fake btw, you can google the postcode. takes you to mcdonalds.
Gavin Foster
If you've ever run a server, this shouldn't exactly come as a surprise. It's always been like this.
Jaxson Evans
oooh! honeypots are cool toys
Jacob Campbell
>port 23
>"Command Console"
Charles Roberts
yeah I get similar in my Apache logs. it's just interesting to see what else goes on the other ports
Logan Taylor
>SMB request on port 445 which is undoubtedly an infected machine trying to send him wannacry
Random SMB requests have been around forever.
Carson Diaz
DoublePulsar too makes you think
Liam Morgan
I suspect these might be wannacry related but it's hard to tell.
I think it just spreads over the LAN IP Range? I'm really surprised at the low amount of attempts. (58 out of 9243)
Gabriel Reyes
it tries over internet too but is pretty much a lost cause due to NAT/Lack of IPv4 addresses
Gabriel Thompson
It's not doing a very good job. In almost 24 hours I've highlighted 4 suspect attempts.
James Robinson
amazing that a board dedicated to technology thinks that random internet denies is something that warrants a thread.
no one fucking cares what is bouncing off your firewall you fucking child
Wyatt Walker
how do the worms work anyway? do they target random IPs or is there some sort of pattern or a list of IP ranges to target?
Robert Smith
i don't think that it spread enough, many might have already done something about it. also, as far as i remember from some disassembled code, each infected machine just searches only 128 /24 subnets
Owen Collins
Why would you suspect those four especially out of that list?
Jaxson James
initial infection was through e-mail i think, then once infected it would scan 128 random internet subnets and the whole local network for computers with File Sharing active
Liam Cruz
I think it scans for a host then drops if it can't do anything else (detects as syn scan on KFSensor).
Lots of pentesters hitting that port doing their scans to see how many 445 systems are out there (binaryedge, shodan). Cloud servers like vultr could be from hackers looking to exploit SMB.
The rest I'm unsure as they don't get detected as a syn scan.
Luke Long
"Syn scan" just means that it's only scanning to see if the port is open at all but never sends any data. If this were an EternalBlue attack I'd very much expect it to try and send data too.
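
The distinction drawn in the last post, between a port check that sends nothing and a peer that goes on to speak SMB, can be applied to honeypot events as a first triage pass. This is an added example, not part of the thread and not KFSensor's own log format: the event tuples, addresses and payload bytes are constructed, and the function names are hypothetical. An SMB negotiate only shows the peer went past a port check; it does not identify the tool behind it.

```python
# Constructed sample events (assumed shape, not a KFSensor export):
# (source IP, destination port, raw bytes the fake service received).
SAMPLE_EVENTS = [
    ("198.51.100.7", 445, b""),                                   # nothing sent
    ("203.0.113.20", 445, b"\x00\x00\x00\x2f\xffSMB\x72" + b"\x00" * 42),
    ("203.0.113.55", 445, b"\x00\x00\x00\x44\xfeSMB" + b"\x00" * 64),
    ("192.0.2.9", 445, b"GET / HTTP/1.0\r\n\r\n"),                # wrong protocol
    ("192.0.2.77", 23, b""),                                      # other port
]

# SMB1 command byte follows the 4-byte "\xffSMB" protocol magic.
SMB1_COMMANDS = {0x72: "negotiate", 0x73: "session_setup",
                 0x75: "tree_connect", 0x32: "trans2"}


def classify(payload: bytes) -> str:
    """Label what a peer did after connecting to the fake SMB service."""
    if not payload:
        return "scan-only"            # port check: open/closed, no data
    if len(payload) < 8:
        return "other-data"
    magic = payload[4:8]              # skip 4-byte NetBIOS session header
    if magic == b"\xffSMB":
        cmd = payload[8] if len(payload) > 8 else None
        return "smb1-" + SMB1_COMMANDS.get(cmd, "unknown")
    if magic == b"\xfeSMB":
        return "smb2"
    return "other-data"


def triage(events, port=445):
    """Count labels for one port and list sources that actually spoke SMB."""
    counts, followup = {}, []
    for src, dport, payload in events:
        if dport != port:
            continue
        label = classify(payload)
        counts[label] = counts.get(label, 0) + 1
        if label.startswith("smb"):
            followup.append(src)
    return counts, followup


if __name__ == "__main__":
    counts, followup = triage(SAMPLE_EVENTS)
    print(counts)
    print("sent SMB data:", followup)
```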