1 <?php
2
3 /*
4 * Gets the IP address from the kippo DB and reports the IP for abuse if certain
5 * conditions are met. Then saves the information to a 'report' table for
6 * displaying information at a later date.
7 *
8 * I still have debugging echo statements etc floating about :p
9 *
10 *
11 * report table - added to kippo database
12 *
13 * CREATE TABLE IF NOT EXISTS `report` (
14 * `id` int(11) NOT NULL AUTO_INCREMENT,
15 * `name` char(50) NOT NULL,
16 * `ip` varchar(15) NOT NULL,
17 * `contact` varchar(200) NOT NULL,
18 * `date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
19 * `replied` tinyint(1) NOT NULL DEFAULT '0',
20 * `contacted` tinyint(1) NOT NULL DEFAULT '1',
21 * `notes` text NOT NULL,
22 * PRIMARY KEY (`id`)
23 * );
24 *
25 *
26 * Uses PEAR's Mail package; this can easily be changed to PHP's mail().
27 *
28 * pear install Mail
29 *
30 */
31
/* Silences every notice and warning for the whole run - including failed
 * mysql_* calls, mysql_num_rows() on a false result and undefined array
 * offsets - so a broken query shows up only as "nothing reported".
 * Set this to E_ALL while debugging. */
error_reporting(0);

/* PEAR Mail (pear install Mail); only Mail::factory('smtp') and PEAR::isError()
 * are used below. */
require_once "Mail.php";
35
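/**
 * Counts the kippo sessions recorded for one source IP.
 *
 * @param string   $id Source address as stored in sessions.ip.
 * @param resource $db Open mysql link.
 * @return int Number of sessions from that address; 0 when the COUNT query
 *             yields no row (the original fell off the end and returned null).
 *             Dies with mysql_error() if the query fails, as before.
 */
function attackAttempts($id, $db)
{
    // sessions.ip is written by the honeypot from network data, so it is
    // escaped rather than concatenated raw into the statement.
    $ip = mysql_real_escape_string($id, $db);
    $result = mysql_query("SELECT COUNT(id) AS IPCOUNT FROM sessions WHERE ip = '" . $ip . "'", $db);
    if ($result === false) {
        die(mysql_error($db));
    }

    $row = mysql_fetch_array($result);
    if ($row === false) {
        return 0;
    }

    return (int) $row['IPCOUNT'];
}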
42
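/**
 * Counts the successful logins kippo recorded for one source IP.
 *
 * @param string   $id Source address as stored in sessions.ip.
 * @param resource $db Open mysql link (the original did not pass it on and
 *                     relied on the last-opened link).
 * @return int Number of auth rows with success=1 for that address.
 *             Dies with mysql_error() if the query fails; the original
 *             silently returned 0 in that case, so an outage looked like
 *             "no successful logins".
 */
function attackSuccessful($id, $db)
{
    $ip = mysql_real_escape_string($id, $db);
    $result = mysql_query(
        "SELECT COUNT(*) AS SUCCESSCOUNT FROM auth
        INNER JOIN sessions ON auth.session = sessions.id
        WHERE auth.success = 1 AND sessions.ip = '" . $ip . "'",
        $db
    );
    if ($result === false) {
        die(mysql_error($db));
    }

    $row = mysql_fetch_array($result);
    if ($row === false) {
        return 0;
    }

    return (int) $row['SUCCESSCOUNT'];
}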
52
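/* Change to your Kippo DB password.
 * NOTE(review): the credentials live in the script itself; loading them from
 * a file outside the web root keeps them out of the repository. */
$db = mysql_pconnect("localhost", "kippo", "yourpassword");
mysql_select_db("kippo", $db);

/* Only auth rows stamped within the last day are looked at. */
$previous_date = date("Y-m-d", strtotime("-1 day"));

/* Kippo stored the IP of the sensor as a name in the 'sensors' table; this
 * maps the sensor ID back to the address that was attacked. The values are
 * redacted in this listing. */
$SENSOR_TARGETS = array(
    1 => "ip-removed",
    2 => "ip-removed",
    3 => "ip-removed",
    4 => "ip-removed",
    5 => "ip-removed",
    6 => "ip-removed",
    7 => "ip-removed",
    8 => "ip-removed",
);

/* My SMTP information, change to yours or remove and add the default
 * PHP mail() command. These do not change per attacker, so set once. */
$host = "ssl://smtp.gmail.com";
$port = "465";
$username = "";
$password = '';
$from = 'jay@jayscott.co.uk';

/**
 * Runs a whois lookup on $ip and extracts the network name plus every
 * e-mail address mentioned in the output.
 *
 * @param string $ip Attacker address taken from sessions.ip.
 * @return array array('name' => string, 'emails' => string[]): name is the
 *               value after the last "netname:" or "owner:" line ('' when
 *               there is none); emails are lower-cased and de-duplicated,
 *               in order of first appearance.
 */
function whoisLookup($ip)
{
    $lines = array();
    // sessions.ip is filled from a peer address, so it should be a plain IP,
    // but it still goes through a shell here - quote it rather than trust it.
    exec("whois " . escapeshellarg($ip), $lines);

    $name = '';
    $emails = array();
    foreach ($lines as $line) {
        if (stripos($line, "netname:") === 0 || stripos($line, "owner:") === 0) {
            $field = explode(':', $line);
            $name = trim($field[1]);
        }
        // Only record a hit; the old code read $matches[0] even when
        // preg_match found nothing on the line.
        if (preg_match('/[\._a-zA-Z0-9-]+@[\._a-zA-Z0-9-]+/i', $line, $matches)) {
            $emails[] = strtolower($matches[0]);
        }
    }

    return array('name' => $name, 'emails' => array_values(array_unique($emails)));
}

/**
 * Decides who gets the report. If any address has an abuse@ or support@
 * local part only that one is used (the last such match wins, as before);
 * otherwise every address found in the whois output is contacted.
 *
 * @param string[] $emails Addresses from whoisLookup().
 * @return array array('recipients' => string[], 'abuse' => bool)
 */
function chooseRecipients(array $emails)
{
    $abuseAddress = null;
    foreach ($emails as $address) {
        $user = strtolower(substr($address, 0, strpos($address, '@')));
        if ($user === "abuse" || $user === "support") {
            $abuseAddress = $address;
        }
    }

    if ($abuseAddress !== null) {
        return array('recipients' => array($abuseAddress), 'abuse' => true);
    }

    return array('recipients' => $emails, 'abuse' => false);
}

/* One row per attacking IP seen in the last day. Note that auth.session,
 * auth.timestamp and sessions.sensor are not aggregated, so MySQL picks them
 * from an arbitrary row of each group (and ONLY_FULL_GROUP_BY rejects the
 * statement outright). */
$QUERY_ATTACKS = mysql_query("SELECT auth.session, auth.`timestamp`, MAX(sessions.starttime) AS MAXTIME, MIN(sessions.starttime) AS MINTIME,
sessions.ip, sessions.sensor
FROM auth INNER JOIN sessions ON auth.session = sessions.id
WHERE timestamp >= '$previous_date'
GROUP BY sessions.ip
ORDER BY auth.id ", $db);
if ($QUERY_ATTACKS === false) {
    die(mysql_error($db));
}

while ($ROW_ATTACKER = mysql_fetch_array($QUERY_ATTACKS)) {
    $IPADDRESS = $ROW_ATTACKER["ip"];
    // MINTIME is the earliest session start for this IP. The old code put
    // MAXTIME (the latest start) into $START and then told the contact that
    // was when the address "first gained access".
    $FIRST_SEEN = $ROW_ATTACKER["MINTIME"];
    $SENSOR = $ROW_ATTACKER["sensor"];
    $TIMESTAMP = $ROW_ATTACKER["timestamp"];

    $ip_sql = mysql_real_escape_string($IPADDRESS, $db);

    /* Already in the DB? don't report again. A failed lookup also skips the
     * address: better to miss one report than to mail the same contact twice. */
    $IP_EXISTS = mysql_query("SELECT contacted FROM report WHERE ip = '$ip_sql'", $db);
    if ($IP_EXISTS === false || mysql_fetch_array($IP_EXISTS)) {
        continue;
    }

    echo "IP = $IPADDRESS\n";

    $total_attacks = attackAttempts($IPADDRESS, $db);
    $attack_success = attackSuccessful($IPADDRESS, $db);

    /* Report when the address hammered us or actually got in. */
    if ($total_attacks > 10) {
        echo "More than 10 attempts ($total_attacks) ($attack_success)\n";
    } elseif ($attack_success > 0) {
        echo "Attack Success ($total_attacks) ($attack_success)\n";
    } else {
        echo "Less than 10 attempts ($total_attacks) ($attack_success)\n";
        continue;
    }

    $whois = whoisLookup($IPADDRESS);
    $NAME = $whois['name'];
    $chosen = chooseRecipients($whois['emails']);
    $EMAIL_ABUSE = $chosen['abuse'];
    $EMAILS = implode(" ", $chosen['recipients']);

    // Name and addresses come from whois output, i.e. from a third party,
    // so they are escaped before going into the report table.
    $name_sql = mysql_real_escape_string($NAME, $db);
    $emails_sql = mysql_real_escape_string($EMAILS, $db);
    $ts_sql = mysql_real_escape_string($TIMESTAMP, $db);

    if (empty($whois['emails'])) {
        /* Nobody to write to: remember the IP (contacted = 0) so it is not
         * looked up again tomorrow. */
        mysql_query("INSERT INTO report (name, ip, contact, contacted, date) VALUES ('$name_sql', '$ip_sql', '', 0, '$ts_sql')", $db);
        continue;
    }

    /* Recorded before the mail goes out, so a failed send still leaves
     * contacted at its default of 1 - unchanged from the original. */
    mysql_query("INSERT INTO report (name, ip, contact, date) VALUES ('$name_sql', '$ip_sql', '$emails_sql', '$ts_sql')", $db);

    $to_parts = array();
    foreach ($chosen['recipients'] as $address) {
        // The e-mail regex also swallows a sentence-ending full stop.
        $to_parts[] = rtrim($address, '.');
    }
    $to = implode(",", $to_parts);
    echo "TO = $to";

    $TARGET = isset($SENSOR_TARGETS[$SENSOR]) ? $SENSOR_TARGETS[$SENSOR] : '';

    $subject = "SSH attack from $IPADDRESS";

    $message = "To abuse/support,";

    // Was `if ($EMAIL_ABUSE = 0)` - an assignment, so this paragraph was never sent.
    if (!$EMAIL_ABUSE) {
        $message .= "

Please note I could not find a abuse or support email address in an
WHOIS lookup.";
    }

    $message .= "

I run a honeypot network that reports any attacking IP address or
successful logins from unauthorised IP address.

The IP $IPADDRESS first gained access or attempted to access the
honeypot on $FIRST_SEEN GMT against the IP address $TARGET.";

    $message .= "

It maybe that $IPADDRESS has been compromised, is an active
participant in a botnet or is being used as a SSH tunnel.

You may wish to monitor the IP Address. You can view more details about
the attack such as any more attacks carried out, amount of attacks and
even watch the attack if they successfully logged in here:

http://honeypot.jayscott.co.uk/ip/$IPADDRESS

If you would like any advice or require further information please
feel free to contact me, jay@jayscott.co.uk.

Regards,
Jay Scott";

    $headers = array('From' => $from,
                     'To' => $to,
                     'Subject' => $subject);
    $smtp = Mail::factory('smtp',
        array('host' => $host,
              'port' => $port,
              'auth' => true,
              'username' => $username,
              'password' => $password));

    $mail = $smtp->send($to, $headers, $message);

    if (PEAR::isError($mail)) {
        echo(" - " . $mail->getMessage() . "\n");
    } else {
        echo(" - Message sent\n\n");
    }
}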