snippets.php - honeypot - A custom version of kippo used for SSH honeypot analysis and reporting.
       ---
       snippets.php (2389B)
       ---
            1 <?
            2 
            3 /*
            4  * Various code snippets I used in pages through-out the project, didn't think
            5  * there was much point in displaying all of the HTML etc.
            6  */
            7 
            8 
            9 /* === Get unique Malware links === */
           10 
           11 $QUERY_DOWNLOAD = mysql_query("SELECT input.input, input.timestamp, sessions.ip
           12                                FROM input INNER JOIN sessions
           13                                ON input.session = sessions.id
           14                                WHERE input.input LIKE '%wget%'
           15                                GROUP BY input.input
           16                                ORDER BY input.timestamp DESC ");
           17 
           18 while ($DOWNLOAD_ROW = mysql_fetch_array($QUERY_DOWNLOAD)) {
           19   if (strlen($DOWNLOAD_ROW['input']) > 8) {
           20 
           21     $Date = strtotime($DOWNLOAD_ROW["timestamp"]);
           22     $myDate = date('D jS M, G:i:s', $Date);
           23 
           24     $URL = htmlspecialchars($DOWNLOAD_ROW['input']);
           25 
           26     echo "<tr><td>$myDate</td>
           27           <td>" . substr($URL, 5) . "</td></tr>";
           28   }
           29 }
           30 
           31 
           32 
           33 /* === Get unique passwords === */
           34 
           35 $sql_date = mysql_real_escape_string($_GET['date']);
           36 
           37 if ($sql_date == 'all') {
           38   $previous_date = "2011-02-01"; /* date I started logging via sql */
           39 } else if ($sql_date == 'week') {
           40   $previous_date = date("Y-m-d", strtotime("-7 day"));
           41 } else if ($sql_date == 'month') {
           42   $previous_date = date("Y-m-d", strtotime("-30 day"));
           43 } else {
           44   $previous_date = date("Y-m-d", strtotime("-1 day"));
           45 }
           46 
           47 /* simply change password to username for username stats */
           48 $query_passwords = mysql_query("SELECT COUNT(password) AS PCOUNT, password
           49                                 FROM auth WHERE password <> ''
           50                                 AND timestamp >= '$previous_date'
           51                                 GROUP BY password
           52                                 ORDER BY PCOUNT DESC LIMIT 20");
           53 
           54 
           55 /* === Showing information on the attack === */
           56 
           57 $QUERY_CLIENT = mysql_query("SELECT version FROM clients
           58                              WHERE id = '$CLIENT'
           59                              LIMIT 1");
           60 
           61 $CLIENT_SEARCH = strtolower($ROWS_CLIENT['version']);
           62 
           63   if (strpos($CLIENT_SEARCH, "putty"))
           64     echo "<b>Connected Manually</b> ";
           65   else if (strpos($CLIENT_SEARCH, "libssh"))
           66     echo "<b>Used a C scanner</b> ";
           67   else if (strpos($CLIENT_SEARCH, "winscp"))
           68     echo "<b>Used WinSCP</b> ";
           69   else if (strpos($CLIENT_SEARCH, "openssh"))
           70     echo "<b>Connected Manually</b> ";
           71   else if (strpos($CLIENT_SEARCH, "nmap"))
           72     echo "<b>NMap Scan</b> ";
           73 
           74 
           75 
           76 ?>