thp-0.4.6/CHANGELOG

0.4.6 - Enhanced shell.pl to include a working directory array, which makes pwd and cd
        work. Added wget, a more flexible uname (with -a, -s, -m, -v), w, and support
        for a semicolon separated command list.

0.4.5 (not released) - Added Time::HiRes as the best method of pulling good timestamps.
        Moved thpfunc.pl into ~thp/lib. Improvements to the iptables script, primarily
        to fix a firewall logging bug.
        Chris Corella:
        Added (thp.conf) $uname, mostly to simulate how easy it is to add shell-like
        capabilities.
        Added (shell.pl) select LOG; $|=1; to make LOG the currently selected output
        filehandle and flush the buffer on every print to LOG.
        Added (shell.pl) uname -a and whoami functionality, see first comment.
        Added (all handlers) select LOG; $|=1; code.

0.4.4 - Lots of changes here! Capture logs now include the src address & port of the
        attacker. Selectable in the config file, capture log entries can be written on
        a single line, syslog-style, suitable for machine parsing. Check the comments
        for certain implications of choosing this option.
        I changed the directory layout a bit with this release. In the $thpdir/lib
        directory are the individual function libs, as well as other response files.
        http.pl is completely rewritten, with the goal of rfc2616 compliance whenever
        possible. It includes errors 414, 501, 400 & 414, correctly built http return
        headers for several file types, chameleon mode - to change its responses (if
        turned on) to respond like an IIS machine when an attacker requests certain
        types of resources, and several other features. It is usable (if you are a
        little deranged) as a lightweight webserver with a flat directory structure.
0.4.3-2 - Adjusted xinetd.d file port numbers & removed o-x on conf files (pr0ps to
        Bill Scherr), added GOODNET & GOODSVCS to the INPUT chain, added a section to
        iptables.rules to allow a multi-homed system to trust either an entire
        interface, or just a trusted network. Added a test to bomb out if someone
        accidentally runs iptables.rules as-is on a machine that is a router. Fixed
        escapes & array references in ftp() that were causing some versions of Perl
        to complain.

0.4.3-1 - Fixed extra shell prompt on exit, added GPL blurb to all files (thanks to
        Scot Wilcoxon for pointing this out), removed duplicate xinetd.d files from
        the tarball (sorry folks), iptables script requires less post-install tweaking
        for hpot_svcs, moved port range for listeners to 40k+ to avoid conflicts with
        fakerpc, several other little tweaks & bugfixes.

0.4.3 - Added session timeouts, simple http emulation, pid on caplog start line (you
        can now easily correlate with xinetd logging), xinetd per-source limits by
        default.

0.4.2-2 - Tweaked ftp some more, added a thp.conf switch to allow genuine data
        connections for ftp, so STOR works and deposits the uploaded file(s) into the
        hpot directory. LIST & RETR just get junk via greetbin. Provided for a silent
        listener (no prompt or greeting). Various housekeeping.

0.4.2-1 - Tweaked ftp a bit; pasv, port, list, retr now do something.

0.4.2 - Added an ftp responder in thpfunc.pl. Improved session naming by using the
        syscall gettimeofday and concatenating seconds & usecs in hex, with a fallback
        to the old method. Added a nullresponder sub to thpfunc.pl.

0.4.1 - Due to a piss poor job of input validation (none), and thus the ease with
        which an intruder could execute arbitrary commands as user "nobody", I have
        begun a rewrite in Perl, taking a little better care in examining (or not
        evaluating at all) any external data exchanges.
        Broke things up into thp.cfg (config stuff), thpfunc.pl (functions lib), and
        relegated logthis to dealing with start/stop logging & calling the
        service-specific subroutines (not there yet).

0.3.2 - Extended iptables script to simplify multiple hpot_svcs. Clarified and enhanced
        iptables support for permitted (trusted) networks and/or services. Started
        playing with thpsvcs, to provide believable responses to simple initial
        commands. ftp is the only one in there now, more to come.

0.3.1 - Some xinetds don't like the config file name xinetd.hpot, so I renamed it to
        simply hpot. Added the necessary iptables lines to allow local -> external &
        return trip traffic. Fixed README (yeah, right).

0.3 - First real build. Prior versions were local cob-jobs. I figure 0.3 is about right.

thp-0.4.6/READTHIS

thp - the tiny honeypot
# version 0.4.6
# Copyright George Bakos - alpinista@bigfoot.com
# May 2003
# This is free software, released under the terms of the GNU General
# Public License available at http://www.gnu.org

INTRODUCTION
------------

I threw this together and started capturing pretty good poop, so a few friends
thought I should make it available. Here it is. If you think it's lame, that's
fine. I wasn't going to put it out, anyway.

You may find it worthwhile if you have only one ip address, and don't want to
DNAT everything incoming to an internal dedicated honeypot. I run it on several
machines that are in regular daily use.

DISCLAIMER
----------

This is a neat toy. That's all it is. You can learn from your toys if you use
them responsibly, or you can leave them lying around on the floor, trip on them,
and break your neck. Don't come crying to me because you thought my toys didn't
break. That's stupid. When it breaks, grab a little glue and fix it, or throw it
away; I don't care. Have fun, learn something, help others learn, but don't
whine because you were told that this was foolproof. It isn't.
Fools will always provide the proof.

CONCEPT
-------

The concept is simple: listen and record. The only problem is that the badguys
can't speak until after a connection comes up. So we give them one. On any port
they want. Period. Upon connecting, they are presented with a greeting (I use
fortune) and a root prompt. W00p! They are leet. If you prefer a silent listener
(no greeting or prompt), that's cool, too. See the section xinetd.d/inetd,
below. Script kiddeez are your best entertainment value!

xinetd is used to open a single port. New connections to it get handed off to a
simple Perl script that builds two files: a running connection tracker, and a
unique session file, into which we merely capture all data. That's also where
the root prompt comes from. Keystrokes, autorooter scripts, exploit reconnects,
whatever. (If you want other services emulated, you add another xinetd.d file &
change the commandline param & port.)

iptables REDIRECT is used to pass all incoming connection requests, regardless
of destination port, to that xinetd listener, unless we make an exception.
Portmap is one such exception. In order for the intruder-to-be to know what port
rpc.cmsd (or any other rpc service) is listening on, she needs to ask the target
system's portmapper. So we fire up a portmapper, and feed it bogus mappings for
every service we can. Sort of like building a static arp table, only more
funnerer.

Now, all of this port redirect tomfoolery is TCP only, but that's ok. UDP is
connectionless; once the attacker believes she knows what port to use, off it
flies. And we capture it, even if there is no service at the near end. I
personally use Snort & SHADOW to alert me & capture everything; you go ahead and
roll your own solution. Mine accommodates a pretty busy DSL that serves my
family, while still grabbing every bit of nastiness that is sent to it.
There are also several large sites running this on much busier production
systems/networks with no noticeable impact on performance.

INSTALLATION
------------

I'm going to assume that you have a fully functioning IDS of some sort up and
running. If not, you probably should put down the keyboard and step away from
the computer. Do not pass go, do not install this hpot.

..........

OK, now that they are out of the room, let's party. Keep your IDS sigs up to
date, folks. I use Snort for grabbing full binaries of anything that fires a
sig, as well as SHADOW to have a complete header log. With SHADOW, I get logging
even if I get hit with an 0-day that Snort misses. It's nice to be able to
replay the progression of events, too. (plug, plug, plug)

I highly advise you read through this file, as well as all of the comments in
the thp.conf and iptables.rules files, but if you don't care about the details,
and just want to put this thing up as quickly as possible, here's the straight
poop:

    cd /usr/local
    zcat thp-0.x.x.tar.gz | tar -xvf -
    ln -s thp-0.x.x thp
    mkdir /var/log/hpot
    chown nobody:nobody /var/log/hpot
    chmod 700 /var/log/hpot
    cp ./thp/xinetd.d/* /etc/xinetd.d
    edit the xinetd files to change them to "disable = no"
    make any path & preference adjustments in thp.conf & iptables.rules
    ./thp/iptables.rules
    /etc/rc.d/init.d/portmap start
    pmap_set < ./thp/fakerpc
    /etc/rc.d/init.d/xinetd start
    come back here and read.

Note the ordering: portmap must already be running when pmap_set is fed the
fakerpc file, and iptables.rules must be in place before xinetd starts
accepting connections, or the first probes arrive with nothing redirecting them.

thp.conf
--------

You may want to read through this file & make some adjustments, although for
most folks, this will fly fine just as it is. Read the comments & go.

One new feature for 0.4.4 you MAY wish to turn on is "logtype". From thp.conf:

    # Log format - "single" or "multi". Single line format is easier to parse, but
    # does not make any entry into the capture log until the session is complete.
    # Multiline gives you separate "start" & "end" lines, but is a pain in the
    # toches to do anything with.

This means that if an intruder is actively in the pot, you WON'T see a log
entry.
Sure, you'll still see it in netstat, iptables, xinetd, sid logs, etc., but thp
won't summarize it in the captures log until the session ends. If you depend on
tailing the captures log for some kind of alert, it might be a good idea to
leave the logtype as "multi".

In thp.conf, there are a number of paths specified. If you don't like them,
change them. You will need to create a log location. The default is
/var/log/hpot. Go ahead and mkdir, chown nobody & chmod 700 it.

logthis
-------

The file "logthis" is the main script of the lot. It will create the master log
entries in /var/log/hpot/captures, and call the necessary input handler(s) from
thpfunc.pl.

thpfunc.pl
----------

This is most of the meat & potato(e?)s. If you want to extend thp's
functionality, please put your handler in here & call it from logthis based on
xinetd server_args.

I am beginning to think this would be better as individual files, rather than
one big kahuna. I can't make major changes like that without pissing some folks
off, so let's be democratic about it. All in favor, say aye. The ayes have it.
Expect individual files on your local supermarket shelves soon.

A couple of notes on SIDs:
-------------------------

The session IDs (session filenames, as well) are derived from the start time of
the intruder's data, not his connection. There may be a gap of a second or more
if the attack is not automated. Please remember this when correlating firewall &
IDS logs against SID files.

New for v0.4.2 is a better sub gettime() in thpfunc.pl. There are two methods of
creating SIDs, depending on how cool your Perl is. If your Perl has syscall.ph
built, then you will have microsecond-unique SIDs. If not, then thp falls back
on the old method of one SID per second. The old method can, and will, result in
multiple sessions logging to the same file, if they both initiate within a
second of each other. If you don't want this, and your Perl isn't quite l33t
3NuF, take a look at h2ph(1) and make it happen.
Yes, I know there is a very nice CPAN module available, but more folks have C
headers already on their boxes. To generate syscall.ph on my Linux:

    # cd /usr/include
    # h2ph * ./sys/* ./bits/*

xinetd/inetd
------------

Some inetd type super-server needs to be installed. I prefer xinetd, but good
ol' /sbin/inetd is ok, too; you'll just lose a lot of flexibility, including
the ability to limit concurrent sessions. Use the inetd.conf line here:

    6635 stream tcp nowait nobody /usr/local/thp/logthis logthis

If your inetd insists on a service name from /etc/services rather than a
numeric port in the first field, add a line such as "hpot 6635/tcp" there and
use "hpot" in its place.

From the xinetd.d directory, copy the xinetd configuration file "hpot" into your
system /etc/xinetd.d directory, and be sure to re-enable it by editing. Don't
ask me why I used port 6635 for the catch-all, my head just happened to fall on
those keys, then I woke up. If you need it, xinetd is available from
http://www.synack.net/xinetd/. Some folks will prefer a different listener; go
for it.

If you are going to use any of the thpfunc.pl services (currently only ftp and a
really rudimentary http are in there), then the appropriate thp- file must also
appear in the xinetd.d directory. The only differences between these are the
commandline param, service name & port number. The cmdline parameter tells the
logthis script which subroutine to call from thpfunc.pl.

If you prefer any service to be a "silent listener", i.e. no response, no
prompt, no nothin' except logging of input, comment out the "server_args" line
in the appropriate xinetd.d file.

portmap
-------

I wanted to register every service imaginable with the portmapper, but didn't
like the idea of actually running the daemons necessary and relying on the
firewall to keep the beasties at bay (some dweeb's voice in my ear kept saying,
"defense in depth.") I was going to bang on the sources to portmapper and
hardcode everything from /etc/rpc into there, but after I pulled the tarball
down, I started reading and saw that pmap_dump and pmap_set would do it all.
Cool. Thanks Wietse.
The fakerpc here is derived from RedHat Linux 7.1, Irix 5.3, and Solaris 8's
/etc/rpc files, and then built to include lines for versions 1-4 of each rpc
program, via both udp and tcp. Start portmapper as normal, but instead of
firing up rpc programs, just execute: "pmap_set < /usr/local/thp/fakerpc".
Nothing needs to listen on the advertised ports (32002-32065); a connection
to any of them is just another incoming TCP SYN that the firewall redirects to
the catch-all listener, which is why the dedicated thp listeners live at
40000+port and must stay clear of that range.

There's a 1:1 chance that this will break your existing legit rpc services. If
you are running rpc services on your firewall/hpot, you should go hang out with
those non-IDS types above.

iptables
--------

I'll write this section later, or not. For now, read the comments in
iptables.rules and edit as necessary, or incorporate the essential bits into
your own ruleset. If you have an existing firewall script & aren't comfortable
modifying it yourself, feel free to ask. I may have time to help.

I'm going to yell for a minute. Stop reading if you are going to be offended.

WARNING! DANGER WILL ROBINSON! THIS WILL BREAK YOUR EXISTING IPTABLES FIREWALL.

The script flushes every chain in the filter and nat tables, deletes all user
chains, and sets the INPUT, FORWARD and OUTPUT policies to DROP before it adds
its own rules. Any questions? Read the disclaimer again.

Hey, Dan, when are you going to give us your /etc/pf.conf?
George
alpinista@bigfoot.com

thp-0.4.6/fakerpc

100001 1 tcp 32002 rstatd
100001 1 udp 32002 rstatd
100001 2 tcp 32002 rstatd
100001 2 udp 32002 rstatd
100001 3 tcp 32002 rstatd
100001 3 udp 32002 rstatd
100001 4 tcp 32002 rstatd
100001 4 udp 32002 rstatd
100002 1 tcp 32003 rusersd
100002 1 udp 32003 rusersd
100002 2 tcp 32003 rusersd
100002 2 udp 32003 rusersd
100002 3 tcp 32003 rusersd
100002 3 udp 32003 rusersd
100002 4 tcp 32003 rusersd
100002 4 udp 32003 rusersd
100004 1 tcp 32005 ypserv
100004 1 udp 32005 ypserv
100004 2 tcp 32005 ypserv
100004 2 udp 32005 ypserv
100004 3 tcp 32005 ypserv
100004 3 udp 32005 ypserv
100004 4 tcp 32005 ypserv
100004 4 udp 32005 ypserv
100005 1 tcp 32006 mountd
100005 1 udp 32006 mountd
100005 2 tcp 32006 mountd
100005 2 udp 32006 mountd
100005 3 tcp 32006 mountd
100005 3 udp 32006 mountd
100005 4 tcp 32006 mountd
100005 4 udp 32006 mountd
100007 1 tcp 32007 ypbind
100007 1 udp 32007 ypbind
100007 2 tcp 32007 ypbind
100007 2 udp 32007 ypbind
100007 3 tcp 32007 ypbind
100007 3 udp 32007 ypbind
100007 4 tcp 32007 ypbind
100007 4 udp 32007 ypbind
100008 1 tcp 32008 walld
100008 1 udp 32008 walld
100008 2 tcp 32008 walld
100008 2 udp 32008 walld
100008 3 tcp 32008 walld
100008 3 udp 32008 walld
100008 4 tcp 32008 walld
100008 4 udp 32008 walld
100009 1 tcp 32009 yppasswdd
100009 1 udp 32009 yppasswdd
100009 2 tcp 32009 yppasswdd
100009 2 udp 32009 yppasswdd
100009 3 tcp 32009 yppasswdd
100009 3 udp 32009 yppasswdd
100009 4 tcp 32009 yppasswdd
100009 4 udp 32009 yppasswdd
100010 1 tcp 32010 etherstatd
100010 1 udp 32010 etherstatd
100010 2 tcp 32010 etherstatd
100010 2 udp 32010 etherstatd
100010 3 tcp 32010 etherstatd
100010 3 udp 32010 etherstatd
100010 4 tcp 32010 etherstatd
100010 4 udp 32010 etherstatd
100011 1 tcp 32011 rquotad
100011 1 udp 32011 rquotad
100011 2 tcp 32011 rquotad
100011 2 udp 32011 rquotad
100011 3 tcp 32011 rquotad
100011 3 udp 32011 rquotad
100011 4 tcp 32011 rquotad
100011 4 udp 32011 rquotad
100012 1 tcp 32012 sprayd
100012 1 udp 32012 sprayd
100012 2 tcp 32012 sprayd
100012 2 udp 32012 sprayd
100012 3 tcp 32012 sprayd
100012 3 udp 32012 sprayd
100012 4 tcp 32012 sprayd
100012 4 udp 32012 sprayd
100013 1 tcp 32013 3270_mapper
100013 1 udp 32013 3270_mapper
100013 2 tcp 32013 3270_mapper
100013 2 udp 32013 3270_mapper
100013 3 tcp 32013 3270_mapper
100013 3 udp 32013 3270_mapper
100013 4 tcp 32013 3270_mapper
100013 4 udp 32013 3270_mapper
100014 1 tcp 32014 rje_mapper
100014 1 udp 32014 rje_mapper
100014 2 tcp 32014 rje_mapper
100014 2 udp 32014 rje_mapper
100014 3 tcp 32014 rje_mapper
100014 3 udp 32014 rje_mapper
100014 4 tcp 32014 rje_mapper
100014 4 udp 32014 rje_mapper
100015 1 tcp 32015 selection_svc
100015 1 udp 32015 selection_svc
100015 2 tcp 32015 selection_svc
100015 2 udp 32015 selection_svc
100015 3 tcp 32015 selection_svc
100015 3 udp 32015 selection_svc
100015 4 tcp 32015 selection_svc
100015 4 udp 32015 selection_svc
100016 1 tcp 32016 database_svc
100016 1 udp 32016 database_svc
100016 2 tcp 32016 database_svc
100016 2 udp 32016 database_svc
100016 3 tcp 32016 database_svc
100016 3 udp 32016 database_svc
100016 4 tcp 32016 database_svc
100016 4 udp 32016 database_svc
100017 1 tcp 32017 rexd
100017 1 udp 32017 rexd
100017 2 tcp 32017 rexd
100017 2 udp 32017 rexd
100017 3 tcp 32017 rexd
100017 3 udp 32017 rexd
100017 4 tcp 32017 rexd
100017 4 udp 32017 rexd
100018 1 tcp 32018 alis
100018 1 udp 32018 alis
100018 2 tcp 32018 alis
100018 2 udp 32018 alis
100018 3 tcp 32018 alis
100018 3 udp 32018 alis
100018 4 tcp 32018 alis
100018 4 udp 32018 alis
100019 1 tcp 32019 sched
100019 1 udp 32019 sched
100019 2 tcp 32019 sched
100019 2 udp 32019 sched
100019 3 tcp 32019 sched
100019 3 udp 32019 sched
100019 4 tcp 32019 sched
100019 4 udp 32019 sched
100020 1 tcp 32020 llockmgr
100020 1 udp 32020 llockmgr
100020 2 tcp 32020 llockmgr
100020 2 udp 32020 llockmgr
100020 3 tcp 32020 llockmgr
100020 3 udp 32020 llockmgr
100020 4 tcp 32020 llockmgr
100020 4 udp 32020 llockmgr
100021 1 tcp 32021 nlockmgr
100021 1 udp 32021 nlockmgr
100021 2 tcp 32021 nlockmgr
100021 2 udp 32021 nlockmgr
100021 3 tcp 32021 nlockmgr
100021 3 udp 32021 nlockmgr
100021 4 tcp 32021 nlockmgr
100021 4 udp 32021 nlockmgr
100022 1 tcp 32022 x25.inr
100022 1 udp 32022 x25.inr
100022 2 tcp 32022 x25.inr
100022 2 udp 32022 x25.inr
100022 3 tcp 32022 x25.inr
100022 3 udp 32022 x25.inr
100022 4 tcp 32022 x25.inr
100022 4 udp 32022 x25.inr
100023 1 tcp 32023 statmon
100023 1 udp 32023 statmon
100023 2 tcp 32023 statmon
100023 2 udp 32023 statmon
100023 3 tcp 32023 statmon
100023 3 udp 32023 statmon
100023 4 tcp 32023 statmon
100023 4 udp 32023 statmon
100024 1 tcp 32024 status
100024 1 udp 32024 status
100024 2 tcp 32024 status
100024 2 udp 32024 status
100024 3 tcp 32024 status
100024 3 udp 32024 status
100024 4 tcp 32024 status
100024 4 udp 32024 status
100026 1 tcp 32025 bootparam
100026 1 udp 32025 bootparam
100026 2 tcp 32025 bootparam
100026 2 udp 32025 bootparam
100026 3 tcp 32025 bootparam
100026 3 udp 32025 bootparam
100026 4 tcp 32025 bootparam
100026 4 udp 32025 bootparam
100028 1 tcp 32026 ypupdated
100028 1 udp 32026 ypupdated
100028 2 tcp 32026 ypupdated
100028 2 udp 32026 ypupdated
100028 3 tcp 32026 ypupdated
100028 3 udp 32026 ypupdated
100028 4 tcp 32026 ypupdated
100028 4 udp 32026 ypupdated
100029 1 tcp 32027 keyserv
100029 1 udp 32027 keyserv
100029 2 tcp 32027 keyserv
100029 2 udp 32027 keyserv
100029 3 tcp 32027 keyserv
100029 3 udp 32027 keyserv
100029 4 tcp 32027 keyserv
100029 4 udp 32027 keyserv
100033 1 tcp 32028 sunlink_mapper
100033 1 udp 32028 sunlink_mapper
100033 2 tcp 32028 sunlink_mapper
100033 2 udp 32028 sunlink_mapper
100033 3 tcp 32028 sunlink_mapper
100033 3 udp 32028 sunlink_mapper
100033 4 tcp 32028 sunlink_mapper
100033 4 udp 32028 sunlink_mapper
100037 1 tcp 32029 tfsd
100037 1 udp 32029 tfsd
100037 2 tcp 32029 tfsd
100037 2 udp 32029 tfsd
100037 3 tcp 32029 tfsd
100037 3 udp 32029 tfsd
100037 4 tcp 32029 tfsd
100037 4 udp 32029 tfsd
100038 1 tcp 32030 nsed
100038 1 udp 32030 nsed
100038 2 tcp 32030 nsed
100038 2 udp 32030 nsed
100038 3 tcp 32030 nsed
100038 3 udp 32030 nsed
100038 4 tcp 32030 nsed
100038 4 udp 32030 nsed
100039 1 tcp 32031 nsemntd
100039 1 udp 32031 nsemntd
100039 2 tcp 32031 nsemntd
100039 2 udp 32031 nsemntd
100039 3 tcp 32031 nsemntd
100039 3 udp 32031 nsemntd
100039 4 tcp 32031 nsemntd
100039 4 udp 32031 nsemntd
100043 1 tcp 32032 showfhd
100043 1 udp 32032 showfhd
100043 2 tcp 32032 showfhd
100043 2 udp 32032 showfhd
100043 3 tcp 32032 showfhd
100043 3 udp 32032 showfhd
100043 4 tcp 32032 showfhd
100043 4 udp 32032 showfhd
100055 1 tcp 32033 ioadmd
100055 1 udp 32033 ioadmd
100055 2 tcp 32033 ioadmd
100055 2 udp 32033 ioadmd
100055 3 tcp 32033 ioadmd
100055 3 udp 32033 ioadmd
100055 4 tcp 32033 ioadmd
100055 4 udp 32033 ioadmd
100062 1 tcp 32034 NETlicense
100062 1 udp 32034 NETlicense
100062 2 tcp 32034 NETlicense
100062 2 udp 32034 NETlicense
100062 3 tcp 32034 NETlicense
100062 3 udp 32034 NETlicense
100062 4 tcp 32034 NETlicense
100062 4 udp 32034 NETlicense
100065 1 tcp 32035 sunisamd
100065 1 udp 32035 sunisamd
100065 2 tcp 32035 sunisamd
100065 2 udp 32035 sunisamd
100065 3 tcp 32035 sunisamd
100065 3 udp 32035 sunisamd
100065 4 tcp 32035 sunisamd
100065 4 udp 32035 sunisamd
100066 1 tcp 32036 debug_svc
100066 1 udp 32036 debug_svc
100066 2 tcp 32036 debug_svc
100066 2 udp 32036 debug_svc
100066 3 tcp 32036 debug_svc
100066 3 udp 32036 debug_svc
100066 4 tcp 32036 debug_svc
100066 4 udp 32036 debug_svc
100069 1 tcp 32037 ypxfrd
100069 1 udp 32037 ypxfrd
100069 2 tcp 32037 ypxfrd
100069 2 udp 32037 ypxfrd
100069 3 tcp 32037 ypxfrd
100069 3 udp 32037 ypxfrd
100069 4 tcp 32037 ypxfrd
100069 4 udp 32037 ypxfrd
100071 1 tcp 32038 bugtraqd
100071 1 udp 32038 bugtraqd
100071 2 tcp 32038 bugtraqd
100071 2 udp 32038 bugtraqd
100071 3 tcp 32038 bugtraqd
100071 3 udp 32038 bugtraqd
100071 4 tcp 32038 bugtraqd
100071 4 udp 32038 bugtraqd
100078 1 tcp 32039 kerbd
100078 1 udp 32039 kerbd
100078 2 tcp 32039 kerbd
100078 2 udp 32039 kerbd
100078 3 tcp 32039 kerbd
100078 3 udp 32039 kerbd
100078 4 tcp 32039 kerbd
100078 4 udp 32039 kerbd
100101 1 tcp 32040 event
100101 1 udp 32040 event
100101 2 tcp 32040 event
100101 2 udp 32040 event
100101 3 tcp 32040 event
100101 3 udp 32040 event
100101 4 tcp 32040 event
100101 4 udp 32040 event
100102 1 tcp 32041 logger
100102 1 udp 32041 logger
100102 2 tcp 32041 logger
100102 2 udp 32041 logger
100102 3 tcp 32041 logger
100102 3 udp 32041 logger
100102 4 tcp 32041 logger
100102 4 udp 32041 logger
100104 1 tcp 32042 sync
100104 1 udp 32042 sync
100104 2 tcp 32042 sync
100104 2 udp 32042 sync
100104 3 tcp 32042 sync
100104 3 udp 32042 sync
100104 4 tcp 32042 sync
100104 4 udp 32042 sync
100107 1 tcp 32043 hostperf
100107 1 udp 32043 hostperf
100107 2 tcp 32043 hostperf
100107 2 udp 32043 hostperf
100107 3 tcp 32043 hostperf
100107 3 udp 32043 hostperf
100107 4 tcp 32043 hostperf
100107 4 udp 32043 hostperf
100109 1 tcp 32044 activity
100109 1 udp 32044 activity
100109 2 tcp 32044 activity
100109 2 udp 32044 activity
100109 3 tcp 32044 activity
100109 3 udp 32044 activity
100109 4 tcp 32044 activity
100109 4 udp 32044 activity
100112 1 tcp 32045 hostmem
100112 1 udp 32045 hostmem
100112 2 tcp 32045 hostmem
100112 2 udp 32045 hostmem
100112 3 tcp 32045 hostmem
100112 3 udp 32045 hostmem
100112 4 tcp 32045 hostmem
100112 4 udp 32045 hostmem
100113 1 tcp 32046 sample
100113 1 udp 32046 sample
100113 2 tcp 32046 sample
100113 2 udp 32046 sample
100113 3 tcp 32046 sample
100113 3 udp 32046 sample
100113 4 tcp 32046 sample
100113 4 udp 32046 sample
100114 1 tcp 32047 x25
100114 1 udp 32047 x25
100114 2 tcp 32047 x25
100114 2 udp 32047 x25
100114 3 tcp 32047 x25
100114 3 udp 32047 x25
100114 4 tcp 32047 x25
100114 4 udp 32047 x25
100115 1 tcp 32048 ping
100115 1 udp 32048 ping
100115 2 tcp 32048 ping
100115 2 udp 32048 ping
100115 3 tcp 32048 ping
100115 3 udp 32048 ping
100115 4 tcp 32048 ping
100115 4 udp 32048 ping
100116 1 tcp 32049 rpcnfs
100116 1 udp 32049 rpcnfs
100116 2 tcp 32049 rpcnfs
100116 2 udp 32049 rpcnfs
100116 3 tcp 32049 rpcnfs
100116 3 udp 32049 rpcnfs
100116 4 tcp 32049 rpcnfs
100116 4 udp 32049 rpcnfs
100117 1 tcp 32050 hostif
100117 1 udp 32050 hostif
100117 2 tcp 32050 hostif
100117 2 udp 32050 hostif
100117 3 tcp 32050 hostif
100117 3 udp 32050 hostif
100117 4 tcp 32050 hostif
100117 4 udp 32050 hostif
100118 1 tcp 32051 etherif
100118 1 udp 32051 etherif
100118 2 tcp 32051 etherif
100118 2 udp 32051 etherif
100118 3 tcp 32051 etherif
100118 3 udp 32051 etherif
100118 4 tcp 32051 etherif
100118 4 udp 32051 etherif
100120 1 tcp 32052 iproutes
100120 1 udp 32052 iproutes
100120 2 tcp 32052 iproutes
100120 2 udp 32052 iproutes
100120 3 tcp 32052 iproutes
100120 3 udp 32052 iproutes
100120 4 tcp 32052 iproutes
100120 4 udp 32052 iproutes
100121 1 tcp 32053 layers
100121 1 udp 32053 layers
100121 2 tcp 32053 layers
100121 2 udp 32053 layers
100121 3 tcp 32053 layers
100121 3 udp 32053 layers
100121 4 tcp 32053 layers
100121 4 udp 32053 layers
100122 1 tcp 32054 snmp
100122 1 udp 32054 snmp
100122 2 tcp 32054 snmp
100122 2 udp 32054 snmp
100122 3 tcp 32054 snmp
100122 3 udp 32054 snmp
100122 4 tcp 32054 snmp
100122 4 udp 32054 snmp
100123 1 tcp 32055 traffic
100123 1 udp 32055 traffic
100123 2 tcp 32055 traffic
100123 2 udp 32055 traffic
100123 3 tcp 32055 traffic
100123 3 udp 32055 traffic
100123 4 tcp 32055 traffic
100123 4 udp 32055 traffic
100227 1 tcp 32056 nfs_acl
100227 1 udp 32056 nfs_acl
100227 2 tcp 32056 nfs_acl
100227 2 udp 32056 nfs_acl
100227 3 tcp 32056 nfs_acl
100227 3 udp 32056 nfs_acl
100227 4 tcp 32056 nfs_acl
100227 4 udp 32056 nfs_acl
100232 1 tcp 32057 sadmind
100232 1 udp 32057 sadmind
100232 2 tcp 32057 sadmind
100232 2 udp 32057 sadmind
100232 3 tcp 32057 sadmind
100232 3 udp 32057 sadmind
100232 4 tcp 32057 sadmind
100232 4 udp 32057 sadmind
100233 1 tcp 32060 ufsd
100233 1 udp 32060 ufsd
100233 2 tcp 32060 ufsd
100233 2 udp 32060 ufsd
100233 3 tcp 32060 ufsd
100233 3 udp 32060 ufsd
100233 4 tcp 32060 ufsd
100233 4 udp 32060 ufsd
100300 1 tcp 32058 nisd
100300 1 udp 32058 nisd
100300 2 tcp 32058 nisd
100300 2 udp 32058 nisd
100300 3 tcp 32058 nisd
100300 3 udp 32058 nisd
100300 4 tcp 32058 nisd
100300 4 udp 32058 nisd
100303 1 tcp 32059 nispasswd
100303 1 udp 32059 nispasswd
100303 2 tcp 32059 nispasswd
100303 2 udp 32059 nispasswd
100303 3 tcp 32059 nispasswd
100303 3 udp 32059 nispasswd
100303 4 tcp 32059 nispasswd
100303 4 udp 32059 nispasswd
150001 1 tcp 32061 pcnfsd
150001 1 udp 32061 pcnfsd
150001 2 tcp 32061 pcnfsd
150001 2 udp 32061 pcnfsd
150001 3 tcp 32061 pcnfsd
150001 3 udp 32061 pcnfsd
150001 4 tcp 32061 pcnfsd
150001 4 udp 32061 pcnfsd
300019 1 tcp 32062 amd
300019 1 udp 32062 amd
300019 2 tcp 32062 amd
300019 2 udp 32062 amd
300019 3 tcp 32062 amd
300019 3 udp 32062 amd
300019 4 tcp 32062 amd
300019 4 udp 32062 amd
391002 1 tcp 32063 sgi_fam
391002 1 udp 32063 sgi_fam
391002 2 tcp 32063 sgi_fam
391002 2 udp 32063 sgi_fam
391002 3 tcp 32063 sgi_fam
391002 3 udp 32063 sgi_fam
391002 4 tcp 32063 sgi_fam
391002 4 udp 32063 sgi_fam
545580417 1 tcp 32064 bwnfsd
545580417 1 udp 32064 bwnfsd
545580417 2 tcp 32064 bwnfsd
545580417 2 udp 32064 bwnfsd
545580417 3 tcp 32064 bwnfsd
545580417 3 udp 32064 bwnfsd
545580417 4 tcp 32064 bwnfsd
545580417 4 udp 32064 bwnfsd
600100069 1 tcp 32065 fypxfrd
600100069 1 udp 32065 fypxfrd
600100069 2 tcp 32065 fypxfrd
600100069 2 udp 32065 fypxfrd
600100069 3 tcp 32065 fypxfrd
600100069 3 udp 32065 fypxfrd
600100069 4 tcp 32065 fypxfrd
600100069 4 udp 32065 fypxfrd

thp-0.4.6/iptables.rules

#!/bin/bash
#
# /usr/local/thp/iptables.rules version 0.4.5
#
# Copyright George Bakos - alpinista@bigfoot.com
# Feb 7, 2003
# This is free software, released under the terms of the GNU General
# Public License available at http://www.fsf.org/licenses/gpl.txt
#
# iptables rules to support the thp logthis script. All incoming connect
# requests that don't have a dedicated listener get redirected to a single
# listening port, where the script will log all activity.
#
# Be sure to load the appropriate modules so that all of the goodies in
# here work. You should customize this to your needs, including whatever
# you want to allow legitimate outgoing and return traffic. NEVER trust
# someone else's script to defend your perimeter, unless you've gone over
# it with a fine toothed comb, or paid them the big shekels and can file a
# healthy lawsuit when it breaks. Isn't risk transference great, ISSOs?
#
# DISCLAIMER
# This is a neat toy. That's all it is. You can learn from your toys
# if you use them responsibly, or you can leave them lying around on
# the floor, trip on them, and break your neck. Don't come crying to me
# because you thought my toys didn't break. That's stupid. When it breaks,
# grab a little glue and fix it, or throw it away; I don't give a shit.
# Have fun, learn something, help others learn, but don't whine because
# you were told that this was foolproof. It isn't. Fools will always
# provide the proof.

# The interface attached to the big bad world
#
EXTIF="eth0"

# The trusted internal interface
# WARNING! This setting will allow all traffic from this interface to be
# trusted. It is highly advised that you also define a trusted internal
# network below, that will then limit your exposure. Both are left
# commented out here; if EXTIF and INTIF are the same interface, setting
# INTIF without INTNET trusts the whole internet.
#
# INTIF="eth0"
# INTNET=

# The following two variables will determine whether or not to allow certain
# incoming traffic to avoid redirection to the honeypot. If either of them is
# uncommented, traffic that matches will be passed on to the INPUT chain
# intact. If both of them are uncommented, then both parameters must be matched
# in order to be passed.

# Trusted external net.
# Change this to the CIDR block of any network that
# is authorized to use the GOOD_SVCS, defined below. Comment this out if you
# don't want to use any.
#
GOODNET="192.168.1.0/24"

# Available legitimate services. Comment this out if you don't want to use any.
#
GOOD_SVCS="80,22"

# Comma separated list of ports that you have custom tcp listeners hanging out
# on. Each one is redirected to port+40000 (see thp-redir below), so the
# matching xinetd.d file must listen there. Comment this out if you don't want
# to use any.
#
HPOT_TCP_SVCS="21,80"

# If responding to passive mode ftp LIST and RETR commands, this is the port
# that you will make the content available on. Not yet fully implemented.
#
HPOT_PASV="33701"

# HPOT_UDP_SVCS= not yet implemented.

# Do you want to handle portmap queries? Be sure to run the daemon and populate
# it with the pmap_set command described in the README
#
PORTMAP="yes"

# What port is your xinetd catchall listener bound to?
#
REDIRPORT="6635"

# Change this to your iptables binary location
#
IPTCMD="/sbin/iptables"

# If you want nice verbose logging, fatten this up as you see fit
#
LOGOPT="--log-tcp-options --log-ip-options"

###################################################################
# End of variables section. You shouldn't need to change anything
# below this point unless you are customizing the firewall behavior
###################################################################

# Section 0 - Preparation

# 0.1
# Check to see if the machine is a router. If so, exit this script.
#
if [ "$(cat /proc/sys/net/ipv4/ip_forward)" -eq 1 ]
then
	echo "Oops, /proc/sys/net/ipv4/ip_forward == 1!"
	echo "Sorry, this machine appears to be a router. Please edit this"
	echo "script a little more carefully, or better yet, write your own"
	echo "based on the concepts herein."
	exit 1
fi

# 0.2
# Flush existing chains & delete user-defined chains before creating new ones.
# This wipes whatever firewall was loaded before; see the README warning.
#
$IPTCMD -F
$IPTCMD -F -t nat
$IPTCMD -X
$IPTCMD -X -t nat
$IPTCMD -t nat -N thp-redir
$IPTCMD -N evilin
$IPTCMD -N postinput

# 0.3
# Set major policies to DROP.
# $IPTCMD -P INPUT DROP $IPTCMD -P FORWARD DROP $IPTCMD -P OUTPUT DROP # Section 1 - PREROUTING # 1.0 # We don't want to redirect requests coming from the trusted external net # or destined for GOOD_SVCS # if [[ $GOODNET && $GOOD_SVCS ]]; then $IPTCMD -t nat -A PREROUTING -i $EXTIF -p tcp\ -m multiport --dports $GOOD_SVCS -s $GOODNET -j RETURN elif [[ $GOODNET ]]; then $IPTCMD -t nat -A PREROUTING -i $EXTIF -p tcp\ -s $GOODNET -j RETURN elif [[ $GOOD_SVCS ]]; then $IPTCMD -t nat -A PREROUTING -i $EXTIF -p tcp\ -m multiport --dports $GOOD_SVCS -j RETURN fi # 1.1 # 1.1.1 # Do you want to answer portmapper # queries? If you wish to use the portmapper ruse, be sure to run your # portmapper, then do: "pmap_set < $INSTALLDIR/etc/fakerpc" if [[ $PORTMAP = "yes" ]]; then $IPTCMD -t nat -A PREROUTING -p tcp --dport 111 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 60/minute -j RETURN ; fi if [[ $PORTMAP = "yes" ]]; then $IPTCMD -t nat -A PREROUTING -p udp --dport 111 -m limit --limit 60/minute -j RETURN ; fi # 1.1.2 # Do you have a static port defined for passive ftp data transfers? Be sure to configure it in # thp.conf & un-disable it in xinetd.d/thp-pasv. if [[ $HPOT_PASV ]]; then $IPTCMD -t nat -A PREROUTING -i $EXTIF -p tcp --dport $HPOT_PASV -j RETURN; fi # 1.2 # Let's limit logging, in case some twit decides to do a vertical port scan & # make a mess of our logs (the mess it leaves in the hpot captures log can # easily be cleaned out with the not-yet-ready unzero script). Speaking about # messes, iptables has a habit of clearing entries from the state table before # the other side is satisfied, so lets make sure that we're only rediring SYNs: # $IPTCMD -t nat -A PREROUTING -i $EXTIF -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 60/minute -j thp-redir # 1.3 # And the redirect. 
# # First we log the redirect $IPTCMD -t nat -A thp-redir -j LOG --log-prefix "HPOT_DATA: " $LOGOPT # If you have other dedicated listeners, this will keep those from being # redirected to the generic listener. # for hport_u in `echo -n $HPOT_UDP_SVCS|sed -e 's/,/ /g'` do $IPTCMD -t nat -A thp-redir -i $EXTIF -p udp --dport $hport_u -j REDIRECT --to-port $(($hport_u + 40000)) done for hport_t in `echo -n $HPOT_TCP_SVCS|sed -e 's/,/ /g'` do $IPTCMD -t nat -A thp-redir -i $EXTIF -p tcp --dport $hport_t -j REDIRECT --to-port $(($hport_t + 40000)) done $IPTCMD -t nat -A thp-redir -p tcp -j REDIRECT --to-ports $REDIRPORT # Section 2.0 INPUT # 2.1 # $IPTCMD -A INPUT -i lo -j ACCEPT $IPTCMD -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # 2.2 # ALlow traffic according to INTIF and INTNET. if [[ $INTIF && $INTNET ]]; then $IPTCMD -A INPUT -i $INTIF -s $INTNET -m state --state NEW -j ACCEPT elif [[ $INTIF ]]; then $IPTCMD -A INPUT -i $INTIF -m state --state NEW -j ACCEPT fi # 2.3 # Allow traffic according to either GOODNET and/or GOOD_SVCS. # if [[ $GOODNET && $GOOD_SVCS ]]; then $IPTCMD -A INPUT -i $EXTIF -p tcp --tcp-flags FIN,SYN,RST,ACK SYN \ -m multiport --dports $GOOD_SVCS -s $GOODNET -m state --state NEW -j ACCEPT elif [[ $GOODNET ]]; then $IPTCMD -A INPUT -i $EXTIF -p tcp --tcp-flags FIN,SYN,RST,ACK SYN\ -s $GOODNET -m state --state NEW -j ACCEPT elif [[ $GOOD_SVCS ]]; then $IPTCMD -A INPUT -i $EXTIF -p tcp --tcp-flags FIN,SYN,RST,ACK SYN\ -m multiport --dports $GOOD_SVCS -m state --state NEW -j ACCEPT fi # 2.4 $IPTCMD -A INPUT -i $EXTIF -j evilin $IPTCMD -A INPUT -j postinput # Section 3.0 - OUTPUT # 3.1 $IPTCMD -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT # 3.2 - 3.3 # We definitely want to respond to probes that stimulate UDP or ICMP responses. 
# $IPTCMD -A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT $IPTCMD -A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT # Section 4 - evilin # 4.1 - 4.2: # We shouldn't accept fragged ICMP or UDP, especially if we are running # portmapper. You can get alot more restrictive here if you want. # $IPTCMD -A evilin -p udp -f -m limit -j LOG --log-prefix FRAG_UDP: $LOGOPT $IPTCMD -A evilin -p icmp -f -m limit -j LOG --log-prefix FRAG_ICMP: $LOGOPT $IPTCMD -A evilin -p udp -f -j DROP $IPTCMD -A evilin -p icmp -f -j DROP # 4.3 # Existing connections are allowed to continue # $IPTCMD -A evilin -m state --state RELATED,ESTABLISHED -j ACCEPT # 4.4 # Allow traffic that we have already REDIREDTed to HPOT_xxx_SVCS # if [[ $HPOT_UDP_SVCS ]]; then for hport_u in `echo -n $HPOT_UDP_SVCS|sed -e 's/,/ /g'` do $IPTCMD -A evilin -p udp --dport $(($hport_u + 40000)) -j ACCEPT done fi if [[ $HPOT_TCP_SVCS ]]; then for hport_t in `echo -n $HPOT_TCP_SVCS|sed -e 's/,/ /g'` do $IPTCMD -A evilin -p tcp --dport $(($hport_t + 40000)) -j ACCEPT done fi # 4.5 # Allow traffic that we have already REDIRECTed to $REDIRPORT (the catchall) # $IPTCMD -A evilin -p tcp -m tcp --dport $REDIRPORT -j ACCEPT # 4.6 # Is portmap allowed? # if [[ $PORTMAP = "yes" ]]; then $IPTCMD -A evilin -p tcp --dport 111 -j ACCEPT ; fi if [[ $PORTMAP = "yes" ]]; then $IPTCMD -A evilin -p udp --dport 111 -j ACCEPT ; fi # 4.7 # Accept traffic to the static PASV port if [[ $HPOT_PASV ]]; then $IPTCMD -A evilin -p tcp --dport $HPOT_PASV -j ACCEPT ; fi # Section 6 - postinput # Actions to take whenever something falls completely off of the INPUT chain. # # 6.1 - 6.2 # Remember the log limiting above? Here we deal with lingering crap from old # connections, while still logging enough to see things like RST and FIN scans. 
# $IPTCMD -A postinput -p tcp -m tcp --tcp-flags FIN,SYN,RST RST -m limit --limit 8/hour -j LOG --log-prefix "BADTHINGS_IN-limit:" $LOGOPT $IPTCMD -A postinput -p tcp -m tcp --tcp-flags FIN,SYN,ACK FIN,ACK -m limit --limit 8/hour -j LOG --log-prefix "BADTHINGS_IN-limit:" $LOGOPT # 6.3 - 6.4 # Everything remaining gets dealt with here. This includes non-fragmented UDP # and ICMP attack traffic. # $IPTCMD -A postinput -j LOG --log-prefix "BADTHINGS_IN:" $LOGOPT $IPTCMD -A postinput -j DROP thp-0.4.6/lib/0040755000076400007640000000000007663602323012403 5ustar gbakosgbakosthp-0.4.6/lib/index.html0100644000076400007640000000410207647066275014406 0ustar gbakosgbakos Index of /files/thp/devel/lib
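The kernel log lines these LOG rules emit can be read back per source: HPOT_DATA lines show who was redirected and which ports they asked for, BADTHINGS_IN lines show RST/FIN residue or scans, and FRAG lines show dropped fragments. The reader below is an added example and not part of thp; it assumes stock syslog "kernel:" lines and runs on constructed sample lines using RFC 5737 addresses.

```python
import re
from collections import defaultdict

# Prefixes set by the LOG rules above (1.3, 4.1-4.2, 6.1-6.4). netfilter prints the
# prefix directly before "IN=", so a prefix with no trailing space runs into it.
PREFIXES = ("HPOT_DATA:", "BADTHINGS_IN-limit:", "BADTHINGS_IN:", "FRAG_UDP:", "FRAG_ICMP:")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
LINE_RE = re.compile(r"kernel: (?P<prefix>%s)\s*(?P<rest>IN=.*)$"
                     % "|".join(re.escape(p) for p in PREFIXES))


def parse_line(line):
    """One syslog line -> dict of KEY=VALUE fields plus the set of TCP flags, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    return rec


def summarize(lines, scan_ports=5):
    """Per-source tallies. DPT in HPOT_DATA lines is the port the client asked for: the
    LOG rule sits in thp-redir ahead of REDIRECT. Counts are lower bounds because of
    the 60/minute and 8/hour limits on the logging rules."""
    per_src = defaultdict(lambda: {"redirects": 0, "ports": set(), "stealth": 0, "frags": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_src[rec.get("SRC", "?")]
        if rec["prefix"] == "HPOT_DATA:":
            s["redirects"] += 1
            if "DPT" in rec:
                s["ports"].add(int(rec["DPT"]))
        elif rec["prefix"].startswith("BADTHINGS_IN"):
            # 6.1/6.2 pass RST-only and FIN/ACK segments: stale sessions or FIN/RST scans.
            if rec["flags"] & {"RST", "FIN"} and "SYN" not in rec["flags"]:
                s["stealth"] += 1
        elif rec["prefix"].startswith("FRAG_"):
            s["frags"] += 1
    return {src: {"redirects": s["redirects"], "ports": sorted(s["ports"]),
                  "vertical_scan": len(s["ports"]) >= scan_ports,
                  "stealth": s["stealth"], "frags": s["frags"]}
            for src, s in per_src.items()}


def _kmsg(prefix, src, proto, dpt, tail):
    # Constructed syslog line in the netfilter LOG layout; RFC 5737 addresses, not a capture.
    return ("Jun  1 03:14:07 hpot kernel: %sIN=eth0 OUT= "
            "MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=%s DST=192.0.2.10 "
            "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31337 DF PROTO=%s SPT=40123 DPT=%d %s"
            % (prefix, src, proto, dpt, tail))


SAMPLE_LOG = (
    # one host walking six service ports: each SYN is logged, then redirected
    [_kmsg("HPOT_DATA: ", "198.51.100.7", "TCP", p, "WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B4)")
     for p in (21, 23, 25, 80, 110, 143)]
    + [_kmsg("HPOT_DATA: ", "203.0.113.5", "TCP", 25, "WINDOW=16384 RES=0x00 SYN URGP=0"),
       # a FIN/ACK with no matching state fell through to postinput (6.2)
       _kmsg("BADTHINGS_IN-limit:", "203.0.113.5", "TCP", 6635, "WINDOW=0 RES=0x00 ACK FIN URGP=0"),
       # a UDP fragment dropped in evilin (4.1)
       "Jun  1 03:14:09 hpot kernel: FRAG_UDP:IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 "
       "SRC=203.0.113.5 DST=192.0.2.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=9 MF PROTO=UDP "
       "SPT=1024 DPT=111 LEN=1480",
       # unrelated syslog noise, ignored
       "Jun  1 03:14:10 hpot sshd[412]: Accepted publickey for admin from 192.168.1.5 port 51000 ssh2"]
)

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LOG).items()):
        print(src, info)
```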

thp-0.4.6/lib/Apache/200

Test Page for Apache Installation on Web Site

It Worked! The Apache Web Server is Installed on this Web Site!

If you can see this page, then the people who own this domain have just installed the Apache Web server software successfully. They now have to add content to this directory and replace this placeholder page, or else point the server at their real content.

If you are seeing this page instead of the site you expected, please contact the administrator of the site involved. (Try sending mail to <Webmaster@domain>.) Although this site is running the Apache software it almost certainly has no other connection to the Apache Group, so please do not send mail about this site or its contents to the Apache authors. If you do, your message will be ignored.

The Apache documentation has been included with this distribution.

The Webmaster of this site is free to use the image below on an Apache-powered Web server. Thanks for using Apache!
thp-0.4.6/lib/Microsoft-IIS/200

Under Construction

The site you were trying to reach does not currently have a default page. It may be in the process of being upgraded.

Please try this site again later. If you still experience the problem, try contacting the Web site administrator.
thp-0.4.6/lib/catchall.pl

sub catchall {
    # Sanitize the environment before running the external greeting binary.
    $ENV{'PATH'} = '/bin:/usr/bin';
    delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
    open(GREETING, "$greetbin|");
    while (<GREETING>) {
        print STDERR $_;
    }
    close(GREETING);
    print STDERR "$prompt";
    # Log every line the client sends; the session ends on exit/logout/quit.
    while (<STDIN>) {
        open(LOG, ">>$sesslog");
        print STDERR "$prompt";
        print LOG $_;
        close(LOG);
        if (/exit|logout|quit/) {
            return;
        }
    }
}

thp-0.4.6/lib/ftpd.orig

sub ftp {
    srand(time);
    my $ftpuser = "anon";
    my $type = "I";
    my @addroct = split /\./, $thpaddr;
    #my @portoct = ((($shorttime % 124) + 4),($shorttime % 255));
    unless (defined $pasvport) {
        # Random unprivileged port that still fits in 16 bits.
        $pasvport = int(rand 64510) + 1025;
    }
    # PASV advertises the port as two octets: high byte, low byte.
    my @pasvoct = ($pasvport >> 8, $pasvport & 0xff);
    my $file = "file";
    %ftphash = (
        user => "331 Password required for $ftpuser\x0d\x0a",
        pass => "230 User $ftpuser logged in.\x0d\x0a",
        already => "530 Already logged in.\x0d\x0a",
        nologin => "530 Please login with USER and PASS.\x0d\x0a",
        start => "220 $hostname.$domain $ftpver ready.\x0d\x0a",
        syst => "215 UNIX Type: L8\x0d\x0a",
        pwd => "257 \"/\" is current directory.\x0d\x0a",
        type => "200 Type set to $type.\x0d\x0a",
        mkd => "257 New directory created.\x0d\x0a",
        stor => "150 Opening BINARY mode data connection.\x0d\x0a",
        cwd => "250 CWD command successful.\x0d\x0a",
        cdup => "257 \"/\" is current directory.\x0d\x0a",
        port => "500 Passive mode only.\x0d\x0a",
        compl => "226 Transfer complete.\x0d\x0a",
        rnfr => "350 File exists, ready for destination name.\x0d\x0a",
        rnto => "250 RNTO command successful.\x0d\x0a",
        retr => qq (150 Opening ASCII mode data connection for \'$file\'.\x0d\x0a),
        list => qq (150 Opening ASCII mode data connection for 'file list'.\x0d\x0a),
        pasv => qq (227 Entering Passive Mode \($addroct[0],$addroct[1],$addroct[2],$addroct[3],$pasvoct[0],$pasvoct[1]\)\x0d\x0a),
        help => qq (214-The following commands are recognized.
   USER    PORT    STOR    RNTO    NLST    MKD     CDUP
   PASS    PASV    APPE    ABOR    SITE    XMKD    XCUP
   TYPE    DELE    SYST    RMD     STOU    STRU    ALLO
   CWD     STAT    XRMD    SIZE    MODE    REST    XCWD
   HELP    PWD     MDTM    QUIT    RETR    RNFR    LIST
   NOOP    XPWD
214 Direct comments to root\@localhost.\x0d\x0a),
        "site help" => qq (214-The following SITE commands are recognized.
   UMASK   CHMOD   GROUP   NEWER   INDEX   ALIAS   GROUPS
   IDLE    HELP    GPASS   MINFO   EXEC    CDPATH
214 Direct comments to root\@localhost.\x0d\x0a),
        quit => qq (221-You have transferred 0 bytes in 0 files.
221-Total traffic for this session was 2164 bytes in 0 transfers.
221 Thank you for using the FTP service on $hostname.$domain.\x0d\x0a)
    );
    $login = 0;
    print STDERR $ftphash{start};
    while (my $commands = <STDIN>) {
        open(LOG, ">>$sesslog");
        print LOG $commands;
        chomp $commands;
        $commands =~ s/\r//;
        @commands = split /\s+/, ($commands);
        if ($commands[0] =~ /user/i && $commands[1] =~ /[[:alnum:]]+/) {
            if ($login == 1) {
                print STDERR $ftphash{already};
            } else {
                $ftpuser = $commands[1];
                $ftphash{user} =~ s/anon/$ftpuser/;
                $ftphash{pass} =~ s/anon/$ftpuser/;
                print STDERR $ftphash{user};
            }
        } elsif ($commands[0] =~ /pass/i && $commands[1] =~ /[[:print:]]+/) {
            if ($login == 1) {
                print STDERR $ftphash{already};
            } else {
                if ($ftpuser) {
                    $login = 1;
                    print STDERR $ftphash{pass};
                }
            }
        } elsif ($commands[0] =~ /list|retr|stor/i) {
            if ($login == 1) {
                $commands[0] =~ tr/A-Z/a-z/;
                print STDERR $ftphash{$commands[0]};
                sleep 1;
                print STDERR $ftphash{compl};
            } else {
                print STDERR $ftphash{nologin};
            }
        } elsif ($commands[0] =~ /help|pasv|port|pwd|syst|rnfr|rnto|mkd|cwd|cdup|type/i) {
            if ($login == 1) {
                $commands[0] =~ tr/A-Z/a-z/;
                print STDERR $ftphash{$commands[0]};
            } else {
                print STDERR $ftphash{nologin};
            }
        } elsif ("$commands" =~ /\bsite help\b/i) {
            if ($login == 1) {
                $commands =~ tr/A-Z/a-z/;
                print STDERR $ftphash{"$commands"};
            } else {
                print STDERR $ftphash{nologin};
            }
        } elsif ($commands[0] =~ /exit\b|quit\b/i) {
            print STDERR $ftphash{quit};
            return;
        } else {
            if ($login == 1) {
                print STDERR "500 @commands: command not understood.\x0d\x0a";
            } else {
                print STDERR $ftphash{nologin};
            }
        }
        close LOG;
    }
}

thp-0.4.6/lib/ftpd.pl

sub ftp {
    srand(time);
    my $ftpuser = "anon";
    my $type = "I";
    my @addroct = split /\./, $thpaddr;
    #my @portoct = ((($shorttime % 124) + 4),($shorttime % 255));
    unless (defined $pasvport) {
        # Random unprivileged port that still fits in 16 bits.
        $pasvport = int(rand 64510) + 1025;
    }
    # PASV advertises the port as two octets: high byte, low byte.
    my @pasvoct = ($pasvport >> 8, $pasvport & 0xff);
    my $file = "file";
    %ftphash = (
        user => "331 Password required for $ftpuser\x0d\x0a",
        pass => "230 User $ftpuser logged in.\x0d\x0a",
        already => "530 Already logged in.\x0d\x0a",
        nologin => "530 Please login with USER and PASS.\x0d\x0a",
        start => "220 $hostname.$domain $ftpver ready.\x0d\x0a",
        syst => "215 UNIX Type: L8\x0d\x0a",
        pwd => "257 \"/\" is current directory.\x0d\x0a",
        type => "200 Type set to $type.\x0d\x0a",
        mkd => "257 New directory created.\x0d\x0a",
        stor => "150 Opening BINARY mode data connection.\x0d\x0a",
        cwd => "250 CWD command successful.\x0d\x0a",
        cdup => "257 \"/\" is current directory.\x0d\x0a",
        port => "500 Passive mode only.\x0d\x0a",
        port502 => "502 Illegal PORT Command\x0d\x0a",
        port200 => "200 PORT command successful.\x0d\x0a",
        actv425 => "425 Can't build data connection: Connection refused.\x0d\x0a",
        compl => "226 Transfer complete.\x0d\x0a",
        rnfr => "350 File exists, ready for destination name.\x0d\x0a",
        rnto => "250 RNTO command successful.\x0d\x0a",
        retr => qq (150 Opening ASCII mode data connection for \'$file\'.\x0d\x0a),
        list => qq (150 Opening ASCII mode data connection for 'file list'.\x0d\x0a),
        pasv => qq (227 Entering Passive Mode \($addroct[0],$addroct[1],$addroct[2],$addroct[3],$pasvoct[0],$pasvoct[1]\)\x0d\x0a),
        help => qq (214-The following commands are recognized.
   USER    PORT    STOR    RNTO    NLST    MKD     CDUP
   PASS    PASV    APPE    ABOR    SITE    XMKD    XCUP
   TYPE    DELE    SYST    RMD     STOU    STRU    ALLO
   CWD     STAT    XRMD    SIZE    MODE    REST    XCWD
   HELP    PWD     MDTM    QUIT    RETR    RNFR    LIST
   NOOP    XPWD
214 Direct comments to root\@localhost.\x0d\x0a),
        "site help" => qq (214-The following SITE commands are recognized.
   UMASK   CHMOD   GROUP   NEWER   INDEX   ALIAS   GROUPS
   IDLE    HELP    GPASS   MINFO   EXEC    CDPATH
214 Direct comments to root\@localhost.\x0d\x0a),
        quit => qq (221-You have transferred 0 bytes in 0 files.
221-Total traffic for this session was 2164 bytes in 0 transfers.
221 Thank you for using the FTP service on $hostname.$domain.\x0d\x0a)
    );
    $login = 0;
    print STDERR $ftphash{start};
    while (my $commands = <STDIN>) {
        open(LOG, ">>$sesslog");
        select LOG; $|=1;
        print LOG $commands;
        chomp $commands;
        $commands =~ s/\r//;
        @commands = split /\s+/, ($commands);
        if ($commands[0] =~ /user/i && $commands[1] =~ /[[:alnum:]]+/) {
            if ($login == 1) {
                print STDERR $ftphash{already};
            } else {
                $ftpuser = $commands[1];
                $ftphash{user} =~ s/anon/$ftpuser/;
                $ftphash{pass} =~ s/anon/$ftpuser/;
                print STDERR $ftphash{user};
            }
        } elsif ($commands[0] =~ /pass/i && $commands[1] =~ /[[:print:]]+/) {
            if ($login == 1) {
                print STDERR $ftphash{already};
            } else {
                if ($ftpuser) {
                    $login = 1;
                    print STDERR $ftphash{pass};
                }
            }
        } elsif ($commands[0] =~ /list|retr|stor/i) {
            if ($login == 1) {
                $commands[0] =~ tr/A-Z/a-z/;
                if (defined ($actvport)) {
                    # Active mode was armed by an accepted PORT: use the real data connection.
                    $retval = active($commands[0], $commands[1]);
                    print STDERR $ftphash{$retval};
                } else {
                    print STDERR $ftphash{$commands[0]};
                    sleep 1;
                    print STDERR $ftphash{compl};
                }
            } else {
                print STDERR $ftphash{nologin};
            }
        } elsif ($commands[0] =~ /help|pasv|pwd|syst|rnfr|rnto|mkd|cwd|cdup|type/i) {
            if ($login == 1) {
                $commands[0] =~ tr/A-Z/a-z/;
                print STDERR $ftphash{$commands[0]};
            } else {
                print STDERR $ftphash{nologin};
            }
        } elsif ($commands[0] =~ /port/i) {
            if ($login == 1) {
                if ($commands[1] =~ /(\d){1,3},(\d){1,3},(\d){1,3},(\d){1,3},(\d){1,3},(\d){1,3}/) {
                    $success = ftpport($commands[1]);
                } else {
                    # Malformed PORT argument: answer as for a rejected PORT.
                    $success = "port502";
                }
                print STDERR
$ftphash{$success};
                # Arm the active-mode data path only when PORT was accepted, i.e.
                # it pointed back at the client itself (see ftpport()).
                $actvport = 1 if ($success eq "port200");
            } else {
                print STDERR $ftphash{nologin};
            }
        } elsif ("$commands" =~ /\bsite help\b/i) {
            if ($login == 1) {
                $commands =~ tr/A-Z/a-z/;
                print STDERR $ftphash{"$commands"};
            } else {
                print STDERR $ftphash{nologin};
            }
        } elsif ($commands[0] =~ /exit\b|quit\b/i) {
            print STDERR $ftphash{quit};
            return;
        } else {
            if ($login == 1) {
                print STDERR "500 @commands: command not understood.\x0d\x0a";
            } else {
                print STDERR $ftphash{nologin};
            }
        }
        close LOG;
    }
}

thp-0.4.6/lib/ftpport.pl

sub ftpport {
    use IO::Socket;
    my $portspec = shift;
    my @portspec = split (/\,/, $portspec);
    my $host = "$portspec[0].$portspec[1].$portspec[2].$portspec[3]";
    my $port = (($portspec[4] << 8) + $portspec[5]);
    # Anti-bounce check: the data connection may only go back to the address
    # the control connection came from ($saddr). Only an accepted PORT is
    # remembered for active().
    if (inet_aton($host) ne inet_aton($saddr)) {
        return "port502";
    } else {
        ($rhost, $rport) = ($host, $port);
        return "port200";
    }
}

sub active {
    use IO::Socket;
    my $actvcmd = shift;
    my $arg = shift;
    # Built after $arg is known so the requested filename interpolates.
    %actvhash = (
        dir150 => "150 Opening ASCII mode data connection for directory listing.\x0d\x0a",
        retr150 => "150 Opening BINARY mode data connection for $arg.\x0d\x0a",
        stor150 => "150 Opening BINARY mode data connection for $arg.\x0d\x0a"
    );
    my $sock = IO::Socket::INET->new(PeerAddr => "$rhost", PeerPort => "$rport", Proto => "tcp")
        or return "actv425";
    if ($actvcmd =~ /stor/i) {
        print STDERR $actvhash{stor150};
    } elsif ($actvcmd =~ /retr/i) {
        print STDERR $actvhash{retr150};
    }
    my ($upload, $booty);
    return unless (defined ($upload = fork()));
    if ($upload) {
        # Parent: everything arriving on the data connection goes into the session log.
        while ($booty = <$sock>) {
            print LOG $booty;
            LOG->autoflush(1);
        }
        kill ('TERM', $upload);
    } else {
        # Child: relay further client input to the data connection, then exit
        # so it never re-enters the command loop.
        while (<STDIN>) {
            print $sock $_;
        }
        exit 0;
    }
    close $sock;
    return "compl";
}

thp-0.4.6/lib/http.pl

# /usr/local/thp/lib/http.pl version 0.4.4
#
# httpd emulation functions for thp - Tiny Honeypot
#
# Copyright George Bakos - alpinista@bigfoot.com
# Aug 02, 2002
# This is free software, released under the terms of the GNU General
# Public License available at http://www.fsf.org/licenses/gpl.txt
#
use POSIX qw(strftime);

sub http {
    while (my $commands = <STDIN>) {
        open(LOG, ">>$sesslog");
        select LOG; $|=1;
        print LOG $commands;
        $lcount++;
        $commands =~ s/\r//;
        # Symbolic reference: request line N is split into @lineN (so the
        # request line itself ends up in @line1).
        my $commline = "line$lcount";
        @$commline = split /\s+/, ($commands);

        # Should we change labels? If selected in thp.conf, and the intruder is
        # looking for common Microsoft-IIS resources, this will change the httpd
        # vendor & version to accommodate them.
        if ($line1[1] =~ /(pagerror.gif|\.asp|\.exe|\.htr|\.htx|\.htw|\.com\.dll|\.ida)[$\?%+]?/
            && $chameleon eq "yes") {
            ($httpdvend, $httpdver) = ("Microsoft-IIS", "$chamelver");
        }
        $respdir = "$thpdir/lib/$httpdvend";

        # Has the intruder specified an HTTP version in their request? If not,
        # the session closes with an error - see err400()
        $method = $line1[0];
        $resname = $line1[1];
        # Strip everything up to the last slash, so only a bare filename inside
        # $respdir can ever be opened.
        $resname =~ s/^.*\///;
        $protover = "$line1[2]" if ($line1[2] =~ /HTTP\/1.[01]$/);

        # The blank line ends the request headers; now we can answer.
        if ($commands =~ /^$/m) {
            # Check for an acceptable http method. If fatfingered or otherwise unknown,
            # bomb out with an error 501. Not all daemons return 501s, some just spew
            # error 400s for just about everything broken. I still need to ID where
            # this is appropriate.
            if ($method !~ /GET|POST|HEAD/ ) {
                http_hdr("501","Bad Method","text/html");
                err501();
                exit 0;
            # Is the URL too long? Feel free to monkey with this, or ditch it. This
            # tests the entire URI, not just resource filename.
            } elsif ( length($line1[1]) > 255 ) {
                http_hdr("414","Request-URI Too Large","text/html");
                err414();
                exit 0;
            # Match on resource name. We allow "/" and "index.htm" and "index.html". All
            # of these will return the content in lib/$httpdvend/200. The return headers
            # are built in http_hdr(), and content is pulled from the file. If your html
            # document contains <img> tags, those image files should be placed in the same
            # directory. We can't match on $resname here, since we stripped off all
            # slashes, and would break default webpage requests. Thus it's back to
            # $line1[1].
            } elsif ( $line1[1] =~ m/^(\/$|\/index.htm[l]?)$/ && $protover) {
                $respfile = "$respdir/200";
                http_hdr("200","OK","text/html");
                open (RESP, "$respfile");
                while (<RESP>) {
                    chomp;
                    print STDERR ($_, "\x0d\x0a");
                }
                close RESP;
                print STDERR ($_, "\x0d\x0a");
                exit 0;
            # If the vendor is IIS and the request contains common default resource
            # names, this returns the same lib/$httpdvend/200
            } elsif ( $resname =~ /(default|iisstart|localstart)/ && $protover && $httpdvend eq "Microsoft-IIS") {
                $respfile = "$respdir/200";
                http_hdr("200","OK","text/html");
                open (RESP, "$respfile");
                while (<RESP>) {
                    chomp;
                    print STDERR ($_, "\x0d\x0a");
                }
                close RESP;
                print STDERR ($_, "\x0d\x0a");
                exit 0;
            # Here is the text catchall, setting a mimetype of text/html.
            } elsif ( -T "$respdir/$resname" && $protover) {
                $respfile = "$respdir/$resname";
                http_hdr("200","OK","text/html");
                open (RESP, "$respfile");
                while (<RESP>) {
                    print STDERR $_;
                }
                close RESP;
                print STDERR "\x0d\x0a\x0d\x0a";
                exit 0;
            # If the request is for an image, strip off the path and pull it out of
            # the same lib/$httpdvend directory, modifying the mime type accordingly.
            } elsif ( $resname =~ /(gif|jpg|png)$/ && ($imgtype = "$+") && -f "$respdir/$resname" && $protover) {
                $respfile = "$respdir/$resname";
                http_hdr("200","OK","image/$imgtype");
                open (RESP, "$respfile");
                while (<RESP>) {
                    print STDERR $_;
                }
                close RESP;
                print STDERR "\x0d\x0a\x0d\x0a";
                exit 0;
            } else {
                http_hdr("400","Bad Request","text/html");
                err400();
            }
            exit 0;
        }
        close LOG;
    }
}

sub http_hdr {
    $fsize = -s $respfile;
    $now = strftime("%a, %B %d %Y %T GMT", gmtime(time));
    print STDERR qq ($protover $_[0] $_[1]\x0d
Server: $httpdvend/$httpdver\x0d
Date: $now\x0d
Content-Length: $fsize\x0d
Connection: close\x0d
Content-Type: $_[2]\x0d\x0a);
    if ( $_[2] =~ /image/ ) {
        print STDERR "Accept-Ranges: bytes\x0d\x0a";
    }
    if ( $httpdvend =~ /Microsoft/ ) {
        print STDERR "Set-Cookie: ASPSESSIONIDQQGGGHOO=GAFBCHFDEANKGFKPIPKENMAP; path=/\x0d\x0a";
        print STDERR "Cache-control: private\x0d\x0a";
    }
    print STDERR "\x0d\x0a";
}

sub err400 {
    my $msg = qq (
400 Bad Request

Bad Request

Your browser sent a request that this server could not understand.

Invalid URI in request "@line1"


$httpdvend/$httpdver Server at $thpaddr Port 80
\x0d\x0a\x0d\x0a);
    print STDERR "$msg";
}

sub err414 {
    my $msg = qq (
414 Request-URI Too Large

Request-URI Too Large

The requested URL's length exceeds the capacity limit for this server.

request failed: URI too long


$httpdvend/$httpdver Server at $thpaddr Port 80
\x0d\x0a\x0d\x0a);
    print STDERR "$msg";
}

sub err501 {
    my $msg = qq (
501 Invalid Method

Invalid Method

The requested method is not available on this server.

request failed: Invalid or unrecognized method in "@line1"


$httpdvend/$httpdver Server at $thpaddr Port 80
\x0d\x0a\x0d\x0a);
    print STDERR "$msg";
}

thp-0.4.6/lib/nullresp.pl

sub nullresp {
    # Silent listener: log everything, answer nothing.
    while (<STDIN>) {
        open(LOG, ">>$sesslog");
        select LOG; $|=1;
        print LOG $_;
        close LOG;
    }
}

thp-0.4.6/lib/shell.pl

sub shell {
    $thpath = "$homedir";
    if ($thpath =~ m/^.*\/([^\/]+)/) {
        $pathsuffix = $1;
    }
    if ($hostname =~ m/^([^\.]+)\./) {
        $shortname = $1;
    }
    $prompt = "[root\@${shortname} ${pathsuffix}]# ";
    open(GREETING, "$greetbin|");
    while (<GREETING>) {
        print STDERR $_;
    }
    close(GREETING);
    print STDERR "$prompt";
    while (my $commandline = <STDIN>) {
        open(LOG, ">>$sesslog");
        select LOG; $|=1;
        print LOG $commandline;
        chomp $commandline;
        # Semicolon separated command lists are handled one command at a time.
        # Nothing the client types is ever executed; replies come from %shellhash.
        @commandline = (split ";", $commandline);
        while (@commandline) {
            $commands = shift (@commandline);
            @command = split /\s+/, ($commands);
            shift @command if ($command[0] =~ /^(\s|$)/);
            if ($command[0] =~ /\buname\b/) {
                if ($command[1] =~ /-[amsv]\b/) {
                    print STDERR $shellhash{$command[0]}{$command[1]}, "\n";
                } else {
                    print STDERR $shellhash{$command[0]}{-s}, "\n";
                }
            } elsif ($command[0] =~ /\bcd\b/) {
                changedir("$command[1]");
            } elsif ($command[0] =~ /\bpwd\b/) {
                print STDERR "$thpath\n";
            } elsif ($command[0] =~ /\b(whoami|w|id|wget)\b/) {
                print STDERR "$shellhash{$command[0]}\n";
            } elsif ($command[0] =~ /\b(exit|logout)\b/) {
                close(LOG);
                return;
            }
        }
        print STDERR "$prompt";
    }
}

sub changedir {
    # Maintain the fake working directory as an array of path elements.
    $elements = $_[0] or $elements = "$homedir";
    if ($elements =~ /^\/.*/) {
        $elements =~ s/\///;
        @thpath = ();
    } else {
        @thpath = (split /\//, $thpath);
    }
    @elements = (split /\//, $elements);
    foreach $element (@elements) {
        if ($element eq "..") {
            pop @thpath;
        } else {
            push @thpath, $element;
        }
    }
    $thpath = "/" .
(join "/", @thpath);
    $thpath =~ s/^\/\//\//;
    $pathsuffix = pop @thpath;
    push @thpath, $pathsuffix;
    $pathsuffix = "/" unless $pathsuffix;
    $prompt = "[root\@$shortname $pathsuffix]# ";
}

sub hostname {
}

%shellhash = (
    uname => {
        -a => "Linux localhost 2.2.17 #4 Mon Apr 7 09:04:33 EDT 2001 i686 unknown unknown GNU/Linux",
        -m => "i686",
        -s => "Linux",
        -v => "#4 Mon Apr 7 09:04:33 EDT 2001",
    },
    whoami => "root",
    w => "3:32am up 7:45, 10 users, load average: 0.04, 0.05, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT",
    id => "uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)",
    wget => "wget: missing URL
Usage: wget [OPTION]... [URL]...

Try `wget --help' for more options.",
);

thp-0.4.6/lib/smtp.pl

use POSIX qw(strftime);

sub smtp {
    $now = strftime("%a, %B %d %Y %T GMT", gmtime(time));
    # Load the state table: one rule per non-blank, non-comment line, seven
    # TAB-separated fields (see smtptab for the format).
    open (HTAB, "$thpdir/lib/smtptab");
    my @keys = qw( state Command regex newstate continue response assignment );
    $cnt = 0;
    while (<HTAB>) {
        unless ( /^$|^#/ ) {
            chomp;
            my $key;
            $cnt++;
            $strcnt = sprintf (qq(%0.2d), $cnt);
            @_ = split(/\t/, $_, 7);
            foreach $key (@keys) {
                $rules{"$strcnt$key"} = shift @_;
            }
        }
    }
    # Debug dump of the parsed rules; note it goes to STDOUT, not the session log.
    foreach $k (sort keys %rules) {
        print "$k => $rules{$k}\n";
    }
    close HTAB;
    %smtp = (
        start => "220 $hostname.$domain ESMTP Sendmail 8.11.2/8.11.2; $now\x0d\x0a",
        helo => "250 $hostname.$domain Hello $dom [$saddr], pleased to meet you\x0d\x0a",
        err501 => "501 5.0.0 Invalid domain name\x0d\x0a",
        ehlo => qq (250 $hostname.$domain Hello $dom [$saddr], pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SIZE
250-DSN
250-ONEX
250-ETRN
250-XUSR
250-AUTH GSSAPI
250 HELP
),
        err503 => "503 5.0.0 $hostname.$domain Duplicate HELO/EHLO\x0d\x0a",
        mail => "250 2.1.0 $rpath... Sender ok\x0d\x0a",
        already => "503 5.5.0 Sender already specified\x0d\x0a",
        bogs => "500 5.5.1 Command unrecognized: \"$cmd\"\x0d\x0a",
        err553 => "553 5.1.0 ... prescan: token too long\x0d\x0a",
        norp => "503 5.0.0 Need MAIL command\x0d\x0a",
        nofp => "503 5.0.0 Need RCPT (recipient)\x0d\x0a",
        lrcpt => "250 2.1.5 $lrcpt... Recipient ok\x0d\x0a",
        rrcpt => "250 2.1.5 $rrcpt... Recipient ok (will queue)\x0d\x0a",
        data => "354 Enter mail, end with \".\" on a line by itself\x0d\x0a",
        eof => "250 2.0.0 $qid Message accepted for delivery\x0d\x0a",
        help => qq (214-2.0.0 This is sendmail version 8.11.2
214-2.0.0 Topics:
214-2.0.0       HELO    EHLO    MAIL    RCPT    DATA
214-2.0.0       RSET    NOOP    QUIT    HELP    VRFY
214-2.0.0       EXPN    VERB    ETRN    DSN     AUTH
214-2.0.0       STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation send email to
214-2.0.0       sendmail-bugs\@sendmail.org.
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info\x0d\x0a),
        ehlohlp => qq (214-2.0.0 EHLO <hostname>
214-2.0.0       Introduce yourself, and request extended SMTP mode.
214-2.0.0       Possible replies include:
214-2.0.0               SEND            Send as mail                    [RFC821]
214-2.0.0               SOML            Send as mail or terminal        [RFC821]
214-2.0.0               SAML            Send as mail and terminal       [RFC821]
214-2.0.0               EXPN            Expand the mailing list         [RFC821]
214-2.0.0               HELP            Supply helpful information      [RFC821]
214-2.0.0               TURN            Turn the operation around       [RFC821]
214-2.0.0               8BITMIME        Use 8-bit data                  [RFC1652]
214-2.0.0               SIZE            Message size declaration        [RFC1870]
214-2.0.0               VERB            Verbose                         [Allman]
214-2.0.0               ONEX            One message transaction only    [Allman]
214-2.0.0               CHUNKING        Chunking                        [RFC1830]
214-2.0.0               BINARYMIME      Binary MIME                     [RFC1830]
214-2.0.0               PIPELINING      Command Pipelining              [RFC1854]
214-2.0.0               DSN             Delivery Status Notification    [RFC1891]
214-2.0.0               ETRN            Remote Message Queue Starting   [RFC1985]
214-2.0.0               STARTTLS        Secure SMTP                     [RFC2487]
214-2.0.0               AUTH            Authentication                  [RFC2554]
214-2.0.0               XUSR            Initial (user) submission       [Allman]
214-2.0.0               ENHANCEDSTATUSCODES Enhanced status codes       [RFC2034]
214 2.0.0 End of HELP info\x0d\x0a),
        quit => qq (221 2.0.0 $hostname.$domain closing connection\x0d\x0a)
    );
    $login = 0;
    print STDERR $smtp{start};
    # Command loop: still the ftp responder's loop (it answers out of %ftphash),
    # pending the smtptab-driven state machine the table above is loaded for.
    while (my $commands = <STDIN>) {
        open(LOG, ">>$sesslog");
        print LOG $commands;
        select LOG; $|=1;
        chomp $commands;
        $commands =~ s/\r//;
        @commands = split /\s+/, ($commands);
        if ($commands[0] =~ /user/i && $commands[1] =~ /[[:alnum:]]+/) {
            if ($login == 1) {
                print STDERR $ftphash{already};
            } else {
                $ftpuser = $commands[1];
                $ftphash{user} =~ s/anon/$ftpuser/;
                $ftphash{pass} =~ s/anon/$ftpuser/;
                print STDERR $ftphash{user};
            }
        } elsif ($commands[0] =~ /pass/i && $commands[1] =~ /[[:print:]]+/) {
            if ($login == 1) {
                print STDERR $ftphash{already};
            } else {
                if ($ftpuser) {
                    $login = 1;
                    print STDERR $ftphash{pass};
                }
            }
        } elsif ($commands[0] =~ /list|retr|stor/i) {
            if ($login == 1) {
                $commands[0] =~ tr/A-Z/a-z/;
                print STDERR $ftphash{$commands[0]};
                sleep 1;
                print STDERR $ftphash{compl};
            } else {
                print STDERR $ftphash{nologin};
            }
        } elsif ($commands[0] =~ /help|pasv|port|pwd|syst|rnfr|rnto|mkd|cwd|cdup|type/i) {
            if ($login == 1) {
                $commands[0] =~ tr/A-Z/a-z/;
                print STDERR $ftphash{$commands[0]};
            } else {
                print STDERR $ftphash{nologin};
            }
        } elsif ("$commands" =~ /\bsite help\b/i) {
            if ($login == 1) {
                $commands =~ tr/A-Z/a-z/;
                print STDERR $ftphash{"$commands"};
            } else {
                print STDERR $ftphash{nologin};
            }
        } elsif ($commands[0] =~ /exit\b|quit\b/i) {
            print STDERR $ftphash{quit};
            return;
        } else {
            if ($login == 1) {
                print STDERR "500 @commands: command not understood.\x0d\x0a";
            } else {
                print STDERR $ftphash{nologin};
            }
        }
        close LOG;
    }
}

thp-0.4.6/lib/smtp.pl.ref

use POSIX qw(strftime);

sub smtp {
    $now = strftime("%a, %B %d %Y %T GMT", gmtime(time));
    open (HTAB, "/usr/local/thp/lib/smtptab");
    my @keys = qw( State Command regex newstate continue response assignment );
    $cnt = 0;
    while (<HTAB>) {
        unless ( /^$|^#/ ) {
            chomp;
            my $key;
            $cnt++;
            $strcnt = sprintf (qq(%0.2d), $cnt);
            @_ = split(/\t/, $_, 7);
            foreach $key (@keys) {
                $rules{"$strcnt$key"} = shift @_;
            }
        }
    }
    foreach $k (sort keys %rules) {
        print "$k => $rules{$k}\n";
    }
    close HTAB;
    %smtp = (
        start => "220 $hostname.$domain ESMTP Sendmail 8.11.2/8.11.2; $now\x0d\x0a",
        helo => "250 $hostname.$domain Hello $dom [$saddr], pleased to meet you\x0d\x0a",
        err501 => "501 5.0.0 Invalid domain name\x0d\x0a",
        ehlo => qq (250 $hostname.$domain Hello $dom [$saddr], pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SIZE
250-DSN
250-ONEX
250-ETRN
250-XUSR
250-AUTH GSSAPI
250 HELP
),
        err503 => "503 5.0.0 $hostname.$domain Duplicate HELO/EHLO\x0d\x0a",
        mail => "250 2.1.0 $rpath... Sender ok\x0d\x0a",
        already => "503 5.5.0 Sender already specified\x0d\x0a",
        bogs => "500 5.5.1 Command unrecognized: \"$cmd\"\x0d\x0a",
        err553 => "553 5.1.0 ... prescan: token too long\x0d\x0a",
        norp => "503 5.0.0 Need MAIL command\x0d\x0a",
        nofp => "503 5.0.0 Need RCPT (recipient)\x0d\x0a",
        lrcpt => "250 2.1.5 $lrcpt... Recipient ok\x0d\x0a",
        rrcpt => "250 2.1.5 $rrcpt... Recipient ok (will queue)\x0d\x0a",
        data => "354 Enter mail, end with \".\" on a line by itself\x0d\x0a",
        eof => "250 2.0.0 $qid Message accepted for delivery\x0d\x0a",
        help => qq (214-2.0.0 This is sendmail version 8.11.2
214-2.0.0 Topics:
214-2.0.0       HELO    EHLO    MAIL    RCPT    DATA
214-2.0.0       RSET    NOOP    QUIT    HELP    VRFY
214-2.0.0       EXPN    VERB    ETRN    DSN     AUTH
214-2.0.0       STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation send email to
214-2.0.0       sendmail-bugs\@sendmail.org.
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info\x0d\x0a),
        ehlohlp => qq (214-2.0.0 EHLO <hostname>
214-2.0.0       Introduce yourself, and request extended SMTP mode.
214-2.0.0       Possible replies include:
214-2.0.0               SEND            Send as mail                    [RFC821]
214-2.0.0               SOML            Send as mail or terminal        [RFC821]
214-2.0.0               SAML            Send as mail and terminal       [RFC821]
214-2.0.0               EXPN            Expand the mailing list         [RFC821]
214-2.0.0               HELP            Supply helpful information      [RFC821]
214-2.0.0               TURN            Turn the operation around       [RFC821]
214-2.0.0               8BITMIME        Use 8-bit data                  [RFC1652]
214-2.0.0               SIZE            Message size declaration        [RFC1870]
214-2.0.0               VERB            Verbose                         [Allman]
214-2.0.0               ONEX            One message transaction only    [Allman]
214-2.0.0               CHUNKING        Chunking                        [RFC1830]
214-2.0.0               BINARYMIME      Binary MIME                     [RFC1830]
214-2.0.0               PIPELINING      Command Pipelining              [RFC1854]
214-2.0.0               DSN             Delivery Status Notification    [RFC1891]
214-2.0.0               ETRN            Remote Message Queue Starting   [RFC1985]
214-2.0.0               STARTTLS        Secure SMTP                     [RFC2487]
214-2.0.0               AUTH            Authentication                  [RFC2554]
214-2.0.0               XUSR            Initial (user) submission       [Allman]
214-2.0.0               ENHANCEDSTATUSCODES Enhanced status codes       [RFC2034]
214 2.0.0 End of HELP info\x0d\x0a),
        quit => qq (221 2.0.0 $hostname.$domain closing connection\x0d\x0a)
    );
    $login = 0;
    print STDERR $smtp{start};
    # Reference skeleton: log each command line, answer nothing yet.
    while (my $commands = <STDIN>) {
        open(LOG, ">>$sesslog");
        print LOG $commands;
        chomp $commands;
        $commands =~ s/\r//;
        @commands = split /\s+/, ($commands);
        close LOG;
    }
}

thp-0.4.6/lib/smtptab

# The following state table is used to match intruder input against three
# parameter sets: current state, command issued & a regex against the content.
# Every line of input is compared to the entries in this table in order, until
# the first match is made. If the rule contains a "y" in the "continue?" field,
# subsequent matches will also be processed, until a "continue? = n" is
# encountered. Entries are to be separated by a single TAB character. The
# "response" entry can be a function w/args (err404()), hash key ($smtp{ehlo}),
# or null ("").
# WARNING:
# If you choose to do silly things here, you can jeopardize the security of
# the host.
The subroutines I have included have been given alot of (enough?) # scrutiny, and seem ok. Other functions ( i.e. system("stupid stuff") ) may # result in system compromise or loss of data. # state Command regex newstate continue? response assignment(s) # ----- ------- ----- -------- --------- -------- ------------- new HELO /^helo .{256,}/i new n $smtp{err501} new EHLO /^ehlo .{256,}/i new n $smtp{err501} new HELO /^helo [[:alnum:]\.-] fwait n $smtp{helo} $dom = $commands[1] new EHLO /^ehlo [[:alnum:]\.-] fwait n $smtp{ehlo} $dom = $commands[1] fwait HELO /^helo / fwait n $smtp{err503} fwait MAIL FROM: /^mail from: .{256,}/i fwait n $smtp{err553} fwait MAIL FROM: /^mail from: [[:alnum:]]+\x40[[:alnum:]]+/i fwait $smtp{mail} $rpath = $commands[2] data . /^\.$/ fwait n $smtp{qwait} thp-0.4.6/lib/thpfunc.pl0100644000076400007640000000553007647305613014413 0ustar gbakosgbakos# /usr/local/thp/thpfunc.pl version 0.4.4 # Functions for use in thp 0.4.x A component of the thp # honeypot kit. # # Copyright George Bakos - alpinista@bigfoot.com # July 15, 2002 # This is free software, released under the terms of the GNU General # Public License avaiable at http://www.fsf.org/licenses/gpl.txt sub getip { $reply = `/sbin/ifconfig $intf`; if ($reply =~ /^.*?\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b.*/is) { $thpaddr = $1 } } # Since our SIDs are hex concatanations of unix time in seconds & microseconds, # we need a way to pull hi-resolution timestamps. Otherwise, we settle for # one-second accuracy, possibly leading to some mangled session logging. # If Time::HiRes is available, our lives are easy. If not, lets see if the # necessary headers are available for a gettimeofday() syscall. If that # bombs too, we're stuck with plain ol' time. 
:-p sub gettime { if ( eval "require Time::HiRes" ) { import Time::HiRes ; my ($secs, $usecs) = Time::HiRes::gettimeofday(); $timestp = sprintf ("%.X%.X", ("$secs", "$usecs")); $shorttime = $secs; } elsif (eval "require 'sys/syscall.ph'") { my $now = pack("LL", ()); syscall( &SYS_gettimeofday, $now, undef) >= 0 or die "gettimeofday: $!"; my($secs, $usecs) = unpack("LL", $now); $timestp = sprintf ("%.X%.X", ("$secs", "$usecs")); $shorttime = $secs; } else { $shorttime = $timestp = time(); } } # signal handlers # Use a SIGALRM to limit time of execution of each script # Since $sid is only used to label the caplog entry (once # things get going) we can here add a comment to it and exit # with a nonzero value. # It's a bit of a kludge; please improve on this, folks. sub closeout { $sid = "$sid - timeout"; clcaplog(); close(CAPLOG); exit 5; } $SIG{ALRM} = \&closeout; # Here, we manage the caplog file, which tracks all sessions sub opncaplog { gettime(); $start = $shorttime; $sid = $timestp; if ($svcname) { $sid="$sid.$svcname"} $sesslog="$logdir/$sid"; if ($logtype eq "single") { @capdata = ((strftime("%b %d %T", localtime(time))), ("SID=$sid"), ("PID=$procid"), ("SRC=$saddr"), ("SPT=$sport")); } else { print (CAPLOG "\n", strftime("%b %d %T", localtime(time)), " start thp SID $sid, UNIX pid $procid source $nsdata[4]\n"); } } sub clcaplog { gettime(); $end = $shorttime; $eltime = $end - $start; if ($logtype ne "single") { print CAPLOG strftime("%b %d %T", localtime(time)), " end thp SID $sid\n"; } if ($eltime > 0) { $etstr = (strftime("%T", gmtime($eltime))); push (@capdata,("ET=$etstr")); if ($logtype ne "single") { print CAPLOG "\t- elapsed time ", $etstr, "\n"; } } if ($size=(-s $sesslog)) { push (@capdata,("BYTES=$size")); if ($logtype ne "single") { print CAPLOG "\t- total $size bytes\n"; } } if ($logtype eq "single") { print CAPLOG "@capdata\n"; } } thp-0.4.6/lib/shell/0040775000076400007640000000000007663575041013522 5ustar 
==> thp-0.4.6/lib/shell/rh8/ <==  (directory)

==> thp-0.4.6/logthis <==
#!/usr/bin/perl -X
package thp;
# /usr/local/thp/logthis version 0.4.4
# A Perl script to log input from nonspecified tcp connections
# that are managed by xinetd/inetd. A component of the thp
# honeypot kit.
#
# Copyright George Bakos - alpinista@bigfoot.com
# July 29, 2002
# This is free software, released under the terms of the GNU General
# Public License available at http://www.fsf.org/licenses/gpl.txt

$thpdir = "/usr/local/thp";
$svcname = $ARGV[0];
$procid = $$;

# Sanitize the environment before anything shells out.
$ENV{'PATH'} = '/bin:/usr/bin:/sbin:/usr/sbin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

# Recover the peer address & port of this connection from the netstat
# line that belongs to our own pid.
@nsdata = split(" ", `netstat -tnp 2>/dev/null | grep $procid/perl`);
($saddr, $sport) = split /:/, $nsdata[4];

do "$thpdir/thp.conf";
foreach $file (<$thpdir/lib/*.pl>) { do "$file"; }
alarm $timeout;
use POSIX qw(strftime);

if ($allowftpdata == "0") {
    $thpaddr = "127.0.0.1";
} elsif (!"$thpaddr") {
    $thpaddr = getip();
}

open(CAPLOG, ">>$logfile");
opncaplog();

# Redirect STDOUT to lessen the likelihood of an attacker fooling thp into
# returning something useful to him.
open(NEWOUT, ">/dev/null") || die;
*STDOUT = *NEWOUT;

if (!"$svcname") {
    nullresp();
} elsif ($svcname =~ /shell|ftp|http|mssql|smtp|pop3/) {
    &$svcname();
} else {
    nullresp();
}

close NEWOUT;
clcaplog();
close(CAPLOG);

==> thp-0.4.6/thp.conf <==
# /usr/local/thp/thp.conf version 0.4.5
#
# variables for use in thp - Tiny Honeypot
#
# Copyright George Bakos - gbakos@ists.dartmouth.edu
# Feb06, 2003
# This is free software, released under the terms of the GNU General
# Public License available at http://www.fsf.org/licenses/gpl.txt

# Interface to listen on
$intf = "eth0";

# Session timeout - wouldja believe that some systems
# just don't cleanup stale sockets?
$timeout = "300";   # seconds

# Hostname to use in responses:
$hostname = "localhost.localdomain";

# ip address to state for incoming connections, ie: ftp data channel
# NOTE: if commented out, thp will try to determine it from the
# interface specified above. This will fail if thp user (nobody, by default)
# doesn't have permission to read /proc/net/dev
#$thpaddr = "127.0.0.1";

# Domain name to use in responses:
$domain = "localdomain";

# location of thp scripts, libs, etc.
$thpdir = "/usr/local/thp";

# Directory for all logging. Should be mode 0700 nobody:nobody
$logdir = "/var/log/hpot";

# Specific name for the master logfile.
$logfile = "$logdir/captures";

# Log format - "single" or "multi". Single line format is easier to parse, but
# does not make any entry into the capture log until the session is complete.
# Multiline gives you separate "start" & "end" lines, but is a pain in the toches
# to do anything with.
$logtype = "single";

# Program to run to generate the shell MOTD. I like fortune.
#$greetbin = "/usr/games/fortune";
$greetbin = "/bin/false";

# The home directory of the virtual root user
$homedir = "/root";

# If a shell prompt is to be returned, here ye go. NOTE: this may be
# changed later as the intruder changes working directory.
$prompt = "[root\@$hostname root]# ";

# ftp server version choices (edit them if you like)
my $fver1 = "FTP server (Version wu-2.6.0(1))";
my $fver2 = "FTP server (Version wu-2.6.1(2))";
my $fver3 = "FTP server (Version wu-2.6.1-16)";
my $fver4 = "FTP server (BSDI Version 7.00LS)";
my $fver5 = "FTP server (PFTP 0.13)";
my $fver6 = "NcFTPd Server";
my $fver7 = "Microsoft FTP Service (Version 5.0)";
my $fver8 = "Microsoft FTP Service (Version 4.0)";

# ftp version to emulate:
$ftpver = $fver3;

# Should we allow ftp data connections?
# 0 = no
# 1 = yes
$allowftpdata = "1";

# Do you want to specify a port for passive (PASV) ftp data transfer?
# Leave this commented out if you prefer thp to select a random port. If you
# choose a specific port here, it is a great idea to un-disable xinetd.d/thp.pasv
# and edit it to listen on that port.
$pasvport = 33701;

# the http vendor is emulated via selecting the appropriate directory of responses
#$httpdvend = "Microsoft-IIS";
$httpdvend = "Apache";

# http version is reported in headers, responses, etc. and SHOULD be a sensible
# match with the $httpdvend. If your server reports itself as IIS/1.3.9, that
# might raise an eyebrow.
#$httpdver = "5.0";
#$httpdver = "6.0";
$httpdver = "1.3.9";
#$httpdver = "1.3.19";

# If an attacker is looking for Windows files specifically, should thp accommodate
# them, even if your $httpdvend (above) is something else?
$chameleon = "yes";

# If you do wish to be a chameleon, what should your fake version be?
$chamelver = "5.0";

==> thp-0.4.6/xinetd.d/ <==  (directory)

==> thp-0.4.6/xinetd.d/hpot <==
# default: off
# description: A generic listener that calls a logging script to
#              record all data (keystrokes, autoroot scripts, etc.)
# Be sure to change the disable line, only if ye be men
# of valor.
service thp
{
	type		= UNLISTED
	socket_type	= stream
	wait		= no
	user		= nobody
	protocol	= tcp
	server		= /usr/local/thp/logthis
	server_args	= shell
	port		= 6635
	disable		= yes
	instances	= 10
	per_source	= 1
}

==> thp-0.4.6/xinetd.d/thp-ftpd <==
# default: on
# description: thp-ftpd calls the generic thpsvcs with param "ftp",
#              resulting in an ftpd emulation.
service thp-ftp
{
	type		= UNLISTED
	socket_type	= stream
	protocol	= tcp
	port		= 40021
	wait		= no
	user		= nobody
	server		= /usr/local/thp/logthis
	server_args	= ftp
	nice		= 10
	disable		= yes
	instances	= 10
	per_source	= 1
}

==> thp-0.4.6/xinetd.d/thp-httpd <==
# default: on
# description: thp-httpd calls the generic thpsvcs with param "http",
#              resulting in an httpd emulation.
service thp-httpd
{
	type		= UNLISTED
	socket_type	= stream
	protocol	= tcp
	port		= 40080
	wait		= no
	user		= nobody
	server		= /usr/local/thp/logthis
	server_args	= http
	nice		= 10
	disable		= yes
	instances	= 10
	per_source	= 1
}

==> thp-0.4.6/xinetd.d/thp-pasv <==
# default: on
# description: thp-pasv calls the generic thpsvcs with param "nullresp",
#              giving a silent listener (no prompt or greeting) on the
#              ftp passive data port ($pasvport in thp.conf).
service thp-pasv
{
	type		= UNLISTED
	socket_type	= stream
	protocol	= tcp
	port		= 33701
	wait		= no
	user		= nobody
	server		= /usr/local/thp/logthis
	server_args	= nullresp
	nice		= 10
	disable		= yes
	instances	= 1
	per_source	= 1
}

==> thp-0.4.6/thpfunc.pl <==
(identical to thp-0.4.6/lib/thpfunc.pl above, which is the copy logthis loads from $thpdir/lib)