Watching botnets in real time.

Thread replies: 45
Thread images: 7

File: botnet.png (227KB, 1597x871px)
Hey /g/ I was bored and upon hearing about the malware attack I decided to install KFSensor on my shitty cloudatcost box to watch the botnets.

You can join me too by visiting http://novnc.com/noVNC/vnc.html?autoconnect=true&host=uk.anonymousey.us&port=7778

Been running for a day and already recorded 8,023 connection attempts from all different services/ports.
>>
>>60392705
>cloudatcost

a cuck among cucks
>>
>>60392705
Which one of these buttons installs gentoo?
>>
>>60392705
what the fuck are they connected to you?
>>
>>60392705
could you give me a very short explanation? what am i looking at?
>>
>>60392837
A bunch of server connections and one random SMB request on port 445 which is undoubtedly an infected machine trying to send him wannacry
>>
>>60392786
it was great value
>>
>>60392837
KFSensor is a honeypot that opens mostly every port and logs any attempts from anyone that connects.

I've been using it to mainly monitor Port 445 to see how wannacry is spreading. (I've only had a few attempts out of the 8,000+)
>>
I don't get it. Is your PC infected or are those just random idiots trying to infect random PCs through a public WiFi?
>>
>>60393221
kys
>>
>>60393373
That's mean, anon. Don't be mean, I just want to learn.
>>
File: screenshot.png (109KB, 1280x800px)
>>60393221
As far as I know it's not infected. The services I'm running are fake. But the bots connecting don't know that and I get to see the attempts at connecting.

Here's a screenshot of the SMB requests. (These may or may not be wannacry related)
>>
>>60393439
>deals-for-the-family.com
wut
>>
>>60393439
are those connections on your computer? i am lost
>>
>>60394131
see >>60392965
>>
>>60394131
Those are connection attempts from bots/botnets from around the world in realtime.
>>
>>60393439
>.ru
>.in
>.br
scum of the earth showing why
>>
File: 1479886023073.jpg (24KB, 400x300px)
isn't this run by the government and deploys CP on your HDD if you are into that conspiracy 9/11-ish? Heard they got a lot of people that way, I think the term used in a zine I read was honeypot.
>>
>>60394241
Russians seem to love port 23 and 3306
>>
>>60394252
What no. It's just a program that opens lots of ports and makes fake services and lets you see what comes in.

It's quite good, too bad there's no crack for it.
>>
>>60394318
>It's quite good too bad there's no crack for it.
is there no crack because it's an NSA front company to deploy or track who is active in the community, which would make it a crime to crack since it's illegal to know anything the NSA knows?
>>
>>60392705
Sean?
>>
>>60394393
This has nothing to do with the NSA. It's not been cracked because it's not popular enough I guess.
>>
>>60394490
oh no you saw my teamviewer ID ;_;
>>
>>60394550
[email protected]
>>
So far I've noticed :

- I'm hardly getting any SMB attacks (sigh)
- Shodan.io is really good at scanning for things
- Despite me having an open Windows CMD shell on port 23, bots ignore it expecting something else (a login prompt, Linux shell)
- Using SIPVicious to scan for exploitable Asterisk VOIP systems is still a thing

I recommend everyone put their computer into the DMZ with the firewall off, you'll probably be fine.
>>
>>60394657
Lol, interesting.. How the fuck? lol
>>
>>60394522
>This has nothing to do with the NSA. it's not been cracked because it's not popular enough I guess.
it's probably one of those NSA fronts we hear about or a homeland sexurity op like they used to take down kickass torrents.

Look for users who use it due to the kind of people who would and what they would monitor, then put them on automated lists for tracking and hard drive scanning for illegal files such as a downloaded movie for example, or if they don't support the right political party and instead say voted for a nazi fascist.

All these things could be used to take someone down once identified by just planting a few files, it only takes one jpg.
>>
>>60394657
>>60394745>>60394729

Well the VNC machine is isolated from everything apart from teamviewer.. So I'll assume you just did a WHOIS on the anonymousey domain because I'm too cheap for whoisguard.

Congrats I guess.. the info is fake btw, you can google the postcode. It takes you to McDonald's.
>>
File: ss.png (21KB, 1597x1174px)
>>60392705
If you've ever run a server, this shouldn't exactly come as a surprise. It's always been like this.
>>
>>60392965
oooh! honeypots are cool toys
>>
File: wat-3.gif (817KB, 200x233px)
>>60392705
>port 23
>"Command Console"
>>
>>60395393
yeah I get similar in my Apache logs. it's just interesting to see what else goes on the other ports
>>
>>60392877
>SMB request on port 445 which is undoubtedly an infected machine trying to send him wannacry
Random SMB requests have been around forever.
>>
>>60395452
DoublePulsar too
makes you think
>>
>>60395452
I suspect these might be wannacry related but it's hard to tell.

I think it just spreads over the LAN IP range? I'm really surprised at the low amount of attempts. (58 out of 9243)
>>
>>60395539
it tries over internet too
but is pretty much a lost cause due to NAT/lack of IPv4 addresses
>>
File: smb.png (98KB, 1280x800px)
>>60395550
It's not doing a very good job. In almost 24 hours I've highlighted 4 suspect attempts
>>
File: 1298527151028.jpg (25KB, 627x627px)
amazing that a board dedicated to technology thinks that random internet denies is something that warrants a thread.

no one fucking cares what is bouncing off your firewall you fucking child
>>
>>60395573
how do the worms work anyway?
do they target random IPs or is there some sort of pattern or a list of IP ranges to target?
>>
>>60395573
I don't think that it spread enough, many might have already done something about it also
as far as I remember from some disassembled code, each infected machine only searches 128 /24 subnets
>>
>>60395573
Why would you suspect those four especially out of that list?
>>
>>60395633
initial infection was through e-mail I think
then after infected it would scan 128 random internet subnets
and the whole local network for computers with File Sharing active
>>
>>60395668
I think it scans for a host then drops if it can't do anything else (detects as syn scan on kfsensor)

Lots of pentesters hitting that port doing their scans to see how many 445 systems are out there (binaryedge, shodan); cloud servers like vultr could be from hackers looking to exploit SMB.

The rest I'm unsure about as they don't get detected as a syn scan.
>>
>>60395765
"Syn scan" just means that it's only scanning to see if the port is open at all but never sends any data. If this were an EternalBlue attack I'd very much expect it to try and send data too.
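Added example, not code from the thread or from KFSensor: a small Python classifier over constructed honeypot records that separates probe-only connects (what the last two posts call a SYN scan) from connects that actually delivered payload to 445, and flags sources that touched many ports as mass scanners. The record layout, the IPs and the byte counts are assumptions made up for the sample.

```python
# Added example, not from the thread: classify constructed honeypot connection
# records into bare port probes ("SYN scan", no payload) vs data-bearing connects.
from collections import Counter, defaultdict

# Constructed records; this layout is an assumption, not KFSensor's log format:
# timestamp, source IP, destination port, payload bytes received.
SAMPLE_LOG = """\
2017-05-14T10:01:02 198.51.100.7 445 0
2017-05-14T10:01:03 198.51.100.7 23 0
2017-05-14T10:01:03 198.51.100.7 3306 0
2017-05-14T10:02:10 203.0.113.9 445 0
2017-05-14T10:05:44 203.0.113.44 445 137
2017-05-14T10:06:01 192.0.2.18 23 9
2017-05-14T10:07:30 192.0.2.77 445 88
2017-05-14T10:07:31 192.0.2.77 445 412
"""

def parse_log(text):
    """Turn each non-empty line into (timestamp, src, port, nbytes)."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, port, nbytes = line.split()
            rows.append((ts, src, int(port), int(nbytes)))
    return rows

def classify(rows):
    """Split connects into probe-only (no payload) and data-bearing."""
    probes = [r for r in rows if r[3] == 0]
    with_data = [r for r in rows if r[3] > 0]
    return probes, with_data

def wide_scanners(rows, min_ports=3):
    """Sources that touched at least min_ports distinct ports: mass scanners."""
    ports = defaultdict(set)
    for _, src, port, _ in rows:
        ports[src].add(port)
    return sorted(s for s, p in ports.items() if len(p) >= min_ports)

def suspect_smb(rows):
    """Sources that actually sent bytes to 445 (SYN-only hits excluded),
    mapped to total payload bytes: the ones worth a closer look."""
    totals = Counter()
    for _, src, port, nbytes in rows:
        if port == 445 and nbytes > 0:
            totals[src] += nbytes
    return dict(totals)
```

Run `suspect_smb(parse_log(SAMPLE_LOG))` on the sample to get the two sources that pushed data at 445; the host that only touched 445, 23 and 3306 with zero bytes shows up in `wide_scanners` instead.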