Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Consternation Security operated a honeypot on December 31, 2013 targeting Anonymous IRC channels to Identify Digital Activists who may be involved in hacking or general digital anarchy.
- After several hours researching operation safe winter being conducted by Anonymous I found several red flags. mainly wepay donation pages.
- Since scamming and otherwise abusive behavior is taking place by people involved with this operation, including the campaign being used to spam the anti-government opNSA. I am exposing ip's of people involved, and supporting the opsafewinter campaign.
- There are some bot's in the list, but that's to be expected when phishing.
- First I wanted to test how effective the trap was, so i ran over to the main Anonops irc channel #Anonops. Sure enough, I got some hits, curious discovery was one IP was inside facebook's own corporate network. could this be facebook monitoring hacker activity? or has one of their servers/computers been compromised? Hard to say.
- December 31, 2013: 199.59.161.30 <--- Bot
- December 31, 2013: 31.151.158.2 <--- Human
- December 31, 2013: 96.255.149.128 <--- Human
- December 31, 2013: 81.157.105.93 <--- Human
- December 31, 2013: 75.16.201.31 <--- Human
- December 31, 2013: 173.252.74.119 <--- Facebook?!?
- December 31, 2013: 67.81.217.135 <--- Human
- Next I went over to cyber gorilla's IRC Network to further test things, but i found it to be mainly dead and just full of idling users despite all the advertising it's received in the last few weeks. All I got was some hits from their server bots that display the title of the url posted.
- December 31, 2013: 5.9.108.74 <--- Bot
- Since I've already exposed the site in this test, it was time to burn it down. I posted the link from the Anonrelations account on twitter and watched the hits and RT's. I'm not going to sift through the list and pick out the automated bots but the first 9 hit way too fast to be human.
- December 31, 2013: 199.59.148.210 <-- Too fast to be human
- December 31, 2013: 199.59.148.209 <-- Too fast to be human
- December 31, 2013: 69.164.201.127 <-- Too fast to be human
- December 31, 2013: 54.241.198.78 <-- Too fast to be human
- December 31, 2013: 54.241.198.78 <-- Too fast to be human
- December 31, 2013: 74.112.131.242 <-- Too fast to be human
- December 31, 2013: 74.112.131.241 <-- Too fast to be human
- December 31, 2013: 46.236.7.246 <-- Too fast to be human
- December 31, 2013: 54.241.41.133 <-- Too fast to be human
- The rest are anyone's guess. I was able to cross reference some of these with older logs, and they were in fact associated with several known anonymous members. so in that aspect, the honeypot was a success.
- December 31, 2013: 65.52.244.38
- December 31, 2013: 173.192.79.101
- December 31, 2013: 46.236.24.48
- December 31, 2013: 98.137.207.17
- December 31, 2013: 98.137.207.17
- December 31, 2013: 54.196.145.175
- December 31, 2013: 199.59.148.211
- December 31, 2013: 37.59.16.156
- December 31, 2013: 199.59.161.30
- December 31, 2013: 54.224.152.41
- December 31, 2013: 46.252.18.106
- December 31, 2013: 46.246.92.155
- December 31, 2013: 74.112.131.241
- December 31, 2013: 23.227.176.35
- December 31, 2013: 23.227.176.34
- December 31, 2013: 23.227.176.34
- December 31, 2013: 23.227.176.35
- December 31, 2013: 98.137.207.17
- December 31, 2013: 46.236.26.102
- December 31, 2013: 54.225.58.239
- December 31, 2013: 130.155.204.198
- December 31, 2013: 212.124.109.166
- December 31, 2013: 212.124.109.166
- December 31, 2013: 74.96.97.57
- December 31, 2013: 50.57.227.76
- December 31, 2013: 74.112.131.242
- December 31, 2013: 54.225.52.78
- December 31, 2013: 54.225.52.78
- December 31, 2013: 66.249.74.72
- December 31, 2013: 199.189.85.8
- December 31, 2013: 205.188.94.164
- December 31, 2013: 54.196.127.20
- Now that things are broken down. lets take a look at the header data on a few of these, and that will give us a better indication of what's a bot, and who's human.
- Anonops Bot.
- 199.59.161.30 - - [31/Dec/2013:13:19:03 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 59585 "-" "Mozilla/5.0 (Compatible; Supybot 0.83.4.1+gribble (2011-08-12T18:12:56-0400))"
- Human
- 31.151.158.2 - - [31/Dec/2013:13:19:20 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11116 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0"
- Human
- 96.255.149.128 - - [31/Dec/2013:13:19:21 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11116 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0"
- Human
- 81.157.105.93 - - [31/Dec/2013:13:19:31 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11116 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"
- Human
- 75.16.201.31 - - [31/Dec/2013:13:20:33 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11116 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"
- Interesting Facebook hit from inside anonops.
- 173.252.74.119 - - [31/Dec/2013:13:22:08 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 206 11165 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
- Human
- 67.81.217.135 - - [31/Dec/2013:13:28:13 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11116 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0"
- Cyber Gorilla IRC Bot
- 5.9.108.74 - - [31/Dec/2013:13:58:49 +1100] "HEAD /story/24320782/anonymous-helps-the-homeless-in-houston-tx HTTP/1.1" 301 285 "-" "Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
- Interesting. amazon IP. automated i'm sure.
- 54.241.198.78 - - [31/Dec/2013:14:04:48 +1100] "HEAD /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 227 "-" "Google-HTTP-Java-Client/1.17.0-rc (gzip)"
- Human
- 65.52.244.38 - - [31/Dec/2013:14:04:50 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11114 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
- Appears human but tried to snag robots.txt. not familiar with flipboard.
- 54.196.145.175 - - [31/Dec/2013:14:05:46 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx HTTP/1.1" 301 597 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (FlipboardProxy/1.1; +http://flipboard.com/browserproxy)"
- Hi twitter.
- 199.59.148.211 - - [31/Dec/2013:14:06:55 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11114 "-" "Twitterbot/1.0"
- Aww how cute. someone was going to post my article as fact.. you know. cause the internet said it was real.
- 37.59.16.156 - - [31/Dec/2013:14:07:18 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11170 "-" "Mozilla/5.0 (compatible; PaperLiBot/2.1; http://support.paper.li/entries/20023257-what-is-paper-li)"
- Human
- 46.246.92.155 - - [31/Dec/2013:14:09:22 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11170 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20"
- Interesting
- 98.137.207.17 - - [31/Dec/2013:14:13:56 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 59613 "-" "NING/1.0"
- Human - Ipad news reader
- 54.225.58.239 - - [31/Dec/2013:14:14:09 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11133 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/534.24 (KHTML, like Gecko) Contact: feedback@getprismatic.com"
- Not sure.
- 130.155.204.198 - - [31/Dec/2013:14:15:10 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 58824 "-" "Java/1.6.0_27"
- Another NING
- 212.124.109.166 - - [31/Dec/2013:14:20:39 +1100] "HEAD /story/24320782/anonymous-helps-the-homeless-in-houston-tx HTTP/1.1" 301 366 "-" "NING/1.0"
- Human
- 74.96.97.57 - - [31/Dec/2013:14:20:42 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11169 "http://t.co/WlGhlJdTYz" "Mozilla/5.0 (Windows NT 6.0; rv:26.0) Gecko/20100101 Firefox/26.0"
- web proxy I think
- 50.57.227.76 - - [31/Dec/2013:14:20:42 +1100] "HEAD /story/24320782/anonymous-helps-the-homeless-in-houston-tx HTTP/1.1" 301 285 "-" "EventMachine HttpClient"
- Human
- 54.225.52.78 - - [31/Dec/2013:14:21:00 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11170 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2008091620 Firefox/3.0.2"
- Human
- 205.188.94.164 - - [31/Dec/2013:14:21:20 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 59613 "-" "Jakarta Commons-HttpClient/3.1"
- I'll look deeper into the logs when I get time, I do see that injection was successful on most occasions.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement