API tools faq
paste
Advertisement
Guest User

opsafewinter honeypot

a guest
Aug 21st, 2014
1,337
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 8.88 KB | None | 0 0
raw download clone embed print report
  1. Consternation Security operated a honeypot on December 31, 2013 targeting Anonymous IRC channels to Identify Digital Activists who may be involved in hacking or general digital anarchy.
  2.  
  3. After several hours researching operation safe winter being conducted by Anonymous I found several red flags. mainly wepay donation pages.
  4.  
  5. Since scamming and otherwise abusive behavior is taking place by people involved with this operation, including the campaign being used to spam the anti-government opNSA. I am exposing ip's of people involved, and supporting the opsafewinter campaign.
  6.  
  7. There are some bot's in the list, but that's to be expected when phishing.
  8.  
  9. First I wanted to test how effective the trap was, so i ran over to the main Anonops irc channel #Anonops. Sure enough, I got some hits, curious discovery was one IP was inside facebook's own corporate network. could this be facebook monitoring hacker activity? or has one of their servers/computers been compromised? Hard to say.
  10.  
  11. December 31, 2013: 199.59.161.30 <--- Bot
  12. December 31, 2013: 31.151.158.2 <--- Human
  13. December 31, 2013: 96.255.149.128 <--- Human
  14. December 31, 2013: 81.157.105.93 <--- Human
  15. December 31, 2013: 75.16.201.31 <--- Human
  16. December 31, 2013: 173.252.74.119 <--- Facebook?!?
  17. December 31, 2013: 67.81.217.135 <--- Human
  18.  
  19. Next I went over to cyber gorilla's IRC Network to further test things, but i found it to be mainly dead and just full of idling users despite all the advertising it's received in the last few weeks. All I got was some hits from their server bots that display the title of the url posted.
  20.  
  21. December 31, 2013: 5.9.108.74 <--- Bot
  22.  
  23. Since I've already exposed the site in this test, it was time to burn it down. I posted the link from the Anonrelations account on twitter and watched the hits and RT's. I'm not going to sift through the list and pick out the automated bots but the first 9 hit way too fast to be human.
  24.  
  25. December 31, 2013: 199.59.148.210 <-- Too fast to be human
  26. December 31, 2013: 199.59.148.209 <-- Too fast to be human
  27. December 31, 2013: 69.164.201.127 <-- Too fast to be human
  28. December 31, 2013: 54.241.198.78 <-- Too fast to be human
  29. December 31, 2013: 54.241.198.78 <-- Too fast to be human
  30. December 31, 2013: 74.112.131.242 <-- Too fast to be human
  31. December 31, 2013: 74.112.131.241 <-- Too fast to be human
  32. December 31, 2013: 46.236.7.246 <-- Too fast to be human
  33. December 31, 2013: 54.241.41.133 <-- Too fast to be human
  34.  
  35. The rest are anyone's guess. I was able to cross reference some of these with older logs, and they were in fact associated with several known anonymous members. so in that aspect, the honeypot was a success.
  36.  
  37. December 31, 2013: 65.52.244.38
  38. December 31, 2013: 173.192.79.101
  39. December 31, 2013: 46.236.24.48
  40. December 31, 2013: 98.137.207.17
  41. December 31, 2013: 98.137.207.17
  42. December 31, 2013: 54.196.145.175
  43. December 31, 2013: 199.59.148.211
  44. December 31, 2013: 37.59.16.156
  45. December 31, 2013: 199.59.161.30
  46. December 31, 2013: 54.224.152.41
  47. December 31, 2013: 46.252.18.106
  48. December 31, 2013: 46.246.92.155
  49. December 31, 2013: 74.112.131.241
  50. December 31, 2013: 23.227.176.35
  51. December 31, 2013: 23.227.176.34
  52. December 31, 2013: 23.227.176.34
  53. December 31, 2013: 23.227.176.35
  54. December 31, 2013: 98.137.207.17
  55. December 31, 2013: 46.236.26.102
  56. December 31, 2013: 54.225.58.239
  57. December 31, 2013: 130.155.204.198
  58. December 31, 2013: 212.124.109.166
  59. December 31, 2013: 212.124.109.166
  60. December 31, 2013: 74.96.97.57
  61. December 31, 2013: 50.57.227.76
  62. December 31, 2013: 74.112.131.242
  63. December 31, 2013: 54.225.52.78
  64. December 31, 2013: 54.225.52.78
  65. December 31, 2013: 66.249.74.72
  66. December 31, 2013: 199.189.85.8
  67. December 31, 2013: 205.188.94.164
  68. December 31, 2013: 54.196.127.20
  69.  
  70. Now that things are broken down. lets take a look at the header data on a few of these, and that will give us a better indication of what's a bot, and who's human.
  71.  
  72. Anonops Bot.
  73. 199.59.161.30 - - [31/Dec/2013:13:19:03 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 59585 "-" "Mozilla/5.0 (Compatible; Supybot 0.83.4.1+gribble (2011-08-12T18:12:56-0400))"
  74. Human
  75. 31.151.158.2 - - [31/Dec/2013:13:19:20 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11116 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0"
  76. Human
  77. 96.255.149.128 - - [31/Dec/2013:13:19:21 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11116 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0"
  78. Human
  79. 81.157.105.93 - - [31/Dec/2013:13:19:31 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11116 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"
  80. Human
  81. 75.16.201.31 - - [31/Dec/2013:13:20:33 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11116 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"
  82. Interesting Facebook hit from inside anonops.
  83. 173.252.74.119 - - [31/Dec/2013:13:22:08 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 206 11165 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
  84. Human
  85. 67.81.217.135 - - [31/Dec/2013:13:28:13 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11116 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0"
  86. Cyber Gorilla IRC Bot
  87. 5.9.108.74 - - [31/Dec/2013:13:58:49 +1100] "HEAD /story/24320782/anonymous-helps-the-homeless-in-houston-tx HTTP/1.1" 301 285 "-" "Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
  88. Interesting. amazon IP. automated i'm sure.
  89. 54.241.198.78 - - [31/Dec/2013:14:04:48 +1100] "HEAD /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 227 "-" "Google-HTTP-Java-Client/1.17.0-rc (gzip)"
  90. Human
  91. 65.52.244.38 - - [31/Dec/2013:14:04:50 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11114 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
  92. Appears human but tried to snag robots.txt. not familiar with flipboard.
  93. 54.196.145.175 - - [31/Dec/2013:14:05:46 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx HTTP/1.1" 301 597 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (FlipboardProxy/1.1; +http://flipboard.com/browserproxy)"
  94. Hi twitter.
  95. 199.59.148.211 - - [31/Dec/2013:14:06:55 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11114 "-" "Twitterbot/1.0"
  96. Aww how cute. someone was going to post my article as fact.. you know. cause the internet said it was real.
  97. 37.59.16.156 - - [31/Dec/2013:14:07:18 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11170 "-" "Mozilla/5.0 (compatible; PaperLiBot/2.1; http://support.paper.li/entries/20023257-what-is-paper-li)"
  98. Human
  99. 46.246.92.155 - - [31/Dec/2013:14:09:22 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11170 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20"
  100. Interesting
  101. 98.137.207.17 - - [31/Dec/2013:14:13:56 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 59613 "-" "NING/1.0"
  102. Human - Ipad news reader
  103. 54.225.58.239 - - [31/Dec/2013:14:14:09 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11133 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/534.24 (KHTML, like Gecko) Contact: feedback@getprismatic.com"
  104. Not sure.
  105. 130.155.204.198 - - [31/Dec/2013:14:15:10 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 58824 "-" "Java/1.6.0_27"
  106. Another NING
  107. 212.124.109.166 - - [31/Dec/2013:14:20:39 +1100] "HEAD /story/24320782/anonymous-helps-the-homeless-in-houston-tx HTTP/1.1" 301 366 "-" "NING/1.0"
  108. Human
  109. 74.96.97.57 - - [31/Dec/2013:14:20:42 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11169 "http://t.co/WlGhlJdTYz" "Mozilla/5.0 (Windows NT 6.0; rv:26.0) Gecko/20100101 Firefox/26.0"
  110. web proxy I think
  111. 50.57.227.76 - - [31/Dec/2013:14:20:42 +1100] "HEAD /story/24320782/anonymous-helps-the-homeless-in-houston-tx HTTP/1.1" 301 285 "-" "EventMachine HttpClient"
  112. Human
  113. 54.225.52.78 - - [31/Dec/2013:14:21:00 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 11170 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2008091620 Firefox/3.0.2"
  114. Human
  115. 205.188.94.164 - - [31/Dec/2013:14:21:20 +1100] "GET /story/24320782/anonymous-helps-the-homeless-in-houston-tx/ HTTP/1.1" 200 59613 "-" "Jakarta Commons-HttpClient/3.1"
  116. I'll look deeper into the logs when I get time, I do see that injection was successful on most occasions.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!