What is kojoney?

Why the name kojoney ?

cojon

cloyed

attacker

Who is the author of kojoney?

What is the license of kojoney?

Does it work under Win32?

I found a bug!

Where can I download the source of kojoney?

Dependencies

Installing Kojoney

INSTALL.sh

Installing Kojoney with the install script

Install all the prerequisites (listed in previous paragraphs).

Download the latest kojoney package. Currently kojoney-0.0.3.2.zip (or a previous version).

Copy it to a temporary directory (e.g. /tmp/kojoney)

Unzip or untar the package

$ tar -xvzf kojoney-0.0.3.1.tar.gz (or unzip kojoney-0.0.3.2.zip)

(...)

$ ls

kojoney kojoney-0.0.3.1.tar.gz

Enter the 'kojoney' directory and (as the root user, if it is a Unix-like OS) type "sh INSTALL.sh".

Follow the wizard.

$ su

password:

# sh INSTALL.sh

Kojoney Honeypot installer.



Press enter to view the license agreement ...

<<< NOTE: After read the license agreement press 'q' to exit >>>

Do you accept the ZPL, MIT and GPL license terms (yes/no) ?

yes

All licenses accepted.

******************************************

Kojoney Honeypot Installer version 0.0.3

******************************************



Step 1 - Copying files

(... uninteresting information...)

Step 2 - Building libraries

[+] Building and installing [IP-Country]

[+] Building and installing [Geograpy-Countries]

[+] Building and installing [Zope Interfaces]

[+] Building and installing [Twisted extension]

[+] Building and installing [PyCrypto]

(... Possibly various warnings. You can ignore these safely...)

[+] Building and installing [Twisted Conch extension]

Step 3 - Installing documentation

[+] Installing man pages

Step 4 - Changing permissions and creating symbolic links

[+] Creating symlinks



Step 5 - Final questions and fun



Do you want to run it automatically at boot time (yes/no)?

yes



***No run levels were assigned. You need to do this manually.***



Do you want to run it now (yes/no)?

yes

Starting daemon





Kojoney installation finished.

And how can I uninstall it?

How can I start the daemon?

./kojoney.py

And how can I start it automatically at boot time?

yes.

kojoney

How can I start kojoney automatically in Debian?

# ln -s /etc/init.d/kojoney /etc/rc2.d

# ln -s /etc/init.d/kojoney /etc/rc3.d

# ln -s /etc/init.d/kojoney /etc/rc5.d

How can I start kojoney automatically in Redhat?

# /sbin/chkconfig --level 345 kojoney on

Where is the kojoney log file?

How can I generate activity reports?

kojreport

kojreport-filter

kojreport-filter

<desired ip address or date>

Where is the report utility documentation?

man kojreport

man kojreport-filter

doc/html

Any example reports, please?

I like reports with graphics and pie charts

I want to view more reports!

Uh! The reporting tool recognizes humans!?

How is it possible to recognize whether a session was opened by a bot or by a human?

Using kojhumans, the tool that distinguishes between humans and bots.

$ /usr/share/kojoney/kojhumans <logfile> {--by-session|--by-ip}

$ /usr/share/kojoney/kojhumans /var/log/honeypot.log --by-ip

Human detected at 127.0.0.1 (**, Intranet address)

Human detected at 82.77.71.107 (RO, Romania)

2 human(s) total

$ /usr/share/kojoney/kojhumans /var/log/honeypot.log --by-session

Session with id 0 opened by a human

Session with id 5 opened by a human

Session with id 1682 opened by a human

3 human session(s) total





How to search for specific session data?

What username/password combinations are allowed to connect to the honeypot?

widely used

/etc/kojoney/fake_users

fake_users

How to search for a specific session?

$ /usr/share/kojoney/kojsession /var/log/honeypot.log -total

7258 session(s)

$ /usr/share/kojoney/kojsession /var/log/honeypot.log 1682

Kojoney Honeypot Report

-----------------------



Date: lun 01 ago 2005 23:56:15 CEST

Log lines: 31

Log size: 4,0K /tmp/tmp.6pM2Df



Authenticated users. Successfull logons

---------------------------------------



1 ftp



Total 1



Logons with null passwords

--------------------------



1 ftp



Total 1



Logons with or without password

-------------------------------



2 ftp

1 tiffany



Total 3



X11 forward requests

--------------------

Total 0



Executed different commands

---------------------------



2 id

1 whoami

1 w

1 uptime

1 ls -a

1 cd home



Total 7



Number of times the intruder tries to change the terminal window size

---------------------------------------------------------------------

Total 1



IP Addresses

------------



1 82.77.71.107 - 1 conexion(es)



Total 1



Sessions opened by humans

-------------------------

Session with id 1682 opened by a human



1 human session(s) total



Humans detecteds by IP

----------------------

Human detected at 82.77.71.107 (RO, Romania)



1 human(s) total



Internal Honeypot Errors

------------------------

Total 0

We know that the attacker entered our honeypot using the username and password combination ftp/ftp. He or she also tried to log on with the user ftp and no password, and also with the username tiffany. He or she tried to execute the commands "id" (two times), "whoami", "w", "uptime", "ls -a" and "cd home". The intruder changed the remote terminal window size during the intrusion (looking at the log file in raw mode, I found the attacker was using a simple xterm). The attacker was a human. The attacker came from Romania, specifically around Craiova (thanks to the extremely cool tool xtraceroute).

How to search for a specific IP address?

kojreport-filter

$ kojreport-filter <log file> <filter> <traceroute> <nmap> <country resolution>

Kojoney Honeypot Report

-----------------------



Date: mar 02 ago 2005 00:09:40 CEST

Log lines: 35679

Log size: 3,5M /tmp/tmp.JbRsEU



Authenticated users. Successfull logons

---------------------------------------



2 root

2 admin

1 webmaster

1 web

1 user

1 test

1 oracle

1 mysql

1 guest

1 administrator



Total 12



Unauthenticated users. Failed logons

------------------------------------

Total 0



Users successfully authenticateds with publickey

------------------------------------------------

Total 0



Users unsuccessfully authenticateds with publickey

--------------------------------------------------

Total 0



Logons with null passwords

--------------------------

Total 0



Logons with or without password

-------------------------------



3421 root

11 admin

11 adam

10 ellen

9 ronald

9 paul

9 mail

9 jack

9 guest

9 francis

9 eric

9 danny

9 alex

8 apple

7 user

7 adrian

6 white

6 webster

6 viper

(...about 1400 other username/password combinations...)

1 dakota

1 Christ

1 chicago

1 arbgirl_phpbb1

1 apple1

1 alan

1 absurdir_deadphp



Total 5070



Number of times a remote shell was opened

-----------------------------------------



Total 12



X11 forward requests

--------------------

Total 0



Executed different commands

---------------------------

Total 0



Number of times the intruder tries to change the terminal window size

---------------------------------------------------------------------

Total 0



IP Addresses

------------



1 209.152.166.77 - 5093 conexion(es)



Total 1



IP Addresses and Countries

--------------------------



1 209.152.166.77 - US, United States



Total 1



Sessions opened by humans

-------------------------

0 human session(s) total



Humans detecteds by IP

----------------------

0 human(s) total



Internal Honeypot Errors

------------------------

Total 0



How to search for a specific date and/or date range?

$ kojreport-filter /var/log/honeypot.log '^2005/07/30' 0 0 1

Kojoney Honeypot Report

-----------------------



Date: mar 02 ago 2005 00:20:53 CEST

Log lines: 61066

Log size: 4,7M /tmp/tmp.MG7QZj



Authenticated users. Successfull logons

---------------------------------------



3 root

2 test

2 admin

1 webmaster

1 web

1 user

1 oracle

1 mysql

1 guest

1 administrator



Total 14



Unauthenticated users. Failed logons

------------------------------------



3419 root

11 adam

10 ellen

9 ronald

9 paul

9 mail

9 jack

9 francis

9 eric

9 danny

9 alex

9 admin

8 guest

8 apple

7 adrian

6 white

6 webster

6 viper

6 user

6 stephanie

6 russ

6 philip

6 mike

6 matt

6 martin

6 kayla

6 jerry

6 james

(...too many tries...)

1 chicago

1 arbgirl_phpbb1

1 apple1

1 alan

1 administrator

1 absurdir_deadphp



Total 5058



Logons with null passwords

--------------------------



1 root



Total 1



Logons with or without password

-------------------------------



3423 root

11 admin

11 adam

10 ellen

9 ronald

9 paul

9 mail

9 jack

9 guest

9 francis

9 eric

9 danny

9 alex

8 apple

7 user

7 adrian

6 white

6 webster

6 viper

6 stephanie

6 russ

6 philip

6 mike

6 matt

(...and more combinations again...)

1 arbgirl_phpbb1

1 apple1

1 alan

1 absurdir_deadphp



Total 5073



Number of times a remote shell was opened

-----------------------------------------

Total 14



X11 forward requests

--------------------

Total 0



Executed different commands

---------------------------

Total 0



Number of times the intruder tries to change the terminal window size

---------------------------------------------------------------------

Total 0



IP Addresses

------------



1 209.152.166.77 - 5093 conexion(es)

2 172.179.184.30 - 1 conexion(es)

3 82.43.139.111 - 1 conexion(es)



Total 3



IP Addresses and Countries

--------------------------



1 209.152.166.77 - US, United States

2 172.179.184.30 - US, United States

3 82.43.139.111 - GB, United Kingdom



Total 3



Sessions opened by humans

-------------------------

0 human session(s) total



Humans detecteds by IP

----------------------

0 human(s) total



Internal Honeypot Errors

------------------------

Total 0
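As an added example that is not part of Kojoney or of this FAQ, the following Python script reproduces, over a constructed log in an assumed line format (Kojoney's real log format is not shown on this page), what the kojhumans and kojreport-filter questions above describe: a regex line filter like kojreport-filter's <filter> argument, the per-user, per-command and per-IP counters of the report sections, and a human/bot split like the --by-session and --by-ip output of kojhumans. The human heuristic (a session that ran a command or resized its terminal) is an assumption for illustration, not the actual logic of kojhumans.

```python
import re
from collections import Counter

# Constructed sample log in an assumed line format (not Kojoney's real format).
SAMPLE_LOG = """\
2005/07/30 23:40:01 sid=1682 ip=82.77.71.107 login user=ftp pass= result=ok
2005/07/30 23:40:03 sid=1682 ip=82.77.71.107 login user=tiffany pass=tiffany result=fail
2005/07/30 23:40:09 sid=1682 ip=82.77.71.107 winsize 80x24
2005/07/30 23:40:11 sid=1682 ip=82.77.71.107 cmd id
2005/07/30 23:40:20 sid=1682 ip=82.77.71.107 cmd ls -a
2005/07/31 00:02:41 sid=1700 ip=209.152.166.77 login user=root pass=123456 result=fail
2005/07/31 00:02:42 sid=1700 ip=209.152.166.77 login user=root pass=root result=ok
2005/07/31 00:02:43 sid=1701 ip=209.152.166.77 login user=admin pass=admin result=fail
"""

LINE_RE = re.compile(r"^(?P<date>\S+) \S+ sid=(?P<sid>\d+) ip=(?P<ip>\S+) "
                     r"(?P<event>\w+)(?: (?P<rest>.*))?$")

def records(log, line_filter=None):
    """Parse log lines; an optional regex keeps only matching lines, like <filter>."""
    flt = re.compile(line_filter) if line_filter else None
    for line in log.splitlines():
        if flt is None or flt.search(line):
            m = LINE_RE.match(line)
            if m:
                yield m.groupdict()

def report(log, line_filter=None):
    """Build the counters the report sections print, plus an assumed human/bot split."""
    ok, failed, nullpw, cmds = (Counter() for _ in range(4))
    sessions = {}  # sid -> {"ip": ..., "interactive": bool}
    for r in records(log, line_filter):
        s = sessions.setdefault(r["sid"], {"ip": r["ip"], "interactive": False})
        if r["event"] == "login":
            kv = dict(tok.split("=", 1) for tok in r["rest"].split())
            (ok if kv["result"] == "ok" else failed)[kv["user"]] += 1
            if kv["pass"] == "":
                nullpw[kv["user"]] += 1
        elif r["event"] in ("cmd", "winsize"):
            # Assumed heuristic: typed commands or a terminal resize imply a real tty.
            s["interactive"] = True
            if r["event"] == "cmd":
                cmds[r["rest"]] += 1
    humans = sorted((sid for sid, s in sessions.items() if s["interactive"]), key=int)
    return {
        "successful": ok, "failed": failed, "null_passwords": nullpw, "commands": cmds,
        "connections": Counter(s["ip"] for s in sessions.values()),
        "human_sessions": humans, "human_ips": sorted({sessions[sid]["ip"] for sid in humans}),
    }
```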





Where can I get more information about honeypots?

Thanks

and also for the good logo he made. (Don't take a look to

:P).

Thanks to barrapunto.com.

Thanks to my f* confusions.



Thanks to my girlfriend for her patience. What a cruel life... Or not :)

disinterested

live