About Honeybird‎ > ‎

Old honeybird website (until mid 2009)


Greeting to Honeynet Project

posted Oct 19, 2009, 7:38 PM by Peter Cheung

Hi Honeynet Project,

Our honeynet project established in 2007, it was co-operated with PISA (http://www.pisa.org.hk) and local educational institutes. Currently, there is 5 members (Alan, Daniel, Peter, Roland and Wallace) involve on this project, we use our spare time to set up and maintain the honeynet. Our objective is

1.Learn the hacker tracks involved in the attacks.
2.Collect statistics for internet attack forecast and attack preventive alert.
3.Provide courseware or research topic for local educational institutes.

Thanks to everyone at the Honeynet Project for bringing us on board. We look forward to get to know and communicate with each others.

Here is some words from our team members:
Alan Tam: “My name is Alan Tam and just joined the honeynet hongkong for a few months. I like Linux and OS X but still have to support a windows 2000 running in my wife’s computer. I wish ATI display driver can one day be running natively on virtualization such that I can safely run fast DX10 games and a honeywall with hostapd…”

Peter Cheung: “My name is Peter Cheung and started the honeynet a year ago. Interested in hacker behavior, motivation, tools and technique. I hope this project also can raise public aware in infosec”.

Roland Cheung: “My name is Roland Cheung and joined the honeynet for a year ago. Interested in Malware analysis and forensic. It is exciting to join the Honeynet Project and hope we can share our techique and informatin from each others.”

Cheers,
HoneyBird - Honeynet Hong Kong Chapter

Website: http://www.honeybird.hk
Email: honeybirdhk (at) gmail (dot) com
GPG: 16A9 95A0 F683 6944 E912 212F A40A 13F0 C4DD 5E66

Problem on installing sebek

posted Oct 19, 2009, 7:37 PM by Peter Cheung

Sebek is to capture all of the attackers activities (keystrokes, file uploads, passwords) then covertly send the data to the server.

I tried to install sebek to the Linux machine but a problem occurred on "configure" stage, the error messages as below:

Kernel defined KBUILD_BASENAME
checking for struct task_struct.p_pptr… no
Kernel NOT using P_PPTR
checking for struct inet_opt.daddr… no
Kernel NOT using INET_OPT
checking for /lib/modules/2.6.11-1.1369_FC4/build/net/packet/af_packet.c… no
configure: error: Cannot find /lib/modules/2.6.11-1.1369_FC4/build/net/packet/af_packet.c

the problem seems cannot find af_packet.c but I had already install kernel-source package and also use gcc-4.x or gcc-3.x verion to compile. Under /lib/modules/2.6.11-1.1369_FC4/build/net/packet/ , I only find a Makefile file. Do you know which software package include the af_packet.c or Do you have experience on similar problem when compile software on Linux?

GPG Key for Honeybird.hk

posted Oct 19, 2009, 7:36 PM by Peter Cheung

A GPG key for Honeybird.hk is generated for secure communication with other parties or organization.

GPG key

Fingerprint: 16A9 95A0 F683 6944 E912 212F A40A 13F0 C4DD 5E66

The key was generated by the OpenSource software Gpg4win

Roo - data remote replication

posted Oct 19, 2009, 7:35 PM by Peter Cheung

http://www.cs.indiana.edu/~cviecco/distributed_roo/index.html

This is a distribute honeynet and we can make use of this concept to replicate the roo mysql to our remote syslog for analysis.

Walleye - enable prompt login

posted Oct 19, 2009, 7:33 PM by Peter Cheung

Add these 2 modules at /etc/walleye/httpd.conf

LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so

Restart the apache :

/etc/init.d/walleye-httpd restart

Add .htaccess at /var/www/html/walleye/

AuthType Basic
AuthName “I’m not a Honeynet”
AuthUserFile /dev/httppasswd
Require user you me

Then change the permission :

#chmod 644 .htaccess

Honeywall - Reset honeywall(ROO) password

posted Oct 19, 2009, 7:31 PM by Peter Cheung

  1. reboot system
  2. at boot splash press any key to enter menu
  3. press “p” to enter passwd
  4. enter grub password (default is “honey”)
  5. - - passwd will be echoed like “*****”
  6. press “e” to enter grub command line interface
  7. use up/down arrows to choose line begining with “kernel”
  8. press “e” to edit
  9. - - cursor will be placed at end of line to edit
  10. add a space then type the word “single (no “”)
  11. press return to save changes
  12. press “b” to boot
  13. When you see the prompt
  14. Give root password for maintenance (or type control-D to continue):

  15. Enter root passwd and press return to check whether or not you have lock yourself out of a non root user account due to 3 consecutive failed logins:
  16. /sbin/pam_tally –user USERNAME

    (where username is the username you are testing)
    If you see:
    user USERNAME (xxx) has YYY
    (where xxx is USERNAME’s UID and YYY is >= 3) Then USERNAME has a
    consecutive failed login count greater than 3 and the account has
    been locked.

    To unlock the account for the above reson:
    /sbin/pam_tally –user USERNAME –reset
    then reboot

    If you have simply (or also) forgoten the passwd for USERNAME:
    passwd USERNAME
    (supply new passwd)

  17. reboot

Walleye - first time change password problem

posted Oct 19, 2009, 7:31 PM by Peter Cheung

Use 10 to 17 chars and would not work.

Try 8 and 9 chars will work fine.

Honeybird 2008 status report

posted Oct 19, 2009, 7:29 PM by Peter Cheung

Honeybird 2008 status report.

Top scanned port

posted Oct 19, 2009, 7:28 PM by Peter Cheung

Port 80 had became top scanned port in Honeybird since 6/Jan/2009.  It took over the leading position of SQL 1433 / 1434.  

Top 10 Scanned Ports:
=====================

 Port       Packets    Bytes      Conns
 ———  ———  ———  ———
 tcp/135          166          0        147
 tcp/445          140          0        104
 tcp/80          1068     297364         90
 udp/1026          34      19815         34
icmp/0            289      16290         26
 udp/1027          24      14050         24
 tcp/1433          29          0         19
 tcp/22            24          0         13
 udp/1434          11       4136         11
 tcp/2967          15          0          9

Splunk installed.

posted Oct 19, 2009, 7:27 PM by Peter Cheung

Splunk free version installed to help analysis the data.

These 2 sites have explain how-to add a login box for free edition. Some more steps added :

1. Bind the splunk to run on 127.0.0.1:8000 . Default it is bind to all IP.

http://www.splunk.com/base/Documentation/3.4.6/Installation/ConfigureSplunkBeforeStartup

2.Configure Apache to listen Your IP 1.1.1.1:8000

Then follow the steps in either these sites:

http://www.deckerd.com/core/splunk-free-htaccess-protection-using-apache/

http://www.subnetzero.net/2008/09/password-protect-splunk_6852.html

1-10 of 16