a POP3 tarpit (teergrub)/honeypot
I wrote this program for pretty much the same reasons that I wrote SMTarPit.
Like SMTarPit TarPop is a combined SMTP honeypot and tarpit released under the GPL. It is writen in Perl so it should work on virtually any platform that supports Perl (except Windows). It uses xinetd which looks at port 110 (instructions in the tarball) and when someone calls it, tarpop is launched. It then decides whether there is a man or a machine on the other end and sets about wasting their time.
It is meant to complement SMTarPit by presenting the cracker with an open port 110 which seems to have a POP3 server on the other end and potentially, lots of juicy accounts to look at.
There are plenty of instructions as to how to configure the program - if Perl is not your first language, you should still be able to see what to do. You will certainly need to put a valid domain name in there but it is all well laid out so that you can install it and run it as a part of xinetd.
Every time an incoming call to port 110 happens, xinetd starts a copy of this server. It only has a small memory footprint and doesn't really consume much processor time.
When the server is started, it responds with the usual welcome message and then waits for the client to respond. When the client does respond, it looks at how long it took and tries to work out whether it is a man or machine at the other end (you can adjust this time in the program if you want).
If the server thinks that it is a machine at the other end, it goes into tarpit mode where everything takes a long time.
You need to have bogus email addresses that the cracker needs to check. You can do this by having a web server on port 80 with a 1 pixel square link to it from a site that is spidered regularly (you can put the other site into Google's spider list if you want). If it is on the same server, any checks to see that email addresses are genuine will show that they are.
Something else you might consider is all of those phishing attacks. If you click on one (to open on a browser not running scripting, preferable not on Windows either) then, where the opportunity arises, add a tarpitted email address - this will get sold on as a valid email address and might create a bit of interest at the same time.
You don't need...
- a computer that runs Perl
- xinetd (you can probably run it with inetd - let me know on that one)
- The computer does not receive any incoming pop3 mailbox calls (ie, port 110 on the external ethernet card is not used)
- Port 110 open on the firewall
- there is a domain name pointing to that IP address (even a domestic broadband machine can use this - go to DynDNS.Org to see how to get your own domain name for free)
- root access
You should have (any way)...
- to have Perl in the directory that this program runs in because it doesn't call anything else once it is chrooted (it doesn't before either)
- to run it on a mainframe - a home, broadband machine will do it
- a great, in-depth knowledge of setting up servers as you can follow the instructions in the Perl script file - you can run this on virtually anything
- to spend money
- a firewall that you can configure to point port 110 traffic to your server
- Perl (nothing fancy is needed here, the basic install that comes with your OS should do)
- a 24/7 connection to the Internet
- a machine that you run all of the time
In a shell, get the host ip address for "info2.mine.nu"
Open up telnet and point it to the address on port 110. You will get the TarPop honeypot/tarpit. After that, just start using some POP3 commands and see what happens.
The following is representative of the output for one session from the full log...
NEW 20601 126.96.36.199 2005 Jan 27 11:29:58
20601 2005 Jan 27 11:29:58 +OK POP3 server ready <email@example.com>
20601 2005 Jan 27 11:30:13 USER Peter123
20601 -- delta_t = 15 seconds
20601 -- Slow response: selecting honeypot mode
20601 2005 Jan 27 11:30:18 +OK
20601 2005 Jan 27 11:30:31 PASS piper654
20601 2005 Jan 27 11:30:38 -ERR User ID/password combination not recognised
20601 2005 Jan 27 11:30:48 PASS PiPeR654
20601 2005 Jan 27 11:30:55 -ERR Need User ID first
20601 2005 Jan 27 11:31:08 USER Peter123
20601 2005 Jan 27 11:31:11 +OK
20601 2005 Jan 27 11:31:21 PASS PiPeR654
20601 2005 Jan 27 11:31:28 -ERR POP3 server pop.sbhp.info2.mine.nu signing off
20601 -- Reached max UserID fails (max = 3)
20601 -- duration: 90 seconds
... and this from the quicklog
20601 2005 Jan 27 11:31:28 192.168.1.80 - duration = 90
Click here to download the tarball...
Length: 10,821 Bytes.
|0.5.0 Released 27/01/2005 10,821 Bytes
- This is the first release. It forms a basic honeypot/tarpit to keep automatic mail clients and basic hacking attempts happy.
email paul-grosse at ntlworld dot com
Return to home page