OpenCanary: 197 Days in the Wilderness

  • Release Candidate 6
    Guest:
    We are at a “proposed final” true release candidate with nothing known remaining to be changed or fixed. For the full story, please see this page in the "Pre-Release Announcements & Feedback" forum.
    /Steve.
  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in:

    This forum does not automatically send notices of new content. So if, for example, you would like to be notified by mail when Steve posts an update to his blog (or of any other specific activity anywhere else), you need to tell the system what to “Watch” for you. Please checkout the “Tips & Tricks” page for details about that... and other tips!

    /Steve.
  • Announcing “BootAble” – GRC's New Boot-Testing Freeware
    Please see the BootAble page at GRC for the whole story.
  • BootAble – FreeDOS boot testing freeware

    To obtain direct, low-level access to a system's mass storage drives, SpinRite runs under a GRC-customized version of FreeDOS which has been modified to add compatibility with all file systems. In order to run SpinRite it must first be possible to boot FreeDOS.

    GRC's “BootAble” freeware allows anyone to easily create BIOS-bootable media in order to workout and confirm the details of getting a machine to boot FreeDOS through a BIOS. Once the means of doing that has been determined, the media created by SpinRite can be booted and run in the same way.

    The participants here, who have taken the time to share their knowledge and experience, their successes and some frustrations with booting their computers into FreeDOS, have created a valuable knowledgebase which will benefit everyone who follows.

    You may click on the image to the right to obtain your own copy of BootAble. Then use the knowledge and experience documented here to boot your computer(s) into FreeDOS. And please do not hesitate to ask questions – nowhere else can better answers be found.

    (You may permanently close this reminder with the 'X' in the upper right.)


Lob

What could possibly go wrong?
Nov 7, 2020
161
44
In May 2022, I experimented with putting OpenCanary into an Oracle Cloud Ubuntu VM. It was a quick and basic implementation with the following ports open:
  • FTP (TCP 21)
  • SSH (TCP 22)
  • TELNET (TCP 23)
  • HTTP (Synology DSM skin, TCP 5000)
I left it to fester and, as I recently implemented a more complete OpenCanary in OCI, I have retired the original one.

It ran for 197 days and the ports lit up 328’347 times….!! The Internet is a dirty. dirty place!

Of the 328’000 attempts to access it, the focus was mainly on getting into the shell of the platform - so SSH and Telnet were the targets. Telnet saw 134’968 connection attempts and SSH 191’563 attempts.

Due to me not having fine-tuned the OpenCanary I was running, I have no credential statistics across those attempts. But fear not - the new OpenCanary I put out there is very popular and I configured it better. I normalised the logs that I captured in 42 hours (17’610 access attempts!)

On Canary 1.0, there were over 25’000 (from 328’000) connection attempts from 61.177.17x.x - guess where these IPs are? Add to that a California-based IP 45.85.147.174 hitting the host 7’800 times and a German IP (176.57.150.175) also hitting the host around that many times.

My top two attacking IP addresses on OpenCanary 2.0 are:
  • 49.88.112.75 with 3293 access attempts, apparently some bored child in China
  • 111.207.253.232 in second place with 824 attempts (again, in China)
The ports they were hitting were again SSH and Telnet. The spread is close with 9045 hits to Telnet and 8389 hits to SSH. SSH will drop requests due to it not liking the fingerprint, that must be annoying….!

So what about user accounts and passwords they attempt to get into?
  • root - 6977 attempts
  • admin - 1613 attempts
  • default - 403 attempts
  • guest - 326 attempts
  • user - 131 attempts
I feel a special mention has to go to the user accounts telnetadmin and ubnt; they must be some kind of dumb default accounts on some devices.

The passwords were interesting.
  • 1234/5/6 - the tyranny of the default, no doubt
  • Password* - oh yeah….
  • admin - more tyranny!
  • default, 1111, 888888, 54321 - oh lazy people, where art thou?
  • Win1doW$ - it’s an Ubuntu host, I doubt it….
  • Zte521 - this must be default on some ZTE kit

Conclusion​

It’s clear the Internet is a dirty, dirty place.

OpenCanary is an interesting, free project and hosting it on Oracle Cloud for free is a good experiment. OpenCanary 2.0 is seeing 420 hits per hour and this will lead to some excellent statistics on the ports and protocols being attacked. It is mainly attempts to get a command posture into the system and build from there, that’s clear.

What is also obvious is the combinations of usernames and passwords. Certainly, some of the visits seem to push set credentials into the OpenCanary, Known Dumb Credentials (KDCs). This hints that any default username/password combination deployed to an Internet-facing host will be compromised in hours if not minutes.

One of the key controls that all frameworks have when introducing new technology is to deploy with passwords changed or with other methods, strong methods, of authentication enabled.

Do it - or be a victim.
 
An update: I have a new OpenCanary out there running with some nice lights illuminated. I found that someone discovered my R/W SMB share and was storing malware in it…. :eek:

Rather than killing the write capabilities, I‘ve made the honeypot sweeter: https://www.ciso.pm/enhancing-the-opencanary-samba-writes-and-malware-submissions/

It‘s now automatically submitting samples to VirusTotal and dropped the Canary Tokens that were not interesting to my new friend :D
 
Be careful you don't become a proxy for an attack on someone else, as you might face legal responsibility in such a case.
that's my thought, I may end up cleaning the folder more regularly than once a month ;)