Honeypot

Who Used to Live at My IP Address?

3 min read

You know when you move into a new place, you still get mail for the people who used to live there? Do you ever wonder who those people were when you write “Return to Sender” on the envelope?

With the popularity and ease of spinning up cloud environments these days, (not to mention the lack of IPv4 addresses) you are bound to end up moving into a public IP address that used to belong to someone else.

What do you know about the previous owner?

Sr. Technology Specialist Tom Peterson digs in:

While looking at traffic on a honeypot that I have setup on Digital Ocean, I saw some inbound traffic to TCP port 888 that wasn’t the usual junk we see. It was a machine checking in with mine as if I was its Command and Control (CnC) server!

When an unsuspecting machine gets infected by something nasty, it often configures the address of a server on the internet for the malware to periodically check-in with. This CnC server might install a keylogger to secretly monitor the infected machine or instruct it to send traffic as part of a Distributed Denial of Service (DDoS) attack. Many times, DNS is used to find a CnC server to connect to, but it’s also possible the malware configures a hard-coded IP address instead.

Had someone been running a CnC server on the IP that I’m using now?

Digital Ocean, like the other cloud providers, assigns new IP addresses from a large pool of addresses they own. With so many droplets being created and destroyed every day, my IP was certainly used by someone else in the past. But what were they using it for?

It took about a week to notice the first one, but now that I know to look for them, I’ve found check-ins from quite a few malware families. It’s not uncommon to see a check-in that contains the username and password from the compromised machine. This kind of information is often simply base64 encoded and sent out in the clear!

CnC-check-in_anon.pcapng

Take a look at a sanitized example of one of these check-ins. It contains information about the infected machine, including the OS version, host name, and maybe even hardware specs.

The threat assessment summary tells me that it is from an old Nitol botnet. Krebs has more about the operation that Microsoft lead to take it down in 2012!

It just goes to show, you never know who lived at your IP address before you!

It makes us wonder, is there anything we should do about any of this? Is this simply the background noise of the internet? Join in the conversation on Twitter @cloudshark and use #CSHoneypot and let us know your thoughts.

Our honeypot project is just getting started. What else would you like to see us explore? Join our newsletter below to discover what will we find next!

Header photo by Photo by Mathyas Kurmann on Unsplash

Get articles like this in your inbox: