Skip to content
/ StickyExim Public

Exim Honey Pot for CVE-2019-10149 exploit attempts.

3 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Brets0150/StickyExim

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
README.md
README.md
 
 
honey_harvester_exim_cve-2019-10149.sh
honey_harvester_exim_cve-2019-10149.sh
 
 
install_StickyExim.sh
install_StickyExim.sh
 
 

Repository files navigation

StickyExim

An Email HoneyPot

Features

  • Easy to deploy. The install scripts does all the work.
  • Abuse report are atomaticlly created and sent to the attacking IP owner.
  • Abuse reports are stored with a hash at time of creation incase needed later.

Requirements

  • Domain names.

    • One real domain you use for normal email. Example: myrealdomain.com
    • One domain for the HoneyPot(s). Example: myhoneydomain.com

  • DNS record control.

    • Add a Wild card for all subdomains of myhoneydomain.com to point to the IP of mail server for domain myrealdomain.com. In Bind this would look like "*.myhoneydomain.com. IN A 1.1.1.1."

  • Another Mail Server

    • Anything will work. You can just use your normal email server; there is no special requirements. This is just to receive emails at.
    • Make "myhoneydomain.com" and "log.myhoneydomain.com" Domain Alias for "myrealdomain.com"
    • Create the account "[email protected]".

  • Debain 9

    • May work with other Debain version, but all testing was done in version 9.

Install

apt update ; apt install -y git
git clone https://github.com/Brets0150/StickyExim.git
cd ./StickyExim/
chmod +x *.sh
./install_StickyExim.sh <DomainNameUsedForHoneyPot> <ExternalEmailAddressToSendTestEmailTo>
Example:
./install_StickyExim.sh  "definitelynotahoneypot.com" "[email protected]"

After the install, a test email will be sent to the email address you provided above. If you do not get a email, check the mail log(/var/log/exim4/maillog).

Configure

nano honey_harvester_exim_cve-2019-10149.sh

You need to find and update two variable at the top of this script.

This is the email that will appear on abuse reports that are sent. So this needs to be a valid email address. You may be contacted back by the people who get these reports.

Example: [email protected] str_my_abuse_email_address_to_use_in_from_field=''

This email address must be different from the "str_my_abuse_email_address_to_use_in_from_field". This email is use to send a copy of a abuse reports to you so you are aware that an attack was found. Since the "str_my_abuse_email_address_to_use_in_from_field" domain will be local to this honeypot system, it will not try to send to a remote. I suggest adding a subdomain.

Example: [email protected] str_my_abuse_email_address_to_send_copy_of_abuse_report=''

Testing

If you want to test to confirm the honeypot is working, you can use this other project I found. https://github.com/cowbe0x004/eximrce-CVE-2019-10149

NOTE: This will send a abuse report to the owner of the IP you are testing from(ie, your ISP). Use at your own risk.

Happy Hunting!

About

Exim Honey Pot for CVE-2019-10149 exploit attempts.

Resources

Readme
Activity

Stars

3 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages