Archive for May, 2005

revenge of the hoff

hacking hotmail 3

Well didn’t think they would access it, but they did. Someone just looked at my little honey trap ….. from Russia.

Subject: WARNING: access to honeypot

IP = 81.222.223.38
Browser = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

inetnum: 81.222.223.0 - 81.222.224.255
netname: FRO
descr: JSC “FRO” Network
country: RU
admin-c: DS544-RIPE
tech-c: AG12797-RIPE
status: ASSIGNED PA
notify: ***@eltel.net
mnt-by: ELTEL-RIPE-MNT
changed: ********@eltel.net 20040925
source: RIPE

person: Dmitry Samarin
address: 10N, 65-67,
address: Chaykovskogo st.
address: 191123 Saint-Petersburg
address: Russia
phone: +7 812 4381100
fax-no: +7 812 4381101
e-mail: ***@eltel.net
nic-hdl: DS544-RIPE
changed: ********@eltel.net 20021110
source: RIPE

person: Alexandr Goussev
address: 10N, 65-67,
address: Chaykovskogo st.
address: 191194 Saint-Petersburg
address: Russia

I wonder if it’s an anon proxy? Don’t think so. What hacker would be using IE6? Unless the person is v. sophisticated and changing the user agent.

That IP resolves to www.nwlink.spb.ru — Alliance of Home Networks St-Peterburg. Anyone read Russian?!

ww house

Worldwide House is always good value. Cheap tailoring and food, reasonably nice lady patrons and comedy signs.

Help me find what?!

And the outrageous:

Intermediate foooking what!?

[Note, first two pics taken by my mate’s old phone. Last two taken by my new K750i and then 85% JPG’d]

the sith

Peace is a lie, there is only passion.
Through passion, I gain strength.
Through strength, I gain power.
Through power, I gain victory.
Through victory, my chains are broken.
The Force shall free me.
—The Sith Code

Yeah, saw the new Star Wars movie over the weekend. Loved it. Reviews all over the place. What they said. Dialogue not the best (except Sidious), Christensen is shiiiiiiiiiiiiiiiiiiite. Anakin’s turn to the dark side too quick. Great action scenes. Still some questions.

We also reckon that the reason Vader wore the suit/mask/helmet is not because he was burned and chopped up, it was because Padme kept calling him ‘Ani’:

“I am Darth Vader!”
“Are you suuuuuuure you’re not my little Ani?”
“No, I am the Dark Lord of the Sith!”
“You look a lot like my little Ani.”
“Right, that’s it, I’m going to wear a scary black mask and helmet.”

So, now I know the story, I can scour the internets for info.

Wiki — sooooo much to read.
The Sith explained.
A guide to Episode III for non-geeks.
The Little Book Of Star Wars Wisdom.
The Line People.
Sith post-mortem.

flags

Anyone know where to buy flags in HK? I want a Union Flag.

Also need some red, white and blue bunting.

I can’t remember the last time I heard the word ‘bunting’!

Any ideas?

Interesting.
Thanks.

hacking hotmail 2

Oly says:

Check the email headers, assuming he sent any. If they came from hotmail’s servers then someone’s definitely got a keylogger on your mate’s computer. If not, it could be someone just doing a faked email looking like it’s from him?

Headers say hotmail servers. It’s not faked.

OK, here’s the full story:

I set up a secret repository of the photos from Manila. Not on this server, so don’t bother looking! I password protected the page and sent out instructions to all the lads on how to view them. Yes, that email included the address, password and user ID, not the best, but I’d forgotten about my mate complaining about his Hotmail issues.

On Sunday night, he called to say he was locked out of Hotmail. I then received an email, from his address, to me and a load of other addresses, containing some of the more incriminating (for him) photos from the weekend. The email was sent to pretty much all the girls in his address book. He was lucky (ish), there were no work addresses there.

I called him to see if he had downloaded any of the photos and saved in his Hotmail. No. So that meant someone had accessed the ‘secret’ page.

I checked the server logs:

$ for IP in $( grep secret-path server.log | awk '{print $1}' | sort -u )
do
   echo "$IP"
   whois "$IP" | grep address
done

All addresses were in Hong Kong, except for one in Ireland.
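The same log check taken a step further, as an added example that is not the code from the original post: because the page was password protected, it separates requests that were refused from requests that were actually served the photos, per client IP. The combined log format, the user name `lads` and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# "Combined" access-log layout; that server.log uses it is an assumption.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?'
)

def triage(lines, secret_path):
    """Per client IP: times served, times refused, login names, browsers."""
    hits = defaultdict(lambda: {"ok": 0, "denied": 0, "first": None,
                                "last": None, "users": set(), "agents": set()})
    for line in lines:
        m = LINE.match(line)
        if not m or not m["path"].startswith(secret_path):
            continue
        h = hits[m["ip"]]
        if m["status"].startswith("2"):      # page content was served
            h["ok"] += 1
        elif m["status"] in ("401", "403"):  # password prompt or refusal
            h["denied"] += 1
        h["first"] = h["first"] or m["ts"]
        h["last"] = m["ts"]
        if m["user"] != "-":                 # authenticated user name, if any
            h["users"].add(m["user"])
        if m["ua"]:
            h["agents"].add(m["ua"])
    return dict(hits)

# Constructed sample lines; addresses are documentation ranges, not real visitors.
SAMPLE = [
    '192.0.2.10 - - [01/May/2005:21:14:03 +0800] "GET /secret-path/ HTTP/1.1" 401 512 "-" "Mozilla/5.0 (Macintosh)"',
    '192.0.2.10 - lads [01/May/2005:21:14:09 +0800] "GET /secret-path/ HTTP/1.1" 200 8841 "-" "Mozilla/5.0 (Macintosh)"',
    '198.51.100.7 - lads [01/May/2005:23:40:51 +0800] "GET /secret-path/img/07.jpg HTTP/1.1" 200 90210 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '203.0.113.5 - - [02/May/2005:02:11:30 +0800] "GET /secret-path/ HTTP/1.1" 401 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '203.0.113.5 - - [02/May/2005:02:12:00 +0800] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
]

if __name__ == "__main__":
    for ip, h in triage(SAMPLE, "/secret-path").items():
        print(ip, h["ok"], h["denied"], sorted(h["users"]), h["first"], h["last"])
```

An address with only `denied` hits found the link but never got past the password; one with `ok` hits saw the photos.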

Turns out, a girl who stayed with him for five weeks in March/April, is now living in Ireland. Sooooooo …. case closed?

Anyway, I sent out another email to the lads last night saying I had updated the photos with a new link. The new link is a blank page, but emails me with the user’s IP address and browser info — my first ever PHP page! I sent one to all minus my mate telling them all to ignore it.

So we are just waiting for her (?) to access the honey trap.
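A honey trap page of the kind described above, as an added example written in Python (WSGI) rather than the PHP page from the post, which is not shown here. It serves a blank page and builds an alert in the same "IP = / Browser =" layout as the alert quoted elsewhere on this page, and also records proxy-related headers when the client sends them. The mail addresses and the `notify` callback are hypothetical; wiring `notify` to a mail server is left to the deployment.

```python
from email.message import EmailMessage

# Headers that forwarding proxies commonly add; their absence proves nothing,
# since an anonymising proxy can simply leave them out.
PROXY_HEADERS = ("HTTP_VIA", "HTTP_X_FORWARDED_FOR", "HTTP_FORWARDED")

def clean(value, limit=200):
    """Client-controlled text ends up in mail: drop control chars, cap length."""
    return "".join(c for c in value if c.isprintable())[:limit]

def build_alert(environ, mail_to, mail_from):
    """Turn one WSGI request into the alert mail; nothing is sent here."""
    msg = EmailMessage()
    msg["Subject"] = "WARNING: access to honeypot"
    msg["From"], msg["To"] = mail_from, mail_to
    lines = [
        "IP = " + clean(environ.get("REMOTE_ADDR", "unknown")),
        "Browser = " + clean(environ.get("HTTP_USER_AGENT", "(none sent)")),
    ]
    for key in PROXY_HEADERS:
        if key in environ:
            name = key[5:].replace("_", "-").title()   # HTTP_VIA -> Via
            lines.append(f"{name} = {clean(environ[key])}")
    msg.set_content("\n".join(lines))
    return msg

def make_app(notify, mail_to="me@example.org", mail_from="canary@example.org"):
    """WSGI app: hand the alert to notify(msg), then serve a blank page."""
    def app(environ, start_response):
        notify(build_alert(environ, mail_to, mail_from))
        start_response("200 OK", [("Content-Type", "text/html"),
                                  ("Cache-Control", "no-store")])
        return [b""]
    return app
```

The user agent is whatever the client chooses to send, so the alert records it as a claim, not as proof of the browser in use.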

We cannot access Hotmail from work, so my mate wouldn’t type his password onto a work machine, so last night I checked out his home machine. He had a firewall on his router, but the Mac OS X firewall wasn’t running. I couldn’t see any processes running that could be key loggers and no crontab entries. His wireless network wasn’t secured, it is now. I also installed Little Snitch, which should capture any attempts to access the outside world from his computer. I’m pretty sure there is nothing happening on his home machine. I did, however, discover that girl’s Hotmail password. Sooooo ……

He is pissed off because his photos went to all the girls he knows. I’m pissed because someone has accessed my private photos. I feel like changing my honey trap to fook her machine reet up. If I knew how.

Anyway, email encryption from now on.

hacking hotmail

Anyone know if it is possible? Not for me, I don’t use it. A mate is having a disaster with his email. He changes his password but someone still gets in to do things with his Hotmail. So either:

1. The person has access to his Mac or a process sending out keylogs or something.
2. The person can hack into Hotmail.
3. The person has someone on the inside at Hotmail.




