Extending OpenCanary Monitoring

HackingHoneypot

Expect the Unexpected

The unexpected can happen when running OpenCanary instances and this demands some adapting. It’s considerably less dangerous than fixing an aircraft while flying, of course!

Stability

The Python-based OpenCanary is fairly low maintenance once running but, with 1.2 million+ hits per OC, they get a little tired and can simply disappear. I suspect there are some memory constraints with Python and possibly bugs in the .py code itself that leads to an abend of the process.

To ensure an alert when a process dies, you can adapt Process Monitor to alert you (my preference is into Slack via Webhook) when the twistd/opencanaryd process goes AWOL.

The script basically polls ps -ef for those key words on a 5 minute interval and will (should) notify you once until it sees the processes again.

In parallel, OC Monitor will try opening a telnet session on a periodic basis and, should telnet not respond, it will try to gracefully start the OpenCanary daemon again. Try, try, fail again and it will hit it with a hammer (reboot).

Drive-by “Deposits” (SMB)

If you are daring and run an open Samba share, you will likely get files being dropped on your share. Folder Watcher will monitor the share and copy files to another directory once they are copied (they often get deleted).

Those files are then submitted to VirusTotal.

An interesting fact is they all checksum out to the same malware. I am trying to figure out the reason for this….