
Kippo SSH honeypot over the years December 24, 2012

Posted by lvdeijk in Uncategorized.

For over two years now, my SSH honeypot kippo (developed by Upi Tamminen) has been receiving “visits” from all over the world. With an easy-to-guess root password, 123456, chosen to shorten the brute-force attacks, I have gathered some interesting data and statistics.

So to sum things up:

First attack on Monday, 26-Jul-2010, 09:11 AM
Total login attempts 474433
Distinct source IP addresses 2254

With the help of the kippo-graph project by @ikoniaris, here are some stats:

[image: top10_passwords]


So, almost half a million login attempts. That's a lot, considering the honeypot holds only one IP address!
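As an added illustration (not the author's code and not kippo-graph's), here is how the headline numbers above, first attack, total attempts, distinct source IPs and top passwords, can be pulled from kippo's text log. The line format and the sample lines are constructed in the style of kippo's `login attempt [user/pass] succeeded|failed` messages, not taken from this honeypot.

```python
import re
from collections import Counter

# Constructed sample log, in the style of kippo's text log (assumed format:
# "<date> <time+tz> [SSHService ssh-userauth on HoneyPotTransport,<n>,<ip>]
#  login attempt [<user>/<password>] <succeeded|failed>"). Documentation IPs only.
SAMPLE_LOG = """\
2010-07-26 09:11:03+0200 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.5] login attempt [root/password] failed
2010-07-26 09:11:05+0200 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.5] login attempt [root/123456] succeeded
2010-07-26 11:40:19+0200 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/toor] failed
2010-07-26 11:40:21+0200 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/123456] succeeded
2010-07-27 02:15:44+0200 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.5] login attempt [admin/admin] failed
2010-07-27 02:15:46+0200 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.5] login attempt [root/123456] failed
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] (?P<result>succeeded|failed)$"
)


def parse_login_attempts(text):
    """Yield one dict per login-attempt line; any other kippo log line is skipped."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(text, top_n=10):
    """Compute the same headline figures kippo-graph reports for a log."""
    attempts = list(parse_login_attempts(text))
    return {
        # Timestamps share one UTC offset here, so string order equals time order.
        "first_attack": min(a["ts"] for a in attempts) if attempts else None,
        "total_attempts": len(attempts),
        "distinct_ips": len({a["ip"] for a in attempts}),
        "top_passwords": Counter(a["password"] for a in attempts).most_common(top_n),
        # Sources that got "in": the ones whose later commands are worth reviewing.
        "successful_ips": sorted({a["ip"] for a in attempts if a["result"] == "succeeded"}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```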

When the attackers are “in” they do all kinds of things. They change the root password for future use, which is fine by me. This way I get some extra insight into the passwords they commonly use. The password isn't really changed, of course; the honeypot just plays along.

They download Windows service packs, for instance. When done, they throw them away again. Why? Well, my guess is that they are just testing my bandwidth to determine the amount of spam they could send out.
Some attacks seem to have similarities, like checking the CPU info, for instance.

And yes, they download the tools of their trade.

Here some numbers on that:

Total number of downloads 774
Distinct number of downloads 510

And they simply use the wget command to copy their tools from download locations like
And you know what, that's just fine by me too. Oh, and thanks for the copy!
They can even unpack the tools. But no, they can’t use them. We don’t want to be a staging point for them to attack more machines now, do we?

So, who are those people? Well, they are criminals for a start! Where do they come from? Analyzing the tools shows a lot of Romanian comment lines in their scripts. But that doesn't mean the attackers have to come from Romania as well! They can come from all over the world.

Here is my top 10
And this is an image with worldwide results

[image: world]
The grey icons mean at least one attack and the blue ones more than one.

So there are people out there that make money using other people's bandwidth. It seems they don't even care if they are detected. Some of them even tried to communicate with me (swear words mostly).

It was interesting to see how the attacks developed: the tools the attackers used, and yes, even the typos they made.
Fun times in general and most important, I learned a lot from my adversaries.
I plan to deploy more honeypots like kippo in the coming year.

If people are interested in more information about the wonderful world of honeypots, do visit the honeynet project page or donate to this great non-profit organisation.
Follow @ProjectHoneynet on twitter or “like” the facebook page for the latest updates and information on the various honeypot projects and challenges.

2012 has been a good year. Let's make 2013 even better!
Cheers!
