Intruder alert
So I’ve been running a Secure shell honeypot for about a year or so, so might as well open up the log files and see what people have been l33ting these days.
For the uninitiated, or for normal people, Secure shell (or SSH) is the traditional method that people log in remotely to Linux (or other unix-based) servers.
A honeypot pretends to be a standard login server, but instead of logging into a real server, it allows would-be hackers to fairly easily guess their way into a sandbox environment, where they can be prodded and observed to see what they get up to.
The honeypot reacts like a normal server would, logging any input that it receives, and pretends to do the sorts of things that people normally try to do when they gain unauthorised access to a computer system (i.e. the electronic equivalent of putting graffiti in the toilet stalls and having their way with the photocopier).
And now, what with Julia Gillard declaring a new War on Technology and throwing money at a new “cyber security centre” (which will certainly be money well spent), it should be every citizen’s prerogative to try to see what the evil commies are getting up to on their computer networks.
So after pretty much a full day of number-crunching and regexing the 2012 logfiles, and a second full day of fiddling about with databases and wordpress, this is what I’ve got:
Executive Summary
| Total number of connections: | 143,039 |
|---|---|
| Total number of unique IP addresses: | 1,488 |
| Total number of logins: | 179,671 |
| (failed): | 175,020 |
| (succeeded): | 4,651 |
| Total number of unique usernames: | 18,413 |
| Total number of unique passwords: | 38,010 |
| Total number of unique username/passwords combinations: | 78,568 |
| Total session time: | 65 days, 7 minutes, 51 hours, 29 seconds |
| (minimum session time): | 0 seconds |
| (average session time): | 39.5 seconds |
| (maximum session time): | 2 days, 13 minutes, 35 hours, 27 seconds |
| Total number of interactive commands: | 394 |
| Total number of non-interactive commands: | 59 |
| Total number of file transfers: | 11 |
- I’m getting about 400 connections a day to the honeypot (the honeypot is exposed via a single public IP address)
- There’s a comparatively small number of IP addresses that are connecting
- About 2-3% of the login attempts are successful (I can increase this percentage if I think it’s worthwhile)
- In total, about 2 months of wallclock time has spent by people logged in to the honeypot
- Only a dozen or so logins have attempted to download a file to the honeypot (presumably with the intention of doing nasty things to the system)
Also note that everything in the reports above and below consist of unauthorised login attempts; there’s no reason why an authorised person would attempt to log into the public-facing side of the honeypot..
Network intrustion statistics
Daily
You can click the tabs above the graph in order to see the same statistics using different histogram intervals.
Long sessions are graphed at 1:00:00
If you’re interested in the files people are downloading, the ones I’m seeing (with server names redacted to stop you from inadvertently clicking on the things):
- http://lost.in.████████.ro/haha.tgz
- http://lost.in.████████.ro/mata.tgz
- http://raydennn.████████.net/pico.tgz
- http://████████.se/wru
- http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/W2Ks
- http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/W2Ksp3.exe
- http://root-arhive.████████.am/scanner/gosh.jpg
- http://████████.ucoz.com/GeekzMech,.tgz
- http://www.████████.ro/redirecte_linux_v2.0.tar.gz
- http://████████.altervista.org/boti.tgz
- http://bucuresti.████████.net/R/D/N/udp.pl
- http://ddospower.████████.org/udp.pl
- http://inplm.████████.com/p.jpg
- http://copilash.████████/boti.tgz
- http://bucuresti.████████.net/R/D/N/ryo.tgz
- http://root-arhive.████████.ua/emech/emech-fast.jpg
- http://████████.ucoz.com/nethack.jp
- http://fitza.████████.su/sc/33180.tar
- http://a
- http://████████.djmixtv.net/puffu/gosh.tgz
which also includes a microsoft windows service pack in there, amusingly enough.
I would check out these .tar and .tgz archives to see what’s in there, but hey… only so many hours in the day.
And it’s always amusing to see the sorts of usernames/passwords that people attempt to jiggle the locks with, so:
Top 20 Login credentials
| root | 60513 | 33.680% |
| test | 2395 | 1.333% |
| oracle | 1484 | 0.826% |
| admin | 1441 | 0.802% |
| www | 1306 | 0.727% |
| nagios | 1160 | 0.646% |
| bin | 1153 | 0.642% |
| mysql | 1084 | 0.603% |
| user | 1062 | 0.591% |
| info | 970 | 0.540% |
| support | 967 | 0.538% |
| testuser | 759 | 0.422% |
| ftpuser | 744 | 0.414% |
| webadmin | 705 | 0.392% |
| web | 703 | 0.391% |
| postgres | 651 | 0.362% |
| guest | 591 | 0.329% |
| ts | 585 | 0.326% |
| teamspeak | 582 | 0.324% |
| svn | 551 | 0.307% |
| (other) | 100265 | 55.805% |
The password selection here (second tab above the graph) also predominantly checks for the greatest passwords of all time
An interesting password in the top 10 was “cacutza” coming in at number five. It’s not as popular as “password”, but more popular than “12345”. I couldn’t find anything about it on the net, but according to a Romanian friend of mine, it’s not a word but is close to some urban slang that means prostitute, little shit or a poisoning plant. You learn something new every day 🙂
Top 20 IP addresses
 |
219.143.227.168 | 15336 | 10.721% |
 |
69.175.14.226 | 8433 | 5.895% |
|
184.106.247.121 | 7812 | 5.461% |
|
111.161.39.241 | 6486 | 4.534% |
|
67.55.73.7 | 5153 | 3.602% |
|
222.23.50.196 | 4912 | 3.434% |
|
159.226.114.188 | 4283 | 2.994% |
|
65.116.132.231 | 4177 | 2.920% |
|
122.49.41.206 | 3602 | 2.518% |
|
220.231.57.157 | 3465 | 2.422% |
|
42.121.86.193 | 3144 | 2.198% |
 |
115.254.40.205 | 2863 | 2.002% |
|
123.129.222.170 | 2674 | 1.869% |
 |
177.43.116.178 | 2572 | 1.798% |
 |
122.155.161.9 | 2271 | 1.588% |
|
117.239.131.1 | 2161 | 1.511% |
 |
93.189.118.184 | 1861 | 1.301% |
|
120.192.167.22 | 1769 | 1.237% |
 |
101.78.154.120 | 1731 | 1.210% |
 |
31.222.190.113 | 1731 | 1.210% |
 |
(other) | 56603 | 39.572% |
I should probably point out that it’s relatively simple to proxy a login request through another machine, so it’s highly likely that the countries above aren’t a real indication of the source of the attacker. So remember to take that into account before you go and declare war on them.
Still, it makes the charts look pretty.
Location
|
China | 67812 | 47.407% |
|
United States | 29562 | 20.667% |
|
India | 9363 | 6.546% |
 |
Korea, Republic of | 5183 | 3.623% |
|
Thailand | 4448 | 3.110% |
|
Brazil | 3373 | 2.358% |
|
Hong Kong | 2487 | 1.739% |
 |
Philippines | 2329 | 1.628% |
|
United Kingdom | 2086 | 1.458% |
|
Hungary | 1903 | 1.330% |
 |
Taiwan | 1274 | 0.891% |
 |
Canada | 1157 | 0.809% |
 |
Colombia | 1051 | 0.735% |
 |
Turkey | 920 | 0.643% |
 |
Vietnam | 797 | 0.557% |
 |
Spain | 764 | 0.534% |
 |
Ecuador | 731 | 0.511% |
 |
Japan | 682 | 0.477% |
 |
Senegal | 665 | 0.465% |
 |
Russian Federation | 625 | 0.437% |
If I had even a shred of business nouse I’d throw that all into a webapp or bundle it into a programmable network appliance and get people to pay me, oh, $200 a pop for it. Leave a message in the comment sections below if you’re interested, incidentally.
Not that you can actually do that much with the information, but I guess it’s always nice to know what people are trying to do with random IP addresses out on the internet.
Especially if it’s your random IP addresses out on the internet.
Update 30/1/2013: Added the bit about cacutza in the password section.
Update 6/5/2013: If you find this interesting, you might also want to look at another kippo analysis at http://blog.macuyiko.com/2011/03/running-ssh-honeypot-with-kippo-lets.html .
Update 17/12/2023: So apparently this is now called cowrie, not kippo. Also noticed that someone else has produced some software to produce the same kinds of charts that I’ve got above. At some stage I’ll rejig all this for the cowrie server I kicked off a month or two ago.
Related Posts
About The Author
Really interesting. You should take a look in those files! I’m curious. haha.tgz… gosh.jpg … they are downloading to your honeypot then down to thier own servers from there?
Yeah should do 🙂
As far as I can see it’s just to the honeypot… the honeypot allows the download to take place, but doesn’t let them unzip, view or run the downloads from there.
I might try to find some interesting sessions and transcribe the complete list of commands they enter up on the blog…
So, I just need to install, config Kippo and be connected to the net, using a static-manual public-IP, and there will be poeple willing to log-in to my faux-server?
Interesting…
Yeah, pretty much, I don’t think you even need a static IP, since I imagine there are people (and/or machines operating within the american homeland security bunkers) that are port-scanning the entire IP address space, but it would help as far as getting consistent data out of the thing.
I haven’t looked at the logs in a while… I guess I should probably write a script to keep these graphs up-to-date. It’d be interesting to see if I get higher or lower number of connection attempts to port 22 than to port 80.