Intruder alert

| January 28, 2013 | Internet, Programming | 5 Comments
Danger Will Robinson!
Danger Will Robinson!

So I’ve been running a Secure shell honeypot for about a year or so, so might as well open up the log files and see what people have been l33ting these days.

For the uninitiated, or for normal people, Secure shell (or SSH) is the traditional method that people log in remotely to Linux (or other unix-based) servers.

A honeypot pretends to be a standard login server, but instead of logging into a real server, it allows would-be hackers to fairly easily guess their way into a sandbox environment, where they can be prodded and observed to see what they get up to.

The honeypot reacts like a normal server would, logging any input that it receives, and pretends to do the sorts of things that people normally try to do when they gain unauthorised access to a computer system (i.e. the electronic equivalent of putting graffiti in the toilet stalls and having their way with the photocopier).

And now, what with Julia Gillard declaring a new War on Technology and throwing money at a new “cyber security centre” (which will certainly be money well spent), it should be every citizen’s prerogative to try to see what the evil commies are getting up to on their computer networks.

So after pretty much a full day of number-crunching and regexing the 2012 logfiles, and a second full day of fiddling about with databases and wordpress, this is what I’ve got:

Executive Summary

Total number of connections: 143,039
 
Total number of unique IP addresses: 1,488
 
Total number of logins: 179,671
(failed): 175,020
(succeeded): 4,651
 
Total number of unique usernames: 18,413
Total number of unique passwords: 38,010
Total number of unique username/passwords combinations: 78,568
 
Total session time: 65 days, 7 minutes, 51 hours, 29 seconds
(minimum session time): 0 seconds
(average session time): 39.5 seconds
(maximum session time): 2 days, 13 minutes, 35 hours, 27 seconds
 
Total number of interactive commands: 394
Total number of non-interactive commands: 59
 
Total number of file transfers: 11
▲ So a couple of interesting stats to start off with:

  • I’m getting about 400 connections a day to the honeypot (the honeypot is exposed via a single public IP address)
  • There’s a comparatively small number of IP addresses that are connecting
  • About 2-3% of the login attempts are successful (I can increase this percentage if I think it’s worthwhile)
  • In total, about 2 months of wallclock time has spent by people logged in to the honeypot
  • Only a dozen or so logins have attempted to download a file to the honeypot (presumably with the intention of doing nasty things to the system)

Also note that everything in the reports above and below consist of unauthorised login attempts; there’s no reason why an authorised person would attempt to log into the public-facing side of the honeypot..

Network intrustion statistics

Connections
1) How many connections are made to my computer network over time ?
▲ The gaps in the connections (during February, and July-August) here are most likely to the honeypot not running during those times.

You can click the tabs above the graph in order to see the same statistics using different histogram intervals.

Login attempts
2) How many (failed and successful) login attempts are made to my computer network over time ?
▲ Login attempts closely matches the connections graph. The spike at the beginning of the year was due to some enterprising people performing what appears to be thousands of separate login attempts over a much smaller number of connections.
Logins
3) How many successful login attempts are made to my computer network over time ?
▲ A bit of variation here, but averaging about 300 successful logins to the honeypot every month.
Session time
4) How long do successful login sessions last (in hours:minutes:seconds) ?
Long sessions are graphed at 1:00:00
▲ Not sure how useful this is, but thought it would be interesting to see how long people stay logged on to the honeypot. Pretty much everyone has logged out within 6 minutes, except for a handful of connections that stay on for much longer. The graph above is clipped on the vertical axis at 1hr; any sessions over this time have their login time printed next to the marker
Commands
5) How many commands are run during successful logins to my computer network ?
▲ Surprisingly few people even attempt running any commands once they gain access to the system
File transfers
6) How many files are transferred during successful logins to my computer network ?
▲ And here are the nasty people who are trying to download malware or rootkit the machine.

If you’re interested in the files people are downloading, the ones I’m seeing (with server names redacted to stop you from inadvertently clicking on the things):

  • http://lost.in.████████.ro/haha.tgz
  • http://lost.in.████████.ro/mata.tgz
  • http://raydennn.████████.net/pico.tgz
  • http://████████.se/wru
  • http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/W2Ks
  • http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/W2Ksp3.exe
  • http://root-arhive.████████.am/scanner/gosh.jpg
  • http://████████.ucoz.com/GeekzMech,.tgz
  • http://www.████████.ro/redirecte_linux_v2.0.tar.gz
  • http://████████.altervista.org/boti.tgz
  • http://bucuresti.████████.net/R/D/N/udp.pl
  • http://ddospower.████████.org/udp.pl
  • http://inplm.████████.com/p.jpg
  • http://copilash.████████/boti.tgz
  • http://bucuresti.████████.net/R/D/N/ryo.tgz
  • http://root-arhive.████████.ua/emech/emech-fast.jpg
  • http://████████.ucoz.com/nethack.jp
  • http://fitza.████████.su/sc/33180.tar
  • http://a
  • http://████████.djmixtv.net/puffu/gosh.tgz

which also includes a microsoft windows service pack in there, amusingly enough.

I would check out these .tar and .tgz archives to see what’s in there, but hey… only so many hours in the day.

And it’s always amusing to see the sorts of usernames/passwords that people attempt to jiggle the locks with, so:

Top 20 Login credentials

Login credentials

Top 20 usernames
1) What are the most-commonly supplied usernames during login attempts to my computer network ?

root 60513 33.680%
test 2395 1.333%
oracle 1484 0.826%
admin 1441 0.802%
www 1306 0.727%
nagios 1160 0.646%
bin 1153 0.642%
mysql 1084 0.603%
user 1062 0.591%
info 970 0.540%
support 967 0.538%
testuser 759 0.422%
ftpuser 744 0.414%
webadmin 705 0.392%
web 703 0.391%
postgres 651 0.362%
guest 591 0.329%
ts 585 0.326%
teamspeak 582 0.324%
svn 551 0.307%
(other) 100265 55.805%

▲ Nothing too surprising here. The root user is the superuser for unix machines, so if you gain access to that you’ve essentially got complete control of the system.

The password selection here (second tab above the graph) also predominantly checks for the greatest passwords of all time

An interesting password in the top 10 was “cacutza” coming in at number five. It’s not as popular as “password”, but more popular than “12345”. I couldn’t find anything about it on the net, but according to a Romanian friend of mine, it’s not a word but is close to some urban slang that means prostitute, little shit or a poisoning plant. You learn something new every day 🙂

Top 20 IP addresses

IP addresses

Top 20 IP addresses (by connection)
4) Which IP addresses are connecting to my computer network ?

219.143.227.168 15336 10.721%
69.175.14.226 8433 5.895%
184.106.247.121 7812 5.461%
111.161.39.241 6486 4.534%
67.55.73.7 5153 3.602%
222.23.50.196 4912 3.434%
159.226.114.188 4283 2.994%
65.116.132.231 4177 2.920%
122.49.41.206 3602 2.518%
220.231.57.157 3465 2.422%
42.121.86.193 3144 2.198%
115.254.40.205 2863 2.002%
123.129.222.170 2674 1.869%
177.43.116.178 2572 1.798%
122.155.161.9 2271 1.588%
117.239.131.1 2161 1.511%
93.189.118.184 1861 1.301%
120.192.167.22 1769 1.237%
101.78.154.120 1731 1.210%
31.222.190.113 1731 1.210%
(other) 56603 39.572%

▲ If you hover your cursor over the IP addresses in the legend at the right of the graphs to see a reverse DNS lookup of that IP. You can also hover over the flags to see the city/country of that IP according to the Free Maxmind GeoIP database

I should probably point out that it’s relatively simple to proxy a login request through another machine, so it’s highly likely that the countries above aren’t a real indication of the source of the attacker. So remember to take that into account before you go and declare war on them.

Still, it makes the charts look pretty.

Location

Location

Top 20 countries (by connection)
10) Which countries are making connections to my computer network ?

China 67812 47.407%
United States 29562 20.667%
India 9363 6.546%
Korea, Republic of 5183 3.623%
Thailand 4448 3.110%
Brazil 3373 2.358%
Hong Kong 2487 1.739%
Philippines 2329 1.628%
United Kingdom 2086 1.458%
Hungary 1903 1.330%
Taiwan 1274 0.891%
Canada 1157 0.809%
Colombia 1051 0.735%
Turkey 920 0.643%
Vietnam 797 0.557%
Spain 764 0.534%
Ecuador 731 0.511%
Japan 682 0.477%
Senegal 665 0.465%
Russian Federation 625 0.437%

▲ So that’s a lot of connections from China and the US then. Good thing that no-one in the US would ever think of proxying their requests through a server in another country.

If I had even a shred of business nouse I’d throw that all into a webapp or bundle it into a programmable network appliance and get people to pay me, oh, $200 a pop for it. Leave a message in the comment sections below if you’re interested, incidentally.

Not that you can actually do that much with the information, but I guess it’s always nice to know what people are trying to do with random IP addresses out on the internet.

Especially if it’s your random IP addresses out on the internet.

Update 30/1/2013: Added the bit about cacutza in the password section.

Update 6/5/2013: If you find this interesting, you might also want to look at another kippo analysis at http://blog.macuyiko.com/2011/03/running-ssh-honeypot-with-kippo-lets.html .

Update 17/12/2023: So apparently this is now called cowrie, not kippo. Also noticed that someone else has produced some software to produce the same kinds of charts that I’ve got above. At some stage I’ll rejig all this for the cowrie server I kicked off a month or two ago.

Tags:, ,

Related Posts

About The Author

knoxg

5 Comments
  1. Chris Reply

    Really interesting. You should take a look in those files! I’m curious. haha.tgz… gosh.jpg … they are downloading to your honeypot then down to thier own servers from there?

    • knoxg Reply

      Yeah should do 🙂

      As far as I can see it’s just to the honeypot… the honeypot allows the download to take place, but doesn’t let them unzip, view or run the downloads from there.

      I might try to find some interesting sessions and transcribe the complete list of commands they enter up on the blog…

  2. Joy Reply

    So, I just need to install, config Kippo and be connected to the net, using a static-manual public-IP, and there will be poeple willing to log-in to my faux-server?
    Interesting…

    • knoxg Reply

      Yeah, pretty much, I don’t think you even need a static IP, since I imagine there are people (and/or machines operating within the american homeland security bunkers) that are port-scanning the entire IP address space, but it would help as far as getting consistent data out of the thing.

      I haven’t looked at the logs in a while… I guess I should probably write a script to keep these graphs up-to-date. It’d be interesting to see if I get higher or lower number of connection attempts to port 22 than to port 80.

Add a Comment

Your email address will not be published. Required fields are marked *