Over the last month, I’ve been running Kippo which is an SSH honeypot designed to log brute force attacks and shell interactions performed by the attacker. I thought I’d share some of my results which have been quite interesting!

More information about Kippo can be found at:

Starting off with some general stats, I’m surprised to see the amount of attention the honeypot has received:

Screen Shot 2015-09-02 at 21.17.49

This vertical bar chart displays the top 10 username and password combinations that attackers try when attacking the system:

Screen Shot 2015-09-02 at 21.22.13

There seems to be a bit of a theme as to where the connections are coming from (top 5):

Screen Shot 2015-09-02 at 21.27.00

I configured a couple of fairly lame username as password combinations to enable successful logins to see what the attacker next steps would be. The following table displays the top 10 commands (overall) entered by attackers in the honeypot system:

Screen Shot 2015-09-02 at 21.35.15

The honeypot contains a directory for saving files downloaded by the emulated wget command. This is where the following files were found to have been downloaded:

Screen Shot 2015-09-02 at 21.38.40

An md5 sum search on virus total indicates this to be some potentially recently discovered malware, specifically Linux/BillGates x32 i86:

Screen Shot 2015-09-02 at 21.46.48

More information about this family of malware can be found at:

Lets see what the next month brings!