Hackin9

The Christmas period is a nice time to play with some honeypots and share some of the info they have been collecting. Currently I only have two functioning, both of them are located in the US. Each receives 20K or more login attempts per day. I'm using a standard kippo installation, running as a non-root user and using authbind to run the honeypot on port 22. Results are sent to a logging server for collection.

One of the honeypots has no valid password so it will always fail; I'm mainly interested in collecting the various userids and passwords used in the guessing attempts. The other one does have a valid password and I regularly expand its interaction by providing the correct responses utilising the kippo capabilities. The password can be changed by modifying the data/userdb.txt file in the kippo subdirectory. The interaction can be improved by issuing a command, capturing the output and placing the resulting file in the txtcmds directory. For example, sftp is often the first command issued. Locate where sftp is running from (usually /usr/bin). Create the structure under the honeyfs directory, e.g. honeyfs/usr/bin/sftp. Issue the command sftp, capture the output to a file called sftp and place it in the txtcmds directory, following the same structure, so txtcmds/usr/bin/sftp. Now when the command is entered it will get a response and hopefully you will get additional results.

So some stats for December:

  • Unique Passwords used: 136,029
  • Unique Userids used: 305

[Image: tables of the most common guessed passwords and the most common userids]

Dirtiest subnets

The following are the /24 subnets that are most active with a high number of hosts from the same subnet attacking.

  • 103.41.124.0 - HK, CN - AS 63854
  • AS 4134 - https://isc.sans.edu/asreport.html?as=4134
    • 122.225.109.0 - Huzhou, CN
    • 122.225.97.0 - CN
    • 218.2.0.0 - Nanjing, CN
    • 222.186.34.0

Based on the above I'm quite comfortable in saying that blocking anything coming from AS4134 would not be a bad idea.
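To pull the same kind of figures out of your own honeypot, here is an added example (not part of the original diary) that counts unique passwords and userids and ranks /24 subnets by the number of distinct attacking hosts. It assumes kippo's default kippo.log login-attempt line format; the sample lines are constructed and use documentation addresses.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed kippo.log login line; the password may contain "/" or "]", so match it greedily.
LOGIN_RE = re.compile(r"HoneyPotTransport,\d+,(?P<ip>[0-9.]+)\] login attempt "
                      r"\[(?P<user>[^/\]]*)/(?P<password>.*)\] (?:failed|succeeded)$")

# Constructed sample lines using RFC 5737 documentation addresses, not real captures.
SAMPLE_LOG = """\
2014-12-20 10:00:00+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.0.2.10:51234 (10.0.0.5:2222) [session: 11]
2014-12-20 10:00:01+0000 [SSHService ssh-userauth on HoneyPotTransport,11,192.0.2.10] login attempt [root/123456] failed
2014-12-20 10:00:02+0000 [SSHService ssh-userauth on HoneyPotTransport,12,192.0.2.11] login attempt [root/admin] failed
2014-12-20 10:00:03+0000 [SSHService ssh-userauth on HoneyPotTransport,13,192.0.2.12] login attempt [admin/123456] failed
2014-12-20 10:00:04+0000 [SSHService ssh-userauth on HoneyPotTransport,14,198.51.100.7] login attempt [root/123456] failed
2014-12-20 10:00:05+0000 [SSHService ssh-userauth on HoneyPotTransport,14,198.51.100.7] login attempt [root/p@ss/w]rd] failed
2014-12-20 10:00:06+0000 [SSHService ssh-userauth on HoneyPotTransport,15,203.0.113.5] login attempt [ubnt/ubnt] succeeded
"""

def parse_attempts(lines):
    """Yield (ip, /24 network, userid, password) for each login attempt line."""
    for line in lines:
        m = LOGIN_RE.search(line.rstrip())
        if not m:
            continue  # connection, session and command lines
        try:
            net = ipaddress.ip_network(m["ip"] + "/24", strict=False)
        except ValueError:
            continue  # malformed address in the log line
        yield m["ip"], str(net), m["user"], m["password"]

def summarize(lines, top=3):
    users, passwords, per_net = Counter(), Counter(), Counter()
    hosts = defaultdict(set)
    for ip, net, user, password in parse_attempts(lines):
        users[user] += 1
        passwords[password] += 1
        per_net[net] += 1
        hosts[net].add(ip)
    # "Dirtiest" = most distinct attacking hosts in the /24, ties broken by volume.
    ranked = sorted(hosts, key=lambda n: (-len(hosts[n]), -per_net[n]))[:top]
    return {
        "attempts": sum(per_net.values()),
        "unique_passwords": len(passwords),
        "unique_userids": len(users),
        "top_password": passwords.most_common(1),
        "top_userid": users.most_common(1),
        "dirtiest": [(n, len(hosts[n]), per_net[n]) for n in ranked],
    }
```

Call `summarize(open("log/kippo.log"))` against a real log (the path is an assumption about your installation) to get the same dictionary for live data.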

Passwords

The passwords used in the attempts are quite varied and range from the simple as shown above to much more esoteric and complex passwords such as [email protected]@WSX##EDC, [email protected][email protected], %TGBVFR$#[email protected], WORLDEDU20121123.

There has been some increase in scanning over the past month or so. My previous honeypot run in August 2014 would max out at 1500 attempts per day. The main surprise to me was the wide range of passwords being used. A number of them seem to relate directly to specific types of hardware installed such as modem/routers. Others look like quite robust passwords and may have come from the various password compromises this year. The main message is that if you are running an SSH server it will get attacked and you'd best have some decent passwords and ideally use certificate authentication to secure the server.

If you want to run your own, I'm a fan of kippo, it is simple to set up and there are plenty of guides on how to do it. Make sure you run it on a box that is not a production device and secure it. You do not want to become a staging point for attacks.

If you want to submit your kippo logs, Dr J in this diary https://isc.sans.edu/diary/New+Feature+Live+SSH+Brute+Force+Logs+and+New+Kippo+Client/18433 provides the perl to do so.

Enjoy

Mark H - Shearwater

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 