My dear friend Leon tweeted that it took a few minutes for his Kippo install to get its first catch.
I knew that if you go online with SSH password 123456 you will eventually get hacked, but I was curious about how soon that would be.
So I ran a little experiment for the sole purpose of documenting that, and I repeated it on 6 fresh VPS installs in 6 different areas.
Without further ado, here are the results:
New York 1
Started: Wed Mar 5 11:56:05
Owned in: 38 hours
2014-03-07 02:11:12-0500 [SSHService ssh-userauth on HoneyPotTransport,1935,184.108.40.206] login attempt [root/123456] succeeded
Started: Fri Mar 7 07:51:47
Owned in: 11 hours
2014-03-07 18:43:07-0500 [SSHService ssh-userauth on HoneyPotTransport,8,220.127.116.11] login attempt [root/123456] succeeded
San Francisco 1
Started: Fri Mar 7 22:39:59
Owned in: 26 hours
2014-03-09 8:41:19-0500 [SSHService ssh-userauth on HoneyPotTransport,41,18.104.22.168] login attempt [root/123456] succeeded
Started: Sun Mar 9 09:20:05
Owned in: 25 hours
2014-03-10 12:09:29-0500 [SSHService ssh-userauth on HoneyPotTransport,32,22.214.171.124] login attempt [root/123456] succeeded
New York 2
Started: Thu Mar 13 03:45:23
Owned in: 16 hours
2014-03-13 19:37:12-0500 [SSHService ssh-userauth on HoneyPotTransport,35,126.96.36.199] login attempt [root/123456] succeeded
Started: Fri Mar 14 14:00:32
Owned in: 2 hours 47 minutes
2014-03-14 16:47:21-0400 [SSHService ssh-userauth on HoneyPotTransport,0,188.8.131.52] login attempt [root/123456] succeeded
Being only a small sample, it's not safe to jump to conclusions about which place is safer to operate online or which place will supply your honeypot with more juicy data.
But it's safe to say that if you run your SSH facing the internet and the password is 123456, it will eventually be owned.
And I am attaching some logs and network capture files (I apologize for forgetting to collect them every time).
(Note: I updated some timestamps to make the timezones the same.)
If you have similar data, please post it as well.
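
The "Owned in" figures above can be recomputed from a Kippo log. This is an added example, not part of the original post or Kippo's own code: it parses the login-attempt lines in the format quoted above and measures the time from "Started:" to the first accepted login. It assumes failed attempts use the same line layout ending in `failed`, and that the start time shares the year and UTC offset of the log line.

```python
import re
from datetime import datetime

# Auth line format taken from the Kippo log lines quoted in the post.
AUTH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2}[+-]\d{4}) "
    r"\[SSHService ssh-userauth on HoneyPotTransport,(?P<session>\d+),(?P<ip>[^\]]+)\] "
    r"login attempt \[(?P<user>[^/]*)/(?P<password>.*)\] (?P<result>succeeded|failed)$"
)

def parse_auth(line):
    """Return a dict for a Kippo login-attempt line, or None for any other line."""
    m = AUTH_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S%z")
    ev["session"] = int(ev["session"])
    return ev

def time_to_first_success(started, lines):
    """Return (elapsed, failed_before, event) for the first accepted login, else None.

    `started` is the post's "Started:" text; it has no year or UTC offset, so both
    are borrowed from the matching log line (an assumption of this example).
    """
    failed = 0
    for ev in filter(None, map(parse_auth, lines)):
        if ev["result"] == "failed":
            failed += 1
            continue
        start = datetime.strptime(f"{started} {ev['ts'].year}", "%a %b %d %H:%M:%S %Y")
        start = start.replace(tzinfo=ev["ts"].tzinfo)
        return ev["ts"] - start, failed, ev
    return None

# Constructed sample: the two failed lines and the non-auth line are made up
# (192.0.2.0/24 is a documentation range); the last line is quoted from the post.
SAMPLE = [
    "2014-03-05 12:03:44-0500 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.10] login attempt [root/admin] failed",
    "2014-03-05 12:03:46-0500 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.10] login attempt [root/pass]word/1] failed",
    "2014-03-05 12:03:47-0500 [HoneyPotTransport,3,192.0.2.10] connection lost",
    "2014-03-07 02:11:12-0500 [SSHService ssh-userauth on HoneyPotTransport,1935,184.108.40.206] login attempt [root/123456] succeeded",
]

if __name__ == "__main__":
    elapsed, failed, ev = time_to_first_success("Wed Mar 5 11:56:05", SAMPLE)
    print(f"owned after {elapsed} ({failed} failed attempts first) by {ev['ip']} as {ev['user']}/{ev['password']}")
```

Run against a real `kippo.log`, the same function gives the exposure window for a weak credential; the first New York 1 entry works out to 38 hours 15 minutes.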