SSH Vandals?
I had an interesting detect in one of my kippo honeypots last week. Kippo, if you are not familiar with, is a script simulating an ssh server. It is typically configured to allow root logins with weak passwords and can be the source of never ending entertainment as you see confused script kiddies. The honeypot logs key strokes and is able to replay them in "real time".
In this particular case, the attacker logged in, and issues the following commands:
kippo:~# w 06:37:29 up 14 days, 3:53, 1 user, load average: 0.08, 0.02, 0.01 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root pts/0 151.81.3.83 06:37 0.00s 0.00s 0.00s w kippo:~# ps x PID TTY TIME CMD 5673 pts/0 00:00:00 bash 5677 pts/0 00:00:00 ps x kippo:~# kill -9 -1 kippo:~#
In short, the attacker went in, did minimal recognizance, and then went ahead killing the system (terminating all processes with a PID larger then 1). A real system would be unresponsive as a result.
Not clear if this is a vigilante/vandal killing badly configured ssh server, or if this was an intent to detect a honeypot (But then again, the real system would be dead as a result, and there are less destructive ways to detect simple honeypots like kippo.
The speed of the attack suggests that it was performed manually. We do not see a big change in ssh probes overall.
Any ideas? Has anybody seen similar "vandals"?
-----------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
My next class:
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 13th - Dec 18th 2024 |
×
Diary Archives
Comments
Rick
Sep 15th 2011
1 decade ago
Ace
Sep 15th 2011
1 decade ago
Joshua
Sep 15th 2011
1 decade ago
dsh
Sep 15th 2011
1 decade ago
G
Sep 15th 2011
1 decade ago
Still, pretty weird behaviour, even for a hacker, but one way to detect 'dumb' honeypots I guess.
Dom De Vitto
Sep 16th 2011
1 decade ago
How can you tell the difference between a Honeypot, and a real system that was rigged to make an attempted intruder THINK it was a honeypot?
Mysid
Sep 16th 2011
1 decade ago
EXAMPLES
kill -9 -1
Kill all processes you can kill.
Regards
matteo
Sep 16th 2011
1 decade ago
TheJan
Sep 16th 2011
1 decade ago
TheJan
Sep 16th 2011
1 decade ago