My Kippo findings after three months

Jan 13, 2013

Three months ago I installed Kippo in a low end VPS of mine. About a month after that, I got bored of manually checking kippo everyday so I made a small script to automate the process. Fast forward another two months and here we're.

In three months time, I had 122.487 bruteforce attempts from 339 different IPs. Of said attempts, 130 were successful on finding the correct password(s). I set up Kippo to accept two different easy-to-guess passwords for the root account. People interacted with the honeypot (as in logged in and tried to download files, etc) only 16 times out of those 130. The rest were just bots logging in and logging out.

The first command every attacker runs after logging in is w, followed by cat /proc/cpuinfo. Ten out of the sixteen attackers logged out after seeing the results of /proc/cpuinfo. I guess people know about Kippo and recognize it by /proc/cpuinfo. After noticing that, I changed mine – something I suggest everyone to do as Kippo by default is easily identified. There were a few hits where people thought it's an actual server and not a honeypot and tried downloading some of their tools. I disabled wget but made it look like it's there, so it was funny seeing them figuring out why they can't download their files.

Unfortunately, I haven't come across any new web shell; only some IRC bots, so nothing interesting to post about there.

Of the 122.487 previously mentioned attempts, I've gathered 30.048 unique passwords (around 29.500 if you don't count extra whitespace) and 8.525 usernames. I run both of the lists containing passwords and usernames against pipal. By far (49.12%) the most used username is root followed by test (0.8%).

For more details on both of the reports check my Kippo findings page.

Tags: honeypot security