What You Get After Running an SSH Honeypot for 30 Days
What is a honeypot?
A honeypot detects and records attacks when an attacker tries to break into a system.
The honeypot we will discuss here is an SSH honeypot.
Environment
1 | OS: Ubuntu 24.04 LTS x86_64 |
Login Attempts
1 | cat X.log | grep -c "login attempt" |
There were a total of 11,599 login attempts. Divided by 30 days, this means an average of 386 login attempts per day.
Used Usernames
1 | cat X.log | grep -a "login attempt" | awk '{print $5}' | awk -F "'" '{print $2}' | sort | uniq -c | sort -nr | head |
As expected, there are many attacks that target customary and default usernames.
For the 345gs5662d34
user, according to the Aalborg University of Denmark Research this could be the default credential for a Polycom CX600 IP telephone
Check it here :
SweetCam: an IP Camera Honeypot
Passwords
1 | cat X.log | grep -a "login attempt" | awk '{print $5}' | awk -F "'" '{print $4}' | sort | uniq -c | sort -nr | head |
Once again, the same as the default username for Polycom CX600 IP telephone
Commands executed after login
1 | cat X.log | grep -a "CMD" | awk -F'CMD: ' '{print $2}' | sort | uniq -c | sort -nr |
Now the interesting part starts
The oinasf script
The execution of a mysterious script, ./oinasf
, followed by attempts to read and display the systemโs executable content, indicates a probing strategy for vulnerabilities or valuable information.
The use of /ip cloud print
suggests that bots target MikroTik routers to access or disrupt cloud-based services, while uname -s -m
provides them with essential details about the operating system and machine architecture, valuable for crafting further actions tailored to the systemโs specifics.
In conclusion, these commands represent a clear strategy to infiltrate, assess, and establish control over targeted systems.
They emphasize the botโs preference for direct manipulation and sustained access highlighting the critical need for robust defenses against such common yet potentially devastating tactics.
The mdrfckr crypto miner
This miner would simply create a cron job that would delete everything on the .ssh
folder and add a single ssh key and lock other users out.
After that it would kill other miners if they exist and just have the open field.
You can check this repo of someone who already got hacked and the miner was used on his server : Dump of the crypto-miner that got installed on my system - Github
The MIPS malware
Probably another MIPS (Multiprocessor without Interlocked Pipeline Stages) architecture malware, targeting routers and IoT devices.
Here is a good read and analysis of the behaviour of a MIPS Malware :
Analyzing a Backdoor/Bot for the MIPS Platform
The Sakura.sh Script
This script is part of the Gafgyt Malware.
Gafgyt, also known as BASHLITE, is a botnet affecting Internet of Things (IoT) devices and Linux-based systems. The malware aims to compromise and gain control of these devices, often by exploiting weak or default passwords, as well as known vulnerabilities. Gafgyt has been around since 2014 and has evolved into multiple variants, each with its own set of features and capabilities, including the ability to launch distributed denial of service (DDoS) attacks.
Here is A Detailed Analysis of the Gafgyt Malware Targeting IoT Devices
ยฉ 2024 โ Sofiane Hamlaooui โ Making the world a better place ๐