Secure Honey

SSH honeypot written in C

Hiding Behind Multiple IPs

Friday 13th December 2013 10:34

This week's blog post will be fairly brief as I've not had a lot of time to work on the project due to other commitments (mostly end of university term and run-up to Christmas).

Last week I set up a pure honeypot running under Ubuntu. I was hoping to discuss details of attacks that took place on the pure honeypot in this week's post - but I've not had a chance to run the honeypot for long this week.

I want to ensure I can be near my computer for pretty much a whole day so I can run the honeypot and monitor its logs. The only free day I had was yesterday and, frustratingly, there were zero attacks on the honeypot yesterday.

Also, attacks on the low-interaction C honeypot have dropped over the past few days. The table below shows the number of login attempts on the honeypot over the past 10 days:

date              # attempts
Fri 13 Dec 2013            6
Thu 12 Dec 2013            7
Wed 11 Dec 2013          215
Tue 10 Dec 2013           23
Mon  9 Dec 2013           35
Sun  8 Dec 2013        2,193
Sat  7 Dec 2013           37
Fri  6 Dec 2013           30
Thu  5 Dec 2013           65
Wed  4 Dec 2013           40

The table above shows that Sunday the 8th of December was the busiest day yet for the low-interaction honeypot, with 2,193 brute-force attempts, but that yesterday and today have seen only 7 and 6 attempts respectively.

Multiple IP Addresses; Same Attack

One noticeable attack this week came from two separate IP addresses but consisted of exactly the same sequence of credentials:

date                      ip               username  password   honeypot
Sun 8 Dec 2013, 11:29:38  122.***.***.**   admin     admin123   charlie
Sun 8 Dec 2013, 11:29:42  122.***.***.**   root      root123    charlie
Sun 8 Dec 2013, 11:29:49  122.***.***.**   user      user123    charlie
Sun 8 Dec 2013, 11:29:52  122.***.***.**   guest     guest123   charlie
Sun 8 Dec 2013, 11:29:57  122.***.***.**   root      raspberry  charlie
Sun 8 Dec 2013, 11:30:01  122.***.***.**   xbian     raspberry  charlie
Sun 8 Dec 2013, 11:30:07  122.***.***.**   D-Link    D-Link     charlie
Sun 8 Dec 2013, 11:30:14  122.***.***.**   root      synopass   charlie
Sun 8 Dec 2013, 11:30:22  122.***.***.**   cisco     cisco      charlie
Sun 8 Dec 2013, 11:30:29  122.***.***.**   student   student    charlie
Sun 8 Dec 2013, 11:30:34  122.***.***.**   oracle    oracle     charlie
Sun 8 Dec 2013, 15:21:31  54.***.***.***   admin     admin123   charlie
Sun 8 Dec 2013, 15:21:33  54.***.***.***   root      root123    charlie
Sun 8 Dec 2013, 15:21:36  54.***.***.***   user      user123    charlie
Sun 8 Dec 2013, 15:21:39  54.***.***.***   guest     guest123   charlie
Sun 8 Dec 2013, 15:21:41  54.***.***.***   root      raspberry  charlie
Sun 8 Dec 2013, 15:21:44  54.***.***.***   xbian     raspberry  charlie
Sun 8 Dec 2013, 15:21:47  54.***.***.***   D-Link    D-Link     charlie
Sun 8 Dec 2013, 15:21:50  54.***.***.***   root      synopass   charlie
Sun 8 Dec 2013, 15:21:53  54.***.***.***   cisco     cisco      charlie
Sun 8 Dec 2013, 15:21:55  54.***.***.***   student   student    charlie
Sun 8 Dec 2013, 15:21:58  54.***.***.***   oracle    oracle     charlie

The data above shows the same attack arriving from two different IP addresses: 54.***.***.*** (Ireland) and 122.***.***.** (Australia). Both sessions work through the same eleven username/password pairs in the same order, roughly four hours apart. This could be one attacker using two source addresses, or two unrelated hosts running the same attack script. Given that the attacks came within a few hours of each other and used an identical credential list in an identical order, it seems more probable that it's the same attacker hiding behind two different IP addresses. One detail worth noting is that the second run is quicker (two to three seconds between attempts, against three to eight for the first), which is what you would expect from the same list being run from a different host rather than from a single process being retried.

Again, a similar attack coming in from multiple IP addresses is shown below:

date                      ip               username  password   honeypot
Mon 9 Dec 2013, 00:51:50  113.*.***.*      root      root       charlie
Mon 9 Dec 2013, 00:51:53  113.*.***.*      root      password   charlie
Mon 9 Dec 2013, 00:51:55  113.*.***.*      root      111111     charlie
Mon 9 Dec 2013, 00:51:58  113.*.***.*      root      123456     charlie
Mon 9 Dec 2013, 00:52:14  113.*.***.*      root      root       alpha
Mon 9 Dec 2013, 00:52:17  113.*.***.*      root      password   alpha
Mon 9 Dec 2013, 00:52:20  113.*.***.*      root      111111     alpha
Mon 9 Dec 2013, 00:52:22  113.*.***.*      root      123456     alpha
Mon 9 Dec 2013, 04:27:15  190.***.***.**   root      root       alpha
Mon 9 Dec 2013, 04:27:17  190.***.***.**   root      password   alpha
Mon 9 Dec 2013, 04:27:20  190.***.***.**   root      111111     alpha
Mon 9 Dec 2013, 04:27:22  190.***.***.**   root      123456     alpha
Mon 9 Dec 2013, 09:01:24  46.***.***.**    root      root       charlie
Mon 9 Dec 2013, 09:01:26  46.***.***.**    root      password   charlie
Mon 9 Dec 2013, 09:01:28  46.***.***.**    root      111111     charlie
Mon 9 Dec 2013, 09:01:30  46.***.***.**    root      123456     charlie
Mon 9 Dec 2013, 09:01:37  46.***.***.**    root      root       alpha
Mon 9 Dec 2013, 09:01:39  46.***.***.**    root      password   alpha
Mon 9 Dec 2013, 09:01:41  46.***.***.**    root      111111     alpha
Mon 9 Dec 2013, 09:01:43  46.***.***.**    root      123456     alpha
Mon 9 Dec 2013, 18:26:53  46.***.***.**    root      root       charlie
Mon 9 Dec 2013, 18:26:56  46.***.***.**    root      password   charlie
Mon 9 Dec 2013, 18:26:58  46.***.***.**    root      111111     charlie
Mon 9 Dec 2013, 18:27:00  46.***.***.**    root      123456     charlie
Mon 9 Dec 2013, 18:27:11  46.***.***.**    root      root       alpha
Mon 9 Dec 2013, 18:27:13  46.***.***.**    root      password   alpha
Mon 9 Dec 2013, 18:27:15  46.***.***.**    root      111111     alpha
Mon 9 Dec 2013, 18:27:17  46.***.***.**    root      123456     alpha

The table above shows that the attacking IP addresses are 113.*.***.* (China), 190.***.***.** (Chile) and 46.***.***.** (Germany) and that, despite appearing to originate from different IP addresses, the attacks are the same. Each one consists of nothing more than the username "root" with the passwords "root", "password", "111111" and "123456", tried in that order, and the 113.* and 46.* addresses ran the list against both honeypots (charlie, then alpha) within seconds of each other, with the 46.* address coming back to repeat it about nine hours later.

This data strongly supports the theory that attackers are hiding behind the masks of multiple IP addresses (or, just as plausibly, that a single attack script is being run from many compromised or rented hosts). Either way, the number of unique IP addresses that attack the honeypot is not a good indicator of the number of unique attackers, and the ordered credential list is a far better key for grouping attacks than the source address.
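The grouping described above, as an added example that is not part of the original post or the Secure Honey code: it splits login attempts into sessions per source address and honeypot, hashes each session's ordered credential list into a fingerprint, and reports which fingerprints were seen from more than one IP address. The log line layout (date, time, ip, honeypot, username, password), the five-minute session gap and the sample data are all assumptions; the sample is constructed to mirror the two attacks in the tables, with RFC 5737 documentation addresses standing in for the masked IPs and one unrelated attempt added.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log modelled on the attacks in the post. The line layout
# is an assumption (the real honeypot's log format is not shown on the page);
# the IPs are RFC 5737 documentation addresses standing in for the masked ones.
SAMPLE_LOG = """\
2013-12-08 11:29:38 192.0.2.10 charlie admin admin123
2013-12-08 11:29:42 192.0.2.10 charlie root root123
2013-12-08 11:29:49 192.0.2.10 charlie user user123
2013-12-08 11:29:52 192.0.2.10 charlie guest guest123
2013-12-08 11:29:57 192.0.2.10 charlie root raspberry
2013-12-08 11:30:01 192.0.2.10 charlie xbian raspberry
2013-12-08 15:21:31 198.51.100.7 charlie admin admin123
2013-12-08 15:21:33 198.51.100.7 charlie root root123
2013-12-08 15:21:36 198.51.100.7 charlie user user123
2013-12-08 15:21:39 198.51.100.7 charlie guest guest123
2013-12-08 15:21:41 198.51.100.7 charlie root raspberry
2013-12-08 15:21:44 198.51.100.7 charlie xbian raspberry
2013-12-09 00:51:50 203.0.113.5 charlie root root
2013-12-09 00:51:53 203.0.113.5 charlie root password
2013-12-09 00:51:55 203.0.113.5 charlie root 111111
2013-12-09 00:51:58 203.0.113.5 charlie root 123456
2013-12-09 00:52:14 203.0.113.5 alpha root root
2013-12-09 00:52:17 203.0.113.5 alpha root password
2013-12-09 00:52:20 203.0.113.5 alpha root 111111
2013-12-09 00:52:22 203.0.113.5 alpha root 123456
2013-12-09 04:27:15 203.0.113.77 alpha root root
2013-12-09 04:27:17 203.0.113.77 alpha root password
2013-12-09 04:27:20 203.0.113.77 alpha root 111111
2013-12-09 04:27:22 203.0.113.77 alpha root 123456
2013-12-09 12:00:00 192.0.2.200 charlie root toor
"""

SESSION_GAP = timedelta(minutes=5)  # assumed: a pause this long starts a new session


def parse(log_text):
    """Yield (timestamp, ip, honeypot, username, password) for each log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        # maxsplit=5 keeps any spaces inside the password intact
        date, time, ip, honeypot, user, password = line.split(maxsplit=5)
        yield datetime.fromisoformat(f"{date} {time}"), ip, honeypot, user, password


def sessionize(events):
    """Group attempts into sessions keyed by (ip, honeypot), splitting on long gaps."""
    by_source = defaultdict(list)
    for ev in sorted(events):
        by_source[(ev[1], ev[2])].append(ev)
    sessions = []
    for (ip, honeypot), evs in by_source.items():
        current = [evs[0]]
        for prev, ev in zip(evs, evs[1:]):
            if ev[0] - prev[0] > SESSION_GAP:
                sessions.append((ip, honeypot, current))
                current = []
            current.append(ev)
        sessions.append((ip, honeypot, current))
    return sessions


def fingerprint(evs):
    """Hash the ordered credential list: order matters, source and timing do not."""
    seq = "\n".join(f"{user}\x00{password}" for *_, user, password in evs)
    return hashlib.sha256(seq.encode()).hexdigest()[:16]


def mean_gap(evs):
    """Mean seconds between attempts; separates hosts running the same list at different speeds."""
    if len(evs) < 2:
        return 0.0
    return (evs[-1][0] - evs[0][0]).total_seconds() / (len(evs) - 1)


def cluster(log_text):
    """Map each credential-sequence fingerprint to the IPs and sessions that used it."""
    clusters = defaultdict(lambda: {"ips": set(), "sessions": 0, "gaps": [], "creds": []})
    for ip, honeypot, evs in sessionize(parse(log_text)):
        c = clusters[fingerprint(evs)]
        c["ips"].add(ip)
        c["sessions"] += 1
        c["gaps"].append(round(mean_gap(evs), 1))
        c["creds"] = [(user, password) for *_, user, password in evs]
    return dict(clusters)


def summarize(log_text):
    """Compare the unique-IP count with the number of distinct attack scripts seen."""
    clusters = cluster(log_text)
    unique_ips = {ip for _, ip, *_ in parse(log_text)}
    shared = {fp: sorted(c["ips"]) for fp, c in clusters.items() if len(c["ips"]) > 1}
    return {"unique_ips": len(unique_ips), "distinct_scripts": len(clusters), "shared": shared}


if __name__ == "__main__":
    for fp, c in cluster(SAMPLE_LOG).items():
        print(fp, sorted(c["ips"]), c["sessions"], "session(s), mean gaps", c["gaps"])
    print(summarize(SAMPLE_LOG))
```

On the constructed sample the summary reports five unique IP addresses but only three distinct credential sequences, two of which were each seen from two addresses; the per-session mean gaps show the second copy of the six-pair list running about twice as fast as the first. A shared fingerprint on its own only proves a shared wordlist and order, so the gap and the honeypot-to-honeypot timing are the extra signals to look at before calling two addresses the same operator.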

Finally, this week I've also been working on my book review for Jon Erickson's Hacking: The Art of Exploitation. I'm about half way through writing the review, so aiming to publish the post next week.

Image credit: "Masks" by ohad*, flickr.com/photos/ohadby/26168831
