| Date range | |
| Updated | |
| Total logins | |
| — AWS | |
| — OVH | |
| Unique credentials | |
| Unique IPs | |
| Files uploaded | |
| Malware uploaded |
| SHA256 Digest | Threat Type | First Discovered | Freq. |
|---|
| Command | Freq. |
|---|
| Hosting Provider | Freq. |
|---|
| ISP | Freq. |
|---|
In this blog post we'll deploy the honeypot we made in the previous post (How to build an SSH honeypot in Python and Docker - Part 2) to Amazon Web Services (AWS) Lightsail VPS.
We'll start off by creating a new Lightsail instance. Then we'll configure the instance so it's ready to run our honeypot. We'll install Docker, and Docker Compose, then finally install and test our SSH honeypot.
In this blog post I'll be extending the SSH honeypot we built in Part 1 (see How to build an SSH honeypot in Python and Docker - Part 1) to download any files the honeypot receives. A great way to collect malware samples to analyse.
The main features we'll be adding to the new honeypot are:
In today's blog post I'll explain how to build a low-interaction SSH honeypot in Python and containerise it in Docker. In part 2, we'll add functionality to collect malware samples -- ideal for malware analysis.
One of the key design goals of this honeypot is efficiency. Why? Well, if the honeypot has low resource requirements (RAM, CPU, etc), it means we can deploy it to a global infrastructure -- such as multiple virtual private servers (VPS) -- without incurring large costs.
Existing honeypot solutions are available. However, some of them can be quite resource intensive. I've curated a list of popular honeypots here: A Curated List of Awesome Honeypots.
In today's blog post we'll explore what cryptojacking is, why cybercriminals are motivated by cryptocurrency mining attacks, and we'll look at real-world attacks.
Why? Well, cryptojacking was big business for cybercriminals in 2017 and 2018. But died down in 2019 after Coinhive shut down. Now, in 2021, Cryptojacking attacks are on the rise again (see report by Kaspersky).
I've noticed this trend of cryptojacking attacks targetting my honeypots (see my last 2 blog posts: Cryptojacking Attacks Continue To Target SSH Servers and Sneaky Malware Reconfigures Hive OS Wallet for Profit). I want to understand more about cryptojacking and why it's on the rise.
So, grab yourself a coffee (or a hot chocolate), find yourself a comfy spot, and I'll put on my best John Hurt storytelling voice...
Coming up in today's blog post: I'll be exploring recent cyber attacks targeting my SSH honeypots. Since 2018/19, we've known that SSH servers around the world have been targeted by cryptocurrency mining operations. So I'm curious to analyse my honeypot's logs to understand A) if threat actors are still motivated by cryptocurrency, and B) what techniques are used by threat actors.
Just over 1 month ago I deployed my new SSH honeypots (built in Python, containerised in Docker, see: Secure Honey v2.0 has been launched!). Since then, my honeypots have received 129,122 unauthorised logins (username:password credentials) from 3,780 unique IP addresses. 132,479 (77,214 unique) shell commands have been executed, and 91,927 (64,156 unique) files have been uploaded to the honeypot -- of which 23,874 (53 unique) were malicious.
So let's crack on and explore the data!
