SSH honeypot, deployed in the wild, collecting and sharing data

Hiding Behind Multiple IPs

13 Dec 2013 • 3 min read

This week's blog post will be fairly brief as I've not had a lot of time to work on the project due to other commitments (mostly end of university term and run-up to Christmas).

Last week I set up a pure honeypot running under Ubuntu. I was hoping to discuss details of attacks that took place on the pure honeypot in this week's post - but I've not had a chance to run the honeypot for long this week.

I want to ensure I can be near my computer for pretty much a whole day so I can run the honeypot and monitor its logs. The only free day I had was yesterday and, frustratingly, there were zero attacks on the honeypot yesterday.

Also, attacks on the low-interaction C honeypot have dropped over the past few days. The table below shows the number of attacks on the honeypot over the past 10 days:

Date              # attempts
Fri 13 Dec 2013            6
Thu 12 Dec 2013            7
Wed 11 Dec 2013          215
Tue 10 Dec 2013           23
Mon  9 Dec 2013           35
Sun  8 Dec 2013        2,193
Sat  7 Dec 2013           37
Fri  6 Dec 2013           30
Thu  5 Dec 2013           65
Wed  4 Dec 2013           40

The table above shows that Sunday the 8th of December saw the busiest day yet for the low-interaction honeypot with 2,193 brute-force attempts, but that today and yesterday have only seen 7 and 6 brute-force attacks respectively.

Multiple IP Addresses; Same Attack

One noticeable attack this week came from 2 separate IP addresses but consisted of exactly the same sequence of login attempts:

Date                      IP               Username  Password   Honeypot
Sun 8 Dec 2013, 11:29:38  122.***.***.**   admin     admin123   charlie
Sun 8 Dec 2013, 11:29:42  122.***.***.**   root      root123    charlie
Sun 8 Dec 2013, 11:29:49  122.***.***.**   user      user123    charlie
Sun 8 Dec 2013, 11:29:52  122.***.***.**   guest     guest123   charlie
Sun 8 Dec 2013, 11:29:57  122.***.***.**   root      raspberry  charlie
Sun 8 Dec 2013, 11:30:01  122.***.***.**   xbian     raspberry  charlie
Sun 8 Dec 2013, 11:30:07  122.***.***.**   D-Link    D-Link     charlie
Sun 8 Dec 2013, 11:30:14  122.***.***.**   root      synopass   charlie
Sun 8 Dec 2013, 11:30:22  122.***.***.**   cisco     cisco      charlie
Sun 8 Dec 2013, 11:30:29  122.***.***.**   student   student    charlie
Sun 8 Dec 2013, 11:30:34  122.***.***.**   oracle    oracle     charlie
Sun 8 Dec 2013, 15:21:31  54.***.***.***   admin     admin123   charlie
Sun 8 Dec 2013, 15:21:33  54.***.***.***   root      root123    charlie
Sun 8 Dec 2013, 15:21:36  54.***.***.***   user      user123    charlie
Sun 8 Dec 2013, 15:21:39  54.***.***.***   guest     guest123   charlie
Sun 8 Dec 2013, 15:21:41  54.***.***.***   root      raspberry  charlie
Sun 8 Dec 2013, 15:21:44  54.***.***.***   xbian     raspberry  charlie
Sun 8 Dec 2013, 15:21:47  54.***.***.***   D-Link    D-Link     charlie
Sun 8 Dec 2013, 15:21:50  54.***.***.***   root      synopass   charlie
Sun 8 Dec 2013, 15:21:53  54.***.***.***   cisco     cisco      charlie
Sun 8 Dec 2013, 15:21:55  54.***.***.***   student   student    charlie
Sun 8 Dec 2013, 15:21:58  54.***.***.***   oracle    oracle     charlie

The data above shows that the attack came from 2 different IP addresses: 54.***.***.*** (Ireland) and 122.***.***.** (Australia). This could be the same attacker using two different IP addresses, or two separate attackers running the same attack script. Because the two runs were so close together in time, it seems more probable that it's the same attacker hiding behind 2 different IP addresses.

Again, a similar attack coming in from multiple IP addresses is shown below:

Date                      IP               Username  Password  Honeypot
Mon 9 Dec 2013, 00:51:50  113.*.***.*      root      root      charlie
Mon 9 Dec 2013, 00:51:53  113.*.***.*      root      password  charlie
Mon 9 Dec 2013, 00:51:55  113.*.***.*      root      111111    charlie
Mon 9 Dec 2013, 00:51:58  113.*.***.*      root      123456    charlie
Mon 9 Dec 2013, 00:52:14  113.*.***.*      root      root      alpha
Mon 9 Dec 2013, 00:52:17  113.*.***.*      root      password  alpha
Mon 9 Dec 2013, 00:52:20  113.*.***.*      root      111111    alpha
Mon 9 Dec 2013, 00:52:22  113.*.***.*      root      123456    alpha
Mon 9 Dec 2013, 04:27:15  190.***.***.**   root      root      alpha
Mon 9 Dec 2013, 04:27:17  190.***.***.**   root      password  alpha
Mon 9 Dec 2013, 04:27:20  190.***.***.**   root      111111    alpha
Mon 9 Dec 2013, 04:27:22  190.***.***.**   root      123456    alpha
Mon 9 Dec 2013, 09:01:24  46.***.***.**    root      root      charlie
Mon 9 Dec 2013, 09:01:26  46.***.***.**    root      password  charlie
Mon 9 Dec 2013, 09:01:28  46.***.***.**    root      111111    charlie
Mon 9 Dec 2013, 09:01:30  46.***.***.**    root      123456    charlie
Mon 9 Dec 2013, 09:01:37  46.***.***.**    root      root      alpha
Mon 9 Dec 2013, 09:01:39  46.***.***.**    root      password  alpha
Mon 9 Dec 2013, 09:01:41  46.***.***.**    root      111111    alpha
Mon 9 Dec 2013, 09:01:43  46.***.***.**    root      123456    alpha
Mon 9 Dec 2013, 18:26:53  46.***.***.**    root      root      charlie
Mon 9 Dec 2013, 18:26:56  46.***.***.**    root      password  charlie
Mon 9 Dec 2013, 18:26:58  46.***.***.**    root      111111    charlie
Mon 9 Dec 2013, 18:27:00  46.***.***.**    root      123456    charlie
Mon 9 Dec 2013, 18:27:11  46.***.***.**    root      root      alpha
Mon 9 Dec 2013, 18:27:13  46.***.***.**    root      password  alpha
Mon 9 Dec 2013, 18:27:15  46.***.***.**    root      111111    alpha
Mon 9 Dec 2013, 18:27:17  46.***.***.**    root      123456    alpha

The table above shows that the attacking IP addresses are 113.*.***.* (China), 190.***.***.** (Chile) and 46.***.***.** (Germany) and that, despite appearing to originate from different IP addresses, the attacks are the same. These brute-force attacks consisted of no more than the username "root" and the passwords "root", "password", "111111" and "123456".

This data strongly supports the theory that attackers are hiding behind the masks of multiple IP addresses. It also means that the number of unique IP addresses attacking the honeypot is not a good indicator of the number of unique attackers behind them.
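One way to act on this observation is to count attackers by the ordered credential list they replay rather than by source IP, splitting a source's attempts into bursts so that a return visit hours later counts as a separate run. The following is an added example, not code from the original post or the Secure Honey project; the log format and the RFC 5737 documentation addresses are constructed to mirror the tables above.

```python
# Added example, not code from the original post or the Secure Honey project: group
# login attempts by the ordered credential list they replay, not by source IP.
# Log format and RFC 5737 addresses are constructed to mirror the tables in the post.
from collections import defaultdict
from datetime import datetime
SESSION_GAP = 60  # seconds; a longer pause from one source starts a new session
# Constructed sample: two sources replay the same list, a third runs a different
# list, and 198.51.100.7 returns hours later for a second run of its list.
SAMPLE_LOG = """\
Mon 9 Dec 2013, 00:51:50 192.0.2.10 root root charlie
Mon 9 Dec 2013, 00:51:53 192.0.2.10 root password charlie
Mon 9 Dec 2013, 00:51:58 192.0.2.10 root 123456 charlie
Mon 9 Dec 2013, 04:27:15 198.51.100.7 root root alpha
Mon 9 Dec 2013, 04:27:17 198.51.100.7 root password alpha
Mon 9 Dec 2013, 04:27:22 198.51.100.7 root 123456 alpha
Mon 9 Dec 2013, 09:01:24 203.0.113.5 admin admin123 charlie
Mon 9 Dec 2013, 09:01:26 203.0.113.5 root raspberry charlie
Mon 9 Dec 2013, 18:26:53 198.51.100.7 root root alpha
Mon 9 Dec 2013, 18:26:56 198.51.100.7 root password alpha
Mon 9 Dec 2013, 18:27:00 198.51.100.7 root 123456 alpha
"""

def parse_line(line):
    """Split one log line into (timestamp, ip, username, password, honeypot)."""
    date_part, rest = line.split(", ", 1)
    clock, ip, user, pw, hp = rest.split()
    ts = datetime.strptime(f"{date_part} {clock}", "%a %d %b %Y %H:%M:%S")
    return ts, ip, user, pw, hp

def sessions(log_text):
    """Yield (ip, honeypot, credentials) for each burst of attempts from one source."""
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, user, pw, hp = parse_line(line)
        by_source[(ip, hp)].append((ts, (user, pw)))
    for (ip, hp), attempts in by_source.items():
        attempts.sort()
        burst, last = [], None
        for ts, cred in attempts:
            if last and (ts - last).total_seconds() > SESSION_GAP:
                yield ip, hp, tuple(burst)  # pause exceeded: close this burst
                burst = []
            burst.append(cred)
            last = ts
        yield ip, hp, tuple(burst)

def fingerprints(log_text):
    """Map each ordered credential list to the set of IPs seen replaying it."""
    fp_to_ips = defaultdict(set)
    for ip, _hp, creds in sessions(log_text):
        fp_to_ips[creds].add(ip)
    return dict(fp_to_ips)
```

On the sample, three source IPs collapse to two distinct credential lists, and the 198.51.100.7 attempts split into two bursts because of the 14-hour pause between them.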

Finally, this week I've also been working on my book review of Jon Erickson's Hacking: The Art of Exploitation. I'm about halfway through writing the review, so I'm aiming to publish the post next week.

Image credit: "Masks" by ohad*, flickr.com/photos/ohadby/26168831

About the author

Simon Bell is an award-winning Cyber Security Researcher, Software Engineer, and Web Security Specialist. Simon's research papers have been published internationally, and his findings have featured in Ars Technica, The Hacker News, PC World, among others. He founded Secure Honey, an open-source honeypot and threat intelligence project, in 2013. He has a PhD in Information Security and a BSc in Computer Science.

Follow Simon on Twitter: @SimonByte