Hiding Behind Multiple IPs
This week's blog post will be fairly brief as I've not had a lot of time to work on the project due to other commitments (mostly end of university term and run-up to Christmas).
Last week I set up a pure honeypot running under Ubuntu. I was hoping to discuss details of attacks that took place on the pure honeypot in this week's post - but I've not had a chance to run the honeypot for long this week.
I want to ensure I can be near my computer for pretty much a whole day so I can run the honeypot and monitor its logs. The only free day I had was yesterday and, frustratingly, there were zero attacks on the honeypot yesterday.
Also, attacks on the low-interaction C honeypot have dropped over the past few days. The table below shows the number of attacks on the honeypot over the past 10 days:
Date | # login attempts |
--- | --- |
Fri 13 Dec 2013 | 6 |
Thu 12 Dec 2013 | 7 |
Wed 11 Dec 2013 | 215 |
Tue 10 Dec 2013 | 23 |
Mon 9 Dec 2013 | 35 |
Sun 8 Dec 2013 | 2,193 |
Sat 7 Dec 2013 | 37 |
Fri 6 Dec 2013 | 30 |
Thu 5 Dec 2013 | 65 |
Wed 4 Dec 2013 | 40 |
The table above shows that Sunday the 8th of December was the busiest day yet for the low-interaction honeypot, with 2,193 brute-force login attempts, whereas yesterday and today saw only 7 and 6 attempts respectively.
Multiple IP Addresses; Same Attack
One noticeable attack this week came from 2 separate IP addresses but consisted of exactly the same sequence of username/password pairs, tried in the same order:
Date | IP | Username | Password | Honeypot |
--- | --- | --- | --- | --- |
Sun 8 Dec 2013, 11:29:38 | 122.***.***.** | admin | admin123 | charlie |
Sun 8 Dec 2013, 11:29:42 | 122.***.***.** | root | root123 | charlie |
Sun 8 Dec 2013, 11:29:49 | 122.***.***.** | user | user123 | charlie |
Sun 8 Dec 2013, 11:29:52 | 122.***.***.** | guest | guest123 | charlie |
Sun 8 Dec 2013, 11:29:57 | 122.***.***.** | root | raspberry | charlie |
Sun 8 Dec 2013, 11:30:01 | 122.***.***.** | xbian | raspberry | charlie |
Sun 8 Dec 2013, 11:30:07 | 122.***.***.** | D-Link | D-Link | charlie |
Sun 8 Dec 2013, 11:30:14 | 122.***.***.** | root | synopass | charlie |
Sun 8 Dec 2013, 11:30:22 | 122.***.***.** | cisco | cisco | charlie |
Sun 8 Dec 2013, 11:30:29 | 122.***.***.** | student | student | charlie |
Sun 8 Dec 2013, 11:30:34 | 122.***.***.** | oracle | oracle | charlie |
Sun 8 Dec 2013, 15:21:31 | 54.***.***.*** | admin | admin123 | charlie |
Sun 8 Dec 2013, 15:21:33 | 54.***.***.*** | root | root123 | charlie |
Sun 8 Dec 2013, 15:21:36 | 54.***.***.*** | user | user123 | charlie |
Sun 8 Dec 2013, 15:21:39 | 54.***.***.*** | guest | guest123 | charlie |
Sun 8 Dec 2013, 15:21:41 | 54.***.***.*** | root | raspberry | charlie |
Sun 8 Dec 2013, 15:21:44 | 54.***.***.*** | xbian | raspberry | charlie |
Sun 8 Dec 2013, 15:21:47 | 54.***.***.*** | D-Link | D-Link | charlie |
Sun 8 Dec 2013, 15:21:50 | 54.***.***.*** | root | synopass | charlie |
Sun 8 Dec 2013, 15:21:53 | 54.***.***.*** | cisco | cisco | charlie |
Sun 8 Dec 2013, 15:21:55 | 54.***.***.*** | student | student | charlie |
Sun 8 Dec 2013, 15:21:58 | 54.***.***.*** | oracle | oracle | charlie |
The data above shows the same attack arriving from 2 different IP addresses: 122.***.***.** (Australia) at 11:29 and 54.***.***.*** (Ireland) at 15:21, just under four hours later. Both runs tried the same eleven credential pairs in the same order, with a few seconds between attempts. This could be the same attacker using two different IP addresses, or two separate attackers running the same script with the same wordlist. Given the identical ordering and the short interval between the two runs, it seems more probable that it's the same attacker hiding behind 2 different IP addresses.
A second example of the same attack arriving from multiple IP addresses is shown below:
Date | IP | Username | Password | Honeypot |
--- | --- | --- | --- | --- |
Mon 9 Dec 2013, 00:51:50 | 113.*.***.* | root | root | charlie |
Mon 9 Dec 2013, 00:51:53 | 113.*.***.* | root | password | charlie |
Mon 9 Dec 2013, 00:51:55 | 113.*.***.* | root | 111111 | charlie |
Mon 9 Dec 2013, 00:51:58 | 113.*.***.* | root | 123456 | charlie |
Mon 9 Dec 2013, 00:52:14 | 113.*.***.* | root | root | alpha |
Mon 9 Dec 2013, 00:52:17 | 113.*.***.* | root | password | alpha |
Mon 9 Dec 2013, 00:52:20 | 113.*.***.* | root | 111111 | alpha |
Mon 9 Dec 2013, 00:52:22 | 113.*.***.* | root | 123456 | alpha |
Mon 9 Dec 2013, 04:27:15 | 190.***.***.** | root | root | alpha |
Mon 9 Dec 2013, 04:27:17 | 190.***.***.** | root | password | alpha |
Mon 9 Dec 2013, 04:27:20 | 190.***.***.** | root | 111111 | alpha |
Mon 9 Dec 2013, 04:27:22 | 190.***.***.** | root | 123456 | alpha |
Mon 9 Dec 2013, 09:01:24 | 46.***.***.** | root | root | charlie |
Mon 9 Dec 2013, 09:01:26 | 46.***.***.** | root | password | charlie |
Mon 9 Dec 2013, 09:01:28 | 46.***.***.** | root | 111111 | charlie |
Mon 9 Dec 2013, 09:01:30 | 46.***.***.** | root | 123456 | charlie |
Mon 9 Dec 2013, 09:01:37 | 46.***.***.** | root | root | alpha |
Mon 9 Dec 2013, 09:01:39 | 46.***.***.** | root | password | alpha |
Mon 9 Dec 2013, 09:01:41 | 46.***.***.** | root | 111111 | alpha |
Mon 9 Dec 2013, 09:01:43 | 46.***.***.** | root | 123456 | alpha |
Mon 9 Dec 2013, 18:26:53 | 46.***.***.** | root | root | charlie |
Mon 9 Dec 2013, 18:26:56 | 46.***.***.** | root | password | charlie |
Mon 9 Dec 2013, 18:26:58 | 46.***.***.** | root | 111111 | charlie |
Mon 9 Dec 2013, 18:27:00 | 46.***.***.** | root | 123456 | charlie |
Mon 9 Dec 2013, 18:27:11 | 46.***.***.** | root | root | alpha |
Mon 9 Dec 2013, 18:27:13 | 46.***.***.** | root | password | alpha |
Mon 9 Dec 2013, 18:27:15 | 46.***.***.** | root | 111111 | alpha |
Mon 9 Dec 2013, 18:27:17 | 46.***.***.** | root | 123456 | alpha |
The table above shows that the attacking IP addresses are 113.*.***.* (China), 190.***.***.** (Chile) and 46.***.***.** (Germany) and that, despite originating from different IP addresses, the attacks are identical. Each run consisted of nothing more than the username "root" with the passwords "root", "password", "111111" and "123456", in that order, with two to three seconds between attempts. The 113.*.***.* and 46.***.***.** hosts each hit both honeypots (charlie, then alpha within seconds), and the 46.***.***.** host came back with the identical run roughly nine and a half hours later.
This data supports the theory that attackers are hiding behind the masks of multiple IP addresses (or, equivalently, that one attack tool is being run from many hosts). Either way, the number of unique IP addresses that attack the honeypot is not a good indicator of the number of unique attackers. The ordered list of credentials a source tries, and how quickly it tries them, is a far better key for grouping attempts into distinct attackers.
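One way to put this into practice is to group honeypot login attempts by the ordered credential list each source replays, rather than by source IP. The script below is an added example and not the Secure Honey project's own code: it parses records in the same "date | ip | username | password | honeypot" layout as the tables above, splits each source's attempts into sessions, fingerprints the credential sequence, and clusters IPs that share a fingerprint. The log lines, the IP addresses (RFC 5737 documentation ranges) and the 5-minute session gap are constructed assumptions for illustration.

```python
"""Cluster honeypot login attempts by credential sequence instead of by source IP.

Added example, not the Secure Honey project's own code. Log format mirrors the
tables in the post; sample data below is constructed (RFC 5737 addresses).
"""
import hashlib
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: two hosts replaying one 4-credential list against
# "charlie", and two hosts replaying a different list, one of them twice.
SAMPLE_LOG = """\
Sun 8 Dec 2013, 11:29:38 | 192.0.2.10 | admin | admin123 | charlie
Sun 8 Dec 2013, 11:29:42 | 192.0.2.10 | root | root123 | charlie
Sun 8 Dec 2013, 11:29:49 | 192.0.2.10 | user | user123 | charlie
Sun 8 Dec 2013, 11:29:52 | 192.0.2.10 | guest | guest123 | charlie
Sun 8 Dec 2013, 15:21:31 | 198.51.100.7 | admin | admin123 | charlie
Sun 8 Dec 2013, 15:21:33 | 198.51.100.7 | root | root123 | charlie
Sun 8 Dec 2013, 15:21:36 | 198.51.100.7 | user | user123 | charlie
Sun 8 Dec 2013, 15:21:39 | 198.51.100.7 | guest | guest123 | charlie
Mon 9 Dec 2013, 00:51:50 | 203.0.113.5 | root | root | charlie
Mon 9 Dec 2013, 00:51:53 | 203.0.113.5 | root | password | charlie
Mon 9 Dec 2013, 00:51:55 | 203.0.113.5 | root | 111111 | charlie
Mon 9 Dec 2013, 00:51:58 | 203.0.113.5 | root | 123456 | charlie
Mon 9 Dec 2013, 04:27:15 | 203.0.113.77 | root | root | alpha
Mon 9 Dec 2013, 04:27:17 | 203.0.113.77 | root | password | alpha
Mon 9 Dec 2013, 04:27:20 | 203.0.113.77 | root | 111111 | alpha
Mon 9 Dec 2013, 04:27:22 | 203.0.113.77 | root | 123456 | alpha
Mon 9 Dec 2013, 18:26:53 | 203.0.113.5 | root | root | charlie
Mon 9 Dec 2013, 18:26:56 | 203.0.113.5 | root | password | charlie
Mon 9 Dec 2013, 18:26:58 | 203.0.113.5 | root | 111111 | charlie
Mon 9 Dec 2013, 18:27:00 | 203.0.113.5 | root | 123456 | charlie
"""

SESSION_GAP_SECONDS = 300  # assumption: more than 5 minutes idle starts a new session


def parse_line(line):
    """Parse one 'date | ip | username | password | honeypot' record."""
    when, ip, user, pw, honeypot = [f.strip() for f in line.split("|")]
    return datetime.strptime(when, "%a %d %b %Y, %H:%M:%S"), ip, user, pw, honeypot


def sessions(lines):
    """Group attempts per (ip, honeypot) in time order, split on idle gaps."""
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, ip, user, pw, hp = parse_line(line)
            by_src[(ip, hp)].append((ts, user, pw))
    out = []
    for (ip, hp), attempts in by_src.items():
        attempts.sort()
        current = [attempts[0]]
        for prev, cur in zip(attempts, attempts[1:]):
            if (cur[0] - prev[0]).total_seconds() > SESSION_GAP_SECONDS:
                out.append((ip, hp, current))
                current = []
            current.append(cur)
        out.append((ip, hp, current))
    return out


def fingerprint(attempts):
    """Hash the ordered credential list: order matters, timing and IP do not."""
    seq = "\n".join(f"{u}:{p}" for _, u, p in attempts)
    return hashlib.sha256(seq.encode()).hexdigest()[:12]


def pacing(attempts):
    """Median seconds between consecutive attempts in a session (0.0 if only one)."""
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(attempts, attempts[1:])]
    return statistics.median(gaps) if gaps else 0.0


def cluster(log_text):
    """Map credential-sequence fingerprint -> {ip: median pacing}.

    Each key is one distinct script/wordlist; the IPs under it are hosts that
    replayed it. len(cluster(...)) estimates distinct attackers far better
    than the number of distinct source IPs does.
    """
    clusters = defaultdict(dict)
    for ip, hp, attempts in sessions(log_text.splitlines()):
        clusters[fingerprint(attempts)][ip] = pacing(attempts)
    return dict(clusters)


def unique_ips(log_text):
    """Naive 'unique attackers' count: distinct source IPs."""
    return len({parse_line(l)[1] for l in log_text.splitlines() if l.strip()})


if __name__ == "__main__":
    result = cluster(SAMPLE_LOG)
    for fp, hosts in result.items():
        print(fp, {ip: f"{gap:.1f}s" for ip, gap in sorted(hosts.items())})
    print("distinct IPs:", unique_ips(SAMPLE_LOG), "distinct sequences:", len(result))
```

On the sample data this reports four distinct IPs but only two credential sequences, which is the point of the post: the two IPs that replayed the same list end up under one fingerprint, and the host that came back hours later with the same list is not counted twice. Keying on the exact sequence is deliberately strict; a source that shuffles its wordlist or drops entries would get a new fingerprint, so in practice you would also compare the set of credentials and the pacing before treating two sources as unrelated.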
Finally, this week I've also been working on my book review for Jon Erickson's Hacking: The Art of Exploitation. I'm about half way through writing the review, so aiming to publish the post next week.
Image credit: "Masks" by ohad*, flickr.com/photos/ohadby/26168831
About the author
Simon Bell is an award-winning Cyber Security Researcher, Software Engineer, and Web Security Specialist. Simon's research papers have been published internationally, and his findings have featured in Ars Technica, The Hacker News, PC World, among others. He founded Secure Honey, an open-source honeypot and threat intelligence project, in 2013. He has a PhD in Information Security and a BSc in Computer Science.
Follow Simon on Twitter: @SimonByte