Last Updated: 2011-09-15 13:56:55 UTC
by Johannes Ullrich (Version: 1)
I had an interesting detect in one of my kippo honeypots last week. Kippo, if you are not familiar with it, is a script simulating an SSH server. It is typically configured to allow root logins with weak passwords and can be the source of never-ending entertainment as you see confused script kiddies. The honeypot logs keystrokes and is able to replay them in "real time".
In this particular case, the attacker logged in and issued the following commands:
kippo:~# w
 06:37:29 up 14 days, 3:53, 1 user, load average: 0.08, 0.02, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
root     pts/0    220.127.116.11    06:37    0.00s  0.00s  0.00s w
kippo:~# ps x
  PID TTY          TIME CMD
 5673 pts/0    00:00:00 bash
 5677 pts/0    00:00:00 ps x
kippo:~# kill -9 -1
kippo:~#