I had an interesting detect in one of my kippo honeypots last week. Kippo, if you are not familiar with it, is a script that simulates an ssh server. It is typically configured to allow root logins with weak passwords and can be the source of never-ending entertainment as you watch confused script kiddies. The honeypot logs keystrokes and is able to replay them in "real time". In this particular case, the attacker logged in and issued the following commands:

    kippo:~# w
     06:37:29 up 14 days,  3:53,  1 user,  load average: 0.08, 0.02, 0.01
    USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
    root     pts/0    151.81.3.83       06:37    0.00s  0.00s  0.00s w
    kippo:~# ps x
      PID TTY          TIME CMD
     5673 pts/0    00:00:00 bash
     5677 pts/0    00:00:00 ps x
    kippo:~# kill -9 -1
    kippo:~#

In short, the attacker went in, did minimal reconnaissance, and then went ahead and killed the system (terminating every process with a PID larger than 1; as root, kill -9 -1 reaches everything the kernel lets you signal except init and the calling shell itself, and sshd is among the victims, so the session drops). A real system would be unresponsive as a result.
Not clear if this is a vigilante/vandal killing a badly configured ssh server, or if this was an attempt to detect a honeypot (but then again, a real system would be dead as a result, and there are less destructive ways to detect simple honeypots like kippo).
The speed of the attack suggests that it was performed manually. We do not see a big change in ssh probes overall.
Any ideas? Has anybody seen similar "vandals"?
-----------
Johannes, 4510 Posts, ISC Handler, Sep 15th 2011
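As an added example (it is not part of the diary and not kippo's own code): a small Python script that reads kippo-style "CMD:" log lines, normalizes the different spellings of a kill-everything command (kill -9 -1, kill -KILL -1, kill -s KILL -- -1), and flags sessions that went from their first command to a kill-all with little reconnaissance in between, which is the pattern described above. The log line layout, the field names and every session except the first (which mirrors the three commands in the diary) are constructed for this example; the kill(1) argument-parsing rule it applies is stated in the docstring and is an assumption, not a quote from any implementation.

```python
import re
import shlex
from datetime import datetime

# Constructed kippo-style session log (assumed layout, not copied from kippo).
# Session 1 mirrors the diary; sessions 2-4 are made up for the example.
SAMPLE_LOG = """\
2011-09-15 06:37:29+0000 [HoneyPotTransport,1,151.81.3.83] CMD: w
2011-09-15 06:37:33+0000 [HoneyPotTransport,1,151.81.3.83] CMD: ps x
2011-09-15 06:37:41+0000 [HoneyPotTransport,1,151.81.3.83] CMD: kill -9 -1
2011-09-16 02:10:05+0000 [HoneyPotTransport,2,203.0.113.7] CMD: passwd
2011-09-16 02:10:20+0000 [HoneyPotTransport,2,203.0.113.7] CMD: rm -f /etc/motd
2011-09-16 09:00:01+0000 [HoneyPotTransport,3,198.51.100.9] CMD: uname -a
2011-09-16 09:00:09+0000 [HoneyPotTransport,3,198.51.100.9] CMD: kill -s KILL -- -1
2011-09-16 11:00:00+0000 [HoneyPotTransport,4,192.0.2.5] CMD: kill -9 5677
"""

# timestamp [..,session-id,client-ip] CMD: command line
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[[^\]]*?,(?P<sid>\d+),(?P<ip>[\d.]+)\] CMD: (?P<cmd>.*)$"
)

SIGNALS = {"HUP": 1, "INT": 2, "QUIT": 3, "KILL": 9, "TERM": 15}
RECON = {"w", "who", "ps", "uname", "id", "whoami", "ifconfig", "cat", "uptime"}


def signal_number(spec):
    """Map '9', 'KILL' or 'SIGKILL' to a signal number; None if unknown."""
    if spec.isdigit():
        return int(spec)
    name = spec.upper()
    if name.startswith("SIG"):
        name = name[3:]
    return SIGNALS.get(name)


def parse_kill(cmd):
    """Return (signal, [pids]) for a kill(1) command line, else None.

    Parsing rule assumed here: the first -NAME / -NUMBER / -s NAME token
    seen before any PID is the signal (default TERM); everything after it,
    including a negative token such as -1, is a PID.  That is how the
    forms 'kill -9 -1', 'kill -KILL -1' and 'kill -s KILL -- -1' read.
    """
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return None
    if not argv or argv[0] != "kill":
        return None
    sig, pids, sig_seen, i = 15, [], False, 1
    while i < len(argv):
        tok = argv[i]
        if tok == "--" and not pids:
            sig_seen = True                     # everything after -- is a PID
        elif tok in ("-s", "-n") and not sig_seen:
            if i + 1 >= len(argv):
                return None
            sig, sig_seen = signal_number(argv[i + 1]), True
            i += 1
        elif tok.startswith("-") and not sig_seen:
            sig, sig_seen = signal_number(tok[1:]), True
        elif re.fullmatch(r"-?\d+", tok):
            pids.append(int(tok))
        else:
            return None                         # kill -l, garbage, etc.
        if sig is None:
            return None
        i += 1
    return (sig, pids) if pids else None


def classify(cmd):
    """Label one command: kill_all, kill, recon, passwd, delete or other."""
    parsed = parse_kill(cmd)
    if parsed:
        return "kill_all" if -1 in parsed[1] else "kill"
    try:
        argv = shlex.split(cmd)
    except ValueError:
        argv = cmd.split()
    head = argv[0] if argv else ""
    if head in RECON:
        return "recon"
    if head == "passwd":
        return "passwd"
    if head in ("rm", "shred"):
        return "delete"
    return "other"


def analyze(log_text):
    """Group CMD lines by session id.

    Returns {sid: {"ip", "labels", "kill_all_after"}}, where kill_all_after
    is the number of seconds from the session's first command to its first
    kill-all, or None if the session never sent one.
    """
    sessions, first_seen = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S%z")
        sid = m["sid"]
        first_seen.setdefault(sid, ts)
        s = sessions.setdefault(sid, {"ip": m["ip"], "labels": [], "kill_all_after": None})
        label = classify(m["cmd"])
        s["labels"].append(label)
        if label == "kill_all" and s["kill_all_after"] is None:
            s["kill_all_after"] = (ts - first_seen[sid]).total_seconds()
    return sessions


def suspicious_sessions(sessions, max_recon=3, within=120):
    """Session ids that reached kill-all within `within` seconds after at
    most `max_recon` reconnaissance commands: the 'look briefly, then pull
    the plug' pattern."""
    out = []
    for sid, s in sessions.items():
        t = s["kill_all_after"]
        if t is None or t > within:
            continue
        before = s["labels"][: s["labels"].index("kill_all")]
        if before.count("recon") <= max_recon:
            out.append(sid)
    return sorted(out)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for sid in suspicious_sessions(found):
        s = found[sid]
        print(f"session {sid} from {s['ip']}: kill-all after {s['kill_all_after']:.0f}s, {s['labels']}")
```

Running it prints sessions 1 and 3 (the diary session and the constructed one using the long-form `kill -s KILL -- -1`); the password change and file deletion in session 2 and the single-PID kill in session 4 are labeled but not flagged. The thresholds are arbitrary starting points for a honeypot operator to tune.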
I do see considerable automated ssh brute force traffic these days. Coincidentally, I wrote a blog on protecting SSH just last night http://parasec.parallel42.ca/?p=162 (feel free to redact if you feel the self-promotion is too blatant). Not currently running a honeypot, so I prefer not to find out what they will do if they do gain access!
Chavez243, 15 Posts, Sep 15th 2011
Smoke me a Kippo, I'll be back for breakfast!
Andrew, 41 Posts, Sep 15th 2011
That's funny. I run kill -9 -1 to un-dead a stuck console.
Andrew, 39 Posts, Sep 15th 2011
"What a guy!"
Dean, 135 Posts, Sep 15th 2011
or maybe she's quite smart, and knows that kill -9 -1 is a good way of detecting honeypots. In short, you were outsmarted...
Anonymous, Sep 15th 2011
I thought a -9 -1 would just reboot the box, not make it unresponsive (for long) ?
Still, pretty weird behaviour, even for a hacker, but one way to detect 'dumb' honeypots I guess.
DomMcIntyreDeVitto, 45 Posts, Sep 16th 2011
"or maybe she's quite smart, and knows that kill -9 -1 is a good way of detecting honeypots. In short, you were outsmarted..."
How can you tell the difference between a Honeypot, and a real system that was rigged to make an attempted intruder THINK it was a honeypot?
Mysid, 146 Posts, Sep 16th 2011
"man kill" reports:

    EXAMPLES
        kill -9 -1
            Kill all processes you can kill.

Regards
Mysid, 8 Posts, Sep 16th 2011
I've also seen something similar four times this week. Guys just logging in to change the password or to delete some files. My personal favorite is a dumbass that produced 210K of kippo logs by deleting every single file, one after another...
Mysid, 3 Posts, Sep 16th 2011
Oh, and btw: your prompt really says "kippo"? ;)
Mysid, 3 Posts, Sep 16th 2011
Login, send the kill command, try to login within 1 minute. Honeypot will be online, other system will be offline (rebooting). The guy is smarter than you are. Although I prefer changing the password and trying to re-login.
Mysid, 27 Posts, Sep 16th 2011
alibert,
One full minute? - I have virtual boxes that reboot from hitting Enter to being completely online again in 20 seconds...
Per, 11 Posts, Sep 16th 2011
beyond that, kippo remembers changed passwords... so your re-login technique wouldn't really work out
Per, 3 Posts, Sep 16th 2011
I would be suspicious when I run ps x and only get back bash and ps x. If someone was dumb enough to 1. allow remote root access, and 2. protect it with an easy password, I would think that the services running under root would be far more than just bash and the command I just entered, no?
Per, 3 Posts, Sep 16th 2011
@TheJan: I didn't know that, that is pretty cool. Is this on an IP basis?
@Per: Our DL380 G7 running RHEL 5.5 takes about 5+ minutes to boot
Per, 27 Posts, Sep 21st 2011