SANS ISC InfoSec Forums: SSH Vandals? - SANS Internet Storm Center
SSH Vandals?

I had an interesting detect in one of my kippo honeypots last week. Kippo, if you are not familiar with it, is a script simulating an ssh server. It is typically configured to allow root logins with weak passwords and can be the source of never-ending entertainment as you see confused script kiddies. The honeypot logs key strokes and is able to replay them in "real time".

In this particular case, the attacker logged in and issued the following commands:

kippo:~# w
 06:37:29 up 14 days,  3:53,  1 user,  load average: 0.08, 0.02, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0       06:37    0.00s  0.00s  0.00s w

kippo:~# ps x
  PID TTY          TIME CMD
 5673 pts/0    00:00:00 bash
 5677 pts/0    00:00:00 ps x

kippo:~# kill -9 -1

In short, the attacker went in, did minimal reconnaissance, and then went ahead killing the system (terminating all processes with a PID larger than 1). A real system would be unresponsive as a result.
Not clear if this is a vigilante/vandal killing badly configured ssh servers, or if this was an attempt to detect a honeypot (but then again, the real system would be dead as a result, and there are less destructive ways to detect simple honeypots like kippo).
The speed of the attack suggests that it was performed manually. We do not see a big change in ssh probes overall.
Any ideas? Has anybody seen similar "vandals"?

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

4510 Posts
ISC Handler
Sep 15th 2011
I do see considerable automated ssh brute force traffic these days. Coincidentally, I wrote a blog on protecting SSH just last night (feel free to redact if you feel the self-promotion is too blatant) Not currently running a honey pot, so I prefer not to find out what they will do if they do gain access!

15 Posts
Smoke me a Kippo, I'll be back for breakfast!

41 Posts
That's funny. I run kill -9 -1 to un-dead a stuck console.
39 Posts
"What a guy!"

135 Posts
or maybe she's quite smart, and knows that kill -9 -1 is a good way of detecting honeypots. In short, you were outsmarted...
I thought a -9 -1 would just reboot the box, not make it unresponsive (for long) ?

Still, pretty weird behaviour, even for a hacker, but one way to detect 'dumb' honeypots I guess.

45 Posts
"or maybe she's quite smart, and knows that kill -9 -1 is a good way of detecting honeypots. In short, you were outsmarted..."

How can you tell the difference between a Honeypot, and a real system that was rigged to make an attempted intruder THINK it was a honeypot?

146 Posts
"man kill" reports:
kill -9 -1
Kill all processes you can kill.

8 Posts
I've also seen something similar four times this week. Guys just logging in to change the password or to delete some files. My personal favorite is a dumbass that produced 210K of kippo logs by deleting every single file, one after another...
3 Posts
Oh, and btw: your prompt really says "kippo"? ;)
3 Posts
Login, send the kill command, try to login within 1 minute. Honeypot will be online, other system will be offline (rebooting). The guy is smarter than you are. Although I prefer changing the password and trying to re-login.
27 Posts
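The fingerprinting pattern described in the thread (a `kill -9 -1` followed by a fresh login from the same address within a minute, which a rebooting real host could not answer) can be turned into a honeypot-side detection. This is an added example, not code from the diary or from kippo; the log lines, session ids and IP addresses are constructed and only approximate kippo's real log format.

```python
import re
from datetime import datetime, timedelta

# Constructed, simplified kippo-style log (not a real capture).
# Fields: timestamp, [session id, source IP], event.
SAMPLE_LOG = """\
2011-09-15 06:37:01 [S1,192.0.2.10] login attempt [root/123456] succeeded
2011-09-15 06:37:29 [S1,192.0.2.10] CMD: w
2011-09-15 06:37:33 [S1,192.0.2.10] CMD: ps x
2011-09-15 06:37:40 [S1,192.0.2.10] CMD: kill -9 -1
2011-09-15 06:37:41 [S1,192.0.2.10] connection lost
2011-09-15 06:38:15 [S2,192.0.2.10] login attempt [root/123456] succeeded
2011-09-15 07:02:00 [S3,198.51.100.7] login attempt [root/toor] succeeded
2011-09-15 07:02:05 [S3,198.51.100.7] CMD: kill -9 -1
2011-09-15 07:02:06 [S3,198.51.100.7] connection lost
2011-09-15 07:30:00 [S4,198.51.100.7] login attempt [root/toor] succeeded
"""

LINE_RE = re.compile(r"^(\S+ \S+) \[(\w+),([\d.]+)\] (.*)$")
# "kill -9 -1" as seen in the diary, plus the equivalent -KILL spellings.
KILL_ALL_RE = re.compile(r"^CMD:\s*kill\s+(-9|-KILL|-s\s+KILL)\s+-1\b")


def parse(log_text):
    """Yield (time, session, ip, event) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)


def find_kill_probes(log_text, window=timedelta(seconds=60)):
    """Return [(ip, kill_time, relogin_time_or_None), ...].

    A kill-all followed by a successful login from the same IP inside
    `window` is the honeypot-fingerprinting pattern from the thread; a
    kill-all with no quick re-login looks like plain vandalism.
    """
    events = list(parse(log_text))
    results = []
    for kill_ts, _, ip, ev in events:
        if not KILL_ALL_RE.match(ev):
            continue
        relogin = next((ts for ts, _, ip2, ev2 in events
                        if ip2 == ip and kill_ts < ts <= kill_ts + window
                        and ev2.startswith("login attempt") and ev2.endswith("succeeded")),
                       None)
        results.append((ip, kill_ts, relogin))
    return results
```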

One full minute? - I have virtual boxes that reboot from hitting Enter to being completely online again in 20 seconds...

11 Posts
beyond that, kippo remembers changed passwords... so your re-login technique wouldn't really work out
3 Posts
I would be suspicious when I run ps x and only get back bash, and ps x. If someone was dumb enough to 1. allow remote root access, and 2. protect it with an easy password, I would think that the services running under root would be far more than just bash and the command I just entered no?
3 Posts
@TheJan: I didn't know that, that is pretty cool. Is this on an IP basis?

@Per: Our DL380 G7 running RHEL 5.5 takes about 5+ minutes to boot
27 Posts
