My next class:

SSH Vandals?

Published: 2011-09-15. Last Updated: 2011-09-15 13:56:55 UTC
by Johannes Ullrich (Version: 1)
15 comment(s)

I had an interesting detect in one of my kippo honeypots last week. Kippo, if you are not familiar with, is a script simulating an ssh server. It is typically configured to allow root logins with weak passwords and can be the source of never ending entertainment as you see confused script kiddies. The honeypot logs key strokes and is able to replay them in "real time".

In this particular case, the attacker logged in, and issues the following commands:

kippo:~# w
 06:37:29 up 14 days,  3:53,  1 user,  load average: 0.08, 0.02, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    151.81.3.83       06:37    0.00s  0.00s  0.00s w

kippo:~# ps x
  PID TTY          TIME CMD
 5673 pts/0    00:00:00 bash
 5677 pts/0    00:00:00 ps x

kippo:~# kill -9 -1
kippo:~#
In short, the attacker went in, did minimal recognizance, and then went ahead killing the system (terminating all processes with a PID larger then 1). A real system would be unresponsive as a result.
 
Not clear if this is a vigilante/vandal killing badly configured ssh server, or if this was an intent to detect a honeypot (But then again, the real system would be dead as a result, and there are less destructive ways to detect simple honeypots like kippo.
 
The speed of the attack suggests that it was performed manually. We do not see a big change in ssh probes overall.
 
Any ideas? Has anybody seen similar "vandals"?

-----------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: ssh vandals
15 comment(s)
My next class:

Comments

I do see considerable automated ssh brute force traffic these days. Coincidentally, I wrote a blog on protecting SSH just last night http://parasec.parallel42.ca/?p=162 (feel free to redact if you feel the self-promotion is too blatant) Not currently running a honey pot, so I prefer not to find out what they will do if they do gain access!

Rick

Sep 15th 2011
1 decade ago

Smoke me a Kippo, I'll be back for breakfast!

Ace

Sep 15th 2011
1 decade ago

That's funny. I run kill -9 -1 to un-dead a stuck console.

Joshua

Sep 15th 2011
1 decade ago

"What a guy!"

dsh

Sep 15th 2011
1 decade ago

or maybe she's quite smart, and knows that kill -9 -1 is a good way of detecting honeypots. In short, you were outsmarted...

G

Sep 15th 2011
1 decade ago

I thought a -9 -1 would just reboot the box, not make it unresponsive (for long) ?

Still, pretty weird behaviour, even for a hacker, but one way to detect 'dumb' honeypots I guess.

Dom De Vitto

Sep 16th 2011
1 decade ago

"or maybe she's quite smart, and knows that kill -9 -1 is a good way of detecting honeypots. In short, you were outsmarted..."


How can you tell the difference between a Honeypot, and a real system that was rigged to make an attempted intruder THINK it was a honeypot?

Mysid

Sep 16th 2011
1 decade ago

"man kill" reports:
EXAMPLES
kill -9 -1
Kill all processes you can kill.

Regards

matteo

Sep 16th 2011
1 decade ago

I've also seen something similar four times this week. Guys just logging in to change the password or to delete some files. My personal favorite is a dumbass that produced 210K of kippo logs by deleting every single file, one after another...

TheJan

Sep 16th 2011
1 decade ago

Oh, and btw: your prompt really says "kippo"? ;)

TheJan

Sep 16th 2011
1 decade ago

Login here to join the discussion.


Top of page
Diary Archives