
SANS ISC: SSH Vandals? - Internet Security | DShield SANS ISC InfoSec Forums


SSH Vandals?

I had an interesting detect in one of my kippo honeypots last week. Kippo, if you are not familiar with it, is a script simulating an ssh server. It is typically configured to allow root logins with weak passwords and can be the source of never-ending entertainment as you see confused script kiddies. The honeypot logs key strokes and is able to replay them in "real time".

In this particular case, the attacker logged in and issued the following commands:

kippo:~# w
 06:37:29 up 14 days,  3:53,  1 user,  load average: 0.08, 0.02, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    151.81.3.83       06:37    0.00s  0.00s  0.00s w

kippo:~# ps x
  PID TTY          TIME CMD
 5673 pts/0    00:00:00 bash
 5677 pts/0    00:00:00 ps x

kippo:~# kill -9 -1
kippo:~#

In short, the attacker went in, did minimal reconnaissance, and then went ahead killing the system (terminating all processes with a PID larger than 1). A real system would be unresponsive as a result.

Not clear if this is a vigilante/vandal killing badly configured ssh servers, or if this was an attempt to detect a honeypot (but then again, the real system would be dead as a result, and there are less destructive ways to detect simple honeypots like kippo).
 
The speed of the attack suggests that it was performed manually. We do not see a big change in ssh probes overall.
 
Any ideas? Has anybody seen similar "vandals"?

-----------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Johannes

3271 Posts
ISC Handler
I do see considerable automated ssh brute force traffic these days. Coincidentally, I wrote a blog on protecting SSH just last night http://parasec.parallel42.ca/?p=162 (feel free to redact if you feel the self-promotion is too blatant). Not currently running a honey pot, so I prefer not to find out what they will do if they do gain access!
Chavez243

15 Posts
Smoke me a Kippo, I'll be back for breakfast!
Andrew

41 Posts
That's funny. I run kill -9 -1 to un-dead a stuck console.
Andrew
39 Posts
"What a guy!"
Dean

135 Posts
Or maybe she's quite smart, and knows that kill -9 -1 is a good way of detecting honeypots. In short, you were outsmarted...
Anonymous
Posts
I thought a -9 -1 would just reboot the box, not make it unresponsive (for long)?

Still, pretty weird behaviour, even for a hacker, but one way to detect 'dumb' honeypots I guess.
Dom

31 Posts
"or maybe she's quite smart, and knows that kill -9 -1 is a good way of detecting honeypots. In short, you were outsmarted..."
How can you tell the difference between a Honeypot, and a real system that was rigged to make an attempted intruder THINK it was a honeypot?
Mysid

146 Posts
"man kill" reports:
EXAMPLES
kill -9 -1
Kill all processes you can kill.

Regards
Mysid
8 Posts
I've also seen something similar four times this week. Guys just logging in to change the password or to delete some files. My personal favorite is a dumbass that produced 210K of kippo logs by deleting every single file, one after another...
Mysid
3 Posts
Oh, and btw: your prompt really says "kippo"? ;)
Mysid
3 Posts
Login, send the kill command, try to login within 1 minute. The honeypot will be online, the other system will be offline (rebooting). The guy is smarter than you are. Although I prefer changing the password and trying to re-login.
Mysid
27 Posts
alibert,

One full minute? - I have virtual boxes that reboot from hitting Enter to being completely online again in 20 seconds...
Per

11 Posts
beyond that, kippo remembers changed passwords... so your re-login technique wouldn't really work out
Per
3 Posts
I would be suspicious when I run ps x and only get back bash, and ps x. If someone was dumb enough to 1. allow remote root access, and 2. protect it with an easy password, I would think that the services running under root would be far more than just bash and the command I just entered no?
Per
3 Posts
@TheJan: I didn't know that, that is pretty cool. Is this on an IP basis?

@Per: Our DL380 G7 running RHEL 5.5 takes about 5+ minutes to boot
Per
27 Posts
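Pulling together the behaviours this thread reports (the kill -9 -1 in the original post, and the password changes and file deletions mentioned in later comments), here is an added example of how a defender might triage kippo sessions from the honeypot's text log; it is not code from the post or from the kippo project, and the log line layout it parses (timestamp, a bracketed session/IP tag, then the message) is an assumption for the example, as are the sample lines and the 203.0.113.7 address.

```python
import re
from datetime import datetime

# Constructed sample lines; the exact kippo log format is an assumption here.
SAMPLE_LOG = """\
2013-05-12 06:37:10+0000 [HoneyPotTransport,1,151.81.3.83] login attempt [root/123456] succeeded
2013-05-12 06:37:29+0000 [SSHChannel session (0) on HoneyPotTransport,1,151.81.3.83] CMD: w
2013-05-12 06:37:41+0000 [SSHChannel session (0) on HoneyPotTransport,1,151.81.3.83] CMD: ps x
2013-05-12 06:37:55+0000 [SSHChannel session (0) on HoneyPotTransport,1,151.81.3.83] CMD: kill -9 -1
2013-05-12 07:02:03+0000 [HoneyPotTransport,2,203.0.113.7] login attempt [root/toor] succeeded
2013-05-12 07:02:15+0000 [SSHChannel session (0) on HoneyPotTransport,2,203.0.113.7] CMD: passwd
2013-05-12 07:02:40+0000 [SSHChannel session (0) on HoneyPotTransport,2,203.0.113.7] CMD: rm -rf /var/log
"""

# timestamp, then a bracketed tag ending in ",<session no>,<ip>]", then the message
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\S* \[[^\]]*?,(\d+),([\d.]+)\] (.*)$")

# The destructive actions the thread describes: kill everything, recursive delete, passwd.
DESTRUCTIVE = [
    (re.compile(r"^kill\s+-9\s+-1\b"), "kill -9 -1 (kills all processes)"),
    (re.compile(r"^rm\s+-\S*[rR]"), "recursive delete"),
    (re.compile(r"^passwd\b"), "password change"),
]

def parse_line(line):
    """Return (timestamp, (session_no, ip), message), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, (int(m.group(2)), m.group(3)), m.group(4)

def analyze(log_text):
    """Group lines per session, keep the command history and note each destructive
    command together with the seconds elapsed since the session's first log line."""
    sessions = {}
    for ts, key, msg in filter(None, map(parse_line, log_text.splitlines())):
        s = sessions.setdefault(key, {"start": ts, "commands": [], "flags": []})
        if msg.startswith("CMD: "):
            cmd = msg[5:].strip()
            s["commands"].append(cmd)
            for pattern, label in DESTRUCTIVE:
                if pattern.match(cmd):
                    s["flags"].append((label, int((ts - s["start"]).total_seconds())))
    return sessions

def vandal_sessions(log_text):
    # Only the sessions that ran at least one destructive command.
    return {k: v for k, v in analyze(log_text).items() if v["flags"]}
```

The elapsed seconds give the "speed of the attack" the original post uses to judge whether a session was driven by hand.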
