SANS ISC: SSH Vandals? - Internet Security | DShield SANS ISC InfoSec Forums


SSH Vandals?

I had an interesting detect in one of my kippo honeypots last week. Kippo, if you are not familiar with it, is a script simulating an ssh server. It is typically configured to allow root logins with weak passwords and can be the source of never-ending entertainment as you watch confused script kiddies. The honeypot logs keystrokes and is able to replay them in "real time".

In this particular case, the attacker logged in and issued the following commands:

kippo:~# w
 06:37:29 up 14 days,  3:53,  1 user,  load average: 0.08, 0.02, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    151.81.3.83       06:37    0.00s  0.00s  0.00s w

kippo:~# ps x
  PID TTY          TIME CMD
 5673 pts/0    00:00:00 bash
 5677 pts/0    00:00:00 ps x

kippo:~# kill -9 -1
kippo:~#

In short, the attacker went in, did minimal reconnaissance, and then went ahead killing the system (terminating all processes with a PID larger than 1). A real system would be unresponsive as a result.

It is not clear if this is a vigilante/vandal killing badly configured ssh servers, or if this was an attempt to detect a honeypot (but then again, the real system would be dead as a result, and there are less destructive ways to detect simple honeypots like kippo).

The speed of the attack suggests that it was performed manually. We do not see a big change in ssh probes overall.

Any ideas? Has anybody seen similar "vandals"?

-----------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS Munich March 2019

Johannes

3413 Posts
ISC Handler
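An added example, not from the diary or from the kippo project, showing the defender-side view of a session like the one above: a small Python pass over constructed log lines shaped like kippo's twisted-style log (the "CMD:" layout, session numbers and sample IPs are assumptions) that groups commands per session, labels the kill-all and password-change patterns discussed in this thread, and uses the pauses between commands as a rough manual-vs-scripted heuristic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines shaped like kippo's twisted-style log (assumed layout);
# session 3 mirrors the diary (w, ps x, kill -9 -1), session 4 is a scripted bot.
SAMPLE_LOG = """\
2019-03-01 06:37:29+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,198.51.100.23] CMD: w
2019-03-01 06:37:41+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,198.51.100.23] CMD: ps x
2019-03-01 06:37:58+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,198.51.100.23] CMD: kill -9 -1
2019-03-01 07:02:10+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,4,203.0.113.7] CMD: uname -a
2019-03-01 07:02:10+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,4,203.0.113.7] CMD: passwd
"""

LINE_RE = re.compile(r"^(\S+ \S+) \[.*?HoneyPotTransport,(\d+),([\d.]+)\] CMD: (.*)$")

# Command patterns the thread discusses; first match wins.
RULES = [
    (re.compile(r"^kill\s+-9\s+-1\b"), "kill-all"),        # kills every process it can
    (re.compile(r"^passwd\b"), "password-change"),         # re-login probe from the comments
    (re.compile(r"^rm\b"), "file-deletion"),
    (re.compile(r"^(w|ps\b.*|uname\b.*|id|whoami)$"), "recon"),
]

def classify(cmd):
    for pat, label in RULES:
        if pat.match(cmd.strip()):
            return label
    return "other"

def summarize_sessions(log_text):
    """Group CMD lines per (session, source IP) and flag destructive/probe sessions."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S%z")
            sessions[(m.group(2), m.group(3))].append((ts, m.group(4)))
    out = {}
    for key, cmds in sessions.items():
        labels = [classify(c) for _, c in cmds]
        probe = next((t for (t, _), l in zip(cmds, labels) if l not in ("recon", "other")), None)
        gaps = [(cmds[i][0] - cmds[i - 1][0]).total_seconds() for i in range(1, len(cmds))]
        out[key] = {
            "labels": labels,
            "seconds_to_probe": None if probe is None else int((probe - cmds[0][0]).total_seconds()),
            # human-speed pauses between commands; scripted bots fire them within a second
            "likely_manual": any(g >= 2 for g in gaps),
        }
    return out
```

Running `summarize_sessions(SAMPLE_LOG)` marks session 3 as a manual recon-then-kill-all session and session 4 as a scripted password-change attempt.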
I do see considerable automated ssh brute force traffic these days. Coincidentally, I wrote a blog on protecting SSH just last night http://parasec.parallel42.ca/?p=162 (feel free to redact if you feel the self-promotion is too blatant). Not currently running a honeypot, so I prefer not to find out what they will do if they do gain access!
Chavez243

15 Posts
Smoke me a Kippo, I'll be back for breakfast!
Andrew

41 Posts
That's funny. I run kill -9 -1 to un-dead a stuck console.
Andrew
39 Posts
"What a guy!"
Dean

135 Posts
or maybe she's quite smart, and knows that kill -9 -1 is a good way of detecting honeypots. In short, you were outsmarted...
Anonymous
I thought a -9 -1 would just reboot the box, not make it unresponsive (for long)?

Still, pretty weird behaviour, even for a hacker, but one way to detect 'dumb' honeypots I guess.
DomMcIntyreDeVitto

35 Posts
"or maybe she's quite smart, and knows that kill -9 -1 is a good way of detecting honeypots. In short, you were outsmarted..."


How can you tell the difference between a Honeypot, and a real system that was rigged to make an attempted intruder THINK it was a honeypot?
Mysid

146 Posts
"man kill" reports:
EXAMPLES
kill -9 -1
Kill all processes you can kill.

Regards
Mysid
8 Posts
I've also seen something similar four times this week. Guys just logging in to change the password or to delete some files. My personal favorite is a dumbass that produced 210K of kippo logs by deleting every single file, one after another...
Mysid
3 Posts
Oh, and btw: your prompt really says "kippo"? ;)
Mysid
3 Posts
Login, send the kill command, try to login within 1 minute. Honeypot will be online, other system will be offline (rebooting). The guy is smarter than you are. Although I prefer changing the password and trying to re-login.
Mysid
27 Posts
alibert,

One full minute? - I have virtual boxes that reboot from hitting Enter to being completely online again in 20 seconds...
Per

11 Posts
beyond that, kippo remembers changed passwords... so your re-login technique wouldn't really work out
Per
3 Posts
I would be suspicious when I run ps x and only get back bash, and ps x. If someone was dumb enough to 1. allow remote root access, and 2. protect it with an easy password, I would think that the services running under root would be far more than just bash and the command I just entered no?
Per
3 Posts
@TheJan: I didn't know that; that is pretty cool. Is this on an IP basis?

@Per: Our DL380 G7 running RHEL 5.5 takes about 5+ minutes to boot
Per
27 Posts