Initial Kippo honeypot stats

I’ve been running Kippo for nearly two weeks now (decided to live dangerously and go with the SVN version) and have seen some interesting results.
Top 10 most common passwords attempted:

  1. a (651)
  2. 123456 (495)
  3. password (331)
  4. 12345 (302)
  5. 123 (224)
  6. 1234 (169)
  7. 1 (139)
  8. 12 (123)
  9. root (105)
  10. test (46)

Select count(password), password
from auth
where password <> ''
group by password
order by count(password) desc
limit 10;

Top 10 most common usernames attempted:

  1. root (8510)
  2. admin (144)
  3. test (127)
  4. oracle (96)
  5. nagios (49)
  6. mysql (47)
  7. guest (43)
  8. info (42)
  9. user (41)
  10. postgres (40)

select count(username), username
from auth
where username <> ''
group by username
order by count(username) desc
limit 10;

Success ratio:
17065 attempts, 48 successful connections. (n.b. results skewed as account has purposefully poor choice of password)

select count(success),success
from auth
group by success
order by success;

Number of connections per unique IP:

  1. 202.99.89.69 (5212)
  2. 200.61.189.164 (1752)
  3. 78.37.83.203 (1043)
  4. 218.108.235.86 (848)
  5. 195.14.50.8 (628)
  6. 218.80.200.138 (271)
  7. 58.222.200.226 (238)
  8. 58.18.172.206 (158)
  9. 119.188.7.174 (128)
  10. 119.42.148.10 (113)

select count(ip), ip
from sessions
group by ip
order by count(ip) desc;

The number of attempts per IP address was relatively low; in total 194 different source locations have attempted to access the server, with each typically only making 4 attempts.
Packages:
Once exploited, a number of attackers have proceeded to download various rootkits and utilities (thanks for these). Nothing too interesting yet: standard rootkit functionality, IRC clients and SSH scanners for further compromise. I still need to analyse some of these in more detail, so watch your RSS feeds for more to come.
One malicious user also attempted to create new user accounts on the server; if you have an account called ‘iony’ with a password of ‘ionyszaa’ then you may want to remove it…
If you’ve got a spare machine and public IP address, give Kippo a shot; setup is relatively easy. I’ve seen some interesting malicious user sessions and it turns out that some of those ‘31337 haxxors’ that everyone fears really can’t type.
–Andrew Waite
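
The queries above, combined into one runnable script as an added example (not code from the original post or from Kippo). It uses an in-memory SQLite database in place of Kippo's MySQL logging; the tables are reduced to the columns the post's queries touch, the rows and IP addresses are constructed, and the median is just one way to get a "typical" per-IP figure.

```python
import sqlite3
from statistics import median

# Constructed sample data; only the columns used by the post's queries are modelled.
AUTH_ROWS = [  # (username, password, success)
    ("root", "123456", 1), ("root", "123456", 0), ("root", "a", 0),
    ("root", "", 0), ("admin", "password", 0), ("admin", "password", 0),
    ("", "test", 0), ("oracle", "oracle", 0),
]
# Source addresses from the documentation ranges, one entry per connection.
SESSION_IPS = ["192.0.2.10"] * 5 + ["198.51.100.7"] * 2 + ["203.0.113.9"]

def open_sample_db():
    """Return an in-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth (username TEXT, password TEXT, success INTEGER)")
    conn.execute("CREATE TABLE sessions (ip TEXT)")
    conn.executemany("INSERT INTO auth VALUES (?, ?, ?)", AUTH_ROWS)
    conn.executemany("INSERT INTO sessions VALUES (?)", [(ip,) for ip in SESSION_IPS])
    return conn

def top_credentials(conn, limit=10):
    """Most common username/password pairs, skipping rows with an empty field."""
    return conn.execute(
        """SELECT username, password, COUNT(*) AS attempts, SUM(success) AS successes
           FROM auth
           WHERE username <> '' AND password <> ''
           GROUP BY username, password
           ORDER BY attempts DESC, username, password
           LIMIT ?""", (limit,)).fetchall()

def success_ratio(conn):
    """(total attempts, successful logins) over the whole auth table."""
    return conn.execute("SELECT COUNT(*), SUM(success) FROM auth").fetchone()

def connections_per_ip(conn):
    """(unique source IPs, median connections per IP) from the sessions table."""
    counts = [n for (n,) in conn.execute("SELECT COUNT(*) FROM sessions GROUP BY ip")]
    return len(counts), median(counts)

if __name__ == "__main__":
    conn = open_sample_db()
    for row in top_credentials(conn):
        print(row)
    print("attempts, successes:", success_ratio(conn))
    print("unique IPs, median connections:", connections_per_ip(conn))
```

The `successes` column shows at a glance which attempted pairs actually got in, which the separate password and username counts cannot.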

11 Comments

  1. Hello Andrew, thanks again for a useful post. I have set up another Kippo honeypot on a more capable vps in order to use mysql logging. It had already caught some probes. Are you familiar or do you know of any web gui for the stats collected? I have seen the carniwwwhore thing but as I understand it uses xmpp and not the sql-logged data?

    1. I’m afraid the only webUI that I’m aware of integrating with Kippo is Carniwwwwhore. I did know of a project to implement a similar solution but this didn’t progress past alpha stage and was never released publicly unfortunately.
      If you’re looking for a project there’s definitely an opening there, know a few people who’ve asked the same question.

  2. Hello Andrew, another useful query is also this:
    select username as 'Username', password as 'Password', count(username) as '#Attempts'
    from auth
    where username <> '' and password <> ''
    group by username, password
    order by count(username) desc
    which displays the most common username+password combinations. You can use it to update the pass.db file from time to time, since I have found that the success (for the attacker) ratio is generally really low. An example of a live system: ~15 vs ~4800.
    I will write a simple php script to generate some graphs when I get some free time.

  3. Sorry, the SQL code isn’t displayed correctly, here it is again (feel free to delete this comment and update the previous one):

    SELECT username AS 'Username',
    PASSWORD AS 'Password', count( username ) AS '#Attempts'
    FROM auth
    WHERE username [] ''
    AND PASSWORD [] ''
    GROUP BY username,
    PASSWORD
    ORDER BY count( username ) DESC
    LIMIT 0 , 30

    Editor’s note: replace square brackets with angular brackets whilst I play with formatting….

    1. Well, for some reason WP does not show the > and < signs. Anyway, username and password above should NOT be EQUAL to ''

        1. No time yet I’m afraid, tied up with other things trying to get clear for the festive break.
          Hoping things calm down soon, starting to miss time in my lab.
