I’ve been running Kippo for nearly two weeks now (decided to live dangerously and go with SVN version) and have seen some interesting results.
Top 10 most common passwords attempted:
- a (651)
- 123456 (495)
- password (331)
- 12345 (302)
- 123 (224)
- 1234 (169)
- 1 (139)
- 12 (123)
- root (105)
- test (46)
select count(password), password
from auth
where password <> ''
group by password
order by count(password) desc
limit 10;
Top 10 most common username attempted:
- root (8510)
- admin (144)
- test (127)
- oracle (96)
- nagios (49)
- mysql (47)
- guest (43)
- info (42)
- user (41)
- postgres (40)
select count(username), username
from auth
where username <> ''
group by username
order by count(username) desc
limit 10;
Success ratio:
17065 attempts, 48 successful connections. (n.b. results skewed as account has purposefully poor choice of password)
select count(success),success
from auth
group by success
order by success;
Number of connections per unique IP:
- 202.99.89.69 (5212)
- 200.61.189.164 (1752)
- 78.37.83.203 (1043)
- 218.108.235.86 (848)
- 195.14.50.8 (628)
- 218.80.200.138 (271)
- 58.222.200.226 (238)
- 58.18.172.206 (158)
- 119.188.7.174 (128)
- 119.42.148.10 (113)
select count(ip), ip
from sessions
group by ip
order by count(ip) desc;
The number of attempts per IP address was relatively low: in total 194 different source locations have attempted to access the server, with each typically making only 4 attempts.
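The four queries above, run as one script against a small in-memory copy of Kippo's two logging tables. This is an added example, not code from the post or from Kippo; the column names (auth: session, success, username, password, timestamp; sessions: id, starttime, ip) are assumed to follow Kippo's MySQL schema, and the rows are constructed sample data.

```python
# Added example (not from the original post): the post's Kippo stats queries
# run against an in-memory SQLite copy of the auth and sessions tables.
# Column names are assumed from Kippo's MySQL logging schema.
import sqlite3

SCHEMA = """
CREATE TABLE sessions (id TEXT PRIMARY KEY, starttime TEXT, ip TEXT);
CREATE TABLE auth (id INTEGER PRIMARY KEY, session TEXT, success INTEGER,
                   username TEXT, password TEXT, timestamp TEXT);
"""

# Constructed sample data: two sessions from one IP, one from another.
SESSIONS = [("s1", "2010-12-01 10:00:00", "192.0.2.10"),
            ("s2", "2010-12-01 10:05:00", "192.0.2.10"),
            ("s3", "2010-12-01 11:00:00", "198.51.100.7")]
AUTH = [("s1", 0, "root", "123456"), ("s1", 0, "root", "password"),
        ("s1", 0, "root", ""),                              # blank password
        ("s2", 0, "admin", "123456"), ("s2", 1, "root", "123456"),
        ("s3", 0, "test", "test"), ("s3", 0, "", "123456")]  # blank username

def load(conn):
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sessions VALUES (?,?,?)", SESSIONS)
    conn.executemany(
        "INSERT INTO auth(session,success,username,password,timestamp) "
        "VALUES (?,?,?,?,'2010-12-01 10:00:00')", AUTH)

def top_values(conn, column, limit=10):
    # The post's top-10 query; blank values are filtered with <> '' because
    # Kippo logs an empty string when a client sends no password/username.
    # `column` is a fixed identifier chosen by the caller, never user input.
    sql = (f"SELECT {column}, COUNT({column}) FROM auth WHERE {column} <> '' "
           f"GROUP BY {column} ORDER BY COUNT({column}) DESC, {column} LIMIT ?")
    return conn.execute(sql, (limit,)).fetchall()

def success_ratio(conn):
    # Same grouping as the post's success query: success is 0 or 1.
    rows = dict(conn.execute(
        "SELECT success, COUNT(success) FROM auth GROUP BY success").fetchall())
    attempts, ok = sum(rows.values()), rows.get(1, 0)
    return attempts, ok, ok / attempts

def connections_per_ip(conn):
    return conn.execute("SELECT ip, COUNT(ip) FROM sessions GROUP BY ip "
                        "ORDER BY COUNT(ip) DESC").fetchall()

def report():
    conn = sqlite3.connect(":memory:")
    load(conn)
    return {"passwords": top_values(conn, "password"),
            "usernames": top_values(conn, "username"),
            "success": success_ratio(conn),
            "per_ip": connections_per_ip(conn)}
```

Point the connection at the real Kippo database instead of `:memory:` and drop the `load()` call to get the post's numbers for your own sensor.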
Packages:
Once exploited a number of attackers have proceeded to download various rootkits and utilities (thanks for these). Nothing too interesting yet, standard rootkit functionality, IRC clients and SSH scanners for further compromise. I still need to analyse some of these in more detail, so watch your RSS feeds for more to come.
One malicious user also attempted to create new user accounts on the server, if you have an account called ‘iony’ with a password of ‘ionyszaa’ then you may want to remove it…
If you’ve got a spare machine and public IP address, give Kippo a shot; setup is relatively easy. I’ve seen some interesting malicious user sessions and it turns out that some of those ‘31337 haxxors’ that everyone fears really can’t type.
–Andrew Waite
Hello Andrew, thanks again for a useful post. I have set up another Kippo honeypot on a more capable VPS in order to use MySQL logging. It has already caught some probes. Are you familiar with, or do you know of, any web GUI for the stats collected? I have seen the carniwwwhore thing but as I understand it uses XMPP and not the SQL-logged data?
I’m afraid the only web UI that I’m aware of integrating with Kippo is Carniwwwwhore. I did know of a project to implement a similar solution but this didn’t progress past alpha stage and was never released publicly, unfortunately.
If you’re looking for a project there’s definitely an opening there, know a few people who’ve asked the same question.
Hello Andrew, another useful query is also this:
select username as 'Username', password as 'Password', count(username) as '#Attempts'
from auth
where username <> '' and password <> ''
group by username, password
order by count(username) desc
which displays the most common username+password combinations. You can use it to update the pass.db file from time to time, since I have found that the success (for the attacker) ratio is generally really low. An example of a live system: ~15 vs ~4800.
I will write a simple php script to generate some graphs when I get some free time.
Sorry, the SQL code isn’t displayed correctly, here it is again (feel free to delete this comment and update the previous one):
SELECT username AS 'Username',
PASSWORD AS 'Password', count( username ) AS '#Attempts'
FROM auth
WHERE username <> ''
AND PASSWORD <> ''
GROUP BY username,
PASSWORD
ORDER BY count( username ) DESC
LIMIT 0, 30
‘Editors note, replace square brackets with angular brackets whilst I play with formatting….
Well, for some reason WP does not show the > and < signs. Anyway, username and password above should NOT be EQUAL to ''
Hello Andrew, check this out when you have the time:
http://ikoniari.webpages.auth.gr/kippo-graph-0-1-released.html
It’s a bit ugly at the moment but it does the simple work that it’s supposed to.
Nice work, I’ll try to give it a test-drive in my own environment shortly 🙂
Thanks Andrew, let me know. By the way, I just released version 0.2 with a web template 🙂 Surely a better option than the plain PHP script: http://ikoniari.webpages.auth.gr/kippo-graph
Hello Andrew. Any luck with the script?
Today I released v0.3 as well with 3 more graphs and more on the way… I’m looking for new ways to visualize some things. Info (as usual) at http://ikoniari.webpages.auth.gr/kippo-graph
Simple instructions for Ubuntu+Apache: untar into /var/www, chmod 777 generated-graphs, edit config.php and browse to http://server/kippo-graph
It works fine for me but can you test it as well?
No time yet I’m afraid, tied up with other things trying to get clear for the festive break.
Hoping things calm down soon, starting to miss time in my lab.