Collecting data from SSH Honeypots


The first of many honeypots are live and data rolling s in! :D

I’ve been chipping away at HoneypotDB, a project to create a global honeypot network comprised of many honeypot types that all report to one centralised data index, that can be queried via public API. So far, I’ve used Ansible to build and deploy some basic Cowrie SSHhoneypots in docker containers and built a basic elasticSearch and logstash set up to analyse and store collected data.

I mentioned in my previous post that Kibana could be used to visualise data and create useful dashboards for analysis. Pretty cool right?!

Honeypot Kibana

Data analysis

The 6 pots located primarily in Europe have managed to generate over 1.65 million events over the last 7 days, 220,000 of which were login attempts. Cowrie has also captured commands submitted to the fake terminal, so we can see what bots (and some people by the looks of it) are trying to do.

Just glancing at the data, it looks like the bulk of the attackers are mainly aiming to install some sort of miner onto the system or/and add a user to allow access if the miner is removed. Most of the initial commands from the bots are something along the lines of cat /proc/cpuinfo | grep name | wc -l or using the lscpu utility to count how many cores the system has. If the server as more than X cores, a miner will then be installed. This is probably to only target powerful systems where a miner is not likely to be noticed.

I’ve also noticed that most of the bots tend to download scripts viacurl -O or wget to /tmp, give the file execute permissions and run them before quickly removing the downloaded file. This then means that the malware is then only in memory. Neat! I know that some off these miners are extra sneaky, and sometimes try and spawn processes with names like/bin/apache posing as a common webserver to try and mask its presence on the system. Perhaps sit would be interesting to pull apart some of the scripts we capture and see what we can find? 🤔