Insights from Running an SSH Honeypot for 30 Days

By Mark Howell, 1 year ago, 4 min read

Today in Edworking News we want to talk about a simple question: what is a honeypot?
A honeypot is a decoy system that detects and records attacks when an attacker tries to break into it. The honeypot discussed here is an SSH honeypot.

Environment

Login Attempts

There were a total of 11,599 login attempts. Divided by 30 days, this means an average of 386 login attempts per day.

Used Usernames

As expected, many attacks target common and default usernames. For the `345gs5662d34` user, according to Aalborg University of Denmark, this could be the default credential for a Polycom CX600 IP telephone.


Passwords

Once again, the most common value is the same one seen among the usernames: the default credential of the Polycom CX600 IP telephone.

Commands Executed After Login

Now the interesting part starts:

The oinasf Script

The execution of a mysterious script, `./oinasf`, followed by attempts to read and display the system's executable content, indicates a probing strategy for vulnerabilities or valuable information. The use of `/ip cloud print` suggests that bots target MikroTik routers in order to access or disrupt cloud-based services, while `uname -s -m` gives them the operating system name and machine architecture, details that are valuable for tailoring further actions to the specific system.
In conclusion, these commands represent a clear strategy to infiltrate, assess, and establish control over targeted systems. They show the bot's preference for direct manipulation and sustained access, and highlight the need for robust defenses against such common, yet potentially devastating, tactics.

The mdrfckr Crypto Miner

This miner simply creates a cron job that deletes everything in the `.ssh` directory and adds a single SSH key, locking other users out. After that, it kills any other miners already running so that it has the host to itself. You can check the repository of someone whose server was already compromised and used to run this miner.
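The post-login commands discussed above (the `uname -s -m` and `/ip cloud print` reconnaissance, and the `.ssh` wipe plus `authorized_keys` injection and miner-killing cron job attributed to the mdrfckr miner) are exactly what a defender would want to flag automatically in honeypot session records. The following Python triage script is an added example, not code from the original article; the sample command lines and the regular expressions are constructed assumptions, and the SSH key in the sample is a placeholder.

```python
"""Triage of SSH honeypot session commands (added example, not the article's code)."""
import re
from collections import Counter

# Constructed sample: one recorded command per entry, as an SSH honeypot would
# log them after a successful login. Illustrative values, not captured data.
SAMPLE_COMMANDS = [
    "uname -s -m",
    "/ip cloud print",
    "cat /proc/cpuinfo | grep name | head -n 1",
    "uname -s -m",
    'cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAA...PLACEHOLDER" '
    '> .ssh/authorized_keys && echo "*/5 * * * * pkill -f xmrig" | crontab -',
    "./oinasf",
]

# Each rule names an indicator the article describes; the patterns are assumptions.
RULES = {
    "recon_uname": re.compile(r"^uname\b"),
    "mikrotik_probe": re.compile(r"^/ip\s+cloud\s+print"),
    "ssh_dir_wipe": re.compile(r"rm\s+-rf\s+(~/)?\.ssh\b"),
    "authorized_keys_write": re.compile(r">\s*(~/)?\.ssh/authorized_keys"),
    "cron_install": re.compile(r"\|\s*crontab\s+-"),
    "kill_competing_miner": re.compile(r"\bpkill\b|\bkillall\b"),
}


def classify(command: str) -> set:
    """Return the set of rule names that match one recorded command line."""
    return {name for name, rx in RULES.items() if rx.search(command)}


def triage(commands: list) -> tuple:
    """Count how often each command and each indicator appears across sessions."""
    by_command = Counter(commands)
    by_indicator = Counter()
    for cmd in commands:
        by_indicator.update(classify(cmd))
    return by_command, by_indicator


def is_ssh_key_takeover(command: str) -> bool:
    """True when one command both wipes .ssh and plants an authorized_keys entry,
    the lock-out persistence pattern described for the mdrfckr miner."""
    return {"ssh_dir_wipe", "authorized_keys_write"} <= classify(command)


if __name__ == "__main__":
    by_command, by_indicator = triage(SAMPLE_COMMANDS)
    for cmd, n in by_command.most_common():
        print(f"{n:3d}  {cmd[:70]}")
    print(dict(by_indicator))
```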

The MIPS Malware

Probably another piece of malware built for the MIPS (Microprocessor without Interlocked Pipeline Stages) architecture, which targets routers and IoT devices. Here is a good read and analysis of the behavior of MIPS malware.

The Sakura.sh Script

This script is part of the Gafgyt malware, also known as BASHLITE, a botnet affecting Internet of Things (IoT) devices and Linux-based systems. The malware compromises and takes control of these devices by exploiting weak or default passwords, as well as known vulnerabilities. Gafgyt has been around since 2014 and has evolved into multiple variants, each with its own set of features and capabilities, including the ability to launch distributed denial of service (DDoS) attacks. See also: A Detailed Analysis of the Gafgyt Malware Targeting IoT Devices.
---

Remember these 3 key ideas for your startup:

  1. Stay Proactive with Security: Implementing honeypots can help detect and analyze intrusion attempts, offering valuable insights into attack vectors and malware tactics. For instance, honeypots can reveal default credential usage and scripted threats, enabling better defenses.

  2. Understand Attack Patterns: Knowledge about common threats like the Gafgyt malware or crypto mining scripts allows your startup to prepare against similar attacks. This includes monitoring default credentials and unusual login attempts, a step that many overlook.

  3. Leverage Detailed Reports: Use the data gathered from honeypots to create detailed security protocols tailored to the specific threats your startup or SME might face. This includes setting up cron jobs to monitor system integrity and securing all entry points against IoT-based attacks.
    For more details, see the original source.

About the Author: Mark Howell Linkedin

Mark Howell is a talented content writer for Edworking's blog, consistently producing high-quality articles on a daily basis. As a Sales Representative, he brings a unique perspective to his writing, providing valuable insights and actionable advice for readers in the education industry. With a keen eye for detail and a passion for sharing knowledge, Mark is an indispensable member of the Edworking team. His expertise in task management ensures that he is always on top of his assignments and meets strict deadlines. Furthermore, Mark's skills in project management enable him to collaborate effectively with colleagues, contributing to the team's overall success and growth. As a reliable and diligent professional, Mark Howell continues to elevate Edworking's blog and brand with his well-researched and engaging content.
