SSH Vandals?

Published: 2011-09-15
Last Updated: 2011-09-15 13:56:55 UTC
by Johannes Ullrich (Version: 1)
15 comment(s)

I had an interesting detect in one of my kippo honeypots last week. Kippo, if you are not familiar with, is a script simulating an ssh server. It is typically configured to allow root logins with weak passwords and can be the source of never ending entertainment as you see confused script kiddies. The honeypot logs key strokes and is able to replay them in "real time".

In this particular case, the attacker logged in, and issues the following commands:

kippo:~# w
 06:37:29 up 14 days,  3:53,  1 user,  load average: 0.08, 0.02, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0       06:37    0.00s  0.00s  0.00s w

kippo:~# ps x
  PID TTY          TIME CMD
 5673 pts/0    00:00:00 bash
 5677 pts/0    00:00:00 ps x

kippo:~# kill -9 -1

In short, the attacker went in, did minimal recognizance, and then went ahead killing the system (terminating all processes with a PID larger then 1). A real system would be unresponsive as a result.
Not clear if this is a vigilante/vandal killing badly configured ssh server, or if this was an intent to detect a honeypot (But then again, the real system would be dead as a result, and there are less destructive ways to detect simple honeypots like kippo.
The speed of the attack suggests that it was performed manually. We do not see a big change in ssh probes overall.
Any ideas? Has anybody seen similar "vandals"?

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: ssh vandals
15 comment(s)


I do see considerable automated ssh brute force traffic these days. Coincidentally, I wrote a blog on protecting SSH just last night (feel free to redact if you feel the self-promotion is too blatant) Not currently running a honey pot, so I prefer not to find out what they will do if they do gain access!
Smoke me a Kippo, I'll be back for breakfast!
That's funny. I run kill -9 -1 to un-dead a stuck console.
"What a guy!"
or maybe she's quite smart, and knows that kill -9 -1 is a good way of detecting honeypots. In short, you were outsmarted...
I thought a -9 -1 would just reboot the box, not make it unresponsive (for long) ?

Still, pretty weird behaviour, even for a hacker, but one way to detect 'dumb' honeypots I guess.
"or maybe she's quite smart, and knows that kill -9 -1 is a good way of detecting honeypots. In short, you were outsmarted..."

How can you tell the difference between a Honeypot, and a real system that was rigged to make an attempted intruder THINK it was a honeypot?
"man kill" reports:
kill -9 -1
Kill all processes you can kill.

I've also seen something similar four times this week. Guys just logging in to change the password or to delete some files. My personal favorite is a dumbass that produced 210K of kippo logs by deleting every single file, one after another...
Oh, and btw: your prompt really says "kippo"? ;)

Diary Archives