It’s a trap! How to create honeypots for stupid bots

If you had ever administered a server, you definitely know that the password-based authentication must be disabled or restricted: either by a whitelist, or a VPN gateway, or in some other way. We decided to conduct an experiment and check what happens if this simple step isn’t taken.

Warning

This article is intended for educational purposes only. Neither the authors nor the Editorial Board can be held liable for any damages caused by improper usage of this information.

Placing yourself under attack and watching what happens is the best way to learn how hackers operate. That’s exactly what we did: purchased a few servers on different subnets and waited in ambush. The first careless bot was caught in just 7 seconds; in less than a day, we detected more than 12 thousand guests on the SSH service alone. It’s not surprising therefore that malicious bots manage to brute-force credentials of many servers over time, and the compromised computers continue the dirty work of their captors and mine bitcoins in their spare time.

We have examined attacks delivered over several protocols: SSH (the most popular one), Telnet (widespread in the IoT world), and FTP (used to inject shells for subsequent attacks or infect executable files). In the course of the test, we were attacked 986437 times over SSH alone.

Why use somebody else’s computers?

After hacking a ‘smart’ device, you can use it to attack the rest of the network, deliver DDoS attacks, mine cryptocurrencies, disseminate spam, and perform even more sophisticated operations, including DNS poisoning or traffic interception.

Malefactors often deploy proxy servers on hijacked computers. This ‘product’ is very popular in the shadow sector of the Internet: after a brief search, we found several dozen such offers. Interestingly, proxies are usually sold by subscription, not on a one-time basis.

The average price tag for 100 proxies is some USD 25. But for elite proxies sold to a single buyer, vendors charge USD 3-4 per IP, and they are sold out almost instantly. Perhaps unofficial discounts are offered to regular customers?..

Preparations

We deployed honeypots on two servers. The first one wasn’t initially intended for this research; accordingly, a part of its statistics doesn’t include passwords. The second server had honeypots from the very beginning.

At some point, we transferred the built-in SSH service to port 404 (“404 SSH Service Not Found”, yeah) on both servers, and deployed a honeypot on the default port (22). And imagine: not a single bot managed to find SSH after that! As you can see, the old recommendation to transfer SSH to nonstandard ports still makes sense, especially if port 22 is open but gives no sign that the target service is present somewhere else.
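The three settings this setup depends on can be checked mechanically. The following audit script is an added example (not from the article or its authors): it reads an sshd_config the way sshd does (first value of a keyword wins; Match blocks are ignored here for simplicity) and flags the default port, password authentication, and password logins for root. The two configs it runs on are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): audit an sshd_config against the three
# points made above: move sshd off port 22 (the authors used 404 and left 22 to
# a honeypot), disable password authentication, and never let root log in with
# a password (root is the login bots try most). sshd takes the FIRST value it
# sees for a keyword, so the audit does the same; Match blocks are ignored.

sshd_opt() {  # sshd_opt <config> <keyword>: first effective value, "" if unset
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

audit_sshd_config() {  # prints findings; returns 0 only if every check passes
    cfg="$1"; rc=0
    port=$(sshd_opt "$cfg" Port);                 [ -n "$port" ] || port=22
    pw=$(sshd_opt "$cfg" PasswordAuthentication); [ -n "$pw" ]   || pw=yes
    root=$(sshd_opt "$cfg" PermitRootLogin);      [ -n "$root" ] || root=prohibit-password
    if [ "$port" = 22 ]; then
        echo "WARN $cfg: sshd listens on 22; move it and leave 22 to a honeypot"; rc=1
    fi
    if [ "$pw" = yes ]; then
        echo "FAIL $cfg: PasswordAuthentication yes; bots will brute-force it"; rc=1
    fi
    if [ "$root" = yes ]; then
        echo "FAIL $cfg: PermitRootLogin yes; root is the #1 login bots try"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK $cfg"
    return "$rc"
}

# Demo on two constructed configs (hypothetical, written to a temp dir).
tmp=$(mktemp -d)
printf 'Port 22\nPasswordAuthentication yes\nPermitRootLogin yes\n' > "$tmp/weak"
printf 'Port 404\nPasswordAuthentication no\nPermitRootLogin prohibit-password\n' > "$tmp/hardened"
audit_sshd_config "$tmp/weak" || true
audit_sshd_config "$tmp/hardened"
rm -rf "$tmp"
```

Run it against /etc/ssh/sshd_config on a real host; a non-zero exit status means at least one of the three points still needs attention.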

As a result, the final sample turned out to be not so large, but we expanded the statistics by analyzing logs from hacked bots.

Where to get honeypots?

Below are the honeypots we used for different protocols. Of course, there are plenty of other solutions, including commercial ones, but their listing and analysis go beyond the scope of this article.

telnetlogger

This simple logger records login attempts and saves the login:password pairs. IP addresses are saved as well, but to a different file and without connection to the login:password pairs, which is inconvenient. The program runs without any issues and doesn’t require sophisticated configuring.

SSH Honeypot

The program logs the IP, login, and password. Each record has a time stamp not available in the Telnet logger. The information about the time can be used to build advanced graphs (e.g. correlation between the intensity of attacks and the time of day or day of the week), but in this particular case, we were interested only in the very fact of the attack and the techniques used.

First brute-forcing attempts began just 7 seconds after the honeypot activation.

[Sun Jan 10 22:40:41 2021] ssh-honeypot 0.1.0 by Daniel Roberson started on port 22. PID 4010913
[Sun Jan 10 22:40:49 2021] 196.*.*.166 supervisor qwer1234
[Sun Jan 10 22:41:16 2021] 59.*.*.186 vyatta 123
[Sun Jan 10 22:41:38 2021] 207.*.*.45 root muiemulta

honeypot-ftp

This protocol was the least popular among the bots. Perhaps this was because we were unable to find a honeypot written in a commonly used language and had to use whatever was available. Even a brief look at the program reveals that this honeypot is built on the Twisted framework, which scares off some botnets, not to mention attackers with at least some brains.

Scanning honeypot-ftp with nmap

SSH

We used two different methods to collect statistics. The first one involved the analysis of sshd logs, which record unsuccessful authentication attempts together with the logins used and the IP addresses of the attackers. To expand the statistics, we decided to use servers initially not intended for this research: their owners kindly provided us with the journald records, and we included them in our analysis.

The second method involves the analysis of the honeypots’ logs, which store, among other things, the passwords used by the attackers. These statistics aren’t that extensive, but they are as accurate as it gets.

As expected, the most frequently used login is root. In total, it occurs in the honeypots’ logs 85563 times, which is more than an order of magnitude greater than the second most popular login: oracle (7832 times).

In the case of sshd, the gap between root and all other variants is even greater: 408778 login attempts with root versus 321467 attempts with all other logins combined (root accounts for 55.9% of the total). The second most popular login, admin, was used in only 15331 attempts (26.7 times less than the first one). The third position is occupied by test (8624 attempts).

The table below provides the rating of the most popular logins. The first two columns present data extracted from the sshd logs; the second two columns, from the honeypots’ logs.

The asterisks conceal IP addresses of the test servers. Apparently, the most gifted bots think that admins can use the server’s IP as a login… In fact, the number of bots trying to use the IP address as a login was not large, but they were so persistent that such logins became pretty common.

Other interesting logins recorded in the honeypots’ logs are: ubnt (a default login for Ubiquiti devices, 1001 attempts), web (897), demo (885), MikroTik (795), pi (a default user on Raspberry Pi, 770), telecomadmin (a standard login on many routers, 748), minecraft (293), baikal (292), dev (173), ts (166), odoo (158), vbox (154), sinusbot (120), csgoserver (100), mcserver (80), hacker (45), cactiuser (45), xxx (28), miner (17), and terraria (14).

In addition, 51 authentication attempts were made with blank passwords. In other words, bots attack game servers (Minecraft, CS:GO, and Terraria are popular games, and there were enough logins containing these words) and routers (telecomadmin is a classical variant for Huawei and other routers) and also try random logins.

The sshd logs include the above-mentioned ubnt (1558), demo (1370), pi (1312), web (1129), minecraft (1006), MikroTik (661), sinusbot (433), and some others (huawei, linux, nvidia – who in the world would give such names to users??).

One crazy bot even tried to brute-force our servers using passwords from the list below as logins:

1 !234QwerAsdf
1 !@#!@#!@#!
1 !@#%
1 !@#
%QWERT
1 !@#%^
1 !@#
%^&()_+
1 !@#$%^&
()_+|
1 !@#%^qwer
1 !@#
%qwert\r
1 !@#qwer
1 !@#123
%^
1 !@#1234
1 !@#123qwas
1 !@#321Qwe
1 !@#456qweASD
1 !@#QWE123QWE
1 !@#abc123
1 !@#edc!@#
1 !@#qwe%^
1 !@#wsx!@#
1 !Passw0rd!
1 !Password@
1 !Q#E@W
R
1 !QA2ws3ed
1 !QAZ
1 !QAZ1231xsw
1 !QAZ2wsx\r
1 !QAZ@WSX3EDC
1 !QAZWSX0a
1 !QAZX(OL<M
1 !QAZXSW@#EDC!@#
1 !QAZxsw2#EDCvfr4%TGBnhy6
1 !QAZzaq1@WSX
1 !QAz@WSx#EDcRFv
1 !QWASZX1
1 !Qaz
1 !Qaz!Qaz
1 !password!

We have identified 4981 unique logins in the honeypots’ logs and 30036 unique logins in the sshd logs.

Speaking of the passwords: for the reasons mentioned above, we couldn’t analyze passwords used in all attacks (whose number approaches one million). So, keep in mind that the passwords examined below were extracted from a relatively small sample (some 200 thousand attempts).

The password of the year is root (19,600 attempts). The ‘sacred’ 123456 is in second place (7284 attempts). Below is a list of other most popular passwords used by bots to hack your server:

2966 J5cmmu=Kyf0-br8CsW
3306 11111
3528 qwerty
3943 12345
4272 1234
4501 test
4704 123
4924 admin
7284 123456
19600 root

Out of them, only J5cmmu... raises questions. We failed to find out whose default password it is, but Google searches turned up similar studies indicating that this mystery has already attracted some interest in the community.

The Top 100 List also includes such passwords as password (position 13/2479 attempts), 12345678 (18/1053), pi (38/431) and paspberry (39/424), hlL0mlNAabiR (49/305), telecomadmin (65/220), and changeme (84/106). In addition, 2262 login attempts were made with the blank password.

In total, 33306 unique passwords have been identified.

The attackers

Of course, we wanted to find out who exactly had attacked us. So, we extracted all the recorded addresses from one of the honeypots and used a tool available on GitHub to build a nice map (see below).

We have also identified addresses most frequently used by the attackers. Below are the 5 most persistent bots:

8354 211.114.134.118
11096 121.169.34.14
15474 20.184.15.72
24492 202.103.176.67
42512 222.186.10.114

The addresses are provided in full so that you can blacklist them on your firewall.

8162 unique addresses made at least 10 login attempts each; 1564 made at least 100 attempts each; and only 97 bots tried to log in more than 500 times! However, almost one half of all login attempts were made by bots that made 100 attempts or more (in other words, the lion’s share of all attacks were performed by bots that don’t linger on a single target for a long time and leave it after making just a couple of dozen attempts). But because of the unique bots that tirelessly try to hack the same server, the average number of attempts per attacker is 51.7.
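The numbers quoted in this section (top logins and passwords, unique counts, attempts per attacker, and the 10/100/500-attempt persistence buckets) all come from counting over the honeypot log. The script below is an added example, not the authors’ tooling: it parses lines in the ssh-honeypot format shown earlier and computes those statistics over a constructed sample log (TEST-NET addresses, not the article’s data).

```python
# Added example (not from the article): parse logs in the ssh-honeypot format
# shown above and reproduce the article's SSH statistics (top logins and
# passwords, unique counts, attempts per attacker, persistence buckets).
import re
from collections import Counter
from datetime import datetime

# One line per attempt: "[Sun Jan 10 22:40:49 2021] 196.*.*.166 supervisor qwer1234";
# a blank password leaves nothing after the login. The startup banner does not match.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<ip>[0-9a-fA-F:.*]+) "
                     r"(?P<user>\S+)(?: (?P<pw>.*))?$")

def parse(lines):
    # Yield (timestamp, ip, login, password); lines that do not match are skipped.
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["ip"], m["user"], m["pw"] or ""

def stats(lines, buckets=(10, 100, 500)):
    # Counts of the kind the article quotes for the SSH honeypot logs.
    logins, passwords, per_ip = Counter(), Counter(), Counter()
    for _, ip, user, pw in parse(lines):
        logins[user] += 1; passwords[pw] += 1; per_ip[ip] += 1
    total = sum(per_ip.values())
    return {
        "total": total,
        "unique_logins": len(logins),
        "unique_passwords": len(passwords),
        "top_logins": logins.most_common(3),
        "top_passwords": passwords.most_common(3),
        "attackers": len(per_ip),
        "avg_per_attacker": round(total / len(per_ip), 1) if per_ip else 0.0,
        # per threshold N: (bots with >= N attempts, attempts those bots made)
        "persistence": {n: (sum(1 for c in per_ip.values() if c >= n),
                            sum(c for c in per_ip.values() if c >= n))
                        for n in buckets},
    }

# Constructed sample log (TEST-NET addresses): one persistent bot making
# 14 attempts and two drive-by bots, plus the honeypot's startup banner.
SAMPLE_LOG = [
    "[Sun Jan 10 22:40:41 2021] ssh-honeypot 0.1.0 by Daniel Roberson started on port 22. PID 4010913",
    "[Sun Jan 10 22:40:49 2021] 192.0.2.10 root 123456",
    "[Sun Jan 10 22:40:50 2021] 192.0.2.10 root root",
    "[Sun Jan 10 22:41:16 2021] 198.51.100.7 oracle oracle",
    "[Sun Jan 10 22:41:38 2021] 203.0.113.5 ubnt ubnt",
    "[Sun Jan 10 22:41:40 2021] 203.0.113.5 root",  # blank password
] + [f"[Sun Jan 10 23:{i:02d}:00 2021] 192.0.2.10 root pass{i}" for i in range(12)]

print(stats(SAMPLE_LOG))
```

Feed it the real log (`stats(open("ssh-honeypot.log"))`) to get the same breakdown the article reports, with the IP masking of the published excerpt handled by the pattern.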

Overall, we have encountered a lot of standard passwords for various equipment, login modifications, and pretty primitive passwords. Bots are very persistent; apparently, their owners believe that the server might agree some day that its password is root. The number of attempts to exploit vulnerabilities was pretty low: just a few dozen. Unfortunately, honeypots used in our experiment aren’t perfect, and we could not find out what vulnerabilities the attackers were trying to exploit.

Telnet

Of course, the main login used by bots is root (53084 attempts). The next most popular login is admin (22021 attempts), and sh is in third place (16790 attempts). The fourth and fifth positions are occupied by linuxshell and enable (16790 and 16677 attempts, respectively). The Top 10 List also includes system (6th place, 10509 attempts), shell (9316), and guest (5037). The 11th position is held by support (3780); frankly speaking, we had expected it to score a better result.

The list of logins includes truly original variants:

14 \x17\x12\x1b\x1f\x18\x1f\x05\x02\x04
20 \x05\x03
20 \x27::!
20 \x2c>.8?K
32 cuadmin
32 ncorrect
33 db2fenc1
44 \x16\x03
44 diag
48 */&\x22%K
68 &;;\x20
69 cisco
71 \x04
84 9$?K
101 jnior
130 Alphanetworks
176 dnsekakf2$
215 TMAR#DLKT20060205

One can only guess who in the world uses such logins. But a search for the last login returned an interesting site. It looks like the login TMAR#DLKT20060205 belongs to the D-Link 500B router (apparently attacked by the detected bot). In total, we encountered 297 unique logins.

The distribution of attacks by IP addresses is as follows: out of the 186454 attacks on Telnet, 14128 attacks (7.6%) were performed from the same IP. 8006 unique attackers have been recorded, which translates into 23.2 login attempts per IP.

The passwords were no less unique than logins. Just look:

1 `\x22=\x1a\x3c8g!>-/!
1 rasberrypie
3 4\xc6\x1eU\xae\x9a\xf4\xa3Y_m&:\xe7\x0fr\xd7x\x80\xf5\x01\xbc;\xce\x04
8 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
11 wapnd15_dlob_dap1522b
12 5:\x20\x278%
12 7ujMko0root
12 8>;;$9?K
12 Uq-4GIt3M
14 0p3nm35h
14 D13HH[
14 P@55w0rd!
131 hacktheworld1337
170 Win1doW$
1406 t0talc0ntr0l4!
2421 S2fGqNFs
2521 OxhlwSG8

It’s always nice to see a bot yelling out of despair.

In total, there were 699 unique passwords. Their Top 10 List is provided below – never use these variants on your server!

4066 12345
4231 default
4825 start-shell
4829 development
5158 admin
5448 /bin/busybox\x20KURC
9190 /bin/busybox\x20LMAO
9650 runshellcmd
15505 linuxshell
16801 shell

As you can see, the above list includes busybox: apparently, some bots try to send commands right away without entering a username and a password. In other words, open box hunters don’t even bother to check whether authentication is required or not.

The conclusion in the case of Telnet is simple: no matter how strong the factory password looks, it must be changed ASAP.

FTP

Log recorded by the FTP honeypot

It’s necessary to keep in mind that the majority of attacks delivered over FTP are targeted, while the purpose of the mass scanning is to identify servers with default credentials or without authentication.

Nothing remarkable was found there: the logs have recorded a few attempts to log in without a password, a few anonymous login attempts, and no lengthy brute-force attempts or exploits.

Conclusion: FTP-related risks are less severe in comparison with Telnet or even SSH. However, this is not a reason to leave FTP without protection.

Counterattacking

We have identified all unique IP addresses of the attackers and created a wordlist containing logins and passwords used by the bots. Then we tried to brute-force the attackers with this wordlist.


We used THC-Hydra, B0n3tBrute, BruteDum, and cbrutekrag.

Interestingly, not many devices turned out to be vulnerable to the retaliatory attack. Perhaps, this is because we attacked only the addresses from the honeypots’ logs leaving alone a much greater number of addresses from the sshd logs. In any event, this was done solely to test the hypothesis that the attackers themselves had been infected by automated bots.

We found several IP cameras, a couple of routers, and other ‘smart’ devices. Due to lack of time, we were unable to check all of them manually.

One of the found hosts was running pfSense; according to its creators, this is the “world’s most trusted open-source firewall”. Still, even pfSense cannot protect admins who use such passwords as admin.

pfSense

The next server turned out to be a VPN gateway.

The process name clearly indicates the purpose of this bot: mining Monero.

Processes running on the host

197 addresses out of the 1779 (11%) turned out to be vulnerable to our counterattacks over SSH. On the one hand, this is not much. On the other hand, every tenth attacker is poorly protected and can be easily hacked. In addition, this number could have been much greater had we used a larger wordlist.

A significant portion of the attackers belong to the Internet of Things. Most probably, they were infected after the successful brute-forcing of their passwords.

Conclusions

We have examined just a few protocols used by hackers, and, of course, our research cannot be considered comprehensive. For instance, it doesn’t cover numerous Windows-based machines.

The main conclusion is that recommendations well-known since the early 2000s are still relevant today: close ports, transfer critical services to nonstandard ports, set complex nonbrutable passwords, or even disable password-based authentication at all.

As you can see, the number of attacks delivered in just a couple of months is enormous. If you leave an insecure password for a long time, it will be cracked sooner or later. Of course, in many smart gadgets, the password is hardcoded by the developer, but even in such situations, the device’s management port must not be visible from the outside.

And the last piece of advice: create your own honeypot to see the main threats and automatically deflect some of them.
