Messing with my hackers: SSH Honeypot

Cowrie is a free and open source honeypot that mimics an SSH shell (SSH being the service used to remotely control a server). To sum it up: attackers, who are constantly scanning for open SSH ports, will find it and attack. This wastes their time and computing power, and Cowrie logs all of their commands, which gives us insight into their tactics.

I let Cowrie run for 24 hours on my web server. There were dozens of attackers, mostly using the same few tactics once they gained initial access; below I will cover 4:

Attacker the first: 141.94.76.58 (this is an IP address)

France! I can accept that folks will try to attack my website, but a Frenchman? Thanks a lot Macron, you baked good.

Command run:  cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx

I'm not a bash guy, but it looks like this was an attempt to remove my ssh keys and paste in his own. Luckily Cowrie saves this key into a safe directory for review later. The session then closed (it auto closes after a certain number of seconds), and that IP was not seen again. That's the way the Macaron crumbles, Frenchy!

Attacker the 2nd: 92.255.85.70

A Russian IP, somehow via an ISP in Hong Kong. Looks like Ukraine was just a distraction, and the real target was my hiking enthusiast website!

This fella logged in with the ingenious username and password of root/asdasd. So, if your password is asdasd and you’ve got a Ukraine flag avatar, I recommend a password change.

Log entry:  direct-tcp connection request to 64.233.165.100:443 from 127.0.0.1:0

When that failed:  direct-tcp connection request to google.com:443 from 127.0.0.1:0

Not sure what happened here. Maybe he was trying to direct traffic to google to test something? He gave up after that. With that lack of tenacity, they’ll never hold Crimea.

The third attacker: 193.169.254.183

Poland! From the winged hussars saving Christendom to attacking random web servers. How the mighty have fallen!

Take a look at this nuts password they used: F8Ek8HERbADE9DtADECmeVaCU

Weirdly, haveibeenpwned.com does not show that password as compromised.

Guess it is now though... SORRY!

They tried a couple of uname -a commands. I believe this prints system information. I wonder if this revealed the honeypot. IDK. This IP kept logging back in with different credentials. My guess is that it's some kind of script that tries to login, runs uname -a to determine if it's a fake or attackable, and then closes the connection if it is. Wack!

Final attacker: 79.10.178.226

MAMA MIA, Italia!

Command: echo -e "iptv\\nwDsaKhkPdZJu\\nwDsaKhkPdZJu"|passwd|bash

They just tried to reset the password via the echo command.
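Cowrie also writes every event to a JSON log, one object per line, so the four tactics above can be picked out automatically. The script below is an added example, not code from this post or from the Cowrie project: it groups events by attacker IP and tags the key-replacement, passwd-reset, uname reconnaissance and direct-tcpip proxy-probe patterns. The event ids and field names follow Cowrie's JSON format as I know it and are an assumption here; the log lines are constructed samples using documentation IP addresses.

```python
import json
import re
from collections import defaultdict

# Constructed sample lines in the style of Cowrie's cowrie.json output.
# Field names (eventid, src_ip, username, password, input, dst_ip, dst_port) are assumed.
SAMPLE_LOG = r"""
{"eventid":"cowrie.login.success","src_ip":"203.0.113.10","session":"a1","username":"root","password":"asdasd"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","session":"a1","input":"cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAA...EXAMPLE\" >> .ssh/authorized_keys"}
{"eventid":"cowrie.direct-tcpip.request","src_ip":"203.0.113.11","session":"b2","dst_ip":"google.com","dst_port":443}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.12","session":"c3","username":"admin","password":"admin"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.12","session":"c4","username":"root","password":"F8Ek8HERbADE9DtADECmeVaCU"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.12","session":"c4","input":"uname -a"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.13","session":"d5","input":"echo -e \"iptv\\nPASS\\nPASS\"|passwd|bash"}
"""

# Tactic tags keyed on the command patterns seen in the post (detection only).
TACTICS = [
    ("ssh_key_implant", re.compile(r"authorized_keys|rm -rf \.ssh|mkdir \.ssh")),
    ("password_change", re.compile(r"\|\s*passwd\b|\bpasswd\s+\w+")),
    ("recon", re.compile(r"\buname\b")),
]


def summarize(log_text):
    """Group Cowrie JSON events by source IP and tag the tactics each one used."""
    report = defaultdict(lambda: {"creds": set(), "failed": 0, "commands": [],
                                  "tunnels": [], "tactics": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        entry = report[ev["src_ip"]]
        eid = ev.get("eventid", "")
        if eid == "cowrie.login.success":
            entry["creds"].add((ev.get("username"), ev.get("password")))
        elif eid == "cowrie.login.failed":
            entry["failed"] += 1  # repeated failures hint at credential-spraying scripts
        elif eid == "cowrie.command.input":
            cmd = ev.get("input", "")
            entry["commands"].append(cmd)
            entry["tactics"].update(name for name, pat in TACTICS if pat.search(cmd))
        elif eid == "cowrie.direct-tcpip.request":
            # Attacker asked the honeypot to open an outbound TCP tunnel (proxy probe).
            entry["tunnels"].append(f"{ev.get('dst_ip')}:{ev.get('dst_port')}")
            entry["tactics"].add("proxy_probe")
    return dict(report)


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, sorted(info["tactics"]), sorted(info["creds"]), info["tunnels"])
```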

Anyways, that was fun. I’m gonna turn it off though. Before all of Europe unites against me.

Thanks for reading!