Regarding motivation, don't leave us hanging; what were those bots up to? about sshesame HOT 3 CLOSED

A word of warning, bots finding and authenticating to your honeypot might add your IP address to some "hosts worth attacking" lists somewhere. I'd only run it on throwaway, dedicated VPS, or be ready to change the IP address of the host I was running it on once done.

As for gaining access to the attackers system, I don't think it's something worth doing.

• These are probably either compromised hosts or throwaway instances running in compromised cloud accounts, I don't think you'd find anything of interest.
• The attackers are not utilizing SSH channels which would allow gaining control over their clients (e.g. X11). They also don't use standard SSH implementations like OpenSSH. This means that you'd have to find a vulnerability in some unknown SSH implementation to do this.
• It's also probably illegal? Not a lawyer tho so IDK.

from sshesame.

I saw three patterns.
The majority of attackers tried to brute force IMAP, POP3 and SMTP credentials through TCP/IP forwarding. Like, they didn't even open a shell session or execute a command, the just went for some remote mail server and that's it.
Some tried to execute commands to retrieve info about the system (e.g. uname) and didn't do anything else (probably because the honeypot doesn't respond to these).
There were also attempts to download and execute shell scripts. I've carefully looked at a few, most of them were a bunch of wget commands downloading a binary compiled for various architectures and executing them. I didn't really look into the binaries themselves, my reverse engineering skills are not that great.

Also, you can very much recreate this yourselves. If you have a host with a public IPv4 address and something listening on port 22, bots will find it. Fire up a few cheap VPS hosts, move openssh to something other than port 22, run this honeypot on port 22 and collect logs over a few weeks or months.

from sshesame.

Ohh... that's interesting. I'm gonna try this on my VPS. I do get many attempts for password login on port 22 on ssh. Never thought about a honeypot to find out who they are. Wonder if you can also deliver a payload to them upon login to gain access to their system.

from sshesame.