cjc.im / posts / I trawled through the logs of the honeypot vps

As specified in the last post, I bought a VPS with the simple intention of letting it sit idle to see what (I can only guess) automated attempts at log in and access.

For this first little attempt, I left ssh running on the default port, and a bare httpd with no content to see what users attempted to log in, where from and what web addresses were attempted.

SSH login attempts

First off, lets look at the very predictable top 10 username attempts.

Attempts | Login
  189762 | root
      82 | admin
      46 | guest
      44 | test
      33 | oracle
      26 | git
      20 | mysql
      19 | support
      19 | info
      18 | ftpuser

A major win for root login attempts, no surprises there, same with the other in the top 10. An honourable mention should go out to he username pi which had 9 attempts over the course of the week. pi of course is the default username for the raspian linux distro. Pretty cool that it is on the list of default usernames to try.

IP Address access

There are literally too many IP addresses to list, or even do a top ten. Over the course of the week, there were around 190,000 login attempts to the VPS. A couple of interesting points to note about the addesses is that there was a significant chunk from the same subnet, which according to a quick search shows that it is a Hong Kong based ISP. Each of the IP addresses in the same subnet scanned between a few hundred and a few thousand times. The majority of the other addresses came from China. I have yet to really look up every single IP address, this might be an improvement for future reports.

HTTP Access addresses

Given that there is no hostname associated with the VPS (yet) there wasnt all that much traffic.

Amount | URL
    44 | /manager/html
    17 | http://www.******.com/
    18 | /
     3 | /phph/php/ph.php
     2 | /rom-0

Tackling these interesting requests in reverse order.

Interesting mention on the httpd logs was that there was 5 scans from masscan which is pretty cool.

Tags: infosec