The Importance of Security

We may have heard the constant drone of how essential security practices are and how cyber attacks happen every day, but not everyone might understand what an attack actually looks like. To help visualize it, I set up a Cowrie honeypot to log SSH and Telnet brute force attacks and shell interaction. Additionally, I set up an adbhoney honeypot designed for Android Debug Bridge over TCP/IP. I’ll go more in depth into both pots to show the different attack methods used and even some of the malware that the attackers tried to execute.

Cowrie Overview

The time range I filtered for was between 3pm and 11pm CST. During this time, a whopping 96% of attacks came from the U.S., with Kuwait, Canada, China, and Russia holding ~1% each. The U.S. attackers were spread around the country, but they were concentrated mostly in Los Angeles, CA. In total, there were 405 attacks, but only 4 attempted any kind of command line interaction. These 4 attacks and their commands originated from the same IP address, as shown below.

Attacker IP and commands used

Investigating the Attacker

Statistics and data on the rogue IP address
Reports on the attacker

As we can see, there is no doubt that the honeypot was far from the first system this attacker has hit: there are 2,350 reports on this address. The attacker appears to be attempting large numbers of connections to many machines on port 23, which is normally used by Telnet. But what is the attacker’s plan once a connection is established? Let’s look back at the commands the honeypot logged.

How to Prevent the Attack

Now that we’ve seen one kind of attack launched, how do we stop it? Since this honeypot deals with SSH and Telnet, the easiest solution is to avoid Telnet altogether, keep that port closed, and manage SSH keys carefully. Attackers struggle to break SSH encryption, but getting their hands on the keys gives them full access through SSH.
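One way to check that an SSH daemon actually follows this advice is to audit its configuration file. The script below is an added example, not part of the original post: it parses an `sshd_config` against real OpenSSH keywords (`PasswordAuthentication`, `PermitRootLogin`, `PubkeyAuthentication`, `PermitEmptyPasswords`), honours the rule that the first value of a keyword wins, and reports deviations from a key-only policy. The two sample configurations are constructed; the audit stops at the first `Match` block, which is a simplification.

```python
"""Audit an sshd_config for password logins and root access.

Added example (not from the post). Keywords are real OpenSSH sshd_config
directives; the sample configs below are constructed for illustration.
"""
import re

# Policy for a key-only SSH service: keyword -> acceptable values.
EXPECTED = {
    "passwordauthentication": ("no",),
    "permitrootlogin": ("no", "prohibit-password", "without-password"),
    "pubkeyauthentication": ("yes",),
    "permitemptypasswords": ("no",),
}


def parse_sshd_config(text):
    """Return {keyword_lower: value} using sshd's first-value-wins rule.

    Parsing stops at the first Match block (simplification: conditional
    overrides inside Match blocks are not evaluated here).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit(text):
    """Return a list of human-readable findings; empty means compliant."""
    settings = parse_sshd_config(text)
    findings = []
    for key, wanted in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key} not set explicitly (compiled-in default applies)")
        elif got.lower() not in wanted:
            findings.append(f"{key} is {got}, expected {'/'.join(wanted)}")
    return findings


# Constructed: a permissive configuration. The second PasswordAuthentication
# line is ignored by sshd because the first value wins.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# the next line does NOT override the previous one
PasswordAuthentication no
"""

# Constructed: a hardened configuration with a Match block at the end.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["OK"])
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit()`; an empty list means the daemon only accepts keys and refuses root password logins, which is the posture the paragraph above argues for.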

Adbhoney Overview

The hits on this honeypot are, in my opinion, more interesting than the ones on the Cowrie pot. I filtered for midnight to 8am CST and saw some interesting results. The majority of attacks came from Hong Kong, though the total is only a measly 36 compared to the Cowrie pot. However, the data tells a lot more than the attacks on the Cowrie did.

Attackers and commands run on adbhoney

Lots of juicy stuff in here. I saw a lot of busybox commands, like on the Cowrie, but the other commands such as “chmod” and “rm -rf” are what really caught my eye. Why would someone want to remove everything in the tmp directory? Well, let’s start with finding out more about the attacker first.
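Both the Cowrie section above and this adbhoney section rely on reading the honeypot’s log to find the few sessions that went beyond a login attempt and to spot commands such as `rm -rf` and `chmod`. The script below is an added example, not code from the post or from either honeypot project: it parses JSON-lines events in Cowrie’s format (`eventid`, `src_ip`, `session`, `input`), counts connections per source, pulls out the sessions that typed commands, and flags the command patterns discussed on this page. The sample log lines are constructed; the `adbhoney.*` event names are an assumption that its JSON output uses the same field layout, so adjust the field names to match your deployment.

```python
"""Triage honeypot JSON logs: connections per source, interactive
sessions, and commands worth a second look.

Added example, not part of the original post. Log lines are constructed
in Cowrie's JSON format; the adbhoney event names are an assumption.
"""
import json
import re
from collections import Counter, defaultdict

# Constructed sample log (not real honeypot data); one JSON object per line.
SAMPLE_LOG = """
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"a1","timestamp":"2019-05-01T21:00:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"a1","username":"root","password":"admin"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"a2"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","session":"a2","username":"root","password":"12345"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"a2","input":"enable"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"a2","input":"/bin/busybox ECCHI"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.9","session":"b1"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","session":"b1","username":"admin","password":"admin"}
{"eventid":"adbhoney.session.connect","src_ip":"192.0.2.44","session":"c1"}
{"eventid":"adbhoney.command.input","src_ip":"192.0.2.44","session":"c1","input":"rm -rf /data/local/tmp/*"}
{"eventid":"adbhoney.command.input","src_ip":"192.0.2.44","session":"c1","input":"chmod 0755 /data/local/tmp/a"}
this line is not JSON and must be skipped
"""

# Command patterns the page calls out, plus the usual stager fetch.
SUSPICIOUS = [
    ("recursive delete", re.compile(r"\brm\s+-(rf?|fr)\b")),
    ("mode change", re.compile(r"\bchmod\b")),
    ("busybox probe", re.compile(r"\bbusybox\b")),
    ("download", re.compile(r"\b(wget|curl|tftp)\b")),
]


def parse_events(text):
    """Return the well-formed events; non-JSON noise lines are dropped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "eventid" in event and "src_ip" in event:
            events.append(event)
    return events


def attacks_per_source(events):
    """Count sessions (connections) per source IP."""
    return Counter(e["src_ip"] for e in events
                   if e["eventid"].endswith(".session.connect"))


def interactive_sessions(events):
    """Map session id -> commands typed, only for sessions that typed any."""
    commands = defaultdict(list)
    for e in events:
        if e["eventid"].endswith(".command.input"):
            commands[e["session"]].append(e.get("input", ""))
    return dict(commands)


def flag_commands(commands):
    """Return (command, [labels]) for each command matching a pattern."""
    flagged = []
    for cmd in commands:
        labels = [name for name, rx in SUSPICIOUS if rx.search(cmd)]
        if labels:
            flagged.append((cmd, labels))
    return flagged


def triage(text):
    """Return (connections per IP, per-session report for interactive sessions)."""
    events = parse_events(text)
    per_ip = attacks_per_source(events)
    report = {}
    for sid, cmds in interactive_sessions(events).items():
        src_ip = next(e["src_ip"] for e in events if e.get("session") == sid)
        report[sid] = {"src_ip": src_ip, "commands": cmds,
                       "flagged": flag_commands(cmds)}
    return per_ip, report


if __name__ == "__main__":
    per_ip, report = triage(SAMPLE_LOG)
    print("connections per source:", dict(per_ip))
    for sid, info in report.items():
        print(sid, info["src_ip"], info["flagged"])
```

On a real deployment, feed `triage()` the contents of Cowrie’s `cowrie.json` (or the equivalent adbhoney log); the `flagged` entries are the handful of sessions, out of hundreds of bare login attempts, that justify the kind of follow-up investigation shown on this page.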

Investigating the “rm” Attacker

Now that we have the IP address of the attacker we want to investigate, we can rinse and repeat the address check.

“rm” attacker check

This attacker is a little less known, but nonetheless, there are still a few reports on it. Now that we’ve found out a little more about the attacker, we can get into the commands and the malware they tried to use. Let’s refer again to that picture of the commands run on the pot.

Look familiar? It looks a lot like the commands this attacker used on the honeypot. Now we have a coherent story about this attacker and their intentions for the honeypot.

How to Prevent this Attack

Luckily, preventing an attack like this on Android is relatively simple, just EXTREMELY important. First of all, keep software patched and up-to-date; the developers release updates for a reason! Second, make sure you’re installing software from trusted sources, as unreliable sources could be hackers lying in wait for their next victim. And finally, avoid suspicious websites that can inject a program like this into your device.

Conclusion

Hopefully this visual representation of some popular attacks helps you see that the internet can be a scary place if you’re not careful! But by following those security best practices your IT people constantly remind you about, you have nothing to worry about. Stay safe, and browse responsibly!
