infosec

Stuck in a honeypot of stupidity

I don't get a lot of Kippo honeypot hits these days, but every now and then one comes along.

Even more rarely do I get one like this, where the script kiddie is more stupid than anything I could possibly have predicted...

To the kiddies out there:

Not sure why ls'ing the same directory a good 10 times is expected to deliver different results.

Typing a program's name multiple times doesn't magically install it in between those attempts either.

Pretty sure 'net users' doesn't work on Linux either.

Kippo SSH honeypot attacks

Two of my favourite (so far) non-bot script kiddie attacks against my Kippo SSH honeypot.

Honeypot fun with Nepenthes

I've been running a honeypot on a server running Nepenthes, which is apt-get installable on Debian Lenny at the time of writing.

Nepenthes works by starting up a bunch of emulated vulnerable services on all the typical ports you'd expect. It then monitors and reports on automated sniffers and malware attacks that think they're delivering payload to a real service.

The server has been running for 24 hours - here are my stats using the Submissions2stat.py log parser by Andrew Waite.

 
