For about a month now I have had an SSH honeypot running on a VPS. The honeypot is Kippo, which likes to taunt its victims. Over the past month there have been hundreds of successful login attempts, and much of it is what seems to be the standard stuff: people trying to download and run IRC bots, DDoS tools, IRC bouncers, HTTP servers, and generally a bunch of low-quality stuff. It turns out that running a honeypot is great fun. Most of the "hackers" seem to follow some sort of guide and are not very familiar with using Unix systems, so when the guide they are following fails they struggle with basic Unix tasks like listing directories, downloading files, and changing directory.
Then a "group" of "hackers" comes along and tries to run a Counter-Strike server on the honeypot. I put group in quotes here because I don't actually know if they are in a group; they are not friends on Facebook, so if they are in a group they haven't revealed their identities to each other. Now you might wonder how I know whether they are Facebook friends or not. Here Kippo's taunting implementation of the adduser command comes into play. Below is an example of how the adduser command in the honeypot works.
    sales:~# adduser example
    Adding user `example' ...
    Adding new group `example' (1001) ...
    Adding new user `example' (1001) with group `example' ...
    Creating home directory `/home/example' ...
    Copying files from `/etc/skel' ...
    Password:
    Password again:
    Changing the user information for example
    Enter the new value, or press ENTER for the default
            Username :
            Full Name :
            Room Number :
            Work Phone :
            Home Phone :
            Mobile Phone :
            Country :
            City :
            Language :
            Favorite movie :
            Other :
    Is the information correct? [Y/n]
It says to press ENTER for the default value, but doing so gives an error message, to the "hackers'" great despair. Once all the information is filled out it asks if the information entered is correct. By this point they are pressing random keys on the keyboard and hitting Enter as fast as possible, so most of them go right past the question and have to do it all over again. The next time they go slower and answer yes to the question. Now two things can happen: either it will say that some information was incorrect and that they have to start over again, or it will just start over again for no good reason. They enter more and more realistic information each time it fails, and eventually they answer the questions truthfully with their real name, country, city, and favorite movie...
I thought I had struck gold when just one of them did it, but over the next two weeks a total of 9 people did it! I was dumbstruck: who fills in their real name on a server they know they are accessing without consent?
So let's take a look at these people to see who they are. Some of them had very unique eastern European names, giving only one result when searched for; others had more common names, so I can't be as sure that I found the right Facebook profile. This is one of the reasons this post will not contain any names: at best I don't really have any good proof that they entered this information themselves, except for one of them, who posted a screenshot of a PuTTY session connected to what seems to be my server, with the last part of the IP censored.
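To make the mechanism concrete, here is a small Python model of the deceptive adduser dialogue described above. It is an added illustration, not Kippo's own code: the field order comes from the transcript in this post, while the exact error texts, the "blank answer restarts the form" rule, the number of confirmed submissions that get rejected before the command finally "succeeds", and the sample attacker input are all assumptions constructed for the example. The point it shows is that every round of answers, including the rejected ones, is worth recording, because the later rounds are the ones that tend to be truthful.

```python
"""Model of a deceptive interactive `adduser`, in the spirit of the Kippo
honeypot command described in the post.  Added illustration: this is not
Kippo's code, and the error texts and restart rules are assumptions."""
from typing import Callable, Dict, List, Optional

# Profile questions in the order the honeypot transcript in the post shows them.
PROFILE_FIELDS = [
    "Username", "Full Name", "Room Number", "Work Phone", "Home Phone",
    "Mobile Phone", "Country", "City", "Language", "Favorite movie", "Other",
]


class SessionEnded(Exception):
    """Raised when the simulated attacker disconnects mid-dialogue."""


def fake_adduser(username: str, read_line: Callable[[], str],
                 write: Callable[[str], None], reject_confirmed: int = 1) -> List[Dict]:
    """Run the dialogue and return every round of answers the attacker typed.

    Rejected rounds are recorded too: each retry tends to be more truthful,
    so the evolving answers are the intelligence.  reject_confirmed is how
    many confirmed submissions to reject before the command "succeeds"
    (an assumption; Kippo's own rule is not documented here).
    """
    write(f"Adding user `{username}' ...\n")
    write(f"Adding new group `{username}' (1001) ...\n")
    write(f"Adding new user `{username}' (1001) with group `{username}' ...\n")
    write(f"Creating home directory `/home/{username}' ...\n")
    write("Copying files from `/etc/skel' ...\n")
    write("Password: \nPassword again: \n")

    recorded: List[Dict] = []
    round_no = 0
    confirmed = 0
    while True:
        round_no += 1
        write(f"Changing the user information for {username}\n")
        write("Enter the new value, or press ENTER for the default\n")
        answers: Dict[str, str] = {}
        blank = False
        for field in PROFILE_FIELDS:
            write(f"\t{field} : ")
            value = read_line().strip()
            if not value:
                # The prompt promises a default, but the honeypot refuses one
                # (assumed behaviour) and sends the attacker back to the start.
                write("adduser: invalid value, starting over\n")
                blank = True
                break
            answers[field] = value
        if blank:
            recorded.append({"round": round_no, "complete": False,
                             "confirmed": False, "answers": answers})
            continue
        write("Is the information correct? [Y/n] ")
        said_yes = read_line().strip().lower() == "y"
        recorded.append({"round": round_no, "complete": True,
                         "confirmed": said_yes, "answers": answers})
        if not said_yes:
            continue  # a mashed Enter or anything but 'y' restarts the form
        confirmed += 1
        if confirmed <= reject_confirmed:
            write("adduser: some of the information is incorrect, try again\n")
            continue
        write(f"Adding user `{username}' ... done.\n")
        return recorded


def best_profile(rounds: List[Dict]) -> Optional[Dict[str, str]]:
    """Answers from the last round the attacker confirmed, or None."""
    for r in reversed(rounds):
        if r["confirmed"]:
            return r["answers"]
    return None


def run_scripted(username: str, lines: List[str]):
    """Drive the dialogue with scripted input; returns (rounds, transcript)."""
    it = iter(lines)
    out: List[str] = []

    def read_line() -> str:
        try:
            return next(it)
        except StopIteration:
            raise SessionEnded("attacker disconnected") from None

    rounds = fake_adduser(username, read_line, out.append)
    return rounds, "".join(out)


# Constructed sample of the behaviour the post describes: round 1 hits Enter
# for a "default", round 2 mashes Enter at the confirmation, round 3 is the
# first confirmed (and rejected) attempt, round 4 gives up and tells the truth.
SAMPLE_INPUT = (
    ["example", ""]
    + ["example", "asd", "1", "1", "1", "1", "xx", "xx", "en", "x", "x", ""]
    + ["example", "A. Example", "1", "1", "1", "1", "Nowhere", "Nowhere",
       "en", "none", "none", "y"]
    + ["example", "Alice Example", "12", "555-0100", "555-0101", "555-0102",
       "Exampleland", "Example City", "en", "Hackers", "-", "y"]
)

if __name__ == "__main__":
    rounds, transcript = run_scripted("example", SAMPLE_INPUT)
    print(transcript)
    print("best guess at the attacker's profile:", best_profile(rounds))
```

Running the file prints the full fake transcript for the constructed session and then the answers from the last confirmed round, which is the round a real honeypot operator would look at first when trying to work out who was on the other end.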
I managed to track 7 of them on social networks like Facebook, Google+ or Twitter:
- Macedonia - 3 people, 2 of them from Struga.
- Kosovo - 2 people, both from Pristina.
- Albania - 2 people.
Most of these people are members of open groups on Facebook with questionable content; below is a list of a few of the groups. It amazes me how public these groups are, with people sharing information about compromised systems using their full names.
One of the "hackers" was a member of, or had liked, over 15 pages similar to the ones above, so there is a vast number of such communities on Facebook. Sadly I didn't find any group that all of them are members of, so there is likely some kind of common connection point outside of Facebook.
The name EM-Hosting appears in many of the groups; EM-Hosting seems to have a bunch of groups and pages on Facebook. I have some reason to believe that the guy behind EM-Hosting has something to do with all of this, because of various information that was logged by the honeypot. Judging by its Facebook groups, EM-Hosting seems to be a small company that sells Counter-Strike servers, which matches the activity in my logs very well, so it is basically a company that hosts services on compromised systems and sells them. Googling EM-Hosting gives a bunch of different results; there seem to be several hosting companies called EM-Hosting without much linking them except for the name. One of the groups links to http://www.em-hosting.com/, which has had its hosting account suspended.... Looking at the whois information for the domain gives a name that does not match who I think "owns" this company; maybe the "hacker" was scared of using his real name when buying a domain...
They haven't given up yet, and every day I have people trying to host Counter-Strike servers on my honeypot. There will likely be a part 2 of this when I have some more time to dig deeper and see if I can find the common connection point.