For about a month now I have had an SSH honeypot running on a VPS. The honeypot is Kippo, which likes to taunt its victims.
Over the past month there have been hundreds of successful login attempts, and much of it seems to be the standard stuff
of people trying to download and run IRC bots, DDoS tools, IRC bouncers, HTTP servers, and generally a bunch of low
quality stuff. It turns out that running a honeypot is great fun: most of the "hackers" seem to follow some sort of
guide and are not very familiar with using Unix systems, so when the guide they are following fails they struggle with
doing basic Unix stuff like listing directories, downloading files, changing directory and such.
Then a "group" of "hackers" comes along and tries to run a Counter-Strike server on the honeypot. I put group in quotes
here because I don't actually know if they are in a group; they are not friends on Facebook, so if they are in a group
they haven't revealed their identities to each other. Now you might wonder, how do I know whether they are Facebook friends or
not? Here Kippo's taunting implementation of the adduser command comes into play. Below is an example of how the adduser
command in the honeypot works.
sales:~# adduser example
Adding user `example' ...
Adding new group `example' (1001) ...
Adding new user `example' (1001) with group `example' ...
Creating home directory `/home/example' ...
Copying files from `/etc/skel' ...
Changing the user information for example
Enter the new value, or press ENTER for the default
Full Name :
Room Number :
Work Phone :
Home Phone :
Mobile Phone :
Favorite movie :
Is the information correct? [Y/n]
It says to press ENTER for the default value, but doing so gives an error message, to the "hackers'" great despair. Once all
the information is filled out it asks if the information entered is correct. By this point they are pressing random keys
on the keyboard and hitting enter as fast as possible, so most of them go right past the question and have to do it
all over again. The next time they go slower and answer yes to the question, and now two things can happen: either it will
say that some information was incorrect and that they have to start over again, or it will just start over again for no
good reason. They enter more and more realistic information each time it fails, and eventually they answer the
questions truthfully with their real name, country, city, and favorite movie...
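To make that behaviour concrete, here is an added Python simulation of such a taunting adduser prompt. It is written for this post and is not Kippo's own code: it asks the questions from the transcript above, treats ENTER as an error instead of a default, sends a confirmed form back a couple of times before accepting it (the number of rejections and the error wording are my assumptions), and logs every attempt's answers so a honeypot operator can see how the story changes from attempt to attempt. The scripted keystrokes are constructed.

```python
"""Simulated taunting `adduser` prompt for an SSH honeypot shell (illustration, not Kippo's code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Question order copied from the transcript in the post.
FIELDS = ["Full Name", "Room Number", "Work Phone", "Home Phone",
          "Mobile Phone", "Favorite movie"]


@dataclass
class Attempt:
    """One pass through the form and how it ended."""
    answers: Dict[str, str]
    outcome: str  # disconnected | empty-input | not-confirmed | rejected | restarted | accepted


@dataclass
class TauntingAddUser:
    username: str
    rejections_before_accept: int = 2  # assumed knob; the page does not show Kippo's real policy
    log: List[Attempt] = field(default_factory=list)
    transcript: List[str] = field(default_factory=list)

    def _say(self, line: str) -> None:
        self.transcript.append(line)

    def _one_pass(self, readline: Callable[[], str], answers: Dict[str, str]) -> Optional[str]:
        """Ask every question once, filling `answers`; return an outcome if the pass already failed."""
        for name in FIELDS:
            self._say(f"{name} : ")
            value = readline().strip()
            if value == "":
                # The promised default is a lie: an empty answer is an error and the form restarts.
                self._say(f"adduser: invalid value for {name}")
                return "empty-input"
            answers[name] = value
        self._say("Is the information correct? [Y/n]")
        if readline().strip().lower() not in ("y", "yes"):
            return "not-confirmed"  # mashed keys blow straight past the question
        return None

    def run(self, readline: Callable[[], str]) -> Optional[Dict[str, str]]:
        """Drive the prompt with `readline`; return the accepted answers, or None if the client drops."""
        u = self.username
        for msg in (f"Adding user `{u}' ...", f"Adding new group `{u}' (1001) ...",
                    f"Adding new user `{u}' (1001) with group `{u}' ...",
                    f"Creating home directory `/home/{u}' ...", "Copying files from `/etc/skel' ..."):
            self._say(msg)
        rejections = 0
        while True:
            self._say(f"Changing the user information for {u}")
            self._say("Enter the new value, or press ENTER for the default")
            answers: Dict[str, str] = {}
            try:
                outcome = self._one_pass(readline, answers)
            except StopIteration:  # the scripted channel ran dry, i.e. the intruder disconnected
                outcome = "disconnected"
            if outcome is None and rejections < self.rejections_before_accept:
                rejections += 1
                if rejections % 2:
                    self._say("Some of the information entered was invalid, please try again.")
                    outcome = "rejected"
                else:
                    outcome = "restarted"  # silently start over for no good reason
            if outcome is None:
                outcome = "accepted"
            self.log.append(Attempt(answers, outcome))  # partial answers are kept on every failure
            if outcome == "accepted":
                return answers
            if outcome == "disconnected":
                return None


def replay(inputs: Iterable[str], rejections_before_accept: int = 2
           ) -> Tuple[TauntingAddUser, Optional[Dict[str, str]]]:
    """Feed scripted keystroke lines to the prompt, the way a honeypot's SSH channel would."""
    it = iter(inputs)
    sim = TauntingAddUser("example", rejections_before_accept)
    return sim, sim.run(lambda: next(it))


def progression(log: List[Attempt], name: str) -> List[str]:
    """Every value an intruder gave for one field, attempt by attempt; this is where the honesty shows."""
    return [a.answers[name] for a in log if name in a.answers]


# Constructed session: ENTER for the "default", key mashing, then increasingly realistic answers.
SESSION_INPUTS = [
    "",
    "asd", "asd", "asd", "asd", "asd", "asd", "asdf",
    "John Doe", "1", "1", "1", "1", "Matrix", "y",
    "John Doe", "12", "555", "555", "555", "The Matrix", "y",
    "John Doe", "12", "555", "555", "555", "The Matrix", "y",
]

if __name__ == "__main__":
    sim, accepted = replay(SESSION_INPUTS)
    print("\n".join(sim.transcript))
    print([a.outcome for a in sim.log])
    print("Favorite movie over time:", progression(sim.log, "Favorite movie"))
```

The point of keeping a log entry per attempt rather than only the accepted form is the one the post makes: the interesting data is the drift from "asd" to a plausible name and a real favorite movie, and that drift is only visible if the failed passes are recorded too.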
I thought I had struck gold when just one of them did it, but over the next two weeks a total of 9 people did it! I
was dumbstruck: who fills in their real name on a server they know they are accessing without consent?
So let's take a look at these people to see who they are. Some of them had very unique eastern European names giving only
1 result when searched for; others had more common names, so I can't be as sure that I found the right Facebook profile.
This is one of the reasons this post will not contain any names: at best I don't really have any good proof that
they entered this information themselves, except for one of them, who posted a screenshot of a PuTTY session connecting
to what seems to be my server, with the last part of the IP censored.
I managed to track 7 of them on social networks like Facebook, Google+ or Twitter:
- Macedonia - 3 people, 2 of them from Struga.
- Kosovo - 2 people, both from Pristina.
- Albania - 2 people.
Most of these people are members of open groups on Facebook with questionable content; below is a list of a few of the
groups. It amazes me how public these groups are, with people sharing information about compromised systems using
their full names.
One of the "hackers" was a member of, or liked, over 15 pages similar to the ones above, so there is a vast number
of such communities on Facebook. Sadly I didn't find any group that all of them are members of, so there is likely some
kind of common connection point outside of Facebook.
The name EM-Hosting seems to appear in many of the groups. EM-Hosting seems to have a bunch of groups and pages on
Facebook, and I have some reasons to believe that the guy behind EM-Hosting has something to do with all of this,
because of various information that was logged by the honeypot. Judging by the EM-Hosting groups on Facebook it seems to be a small
company that sells Counter-Strike servers, which matches the activity in my logs very well, so it is basically a
company that hosts services on compromised systems and sells them. Googling EM-Hosting gives a bunch of different
results; there seem to be several hosting companies called EM-Hosting without much linking them except for the name.
One of the groups links to http://www.em-hosting.com/, which has had its hosting account suspended.... Looking at the
whois information of the domain gives a name that does not match who I think "owns" this company; maybe the
"hacker" was scared of using his real name when buying a domain...
They haven't given up yet, and every day I have people trying to host Counter-Strike servers on my honeypot. There will
likely be a part 2 of this when I have some more time to dig deeper and see if I can find the common connection point.