SSH honeypot attack data: What Happens When You Put a Server on the Internet

SSH honeypot attack data shows that internet-exposed servers are targeted almost immediately by automated bots performing Linux SSH brute force attacks, reconnaissance scans, and malware deployment attempts. Within days, attackers may attempt credential harvesting, install cryptominers like Redtail, or deploy botnet malware such as the Outlaw Linux campaign.

Introduction

Running a server on the public internet exposes it to continuous automated attacks. To understand exactly what attackers attempt, I deployed a cloud SSH honeypot designed to collect real-world SSH honeypot attack data.

In just five days, the honeypot recorded:

  • 28,126 attack events
  • 898 successful attacker sessions
  • 12 malware samples captured
  • 3 active attack campaigns

The results show how quickly internet honeypot attack traffic escalates when a server becomes publicly accessible.

What SSH Credential Attacks Reveal

The collected SSH honeypot attack data highlights patterns common in Linux SSH brute force attacks.

Top Usernames Attempted

Count  Username
-----  ------------
  156  user
  145  admin
   99  sol
   81  345gs5662d34
   81  oracle
   80  ubuntu
   77  postgres
   62  test
   34  git
   33  solana
   33  mysql
   32  tomcat

These usernames are not random guesses.

Instead, they target specific infrastructure roles:

  • Database services: postgres, oracle, mysql
  • Cloud hosts: ubuntu
  • Application servers: tomcat
  • Blockchain infrastructure: sol, solana
  • IoT defaults: 345gs5662d34 (Polycom CX600 phones)

Password attempts were predictable:

  • 123456
  • password
  • admin
  • P@ssw0rd123

If a public server allows password authentication using any of these, compromise occurs almost instantly.

For deeper analysis of SSH brute force activity, see the SANS Internet Storm Center report:
https://isc.sans.edu/diary/30950


Campaign 1: Reconnaissance Scanners

The highest-volume attackers executed a single command:

uname -s -v -n -r -m

This command identifies:

  • operating system
  • kernel version
  • hostname
  • CPU architecture

The goal is target fingerprinting.

These bots build databases of vulnerable infrastructure before launching exploitation campaigns.

This type of internet honeypot attack traffic is often the first stage of multi-phase attacks.

Campaign 2: Outlaw Linux Malware

The second campaign matched indicators of the Outlaw Linux malware campaign, also known as Dota botnet.

According to research from Trend Micro and Elastic Security Labs, the group has operated since 2018.

The attacker's session commands replaced the user's authorized_keys to install a persistent SSH backdoor:

cd ~ && rm -rf .ssh && mkdir .ssh
echo "ssh-rsa ...== mdrfckr" >> .ssh/authorized_keys
chmod -R go= ~/.ssh

Indicators of Compromise

Key traits of the Outlaw Linux malware campaign include:

  • SSH key comment: mdrfckr
  • Miner process name: kswapd0
  • Persistence directories:
    • ~/.configrc5/
    • ~/.configrc6/

The malware installs three components:

  1. XMRig Monero miner
  2. IRC shellbot backdoor
  3. BLITZ SSH propagation worm

A full breakdown of the malware is available from Elastic Security Labs:
https://www.elastic.co/security-labs/outlaw-linux-malware

Campaign 3: Redtail Cryptominer Malware

The third campaign deployed Redtail cryptominer malware, one of the more sophisticated Linux mining threats observed recently.

Each session uploaded six files:

clean.sh
setup.sh
redtail.arm7
redtail.arm8
redtail.i686
redtail.x86_64

The malware then executed a deployment script designed to evade common hardening techniques.

Redtail Evasion Techniques

The Redtail cryptominer malware demonstrates several advanced tactics:

  • Detects noexec mounted filesystems
  • Creates random hidden executable names
  • Deletes installer artifacts after execution
  • Enables SSH lateral movement

Example C2 confirmation beacon, decoded:

auth_ok

This beacon confirms successful compromise.

Notably, the first script executed (clean.sh) looks for competing cryptominers such as c3pool_miner and kills their processes before the Redtail miner is installed.

Akamai researchers previously documented Redtail exploitation chains targeting multiple vulnerabilities:
https://www.akamai.com/blog/security-research/2024-redtail-cryptominer-pan-os-cve-exploit

Key Indicators of Compromise

Redtail Campaign

  • Dropper IPs:
    • 130.12.180.51
    • 213.209.159.158
  • C2 server:
    • 178.16.55.224:25720
  • HTTP user agent:
    • libredtail-http
  • Beacon string:
    • auth_ok

Outlaw Campaign

  • SSH key comment:
    • mdrfckr
  • Miner process:
    • kswapd0
  • Persistence folders:
    • .configrc5
    • .configrc6
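A small triage routine that applies the indicators listed above (the uname recon command, the Outlaw key comment and persistence directories, the Redtail file names, dropper IPs, C2 address and user agent) to captured honeypot sessions. This is an added example, not code from the original post or from any honeypot project; the session records are constructed, and the record fields (session_id, src_ip, username, commands, uploads, user_agent) are an assumed layout rather than any real honeypot's log schema.

```python
import re
from collections import Counter

# Indicators taken from the campaign IoC lists above.
OUTLAW_KEY_COMMENT = "mdrfckr"
OUTLAW_DIRS = (".configrc5", ".configrc6")
REDTAIL_DROPPER_IPS = {"130.12.180.51", "213.209.159.158"}
REDTAIL_C2 = "178.16.55.224:25720"
REDTAIL_UA = "libredtail-http"
RECON_CMD = re.compile(r"^\s*uname\b")
REDTAIL_FILE = re.compile(r"^(clean\.sh|setup\.sh|redtail\.(arm7|arm8|i686|x86_64))$")


def classify_session(session):
    """Return the set of campaign labels whose indicators this session matches.

    A session may match more than one campaign (e.g. recon followed by a drop),
    or none at all, so the result is a set rather than a single label.
    """
    labels = set()
    commands = session.get("commands", [])
    joined = "\n".join(commands)

    # Campaign 1: fingerprinting via uname.
    if any(RECON_CMD.match(c) for c in commands):
        labels.add("recon")

    # Campaign 2: Outlaw key comment or persistence directory in the command stream.
    if OUTLAW_KEY_COMMENT in joined or any(d in joined for d in OUTLAW_DIRS):
        labels.add("outlaw")

    # Campaign 3: Redtail uploads, user agent, dropper IP or C2 address.
    uploads = session.get("uploads", [])
    if (any(REDTAIL_FILE.match(f) for f in uploads)
            or session.get("user_agent") == REDTAIL_UA
            or session.get("src_ip") in REDTAIL_DROPPER_IPS
            or REDTAIL_C2 in joined):
        labels.add("redtail")

    return labels


def summarize(sessions):
    """Count sessions per campaign label and per attempted username."""
    campaigns = Counter()
    usernames = Counter()
    for s in sessions:
        usernames[s["username"]] += 1
        for label in classify_session(s):
            campaigns[label] += 1
    return campaigns, usernames


# Constructed sample sessions (assumed record layout, not real honeypot output).
SESSIONS = [
    {"session_id": 1, "src_ip": "198.51.100.10", "username": "root",
     "commands": ["uname -s -v -n -r -m"]},
    {"session_id": 2, "src_ip": "198.51.100.11", "username": "ubuntu",
     "commands": ["cd ~ && rm -rf .ssh && mkdir .ssh",
                  'echo "ssh-rsa AAAAB3NzaC1yc2EXAMPLE== mdrfckr" >> .ssh/authorized_keys',
                  "chmod -R go= ~/.ssh"]},
    {"session_id": 3, "src_ip": "130.12.180.51", "username": "postgres",
     "commands": ["sh clean.sh", "sh setup.sh"],
     "uploads": ["clean.sh", "setup.sh", "redtail.arm7", "redtail.arm8",
                 "redtail.i686", "redtail.x86_64"],
     "user_agent": "libredtail-http"},
    {"session_id": 4, "src_ip": "198.51.100.12", "username": "admin",
     "commands": ["ls -la"]},
]

if __name__ == "__main__":
    campaigns, usernames = summarize(SESSIONS)
    for s in SESSIONS:
        print(s["session_id"], s["username"], sorted(classify_session(s)) or "-")
    print("campaigns:", dict(campaigns))
    print("usernames:", dict(usernames))
```

String matching on the IoCs is deliberately simple: the point is that each campaign leaves a distinct footprint in the session transcript, so a few fixed indicators are enough to separate them once the sessions are logged.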

How to Protect Linux Servers

Based on the collected SSH honeypot attack data, the following mitigations block most of the attacks observed:

1. Disable Password Authentication

Use SSH keys only.

This blocks the majority of Linux SSH brute force attacks.

2. Audit SSH Keys

Check:

~/.ssh/authorized_keys

Look for unknown entries, and check whether the file has been marked immutable so that your own edits to it fail.

3. Monitor Suspicious Processes

Investigate processes named:

kswapd0

The legitimate kswapd0 is a kernel thread, not a user-space process backed by a binary on disk.

4. Harden Temporary Directories

Mount directories with noexec:

/tmp
/dev/shm

While Redtail attempts to bypass this, it still removes common execution paths.
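The four checks above, expressed as functions over the text an administrator would normally pull from the host (`sshd -T` output, authorized_keys, `lsattr`, `ps -eo pid,ppid,comm,args`, and /proc/mounts). This is an added example, not code from the original post; the sample outputs are constructed so the checks run offline, and the allowlist of key comments is an assumption about how an operator tracks their own keys.

```python
# Offline audit of the hardening points above. Each function parses text the
# host would produce, so it can run on constructed samples or on real output.

def password_auth_enabled(sshd_t_output):
    """True if `sshd -T` reports passwordauthentication yes (OpenSSH default)."""
    for line in sshd_t_output.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() == "passwordauthentication":
            return value.strip().lower() == "yes"
    return True  # not reported: assume the default, which is yes


def suspicious_authorized_keys(content, known_comments):
    """Flag key lines whose comment is not in the operator's allowlist,
    and call out the Outlaw comment 'mdrfckr' explicitly."""
    findings = []
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Options may precede the key type, so locate the key-type field first.
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        comment = " ".join(parts[idx + 2:]) if idx is not None else ""
        if comment == "mdrfckr":
            findings.append("outlaw key comment: " + line)
        elif comment not in known_comments:
            findings.append("unknown key: " + line)
    return findings


def immutable_flag_set(lsattr_line):
    """lsattr prints the flag field first, e.g. '----i---------e------- /path'."""
    return "i" in lsattr_line.split()[0]


def fake_kswapd0(ps_output):
    """Return PIDs of kswapd0 processes that are not kernel threads.

    Real kernel threads are children of kthreadd (PPID 2) and show their
    name in brackets; anything else named kswapd0 is user-space.
    """
    suspicious = []
    for line in ps_output.splitlines():
        fields = line.split(None, 3)
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # header or malformed line
        pid, ppid, comm, args = int(fields[0]), int(fields[1]), fields[2], fields[3]
        if comm == "kswapd0" and (ppid != 2 or not args.startswith("[")):
            suspicious.append(pid)
    return suspicious


def mounts_missing_noexec(proc_mounts, paths=("/tmp", "/dev/shm")):
    """Report paths not mounted with noexec (or not separately mounted at all)."""
    options = {}
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            options[fields[1]] = fields[3].split(",")
    return [p for p in paths if p not in options or "noexec" not in options[p]]


# Constructed sample host output (not captured from a real system).
SSHD_T = "port 22\npasswordauthentication yes\npubkeyauthentication yes\n"
AUTH_KEYS = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLE admin@laptop\n"
    "ssh-rsa AAAAB3NzaC1yc2EXAMPLE== mdrfckr\n"
)
LSATTR = "----i---------e------- /home/ubuntu/.ssh/authorized_keys"
PS = """  PID  PPID COMMAND         COMMAND
    2     0 kthreadd        [kthreadd]
   81     2 kswapd0         [kswapd0]
 4120  4098 kswapd0         /home/ubuntu/.configrc5/a/kswapd0
"""
MOUNTS = """tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda1 / ext4 rw,relatime 0 0
"""


def audit():
    """Run all checks on the samples and return the findings as a dict."""
    return {
        "password_auth": password_auth_enabled(SSHD_T),
        "keys": suspicious_authorized_keys(AUTH_KEYS, {"admin@laptop"}),
        "immutable_authorized_keys": immutable_flag_set(LSATTR),
        "fake_kswapd0_pids": fake_kswapd0(PS),
        "missing_noexec": mounts_missing_noexec(MOUNTS),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

On a live host the same functions can be fed `subprocess` output instead of the constants; the parsing does not change. The kswapd0 check uses both the bracketed name and the kthreadd parent because a miner can set its own argv[0], but it cannot become a child of PID 2.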

Why Running a Honeypot Matters

Deploying a honeypot provides real threat visibility.

Even a small instance quickly captures:

  • credential attacks
  • malware campaigns
  • botnet propagation attempts

For organizations running public infrastructure, honeypot telemetry provides valuable threat intelligence at almost no cost.

If you want to understand what attackers see when they scan the internet, the answer is simple:

Look at the logs.

P.S. Special thanks to Kat Fitzgerald for the great guidance on setting things up!
