First attack on HonSSH, Honeypot Pi – Attacker from India

This is the first real non-bot attack on my honeypot set up with HonSSH. The attacker is trying to set up sqlmap, which has a known vulnerability for SQL injection, and has some trouble getting it to work.

1) Even though, from the outside, the server appears from a web perspective to have SQL because of a fake phpMyAdmin and other SQL-based web app directories, it does not. It is a sort of simple low-interaction web honeypot.

2) After apparently teaching himself how to type when he first logs in, the attacker thinks he is on an x86_64 machine because of a spoofed uname command, when he is really on an ARM Raspberry Pi.

3) There are no dependencies on the machine for the sqlmap program he is trying to install.

HonSSH captured all commands run and all downloaded files.

Also, the attacker, who apparently logged in through some sort of proxy or Tor network disguising his IP, when frustrated, “wget’s” a file from his own machine, which is running apache2 amongst many exploitable web apps. I had full access to his phpMyAdmin, to which I did nothing.

This is actually 3 sessions played sequentially.