My friends at DigitalOcean were nice enough to give me a generous amount of credit on their cloud platform to do some security research with, so I decided to do the most reckless thing I could think of and run a full SSH honeypot on the internet.
The build-out is pretty simple: it is the SSHoneypot Docker container I wrote, running on a Debian droplet with all outbound traffic blocked so that in theory not much damage can be done.
Surprisingly, it took a few days for people to start exploiting the boxes, but when I got up this morning two of the boxes had been “hacked”.
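The outbound block is what keeps a honeypot like this from becoming a launch point once someone lands a shell in it. The script below is an added example, not the post's own build or the SSHoneypot project's code. It shows one way to do that lockdown for a Docker-hosted honeypot using the `DOCKER-USER` chain that Docker reserves for user rules: replies to connections the attacker opened inbound are still allowed through (`ESTABLISHED,RELATED`), every other packet the container originates is logged and then dropped. The bridge subnet `172.17.0.0/16` is an assumption (Docker's default `docker0` range), and `DRY_RUN=1` only prints the rules so you can review them before running with `DRY_RUN=0` as root.

```shell
#!/bin/sh
# Egress lockdown for a honeypot container (added example, not from the post).
# Assumption: the honeypot runs on the default docker0 bridge, 172.17.0.0/16.
HP_SUBNET="${HP_SUBNET:-172.17.0.0/16}"
# 1 = print the iptables commands, 0 = actually apply them (needs root).
DRY_RUN="${DRY_RUN:-1}"

# Wrapper so the same rule list can be previewed or applied.
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

# Each rule is inserted at position 1 of DOCKER-USER, so the LAST command
# here ends up FIRST in the chain. Final chain order:
#   1. RETURN  traffic that belongs to a connection the attacker opened to us
#   2. LOG     anything else the container tries to send (rate limited)
#   3. DROP    ... and drop it, so the box cannot scan, call home or pivot
honeypot_egress_rules() {
  ipt -I DOCKER-USER 1 -s "$HP_SUBNET" -j DROP
  ipt -I DOCKER-USER 1 -s "$HP_SUBNET" -m limit --limit 10/min \
      -j LOG --log-prefix "honeypot-egress: "
  ipt -I DOCKER-USER 1 -s "$HP_SUBNET" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
}

honeypot_egress_rules
```

The `LOG` rule is there for detection as much as for debugging: a burst of `honeypot-egress:` lines in the kernel log is the earliest sign that someone got code running in the container and is trying to reach out, often before any file shows up on disk.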
In order to share these findings with the community I will copy all files written to these honeypots to honeyfiles.jgamblin.com.
I have a long way to go with this project, as way too much of it is manual right now. I need to invest the time to automate notification, moving the files to the web server, and starting a new container.
If you are interested in full pcaps or any of the actual exploited SSHoneypot containers, reach out to me on Twitter at @jgamblin and I will be glad to share.