TY - CONF T1 - Profiling Attacker Behavior Following SSH Compromises Y1 - 2007 A1 - Ramsbrock,D. A1 - Berthier,R. A1 - Michel Cukier KW - Linux KW - Linux honeypot computers KW - profiling attacker behavior KW - remote compromise KW - rogue code KW - security of data KW - SSH compromises KW - system configuration AB - This practical experience report presents the results of an experiment aimed at building a profile of attacker behavior following a remote compromise. For this experiment, we utilized four Linux honeypot computers running SSH with easily guessable passwords. During the course of our research, we also determined the most commonly attempted usernames and passwords, the average number of attempted logins per day, and the ratio of failed to successful attempts. To build a profile of attacker behavior, we looked for specific actions taken by the attacker and the order in which they occurred. These actions were: checking the configuration, changing the password, downloading a file, installing/running rogue code, and changing the system configuration. M3 - 10.1109/DSN.2007.76 ER -