Profiling Attacker Behavior Following SSH Compromises

TitleProfiling Attacker Behavior Following SSH Compromises
Publication TypeConference Papers
Year of Publication2007
AuthorsRamsbrock D, Berthier R, Cukier M
Date Published2007/06//
KeywordsLinux, Linux honeypot computers, profiling attacker behavior, remote compromise, rogue code, security of data, SSH compromises, system configuration

This practical experience report presents the results of an experiment aimed at building a profile of attacker behavior following a remote compromise. For this experiment, we utilized four Linux honeypot computers running SSH with easily guessable passwords. During the course of our research, we also determined the most commonly attempted usernames and passwords, the average number of attempted logins per day, and the ratio of failed to successful attempts. To build a profile of attacker behavior, we looked for specific actions taken by the attacker and the order in which they occurred. These actions were: checking the configuration, changing the password, downloading a file, installing/running rogue code, and changing the system configuration.