I noticed on my production Linode that there were a tonne of blocked ssh hosts in /etc/hosts.deny – I was interested to know what would happen if one of these “hackers” or “script kiddies” got into my server on root level.
So, I went and bought a 2nd Linode and set up Kippo (http://code.google.com/p/kippo/). Kippo creates an SSH server under a restricted user, logs everything that goes on and is quite entertaining to watch them attempt to “hack”. I just did some iptables trickery on the 2nd server so I could find out what is going on. Most of them are bots, with a few of them being real people (looking at the logs, though, it seems the bots tell the user of an open host, to which the user manually connects and tries to infect with malware or IRC servers to control botnets).
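The “iptables trickery” above is typically a port redirect: the real sshd is moved off port 22 and inbound port 22 is rewritten to the unprivileged port Kippo listens on, so every scanner that knocks on 22 lands in the honeypot. The script below is an added example, not code from the original post or from the Kippo project. It assumes Kippo listens on 2222 (its default ssh_port), that the real sshd has already been moved to a hypothetical admin port (2200 here), and it only runs the rules when APPLY=1; otherwise it just prints them for review. The lock-out check is there because redirecting 22 while your own shell still depends on 22 cuts you off from the box.

```shell
#!/bin/sh
# Added example (not from the original post or the Kippo project): redirect
# inbound port-22 connections to a Kippo listener so the honeypot sees the
# login attempts. Assumptions: Kippo runs unprivileged on port 2222 (its
# default ssh_port), the real sshd has already been moved to ADMIN_SSH_PORT,
# and rules are only executed when APPLY=1 (which requires root).

HONEYPOT_PORT="${HONEYPOT_PORT:-2222}"    # Kippo's default listener (assumed unchanged)
ADMIN_SSH_PORT="${ADMIN_SSH_PORT:-2200}"  # hypothetical port the real sshd was moved to

# Emit the rules as text so they can be reviewed before anything is changed.
honeypot_rules() {
    admin="$1"
    honey="$2"
    # Keep the real admin shell reachable before touching anything else.
    echo "iptables -A INPUT -p tcp --dport ${admin} -j ACCEPT"
    # Rewrite inbound port 22 to Kippo's unprivileged port (nat table, before routing).
    echo "iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports ${honey}"
    # Accept the redirected connections on the honeypot port.
    echo "iptables -A INPUT -p tcp --dport ${honey} -j ACCEPT"
}

# Guard against locking yourself out: the admin port must not be 22 (it would
# be redirected into the honeypot) and must not collide with the honeypot port.
check_ports() {
    admin="$1"
    honey="$2"
    if [ "${admin}" = "22" ] || [ "${admin}" = "${honey}" ]; then
        return 1
    fi
    return 0
}

# Print each rule, and run it only when APPLY=1.
apply_rules() {
    if ! check_ports "${ADMIN_SSH_PORT}" "${HONEYPOT_PORT}"; then
        echo "refusing: admin port ${ADMIN_SSH_PORT} collides with 22 or ${HONEYPOT_PORT}" >&2
        return 1
    fi
    honeypot_rules "${ADMIN_SSH_PORT}" "${HONEYPOT_PORT}" | while IFS= read -r rule; do
        echo "+ ${rule}"
        if [ "${APPLY:-0}" = "1" ]; then
            sh -c "${rule}"
        fi
    done
}

apply_rules
```

Run it once without APPLY to see the three rules it would add, then `APPLY=1 sh honeypot-redirect.sh` as root from a session that is already connected on the admin port. Two caveats worth knowing: a REDIRECT in PREROUTING only affects traffic arriving from other hosts, so testing with `ssh localhost -p 22` will not hit the honeypot (local packets go through OUTPUT, not PREROUTING); and because Kippo now answers on 22, the hosts.deny entries on the honeypot box are irrelevant, so keep the deny list and any brute-force blocking on the production server only.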
So here, I present “I watched you hack, you failed”
#1 – iptables not found - http://honeypot.murfy.co.nz:8022/playlog/?l=20120218-125755-3907
#2 – Do you even know Linux? - http://honeypot.murfy.co.nz:8022/playlog/?l=20120222-035727-3285
#3 – Segmentation Fault - http://honeypot.murfy.co.nz:8022/playlog/?l=20120302-043815-1578
#4 – Yeah, PHP really doesn’t exist - http://honeypot.murfy.co.nz:8022/playlog/?l=20120308-003910-8337
If anyone else has any captures from Kippo, post them here! Otherwise, more to come.