Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Tough Times for Ukrainian Honeypot?


We've recently been inundated with news of increased cyberattacks and a general increase in cyber threats online. Hackers - both bad and good, government related or private groups - have their hands full every day as never before and compounding the situation is the Russia-Ukraine (UA) war which has sparked a cyber storm. This made us just more curious about Internet attacks on the UA telecom infrastructure. One would expect our research to at least turn up a few attacks from Russia, but, surprisingly, that was not the case.

More honeypots!

To take a closer look at the situation, I rented a VPS server located in UA. The requirement for this research was having an IP address originating from the UA pool. Unlike my previous study A handshake with MySQL Bots, I didn't use original software (e.g. MariaDB server for MySQL service) to gather information from the given service, but I decided to use open-source honeypot projects. There are good and bad sides of this approach, but was mainly focused in taking a general overview of what, how and from where attacks are made, rather than a detailed binary analysis, etc.

The honeypot operated for three weeks, collecting information about authentication attempts on several services, mainly SSH, but also: HTTP, Telnet, VNC and SMTP - and a few more:


The main idea of SSH sensor was monitoring and logging what is happening on one of the most sensitive sites on the Internet. For this purpose, I used a project called Kippo, which perfectly pretends to be an SSH service by mimicking an operating system. Kippo allowed me to not only to see how login strings and passwords are being brute-forced, but also what happens after getting into - in this case fake - operating system.

During the three weeks it operated, the honeypot counted over 50,000 authentication attempts. The honeypot was configured to simulate a successful login every other attempt. Analyzing logs, among simple Linux commands, we mainly notice attempts to download and run droppers and miners. More info about these files on the bottom of page.

Please note the numbers 3378 and 749 at the top of each screenshot. These are the numbers of the results of the same query, but without using the DISTINCT statement. This gives us some perspective on the real number of download attempts.

Only part of the addresses listed above were active. The samples that I initially analyzed turned out to be mostly part of the well-known Mirai botnet.

The top 20 most encountered passwords and usernames used during a brute-force attack are listed below.

And the number of connections made from single IP along with GeoIP information:

Albania and Vietnam top the list.

To monitor other services, I used the heralding project, which logs only login credentials and connection data. This honeypot collected information for two weeks. For the following services, I focused mainly on GeoIP information.

The numbers of authentication attempts for each service:


Telnet, the archaic terminal connection is still quite popular - at least among attacking bots. Let's look at the collected data.

Top 20 login names:

The number of connections made from a single IP along with GeoIP information: 

China noticeably on the lead.

Virtual Network Computing (VNC)

We might think that Virtual Network Computing would not find many users today, but it turns out that VNC still has many followers. According to Shodan, there are more than 320,000 devices on the Internet with recognized VNC service, and more than 1 million devices with open port 5900/TCP. These numbers alone justify the bots activity.

We found only two active sources of attacks: Poland (7042 brute-force attempts) and Kazakhstan (62 brute-force attempts).


Attacks on the mail transport protocol wasn't very heavy with just 14 unique addresses counted.

Netherlands and Lithuanian attack activity on the top.


The honeypot wasn't able to collect any information about HTTPS activity, most likely because of self-signed certificate and the lack of related domain.

There were so few authentication attempts that I limited the results to just 10 in order to illustrate the activity.

Authentication attempts on the other services were so few that we can easily leave them out of the conclusions.





1sh / 2sh

Simple dropper script


8UsA.sh / 8UsA2.sh

Simple dropper script (multi-architecture targets)



Simple dropper script (multi-architecture targets)



Simple dropper script



Simple dropper script (multi-architecture targets)



Simple dropper script (multi-architecture targets)



Simple dropper script (multi-architecture targets)



Simple dropper script (multi-architecture targets)












Crypto-miner dropper



Crypto-miner dropper






Have tough times come for the Ukrainian Honeypot? Well, on this particular one, not really.

We didn't notice any IP coming from Russia. In fact, much of the exploitation we saw could have occurred regardless of the geography the honeypot was installed in.

There could be many reasons for this. Our first thought is elite hacking groups don't necessarily pounce on a newly emerging server on the Internet. Instead, these groups have set targets on which they focus their time and energy. What our honeypot experiment did prove was that bots still function, in their usual fashion. Lazily attacking everything they can connect to on the Internet. Additionally, we found that brute-force attacks are constantly a threat to poorly managed infrastructures, servers, and IoT devices.