Wire Report #1: What 6,000 Attackers Tried in 24 Hours
We pointed a server at the internet and watched. In 24 hours, 297 unique IPs launched 6,625 connection attempts. Here's what they tried, what they were after, and what you can learn from it.
We Put a Server on the Internet. Here's What Happened.
We run a Cowrie SSH honeypot on a VPS in Germany. It sits on port 22 and pretends to be a real Linux box. Attackers who guess the right credentials get dropped into a fake shell where every command is logged. Within seconds, it was getting hammered and generating intelligence.
In the last 24 hours:
- 6,625 connection attempts
- 297 unique source IPs
- 4,794 successful logins (into the fake shell)
- 1,601 failed login attempts
- 11,173 commands executed
- 129 malware download attempts
We also made a live dashboard so you can view it directly in the CLI-Games terminal. Just type wire to pull it up.
The Credentials They Try
The number one credential pair tried against our honeypot isn't root / password. It's 345gs5662d34 / 345gs5662d34 — a botnet's hardcoded default, tried 392 times in 24 hours by automated scanners.
Here are the top 10:
| # | Username | Password | Attempts |
|---|----------|----------|----------|
| 1 | 345gs5662d34 | 345gs5662d34 | 392 |
| 2 | root | 3245gs5662d34 | 297 |
| 3 | root | password | 26 |
| 4 | root | 123456 | 24 |
| 5 | root | 12345 | 22 |
| 6 | root | root | 20 |
| 7 | admin | admin | 20 |
| 8 | root | qwerty | 20 |
| 9 | ubuntu | ubuntu | 19 |
| 10 | admin | password | 18 |
Notice the pattern. After the botnet noise (345gs5662d34 is the Mirai family's calling card), every credential is a factory default or a password from the rockyou wordlist. If your server uses any of these, it's already compromised. You just don't know it yet.
Also notable: ai / 1234 appeared 17 times. Attackers are already hunting for AI-related services with weak credentials.
What They Do After Getting In
Once an attacker lands a shell, they don't browse around. SOP is to immediately recon the environment to see if they just stumbled into a honeypot... which they did. We had a lot of immediate disconnects after spinning up the Cowrie default image, which shows that we were already losing the cat-and-mouse game. The top commands are nearly identical across hundreds of sessions:
```sh
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
uname -s -v -n -m 2>/dev/null
uname -m 2>/dev/null
cat /proc/uptime 2>/dev/null | cut -d. -f1
```
This is fingerprinting. The attacker (or more accurately, their bot) is determining:
1. What OS the machine runs
2. What CPU architecture it has (to download the right malware binary)
3. How long it's been running (uptime indicates patch status and whether anyone is watching)
The 2>/dev/null at the end of each command redirects errors to nowhere — the bot doesn't want noisy output if a command fails. It's quiet professionalism.
If they stick around after fingerprinting, the next wave of commands gets more aggressive:
```sh
cd ~; chattr -ia .ssh; lockr -ia .ssh
cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAA..."
```
This is persistence. The attacker removes your SSH authorized keys and replaces them with their own. The chattr -ia removes immutable flags first (in case the admin tried to protect the file). Once their key is planted, they own the box even if you change the password.
129 sessions attempted to download external payloads — typically cryptominers or botnet agents — via wget or curl.
Where They Come From
| Country | Unique IPs | % of Total |
|---------|-----------|------------|
| China | 63 | 21% |
| Netherlands | 34 | 11% |
| United States | 25 | 8% |
| Vietnam | 16 | 5% |
| Germany | 14 | 5% |
| Russia | 13 | 4% |
| India | 13 | 4% |
| Hong Kong | 13 | 4% |
| Indonesia | 11 | 4% |
| Brazil | 10 | 3% |
China leads, but the Netherlands is second — not because the Dutch are prolific hackers, but because cheap VPS providers like DigitalOcean and OVH have Amsterdam data centers that botnets love.
The country of origin tells you where the infrastructure is, not where the attacker is. Anyone can spin up a $5 VPS in Amsterdam and scan the entire internet from it.
The Tools They Use
68% of all connections came from clients identifying as SSH-2.0-Go. That's not a human typing on a keyboard — that's a scanner written in Go, likely part of a botnet framework. The Go SSH library is popular for automated scanning because it's fast, compiles to a static binary, and runs on anything.
SSH-2.0-libssh_0.11.1 accounts for another 27%. Between Go and libssh, 95% of all traffic is automated. The humans with real terminal emulators are a rounding error.
What You Can Learn From This
If you're studying for CTF competitions or learning security:
1. Credential attacks are still #1. The most sophisticated exploit in the world doesn't matter if the password is password. Defending against brute force (fail2ban, key-only auth, port changes) stops the vast majority of attacks.
2. Post-exploitation follows a pattern. Fingerprint, persist, deploy. If you understand this sequence, you can detect it. Look for rapid-fire uname commands in your auth logs.
3. Attackers are automated. You're not fighting a person — you're fighting software. The bot doesn't get tired, doesn't make typos, and scans 24/7. Your defenses need to be automated too.
4. Infrastructure is global. Attribution is nearly impossible from network data alone. The IP says Netherlands, but the operator could be anywhere.
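As a defender-side illustration of points 1 and 2 above (the credential tally from the table earlier, and the fingerprint-then-persist sequence from the command listings), here is an added example; it is not the CLI-Games dashboard's code. It reads Cowrie's JSON event log (eventids cowrie.login.success, cowrie.login.failed, cowrie.client.version, cowrie.command.input), ranks credential pairs, and tags sessions that behave like the bots described. The sample events are constructed, and the five-second window, marker strings and banner prefixes are assumptions.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed Cowrie-style JSON events (cowrie.json format); not real honeypot data.
SAMPLE_LOG = """\
{"eventid":"cowrie.client.version","session":"a1","src_ip":"203.0.113.5","version":"SSH-2.0-Go","timestamp":"2024-01-01T00:00:00.100000Z"}
{"eventid":"cowrie.login.success","session":"a1","src_ip":"203.0.113.5","username":"root","password":"123456","timestamp":"2024-01-01T00:00:01.000000Z"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"203.0.113.5","input":"uname -s -v -n -m 2>/dev/null","timestamp":"2024-01-01T00:00:01.200000Z"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"203.0.113.5","input":"cd ~; chattr -ia .ssh; lockr -ia .ssh","timestamp":"2024-01-01T00:00:02.000000Z"}
{"eventid":"cowrie.client.version","session":"b2","src_ip":"198.51.100.7","version":"SSH-2.0-OpenSSH_9.6","timestamp":"2024-01-01T00:05:00.100000Z"}
{"eventid":"cowrie.login.failed","session":"b2","src_ip":"198.51.100.7","username":"admin","password":"admin","timestamp":"2024-01-01T00:05:01.000000Z"}
{"eventid":"cowrie.login.success","session":"b2","src_ip":"198.51.100.7","username":"root","password":"123456","timestamp":"2024-01-01T00:05:02.000000Z"}
{"eventid":"cowrie.command.input","session":"b2","src_ip":"198.51.100.7","input":"ls -la","timestamp":"2024-01-01T00:05:40.000000Z"}
"""

FINGERPRINT = ("uname", "cat /proc/uptime")                        # recon commands from the post
PERSISTENCE = ("chattr -ia .ssh", "lockr -ia .ssh", "rm -rf .ssh")  # authorized_keys takeover
SCANNERS = ("SSH-2.0-Go", "SSH-2.0-libssh")                        # automated client banners (assumed list)

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def ts(event):
    return datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")

def top_credentials(events, n=10):
    """Most-tried username/password pairs, counting successes and failures alike."""
    pairs = Counter((e["username"], e["password"]) for e in events
                    if e["eventid"] in ("cowrie.login.success", "cowrie.login.failed"))
    return pairs.most_common(n)

def classify_sessions(events, window=5.0):
    """Tag sessions: 'scanner' (known automated banner), 'fingerprint' (recon command
    within `window` seconds of login; humans are rarely that fast), 'persist' (~/.ssh tampering)."""
    login_at, tags = {}, defaultdict(set)
    for e in events:
        s, kind = e["session"], e["eventid"]
        if kind == "cowrie.client.version" and e["version"].startswith(SCANNERS):
            tags[s].add("scanner")
        elif kind == "cowrie.login.success":
            login_at[s] = ts(e)
        elif kind == "cowrie.command.input":
            cmd = e["input"]
            if cmd.startswith(FINGERPRINT) and s in login_at \
                    and (ts(e) - login_at[s]).total_seconds() <= window:
                tags[s].add("fingerprint")
            if any(marker in cmd for marker in PERSISTENCE):
                tags[s].add("persist")
    return dict(tags)
```

Point it at a real cowrie.json and the same two functions reproduce the credential table and flag which sessions went beyond fingerprinting to key replacement.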
See It Live
Type wire in the CLI-Games terminal to see the live dashboard. The data updates every 5 minutes from our real honeypot.
- wire: Summary dashboard
- wire creds: Full credential list
- wire commands: Post-exploitation commands
- wire sessions: Recent attacker sessions
This is real data. Not a simulation. Not a textbook exercise. Right now, as you read this, someone is trying root / 123456 on our server. And failing, because it's a trap.
Wire Report is a series analyzing real attack data from the CLI-Games honeypot. Published periodically as the data warrants. Want to learn the commands attackers use? Start with CTF: Capture the Flag.