It occurred to me today that in every TTY session replay I see online, when the attacker runs the ‘w’ command an uptime of ~14 days is shown. I checked, and it’s true: Kippo has the output of the ‘w’ command hardcoded in its source code, including the string “up 14 days, 3:53”. The same applies to the ‘who’ and ‘uptime’ commands as well.
As you can imagine, this is a serious flaw that makes identifying a Kippo honeypot pretty easy: the uptime is the same on every Kippo install and never changes, no matter how long the honeypot has been running or how many times the attacker logs back in. As you may have noted, ‘w’ is usually the first command an attacker will run after getting access to a system.
I have submitted the above issue here, and hopefully a fix will be released in the next revision/version of Kippo. Until then it would be wise to fix this yourself by changing the output of the ‘w’ and ‘uptime’ commands.
The file in question is base.py in the $INSTALL_DIR/kippo/commands directory. The relevant code block is lines 17-33 of that file; the two lines you have to change are the self.writeln() calls that contain “up 14 days, 3:53” (lines 19 and 25 of base.py, the first and third lines of the excerpt below). The excerpt shows only the writeln() calls and the command registrations; the format arguments that follow each trailing backslash are omitted:

```python
# Excerpt of kippo/commands/base.py (lines 17-33); the argument tuples after
# each trailing backslash continuation are not shown here.
self.writeln(' %s up 14 days, 3:53, 0 users, load average: 0.08, 0.02, 0.01' % \
commands['/usr/bin/uptime'] = command_uptime
self.writeln(' %s up 14 days, 3:53, 1 user, load average: 0.08, 0.02, 0.01' % \
self.writeln('USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT')
self.writeln('%-8s pts/0 %s %s 0.00s 0.00s 0.00s w' % \
commands['/usr/bin/w'] = command_w
commands['/usr/bin/who'] = command_w
```
Change the “14 days, 3:53” string to something else, and make sure you use identical values in both lines: ‘uptime’ is produced by the first one and ‘w’/‘who’ by the second, and an attacker who runs both in the same session will notice if they disagree. Keep the format the real commands use (“N days, H:MM”; note also that a real ‘uptime’ would count the logged-in attacker rather than print “0 users” while ‘w’ prints “1 user”). Restart Kippo (kill it and run start.sh again) for the change to take effect. Bear in mind that a different fixed string is still a fingerprint for your particular honeypot: it never advances, and it is identical every time the same attacker comes back.
A better idea would be to generate these values rather than hardcode them, for example by deriving the uptime from a fake boot time chosen when the honeypot starts, so that it grows with the clock and stays consistent between ‘w’, ‘who’ and ‘uptime’ (values drawn at random on every call would differ between the two commands within one session). That, however, is something the developer of Kippo will ultimately decide.
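Here is what such a fix could look like, written as an added example for this post rather than code taken from Kippo: a FakeHost that fixes a boot time once at startup and renders ‘uptime’ and ‘w’ output from it in the format of the real procps commands, plus a small looks_like_kippo() check that flags the hardcoded string in captured session output (useful for spotting the fingerprint in your own replays). The procps formatting rules are reproduced from the real commands’ output; the sample session lines are constructed; and how to wire FakeHost into base.py (passing the session’s username, client IP and login time from Kippo’s own objects) is an assumption that is not shown here.

```python
"""Per-instance fake uptime for a Kippo-style honeypot, plus a detector for
the hardcoded value.  Added example for this post; not Kippo's own code."""
import random
import re
import time

# The literal Kippo writes for `w`, `who` and `uptime` in every session.
# Matched whitespace-insensitively, since HTML rendering collapses the spaces.
KIPPO_SIGNATURE = re.compile(r'up 14 days,\s+3:53')


def looks_like_kippo(output):
    """True if w/who/uptime output carries Kippo's fixed uptime string."""
    return KIPPO_SIGNATURE.search(output) is not None


def format_uptime(seconds):
    """Render elapsed seconds the way procps does:
    '5 min', '13:05', ' 3:53', '1 day,  0:01', '14 days,  3:53'
    (hours are padded to width 2, hence the double space after the comma)."""
    seconds = int(seconds)
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes = rem // 60
    if days == 0 and hours == 0:
        return '%d min' % minutes
    clock = '%2d:%02d' % (hours, minutes)
    if days == 0:
        return clock
    return '%d day%s, %s' % (days, '' if days == 1 else 's', clock)


class FakeHost(object):
    """Host state created once when the honeypot starts.

    The boot time is fixed and the uptime is derived from the wall clock, so
    it advances between sessions, agrees between `w` and `uptime`, and
    differs from every other deployment."""

    def __init__(self, boot_time, seed=None):
        self.boot_time = float(boot_time)
        self.rng = random.Random(seed)  # seed only for reproducible tests

    @classmethod
    def with_random_boot_time(cls, now=None, seed=None, min_days=2, max_days=120):
        """Pick a boot time between min_days and max_days ago."""
        rng = random.Random(seed)
        now = time.time() if now is None else now
        boot = now - rng.uniform(min_days * 86400, max_days * 86400)
        return cls(boot, seed)

    def uptime_seconds(self, now=None):
        now = time.time() if now is None else now
        return max(0, int(now - self.boot_time))

    def load_average(self):
        """Three small, decreasing numbers that drift from call to call,
        instead of the constant 0.08, 0.02, 0.01."""
        one = self.rng.uniform(0.0, 0.5)
        five = one * self.rng.uniform(0.5, 1.0)
        fifteen = five * self.rng.uniform(0.5, 1.0)
        return one, five, fifteen

    def uptime_line(self, users, now=None):
        """First line of `w`, and the whole of `uptime`.  `users` should be
        the real number of sessions, so `uptime` and `w` agree."""
        now = time.time() if now is None else now
        l1, l5, l15 = self.load_average()
        return ' %s up %s, %2d user%s,  load average: %.2f, %.2f, %.2f' % (
            time.strftime('%H:%M:%S', time.localtime(now)),
            format_uptime(self.uptime_seconds(now)),
            users, '' if users == 1 else 's', l1, l5, l15)

    def w_output(self, username, client_ip, login_time, now=None):
        """Full `w` output for one logged-in user (the attacker's session).
        username/client_ip/login_time would come from the honeypot session
        object (assumed, not shown)."""
        now = time.time() if now is None else now
        return '\n'.join([
            self.uptime_line(1, now),
            'USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT',
            '%-8s pts/0    %-17s %s    0.00s  0.00s  0.00s w' % (
                username, client_ip[:17],
                time.strftime('%H:%M', time.localtime(login_time))),
        ])


if __name__ == '__main__':
    # Constructed sample: what a Kippo session prints, then what this code prints.
    kippo_w = ' 14:02:11 up 14 days, 3:53, 1 user, load average: 0.08, 0.02, 0.01'
    print('Kippo signature in hardcoded output: %s' % looks_like_kippo(kippo_w))
    host = FakeHost.with_random_boot_time()
    out = host.w_output('root', '198.51.100.23', time.time() - 90)
    print(out)
    print('Kippo signature in generated output: %s' % looks_like_kippo(out))
```

Because the uptime is computed from one stored boot time, a second login an hour later sees an uptime one hour larger, and ‘uptime’, ‘w’ and ‘who’ all print the same value within a session; that is the property a random-per-call value would not give.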