The Why
After spending some time looking for projects to work on and play around with, I came across Deutsche Telekom’s T-Pot Honeypot Platform (their Github can be found here).
This all started with a desire to see what’s going on out on the internet and to get a snapshot of the current threat landscape for services exposed to the internet.
Ideally, I was hoping to learn something from the honeypot and be able to provide some useful insights, and potentially set up a more sophisticated honeypot in the future to look for new 0days in the wild for specific services and software.
I was also inspired by a talk from DEF CON 31 on RDP honeypot analysis by Andreanne Bergeron and Olivier Bilodeau from GoSecure. I’ve added the link to the talk and a Bleeping Computer article below, however I would highly recommend watching the video:
- DEF CON 31 – Unparalleled RDP Monitoring Reveal Attackers’ Tradecraft – Bergeron, Bilodeau
- Bleeping Computer: RDP honeypot targeted 3.5 million times in brute-force attacks
This is how I came across T-Pot. From doing some reading online (thanks Reddit) and reading some blog posts, T-Pot seemed perfect for what I needed.
The Setup
T-Pot is designed to be extremely simple to set up and maintain. You can use any VPS or Cloud platform such as AWS, Azure, GCP etc. Simply put, the process goes like this:
- Create a new virtual machine on a supported OS (I chose Ubuntu LTS)
- Run updates on the VM and install curl if it is not installed already
- Download and run the ISO and follow the prompts
- Configure a public IP and network settings so that the T-Pot management ports are reachable only from your own IP address, with all other ports open to the internet
It’s really that simple. It does get more nuanced as you go further down, though: sensors for running specific services can be placed globally (something that is in my sights for the future), and each individual honeypot container can be customised for more options, such as MOTDs shown when threat actors connect, changing the /etc/shadow file, and more.
The High Level View

In 24 hours, I found:
79% (128,708) of all attacks were against the Dionaea Honeypot. Of these attacks:
- 382 unique IPs
- 93% of attacks were against port 445 (SMB)
- 6% of attacks were against port 1433 (SQL Server)
- Of these attacks, 20,298 came from just two IP addresses
Across the entire attack surface, the most popular ports to attack were:
- 445 (SMB)
- 1433 (SQL Server)
- 22 (SSH)
- 23 (Telnet)
The top five countries where the attacks originated from were:
- China (45%)
- United States (15%)
- Vietnam (9%)
- Taiwan (8%)
- India (6%)
Credentials Targeted
During the 24 hours the honeypot was running, I noticed that attackers consistently used generic weak credentials, or default credentials for services such as Oracle databases, MySQL and SQL Server. Some of the threat actors’ favourites were also 123456, password and 12345678.
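To reproduce the kind of summary given in the high-level view and the credentials section (share per honeypot, unique source IPs, port shares within one honeypot, how much of the traffic two top talkers account for, and the most-tried username/password pairs), here is an added example that is not part of the original post or of T-Pot. The JSON-lines records and their field names (`honeypot`, `src_ip`, `dest_port`, `username`, `password`) are constructed assumptions, not real T-Pot output; point `parse()` at your own exported events once the field names are adjusted.

```python
"""Summarise one day of honeypot events into the figures a write-up quotes."""
import json
from collections import Counter

# Constructed sample events (RFC 5737 documentation addresses), NOT real logs.
SAMPLE = """
{"honeypot":"dionaea","src_ip":"203.0.113.10","dest_port":445}
{"honeypot":"dionaea","src_ip":"203.0.113.10","dest_port":445}
{"honeypot":"dionaea","src_ip":"198.51.100.7","dest_port":1433}
{"honeypot":"dionaea","src_ip":"203.0.113.10","dest_port":445}
{"honeypot":"cowrie","src_ip":"192.0.2.44","dest_port":22,"username":"root","password":"123456"}
{"honeypot":"cowrie","src_ip":"192.0.2.44","dest_port":22,"username":"admin","password":"password"}
{"honeypot":"cowrie","src_ip":"192.0.2.45","dest_port":23,"username":"root","password":"123456"}
{"honeypot":"heralding","src_ip":"198.51.100.7","dest_port":3306,"username":"root","password":""}
"""


def parse(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _share(counter, total):
    """Percentage of `total` for each key, to one decimal place."""
    return {key: round(100 * count / total, 1) for key, count in counter.items()}


def port_share_within(events, honeypot):
    """Port breakdown for a single honeypot, e.g. '93% of Dionaea hits on 445'."""
    subset = [e for e in events if e["honeypot"] == honeypot]
    return _share(Counter(e["dest_port"] for e in subset), len(subset))


def summarise(events, top_n=2):
    """Headline numbers: totals, shares, top-talker concentration, credentials."""
    total = len(events)
    by_ip = Counter(e["src_ip"] for e in events)
    # Credentials only exist on login-capable honeypots (SSH/Telnet/DB emulators).
    creds = Counter((e["username"], e["password"]) for e in events if "username" in e)
    top_ips = by_ip.most_common(top_n)
    return {
        "total": total,
        "unique_ips": len(by_ip),
        "honeypot_share": _share(Counter(e["honeypot"] for e in events), total),
        "port_share": _share(Counter(e["dest_port"] for e in events), total),
        # Share of all events produced by the `top_n` busiest sources.
        "top_ip_share": round(100 * sum(c for _, c in top_ips) / total, 1),
        "top_credentials": creds.most_common(3),
    }


if __name__ == "__main__":
    print(json.dumps(summarise(parse(SAMPLE)), indent=2, default=str))
    print(port_share_within(parse(SAMPLE), "dionaea"))
```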

Honeypotted Malware
Once attackers had connected to the honeypotted SSH or Telnet port with basic administrator credentials, there were some attempts to drop malware onto the system.
- XorDDOS – this is a fairly new piece of malware first detected in December 2024, targeting Linux systems to ‘Zombiefy’ them into a botnet for DDoS attacks. Security researcher Yashav Levin did a fantastic write-up on this strain of malware which you can find here: https://cymulate.com/blog/xorddos-strikes-again/
  Hash: ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73
- An unknown strain of malware which is currently not within VirusTotal; however, adding the malware hash to Cisco Talos gave some detection aliases for a crypto miner. I will be attempting to get the copied malware off of the honeypot to report it to the file analysis websites.
  Hash: 2ca52a61c10810888b4a6275e443cd10485143a3d048074170e78df732b83142
The Takeaways
Wow. I expected a lot of traffic, but I did not expect 164,000 requests in 24 hours! I am extremely excited to continue working on this honeypot and observing more malicious traffic out on the internet!
My next project with this honeypot is to set up a multi-node network that distributes the honeypots across the world, so I can observe the data and see whether there is any correlation between geolocation and attack types.
I also want to customise each individual honeypot within T-Pot to make it more difficult for threat actors to breach the honeypot, as I believe this may lure in some more complex threat actors.
Keep an eye out for that post, and thank you for reading!