<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Ssh on Joshua's Notebook</title><link>https://burnett.sh/tags/ssh/</link><description>Recent content in Ssh on Joshua's Notebook</description><generator>Hugo</generator><language>en</language><lastBuildDate>Fri, 26 Jun 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://burnett.sh/tags/ssh/index.xml" rel="self" type="application/rss+xml"/><item><title>HoneyPi: First Attack Observation</title><link>https://burnett.sh/posts/honeypi-observation1/</link><pubDate>Fri, 26 Jun 2026 00:00:00 +0000</pubDate><guid>https://burnett.sh/posts/honeypi-observation1/</guid><description>&lt;p&gt;The full setup and configuration process behind HoneyPi was documented in the earlier parts of this series, so this post skips the build and goes straight to the first attack observation report I put together for my SANS Internet Storm Center internship. It focuses on a single attacker and walks through that attacker's activity end to end.&lt;/p&gt;
&lt;h2 id="initial-attack-observation"&gt;Initial Attack Observation&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;Time and Date of Activity:&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;2026-06-15 00:00:07 UTC through 2026-06-17 02:11:21 UTC&lt;/p&gt;
&lt;p&gt;The attacker (source 87.251.64.176) was active for around 45 hours, with 114 successful logins occurring in bursts, indicating automated tooling running through a set of target IPs/hosts. Successful logins would arrive in a burst, quiet down for a couple of hours, and then resume with another burst. Similar SSH-2.0-Go campaigns have been observed from other attackers since the HoneyPi was deployed; this particular attacker was interesting because its attack pattern was persistent and came from a single source, rather than cycling through different IPs as in other campaigns.&lt;/p&gt;</description></item></channel></rss>