I Left Port 22 Open On My Server.Here's Who Showed Up

Published on November 23, 2025

The "Always On" Myth

We always hear that attackers are "on the move 24x7." We hear that they use automation for everything rather than hacking manually. But hearing it is one thing; seeing it in your own logs is another.

This weekend, I decided to test that theory. I set up a honeypot server (Cowrie) on Microsoft Azure. I configured it to look like a standard, vulnerable Linux server and intentionally left Port 22 (SSH) open to the world.

My Expectation: I figured I was just a random IP address in a sea of millions of Azure servers. I expected a few hundred hits.

The Reality: I got 54,254.

The Data SnapshotDuration:

• 48 Hours
• Total Events: 54,254
• Unique Attackers: 733 IPs
• Avg Attacks per Minute: 20 (one attack every 3 seconds)

Finding #1: The "Miner" Hunter (The mdrfckr Signature)

The Malicious Command:

cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3... [redacted] ... mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh

The Analysis: See the comment mdrfckr at the end of the key? This is a known signature associated with crypto-mining botnets (often linked to the Outlaw group).What it tries to achive:

1. It deletes my existing SSH keys (rm -rf .ssh).
2. It injects its own key so the attacker can log back in later.
3. It tries to use chattr (change attribute) to make the file immutable, effectively locking me (the admin) out of my own server so it can mine Monero undisturbed.

Finding #2: The Recon Script

Bashexport PATH=...; uname=$(uname -s -v -n -m); ... gpu_info=$(lspci | grep -i nvidia); ... echo "CPUS:$cpus"; echo "GPU:$gpu_info"

The Analysis:This script isn't looking for data; it's looking for hardware.

1. It explicitly greps for nvidia to see if I have a GPU (for mining).
2. It counts the CPUs.
3. If my Azure VM had been a powerful instance, the next command would have likely been a wget to download the XMRig miner.

Finding #3: The "IoT" Passwords

I extracted the top 10 passwords that the attackers tried. At first glance, they look random, but they tell a very specific story.

Top 10 Passwords

1. 345gs5662d34840 -> 1036 Times
2. 3245gs5662d34835 -> 1029 Times
3. 123456 -> 262 Times
4. 123 -> 131 Times
5. password -> 85 Times
6. 1234 -> 68 Times
7. nPSpP4PBW0 -> 61 Times
8. 12345678 -> 57 Times
9. P@ssw0rd -> 53 Times
10. 12345 -> 52 Times

The Insight: The high volume of 345gs... passwords is the smoking gun. These aren't random strings.These are the factory default passwords for specific brands of IP Cameras and DVRs.This suggests I was being targeted by an IoT Botnet (likely a Mirai variant). The bots were blindly throwing these specific DVR credentials at my Azure server, hoping I was actually a vulnerable security camera they could recruit into their botnet fleet.

Also nPSp... this complex string appears to be a specific default credential for a Huawei/Netgear device, proving this is a dictionary atta

The Top 10 Commands

Once they thought they were "in," here is what they tried to run.You can see them checking for GPUs (to mine crypto) and checking CPU architecture (to download the right malware binary).

Visualizing the Attack

I used Plotly (Python) to map the IP addresses of every attacker. While these IPs are likely just other infected machines (proxies), it gives a stunning visualization of the scale of the attack.

Conclusion