February honeypot report
First, the data from our Telnet & SSH honeypot. As almost always, the USA holds the top spot. Sadly, our country (Bulgaria) is among the top three:
Here is what the hourly activity looks like. The honeypot is attacked more than 2.2 times per second on average:
More than 98% of the attacks are via Telnet, the rest are via SSH:
The top-5 URLs from which malware was most actively uploaded to the honeypot. All of them are Mirai variants, as usual, although the original variant is not among them.
Indeed, as you can see, uploads of various Mirai variants (IMO, "Svirtu" is a Mirai variant too) dominate heavily. Only Gafgyt is substantially different and it accounts for only 0.26% of the uploads:
Details about the top-20 most actively attacking IPs. Again, one infected machine at Verdina Ltd. is causing most of the attack traffic coming from Bulgaria:
The top-20 most actively attacking organizations. DigitalOcean is again at the top spot; only their name has changed a bit:
Speaking of DigitalOcean, as you can see, I've been sending them on average 42 abuse reports every day - but it doesn't seem to be helping very much:
The top-20 passwords that are the most often used by the attackers; nothing unusual here:
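As an added illustration of how the figures above (attacks per second, Telnet vs. SSH share, top attacking IPs, top passwords) are derived from raw login attempts, here is a small aggregator over constructed log records. This is example code, not the honeypot's own tooling; the one-line-per-attempt format and the sample records are assumptions.

```python
"""Aggregate honeypot login attempts into the figures charted in the report."""
from collections import Counter

# Constructed sample records in an assumed minimal format:
# "<timestamp> <protocol> <source-ip> password=<password>" (not real data).
SAMPLE_LOG = """\
2024-02-01T00:00:00Z telnet 203.0.113.5 password=admin
2024-02-01T00:00:00Z telnet 203.0.113.5 password=123456
2024-02-01T00:00:01Z ssh 198.51.100.7 password=root
2024-02-01T00:00:01Z telnet 203.0.113.9 password=admin
2024-02-01T00:00:02Z telnet 203.0.113.5 password=admin
2024-02-01T00:00:02Z telnet 192.0.2.44 password=support
2024-02-01T00:00:03Z ssh 198.51.100.7 password=admin
2024-02-01T00:00:03Z telnet 203.0.113.5 password=12345
"""


def parse(log):
    """Yield (protocol, source_ip, password) from each non-empty record."""
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, proto, ip, kv = line.split(maxsplit=3)
        yield proto, ip, kv.partition("=")[2]


def summarize(log, window_seconds, top_n=3):
    """Return attack rate, protocol share in percent, top source IPs and top passwords.

    window_seconds is the length of the observation period the records cover;
    the rate is simply attempts divided by that period.
    """
    rows = list(parse(log))
    total = len(rows)
    protos = Counter(proto for proto, _, _ in rows)
    return {
        "total": total,
        "rate_per_second": round(total / window_seconds, 3),
        "protocol_share": {p: round(100 * n / total, 2) for p, n in protos.items()},
        "top_ips": Counter(ip for _, ip, _ in rows).most_common(top_n),
        "top_passwords": Counter(pw for _, _, pw in rows).most_common(top_n),
    }


if __name__ == "__main__":
    # The sample covers a 4-second window (00:00:00 through 00:00:03).
    for key, value in summarize(SAMPLE_LOG, window_seconds=4).items():
        print(f"{key}: {value}")
```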
Moving on to our SMB honeypot.
First, the big picture. Most of the action is in Russia again, although Vietnam is again well-represented too. This month we got fewer attacks against our SMB honeypot than against our Telnet & SSH honeypot due to a short period of low activity, as you'll see in a moment. Most of the attacks are just scans - the number of uploaded files is relatively small. It seems that there is a botnet out there that is looking for vulnerable hosts without actually attacking them:
Hourly activity, showing on average nearly 1.9 attacks per second. You can see how for about a week, the number of attacks was two orders of magnitude lower than usual - I guess the botnet was taking a vacation:
Unique uploaded malware variants, according to Symantec's scanner. Lots of corrupted WannaCry variants, as usual (no kill switch check, no encryption).
Even when we count all uploaded samples rather than only the unique variants, the WannaCry samples dominate:
Details about the top-20 most actively attacking IPs. Nothing unusual here:
The top-20 organizations from which most of the attacks are coming. Nothing unusual here, either:
Finally, the data from our ADB honeypot.
The big picture. The Far East (Hong Kong, South Korea, China) dominates but the USA and Russia figure prominently, too:
The hourly connection data, showing on average one attack every half an hour:
The malware uploaded to the honeypot, according to Fortinet's scanner. The two parts of the same old Monero-mining worm (Trinity) are causing almost all of the malicious uploads, but this month we see a Mirai variant make an appearance too:
Details about the top-20 most actively attacking IPs:
The top-20 organizations that own the IP addresses attacking us:
This concludes the February honeypot report.