August honeypot report
First, the data from our Telnet & SSH honeypot. The big picture looks like this. As usual, most attacks have come from the USA, with the Netherlands in the second place - again:
Here is how the hourly activity looks like. Slightly less than 2.5 attacks per second:
Nearly 98% of the attacks are via Telnet, the rest are via SSH. It seems that the Gafgyt botnet (which spreads via SSH) is slowly disappearing, despite the recent reports that it dominates the DDoS attack space.
The top-5 URLs from which malware was most actively uploaded to the honeypot. Mirai variants all of them, as usual, although the original variant is not among them.
Details about the top-20 most actively attacking IPs. As usual, DigitalOcean is heavily present. A bit concerning is the presence of Microsoft IPs. Azure cloud based attackers, perhaps?
The top-20 most actively attacking organizations. DigitalOcean is at the top, as usual, but Interserver is relatively close behind, the Dutch KV Solutions is at third place this time, followed by Microsoft:
As you can see, I've been sending averagely more than 60 automated abuse reports to DigitalOcean every day - but it doesn't seem to be helping very much.
The top-20 passwords that are the most often used by the attackers; nothing unusual here:
Moving on to our SMB honeypot.
First, the big picture. Most of the action is in Asia - China, Vietnam, India, and Indonesia:
Hourly activity, showing averagely about one attack per minute. I've switched to a logarithmic scale, otherwise the lonely spikes of more than a thousand attacks coming from a single IP (usually infected with a WannaCry variant) tend to drown out everything else. Otherwise the traffic is pretty steady, albeit much lower than the one that the Telnet honeypot gets.
Unique uploaded malware variants, according to Symantec's scanner. Lots of corrupted WannaCry variants, as usual (no kill switch check, no encryption).
Note that WannaCry uploads dominate, although not as overwhelmingly, even if we don't count only the unique variants:
Details about the top-20 most actively attacking IPs. A bit concerning to see India's National Internet Backbone holding the top spot:
The top-20 organizations from which most of the attacks are coming from. Nothing unexpected here:
Finally, the data from our ADB honeypot.
The big picture shows that the usual suspects (China, Hong Kong, South Korea) seem to have a huge population of devices with the ADB port open to the Internet with no authentication. This month, however, the Netherlands and the USA are also among the top offenders:
The hourly connection data, showing averagely slightly more than one attack every half an hour:
The malware uploaded to the honeypot, according to Fortinet's scanner. The same old Monero mining worm (Trinity) is causing most of the ADB traffic, plus something that is uploading a shell script that looks vaguely Mirai-like:
Details about the top-20 most actively attacking IPs. Nothing unusual here:
The top-20 organizations that own the IP addresses attacking us:
This concludes the August honeypot report.