September honeypot report
First, the data from our Telnet & SSH honeypot. The big picture looks like this. As usual, most attacks have come from the USA, with the Netherlands in second place, again. This time our country (Bulgaria) has crept into the Top-15, because of a machine at Netcube running a Mirai C2 server:
Here is what the hourly activity looks like. The honeypot is being attacked, on average, slightly more often than twice per second:
More than 94% of the attacks are via Telnet, the rest are via SSH. It seems that the Gafgyt botnet (which spreads via SSH) is slowly disappearing, despite the recent reports that it dominates the DDoS attack space.
The top-5 URLs from which malware was most actively uploaded to the honeypot. All of them are Mirai variants, as usual, although the original variant is not among them.
Details about the top-20 most actively attacking IPs. As usual, DigitalOcean is heavily present, although this time an IP owned by OVH, another big cloud hosting provider, occupies first place:
The top-20 most actively attacking organizations. DigitalOcean is way ahead of everybody else, as usual:
As you can see, I've been sending on average nearly 40 automated abuse reports to DigitalOcean every day, but it doesn't seem to be helping very much.
The top-20 passwords most often used by the attackers; nothing unusual here:
Moving on to our SMB honeypot.
First, the big picture. Much of the action is in Asia, but this month the UK and the USA are also among the top attackers:
Hourly activity, showing on average about one attack per minute. I've switched to a logarithmic scale, otherwise the lonely spikes of more than a thousand attacks coming from a single IP (usually infected with a WannaCry variant) tend to drown out everything else. Apart from those spikes the traffic is pretty steady, albeit much lower than what the Telnet honeypot gets.
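The numbers behind the charts above (the Telnet vs SSH split, hourly counts, top IPs and top passwords, and the single-IP spikes that force a logarithmic scale) can be derived from honeypot logs with a few lines of aggregation. This is an added example, not the code behind this report; it assumes a Cowrie-style JSON-lines format with `timestamp`, `src_ip`, `protocol`, `username` and `password` fields, which is an assumption since the report does not say which honeypot software produced the charts, and the log lines are constructed:

```python
import json
from collections import Counter, defaultdict

# Constructed sample in a Cowrie-style JSON-lines format (an assumption; the
# report does not say which honeypot software produced its charts).
SAMPLE_LOG = """\
{"timestamp":"2019-09-01T00:00:12Z","src_ip":"203.0.113.10","protocol":"telnet","username":"root","password":"admin"}
{"timestamp":"2019-09-01T00:10:40Z","src_ip":"198.51.100.7","protocol":"ssh","username":"admin","password":"admin"}
{"timestamp":"2019-09-01T00:31:05Z","src_ip":"192.0.2.55","protocol":"telnet","username":"admin","password":"1234"}
{"timestamp":"2019-09-01T01:02:19Z","src_ip":"203.0.113.10","protocol":"telnet","username":"root","password":"admin"}
{"timestamp":"2019-09-01T01:02:20Z","src_ip":"203.0.113.10","protocol":"telnet","username":"root","password":"123456"}
{"timestamp":"2019-09-01T01:02:21Z","src_ip":"203.0.113.10","protocol":"telnet","username":"root","password":"admin"}
{"timestamp":"2019-09-01T01:45:00Z","src_ip":"192.0.2.55","protocol":"telnet","username":"root","password":"admin"}
{"timestamp":"2019-09-01T02:15:33Z","src_ip":"198.51.100.7","protocol":"ssh","username":"pi","password":"raspberry"}
{"timestamp":"2019-09-01T02:40:02Z","src_ip":"203.0.113.10","protocol":"telnet","username":"root","password":"admin"}
"""

def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def protocol_share(events):
    """Percentage of attempts per protocol (the Telnet vs SSH split)."""
    counts = Counter(e["protocol"] for e in events)
    total = sum(counts.values())
    return {p: round(100.0 * n / total, 1) for p, n in counts.items()}

def hourly_counts(events):
    """Attempts per hour, keyed by the 'YYYY-MM-DDTHH' prefix of the timestamp."""
    return Counter(e["timestamp"][:13] for e in events)

def top_n(events, field, n=20):
    """Top-N values of a field, e.g. src_ip or password."""
    return Counter(e[field] for e in events).most_common(n)

def spike_hours(events, threshold=0.5):
    """Hours in which one source IP contributes more than `threshold` of the
    traffic: the 'lonely spikes' that flatten a linear-scale chart."""
    per_hour = defaultdict(Counter)
    for e in events:
        per_hour[e["timestamp"][:13]][e["src_ip"]] += 1
    spikes = {}
    for hour, ips in per_hour.items():
        ip, n = ips.most_common(1)[0]
        share = n / sum(ips.values())
        if share > threshold:
            spikes[hour] = (ip, share)
    return spikes

EVENTS = parse_events(SAMPLE_LOG)
```

Flagging the spike hours separately, rather than only plotting them on a log scale, also gives a list of single-source IPs to feed into the automated abuse reports mentioned above.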
Unique uploaded malware variants, according to Symantec's scanner. Lots of corrupted WannaCry variants, as usual (no kill switch check, no encryption).
Note that WannaCry uploads still dominate, although less overwhelmingly, even when all uploads are counted rather than only the unique variants:
Details about the top-20 most actively attacking IPs:
The top-20 organizations from which most of the attacks are coming. Nothing unexpected here:
Finally, the data from our ADB honeypot.
The big picture. This month Russia is way ahead of everyone else:
The hourly connection data, showing on average an attack every minute, instead of the usual slightly more than one every half hour. This is mostly caused by the huge spikes from Russian IPs:
The malware uploaded to the honeypot, according to Fortinet's scanner. The same old Monero mining worm (Trinity) is causing most of the ADB traffic, plus something that is uploading a shell script that looks vaguely Mirai-like:
Details about the top-20 most actively attacking IPs. Nothing unusual here:
The top-20 organizations that own the IP addresses attacking us:
This concludes the September honeypot report.