February honeypot report

First, the data from our Telnet & SSH honeypot. As almost always, the USA holds the top spot. Sadly, our country (Bulgaria) is among the top three:

graphic

Here is how the hourly activity looks like. The honeypot is being attacked more often than 2.2 times per second:

graphic

More than 98% of the attacks are via Telnet, the rest are via SSH:

graphic

The top-5 URLs from which malware was most actively uploaded to the honeypot. Mirai variants all of them, as usual, although the original variant is not among them.

graphic

Indeed, as you can see, uploads of various Mirai variants (IMO, "Svirtu" is a Mirai variant too) dominate heavily. Only Gafgyt is substantially different and it accounts for only 0.26% of the uploads:

graphic

Details about the top-20 most actively attacking IPs. Again one infected machine in Verdina Ltd. is causing most of the attack traffic coming from Bulgaria:

graphic

The top-20 most actively attacking organizations. DigitalOcean is again at the top spot; only their name has changed a bit:

graphic

Speaking of DigitalOcean, as you can see, I've been sending them averagely 42 abuse reports every day - but it doesn't seem to be helping very much:

graphic

The top-20 passwords that are the most often used by the attackers; nothing unusual here:

graphic

Moving on to our SMB honeypot.

First, the big picture. Most of the action is in Russia again, although Vietnam is again well-represented too. This month we got fewer attacks against our SMB honeypot than against our Telnet & SSH honeypot due to a short period of low activity, as you'll see in a moment. Most of the attacks are just scans - the number of uploaded files is relatively small. It seems that there is a botnet out there that is looking for vulnerable hosts without actually attacking them:

graphic

Hourly activity, showing on average nearly 1.9 attacks per second. You can see how for about a week, the number of attacks was two orders of magnitude lowe than usual - I guess the botnet was taking a vacation:

graphic

Unique uploaded malware variants, according to Symantec's scanner. Lots of corrupted WannaCry variants, as usual (no kill switch check, no encryption).

graphic

Even if we don't count only the unique variants, the WannaCry samples dominate:

graphic

Details about the top-20 most actively attacking IPs. Nothing unusual here:

graphic

The top-20 organizations from which most of the attacks are coming from. Nothing unusual here, either:

graphic

Finally, the data from our ADB honeypot.

The big picture. The Far East (Hong Kong, South Korea, China) dominates but the USA and Russia figure prominently, too:

graphic

The hourly connection data, showing averagely one attack every half an hour:

graphic

The malware uploaded to the honeypot, according to Fortinet's scanner. The two parts of same old Monero mining worm (Trinity) is causing almost all of the malicious uploads but this month we see a Mirai variant make an appearance too:

graphic

Details about the top-20 most actively attacking IPs:

graphic

The top-20 organizations that own the IP addresses attacking us:

graphic

This concludes the February honeypot report.