September honeypot report

First, the data from our Telnet & SSH honeypot. This time the UK is way ahead of everybody else. The usual favorite, the USA, is at a second place with less than half as many attacks coming from there:

graphic

Here is how the hourly activity looks like. The honeypot is being attacked 1.63 times per second, which is noticeably less often than the previous months:

graphic

More than 89% of the attacks are via Telnet, the rest are via SSH:

graphic

The top-5 URLs from which malware was most actively uploaded to the honeypot. Mirai variants all of them, as usual, although the original variant is not among them.

graphic

Indeed, as you can see, uploads of various Mirai variants (IMO, "Svirtu" is a Mirai variant too) dominate heavily. The only exceptions are three generic downloaders (Downloader-AAN, Downloader-JS, Agent-AGS, and Downloader-AEH) and Gafgyt:

graphic

Details about the top-20 most actively attacking IPs. You can see why the UK is at the top of attacking countries:

graphic

The top-20 most actively attacking organizations. Unusually, DigitalOcean doesn't occupy the top spot this month, but has managed to get the honorable second place:

graphic

Speaking of DigitalOcean, as you can see, I've been sending them averagely more than 46 abuse reports every day:

graphic

The top-20 passwords that are the most often used by the attackers; nothing unusual here:

graphic

Moving on to our SMB honeypot.

First, the big picture. Vietnam has the top spot again, although Russia is again very active:

graphic

Hourly activity, showing on average around 2.7 attacks per second; pretty steady traffic:

graphic

Unique uploaded malware variants, according to Symantec's scanner. The corrupted WannaCry variants (no kill switch check, no encryption) dominate, as usual, although their total number has decreased significantly:

graphic

Even if we don't count only the unique variants, WannaCry is well-represented:

graphic

Details about the top-20 most actively attacking IPs. Nothing unusual here:

graphic

The top-20 organizations from which most of the attacks are coming from. Nothing unusual here, either:

graphic

Next, the data from our ADB honeypot.

The big picture. This month the USA holds the top spot, displacing China:

graphic

The hourly connection data, showing averagely 2.1 attacks per hour:

graphic

The unique malware uploaded to the honeypot, according to Fortinet's scanner. The two parts of same old Monero mining worm (Trinity) is causing all the malicious uploads:

graphic

Details about the top-20 most actively attacking IPs:

graphic

The top-20 organizations that own the IP addresses attacking us:

graphic

Next, moving to the Remote Desktop Protocol honeypot.

First, the big picture. A single IP address in Lithuania has caused most of the traffic:

graphic

Hourly activity, showing more than 3.58 attacks per minute:

graphic

Details about the top-20 attacking IP addresses. That Lithuanian IP address features prominently at the top:

graphic

The top-20 organizations that own the IP addresses attacking us:

graphic

Moving to our Elasticsearch honeypot.

First, the big picture. The USA has managed to displace China this time:

graphic

Hourly activity, showing an attack every half an hour:

graphic

The scans dominate although there are a significant number of attempts to exploit the seemingly vulnerable server and to run code on it (mostly a crypto miner). There is also one unusual scan using a HEAD request; probably somebody's overly cautious vulnerability scanner:

graphic

Details about the top-20 IP addresses that have connected to the honeypot. You can see at the top the Chinese IP address whose entire purpose in life seems to be periodically scanning the Internet for open Elasticsearch servers:

graphic

Information about the top-20 organizations that own the IP addresses attacking the honeypot. Naturally, China is at the top:

graphic

The top-20 queries most often used by the attackers:

graphic

The top-10 payloads used by the attackers. Mostly trying to install a Monero miner (there is probably a worm or a botnet that does this):

graphic

Finally, moving to our Internet Printer Protocol honeypot.

First, the big picture. All attacks come from the USA. (There are generic HTTP hits from other countries as well - from machines that scan random IP addresses for the presence of an HTTP server on any port - but I have filtered only the attacks which explicitly use the IPP protocol.)

graphic

The attacks come roughly 4 times per day. So far they have been only scans - the attackers are using only the Get-Printer-Attributes operation and are not actually trying to print anything:

graphic

Details about the top-20 IP addresses scanning the honeypot. As you can see, all of them are in the USA and belong to a very small set of ISPs. Each address has scanned the honeypot only a few times, though (1-5), suggesting that whoever is doing this is rotating VMs at these ISPs when doing the scanning from them:

graphic

Information about the top-20 organizations that own the IP addresses attacking the honeypot - except that there are only 7 different ones, one of which is unidentified. The others are just hosting providers in the USA:

graphic

This concludes the September honeypot report.