June honeypot report
First, the data from our Telnet & SSH honeypot. The USA is at the top spot this month, by far, followed by Italy:
Here is how the hourly activity looks like. The honeypot is being attacked on average 1.4 times per second:
85% of the attacks are via Telnet, the rest are via SSH:
The top-5 URLs from which malware was most actively uploaded to the honeypot. Mirai variants all of them, as usual, although the original variant is not among them:
Indeed, as you can see, uploads of various Mirai variants (IMO, "Svirtu" is a Mirai variant too) dominate heavily. The only exceptions are Hajime, Gafgyt, and some generic downloader:
Details about the top-20 most actively attacking IPs:
The top-20 most actively attacking organizations. DigitalOcean barely registers any more:
Speaking of DigitalOcean, as you can see, I've been sending them averagely nearly 27 abuse reports every day. Maybe it has finally started having an impact.
The top-20 passwords that are the most often used by the attackers; nothing unusual here:
Moving on to our SMB honeypot.
First, the big picture. Russia has the top spot this time:
Hourly activity, showing on average one attack every 2 seconds; pretty steady traffic:
Unique uploaded malware variants, according to Symantec's scanner. The corrupted WannaCry variants (no kill switch check, no encryption) dominate, as usual, although their total number has decreased significantly:
Even if we don't count only the unique variants, WannaCry still holds the top spot:
Details about the top-20 most actively attacking IPs. Nothing unusual here:
The top-20 organizations from which most of the attacks are coming from. Nothing unusual here, either:
Next, the data from our ADB honeypot.
The big picture. This month the USA is at the top spot, followed by China:
The hourly connection data, showing averagely 2.1 attacks per hour:
The unique malware uploaded to the honeypot, according to Fortinet's scanner. A new Monero miner plus some generic downloads are the stars of this month:
Details about the top-20 most actively attacking IPs:
The top-20 organizations that own the IP addresses attacking us:
Next, moving to the Remote Desktop Protocol honeypot.
First, the big picture. Russia is at the top spot this month, again:
Hourly activity, showing nearly 3 attacks per minute:
Details about the top-20 attacking IP addresses. You can see why Russia is at the top spot. Sadly, Bugaria figures prominently, too. Even more interestingly, some attacks come from an IP that belongs to AVAST Software (an anti-virus company):
The top-20 organizations that own the IP addresses attacking us:
Moving on to our Elasticsearch honeypot.
First, the big picture. The uSA is at the top spot this month, by far:
Hourly activity, showing 3 attacks per hour:
The scans dominate although there is a significant number of attempts to exploit the seemingly vulnerable server and to run code on it (mostly a crypto miner):
Details about the top-20 IP addresses that have connected to the honeypot:
Information about the top-20 organizations that own the IP addresses attacking the honeypot:
The top-20 queries most often used by the attackers:
The payloads most often used by the attackers. Mostly trying to install a Monero miner (there is probably a worm or a botnet that does this):
Finally, moving to our Internet Printer Protocol honeypot.
First, the big picture. This month, too, not all attacks come from the USA - there are some from Germany as well. (There are also generic HTTP hits from other countries as well - from machines that scan random IP addresses for the presence of an HTTP server on any port - but I have filtered only the attacks which explicitly use the IPP protocol.)
The attacks come roughly twice per day. So far they have been only scans - the attackers are using only the Get-Printer-Attributes operation and are not actually trying to print anything:
Details about the top-20 IP addresses scanning the honeypot. As you can see, almost all of them are in the USA and belong to a very small set of ISPs. Each address has scanned the honeypot only a few times, though (1-3), suggesting that whoever is doing this (probably Censys), is rotating VMs at these ISPs when doing the scanning from them:
Information about the top-20 organizations that own the IP addresses attacking the honeypot - except that there are only 6 different ones:
This concludes the June honeypot report.