Three Honeypots and a Month After

I deployed three web honeypots, one in Singapore, another in Australia and another one in France. I then leveraged IVRE and Suricata to investigate the visitors and the traffic they generated.

In total, over a one month period, the three honeypots were accessed from 2967 different IP addresses. At the end of that period, only 1860 of those addresses responded to probes. The following figures illustrate the geographic distribution of the (still live) visitors.

[World map figure] Visitors' IP-based location.
  Brazil (BR)          214
  Taiwan (TW)          196
  Vietnam (VN)         131
  United States (US)   125
  Russia (RU)          120
  China (CN)            84
  Indonesia (ID)        72
  India (IN)            65
  Iran (IR)             63
  France (FR)           53
  Turkey (TR)           51
  Romania (RO)          47
  Ukraine (UA)          42
  Italy (IT)            39
  Poland (PL)           30
Top 15 originating countries (visitor IP count).
  TW / Taipei              57
  VN / Ho Chi Minh City    36
  BR / São Paulo           28
  TW / Taichung            22
  ID / Jakarta             20
  TR / Istanbul            20
  TW / Taoyuan District    19
  US / Edison              18
  RU / Moscow              17
  TW / Kaohsiung City      15
  CN / Beijing             15
  BD / Dhaka               14
  VN / Hanoi               14
  TW / Tainan City         14
  TW / Hsinchu             13
Top 15 originating cities (visitor IP count).

Of these, 630 (315 already present in spam blacklists) didn't appear to have any ports open. Most of them seem to be hosted on residential ISPs, as illustrated in the figure below.

  AS27699  TELEFÔNICA BRASIL S.A                 57
  AS7552   Viettel Group                         36
  AS45899  VNPT Corp                             23
  AS60781  LeaseWeb Netherlands B.V.             18
  AS3462   Data Communication Business Group     15
  AS55699  PT. Cemerlang Multimedia              15
  AS4134   No.31,Jin-rong Street                 14
  AS14061  DigitalOcean, LLC                     13
  AS8151   Uninet S.A. de C.V.                    8
  AS4837   CHINA UNICOM China169 Backbone         8
  AS174    Cogent Communications                  7
  AS4788   TM Net, Internet Service Provider      7
  AS9121   Turk Telekom                           7
  AS24086  Viettel Corporation                    7
  AS3269   Telecom Italia                         6
Top 15 AS of attackers without open ports (visitor IP count).

The other 1230 attackers, with some exceptions (e.g., Ubuntu / Debian servers), are mostly compromised routers (e.g., MikroTik, Linksys) or IP cameras, as indicated by their open ports and the services behind them.

  tcp/80     902
  tcp/554    393
  tcp/2000   286
  tcp/22     164
  tcp/53     110
  tcp/21     107
  tcp/443    106
  tcp/1723    92
  tcp/23      87
  tcp/8080    84
  tcp/3389    42
  tcp/3306    28
  tcp/8000    27
  tcp/139     22
  tcp/8081    20
Top 15 open ports (host count).
  http            uc-httpd 1.0.0                               326
  bandwidth-test  MikroTik bandwidth-test server               273
  rtsp            [unknown]                                    251
  tcpwrapped      [unknown]                                    245
  [unknown]       [unknown]                                    207
  http            uc-httpd                                     148
  msrpc           Microsoft Windows RPC                        141
  http            MikroTik router config httpd                 118
  rtsp            LuxVision or Vacron DVR rtspd                112
  http            Apache httpd                                 103
  http            lighttpd                                      88
  domain          MikroTik RouterOS named or OpenDNS Updater    84
  pptp            MikroTik                                      81
  ftp             MikroTik router ftpd                          75
  ssh             OpenSSH                                       68
Top 15 products (service, product, host count).

Analysing the captured packets with Suricata (ET Open ruleset) gave some insight into the malicious visitors' intentions. What follows is the list of signatures triggered by the captured traffic, sorted by number of occurrences.

  1. ZmEu scanner User-Agent Inbound
  2. ThinkPHP RCE exploitation Attempt
  3. Microsoft IIS Remote Code Execution (CVE-2017-7269)
  4. MS Terminal Server Traffic on Non-standard Port
  5. Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)
  6. DFind w00tw00t GET-Requests
  7. Incoming Masscan detected
  8. Suspicious Chmod Usage in URI
  9. Incoming Basic Auth Base64 HTTP Password detected unencrypted
  10. D-Link DSL-2750B - OS Command Injection
  11. Possible Apache Struts OGNL Expression Injection (CVE-2017-5638)
  12. AVTECH Unauthenticated Command Injection in DVR Devices
  13. Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Default Credentials
  14. Suspected PHP Injection Attack (cmd=)
  15. ColdFusion administrator access
Note that the requests triggering the ZmEu scanner user-agent signature are related to phpMyAdmin exploitation attempts, and that I purposely excluded SSH brute-force attacks.
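As an added example (not code from the post), here is how a ranking like the one above can be produced from Suricata's eve.json output: it skips non-alert events and corrupt lines, drops SSH brute-force signatures the way the post does, and also reports the number of distinct source addresses per signature so that a single noisy scanner does not pass for a trend. The sample lines are constructed and the signature_id values are placeholders.

```python
import json
from collections import Counter, defaultdict

# Constructed Suricata EVE JSON lines (not data from the honeypots). Field names follow
# Suricata's eve.json schema; signature_id values are placeholders, names are as in the post.
SAMPLE_EVE = """\
{"timestamp":"2019-03-01T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_port":80,"alert":{"signature_id":9000001,"signature":"ZmEu scanner User-Agent Inbound"}}
{"timestamp":"2019-03-01T10:00:02.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_port":80,"alert":{"signature_id":9000001,"signature":"ZmEu scanner User-Agent Inbound"}}
{"timestamp":"2019-03-01T10:00:03.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_port":80,"alert":{"signature_id":9000002,"signature":"ThinkPHP RCE exploitation Attempt"}}
{"timestamp":"2019-03-01T10:00:04.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_port":22,"alert":{"signature_id":9000003,"signature":"SSH brute force attempt (constructed name)"}}
{"timestamp":"2019-03-01T10:00:05.000000+0000","event_type":"http","src_ip":"198.51.100.7","dest_port":80,"http":{"url":"/"}}
{"timestamp":"2019-03-01T10:00:06.000000+0000","event_type":"alert","src_ip":"192.0.2.33","dest_port":80,"alert":{"signature_id":9000001,"signature":"ZmEu scanner User-Agent Inbound"}}
this line is truncated garbage and must not abort the run
"""

def parse_alerts(eve_text):
    """Yield (src_ip, signature) for every alert event; other event types and
    unparseable lines are skipped (eve.json is routinely rotated mid-write)."""
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") != "alert":
            continue
        signature = event.get("alert", {}).get("signature")
        if signature:
            yield event.get("src_ip"), signature

def rank_signatures(eve_text, exclude_substrings=("ssh",)):
    """Return [(signature, hits, distinct_sources)] sorted by hits (ties by name),
    dropping any signature whose name contains an excluded substring, case-insensitively."""
    hits = Counter()
    sources = defaultdict(set)
    excluded = tuple(s.lower() for s in exclude_substrings)
    for src_ip, signature in parse_alerts(eve_text):
        if any(sub in signature.lower() for sub in excluded):
            continue
        hits[signature] += 1
        sources[signature].add(src_ip)
    return sorted(((sig, n, len(sources[sig])) for sig, n in hits.items()),
                  key=lambda row: (-row[1], row[0]))

if __name__ == "__main__":
    for signature, hits, srcs in rank_signatures(SAMPLE_EVE):
        print(f"{hits:5d} hits  {srcs:3d} sources  {signature}")
```

On a real deployment, point it at /var/log/suricata/eve.json (or wherever your eve output is configured) and read the file in chunks; the per-signature source count is the number that separates one persistent scanner from a campaign.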

There isn't anything new in the type of attacks being launched. All revolve around the same two things: Remote Code Execution (RCE) and credential brute forcing. It's interesting to see that Apache Struts RCEs are being used quite a lot. There is a high probability that some of those non-router / non-IP-camera systems were compromised using such exploits.

Cheers :)