I deployed three web honeypots, one in Singapore, another in Australia and another one in France. I then used IVRE and Suricata to investigate the visitors and the traffic they generated.
In total, over a one month period, the three honeypots were accessed from 2967 different IP addresses. At the end of that period, only 1860 of those addresses responded to probes. The following images illustrate the geographic distribution of the (still live) visitors.
Of these, 630 (315 already present in blacklists for spam) didn't appear to have any ports open. Most of them seem to be hosted on residential ISPs, as illustrated in the figure below.
The other 1230 attackers, with some exceptions (e.g., Ubuntu / Debian servers), are mostly compromised routers (e.g., MikroTik, Linksys) or IP cameras, as indicated by the open ports and the services behind them.
Analysing the captured packets with Suricata (ET Open ruleset) gave some insight into the malicious visitors' intentions. The signatures triggered by the captured traffic follow, sorted by number of occurrences.
ZmEu scanner User-Agent Inbound
ThinkPHP RCE exploitation Attempt
Microsoft IIS Remote Code Execution (CVE-2017-7269)
Possible Apache Struts OGNL Expression Injection (CVE-2017-5638)
AVTECH Unauthenticated Command Injection in DVR Devices
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Default Credentials
Suspected PHP Injection Attack (cmd=)
ColdFusion administrator access
Note that the requests triggering the ZmEu scanner user-agent signature are related to phpMyAdmin exploitation attempts, and that I purposely excluded SSH brute force attacks.
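As an added example (not code from the original post), the short Python script below produces the kind of tally listed above from Suricata's eve.json output: it keeps only alert events, ranks signatures by number of hits, counts the distinct source IPs behind each, records the most requested URL, and drops SSH brute force signatures from the ranking. The eve.json records, source IPs, URLs and the SSH signature name are constructed for illustration; the other signature names are the ones listed in the post.

```python
import json
from collections import Counter, defaultdict

# Constructed Suricata eve.json records (one JSON object per line). Signature names
# are taken from the list in the post; IPs, URLs and the SSH signature are made up.
SAMPLE_EVE = r"""
{"timestamp":"2019-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_port":80,"alert":{"signature":"ZmEu scanner User-Agent Inbound","category":"Attempted Information Leak"},"http":{"url":"/phpMyAdmin/scripts/setup.php","http_user_agent":"ZmEu"}}
{"timestamp":"2019-05-01T10:00:02.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_port":80,"alert":{"signature":"ZmEu scanner User-Agent Inbound","category":"Attempted Information Leak"},"http":{"url":"/pma/scripts/setup.php","http_user_agent":"ZmEu"}}
{"timestamp":"2019-05-02T03:14:00.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_port":80,"alert":{"signature":"ZmEu scanner User-Agent Inbound","category":"Attempted Information Leak"},"http":{"url":"/phpMyAdmin/scripts/setup.php","http_user_agent":"ZmEu"}}
{"timestamp":"2019-05-02T03:15:00.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_port":80,"alert":{"signature":"ThinkPHP RCE exploitation Attempt","category":"Attempted Administrator Privilege Gain"},"http":{"url":"/index.php","http_method":"GET"}}
{"timestamp":"2019-05-03T22:40:00.000000+0000","event_type":"alert","src_ip":"192.0.2.5","dest_port":80,"alert":{"signature":"ThinkPHP RCE exploitation Attempt","category":"Attempted Administrator Privilege Gain"},"http":{"url":"/index.php","http_method":"GET"}}
{"timestamp":"2019-05-03T22:41:00.000000+0000","event_type":"alert","src_ip":"192.0.2.5","dest_port":80,"alert":{"signature":"Possible Apache Struts OGNL Expression Injection (CVE-2017-5638)","category":"Attempted Administrator Privilege Gain"}}
{"timestamp":"2019-05-03T22:42:00.000000+0000","event_type":"alert","src_ip":"192.0.2.5","dest_port":22,"alert":{"signature":"Possible SSH brute force (constructed)","category":"Attempted Administrator Privilege Gain"}}
{"timestamp":"2019-05-03T22:43:00.000000+0000","event_type":"flow","src_ip":"192.0.2.5","dest_port":80}
"""


def summarize_alerts(eve_text, exclude="ssh"):
    """Rank alert signatures by hit count; also report distinct sources and top URL.

    Signatures whose name contains `exclude` (case-insensitive) are skipped, which
    is how the SSH brute force noise is left out of the tally. Non-alert events
    (flow, http, dns, ...) are ignored.
    Returns a list of (signature, hits, distinct_src_ips, [(top_url, count)]).
    """
    hits, sources, urls = Counter(), defaultdict(set), defaultdict(Counter)
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue
        sig = event["alert"]["signature"]
        if exclude and exclude.lower() in sig.lower():
            continue
        hits[sig] += 1
        sources[sig].add(event["src_ip"])
        url = event.get("http", {}).get("url")
        if url:
            urls[sig][url] += 1
    ranked = sorted(hits, key=lambda s: (-hits[s], s))
    return [(s, hits[s], len(sources[s]), urls[s].most_common(1)) for s in ranked]


if __name__ == "__main__":
    for sig, n, src, top in summarize_alerts(SAMPLE_EVE):
        print(f"{n:4d} hits  {src:3d} sources  {sig}  {top[0][0] if top else '-'}")
```

On a real deployment, feed it the contents of /var/log/suricata/eve.json; the per-signature source counts separate one noisy scanner from a signature hit by many distinct hosts.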
There isn't anything new in the type of attacks being launched. All revolve around the same two things: Remote Code Execution (RCE) and credential brute forcing. It's interesting to see that Apache Struts RCEs are being used quite a lot. There is a high probability that some of those non-router / IP camera systems were compromised using such exploits.