Vess @VessOnSecurity, 14 tweets
OK, folks, the month of October is over here, so it is time for my honeypot report. Let's start with our Telnet & SSH honeypot.
First, the big picture. As always, the USA is at the top of the list of countries where the attacks are coming from. Three TIMES more attacks from there than from the next contender, Germany. The latter is somewhat unusual; Germany is rarely near the top.
Next, a graph of the number of attacks per hour. The honeypot is being attacked nearly once every second on average!
About 7% of the attacks are via SSH (mostly Gafgyt variants) and nearly 93% are via Telnet (mostly Mirai).
The top 5 URLs from which the malware is taken the most often when uploading it to the honeypot. All of them point to Mirai variants.
Details about the top 20 attacking IPs. Surprisingly, DigitalOcean isn't at the top, FranTech is, but DigitalOcean makes it up in volume:
The top ISPs from which the attacks are coming. DigitalOcean is way ahead of everybody else - three TIMES more attacks from it than from the next contender, despite my daily reports to them about the misuse of their services.
Finally, the most often used passwords during the attacks. Nothing unusual here.
But, hey, we also have an SMB honeypot now! We're still fiddling with it and it is occasionally down for maintenance, thus the gaps on some of the following charts.
Let's start with the big picture. Here China is firmly in the top spot among the attackers, closely followed by Russia. The USA is a distant third.
Graph of the number of connections every hour. On average, once per minute. Not every connection results in a malware upload, and they often (but not always) go in pairs. Could be just scans or misconfigurations - hard to tell, since there are no logins and commands issued here.
The different uploaded malware files, according to Symantec's scanner (I chose that because its names are more readable). A handful of files are not detected or not known to VirusTotal. WannaCry is prevalent (89%), Downadup is Conficker (6%), the rest are mostly downloaders.
Details about the top 20 attacking IPs. The topmost one is no longer active, I have no information about the second one. Most are Chinese.
Details about the top 20 attacking ISPs. China and Russia occupy the top spots, no surprise here. Yay, DigitalOcean is present here too.

This concludes the monthly report.
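The figures the thread quotes (protocol split, attacks per hour, top source IPs, top passwords, top malware URLs) are all simple aggregates over honeypot events. The script below is an added example, not the author's tooling; it reads a constructed Cowrie-style JSON-lines log whose field names (`ts`, `event`, `proto`, `src_ip`, `password`, `url`) are assumptions, and tolerates malformed lines so one bad record does not abort the monthly report.

```python
"""Aggregate honeypot events into the figures a monthly report quotes.
Added example; the log format and field names are assumptions."""
import json
from collections import Counter
from datetime import datetime

# Constructed sample events (RFC 5737 test addresses, not real traffic).
SAMPLE_LOG = """
{"ts": "2018-10-01T00:00:03Z", "event": "login", "proto": "telnet", "src_ip": "203.0.113.5", "password": "admin"}
{"ts": "2018-10-01T00:00:04Z", "event": "login", "proto": "telnet", "src_ip": "203.0.113.5", "password": "admin"}
{"ts": "2018-10-01T00:30:10Z", "event": "download", "proto": "telnet", "src_ip": "203.0.113.5", "url": "http://198.51.100.9/bins/mirai.arm"}
{"ts": "2018-10-01T01:12:44Z", "event": "login", "proto": "ssh", "src_ip": "198.51.100.23", "password": "123456"}
{"ts": "2018-10-01T01:13:01Z", "event": "download", "proto": "ssh", "src_ip": "198.51.100.23", "url": "http://198.51.100.9/bins/mirai.arm"}
{"ts": "2018-10-01T01:59:59Z", "event": "login", "proto": "telnet", "src_ip": "192.0.2.77", "password": "admin"}
"""

def parse_events(text):
    """Parse JSON lines; skip blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupted record should not kill the whole report
    return events

def summarize(events, top_n=5):
    """Return protocol share (%), logins per hour, top IPs, passwords and download URLs."""
    logins = [e for e in events if e.get("event") == "login"]
    proto = Counter(e["proto"] for e in logins)
    total = sum(proto.values()) or 1  # avoid division by zero on an empty month
    hour_key = lambda e: datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%d %H")
    return {
        "protocol_share": {p: round(100 * n / total, 1) for p, n in proto.items()},
        "logins_per_hour": dict(sorted(Counter(map(hour_key, logins)).items())),
        "top_ips": Counter(e["src_ip"] for e in logins).most_common(top_n),
        "top_passwords": Counter(e.get("password", "") for e in logins).most_common(top_n),
        "top_urls": Counter(e["url"] for e in events if e.get("event") == "download").most_common(top_n),
    }

if __name__ == "__main__":
    for name, value in summarize(parse_events(SAMPLE_LOG)).items():
        print(name, value)
```

Mapping the top IPs to countries and ISPs, as the thread's charts do, needs an external GeoIP/ASN database and is left out here.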