Our first monthly stats are in!
In April 2015 we had 5 honeypots: 3 in the USA, 1 in Norway, 1 in the Netherlands. On these honeypots the following services were capturing attacks:
We plotted the attacks on a map. The attacks on SSH originated mostly from China and the USA.
The attacks on all other services came mostly from the USA and Venezuela.
The attacks from Venezuela were many attempts to download the same file: hxxp://126.96.36.199:3194/tvtxrqk (MD5: 9c09418c738e265a27e6c599f43d86ab, VirusTotal), which is a Conficker variant. Boring!
Besides the usual passwords (root:root, admin:admin etc.) another much-used password was ubnt:ubnt.
Besides the malware mentioned above we had some more malware sent to our honeypots. So far nothing interesting. We will set up our custom Cuckoo sandbox soon so we can pass through all malware samples we catch and analyse them.
Last but not least, we observed one funny “attack”: someone using a Macedonia proxy to download psyBNC (an IRC bouncer similar to ZNC). We wonder what he wants to use that for 🙂
See you next month!