Honeypot Stats - Day 1

(17-18 of December)

The IP used for the honeypot is a public IP address that was purchased about 2 years ago but has never been used. This means that anything finding it is most likely finding it through open searches, and it is not likely to have been cached or scanned as part of an old service.

The honeypot being used is called T-POT: https://github.com/telekom-security/tpotce

“T-Pot is the all in one, optionally distributed, multiarch (amd64, arm64) honeypot platform, supporting 20+ honeypots and countless visualization options using the Elastic Stack, animated live attack maps and lots of security tools to further improve the deception experience.”

HIGH-LEVEL STATS

As you can see, there were 59k attacks during the last 24 hours, the most common sensors being Dionaea and Cowrie.


Dionaea:

Dionaea is meant to be a nepenthes successor, embedding python as scripting language, using libemu to detect shellcodes, supporting ipv6 and tls.

Protocols

  • blackhole

  • epmap

  • ftp

  • http

  • memcache

  • mirror

  • mqtt

  • mssql

  • mysql

  • pptp

  • sip

  • smb

  • tftp

  • upnp

This covers many of the common Microsoft protocols / services.

Cowrie

Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. In medium interaction mode (shell) it emulates a UNIX system in Python, in high interaction mode (proxy) it functions as an SSH and telnet proxy to observe attacker behavior to another system.

Common Usernames and Passwords attempted:

Most of these findings highlight common ‘default passwords’ being attempted in the hope of getting lucky. If you have any service, public or otherwise, please ensure the default password is changed!

IP Reputation

The following is how the IPs have been categorised. It should be noted that almost every IP has already been identified as a known attack or a common mass scanner. These IPs should be blocked by default for most services.

  • known attacker: 12,129

  • mass scanner: 146

  • bot, crawler: 17

  • tor exit node: 1
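To make the two points above concrete (default-credential guessing dominating the Cowrie logs, and the source IPs being block-list material), here is an added example script that is not part of the original post and not code from T-Pot or Cowrie. It reads Cowrie's one-JSON-object-per-line log format, counts the most common username/password pairs and source IPs, reports how much of the traffic used a known default credential, and lists IPs that exceed an attempt threshold as deny-list candidates. The log lines and the default-credential list are constructed for the example; the field names (eventid, src_ip, username, password) are the ones Cowrie writes.

```python
import json
from collections import Counter

# Constructed sample in the shape of Cowrie's cowrie.json output (one JSON
# object per line). These records are made up for the example; they are not
# data from the honeypot described in the post.
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","username":"root","password":"admin","src_ip":"203.0.113.10","timestamp":"2024-12-17T10:01:02.000000Z","session":"a1"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"203.0.113.10","timestamp":"2024-12-17T10:01:05.000000Z","session":"a1"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"198.51.100.7","timestamp":"2024-12-17T10:02:00.000000Z","session":"b2"}
{"eventid":"cowrie.login.success","username":"root","password":"admin","src_ip":"198.51.100.7","timestamp":"2024-12-17T10:02:03.000000Z","session":"b2"}
{"eventid":"cowrie.session.connect","src_ip":"192.0.2.55","timestamp":"2024-12-17T10:03:00.000000Z","session":"c3","protocol":"telnet"}
{"eventid":"cowrie.login.failed","username":"user","password":"user","src_ip":"192.0.2.55","timestamp":"2024-12-17T10:03:01.000000Z","session":"c3"}
{"eventid":"cowrie.login.failed","username":"root","password":"admin","src_ip":"192.0.2.55","timestamp":"2024-12-17T10:03:04.000000Z","session":"c3"}
{"eventid":"cowrie.login.failed","username":"pi","password":"raspberry","src_ip":"198.51.100.200","timestamp":"2024-12-17T10:04:00.000000Z","session":"d4"}
"""

# Constructed list of vendor default credentials to flag against; a real
# deployment would load a fuller list from a file.
DEFAULT_CREDS = {("root", "admin"), ("admin", "admin"), ("user", "user"), ("pi", "raspberry")}

LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")


def parse_cowrie(text):
    """Yield one dict per JSON line, skipping blank or malformed lines so a
    truncated record at log rotation does not abort the whole run."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def login_attempts(records):
    """Keep only login events; connects, commands and downloads are ignored."""
    return [r for r in records if r.get("eventid") in LOGIN_EVENTS]


def summarise(text, top_n=5):
    """Aggregate credentials and sources the way the post's dashboard does."""
    attempts = login_attempts(parse_cowrie(text))
    creds = Counter((r["username"], r["password"]) for r in attempts)
    sources = Counter(r["src_ip"] for r in attempts)
    default_hits = sum(n for cred, n in creds.items() if cred in DEFAULT_CREDS)
    successes = [
        (r["src_ip"], r["username"], r["password"])
        for r in attempts if r["eventid"] == "cowrie.login.success"
    ]
    return {
        "total_attempts": len(attempts),
        "top_credentials": creds.most_common(top_n),
        "top_sources": sources.most_common(top_n),
        "default_cred_share": default_hits / len(attempts) if attempts else 0.0,
        "successes": successes,
    }


def block_candidates(text, threshold=2):
    """Source IPs that made at least `threshold` login attempts, sorted so the
    output can be fed to a firewall deny list alongside reputation feeds."""
    sources = Counter(r["src_ip"] for r in login_attempts(parse_cowrie(text)))
    return sorted(ip for ip, n in sources.items() if n >= threshold)


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print(f"login attempts: {report['total_attempts']}")
    print(f"share using default creds: {report['default_cred_share']:.0%}")
    for (user, pw), n in report["top_credentials"]:
        print(f"  {n:>3}  {user}:{pw}")
    print("successful logins:", report["successes"])
    print("block candidates:", block_candidates(SAMPLE_LOG))
```

Pointed at a real cowrie.json, the same functions give the ‘top usernames and passwords’ view from the dashboard without Elastic, and the successful-login list is the one worth alerting on, since in medium-interaction mode every accepted login means an attacker is now running commands in the emulated shell.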

P0f (Operating System Fingerprinting):

Apparently a Nintendo 3DS is trying to perform some level of attacks against the honeypot!

Attack Sources (Country)

It’s a clear win by Taiwan.

Most attacked port: 23

CVE ID’s attempted

CVE-2021-41773, CVE-2021-41773, CVE-2021-41773, CVE-2021-41773, CVE-2021-42013, CVE-2021-42013, CVE-2024-4577, CVE-2002-0953, CVE-2019-9621, CVE-2021-2109, CVE-2019-9621, CVE-2019-9670, CVE-2019-9670, CVE-2002-1149, CVE-2006-3602, CVE-2006-4458, CVE-2006-4542, CVE-2009-2765, CVE-2016-6563, CVE-2018-11776

Mostly old, with some ‘newish’ CVEs sprinkled in.

Attacker Source IP:

Those cheeky hackers…

These will probably be weekly updates going forward… If the disk drive can handle storing logs for that long!