Friday, 31 July 2015

MongoDB - scanning ip 89.248.167.159

I set up a MongoDB dummy some time ago, although I am not quite sure how to handle the data I am receiving, which is the main reason I have not yet reported any of this stuff. Today, while reviewing the logs, I saw that one IP was accessing my dummy on both of my honeypots, which is at least a bit strange. In addition to that, the IP only accessed this dummy.

BEGIN OF MONGODB DATA:
2015-07-31 18:09:04
Source IP: 89.248.167.159
Country: NL RiskScore: 8.6 Malware: []
[non-printable wire-protocol header bytes] admin.$cmd [non-printable bytes] ismaster
END OF DATA
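The captured line is a legacy MongoDB OP_QUERY against the pseudo-collection admin.$cmd whose BSON body carries the command name, here ismaster (the standard first message a driver or a scanner sends to learn what it is talking to). The following is an added example, not code from the honeypot or from this post, showing how a dummy listener would decode such a message into a log line like the one above. It implements only the BSON element types needed for command probes (int32, int64, double, string, boolean, embedded document); the sample messages are constructed in the code, not captured traffic, and the MAX_MESSAGE bound is an assumed sanity limit.

```python
"""Decode the legacy MongoDB OP_QUERY message a honeypot dummy receives.

A MongoDB client's first message is usually an OP_QUERY on "<db>.$cmd"
whose BSON body names the command, e.g. {"ismaster": 1}.  This example
builds such messages (to have test input) and parses them back into
(namespace, command, query), refusing malformed input instead of crashing.
"""
import struct

OP_QUERY = 2004                  # legacy opcode used by 2015-era clients and scanners
HEADER_LEN = 16                  # messageLength, requestID, responseTo, opCode (int32 LE)
MAX_MESSAGE = 48 * 1024 * 1024   # assumed sanity bound on messageLength


def bson_encode(doc):
    """Encode a dict with int/float/str/bool/dict values as a BSON document."""
    out = bytearray()
    for key, val in doc.items():
        name = key.encode() + b"\x00"
        if isinstance(val, bool):                       # must be tested before int
            out += b"\x08" + name + (b"\x01" if val else b"\x00")
        elif isinstance(val, int):
            out += b"\x10" + name + struct.pack("<i", val)
        elif isinstance(val, float):
            out += b"\x01" + name + struct.pack("<d", val)
        elif isinstance(val, str):
            s = val.encode() + b"\x00"
            out += b"\x02" + name + struct.pack("<i", len(s)) + s
        elif isinstance(val, dict):
            out += b"\x03" + name + bson_encode(val)
        else:
            raise TypeError(f"unsupported value type {type(val).__name__}")
    return struct.pack("<i", len(out) + 5) + bytes(out) + b"\x00"


def _cstring(buf, pos):
    end = buf.index(b"\x00", pos)              # ValueError if unterminated
    return buf[pos:end].decode("utf-8", "replace"), end + 1


def bson_decode(buf, pos=0):
    """Decode one BSON document starting at pos; return (dict, end_pos)."""
    (size,) = struct.unpack_from("<i", buf, pos)
    end = pos + size
    if size < 5 or end > len(buf) or buf[end - 1] != 0:
        raise ValueError("malformed BSON document")
    doc, pos = {}, pos + 4
    while pos < end - 1:
        etype, pos = buf[pos], pos + 1
        key, pos = _cstring(buf, pos)
        if etype == 0x01:                           # double
            (val,) = struct.unpack_from("<d", buf, pos); pos += 8
        elif etype == 0x02:                         # UTF-8 string, int32 length incl. NUL
            (slen,) = struct.unpack_from("<i", buf, pos); pos += 4
            val = buf[pos:pos + slen - 1].decode("utf-8", "replace"); pos += slen
        elif etype == 0x03:                         # embedded document
            val, pos = bson_decode(buf, pos)
        elif etype == 0x08:                         # boolean
            val, pos = buf[pos] == 1, pos + 1
        elif etype == 0x10:                         # int32
            (val,) = struct.unpack_from("<i", buf, pos); pos += 4
        elif etype == 0x12:                         # int64
            (val,) = struct.unpack_from("<q", buf, pos); pos += 8
        else:
            raise ValueError(f"unsupported BSON element type 0x{etype:02x}")
        doc[key] = val
    if pos != end - 1:
        raise ValueError("BSON element lengths do not add up to document size")
    return doc, end


def build_op_query(namespace, query, request_id=1):
    """Build a legacy OP_QUERY exactly as a driver or scanner would send it."""
    body = (struct.pack("<i", 0)                        # flags
            + namespace.encode() + b"\x00"              # fullCollectionName
            + struct.pack("<ii", 0, -1)                 # numberToSkip, numberToReturn
            + bson_encode(query))
    header = struct.pack("<iiii", HEADER_LEN + len(body), request_id, 0, OP_QUERY)
    return header + body


def parse_op_query(msg):
    """Parse one complete OP_QUERY message into its fields; raise on bad input."""
    if len(msg) < HEADER_LEN:
        raise ValueError("truncated header")
    length, request_id, _response_to, op_code = struct.unpack_from("<iiii", msg, 0)
    if length != len(msg) or length > MAX_MESSAGE:
        raise ValueError(f"messageLength {length} does not match {len(msg)} bytes on the wire")
    if op_code != OP_QUERY:
        raise ValueError(f"opCode {op_code} is not OP_QUERY")
    (flags,) = struct.unpack_from("<i", msg, HEADER_LEN)
    namespace, pos = _cstring(msg, HEADER_LEN + 4)
    skip, limit = struct.unpack_from("<ii", msg, pos)
    query, _ = bson_decode(msg, pos + 8)
    # Commands travel as queries on "<db>.$cmd"; the first key names the command.
    command = next(iter(query), None) if namespace.endswith(".$cmd") else None
    return {"request_id": request_id, "flags": flags, "namespace": namespace,
            "skip": skip, "limit": limit, "query": query, "command": command}


def summarize(msg):
    """One log line per message; never raise on attacker-controlled bytes."""
    try:
        p = parse_op_query(msg)
    except (ValueError, struct.error, IndexError) as exc:
        return f"malformed ({exc}) {msg[:16].hex()}"
    what = f"command={p['command']}" if p["command"] else f"query={p['query']}"
    return f"{p['namespace']} {what}"


# Constructed sample traffic (not captured data): the isMaster probe the
# honeypot logged, an ordinary find on a collection, and a truncated message.
ISMASTER_PROBE = build_op_query("admin.$cmd", {"ismaster": 1})
FIND_USERS = build_op_query("test.users", {"name": "alice", "active": True})
TRUNCATED = ISMASTER_PROBE[:-6]

if __name__ == "__main__":
    for m in (ISMASTER_PROBE, FIND_USERS, TRUNCATED):
        print(summarize(m))
```

The two checks worth keeping in a real listener are the ones that make summarize() safe: the header's messageLength must equal what was actually read from the socket, and every BSON element length must stay inside the document it belongs to. A scanner that is fingerprinting honeypots will happily send short or oversized frames, and a dummy that crashes or hangs on them gives itself away.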
According to IBM X-Force data, this IP address is known to perform scanning activity:
"geo": {
      "country": "Netherlands",
      "countrycode": "NL"
   },
   "ip": "89.248.167.159",
   "reason": "Firewall deny log analysis",
   "reasonDescription": "This IP was involved in port scanning activities.",
   "score": 8.6,
   "subnets": [
      {
         "categoryDescriptions": {},
         "cats": {},
         "created": "2012-03-22T07:26:00.000Z",
         "geo": {
            "country": "Netherlands",
            "countrycode": "NL"
         },