I set up a MongoDB dummy some time ago, although I am not quite sure how to handle the data I am receiving, which is the main reason I have not yet reported any of this stuff. Today, while reviewing the logs, I saw that one IP is accessing my dummy on both of my honeypots, which is at least a bit strange. In addition to that, the IP only accessed this dummy.
BEGIN OF MONGODB DATA:
2015-07-31 18:09:04
Source IP: 89.248.167.159
Country: NL RiskScore: 8.6 Malware: []
:▒▒zr▒admin.$cmd▒▒▒▒ismaster
END OF DATA
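The captured line is a raw MongoDB wire-protocol message printed with its non-printable bytes blanked out. The readable fragments already tell the story: the namespace is admin.$cmd and the command is ismaster, which is the first thing every MongoDB driver sends and also what a mass scanner uses to fingerprint an open server. The leading ':' is 0x3a = 58, which is exactly the length of a legacy OP_QUERY carrying {ismaster: 1} on admin.$cmd. Below is an added example (my own code, not part of the original post, the honeypot, or any MongoDB tool) that builds such a message from constructed data, parses it back into header, namespace and BSON query, and classifies it. The request id 0x727A was chosen only to reproduce the 'zr' bytes seen in the log; the RECON_COMMANDS list is my own choice of fingerprinting commands, not an official category.

```python
import struct

OP_QUERY = 2004  # legacy opcode; queries against '<db>.$cmd' carry commands such as ismaster

# Commands a client sends before doing anything else, or that a scanner uses to fingerprint
# a server. This list is an assumption made for this example, not an official MongoDB category.
RECON_COMMANDS = {"ismaster", "hello", "buildinfo", "listdatabases", "serverstatus"}


def encode_bson(doc):
    """Encode a dict with bool / int32 / str / nested-dict values as a BSON document."""
    body = b""
    for key, value in doc.items():
        k = key.encode() + b"\x00"
        if isinstance(value, bool):              # bool before int: bool is an int subclass
            body += b"\x08" + k + (b"\x01" if value else b"\x00")
        elif isinstance(value, int):
            body += b"\x10" + k + struct.pack("<i", value)
        elif isinstance(value, str):
            s = value.encode() + b"\x00"
            body += b"\x02" + k + struct.pack("<i", len(s)) + s
        elif isinstance(value, dict):
            body += b"\x03" + k + encode_bson(value)
        else:
            raise TypeError("unsupported value type %r" % type(value))
    body += b"\x00"                              # document terminator
    return struct.pack("<i", len(body) + 4) + body


def decode_bson(buf, offset=0):
    """Decode one BSON document at buf[offset:]; returns (dict, bytes consumed)."""
    (total,) = struct.unpack_from("<i", buf, offset)
    end = offset + total
    if total < 5 or end > len(buf) or buf[end - 1] != 0:
        raise ValueError("malformed BSON document")
    pos, doc = offset + 4, {}
    while pos < end - 1:
        etype = buf[pos]
        name_end = buf.index(b"\x00", pos + 1)
        key = buf[pos + 1:name_end].decode()
        pos = name_end + 1
        if etype == 0x10:                        # int32
            (val,) = struct.unpack_from("<i", buf, pos); pos += 4
        elif etype == 0x12:                      # int64
            (val,) = struct.unpack_from("<q", buf, pos); pos += 8
        elif etype == 0x01:                      # double
            (val,) = struct.unpack_from("<d", buf, pos); pos += 8
        elif etype == 0x08:                      # boolean
            val = buf[pos] == 1; pos += 1
        elif etype == 0x02:                      # UTF-8 string, length-prefixed and NUL-terminated
            (slen,) = struct.unpack_from("<i", buf, pos); pos += 4
            val = buf[pos:pos + slen - 1].decode(); pos += slen
        elif etype == 0x03:                      # embedded document
            val, used = decode_bson(buf, pos); pos += used
        else:
            raise ValueError("unsupported BSON element type 0x%02x" % etype)
        doc[key] = val
    return doc, total


def build_op_query(collection, query, request_id=0x727A):
    """Build a legacy OP_QUERY message (constructed sample traffic for this example)."""
    body = (struct.pack("<i", 0)                       # flags
            + collection.encode() + b"\x00"            # fullCollectionName
            + struct.pack("<ii", 0, -1)                # numberToSkip, numberToReturn
            + encode_bson(query))
    header = struct.pack("<iiii", 16 + len(body), request_id, 0, OP_QUERY)
    return header + body


def parse_message(raw):
    """Parse one wire message; for OP_QUERY also return namespace and decoded query."""
    if len(raw) < 16:
        raise ValueError("truncated header")
    length, request_id, response_to, opcode = struct.unpack_from("<iiii", raw, 0)
    if length != len(raw):
        raise ValueError("length field %d does not match %d bytes captured" % (length, len(raw)))
    parsed = {"opcode": opcode, "request_id": request_id}
    if opcode != OP_QUERY:
        return parsed
    (flags,) = struct.unpack_from("<i", raw, 16)
    name_end = raw.index(b"\x00", 20)
    pos = name_end + 1
    skip, limit = struct.unpack_from("<ii", raw, pos)
    query, _ = decode_bson(raw, pos + 8)
    parsed.update(flags=flags, collection=raw[20:name_end].decode(),
                  skip=skip, limit=limit, query=query)
    return parsed


def classify(parsed):
    """'handshake' for fingerprint commands on a .$cmd namespace, 'command' for other commands, 'query' otherwise."""
    if parsed.get("opcode") != OP_QUERY:
        return "other"
    if parsed["collection"].endswith(".$cmd") and parsed["query"]:
        first_key = next(iter(parsed["query"])).lower()
        return "handshake" if first_key in RECON_COMMANDS else "command"
    return "query"


def printable(raw):
    """Render bytes the way a naive honeypot log does: non-printable bytes become a block."""
    return "".join(chr(b) if 32 <= b < 127 else "▒" for b in raw)


if __name__ == "__main__":
    sample = build_op_query("admin.$cmd", {"ismaster": 1})   # constructed, 58 bytes, starts with ':'
    print(printable(sample))
    print(parse_message(sample), classify(parse_message(sample)))
```

Running the block prints a line with the same readable fragments as the honeypot record (':' ... 'zr' ... 'admin.$cmd' ... 'ismaster'); the honeypot evidently collapsed or dropped the NUL bytes, so the block counts differ. The useful check for triage is the classification: an ismaster on admin.$cmd and nothing else afterwards is a fingerprint probe, and it is worth keeping the parsed query rather than the raw bytes in the log so that a later command (listDatabases, find, dropDatabase) stands out from the noise of handshakes.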
According to IBM X-Force data this IP address is known to perform scanning activity:
"geo": {
"country": "Netherlands",
"countrycode": "NL"
},
"ip": "89.248.167.159",
"reason": "Firewall deny log analysis",
"reasonDescription": "This IP was involved in port scanning activities.",
"score": 8.6,
"subnets": [
{
"categoryDescriptions": {},
"cats": {},
"created": "2012-03-22T07:26:00.000Z",
"geo": {
"country": "Netherlands",
"countrycode": "NL"
},