My Web Honeypot reach the first year, so i decide to write a sumary with some statistics.
Some informations about this Web Honeypot.
The address : https://www.malekal.com/modsec/
The attacks detections are made by modsecyrity module, all the attacks are grabed and injected in a database.
The IPs are blacklisted for one hour.
Table des matières
So, from 2014-09-13 to 2014-09-13 we got a total of 21516 attacks and :
- 10262 WordPress Bruteforce attacks
- 1405 WordPress TimThumb Attacks
- 2132 Joomla JCE Attacks
- 5401 Spam attacks – and it miss a lot
First surprise, my website is a WordPress and i got more Joomla Attacks than WordPress TimThumb.
Not so much ShellShock scan.
Not mentionned but also 52 PHP exploits attacks used to spread BossaBot sometimes ago.
CHINANET is far to be the first netname as the source and the second is OVH.
OVH moved after the Nuclear Pack story and some tweets.
We can see a decrease around february 2014.
Most of the Spam attacks are spam comments on my WordPress.
China is far to be the first source with 73.6% : https://www.malekal.com/modsec/graph_categories.php?t=1&a=spam
The second is Ukrainia 16.4%
As you can see, CHINANET-FJ is the first netname with 56.9%, the second netname is UNICOM-FJ6PUTIAN-MAN (15,7%)
Blocking this netname will probably reduce the spam on your blog.
Screenshot of the attacks from CHINANET-FJ (the last increase is du to a better spam detection). Around 60 attempts per day.
WordPress Timthumb and JCE Joomla
Theses vulnerabilities are exploited to upload PHP Shell or form Upload.
A WordPress Thimthumb attempt : https://www.malekal.com/modsec/index.php?ip=126.96.36.199#305934 – remote URL is flickr.com.hotelkouris.gr/xp.php and lead to a PHP Shell :
or https://www.malekal.com/modsec/index.php?ip=188.8.131.52#305945 that upload a form upload
on the hackers side, there a a lot of bots availaible in some IRCd to scan for website and exploit severals vulnerabilities.
Example of availaible commands for some bots.
Notice that the bots dont have Shellshock scan.
Magento Shop Exploit
As you can see, most of the attempts are blind and use websearch dork to reach websites.
That can explain why i got more JCE attempt than WordPress, depend of the dork use.
Also a website with a great rank will probably get more attempt that others.
You can find a script of theses bot on this link : http://pjjoint.malekal.com/files.php?read=20141016_k8m6t10y9h6
Most of theses group selling mailer, shell etc, probably from hacked website.
I came accross a crew that seems to be very active, they call them BlackUnix Crew.
They got some bots to exploit :
DDoS stuffs :
Cardings stuffs :
of course, they are more professionnal and discreet group that hit websites depending of extension/CMS etc.