60 day Honeypot update

Steve Gathof
5 min readOct 17, 2018

Disclaimer: This post may be a little long for some. Additionally, the observed scanning traffic represents the “noise floor” for the AWS US West region and should not be interpreted as the standard for all AWS regions and zones, or any other IP space for that matter.

TL; DR Scanning traffic has been fairly consistent within the last 60 days. Chinese and Russian based IP’s account for the majority of traffic to the honeypot and account for 4 of the top 5 IP’s. Increases in scanner traffic activity have been observed following news reporting on potentially vulnerable ports/services. With these observations in mind, we want to use these increases against ports/services to potentially identify new vulnerabilities, before they have been publicly announced.

With summer ending and updates on our honeypot becoming a regular thing again, I wanted to provide an update on the last 60 days of data we’ve collected. Additionally, in close collaboration with GreyNoise, we now have additional insights into these scanners’ behaviors and can corroborate or disprove our observations.

The reason for the additional data source is that we have a single honeypot, on a single provider and in a specific region and that limits our visibility into global scanning trends and behaviors. GN on the other hand, has orders of magnitude more honeypots and data, and he’s a great guy too! So please, go check out GreyNoise and see what they’re all about. Thanks Andrew!

Data Time!

Connection attempts and unique IP’s:
25,574,717 attempts from 61,520 unique IP’s. This is the overall # of hits the honeypot has observed, since August 2nd, 2018. If you read my tutorial on installing a honeypot on AWS, you’ll recall that this honeypot is located on an AWS server in the US West Region and as a result, sees a decent amount of traffic This is largely due to the popularity of AWS IP space as a scanning target. Countless researchers and miscreants scan AWS IP ranges for easy targets and that’s the reason we chose it for our honeypot deployment.

For comparison sake, GreyNoise’s global network of honeypots observed 2,918,859 unique scanning IP’s during the same time frame.

Top 5 IP’s and the targeted ports/service:
The data presented below is the primary reason we started this project and it’s providing exactly what we were looking for. Who scans for what and (potentially) why! After reviewing the data though, the expectation was that we would have seen more scans against vanilla SSH, RDP and Telnet plus many more but, by count, these are the most popular.

Connection attempts: 183,605
Targeted Port: 2222
Honeypot: Cowrie
* A Chinese IP belonging to ASN-AS134764.
* GreyNoise characterizes this IP as an SSH scanner/worm and it’s been active since at least August of 2018.
*Port 2222 has many possible uses, however, one of the more popular targets would be alternative SSH installs like OpenSSH. Chinese bots are well known for scanning for SSH ports and it is assessed with high confidence that this is the primary goal.

Connection attempts: 179,691
Targeted Ports: 25, 80, 1080, 3128, 8082
Honeypots: Honeytrap, Dionaea and Cowrie.
* A Russian IP belonging to ASN-AS44050
* GreyNoise characterizes the IP as an SSH, RDP, Telnet and everything else scanner, active since July of 2018.
* This IP scanned several ports, among various honeypots and has a preference for ports 25 and 80. After examining the data, it is assessed with moderate confidence that this IP is scanning for open mail relays and vulnerable web apps which it can exploit to load PHP shells.

Connection attempts: 134,143
Targeted Port: 2222
Honeypot: Cowrie
* Chinese based IP belonging to ASN-AS4134.
* GreyNoise characterizes this IP as an SSH scanner/worm and has been active since July of 2018.
* As with the #1 result, the assessment is that this scanner is targeting alternative SSH installs.

Connection attempts: 119,761
Targeted Port(s): 5038, 8000, 7070, 7000, 5000
Honeypot: Honeytrap
* This is a French based IP belonging to ASN-AS16276 and unlike the other IP’s in this list, this IP doesn’t have nearly as many derogatory mentions in Threat Intel sources.
* GreyNoise has yet to observe this IP, so they were unable to provide additional context on its behavior.
* Although there are several services which run on the ports listed above, some of the more popular include Splunk’s Web interface, UPnP, AFS Fileserver and Android Debug Bridge. We are highly confident that the traffic directed towards port 5038 was attempting connections on Android phones. Analysis of the hash files, identified in the payloads show up in Virus Total as Android specific.

Connection attempts: 95,706
Targeted Port: 5900
Honeypot: VNC-lowpot
* This is another Chinese IP belonging to ASN-AS4134
* GreyNoise identifies the IP as a VNC scanner and it has been active since April of 2018.
* Analysis of the traffic sent by this IP, confirms the scanner is looking for VNC installs, like RealVNC viewer.

Scans and Vulnerability announcements!!
As previously mentioned, it’s possible to use the data we observe in our honeypots to potentially predict new vulnerability announcements as well as observing the time between those announcements and subsequent scans.

Android Debug Bridge and port 5555
Earlier this year, the Hide and Seek botnet began scanning for vulnerable Android devices with the wireless debugging feature enabled on port 5555. By default, Android has this option turned off, but some device makers enable it in the production stage to customize the operating system for their products. As a result, the manufacturers unintentionally expose these devices to external risk.

On September 26th, 2018 researchers and news outlets distributed reports of the botnet’s activity and the risk associated with port 5555. As a result, global scanning activity increased to identify vulnerable devices. Honeypot analysis of the 60-day time period around the news announcements(-45 days to +15 days after) shows a 100% rise in scanning activity against port 5555 starting September 16th, as opposed to the time period preceding it.

For those keeping score, that’s 10 days preceding the news announcement! We learned of the vulnerability announcement, as many others did, on September 26th. Now, if we had enabled alerting for port scan increases, we could have seen this change in near real time and done some analysis to identify what the scanners were attempting to exploit/find. This type of alerting is currently not implemented and we’re working to enable it. As a side note, GreyNoise already uses this method to observe deviations in scanning activity and has been a huge help in identifying best practices.

Thanks for reading and stay tuned for monthly updates and tweets from our team!