|
|
Analysis Tech Art Repositories | |||||||
Mon Dec 19 11:56:34 2022
(all are still regularly updated as of roughly the above date; I apologize for any organizational issues and the raw nature of this data, there's a lot to manage and a lot coming in while still trying to analyze manually to a certain degree while monitoring services; I also have a disorganized mess of a mind)
https://bcable.net/analysis-ukr-prelim.html
https://bcable.net/analysis-ukr-graphs.html
https://bcable.net/analysis-ukr-indicators.html
https://bcable.net/analysis-ukr-ru_map_sessions.html
https://bcable.net/analysis-ukr-cn_map_sessions.html
https://bcable.net/analysis-ukr-miori_fail.html
https://bcable.net/analysis-ukr-botnet_perl.html
https://bcable.net/analysis-ukr-ddos_gh0st.html
https://bcable.net/analysis-ukr-indicators_2023.html
https://bcable.net/analysis-ukr-crew_001.html
https://bcable.net/analysis-ukr-inventory_attack.html
https://bcable.net/analysis-ukr-crew_002.html
library(RSQLite)
library(Rwhois)
library(Rrdap)
library(rgeolocate)
library(ggplot2)
library(RColorBrewer)
library(RcppCCTZ)
https://bcable.net/x/Rproj/shared
source("shared/country_code_cleanup.R")
source("shared/geoip.R")
source("shared/world_mapper.R")
source("shared/themes.R")
countries <- read.csv("shared/countries.csv")
For various protections:
source("redacted/env.R")
plot_colors <- c(
RColorBrewer::brewer.pal(12, "Paired"),
RColorBrewer::brewer.pal(8, "Dark2")
)
get_yloc <- function(df, ycol, xcol){
yloc <- max(aggregate(
formula(paste0(ycol, " ~ ", xcol)), data=df, FUN=sum
)[[ycol]])
}
anot_rect <- function(g, df, ycol, xcol){
yloc <- get_yloc(df, ycol, xcol)
g +
geom_rect(
xmin=5.5, xmax=7.5, ymin=-100, ymax=yloc+1000, fill="#E0FFE0",
inherit.aes=FALSE
) +
geom_rect(
xmin=36.5, xmax=42.5, ymin=-100, ymax=yloc+1000, fill="#E0E0FF",
inherit.aes=FALSE
) +
geom_rect(
xmin=65.5, xmax=70.5, ymin=-100, ymax=yloc+1000, fill="#E0E0FF",
inherit.aes=FALSE
) +
geom_rect(
xmin=85.5, xmax=86.5, ymin=-100, ymax=yloc+1000, fill="#E0FFE0",
inherit.aes=FALSE
) +
geom_rect(
xmin=107.5, xmax=109.5, ymin=-100, ymax=yloc+1000, fill="#E0FFE0",
inherit.aes=FALSE
) +
geom_rect(
xmin=125.5, xmax=126.5, ymin=-100, ymax=yloc+1000, fill="#E0FFE0",
inherit.aes=FALSE
) +
geom_rect(
xmin=138.5, xmax=141.5, ymin=-100, ymax=yloc+1000, fill="#E0FFE0",
inherit.aes=FALSE
) +
geom_rect(
xmin=153.5, xmax=155.5, ymin=-100, ymax=yloc+1000, fill="#E0FFE0",
inherit.aes=FALSE
) +
geom_rect(
xmin=163.5, xmax=167.5, ymin=-100, ymax=yloc+1000, fill="#E0FFE0",
inherit.aes=FALSE
) +
geom_rect(
xmin=193.5, xmax=194.5, ymin=-100, ymax=yloc+1000, fill="#E0FFE0",
inherit.aes=FALSE
)
}
get_date_labs <- function(df, date_col){
date_levels <- as.vector(as.character(
levels(as.factor(as.character(df[[date_col]])))
))
min_date <- min(date_levels)
max_date <- max(date_levels)
#xlabs <- NULL
#cur_date <- NULL
#date_counter <- as.POSIXlt(paste0(min_date, "T12:00:00"))
#max_posixlt <- as.POSIXlt(max_date)
#while(date_counter < max_posixlt){
#cur_date <- strftime(date_counter, "%Y-%m-%d")
#date_counter <- date_counter + (60*60*24)
#xlabs <- c(xlabs, cur_date)
#}
#date_levels <- xlabs
xlabs <- substr(date_levels, 1, 7)
xlabs[substr(date_levels, 8, 11) != "-01"] <- ""
xlabs[1] <- min_date
xlabs[length(xlabs)] <- max_date
#xlabs[length(xlabs)-1] <- date_levels[length(date_levels)-1]
list(date_levels, xlabs)
}
annotations <- function(g, df, ycol, xcol){
yloc <- get_yloc(df, ycol, xcol)
ret <- get_date_labs(df, xcol)
date_levels <- ret[[1]]
xlabs <- ret[[2]]
g +
geom_vline(xintercept=3.5, color="darkred", size=2) +
scale_x_discrete(breaks=date_levels, labels=xlabs) +
annotate("text",
x=2.90, y=yloc, hjust=1, size=5, angle=90,
label="CO.UA DNS A Record Updated"
) +
annotate("text",
x=6, y=yloc, hjust=1, size=4, angle=90,
label="Data Collection Failure (SysAdmin Error: Dionaea Daemon)"
) +
annotate("text",
x=37, y=yloc, hjust=1, size=4, angle=90,
label="Data Collection Failure (SysAdmin Error: Cowrie Daemon)"
) +
annotate("text",
x=66, y=yloc, hjust=1, size=4, angle=90,
label="Data Collection Failure (SysAdmin Error: Cowrie Daemon)"
) +
annotate("text",
x=86, y=yloc, hjust=1, size=4, angle=90,
label="Data Collection Failure (Daemon Crash: Dionaea Daemon)"
) +
annotate("text",
x=108, y=yloc, hjust=1, size=4, angle=90,
label="Data Collection Failure (Daemon Crash: Dionaea Daemon)"
) +
annotate("text",
x=126, y=yloc, hjust=1, size=4, angle=90,
label="Data Collection Failure (Daemon Crash: Dionaea Daemon)"
) +
annotate("text",
x=139, y=yloc, hjust=1, size=4, angle=90,
label="Data Collection Failure (Daemon Crash: Dionaea Daemon)"
) +
annotate("text",
x=154, y=yloc, hjust=1, size=4, angle=90,
label="Data Collection Failure (Daemon Crash: Dionaea Daemon)"
) +
annotate("text",
x=164, y=yloc, hjust=1, size=4, angle=90,
label="Data Collection Failure (Daemon Crash: Dionaea Daemon)"
) +
annotate("text",
x=193, y=yloc, hjust=1, size=4, angle=90,
label="Data Collection Failure (SysAdmin Error: Dionaea Daemon)"
)
}
payload_annotations <- function(g, df, ycol, xcol){
yloc <- get_yloc(df, ycol, xcol)
annotations(g, df, ycol, xcol)
# annotate("text",
# x=37, y=yloc, hjust=1, size=5, angle=90,
# label="Hosting Provider Blocked SMB Traffic 2022-03-12"
# ) + theme_simple()
}
theme_honeypot <- function(){
theme_simple() %+replace% theme(
axis.text.x = element_text(angle=90, size=12)
)
}
cowrie_auth <- NULL
cowrie_clients <- NULL
cowrie_downloads <- NULL
cowrie_keyfingerprints <- NULL
cowrie_sessions <- NULL
cowrie_ttylog <- NULL
dionaea_connections <- NULL
dionaea_downloads <- NULL
dionaea_logins <- NULL
dionaea_mssql_commands <- NULL
dionaea_mssql_fingerprints <- NULL
dionaea_mysql_commands <- NULL
dionaea_mysql_commands <- NULL
dionaea_mysql_command_args <- NULL
dionaea_mysql_command_ops <- NULL
dionaea_sip_addrs <- NULL
sip_attack_20220307 <- NULL
sip_attack_20220321 <- NULL
payinvst_cnt_74.62.127.47 <- NULL
payinvst_urls_74.62.127.47 <- NULL
payinvst_cnt_20220618 <- NULL
cowrie_sqlite_files <- c(
"cowrie-20220409-004639-rebuild.sqlite",
"cowrie-20220523-145223-rebuild.sqlite",
"cowrie-20220619-201225-rebuild.sqlite",
"cowrie-20220901-231355-rebuild.sqlite",
"cowrie-20220923-135433-rebuild.sqlite",
"cowrie-20221217-122443-rebuild.sqlite"
)
#cowrie_sqlite_files <- c(cowrie_sqlite_files, "cowrie-latest.sqlite")
dionaea_sqlite_files <- c(
"dionaea-20220409-004639-rebuild.sqlite",
"dionaea-20220523-145223-rebuild.sqlite",
"dionaea-20220619-201225-rebuild.sqlite",
"dionaea-20220901-231355-rebuild.sqlite",
"dionaea-20220923-135433-rebuild.sqlite",
"dionaea-20221217-122443-rebuild.sqlite"
)
#dionaea_sqlite_files <- c(dionaea_sqlite_files, "dionaea-latest.sqlite")
populate_col <- function(ret, col, val){
if(is.data.frame(ret) && nrow(ret) > 0){
ret[[col]] <- val
}
ret
}
for(cowrie_sqlite_file in cowrie_sqlite_files){
cowrie_con <- RSQLite::dbConnect(RSQLite::SQLite(),
paste0(path_cowrie, "/", cowrie_sqlite_file)
)
tryCatch({
ret <- RSQLite::dbReadTable(cowrie_con, "auth")
ret <- populate_col(ret, "filename", cowrie_sqlite_file)
cowrie_auth <- rbind(cowrie_auth, ret)
})
tryCatch({
ret <- RSQLite::dbReadTable(cowrie_con, "clients")
ret <- populate_col(ret, "filename", cowrie_sqlite_file)
cowrie_clients <- rbind(cowrie_clients, ret)
})
tryCatch({
ret <- RSQLite::dbReadTable(cowrie_con, "downloads")
ret <- populate_col(ret, "filename", cowrie_sqlite_file)
cowrie_downloads <- rbind(cowrie_downloads, ret)
})
tryCatch({
ret <- RSQLite::dbReadTable(cowrie_con, "keyfingerprints")
ret <- populate_col(ret, "filename", cowrie_sqlite_file)
cowrie_keyfingerprints <- rbind(cowrie_keyfingerprints, ret)
})
tryCatch({
ret <- RSQLite::dbReadTable(cowrie_con, "sessions")
ret <- populate_col(ret, "filename", cowrie_sqlite_file)
cowrie_sessions <- rbind(cowrie_sessions, ret)
})
tryCatch({
ret <- RSQLite::dbReadTable(cowrie_con, "ttylog")
ret <- populate_col(ret, "filename", cowrie_sqlite_file)
cowrie_ttylog <- rbind(cowrie_ttylog, ret)
})
RSQLite::dbDisconnect(cowrie_con)
}
for(dionaea_sqlite_file in dionaea_sqlite_files){
dionaea_con <- RSQLite::dbConnect(RSQLite::SQLite(),
paste0(path_dionaea, "/", dionaea_sqlite_file)
)
tryCatch({
ret <- RSQLite::dbReadTable(dionaea_con, "connections")
ret <- populate_col(ret, "filename", dionaea_sqlite_file)
dionaea_connections <- rbind(dionaea_connections, ret)
})
tryCatch({
ret <- RSQLite::dbReadTable(dionaea_con, "downloads")
ret <- populate_col(ret, "filename", dionaea_sqlite_file)
dionaea_downloads <- rbind(dionaea_downloads, ret)
})
tryCatch({
ret <- RSQLite::dbReadTable(dionaea_con, "logins")
ret <- populate_col(ret, "filename", dionaea_sqlite_file)
dionaea_logins <- rbind(dionaea_logins, ret)
})
tryCatch({
ret <- RSQLite::dbReadTable(dionaea_con, "mssql_commands")
ret <- populate_col(ret, "filename", dionaea_sqlite_file)
ret <- populate_col(ret, "mssql_command_cmd", NULL)
dionaea_mssql_commands <- rbind(dionaea_mssql_commands, ret)
})
tryCatch({
ret <- RSQLite::dbReadTable(dionaea_con, "mssql_fingerprints")
ret <- populate_col(ret, "filename", dionaea_sqlite_file)
dionaea_mssql_fingerprints <- rbind(dionaea_mssql_fingerprints, ret)
})
tryCatch({
ret <- RSQLite::dbReadTable(dionaea_con, "mysql_commands")
ret <- populate_col(ret, "filename", dionaea_sqlite_file)
dionaea_mysql_commands <- rbind( dionaea_mysql_commands, ret)
})
tryCatch({
ret <- RSQLite::dbReadTable(dionaea_con, "mysql_command_args")
ret <- populate_col(ret, "filename", dionaea_sqlite_file)
dionaea_mysql_command_args <- rbind(dionaea_mysql_command_args, ret)
})
tryCatch({
ret <- RSQLite::dbReadTable(dionaea_con, "mysql_command_ops")
ret <- populate_col(ret, "filename", dionaea_sqlite_file)
dionaea_mysql_command_ops <- rbind(dionaea_mysql_command_ops, ret)
})
tryCatch({
ret <- RSQLite::dbReadTable(dionaea_con, "sip_addrs")
ret <- populate_col(ret, "filename", dionaea_sqlite_file)
dionaea_sip_addrs <- rbind(dionaea_sip_addrs, ret)
})
rs <- RSQLite::dbSendQuery(dionaea_con, "
SELECT * FROM (
SELECT COUNT(*) AS cnt, remote_host FROM connections
WHERE connection_protocol='SipSession' AND
connection_timestamp > 1646686800 AND
connection_timestamp < 1647546732
GROUP BY remote_host
) WHERE cnt > 100 ORDER BY cnt DESC
")
tryCatch({
ret <- RSQLite::dbFetch(rs)
sip_attack_20220307 <- rbind(sip_attack_20220307, ret)
})
RSQLite::dbClearResult(rs)
rs <- RSQLite::dbSendQuery(dionaea_con, "
SELECT * FROM (
SELECT COUNT(*) AS cnt, remote_host FROM connections
WHERE connection_protocol='SipSession' AND
connection_timestamp > 1647770400 AND
connection_timestamp < 1648375200
GROUP BY remote_host
) WHERE cnt > 100 ORDER BY cnt DESC
")
tryCatch({
ret <- RSQLite::dbFetch(rs)
sip_attack_20220321 <- rbind(sip_attack_20220321, ret)
})
RSQLite::dbClearResult(rs)
rs <- RSQLite::dbSendQuery(dionaea_con, "
SELECT * FROM (
SELECT COUNT(*) AS cnt, download_md5_hash FROM downloads
JOIN connections
WHERE remote_host='74.62.127.47'
GROUP BY download_md5_hash
) ORDER BY cnt DESC
")
tryCatch({
ret <- RSQLite::dbFetch(rs)
payinvst_cnt_74.62.127.47 <- rbind(payinvst_cnt_74.62.127.47, ret)
})
RSQLite::dbClearResult(rs)
rs <- RSQLite::dbSendQuery(dionaea_con, "
SELECT * FROM (
SELECT COUNT(*) AS cnt, remote_host FROM connections
WHERE
connection_timestamp > 1655442000 AND
connection_timestamp < 1655701200
GROUP BY remote_host
) ORDER BY cnt DESC
")
tryCatch({
ret <- RSQLite::dbFetch(rs)
payinvst_cnt_20220618 <- rbind(payinvst_cnt_20220618, ret)
})
RSQLite::dbClearResult(rs)
rs <- RSQLite::dbSendQuery(dionaea_con, "
SELECT * FROM (
SELECT COUNT(*) AS cnt, download_url FROM downloads
JOIN connections
WHERE remote_host='74.62.127.47'
GROUP BY download_url
) ORDER BY cnt DESC
")
tryCatch({
ret <- RSQLite::dbFetch(rs)
payinvst_urls_74.62.127.47 <- rbind(payinvst_urls_74.62.127.47, ret)
})
RSQLite::dbClearResult(rs)
RSQLite::dbDisconnect(dionaea_con)
}
## Warning in result_fetch(res@ptr, n = n): Column `login_username`: mixed type,
## first seen values of type string, coercing other values of type blob
## Warning in result_fetch(res@ptr, n = n): Column `login_username`: mixed type,
## first seen values of type string, coercing other values of type blob
## Warning in result_fetch(res@ptr, n = n): Column `login_username`: mixed type,
## first seen values of type string, coercing other values of type blob
## Warning in result_fetch(res@ptr, n = n): Column `login_username`: mixed type,
## first seen values of type string, coercing other values of type blob
## Warning in result_fetch(res@ptr, n = n): Column `login_username`: mixed type,
## first seen values of type string, coercing other values of type blob
## Warning in result_fetch(res@ptr, n = n): Column `login_username`: mixed type,
## first seen values of type string, coercing other values of type blob
clamscan_hashes <- read.csv("clamscan_hashes.csv")
cowrie_sessions$Connection.Start <- strptime(
cowrie_sessions$starttime, format="%Y-%m-%dT%H:%M:%S"
)
cowrie_sessions$Connection.End <- strptime(
cowrie_sessions$endtime, format="%Y-%m-%dT%H:%M:%S"
)
dionaea_connections$Connection.Timestamp <- strptime(
dionaea_connections$connection_timestamp, format="%s"
)
# March 1st, 2022
#filter_date <- 1646114400
# April 1st, 2022
#filter_date <- 1648789200
# May 1st, 2022
#filter_date <- 1651381200
# June 1st, 2022
#filter_date <- 1654059600
# July 1st, 2022
#filter_date <- 1656651600
# August 1st, 2022
#filter_date <- 1659330000
# 2999-12-31
filter_date <- 32503615200
if(!file.exists("cowrie_sessions_geo.csv")){
cowrie_sessions_geo <- geoiporg_df(cowrie_sessions[
cowrie_sessions$Connection.Start < filter_date,
], "ip")
#cowrie_sessions_geo <- geoip_df(cowrie_sessions, "ip")
write.csv(cowrie_sessions_geo, "cowrie_sessions_geo.csv", row.names=FALSE)
} else {
cowrie_sessions_geo <- read.csv("cowrie_sessions_geo.csv")
if(!file.exists("cowrie_sessions_geo_new.csv")){
cowrie_sessions_new <- cowrie_sessions[
!(cowrie_sessions$ip %in% cowrie_sessions_geo$ip) &
cowrie_sessions$Connection.Start < filter_date,
]
cowrie_new_geo <- geoiporg_df(cowrie_sessions_new, "ip")
cowrie_sessions_geo <- rbind(cowrie_sessions_geo, cowrie_new_geo)
write.csv(cowrie_sessions_geo,
"cowrie_sessions_geo_new.csv", row.names=FALSE
)
}
}
if(!file.exists("dionaea_connections_geo.csv")){
dionaea_connections_geo <- geoiporg_df(dionaea_connections[
dionaea_connections$Connection.Timestamp < filter_date,
], "remote_host")
#dionaea_connections_geo <- geoip_df(dionaea_connections, "remote_host")
write.csv(dionaea_connections_geo,
"dionaea_connections_geo.csv", row.names=FALSE
)
} else {
dionaea_connections_geo <- read.csv("dionaea_connections_geo.csv")
if(!file.exists("dionaea_connections_geo_new.csv")){
#dionaea_connections_new <- head(dionaea_connections[
# !(
# dionaea_connections$remote_host %in%
# dionaea_connections_geo$remote_host
# ) &
# dionaea_connections$Connection.Timestamp < filter_date,
#], n=20000)
dionaea_connections_new <- dionaea_connections[
!(
dionaea_connections$remote_host %in%
dionaea_connections_geo$remote_host
) &
dionaea_connections$Connection.Timestamp < filter_date,
]
dionaea_new_geo <- geoiporg_df(dionaea_connections_new, "remote_host")
dionaea_connections_geo <- rbind(
dionaea_connections_geo, dionaea_new_geo
)
write.csv(dionaea_connections_geo,
"dionaea_connections_geo_new.csv", row.names=FALSE
)
}
}
cowrie_sessions <- merge(
cowrie_sessions, cowrie_sessions_geo, by="ip"
)
dionaea_connections <- merge(
dionaea_connections, dionaea_connections_geo, by="remote_host"
)
cowrie_payloads <- merge(
cowrie_downloads, cowrie_sessions,
by.x=c("session", "filename"), by.y=c("id", "filename")
)
dionaea_payloads <- merge(
dionaea_downloads, dionaea_connections,
by=c("connection", "filename")
)
unified_dataset_cowrie <- data.frame(
Connection.Start=cowrie_sessions$Connection.Start,
Connection.End=cowrie_sessions$Connection.End,
Remote.Host=cowrie_sessions$ip,
Transport.Protocol=rep("tcp", nrow(cowrie_sessions)),
Local.Port=rep(22, nrow(cowrie_sessions)),
Remote.Port=rep(NA, nrow(cowrie_sessions)),
Country.Code=toupper(cowrie_sessions$Country.Code)
)
unified_dataset_dionaea <- data.frame(
Connection.Start=dionaea_connections$Connection.Timestamp,
Connection.End=rep(NA, nrow(dionaea_connections)),
Remote.Host=dionaea_connections$remote_host,
Transport.Protocol=dionaea_connections$connection_transport,
Local.Port=dionaea_connections$local_port,
Remote.Port=dionaea_connections$remote_port,
Country.Code=toupper(dionaea_connections$Country.Code)
)
unified_dataset <- rbind(unified_dataset_cowrie, unified_dataset_dionaea)
unified_dataset <- merge(unified_dataset, countries, by="Country.Code")
unified_dataset$Local.Port <- as.factor(unified_dataset$Local.Port)
unified_dataset$Connection.Start.NoTime <- as.factor(strptime(
strftime(toTz(
unified_dataset$Connection.Start, "America/Chicago", "Europe/Kiev"
), "%Y-%m-%d", tz="EET"),
format="%Y-%m-%d", tz="EET"
))
unified_payloads_cowrie <- data.frame(
Connection.Start=cowrie_payloads$Connection.Start,
Connection.End=cowrie_payloads$Connection.End,
Remote.Host=cowrie_payloads$ip,
Transport.Protocol=rep("tcp", nrow(cowrie_payloads)),
Local.Port=rep(22, nrow(cowrie_payloads)),
Remote.Port=rep(NA, nrow(cowrie_payloads)),
Country.Code=toupper(cowrie_payloads$Country.Code)
)
unified_payloads_dionaea <- data.frame(
Connection.Start=dionaea_payloads$Connection.Timestamp,
Connection.End=rep(NA, nrow(dionaea_payloads)),
Remote.Host=dionaea_payloads$remote_host,
Transport.Protocol=dionaea_payloads$connection_transport,
Local.Port=dionaea_payloads$local_port,
Remote.Port=dionaea_payloads$remote_port,
Country.Code=toupper(dionaea_payloads$Country.Code)
)
unified_payloads <- rbind(unified_payloads_cowrie, unified_payloads_dionaea)
unified_payloads <- merge(unified_payloads, countries, by="Country.Code")
unified_payloads$Local.Port <- as.factor(unified_payloads$Local.Port)
unified_payloads$Connection.Start.NoTime <- as.factor(strptime(
strftime(toTz(
unified_payloads$Connection.Start, "America/Chicago", "Europe/Kiev"
), "%Y-%m-%d", tz="EET"),
format="%Y-%m-%d", tz="EET"
))
maxdate_dataset <- max(as.character(unified_dataset$Connection.Start.NoTime))
maxdate_payloads <- max(as.character(unified_payloads$Connection.Start.NoTime))
unified_dataset <- unified_dataset[
unified_dataset$Connection.Start.NoTime != maxdate_dataset,
]
unified_payloads <- unified_payloads[
unified_payloads$Connection.Start.NoTime != maxdate_payloads,
]
unified_dataset_cowrie$Count <- rep(1, nrow(unified_dataset_cowrie))
unified_dataset_dionaea$Count <- rep(1, nrow(unified_dataset_dionaea))
unified_dataset$Count <- rep(1, nrow(unified_dataset))
unified_payloads$Count <- rep(1, nrow(unified_payloads))
ret <- get_date_labs(unified_dataset, "Connection.Start.NoTime")
date_levels <- ret[[1]]
xlabs <- ret[[2]]
tmp_ds_date_frame <- data.frame(Connection.Start.NoTime=date_levels)
ret <- get_date_labs(unified_payloads, "Connection.Start.NoTime")
date_levels <- ret[[1]]
xlabs <- ret[[2]]
tmp_pay_date_frame <- data.frame(Connection.Start.NoTime=date_levels)
ports_table <- table(unified_dataset$Local.Port)
country_table <- table(unified_dataset$Country.Code)
top_ports <- -sort(-ports_table)
top_countries <- -sort(-country_table)
agg_dstports_top <- aggregate(
Count ~ Connection.Start.NoTime + Local.Port,
data=unified_dataset[
unified_dataset$Local.Port %in%
rownames(head(top_ports, n=20)),
], FUN=sum
)
str(agg_dstports_top)
## 'data.frame': 4635 obs. of 3 variables:
## $ Connection.Start.NoTime: Factor w/ 265 levels "2022-02-04","2022-02-05",..: 1 2 3 4 5 6 8 9 10 11 ...
## $ Local.Port : Factor w/ 7066 levels "21","22","23",..: 1 1 1 1 1 1 1 1 1 1 ...
## $ Count : num 11 25 25 19 308 3 10 18 9 18 ...
agg_countries_top <- aggregate(
Count ~ Connection.Start.NoTime + Country.Name,
data=unified_dataset[
unified_dataset$Country.Code %in%
rownames(head(top_countries, n=20)),
], FUN=sum
)
str(agg_countries_top)
## 'data.frame': 4918 obs. of 3 variables:
## $ Connection.Start.NoTime: Factor w/ 265 levels "2022-02-04","2022-02-05",..: 1 2 3 4 5 6 7 8 9 10 ...
## $ Country.Name : chr "Australia" "Australia" "Australia" "Australia" ...
## $ Count : num 2201 27 943 6639 14948 ...
agg_payloads_cntry_top <- aggregate(
Count ~ Connection.Start.NoTime + Country.Name,
data=unified_payloads[
unified_payloads$Country.Code %in%
rownames(head(top_countries, n=20)),
], FUN=sum
)
agg_payloads_cntry_top$Connection.Start.NoTime <- as.character(
agg_payloads_cntry_top$Connection.Start.NoTime
)
str(agg_payloads_cntry_top)
## 'data.frame': 2964 obs. of 3 variables:
## $ Connection.Start.NoTime: chr "2022-02-04" "2022-02-05" "2022-02-06" "2022-02-07" ...
## $ Country.Name : chr "Australia" "Australia" "Australia" "Australia" ...
## $ Count : num 3 1 1 1 2 3 2 1 5 1 ...
agg_payloads_cntry_top <- merge(
tmp_pay_date_frame, agg_payloads_cntry_top, all.x=TRUE
)
str(agg_payloads_cntry_top)
## 'data.frame': 2965 obs. of 3 variables:
## $ Connection.Start.NoTime: chr "2022-02-04" "2022-02-04" "2022-02-04" "2022-02-04" ...
## $ Country.Name : chr "Australia" "India" "Russia" "Taiwan" ...
## $ Count : num 3 13 26 3 3 2 5 5 7 1 ...
agg_payloads_dstports_top <- aggregate(
Count ~ Connection.Start.NoTime + Local.Port,
data=unified_payloads[
unified_payloads$Local.Port %in%
rownames(head(top_ports, n=20)),
], FUN=sum
)
str(agg_payloads_dstports_top)
## 'data.frame': 444 obs. of 3 variables:
## $ Connection.Start.NoTime: Factor w/ 264 levels "2022-02-04","2022-02-05",..: 4 5 6 7 8 9 10 11 12 13 ...
## $ Local.Port : Factor w/ 5 levels "22","80","443",..: 1 1 1 1 1 1 1 1 1 1 ...
## $ Count : num 10 9 24 18 19 15 33 46 13 31 ...
cowrie_auth$Count <- rep(1, nrow(cowrie_auth))
agg_ssh_unpw <- aggregate(
Count ~ username + password, data=cowrie_auth, FUN=sum
)
top_ssh_unpw <- agg_ssh_unpw[order(-agg_ssh_unpw$Count),]
names(top_ssh_unpw) <- c("Username", "Password", "Count")
str(top_ssh_unpw)
## 'data.frame': 172578 obs. of 3 variables:
## $ Username: chr "user" "root" "admin" "support" ...
## $ Password: chr "user" "root" "admin" "support" ...
## $ Count : num 148528 20607 14672 5059 3996 ...
dionaea_logins$Count <- rep(1, nrow(dionaea_logins))
agg_other_unpw <- aggregate(
Count ~ login_username + login_password, data=dionaea_logins, FUN=sum
)
top_other_unpw <- agg_other_unpw[order(-agg_other_unpw$Count),]
names(top_other_unpw) <- c("Username", "Password", "Count")
str(top_other_unpw)
## 'data.frame': 19266 obs. of 3 variables:
## $ Username: chr "sa" "" "root" "sa" ...
## $ Password: chr "" "" "" "123456" ...
## $ Count : num 7915 3762 3574 1053 915 ...
Records: 13869735
Data Min: 2022-02-03 11:05:28
Data Max: 2022-12-17 09:57:06
Records: 33437
Data Min: 2022-02-03 11:11:46
Data Max: 2022-12-17 09:45:17
sip_addrs <- gsub(
REDACTED_HONEYPOT_IP,
"##redacted:honeypot-ip##",
dionaea_sip_addrs$sip_addr_uri_host
)
sip_addrs <- gsub(
paste0(REDACTED_HONEYPOT_SUBNET, "[0-9\\.]+[0-9]"),
"##redacted:honeypot-subnet##", sip_addrs
)
table(as.factor(sip_addrs))
##
##
## 1014
## \025
## 3
## !@##redacted:honeypot-ip##
## 9
## !100@##redacted:honeypot-ip##
## 3
## .com
## 4
## "@##redacted:honeypot-ip##
## 3
## "`$eU@##redacted:honeypot-ip##
## 3
## (5'┬\u0081'@##redacted:honeypot-ip##
## 3
## \020\030(c˜@##redacted:honeypot-ip##
## 3
## \020)Q02@##redacted:honeypot-ip##
## 3
## [20@##redacted:honeypot-ip##
## 24
## }@##redacted:honeypot-ip##
## 15
## @!mighty1107@##redacted:honeypot-ip##
## 12
## @@@@@@@##redacted:honeypot-ip##
## 6
## @@@@@##redacted:honeypot-ip##
## 3
## @@##redacted:honeypot-ip##
## 3
## @@1234@##redacted:honeypot-ip##
## 12
## @&^$%$^$%%^$%^@##redacted:honeypot-ip##
## 60
## @##redacted:honeypot-ip##
## 183
## \027@##redacted:honeypot-ip##
## 3
## \031@##redacted:honeypot-ip##
## 3
## \031\021@##redacted:honeypot-ip##
## 3
## @#$%@##redacted:honeypot-ip##
## 3
## @┬\u0090p@##redacted:honeypot-ip##
## 3
## @123@##redacted:honeypot-ip##
## 3
## @1234@@##redacted:honeypot-ip##
## 3
## @1234@##redacted:honeypot-ip##
## 3
## @12345@##redacted:honeypot-ip##
## 3
## @123456@##redacted:honeypot-ip##
## 3
## @1ظ\u0080ةYV@##redacted:honeypot-ip##
## 9
## @ā€°ā€”\020\005@##redacted:honeypot-ip##
## 3
## @Ā\u0090p@##redacted:honeypot-ip##
## 3
## @bouty0u@##redacted:honeypot-ip##
## 12
## @dh0c@dm1n@##redacted:honeypot-ip##
## 9
## @Y*MIYM9@##redacted:honeypot-ip##
## 12
## \022@\022Yb@##redacted:honeypot-ip##
## 3
## ///#@##redacted:honeypot-ip##
## 3
## //#@##redacted:honeypot-ip##
## 3
## /#@##redacted:honeypot-ip##
## 3
## /##@##redacted:honeypot-ip##
## 3
## /###@##redacted:honeypot-ip##
## 3
## \\x10A@##redacted:honeypot-ip##
## 21
## &)\a\002\b@##redacted:honeypot-ip##
## 6
## &╦£ظéشظ\u0080آX@##redacted:honeypot-ip##
## 3
## &$#45@##redacted:honeypot-ip##
## 6
## &ظ\u0080ت#pi@##redacted:honeypot-ip##
## 3
## #@##redacted:honeypot-ip##
## 138
## #/@##redacted:honeypot-ip##
## 3
## #//@##redacted:honeypot-ip##
## 3
## #///@##redacted:honeypot-ip##
## 24
## ##@##redacted:honeypot-ip##
## 57
## ###@##redacted:honeypot-ip##
## 57
## ####@##redacted:honeypot-ip##
## 54
## #####@##redacted:honeypot-ip##
## 45
## ######@##redacted:honeypot-ip##
## 3
## ##0@##redacted:honeypot-ip##
## 3
## ##00@##redacted:honeypot-ip##
## 3
## ##001@##redacted:honeypot-ip##
## 3
## ##0011@##redacted:honeypot-ip##
## 3
## ##01@##redacted:honeypot-ip##
## 3
## ##011@##redacted:honeypot-ip##
## 3
## ##1@##redacted:honeypot-ip##
## 3
## ##810@##redacted:honeypot-ip##
## 6
## ##900@##redacted:honeypot-ip##
## 3
## ##9810@##redacted:honeypot-ip##
## 3
## ##redacted:honeypot-ip##
## 27289626
## ##redacted:honeypot-subnet##/16
## 12
## #\004`0ā€¦@##redacted:honeypot-ip##
## 3
## #=QCr51@##redacted:honeypot-ip##
## 18
## #$@##redacted:honeypot-ip##
## 6
## #$%!@#$%@##redacted:honeypot-ip##
## 3
## #$%^&@##redacted:honeypot-ip##
## 12
## #$123456@##redacted:honeypot-ip##
## 3
## #$qwer@##redacted:honeypot-ip##
## 3
## #0@##redacted:honeypot-ip##
## 3
## #00@##redacted:honeypot-ip##
## 3
## #000@##redacted:honeypot-ip##
## 12
## #001@##redacted:honeypot-ip##
## 3
## #0011@##redacted:honeypot-ip##
## 3
## #01@##redacted:honeypot-ip##
## 3
## #011@##redacted:honeypot-ip##
## 6
## #1@##redacted:honeypot-ip##
## 6
## #100@##redacted:honeypot-ip##
## 3
## #111@##redacted:honeypot-ip##
## 3
## #123@##redacted:honeypot-ip##
## 3
## #1234@##redacted:honeypot-ip##
## 3
## #1234#@##redacted:honeypot-ip##
## 3
## #12345@##redacted:honeypot-ip##
## 3
## #123456@##redacted:honeypot-ip##
## 3
## #123456#@##redacted:honeypot-ip##
## 3
## #19@##redacted:honeypot-ip##
## 3
## #19010@##redacted:honeypot-ip##
## 3
## #2019@##redacted:honeypot-ip##
## 15
## #222@##redacted:honeypot-ip##
## 6
## #333@##redacted:honeypot-ip##
## 3
## #48@##redacted:honeypot-ip##
## 3
## #555@##redacted:honeypot-ip##
## 3
## #6*0@##redacted:honeypot-ip##
## 3
## #810@##redacted:honeypot-ip##
## 3
## #900@##redacted:honeypot-ip##
## 3
## #9810@##redacted:honeypot-ip##
## 3
## #999@##redacted:honeypot-ip##
## 3
## \023\a#\024ā€¢@##redacted:honeypot-ip##
## 6
## #A2t@##redacted:honeypot-ip##
## 6
## #asd@##redacted:honeypot-ip##
## 3
## #HSS2@##redacted:honeypot-ip##
## 6
## #qw@##redacted:honeypot-ip##
## 3
## #SCaribe2019@##redacted:honeypot-ip##
## 12
## #uib\a@##redacted:honeypot-ip##
## 3
## #xظ\u0080ب'\006@##redacted:honeypot-ip##
## 3
## %iIā•Ŗā••ā”¬Ā€ā”¬Ų«b@##redacted:honeypot-ip##
## 3
## %iIŲĆøÄ€ā‚¬Ä€Ā£b@##redacted:honeypot-ip##
## 6
## %iIظ\u0080£b@##redacted:honeypot-ip##
## 3
## %VG\030\003@##redacted:honeypot-ip##
## 3
## $@##redacted:honeypot-ip##
## 6
## $8\aq\021@##redacted:honeypot-ip##
## 6
## $ā€ ā€“2Q@##redacted:honeypot-ip##
## 3
## $a3\005\027@##redacted:honeypot-ip##
## 3
## $bD\024ā€°@##redacted:honeypot-ip##
## 3
## $Dā€ ā€°'@##redacted:honeypot-ip##
## 3
## $sgā€˛ā€¢@##redacted:honeypot-ip##
## 3
## \022\a$tU@##redacted:honeypot-ip##
## 6
## $ظ\u0080بظ\u0080ô2Q@##redacted:honeypot-ip##
## 6
## 0.0.0.0
## 32
## 0@##redacted:honeypot-ip##
## 9
## 00@##redacted:honeypot-ip##
## 9
## 0057#555@##redacted:honeypot-ip##
## 3
## 0057#999@##redacted:honeypot-ip##
## 6
## 02122130686@nt@##redacted:honeypot-ip##
## 12
## 0\020ā€˛8$@##redacted:honeypot-ip##
## 3
## 0ā€\u0098ā„¢Vr@##redacted:honeypot-ip##
## 3
## 0Rā„¢DX@##redacted:honeypot-ip##
## 3
## 0ŲøĀ€Ć´ā•¦Ā†IF@##redacted:honeypot-ip##
## 3
## 0ظ\u0080ô╦\u0086IF@##redacted:honeypot-ip##
## 3
## 0ظ\u0080ءظ\u0084تVr@##redacted:honeypot-ip##
## 3
## 1.1.1.1
## 36954
## 1\\
## 21
## 1\\\\
## 21
## 1#@##redacted:honeypot-ip##
## 6
## 10.128.0.19
## 1
## 10.128.0.25
## 1
## 10.128.0.26
## 1
## 10.128.0.36
## 1
## 10.128.0.39
## 1
## 10.128.0.5
## 1
## 10.128.0.51
## 1
## 10.128.0.53
## 1
## 10.128.0.56
## 1
## 10.132.0.129
## 1
## 10.132.0.137
## 2
## 10.132.0.140
## 1
## 10.132.0.143
## 1
## 10.132.0.156
## 1
## 10.132.0.165
## 2
## 10.132.0.173
## 1
## 10.140.0.12
## 1
## 10.140.0.15
## 1
## 10.140.0.53
## 1
## 10.140.0.56
## 1
## 10.140.0.60
## 1
## 10.158.0.135
## 1
## 10.158.0.139
## 1
## 10.158.0.148
## 1
## 10.158.0.149
## 1
## 10.158.0.151
## 1
## 10.158.0.155
## 1
## 10.158.0.164
## 1
## 10.158.0.167
## 1
## 10.158.0.174
## 1
## 10.158.0.175
## 1
## 100@##redacted:honeypot-ip##
## 15
## 100#@##redacted:honeypot-ip##
## 3
## 100#$@##redacted:honeypot-ip##
## 3
## 100#$100@##redacted:honeypot-ip##
## 3
## 100#100@##redacted:honeypot-ip##
## 3
## 1000@##redacted:honeypot-ip##
## 12
## 1000#@##redacted:honeypot-ip##
## 3
## 1000#$@##redacted:honeypot-ip##
## 3
## 10000@##redacted:honeypot-ip##
## 3
## 10010@##redacted:honeypot-ip##
## 3
## 100100@##redacted:honeypot-ip##
## 3
## 100200#@##redacted:honeypot-ip##
## 3
## 100200#$@##redacted:honeypot-ip##
## 3
## 1003@##redacted:honeypot-ip##
## 3
## 1004@##redacted:honeypot-ip##
## 3
## 1005@##redacted:honeypot-ip##
## 3
## 1006@##redacted:honeypot-ip##
## 3
## 1007@##redacted:honeypot-ip##
## 3
## 1008@##redacted:honeypot-ip##
## 3
## 1009@##redacted:honeypot-ip##
## 3
## 101@##redacted:honeypot-ip##
## 9
## 1010@##redacted:honeypot-ip##
## 3
## 101101@##redacted:honeypot-ip##
## 6
## 102@##redacted:honeypot-ip##
## 3
## 103@##redacted:honeypot-ip##
## 3
## 104.140.188.10
## 1
## 104.140.188.18
## 1
## 104.140.188.30
## 1
## 104.140.188.34
## 1
## 104.140.188.38
## 1
## 104.140.188.46
## 1
## 104.140.188.6
## 1
## 104.152.52.251
## 2
## 104.206.128.2
## 1
## 104.206.128.22
## 4
## 104.206.128.26
## 1
## 104.206.128.34
## 1
## 104.206.128.38
## 2
## 104.206.128.50
## 1
## 104.206.128.70
## 1
## 104@##redacted:honeypot-ip##
## 3
## 105@##redacted:honeypot-ip##
## 3
## 107@##redacted:honeypot-ip##
## 3
## 109.123.117.233
## 1
## 11#@##redacted:honeypot-ip##
## 6
## 111#@##redacted:honeypot-ip##
## 3
## 115.152.90.218
## 1
## 123@##redacted:honeypot-ip##
## 72
## 123#@##redacted:honeypot-ip##
## 3
## 123#123@##redacted:honeypot-ip##
## 3
## 123123
## 18
## 1234@##redacted:honeypot-ip##
## 15
## 1234#@##redacted:honeypot-ip##
## 3
## 1234#$@##redacted:honeypot-ip##
## 3
## 12345 06@##redacted:honeypot-ip##
## 30
## 12345#@##redacted:honeypot-ip##
## 3
## 123456#@##redacted:honeypot-ip##
## 3
## 123456##@##redacted:honeypot-ip##
## 3
## 125@##redacted:honeypot-ip##
## 12
## 127.0.0.1
## 46
## 128.1.248.27
## 1
## 128.1.248.28
## 1
## 128.1.248.42
## 1
## 128.1.248.44
## 1
## 128.14.134.170
## 2
## 128.14.141.36
## 2
## 131.22.119.168
## 1
## 13227 11@##redacted:honeypot-ip##
## 30
## 139.59.84.207
## 4
## 148.26.81
## 4
## 1539\\t@##redacted:honeypot-ip##
## 6
## 162.221.192.29
## 1
## 162.221.192.30
## 1
## 170.130.187.10
## 1
## 170.130.187.26
## 2
## 170.130.187.38
## 2
## 170.130.187.42
## 1
## 170.130.187.58
## 1
## 172.16.77.10
## 4
## 178.128.241.157
## 2
## 185.173.35.25
## 1
## 185.173.35.45
## 1
## 185.173.35.61
## 1
## 185.180.143.11
## 3
## 185.180.143.140
## 3
## 185.180.143.141
## 2
## 192.168.1.1
## 3
## 192.241.192.82
## 1
## 192.241.194.141
## 1
## 192.241.194.144
## 1
## 192.241.195.58
## 1
## 192.241.195.77
## 1
## 192.241.196.178
## 1
## 192.241.197.21
## 1
## 192.241.198.122
## 1
## 192.241.198.241
## 1
## 192.241.198.93
## 1
## 192.241.199.126
## 1
## 192.241.199.47
## 1
## 192.241.200.213
## 1
## 192.241.200.226
## 1
## 192.241.200.73
## 1
## 192.241.201.214
## 1
## 192.241.201.8
## 1
## 192.241.201.85
## 1
## 192.241.201.91
## 1
## 192.241.202.112
## 1
## 192.241.202.127
## 1
## 192.241.202.252
## 1
## 192.241.202.81
## 1
## 192.241.203.104
## 1
## 192.241.203.182
## 1
## 192.241.203.200
## 1
## 192.241.203.208
## 1
## 192.241.203.99
## 1
## 192.241.204.132
## 2
## 192.241.204.137
## 1
## 192.241.204.207
## 1
## 192.241.204.235
## 1
## 192.241.204.239
## 1
## 192.241.204.42
## 1
## 192.241.204.66
## 1
## 192.241.205.158
## 1
## 192.241.205.51
## 1
## 192.241.205.61
## 1
## 192.241.205.81
## 1
## 192.241.205.90
## 1
## 192.241.206.16
## 1
## 192.241.206.168
## 1
## 192.241.206.179
## 1
## 192.241.206.192
## 1
## 192.241.206.232
## 1
## 192.241.206.33
## 1
## 192.241.206.68
## 1
## 192.241.207.140
## 1
## 192.241.207.214
## 1
## 192.241.207.221
## 1
## 192.241.207.244
## 1
## 192.241.207.34
## 1
## 192.241.208.131
## 1
## 192.241.208.180
## 1
## 192.241.208.203
## 1
## 192.241.208.213
## 2
## 192.241.208.229
## 1
## 192.241.208.27
## 2
## 192.241.208.45
## 1
## 192.241.208.49
## 1
## 192.241.208.54
## 1
## 192.241.208.69
## 1
## 192.241.208.78
## 1
## 192.241.209.122
## 1
## 192.241.209.140
## 2
## 192.241.209.150
## 1
## 192.241.209.25
## 1
## 192.241.209.77
## 1
## 192.241.209.78
## 1
## 192.241.210.164
## 2
## 192.241.211.98
## 1
## 192.241.212.123
## 1
## 192.241.212.134
## 1
## 192.241.212.136
## 1
## 192.241.212.138
## 1
## 192.241.212.162
## 1
## 192.241.212.165
## 1
## 192.241.212.171
## 2
## 192.241.212.18
## 1
## 192.241.212.187
## 1
## 192.241.212.202
## 2
## 192.241.212.218
## 1
## 192.241.212.238
## 1
## 192.241.212.249
## 1
## 192.241.212.251
## 1
## 192.241.212.55
## 1
## 192.241.212.65
## 1
## 192.241.212.72
## 2
## 192.241.212.98
## 1
## 192.241.213.115
## 1
## 192.241.213.118
## 1
## 192.241.213.151
## 1
## 192.241.213.152
## 1
## 192.241.213.153
## 1
## 192.241.213.154
## 1
## 192.241.213.164
## 2
## 192.241.213.183
## 1
## 192.241.213.192
## 1
## 192.241.213.226
## 1
## 192.241.213.25
## 1
## 192.241.213.37
## 1
## 192.241.213.56
## 1
## 192.241.213.57
## 1
## 192.241.213.6
## 1
## 192.241.213.65
## 1
## 192.241.213.78
## 1
## 192.241.213.79
## 1
## 192.241.213.90
## 1
## 192.241.213.94
## 1
## 192.241.214.142
## 1
## 192.241.214.186
## 1
## 192.241.214.208
## 1
## 192.241.214.247
## 1
## 192.241.214.25
## 1
## 192.241.214.50
## 1
## 192.241.214.64
## 1
## 192.241.214.65
## 1
## 192.241.215.124
## 1
## 192.241.215.128
## 1
## 192.241.215.136
## 1
## 192.241.215.188
## 1
## 192.241.215.205
## 1
## 192.241.215.211
## 1
## 192.241.215.228
## 1
## 192.241.215.244
## 1
## 192.241.215.94
## 1
## 192.241.216.131
## 1
## 192.241.216.15
## 1
## 192.241.216.153
## 1
## 192.241.216.19
## 1
## 192.241.216.61
## 1
## 192.241.216.80
## 1
## 192.241.216.87
## 1
## 192.241.217.115
## 1
## 192.241.217.166
## 1
## 192.241.218.158
## 1
## 192.241.218.165
## 1
## 192.241.218.174
## 1
## 192.241.218.25
## 1
## 192.241.218.84
## 1
## 192.241.218.92
## 1
## 192.241.219.117
## 1
## 192.241.219.166
## 1
## 192.241.219.17
## 1
## 192.241.219.197
## 1
## 192.241.219.219
## 1
## 192.241.219.22
## 1
## 192.241.219.239
## 1
## 192.241.219.38
## 1
## 192.241.219.52
## 1
## 192.241.219.56
## 1
## 192.241.219.57
## 1
## 192.241.219.63
## 1
## 192.241.219.83
## 1
## 192.241.219.98
## 1
## 192.241.220.16
## 1
## 192.241.220.171
## 1
## 192.241.220.178
## 1
## 192.241.220.232
## 1
## 192.241.220.233
## 1
## 192.241.220.24
## 1
## 192.241.220.50
## 1
## 192.241.220.69
## 1
## 192.241.220.72
## 1
## 192.241.220.95
## 1
## 192.241.221.114
## 1
## 192.241.221.133
## 1
## 192.241.221.20
## 1
## 192.241.221.221
## 1
## 192.241.221.23
## 1
## 192.241.221.245
## 1
## 192.241.221.43
## 1
## 192.241.221.72
## 1
## 192.241.222.191
## 1
## 192.241.222.206
## 1
## 192.241.222.234
## 1
## 192.241.222.238
## 1
## 192.241.222.46
## 1
## 192.241.222.5
## 1
## 192.241.222.54
## 1
## 192.241.222.55
## 1
## 192.241.222.57
## 1
## 192.241.222.58
## 1
## 192.241.223.20
## 1
## 192.241.223.234
## 1
## 192.241.223.235
## 1
## 192.241.223.44
## 1
## 192.241.224.226
## 1
## 192.241.224.73
## 1
## 192.241.225.114
## 1
## 192.241.225.135
## 1
## 192.241.225.149
## 1
## 192.241.225.245
## 1
## 192.241.225.62
## 1
## 192.241.225.68
## 1
## 192.241.236.89
## 1
## 192.241.236.93
## 1
## 193.118.53.194
## 1
## 193.118.53.202
## 1
## 193.118.53.210
## 3
## 198.199.105.130
## 1
## 198.199.93.114
## 1
## 198.199.94.194
## 1
## 198.199.94.79
## 1
## 198.199.95.154
## 1
## 198.199.95.17
## 1
## 2#@##redacted:honeypot-ip##
## 3
## 2001
## 3
## 2019@##redacted:honeypot-ip##
## 144
## 2020@##redacted:honeypot-ip##
## 192
## 2021@##redacted:honeypot-ip##
## 144
## 206.249.187.212
## 1
## 22#@##redacted:honeypot-ip##
## 3
## 222#@##redacted:honeypot-ip##
## 6
## 23.251.102.75
## 1
## 23.251.102.78
## 1
## 23@##redacted:honeypot-ip##
## 9
## 234.207.217.135
## 1
## 234.76.12.189
## 1
## 23456 7@##redacted:honeypot-ip##
## 30
## 24252628@##redacted:honeypot-ip##
## 15
## 2aظ\u0080ôظ\u0080£ظ\u0080¤@##redacted:honeypot-ip##
## 3
## 2Txn@##redacted:honeypot-ip##
## 12
## 3#@##redacted:honeypot-ip##
## 6
## 3$5^7*@##redacted:honeypot-ip##
## 3
## 313@##redacted:honeypot-ip##
## 15
## 321@@#@##redacted:honeypot-ip##
## 12
## 33#@##redacted:honeypot-ip##
## 3
## 333#@##redacted:honeypot-ip##
## 3
## 3ā€\u009aAGā€\u0098@##redacted:honeypot-ip##
## 6
## 3b╞ْظ\u0080إc@##redacted:honeypot-ip##
## 3
## 3hظ\u0080ôSy@##redacted:honeypot-ip##
## 6
## 3W3h%5Exb7ft@##redacted:honeypot-ip##
## 12
## 3ظ\u0080ت\006\bQ@##redacted:honeypot-ip##
## 3
## 4\030–“e@##redacted:honeypot-ip##
## 3
## 4#@##redacted:honeypot-ip##
## 3
## 435˜\004@##redacted:honeypot-ip##
## 3
## 44#@##redacted:honeypot-ip##
## 3
## 444#@##redacted:honeypot-ip##
## 3
## 45.95.147.33
## 2
## 45.95.147.43
## 1
## 46.166.160.136
## 135
## 472F\006@##redacted:honeypot-ip##
## 3
## 48bu\003@##redacted:honeypot-ip##
## 12
## 48k@##redacted:honeypot-ip##
## 18
## 4CqH\004@##redacted:honeypot-ip##
## 3
## 4H\021\025ظ\u0080ء@##redacted:honeypot-ip##
## 3
## 5.63.151.100
## 1
## 5.63.151.104
## 1
## 5#@##redacted:honeypot-ip##
## 3
## 5#6-@##redacted:honeypot-ip##
## 3
## 55#@##redacted:honeypot-ip##
## 3
## 555#@##redacted:honeypot-ip##
## 3
## 57#555@##redacted:honeypot-ip##
## 3
## 57#999@##redacted:honeypot-ip##
## 3
## 5ā€\u009c"Cā„¢@##redacted:honeypot-ip##
## 3
## 5ā€\u009c1Ub@##redacted:honeypot-ip##
## 3
## 5I4$$(2017]11@##redacted:honeypot-ip##
## 15
## 5ظ\u0080£1Ub@##redacted:honeypot-ip##
## 24
## 5ظ\u0080ة\025\022R@##redacted:honeypot-ip##
## 3
## 6\005@##redacted:honeypot-ip##
## 3
## 6#@##redacted:honeypot-ip##
## 6
## 6╦£TGظ\u0080░@##redacted:honeypot-ip##
## 18
## 6$3#6@##redacted:honeypot-ip##
## 6
## 6010@##redacted:honeypot-ip##
## 15
## 66#@##redacted:honeypot-ip##
## 3
## 666#@##redacted:honeypot-ip##
## 3
## 6745@##redacted:honeypot-ip##
## 9
## 6ā€Cā€™u@##redacted:honeypot-ip##
## 3
## 6avā€¯\023@##redacted:honeypot-ip##
## 3
## 6D&b┬\u0081@##redacted:honeypot-ip##
## 3
## 6D&bA�@##redacted:honeypot-ip##
## 3
## 6Tt#ظ\u0084ت@##redacted:honeypot-ip##
## 18
## \0317\030@##redacted:honeypot-ip##
## 3
## 7#@##redacted:honeypot-ip##
## 6
## 705@##redacted:honeypot-ip##
## 12
## 71.6.233.159
## 1
## 71.6.233.32
## 1
## 71.6.233.70
## 1
## 71.6.233.73
## 1
## 77#@##redacted:honeypot-ip##
## 3
## 777#@##redacted:honeypot-ip##
## 3
## 8@8@##redacted:honeypot-ip##
## 9
## 8#@##redacted:honeypot-ip##
## 3
## 88#@##redacted:honeypot-ip##
## 3
## 888#@##redacted:honeypot-ip##
## 3
## 8ā€”ā€°VĘ’@##redacted:honeypot-ip##
## 9
## 8b#)Y@##redacted:honeypot-ip##
## 9
## 8ub–q@##redacted:honeypot-ip##
## 6
## 8ubظ\u0080ôq@##redacted:honeypot-ip##
## 3
## 8ŲøĀ€Ā¤ŲøĀ€ā–‘Vā•˛Ł’@##redacted:honeypot-ip##
## 6
## 8WAظ\u0080£A@##redacted:honeypot-ip##
## 6
## 8ظ\u0080¤ظ\u0080░V╞ْ@##redacted:honeypot-ip##
## 3
## 9#@##redacted:honeypot-ip##
## 3
## 92.118.160.29
## 1
## 92.118.161.1
## 1
## 92.118.161.13
## 1
## 92.118.161.17
## 2
## 92.118.161.29
## 1
## 92.118.161.37
## 3
## 92.118.161.45
## 1
## 92.118.161.5
## 1
## 92.118.161.53
## 1
## 94.102.61.7
## 1
## 99#@##redacted:honeypot-ip##
## 3
## 999#@##redacted:honeypot-ip##
## 3
## 9Y%Pظ\u0080آ@##redacted:honeypot-ip##
## 3
## a
## 454
## \024ā‚¬R\025ā€¦@##redacted:honeypot-ip##
## 3
## A"PpB@##redacted:honeypot-ip##
## 3
## A\024\021˜S@##redacted:honeypot-ip##
## 3
## \025ā€™h\a@##redacted:honeypot-ip##
## 6
## \024\025ā€wr@##redacted:honeypot-ip##
## 3
## abc@##redacted:honeypot-ip##
## 3
## abcd@##redacted:honeypot-ip##
## 3
## Ac\030F\026@##redacted:honeypot-ip##
## 6
## advoic.com@##redacted:honeypot-ip##
## 3
## aef0WH4TC=43TJGEVR=]GI@##redacted:honeypot-ip##
## 15
## akl.italk.co.nz
## 8
## Ars#h@##redacted:honeypot-ip##
## 3
## ASQC\b@##redacted:honeypot-ip##
## 3
## atlanta.com
## 357
## Av(€B@##redacted:honeypot-ip##
## 21
## Av(�B@##redacted:honeypot-ip##
## 6
## Aظ\u0080ôXuظ\u0080ô@##redacted:honeypot-ip##
## 3
## b
## 454
## B#9@##redacted:honeypot-ip##
## 54
## B#ظ\u0080ô\031@##redacted:honeypot-ip##
## 3
## B`y%@##redacted:honeypot-ip##
## 6
## B2ā„¢7@##redacted:honeypot-ip##
## 3
## bel@##redacted:honeypot-ip##
## 12
## ByH╞ْt@##redacted:honeypot-ip##
## 3
## ByHĘ’t@##redacted:honeypot-ip##
## 3
## censys.io
## 714
## chicago.com
## 1071
## combuckeye.com
## 4
## d93v1#27d8G47d7!166$16@##redacted:honeypot-ip##
## 18
## DG7#^WUg9VpHDF4Oct2018@##redacted:honeypot-ip##
## 12
## dظ\u0080¤Vr@##redacted:honeypot-ip##
## 3
## E
## 4
## e@##redacted:honeypot-ip##
## 12
## e4strategies.com@##redacted:honeypot-ip##
## 3
## E8*
## 15
## EWa@##redacted:honeypot-ip##
## 12
## \030F\005\003@##redacted:honeypot-ip##
## 3
## GBeظ\u0080ô@##redacted:honeypot-ip##
## 3
## GhhjY3245*&^(
## 12
## grupotelh{ugia@##redacted:honeypot-ip##
## 21
## H&Wi6qb6"$&QB9tbwt5426@##redacted:honeypot-ip##
## 12
## \027H\005#˜@##redacted:honeypot-ip##
## 3
## \025\027I3P@##redacted:honeypot-ip##
## 6
## ideagroupinc.net@##redacted:honeypot-ip##
## 3
## Itc#3175640016!@##redacted:honeypot-ip##
## 15
## miamitranscoding.com@##redacted:honeypot-ip##
## 3
## NFH@##redacted:honeypot-ip##
## 12
## nm
## 3751
## nm2
## 2544
## ntv2000@##redacted:honeypot-ip##
## 3
## oCZ!65^V@##redacted:honeypot-ip##
## 12
## \022q6w\025@##redacted:honeypot-ip##
## 3
## qwe@##redacted:honeypot-ip##
## 3
## sb
## 2
## sb2
## 2
## sinet8@##redacted:honeypot-ip##
## 30
## sip.internode.on.net
## 4
## sip.wa.iinet.net.au
## 8
## sip@##redacted:honeypot-ip##
## 3
## sip5060.net
## 714
## ssw0rd@##redacted:honeypot-ip##
## 3
## test
## 4
## test1
## 4
## test2
## 12
## \024\006U┬\u0081@##redacted:honeypot-ip##
## 3
## Ure@##redacted:honeypot-ip##
## 6
## voip.bhnis.net
## 28
## W#E@##redacted:honeypot-ip##
## 6
## west01.voip.evolveip.net
## 4
## WQs@##redacted:honeypot-ip##
## 12
## wsx@##redacted:honeypot-ip##
## 9
## x.x.x.x
## 4
## xe55555@##redacted:honeypot-ip##
## 12
## \024Y\021ā€\u009cS@##redacted:honeypot-ip##
## 3
## y\004b@##redacted:honeypot-ip##
## 3
## zvBE!H]W8vROx4iZ@##redacted:honeypot-ip##
## 12
## \024\025ظ\u0080ةwr@##redacted:honeypot-ip##
## 3
ports_table[ports_table >= 9]
##
## 21 22 23 42 53 80 135 443 445 1433
## 22382 1031911 691916 483 10110 60526 5243 26060 2369574 157796
## 1723 1883 1900 3306 5060 5061 9100 11211 27017 32769
## 9074 2684 3643026 11826 5633660 50770 14482 4329 36755 20
## 32771 32773 32775 32777 32779 32781 32783 32785 32787 32789
## 21 21 9 18 10 9 16 12 9 12
## 32791 32793 32797 32801 32805 32807 32809 32811 32813 32815
## 18 11 24 22 12 15 10 14 21 23
## 32821 32823 32825 32827 32829 32831 32833 32835 32837 32839
## 18 10 15 22 10 9 15 13 10 11
## 32841 32843 32845 32847 32849 32851 32853 32855 32859 32861
## 15 16 10 16 10 15 9 13 20 11
## 32863 32865 32869 32871 32873 32875 32877 32879 32883 32885
## 24 12 12 9 16 14 11 9 16 12
## 32889 32891 32893 32895 32897 32899 32901 32903 32905 32911
## 14 18 9 11 24 19 15 14 10 16
## 32915 32917 32921 32925 32927 32929 32931 32933 32939 32941
## 22 15 15 18 10 20 12 12 11 16
## 32943 32945 32947 32949 32951 32957 32959 32961 32963 32967
## 12 9 21 10 13 12 18 9 21 13
## 32969 32971 32973 32975 32977 32979 32981 32983 32985 32987
## 13 9 12 21 9 17 22 11 14 17
## 32993 32995 32997 32999 33001 33003 33005 33007 33009 33011
## 13 23 15 26 10 24 18 10 14 26
## 33013 33015 33017 33019 33021 33023 33025 33027 33029 33031
## 9 9 15 11 13 21 14 14 16 11
## 33033 33035 33037 33041 33043 33045 33047 33055 33063 33065
## 18 18 19 16 11 24 9 10 13 17
## 33067 33069 33071 33073 33075 33077 33079 33081 33083 33085
## 16 14 16 15 14 11 14 14 15 16
## 33089 33095 33099 33101 33103 33105 33107 33109 33113 33115
## 18 10 10 21 20 14 13 11 17 9
## 33119 33123 33125 33127 33129 33131 33133 33137 33139 33141
## 15 18 12 12 16 12 16 12 11 19
## 33143 33145 33147 33149 33153 33155 33157 33159 33161 33163
## 13 12 13 13 10 10 15 10 14 15
## 33167 33169 33175 33179 33183 33185 33189 33191 33195 33197
## 10 15 10 11 9 12 13 19 18 15
## 33199 33201 33203 33205 33207 33213 33217 33219 33221 33223
## 22 18 14 9 13 9 16 19 10 10
## 33227 33229 33231 33235 33237 33239 33241 33245 33247 33249
## 18 10 11 14 12 11 20 15 10 10
## 33253 33259 33263 33265 33267 33269 33271 33273 33275 33279
## 9 20 16 9 15 9 14 11 12 12
## 33281 33283 33285 33287 33289 33291 33293 33295 33297 33299
## 16 12 9 13 10 20 9 11 14 15
## 33303 33305 33307 33309 33311 33317 33319 33321 33323 33325
## 13 9 14 19 9 12 12 13 16 12
## 33327 33329 33331 33333 33335 33337 33339 33341 33343 33347
## 9 10 13 26 15 14 16 14 11 10
## 33349 33353 33355 33361 33363 33365 33367 33369 33371 33373
## 14 19 11 15 17 18 10 24 10 18
## 33379 33381 33383 33385 33387 33389 33391 33393 33395 33399
## 20 13 9 10 12 22 10 10 15 14
## 33401 33403 33405 33407 33409 33411 33415 33417 33419 33423
## 15 16 12 12 13 14 13 14 20 10
## 33425 33427 33429 33431 33433 33437 33441 33447 33449 33451
## 9 16 14 20 10 18 10 13 19 10
## 33453 33457 33459 33465 33467 33473 33475 33479 33481 33483
## 16 15 12 13 13 16 9 9 10 10
## 33485 33487 33491 33493 33495 33497 33501 33503 33507 33509
## 13 18 12 9 15 13 10 22 17 15
## 33511 33515 33517 33519 33521 33523 33525 33527 33529 33531
## 14 18 18 23 14 14 15 20 10 12
## 33533 33535 33537 33541 33543 33547 33549 33551 33553 33555
## 13 10 9 12 14 10 15 10 13 9
## 33557 33559 33561 33563 33567 33571 33573 33575 33577 33579
## 10 11 15 11 11 19 11 18 10 10
## 33581 33583 33587 33589 33591 33593 33595 33597 33599 33603
## 12 9 22 13 20 23 16 21 9 10
## 33607 33609 33611 33613 33617 33619 33621 33623 33625 33627
## 21 15 16 10 14 20 25 18 10 16
## 33629 33631 33633 33637 33639 33641 33643 33647 33651 33653
## 22 9 24 10 13 15 18 9 17 16
## 33655 33657 33659 33661 33663 33665 33669 33671 33673 33675
## 10 14 10 11 22 17 15 17 15 11
## 33677 33679 33681 33683 33685 33687 33689 33693 33699 33701
## 9 13 18 10 13 11 12 18 12 13
## 33703 33707 33709 33711 33713 33715 33717 33719 33721 33723
## 9 17 20 10 9 10 12 16 21 14
## 33725 33727 33733 33735 33737 33739 33741 33743 33745 33751
## 17 9 14 17 12 14 9 9 11 20
## 33753 33755 33757 33759 33769 33771 33775 33777 33779 33781
## 10 11 9 22 12 9 18 12 19 12
## 33783 33785 33787 33789 33793 33795 33799 33801 33803 33805
## 20 17 16 11 16 18 14 11 15 13
## 33807 33809 33815 33819 33821 33825 33827 33829 33831 33833
## 24 9 9 14 13 15 13 13 11 14
## 33835 33837 33839 33843 33845 33847 33849 33853 33855 33859
## 14 19 17 13 13 14 13 14 13 9
## 33861 33863 33865 33867 33869 33875 33877 33879 33881 33883
## 9 11 10 16 15 10 12 18 19 11
## 33885 33887 33889 33893 33895 33899 33901 33905 33907 33909
## 13 11 18 16 14 16 24 18 10 22
## 33911 33913 33915 33917 33919 33927 33929 33933 33935 33939
## 13 10 12 14 10 10 19 18 17 10
## 33941 33943 33945 33953 33955 33957 33959 33963 33967 33969
## 18 17 16 10 10 16 14 13 12 13
## 33973 33975 33977 33979 33981 33983 33985 33987 33991 33993
## 11 10 9 10 15 11 12 16 10 19
## 33995 33999 34001 34003 34005 34007 34009 34011 34013 34015
## 26 17 10 14 13 24 9 21 10 19
## 34017 34019 34021 34023 34025 34027 34029 34037 34039 34045
## 15 12 11 12 12 18 9 11 21 15
## 34047 34049 34051 34053 34055 34059 34061 34063 34065 34071
## 13 16 13 12 16 15 9 9 12 14
## 34075 34077 34079 34083 34085 34087 34089 34093 34097 34099
## 15 18 11 16 13 13 16 17 25 15
## 34101 34103 34107 34109 34111 34113 34115 34123 34125 34129
## 26 14 10 17 16 16 19 16 14 16
## 34131 34133 34135 34137 34139 34143 34145 34147 34151 34153
## 10 13 18 14 14 12 14 22 20 19
## 34157 34161 34165 34167 34169 34171 34173 34177 34179 34181
## 13 16 11 21 13 12 13 16 24 10
## 34183 34185 34187 34189 34191 34193 34195 34197 34199 34203
## 16 9 16 12 17 12 20 18 12 11
## 34205 34211 34213 34215 34217 34219 34221 34223 34225 34227
## 12 11 19 18 12 16 14 13 10 10
## 34229 34231 34233 34235 34237 34239 34241 34245 34247 34249
## 14 16 11 12 12 11 13 20 12 10
## 34251 34253 34255 34259 34263 34267 34269 34271 34273 34275
## 22 13 15 15 13 16 14 22 20 16
## 34277 34279 34283 34287 34289 34291 34299 34301 34303 34305
## 13 19 24 17 13 11 14 20 10 10
## 34309 34313 34315 34317 34319 34321 34323 34325 34327 34329
## 13 13 14 15 22 17 14 18 13 15
## 34335 34337 34339 34341 34343 34345 34347 34349 34351 34355
## 10 9 13 17 14 16 15 10 14 12
## 34357 34359 34361 34365 34367 34369 34373 34377 34379 34381
## 11 20 16 9 12 10 20 10 9 16
## 34383 34385 34387 34389 34391 34395 34397 34399 34401 34403
## 12 12 13 12 14 13 9 13 13 12
## 34405 34407 34409 34413 34415 34417 34421 34423 34425 34427
## 13 16 12 22 12 14 10 10 12 20
## 34429 34433 34437 34439 34443 34445 34447 34449 34451 34453
## 10 16 12 14 14 9 13 9 12 24
## 34455 34457 34461 34465 34467 34469 34471 34473 34475 34477
## 12 14 16 14 11 19 20 10 12 20
## 34479 34481 34483 34485 34489 34491 34493 34497 34499 34501
## 19 14 14 12 20 18 12 20 14 15
## 34503 34505 34507 34509 34511 34513 34519 34521 34523 34525
## 10 14 11 18 12 19 13 10 12 14
## 34527 34531 34533 34537 34539 34541 34543 34545 34547 34549
## 13 24 15 13 12 14 12 14 12 18
## 34553 34555 34557 34559 34563 34565 34567 34571 34573 34575
## 13 16 9 15 16 17 24 10 11 18
## 34577 34579 34581 34583 34585 34587 34589 34591 34593 34595
## 9 12 19 11 13 12 12 15 13 14
## 34597 34599 34605 34607 34609 34611 34613 34615 34617 34619
## 10 10 14 11 10 23 15 9 19 12
## 34621 34625 34629 34635 34637 34643 34645 34647 34651 34653
## 11 13 10 16 9 26 20 19 12 15
## 34661 34665 34667 34671 34679 34681 34683 34685 34687 34689
## 14 16 12 18 11 14 9 22 13 20
## 34691 34695 34697 34699 34701 34703 34705 34707 34709 34711
## 26 10 20 9 20 10 10 12 15 11
## 34715 34717 34719 34721 34723 34725 34727 34729 34731 34735
## 16 10 13 17 13 13 12 20 10 13
## 34737 34739 34743 34749 34751 34753 34755 34759 34763 34767
## 23 11 13 19 14 15 12 10 10 17
## 34769 34771 34777 34779 34783 34785 34787 34789 34791 34795
## 12 12 24 14 10 15 15 13 11 12
## 34797 34805 34813 34815 34817 34821 34823 34825 34827 34829
## 15 13 19 13 14 9 17 13 12 11
## 34831 34833 34837 34839 34843 34845 34847 34853 34855 34861
## 17 9 9 10 16 13 14 15 16 10
## 34863 34865 34879 34881 34883 34885 34887 34889 34891 34893
## 12 18 27 16 15 10 17 10 24 16
## 34895 34899 34901 34903 34905 34907 34909 34911 34915 34919
## 12 17 22 19 9 13 18 17 12 10
## 34921 34923 34925 34929 34931 34935 34939 34941 34943 34945
## 9 18 21 15 17 12 30 16 17 19
## 34947 34951 34953 34957 34959 34961 34963 34965 34969 34973
## 11 10 11 14 11 12 22 16 10 10
## 34975 34977 34979 34981 34983 34985 34987 34989 34993 34995
## 15 16 13 10 15 16 14 14 13 14
## 34997 34999 35001 35005 35007 35009 35011 35015 35017 35021
## 19 22 16 17 10 11 17 9 15 12
## 35023 35025 35027 35029 35033 35035 35037 35039 35041 35043
## 10 10 14 12 15 10 24 13 10 9
## 35045 35051 35055 35057 35059 35061 35065 35067 35069 35073
## 15 17 17 17 13 12 13 20 20 24
## 35075 35077 35079 35083 35085 35087 35089 35093 35095 35097
## 10 20 10 10 15 9 10 10 14 9
## 35099 35101 35103 35105 35109 35111 35115 35117 35119 35123
## 24 10 14 20 23 21 19 12 9 9
## 35125 35127 35129 35131 35135 35137 35139 35141 35149 35151
## 15 12 10 18 16 10 18 13 12 13
## 35153 35155 35157 35159 35161 35163 35165 35167 35169 35171
## 15 15 12 10 14 18 13 14 9 20
## 35173 35175 35177 35181 35183 35185 35189 35191 35193 35197
## 15 18 17 19 17 21 18 16 16 13
## 35199 35201 35203 35205 35209 35211 35213 35215 35219 35221
## 20 12 17 14 28 19 21 14 12 13
## 35223 35227 35229 35231 35233 35235 35237 35239 35243 35245
## 15 14 10 10 11 10 12 12 14 9
## 35247 35249 35253 35257 35263 35265 35269 35271 35273 35275
## 11 14 18 16 18 24 16 13 21 19
## 35277 35279 35281 35283 35285 35287 35289 35293 35295 35297
## 10 14 17 22 15 10 16 9 13 9
## 35301 35303 35305 35311 35315 35317 35319 35321 35323 35325
## 14 12 15 13 17 14 16 16 18 9
## 35329 35335 35337 35339 35343 35345 35347 35351 35353 35355
## 13 11 12 20 13 17 19 14 10 14
## 35357 35359 35363 35365 35367 35369 35371 35373 35375 35377
## 17 15 11 16 14 9 15 10 14 21
## 35381 35383 35385 35389 35393 35397 35401 35403 35405 35411
## 12 20 12 12 10 20 13 12 12 14
## 35413 35415 35417 35419 35421 35423 35425 35427 35429 35431
## 21 10 9 9 15 13 10 14 20 10
## 35435 35437 35439 35445 35449 35453 35455 35459 35461 35463
## 12 19 16 16 16 13 12 19 24 10
## 35465 35469 35471 35473 35475 35477 35479 35481 35483 35485
## 28 16 13 10 13 13 15 10 9 12
## 35487 35489 35491 35493 35495 35497 35501 35503 35505 35507
## 10 13 12 9 10 9 14 12 16 16
## 35509 35511 35515 35517 35519 35521 35523 35525 35527 35529
## 18 12 9 16 12 10 19 20 10 13
## 35531 35535 35537 35539 35541 35543 35545 35549 35551 35553
## 20 14 14 10 11 23 23 13 9 18
## 35557 35559 35561 35563 35565 35567 35569 35573 35575 35577
## 18 9 10 20 17 14 10 15 19 11
## 35581 35583 35585 35587 35589 35591 35593 35595 35601 35603
## 21 17 10 12 12 12 17 9 14 9
## 35605 35607 35613 35615 35617 35619 35623 35625 35629 35631
## 12 15 14 16 17 20 10 12 14 18
## 35635 35639 35641 35643 35645 35647 35649 35651 35653 35655
## 10 13 14 14 23 17 15 10 12 15
## 35657 35659 35661 35663 35665 35667 35669 35671 35673 35675
## 11 19 19 20 10 17 14 21 12 12
## 35677 35679 35681 35685 35687 35689 35693 35695 35697 35701
## 13 14 10 17 9 10 18 17 13 20
## 35703 35705 35707 35709 35711 35713 35717 35719 35721 35723
## 13 12 12 10 12 12 16 16 14 12
## 35725 35727 35729 35733 35735 35737 35739 35741 35745 35749
## 12 14 12 12 19 14 10 16 14 13
## 35751 35753 35755 35757 35763 35765 35769 35773 35775 35777
## 9 9 21 13 16 10 15 13 19 17
## 35779 35781 35783 35785 35791 35793 35795 35797 35799 35801
## 17 10 9 12 11 10 14 16 10 15
## 35805 35809 35811 35813 35815 35817 35819 35821 35823 35825
## 16 11 12 13 10 12 10 13 16 25
## 35829 35837 35841 35843 35845 35849 35851 35853 35855 35857
## 22 10 20 15 13 14 11 20 16 18
## 35859 35863 35867 35871 35873 35875 35877 35879 35885 35887
## 14 10 22 15 26 9 11 10 19 10
## 35889 35891 35897 35903 35905 35909 35911 35913 35915 35917
## 18 10 16 11 16 14 10 12 12 10
## 35919 35921 35923 35925 35929 35933 35935 35937 35939 35941
## 21 13 9 9 11 11 17 18 10 16
## 35945 35947 35951 35953 35955 35957 35959 35961 35963 35965
## 10 16 16 12 18 13 17 12 12 16
## 35967 35969 35971 35973 35975 35977 35985 35989 35991 35993
## 13 16 19 20 12 13 14 23 10 13
## 35995 36001 36003 36005 36007 36009 36013 36015 36023 36025
## 18 9 12 13 13 21 13 19 13 9
## 36031 36033 36035 36037 36039 36045 36049 36053 36055 36057
## 10 14 20 9 12 26 11 21 11 14
## 36059 36061 36063 36065 36067 36069 36071 36075 36077 36079
## 13 10 14 15 17 13 19 14 13 14
## 36081 36083 36085 36087 36091 36093 36095 36097 36101 36103
## 11 16 18 21 23 11 16 18 17 15
## 36105 36107 36113 36115 36117 36119 36123 36125 36129 36131
## 13 10 12 17 10 12 10 11 12 13
## 36133 36141 36143 36147 36149 36151 36153 36159 36161 36165
## 12 15 10 10 25 12 20 9 11 15
## 36167 36169 36171 36173 36175 36177 36179 36181 36183 36185
## 11 14 15 17 11 9 11 14 12 19
## 36187 36189 36191 36193 36195 36197 36201 36203 36205 36207
## 12 9 16 11 9 14 18 9 22 12
## 36209 36213 36215 36217 36219 36221 36223 36225 36229 36231
## 18 17 12 29 10 10 14 25 20 13
## 36233 36235 36237 36239 36241 36243 36245 36247 36249 36255
## 13 14 10 12 12 13 12 17 22 13
## 36257 36259 36263 36265 36267 36269 36271 36275 36277 36279
## 18 10 15 11 9 10 12 21 16 18
## 36283 36285 36289 36291 36293 36297 36299 36303 36305 36307
## 16 24 10 15 15 11 12 16 12 12
## 36311 36313 36315 36317 36319 36321 36323 36327 36329 36333
## 14 17 15 14 16 18 11 13 12 22
## 36335 36337 36343 36347 36351 36353 36355 36357 36359 36361
## 9 14 12 14 16 11 14 16 14 19
## 36363 36365 36369 36371 36373 36375 36379 36381 36383 36385
## 11 11 13 11 12 15 12 10 10 17
## 36387 36389 36391 36395 36397 36399 36401 36403 36405 36407
## 16 10 10 10 14 20 12 14 17 20
## 36409 36411 36413 36415 36417 36421 36423 36425 36429 36431
## 15 19 18 15 18 10 14 11 11 9
## 36433 36435 36437 36439 36441 36443 36445 36449 36451 36453
## 20 14 14 18 12 15 13 11 11 13
## 36455 36459 36461 36463 36465 36467 36471 36477 36481 36485
## 10 21 19 10 20 17 18 14 14 15
## 36491 36493 36495 36501 36503 36505 36507 36509 36511 36517
## 15 16 10 13 9 10 15 19 14 20
## 36519 36523 36525 36529 36531 36533 36535 36537 36541 36543
## 9 21 10 14 30 17 16 19 19 11
## 36545 36547 36549 36553 36555 36557 36561 36563 36565 36567
## 9 9 11 20 12 17 11 13 10 9
## 36571 36573 36575 36581 36583 36585 36589 36591 36593 36595
## 9 19 13 13 12 19 18 19 16 9
## 36597 36599 36601 36603 36609 36611 36613 36615 36617 36619
## 17 10 13 12 15 9 16 10 18 20
## 36621 36623 36625 36627 36629 36631 36637 36643 36647 36649
## 12 17 13 12 14 11 18 18 14 13
## 36651 36653 36657 36663 36667 36675 36677 36679 36681 36683
## 12 11 10 14 9 10 14 10 16 16
## 36685 36687 36689 36691 36693 36695 36697 36699 36701 36703
## 22 12 21 20 12 10 20 13 10 11
## 36709 36711 36713 36719 36721 36723 36725 36727 36729 36731
## 14 15 10 11 21 11 18 10 10 12
## 36733 36735 36737 36739 36741 36743 36745 36749 36753 36755
## 16 13 21 15 9 13 9 10 12 14
## 36757 36759 36761 36763 36765 36769 36771 36775 36777 36779
## 12 13 14 10 17 11 10 18 12 13
## 36781 36783 36785 36787 36789 36791 36795 36797 36799 36801
## 17 10 15 9 12 11 20 10 11 14
## 36805 36807 36809 36811 36815 36817 36823 36825 36829 36831
## 17 14 11 12 10 14 17 17 24 10
## 36833 36835 36837 36841 36843 36845 36847 36849 36851 36853
## 13 14 13 10 10 17 10 20 9 12
## 36855 36861 36863 36865 36867 36871 36873 36875 36877 36881
## 11 19 10 16 10 13 12 12 9 13
## 36883 36885 36887 36889 36891 36893 36895 36897 36901 36903
## 10 16 10 13 20 13 15 21 15 16
## 36905 36907 36909 36911 36913 36915 36917 36927 36929 36931
## 9 10 11 12 14 11 10 15 12 21
## 36933 36939 36941 36945 36949 36951 36953 36957 36961 36963
## 9 13 16 25 11 15 11 13 10 15
## 36965 36969 36971 36973 36975 36977 36981 36983 36987 36989
## 14 14 12 24 9 13 14 18 13 14
## 36991 36993 36995 36997 37001 37011 37019 37021 37023 37029
## 16 18 17 16 13 10 13 13 16 18
## 37033 37035 37037 37039 37041 37043 37045 37047 37049 37051
## 9 10 10 10 14 12 11 12 10 10
## 37053 37055 37057 37059 37063 37065 37067 37069 37071 37073
## 10 15 19 12 15 9 10 13 12 10
## 37075 37079 37081 37083 37085 37087 37089 37093 37095 37097
## 9 14 14 14 13 15 10 16 10 13
## 37099 37101 37103 37105 37107 37109 37111 37113 37115 37117
## 15 15 17 13 15 12 11 14 12 16
## 37119 37121 37123 37125 37127 37133 37135 37145 37147 37149
## 17 16 12 18 19 11 18 21 18 17
## 37151 37153 37155 37157 37159 37161 37165 37169 37171 37173
## 9 13 9 12 16 14 16 9 20 11
## 37175 37177 37185 37187 37189 37191 37193 37195 37199 37201
## 14 19 18 21 16 20 11 10 14 12
## 37203 37205 37207 37211 37213 37217 37221 37223 37225 37227
## 18 17 24 23 21 20 11 16 12 15
## 37229 37233 37235 37237 37239 37243 37247 37249 37251 37253
## 12 18 9 18 18 11 10 14 14 15
## 37255 37257 37259 37263 37265 37269 37275 37277 37279 37281
## 13 9 13 12 18 16 18 11 16 9
## 37283 37285 37291 37295 37297 37299 37301 37303 37305 37307
## 25 13 15 15 20 18 14 14 14 11
## 37309 37317 37319 37321 37323 37325 37327 37329 37331 37333
## 9 16 16 10 10 16 25 12 13 14
## 37335 37337 37339 37341 37343 37345 37353 37355 37361 37363
## 11 22 17 12 10 21 13 11 9 19
## 37367 37369 37373 37375 37377 37379 37381 37383 37387 37389
## 11 17 16 12 18 21 10 22 11 16
## 37395 37397 37399 37403 37407 37409 37417 37419 37421 37423
## 12 12 24 10 15 17 10 17 24 12
## 37425 37427 37429 37431 37433 37437 37439 37441 37443 37445
## 9 14 10 18 10 13 9 18 15 11
## 37447 37449 37451 37457 37463 37465 37467 37469 37471 37473
## 10 13 13 12 9 9 29 10 16 14
## 37477 37479 37481 37483 37487 37489 37491 37493 37495 37497
## 15 11 16 16 14 16 10 17 13 12
## 37499 37501 37503 37505 37507 37509 37511 37513 37515 37519
## 12 15 19 10 14 10 18 14 14 19
## 37523 37525 37527 37529 37531 37533 37535 37537 37539 37541
## 13 10 24 10 10 27 13 18 10 10
## 37543 37547 37549 37553 37555 37557 37559 37561 37563 37565
## 11 15 12 10 15 13 10 12 10 12
## 37567 37569 37571 37573 37575 37577 37579 37581 37583 37585
## 17 16 18 13 13 10 22 10 16 9
## 37597 37599 37601 37603 37605 37609 37611 37613 37615 37617
## 14 13 13 16 23 11 15 22 15 11
## 37619 37621 37623 37625 37627 37629 37631 37633 37635 37637
## 22 17 19 13 21 24 15 12 22 18
## 37639 37641 37645 37647 37649 37653 37657 37659 37661 37663
## 9 12 13 13 14 25 12 10 13 10
## 37665 37669 37671 37673 37675 37677 37685 37687 37689 37693
## 13 10 11 11 9 20 17 13 17 15
## 37697 37701 37703 37707 37709 37711 37713 37715 37719 37721
## 20 21 23 24 22 20 18 15 9 10
## 37723 37725 37727 37733 37735 37737 37739 37743 37745 37747
## 16 13 10 15 12 22 11 15 17 20
## 37749 37751 37753 37759 37761 37763 37765 37767 37769 37771
## 17 10 14 13 9 16 16 16 14 13
## 37773 37777 37781 37783 37785 37787 37789 37791 37795 37797
## 14 20 11 15 9 15 10 15 10 10
## 37799 37805 37807 37809 37811 37813 37815 37817 37819 37821
## 12 14 12 15 10 9 11 10 14 9
## 37823 37825 37827 37829 37833 37835 37837 37839 37843 37845
## 17 17 14 15 15 14 18 11 18 24
## 37847 37849 37851 37853 37855 37857 37859 37861 37863 37865
## 16 16 14 10 11 18 27 14 12 10
## 37867 37869 37871 37875 37877 37879 37881 37883 37885 37887
## 9 14 14 17 15 13 25 16 19 12
## 37891 37893 37895 37897 37899 37901 37903 37907 37911 37917
## 16 24 25 29 19 15 14 12 11 14
## 37919 37923 37925 37927 37929 37931 37933 37937 37939 37941
## 11 19 10 10 13 15 20 12 11 13
## 37943 37945 37947 37951 37953 37955 37957 37959 37963 37965
## 16 16 12 11 18 19 21 14 22 12
## 37967 37969 37971 37973 37975 37977 37981 37983 37985 37987
## 15 13 12 10 9 16 15 12 21 12
## 37989 37991 37999 38001 38005 38007 38009 38013 38015 38017
## 19 19 12 12 13 19 12 12 18 9
## 38019 38021 38023 38025 38029 38031 38033 38035 38037 38039
## 14 21 16 19 10 20 20 15 13 10
## 38043 38049 38053 38057 38059 38061 38063 38067 38069 38071
## 9 21 17 13 19 9 12 23 13 10
## 38075 38079 38083 38085 38087 38089 38095 38097 38099 38101
## 10 13 16 16 13 11 14 22 12 9
## 38105 38107 38109 38113 38117 38119 38121 38123 38125 38127
## 15 18 17 11 24 14 14 13 17 17
## 38129 38131 38137 38139 38141 38143 38145 38147 38151 38155
## 13 15 15 17 16 15 10 16 12 11
## 38157 38159 38161 38163 38167 38171 38173 38175 38177 38179
## 9 9 14 13 14 17 18 12 9 17
## 38185 38187 38189 38191 38193 38195 38197 38199 38201 38203
## 10 16 10 13 13 13 27 14 13 10
## 38205 38207 38209 38211 38217 38221 38223 38225 38227 38231
## 12 14 9 9 19 12 13 17 17 10
## 38233 38235 38241 38243 38245 38249 38251 38253 38255 38257
## 14 10 11 15 12 15 15 10 10 12
## 38259 38263 38265 38267 38271 38273 38275 38277 38279 38281
## 22 18 13 12 15 12 16 12 13 17
## 38285 38287 38289 38291 38293 38295 38297 38301 38303 38307
## 14 14 15 18 10 10 14 9 20 14
## 38309 38311 38315 38317 38321 38323 38325 38327 38331 38333
## 26 17 12 11 17 12 18 11 12 15
## 38337 38341 38343 38345 38347 38349 38357 38361 38363 38365
## 11 11 20 18 11 9 18 10 15 14
## 38367 38369 38371 38373 38375 38377 38379 38381 38387 38389
## 10 12 24 9 19 16 14 16 24 24
## 38391 38393 38395 38397 38399 38403 38405 38409 38413 38417
## 13 9 15 10 10 16 15 19 13 15
## 38421 38423 38425 38427 38429 38431 38433 38435 38437 38439
## 13 15 14 9 18 12 20 16 15 10
## 38441 38443 38445 38447 38449 38451 38453 38455 38457 38459
## 10 12 16 16 21 10 13 12 12 16
## 38461 38463 38465 38467 38469 38471 38473 38475 38477 38481
## 17 12 16 11 10 17 18 11 13 12
## 38485 38489 38495 38497 38501 38503 38505 38507 38509 38513
## 11 18 14 24 22 11 12 9 13 12
## 38517 38519 38521 38523 38525 38527 38531 38533 38537 38539
## 10 19 14 20 10 21 13 14 14 16
## 38541 38543 38545 38549 38553 38555 38557 38559 38561 38567
## 18 10 9 14 10 16 9 18 13 20
## 38569 38571 38573 38575 38577 38581 38583 38585 38587 38589
## 14 13 13 19 14 10 13 11 10 14
## 38591 38593 38595 38601 38603 38605 38607 38609 38613 38615
## 11 14 19 11 10 15 12 16 16 14
## 38617 38621 38625 38627 38629 38631 38633 38635 38637 38639
## 10 19 18 16 14 15 15 14 14 9
## 38643 38645 38649 38651 38653 38655 38659 38661 38663 38665
## 18 19 11 10 10 12 17 13 15 16
## 38667 38669 38671 38673 38675 38677 38681 38683 38685 38687
## 18 13 12 17 21 10 11 14 12 18
## 38689 38693 38695 38697 38699 38701 38703 38705 38707 38709
## 14 14 12 13 21 10 15 10 18 10
## 38713 38717 38719 38721 38723 38725 38727 38729 38731 38733
## 10 9 20 15 15 23 14 14 9 11
## 38735 38737 38741 38743 38745 38747 38749 38753 38755 38757
## 22 14 10 14 9 11 16 10 20 21
## 38759 38761 38763 38765 38767 38769 38773 38775 38777 38781
## 18 14 13 18 15 19 10 11 15 16
## 38783 38785 38787 38789 38791 38793 38795 38797 38799 38801
## 19 15 14 18 15 9 16 23 12 9
## 38803 38809 38811 38813 38815 38817 38819 38821 38825 38827
## 12 20 17 15 12 16 16 10 15 24
## 38829 38831 38833 38835 38837 38839 38843 38845 38847 38851
## 20 17 14 12 22 16 14 17 16 13
## 38855 38859 38863 38873 38877 38879 38881 38883 38885 38887
## 14 14 21 20 16 16 10 11 10 19
## 38889 38891 38893 38895 38897 38899 38901 38903 38907 38909
## 17 16 16 9 20 11 10 12 17 21
## 38911 38913 38915 38921 38923 38925 38927 38929 38931 38933
## 16 15 15 13 13 16 11 10 15 14
## 38935 38937 38939 38941 38943 38947 38949 38951 38957 38959
## 12 13 11 9 12 15 12 16 12 12
## 38961 38963 38965 38969 38971 38973 38975 38977 38981 38983
## 12 11 9 17 21 10 10 11 16 19
## 38989 38991 38993 38995 38999 39001 39005 39009 39015 39019
## 9 11 9 15 15 14 17 23 15 21
## 39025 39027 39033 39035 39037 39041 39043 39045 39047 39049
## 17 19 19 22 12 10 14 13 17 13
## 39051 39055 39057 39059 39061 39063 39065 39067 39071 39073
## 12 9 20 12 12 9 12 16 17 16
## 39075 39077 39079 39081 39083 39087 39091 39093 39095 39097
## 16 20 20 12 10 16 10 17 22 23
## 39101 39103 39107 39109 39111 39113 39117 39119 39121 39123
## 10 18 9 18 17 13 11 14 9 10
## 39125 39127 39133 39135 39139 39141 39143 39145 39147 39149
## 9 9 10 12 9 10 15 19 13 11
## 39151 39153 39155 39157 39159 39163 39165 39171 39173 39175
## 9 16 16 19 9 13 15 17 10 13
## 39177 39179 39181 39185 39187 39193 39195 39197 39199 39201
## 10 19 10 13 15 16 11 9 18 12
## 39205 39207 39209 39211 39215 39217 39219 39223 39227 39229
## 12 11 12 15 10 10 10 20 15 13
## 39233 39235 39241 39243 39247 39249 39253 39255 39257 39259
## 12 14 16 15 11 23 13 12 16 11
## 39263 39265 39269 39271 39273 39277 39279 39281 39289 39291
## 11 14 14 9 16 15 11 16 10 15
## 39293 39295 39297 39299 39301 39305 39309 39313 39315 39317
## 11 13 9 19 11 20 11 14 10 10
## 39319 39321 39325 39327 39329 39333 39339 39341 39343 39345
## 13 16 17 21 9 13 13 12 17 16
## 39347 39349 39351 39353 39355 39357 39361 39365 39367 39369
## 11 9 26 9 14 14 12 13 13 9
## 39373 39375 39383 39385 39387 39391 39393 39395 39399 39401
## 12 13 18 13 15 13 25 14 9 28
## 39403 39405 39407 39409 39413 39415 39421 39423 39425 39427
## 17 11 24 12 9 11 11 17 13 24
## 39431 39433 39435 39437 39439 39441 39443 39445 39449 39451
## 9 11 12 17 19 11 20 16 11 14
## 39455 39457 39459 39461 39463 39465 39467 39469 39471 39473
## 13 20 15 16 12 14 11 13 19 10
## 39475 39477 39481 39483 39485 39487 39491 39495 39497 39499
## 12 13 10 10 17 19 16 16 10 14
## 39505 39507 39509 39511 39513 39515 39519 39521 39523 39525
## 13 12 12 13 12 11 14 21 12 10
## 39527 39529 39533 39537 39539 39541 39543 39545 39547 39551
## 12 14 16 13 18 13 11 11 13 18
## 39553 39555 39561 39563 39567 39569 39571 39573 39575 39577
## 14 9 16 18 19 16 15 16 11 14
## 39579 39581 39589 39591 39593 39595 39597 39599 39603 39605
## 15 19 17 10 10 18 10 11 16 15
## 39607 39609 39613 39615 39621 39623 39625 39627 39629 39633
## 18 14 14 12 14 30 12 11 10 18
## 39635 39637 39639 39641 39643 39645 39651 39653 39655 39657
## 12 9 14 14 13 14 16 9 19 12
## 39659 39663 39665 39667 39671 39673 39675 39679 39681 39683
## 19 10 10 16 12 9 15 20 22 20
## 39689 39691 39693 39695 39697 39699 39701 39705 39711 39713
## 19 31 14 20 11 10 10 13 14 16
## 39715 39719 39721 39723 39725 39729 39731 39733 39735 39737
## 13 13 12 10 14 25 17 14 11 18
## 39739 39745 39747 39751 39753 39755 39757 39759 39761 39765
## 12 19 9 15 9 12 13 13 11 12
## 39767 39769 39771 39773 39775 39777 39779 39781 39783 39787
## 12 16 10 17 18 12 16 12 14 14
## 39789 39791 39793 39795 39797 39801 39803 39805 39807 39809
## 12 10 10 12 10 10 14 14 9 18
## 39811 39813 39815 39817 39819 39821 39823 39825 39827 39831
## 12 9 13 16 9 14 16 16 17 14
## 39833 39837 39839 39841 39845 39847 39849 39851 39853 39855
## 19 12 13 11 18 14 12 11 10 12
## 39857 39859 39861 39865 39867 39871 39875 39877 39879 39881
## 10 11 17 12 11 16 20 12 13 25
## 39883 39887 39889 39891 39893 39897 39899 39901 39903 39909
## 20 15 25 16 16 11 12 12 12 9
## 39911 39913 39915 39917 39919 39921 39923 39925 39927 39929
## 10 15 9 12 15 18 10 10 11 10
## 39931 39933 39935 39939 39941 39945 39947 39949 39951 39959
## 10 21 9 33 18 10 11 9 26 13
## 39961 39963 39967 39969 39971 39973 39975 39977 39983 39985
## 14 17 15 9 9 18 18 23 13 10
## 39989 39991 39993 39995 39997 39999 40001 40003 40005 40007
## 12 14 15 12 12 16 13 12 12 15
## 40009 40011 40013 40017 40019 40021 40023 40025 40027 40029
## 24 24 12 9 11 23 14 11 16 12
## 40033 40035 40039 40041 40047 40049 40051 40053 40055 40059
## 12 14 10 14 24 12 24 15 15 13
## 40063 40067 40071 40075 40077 40079 40081 40083 40085 40087
## 11 13 10 14 15 10 12 12 15 11
## 40089 40093 40095 40097 40099 40101 40103 40109 40111 40113
## 11 9 16 14 15 14 11 24 12 16
## 40115 40117 40119 40123 40125 40127 40129 40131 40133 40137
## 13 11 12 17 15 9 18 10 20 12
## 40141 40145 40147 40151 40153 40155 40157 40159 40161 40163
## 9 12 14 11 14 23 12 15 12 26
## 40167 40169 40171 40175 40179 40183 40185 40187 40191 40193
## 24 10 10 11 19 16 10 14 11 9
## 40197 40199 40201 40203 40205 40207 40209 40213 40215 40219
## 10 11 10 10 11 12 12 17 10 19
## 40225 40227 40229 40233 40235 40237 40239 40247 40249 40251
## 13 15 9 22 10 14 12 14 22 18
## 40253 40255 40257 40259 40261 40263 40269 40271 40273 40275
## 10 9 16 11 14 9 9 18 16 10
## 40277 40279 40283 40285 40287 40289 40291 40295 40299 40301
## 20 13 15 10 15 11 10 12 16 13
## 40303 40305 40307 40309 40313 40315 40317 40319 40321 40323
## 22 23 11 13 16 10 15 31 12 11
## 40325 40327 40329 40331 40333 40335 40337 40339 40343 40345
## 16 14 22 9 18 12 19 11 17 14
## 40349 40351 40355 40357 40359 40363 40365 40367 40373 40375
## 18 14 16 12 18 14 9 14 12 18
## 40377 40379 40383 40385 40387 40389 40393 40395 40397 40399
## 15 15 14 17 15 12 13 15 17 12
## 40401 40403 40407 40411 40413 40415 40417 40419 40425 40427
## 13 17 11 14 10 9 10 9 11 24
## 40429 40431 40433 40435 40437 40439 40441 40443 40445 40447
## 10 12 10 14 12 19 10 10 14 15
## 40449 40451 40455 40459 40461 40463 40469 40471 40475 40477
## 16 11 17 11 15 16 9 11 10 17
## 40479 40481 40483 40485 40487 40493 40505 40509 40511 40513
## 10 13 14 10 13 12 10 13 24 22
## 40515 40517 40519 40523 40525 40529 40531 40533 40535 40537
## 13 15 15 9 13 14 12 14 21 18
## 40539 40543 40545 40547 40551 40553 40557 40561 40563 40565
## 25 10 16 19 12 13 15 16 11 14
## 40567 40569 40571 40573 40575 40577 40579 40581 40583 40585
## 10 14 14 14 22 11 12 13 10 20
## 40587 40589 40593 40595 40597 40599 40601 40603 40605 40607
## 14 10 10 19 11 11 20 10 21 10
## 40609 40611 40613 40615 40617 40619 40621 40623 40625 40627
## 15 22 17 15 13 21 18 10 10 16
## 40633 40635 40637 40641 40643 40647 40649 40651 40653 40655
## 19 20 22 11 12 13 11 9 11 12
## 40659 40661 40665 40667 40669 40671 40673 40675 40677 40681
## 14 10 11 13 10 14 12 17 11 25
## 40685 40687 40689 40691 40693 40695 40697 40699 40701 40703
## 9 12 16 21 17 16 19 15 9 17
## 40705 40707 40711 40713 40715 40717 40719 40723 40725 40727
## 11 9 9 13 11 23 15 14 10 15
## 40729 40733 40735 40737 40739 40741 40743 40745 40747 40749
## 10 13 13 9 16 19 15 12 9 22
## 40753 40755 40761 40765 40767 40769 40771 40775 40777 40779
## 16 11 10 29 14 15 9 11 10 21
## 40781 40783 40785 40789 40791 40793 40795 40799 40805 40811
## 12 11 15 16 13 10 12 9 13 11
## 40813 40815 40821 40823 40825 40829 40831 40833 40837 40839
## 9 20 10 10 14 12 14 11 10 9
## 40841 40843 40845 40847 40849 40851 40853 40855 40857 40859
## 11 14 9 15 9 15 17 9 13 13
## 40861 40863 40867 40873 40877 40879 40881 40883 40885 40887
## 17 11 14 12 12 14 11 17 15 17
## 40889 40891 40895 40897 40899 40901 40903 40905 40907 40909
## 12 18 12 13 10 9 9 12 16 16
## 40911 40913 40921 40923 40925 40927 40929 40931 40935 40941
## 10 12 12 17 17 16 14 14 16 17
## 40943 40951 40953 40955 40957 40961 40963 40965 40967 40969
## 12 14 14 16 13 9 9 17 11 11
## 40971 40979 40981 40985 40987 40989 40991 40993 40995 40997
## 9 12 13 10 14 14 17 11 14 14
## 40999 41005 41007 41009 41011 41013 41015 41017 41019 41023
## 15 16 21 25 12 17 18 11 17 21
## 41025 41027 41029 41033 41035 41037 41041 41045 41047 41049
## 11 16 18 9 10 14 18 13 11 14
## 41051 41053 41055 41059 41061 41063 41067 41071 41073 41075
## 12 14 10 12 9 9 17 21 11 11
## 41077 41079 41085 41087 41097 41099 41101 41105 41107 41109
## 21 18 11 12 16 10 27 13 19 18
## 41111 41113 41115 41117 41121 41123 41127 41129 41131 41133
## 18 17 12 18 12 15 17 14 21 10
## 41135 41137 41139 41141 41143 41149 41153 41155 41157 41159
## 20 16 9 14 12 24 13 12 10 20
## 41163 41165 41167 41169 41171 41175 41177 41179 41181 41183
## 18 13 14 9 18 18 14 14 15 18
## 41187 41189 41191 41195 41199 41201 41203 41205 41207 41213
## 11 16 10 16 17 18 23 11 9 11
## 41215 41217 41219 41221 41227 41229 41231 41233 41235 41237
## 18 15 19 16 10 16 19 12 25 11
## 41245 41247 41249 41253 41255 41257 41259 41261 41263 41265
## 10 13 16 13 13 12 11 10 13 10
## 41267 41269 41271 41273 41275 41277 41279 41281 41283 41285
## 27 12 18 17 15 12 20 9 9 10
## 41287 41289 41291 41293 41295 41297 41299 41301 41303 41305
## 22 9 10 11 9 13 10 25 11 11
## 41309 41311 41315 41317 41319 41321 41323 41325 41331 41333
## 19 11 13 24 14 11 14 24 19 9
## 41337 41339 41343 41345 41349 41351 41353 41355 41357 41359
## 11 13 14 14 12 18 16 15 11 23
## 41361 41363 41365 41369 41371 41373 41375 41377 41379 41383
## 9 11 13 15 9 11 10 16 9 11
## 41385 41389 41393 41397 41399 41401 41403 41405 41411 41413
## 16 10 14 19 11 13 22 17 16 12
## 41415 41417 41421 41423 41425 41427 41429 41431 41433 41435
## 16 11 11 11 14 12 23 10 14 14
## 41437 41443 41445 41447 41449 41451 41453 41455 41457 41461
## 12 16 16 13 20 10 11 12 22 13
## 41463 41465 41467 41469 41471 41475 41481 41483 41485 41487
## 16 9 12 10 10 15 12 19 23 9
## 41489 41491 41495 41497 41499 41501 41503 41505 41507 41511
## 19 16 18 15 10 13 13 13 22 14
## 41515 41517 41525 41527 41529 41531 41533 41537 41539 41541
## 15 18 14 15 11 10 11 16 14 13
## 41543 41551 41553 41555 41559 41561 41563 41565 41569 41571
## 13 12 14 14 17 17 14 17 10 22
## 41575 41577 41579 41583 41585 41587 41589 41593 41597 41599
## 12 18 14 14 14 9 12 9 15 16
## 41601 41605 41607 41609 41613 41615 41619 41621 41625 41627
## 17 19 10 10 12 9 12 10 10 16
## 41631 41633 41635 41639 41641 41643 41647 41649 41651 41653
## 11 19 9 19 17 22 18 14 24 17
## 41655 41659 41661 41665 41669 41671 41673 41675 41677 41679
## 10 12 13 20 11 11 19 13 12 19
## 41681 41683 41685 41687 41689 41691 41693 41695 41697 41699
## 11 21 10 14 15 10 13 17 12 13
## 41701 41703 41705 41707 41709 41711 41713 41715 41717 41719
## 10 17 18 21 14 16 12 18 12 19
## 41721 41723 41725 41729 41733 41737 41741 41743 41745 41747
## 10 12 11 9 16 9 12 13 15 25
## 41751 41753 41755 41761 41763 41765 41769 41771 41773 41775
## 18 13 9 14 15 14 13 9 23 12
## 41777 41781 41785 41789 41791 41793 41795 41797 41801 41803
## 9 14 18 10 18 22 13 9 11 12
## 41805 41807 41811 41813 41815 41819 41823 41827 41831 41833
## 16 14 19 12 13 10 10 10 15 13
## 41837 41839 41841 41845 41847 41849 41855 41857 41859 41863
## 13 14 10 9 18 10 17 16 12 19
## 41865 41867 41869 41871 41873 41877 41879 41881 41883 41885
## 10 22 13 19 28 18 19 19 10 17
## 41889 41891 41893 41895 41899 41901 41903 41905 41907 41909
## 11 13 14 12 20 14 17 20 16 12
## 41911 41915 41917 41919 41921 41923 41925 41927 41931 41933
## 13 13 14 18 14 14 16 20 17 12
## 41935 41937 41939 41941 41943 41945 41947 41949 41951 41953
## 18 15 17 14 20 15 14 14 10 11
## 41955 41957 41959 41961 41963 41967 41969 41971 41973 41975
## 21 18 12 19 14 15 14 13 12 20
## 41979 41981 41983 41985 41987 41991 41993 41995 41997 41999
## 12 10 14 11 11 22 17 14 11 19
## 42003 42005 42007 42009 42011 42013 42017 42019 42021 42025
## 13 20 11 17 21 13 10 17 9 9
## 42027 42029 42031 42033 42035 42037 42039 42041 42043 42045
## 12 16 12 13 18 19 20 14 12 11
## 42047 42053 42055 42057 42059 42061 42063 42065 42067 42069
## 18 12 16 13 15 20 12 13 12 18
## 42071 42073 42075 42077 42079 42081 42087 42089 42091 42093
## 12 11 10 14 18 9 14 20 11 11
## 42095 42099 42103 42105 42107 42109 42111 42119 42121 42123
## 9 10 17 11 12 11 14 11 9 15
## 42125 42127 42129 42131 42135 42137 42139 42141 42147 42149
## 10 13 10 18 17 11 21 10 19 10
## 42151 42155 42157 42161 42163 42165 42167 42169 42171 42173
## 18 10 12 13 16 15 16 11 17 12
## 42175 42177 42179 42181 42183 42185 42187 42189 42193 42195
## 10 20 22 14 16 15 17 18 24 17
## 42199 42201 42203 42207 42209 42211 42215 42217 42221 42223
## 17 15 14 11 10 11 15 16 9 16
## 42225 42227 42229 42231 42233 42235 42239 42241 42243 42245
## 10 12 14 15 12 10 20 14 22 9
## 42247 42249 42251 42255 42257 42259 42261 42263 42265 42267
## 9 22 14 20 15 15 18 13 10 13
## 42269 42271 42273 42275 42285 42289 42291 42295 42299 42301
## 10 12 9 11 12 9 14 17 17 19
## 42303 42305 42307 42309 42311 42317 42321 42323 42325 42329
## 15 18 11 13 13 13 14 9 16 14
## 42333 42339 42343 42347 42349 42351 42353 42355 42357 42359
## 17 12 16 13 14 21 13 20 12 16
## 42361 42363 42367 42371 42373 42375 42377 42383 42385 42389
## 18 10 13 18 14 14 15 17 18 13
## 42391 42393 42395 42397 42399 42403 42407 42409 42413 42419
## 14 13 14 14 17 18 13 14 10 11
## 42421 42423 42425 42427 42429 42433 42435 42437 42439 42441
## 13 11 21 10 14 9 22 10 22 16
## 42443 42445 42447 42449 42455 42457 42459 42461 42463 42465
## 20 14 13 21 15 14 16 20 13 16
## 42467 42469 42471 42473 42475 42481 42483 42485 42487 42489
## 11 11 13 23 11 18 14 10 18 15
## 42491 42495 42499 42505 42507 42509 42511 42513 42515 42517
## 17 16 11 15 18 9 18 11 19 9
## 42519 42521 42523 42527 42529 42531 42535 42537 42539 42541
## 10 17 9 19 15 9 17 15 9 9
## 42543 42545 42547 42549 42553 42555 42557 42559 42561 42563
## 19 14 12 13 10 9 16 14 11 16
## 42565 42567 42569 42571 42575 42579 42581 42583 42585 42589
## 12 14 19 10 11 16 18 16 13 16
## 42593 42597 42599 42601 42603 42605 42607 42609 42611 42613
## 22 11 17 12 11 16 15 10 12 23
## 42619 42621 42623 42627 42629 42631 42635 42637 42641 42643
## 9 14 10 12 13 10 13 16 9 11
## 42645 42647 42653 42655 42657 42661 42663 42665 42667 42669
## 17 10 17 14 21 14 13 13 12 12
## 42671 42673 42675 42677 42679 42681 42683 42687 42691 42695
## 9 17 10 16 17 17 13 10 10 14
## 42697 42699 42701 42703 42707 42709 42711 42715 42723 42725
## 12 20 12 20 13 12 11 12 18 13
## 42727 42729 42733 42735 42737 42741 42743 42745 42747 42749
## 14 11 10 12 15 10 19 10 24 9
## 42751 42753 42755 42759 42761 42763 42765 42767 42769 42771
## 11 10 10 12 14 11 15 13 15 12
## 42775 42779 42789 42791 42793 42797 42799 42801 42803 42805
## 18 21 32 10 9 12 15 10 13 14
## 42811 42815 42819 42821 42823 42825 42827 42833 42835 42837
## 12 11 10 14 9 14 10 16 11 14
## 42839 42841 42843 42845 42847 42849 42851 42853 42855 42857
## 10 14 9 11 13 21 19 14 15 10
## 42859 42865 42867 42873 42875 42877 42879 42881 42883 42885
## 12 9 15 14 11 11 18 19 16 16
## 42887 42891 42893 42895 42897 42899 42901 42903 42905 42907
## 17 24 9 13 11 15 13 12 10 14
## 42909 42911 42915 42917 42919 42921 42923 42927 42929 42931
## 13 9 12 20 12 16 13 14 11 15
## 42933 42935 42937 42941 42943 42945 42947 42949 42951 42953
## 12 16 14 14 19 15 12 10 16 14
## 42955 42957 42959 42965 42967 42969 42971 42973 42977 42979
## 11 16 16 19 13 12 17 17 11 10
## 42981 42983 42987 42989 42991 42993 42995 42997 42999 43001
## 26 14 13 12 9 12 20 14 14 20
## 43003 43005 43007 43011 43015 43017 43019 43021 43023 43025
## 15 12 13 14 18 16 11 18 13 11
## 43027 43029 43037 43039 43041 43043 43045 43051 43053 43055
## 11 17 15 19 12 10 14 11 18 20
## 43057 43059 43061 43063 43065 43067 43069 43073 43075 43077
## 15 16 13 15 9 15 11 9 20 15
## 43085 43087 43089 43093 43097 43099 43101 43103 43105 43111
## 21 13 11 13 16 18 20 10 11 10
## 43113 43115 43117 43119 43123 43125 43127 43131 43133 43139
## 12 14 13 16 37 16 13 9 15 16
## 43147 43149 43151 43155 43157 43159 43161 43163 43165 43167
## 26 19 11 11 13 14 14 12 14 22
## 43169 43171 43173 43177 43179 43181 43185 43189 43191 43195
## 14 22 18 12 13 13 15 11 17 16
## 43197 43199 43203 43205 43209 43211 43213 43215 43217 43219
## 19 17 14 15 10 16 15 11 10 14
## 43225 43227 43229 43233 43235 43237 43239 43241 43243 43245
## 18 12 18 17 14 14 14 12 11 13
## 43247 43251 43253 43255 43257 43259 43261 43263 43267 43269
## 22 16 13 17 15 11 16 10 11 10
## 43271 43273 43275 43277 43279 43281 43283 43285 43287 43291
## 12 13 10 11 15 12 14 10 14 11
## 43293 43295 43299 43301 43303 43305 43307 43309 43313 43317
## 10 21 16 19 9 20 12 12 12 12
## 43321 43323 43325 43327 43329 43331 43333 43335 43337 43339
## 21 12 9 23 9 11 17 14 13 16
## 43341 43343 43347 43349 43351 43353 43355 43357 43359 43361
## 9 15 21 12 13 13 9 9 23 10
## 43363 43365 43367 43369 43371 43375 43379 43381 43385 43387
## 19 11 17 15 15 18 11 17 14 16
## 43389 43393 43395 43397 43401 43403 43407 43409 43411 43413
## 20 10 14 13 19 16 11 11 17 14
## 43415 43417 43419 43421 43423 43425 43427 43429 43433 43437
## 10 11 25 14 14 12 13 9 10 13
## 43439 43441 43443 43445 43449 43451 43457 43461 43463 43465
## 14 13 13 9 12 17 11 11 10 12
## 43467 43469 43471 43473 43475 43477 43481 43483 43485 43487
## 12 9 14 10 10 11 9 12 12 10
## 43489 43495 43499 43503 43507 43509 43511 43513 43515 43517
## 12 9 17 12 13 17 23 13 14 16
## 43519 43525 43527 43529 43535 43537 43539 43541 43543 43545
## 12 16 14 9 22 15 14 10 9 12
## 43547 43549 43551 43555 43559 43563 43565 43567 43569 43571
## 15 19 16 9 19 11 15 12 14 21
## 43573 43575 43577 43579 43581 43583 43585 43587 43589 43593
## 13 17 9 11 16 9 12 11 10 11
## 43595 43597 43599 43601 43603 43607 43609 43611 43613 43615
## 10 14 21 11 10 12 9 10 11 17
## 43617 43619 43623 43627 43631 43633 43637 43639 43641 43643
## 10 13 19 14 15 16 23 9 10 19
## 43645 43651 43653 43655 43657 43659 43661 43663 43665 43667
## 14 15 12 10 18 14 9 9 17 16
## 43669 43671 43675 43677 43679 43681 43683 43685 43687 43693
## 9 10 16 19 9 11 17 15 10 13
## 43697 43699 43701 43703 43711 43713 43715 43717 43719 43721
## 16 12 10 11 12 24 12 12 15 11
## 43723 43729 43733 43737 43739 43743 43745 43747 43751 43753
## 14 10 9 14 17 16 13 12 21 13
## 43757 43761 43765 43769 43771 43773 43775 43777 43779 43781
## 13 12 18 26 14 19 16 18 18 16
## 43785 43787 43789 43791 43795 43797 43799 43801 43803 43807
## 24 9 9 9 10 16 18 21 13 11
## 43811 43813 43815 43817 43819 43821 43825 43827 43829 43831
## 16 14 16 10 11 16 15 24 10 22
## 43833 43835 43839 43841 43845 43849 43851 43855 43857 43861
## 16 17 24 13 9 13 20 12 9 14
## 43863 43869 43871 43873 43875 43877 43881 43883 43885 43887
## 26 16 10 17 19 10 16 13 18 16
## 43889 43891 43895 43897 43899 43905 43907 43909 43911 43913
## 21 11 11 12 9 13 9 13 12 15
## 43915 43917 43919 43921 43923 43927 43929 43931 43937 43939
## 15 20 11 18 15 9 20 18 17 12
## 43941 43943 43945 43949 43957 43961 43963 43967 43969 43973
## 14 10 15 17 11 16 9 14 12 18
## 43975 43977 43979 43985 43987 43989 43991 43993 43997 43999
## 11 20 18 11 11 18 10 10 10 18
## 44001 44005 44007 44009 44011 44015 44017 44021 44023 44027
## 16 17 15 12 12 11 15 9 14 20
## 44029 44035 44037 44039 44043 44045 44047 44049 44055 44057
## 17 15 16 9 12 18 14 16 12 14
## 44059 44063 44065 44069 44073 44079 44081 44083 44087 44093
## 9 9 22 15 10 19 10 16 12 14
## 44095 44103 44105 44107 44109 44113 44115 44117 44119 44121
## 10 20 17 9 9 15 18 10 21 21
## 44123 44125 44129 44131 44135 44139 44141 44143 44147 44149
## 17 15 17 11 9 10 16 23 22 12
## 44153 44155 44157 44159 44161 44163 44165 44167 44169 44171
## 9 16 20 11 10 16 21 12 29 15
## 44173 44177 44179 44185 44187 44189 44191 44193 44195 44197
## 14 15 13 10 9 19 12 13 15 16
## 44199 44201 44203 44205 44207 44209 44211 44213 44217 44219
## 10 17 15 10 12 16 9 12 13 9
## 44221 44223 44225 44229 44231 44233 44235 44237 44239 44245
## 12 10 17 14 23 14 14 11 11 26
## 44247 44249 44251 44255 44259 44263 44265 44267 44269 44271
## 22 15 13 16 10 17 23 16 15 12
## 44273 44275 44277 44279 44281 44283 44285 44293 44297 44299
## 10 19 17 19 9 13 14 9 13 15
## 44301 44303 44305 44309 44311 44313 44317 44319 44321 44323
## 22 12 23 12 11 11 13 15 10 11
## 44325 44327 44329 44331 44333 44335 44339 44341 44343 44347
## 20 15 25 9 11 14 9 12 11 21
## 44349 44353 44355 44357 44361 44363 44367 44369 44373 44375
## 10 13 17 11 15 12 20 10 12 11
## 44377 44381 44383 44387 44389 44391 44399 44403 44405 44407
## 16 12 17 12 15 10 9 20 15 13
## 44413 44415 44417 44423 44425 44427 44429 44433 44437 44439
## 16 18 21 12 25 9 15 12 11 15
## 44441 44443 44445 44447 44449 44451 44453 44457 44461 44463
## 12 14 10 21 18 14 12 11 12 12
## 44465 44467 44469 44471 44473 44475 44479 44489 44491 44499
## 10 22 18 17 24 10 22 12 10 13
## 44501 44503 44505 44507 44509 44513 44515 44517 44521 44523
## 15 15 17 12 20 14 10 12 23 11
## 44525 44527 44529 44531 44533 44537 44541 44545 44547 44551
## 9 24 15 12 21 15 20 10 9 11
## 44553 44555 44557 44559 44561 44563 44565 44567 44569 44571
## 21 17 22 13 18 12 10 32 17 12
## 44573 44575 44577 44579 44581 44583 44585 44587 44589 44599
## 11 15 11 10 14 10 17 13 19 12
## 44601 44603 44605 44607 44609 44613 44615 44617 44619 44621
## 10 18 19 13 9 15 15 14 16 14
## 44623 44625 44627 44629 44631 44635 44637 44641 44645 44647
## 9 15 16 11 10 14 13 10 13 12
## 44649 44653 44655 44657 44659 44663 44665 44667 44669 44671
## 10 20 12 10 13 15 9 20 12 14
## 44673 44675 44681 44683 44685 44687 44689 44695 44697 44699
## 16 11 12 10 9 17 16 12 13 13
## 44703 44707 44709 44711 44713 44715 44719 44723 44725 44729
## 15 15 18 15 16 19 19 16 13 14
## 44731 44735 44737 44739 44741 44743 44747 44755 44757 44759
## 14 10 16 10 13 18 16 25 14 14
## 44761 44765 44769 44771 44775 44777 44779 44785 44787 44789
## 14 12 12 9 14 11 20 20 11 13
## 44793 44795 44797 44799 44803 44807 44813 44815 44819 44821
## 25 11 14 10 17 19 14 10 12 23
## 44823 44825 44833 44837 44839 44841 44843 44845 44847 44849
## 13 10 14 14 9 16 11 15 20 9
## 44851 44855 44857 44859 44861 44863 44865 44867 44869 44875
## 12 17 14 14 14 14 14 15 17 16
## 44877 44881 44883 44885 44889 44891 44893 44895 44899 44903
## 18 17 12 19 11 11 10 16 18 20
## 44905 44909 44913 44915 44919 44921 44923 44925 44927 44931
## 19 18 22 14 14 13 16 15 20 13
## 44933 44935 44937 44941 44945 44947 44949 44951 44953 44957
## 12 17 16 10 12 11 10 10 15 19
## 44959 44961 44963 44965 44967 44969 44971 44973 44977 44979
## 23 20 12 11 10 17 9 11 9 19
## 44981 44985 44987 44989 44993 44995 44997 45001 45003 45005
## 12 11 9 18 17 10 11 12 28 13
## 45007 45009 45013 45015 45019 45025 45027 45029 45031 45035
## 20 12 13 9 14 10 16 9 17 19
## 45037 45039 45041 45043 45045 45049 45051 45055 45057 45059
## 11 19 16 10 11 9 25 11 12 10
## 45061 45063 45065 45069 45071 45075 45077 45079 45081 45085
## 12 10 12 26 18 17 24 12 19 17
## 45087 45089 45091 45093 45095 45097 45099 45101 45105 45107
## 22 9 10 10 10 12 10 12 17 22
## 45109 45111 45113 45117 45119 45121 45123 45125 45127 45131
## 10 10 12 17 13 10 16 14 19 14
## 45133 45135 45137 45143 45145 45147 45149 45151 45153 45157
## 12 20 14 10 9 16 19 11 13 15
## 45159 45165 45169 45171 45173 45175 45179 45181 45183 45189
## 11 14 11 16 13 12 18 10 13 16
## 45193 45195 45197 45199 45201 45205 45207 45209 45211 45213
## 10 10 13 14 13 13 17 18 11 9
## 45215 45217 45219 45221 45231 45235 45237 45239 45245 45247
## 13 14 10 15 22 16 11 15 16 21
## 45249 45251 45253 45255 45257 45261 45263 45265 45267 45271
## 22 18 18 13 18 13 10 9 14 16
## 45273 45275 45279 45285 45287 45289 45291 45293 45295 45301
## 14 13 14 9 12 19 13 17 15 13
## 45303 45305 45307 45309 45311 45313 45315 45317 45321 45327
## 9 9 24 11 17 9 16 17 14 15
## 45329 45331 45333 45337 45339 45345 45347 45349 45351 45353
## 14 12 18 14 14 17 11 9 9 11
## 45357 45363 45365 45369 45371 45373 45375 45377 45379 45381
## 9 20 19 24 25 15 10 9 13 20
## 45383 45385 45387 45389 45395 45399 45401 45405 45407 45411
## 21 9 18 12 11 19 12 12 10 10
## 45413 45415 45417 45419 45423 45425 45427 45429 45431 45433
## 9 13 12 13 16 17 15 12 10 10
## 45435 45437 45439 45445 45447 45449 45451 45453 45455 45457
## 9 16 10 11 15 14 10 15 11 11
## 45459 45461 45463 45469 45471 45475 45477 45481 45483 45485
## 11 10 11 13 11 9 15 9 9 16
## 45489 45491 45493 45495 45499 45503 45505 45507 45509 45511
## 17 23 12 14 10 14 11 26 9 27
## 45513 45515 45517 45519 45521 45523 45525 45527 45529 45531
## 15 13 17 13 14 14 11 10 14 17
## 45533 45535 45539 45541 45543 45547 45549 45551 45553 45555
## 13 24 10 9 14 25 15 18 10 11
## 45557 45561 45563 45565 45567 45569 45571 45573 45575 45581
## 13 11 10 13 11 14 9 14 11 12
## 45585 45587 45591 45593 45595 45597 45601 45607 45609 45613
## 10 10 14 17 9 9 11 19 14 19
## 45615 45617 45623 45625 45627 45629 45631 45633 45635 45637
## 13 14 10 15 9 18 18 20 16 11
## 45639 45641 45643 45645 45647 45649 45653 45655 45661 45665
## 12 9 11 13 21 16 18 10 10 15
## 45667 45675 45677 45679 45681 45683 45685 45689 45691 45697
## 12 12 11 12 12 14 19 10 22 12
## 45699 45701 45703 45705 45707 45709 45711 45713 45715 45717
## 12 15 10 15 17 9 11 10 11 12
## 45719 45721 45723 45727 45729 45731 45733 45735 45737 45741
## 13 10 14 14 15 10 18 19 22 17
## 45743 45747 45749 45751 45753 45755 45757 45759 45763 45765
## 23 13 10 14 23 23 12 14 23 16
## 45769 45773 45775 45777 45779 45781 45785 45787 45789 45795
## 15 10 17 13 10 11 10 15 10 15
## 45799 45803 45805 45807 45813 45815 45817 45821 45823 45825
## 14 12 24 22 11 13 23 9 9 13
## 45829 45831 45833 45835 45837 45839 45841 45845 45847 45849
## 12 13 9 12 16 14 23 10 10 14
## 45851 45855 45857 45861 45865 45869 45871 45877 45879 45881
## 13 18 14 9 19 11 23 14 21 12
## 45883 45885 45887 45891 45893 45895 45897 45899 45901 45903
## 11 15 20 20 12 12 12 12 13 10
## 45905 45907 45909 45911 45913 45915 45919 45923 45925 45927
## 27 14 9 21 20 34 13 15 15 13
## 45929 45931 45937 45939 45941 45947 45953 45955 45957 45961
## 15 15 9 10 18 12 15 10 14 28
## 45963 45967 45969 45973 45975 45977 45979 45983 45985 45989
## 12 14 14 12 14 14 10 9 16 21
## 45993 45995 45997 46001 46005 46009 46011 46021 46025 46031
## 21 13 11 20 14 20 12 14 21 12
## 46033 46035 46037 46039 46041 46043 46045 46047 46049 46053
## 11 9 15 14 13 18 11 16 10 18
## 46055 46057 46059 46061 46065 46067 46069 46075 46077 46079
## 10 15 12 11 10 13 23 9 14 10
## 46081 46083 46085 46087 46089 46091 46093 46095 46097 46101
## 15 10 10 11 12 11 9 12 13 11
## 46103 46107 46111 46113 46115 46117 46119 46123 46127 46131
## 13 12 11 14 16 11 9 12 10 11
## 46135 46137 46139 46141 46143 46145 46147 46149 46151 46153
## 15 9 13 14 12 17 10 20 17 9
## 46155 46157 46159 46161 46163 46169 46171 46175 46177 46183
## 13 14 14 12 16 25 12 12 19 29
## 46185 46187 46189 46191 46195 46197 46199 46201 46203 46205
## 13 16 13 17 16 10 13 13 17 12
## 46207 46219 46223 46225 46227 46229 46233 46235 46237 46239
## 13 12 11 10 14 9 20 15 12 18
## 46241 46243 46245 46251 46255 46257 46261 46263 46265 46267
## 12 14 13 12 15 12 17 18 10 16
## 46269 46271 46273 46275 46279 46281 46283 46287 46289 46291
## 10 22 11 18 10 12 13 12 14 15
## 46293 46295 46297 46299 46301 46303 46305 46307 46309 46311
## 14 16 16 12 20 19 11 10 12 13
## 46313 46317 46321 46323 46325 46327 46329 46331 46333 46339
## 14 13 14 17 15 14 11 24 13 14
## 46341 46343 46345 46347 46349 46351 46355 46357 46363 46365
## 10 10 10 10 14 13 12 18 12 13
## 46367 46369 46371 46373 46375 46377 46381 46383 46385 46387
## 14 22 16 15 9 10 24 10 17 14
## 46389 46391 46395 46401 46403 46405 46407 46409 46411 46413
## 19 9 12 15 11 12 16 10 13 15
## 46415 46417 46419 46421 46423 46427 46429 46435 46437 46439
## 14 17 16 17 14 23 19 9 19 10
## 46441 46443 46445 46447 46449 46451 46453 46455 46457 46459
## 12 17 10 12 20 14 13 11 18 20
## 46461 46463 46465 46467 46469 46473 46479 46481 46483 46485
## 14 12 20 13 14 17 19 16 22 16
## 46489 46491 46493 46495 46497 46499 46501 46505 46507 46509
## 14 12 16 14 12 11 19 16 26 16
## 46513 46515 46517 46521 46523 46525 46527 46529 46531 46533
## 12 18 16 23 15 13 10 11 9 20
## 46535 46537 46539 46541 46543 46545 46547 46549 46553 46561
## 10 10 14 11 14 10 15 16 18 12
## 46563 46565 46567 46571 46573 46575 46577 46579 46581 46583
## 10 10 9 20 12 22 10 17 13 17
## 46585 46587 46593 46595 46597 46599 46601 46603 46605 46609
## 19 12 18 16 11 10 23 13 12 16
## 46611 46613 46615 46619 46621 46627 46633 46635 46637 46641
## 9 11 10 16 11 10 17 17 14 12
## 46643 46645 46647 46649 46651 46653 46657 46659 46661 46663
## 14 9 10 10 13 18 12 11 12 12
## 46667 46669 46671 46673 46675 46677 46679 46681 46685 46687
## 10 15 13 18 25 17 16 10 20 18
## 46689 46691 46693 46695 46697 46699 46701 46703 46705 46707
## 11 10 9 14 13 12 13 18 18 11
## 46711 46715 46719 46721 46723 46725 46729 46731 46735 46737
## 10 10 20 10 11 21 13 10 13 11
## 46739 46741 46743 46747 46749 46753 46755 46759 46767 46769
## 13 15 14 10 16 12 23 19 13 18
## 46771 46773 46775 46777 46779 46783 46791 46793 46795 46797
## 12 10 20 15 20 12 22 15 12 10
## 46799 46801 46803 46805 46807 46811 46813 46815 46819 46821
## 20 12 21 11 12 11 14 16 10 16
## 46823 46825 46827 46829 46831 46837 46839 46847 46851 46853
## 10 18 12 13 14 14 19 13 12 18
## 46857 46863 46869 46871 46875 46877 46879 46881 46883
## 11 17 12 14 9 11 9 10 13
top_countries
##
## US FR UY BR DE CN RU NL AU GB
## 3580264 1970352 1704311 1275052 816246 777290 480333 340540 252246 243391
## MX VN PH KR HK IN PL TW LT TH
## 185064 156944 144097 139409 128384 126641 122528 100753 94570 89093
## PK PS MU AE ID CR IR TR SE SG
## 78509 48603 48394 43636 42344 39779 38725 35698 35686 31278
## PA LK JP BO HN EG VE ES CL CA
## 29898 27121 26360 24851 20460 19964 19715 19179 18266 17422
## AR IT SA GR PY CO UA AT PE MY
## 15741 14806 13693 13538 12716 12044 11934 9761 8650 8507
## BD KH RO ET SD KZ CH LV BG KW
## 8097 7639 5381 4173 4167 3970 3770 3735 3580 3509
## ZA MD EC LU TN IE CY NZ IL UZ
## 3138 3027 2812 2705 2700 2676 2584 2534 2461 2393
## BE MK GE KM DZ PT IQ IS CZ HU
## 1992 1982 1980 1931 1897 1817 1802 1799 1771 1661
## KE BY AZ NG MV AM MN BZ NO HR
## 1574 1562 1462 1454 1374 1321 1298 1139 1131 1115
## SV DK NP MA NI JO AL LB KG RS
## 1072 925 903 901 881 848 746 735 684 672
## FI DO ZM GH GT QA SI MO UG SN
## 600 538 510 489 483 466 450 442 440 420
## LR SY SK TZ MM LA BA BN BH SC
## 358 347 338 338 334 325 299 279 269 248
## AO ZW MQ JM BW BB OM PR TJ SR
## 238 233 227 207 205 151 142 124 123 121
## RW MT TT EE CM MW RE SL LY PG
## 120 114 114 104 100 96 90 80 79 75
## MG ME CD GN NE AD MZ LS BF AF
## 74 71 66 59 53 51 49 47 42 41
## CG TG FJ CI BS HT GM GY BI GU
## 40 30 29 27 23 22 20 20 18 17
## GA TD BJ NC YE YT NF BV AG GL
## 14 11 10 10 10 10 9 8 7 6
## PW ER GQ KY SB CV GP BT KN TM
## 6 4 4 4 4 3 3 2 2 2
## GI SO VG VI VU
## 1 1 1 1 1
table(as.factor(clamscan_hashes$ClamAV))
##
## Empty file
## 1
## Heuristics.W32.Parite.B
## 1
## Multios.Coinminer.Miner-6781728-2
## 3
## OK
## 770
## Txt.Trojan.XMRig-9915823-0
## 2
## Unix.Dropper.Mirai-7135858-0
## 5
## Unix.Dropper.Mirai-7135870-0
## 12
## Unix.Dropper.Mirai-7135881-0
## 9
## Unix.Dropper.Mirai-7135890-0
## 55
## Unix.Dropper.Mirai-7135906-0
## 3
## Unix.Dropper.Mirai-7135925-0
## 10
## Unix.Dropper.Mirai-7135928-0
## 4
## Unix.Dropper.Mirai-7135957-0
## 9
## Unix.Dropper.Mirai-7135965-0
## 52
## Unix.Dropper.Mirai-7135968-0
## 1
## Unix.Dropper.Mirai-7136014-0
## 2
## Unix.Dropper.Mirai-7136015-0
## 9
## Unix.Dropper.Mirai-7136035-0
## 8
## Unix.Dropper.Mirai-7136288-0
## 12
## Unix.Dropper.Mirai-7138865-0
## 19
## Unix.Dropper.Mirai-7139232-0
## 16
## Unix.Dropper.Mirai-7171431-0
## 1
## Unix.Dropper.Mirai-7341644-0
## 1
## Unix.Dropper.Mirai-7355719-0
## 1
## Unix.Dropper.Mirai-7360510-0
## 7
## Unix.Dropper.Mirai-7464847-0
## 23
## Unix.Dropper.Mirai-7816558-0
## 2
## Unix.Dropper.Mirai-8011185-0
## 1
## Unix.Dropper.Mirai-9961242-0
## 6
## Unix.Dropper.Mirai-9965028-0
## 2
## Unix.Malware.Agent-7141082-0
## 2
## Unix.Malware.Agent-7464514-0
## 1
## Unix.Malware.Mirai-9950761-0
## 10
## Unix.Tool.Dnsamp-7647492-0
## 1
## Unix.Tool.Generic-7660958-0
## 1
## Unix.Trojan.Agent-37008
## 1
## Unix.Trojan.Agent-37066
## 1
## Unix.Trojan.Gafgyt-6981154-0
## 8
## Unix.Trojan.Gafgyt-6981156-0
## 4
## Unix.Trojan.Gafgyt-7641309-0
## 2
## Unix.Trojan.Gafgyt-9499853-0
## 1
## Unix.Trojan.Generic-9917199-0
## 1
## Unix.Trojan.Mirai-6976991-0
## 33
## Unix.Trojan.Mirai-6981169-0
## 3
## Unix.Trojan.Mirai-6981989-0
## 29
## Unix.Trojan.Mirai-7100807-0
## 33
## Unix.Trojan.Mirai-7135937-0
## 13
## Unix.Trojan.Mirai-7138377-0
## 4
## Unix.Trojan.Mirai-7139482-0
## 1
## Unix.Trojan.Mirai-7666587-0
## 7
## Unix.Trojan.Mirai-7669677-0
## 9
## Unix.Trojan.Mirai-7829191-0
## 5
## Unix.Trojan.Mirai-7831925-0
## 1
## Unix.Trojan.Mirai-7846756-0
## 2
## Unix.Trojan.Mirai-7853646-0
## 1
## Unix.Trojan.Mirai-8011183-0
## 2
## Unix.Trojan.Mirai-8026838-0
## 2
## Unix.Trojan.Mirai-9769110-0
## 1
## Unix.Trojan.Mirai-9770090-0
## 1
## Unix.Trojan.Mirai-9853181-0
## 7
## Unix.Trojan.Mirai-9854559-0
## 1
## Unix.Trojan.Mirai-9866113-0
## 1
## Unix.Trojan.Mirai-9894781-0
## 13
## Unix.Trojan.Mirai-9907086-0
## 8
## Unix.Trojan.Mirai-9936831-0
## 7
## Unix.Trojan.Mirai-9939496-0
## 1
## Unix.Trojan.Mirai-9940367-0
## 3
## Unix.Trojan.Mirai-9942909-0
## 7
## Unix.Trojan.Mirai-9943114-0
## 7
## Unix.Trojan.Mirai-9946361-0
## 2
## Unix.Trojan.Mirai-9948345-0
## 5
## Unix.Trojan.Mirai-9949346-0
## 5
## Unix.Trojan.Mirai-9949755-0
## 1
## Unix.Trojan.Mirai-9950082-0
## 10
## Unix.Trojan.Mirai-9950937-0
## 1
## Unix.Trojan.Mirai-9954198-0
## 20
## Unix.Trojan.Mirai-9954878-0
## 12
## Unix.Trojan.Mirai-9955102-0
## 6
## Unix.Trojan.Mirai-9955243-0
## 6
## Unix.Trojan.Mirai-9956602-0
## 9
## Unix.Trojan.Mirai-9961243-0
## 1
## Unix.Trojan.Mozi-9840825-0
## 1
## Unix.Trojan.Muhstik-7555544-0
## 3
## Unix.Trojan.Spike-6301360-0
## 1
## Unix.Trojan.Tsunami-6981155-0
## 13
## Unix.Trojan.Tsunami-9845728-0
## 2
## Unix.Trojan.Tsunami-9869508-0
## 2
## Win.Downloader.Regsvr32Unregister-6335678-1
## 1
## Win.Downloader.Webdown-9850242-0
## 3
## Win.Downloader.Zegost-6484584-1
## 1
## Win.Dropper.DarkKomet-9370806-0
## 114
## Win.Dropper.Gh0stRAT-6997745-0
## 6
## Win.Dropper.Gh0stRAT-7696262-0
## 3
## Win.Dropper.Gh0stRAT-9792320-0
## 1
## Win.Dropper.Gh0stRAT-9897356-0
## 1
## Win.Exploit.Generic-9685083-0
## 2
## Win.Malware.A0jb20mi-9815631-0
## 11
## Win.Malware.Agent-6404242-0
## 1
## Win.Malware.Blouiroet-9785356-0
## 1
## Win.Malware.Generic-9968329-0
## 1
## Win.Malware.Johnnie-6858836-0
## 4
## Win.Malware.Mikey-9917879-0
## 2
## Win.Malware.Nitol-6802818-0
## 2
## Win.Malware.Nitol-9953104-0
## 2
## Win.Malware.Redosdru-9770864-0
## 1
## Win.Malware.Siscos-6993581-0
## 2
## Win.Malware.Temr-7070541-0
## 4
## Win.Malware.Zusy-9783455-0
## 2
## Win.Packed.Esfury-7649595-0
## 1
## Win.Ransomware.Wanna-9769986-0
## 2709
## Win.Spyware.78857-1
## 3
## Win.Spyware.80656-1
## 1
## Win.Trojan.Agent-6352691-0
## 1
## Win.Trojan.Agent-6354872-0
## 1
## Win.Trojan.Agent-6368865-0
## 1
## Win.Trojan.Agent-6376660-0
## 1
## Win.Trojan.Agent-6382009-0
## 1
## Win.Trojan.Agent-6429662-0
## 1
## Win.Trojan.Agent-6441339-0
## 1
## Win.Trojan.Agent-6442363-0
## 1
## Win.Trojan.Agent-6471210-0
## 1
## Win.Trojan.Agent-6479271-0
## 1
## Win.Trojan.Agent-6479896-0
## 1
## Win.Trojan.Agent-6482383-0
## 1
## Win.Trojan.Agent-6486397-0
## 1
## Win.Trojan.Agent-6497970-0
## 1
## Win.Trojan.Agent-6501829-0
## 1
## Win.Trojan.Agent-6501842-0
## 1
## Win.Trojan.Agent-6503241-0
## 1
## Win.Trojan.Agent-6505036-0
## 1
## Win.Trojan.Agent-6512880-0
## 1
## Win.Trojan.Agent-6515213-0
## 1
## Win.Trojan.Agent-6549573-0
## 1
## Win.Trojan.Agent-6562448-0
## 1
## Win.Trojan.Agent-6563389-0
## 1
## Win.Trojan.Agent-6565223-0
## 1
## Win.Trojan.Agent-6568811-0
## 1
## Win.Trojan.Agent-6570622-0
## 1
## Win.Trojan.Agent-6572174-0
## 1
## Win.Trojan.Agent-6576247-0
## 1
## Win.Trojan.Agent-6576890-0
## 1
## Win.Trojan.Agent-6577345-0
## 1
## Win.Trojan.Agent-6580643-0
## 1
## Win.Trojan.Agent-6580684-0
## 1
## Win.Trojan.Agent-6581489-0
## 1
## Win.Trojan.Agent-6582841-0
## 1
## Win.Trojan.Agent-6584103-0
## 1
## Win.Trojan.Agent-6591713-0
## 1
## Win.Trojan.Agent-6598660-0
## 1
## Win.Trojan.Agent-6602038-0
## 1
## Win.Trojan.Agent-6604168-0
## 1
## Win.Trojan.Agent-6621055-0
## 1
## Win.Trojan.Agent-6625054-0
## 1
## Win.Trojan.Agent-6639407-0
## 1
## Win.Trojan.Agent-6640099-0
## 1
## Win.Trojan.Agent-6640474-0
## 1
## Win.Trojan.Agent-6644223-0
## 1
## Win.Trojan.Agent-6645561-0
## 1
## Win.Trojan.Agent-6645965-0
## 1
## Win.Trojan.Agent-6646417-0
## 1
## Win.Trojan.Agent-6647257-0
## 1
## Win.Trojan.Agent-6666738-0
## 1
## Win.Trojan.Agent-6691585-0
## 1
## Win.Trojan.Agent-6744015-0
## 1
## Win.Trojan.Agent-6814940-0
## 1
## Win.Trojan.Farfli-7639977-0
## 2
## Win.Trojan.Farfli-9831481-0
## 1
## Win.Trojan.Gh0stRAT-8026910-0
## 1
## Win.Trojan.Gh0stRAT-9955419-1
## 4
## Win.Trojan.IRCBot-785
## 3
## Win.Trojan.MSShellcode-7
## 2
## Win.Trojan.Perl-35
## 1
## Win.Trojan.Perlbot-1
## 1
## Win.Trojan.Ramnit-1847
## 1
## Win.Trojan.Spy-16
## 1
## Win.Trojan.Zegost-7007928-0
## 1
## Win.Trojan.Zegost-8369819-0
## 1
## Win.Trojan.Zegost-9886625-1
## 1
## Win.Worm.Autorunvb-7053731-0
## 2
table(as.factor(sub("^([^,]+),.*$", "\\1", clamscan_hashes$File.Type, perl=TRUE)))
##
## ASCII text
## 113
## Audio file with ID3 version 2.3.0
## 1
## Bourne-Again shell script
## 117
## data
## 289
## ELF 32-bit LSB executable
## 494
## ELF 32-bit LSB shared object
## 1
## ELF 32-bit MSB executable
## 186
## ELF 64-bit LSB executable
## 61
## ELF 64-bit LSB pie executable
## 4
## ELF 64-bit LSB shared object
## 2
## ELF 64-bit MSB executable
## 3
## empty
## 1
## exported SGML document
## 1
## GIF image data
## 16
## gzip compressed data
## 5
## HTML document
## 21
## ISO-8859 text
## 1
## JPEG image data
## 1
## JSON data
## 10
## MS Windows COFF Motorola 68000 object file
## 1
## MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB)
## 1
## OpenPGP Secret Key
## 2
## OpenSSH RSA public key
## 3
## PE32 executable (console) Intel 80386
## 5
## PE32 executable (console) Intel 80386 Mono/.Net assembly
## 1
## PE32 executable (DLL) (GUI) Intel 80386
## 2910
## PE32 executable (GUI) Intel 80386
## 56
## PE32+ executable (console) x86-64
## 1
## PE32+ executable (GUI) x86-64 (stripped to external PDB)
## 1
## Perl script text executable
## 5
## PHP script
## 1
## POSIX shell script
## 9
## SysEx File -
## 1
## very short file (no magic)
## 1
## XML 1.0 document
## 9
## Zip archive data
## 2
write.csv(top_ssh_unpw, "unpw_ssh.csv", row.names=FALSE)
print(head(top_ssh_unpw, n=100), row.names=FALSE)
## Username Password Count
## user user 148528
## root root 20607
## admin admin 14672
## support support 5059
## user 1 3996
## root password 3253
## oracle oracle 2075
## nproc nproc 1887
## 123 123 1743
## root 123456 650
## root admin 647
## test test 624
## ubuntu ubuntu 610
## pi raspberry 581
## root 12345 494
## postgres postgres 440
## pi raspberryraspberry993311 435
## root 12345678 431
## git git 414
## root 123456789 388
## root 1qaz@WSX 381
## root 1234567890 357
## ubnt ubnt 354
## ftpuser ftpuser 333
## root P@ssw0rd 331
## ansible ansible 327
## root 1234 326
## admin 1234 324
## testuser testuser 323
## root root123 318
## root toor 303
## root admin123 301
## user 123456 296
## jenkins jenkins 293
## user1 user1 291
## ftp ftp 288
## root 1 285
## guest guest 284
## root test 272
## root 123 268
## admin password 267
## dev dev 261
## zabbix zabbix 259
## root 257
## www www 253
## root 1qaz2wsx 243
## root p@ssw0rd 243
## admin admin01 234
## root !QAZ2wsx 227
## root @ 227
## server server 219
## root redhat 206
## client client 203
## user 1234 202
## odoo odoo 201
## root eve 200
## root 0 196
## root 111111 195
## system system 192
## hadoop hadoop 188
## butter xuelp123 188
## mysql mysql 186
## admin 123456 184
## root Admin@123 184
## mc mc 181
## admin 0l0ctyQh243O63uD 177
## vagrant vagrant 174
## root admin1234 173
## system OkwKcECs8qJP2Z 173
## root abcd1234 169
## root root@123 168
## demo demo 166
## root 1234567 163
## ansible 123456 161
## root abc123 161
## ftpadmin ftpadmin 161
## teamspeak teamspeak 158
## root centos 157
## root 1q2w3e 156
## test test123 155
## root test123 154
## root 112233 153
## weblogic weblogic 153
## root root1234 150
## root Passw0rd 147
## steam steam 147
## ubuntu 123456 146
## root 1qaz@wsx 145
## a a 145
## minecraft minecraft 144
## student student 144
## es es 142
## oracle 123456 141
## admin 12345678 140
## root 1q2w3e4r 139
## root 123123 138
## admin 12345 137
## centos centos 137
## webadmin webadmin 137
## admin admin123 136
write.csv(top_other_unpw, "unpw_other.csv", row.names=FALSE)
print(head(top_other_unpw, n=100), row.names=FALSE)
## Username Password Count
## sa 7915
## 3762
## root 3574
## sa 123456 1053
## sa 1234 915
## anonymous anonymous@ 867
## sa 1qaz2wsx 716
## sa 12345 622
## sa !QAZ2wsx 614
## sa 12345678 578
## sa 123 566
## sa password 544
## sa abc123 483
## sa 1 470
## sa 123456789 468
## sa 000000 450
## sa 1111 419
## sa 123123 414
## sa Aa123456 400
## admin 396
## sa sa 390
## sa 123321 383
## sa admin@123 379
## sa ABCabc123 371
## sa sasa 371
## sa 1qaz!QAZ 363
## sa 112233 354
## sa saadmin 345
## sa qwerty 326
## sa 111111 322
## sa 654321 321
## sa 111111111 320
## sa 1234567890 315
## sa 88888888 314
## sa 123123123 309
## sa 888888 308
## sa qwertyuiop 304
## sa 123456789a 302
## sa 123456a 300
## sa 1q2w3e4r 300
## sa 5201314 300
## sa qwe123 299
## sa sa123456 299
## sa sunshine 298
## sa a123456789 297
## sa monkey 297
## sa 666666 296
## sa a123456 296
## sa password1 296
## sa welcome 296
## sa !@#$%^&* 295
## sa baseball 295
## sa sql2005 295
## sa dragon 294
## sa 1q2w3e4r5t 293
## sa football 293
## sa iloveyou 292
## sa princess 292
## sa sa123 291
## sa 123qwe 289
## sa homelesspa 289
## sa charlie 288
## sa abc 286
## sa admin 286
## sa aa123456 285
## sa sa2008 285
## sa sql2008 283
## sa passw0rd 280
## sa ^_^$$wanniMaBI:: 1433 vl 279
## sa sqlpassword 278
## sa abcdefg 276
## sa sapassword 276
## sa 4yqbm4,m`~!@~#$%^&*(),.; 275
## sa Aa12345678 274
## sa 4yqbm4,m`~!@~#$%^&*(),.; 270
## sa A123456 267
## sa ksa8hd4,m@~#$%^&*() 266
## sa !@#123qwe 223
## sa @dmin123 219
## sa admin123 218
## sa sql2000 218
## sa database 213
## sa sasasa 212
## sa sql123 211
## sa sqlpass 210
## sa adminsa 209
## sa sql2010 209
## sa p@ssword 206
## sa sa12345 205
## sa letmein 182
## anonymous qwert@qwert.ru 169
## anonymous mozilla@example.com 168
## sa 0000 161
## mssqla 1qaz2wsx 161
## anonymous anonymous 160
## usera 1qaz2wsx 151
## sa Admin@123 134
## sa 0 130
## sa 123@qwe 121
## mssqla 12345678 121
top_passwords <- rbind(top_ssh_unpw, top_other_unpw)
agg_top_pw <- aggregate(Count ~ Password, data=top_passwords, FUN=sum)
agg_top_pw <- agg_top_pw[order(-agg_top_pw$Count),]
print(head(agg_top_pw, n=100), row.names=FALSE)
## Password Count
## user 149065
## 123456 30078
## root 25098
## admin 17834
## 17494
## 123 11836
## password 11740
## 1 7725
## 1234 6782
## 12345 5475
## support 5294
## 12345678 3727
## 123123 3536
## test 3163
## 123456789 2680
## 1qaz2wsx 2476
## qwerty 2367
## oracle 2207
## abc123 2158
## 111111 1960
## nproc 1887
## 1q2w3e4r 1703
## P@ssw0rd 1673
## 1234567890 1670
## 1qaz@WSX 1506
## admin123 1470
## passw0rd 1440
## test123 1431
## 123321 1408
## 1234567 1385
## 123qwe 1359
## p@ssw0rd 1358
## pass 1302
## qwe123 1287
## 000000 1127
## !QAZ2wsx 1113
## 1111 1073
## 654321 1046
## a 1012
## password1 1009
## password123 1005
## changeme 918
## anonymous@ 867
## Passw0rd 856
## admin@123 851
## ubuntu 816
## welcome 811
## raspberry 802
## 1q2w3e 777
## 666666 777
## Aa123456 726
## 123123123 720
## qwertyuiop 704
## 112233 686
## 1qaz!QAZ 685
## qwerty123 665
## 1q2w3e4r5t 662
## abc 634
## 888888 631
## toor 627
## ABCabc123 617
## 0000 610
## ftp 606
## q1w2e3r4 595
## server 593
## ubnt 592
## abcd1234 584
## 0 576
## system 575
## 12 574
## guest 567
## passwd 564
## letmein 560
## 88888888 554
## p@ssword 552
## 5201314 542
## sa 536
## monkey 534
## dragon 526
## root123 524
## qwer1234 523
## 321 512
## princess 506
## iloveyou 504
## git 501
## Password123 501
## Pa$$w0rd 500
## postgres 500
## a123456 496
## ftpuser 493
## sasa 492
## abcdefg 490
## football 488
## 123456a 487
## 123456789a 486
## Abcd1234 486
## sunshine 485
## testuser 483
## a123456789 482
## pass123 480
g <- world_mapper(country_code_cleanup(unified_dataset$Country.Code))
g <- g + labs(title="CO.UA Honeypot: Total Incoming Connections", x="", y="")
g <- g + scale_fill_continuous(low="#000030", high="#0000E0", guide="colorbar")
g
g <- world_mapper(country_code_cleanup(unified_payloads$Country.Code))
g <- g + labs(title="CO.UA Honeypot: Received Payloads", x="", y="")
g <- g + scale_fill_continuous(low="#300000", high="#E00000", guide="colorbar")
g
agg_countries_top$Count <- agg_countries_top$Count/1000
g <- ggplot(agg_countries_top,
aes(x=Connection.Start.NoTime, y=Count, fill=Country.Name)
)
g <- g + labs(
title="CO.UA Honeypot: Established Sessions by Country",
fill="Country", x="", y="Sessions (thousands)"
)
g <- g + scale_fill_manual(values=plot_colors)
g <- anot_rect(g, agg_countries_top, "Count", "Connection.Start.NoTime")
g <- g + geom_bar(stat="identity", width=1)
g <- annotations(g, agg_countries_top, "Count", "Connection.Start.NoTime")
g <- g + theme_honeypot()
g
agg_dstports_top$Count <- agg_dstports_top$Count/1000
g <- ggplot(agg_dstports_top,
aes(x=Connection.Start.NoTime, y=Count, fill=Local.Port)
)
g <- g + labs(
title="CO.UA Honeypot: Established Sessions by Port Number",
fill="Incoming Port", x="", y="Sessions (thousands)"
)
g <- g + scale_fill_manual(values=plot_colors)
g <- anot_rect(g, agg_dstports_top, "Count", "Connection.Start.NoTime")
g <- g + geom_bar(stat="identity", width=1)
g <- annotations(g, agg_dstports_top, "Count", "Connection.Start.NoTime")
g <- g + theme_honeypot()
g
Note the uptick in traffic in port 5060 after 2022-02-25, which is for SIP (which handles VOIP, LTE, and other wireless and communications things).
Update: Who cares about 2022-02-25??!? The SIP traffic on 2022-03-07 broke my scale!
Update: Glad to see on 2022-03-17 that the SIP traffic has died down. Not sure if that's because it was noticed or not. I will say that the amount of storage it was using was ridiculous, and I can't even list the directory contents for those dates because of how many SipSession files exist in those directories. Insane quantities of repetitive data, thankfully it compresses nicely. Hopefully that attack didn't do much disruption to communications.
I have also checked and SIP is still open and receiving much smaller quantities of traffic, so it's not from the hosting provider this time, these hosts look to have been handled directly or something. I have no idea what happened.
g <- ggplot(agg_payloads_cntry_top,
aes(x=Connection.Start.NoTime, y=Count, fill=Country.Name)
)
g <- g + labs(
title="CO.UA Honeypot: Payloads by Country",
fill="Country", x="", y=""
)
g <- g + scale_fill_manual(values=plot_colors)
g <- anot_rect(g, agg_dstports_top, "Count", "Connection.Start.NoTime")
g <- g + geom_bar(stat="identity", width=1)
g <- payload_annotations(g,
agg_payloads_cntry_top, "Count", "Connection.Start.NoTime"
)
g <- g + theme_honeypot()
g
## Warning: Removed 1 rows containing missing values (position_stack).
Looking directly at Russia, their segment is noticeably large. The simultaneous drop-off on 2022-02-21 suggests that the other traffic is also them, too. There's no real way to tell if they are just using proxies/VPNs or something.
The USA traffic is noticeably large as well initally. I think they pulled some Manchurian Candidate stuff with some Microsoft cloud instances as you'll see below. Took some time, but Microsoft seems to have gotten a lot of it under control (as did some other cloud service providers, I don't want to single Microsoft out here but damn did they get targeted).
g <- ggplot(agg_payloads_dstports_top,
aes(x=Connection.Start.NoTime, y=Count, fill=Local.Port)
)
g <- g + labs(
title="CO.UA Honeypot: Payloads by Port Number",
fill="Country", x="", y=""
)
g <- g + scale_fill_manual(values=plot_colors)
g <- anot_rect(g, agg_dstports_top, "Count", "Connection.Start.NoTime")
g <- g + geom_bar(stat="identity", width=1)
g <- payload_annotations(g,
agg_payloads_dstports_top, "Count", "Connection.Start.NoTime"
)
g <- g + theme_honeypot()
g
Payloads 2022-03-10 and on 2022-03-11 are noticeably large as well, and coming from the US. Most likely a botnet waking up to attack after Russia has been cut off from Cogent, Lumen, and other ISPs.
The coordinated drop off on 2022-03-12 between Russian AND all other countries yet again suggests these botnets are controlled by the same individuals/organizations. What caused the dropoff could be anything, either their infrastructure getting taken out by nation-states, hacktivists, or them choosing to turn the spigot off. It's most likely their choice with this many hosts.
Update: That last paragraph turned out to be incorrect speculation. All SMB (port 445) traffic was blocked at the hosting provider upon further examination. This is definitely a good call by them, as this is the main source of malware dumps and as noted down below, there was at least one other host inside of their network that managed to get compromised with some form of a WannaCry variant. This will make the payloads graph mostly useless going forward, and I'll probably tail that off as that's not really relevant anymore. I'll keep collecting payloads from other ports and honeypot daemons, but the visual dropoff is quite obviously significant on blocking SMB traffic and if any organization wants to protect against ransomware the number one thing to make sure is to secure, firewall, and protect any and all SMB traffic and daemons you are using.
Update: Guess I'm not going to tail this off, there's still plenty to graph it just looked like it was going to drop to almost nothing.
Update: Yet again, a misread on the situation. As you can see SMB wasn't actually blocked, it was blocked for the incoming connections to a certain VPN that I was using that is a commonly used VPN provider. I'm guessing that the VPN provider has traffic that has someone using it spamming SMB malware and is tagged as malicious, and this hosting provider is using one of those blocklists. When I portscanned, it was showing up as a blocked port.
I only realized this when the non-standard port I was using to offload this data from the honeypot got blocked. It is used for nothing normally, and a subsequent portscan showed most ports being blocked off. I switched VPN hosts, and the port opened back up, and so did SMB. Afterwards, I thought to make the payloads by port number graph to check, and lo and behold, the graph shows that SMB traffic never ceased. Basically, just ignore most of the big block text written by me because 99% of it is just ridiculous or wrong. Even this sentence and the last one. I don't even know what's going on anymore.
The real drop in traffic appears to be because I have too much on my plate and didn't notice the cowrie process die on the system. I thought I was paying closer attention after the dionaea failure at the beginning of collection, but apparently not. Oops.
Back to the payload increase, let's look at those hosts:
payload_attack_20220310 <- unified_payloads[
(as.character(unified_payloads$Connection.Start.NoTime) == "2022-03-10" |
as.character(unified_payloads$Connection.Start.NoTime) == "2022-03-11") &
!grepl(paste0("^", REDACTED_HONEYPOT_SUBNET), unified_payloads$Remote.Host),
]
tab_payload_attack_20220310 <- table(as.factor(payload_attack_20220310$Remote.Host))
tab_payload_attack_20220310[tab_payload_attack_20220310 > 2]
##
## 143.198.77.103 194.31.98.122 194.31.98.246 195.2.239.27 20.115.110.73
## 15 27 4 27 27
## 20.116.105.72 20.118.171.1 20.150.151.233 20.200.223.84 20.214.168.59
## 27 54 27 27 54
## 20.216.16.28 20.222.16.64 20.222.37.249 20.53.15.254 20.73.164.164
## 27 24 27 27 27
## 20.89.234.17 20.89.236.220 20.91.248.101 211.72.43.163 23.97.67.249
## 27 24 16 6 27
## 23.98.142.138 40.74.73.139 51.107.78.98 51.107.82.193 52.161.86.181
## 27 27 41 27 27
## 52.224.4.156 74.62.127.47
## 27 4
When looking at these, most seem like Microsoft cloud instances, a couple are Russian hosts, and a couple are from the Netherlands (easy VPNs likely), but this one stands out:
$ whois 74.62.127.47
NetRange: 74.62.127.0 - 74.62.127.63
CIDR: 74.62.127.0/26
NetName: NET-74-62-127-0-1
NetHandle: NET-74-62-127-0-1
Parent: RCWE (NET-74-62-0-0-1)
NetType: Reassigned
OriginAS:
Customer: ME- BONNER SPRINGS HIGH SCHOOL (C07173788)
RegDate: 2018-10-26
Updated: 2018-10-26
Ref: https://rdap.arin.net/registry/ip/74.62.127.0
CustName: ME- BONNER SPRINGS HIGH SCHOOL
Address: 100 N. MCDANIELD
City: BONNER SPRINGS
StateProv: KS
PostalCode: 66012
Country: US
RegDate: 2018-10-26
Updated: 2018-10-26
Ref: https://rdap.arin.net/registry/entity/C07173788
This really seems like exclusively compromised botnet traffic given these are full identifiable payloads that were dumped on this server.
Let's look at those payloads:
payinvst_urls_74.62.127.47
## cnt download_url
## 1 355632
## 2 2640 smb://211.72.43.163
## 3 1200 http://185.156.72.4:47487/s.exe
## 4 288 http://185.156.72.4:4773/s.exe
## 5 288 http://185.156.72.4:4784/s.exe
## 6 288 http://185.156.72.4:573/LinkOpener.exe
## 7 144 http://185.156.72.4:13978/exiles.exe
## 8 144 http://185.156.72.4:14758/s.exe
## 9 144 http://185.156.72.4:745/exiles.exe
## 10 144 http://holl.f3322.net:8888/Server.exe
## 11 48 http://103.200.31.97/libcef.exe
## 12 48 smb://187.193.180.215
## 13 108144
## 14 1392 smb://85.246.80.143
## 15 72 http://185.199.224.210:7845/s.exe
## 16 19308
## 17 36 http://112.30.131.72:6745/s.exe
## 18 28014
## 19 14 http://115.28.78.227:4477/FileSu.scr
## 20 286740
## 21 432 http://holl.f3322.net:8888/Server.exe
## 22 144 http://103.56.114.162:927/libcurl.exe
## 23 144 http://154.39.107.104:6170/1Helllllo.exe
## 24 108 http://125.77.165.223:4656/xx.exe
## 25 108 http://185.199.224.193:12421/AV520.exe
## 26 108 http://185.199.224.193:1342/AV520.exe
## 27 108 http://185.199.224.193:43421/A.exe
## 28 108 http://185.199.224.193:51874/AV520.exe
## 29 108 http://43.226.74.228:8080/libcurll.exe
## 30 108 http://43.226.74.228:9090/Servera.exe
## 31 108 http://47.108.154.176:7777/libcurl.exe
## 32 72 http://43.143.197.151:555/123.exe
## 33 72 http://43.143.197.151:555/666.exe
## 34 72 http://43.143.197.151:8080/Hello.exe
## 35 72 http://s99999999.f3322.net/svchost.exe
## 36 72 smb://187.193.169.236
## 37 72 smb://79.116.129.6
## 38 36 http://125.77.165.182:53532/ssql.exe
## 39 36 http://185.199.224.193:4325/A.exe
## 40 36 http://43.249.193.140:666/hm.exe
## 41 36 http://43.249.193.140:666/svshost.exe
## 42 36 http://43.251.17.160/svchost.exe
## 43 36 smb://122.117.73.48
## 44 36 smb://187.193.156.113
## 45 36 smb://189.245.181.88
## 46 36 smb://61.125.45.27
payinvst_mrgtmp <- merge(
payinvst_cnt_74.62.127.47, clamscan_hashes,
by.x="download_md5_hash", by.y="Hash.MD5",
all.x=TRUE
)
table(as.factor(payinvst_mrgtmp$ClamAV))
##
## Empty file
## 1
## OK
## 60
## Win.Downloader.Regsvr32Unregister-6335678-1
## 5
## Win.Downloader.Webdown-9850242-0
## 5
## Win.Dropper.DarkKomet-9370806-0
## 157
## Win.Dropper.Gh0stRAT-7696262-0
## 3
## Win.Dropper.Gh0stRAT-9897356-0
## 1
## Win.Exploit.Generic-9685083-0
## 4
## Win.Malware.A0jb20mi-9815631-0
## 28
## Win.Malware.Agent-6404242-0
## 5
## Win.Malware.Blouiroet-9785356-0
## 1
## Win.Malware.Generic-9968329-0
## 1
## Win.Malware.Mikey-9917879-0
## 3
## Win.Malware.Nitol-6802818-0
## 1
## Win.Malware.Nitol-9953104-0
## 1
## Win.Malware.Zusy-9783455-0
## 2
## Win.Packed.Esfury-7649595-0
## 1
## Win.Ransomware.Wanna-9769986-0
## 3755
## Win.Spyware.78857-1
## 3
## Win.Trojan.Agent-6354872-0
## 1
## Win.Trojan.Agent-6368865-0
## 1
## Win.Trojan.Agent-6376660-0
## 1
## Win.Trojan.Agent-6382009-0
## 1
## Win.Trojan.Agent-6429662-0
## 3
## Win.Trojan.Agent-6442363-0
## 3
## Win.Trojan.Agent-6471210-0
## 1
## Win.Trojan.Agent-6479271-0
## 4
## Win.Trojan.Agent-6479896-0
## 1
## Win.Trojan.Agent-6482383-0
## 1
## Win.Trojan.Agent-6486397-0
## 4
## Win.Trojan.Agent-6497970-0
## 3
## Win.Trojan.Agent-6501829-0
## 2
## Win.Trojan.Agent-6501842-0
## 3
## Win.Trojan.Agent-6503241-0
## 3
## Win.Trojan.Agent-6505036-0
## 1
## Win.Trojan.Agent-6512880-0
## 1
## Win.Trojan.Agent-6515213-0
## 5
## Win.Trojan.Agent-6549573-0
## 3
## Win.Trojan.Agent-6563389-0
## 2
## Win.Trojan.Agent-6565223-0
## 1
## Win.Trojan.Agent-6568811-0
## 1
## Win.Trojan.Agent-6572174-0
## 1
## Win.Trojan.Agent-6576247-0
## 3
## Win.Trojan.Agent-6576890-0
## 1
## Win.Trojan.Agent-6577345-0
## 1
## Win.Trojan.Agent-6580643-0
## 1
## Win.Trojan.Agent-6580684-0
## 4
## Win.Trojan.Agent-6581489-0
## 3
## Win.Trojan.Agent-6582841-0
## 4
## Win.Trojan.Agent-6584103-0
## 2
## Win.Trojan.Agent-6591713-0
## 1
## Win.Trojan.Agent-6598660-0
## 1
## Win.Trojan.Agent-6602038-0
## 2
## Win.Trojan.Agent-6604168-0
## 3
## Win.Trojan.Agent-6621055-0
## 3
## Win.Trojan.Agent-6625054-0
## 1
## Win.Trojan.Agent-6639407-0
## 1
## Win.Trojan.Agent-6640099-0
## 1
## Win.Trojan.Agent-6640474-0
## 3
## Win.Trojan.Agent-6644223-0
## 1
## Win.Trojan.Agent-6645561-0
## 1
## Win.Trojan.Agent-6645965-0
## 5
## Win.Trojan.Agent-6646417-0
## 1
## Win.Trojan.Agent-6647257-0
## 2
## Win.Trojan.Agent-6666738-0
## 2
## Win.Trojan.Agent-6691585-0
## 1
## Win.Trojan.Agent-6744015-0
## 1
## Win.Trojan.Agent-6814940-0
## 1
## Win.Trojan.Farfli-9831481-0
## 1
## Win.Trojan.Gh0stRAT-8026910-0
## 1
## Win.Trojan.Gh0stRAT-9955419-1
## 4
## Win.Trojan.MSShellcode-7
## 9
## Win.Trojan.Ramnit-1847
## 1
## Win.Trojan.Spy-16
## 2
## Win.Trojan.Zegost-7007928-0
## 1
## Win.Trojan.Zegost-9886625-1
## 1
## Win.Worm.Autorunvb-7053731-0
## 2
Notable strings in libcef.exe:
PASSWORD
' AND IDENTIFY = '
SELECT * FROM UserTab WHERE NAME = '
Provider=SQLOLEDB.1;Persist Security Info=False; User ID=sa; Password=sa;Initial Catalog=JXIMS;Data Source=(local)
Unknown error 0x%0lX
IDispatch error #%d
BMP Files (*.bmp)|*.bmp|All Files (*.*)|*.*||
SELECT * FROM TeacherTab
SELECT * FROM PayTab
)
Jiaofei printing
IDENTIFY
Select * From UserTab Where NAME = '
BMP Files (*.bmp)|*.bmp|All Files (*.*)|*.*||
SELECT * FROM StudentTab
SELECT * FROM PayTab WHERE ID = '
SELECT * FROM BookTab WHERE ID = '
SELECT * FROM TrainTab WHERE ID = '
SELECT * FROM TrainTab
KEYCRYPT
FFHSTL-B
Copyright (c) 1994-1997 by Compuware Corporation
VxD KEYCRYPT (VtoolsD)
_The_DDB
D:\code\KeyCrypt\KeyCryptVxd\KEYCRYPT.PDB
C:\Documents and Settings\Administrator\
star 5.0
123\vc
SQL server7
\www.NewXing.com\jxims\Release\JXIMS.pdb
E:\8168\vc98\linker\release\lib.pdb
I can't tell what's going on, but they might be dealing with a ransomware attack or covertly being a part of a botnet that's launching WannaCry, or trying to disguise itself as WannaCry (seems to be happening a lot here).
But one thing seems for sure, Bonner Springs High School in Kansas is compromised and launching attacks against Ukrainian hosts, specifically my honeypot, either by intention of the botnet mastermind or by accident by scanning randomly on the internet.
Not exactly what I was expecting to find when looking at this spike given this is a much smaller part of the spike in traffic.
Giant spike on 2022-06-18, investigating what caused it…
str(payinvst_cnt_20220618)
## 'data.frame': 57814 obs. of 2 variables:
## $ cnt : int 10947 9463 9050 6069 2881 2860 2398 1534 1522 1108 ...
## $ remote_host: chr "146.20.225.35" "187.202.30.85" "179.126.6.146" "140.238.181.231" ...
sum(payinvst_cnt_20220618$cnt)
## [1] 1142555
head(payinvst_cnt_20220618, n=50)
## cnt remote_host
## 1 10947 146.20.225.35
## 2 9463 187.202.30.85
## 3 9050 179.126.6.146
## 4 6069 140.238.181.231
## 5 2881 20.107.219.143
## 6 2860 146.20.224.60
## 7 2398 213.232.235.29
## 8 1534 177.66.116.124
## 9 1522 165.22.52.53
## 10 1108 36.37.178.200
## 11 1020 141.98.11.91
## 12 887 201.208.159.19
## 13 697 45.93.16.72
## 14 667 212.83.136.106
## 15 620 45.175.94.36
## 16 620 45.175.95.164
## 17 616 45.175.94.164
## 18 613 203.150.90.33
## 19 612 45.175.95.36
## 20 224 103.145.13.101
## 21 207 20.222.16.155
## 22 178 103.145.13.74
## 23 164 200.10.227.116
## 24 164 200.10.227.156
## 25 164 200.10.227.196
## 26 164 200.10.227.224
## 27 164 200.10.227.48
## 28 164 200.10.227.76
## 29 164 200.10.227.8
## 30 164 200.10.227.88
## 31 163 200.10.227.104
## 32 163 200.10.227.144
## 33 163 200.10.227.184
## 34 163 200.10.227.252
## 35 163 200.10.227.36
## 36 162 200.10.227.212
## 37 162 200.10.227.64
## 38 161 200.10.227.172
## 39 159 200.10.227.132
## 40 159 200.10.227.24
## 41 159 200.10.227.240
## 42 159 200.10.227.92
## 43 158 200.10.227.200
## 44 155 200.10.227.12
## 45 155 200.10.227.120
## 46 155 200.10.227.128
## 47 155 200.10.227.160
## 48 155 200.10.227.168
## 49 155 200.10.227.20
## 50 155 200.10.227.208
unipay_20220618 <- merge(
payinvst_cnt_20220618, unified_payloads,
by.x="remote_host", by.y="Remote.Host",
all.x=TRUE, all.y=FALSE
)
table(as.factor(unipay_20220618$Country.Code))
##
## AM AR AU BD BG BR CL CO EG HR ID IN IR IT JP KZ
## 3 1 3 4 4 12 2 19 4 2 6 18 5 3 2 7
## MN MU MX NG NL PH PK PT QA RU SA SN TH TR TW UA
## 2 2 5 2 1 4 38 5 2 5060 1 4 3 1 3 2
## US UY VN
## 8 5 14
The hosting provider I am using, being under heavy attack, has had one of its clients compromised and it is launching “Win.Ransomware.Wanna-9769986-0”. I found evidence of over 4000 attacks from a neighbor VPS and reported it to the hosting provider. I will not be disclosing much more information about this, if any.
Since the SIP traffic broke my scale, I had to investigate further despite being incredibly sleep deprived.
sip_attack_20220307
## cnt remote_host
## 1 922273 212.129.30.110
## 2 591947 89.163.129.219
## 3 538301 212.83.187.89
## 4 36243 20.88.2.212
## 5 27357 20.106.89.142
## 6 22161 20.115.23.37
## 7 13571 20.90.5.68
## 8 11120 51.107.183.206
## 9 10193 20.199.119.129
## 10 7913 20.223.136.216
## 11 7833 141.98.10.83
## 12 5907 45.95.147.6
## 13 5636 68.183.220.94
## 14 4531 193.19.97.129
## 15 4204 52.136.119.53
## 16 4198 144.24.160.187
## 17 3768 20.223.163.175
## 18 3723 20.119.237.254
## 19 3605 141.98.10.81
## 20 2083 20.106.160.34
## 21 1313 72.11.158.139
## 22 1092 45.95.147.4
## 23 846 20.127.48.179
## 24 503 52.161.0.155
## 25 358 8.211.4.193
## 26 310 193.107.216.101
## 27 292 104.214.69.222
## 28 199 92.42.110.210
## 29 146 193.107.216.70
## 30 138 45.134.144.54
## 31 112 170.178.190.42
It is odd how few servers made that jump. WHOIS of the top three servers:
inetnum: 212.129.0.0 - 212.129.31.255
org: ORG-ONLI1-RIPE
netname: Online
descr: Online SAS - Dedibox
country: FR
admin-c: TTFR1-RIPE
tech-c: TTFR1-RIPE
status: ASSIGNED PA
mnt-by: MNT-TISCALIFR
mnt-by: MNT-TISCALIFR-B2B
created: 2016-02-23T12:20:33Z
last-modified: 2016-02-23T12:30:00Z
source: RIPE
organisation: ORG-ONLI1-RIPE
mnt-ref: MNT-TISCALIFR-B2B
org-name: ONLINE SAS
org-type: OTHER
address: 8 rue de la ville l'eveque 75008 PARIS
abuse-c: AR32851-RIPE
mnt-ref: ONLINESAS-MNT
mnt-by: ONLINESAS-MNT
created: 2015-07-10T15:20:41Z
last-modified: 2017-10-30T14:40:53Z
source: RIPE # Filtered
inetnum: 89.163.128.0 - 89.163.255.255
netname: DE-MYLOC-DUS-20060217
country: DE
org: ORG-MMIA3-RIPE
admin-c: MOPS-RIPE
tech-c: MOPS-RIPE
status: ALLOCATED PA
mnt-by: MYLOC-MNT
mnt-by: RIPE-NCC-HM-MNT
created: 2020-11-04T10:31:12Z
last-modified: 2020-11-04T10:31:12Z
source: RIPE
organisation: ORG-MMIA3-RIPE
org-name: myLoc managed IT AG
country: DE
org-type: LIR
address: Am Gatherhof 44
address: 40472
address: D�sseldorf
address: GERMANY
phone: +4921161708110
fax-no: +4921161708111
admin-c: MOPS-RIPE
tech-c: MOPS-RIPE
abuse-c: MOPS-RIPE
mnt-ref: MYLOC-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: MYLOC-MNT
created: 2019-10-28T10:48:29Z
last-modified: 2021-02-09T10:11:49Z
source: RIPE # Filtered
inetnum: 212.83.160.0 - 212.83.191.255
netname: FRWOL
descr: Iliad
country: FR
admin-c: ACP23-RIPE
tech-c: TCP8-RIPE
status: ASSIGNED PA
mnt-by: MNT-TISCALIFR
mnt-by: MNT-TISCALIFR-B2B
remarks: Tag: Int
created: 2002-09-24T15:24:29Z
last-modified: 2017-05-03T15:23:26Z
source: RIPE
role: Administrative Contact for ProXad
address: Free SAS / ProXad
address: 8, rue de la Ville L'Eveque
address: 75008 Paris
phone: +33 1 73 50 20 00
fax-no: +33 1 73 92 25 69
remarks: trouble: Information: http://www.proxad.net/
remarks: trouble: Spam/Abuse requests: mailto:abuse@proxad.net
admin-c: APfP1-RIPE
tech-c: TPfP1-RIPE
nic-hdl: ACP23-RIPE
mnt-by: PROXAD-MNT
abuse-mailbox: abuse@proxad.net
created: 2002-06-26T12:46:56Z
last-modified: 2013-08-01T12:16:00Z
source: RIPE # Filtered
They mostly seem like rented servers, so it could be anyone, but obviously Russia is the elephant in the room especially with internet connections being cut off from places like Cogent and Lumen so their ability to drop payloads and subvert directly from Russian hosts might be leading them to other means and other hosting providers. That last one seems like an ISP, though, so I'm unclear there. There could be a small hosting provider using that ISP, or it could be someone being a general nuisance. One of those servers is a Microsoft Cloud server, though, and the ISP may be a home modem/router, so I'm really thinking this is some group of unknown origin repurposing some botnet hosts. Not every attack even in this moment is going to be from a nation-state, so as usual, who knows.
sip_attack_20220321
## cnt remote_host
## 1 441416 20.199.119.129
## 2 392706 52.229.66.96
## 3 39498 20.223.136.216
## 4 26169 20.70.31.10
## 5 24251 40.86.215.4
## 6 12726 20.115.126.57
## 7 7703 89.239.40.4
## 8 4849 37.49.230.128
## 9 4785 23.148.145.101
## 10 3040 74.208.137.225
## 11 2335 20.110.209.108
## 12 2199 5.180.137.137
## 13 1781 89.239.42.100
## 14 1662 8.211.4.193
## 15 1277 45.130.97.193
## 16 920 20.118.164.17
## 17 716 20.38.1.73
## 18 596 185.108.25.136
## 19 318 51.120.77.73
## 20 165 89.239.36.195
## 21 139 45.93.16.27
## 22 128 20.214.144.56
NetRange: 20.192.0.0 - 20.255.255.255
CIDR: 20.192.0.0/10
NetName: MSFT
NetHandle: NET-20-192-0-0-1
Parent: NET20 (NET-20-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Microsoft Corporation (MSFT)
RegDate: 2017-10-18
Updated: 2021-12-14
Ref: https://rdap.arin.net/registry/ip/20.192.0.0
OrgName: Microsoft Corporation
OrgId: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
RegDate: 1998-07-10
Updated: 2022-03-28
NetRange: 52.224.0.0 - 52.255.255.255
CIDR: 52.224.0.0/11
NetName: MSFT
NetHandle: NET-52-224-0-0-1
Parent: NET52 (NET-52-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Microsoft Corporation (MSFT)
RegDate: 2015-11-24
Updated: 2021-12-14
Ref: https://rdap.arin.net/registry/ip/52.224.0.0
OrgName: Microsoft Corporation
OrgId: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
RegDate: 1998-07-10
Updated: 2022-03-28
More Microsoft hosts for the main two IPs for the SIP attacks that start on 2022-03-21. These hosts are more than likely rented cloud instances that were vulnerable and broken into to join a botnet.
Regardless, whomever is doing this broke my scale on my graph, does that count as reportable abuse under internet networking rules?
Reality - Ukraine: Under massive active SIP Cyberattack potentially disrupting communications during wartime.
Me - Acting like a sociopath:
Geolocation based on IP address is not to be taken as entirely accurate as to the source of traffic or attacks conducted. There are many reasons for this, which include (but are not limited to):
Large quantities of traffic, especially attack based traffic, will use a VPN or the Tor network (or some reasonable facsimile), to mask the origin of the traffic. This will in turn change the appearance of the location of origin. Usually, an attacker will also intentionally want the traffic to appear to come from somewhere that has some form of lesser legal jurisdiction, some form of lesser ability to police traffic, or come from a well known source of malicious attacks such as China or Russia.
For instance, the following log entry was generated by myself against my servers while sitting at my desk in the United States, but it gets geolocated as Russia because of how the packet was sent. This sort of masking is trivial to perform, even by a nine year old on a cellphone.
httpd_data[grep("/from/russia/with/logs", httpd_data$Request), c("Request", "Response.Code", "Country.Code")]
## Request Response.Code Country.Code
## 1 GET /from/russia/with/logs HTTP/1.1 404 RU
Some locations will have a higher distribution of virtual servers than others, such as Silicon Valley or China. This can lead to larger quantities of vulnerable virtual machines and servers in those regions, and distort the resulting aggregate data.
It is possible that due to address assignment for governmental intelligence purposes or other economic or political reasons a nation could re-allocate address space and forge the identity similarly to a NAT (network address translation). They could also funnel information via VPN technologies for another nation.
Because most of these agreements are made in private, and due to the fact that most geolocation, RDAP, and WHOIS records are based on self-reporting, it is impossible to know the 100% true nature of geographic address assignment.
This geolocation uses the rgeolocate package available in CRAN, and uses the internal country database that is shipped with it. There could be an error in the database shipped, there could be an error in the lookup code, etc. Bugs happen. I have no reason to believe that any false geolocation is being performed by these packages, however.
Also used is the self-reported RDAP or WHOIS systems which can frequently be self-reported falsely or misleadingly. Which of the systems (RDAP, WHOIS, or rgeolocate) used are disclosed when necessary.
Despite these weaknesses, this doesn't change the fact that looking at this sort of data can be quite fun and interesting, and potentially enlightening. Generalized conclusions should not be made from this data or the maps herein. You have been warned.