Ukrainian Honeypot ::001:: Initial Graphs

Last Updated

Fri Aug 19 21:00:26 2022

Captain John Sheridan

“We have begun a difficult and uncertain journey, and none of us can see its end, but our cause remains a just one. That truth honours and sanctifies our fallen comrades who have made the ultimate sacrifice so that we might carry on the work that is ahead of us. We are gathered here today to honour their memory and their names.”

“May God stand between you and harm in all the empty places where you must walk.”

See Also

(All are still regularly updated as of roughly the above date. I apologize for any organizational issues and the raw nature of this data; there's a lot to manage and a lot coming in while I'm still trying to analyze it manually to a certain degree and monitor services. I also have a disorganized mess of a mind.)

https://bcable.net/analysis-ukr-prelim.html

https://bcable.net/analysis-ukr-graphs.html

https://bcable.net/analysis-ukr-indicators.html

https://bcable.net/analysis-ukr-ru_map_sessions.html

https://bcable.net/analysis-ukr-cn_map_sessions.html

https://bcable.net/analysis-ukr-miori_fail.html

https://bcable.net/analysis-ukr-botnet_perl.html

https://bcable.net/analysis-ukr-ddos_gh0st.html

R Prep

library(RSQLite)
library(Rwhois)
library(Rrdap)
library(rgeolocate)
library(ggplot2)
library(RColorBrewer)
library(RcppCCTZ)

https://bcable.net/x/Rproj/shared

source("shared/country_code_cleanup.R")
source("shared/geoip.R")
source("shared/world_mapper.R")

source("shared/themes.R")
countries <- read.csv("shared/countries.csv")

For various protections:

source("redacted/env.R")

Color Themes

plot_colors <- c(
    RColorBrewer::brewer.pal(12, "Paired"),
    RColorBrewer::brewer.pal(8, "Dark2")
)
# Highest per-x-bucket total of ycol; used to place annotation text and to
# size the shaded outage rectangles so they span the full plot height.
get_yloc <- function(df, ycol, xcol){
    max(aggregate(
        formula(paste0(ycol, " ~ ", xcol)), data=df, FUN=sum
    )[[ycol]])
}

anot_rect <- function(g, df, ycol, xcol){
    yloc <- get_yloc(df, ycol, xcol)

    g +
        geom_rect(
            xmin=5.5, xmax=7.5, ymin=-100, ymax=yloc+1000, fill="#E0FFE0",
            inherit.aes=FALSE
        ) +
        geom_rect(
            xmin=36.5, xmax=42.5, ymin=-100, ymax=yloc+1000, fill="#E0E0FF",
            inherit.aes=FALSE
        ) +
        geom_rect(
            xmin=65.5, xmax=70.5, ymin=-100, ymax=yloc+1000, fill="#E0E0FF",
            inherit.aes=FALSE
        ) +
        geom_rect(
            xmin=85.5, xmax=86.5, ymin=-100, ymax=yloc+1000, fill="#E0FFE0",
            inherit.aes=FALSE
        ) +
        geom_rect(
            xmin=107.5, xmax=109.5, ymin=-100, ymax=yloc+1000, fill="#E0FFE0",
            inherit.aes=FALSE
        ) +
        geom_rect(
            xmin=125.5, xmax=126.5, ymin=-100, ymax=yloc+1000, fill="#E0FFE0",
            inherit.aes=FALSE
        ) +
        geom_rect(
            xmin=138.5, xmax=141.5, ymin=-100, ymax=yloc+1000, fill="#E0FFE0",
            inherit.aes=FALSE
        ) +
        geom_rect(
            xmin=153.5, xmax=155.5, ymin=-100, ymax=yloc+1000, fill="#E0FFE0",
            inherit.aes=FALSE
        ) +
        geom_rect(
            xmin=163.5, xmax=167.5, ymin=-100, ymax=yloc+1000, fill="#E0FFE0",
            inherit.aes=FALSE
        )
}

get_date_labs <- function(df, date_col){
    date_levels <- as.vector(as.character(
        levels(as.factor(as.character(df[[date_col]])))
    ))

    min_date <- min(date_levels)
    max_date <- max(date_levels)

    #xlabs <- NULL
    #cur_date <- NULL
    #date_counter <- as.POSIXlt(paste0(min_date, "T12:00:00"))
    #max_posixlt <- as.POSIXlt(max_date)
    #while(date_counter < max_posixlt){
        #cur_date <- strftime(date_counter, "%Y-%m-%d")
        #date_counter <- date_counter + (60*60*24)
        #xlabs <- c(xlabs, cur_date)
    #}

    #date_levels <- xlabs
    xlabs <- substr(date_levels, 1, 7)
    xlabs[substr(date_levels, 8, 11) != "-01"] <- ""
    xlabs[1] <- min_date
    xlabs[length(xlabs)] <- max_date
    #xlabs[length(xlabs)-1] <- date_levels[length(date_levels)-1]

    list(date_levels, xlabs)
}

annotations <- function(g, df, ycol, xcol){
    yloc <- get_yloc(df, ycol, xcol)
    ret <- get_date_labs(df, xcol)
    date_levels <- ret[[1]]
    xlabs <- ret[[2]]

    g +
        geom_vline(xintercept=3.5, color="darkred", size=2) +
        scale_x_discrete(breaks=date_levels, labels=xlabs) +
        annotate("text",
            x=2.90, y=yloc, hjust=1, size=5, angle=90,
            label="CO.UA DNS A Record Updated"
        ) +
        annotate("text",
            x=6, y=yloc, hjust=1, size=4, angle=90,
            label="Data Collection Failure (SysAdmin Error: Dionaea Daemon)"
        ) +
        annotate("text",
            x=37, y=yloc, hjust=1, size=4, angle=90,
            label="Data Collection Failure (SysAdmin Error: Cowrie Daemon)"
        ) +
        annotate("text",
            x=66, y=yloc, hjust=1, size=4, angle=90,
            label="Data Collection Failure (SysAdmin Error: Cowrie Daemon)"
        ) +
        annotate("text",
            x=86, y=yloc, hjust=1, size=4, angle=90,
            label="Data Collection Failure (Daemon Crash: Dionaea Daemon)"
        ) +
        annotate("text",
            x=108, y=yloc, hjust=1, size=4, angle=90,
            label="Data Collection Failure (Daemon Crash: Dionaea Daemon)"
        ) +
        annotate("text",
            x=126, y=yloc, hjust=1, size=4, angle=90,
            label="Data Collection Failure (Daemon Crash: Dionaea Daemon)"
        ) +
        annotate("text",
            x=139, y=yloc, hjust=1, size=4, angle=90,
            label="Data Collection Failure (Daemon Crash: Dionaea Daemon)"
        ) +
        annotate("text",
            x=154, y=yloc, hjust=1, size=4, angle=90,
            label="Data Collection Failure (Daemon Crash: Dionaea Daemon)"
        ) +
        annotate("text",
            x=164, y=yloc, hjust=1, size=4, angle=90,
            label="Data Collection Failure (Daemon Crash: Dionaea Daemon)"
        )
}

payload_annotations <- function(g, df, ycol, xcol){
    yloc <- get_yloc(df, ycol, xcol)
    annotations(g, df, ycol, xcol)
#       annotate("text",
#           x=37, y=yloc, hjust=1, size=5, angle=90,
#           label="Hosting Provider Blocked SMB Traffic 2022-03-12"
#       ) + theme_simple()
}
theme_honeypot <- function(){
    theme_simple() %+replace% theme(
        axis.text.x = element_text(angle=90, size=12)
    )
}

R Load Data

cowrie_auth <- NULL
cowrie_clients <- NULL
cowrie_downloads <- NULL
cowrie_keyfingerprints <- NULL
cowrie_sessions <- NULL
cowrie_ttylog <- NULL
dionaea_connections <- NULL
dionaea_downloads <- NULL
dionaea_logins <- NULL
dionaea_mssql_commands <- NULL
dionaea_mssql_fingerprints <- NULL
dionaea_mysql_commands <- NULL
dionaea_mysql_command_args <- NULL
dionaea_mysql_command_ops <- NULL
dionaea_sip_addrs <- NULL
sip_attack_20220307 <- NULL
sip_attack_20220321 <- NULL
payinvst_cnt_74.62.127.47 <- NULL
payinvst_urls_74.62.127.47 <- NULL
payinvst_cnt_20220618 <- NULL
cowrie_sqlite_files <- c(
    "cowrie-20220409-004639-rebuild.sqlite",
    "cowrie-20220523-145223-rebuild.sqlite",
    "cowrie-20220619-201225-rebuild.sqlite"
)
cowrie_sqlite_files <- c(cowrie_sqlite_files, "cowrie-latest.sqlite")
dionaea_sqlite_files <- c(
    "dionaea-20220409-004639-rebuild.sqlite",
    "dionaea-20220523-145223-rebuild.sqlite",
    "dionaea-20220619-201225-rebuild.sqlite"
)
dionaea_sqlite_files <- c(dionaea_sqlite_files, "dionaea-latest.sqlite")
# Tag every row with the database file it came from; the filename is used
# later alongside the session/connection id as a merge key, so rows from
# different database files stay distinct. Assigning NULL as val removes the
# column instead. NULL and empty inputs pass through unchanged.
populate_col <- function(ret, col, val){
    if(is.data.frame(ret) && nrow(ret) > 0){
        ret[[col]] <- val
    }
    ret
}
for(cowrie_sqlite_file in cowrie_sqlite_files){
    cowrie_con <- RSQLite::dbConnect(RSQLite::SQLite(),
        paste0(path_cowrie, "/", cowrie_sqlite_file)
    )

    # Each table is read with an explicit error handler: a rebuilt database
    # that lacks a table yields NULL, and rbind(x, NULL) leaves x unchanged,
    # so the loop carries on. (tryCatch() with no handler would simply let
    # the error propagate.) Warnings are deliberately not caught so that
    # they still show up in the output.
    ret <- tryCatch(RSQLite::dbReadTable(cowrie_con, "auth"),
        error=function(e) NULL)
    ret <- populate_col(ret, "filename", cowrie_sqlite_file)
    cowrie_auth <- rbind(cowrie_auth, ret)

    ret <- tryCatch(RSQLite::dbReadTable(cowrie_con, "clients"),
        error=function(e) NULL)
    ret <- populate_col(ret, "filename", cowrie_sqlite_file)
    cowrie_clients <- rbind(cowrie_clients, ret)

    ret <- tryCatch(RSQLite::dbReadTable(cowrie_con, "downloads"),
        error=function(e) NULL)
    ret <- populate_col(ret, "filename", cowrie_sqlite_file)
    cowrie_downloads <- rbind(cowrie_downloads, ret)

    ret <- tryCatch(RSQLite::dbReadTable(cowrie_con, "keyfingerprints"),
        error=function(e) NULL)
    ret <- populate_col(ret, "filename", cowrie_sqlite_file)
    cowrie_keyfingerprints <- rbind(cowrie_keyfingerprints, ret)

    ret <- tryCatch(RSQLite::dbReadTable(cowrie_con, "sessions"),
        error=function(e) NULL)
    ret <- populate_col(ret, "filename", cowrie_sqlite_file)
    cowrie_sessions <- rbind(cowrie_sessions, ret)

    ret <- tryCatch(RSQLite::dbReadTable(cowrie_con, "ttylog"),
        error=function(e) NULL)
    ret <- populate_col(ret, "filename", cowrie_sqlite_file)
    cowrie_ttylog <- rbind(cowrie_ttylog, ret)

    RSQLite::dbDisconnect(cowrie_con)
}
for(dionaea_sqlite_file in dionaea_sqlite_files){
    dionaea_con <- RSQLite::dbConnect(RSQLite::SQLite(),
        paste0(path_dionaea, "/", dionaea_sqlite_file)
    )

    # Same pattern as the Cowrie loop: an explicit error handler turns a
    # missing table into NULL (rbind(x, NULL) is x) rather than aborting the
    # loop, while warnings such as the mixed string/blob `login_username`
    # one reported below still surface.
    ret <- tryCatch(RSQLite::dbReadTable(dionaea_con, "connections"),
        error=function(e) NULL)
    ret <- populate_col(ret, "filename", dionaea_sqlite_file)
    dionaea_connections <- rbind(dionaea_connections, ret)

    ret <- tryCatch(RSQLite::dbReadTable(dionaea_con, "downloads"),
        error=function(e) NULL)
    ret <- populate_col(ret, "filename", dionaea_sqlite_file)
    dionaea_downloads <- rbind(dionaea_downloads, ret)

    ret <- tryCatch(RSQLite::dbReadTable(dionaea_con, "logins"),
        error=function(e) NULL)
    ret <- populate_col(ret, "filename", dionaea_sqlite_file)
    dionaea_logins <- rbind(dionaea_logins, ret)

    ret <- tryCatch(RSQLite::dbReadTable(dionaea_con, "mssql_commands"),
        error=function(e) NULL)
    ret <- populate_col(ret, "filename", dionaea_sqlite_file)
    # Assigning NULL drops the raw command-text column before binding.
    ret <- populate_col(ret, "mssql_command_cmd", NULL)
    dionaea_mssql_commands <- rbind(dionaea_mssql_commands, ret)

    ret <- tryCatch(RSQLite::dbReadTable(dionaea_con, "mssql_fingerprints"),
        error=function(e) NULL)
    ret <- populate_col(ret, "filename", dionaea_sqlite_file)
    dionaea_mssql_fingerprints <- rbind(dionaea_mssql_fingerprints, ret)

    ret <- tryCatch(RSQLite::dbReadTable(dionaea_con, "mysql_commands"),
        error=function(e) NULL)
    ret <- populate_col(ret, "filename", dionaea_sqlite_file)
    dionaea_mysql_commands <- rbind(dionaea_mysql_commands, ret)

    ret <- tryCatch(RSQLite::dbReadTable(dionaea_con, "mysql_command_args"),
        error=function(e) NULL)
    ret <- populate_col(ret, "filename", dionaea_sqlite_file)
    dionaea_mysql_command_args <- rbind(dionaea_mysql_command_args, ret)

    ret <- tryCatch(RSQLite::dbReadTable(dionaea_con, "mysql_command_ops"),
        error=function(e) NULL)
    ret <- populate_col(ret, "filename", dionaea_sqlite_file)
    dionaea_mysql_command_ops <- rbind(dionaea_mysql_command_ops, ret)

    ret <- tryCatch(RSQLite::dbReadTable(dionaea_con, "sip_addrs"),
        error=function(e) NULL)
    ret <- populate_col(ret, "filename", dionaea_sqlite_file)
    dionaea_sip_addrs <- rbind(dionaea_sip_addrs, ret)

    # dbGetQuery() sends the query, fetches every row and clears the result
    # in one call. Timestamps are epoch seconds, as Dionaea stores them.
    # SIP flood, first window: hosts with more than 100 SIP sessions.
    sip_attack_20220307 <- rbind(sip_attack_20220307,
        RSQLite::dbGetQuery(dionaea_con, "
            SELECT * FROM (
                SELECT COUNT(*) AS cnt, remote_host FROM connections
                WHERE connection_protocol='SipSession' AND
                connection_timestamp > 1646686800 AND
                connection_timestamp < 1647546732
                GROUP BY remote_host
            ) WHERE cnt > 100 ORDER BY cnt DESC
        ")
    )

    # SIP flood, second window.
    sip_attack_20220321 <- rbind(sip_attack_20220321,
        RSQLite::dbGetQuery(dionaea_con, "
            SELECT * FROM (
                SELECT COUNT(*) AS cnt, remote_host FROM connections
                WHERE connection_protocol='SipSession' AND
                connection_timestamp > 1647770400 AND
                connection_timestamp < 1648375200
                GROUP BY remote_host
            ) WHERE cnt > 100 ORDER BY cnt DESC
        ")
    )

    # Payload investigation for 74.62.127.47. `downloads` has no remote_host
    # column, so each download is joined to the connection it arrived on; a
    # bare JOIN with no condition would be a cross join and inflate cnt.
    payinvst_cnt_74.62.127.47 <- rbind(payinvst_cnt_74.62.127.47,
        RSQLite::dbGetQuery(dionaea_con, "
            SELECT * FROM (
                SELECT COUNT(*) AS cnt, download_md5_hash FROM downloads
                JOIN connections USING (connection)
                WHERE remote_host='74.62.127.47'
                GROUP BY download_md5_hash
            ) ORDER BY cnt DESC
        ")
    )

    # All connections per host in the window around 2022-06-18.
    payinvst_cnt_20220618 <- rbind(payinvst_cnt_20220618,
        RSQLite::dbGetQuery(dionaea_con, "
            SELECT * FROM (
                SELECT COUNT(*) AS cnt, remote_host FROM connections
                WHERE
                connection_timestamp > 1655442000 AND
                connection_timestamp < 1655701200
                GROUP BY remote_host
            ) ORDER BY cnt DESC
        ")
    )

    payinvst_urls_74.62.127.47 <- rbind(payinvst_urls_74.62.127.47,
        RSQLite::dbGetQuery(dionaea_con, "
            SELECT * FROM (
                SELECT COUNT(*) AS cnt, download_url FROM downloads
                JOIN connections USING (connection)
                WHERE remote_host='74.62.127.47'
                GROUP BY download_url
            ) ORDER BY cnt DESC
        ")
    )

    RSQLite::dbDisconnect(dionaea_con)
}
## Warning in result_fetch(res@ptr, n = n): Column `login_username`: mixed type,
## first seen values of type string, coercing other values of type blob

## Warning in result_fetch(res@ptr, n = n): Column `login_username`: mixed type,
## first seen values of type string, coercing other values of type blob

## Warning in result_fetch(res@ptr, n = n): Column `login_username`: mixed type,
## first seen values of type string, coercing other values of type blob

## Warning in result_fetch(res@ptr, n = n): Column `login_username`: mixed type,
## first seen values of type string, coercing other values of type blob
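The two SIP queries in the loop above count `SipSession` connections per remote host inside hand-picked epoch windows and keep the hosts with more than 100. The following is an added Python example (not the page's R code) that generalizes that check to a sliding window, so the burst boundaries come out of the data rather than being typed in: for each host it sweeps the sorted timestamps with two pointers and reports the densest `window`-second span. Input is a list of (remote_host, connection_protocol, connection_timestamp) tuples mirroring the Dionaea `connections` columns the page queries; the records below are constructed, with documentation-range addresses, and `BASE` simply reuses the first window start from the page so the sample sits in the same range.

```python
from collections import defaultdict

# Epoch-second start of the page's first SIP window; only used to place the
# constructed sample in a realistic range.
BASE = 1646686800

# Constructed records mirroring the Dionaea `connections` columns used on the
# page: (remote_host, connection_protocol, connection_timestamp). Not real data.
SAMPLE_CONNECTIONS = (
    # host A: 150 SIP sessions two seconds apart (about five minutes) -> burst
    [("198.51.100.7", "SipSession", BASE + 2 * i) for i in range(150)]
    # host B: 150 SIP sessions ten minutes apart (about a day) -> background
    + [("203.0.113.9", "SipSession", BASE + 600 * i) for i in range(150)]
    # host C: a dense run of SMB connections, which the SIP filter must ignore
    + [("192.0.2.3", "smbd", BASE + i) for i in range(300)]
)


def sip_bursts(connections, window=3600, threshold=100, protocol="SipSession"):
    """Return {remote_host: (start, end, count)} for each host that opened more
    than `threshold` connections of `protocol` within any `window`-second span.

    Per host, the sorted timestamps are swept with two pointers: `hi` advances
    one event at a time and `lo` is pushed forward until stamps[lo..hi] fits in
    the window, so each host costs a sort plus one linear pass. The densest
    span found is reported, which a fixed start/end pair in a query can only
    approximate by hand."""
    per_host = defaultdict(list)
    for host, proto, ts in connections:
        if proto == protocol:
            per_host[host].append(int(ts))

    bursts = {}
    for host, stamps in per_host.items():
        stamps.sort()
        lo = 0
        best = (0, None, None)  # (count, start, end) of the densest span so far
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count > best[0]:
                best = (count, stamps[lo], ts)
        if best[0] > threshold:
            bursts[host] = (best[1], best[2], best[0])
    return bursts


if __name__ == "__main__":
    for host, (start, end, count) in sorted(sip_bursts(SAMPLE_CONNECTIONS).items()):
        print(f"{host:16} {count:5d} SIP sessions between {start} and {end}")
```

With the defaults only host A is reported; host B sends the same total number of SIP sessions but never more than seven in any hour, and host C is excluded by the protocol filter regardless of its rate. Lowering `threshold` or widening `window` trades sensitivity for noise in the usual way.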
clamscan_hashes <- read.csv("clamscan_hashes.csv")

Session Date Processing

# Cowrie stores start/end as ISO 8601 text and Dionaea stores epoch seconds.
# strptime() without a tz argument interprets the text in the analysis host's
# timezone; if the Cowrie strings end in "Z" they are UTC and should be parsed
# with tz="UTC" unless the host itself runs in UTC.
cowrie_sessions$Connection.Start <- strptime(
    cowrie_sessions$starttime, format="%Y-%m-%dT%H:%M:%S"
)

cowrie_sessions$Connection.End <- strptime(
    cowrie_sessions$endtime, format="%Y-%m-%dT%H:%M:%S"
)

dionaea_connections$Connection.Timestamp <- strptime(
    dionaea_connections$connection_timestamp, format="%s"
)

Process Geocoding

# March 1st, 2022
#filter_date <- 1646114400
# April 1st, 2022
#filter_date <- 1648789200
# May 1st, 2022
#filter_date <- 1651381200
# June 1st, 2022
#filter_date <- 1654059600
# July 1st, 2022
#filter_date <- 1656651600
# August 1st, 2022
#filter_date <- 1659330000
# 2999-12-31
filter_date <- 32503615200
if(!file.exists("cowrie_sessions_geo.csv")){
    cowrie_sessions_geo <- geoiporg_df(cowrie_sessions[
        cowrie_sessions$Connection.Start < filter_date,
    ], "ip")
    #cowrie_sessions_geo <- geoip_df(cowrie_sessions, "ip")
    write.csv(cowrie_sessions_geo, "cowrie_sessions_geo.csv", row.names=FALSE)

} else {
    cowrie_sessions_geo <- read.csv("cowrie_sessions_geo.csv")

    if(!file.exists("cowrie_sessions_geo_new.csv")){
        # Only look up IPs missing from the cached file, then write the
        # combined result out as the new cache.
        cowrie_sessions_new <- cowrie_sessions[
            !(cowrie_sessions$ip %in% cowrie_sessions_geo$ip) &
            cowrie_sessions$Connection.Start < filter_date,
        ]
        cowrie_new_geo <- geoiporg_df(cowrie_sessions_new, "ip")
        cowrie_sessions_geo <- rbind(cowrie_sessions_geo, cowrie_new_geo)

        write.csv(cowrie_sessions_geo,
            "cowrie_sessions_geo_new.csv", row.names=FALSE
        )
    } else {
        # Use the combined cache when it already exists; otherwise the inner
        # merge() below would silently drop sessions from IPs first seen
        # after the original cache was written.
        cowrie_sessions_geo <- read.csv("cowrie_sessions_geo_new.csv")
    }
}

cowrie_sessions_geo.csv

if(!file.exists("dionaea_connections_geo.csv")){
    dionaea_connections_geo <- geoiporg_df(dionaea_connections[
        dionaea_connections$Connection.Timestamp < filter_date,
    ], "remote_host")
    #dionaea_connections_geo <- geoip_df(dionaea_connections, "remote_host")
    write.csv(dionaea_connections_geo,
        "dionaea_connections_geo.csv", row.names=FALSE
    )

} else {
    dionaea_connections_geo <- read.csv("dionaea_connections_geo.csv")

    if(!file.exists("dionaea_connections_geo_new.csv")){
        #dionaea_connections_new <- head(dionaea_connections[
        #   !(
        #       dionaea_connections$remote_host %in%
        #       dionaea_connections_geo$remote_host
        #   ) &
        #   dionaea_connections$Connection.Timestamp < filter_date,
        #], n=20000)
        # Only look up hosts missing from the cached file, then write the
        # combined result out as the new cache.
        dionaea_connections_new <- dionaea_connections[
            !(
                dionaea_connections$remote_host %in%
                dionaea_connections_geo$remote_host
            ) &
            dionaea_connections$Connection.Timestamp < filter_date,
        ]
        dionaea_new_geo <- geoiporg_df(dionaea_connections_new, "remote_host")
        dionaea_connections_geo <- rbind(
            dionaea_connections_geo, dionaea_new_geo
        )

        write.csv(dionaea_connections_geo,
            "dionaea_connections_geo_new.csv", row.names=FALSE
        )
    } else {
        # Use the combined cache when it already exists; otherwise the inner
        # merge() below would silently drop connections from hosts first
        # seen after the original cache was written.
        dionaea_connections_geo <- read.csv("dionaea_connections_geo_new.csv")
    }
}

dionaea_connections_geo.csv

Merges

cowrie_sessions <- merge(
    cowrie_sessions, cowrie_sessions_geo, by="ip"
)
dionaea_connections <- merge(
    dionaea_connections, dionaea_connections_geo, by="remote_host"
)
cowrie_payloads <- merge(
    cowrie_downloads, cowrie_sessions,
    by.x=c("session", "filename"), by.y=c("id", "filename")
)
dionaea_payloads <- merge(
    dionaea_downloads, dionaea_connections,
    by=c("connection", "filename")
)

Generate Unified Connection/Payload Datasets

unified_dataset

unified_dataset_cowrie <- data.frame(
    Connection.Start=cowrie_sessions$Connection.Start,
    Connection.End=cowrie_sessions$Connection.End,
    Remote.Host=cowrie_sessions$ip,
    Transport.Protocol=rep("tcp", nrow(cowrie_sessions)),
    Local.Port=rep(22, nrow(cowrie_sessions)),
    Remote.Port=rep(NA, nrow(cowrie_sessions)),
    Country.Code=toupper(cowrie_sessions$Country.Code)
)
unified_dataset_dionaea <- data.frame(
    Connection.Start=dionaea_connections$Connection.Timestamp,
    Connection.End=rep(NA, nrow(dionaea_connections)),
    Remote.Host=dionaea_connections$remote_host,
    Transport.Protocol=dionaea_connections$connection_transport,
    Local.Port=dionaea_connections$local_port,
    Remote.Port=dionaea_connections$remote_port,
    Country.Code=toupper(dionaea_connections$Country.Code)
)
unified_dataset <- rbind(unified_dataset_cowrie, unified_dataset_dionaea)
unified_dataset <- merge(unified_dataset, countries, by="Country.Code")
unified_dataset$Local.Port <- as.factor(unified_dataset$Local.Port)
unified_dataset$Connection.Start.NoTime <- as.factor(strptime(
    strftime(toTz(
        unified_dataset$Connection.Start, "America/Chicago", "Europe/Kiev"
    ), "%Y-%m-%d", tz="EET"),
    format="%Y-%m-%d", tz="EET"
))

unified_payloads

unified_payloads_cowrie <- data.frame(
    Connection.Start=cowrie_payloads$Connection.Start,
    Connection.End=cowrie_payloads$Connection.End,
    Remote.Host=cowrie_payloads$ip,
    Transport.Protocol=rep("tcp", nrow(cowrie_payloads)),
    Local.Port=rep(22, nrow(cowrie_payloads)),
    Remote.Port=rep(NA, nrow(cowrie_payloads)),
    Country.Code=toupper(cowrie_payloads$Country.Code)
)
unified_payloads_dionaea <- data.frame(
    Connection.Start=dionaea_payloads$Connection.Timestamp,
    Connection.End=rep(NA, nrow(dionaea_payloads)),
    Remote.Host=dionaea_payloads$remote_host,
    Transport.Protocol=dionaea_payloads$connection_transport,
    Local.Port=dionaea_payloads$local_port,
    Remote.Port=dionaea_payloads$remote_port,
    Country.Code=toupper(dionaea_payloads$Country.Code)
)
unified_payloads <- rbind(unified_payloads_cowrie, unified_payloads_dionaea)
unified_payloads <- merge(unified_payloads, countries, by="Country.Code")
unified_payloads$Local.Port <- as.factor(unified_payloads$Local.Port)
unified_payloads$Connection.Start.NoTime <- as.factor(strptime(
    strftime(toTz(
        unified_payloads$Connection.Start, "America/Chicago", "Europe/Kiev"
    ), "%Y-%m-%d", tz="EET"),
    format="%Y-%m-%d", tz="EET"
))

Strip Last Date (Incomplete Data)

maxdate_dataset <- max(as.character(unified_dataset$Connection.Start.NoTime))
maxdate_payloads <- max(as.character(unified_payloads$Connection.Start.NoTime))
unified_dataset <- unified_dataset[
    unified_dataset$Connection.Start.NoTime != maxdate_dataset,
]
unified_payloads <- unified_payloads[
    unified_payloads$Connection.Start.NoTime != maxdate_payloads,
]

Add Counts for Aggregation

unified_dataset_cowrie$Count <- rep(1, nrow(unified_dataset_cowrie))
unified_dataset_dionaea$Count <- rep(1, nrow(unified_dataset_dionaea))
unified_dataset$Count <- rep(1, nrow(unified_dataset))
unified_payloads$Count <- rep(1, nrow(unified_payloads))

Aggregation

ret <- get_date_labs(unified_dataset, "Connection.Start.NoTime")
date_levels <- ret[[1]]
xlabs <- ret[[2]]
tmp_ds_date_frame <- data.frame(Connection.Start.NoTime=date_levels)

ret <- get_date_labs(unified_payloads, "Connection.Start.NoTime")
date_levels <- ret[[1]]
xlabs <- ret[[2]]
tmp_pay_date_frame <- data.frame(Connection.Start.NoTime=date_levels)
ports_table <- table(unified_dataset$Local.Port)
country_table <- table(unified_dataset$Country.Code)
top_ports <- sort(ports_table, decreasing=TRUE)
top_countries <- sort(country_table, decreasing=TRUE)
agg_dstports_top <- aggregate(
    Count ~ Connection.Start.NoTime + Local.Port,
    data=unified_dataset[
        unified_dataset$Local.Port %in%
            rownames(head(top_ports, n=20)),
    ], FUN=sum
)
str(agg_dstports_top)
## 'data.frame':    3279 obs. of  3 variables:
##  $ Connection.Start.NoTime: Factor w/ 191 levels "2022-02-04","2022-02-05",..: 1 2 3 4 5 6 8 9 10 11 ...
##  $ Local.Port             : Factor w/ 5322 levels "21","22","23",..: 1 1 1 1 1 1 1 1 1 1 ...
##  $ Count                  : num  11 25 25 19 308 3 10 18 9 18 ...
agg_countries_top <- aggregate(
    Count ~ Connection.Start.NoTime + Country.Name,
    data=unified_dataset[
        unified_dataset$Country.Code %in%
            rownames(head(top_countries, n=20)),
    ], FUN=sum
)
str(agg_countries_top)
## 'data.frame':    3502 obs. of  3 variables:
##  $ Connection.Start.NoTime: Factor w/ 191 levels "2022-02-04","2022-02-05",..: 1 2 3 4 5 6 7 8 9 10 ...
##  $ Country.Name           : chr  "Australia" "Australia" "Australia" "Australia" ...
##  $ Count                  : num  2201 27 943 6639 14948 ...
agg_payloads_cntry_top <- aggregate(
    Count ~ Connection.Start.NoTime + Country.Name,
    data=unified_payloads[
        unified_payloads$Country.Code %in%
            rownames(head(top_countries, n=20)),
    ], FUN=sum
)
agg_payloads_cntry_top$Connection.Start.NoTime <- as.character(
    agg_payloads_cntry_top$Connection.Start.NoTime
)
str(agg_payloads_cntry_top)
## 'data.frame':    2010 obs. of  3 variables:
##  $ Connection.Start.NoTime: chr  "2022-02-04" "2022-02-05" "2022-02-06" "2022-02-07" ...
##  $ Country.Name           : chr  "Australia" "Australia" "Australia" "Australia" ...
##  $ Count                  : num  3 1 1 1 2 3 2 1 5 1 ...
agg_payloads_cntry_top <- merge(
    tmp_pay_date_frame, agg_payloads_cntry_top, all.x=TRUE
)
str(agg_payloads_cntry_top)
## 'data.frame':    2013 obs. of  3 variables:
##  $ Connection.Start.NoTime: chr  "2022-02-04" "2022-02-04" "2022-02-04" "2022-02-04" ...
##  $ Country.Name           : chr  "Australia" "Pakistan" "Netherlands" "Brazil" ...
##  $ Count                  : num  3 5 2 7 26 7 2 5 5 3 ...
agg_payloads_dstports_top <- aggregate(
    Count ~ Connection.Start.NoTime + Local.Port,
    data=unified_payloads[
        unified_payloads$Local.Port %in%
            rownames(head(top_ports, n=20)),
    ], FUN=sum
)
str(agg_payloads_dstports_top)
## 'data.frame':    353 obs. of  3 variables:
##  $ Connection.Start.NoTime: Factor w/ 191 levels "2022-02-04","2022-02-05",..: 4 5 6 7 8 9 10 11 12 13 ...
##  $ Local.Port             : Factor w/ 5 levels "22","80","443",..: 1 1 1 1 1 1 1 1 1 1 ...
##  $ Count                  : num  10 9 24 18 19 15 33 46 13 31 ...
cowrie_auth$Count <- rep(1, nrow(cowrie_auth))
agg_ssh_unpw <- aggregate(
    Count ~ username + password, data=cowrie_auth, FUN=sum
)
top_ssh_unpw <- agg_ssh_unpw[order(-agg_ssh_unpw$Count),]
names(top_ssh_unpw) <- c("Username", "Password", "Count")
str(top_ssh_unpw)
## 'data.frame':    164940 obs. of  3 variables:
##  $ Username: chr  "user" "root" "admin" "support" ...
##  $ Password: chr  "user" "root" "admin" "support" ...
##  $ Count   : num  151076 21294 19411 5113 4027 ...
dionaea_logins$Count <- rep(1, nrow(dionaea_logins))
agg_other_unpw <- aggregate(
    Count ~ login_username + login_password, data=dionaea_logins, FUN=sum
)
top_other_unpw <- agg_other_unpw[order(-agg_other_unpw$Count),]
names(top_other_unpw) <- c("Username", "Password", "Count")
str(top_other_unpw)
## 'data.frame':    18462 obs. of  3 variables:
##  $ Username: chr  "sa" "" "root" "sa" ...
##  $ Password: chr  "" "" "" "123456" ...
##  $ Count   : num  5941 2962 1806 889 667 ...
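The second roll-up above is built on Dionaea's `logins` table, which is also where the `login_username: mixed type ... coercing other values of type blob` warnings during loading came from: some usernames arrive as raw bytes that are not valid UTF-8 (or contain NULs), SQLite stores those rows as BLOB, and the loader coerces them into the string column. The following is an added Python example, not the page's R code and not part of Dionaea, showing how to read such a column so the attacker-supplied bytes stay visible and countable instead of being mangled or dropped on output. The `login_username`/`login_password` column names come from the page; the table layout beyond that, and all of the rows, are constructed sample data.

```python
import sqlite3
from collections import Counter

# Constructed sample rows in the shape of Dionaea's `logins` table. Most
# credentials arrive as TEXT; a few carry bytes that are not valid UTF-8 (or
# embedded NULs) and are stored as BLOB, which is what makes RSQLite warn about
# a mixed-type `login_username` column and coerce the blobs.
SAMPLE_LOGINS = [
    ("sa", ""),
    ("sa", ""),
    ("root", ""),
    ("sa", "123456"),
    (b"\xff\xfeadmin", "admin"),      # BLOB: invalid UTF-8 lead bytes
    (b"\xff\xfeadmin", "admin"),
    ("", ""),
    (b"root\x00", b"toor\x00"),       # BLOB: embedded NUL bytes
]

ALLOWED_COLUMNS = ("login_username", "login_password")


def build_db(rows=SAMPLE_LOGINS):
    """In-memory logins table with untyped credential columns, so SQLite keeps
    whatever storage class each value was inserted with (TEXT or BLOB)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE logins (connection INTEGER, login_username, login_password)"
    )
    con.executemany(
        "INSERT INTO logins (connection, login_username, login_password) "
        "VALUES (1, ?, ?)",
        rows,
    )
    return con


def to_text(value):
    """Render TEXT or BLOB uniformly. Bytes are decoded as UTF-8 where valid and
    invalid sequences become visible \\xNN escapes; control characters are
    escaped the same way so NULs and terminal escapes cannot hide in output.
    Printable non-ASCII (e.g. Cyrillic usernames) is left intact."""
    if value is None:
        return ""
    text = (value.decode("utf-8", errors="backslashreplace")
            if isinstance(value, bytes) else str(value))
    return "".join(
        f"\\x{ord(c):02x}" if ord(c) < 0x20 or ord(c) == 0x7F else c
        for c in text
    )


def column_types(con, column):
    """Storage classes actually present in a credential column, e.g.
    {'text': 5, 'blob': 3}. Identifiers cannot be bound as parameters, so the
    column name is checked against a fixed allow-list before interpolation."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"unexpected column {column!r}")
    rows = con.execute(
        f"SELECT typeof({column}) AS t, COUNT(*) AS n FROM logins GROUP BY t"
    ).fetchall()
    return dict(rows)


def top_credentials(con, n=5):
    """Most common (username, password) pairs after normalising both columns,
    so a BLOB and a TEXT spelling of the same credential count together."""
    counts = Counter()
    for user, pw in con.execute(
        "SELECT login_username, login_password FROM logins"
    ):
        counts[(to_text(user), to_text(pw))] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    con = build_db()
    for column in ALLOWED_COLUMNS:
        print(column, column_types(con, column))
    for (user, pw), count in top_credentials(con):
        print(f"{count:4d}  {user!r:24} {pw!r}")
```

Checking `typeof()` per column first is the quick way to confirm that a warning like the one above really is about storage classes rather than a corrupt database, and the escaped rendering means a credential such as `\xff\xfeadmin` groups the same way on every run instead of depending on how a given reader coerces blobs.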

Tables

Dataset Stats

unified_dataset

Records: 10290143
Data Min: 2022-02-03 11:05:28
Data Max: 2022-08-12 10:59:58

unified_payloads

Records: 24231
Data Min: 2022-02-03 11:11:46
Data Max: 2022-08-12 07:53:11

SIP Sessions

# Both redaction values from redacted/env.R are used as regular expressions
# here: unescaped dots in an IP or subnet prefix match any character. Either
# escape them there, or match the literal honeypot IP with fixed=TRUE.
sip_addrs <- gsub(
    REDACTED_HONEYPOT_IP,
    "##redacted:honeypot-ip##",
    dionaea_sip_addrs$sip_addr_uri_host
)
sip_addrs <- gsub(
    paste0(REDACTED_HONEYPOT_SUBNET, "[0-9\\.]+[0-9]"),
    "##redacted:honeypot-subnet##", sip_addrs
)
table(as.factor(sip_addrs))
## 
##                                                     
##                                                  11 
##                                                \025 
##                                                   3 
##                          !@##redacted:honeypot-ip## 
##                                                   9 
##                       !100@##redacted:honeypot-ip## 
##                                                   3 
##                          "@##redacted:honeypot-ip## 
##                                                  15 
##               \020\030(c˜@##redacted:honeypot-ip## 
##                                                   3 
##                   \020)Q02@##redacted:honeypot-ip## 
##                                                   3 
##                        [20@##redacted:honeypot-ip## 
##                                                  21 
##           {self.extension}@##redacted:honeypot-ip## 
##                                                   1 
##                          }@##redacted:honeypot-ip## 
##                                                  15 
##               @!mighty1107@##redacted:honeypot-ip## 
##                                                  12 
##                     @@@@@@@##redacted:honeypot-ip## 
##                                                   6 
##                       @@@@@##redacted:honeypot-ip## 
##                                                   3 
##                     @@1234@##redacted:honeypot-ip## 
##                                                  12 
##                           @##redacted:honeypot-ip## 
##                                                 177 
##                       \027@##redacted:honeypot-ip## 
##                                                   3 
##                       \031@##redacted:honeypot-ip## 
##                                                   3 
##                       @#$%@##redacted:honeypot-ip## 
##                                                   3 
##                       @123@##redacted:honeypot-ip## 
##                                                   3 
##                     @1234@@##redacted:honeypot-ip## 
##                                                   3 
##                      @1234@##redacted:honeypot-ip## 
##                                                   3 
##                     @12345@##redacted:honeypot-ip## 
##                                                   3 
##                    @123456@##redacted:honeypot-ip## 
##                                                   3 
##               @1ظ\u0080ةYV@##redacted:honeypot-ip## 
##                                                   6 
##                   @bouty0u@##redacted:honeypot-ip## 
##                                                  12 
##                 @dh0c@dm1n@##redacted:honeypot-ip## 
##                                                   9 
##                   @Y*MIYM9@##redacted:honeypot-ip## 
##                                                  12 
##                     \\x10A@##redacted:honeypot-ip## 
##                                                  18 
##            &╦£ظéشظ\u0080آX@##redacted:honeypot-ip## 
##                                                   3 
##                      &$#45@##redacted:honeypot-ip## 
##                                                   3 
##               &ظ\u0080ت#pi@##redacted:honeypot-ip## 
##                                                   3 
##                          #@##redacted:honeypot-ip## 
##                                                 108 
##                       #///@##redacted:honeypot-ip## 
##                                                  12 
##                         ##@##redacted:honeypot-ip## 
##                                                  33 
##                        ###@##redacted:honeypot-ip## 
##                                                  33 
##                       ####@##redacted:honeypot-ip## 
##                                                  33 
##                      #####@##redacted:honeypot-ip## 
##                                                  24 
##                     ######@##redacted:honeypot-ip## 
##                                                   3 
## 21327097  ##redacted:honeypot-ip##
##       12  #=QCr51@##redacted:honeypot-ip##
##        6  #$@##redacted:honeypot-ip##
##        9  #$%!@#$%@##redacted:honeypot-ip##
##       12  #$%^&@##redacted:honeypot-ip##
##        3  #$123456@##redacted:honeypot-ip##
##        3  #$qwer@##redacted:honeypot-ip##
##       12  #000@##redacted:honeypot-ip##
##        3  #100@##redacted:honeypot-ip##
##        3  #123@##redacted:honeypot-ip##
##        3  #1234@##redacted:honeypot-ip##
##        3  #1234#@##redacted:honeypot-ip##
##        3  #12345@##redacted:honeypot-ip##
##        3  #123456@##redacted:honeypot-ip##
##        3  #123456#@##redacted:honeypot-ip##
##       12  #2019@##redacted:honeypot-ip##
##        3  #48@##redacted:honeypot-ip##
##        3  #A2t@##redacted:honeypot-ip##
##        3  #asd@##redacted:honeypot-ip##
##        3  #HSS2@##redacted:honeypot-ip##
##        3  #qw@##redacted:honeypot-ip##
##       12  #SCaribe2019@##redacted:honeypot-ip##
##        3  #xظ\u0080ب'\006@##redacted:honeypot-ip##
##        3  %VG\030\003@##redacted:honeypot-ip##
##        3  $8\aq\021@##redacted:honeypot-ip##
##        3  $a3\005\027@##redacted:honeypot-ip##
##        6  $ظ\u0080بظ\u0080ô2Q@##redacted:honeypot-ip##
##        9  0@##redacted:honeypot-ip##
##        9  00@##redacted:honeypot-ip##
##       12  02122130686@nt@##redacted:honeypot-ip##
##        3  0ظ\u0080ô╦\u0086IF@##redacted:honeypot-ip##
##    25452  1.1.1.1
##       18  1\\
##       18  1\\\\
##       15  100@##redacted:honeypot-ip##
##        3  100#@##redacted:honeypot-ip##
##        3  100#$@##redacted:honeypot-ip##
##        3  100#$100@##redacted:honeypot-ip##
##        3  100#100@##redacted:honeypot-ip##
##        3  1000#@##redacted:honeypot-ip##
##        3  1000#$@##redacted:honeypot-ip##
##        3  10000@##redacted:honeypot-ip##
##        3  10010@##redacted:honeypot-ip##
##        3  100100@##redacted:honeypot-ip##
##        3  100200#@##redacted:honeypot-ip##
##        3  100200#$@##redacted:honeypot-ip##
##        3  1003@##redacted:honeypot-ip##
##        3  1004@##redacted:honeypot-ip##
##        3  1005@##redacted:honeypot-ip##
##        3  1006@##redacted:honeypot-ip##
##        3  1007@##redacted:honeypot-ip##
##        3  1008@##redacted:honeypot-ip##
##        3  1009@##redacted:honeypot-ip##
##        1  101.148.48.168
##        9  101@##redacted:honeypot-ip##
##        3  1010@##redacted:honeypot-ip##
##        6  101101@##redacted:honeypot-ip##
##        3  102@##redacted:honeypot-ip##
##        3  103@##redacted:honeypot-ip##
##        1  104.140.188.10
##        1  104.140.188.18
##        1  104.140.188.2
##        2  104.140.188.30
##        1  104.140.188.34
##        1  104.140.188.38
##        1  104.140.188.6
##        2  104.152.52.251
##        1  104.206.128.2
##        4  104.206.128.22
##        1  104.206.128.26
##        1  104.206.128.34
##        3  104.206.128.38
##        2  104.206.128.50
##        1  104.206.128.70
##        1  104.206.128.78
##        3  104@##redacted:honeypot-ip##
##        3  105@##redacted:honeypot-ip##
##        3  107@##redacted:honeypot-ip##
##        3  11#@##redacted:honeypot-ip##
##        1  115.152.90.218
##       66  123@##redacted:honeypot-ip##
##        3  123#123@##redacted:honeypot-ip##
##        6  123123
##       15  1234@##redacted:honeypot-ip##
##        3  1234#@##redacted:honeypot-ip##
##        3  1234#$@##redacted:honeypot-ip##
##        3  12345 06@##redacted:honeypot-ip##
##        3  12345#@##redacted:honeypot-ip##
##        3  123456#@##redacted:honeypot-ip##
##        3  123456##@##redacted:honeypot-ip##
##       12  125@##redacted:honeypot-ip##
##       51  127.0.0.1
##        1  128.1.248.28
##        1  128.1.248.30
##        1  128.1.248.42
##        1  128.1.248.44
##        2  128.14.141.36
##        1  131.22.119.168
##        3  13227  11@##redacted:honeypot-ip##
##        1  133.170.230.78
##        4  139.59.84.207
##        8  148.26.81
##        3  1539\\t@##redacted:honeypot-ip##
##        1  162.221.192.29
##        1  162.221.192.30
##        1  170.130.187.10
##        1  170.130.187.2
##        2  170.130.187.26
##        2  170.130.187.38
##        1  170.130.187.42
##        1  170.130.187.58
##        2  178.128.241.157
##        1  185.173.35.13
##        1  185.173.35.25
##        1  185.173.35.37
##        1  185.173.35.45
##        1  185.173.35.5
##        1  185.173.35.9
##        3  185.237.216.76
##        3  192.168.1.1
##        1  192.241.196.178
##        1  192.241.200.29
##        1  192.241.202.228
##        1  192.241.202.252
##        1  192.241.204.137
##        1  192.241.204.207
##        1  192.241.204.235
##        1  192.241.204.239
##        1  192.241.204.42
##        1  192.241.206.15
##        1  192.241.206.192
##        1  192.241.206.198
##        1  192.241.206.232
##        1  192.241.206.34
##        1  192.241.206.67
##        1  192.241.206.68
##        1  192.241.207.140
##        1  192.241.207.214
##        2  192.241.207.244
##        1  192.241.208.16
##        1  192.241.208.229
##        1  192.241.208.27
##        1  192.241.208.49
##        1  192.241.208.54
##        1  192.241.208.69
##        1  192.241.208.78
##        1  192.241.209.25
##        1  192.241.209.77
##        1  192.241.209.78
##        1  192.241.211.98
##        1  192.241.212.123
##        1  192.241.212.138
##        1  192.241.212.162
##        1  192.241.212.165
##        2  192.241.212.171
##        1  192.241.212.18
##        1  192.241.212.187
##        1  192.241.212.202
##        1  192.241.212.218
##        2  192.241.212.249
##        1  192.241.212.251
##        1  192.241.212.65
##        1  192.241.212.72
##        1  192.241.212.93
##        1  192.241.212.98
##        1  192.241.213.10
##        1  192.241.213.113
##        1  192.241.213.115
##        1  192.241.213.118
##        1  192.241.213.151
##        1  192.241.213.152
##        1  192.241.213.153
##        1  192.241.213.154
##        1  192.241.213.183
##        1  192.241.213.192
##        1  192.241.213.25
##        1  192.241.213.37
##        1  192.241.213.6
##        1  192.241.213.65
##        1  192.241.213.78
##        1  192.241.213.79
##        1  192.241.213.85
##        1  192.241.213.90
##        1  192.241.214.142
##        1  192.241.214.208
##        1  192.241.214.239
##        2  192.241.214.25
##        1  192.241.214.37
##        1  192.241.214.50
##        1  192.241.214.51
##        1  192.241.214.64
##        2  192.241.215.124
##        1  192.241.215.136
##        1  192.241.215.188
##        1  192.241.215.211
##        1  192.241.215.228
##        1  192.241.215.244
##        1  192.241.216.113
##        1  192.241.216.153
##        1  192.241.216.80
##        1  192.241.216.87
##        1  192.241.217.115
##        1  192.241.217.166
##        1  192.241.218.84
##        1  192.241.218.92
##        1  192.241.219.166
##        1  192.241.219.219
##        1  192.241.219.22
##        1  192.241.219.239
##        1  192.241.219.38
##        1  192.241.219.52
##        1  192.241.219.57
##        1  192.241.219.63
##        1  192.241.219.83
##        1  192.241.219.98
##        1  192.241.220.125
##        1  192.241.220.171
##        1  192.241.220.212
##        1  192.241.220.245
##        1  192.241.220.50
##        1  192.241.220.69
##        1  192.241.221.114
##        1  192.241.221.133
##        1  192.241.221.23
##        1  192.241.221.245
##        1  192.241.221.43
##        1  192.241.222.117
##        1  192.241.222.174
##        1  192.241.222.191
##        1  192.241.222.20
##        1  192.241.222.204
##        1  192.241.222.206
##        1  192.241.222.234
##        1  192.241.222.238
##        1  192.241.222.46
##        1  192.241.222.5
##        1  192.241.222.54
##        1  192.241.222.55
##        1  192.241.222.57
##        1  192.241.222.58
##        1  192.241.223.20
##        1  192.241.223.234
##        1  192.241.223.235
##        1  192.241.223.4
##        1  192.241.223.44
##        1  192.241.224.226
##        1  192.241.224.73
##        1  192.241.225.114
##        1  192.241.225.135
##        1  192.241.225.149
##        1  192.241.225.245
##        1  192.241.225.62
##        1  192.241.225.68
##        1  192.241.235.217
##        1  192.241.235.218
##        1  192.241.236.11
##        1  192.241.236.183
##        1  193.118.53.194
##        1  193.118.53.202
##        3  193.118.53.210
##        1  198.199.115.37
##        1  198.199.119.206
##        1  198.199.94.79
##        3  2001
##       90  2019@##redacted:honeypot-ip##
##      120  2020@##redacted:honeypot-ip##
##       90  2021@##redacted:honeypot-ip##
##        1  206.249.187.212
##        1  210.158.230.116
##        1  223.8.101.9
##        1  23.251.102.75
##        1  23.251.102.77
##        9  23@##redacted:honeypot-ip##
##        1  234.207.217.135
##        1  234.76.12.189
##        3  23456 7@##redacted:honeypot-ip##
##       12  24252628@##redacted:honeypot-ip##
##        1  252.226.121.56
##        4  26.81
##        3  2aظ\u0080ôظ\u0080£ظ\u0080¤@##redacted:honeypot-ip##
##       12  2Txn@##redacted:honeypot-ip##
##       12  313@##redacted:honeypot-ip##
##       12  321@@#@##redacted:honeypot-ip##
##        3  3hظ\u0080ôSy@##redacted:honeypot-ip##
##       12  3W3h%5Exb7ft@##redacted:honeypot-ip##
##        3  3ظ\u0080ت\006\bQ@##redacted:honeypot-ip##
##        3  435˜\004@##redacted:honeypot-ip##
##        1  45.95.147.35
##      114  46.166.160.136
##        3  48bu\003@##redacted:honeypot-ip##
##       12  48k@##redacted:honeypot-ip##
##        3  4H\021\025ظ\u0080ء@##redacted:honeypot-ip##
##        1  5.63.151.100
##        1  5.63.151.104
##       12  5I4$$(2017]11@##redacted:honeypot-ip##
##       24  5ظ\u0080£1Ub@##redacted:honeypot-ip##
##        3  5ظ\u0080ة\025\022R@##redacted:honeypot-ip##
##       18  6╦£TGظ\u0080░@##redacted:honeypot-ip##
##        3  6$3#6@##redacted:honeypot-ip##
##       12  6010@##redacted:honeypot-ip##
##        9  6745@##redacted:honeypot-ip##
##       18  6Tt#ظ\u0084ت@##redacted:honeypot-ip##
##        1  71.6.233.159
##        1  71.6.233.230
##        1  71.6.233.70
##        1  71.6.233.73
##        1  71.6.233.75
##        3  8b#)Y@##redacted:honeypot-ip##
##        3  8ubظ\u0080ôq@##redacted:honeypot-ip##
##        3  8WAظ\u0080£A@##redacted:honeypot-ip##
##        3  8ظ\u0080¤ظ\u0080░V╞ْ@##redacted:honeypot-ip##
##        1  92.118.160.25
##        1  92.118.160.29
##        2  92.118.160.9
##        2  92.118.161.1
##        1  92.118.161.13
##        2  92.118.161.17
##        1  92.118.161.29
##        3  92.118.161.37
##        1  92.118.161.5
##        1  92.118.161.53
##                                         94.102.61.7 
##                                                   1 
##               9Y%Pظ\u0080آ@##redacted:honeypot-ip## 
##                                                   3 
##                                                   a 
##                                                 312 
##                      A"PpB@##redacted:honeypot-ip## 
##                                                   3 
##               A\024\021˜S@##redacted:honeypot-ip## 
##                                                   3 
##                        abc@##redacted:honeypot-ip## 
##                                                   3 
##                       abcd@##redacted:honeypot-ip## 
##                                                   3 
##                Ac\030F\026@##redacted:honeypot-ip## 
##                                                   6 
##                 advoic.com@##redacted:honeypot-ip## 
##                                                   3 
##     aef0WH4TC=43TJGEVR=]GI@##redacted:honeypot-ip## 
##                                                  12 
##                      Ars#h@##redacted:honeypot-ip## 
##                                                   3 
##                                         atlanta.com 
##                                                 194 
##                      Av(€B@##redacted:honeypot-ip## 
##                                                  21 
##                      Av(�B@##redacted:honeypot-ip## 
##                                                   6 
##                                                   b 
##                                                 312 
##                        B#9@##redacted:honeypot-ip## 
##                                                  33 
##             B#ظ\u0080ô\031@##redacted:honeypot-ip## 
##                                                   3 
##                       B`y%@##redacted:honeypot-ip## 
##                                                   3 
##                        bel@##redacted:honeypot-ip## 
##                                                  12 
##                                           censys.io 
##                                                 440 
##                                         chicago.com 
##                                                 582 
##     d93v1#27d8G47d7!166$16@##redacted:honeypot-ip## 
##                                                  12 
##     DG7#^WUg9VpHDF4Oct2018@##redacted:honeypot-ip## 
##                                                  12 
##                                                   E 
##                                                   4 
##                          e@##redacted:honeypot-ip## 
##                                                  12 
##           e4strategies.com@##redacted:honeypot-ip## 
##                                                   3 
##                                                 E8* 
##                                                  12 
##                        EWa@##redacted:honeypot-ip## 
##                                                  12 
##                GBeظ\u0080ô@##redacted:honeypot-ip## 
##                                                   3 
##                                       GhhjY3245*&^( 
##                                                  12 
##             grupotelh{ugia@##redacted:honeypot-ip## 
##                                                  18 
##     H&Wi6qb6"$&QB9tbwt5426@##redacted:honeypot-ip## 
##                                                  12 
##               \027H\005#˜@##redacted:honeypot-ip## 
##                                                   3 
##           ideagroupinc.net@##redacted:honeypot-ip## 
##                                                   3 
##            Itc#3175640016!@##redacted:honeypot-ip## 
##                                                  12 
##       miamitranscoding.com@##redacted:honeypot-ip## 
##                                                   3 
##                        NFH@##redacted:honeypot-ip## 
##                                                  12 
##                                                  nm 
##                                                3195 
##                                                 nm2 
##                                                1994 
##                    ntv2000@##redacted:honeypot-ip## 
##                                                   3 
##                   oCZ!65^V@##redacted:honeypot-ip## 
##                                                  12 
##                        qwe@##redacted:honeypot-ip## 
##                                                   3 
##                                                  sb 
##                                                   2 
##                                                 sb2 
##                                                   2 
##                     sinet8@##redacted:honeypot-ip## 
##                                                  12 
##                        sip@##redacted:honeypot-ip## 
##                                                   3 
##                                         sip5060.net 
##                                                 440 
##                     ssw0rd@##redacted:honeypot-ip## 
##                                                   3 
##                                                test 
##                                                   4 
##                                               test1 
##                                                   2 
##                                               test2 
##                                                   8 
##           \024\006U┬\u0081@##redacted:honeypot-ip## 
##                                                   3 
##                        W#E@##redacted:honeypot-ip## 
##                                                   6 
##                        WQs@##redacted:honeypot-ip## 
##                                                  12 
##                        wsx@##redacted:honeypot-ip## 
##                                                   3 
##                                             x.x.x.x 
##                                                   2 
##                    xe55555@##redacted:honeypot-ip## 
##                                                  12 
##                     y\004b@##redacted:honeypot-ip## 
##                                                   3 
##           zvBE!H]W8vROx4iZ@##redacted:honeypot-ip## 
##                                                  12 
##         \024\025ظ\u0080ةwr@##redacted:honeypot-ip## 
##                                                   3

Ports

# keep only destination ports that were hit at least 9 times
ports_table[ports_table >= 9]
## 
##      21      22      23      42      53      80     135     443     445    1433 
##    9583 1125164  405671     230    6824   38998    3779   15064 2323674  139858 
##    1723    1883    1900    3306    5060    5061    9100   11211   27017   33023 
##    5639    2083 1202421    5512 4898094   69890   11074    2454    8685       9 
##   33045   33419   33473   33621   33995   34093   34271   35293   35453   35873 
##      13       9       9      11      10      10       9       9       9       9 
##   36009   37177   37635   37653   37825   38523   38837   39391   40021   40087 
##       9       9       9      14       9       9      10       9      10       9 
##   41143   41633   41649   41733   42179   42461   42589   43171   44069   44383 
##      12      10       9      10      10      10       9      10      11       9 
##   44663   44755   44793   45271   45383   45915   46069   46257   46741 
##       9       9       9       9       9       9      11       9       9

Countries

# counts per GeoIP source country code, sorted descending
top_countries
## 
##      US      FR      DE      UY      BR      CN      RU      NL      MX      AU 
## 3049438 1961570  801725  665726  664792  446807  378425  306505  191745  158847 
##      GB      VN      PH      LT      TH      HK      KR      IN      PK      TW 
##  133224  116078  115299  110971   89077   88512   80062   80022   61099   47817 
##      FI      PS      AE      MU      TR      CR      SG      ID      VE      JP 
##   46224   46055   43398   38353   32087   31616   30248   29654   20346   19895 
##      LK      ES      BO      CA      IR      PY      EG      SA      AR      CO 
##   18205   17585   17527   16113   14732   14311   13218   13077   11190   10799 
##      IT      PL      UA      GR      SE      KH      MY      BD      PA      LV 
##   10584   10572    9908    9069    8747    6305    6275    6258    3663    3491 
##      MD      KZ      CL      ZA      RO      EC      BG      UZ      ET      CH 
##    3192    3059    2908    2657    2579    2432    2287    2273    2155    2056 
##      PE      IL      MK      HU      SD      GE      PT      TN      BE      KW 
##    2045    1904    1858    1791    1775    1567    1545    1545    1512    1468 
##      KE      CZ      MV      DZ      MN      NG      BY      IQ      HR      DK 
##    1448    1426    1401    1281    1143    1085    1075    1050    1045    1017 
##      NP      AM      NO      QA      JO      AZ      MA      ZM      KM      RS 
##    1016     973     890     695     634     619     602     571     556     546 
##      SK      KG      GT      SN      GH      LB      ZW      MO      SI      DO 
##     543     499     496     487     450     448     441     417     409     395 
##      NZ      UG      AL      IE      BH      BA      AT      BZ      MM      JM 
##     394     385     372     335     324     323     312     292     292     289 
##      SY      MQ      TZ      HN      BW      SC      LA      MT      AO      LS 
##     279     255     246     234     230     225     212     204     174     164 
##      CY      BB      MZ      MW      SR      RW      OM      BN      LR      TT 
##     157     152     151     136     119     109     105      84      77      77 
##      IS      TJ      PG      LU      LY      SL      EE      GN      ME      CM 
##      71      71      66      65      62      60      59      59      59      58 
##      AD      MG      BF      CG      SV      PR      CD      RE      NI      HT 
##      50      47      40      35      35      33      31      30      28      23 
##      BS      SZ      TG      GY      AF      GU      NC      VI      FJ      BV 
##      21      19      18      14      10      10      10      10       9       8 
##      CI      GA      NE      TM      AG      BI      TD      ER      GQ      KY 
##       8       8       8       8       7       7       7       4       4       4 
##      PW      SB      BM      CV      NF      YE      VG      BJ      GI      VU 
##       4       4       3       3       3       3       2       1       1       1

Payloads

ClamAV Results

clamscan_hashes.csv

# number of captured payload hashes per ClamAV detection name ("OK" = no signature match)
table(as.factor(clamscan_hashes$ClamAV))
## 
##                                  Empty file 
##                                           1 
##                     Heuristics.W32.Parite.B 
##                                           1 
##           Multios.Coinminer.Miner-6781728-2 
##                                           3 
##                                          OK 
##                                         527 
##                  Txt.Trojan.XMRig-9915823-0 
##                                           2 
##                Unix.Dropper.Mirai-7135858-0 
##                                           2 
##                Unix.Dropper.Mirai-7135870-0 
##                                           7 
##                Unix.Dropper.Mirai-7135881-0 
##                                           9 
##                Unix.Dropper.Mirai-7135890-0 
##                                          55 
##                Unix.Dropper.Mirai-7135906-0 
##                                           3 
##                Unix.Dropper.Mirai-7135925-0 
##                                           7 
##                Unix.Dropper.Mirai-7135957-0 
##                                           4 
##                Unix.Dropper.Mirai-7135968-0 
##                                           1 
##                Unix.Dropper.Mirai-7136014-0 
##                                           2 
##                Unix.Dropper.Mirai-7136015-0 
##                                           9 
##                Unix.Dropper.Mirai-7136035-0 
##                                           8 
##                Unix.Dropper.Mirai-7136288-0 
##                                           7 
##                Unix.Dropper.Mirai-7138865-0 
##                                          19 
##                Unix.Dropper.Mirai-7139232-0 
##                                           8 
##                Unix.Dropper.Mirai-7171431-0 
##                                           1 
##                Unix.Dropper.Mirai-7341644-0 
##                                           1 
##                Unix.Dropper.Mirai-7355719-0 
##                                           1 
##                Unix.Dropper.Mirai-7816558-0 
##                                           2 
##                Unix.Dropper.Mirai-8011185-0 
##                                           1 
##                Unix.Dropper.Mirai-9961242-0 
##                                           2 
##                Unix.Malware.Agent-7141082-0 
##                                           1 
##                Unix.Malware.Agent-7464514-0 
##                                           1 
##                  Unix.Tool.Dnsamp-7647492-0 
##                                           1 
##                 Unix.Tool.Generic-7660958-0 
##                                           1 
##                Unix.Trojan.Gafgyt-6981154-0 
##                                           4 
##                Unix.Trojan.Gafgyt-6981156-0 
##                                           3 
##                Unix.Trojan.Gafgyt-7641309-0 
##                                           2 
##                Unix.Trojan.Gafgyt-9499853-0 
##                                           1 
##               Unix.Trojan.Generic-9917199-0 
##                                           1 
##                 Unix.Trojan.Mirai-6976991-0 
##                                          25 
##                 Unix.Trojan.Mirai-6981989-0 
##                                          18 
##                 Unix.Trojan.Mirai-7100807-0 
##                                          19 
##                 Unix.Trojan.Mirai-7135937-0 
##                                          12 
##                 Unix.Trojan.Mirai-7138377-0 
##                                           2 
##                 Unix.Trojan.Mirai-7139482-0 
##                                           1 
##                 Unix.Trojan.Mirai-7666587-0 
##                                           3 
##                 Unix.Trojan.Mirai-7669677-0 
##                                           5 
##                 Unix.Trojan.Mirai-7829191-0 
##                                           3 
##                 Unix.Trojan.Mirai-7831925-0 
##                                           1 
##                 Unix.Trojan.Mirai-7846756-0 
##                                           2 
##                 Unix.Trojan.Mirai-7853646-0 
##                                           1 
##                 Unix.Trojan.Mirai-8011183-0 
##                                           2 
##                 Unix.Trojan.Mirai-8026838-0 
##                                           2 
##                 Unix.Trojan.Mirai-9769110-0 
##                                           1 
##                 Unix.Trojan.Mirai-9770090-0 
##                                           1 
##                 Unix.Trojan.Mirai-9853181-0 
##                                           7 
##                 Unix.Trojan.Mirai-9854559-0 
##                                           1 
##                 Unix.Trojan.Mirai-9866113-0 
##                                           1 
##                 Unix.Trojan.Mirai-9894781-0 
##                                           5 
##                 Unix.Trojan.Mirai-9936831-0 
##                                           4 
##                 Unix.Trojan.Mirai-9939496-0 
##                                           1 
##                 Unix.Trojan.Mirai-9940367-0 
##                                           2 
##                 Unix.Trojan.Mirai-9942909-0 
##                                           7 
##                 Unix.Trojan.Mirai-9943114-0 
##                                           7 
##                 Unix.Trojan.Mirai-9948345-0 
##                                           5 
##                 Unix.Trojan.Mirai-9949346-0 
##                                           5 
##                 Unix.Trojan.Mirai-9949755-0 
##                                           1 
##                 Unix.Trojan.Mirai-9950082-0 
##                                          10 
##                 Unix.Trojan.Mirai-9950937-0 
##                                           1 
##                 Unix.Trojan.Mirai-9954198-0 
##                                          20 
##                 Unix.Trojan.Mirai-9954878-0 
##                                          12 
##                 Unix.Trojan.Mirai-9955102-0 
##                                           6 
##                 Unix.Trojan.Mirai-9955243-0 
##                                           6 
##                 Unix.Trojan.Mirai-9956602-0 
##                                           9 
##                  Unix.Trojan.Mozi-9840825-0 
##                                           1 
##               Unix.Trojan.Muhstik-7555544-0 
##                                           3 
##                 Unix.Trojan.Spike-6301360-0 
##                                           1 
##               Unix.Trojan.Tsunami-6981155-0 
##                                          13 
##               Unix.Trojan.Tsunami-9845728-0 
##                                           2 
##               Unix.Trojan.Tsunami-9869508-0 
##                                           2 
## Win.Downloader.Regsvr32Unregister-6335678-1 
##                                           1 
##            Win.Downloader.Webdown-9850242-0 
##                                           2 
##             Win.Downloader.Zegost-6484584-1 
##                                           1 
##             Win.Dropper.DarkKomet-9370806-0 
##                                          78 
##              Win.Dropper.Gh0stRAT-6997745-0 
##                                           6 
##              Win.Dropper.Gh0stRAT-7696262-0 
##                                           1 
##              Win.Dropper.Gh0stRAT-9792320-0 
##                                           1 
##               Win.Exploit.Generic-9685083-0 
##                                           2 
##              Win.Malware.A0jb20mi-9815631-0 
##                                           9 
##                 Win.Malware.Agent-6404242-0 
##                                           1 
##             Win.Malware.Blouiroet-9785356-0 
##                                           1 
##               Win.Malware.Johnnie-6858836-0 
##                                           4 
##                 Win.Malware.Mikey-9917879-0 
##                                           2 
##                 Win.Malware.Nitol-6802818-0 
##                                           2 
##              Win.Malware.Redosdru-9770864-0 
##                                           1 
##                Win.Malware.Siscos-6993581-0 
##                                           2 
##                  Win.Malware.Temr-7070541-0 
##                                           4 
##                 Win.Packed.Esfury-7649595-0 
##                                           1 
##              Win.Ransomware.Wanna-9769986-0 
##                                        1763 
##                         Win.Spyware.78857-1 
##                                           2 
##                  Win.Trojan.Agent-6352691-0 
##                                           1 
##                  Win.Trojan.Agent-6368865-0 
##                                           1 
##                  Win.Trojan.Agent-6429662-0 
##                                           1 
##                  Win.Trojan.Agent-6441339-0 
##                                           1 
##                  Win.Trojan.Agent-6442363-0 
##                                           1 
##                  Win.Trojan.Agent-6479271-0 
##                                           1 
##                  Win.Trojan.Agent-6479896-0 
##                                           1 
##                  Win.Trojan.Agent-6486397-0 
##                                           1 
##                  Win.Trojan.Agent-6497970-0 
##                                           1 
##                  Win.Trojan.Agent-6501829-0 
##                                           1 
##                  Win.Trojan.Agent-6501842-0 
##                                           1 
##                  Win.Trojan.Agent-6503241-0 
##                                           1 
##                  Win.Trojan.Agent-6505036-0 
##                                           1 
##                  Win.Trojan.Agent-6515213-0 
##                                           1 
##                  Win.Trojan.Agent-6549573-0 
##                                           1 
##                  Win.Trojan.Agent-6562448-0 
##                                           1 
##                  Win.Trojan.Agent-6563389-0 
##                                           1 
##                  Win.Trojan.Agent-6565223-0 
##                                           1 
##                  Win.Trojan.Agent-6568811-0 
##                                           1 
##                  Win.Trojan.Agent-6570622-0 
##                                           1 
##                  Win.Trojan.Agent-6576247-0 
##                                           1 
##                  Win.Trojan.Agent-6580643-0 
##                                           1 
##                  Win.Trojan.Agent-6580684-0 
##                                           1 
##                  Win.Trojan.Agent-6581489-0 
##                                           1 
##                  Win.Trojan.Agent-6582841-0 
##                                           1 
##                  Win.Trojan.Agent-6584103-0 
##                                           1 
##                  Win.Trojan.Agent-6598660-0 
##                                           1 
##                  Win.Trojan.Agent-6602038-0 
##                                           1 
##                  Win.Trojan.Agent-6621055-0 
##                                           1 
##                  Win.Trojan.Agent-6625054-0 
##                                           1 
##                  Win.Trojan.Agent-6639407-0 
##                                           1 
##                  Win.Trojan.Agent-6640099-0 
##                                           1 
##                  Win.Trojan.Agent-6640474-0 
##                                           1 
##                  Win.Trojan.Agent-6645561-0 
##                                           1 
##                  Win.Trojan.Agent-6645965-0 
##                                           1 
##                  Win.Trojan.Agent-6646417-0 
##                                           1 
##                  Win.Trojan.Agent-6647257-0 
##                                           1 
##                  Win.Trojan.Agent-6666738-0 
##                                           1 
##                  Win.Trojan.Agent-6691585-0 
##                                           1 
##                  Win.Trojan.Agent-6744015-0 
##                                           1 
##                 Win.Trojan.Farfli-7639977-0 
##                                           2 
##                 Win.Trojan.Farfli-9831481-0 
##                                           1 
##                       Win.Trojan.IRCBot-785 
##                                           3 
##                    Win.Trojan.MSShellcode-7 
##                                           2 
##                          Win.Trojan.Perl-35 
##                                           1 
##                           Win.Trojan.Spy-16 
##                                           1 
##                 Win.Trojan.Zegost-7007928-0 
##                                           1 
##                 Win.Trojan.Zegost-8369819-0 
##                                           1

File Types

# collapse the file(1) type string to the text before its first comma,
# so architecture/linking variants of e.g. "ELF 32-bit LSB executable" count as one bucket
table(as.factor(sub("^([^,]+),.*$", "\\1", clamscan_hashes$File.Type, perl=TRUE)))
## 
##                                                                     ASCII text 
##                                                                             96 
##                                              Audio file with ID3 version 2.3.0 
##                                                                              1 
##                                                      Bourne-Again shell script 
##                                                                             64 
##                                                                           data 
##                                                                            197 
##                                                      ELF 32-bit LSB executable 
##                                                                            329 
##                                                   ELF 32-bit LSB shared object 
##                                                                              1 
##                                                      ELF 32-bit MSB executable 
##                                                                            117 
##                                                      ELF 64-bit LSB executable 
##                                                                             38 
##                                                  ELF 64-bit LSB pie executable 
##                                                                              4 
##                                                   ELF 64-bit LSB shared object 
##                                                                              2 
##                                                      ELF 64-bit MSB executable 
##                                                                              1 
##                                                                          empty 
##                                                                              1 
##                                                         exported SGML document 
##                                                                              1 
##                                                                 GIF image data 
##                                                                             16 
##                                                           gzip compressed data 
##                                                                              4 
##                                                                  HTML document 
##                                                                             14 
##                                                                  ISO-8859 text 
##                                                                              1 
##                                                                JPEG image data 
##                                                                              1 
##                                                                      JSON data 
##                                                                              3 
##                                     MS Windows COFF Motorola 68000 object file 
##                                                                              1 
## MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB) 
##                                                                              1 
##                                                             OpenPGP Secret Key 
##                                                                              1 
##                                                         OpenSSH RSA public key 
##                                                                              3 
##                                          PE32 executable (console) Intel 80386 
##                                                                              5 
##                       PE32 executable (console) Intel 80386 Mono/.Net assembly 
##                                                                              1 
##                                        PE32 executable (DLL) (GUI) Intel 80386 
##                                                                           1908 
##                                              PE32 executable (GUI) Intel 80386 
##                                                                             35 
##                                              PE32+ executable (console) x86-64 
##                                                                              1 
##                                                    Perl script text executable 
##                                                                              4 
##                                                                     PHP script 
##                                                                              1 
##                                                             POSIX shell script 
##                                                                              1 
##                                                     very short file (no magic) 
##                                                                              1 
##                                                               XML 1.0 document 
##                                                                              9 
##                                                               Zip archive data 
##                                                                              1

Passwords

Top SSH Usernames and Passwords

write.csv(top_ssh_unpw, "unpw_ssh.csv", row.names=FALSE)

unpw_ssh.csv

print(head(top_ssh_unpw, n=100), row.names=FALSE)
##   Username                 Password  Count
##       user                     user 151076
##       root                     root  21294
##      admin                    admin  19411
##    support                  support   5113
##       user                        1   4027
##       root                 password   3219
##     oracle                   oracle   2572
##      nproc                    nproc   2535
##        123                      123   2034
##      admin                            1095
##         pi                raspberry    715
##       root                    admin    678
##       root                   123456    650
##       test                     test    642
##         pi raspberryraspberry993311    602
##     ubuntu                   ubuntu    596
##       root                    12345    511
##   postgres                 postgres    429
##      admin                     1234    406
##       root                123456789    401
##       root                 12345678    398
##       ubnt                     ubnt    374
##        git                      git    365
##       root                 1qaz@WSX    361
##      user1                    user1    342
##       root                        1    341
##       user                   123456    340
##       root                 admin123    336
##    ansible                  ansible    332
##    ftpuser                  ftpuser    330
##       root               1234567890    325
##        ftp                      ftp    322
##       root                     1234    317
##       root                             306
##       root                  root123    301
##       root                     toor    298
##      guest                    guest    286
##   testuser                 testuser    280
##       root                      eve    276
##       root                     test    270
##       root                 P@ssw0rd    263
##      admin                  admin01    259
##    jenkins                  jenkins    254
##     zabbix                   zabbix    250
##       root                      123    241
##       root                 !QAZ2wsx    240
##     client                   client    240
##     server                   server    240
##       root                   redhat    238
##       root                 1qaz2wsx    233
##       user                     1234    227
##       root                        0    223
##       root                        @    220
##        dev                      dev    220
##       root                Admin@123    217
##     system                   system    215
##      admin                 password    213
##     butter                 xuelp123    202
##      admin         0l0ctyQh243O63uD    198
##     system           OkwKcECs8qJP2Z    193
##       root                 p@ssw0rd    187
##       root                   111111    178
##       root             password@123    178
##       odoo                     odoo    175
##        www                      www    174
##      admin                   123456    173
##     hadoop                   hadoop    170
##       root                 root@123    170
##       root                   centos    169
##       root                 1q2w3e4r    167
##         mc                       mc    164
##  teamspeak                teamspeak    161
##       root                   123123    160
##    ansible                   123456    160
##       root                 1qaz@wsx    160
##       demo                     demo    160
##      mysql                    mysql    160
##       root                  abc.123    159
##       user                    12345    155
##        ts3                      ts3    155
##       root                  1234567    154
##       root                   abc123    152
##    ossuser             Changeme_123    152
##    student                  student    152
##       root                   qwerty    148
##     centos                   centos    145
##   weblogic                 weblogic    145
##       root                  default    142
##       root               Huawei12#$    142
##      admin                admin1234    141
##       root                   qwe123    141
##       test                  test123    141
##     tomcat                   tomcat    141
##       root                   1q2w3e    138
##      admin                    bosco    138
##       user                      123    136
##       root                admin@123    136
##       root                 passw0rd    136
##      admin                      123    134
##   webadmin                 webadmin    134

Top Other Usernames and Passwords

write.csv(top_other_unpw, "unpw_other.csv", row.names=FALSE)

unpw_other.csv

print(head(top_other_unpw, n=100), row.names=FALSE)
##   Username                  Password Count
##         sa                            5941
##                                       2962
##       root                            1806
##         sa                    123456   889
##         sa                      1234   667
##         sa                  !QAZ2wsx   634
##         sa                  1qaz2wsx   519
##         sa                     12345   490
##         sa                       123   454
##         sa                  12345678   412
##         sa                  password   385
##         sa                 123456789   381
##         sa                         1   365
##         sa                    abc123   348
##         sa                  Aa123456   339
##         sa                 admin@123   330
##         sa                        sa   326
##         sa                    000000   321
##         sa  ^_^$$wanniMaBI:: 1433 vl   318
##      admin                             315
##         sa                  1qaz!QAZ   311
##         sa                 ABCabc123   311
##         sa                      sasa   311
##         sa                      1111   297
##         sa                    123123   276
##  anonymous                anonymous@   272
##         sa                  sa123456   253
##         sa                    112233   242
##         sa                    123321   242
##         sa                    qwerty   235
##         sa                 !@#123qwe   234
##         sa                    111111   233
##         sa                   saadmin   231
##         sa                 111111111   230
##         sa                  88888888   228
##         sa                 123123123   226
##         sa                    654321   226
##         sa                    888888   224
##         sa                1234567890   220
##         sa                qwertyuiop   220
##         sa                123456789a   217
##         sa                   123456a   217
##         sa                  1q2w3e4r   216
##         sa                   5201314   216
##         sa                a123456789   216
##         sa                  baseball   216
##         sa                    qwe123   216
##         sa                   welcome   216
##         sa                  !@#$%^&*   215
##         sa                    dragon   214
##         sa                    666666   213
##         sa                   a123456   213
##         sa                  football   213
##         sa                    monkey   213
##         sa                 password1   213
##         sa                  sunshine   213
##         sa                  iloveyou   211
##         sa                     sa123   211
##         sa                  princess   210
##         sa                   sql2005   209
##         sa                    123qwe   208
##         sa                  aa123456   207
##         sa                homelesspa   207
##         sa                  passw0rd   207
##         sa                       abc   206
##         sa                   charlie   206
##         sa                    sa2008   206
##         sa                1q2w3e4r5t   205
##         sa                   sql2008   205
##         sa                     admin   204
##         sa               sqlpassword   204
##         sa                Aa12345678   202
##         sa                   abcdefg   201
##         sa                   A123456   200
##         sa  4yqbm4,m`~!@~#$%^&*(),.;   199
##         sa 4yqbm4,m`~!@~#$%^&*(),.;    199
##         sa                sapassword   199
##         sa       ksa8hd4,m@~#$%^&*()   194
##         sa                   letmein   182
##         sa                  @dmin123   180
##  anonymous            qwert@qwert.ru   174
##         sa                      0000   160
##     mssqla                  1qaz2wsx   153
##         sa                         0   150
##         sa                    sasasa   149
##         sa                  admin123   148
##         sa                   sqlpass   148
##         sa                   sa12345   146
##      usera                  1qaz2wsx   145
##         sa                    sql123   145
##         sa                 Admin@123   143
##         sa                  database   143
##         sa                  p@ssword   143
##         sa                   sql2000   143
##         sa                   sql2010   143
##         sa                   123@qwe   142
##         sa                  123456@a   141
##         sa                   adminsa   141
##         sa                  1qaz@WSX   134
##         sa                    525464   134

Top Passwords

top_passwords <- rbind(top_ssh_unpw, top_other_unpw)
agg_top_pw <- aggregate(Count ~ Password, data=top_passwords, FUN=sum)
agg_top_pw <- agg_top_pw[order(-agg_top_pw$Count),]
print(head(agg_top_pw, n=100), row.names=FALSE)
##                  Password  Count
##                      user 151692
##                    123456  34064
##                      root  25839
##                     admin  22637
##                            13115
##                       123  13107
##                  password  12083
##                         1   8387
##                      1234   7156
##                     12345   5454
##                   support   5370
##                  12345678   3704
##                      test   3618
##                 123456789   2859
##                    oracle   2707
##                     nproc   2535
##                  1qaz2wsx   2355
##                    123123   2311
##                    qwerty   2275
##                    111111   2086
##                  P@ssw0rd   1906
##                    abc123   1872
##                  1q2w3e4r   1799
##                   test123   1549
##                  admin123   1523
##                  p@ssw0rd   1475
##                1234567890   1459
##                  passw0rd   1435
##                      pass   1394
##                    123321   1391
##                  !QAZ2wsx   1350
##                    qwe123   1310
##                    123qwe   1287
##                  1qaz@WSX   1268
##                         a   1199
##                   1234567   1194
##                    654321   1051
##               password123   1039
##                      1111    999
##                    000000    979
##                 raspberry    952
##                  changeme    898
##                 admin@123    870
##                 password1    862
##                  q1w2e3r4    856
##                  Passw0rd    841
##                   welcome    824
##                    ubuntu    811
##                 qwerty123    809
##                    1q2w3e    745
##                  Aa123456    707
##                        12    704
##                      0000    697
##                       321    680
##                 123123123    679
##                    server    676
##                      toor    671
##                         0    668
##                  1qaz!QAZ    666
##                qwertyuiop    656
##                   pass123    645
##                       ftp    639
##                  qwer1234    638
##                    passwd    624
##                  Pa$$w0rd    617
##                   letmein    616
##                      ubnt    609
##                1q2w3e4r5t    604
##                    666666    604
##  raspberryraspberry993311    602
##                 ABCabc123    579
##                     guest    573
##                  P@ssword    572
##                  p@ssword    570
##                       abc    567
##                 Admin@123    562
##                    112233    553
##                    888888    551
##                   root123    548
##               Password123    545
##                    system    535
##                    q1w2e3    531
##                  Password    530
##                    qazwsx    516
##                   abc@123    508
##                   ftpuser    503
##                  P@$$w0rd    501
##                  abcd1234    499
##                  postgres    499
##              password@123    493
##                  P@55w0rd    489
##                    redhat    485
##                        sa    483
##             administrator    471
##                  88888888    467
##                     user1    465
##                  Admin123    459
##                   default    459
##                  1234qwer    455
##                       git    455

Maps // Plots

Connections World Map

g <- world_mapper(country_code_cleanup(unified_dataset$Country.Code))
g <- g + labs(title="CO.UA Honeypot: Total Incoming Connections", x="", y="")
g <- g + scale_fill_continuous(low="#000030", high="#0000E0", guide="colorbar")
g

plot of chunk world_map

Payloads World Map

g <- world_mapper(country_code_cleanup(unified_payloads$Country.Code))
g <- g + labs(title="CO.UA Honeypot: Received Payloads", x="", y="")
g <- g + scale_fill_continuous(low="#300000", high="#E00000", guide="colorbar")
g

plot of chunk payloads_map

Plot Established Sessions by Country

agg_countries_top$Count <- agg_countries_top$Count/1000
g <- ggplot(agg_countries_top,
    aes(x=Connection.Start.NoTime, y=Count, fill=Country.Name)
)
g <- g + labs(
    title="CO.UA Honeypot: Established Sessions by Country",
    fill="Country", x="", y="Sessions (thousands)"
)
g <- g + scale_fill_manual(values=plot_colors)
g <- anot_rect(g, agg_countries_top, "Count", "Connection.Start.NoTime")
g <- g + geom_bar(stat="identity", width=1)
g <- annotations(g, agg_countries_top, "Count", "Connection.Start.NoTime")
g <- g + theme_honeypot()
g

plot of chunk plot_countries

Plot Established Sessions by Port Number

agg_dstports_top$Count <- agg_dstports_top$Count/1000
g <- ggplot(agg_dstports_top,
    aes(x=Connection.Start.NoTime, y=Count, fill=Local.Port)
)
g <- g + labs(
    title="CO.UA Honeypot: Established Sessions by Port Number",
    fill="Incoming Port", x="", y="Sessions (thousands)"
)
g <- g + scale_fill_manual(values=plot_colors)
g <- anot_rect(g, agg_dstports_top, "Count", "Connection.Start.NoTime")
g <- g + geom_bar(stat="identity", width=1)
g <- annotations(g, agg_dstports_top, "Count", "Connection.Start.NoTime")
g <- g + theme_honeypot()
g

plot of chunk plot_dstports_top

Note the uptick in traffic on port 5060 after 2022-02-25. That port is SIP, the signaling protocol behind VoIP, LTE voice, and other wireless and communications services.

Update: Who cares about 2022-02-25??!? The SIP traffic on 2022-03-07 broke my scale!

Update: Glad to see on 2022-03-17 that the SIP traffic has died down. Not sure if that's because it was noticed or not. I will say that the amount of storage it was using was ridiculous, and I can't even list the directory contents for those dates because of how many SipSession files exist in those directories. Insane quantities of repetitive data; thankfully it compresses nicely. Hopefully that attack didn't do much disruption to communications.

I have also checked and SIP is still open and receiving much smaller quantities of traffic, so it's not from the hosting provider this time, these hosts look to have been handled directly or something. I have no idea what happened.

Payloads by Country

g <- ggplot(agg_payloads_cntry_top,
    aes(x=Connection.Start.NoTime, y=Count, fill=Country.Name)
)
g <- g + labs(
    title="CO.UA Honeypot: Payloads by Country",
    fill="Country", x="", y=""
)
g <- g + scale_fill_manual(values=plot_colors)
# annotation rectangle sized from the payload data actually being plotted
g <- anot_rect(g, agg_payloads_cntry_top, "Count", "Connection.Start.NoTime")
g <- g + geom_bar(stat="identity", width=1)
g <- payload_annotations(g,
    agg_payloads_cntry_top, "Count", "Connection.Start.NoTime"
)
g <- g + theme_honeypot()
g
## Warning: Removed 3 rows containing missing values (position_stack).

plot of chunk plot_payloads_cntry

Looking directly at Russia, their segment is noticeably large. The simultaneous drop-off on 2022-02-21 suggests that the other traffic is them as well. There's no real way to tell if they are just using proxies/VPNs or something.

The USA traffic is noticeably large as well initially. I think they pulled some Manchurian Candidate stuff with some Microsoft cloud instances as you'll see below. Took some time, but Microsoft seems to have gotten a lot of it under control (as did some other cloud service providers, I don't want to single Microsoft out here but damn did they get targeted).
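As an added check (example code, not part of the original analysis) for the "simultaneous drop-off" reasoning used here and again for the 2022-03-12 drop below: it pivots a frame shaped like agg_countries_top into a day-by-country matrix and measures how closely each country's day-over-day change tracks a reference country. The sample rows are constructed for illustration, not honeypot data.

```r
# Added example (not part of the original analysis): test the "simultaneous
# drop-off" argument numerically instead of by eye. Column names follow the
# page's aggregate frames (Connection.Start.NoTime, Country.Name, Count); the
# sample rows below are constructed for illustration, not honeypot data.

shared_dropoffs <- function(df, reference, drop_frac=0.5) {
    # day x country matrix of session counts (days without rows become 0)
    m <- unclass(xtabs(Count ~ Connection.Start.NoTime + Country.Name, data=df))
    if (!(reference %in% colnames(m))) stop("reference country not in data")
    if (nrow(m) < 3) stop("need at least three days to compare changes")

    # day-over-day ratio; the +1 keeps days with zero sessions finite
    ratio <- (m[-1, , drop=FALSE] + 1) / (m[-nrow(m), , drop=FALSE] + 1)
    others <- setdiff(colnames(ratio), reference)
    ref <- ratio[, reference]

    # how closely each other country's log-change tracks the reference
    cors <- sapply(others, function(cc) cor(log(ref), log(ratio[, cc])))

    # days on which the reference fell to <= drop_frac of the day before,
    # and which other countries fell at least that sharply on the same day
    drop_days <- rownames(ratio)[ref <= drop_frac]
    shared <- lapply(drop_days, function(d) others[ratio[d, others] <= drop_frac])
    names(shared) <- drop_days

    list(correlation=cors, shared_drops=shared)
}

# constructed sample: three countries collapse together on 2022-02-21,
# one moves independently
dates <- as.character(seq(as.Date("2022-02-18"), as.Date("2022-02-24"), by="day"))
sample_sessions <- data.frame(
    Connection.Start.NoTime=rep(dates, times=4),
    Country.Name=rep(c("Russia", "United States", "Netherlands", "China"), each=7),
    Count=c(
        40, 44, 42,  8,  7,  9,  8,   # Russia: collapses on 2022-02-21
        20, 22, 21,  4,  5,  4,  5,   # United States: same collapse
        10, 11, 12,  2,  2,  3,  2,   # Netherlands: same collapse
        15, 14, 16, 15, 17, 14, 16    # China: steady, moves independently
    ),
    stringsAsFactors=FALSE
)

res <- shared_dropoffs(sample_sessions, reference="Russia")
print(round(res$correlation, 2))
print(res$shared_drops)
```

Co-movement across countries is consistent with shared control, but it is also exactly what a collector-side outage produces (compare the cowrie failure noted later), so it supports the inference only once local causes are ruled out.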

Payloads by Port Number

g <- ggplot(agg_payloads_dstports_top,
    aes(x=Connection.Start.NoTime, y=Count, fill=Local.Port)
)
g <- g + labs(
    title="CO.UA Honeypot: Payloads by Port Number",
    fill="Incoming Port", x="", y=""
)
g <- g + scale_fill_manual(values=plot_colors)
# annotation rectangle sized from the payload data actually being plotted
g <- anot_rect(g, agg_payloads_dstports_top, "Count", "Connection.Start.NoTime")
g <- g + geom_bar(stat="identity", width=1)
g <- payload_annotations(g,
    agg_payloads_dstports_top, "Count", "Connection.Start.NoTime"
)
g <- g + theme_honeypot()
g

plot of chunk plot_payloads_dstports

Payloads 2022-03-10 // 2022-03-11 Investigation

Payloads on 2022-03-10 and 2022-03-11 are noticeably large as well, and coming from the US. Most likely a botnet waking up to attack after Russia has been cut off from Cogent, Lumen, and other ISPs.

The coordinated drop-off on 2022-03-12 between Russia AND all other countries yet again suggests these botnets are controlled by the same individuals/organizations. What caused the drop-off could be anything: their infrastructure getting taken out by nation-states or hacktivists, or them choosing to turn the spigot off. It's most likely their choice with this many hosts.

Update: That last paragraph turned out to be incorrect speculation. All SMB (port 445) traffic was blocked at the hosting provider upon further examination. This is definitely a good call by them, as this is the main source of malware dumps and, as noted down below, there was at least one other host inside of their network that managed to get compromised with some form of a WannaCry variant. This will make the payloads graph mostly useless going forward, and I'll probably tail that off as that's not really relevant anymore. I'll keep collecting payloads from other ports and honeypot daemons, but the visual drop-off is quite obviously significant on blocking SMB traffic, and if any organization wants to protect against ransomware, the number one thing is to secure, firewall, and protect any and all SMB traffic and daemons you are using.

Update: Guess I'm not going to tail this off, there's still plenty to graph it just looked like it was going to drop to almost nothing.

Update: Yet again, a misread on the situation. As you can see, SMB wasn't actually blocked; it was blocked for the incoming connections to a certain VPN that I was using, which is a commonly used VPN provider. I'm guessing that the VPN provider has traffic from someone using it to spam SMB malware and is tagged as malicious, and this hosting provider is using one of those blocklists. When I portscanned, it was showing up as a blocked port.

I only realized this when the non-standard port I was using to offload this data from the honeypot got blocked. It is used for nothing normally, and a subsequent portscan showed most ports being blocked off. I switched VPN hosts, and the port opened back up, and so did SMB. Afterwards, I thought to make the payloads by port number graph to check, and lo and behold, the graph shows that SMB traffic never ceased. Basically, just ignore most of the big block text written by me because 99% of it is just ridiculous or wrong. Even this sentence and the last one. I don't even know what's going on anymore.

The real drop in traffic appears to be because I have too much on my plate and didn't notice the cowrie process die on the system. I thought I was paying closer attention after the dionaea failure at the beginning of collection, but apparently not. Oops.

Back to the payload increase, let's look at those hosts:

payload_attack_20220310 <- unified_payloads[
    (as.character(unified_payloads$Connection.Start.NoTime) == "2022-03-10" |
    as.character(unified_payloads$Connection.Start.NoTime) == "2022-03-11") &
    !grepl(paste0("^", REDACTED_HONEYPOT_SUBNET), unified_payloads$Remote.Host),
]
tab_payload_attack_20220310 <- table(as.factor(payload_attack_20220310$Remote.Host))
tab_payload_attack_20220310[tab_payload_attack_20220310 > 2]
## 
## 143.198.77.103  194.31.98.122  194.31.98.246   195.2.239.27  20.115.110.73 
##             15             27              4             27             27 
##  20.116.105.72   20.118.171.1 20.150.151.233  20.200.223.84  20.214.168.59 
##             27             54             27             27             54 
##   20.216.16.28   20.222.16.64  20.222.37.249   20.53.15.254  20.73.164.164 
##             27             24             27             27             27 
##   20.89.234.17  20.89.236.220  20.91.248.101  211.72.43.163   23.97.67.249 
##             27             24             16              6             27 
##  23.98.142.138   40.74.73.139   51.107.78.98  51.107.82.193  52.161.86.181 
##             27             27             41             27             27 
##   52.224.4.156   74.62.127.47 
##             27              4

When looking at these, most seem like Microsoft cloud instances, a couple are Russian hosts, and a couple are from the Netherlands (easy VPNs likely), but this one stands out:

$ whois 74.62.127.47
NetRange:       74.62.127.0 - 74.62.127.63
CIDR:           74.62.127.0/26
NetName:        NET-74-62-127-0-1
NetHandle:      NET-74-62-127-0-1
Parent:         RCWE (NET-74-62-0-0-1)
NetType:        Reassigned
OriginAS:
Customer:       ME- BONNER SPRINGS HIGH SCHOOL (C07173788)
RegDate:        2018-10-26
Updated:        2018-10-26
Ref:            https://rdap.arin.net/registry/ip/74.62.127.0


CustName:       ME- BONNER SPRINGS HIGH SCHOOL
Address:        100 N. MCDANIELD
City:           BONNER SPRINGS
StateProv:      KS
PostalCode:     66012
Country:        US
RegDate:        2018-10-26
Updated:        2018-10-26
Ref:            https://rdap.arin.net/registry/entity/C07173788

This really seems like exclusively compromised botnet traffic, given that these are full, identifiable payloads that were dumped on this server.

Let's look at those payloads:

payinvst_urls_74.62.127.47
##       cnt                           download_url
## 1  355632                                       
## 2    2640                    smb://211.72.43.163
## 3    1200        http://185.156.72.4:47487/s.exe
## 4     288         http://185.156.72.4:4773/s.exe
## 5     288         http://185.156.72.4:4784/s.exe
## 6     288 http://185.156.72.4:573/LinkOpener.exe
## 7     144   http://185.156.72.4:13978/exiles.exe
## 8     144        http://185.156.72.4:14758/s.exe
## 9     144     http://185.156.72.4:745/exiles.exe
## 10    144  http://holl.f3322.net:8888/Server.exe
## 11     48        http://103.200.31.97/libcef.exe
## 12     48                  smb://187.193.180.215
## 13 108144                                       
## 14   1392                    smb://85.246.80.143
## 15     72      http://185.199.224.210:7845/s.exe
## 16 222900                                       
## 17    600    http://106.126.3.206:680/server.exe
## 18    240  http://185.199.224.190:7785/AV520.exe
## 19    120        http://112.30.131.72:6745/s.exe
## 20    120     http://185.199.224.190:18888/s.exe
## 21    120 http://221.229.215.227:9091/LSrust.exe
payinvst_mrgtmp <- merge(
    payinvst_cnt_74.62.127.47, clamscan_hashes,
    by.x="download_md5_hash", by.y="Hash.MD5",
    all.x=TRUE
)
table(as.factor(payinvst_mrgtmp$ClamAV))
## 
##                     Heuristics.W32.Parite.B 
##                                           1 
##                                          OK 
##                                          41 
## Win.Downloader.Regsvr32Unregister-6335678-1 
##                                           3 
##            Win.Downloader.Webdown-9850242-0 
##                                           3 
##             Win.Dropper.DarkKomet-9370806-0 
##                                         104 
##              Win.Dropper.Gh0stRAT-7696262-0 
##                                           1 
##               Win.Exploit.Generic-9685083-0 
##                                           2 
##              Win.Malware.A0jb20mi-9815631-0 
##                                          16 
##                 Win.Malware.Agent-6404242-0 
##                                           3 
##             Win.Malware.Blouiroet-9785356-0 
##                                           2 
##                 Win.Malware.Mikey-9917879-0 
##                                           3 
##                 Win.Packed.Esfury-7649595-0 
##                                           1 
##              Win.Ransomware.Wanna-9769986-0 
##                                        2234 
##                         Win.Spyware.78857-1 
##                                           2 
##                  Win.Trojan.Agent-6352691-0 
##                                           1 
##                  Win.Trojan.Agent-6368865-0 
##                                           1 
##                  Win.Trojan.Agent-6429662-0 
##                                           1 
##                  Win.Trojan.Agent-6441339-0 
##                                           1 
##                  Win.Trojan.Agent-6442363-0 
##                                           3 
##                  Win.Trojan.Agent-6479271-0 
##                                           3 
##                  Win.Trojan.Agent-6479896-0 
##                                           1 
##                  Win.Trojan.Agent-6486397-0 
##                                           3 
##                  Win.Trojan.Agent-6497970-0 
##                                           2 
##                  Win.Trojan.Agent-6501829-0 
##                                           1 
##                  Win.Trojan.Agent-6501842-0 
##                                           3 
##                  Win.Trojan.Agent-6503241-0 
##                                           2 
##                  Win.Trojan.Agent-6505036-0 
##                                           1 
##                  Win.Trojan.Agent-6515213-0 
##                                           3 
##                  Win.Trojan.Agent-6549573-0 
##                                           2 
##                  Win.Trojan.Agent-6562448-0 
##                                           1 
##                  Win.Trojan.Agent-6563389-0 
##                                           1 
##                  Win.Trojan.Agent-6565223-0 
##                                           1 
##                  Win.Trojan.Agent-6568811-0 
##                                           1 
##                  Win.Trojan.Agent-6570622-0 
##                                           1 
##                  Win.Trojan.Agent-6576247-0 
##                                           2 
##                  Win.Trojan.Agent-6580643-0 
##                                           2 
##                  Win.Trojan.Agent-6580684-0 
##                                           2 
##                  Win.Trojan.Agent-6581489-0 
##                                           1 
##                  Win.Trojan.Agent-6582841-0 
##                                           3 
##                  Win.Trojan.Agent-6584103-0 
##                                           1 
##                  Win.Trojan.Agent-6598660-0 
##                                           1 
##                  Win.Trojan.Agent-6602038-0 
##                                           1 
##                  Win.Trojan.Agent-6621055-0 
##                                           1 
##                  Win.Trojan.Agent-6625054-0 
##                                           1 
##                  Win.Trojan.Agent-6639407-0 
##                                           2 
##                  Win.Trojan.Agent-6640099-0 
##                                           1 
##                  Win.Trojan.Agent-6640474-0 
##                                           2 
##                  Win.Trojan.Agent-6645561-0 
##                                           2 
##                  Win.Trojan.Agent-6645965-0 
##                                           3 
##                  Win.Trojan.Agent-6646417-0 
##                                           1 
##                  Win.Trojan.Agent-6647257-0 
##                                           1 
##                  Win.Trojan.Agent-6691585-0 
##                                           1 
##                  Win.Trojan.Agent-6744015-0 
##                                           1 
##                 Win.Trojan.Farfli-7639977-0 
##                                           2 
##                 Win.Trojan.Farfli-9831481-0 
##                                           1 
##                    Win.Trojan.MSShellcode-7 
##                                           6 
##                           Win.Trojan.Spy-16 
##                                           1 
##                 Win.Trojan.Zegost-7007928-0 
##                                           1 
##                 Win.Trojan.Zegost-8369819-0 
##                                           1

Notable strings in libcef.exe:

PASSWORD
' AND IDENTIFY = '
SELECT * FROM UserTab WHERE NAME = '
Provider=SQLOLEDB.1;Persist Security Info=False; User ID=sa; Password=sa;Initial Catalog=JXIMS;Data Source=(local)
Unknown error 0x%0lX
IDispatch error #%d
BMP Files (*.bmp)|*.bmp|All Files (*.*)|*.*||
SELECT * FROM TeacherTab
SELECT * FROM PayTab
)
Jiaofei printing
IDENTIFY
Select * From UserTab Where NAME = '
BMP Files (*.bmp)|*.bmp|All Files (*.*)|*.*||
SELECT * FROM StudentTab
SELECT * FROM PayTab WHERE ID = '
SELECT * FROM BookTab WHERE ID = '
SELECT * FROM TrainTab WHERE ID = '
SELECT * FROM TrainTab
KEYCRYPT
FFHSTL-B
Copyright (c) 1994-1997 by Compuware Corporation
VxD KEYCRYPT (VtoolsD)
_The_DDB
D:\code\KeyCrypt\KeyCryptVxd\KEYCRYPT.PDB
C:\Documents and Settings\Administrator\
star 5.0
123\vc
SQL server7
\www.NewXing.com\jxims\Release\JXIMS.pdb
E:\8168\vc98\linker\release\lib.pdb

I can't tell what's going on, but they might be dealing with a ransomware attack or covertly being a part of a botnet that's launching WannaCry, or trying to disguise itself as WannaCry (seems to be happening a lot here).

But one thing seems for sure: Bonner Springs High School in Kansas is compromised and launching attacks against Ukrainian hosts, specifically my honeypot, either intentionally by the botnet mastermind or by accident through random scanning of the internet.

Not exactly what I was expecting to find when looking at this spike given this is a much smaller part of the spike in traffic.

Payloads 2022-06-18 // 2022-06-20 Investigation

Giant spike on 2022-06-18, investigating what caused it…

str(payinvst_cnt_20220618)
## 'data.frame':    61664 obs. of  2 variables:
##  $ cnt        : int  10947 9463 9050 6069 2881 2860 2398 1534 1522 1108 ...
##  $ remote_host: chr  "146.20.225.35" "187.202.30.85" "179.126.6.146" "140.238.181.231" ...
sum(payinvst_cnt_20220618$cnt)
## [1] 1192381
head(payinvst_cnt_20220618, n=50)
##      cnt     remote_host
## 1  10947   146.20.225.35
## 2   9463   187.202.30.85
## 3   9050   179.126.6.146
## 4   6069 140.238.181.231
## 5   2881  20.107.219.143
## 6   2860   146.20.224.60
## 7   2398  213.232.235.29
## 8   1534  177.66.116.124
## 9   1522    165.22.52.53
## 10  1108   36.37.178.200
## 11  1020    141.98.11.91
## 12   887  201.208.159.19
## 13   697     45.93.16.72
## 14   667  212.83.136.106
## 15   620    45.175.94.36
## 16   620   45.175.95.164
## 17   616   45.175.94.164
## 18   613   203.150.90.33
## 19   612    45.175.95.36
## 20   224  103.145.13.101
## 21   207   20.222.16.155
## 22   178   103.145.13.74
## 23   164  200.10.227.116
## 24   164  200.10.227.156
## 25   164  200.10.227.196
## 26   164  200.10.227.224
## 27   164   200.10.227.48
## 28   164   200.10.227.76
## 29   164    200.10.227.8
## 30   164   200.10.227.88
## 31   163  200.10.227.104
## 32   163  200.10.227.144
## 33   163  200.10.227.184
## 34   163  200.10.227.252
## 35   163   200.10.227.36
## 36   162  200.10.227.212
## 37   162   200.10.227.64
## 38   161  200.10.227.172
## 39   159  200.10.227.132
## 40   159   200.10.227.24
## 41   159  200.10.227.240
## 42   159   200.10.227.92
## 43   158  200.10.227.200
## 44   155   200.10.227.12
## 45   155  200.10.227.120
## 46   155  200.10.227.128
## 47   155  200.10.227.160
## 48   155  200.10.227.168
## 49   155   200.10.227.20
## 50   155  200.10.227.208
unipay_20220618 <- merge(
    payinvst_cnt_20220618, unified_payloads,
    by.x="remote_host", by.y="Remote.Host",
    all.x=TRUE, all.y=FALSE
)
table(as.factor(unipay_20220618$Country.Code))
## 
##   AM   AR   AU   BD   BG   BR   CL   CO   EG   ET   HR   ID   IN   IR   IT   JP 
##    2    1    4    4    4    9    2    8    4    1    2    7   19    6    3    2 
##   KZ   MN   MU   MX   NG   NL   PH   PK   PT   QA   RU   SA   SN   TH   TR   TW 
##    7    2    2    6    2    1    4   41    4    2 5725    1    1    3    1    3 
##   UA   US   UY   VN 
##    2    9    3   14
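Look at rows 23 through 50 of the table above: 28 hosts, all in 200.10.227.0/24, each with between 155 and 164 payloads. A per-host count table buries that, because no single one of them ranks highly; aggregating by /24 first makes the block stand out as one source. The Python below is an added example and not the author's R code: it re-parses the top-50 table (copied as count/IP pairs), groups it by /24 with the standard library `ipaddress` module, flags blocks whose hosts sent near-identical counts, and reports how much of the listed total the three busiest hosts account for. The `min_hosts` and `max_ratio` thresholds are assumptions tuned to this table.

```python
import ipaddress
from collections import defaultdict

# Per-host payload counts for 2022-06-18, copied from the head(n=50) output
# above as "count ip" pairs.
TOP50 = """
10947 146.20.225.35 9463 187.202.30.85 9050 179.126.6.146 6069 140.238.181.231
2881 20.107.219.143 2860 146.20.224.60 2398 213.232.235.29 1534 177.66.116.124
1522 165.22.52.53 1108 36.37.178.200 1020 141.98.11.91 887 201.208.159.19
697 45.93.16.72 667 212.83.136.106 620 45.175.94.36 620 45.175.95.164
616 45.175.94.164 613 203.150.90.33 612 45.175.95.36 224 103.145.13.101
207 20.222.16.155 178 103.145.13.74 164 200.10.227.116 164 200.10.227.156
164 200.10.227.196 164 200.10.227.224 164 200.10.227.48 164 200.10.227.76
164 200.10.227.8 164 200.10.227.88 163 200.10.227.104 163 200.10.227.144
163 200.10.227.184 163 200.10.227.252 163 200.10.227.36 162 200.10.227.212
162 200.10.227.64 161 200.10.227.172 159 200.10.227.132 159 200.10.227.24
159 200.10.227.240 159 200.10.227.92 158 200.10.227.200 155 200.10.227.12
155 200.10.227.120 155 200.10.227.128 155 200.10.227.160 155 200.10.227.168
155 200.10.227.20 155 200.10.227.208
"""


def parse_counts(text):
    """Return [(ip, count), ...] from whitespace-separated 'count ip' pairs."""
    tokens = text.split()
    return [(tokens[i + 1], int(tokens[i])) for i in range(0, len(tokens), 2)]


def group_by_prefix(rows, prefixlen=24):
    """Aggregate per-host counts into per-block stats keyed by CIDR prefix."""
    blocks = defaultdict(list)
    for ip, cnt in rows:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        blocks[str(net)].append(cnt)
    return {
        net: {"hosts": len(c), "total": sum(c), "min": min(c), "max": max(c)}
        for net, c in blocks.items()
    }


def spread_blocks(stats, min_hosts=5, max_ratio=1.2):
    """Blocks where many hosts each sent a near-identical count: the shape of
    one campaign spread evenly across a block rather than one noisy host.
    Thresholds are assumptions chosen for this data set."""
    return sorted(
        net for net, s in stats.items()
        if s["hosts"] >= min_hosts and s["max"] / s["min"] <= max_ratio
    )


def top_share(rows, n=3):
    """Fraction of the listed total contributed by the n busiest hosts."""
    counts = sorted((c for _, c in rows), reverse=True)
    return sum(counts[:n]) / sum(counts)


if __name__ == "__main__":
    rows = parse_counts(TOP50)
    stats = group_by_prefix(rows)
    for net in spread_blocks(stats):
        print(net, stats[net])
    print(f"top 3 hosts: {top_share(rows):.1%} of the top-50 total")
```

On this table the only block that passes is 200.10.227.0/24 (28 hosts, 4491 payloads, counts from 155 to 164), which would rank second overall if it were treated as one source. The same grouping applies unchanged to the full 61664-row `payinvst_cnt_20220618` table, and raising `prefixlen` to 16 would merge the 45.175.94.x and 45.175.95.x pairs as well.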

Lateral Compromise

The hosting provider I am using, being under heavy attack, has had one of its clients compromised, and that client is launching “Win.Ransomware.Wanna-9769986-0”. I found evidence of over 4000 attacks from a neighboring VPS and reported it to the hosting provider. I will not be disclosing much more information about this, if any.

SIP Breaking My Scale

Since the SIP traffic broke my scale, I had to investigate further despite being incredibly sleep-deprived.

sip_attack_20220307
##       cnt     remote_host
## 1  922273  212.129.30.110
## 2  591947  89.163.129.219
## 3  538301   212.83.187.89
## 4   36243     20.88.2.212
## 5   27357   20.106.89.142
## 6   22161    20.115.23.37
## 7   13571      20.90.5.68
## 8   11120  51.107.183.206
## 9   10193  20.199.119.129
## 10   7913  20.223.136.216
## 11   7833    141.98.10.83
## 12   5907     45.95.147.6
## 13   5636   68.183.220.94
## 14   4531   193.19.97.129
## 15   4204   52.136.119.53
## 16   4198  144.24.160.187
## 17   3768  20.223.163.175
## 18   3723  20.119.237.254
## 19   3605    141.98.10.81
## 20   2083   20.106.160.34
## 21   1313   72.11.158.139
## 22   1092     45.95.147.4
## 23    846   20.127.48.179
## 24    503    52.161.0.155
## 25    358     8.211.4.193
## 26    310 193.107.216.101
## 27    292  104.214.69.222
## 28    199   92.42.110.210
## 29    146  193.107.216.70
## 30    138   45.134.144.54
## 31    112  170.178.190.42

It is odd how few servers made that jump. WHOIS records for the top three servers:

inetnum:        212.129.0.0 - 212.129.31.255
org:            ORG-ONLI1-RIPE
netname:        Online
descr:          Online SAS - Dedibox
country:        FR
admin-c:        TTFR1-RIPE
tech-c:         TTFR1-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-TISCALIFR
mnt-by:         MNT-TISCALIFR-B2B
created:        2016-02-23T12:20:33Z
last-modified:  2016-02-23T12:30:00Z
source:         RIPE

organisation:   ORG-ONLI1-RIPE
mnt-ref:        MNT-TISCALIFR-B2B
org-name:       ONLINE SAS
org-type:       OTHER
address:        8 rue de la ville l'eveque 75008 PARIS
abuse-c:        AR32851-RIPE
mnt-ref:        ONLINESAS-MNT
mnt-by:         ONLINESAS-MNT
created:        2015-07-10T15:20:41Z
last-modified:  2017-10-30T14:40:53Z
source:         RIPE # Filtered
inetnum:        89.163.128.0 - 89.163.255.255
netname:        DE-MYLOC-DUS-20060217
country:        DE
org:            ORG-MMIA3-RIPE
admin-c:        MOPS-RIPE
tech-c:         MOPS-RIPE
status:         ALLOCATED PA
mnt-by:         MYLOC-MNT
mnt-by:         RIPE-NCC-HM-MNT
created:        2020-11-04T10:31:12Z
last-modified:  2020-11-04T10:31:12Z
source:         RIPE

organisation:   ORG-MMIA3-RIPE
org-name:       myLoc managed IT AG
country:        DE
org-type:       LIR
address:        Am Gatherhof 44
address:        40472
address:        Düsseldorf
address:        GERMANY
phone:          +4921161708110
fax-no:         +4921161708111
admin-c:        MOPS-RIPE
tech-c:         MOPS-RIPE
abuse-c:        MOPS-RIPE
mnt-ref:        MYLOC-MNT
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         MYLOC-MNT
created:        2019-10-28T10:48:29Z
last-modified:  2021-02-09T10:11:49Z
source:         RIPE # Filtered
inetnum:        212.83.160.0 - 212.83.191.255
netname:        FRWOL
descr:          Iliad
country:        FR
admin-c:        ACP23-RIPE
tech-c:         TCP8-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-TISCALIFR
mnt-by:         MNT-TISCALIFR-B2B
remarks:        Tag: Int
created:        2002-09-24T15:24:29Z
last-modified:  2017-05-03T15:23:26Z
source:         RIPE

role:           Administrative Contact for ProXad
address:        Free SAS / ProXad
address:        8, rue de la Ville L'Eveque
address:        75008 Paris
phone:          +33 1 73 50 20 00
fax-no:         +33 1 73 92 25 69
remarks:        trouble:      Information: http://www.proxad.net/
remarks:        trouble:      Spam/Abuse requests: mailto:abuse@proxad.net
admin-c:        APfP1-RIPE
tech-c:         TPfP1-RIPE
nic-hdl:        ACP23-RIPE
mnt-by:         PROXAD-MNT
abuse-mailbox:  abuse@proxad.net
created:        2002-06-26T12:46:56Z
last-modified:  2013-08-01T12:16:00Z
source:         RIPE # Filtered

They mostly seem like rented servers, so it could be anyone, but obviously Russia is the elephant in the room, especially with internet connections being cut off by providers like Cogent and Lumen: losing the ability to drop payloads and subvert hosts directly from Russian networks might be pushing them to other means and other hosting providers. That last one seems like an ISP, though, so I'm unclear there. There could be a small hosting provider using that ISP, or it could be someone being a general nuisance. One of those servers is a Microsoft cloud server, and the ISP address may be a home modem/router, so I'm really thinking this is some group of unknown origin repurposing botnet hosts. Not every attack, even in this moment, is going to be from a nation-state, so as usual, who knows.

sip_attack_20220321
##       cnt    remote_host
## 1  441416 20.199.119.129
## 2  392706   52.229.66.96
## 3   39498 20.223.136.216
## 4   26169    20.70.31.10
## 5   24251    40.86.215.4
## 6   12726  20.115.126.57
## 7    7703    89.239.40.4
## 8    4849  37.49.230.128
## 9    4785 23.148.145.101
## 10   3040 74.208.137.225
## 11   2335 20.110.209.108
## 12   2199  5.180.137.137
## 13   1781  89.239.42.100
## 14   1662    8.211.4.193
## 15   1277  45.130.97.193
## 16    920  20.118.164.17
## 17    716     20.38.1.73
## 18    596 185.108.25.136
## 19    318   51.120.77.73
## 20    165  89.239.36.195
## 21    139    45.93.16.27
## 22    128  20.214.144.56
NetRange:       20.192.0.0 - 20.255.255.255
CIDR:           20.192.0.0/10
NetName:        MSFT
NetHandle:      NET-20-192-0-0-1
Parent:         NET20 (NET-20-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   Microsoft Corporation (MSFT)
RegDate:        2017-10-18
Updated:        2021-12-14
Ref:            https://rdap.arin.net/registry/ip/20.192.0.0

OrgName:        Microsoft Corporation
OrgId:          MSFT
Address:        One Microsoft Way
City:           Redmond
StateProv:      WA
PostalCode:     98052
Country:        US
RegDate:        1998-07-10
Updated:        2022-03-28
NetRange:       52.224.0.0 - 52.255.255.255
CIDR:           52.224.0.0/11
NetName:        MSFT
NetHandle:      NET-52-224-0-0-1
Parent:         NET52 (NET-52-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   Microsoft Corporation (MSFT)
RegDate:        2015-11-24
Updated:        2021-12-14
Ref:            https://rdap.arin.net/registry/ip/52.224.0.0

OrgName:        Microsoft Corporation
OrgId:          MSFT
Address:        One Microsoft Way
City:           Redmond
StateProv:      WA
PostalCode:     98052
Country:        US
RegDate:        1998-07-10
Updated:        2022-03-28

The main two IPs for the SIP attacks that start on 2022-03-21 are again Microsoft hosts. These are more than likely rented cloud instances that were vulnerable, broken into, and joined to a botnet.
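Working out who to report a host to means reading these records for the same four things every time: the range, the registry, the country, and an abuse contact. RIPE and ARIN print them under different keys (`inetnum` versus `NetRange`, `abuse-mailbox` versus `OrgAbuseEmail`), and the ARIN excerpts above carry no abuse address at all, so a parser has to say so rather than guess. The Python below is an added example, not the page's code: it parses the key/value object format both registries share, using trimmed copies of the Iliad/ProXad and Microsoft records above as sample input, and returns a summary with `abuse` set to `None` when no contact is listed. `OrgAbuseEmail` is ARIN's usual name for that field but does not appear in the page's excerpts.

```python
import re

# Trimmed copies of two records from the WHOIS output above: a RIPE inetnum
# plus role object (212.83.187.89) and an ARIN NetRange plus Org object
# (20.199.119.129).
RIPE_SAMPLE = """inetnum:        212.83.160.0 - 212.83.191.255
netname:        FRWOL
descr:          Iliad
country:        FR
admin-c:        ACP23-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-TISCALIFR
mnt-by:         MNT-TISCALIFR-B2B
source:         RIPE

role:           Administrative Contact for ProXad
address:        Free SAS / ProXad
remarks:        trouble:      Spam/Abuse requests: mailto:abuse@proxad.net
nic-hdl:        ACP23-RIPE
abuse-mailbox:  abuse@proxad.net
source:         RIPE # Filtered
"""

ARIN_SAMPLE = """NetRange:       20.192.0.0 - 20.255.255.255
CIDR:           20.192.0.0/10
NetName:        MSFT
Organization:   Microsoft Corporation (MSFT)
Ref:            https://rdap.arin.net/registry/ip/20.192.0.0

OrgName:        Microsoft Corporation
OrgId:          MSFT
Country:        US
"""


def parse_whois(text):
    """Split WHOIS output into blank-line separated objects of key -> [values].
    Keys are lower-cased; repeated keys (mnt-by, address) keep every value."""
    objects, current = [], {}
    for line in text.splitlines():
        line = line.split(" # ")[0].rstrip()   # drop RIPE '# Filtered' notes
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def first(objects, *keys):
    """First value for the highest-priority key present in any object."""
    for key in keys:
        for obj in objects:
            if key in obj:
                return obj[key][0]
    return None


def abuse_contact(objects):
    """Prefer an explicit abuse field; else a mailto: buried in remarks."""
    mailbox = first(objects, "abuse-mailbox", "orgabuseemail")
    if mailbox:
        return mailbox
    for obj in objects:
        for remark in obj.get("remarks", []):
            m = re.search(r"mailto:([\w.+-]+@[\w.-]+)", remark)
            if m:
                return m.group(1)
    return None


def summarize(text):
    """The fields needed to file an abuse report, registry-agnostic."""
    objs = parse_whois(text)
    return {
        "range": first(objs, "inetnum", "netrange"),
        "registry": first(objs, "source") or ("ARIN" if first(objs, "netrange") else None),
        "country": first(objs, "country"),
        "org": first(objs, "org-name", "orgname", "descr", "netname"),
        "abuse": abuse_contact(objs),
    }


if __name__ == "__main__":
    for sample in (RIPE_SAMPLE, ARIN_SAMPLE):
        print(summarize(sample))
```

The contact this yields is the registry-listed abuse mailbox for the allocation, which for a rented server is the hosting provider rather than whoever rented it; that is the right place to report, but it is also why a WHOIS country says little about who is actually behind the traffic, as the disclaimer further down spells out.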

Regardless, whoever is doing this broke the scale on my graph; does that count as reportable abuse under internet networking rules?

Reality - Ukraine: Under massive active SIP Cyberattack potentially disrupting communications during wartime.
Me - Acting like a sociopath:

Boilerplate GeoIP Disclaimer

Geolocation based on IP address is not to be taken as entirely accurate as to the source of traffic or attacks conducted. There are many reasons for this, which include (but are not limited to):

Proxies, VPNs, and Tor

Large quantities of traffic, especially attack traffic, go through a VPN or the Tor network (or some reasonable facsimile) to mask the origin of the traffic, which in turn changes the apparent location of origin. Often an attacker will also deliberately want the traffic to appear to come from somewhere with weaker legal jurisdiction or less ability to police traffic, or from a well-known source of malicious attacks such as China or Russia.

For instance, the following log entry was generated by me against my own servers while sitting at my desk in the United States, but it gets geolocated to Russia because of how the packet was sent. This sort of masking is trivial to perform, even for a nine-year-old on a cellphone.

httpd_data[grep("/from/russia/with/logs", httpd_data$Request), c("Request", "Response.Code", "Country.Code")]

##                               Request Response.Code Country.Code
## 1 GET /from/russia/with/logs HTTP/1.1           404           RU

Vulnerable Servers and Botnets

Some regions, such as Silicon Valley or China, have a higher concentration of virtual servers than others. This can mean larger numbers of vulnerable virtual machines and servers in those regions, which distorts the aggregate data.

Government Interference

It is possible that, for intelligence purposes or other economic or political reasons, a nation could re-allocate address space and disguise the origin of traffic much as NAT (network address translation) does. It could also funnel traffic through VPN technology on behalf of another nation.

Because most such agreements are made in private, and because most geolocation, RDAP, and WHOIS records are based on self-reporting, it is impossible to know with certainty the true nature of geographic address assignment.

Weaknesses or errors in MaxMind, rgeolocate, RDAP, or WHOIS

This geolocation uses the rgeolocate package available on CRAN, with the internal country database that ships with it. There could be an error in the shipped database, there could be an error in the lookup code, etc. Bugs happen. I have no reason to believe that any false geolocation is being performed by these packages, however.

RDAP and WHOIS records are also used; both are self-reported and can be reported falsely or misleadingly. Which system (RDAP, WHOIS, or rgeolocate) was used is disclosed where necessary.

Final Note

Despite these weaknesses, looking at this sort of data is still fun, interesting, and potentially enlightening. Generalized conclusions should not be drawn from this data or the maps herein. You have been warned.