Hello & Happy 2023!

At the end of last summer, we kicked off a small honeypot project in which we deployed HoneyDB agents across 18 countries. A couple of regions have more than one agent installed; otherwise it's one agent per country. Agents are configured to run services such as RDP, VNC, SSH, FTP, MySQL, WebLogic, Elasticsearch, Telnet, Redis and others. Below is an outline of the agent architecture and their locations. Out of curiosity, we set up these agents to monitor activity and collect data to be crunched and beautifully displayed in Splunk dashboards. Starting today we are going to share our data. Moving forward, all updates will be sent out via @below∅day and our git.

HoneyDB Agents


Top 50 Attack Hosts [for the full list, check out our git]


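As an added example (not part of this post or of HoneyDB's own code), a small Python parser for the `<ip> >> <city>, <cc> : AS<number> <org>` record format the attack host list uses, followed by the same kind of per-country and per-ASN rollups the dashboards show; the sample records are constructed from documentation-range addresses with placeholder ASNs and organisation names.

```python
import re
from collections import Counter

# One record per line: "<ip> >> <city>, <country code> : AS<number> <org>".
# The org name may itself contain commas, so it is matched last, after the colon.
RECORD_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*>>\s*"
    r"(?P<city>[^:]+?),\s*(?P<cc>[A-Z]{2})\s*:\s*AS(?P<asn>\d+)\s+(?P<org>.+?)\s*$"
)

# Constructed sample (RFC 5737 documentation addresses, private-use ASNs); not page data.
SAMPLE = """\
• 192.0.2.10 >> Exampleville, US : AS64496 Example Hosting, Inc.
• 198.51.100.7 >> Sampletown, NL : AS64497 Sample Cloud BV
• 203.0.113.5 >> Exampleville, US : AS64496 Example Hosting, Inc.
• 203.0.113.9 >> Sampletown, NL : AS64497 Sample Cloud BV
• 203.0.113.12 >> Testburg, DE : AS64498 Test Telecom GmbH
this line is not a record and is skipped
"""


def parse_records(text):
    """Parse records; non-matching lines are skipped so one bad line does not abort the run."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["asn"] = int(rec["asn"])
            records.append(rec)
    return records


def top_by(records, key, n=3):
    """Top-n (value, count) pairs for a field, e.g. 'cc' for attack origin or 'asn' for network."""
    return Counter(r[key] for r in records).most_common(n)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("Top attack origins:", top_by(recs, "cc"))
    print("Top source networks:", top_by(recs, "asn"))
```

Grouping by ASN rather than by individual address is what makes the source list actionable, since a handful of hosting networks typically account for most of the hits.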
Top Attack Origins


Top Targeted HoneyDB Agents


Top Services Attacked


Events by Service