{ ake.c2e.com : phlog : redis honeypot recap }
       
       Introduction
       ~~~~~~~~~~~~
       
       At some point I became interested in the Redis
       protocol and decided to write my own library in
       Python for fun. Not having many ideas for its use,
       I created something like a honeypot, which to some
       extent simulates a real Redis server and logs
       received commands and established connections.
       It has been running since April, so now I'll try
       to analyze the results I've got.
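       A minimal sketch of what such a honeypot has to do,
       added here as an illustration and not the author's
       library: decode the Redis wire protocol (RESP) in
       both the array form real clients send and the
       inline form a telnet/netcat session uses, answer a
       few read-only commands with canned replies,
       acknowledge everything else without executing it,
       and emit one JSON log record per command and peer.
       The fake INFO banner, the sample bytes in the
       comments and the 127.0.0.1:6379 bind address are
       constructed for the example.

```python
"""Tiny Redis-protocol (RESP) honeypot: parse, log, reply with canned data."""
import json
import socketserver
import time
from typing import Dict, List, Optional, Tuple

# Constructed banner; a real server returns far more fields.
FAKE_INFO = b"# Server\r\nredis_version:4.0.9\r\nos:Linux 4.15.0 x86_64\r\n"


def parse_resp_command(buf: bytes) -> Tuple[Optional[List[bytes]], bytes]:
    """Decode one client command from buf.

    Returns (args, remaining). args is None when the buffer does not yet hold
    a complete command (caller should read more). Accepts the array form that
    clients send ("*2\r\n$4\r\nINFO\r\n$6\r\nserver\r\n") and the inline form
    ("INFO server\r\n"). Raises ValueError on a malformed frame.
    """
    if not buf:
        return None, buf
    end = buf.find(b"\r\n")
    if end < 0:
        return None, buf                      # header line not complete yet
    if buf[:1] != b"*":                       # inline form: split on whitespace
        return buf[:end].split(), buf[end + 2:]
    count = int(buf[1:end])                   # "*N": N bulk strings follow
    pos, args = end + 2, []
    for _ in range(count):
        if pos >= len(buf):
            return None, buf                  # next bulk string not received yet
        if buf[pos:pos + 1] != b"$":
            raise ValueError("expected bulk string at offset %d" % pos)
        hdr_end = buf.find(b"\r\n", pos)
        if hdr_end < 0:
            return None, buf
        length = int(buf[pos + 1:hdr_end])    # "$L": L payload bytes + CRLF
        start = hdr_end + 2
        if len(buf) < start + length + 2:
            return None, buf                  # payload not fully received
        args.append(buf[start:start + length])
        pos = start + length + 2
    return args, buf[pos:]


def bulk(payload: bytes) -> bytes:
    """Encode a RESP bulk string reply."""
    return b"$%d\r\n%s\r\n" % (len(payload), payload)


def handle_command(args: List[bytes], peer: str, log: List[Dict]) -> bytes:
    """Append a log record for one decoded command and return the reply."""
    cmd = args[0].upper() if args else b""
    log.append({"ts": time.time(), "peer": peer,
                "command": cmd.decode("ascii", "replace"),
                "args": [a.decode("utf-8", "replace") for a in args[1:]]})
    if cmd == b"PING":
        return b"+PONG\r\n"
    if cmd == b"ECHO" and len(args) == 2:
        return bulk(args[1])
    if cmd == b"INFO":
        return bulk(FAKE_INFO)
    # Anything else is acknowledged but never executed, so the whole
    # command sequence of a session ends up in the log.
    return b"+OK\r\n"


def process_stream(data: bytes, peer: str) -> Tuple[List[bytes], List[Dict], bytes]:
    """Drain every complete command from data; return replies, log, leftover."""
    replies, log, buf = [], [], data
    while buf:
        try:
            args, buf = parse_resp_command(buf)
        except ValueError as exc:
            replies.append(b"-ERR Protocol error: %s\r\n" % str(exc).encode())
            log.append({"ts": time.time(), "peer": peer, "command": "<malformed>",
                        "args": [repr(buf[:64])]})
            return replies, log, b""
        if args is None:
            break                             # partial frame, wait for more bytes
        if not args:
            continue                          # blank inline line, like redis ignores
        replies.append(handle_command(args, peer, log))
    return replies, log, buf


class HoneypotHandler(socketserver.StreamRequestHandler):
    def handle(self):
        peer = "%s:%d" % self.client_address
        print(json.dumps({"ts": time.time(), "peer": peer, "event": "connect"}), flush=True)
        buf = b""
        while True:
            chunk = self.request.recv(4096)
            if not chunk:
                break
            buf += chunk
            replies, entries, buf = process_stream(buf, peer)
            for entry in entries:
                print(json.dumps(entry), flush=True)   # one JSON line per command
            for reply in replies:
                self.wfile.write(reply)
            if any(r.startswith(b"-ERR Protocol") for r in replies):
                break                         # drop the session after a bad frame


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 6379), HoneypotHandler) as srv:
        srv.serve_forever()
```

       Run it and point redis-cli or netcat at the port;
       every command arrives on stdout as a JSON line
       that can be collected and counted later, which is
       all the recap below relies on.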
       
       Brief summary
       ~~~~~~~~~~~~~
       
       Total number of connections - 11758
       Total number of source IP addresses used to
       connect to the honeypot - 1629
       Maximum connections from the same address - 348
       Number of hosts that have an HTTP server - 407
       
       HTTP responses from "attacker" hosts overview
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       - seemingly the most popular one is a default
         server page, sometimes referencing the host
         distro (obviously Apache, nginx; distros are
         Fedora, CentOS, Ubuntu, Debian; a rare one is
         XAMPP)
       - server error responses - not found, forbidden,
         gateway timeout and 500s
       - hosting custom error responses - several
         reported a misconfigured domain, one from DO
         contains a message about an unfinished WP
         installation
       - slightly separate from the previous one, a
         hosting misconfiguration error message, but in
         Chinese
       - 3 Tor exit nodes
       - network scanners (Censys, Shadowserver,
         Onyphe)
       - some login forms in Chinese, most probably
         related to back office software
       - blogs in Chinese, seemingly most of them
         are programming related
       - business sites and internet shops in
         Chinese
       - something that looks like part of a mobile
         application (at least having that layout)
       - something that looks like a web photo album
         containing wedding photos (Chinese)
       - two "home pages" that contain a caption and
         a photo and nothing more
       - some non-Chinese business sites - a dentist
         from Spain, a financial organization, airport
         related software and some foundations
       - an OpenEMR instance with the default password,
         seemingly a test one
       - a PIXIE-2R router with the default password
       - some Atlassian solution
       