{ ake.c2e.com : phlog : redis honeypot recap }

Introduction
~~~~~~~~~~~~

At some point I became interested in the Redis protocol and decided to write
my own library for it in Python, for fun. Not having many ideas about what to
use it for, I built something like a honeypot: it simulates a real Redis
server to some extent and logs the commands it receives and the connections
that are established. It has been running since April, so now I'll try to
analyze the results.

Brief summary
~~~~~~~~~~~~~

Total number of connections - 11758
Total number of source IP addresses that connected to the honeypot - 1629
Maximum number of connections from the same address - 348
Number of those hosts that run an HTTP server - 407

HTTP responses from "attacker" hosts overview
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- seemingly the most popular one is a default server page, sometimes naming the
  host's distro (Apache and nginx, obviously; the distros are Fedora, CentOS,
  Ubuntu and Debian; a rare one is XAMPP)
- server error responses: not found, forbidden, gateway timeout and 500s
- hosting providers' custom error responses: several reported a misconfigured
  domain, one from DO contained a message about an unfinished WP installation
- slightly separate from the previous: hosting misconfiguration error messages,
  but in Chinese
- 3 Tor exit nodes
- network scanners (Censys, Shadowserver, Onyphe)
- some login forms in Chinese, most probably belonging to back-office software
- blogs in Chinese, seemingly most of them programming related
- business sites and internet shops in Chinese
- something that looks like part of a mobile application (at least it has that
  layout)
- something that looks like a web photo album containing wedding photos
  (Chinese)
- two "home pages" that contain a caption and a photo and nothing more
- some non-Chinese business sites: a dentist from Spain, a financial
  organization, airport-related software and some foundations
- an OpenEMR instance with the default password, seemingly a test one
- a PIXIE-2R router with the default password
- some Atlassian product