Another week's worth of logs from my honeypot VPS

May 24, 2015 in #infosec

SSH Login attempts

A little quieter over this period

Attempts | Login
129410   | root
668      | admin
181      | ubnt
116      | nagios
94       | user
91       | ftp
85       | alex
83       | apache
83       | PlcmSpIp
78       | backup
78       | Library

Tailing off pretty quickly there, as expected, compared to the last week of logging. Interesting new appearances in the top 10: ubnt (ubuntu?), nagios, alex (no idea) and PlcmSpIp, which apparently is the default username that Polycom SIP phones use to download a config from an FTP server.

IP Address access

Nothing much different here from last time; ideally I want to implement some automated geolookup to create a graph or something sexy! (Perhaps for the next report)

httpd Access

In a shocking turn of events.

Amount | URL / Attack vector?
114    | /phpmyadmin/scripts/setup.php (or variants of it; phpmyadmin)
51     | /manager/html (Tomcat)
4      | /wp/wp-login.php (or variants of it; Wordpress login)

In a shocking turn of events, phpmyadmin has arrived at the number one spot this week, with Tomcat taking second place. A couple of other interesting things were attempted, including a couple more /cycy/cy/cy.php-like requests. Finally, an interesting request was made to

/%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E

which after some url decoding turns into

/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -n

Guessing that it has been URL encoded as an attempt to not trigger an IDS? Now, I am no expert on php config, but allowing url includes would open the door to remote file includes. Not good.
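As an added example (not the author's own tooling), here is a small Python scanner over constructed Apache access-log lines that URL-decodes each request target before matching, so an encoded probe like the one above is flagged on the php-cgi -d directives it carries rather than slipping past a raw string match; the regexes, the directive list and the sample lines are my assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format. The first request
# is a shortened variant of the encoded probe quoted above; the rest is filler.
SAMPLE_LOG = """\
203.0.113.7 - - [24/May/2015:10:01:02 +0000] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 404 209 "-" "-"
198.51.100.3 - - [24/May/2015:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [24/May/2015:10:03:40 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 209 "-" "-"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) '
                    r'(?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A php-cgi "-d name=value" ini override carried in the query string.
PHP_CGI_ARG = re.compile(r"(?:^|\s)-d\s*(?P<directive>[A-Za-z_.]+)=")
# The directives the decoded request above tries to override; each one
# loosens a default that limits what a script (or php://input) may do.
RISKY = {"allow_url_include", "auto_prepend_file", "disable_functions",
         "safe_mode", "open_basedir", "suhosin.simulation"}


def decode_target(target, rounds=3):
    """Percent-decode until stable so a double-encoded probe is exposed too."""
    prev = None
    for _ in range(rounds):
        if target == prev:
            break
        prev, target = target, unquote_plus(target)
    return target


def classify_request(target):
    """Return (decoded target, sorted risky directives found in its query)."""
    decoded = decode_target(target)
    query = decoded.partition("?")[2]
    found = {m.group("directive") for m in PHP_CGI_ARG.finditer(query)}
    return decoded, sorted(found & RISKY)


def scan_log(text):
    """Flag requests whose decoded query sets a risky directive. Matching the
    raw line instead would miss the percent-encoded form entirely."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            decoded, risky = classify_request(m.group("target"))
            if risky:
                hits.append((m.group("ip"), decoded, risky))
    return hits
```

The decoded query is php-cgi command-line syntax; whether such -d overrides actually take effect depends on how the web server hands the request to PHP, so treat a hit as a probe worth investigating rather than as a confirmed compromise.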

Only 3 hits from masscan on the httpd this week :(

For the next week of logging, I am going to install something like denyhosts to see how much that tails off the login attempts, and maybe change the ssh port the week after!
