Tracking

January Threat Report

Hit Count: 1,124

Top 5 Ports

  • 80
  • 5501
  • 52869
  • 49152
  • 23

Top 5 Signatures

  • ET WEB_SERVER WebShell Generic - wget http - POST
  • ET SCAN Mirai Variant User-Agent (Inbound)
  • ET WEB_SERVER 401TRG Generic Webshell Request - POST with wget in body
  • SURICATA HTTP Unexpected Request body
  • ET EXPLOIT MVPower DVR Shell UCE

Top 5 User-Agent

  • Hello, world
  • Hello, World
  • Wget/1.11.4
  • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
  • Hello-World

Top 5 URL

  • /GponForm/diag_Form?images/
  • /soap.cgi?service=WANIPConn1
  • /UD/act?1
  • /bins/m-i.p-s.SNOOPY
  • /picdesc.xml

Payloads

https://github.com/hypoweb/capture-list

February Threat Report

Hit Count: 2,227

Top 5 Ports

  • 80
  • 23
  • 60001
  • 7574
  • 49152

Top 5 Signatures

  • ET SCAN Mirai Variant User-Agent (Inbound)
  • ET WEB_SERVER WebShell Generic - wget http - POST
  • ET WEB_SERVER 401TRG Generic Webshell Request - POST with wget in body
  • ET EXPLOIT MVPower DVR Shell UCE
  • ET HUNTING Suspicious Chmod Usage in URI (Inbound)

Top 5 User-Agent

  • Hello, world
  • Wget/1.11.4
  • Hello, World
  • Hello-World
  • Go-http-client/1.1

Top 5 URL

  • /UD/act?1
  • /GponForm/diag_Form?images/
  • /soap.cgi?service=WANIPConn1
  • /picsdesc.xml
  • /_search?pretty

Payloads

https://github.com/hypoweb/capture-list

March Threat Report

Hit Count: 2,306

Top 5 Ports

  • 80
  • 60001
  • 52869
  • 8080
  • 8081

Top 5 Signatures

  • SURICATA STREAM reassembly sequence GAP -- missing packet(s)
  • SURICATA HTTP missing Host header
  • ET SCAN Mirai Variant User-Agent (Inbound)
  • SURICATA HTTP Unexpected Request body
  • ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE

Top 5 User-Agent

  • Wget/1.11.4
  • Hello, world
  • ImSowwyForUsingMrCrabs
  • Hello-World
  • HelloBadPacketZ

Top 5 URL

  • /UD/act?1
  • /soap.cgi?service=WANIPConn1
  • /picsdesc.xml
  • /GponForm/diag_Form?images/
  • /tmUnblock.cgi

Payloads

https://github.com/hypoweb/capture-list

April Threat Report

Hit Count: 1,762

Top 5 Ports

  • 80
  • 23
  • 5501
  • 49152
  • 52869

Top 5 Signatures

  • ET SCAN Mirai Variant User-Agent (Inbound)
  • ET WEB_SERVER WebShell Generic - wget http - POST
  • ET WEB_SERVER 401TRG Generic Webshell Request - POST with wget in body
  • ET EXPLOIT MVPower DVR Shell UCE
  • ET HUNTING Suspicious Chmod Usage in URI (Inbound)

Top 5 User-Agent

  • Hello, world
  • Hello, World
  • Hello-World
  • Wget/1.11.4
  • wr3

Top 5 URL

  • /UD/act?1
  • /soap.cgi?service=WANIPConn1
  • /picsdesc.xml
  • /GponForm/diag_Form?images/
  • /HNAP1/

Payloads

https://github.com/hypoweb/capture-list

May Threat Report

Hit Count: 1,708

Top 5 Ports

  • 80
  • 49152
  • 23
  • 60001
  • 52869

Top 5 Signatures

  • ET WEB_SERVER WebShell Generic - wget http - POST
  • ET WEB_SERVER 401TRG Generic Webshell Request - POST with wget in body
  • ET SCAN Mirai Variant User-Agent (Inbound)
  • ET EXPLOIT MVPower DVR Shell UCE
  • ET HUNTING Suspicious Chmod Usage in URI (Inbound)

Top 5 User-Agent

  • Hello, world
  • Hello, World
  • Hello-World
  • Wget/1.11.4
  • LickMyCunt

Top 5 URL

  • /UD/act?1
  • /soap.cgi?service=WANIPConn1
  • /picsdesc.xml
  • /GponForm/diag_Form?images/
  • /HNAP1/

Payloads

https://github.com/hypoweb/capture-list

June Threat Report

Hit Count: 1,708

Top 5 Ports

  • 80
  • 60001
  • 52869
  • 23
  • 7574

Top 5 Signatures

  • SURICATA STREAM Packet with invalid timestamp
  • ET WEB_SERVER WebShell Generic - wget http - POST
  • ET SCAN Mirai Variant User-Agent (Inbound)
  • ET WEB_SERVER 401TRG Generic Webshell Request - POST with wget in body
  • ET EXPLOIT MVPower DVR Shell UCE

Top 5 User-Agent

  • Wget/1.11.4
  • Hello, world
  • Hello, World
  • Hello-World
  • Tya

Top 5 URL

  • /UD/act?1
  • /picsdesc.xml
  • /GponForm/diag_Form?images/
  • /soap.cgi?service=WANIPConn1
  • /HNAP1/

Payloads

https://github.com/hypoweb/capture-list

July Threat Report

Hit Count: 1,835

Top 5 Ports

  • 80
  • 23
  • 49152
  • 5555
  • 60001

Top 5 Signatures

  • ET SCAN Mirai Variant User-Agent (Inbound)
  • ET WEB_SERVER 401TRG Generic Webshell Request - POST with wget in body
  • ET WEB_SERVER WebShell Generic - wget http - POST
  • ET EXPLOIT MVPower DVR Shell UCE
  • ET SCAN JAWS Webserver Unauthenticated Shell Command Execution

Top 5 User-Agent

  • Wget/1.11.4
  • Hello, world
  • Hello, World
  • Hello-World
  • KrebsOnSecurity

Top 5 URL

  • /UD/act?1
  • /soap.cgi?service=WANIPConn1
  • /HNAP1/
  • /picdesc.xml
  • /GponForm/diag_Form?images/

Payloads

https://github.com/hypoweb/capture-list

August Threat Report

Hit Count: 1,350

Top 5 Ports

  • 80
  • 23
  • 49152
  • 60001
  • 52869

Top 5 Signatures

  • ET WEB_SERVER 401TRG Generic Webshell Request - POST with wget in body
  • ET WEB_SERVER WebShell Generic - wget http - POST
  • ET SCAN Mirai Variant User-Agent (Inbound)
  • SURICATA STREAM reassembly sequence GAP -- missing packet(s)
  • ET HUNTING SUSPICIOUS Path to BusyBox

Top 5 User-Agent

  • Wget/1.11.4
  • Hello, world
  • Hello, World
  • KrebsOnSecurity
  • Hello-World

Top 5 URL

  • /soap.cgi?service=WANIPConn1
  • /UD/act?1
  • /picdesc.xml
  • /HNAP1/
  • /GponForm/diag_Form?images/

Payloads

https://github.com/hypoweb/capture-list

*Data is sourced from a series of personal honeypots and does not represent my employer.