
Honeypots: activity of the week 44

In week 44, the IP addresses responsible for most of the malicious network activity on TEHTRIS honeypots were located in the Netherlands (24.53%), the United States (19.75%), China (9.78%), Bulgaria (8.38%) and Russia (6.8%).

This week, TEHTRIS reports on 2 malicious activities observed on its international honeypot network.

1. Credentials abuse for File Transfer Protocol (FTP)

This week, TEHTRIS monitored a significant number of login attempts targeting File Transfer Protocol (FTP) accounts, performed by 18 IP addresses. Threat actors scanned TEHTRIS honeypots with the login "ftpuser" combined with 58 different passwords. The same number of combinations was observed with the login "ftp". This pattern, one or two well-known service accounts tried against a long list of passwords, is a classic dictionary brute force rather than a targeted attack.

IoCs :

IP                   AS                                                Country
63.143.127[.]250     AS 33576 (DIG001)                                 JM
153.122.21[.]26      AS 131921 (GMO GlobalSign Holdings K.K.)          JP
45.95.55[.]28        AS 200303 (LUMASERV Systems)                      DE
171.251.16[.]198     AS 7552 (Viettel Group)                           VN
193.47.61[.]212      AS 211252 (Delis LLC)                             US
116.105.209[.]180    AS 24086 (Viettel Corporation)                    VN
85.31.46[.]66        AS 211252 (Delis LLC)                             US
162.241.189[.]135    AS 19871 (NETWORK-SOLUTIONS-HOSTING)              US
165.90.105[.]105     AS 37517 (CV-Multimedia)                          CV
189.215.82[.]40      AS 28509 (Cablemas Telecomunicaciones SA de CV)   MX
122.202.44[.]19      AS 10175 (Kumho Cable)                            KR
165.90.116[.]21      AS 37517 (CV-Multimedia)                          CV
178.219.126[.]129    AS 202281 (C3 NET Sp. z o.o. Sp. k.)              PL
181.118.101[.]254    AS 28075 (ARLINK S.A.)                            AR
182.16.184[.]3       AS 17995 (PT iForte Global Internet)              ID
188.244.32[.]137     AS 8334 (LLC SETEL)                               RU
197.255.131[.]152    AS 37517 (CV-Multimedia)                          CV

TEHTRIS underlines that FTP is not a secure exchange protocol, as it does not rely on encryption: credentials and data are sent in clear text. Traffic sent through FTP is therefore vulnerable to sniffing, spoofing, credential theft and brute-force attacks. In the cases monitored by TEHTRIS on its honeypot network, the threat actors are trying to compromise accounts created with basic and insecure passwords.

TEHTRIS recommends using encrypted alternatives (SFTP or FTPS) instead of plain FTP, always choosing a strong and unique password, and rate-limiting or blocking sources that repeatedly fail to authenticate.
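The activity described above (one login, many passwords, from a single source) is easy to surface in your own FTP or honeypot logs. The following Python script is an added example and is not TEHTRIS code; it assumes a simple honeypot-style log line "timestamp source_ip user password result" (a constructed format, since standard FTP daemons do not log passwords) and flags any source that tried several distinct passwords against one login, which is exactly the "ftpuser"/"ftp" pattern of this report.

```python
"""Flag FTP dictionary brute force in honeypot-style login logs (added example)."""
import re
from collections import defaultdict

# Constructed sample log (documentation IP ranges, not real honeypot data).
# Format assumed for this example: "<timestamp> <src_ip> <user> <password> <OK|FAIL>"
SAMPLE_LOG = """\
2022-11-02T10:15:01Z 203.0.113.10 ftpuser ftpuser FAIL
2022-11-02T10:15:02Z 203.0.113.10 ftpuser 123456 FAIL
2022-11-02T10:15:03Z 203.0.113.10 ftpuser password FAIL
2022-11-02T10:15:04Z 203.0.113.10 ftpuser ftp123 FAIL
2022-11-02T10:15:05Z 203.0.113.10 ftp ftp FAIL
2022-11-02T10:15:06Z 203.0.113.10 ftp 123456 FAIL
2022-11-02T10:15:07Z 203.0.113.10 ftp password FAIL
2022-11-02T10:15:08Z 203.0.113.10 ftp ftp123 FAIL
2022-11-02T10:20:00Z 198.51.100.7 alice s3cret-long-passphrase OK
2022-11-02T10:21:00Z 198.51.100.7 alice s3cret-long-passphrase OK
2022-11-02T10:30:00Z 192.0.2.55 ftpuser admin FAIL
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<password>\S+) (?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_bruteforce(events, min_passwords=3):
    """Return {src_ip: {user: [distinct passwords]}} for every source that
    tried at least `min_passwords` different passwords against one login.
    Only FAIL events count: a successful login is a compromise, not a guess."""
    tried = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["result"] == "FAIL":
            tried[e["ip"]][e["user"]].add(e["password"])
    findings = {}
    for ip, users in tried.items():
        hits = {u: sorted(p) for u, p in users.items() if len(p) >= min_passwords}
        if hits:
            findings[ip] = hits
    return findings


def top_passwords(events, n=3):
    """Most-tried passwords across failed logins: a good seed for the list of
    passwords to reject when accounts are created."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            counts[e["password"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for ip, users in detect_bruteforce(ev).items():
        for user, pwds in users.items():
            print(f"{ip} tried {len(pwds)} passwords for '{user}': {pwds}")
    print("most tried passwords:", top_passwords(ev))
```

The threshold of 3 distinct passwords per login is deliberately low for the sample; on a production server, tune it to the retry behaviour of legitimate clients and feed the flagged sources to your firewall or fail2ban-style blocker.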

2. Hijacked Easter Eggs in PHP

For many years, Easter Eggs (the IT term for hidden features) have been inserted into programs and video games by their creators. They are meant as hidden nods or jokes.

This week, TEHTRIS warns that these jokes can be misused. TEHTRIS monitored, on its web honeypot network, requests for 2 URLs that trigger Easter Eggs in the PHP language. These Easter Eggs have existed since 2004 to display funny pictures, but beyond the joke, these requests can be dangerous: anyone browsing a PHP website can append one of these query strings to the URL to gain information:

/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

or

/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42

The first URL displays the PHP credits, and the second displays a logo that depends on the PHP version running the website; the versions and their logos were listed in the picture of the original article. This might look harmless. However, the PHP credits and the logo reveal information about the website environment: a threat actor can learn the PHP version in use, then search for a vulnerability affecting that version and attempt to compromise the website. Note that these Easter Eggs were removed in PHP 5.5, so a server that still answers these query strings is also running a long-unsupported PHP release, which is itself a finding.

PHP Easter Eggs examples[1]

TEHTRIS recommends making sure that the following line is set in your php.ini file to avoid public exposure of this information. Note that PHP's built-in default is On, so a missing or commented-out line leaves the server exposed; the same setting also removes the X-Powered-By header that advertises the PHP version on every response:

expose_php = off

The less information about your server is publicly exposed, the better. If you limit the amount of public information available on your server, you reduce the number of targeted attack attempts it will face. Cybercriminals were still actively scanning for vulnerabilities in this language in November 2022.
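Two checks follow from this section: spotting the Easter Egg probes in your web server access logs, and verifying that expose_php is effectively off. The Python script below is an added example, not TEHTRIS code or part of PHP itself. It assumes Apache/nginx combined log format, treats the two GUIDs quoted above as known Easter Eggs and any other "PHP<GUID>" query string as an unrecognised probe of the same family, and evaluates a php.ini fragment the way PHP does (last assignment wins, Off/0/False/No/None/empty mean false, absent means the On default).

```python
"""Detect PHP Easter Egg probes in access logs and check expose_php (added example)."""
import re

# The two Easter Egg GUIDs quoted in this report, uppercased for lookup.
KNOWN_EGGS = {
    "PHPB8B5F2A0-3C92-11D3-A3A9-4C7B08C10000": "credits",
    "PHPE9568F36-D428-11D2-A769-00AA001ACF42": "logo",
}

# Combined log format: ip ident user [time] "METHOD path proto" status size "ref" "ua"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)
# Easter Egg trigger: "?=PHP<GUID>" in the query string, any case.
EGG_RE = re.compile(r"\?=(PHP[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})", re.I)

# Constructed sample access log (documentation IP ranges, not honeypot data).
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [02/Nov/2022:10:00:00 +0000] "GET /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524 "-" "curl/7.85.0"
203.0.113.10 - - [02/Nov/2022:10:00:01 +0000] "GET /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 HTTP/1.1" 200 6090 "-" "curl/7.85.0"
198.51.100.7 - - [02/Nov/2022:10:05:00 +0000] "GET /about.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.55 - - [02/Nov/2022:10:07:00 +0000] "GET /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 404 196 "-" "python-requests/2.28"
"""


def find_easter_egg_probes(log_text):
    """Return one dict per request whose query string carries a PHP Easter Egg GUID.
    `label` is the known egg name or "unknown" for GUIDs not listed in KNOWN_EGGS."""
    probes = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        egg = EGG_RE.search(m.group("path"))
        if not egg:
            continue
        guid = egg.group(1).upper()
        probes.append({
            "ip": m.group("ip"),
            "guid": guid,
            "label": KNOWN_EGGS.get(guid, "unknown"),
            # A 200 with a body does not by itself prove the egg fired (the normal
            # page may have been served); a 404 on "/" is a strong sign it did not.
            "status": int(m.group("status")),
        })
    return probes


def expose_php_enabled(ini_text):
    """Effective value of expose_php for a php.ini fragment.
    Missing key -> True (PHP's built-in default is On). Comments after ';' are
    ignored and the last assignment wins, as in PHP's own ini parsing."""
    value = None
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip().lower() == "expose_php":
            value = val.strip().strip('"')
    if value is None:
        return True
    return value.lower() not in ("off", "0", "false", "no", "none", "")


if __name__ == "__main__":
    for p in find_easter_egg_probes(SAMPLE_ACCESS_LOG):
        print(f"{p['ip']} probed {p['label']} egg {p['guid']} -> HTTP {p['status']}")
    for cfg in ("expose_php = Off", "; expose_php = Off", "memory_limit = 128M"):
        print(f"{cfg!r}: exposed={expose_php_enabled(cfg)}")
```

Run the probe detector over a day of access logs to get the list of sources fingerprinting your PHP stack, and run the ini check against the php.ini that PHP actually loads (`php --ini` prints its path), not just the one you edited.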

IoCs :

IP                   AS                               Country
172.105.83[.]46      AS 63949 (Linode, LLC)           DE
172.105.131[.]104    AS 63949 (Linode, LLC)           DE
109.74.204[.]123     AS 63949 (Linode, LLC)           GB
172.104.137[.]47     AS 63949 (Linode, LLC)           DE
178.79.148[.]229     AS 63949 (Linode, LLC)           GB
88.80.186[.]144      AS 63949 (Linode, LLC)           GB
80.85.85[.]235       AS 63949 (Linode, LLC)           GB
139.162.229[.]202    AS 63949 (Linode, LLC)           GB
151.236.216[.]243    AS 63949 (Linode, LLC)           GB
195.96.137[.]4       AS 400161 (HAWAIIRESEARCH)       US
195.96.137[.]5       AS 400161 (HAWAIIRESEARCH)       US
195.96.137[.]6       AS 400161 (HAWAIIRESEARCH)       US
195.96.137[.]7       AS 400161 (HAWAIIRESEARCH)       US

[1] https://php.watch/articles/php-easter-eggs