In week 44, the IP addresses responsible for most of the malicious network activity on TEHTRIS honeypots were located in the Netherlands (24.53%), the United States (19.75%), China (9.78%), Bulgaria (8.38%) and Russia (6.8%).
This week, TEHTRIS reports on two malicious activities observed on its international honeypot network.
1. Credentials abuse for File Transfer Protocol (FTP)
This week, TEHTRIS monitored a significant number of SSH exploits relating to File Transfer Protocol accounts, carried out by 18 IP addresses. Threat actors scanned TEHTRIS honeypots with the login “ftpuser” combined with 58 different passwords. The same number of combinations was observed with the login “ftp”.
IoCs:
TEHTRIS underlines that FTP is not a secure exchange protocol, as it does not rely on encryption. Data sent through FTP is vulnerable to sniffing, spoofing, identity theft and brute-force attacks. In the cases monitored by TEHTRIS on its honeypot network, the threat actors are trying to compromise accounts created with basic, insecure passwords.
TEHTRIS recommends using secure, encrypted connections and always choosing a strong and unique password.
2. Hijacked Easter Eggs in PHP
For many years, Easter eggs (the IT term for hidden functionality) have been created and inserted into programs or video games by their creators. They are meant as hidden nods or jokes.
This week, TEHTRIS warns that these jokes can be misused. TEHTRIS monitored the use, on its web honeypot network, of two URLs that display Easter eggs in the PHP programming language. These Easter eggs have existed since 2004 to display funny pictures. But beyond the joke, these requests can be dangerous. Anyone browsing a website written in PHP could append one of these query strings to the URL to gain information:
/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
or
/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
The first URL displays the PHP credits, and the second displays funny logos that vary with the PHP version used on the website. All versions are concerned (refer to the list in the picture below). This might look harmless. However, the PHP credits and the logo reveal information about the website environment. A threat actor can learn which PHP version is in use, then search for a vulnerability affecting that version and attempt to compromise the website.
TEHTRIS recommends making sure that, in your php.ini file, the following line is configured so as to avoid public exposure of this information:
expose_php = off
The less publicly exposed information about your server, the better. If you limit the amount of public information available about your server, you automatically limit the attack attempts it might face. Cybercriminals were still actively searching for vulnerabilities in this programming language in November 2022.
IoCs:
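As an added example (not code from the TEHTRIS report), the following Python detector scans web server access logs in the combined log format for the two Easter-egg query strings above, counts which source addresses sent them and flags any request the server answered with 200, which means expose_php was still enabled at the time. The log lines are constructed for the example, not taken from the honeypots.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# The two query strings quoted in the report, mapped to what each one reveals.
EASTER_EGG_GUIDS = {
    "PHPB8B5F2A0-3C92-11D3-A3A9-4C7B08C10000": "PHP credits page",
    "PHPE9568F36-D428-11D2-A769-00AA001ACF42": "version-dependent PHP logo",
}

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shape of a PHP Easter-egg query string: "=PHP" followed by a GUID.
# Matched case-insensitively and after percent-decoding so encoded variants
# of the probe are still counted (a conservative detection choice).
GUID_RE = re.compile(r'^=?(PHP[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})$', re.I)

def classify_request(target):
    """Return (guid, description) if the request target carries a PHP Easter-egg
    query string, otherwise None."""
    query = unquote(urlsplit(target).query)
    m = GUID_RE.match(query)
    if not m:
        return None
    guid = m.group(1).upper()
    return guid, EASTER_EGG_GUIDS.get(guid, "other PHP Easter-egg GUID (not listed in the report)")

def scan_log(lines):
    """Return a list of (ip, status, guid, description) for every probing request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        found = classify_request(m.group("target"))
        if found:
            hits.append((m.group("ip"), int(m.group("status")), *found))
    return hits

def summarize(hits):
    """Count probes per source IP and isolate the ones the server answered with 200,
    i.e. the Easter egg was most likely served and expose_php needs to be turned off."""
    by_ip = Counter(ip for ip, *_ in hits)
    served = [h for h in hits if h[1] == 200]
    return by_ip, served

# Constructed sample log (documentation-range addresses, not real IoCs).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Nov/2022:10:02:11 +0000] "GET /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 HTTP/1.1" 200 5120 "-" "curl/7.85.0"
203.0.113.7 - - [01/Nov/2022:10:02:12 +0000] "GET /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2130 "-" "curl/7.85.0"
198.51.100.9 - - [01/Nov/2022:10:05:40 +0000] "GET /index.php?page=about HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Nov/2022:10:05:41 +0000] "GET /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    by_ip, served = summarize(scan_log(SAMPLE_LOG.splitlines()))
    print("probing sources:", dict(by_ip))
    for ip, status, guid, desc in served:
        print(f"SERVED ({status}) to {ip}: {desc} via {guid}")
```

A 403 or 404 on these requests shows the probe was blocked, while a 200 on a PHP host is the signal that `expose_php` has not yet been set to off.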