Honeypots: activity of the week 49

The TEHTRIS honeypot network again recorded numerous malicious activities this week. This report focuses on 3 events and the related IoCs.

Attempt to exploit the ShellShock vulnerability on a Finnish infrastructure

In week 49, two IP addresses targeted a Finnish infrastructure and attempted to exploit a vulnerability in the Bash shell (CVE-2014-6271, CVSS3 9.8), specifically on Sonicwall products:

URL: /cgi-bin/jarrewrite.sh
UserAgent : "() { :; }; echo ; /bin/bash -c 'cat /etc/passwd\'"

Some versions of Sonicwall Virtual Office SSL-VPN are vulnerable to ShellShock, which allows an attacker to execute arbitrary commands. This vulnerability was patched in 2015, but attackers continue to include it in their scans in search of exposed versions.
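An added example, not TEHTRIS's own tooling: detection logic for this probe, run over web access logs. It assumes the Apache/nginx combined log format and checks the Referer as well as the User-Agent, which goes slightly beyond the single header shown above because CGI exports each request header into the environment Bash reads. The sample log lines and IP addresses are constructed.

```python
import re

# Combined Log Format; quoted fields may contain backslash-escaped characters.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<user_agent>(?:[^"\\]|\\.)*)"$'
)
# Bash function-definition prefix abused by CVE-2014-6271; whitespace-tolerant
# so that spacing variants of the same prefix are caught too.
FUNC_DEF_RE = re.compile(r'\(\s*\)\s*\{')
# Paths likely to be served by a CGI script (assumed naming conventions).
CGI_RE = re.compile(r'/cgi-bin/|\.(?:cgi|sh)(?:\?|$)')

# Constructed sample lines (documentation IP ranges); the first reuses the
# URL and User-Agent quoted above.
SAMPLE_LOG = [
    r'''192.0.2.10 - - [05/Dec/2022:10:01:02 +0000] "GET /cgi-bin/jarrewrite.sh HTTP/1.1" 404 0 "-" "() { :; }; echo ; /bin/bash -c 'cat /etc/passwd\'"''',
    r'''198.51.100.7 - - [05/Dec/2022:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"''',
    r'''203.0.113.5 - - [06/Dec/2022:08:15:00 +0000] "GET / HTTP/1.1" 200 512 "() { :;}; echo" "curl/7.68.0"''',
    "not a log line",
]


def find_shellshock(lines):
    """Return one finding per logged header that carries a function-definition prefix."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess at its fields
        for field in ("referer", "user_agent"):
            if FUNC_DEF_RE.search(m[field]):
                findings.append({
                    "ip": m["ip"],
                    "path": m["path"],
                    "field": field,
                    # A CGI target is where the header becomes a Bash
                    # environment variable, so triage those hits first.
                    "cgi_target": bool(CGI_RE.search(m["path"])),
                })
    return findings


if __name__ == "__main__":
    for finding in find_shellshock(SAMPLE_LOG):
        print(finding)
```

Hits where `cgi_target` is true on a host that still runs an unpatched Bash deserve immediate follow-up; the rest are scan noise that is still worth counting per source IP.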

The first malicious IP address is the Australian IP 170.64.142[.]27 (AS14061 – DIGITALOCEAN-ASN), which is unknown to public databases. It made over 400 web requests on the 5th of December 2022. Other vulnerabilities that the attacker attempted to exploit include:

  • CVE-2022-26134 (CVSS3 9.8) and CVE-2021-26084 (CVSS3 9.8), which both affect Confluence Server and Data Center and allow OGNL code injection and arbitrary code execution
  • CVE-2018-0125 (CVSS3 9.8), which affects the web-based interface of some Cisco routers and allows an attacker to execute arbitrary code and gain administrator rights on the system
  • CVE-2019-16662 (CVSS3 9.8), discovered in rConfig 3.9.2 (an open-source configuration tool)

The second malicious IP is the Finnish address 37.228.129[.]133 (AS 200651 – FLOKINET LTD), which made two requests on the 6th of December 2022. According to some public repositories, it is believed to be a Tor exit node. In addition to the ShellShock exploit attempt, the attacker sent a web request attempting to exploit CVE-2019-9082 (CVSS3 8.8) in ThinkPHP (an enterprise and professional applications framework), again on the same Finnish honeypot.

Attempted exploitation of a VMware vulnerability

Five IP addresses attempted to exploit CVE-2021-21985 (CVSS3 9.8), which affects some versions of VMware vSphere and allows an unauthenticated attacker to remotely execute arbitrary code with a high level of privilege.

Four IP addresses are hosted by the Dutch AS57043 HOSTKEY B.V. and, according to TEHTRIS NTA, conduct the same malicious activities:

  • Using cURL to scan the web (cURL is a command-line tool to get or send data using URL syntax)
  • Attempted exploitation of CVE-2021-31207 (CVSS3 7.2) in Microsoft Exchange Server, which allows remote arbitrary code execution and privilege escalation
  • Using NMAP (a network exploration tool) to perform a scan



The fifth IP address is the Australian IP 170.64.150[.]255 of AS14061 (DIGITALOCEAN-ASN), unknown to public databases. It targeted a Spanish infrastructure with more than 400 web requests, some of which aimed at exploiting Log4Shell (CVE-2021-44228 – CVSS3 10) and a vulnerability in F5 BIG-IP that allows remote execution of arbitrary code, as well as breaching data integrity and confidentiality (CVE-2020-5902 – CVSS3 9.8).

Management interfaces should not be directly accessible from the Internet.

This week, 30% of SSH login attempts are associated with two login/password pairs that were seen rarely or not at all in previous weeks. These are:

  • knockknockwhosthere / knockknockwhosthere, requested by more than 6,500 different IP addresses, in particular on the 8th and 9th of December 2022, representing 16% of the total observed SSH activity
    [Figure: Timeline of the last 2 months (11/10/22 – 11/12/22)]
  • 345gs5662d34 / 345gs5662d34, requested by more than 5,770 different IP addresses between 09/12/22 and 11/12/22, corresponding to 14% of the total observed SSH activity

Lessons learned this week:

  • Don’t forget to update all your software, because even dated vulnerabilities continue to be exploited by attackers.
  • Avoid exposing machines or interfaces on the Internet that don’t need to be exposed.
  • Always change your passwords in line with password strength rules.