科技回声: a tech news platform built with Next.js, providing global tech news and discussion content.
© 2025 科技回声. All rights reserved.

The Honeypot Diaries: Thousands of Daily Attacks on My Home Network

87 points by HermanMartinus, over 1 year ago

16 comments

Roark66, over 1 year ago
Have I missed 99% of the content or is this purely to raise awareness? There is no description of the honeypot. Did the person running it manage to intercept any root kits, and if yes, what were they?

I remember years ago there was this VNC vulnerability that allowed one to log in without a password. At the time I was doing "IT support" for various small businesses in West Yorkshire, UK. All of my regulars had firewalls with (site to site) VPN for remote access, but often I'd get new clients I never saw before asking to fix something. When that vulnerability came out I was getting calls from such new customers daily about "their system is slow", "our email is not going out" (in those days even small businesses used to run their own email servers). Every single "new customer" I had during the next few weeks was "hacked" by the VNC bug. It seems whoever used to do IT for them left VNC accessible from the Internet (not even limiting the source IPs on the firewall). Every single time the root kits I found had outputs in Chinese (it required changing Windows cmd settings to even see it). Most were very basic, but they did manage to successfully kill the AV software and they all had their own storage drivers that hid certain folders unless I booted the system in safe mode (these were mostly Windows 2000/2003 SBS servers BTW). Frequently I'd find lists of other victims' IPs on these systems and their scanning software. What was the goal of this campaign? Sending spam of course. As mentioned, most clients only realised they were "hacked" when their system became horribly slow, or their outgoing email was cut off by their ISP blocking outgoing SMTP traffic from their IPs following complaints. What was the spam? Viagra of course.... I saw lots of these. Many of these systems had personal data of people; I never noticed attempts to exfiltrate such data.
The only time I dealt with a proper attempt to steal money from a business account using the IT system was after a disgruntled IT admin was fired.

This was almost 20 years ago. I'd love to find out how small network attackers try to "monetize" their victims today. Are they just searching for crypto, attempting "encrypting data" scams, or is there something more interesting? Curious minds want to know?
Comment #37800304 not loaded
Comment #37800467 not loaded
Comment #37800792 not loaded
Comment #37801075 not loaded
enthus1ast, over 1 year ago
I've built a simple telnet honeypot that emulated some embedded device. I also got thousands of samples. I think it was mostly different strains of Mirai.

I learned some things about how bots fingerprint the honeypots, and patched it accordingly so that they do not identify my service as a honeypot.

The funny thing about this was that my ISP sent me a letter (by post o.0) that I run a vulnerable service on my network.

The honeypot had a "MOD" from an old nuclear power plant, and did some random tarpit and randomly let random user/password combinations log in.

It was a fun experiment.
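A minimal version of the kind of telnet honeypot this comment describes, as an added example that is not enthus1ast's code and not from the linked article: it shows a constructed embedded-device banner, logs every username/password pair, adds a random tarpit delay before each reply, and "accepts" a configurable fraction of logins into a fake shell that executes nothing and only records what was typed. The banner text, the `LoginEmulator`/`new_emulator` names, the listening port and the 256-byte line cap are all assumptions of this example; the login logic is a plain class so it can be exercised without a socket.

```python
"""Minimal telnet-style honeypot login emulator.

Added example, not the commenter's code. The login logic is a plain class
(LoginEmulator) so it can be exercised without sockets; an asyncio server
wraps it for use on an isolated lab network. Nothing a client types is
ever executed: the fake shell only logs commands and replies "not found".
"""
import asyncio
import json
import random
import time
from dataclasses import dataclass, field

# Constructed banner; a real deployment would mimic the device class it emulates.
BANNER = b"\r\nEmbedded Linux (constructed honeypot banner)\r\n\r\nlogin: "
MAX_LINE = 256  # bytes kept per line, so a client cannot exhaust memory


@dataclass
class LoginEmulator:
    peer: str
    rng: random.Random
    accept_rate: float = 0.2            # fraction of password attempts "accepted"
    tarpit_range: tuple = (0.0, 0.0)    # min/max seconds of delay before replying
    attempts: list = field(default_factory=list)
    state: str = "user"                 # "user" -> "pass" -> "shell"
    _user: str = ""

    def delay(self) -> float:
        """Random tarpit delay: slows bots down at no cost to the honeypot."""
        return self.rng.uniform(*self.tarpit_range)

    def record(self, kind: str, **fields) -> dict:
        event = {"ts": time.time(), "peer": self.peer, "event": kind, **fields}
        self.attempts.append(event)
        return event

    def feed(self, line: str) -> tuple:
        """Consume one line from the client; return (event_kind, bytes_to_send)."""
        line = line.rstrip("\r\n")[:MAX_LINE]
        if self.state == "user":
            self._user = line
            self.state = "pass"
            return "user", b"Password: "
        if self.state == "pass":
            accepted = self.rng.random() < self.accept_rate
            self.record("login", user=self._user, password=line, accepted=accepted)
            if accepted:
                self.state = "shell"
                return "accepted", b"\r\n$ "
            self.state = "user"
            return "rejected", b"\r\nLogin incorrect\r\nlogin: "
        # Fake shell: log the command, never run it.
        self.record("command", user=self._user, command=line)
        name = line.split()[0] if line.strip() else ""
        if not name:
            return "command", b"$ "
        return "command", b"-sh: " + name.encode("latin-1", "replace") + b": not found\r\n$ "


def new_emulator(peer: str, seed=None, accept_rate: float = 0.2,
                 tarpit_range=(0.0, 0.0)) -> LoginEmulator:
    """Factory with a seedable RNG so behaviour can be reproduced in tests."""
    return LoginEmulator(peer=peer, rng=random.Random(seed),
                         accept_rate=accept_rate, tarpit_range=tarpit_range)


async def handle(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    peer = writer.get_extra_info("peername")[0]
    emu = new_emulator(peer, tarpit_range=(0.5, 3.0))
    writer.write(BANNER)
    try:
        while True:
            data = await asyncio.wait_for(reader.readline(), timeout=60)
            if not data:
                break
            _, reply = emu.feed(data.decode("latin-1", "replace"))
            await asyncio.sleep(emu.delay())   # tarpit before every reply
            writer.write(reply)
            await writer.drain()
    except (asyncio.TimeoutError, ConnectionError):
        pass
    finally:
        writer.close()
        for event in emu.attempts:             # one JSON line per event
            print(json.dumps(event))


async def main(host: str = "127.0.0.1", port: int = 2323) -> None:
    # Binds to localhost by default; exposing it is a deliberate, separate step.
    server = await asyncio.start_server(handle, host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

The emulator never evaluates input, so the only risk it carries is the attention it attracts; the JSON event lines are what a later analysis step would consume.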
jrflowers, over 1 year ago
It is important that we all know that if we intentionally configure our networks to draw attention from automated scans that we will draw attention from automated scans.
Comment #37799956 not loaded
m_a_g, over 1 year ago
I’d love to know more about the honeypot and the whole process.
Comment #37799863 not loaded
globalnode, over 1 year ago
Please excuse my ignorance, but it looks like most incidents are from Romania and Germany, am I wrong? Why is he highlighting China?
Comment #37806236 not loaded
Comment #37800281 not loaded
Comment #37800189 not loaded
BMc2020, over 1 year ago
Interesting link at the bottom, the 1MB club:

"1MB Club is a growing collection of performance-focused web pages weighing less than 1 megabyte."
Comment #37800202 not loaded
Comment #37800055 not loaded
Jamie9912, over 1 year ago
I wouldn't consider these attacks. Anything on the internet is going to receive background bot/spam traffic by default.
Comment #37801523 not loaded
charcircuit, over 1 year ago
The author's IP was likely added to databases like Shodan that include information showing vulnerable services were running.

The attempts are not because the author is a bank, but rather because the perceived difficulty is deemed to be trivial.
schleck8, over 1 year ago
I'm still convinced that the majority of IoT devices are unnecessary nonsense. And I don't think manufacturers care about their great contribution to botnets either.
oger, over 1 year ago
What are good and battle-proven tools to

A) monitor traffic on my home network - especially in a MikroTik environment

B) identify malicious activity

Thx
Comment #37802299 not loaded
Comment #37800853 not loaded
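Whatever tool ends up collecting the traffic, the detection step for oger's question (B) comes down to a few windowed counts over connection logs. As an added example, not a tool recommended in the thread and not vendor code, the Python below runs such logic over constructed lines that approximate the MikroTik firewall log format produced by a filter rule with `log=yes` (the assumption here is that the rule logs new inbound TCP SYNs): a source hitting many distinct ports within a minute is reported as a port scan, and a source repeating SYNs to one port as a brute-force attempt. The thresholds, hostnames and addresses are assumptions.

```python
"""Flag scanning and brute-force sources in router firewall logs.

Added example, not a tool from the thread. SAMPLE_LOG is constructed to
approximate the MikroTik firewall log format emitted by a filter rule with
log=yes (assumed here to log new inbound TCP SYNs).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one scanner, one password-guesser, one quiet host, one UDP line.
SAMPLE_LOG = """\
Oct 10 12:00:01 rb firewall,info input: in:ether1 out:(unknown 0), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.5:40001->192.0.2.10:22, len 60
Oct 10 12:00:02 rb firewall,info input: in:ether1 out:(unknown 0), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.5:40002->192.0.2.10:23, len 60
Oct 10 12:00:03 rb firewall,info input: in:ether1 out:(unknown 0), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.5:40003->192.0.2.10:80, len 60
Oct 10 12:00:04 rb firewall,info input: in:ether1 out:(unknown 0), src-mac 00:0c:42:aa:bb:cc, proto UDP, 203.0.113.5:5353->192.0.2.10:53, len 40
Oct 10 12:00:04 rb firewall,info input: in:ether1 out:(unknown 0), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.5:40004->192.0.2.10:443, len 60
Oct 10 12:00:05 rb firewall,info input: in:ether1 out:(unknown 0), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.5:40005->192.0.2.10:8080, len 60
Oct 10 12:00:10 rb firewall,info input: in:ether1 out:(unknown 0), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 198.51.100.9:51000->192.0.2.10:22, len 60
Oct 10 12:00:15 rb firewall,info input: in:ether1 out:(unknown 0), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 198.51.100.9:51001->192.0.2.10:22, len 60
Oct 10 12:00:20 rb firewall,info input: in:ether1 out:(unknown 0), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 198.51.100.9:51002->192.0.2.10:22, len 60
Oct 10 12:00:25 rb firewall,info input: in:ether1 out:(unknown 0), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 198.51.100.9:51003->192.0.2.10:22, len 60
Oct 10 12:00:30 rb firewall,info input: in:ether1 out:(unknown 0), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 192.0.2.44:33000->192.0.2.10:22, len 60
Oct 10 12:05:30 rb firewall,info input: in:ether1 out:(unknown 0), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 192.0.2.44:33001->192.0.2.10:80, len 60
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*?proto (\w+)(?: \(([^)]*)\))?, "
    r"([\d.]+):(\d+)->([\d.]+):(\d+)")


def parse(line: str):
    """Return a dict for one firewall log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m.group(1), "%b %d %H:%M:%S"),
            "proto": m.group(2), "flags": m.group(3) or "",
            "src": m.group(4), "sport": int(m.group(5)),
            "dst": m.group(6), "dport": int(m.group(7))}


def detect(text: str, window: timedelta = timedelta(seconds=60),
           scan_ports: int = 5, brute_hits: int = 4) -> list:
    """Sliding-window detector over TCP SYN log lines.

    A source touching >= scan_ports distinct ports inside `window` is a port
    scan; >= brute_hits SYNs to one port is a brute-force attempt. Each
    (source, finding) fires once so a noisy host does not flood the output.
    """
    alerts, flagged = [], set()
    recent = defaultdict(deque)   # src -> deque of (ts, dport) inside the window
    for line in text.splitlines():
        ev = parse(line)
        if not ev or ev["proto"] != "TCP" or "SYN" not in ev["flags"]:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dport"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= scan_ports and (ev["src"], "port-scan") not in flagged:
            flagged.add((ev["src"], "port-scan"))
            alerts.append({"type": "port-scan", "src": ev["src"],
                           "at": ev["ts"], "ports": sorted(ports)})
        hits = sum(1 for _, p in q if p == ev["dport"])
        key = (ev["src"], "brute-force", ev["dport"])
        if hits >= brute_hits and key not in flagged:
            flagged.add(key)
            alerts.append({"type": "brute-force", "src": ev["src"], "at": ev["ts"],
                           "dport": ev["dport"], "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The quiet host 192.0.2.44 touches two ports five minutes apart and never trips either rule, which is the point of windowing: thresholds on raw totals would eventually flag every long-lived neighbour.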
brobinson, over 1 year ago
This information is somewhat interesting, but what action does it allow you to take?

https://en.wikipedia.org/wiki/Information-action_ratio
Comment #37801499 not loaded
tamimio, over 1 year ago
I have several honeypots on different services (some of them mimic industrial automation systems like SCADA), and the majority of these attacks are coming from China, followed by the US and then the Netherlands.
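globalnode's question above about which countries dominate, and tamimio's per-country ranking here, both depend on how each source address gets attributed to a network. As an added example that is not from the thread, the Python below summarises honeypot login events by looking each source IP up in a prefix table with longest-prefix matching, and counts attempts and distinct sources separately, because a few noisy hosts can make one label look dominant by event count alone. The prefix table, its labels and the sample events are constructed (RFC 5737 documentation ranges, not real geolocation); a real report would substitute an ASN or GeoIP database, and its accuracy decides the answer.

```python
"""Summarise honeypot login events by source network label.

Added example, not any commenter's code. Events are JSON lines with the
fields peer/user/password/accepted. PREFIX_TABLE maps RFC 5737
documentation ranges to constructed labels; a real report would load an
ASN or GeoIP database here instead.
"""
import ipaddress
import json
from collections import Counter

# Constructed mapping: these labels are NOT real geolocation of these ranges.
PREFIX_TABLE = {
    "203.0.113.0/24": "CN",
    "198.51.100.0/24": "US",
    "198.51.100.128/25": "NL",   # more specific than the /24 above
    "192.0.2.0/24": "DE",
}
NETWORKS = sorted(
    ((ipaddress.ip_network(p), label) for p, label in PREFIX_TABLE.items()),
    key=lambda item: item[0].prefixlen, reverse=True)   # longest prefix first


def lookup(ip: str) -> str:
    """Longest-prefix match of ip against PREFIX_TABLE; 'unknown' if none."""
    addr = ipaddress.ip_address(ip)
    for net, label in NETWORKS:
        if addr.version == net.version and addr in net:
            return label
    return "unknown"


# Constructed sample events, in the shape a telnet/SSH honeypot would log.
SAMPLE_EVENTS = """\
{"peer": "203.0.113.9", "user": "root", "password": "root", "accepted": false}
{"peer": "203.0.113.9", "user": "root", "password": "admin", "accepted": false}
{"peer": "203.0.113.9", "user": "root", "password": "12345", "accepted": false}
{"peer": "198.51.100.200", "user": "admin", "password": "admin", "accepted": false}
{"peer": "198.51.100.20", "user": "root", "password": "root", "accepted": true}
{"peer": "192.0.2.77", "user": "support", "password": "support", "accepted": false}
{"peer": "203.0.113.40", "user": "root", "password": "root", "accepted": false}
{"peer": "10.9.8.7", "user": "pi", "password": "raspberry", "accepted": false}
"""


def summarize(text: str) -> dict:
    """Count attempts, distinct sources and credential pairs per label."""
    events = Counter()        # label -> number of login attempts
    sources = Counter()       # label -> number of distinct source IPs
    credentials = Counter()   # (user, password) -> attempts
    seen = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            peer, user, password = ev["peer"], ev["user"], ev["password"]
        except (ValueError, KeyError):
            continue   # skip malformed lines rather than abort the report
        label = lookup(peer)
        events[label] += 1
        if peer not in seen:
            seen.add(peer)
            sources[label] += 1
        credentials[(user, password)] += 1
    return {"events": events, "sources": sources, "credentials": credentials}


def report(text: str) -> str:
    """Plain-text table: labels ranked by attempts, with distinct-source counts."""
    s = summarize(text)
    lines = ["label  events  sources"]
    for label, n in s["events"].most_common():
        lines.append(f"{label:<6} {n:>6}  {s['sources'][label]:>7}")
    lines.append("top credentials:")
    for (user, pw), n in s["credentials"].most_common(3):
        lines.append(f"  {user}/{pw}: {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EVENTS))
```

In the constructed sample, "CN" leads with four attempts but only two sources, and one of them alone accounts for three; ranking by distinct sources is usually the more honest picture of where background scanning originates.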
_trampeltier, over 1 year ago
So many IPs from China. Would they not be stopped by China's firewall? I think you can't make an outgoing VPN or SSH connection. Is it possible somebody does a BGP hack and then reuses China IPs?
Comment #37801137 not loaded
Comment #37800803 not loaded
Comment #37801216 not loaded
bdavbdav, over 1 year ago
This seems a bit confusing. It highlights all the external hits, with no internal hits shown, then worries about IoT devices internally.

Most people aren't going to have any external ingress at all.
est, over 1 year ago
Scanners check the full IPv4 space all the time with known attack vectors.
HenryBemis, over 1 year ago
Regarding the list of things that people buy, I have to admit that I couldn't resist buying a Plumbus.

And for those who don't want to spend money buying it and prefer to DIY it, here are the instructions: https://www.youtube.com/watch?v=eMJk4y9NGvE
Comment #37800453 not loaded