
13 posts tagged with "security"


Can I help you, Mr. Bad Bot?

6 min read

Everybody knows the Internet is full of crawlers, bots, scanners and other opportunistic traffic. This is not breaking news, but sometimes you come across a scanner so aggressive it makes you think you are actively targeted for a second.

We first noticed this particularly aggressive scan on our support ticketing platform during September 2024, with over 18 000 requests in the span of 20 minutes from 52.86.221.173.

[root@server tmp]# cat osticket_syslog.txt | grep 52.86.221.173 | grep 2024-09-07 | less | wc -l
18546

SSH botnets with a 9 to 5

5 min read

Every publicly exposed server will be, at some point, attacked by botnets. In this blog post, we will concentrate on the SSH botnets, i.e., the ones that try to connect via SSH to vulnerable endpoints (due to weak user:password combinations, SSH daemon misconfigurations and so on). After connecting to an endpoint, they usually run various commands (e.g., download and execute malware).

As part of the SOCcare project where Politehnica Bucharest is one of the partners, we deployed a honeypot to detect and study the SSH botnets’ behavior. During the month of August, we discovered some interesting patterns.