In [3]:
import pandas as pd
import requests
import warnings
warnings.filterwarnings("ignore")
import json

In [4]:
# read log file
with open("../fixed_log.log") as f:
    log = f.readlines()

In [5]:
# if you want to read the data into elastic/opensearch/wazuh you can use this 1 by 1 approach or use the _bulk api
# https://opensearch.org/docs/latest/api-reference/document-apis/bulk/
# make sure to create an index template FIRST so that all the log keys are correctly mapped to their data type
# https://opensearch.org/docs/latest/opensearch/index-templates/

#for i, entry in enumerate(log):
#    requests.post(f"https://localhost:9200/gluttonhoneypot/_doc/{i+1}", json=json.loads(entry), auth=('admin', 'admin'), verify=False)

In [6]:
# check logs for layout, parameters and general sanity
log[3:5]

['{"level":"info","ts":1673794463.1364226,"msg":"IP from a known scanner","sensorID":"cd00083f-1221-429d-9d07-49cc5e1c2005","host":"167.94.138.61","scanner":"censys","dest_port":"53482"}\n',
 '{"level":"info","ts":1673794464.202223,"msg":"IP from a known scanner","sensorID":"cd00083f-1221-429d-9d07-49cc5e1c2005","host":"167.94.138.61","scanner":"censys","dest_port":"53482"}\n']

In [7]:
# create a list of dictionaries/json objects to load into a pandas dataframe
list_of_dicts = []
for line in log[3:]:
    list_of_dicts.append(json.loads(line))

In [8]:
# create dataframe (tabular data structure for easy analysis)
df = pd.DataFrame(list_of_dicts)

In [9]:
# show first 5 lines of the dataframe table to visualize and sanity check the data
# looks like the timestamp column was not correctly categorized but we dont care about that for now
df.head()

Unnamed: 0,level,ts,msg,sensorID,host,scanner,dest_port,handler,src_ip,src_port,...,password,message,direction,error,payload_hash,peer_id,inf_hash,sha256,source,sha
0,info,1673794000.0,IP from a known scanner,cd00083f-1221-429d-9d07-49cc5e1c2005,167.94.138.61,censys,53482.0,,,,...,,,,,,,,,,
1,info,1673794000.0,IP from a known scanner,cd00083f-1221-429d-9d07-49cc5e1c2005,167.94.138.61,censys,53482.0,,,,...,,,,,,,,,,
2,info,1673794000.0,IP from a known scanner,cd00083f-1221-429d-9d07-49cc5e1c2005,167.94.138.61,censys,53482.0,,,,...,,,,,,,,,,
3,info,1673794000.0,"running Go routines: 35, open files: 8",cd00083f-1221-429d-9d07-49cc5e1c2005,,,,,,,...,,,,,,,,,,
4,info,1673794000.0,IP from a known scanner,cd00083f-1221-429d-9d07-49cc5e1c2005,167.94.138.61,censys,53482.0,,,,...,,,,,,,,,,


In [10]:
# make sure that the correct amount of rows are shown (dont use this in production...)
pd.set_option("display.max_rows", None)

# show me the top 10 ports that were attacked and their request frequencies
# WAOW... 2.41M of 3.4M are port 23 (telnet) and 2323 (alternative telnet to hide from attackers) 
df.dest_port.value_counts().head(10)

23       2416231
2323      177774
3399       41689
37215      34065
23231       4162
80          3808
21          3255
8080        2802
8888        1478
6379        1462
Name: dest_port, dtype: int64

### lets unpack the ports
23 - TELNET

2323 - probably similar to 2222/22 for ssh, so most likely also targeting telnet

3399 - SAP enterprise management port, or CSMS which could either be cisco router management via CLI or content management systems (we need to dive deeper into this topic - https://www.speedguide.net/port.php?port=3399)

37215 - Huawei HG532 routers that have a LFI vulnerability

23231 - associated with mirai botnet scanners (https://isc.sans.edu/diary/UPDATED+x1:+Mirai+Scanning+for+Port+6789+Looking+for+New+Victims++Now+hitting+tcp23231/21833)

80 - good old web application port

21 - even better old FTP

8080 - typical web app testing port / dev environment port

8888 - typical web app testing port / dev environment port

6379 - redis (in memory database / cache) - associated with https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20821 ?

In [11]:
# the top 100 attacker IPs make up 72% of the registered hits
(df.src_ip.value_counts().to_frame().head(100).sum() / len(list_of_dicts)) * 100

src_ip    72.164882
dtype: float64

In [12]:
df.src_ip.value_counts().head(10)

194.180.49.134     1444948
78.135.85.216       469213
171.22.30.173       183565
85.209.134.96        73187
170.250.201.168      47101
54.39.186.162        41618
195.133.40.73        14987
107.189.6.194         8608
14.33.109.148         8489
185.225.73.79         7530
Name: src_ip, dtype: int64

In [18]:
# check which ports were attacked by our number 1 IP (194.180.49.134)
number_one_attacker = df.loc[df['src_ip'] == '194.180.49.134']

In [19]:
# this attacker focussed on port 23 (telnet) and 2323 (alternative telnet) only
number_one_attacker.dest_port.value_counts()

23      1359863
2323      85085
Name: dest_port, dtype: int64

In [16]:
# this attacker ALSO focussed on port 23 (telnet) and 2323 (alternative telnet) only
number_two_attacker = df.loc[df['src_ip'] == '78.135.85.216']
number_two_attacker.dest_port.value_counts()

23      415921
2323     53292
Name: dest_port, dtype: int64

In [17]:
# attacker #3 went for port 23 (telnet) only
number_three_attacker = df.loc[df['src_ip'] == '171.22.30.173']
number_three_attacker.dest_port.value_counts()

23    183565
Name: dest_port, dtype: int64

In [13]:
# identify attacker IP locations (https://www.hostip.info/use.php)
for ip in df.src_ip.value_counts().head(10).index.to_list():
    r = requests.get(f"https://api.hostip.info/get_html.php?ip={ip}")
    print(r.text)

Country: EUROPEAN UNION (EU)
City: (Unknown city)
IP: 194.180.49.134

Country: GERMANY (DE)
City: Berlin
IP: 78.135.85.216

Country: EUROPEAN UNION (EU)
City: (Unknown city)
IP: 171.22.30.173

Country: (Unknown Country?) (XX)
City: (Unknown City?)
IP: 85.209.134.96

Country: UNITED STATES (US)
City: (Unknown city)
IP: 170.250.201.168

Country: UNITED STATES (US)
City: (Unknown city)
IP: 54.39.186.162

Country: RUSSIAN FEDERATION (RU)
City: (Unknown city)
IP: 195.133.40.73

Country: (Unknown Country?) (XX)
City: (Unknown City?)
IP: 107.189.6.194

Country: UNITED STATES (US)
City: (Unknown city)
IP: 14.33.109.148

Country: (Unknown Country?) (XX)
City: (Unknown City?)
IP: 185.225.73.79



Since this was not too descriptive we can also check https://ipinfo.io/
for details, e.g. which hosting/cloud provider is behind the IPs.

```
194.180.49.134 - amsterdam, netherlands - hosting: des.capital/serverion.com
78.135.85.216 - istanbul, turkey - hosting: hostingdunyam.com.tr
171.22.30.173 - brielle, netherlands - hosting: des.capital/serverion.com
85.209.134.96 - brielle, netherlands - hosting: des.capital/serverion.com
170.250.201.168 - fort lauderdale, florida USA - hosting: hotwirecommunications.com
54.39.186.162 - montreal, canada - hosting: ovh.net
195.133.40.73 - brielle, netherlands - hosting: des.capital/serverion.com
107.189.6.194 - bissen, luxemburg - hosting: frantech.ca
14.33.109.148 - suwon, south korea - hosting: kt.com
185.225.73.79 - amsterdam, netherlands - hosting: des.capital/serverion.com
```

We can see that a lot of IPs are hosted by des.capital in the netherlands, so maybe we should send them a nice email that their service is abused by bots. I shall try to do that and see what happens - will update you on twitter/youtube.

# #1 attacker IP reverse lookup
![image](top_attacker_ip.png)

`poweredbycrazy.ru` huh?
I am not sure which provider this is from but location seems to be in the Netherlands

lets check how long the page has been registered

virustotal: https://www.virustotal.com/gui/domain/poweredbycrazy.ru/relations

crt.sh: https://crt.sh/?q=poweredbycrazy.ru

That shows that the domain is less than 12 months old but more than 6, usually for spammers/bots these have a much shorter half-life.

Next is some google-dorking to check if someone knows the domain.

https://www.google.com/search?q=%22poweredbycrazy.ru%22

One source that added them to their blocklist as the most frequent entry (I think) because they are `Known Spammers or Unauth Logins`
https://www.krowverse.services/blocked_domains.txt

There are also a lot of IPs associated with the domain:
```
212.192.241.42
109.206.241.176 
208.67.106.199
81.161.229.112
194.31.98.130
185.246.221.157
208.67.104.38
208.67.105.236
2.56.57.178
208.67.105.73
141.98.6.32
185.216.71.0
85.31.46.89
212.192.241.132
80.76.51.29
195.178.120.89
107.182.129.118
```

If we cluster those we can see a couple connections
```
2.56.57.178

80.76.51.29 - serverion.com/des.capital


81.161.229.112

85.31.46.89


107.182.129.118 - delis.one/des.capital

109.206.241.176

141.98.6.32


185.216.71.0
185.246.221.157 - serverion.com/des.capital


194.31.98.130
195.178.120.89 - serverion.com/des.capital


208.67.104.38 - serverion.com/des.capital
208.67.105.73

208.67.106.199
208.67.105.236


212.192.241.42
212.192.241.132 - voldeta.com/des.capital
```

In the google results we find two nameserver that might be interesting. We run reverse IP lookups (`dig -x <IP>`) and checking the responses:
ns1.crazy.bz (no response, maybe old?)
ns1.opendns.pw (IP: 107.182.129.157) - there is also ns2.opendns.pw (PW: 208.67.106.208)

(ps. currently the page is "protected" by cloudflare, I am 99% sure though that one could report it and it would be taken down - anyone wanna try?)


### What do you see? 
It appears that the opendns.pw IPs are closely associated with poweredbycrazy.ru (107.182.129.xxx / 208.67.106.xxx - so maybe some kind of malicious nameservers on their side?

PLUS - all the ones we checked come back to the same company - des.capital - WHO is that?