Global Glastopf statistics for April 2014

During the month of April the following information was obtained from Glastopf installations worldwide

Number of alert for the period: 1325919

Filenames (RFI) - 10 most common during the period:

Hash: Hits:
b8cbfe520d4c2d8961de557ae7211cd2 1072
3cc11c8fa7e3e36f0164bdcae9de78ec 998
7de0bcb903eaba7881c6d03a8c7769a8 682
9e866b8855c08a93f23afce1b9a79756 460
67b873f7541b039c049414dfe3fd7993 352
9f67913d2c77545a4187053ad18230e4 187
fbef119cf310d6b0b40af7e486416f82 186
ab4d03072cc0532afc83d13854ed7e4f 173
afdc0866a82a6bb23bc4d4fb329672b6 172

Specifically newsworthy event: Ping back”, which is a legit WordPress feature is misused to DoS victims using legit WordPress sites.

URL describing the issue: denial-of-service-attack.html


param></params></methodCall >'


We started monitoring this event, late into the month. But even so, the top 10 victim sites was hit with a total of 13441 requests.


The targets that we detected was a blend of a legit businesses/services but also a mix of underground forums, hacking and carding sites. Some of the sites targeted were also protected by DDoS mitigation services.

Top pick from list of requested resources:

Resource: Count (requests):
/xmlrpc.php 35500
/stats/ 7694
/stats/ 5862
/wp-login.php 5146
/wp-login.php?action=register 4255
/phpMyAdmin-2.5.5/index.php 2353
/phpMyAdmin-2.5.5-pl1/index.php 2297
/administrator/index.php 1933
/api/v1/notice/ios/?type=pro 1450
/phpMyAdmin-2.7.0-beta1/scripts/setup.php 896
/server-status/ 852
/phpTest/zologize/axa.php 758
/ 750
/sqlmanager/setup.php 730
/sprawdza.php 694
/azenv.php 615
/plugins/content/plugin_googlemap2_proxy.php 552

And a few other request that are "interesting" to highlight

Resource: Count: Reference:
/zabbix/httpmon.php 464
/%22GRC.DAT/%22 397 (?)
/HNAP1/ 343 %3A+What+we+know+so+far/17633
/cgi-bin/nph-test-cgi 170 party like it's 1996 (still included in some scanners ..)

This was a small excerpt from the collected data. I hope this encouraged you to continue to have hpfeeds enabled (or to enable it, if you have turned it off) on your honeypot/honeypots as the data gives a very valuable insight into current threats globally.

System reference:

“Glastopf is a Honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications. The principle behind it is very simple: Reply the correct response to the attacker exploiting the web application.”

For more information please visit: or

All data was collected using hpfriends, for more information please visit: