Global Glastopf statistics for April 2014

During the month of April the following information was obtained from Glastopf installations worldwide

Number of alert for the period: 1325919

Filenames (RFI) - 10 most common during the period:

Specifically newsworthy event: Ping back”

pingback.ping, which is a legit WordPress feature is misused to DoS victims using legit WordPress sites.

URL describing the issue: http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed- denial-of-service-attack.html

Method:
pingback.pinghttp://victim.com www.anywordpresssite.com/postchosenparam>'
Extent:

We started monitoring this event, late into the month. But even so, the top 10 victim sites was hit with a total of 13441 requests.

Summary:

The targets that we detected was a blend of a legit businesses/services but also a mix of underground forums, hacking and carding sites. Some of the sites targeted were also protected by DDoS mitigation services.

Top pick from list of requested resources:

And a few other request that are “interesting” to highlight

This was a small excerpt from the collected data. I hope this encouraged you to continue to have hpfeeds enabled (or to enable it, if you have turned it off) on your honeypot/honeypots as the data gives a very valuable insight into current threats globally.

System reference:

“Glastopf is a Honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications. The principle behind it is very simple: Reply the correct response to the attacker exploiting the web application.”

For more information please visit:
http://www.glastopf.org/index.php or https://github.com/glastopf/glastopf

All data was collected using hpfriends, for more information please visit: http://hpfriends.honeycloud.net/