Global Glastopf statistics for May 2014

During the month of May the following information was obtained from Glastopf installations worldwide

Number of alert for the period: 1859863

Filenames (RFI) - 10 most popular during the period:

Hash: Hits:
48101bbdd897877cc62b8704a293a436 2425
4997ed27142837860014e946eed96124 2050
d070c4cccf556b9da81da1e2de3cba54 644
3cc11c8fa7e3e36f0164bdcae9de78ec 330
ab4d03072cc0532afc83d13854ed7e4f 286
8f8adad762a39ba298b9ee8b7555acf3 261
474c4daeff3d82ae49d7c96acb8c0d84 208
e5f9687d94bf23f395799dec3fcafc3f 199
873f84fe2b641c2934203c7f6621b7fb 167
7de0bcb903eaba7881c6d03a8c7769a8 124

Ping back

pingback.ping, which is a legit WordPress feature misused to DoS victims using legit WordPress sites.

URL describing the issue: http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html

Method:

<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.com</string></value></param><param><value><string>www.anywordpresssite.com/postchosen</string></value></param></params></methodCall>'

Extent:

During may we collected 37705 pingback.ping request targeting various sites. This month it were sites that was facilitating DDoS attacks that was in focus, most likely from competition.

Top pick from list of requested resources

Resource: Count:
/wp-content/plugins/yd-recent-posts-widget/timthumb/timthumb.php?src&sa&sa 44348
/xmlrpc.php 37918
/awstats/awstats.pl 10917
/awstats/awstats.pl?framename=mainright&output=refererpages 9319
/PMA/index.php 7444
/wp-login.php 5609
/pma2005/index.php 5224
/phpMyAdmin-2.6.3/index.php 5182
/phpMyAdmin-2.2.3/index.php 5017
/phpMyAdmin-2.5.7/setup.php 4883
/phpMyAdmin/ 4541
/phpMyAdmin-2.6.4-rc1/index.php 4442
/bb_lib/index2.php 4435
/administrator/index.php 4171

And ..

Resource: Count: Reference:
/cgi-bin/rtpd.cgi 252 http://www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities

This was a small excerpt from the collected data. I hope this encouraged you to continue to have hpfeeds enabled (or to enable it, if you have turned it off) on your honeypot/honeypots as the data gives a very valuable insight into current threats globally.

System reference:

“Glastopf is a Honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications. The principle behind it is very simple: Reply the correct response to the attacker exploiting the web application.”

For more information please visit:
http://www.glastopf.org/index.php or https://github.com/glastopf/glastopf

All data was collected using hpfriends, for more information please visit: http://hpfriends.honeycloud.net/