CRITICAL: Honeypot Brute Force Events Report

DESCRIPTION LAST UPDATED: 2024-08-16

DEFAULT SEVERITY LEVEL: CRITICAL

This report identifies hosts that several networks of honeypots have observed performing brute force attacks: repeated credential-guessing attempts to gain access over protocols such as SSH, Telnet, VNC, RDP and FTP.

Once access has been obtained, devices may be used for other attacks, which may involve installing malicious software that enables the device to function as part of a botnet. For example, the well-known Mirai botnets were used in this way to launch DDoS attacks.

Compromised devices may also be used to scan for other vulnerable Internet-connected devices. In still other cases, brute forcing network devices may enable a criminal to attempt financial theft: by inserting rogue DNS server entries into a home router's network configuration, they can redirect user traffic to malicious webpages and mount phishing attacks against the home network's users.

When we detect brute force attacks, our system reports them to the owners of the network from which the attacks originate, or to the National CERTs responsible for that network.

You can learn more about the report in our Honeypot Brute Force Events Report tutorial.

You can learn more about our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

Severity levels are described here.

Filename: event4_honeypot_brute_force

This report type was originally created as part of the EU Horizon 2020 SISSDEN Project.

Fields

  • timestamp
    Timestamp when the IP was seen in UTC+0
  • protocol
    Packet type of the connection traffic (UDP/TCP)
  • src_ip
    The IP of the device in question
  • src_port
    Source port of the IP connection
  • src_asn
    ASN of the source IP
  • src_geo
    Country of the source IP
  • src_region
    Region of the source IP
  • src_city
    City of the source IP
  • src_hostname
    Reverse DNS of the source IP
  • src_naics
    North American Industry Classification System Code
  • src_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • device_vendor
    Source device vendor
  • device_type
    Source device type
  • device_model
    Source device model
  • severity
    Severity level
  • dst_ip
    Destination IP
  • dst_port
    Destination port of the IP connection
  • dst_asn
    ASN of the destination IP
  • dst_geo
    Country of the destination IP
  • dst_region
    Region of the destination IP
  • dst_city
    City of the destination IP
  • dst_hostname
    Reverse DNS of the destination IP
  • dst_naics
    North American Industry Classification System Code
  • dst_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • public_source
    Source of the event data
  • infection
    Description of the malware/infection
  • family
    Malware family or campaign associated with the event
  • tag
    Event attributes
  • application
    Application name associated with the event
  • version
    Software version associated with the event
  • event_id
    Unique identifier assigned to the source IP or event
  • service
    The type of service that was attacked, e.g. SSH, RDP or Telnet
  • start_time
    Timestamp of first activity seen in the attack
  • end_time
    Timestamp of last activity seen in the attack
  • client_version
    The version string served by the attacker, if applicable and recorded
  • username
    The first username that was attempted, if recorded
  • password
    The first password that was attempted, if recorded
  • payload_url
    If a payload was downloaded onto the target, the URL where the payload was downloaded from, if recorded
  • payload_md5
    The md5sum of the payload downloaded onto the target, if recorded.

Sample

"timestamp","protocol","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","device_vendor","device_type","device_model","severity","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","public_source","infection","family","tag","application","version","event_id","service","start_time","end_time","client_version","username","password","payload_url","payload_md5"
"2010-02-10 00:00:00",tcp,192.168.0.1,56994,64512,ZZ,Region,City,node01.example.com,0,,,,,critical,172.16.0.1,22,65534,ZZ,Region,City,node01.example.net,0,"Communications, Service Provider, and Hosting Service",,ssh-brute-force,,,ssh,,,,,"2010-02-10 00:00:00",,bob,ca,,
"2010-02-10 00:00:01",tcp,192.168.0.2,39446,64512,ZZ,Region,City,node02.example.com,0,"Communications, Service Provider, and Hosting Service",,,,critical,172.16.0.2,23,65534,ZZ,Region,City,node02.example.net,0,,,telnet-brute-force,,,telnet,,,,,"2010-02-10 00:00:01",,enable,linuxshell,,
"2010-02-10 00:00:02",tcp,192.168.0.3,35940,64512,ZZ,Region,City,node03.example.com,0,,,,,critical,172.16.0.3,5900,65534,ZZ,Region,City,node03.example.net,0,,,vnc-brute-force,,,vnc,,,,,"2010-02-10 00:00:02",,,,,
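A recipient of this report typically parses the CSV and groups events by attacking source before notifying the device owner. The following is example code added here, not Shadowserver tooling; it embeds the sample rows above, assumes the column layout and the "YYYY-MM-DD HH:MM:SS" UTC timestamp format described on this page, and falls back to the `application` or `infection` columns when `service` is empty (as it is in the sample rows).

```python
"""Parse an event4_honeypot_brute_force CSV and summarise it per source IP (example, not Shadowserver code)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: the three rows from the report description (placeholder RFC1918 / ZZ values).
SAMPLE_CSV = '''"timestamp","protocol","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","device_vendor","device_type","device_model","severity","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","public_source","infection","family","tag","application","version","event_id","service","start_time","end_time","client_version","username","password","payload_url","payload_md5"
"2010-02-10 00:00:00",tcp,192.168.0.1,56994,64512,ZZ,Region,City,node01.example.com,0,,,,,critical,172.16.0.1,22,65534,ZZ,Region,City,node01.example.net,0,"Communications, Service Provider, and Hosting Service",,ssh-brute-force,,,ssh,,,,,"2010-02-10 00:00:00",,bob,ca,,
"2010-02-10 00:00:01",tcp,192.168.0.2,39446,64512,ZZ,Region,City,node02.example.com,0,"Communications, Service Provider, and Hosting Service",,,,critical,172.16.0.2,23,65534,ZZ,Region,City,node02.example.net,0,,,telnet-brute-force,,,telnet,,,,,"2010-02-10 00:00:01",,enable,linuxshell,,
"2010-02-10 00:00:02",tcp,192.168.0.3,35940,64512,ZZ,Region,City,node03.example.com,0,,,,,critical,172.16.0.3,5900,65534,ZZ,Region,City,node03.example.net,0,,,vnc-brute-force,,,vnc,,,,,"2010-02-10 00:00:02",,,,,
'''

TIME_COLUMNS = ("timestamp", "start_time", "end_time")


def parse_report(text):
    """Yield one dict per event: empty cells become None, time columns become UTC-aware datetimes."""
    for row in csv.DictReader(io.StringIO(text)):
        event = {k: (v if v != "" else None) for k, v in row.items()}
        for key in TIME_COLUMNS:
            if event[key]:
                event[key] = datetime.strptime(event[key], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        yield event


def attacked_service(event):
    """The 'service' column is optional; fall back to 'application', then to the '<svc>-brute-force' infection label."""
    if event["service"]:
        return event["service"]
    if event["application"]:
        return event["application"]
    return (event["infection"] or "").removesuffix("-brute-force") or None


def summarize_by_source(events):
    """Group by attacking src_ip: services hit, distinct (dst_ip, dst_port) targets, captured credentials and payloads."""
    summary = defaultdict(lambda: {"services": set(), "targets": set(), "credentials": [], "payloads": set()})
    for e in events:
        s = summary[e["src_ip"]]
        s["services"].add(attacked_service(e))
        s["targets"].add((e["dst_ip"], e["dst_port"]))
        if e["username"] or e["password"]:
            s["credentials"].append((e["username"], e["password"]))
        if e["payload_url"] or e["payload_md5"]:
            s["payloads"].add((e["payload_url"], e["payload_md5"]))
    return dict(summary)


if __name__ == "__main__":
    for src_ip, info in summarize_by_source(parse_report(SAMPLE_CSV)).items():
        print(src_ip, sorted(info["services"]), len(info["targets"]), "targets", info["credentials"])
```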
