Analysis of this week's attack trending.
These attacks were distributed across many different source and destination nodes. The majority appear to be SSH brute force. Something interesting I found was that these attacks were somewhat intelligent: they iterated not only through the common default username/password lists, but also through usernames derived from the target's domain name, whois data, and so on. That was an interesting find this week.
The rest were fairly generic, except that I saw a substantial number of connection attempts to Netis routers, presumably to exploit a vulnerability that has been sitting on those devices for a while.
There was also a bit of SIP and DNS traffic. I don't run most of the probed services on these devices, so these are mostly just scanners. Almost all of the SSH brute force came from source addresses in China. It would be interesting to know how many nodes they compromise through poor configuration practices.
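The "intelligent" wordlist observation above is easy to check for in your own auth logs. The following is an added example, not code from the original post: it parses sshd "Failed password" lines, aggregates failures per source address, and flags a source as targeted when it guesses usernames that can only be derived from the host's domain name or whois record rather than from a stock default list. The log lines, the domain example.com, the registrant "Jane Doe" and the mailbox jdoe@example.com are all constructed, hypothetical inputs; the source addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample of sshd auth.log lines (not real honeypot data).
SAMPLE_LOG = """\
Jan 14 03:12:01 hp sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 14 03:12:02 hp sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jan 14 03:12:03 hp sshd[1203]: Failed password for invalid user example from 203.0.113.5 port 51240 ssh2
Jan 14 03:12:04 hp sshd[1204]: Failed password for invalid user jdoe from 203.0.113.5 port 51244 ssh2
Jan 14 03:12:05 hp sshd[1205]: Failed password for invalid user jane.doe from 203.0.113.5 port 51250 ssh2
Jan 14 03:12:06 hp sshd[1206]: Failed password for invalid user example.com from 203.0.113.5 port 51251 ssh2
Jan 14 03:13:10 hp sshd[1210]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan 14 03:13:11 hp sshd[1211]: Failed password for invalid user pi from 198.51.100.7 port 40002 ssh2
Jan 14 03:13:12 hp sshd[1212]: Failed password for invalid user ubuntu from 198.51.100.7 port 40003 ssh2
Jan 14 03:13:13 hp sshd[1213]: Accepted publickey for deploy from 192.0.2.9 port 2222 ssh2
"""

# Hypothetical facts about the honeypot host, standing in for its DNS name
# and whois record.
HOST_DOMAIN = "example.com"
WHOIS_NAMES = ["Jane Doe"]
WHOIS_EMAILS = ["jdoe@example.com"]

# A short default-credential username list of the kind every scanner carries.
DEFAULT_USERS = {"root", "admin", "test", "user", "guest", "pi", "ubuntu",
                 "oracle", "postgres", "ftp", "support"}

# Matches both "Failed password for root ..." and
# "Failed password for invalid user admin ..." forms of the sshd message.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def derived_usernames(domain, names, emails):
    """Usernames an attacker can derive from public data about the target:
    domain labels, registrant names in common login shapes, mailbox names."""
    derived = set()
    domain = domain.lower()
    label = domain.split(".")[0]
    derived.update({domain, label, label + "admin", "admin@" + domain})
    for full in names:
        parts = full.lower().split()
        if not parts:
            continue
        first, last = parts[0], parts[-1]
        derived.update({first, last, first + last, first + "." + last,
                        first[0] + last, first + "_" + last})
    for addr in emails:
        addr = addr.lower()
        derived.update({addr, addr.split("@", 1)[0]})
    return derived


def analyze(log_text, domain=HOST_DOMAIN, names=WHOIS_NAMES,
            emails=WHOIS_EMAILS, targeted_threshold=2):
    """Aggregate failed SSH logins per source address and flag sources whose
    guesses go beyond the generic default list."""
    derived = derived_usernames(domain, names, emails)
    per_src = defaultdict(lambda: {"attempts": 0, "users": set(),
                                   "default_hits": 0, "derived_hits": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:                      # successful logins, other sshd noise
            continue
        user, src = m.group("user").lower(), m.group("src")
        rec = per_src[src]
        rec["attempts"] += 1
        rec["users"].add(user)
        if user in DEFAULT_USERS:
            rec["default_hits"] += 1
        if user in derived:
            rec["derived_hits"] += 1
    report = {}
    for src, rec in per_src.items():
        report[src] = {
            "attempts": rec["attempts"],
            "users": sorted(rec["users"]),
            "default_hits": rec["default_hits"],
            "derived_hits": rec["derived_hits"],
            # "targeted": the source tried names only obtainable by looking
            # this host up, not just the stock wordlist
            "targeted": rec["derived_hits"] >= targeted_threshold,
        }
    return report


if __name__ == "__main__":
    for src, rec in analyze(SAMPLE_LOG).items():
        kind = "targeted" if rec["targeted"] else "generic"
        print(f"{src}: {rec['attempts']} failures, {len(rec['users'])} users, "
              f"{rec['derived_hits']} domain/whois-derived -> {kind}")
```

On the constructed sample, 203.0.113.5 is flagged as targeted (four of its six guesses come from the domain or the registrant's name) while 198.51.100.7 only works the default list. The threshold of two derived hits is a guess-rate knob, not a hard rule; on a real honeypot you would tune it and extend derived_usernames with whatever your own whois record and MX hostnames expose.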
Port 22: SSH brute-force login attempts (port 23 is Telnet, not SSH). If anyone is interested, I can post the usernames they are testing.
Port 3306: MySQL. Lock down your servers: the database behind an external site should not accept remote connections. Normally MySQL is bound to localhost only (bind-address = 127.0.0.1) and accounts are granted only from localhost.
Port 80/443: These look like probes and sessionless requests, i.e. UDP packets sent to these ports rather than full HTTP sessions.
Port 53413: Looks like the Netis router vulnerability scan (the backdoor on those devices listens on UDP 53413), https://netisscan.shadowserver.org/
Port 3389/3390: RDP server probes (3390 is often used as an alternate RDP port).
Port 8080: Scanning for open proxies and other common alternate HTTP ports.