Ho, ho, ho! Seasonal (spam) greetings!

· 6 min read

The Christmas season brings, besides joy and lights, warm emails with a twist. Good Samaritans who want to share their joy and money with you will send you an email with an incredible offer that cannot be refused.

If you are enticed by their offer, you can send them your personal information in return (name, bank information and so on).

Can I help you, Mr. Bad Bot?

· 5 min read

Everybody knows the Internet is full of crawlers, bots, scanners and other opportunistic traffic. This is not breaking news, but sometimes you come across a scanner so aggressive that, for a second, it makes you think you are being actively targeted.

We first noticed this particularly aggressive scan on our support ticketing platform during September 2024, with over 18 000 requests in the span of 20 minutes from 52.86.221.173.

[root@server tmp]# cat osticket_syslog.txt | grep 52.86.221.173 | grep 2024-09-07 | less | wc -l
18546

SSH botnets with a 9 to 5

· 5 min read

Every publicly exposed server will be, at some point, attacked by botnets. In this blog post, we will concentrate on the SSH botnets, i.e., the ones that try to connect via SSH to vulnerable endpoints (due to weak user:password combinations, SSH daemon misconfigurations and so on). After connecting to an endpoint, they usually run various commands (e.g., download and execute malware).

As part of the SOCcare project where Politehnica Bucharest is one of the partners, we deployed a honeypot to detect and study the SSH botnets’ behavior. During the month of August, we discovered some interesting patterns.