2 days of honeypot traffic stats.
Recently I decided to put one of my honeypots back online, and within about 8 seconds it was hit with an MSSQL probe. I am hoping that this honeypot will bring me much joy and happy days as I learn more about the attacks, the mechanisms of spreading and what they are spreading. During this time I am also looking forward to analyzing malware samples that seem interesting from this honeypot.
Over the past 2 days I have noticed a very interesting trend in attack times, so I wanted to look at the attacks per hour and determine what is going on.
Also with this honeypot I see the vast majority of the attacks on one port. This is the MSSQL port (1433), and all are attempting to log in with the user "sa" and credentials of "". More proof that this is still working is the sheer number of attacks.
Another interesting item is the remote hosts that have attacked over the past 2 days. Apparently some scanners have not figured out that once they hit an IP address they should not pound on it so much.
Last, I want to point out that the malware being delivered is not that unique per attacker, and I have noticed that several hosts are delivering the same malware as others.
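The four breakdowns described above (attacks per hour, busiest port, hosts that keep hitting the same address, and samples delivered by more than one host) can be computed from connection records as in the following added example, which is not code from the original post. The record layout, the `summarize` function, the sample rows and the `HASH_A`/`HASH_B` labels are all constructed assumptions.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records (not from the original honeypot). The column
# layout is an assumption: time, source IP, destination port, username,
# password, hash of any delivered sample (placeholder labels, not real hashes).
SAMPLE_LOG = """\
2024-01-01T03:00:08,192.0.2.10,1433,sa,,
2024-01-01T03:00:09,192.0.2.10,1433,sa,,HASH_A
2024-01-01T03:14:51,192.0.2.10,1433,sa,,HASH_A
2024-01-01T03:40:02,198.51.100.7,1433,sa,,HASH_A
2024-01-01T04:05:33,203.0.113.99,445,,,HASH_B
2024-01-01T04:17:20,198.51.100.7,1433,sa,,
2024-01-02T03:02:11,192.0.2.10,1433,sa,,HASH_A
"""
FIELDS = ["time", "src", "port", "user", "password", "sample"]


def summarize(log_text, repeat_threshold=3):
    per_hour = Counter()   # hour of day -> connection count
    per_port = Counter()   # destination port -> connection count
    per_host = Counter()   # source IP -> connection count
    blank_sa = 0           # MSSQL logins as "sa" with an empty password
    sample_sources = defaultdict(set)  # sample hash -> source IPs delivering it
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        per_hour[datetime.fromisoformat(row["time"]).hour] += 1
        per_port[int(row["port"])] += 1
        per_host[row["src"]] += 1
        if row["port"] == "1433" and row["user"] == "sa" and row["password"] == "":
            blank_sa += 1
        if row["sample"]:
            sample_sources[row["sample"]].add(row["src"])
    return {
        "per_hour": dict(per_hour),
        "top_port": per_port.most_common(1)[0],
        "blank_sa_logins": blank_sa,
        "repeat_hosts": sorted(h for h, n in per_host.items() if n >= repeat_threshold),
        "shared_samples": {s: sorted(ips) for s, ips in sample_sources.items() if len(ips) > 1},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Grouping by hour of day rather than by full timestamp is what makes a recurring daily pattern visible across the two days.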
I hope to be able to publish more information from this honeypot as it seems to be active.
I started my life as an ASP classic developer and have since written code in ASP, ColdFusion, C, C++, PHP, Perl, Ruby, Python and others.
