Last Updated: 2016-03-14 08:23:10 UTC
by Xavier Mertens (Version: 1)
$ ssh -L 8443:192.168.254.10:443 email@example.com
$ ssh -D 8080 firstname.lastname@example.org
If we analyze the relations between the honeypots, sources and destinations, we see that some destinations (blue) were targeted by more than one attacker (green) connected to different honeypots (red):
- tags.tagcade.com (an ads tag management system)
Are some people trying to abuse those services? Feel free to share your findings if you have also detected this kind of activity!
To conclude: attackers are not only scanning the Internet to find vulnerable hosts and turn them into bots. They are also looking for ways to hide themselves to perform (maybe) more complex or dangerous attacks.
And keep in mind that if you allow users to SSH to systems that can access the Internet, those systems can be used to bypass the classic controls in place!
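The relation analysis described above (destinations requested by more than one source through different honeypots) can be reproduced from forwarding-request logs. The script below is an added example, not code from the diary: the log line layout, honeypot names, IP addresses, ports and the `example.*` hosts are constructed, and only the hostname tags.tagcade.com comes from the text.

```python
import re
from collections import defaultdict

# Constructed sample records (not data from the diary): one line per
# forwarding request seen by a honeypot. The line layout is an assumption.
SAMPLE_LOG = """\
2016-03-10T02:11:09Z honeypot=hp-a src=198.51.100.7 forward=tags.tagcade.com:80
2016-03-10T02:15:40Z honeypot=hp-b src=203.0.113.25 forward=tags.tagcade.com:80
2016-03-10T03:01:02Z honeypot=hp-a src=198.51.100.7 forward=mail.example.net:25
2016-03-11T10:44:51Z honeypot=hp-c src=198.51.100.7 forward=mail.example.net:25
2016-03-11T11:00:00Z honeypot=hp-c src=192.0.2.99 forward=shop.example.org:443
garbage line that does not parse
"""

# Hostnames and IPv4 destinations only; bracketed IPv6 is out of scope here.
LINE_RE = re.compile(
    r"honeypot=(?P<honeypot>\S+)\s+src=(?P<src>\S+)\s+"
    r"forward=(?P<host>[^\s:]+):(?P<port>\d{1,5})\s*$"
)

def parse_requests(text):
    """Yield (honeypot, source, destination) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or not 0 < int(m["port"]) <= 65535:
            continue  # skip malformed lines instead of failing the whole run
        yield m["honeypot"], m["src"], f'{m["host"].lower()}:{m["port"]}'

def shared_destinations(requests, min_sources=2, min_honeypots=2):
    """Destinations requested by several sources through several honeypots."""
    sources = defaultdict(set)
    honeypots = defaultdict(set)
    for honeypot, src, dst in requests:
        sources[dst].add(src)
        honeypots[dst].add(honeypot)
    return {
        dst: {"sources": sorted(sources[dst]), "honeypots": sorted(honeypots[dst])}
        for dst in sources
        if len(sources[dst]) >= min_sources and len(honeypots[dst]) >= min_honeypots
    }

if __name__ == "__main__":
    found = shared_destinations(parse_requests(SAMPLE_LOG))
    for dst, seen in sorted(found.items()):
        print(dst, seen["sources"], seen["honeypots"])
```

A destination reached by a single source through several honeypots (mail.example.net:25 in the sample) is deliberately not reported, since the point is to find targets shared by distinct sources.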
ISC Handler - Freelance Security Consultant