{"id":263,"date":"2013-01-28T05:00:47","date_gmt":"2013-01-28T05:00:47","guid":{"rendered":"http:\/\/www.randomnoun.com\/wp\/?p=263"},"modified":"2023-12-18T19:25:24","modified_gmt":"2023-12-18T19:25:24","slug":"intruder-alert","status":"publish","type":"post","link":"https:\/\/www.randomnoun.com\/wp\/2013\/01\/28\/intruder-alert\/","title":{"rendered":"Intruder alert"},"content":{"rendered":"<figure id=\"attachment_264\" aria-describedby=\"caption-attachment-264\" style=\"width: 240px\" class=\"wp-caption alignright\"><a href=\"https:\/\/www.randomnoun.com\/wp\/wp-content\/uploads\/2013\/01\/danger-will-robinson.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.randomnoun.com\/wp\/wp-content\/uploads\/2013\/01\/danger-will-robinson.png\" alt=\"Danger Will Robinson!\" width=\"240\" height=\"171\" class=\"size-full wp-image-264\" srcset=\"https:\/\/www.randomnoun.com\/wp\/wp-content\/uploads\/2013\/01\/danger-will-robinson.png 240w, https:\/\/www.randomnoun.com\/wp\/wp-content\/uploads\/2013\/01\/danger-will-robinson-140x100.png 140w\" sizes=\"auto, (max-width: 240px) 100vw, 240px\" \/><\/a><figcaption id=\"caption-attachment-264\" class=\"wp-caption-text\"><a href=\"http:\/\/www.youtube.com\/watch?v=RG0ochx16Dg\">Danger Will Robinson!<\/a><\/figcaption><\/figure>\n<p>So I&#8217;ve been running a <b>Secure shell honeypot<\/b> for about a year or so, so might as well open up the log files and see what people have been <a href=\"http:\/\/en.wikipedia.org\/wiki\/Leet\">l33ting<\/a> these days.<\/p>\n<p>For the uninitiated, or for normal people, <a href=\"http:\/\/en.wikipedia.org\/wiki\/Secure_Shell\">Secure shell (or SSH)<\/a> is the traditional method that people log in remotely to Linux (or other unix-based) servers. 
<\/p>\n<p>A <a href=\"http:\/\/en.wikipedia.org\/wiki\/Honeypot_%28computing%29\">honeypot<\/a> <b>pretends<\/b> to be a standard login server, but instead of logging into a real server, it allows would-be hackers to fairly easily guess their way into a sandbox environment, where they can be prodded and observed to see what they get up to. <\/p>\n<p>The honeypot reacts like a normal server would, logging any input that it receives, and pretends to do the sorts of things that people normally try to do when they gain unauthorised access to a computer system (i.e. the electronic equivalent of putting <a href=\"http:\/\/mashable.com\/2012\/11\/04\/nbc-hacked\/\">graffiti in the toilet stalls<\/a> and <a href=\"http:\/\/torrentfreak.com\/riaa-website-hacked-080120\/\">having their way with the photocopier<\/a>).<\/p>\n<p>And now, what with Julia Gillard <a href=\"http:\/\/www.smh.com.au\/opinion\/political-news\/911-decade-over-defence-focus-on-cyber-security-20130123-2d7jc.html\">declaring a new War on Technology<\/a> and throwing money at <a href=\"http:\/\/www.theaustralian.com.au\/national-affairs\/defence\/julia-gillard-announces-cyber-security-centre-warning-a-long-fight-lies-ahead\/story-e6frg8yo-1226559907481\">a new &#8220;cyber security centre&#8221;<\/a> (which will <b>certainly<\/b> be money well spent), it should be <b>every citizen&#8217;s prerogative<\/b> to try to see what the <b>evil commies<\/b> are getting up to on their computer networks.<\/p>\n<p>So after pretty much a <b>full day<\/b> of number-crunching and regexing the 2012 logfiles, and a second full day of fiddling about with databases and wordpress, this is what I&#8217;ve got:<\/p>\n<h2>Executive Summary<\/h2>\n<pre style=\"display:none\"><style>\r\n.hpExecSummary TH { text-align: left; }\r\n.hpExecSummary TD { text-align: right; }\r\n.hpIndent { font-style: italic; padding-left: 10px; font-weight: normal; }\r\n<\/style><\/pre>\n<table class=\"hpExecSummary\">\n<tr>\n<th>Total number of 
connections:<\/th>\n<td>143,039<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<th>Total number of unique IP addresses:<\/th>\n<td>1,488<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<th>Total number of logins:<\/th>\n<td>179,671<\/td>\n<\/tr>\n<tr>\n<th class=\"hpIndent\">(failed):<\/th>\n<td>175,020<\/td>\n<\/tr>\n<tr>\n<th class=\"hpIndent\">(succeeded):<\/th>\n<td>4,651<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<th>Total number of unique usernames:<\/th>\n<td>18,413<\/td>\n<\/tr>\n<tr>\n<th>Total number of unique passwords:<\/th>\n<td>38,010<\/td>\n<\/tr>\n<tr>\n<th>Total number of unique username\/password combinations:<\/th>\n<td>78,568<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<th>Total session time:<\/th>\n<td>65 days, 7 minutes, 51 hours, 29 seconds<\/td>\n<\/tr>\n<tr>\n<th class=\"hpIndent\">(minimum session time):<\/th>\n<td>0 seconds<\/td>\n<\/tr>\n<tr>\n<th class=\"hpIndent\">(average session time):<\/th>\n<td>39.5 seconds<\/td>\n<\/tr>\n<tr>\n<th class=\"hpIndent\">(maximum session time):<\/th>\n<td>2 days, 13 minutes, 35 hours, 27 seconds<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<th>Total number of interactive commands:<\/th>\n<td>394<\/td>\n<\/tr>\n<tr>\n<th>Total number of non-interactive commands:<\/th>\n<td>59<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<th>Total number of file transfers:<\/th>\n<td>11<\/td>\n<\/tr>\n<\/table>\n<div class=\"chartcaption\">\n&#9650; So a couple of interesting stats to start off with:<\/p>\n<ul>\n<li>I&#8217;m getting about 400 connections a day to the honeypot (the honeypot is exposed via a single public IP address)\n<li>There&#8217;s a comparatively small number of IP addresses that are connecting\n<li>About 2-3% of the login attempts are successful (I can increase this percentage if I think it&#8217;s worthwhile)\n<li>In total, about 2 months of wallclock time has been spent by 
people logged in to the honeypot\n<li>Only a dozen or so logins have attempted to download a file to the honeypot (presumably with the intention of doing nasty things to the system)\n<\/ul>\n<p>Also note that <b>everything<\/b> in the reports above and below consists of <b>unauthorised<\/b> login attempts; there&#8217;s no reason why an authorised person would attempt to log into the public-facing side of the honeypot.\n<\/div>\n<pre style=\"display:none\"><style>\r\n.tabHeader {\r\n    background: #e7dbd6;\r\n    font-size: 8pt;\r\n    width: 100%;\r\n    line-height: normal;\r\n    border-radius: 10px 10px 0 0;\r\n    margin-top: 40px;\r\n}\r\n.tabHeader1, .tabHeader1s { font-family: Arial; font-size: 14pt; color: black; font-weight: bold; margin-top: 15px; padding-left: 15px; }\r\n.tabHeader1s { padding-bottom: 5px; }\r\n.tabHeader2 { font-family: Arial; font-size: 10pt; color: #666666; font-weight: bold; text-style: italic; padding-bottom: 5px; padding-left: 15px; }\r\n.tabs {\r\n    background: url(\"\/wpf\/honey\/tab-back.gif\") repeat-x scroll right top transparent;\r\n    font-size: 8pt;\r\n    width: 100%;\r\n    line-height: normal;\r\n}\r\n.tabs UL {\r\n    list-style-type: none;\r\n    margin: 0;\r\n    padding: 0 10px 0 4px;\r\n}\r\n.tabs UL LI {\r\n    background: url(\"\/wpf\/honey\/tab-left.gif\") no-repeat scroll left top transparent;\r\n    float: left;\r\n    margin: 0;\r\n    padding: 0 0 0 4px;\r\n    list-style-type: none;\r\n}\r\n.tabs A {\r\n    background: url(\"\/wpf\/honey\/tab-right.gif\") no-repeat scroll right top transparent;\r\n    color: #776655;\r\n    display: block;\r\n    font-family: tahoma;\r\n    padding: 5px 15px 4px 6px;\r\n    text-decoration: none;\r\n    border-bottom: none;\r\n}\r\n.tabs A:hover {\r\n    color: #333333;\r\n    text-decoration: underline;\r\n    border-bottom: none;\r\n}\r\n.tabs .current {\r\n    background-image: url(\"\/wpf\/honey\/tab-on-left.gif\");\r\n}\r\n.tabs .current A {\r\n    
background-image: url(\"\/wpf\/honey\/tab-on-right.gif\");\r\n    color: #333333;\r\n    padding-bottom: 5px;\r\n    padding-right: 15px;\r\n}\r\n.outputHeader {\r\n    background-color: #ffffff;\r\n    \/*border-top: 1px solid #BBD0E5; *\/\r\n    border: 1px solid #adaa9c;\r\n    color: #003366;\r\n    font-family: Arial,Helvetica,sans-serif;\r\n    font-size: 14pt;\r\n    padding: 0 0 2px 2px;\r\n}\r\n.scrollableContainer {\r\n    \/*border-bottom: 1px dashed #CCCCCC;\r\n    border-top: 1px dashed #CCCCCC; *\/\r\n    width: 570px;\r\n    \/*height: 300px; *\/\r\n    margin: 0;\r\n    \/* overflow-y: scroll; *\/\r\n    width: 100%;\r\n}\r\ntable.pie { position: absolute; top: 0px; right: 3px; }\r\ntable.pie TD { padding: 2px 5px;  }\r\n.pie { width: auto; font-size: 8pt; font-family: Arial; line-height: normal; }\r\n.pie .c1 { text-align: left; font-weight: bold; } \/* column 1 *\/\r\n.pie .cc { text-align: right; } \/* column count *\/\r\n.pie .cp { text-align: right; } \/* column percent *\/\r\n.pie .cl { text-align: left; } \/* column location *\/\r\n.chartcaption {\r\n    border-left: 5px solid #CCCCCC;\r\n    color: #777777;\r\n    margin-bottom: 20px;\r\n    margin-left: 30px;\r\n    margin-top: 5px;\r\n    padding-left: 10px;\r\n    padding-top: 10px;\r\n}\r\n\r\n<\/style><\/pre>\n<h2>Network intrusion statistics<\/h2>\n<div class=\"tabHeader\">\n<div class=\"tabHeader1\">Connections<\/a><\/div>\n<div class=\"tabHeader2\">1) How many connections are made to my computer network over time ?<\/div>\n<\/div>\n<p>[rn-tabs id=&#8221;t1&#8243; selected=&#8221;2&#8243;]<br \/>\n[rn-tab id=&#8221;1&#8243; label=&#8221;Daily&#8221;]<img decoding=\"async\" src=\"\/wpf\/honey\/connections-daily.png\"\/>[\/rn-tab]<br \/>\n[rn-tab id=&#8221;2&#8243; label=&#8221;Weekly&#8221;]<img decoding=\"async\" src=\"\/wpf\/honey\/connections-weekly.png\"\/>[\/rn-tab]<br \/>\n[rn-tab id=&#8221;3&#8243; label=&#8221;Monthly&#8221;]<img decoding=\"async\" 
src=\"\/wpf\/honey\/connections-monthly.png\"\/>[\/rn-tab]<br \/>\n[\/rn-tabs]<\/p>\n<div class=\"chartcaption\">\n&#9650; The gaps in the connections (during February, and July-August) here are most likely due to the honeypot not running during those times. <\/p>\n<p>You can click the tabs above the graph in order to see the same statistics using different histogram intervals.\n<\/p><\/div>\n<div class=\"tabHeader\">\n<div class=\"tabHeader1\">Login attempts<\/a><\/div>\n<div class=\"tabHeader2\">2) How many (failed and successful) login attempts are made to my computer network over time ?<\/div>\n<\/div>\n<p>[rn-tabs id=&#8221;t2&#8243; selected=&#8221;2&#8243;]<br \/>\n[rn-tab id=&#8221;1&#8243; label=&#8221;Daily&#8221;]<img decoding=\"async\" src=\"\/wpf\/honey\/login-attempts-daily.png\"\/>[\/rn-tab]<br \/>\n[rn-tab id=&#8221;2&#8243; label=&#8221;Weekly&#8221;]<img decoding=\"async\" src=\"\/wpf\/honey\/login-attempts-weekly.png\"\/>[\/rn-tab]<br \/>\n[rn-tab id=&#8221;3&#8243; label=&#8221;Monthly&#8221;]<img decoding=\"async\" src=\"\/wpf\/honey\/login-attempts-monthly.png\"\/>[\/rn-tab]<br \/>\n[\/rn-tabs]<\/p>\n<div class=\"chartcaption\">\n&#9650; Login attempts closely match the connections graph. 
The spike at the beginning of the year was due to some enterprising people performing what appears to be thousands of separate login attempts over a much smaller number of connections.\n<\/div>\n<div class=\"tabHeader\">\n<div class=\"tabHeader1\">Logins<\/a><\/div>\n<div class=\"tabHeader2\">3) How many successful login attempts are made to my computer network over time ?<\/div>\n<\/div>\n<p>[rn-tabs id=&#8221;t3&#8243; selected=&#8221;2&#8243;]<br \/>\n[rn-tab id=&#8221;1&#8243; label=&#8221;Daily&#8221;]<img decoding=\"async\" src=\"\/wpf\/honey\/logins-daily.png\"\/>[\/rn-tab]<br \/>\n[rn-tab id=&#8221;2&#8243; label=&#8221;Weekly&#8221;]<img decoding=\"async\" src=\"\/wpf\/honey\/logins-weekly.png\"\/>[\/rn-tab]<br \/>\n[rn-tab id=&#8221;3&#8243; label=&#8221;Monthly&#8221;]<img decoding=\"async\" src=\"\/wpf\/honey\/logins-monthly.png\"\/>[\/rn-tab]<br \/>\n[\/rn-tabs]<\/p>\n<div class=\"chartcaption\">\n&#9650; A bit of variation here, but averaging about 300 successful logins to the honeypot every month.\n<\/div>\n<div class=\"tabHeader\">\n<div class=\"tabHeader1\">Session time<\/a><\/div>\n<div class=\"tabHeader2\">4) How long do successful login sessions last (in hours:minutes:seconds) ?<br \/>\n<span style=\"font-weight:normal;\">Long sessions are graphed at 1:00:00<\/span><\/div>\n<\/div>\n<p>[rn-tabs id=&#8221;t4&#8243; selected=&#8221;2&#8243;]<br \/>\n[rn-tab id=&#8221;1&#8243; label=&#8221;Daily&#8221;]<img decoding=\"async\" src=\"\/wpf\/honey\/session-times-daily.png\"\/>[\/rn-tab]<br \/>\n[rn-tab id=&#8221;2&#8243; label=&#8221;Weekly&#8221;]<img decoding=\"async\" src=\"\/wpf\/honey\/session-times-weekly.png\"\/>[\/rn-tab]<br \/>\n[rn-tab id=&#8221;3&#8243; label=&#8221;Monthly&#8221;]<img decoding=\"async\" src=\"\/wpf\/honey\/session-times-monthly.png\"\/>[\/rn-tab]<br \/>\n[\/rn-tabs]<\/p>\n<div class=\"chartcaption\">\n&#9650; Not sure how useful this is, but thought it would be interesting to see how long people stay logged on to the 
honeypot. Pretty much everyone has logged out within 6 minutes, except for a handful of connections that stay on for much longer. The graph above is clipped on the vertical axis at 1hr; any sessions over this time have their login time printed next to the marker\n<\/div>\n<div class=\"tabHeader\">\n<div class=\"tabHeader1\">Commands<\/a><\/div>\n<div class=\"tabHeader2\">5) How many commands are run during successful logins to my computer network ?<\/div>\n<\/div>\n<p>[rn-tabs id=&#8221;t5&#8243; selected=&#8221;2&#8243;]<br \/>\n[rn-tab id=&#8221;1&#8243; label=&#8221;Daily&#8221;]<img decoding=\"async\" src=\"\/wpf\/honey\/commands-daily.png\"\/>[\/rn-tab]<br \/>\n[rn-tab id=&#8221;2&#8243; label=&#8221;Weekly&#8221;]<img decoding=\"async\" src=\"\/wpf\/honey\/commands-weekly.png\"\/>[\/rn-tab]<br \/>\n[rn-tab id=&#8221;3&#8243; label=&#8221;Monthly&#8221;]<img decoding=\"async\" src=\"\/wpf\/honey\/commands-monthly.png\"\/>[\/rn-tab]<br \/>\n[\/rn-tabs]<\/p>\n<div class=\"chartcaption\">\n&#9650; Surprisingly few people even attempt running any commands once they gain access to the system\n<\/div>\n<div class=\"tabHeader\">\n<div class=\"tabHeader1\">File transfers<\/a><\/div>\n<div class=\"tabHeader2\">6) How many files are transferred during successful logins to my computer network ?<\/div>\n<\/div>\n<p>[rn-tabs id=&#8221;t6&#8243; selected=&#8221;2&#8243;]<br \/>\n[rn-tab id=&#8221;1&#8243; label=&#8221;Daily&#8221;]<img decoding=\"async\" src=\"\/wpf\/honey\/transfers-daily.png\"\/>[\/rn-tab]<br \/>\n[rn-tab id=&#8221;2&#8243; label=&#8221;Weekly&#8221;]<img decoding=\"async\" src=\"\/wpf\/honey\/transfers-weekly.png\"\/>[\/rn-tab]<br \/>\n[rn-tab id=&#8221;3&#8243; label=&#8221;Monthly&#8221;]<img decoding=\"async\" src=\"\/wpf\/honey\/transfers-monthly.png\"\/>[\/rn-tab]<br \/>\n[\/rn-tabs]<\/p>\n<div class=\"chartcaption\">\n&#9650; And here are the nasty people who are trying to download <a href=\"http:\/\/en.wikipedia.org\/wiki\/Malware\">malware<\/a> 
or <a href=\"http:\/\/en.wikipedia.org\/wiki\/Rootkit\">rootkit<\/a> the machine.\n<\/div>\n<p>If you&#8217;re interested in the files people are downloading, the ones I&#8217;m seeing (with server names redacted to stop you from inadvertently clicking on the things):<\/p>\n<ul>\n<li>http:\/\/lost.in.&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;.ro\/haha.tgz\n<li>http:\/\/lost.in.&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;.ro\/mata.tgz\n<li>http:\/\/raydennn.&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;.net\/pico.tgz\n<li>http:\/\/&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;.se\/wru\n<li>http:\/\/download.microsoft.com\/download\/win2000platform\/SP\/SP3\/NT5\/EN-US\/W2Ks\n<li>http:\/\/download.microsoft.com\/download\/win2000platform\/SP\/SP3\/NT5\/EN-US\/W2Ksp3.exe\n<li>http:\/\/root-arhive.&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;.am\/scanner\/gosh.jpg\n<li>http:\/\/&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;.ucoz.com\/GeekzMech,.tgz\n<li>http:\/\/www.&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;.ro\/redirecte_linux_v2.0.tar.gz\n<li>http:\/\/&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;.altervista.org\/boti.tgz\n<li>http:\/\/bucuresti.&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;.net\/R\/D\/N\/udp.pl\n<li>http:\/\/ddospower.&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;.org\/udp.pl\n<li>http:\/\/inplm.&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;.com\/p.jpg\n<li>http:\/\/copilash.&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;\/boti.tgz\n<li>http:\/\/bucuresti.&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;.net\/R\/D\/N\/ryo.tgz\n<li>http:\/\/root-arhive.&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;.ua\/emech\/emech-fast.jpg\n<li>http:\/\/&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;.ucoz.com\/nethack.jp\n<li>http:\/\/fitza.&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;.su\/sc\/33180.tar
\n<li>http:\/\/a\n<li>http:\/\/&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;&#9608;.djmixtv.net\/puffu\/gosh.tgz\n<\/ul>\n<p>which also includes a microsoft windows service pack in there, amusingly enough.<\/p>\n<p>I would check out these <code>.tar<\/code> and <code>.tgz<\/code> archives to see what&#8217;s in there, but hey&#8230; only so many hours in the day.<\/p>\n<p>\nAnd it&#8217;s always amusing to see the sorts of usernames\/passwords that people attempt to jiggle the locks with, so:<\/p>\n<h2>Top 20 Login credentials<\/h2>\n<div class=\"tabHeader\">\n<div class=\"tabHeader1s\">Login credentials<\/a><\/div>\n<\/div>\n<p>[rn-tabs id=&#8221;t7&#8243; selected=&#8221;1&#8243;]<br \/>\n[rn-tab id=&#8221;1&#8243; label=&#8221;Usernames&#8221;]<\/p>\n<div class=\"tabHeader1\">Top 20 usernames<\/a><\/div>\n<div class=\"tabHeader2\">1) What are the most-commonly supplied usernames during login attempts to my computer network ?<\/div>\n<div style=\"position:relative;\"><img decoding=\"async\" src=\"\/wpf\/honey\/top20-username.png\"\/><\/p>\n<table class=\"pie\">\n<tr>\n<td class=\"c1\">root<\/td>\n<td class=\"cc\">60513<\/td>\n<td class=\"cp\">33.680%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">test<\/td>\n<td class=\"cc\">2395<\/td>\n<td class=\"cp\">1.333%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">oracle<\/td>\n<td class=\"cc\">1484<\/td>\n<td class=\"cp\">0.826%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">admin<\/td>\n<td class=\"cc\">1441<\/td>\n<td class=\"cp\">0.802%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">www<\/td>\n<td class=\"cc\">1306<\/td>\n<td class=\"cp\">0.727%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">nagios<\/td>\n<td class=\"cc\">1160<\/td>\n<td class=\"cp\">0.646%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">bin<\/td>\n<td class=\"cc\">1153<\/td>\n<td class=\"cp\">0.642%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">mysql<\/td>\n<td class=\"cc\">1084<\/td>\n<td class=\"cp\">0.603%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">user<\/td>\n<td class=\"cc\">1062<\/td>\n<td 
class=\"cp\">0.591%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">info<\/td>\n<td class=\"cc\">970<\/td>\n<td class=\"cp\">0.540%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">support<\/td>\n<td class=\"cc\">967<\/td>\n<td class=\"cp\">0.538%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">testuser<\/td>\n<td class=\"cc\">759<\/td>\n<td class=\"cp\">0.422%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">ftpuser<\/td>\n<td class=\"cc\">744<\/td>\n<td class=\"cp\">0.414%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">webadmin<\/td>\n<td class=\"cc\">705<\/td>\n<td class=\"cp\">0.392%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">web<\/td>\n<td class=\"cc\">703<\/td>\n<td class=\"cp\">0.391%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">postgres<\/td>\n<td class=\"cc\">651<\/td>\n<td class=\"cp\">0.362%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">guest<\/td>\n<td class=\"cc\">591<\/td>\n<td class=\"cp\">0.329%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">ts<\/td>\n<td class=\"cc\">585<\/td>\n<td class=\"cp\">0.326%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">teamspeak<\/td>\n<td class=\"cc\">582<\/td>\n<td class=\"cp\">0.324%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">svn<\/td>\n<td class=\"cc\">551<\/td>\n<td class=\"cp\">0.307%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">(other)<\/td>\n<td class=\"cc\">100265<\/td>\n<td class=\"cp\">55.805%<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<p>[\/rn-tab]<br \/>\n[rn-tab id=&#8221;2&#8243; label=&#8221;Passwords&#8221;]<\/p>\n<div class=\"tabHeader1\">Top 20 passwords<\/a><\/div>\n<div class=\"tabHeader2\">2) What are the most-commonly supplied passwords during login attempts to my computer network ?<\/div>\n<div style=\"position:relative;\"><img decoding=\"async\" src=\"\/wpf\/honey\/top20-password.png\"\/><\/p>\n<table class=\"pie\">\n<tr>\n<td class=\"c1\">(nothing)<\/td>\n<td class=\"cc\">32625<\/td>\n<td class=\"cp\">18.158%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">123456<\/td>\n<td class=\"cc\">8217<\/td>\n<td class=\"cp\">4.573%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">password<\/td>\n<td class=\"cc\">4177<\/td>\n<td 
class=\"cp\">2.325%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">111111<\/td>\n<td class=\"cc\">3118<\/td>\n<td class=\"cp\">1.735%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">cacutza<\/td>\n<td class=\"cc\">2838<\/td>\n<td class=\"cp\">1.580%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">1234<\/td>\n<td class=\"cc\">2596<\/td>\n<td class=\"cp\">1.445%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">1qaz2wsx<\/td>\n<td class=\"cc\">2517<\/td>\n<td class=\"cp\">1.401%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">1q2w3e4r<\/td>\n<td class=\"cc\">2333<\/td>\n<td class=\"cp\">1.299%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">12345<\/td>\n<td class=\"cc\">2266<\/td>\n<td class=\"cp\">1.261%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">123<\/td>\n<td class=\"cc\">2160<\/td>\n<td class=\"cp\">1.202%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">abc123<\/td>\n<td class=\"cc\">1583<\/td>\n<td class=\"cp\">0.881%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">test<\/td>\n<td class=\"cc\">1409<\/td>\n<td class=\"cp\">0.784%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">1<\/td>\n<td class=\"cc\">977<\/td>\n<td class=\"cp\">0.544%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">a<\/td>\n<td class=\"cc\">871<\/td>\n<td class=\"cp\">0.485%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">12<\/td>\n<td class=\"cc\">800<\/td>\n<td class=\"cp\">0.445%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">changeme<\/td>\n<td class=\"cc\">628<\/td>\n<td class=\"cp\">0.350%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">root<\/td>\n<td class=\"cc\">625<\/td>\n<td class=\"cp\">0.348%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">qwerty<\/td>\n<td class=\"cc\">525<\/td>\n<td class=\"cp\">0.292%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">qazwsx<\/td>\n<td class=\"cc\">515<\/td>\n<td class=\"cp\">0.287%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">1234567<\/td>\n<td class=\"cc\">471<\/td>\n<td class=\"cp\">0.262%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">(other)<\/td>\n<td class=\"cc\">108420<\/td>\n<td class=\"cp\">60.344%<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<p>[\/rn-tab]<br \/>\n[rn-tab id=&#8221;3&#8243; 
label=&#8221;Username\/passwords&#8221;]<\/p>\n<div class=\"tabHeader1\">Top 20 username\/passwords<\/a><\/div>\n<div class=\"tabHeader2\">3) What are the most-commonly supplied username and password combinations during login attempts to my computer network?<\/div>\n<div style=\"position:relative;\"><img decoding=\"async\" src=\"\/wpf\/honey\/top20-username-password.png\"\/><\/p>\n<table class=\"pie\">\n<tr>\n<td class=\"c1\">root \/ (nothing)<\/td>\n<td class=\"cc\">32586<\/td>\n<td class=\"cp\">18.137%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">root \/ root<\/td>\n<td class=\"cc\">557<\/td>\n<td class=\"cp\">0.310%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">root \/ 123456<\/td>\n<td class=\"cc\">302<\/td>\n<td class=\"cp\">0.168%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">root \/ password<\/td>\n<td class=\"cc\">243<\/td>\n<td class=\"cp\">0.135%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">oracle \/ oracle<\/td>\n<td class=\"cc\">195<\/td>\n<td class=\"cp\">0.109%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">test \/ test<\/td>\n<td class=\"cc\">194<\/td>\n<td class=\"cp\">0.108%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">root \/ P@ssw0rd<\/td>\n<td class=\"cc\">163<\/td>\n<td class=\"cp\">0.091%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">root \/ 111111<\/td>\n<td class=\"cc\">159<\/td>\n<td class=\"cp\">0.089%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">root \/ qwerty<\/td>\n<td class=\"cc\">150<\/td>\n<td class=\"cp\">0.084%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">root \/ 1q2w3e<\/td>\n<td class=\"cc\">132<\/td>\n<td class=\"cp\">0.074%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">postgres \/ postgres<\/td>\n<td class=\"cc\">129<\/td>\n<td class=\"cp\">0.072%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">root \/ redhat<\/td>\n<td class=\"cc\">127<\/td>\n<td class=\"cp\">0.071%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">root \/ abc123<\/td>\n<td class=\"cc\">123<\/td>\n<td class=\"cp\">0.069%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">root \/ 1234<\/td>\n<td class=\"cc\">119<\/td>\n<td class=\"cp\">0.066%<\/td>\n<\/tr>\n<tr>\n<td 
class=\"c1\">root \/ shit<\/td>\n<td class=\"cc\">111<\/td>\n<td class=\"cp\">0.062%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">root \/ passw0rd<\/td>\n<td class=\"cc\">110<\/td>\n<td class=\"cp\">0.061%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">mysql \/ mysql<\/td>\n<td class=\"cc\">103<\/td>\n<td class=\"cp\">0.057%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">test \/ test123<\/td>\n<td class=\"cc\">94<\/td>\n<td class=\"cp\">0.052%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">root \/ abcd1234<\/td>\n<td class=\"cc\">93<\/td>\n<td class=\"cp\">0.052%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">root \/ root123<\/td>\n<td class=\"cc\">85<\/td>\n<td class=\"cp\">0.047%<\/td>\n<\/tr>\n<tr>\n<td class=\"c1\">(other)<\/td>\n<td class=\"cc\">143896<\/td>\n<td class=\"cp\">80.089%<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<p>[\/rn-tab]<br \/>\n[\/rn-tabs]<\/p>\n<div class=\"chartcaption\">\n&#9650; Nothing too surprising here. The <b>root<\/b> user is the superuser for unix machines, so if you gain access to that you&#8217;ve essentially got complete control of the system. <\/p>\n<p>The password selection here (second tab above the graph) also predominantly checks for the <a href=\"http:\/\/www.dailymail.co.uk\/sciencetech\/article-2223197\/Revealed-The-common-passwords-used-online-year-password-STILL-tops-list.html\">greatest passwords of all time<\/a><\/p>\n<p>An interesting password in the top 10 was &#8220;cacutza&#8221; coming in at number five. It&#8217;s not as popular as &#8220;password&#8221;, but more popular than &#8220;12345&#8221;. I couldn&#8217;t find anything about it on the net, but according to a Romanian friend of mine, it&#8217;s not a word but is close to some urban slang that means prostitute, little shit or a poisoning plant. 
You learn something new every day \ud83d\ude42\n<\/p><\/div>\n<h2>Top 20 IP addresses<\/h2>\n<div class=\"tabHeader\">\n<div class=\"tabHeader1s\">IP addresses<\/a><\/div>\n<\/div>\n<p>[rn-tabs id=&#8221;t8&#8243; selected=&#8221;1&#8243;]<br \/>\n[rn-tab id=&#8221;1&#8243; label=&#8221;By connection&#8221;]<\/p>\n<div class=\"tabHeader1\">Top 20 IP addresses (by connection)<\/a><\/div>\n<div class=\"tabHeader2\">4) Which IP addresses are connecting to my computer network ?<\/div>\n<div style=\"position:relative;\"><img decoding=\"async\" src=\"\/wpf\/honey\/top20-ip-connection.png\"\/><\/p>\n<table class=\"pie\">\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Beijing, China\"><\/td>\n<td class=\"c1\" title=\"(219.143.227.168)\">219.143.227.168<\/td>\n<td class=\"cc\">15336<\/td>\n<td class=\"cp\">10.721%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/us.png\" title=\"Chicago, United States\"><\/td>\n<td class=\"c1\">69.175.14.226<\/td>\n<td class=\"cc\">8433<\/td>\n<td class=\"cp\">5.895%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/us.png\" title=\"San Antonio, United States\"><\/td>\n<td class=\"c1\">184.106.247.121<\/td>\n<td class=\"cc\">7812<\/td>\n<td class=\"cp\">5.461%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Tianjin, China\"><\/td>\n<td class=\"c1\">111.161.39.241<\/td>\n<td class=\"cc\">6486<\/td>\n<td class=\"cp\">4.534%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/us.png\" title=\"Garden City, United States\"><\/td>\n<td class=\"c1\">67.55.73.7<\/td>\n<td class=\"cc\">5153<\/td>\n<td class=\"cp\">3.602%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Beijing, China\"><\/td>\n<td class=\"c1\">222.23.50.196<\/td>\n<td class=\"cc\">4912<\/td>\n<td 
class=\"cp\">3.434%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Beijing, China\"><\/td>\n<td class=\"c1\">159.226.114.188<\/td>\n<td class=\"cc\">4283<\/td>\n<td class=\"cp\">2.994%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/us.png\" title=\"Watertown, United States\"><\/td>\n<td class=\"c1\">65.116.132.231<\/td>\n<td class=\"cc\">4177<\/td>\n<td class=\"cp\">2.920%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Beijing, China\"><\/td>\n<td class=\"c1\">122.49.41.206<\/td>\n<td class=\"cc\">3602<\/td>\n<td class=\"cp\">2.518%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"China\"><\/td>\n<td class=\"c1\">220.231.57.157<\/td>\n<td class=\"cc\">3465<\/td>\n<td class=\"cp\">2.422%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Hangzhou, China\"><\/td>\n<td class=\"c1\">42.121.86.193<\/td>\n<td class=\"cc\">3144<\/td>\n<td class=\"cp\">2.198%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/in.png\" title=\"Mumbai, India\"><\/td>\n<td class=\"c1\">115.254.40.205<\/td>\n<td class=\"cc\">2863<\/td>\n<td class=\"cp\">2.002%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Jinan, China\"><\/td>\n<td class=\"c1\">123.129.222.170<\/td>\n<td class=\"cc\">2674<\/td>\n<td class=\"cp\">1.869%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/br.png\" title=\"Belo Horizonte, Brazil\"><\/td>\n<td class=\"c1\">177.43.116.178<\/td>\n<td class=\"cc\">2572<\/td>\n<td class=\"cp\">1.798%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/th.png\" title=\"Bangkok, Thailand\"><\/td>\n<td class=\"c1\">122.155.161.9<\/td>\n<td class=\"cc\">2271<\/td>\n<td 
class=\"cp\">1.588%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/in.png\" title=\"Kakinada, India\"><\/td>\n<td class=\"c1\">117.239.131.1<\/td>\n<td class=\"cc\">2161<\/td>\n<td class=\"cp\">1.511%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/hu.png\" title=\"Hungary\"><\/td>\n<td class=\"c1\">93.189.118.184<\/td>\n<td class=\"cc\">1861<\/td>\n<td class=\"cp\">1.301%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Weifang, China\"><\/td>\n<td class=\"c1\">120.192.167.22<\/td>\n<td class=\"cc\">1769<\/td>\n<td class=\"cp\">1.237%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/hk.png\" title=\"Kwun Tong, Hong Kong\"><\/td>\n<td class=\"c1\">101.78.154.120<\/td>\n<td class=\"cc\">1731<\/td>\n<td class=\"cp\">1.210%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/gb.png\" title=\"United Kingdom\"><\/td>\n<td class=\"c1\">31.222.190.113<\/td>\n<td class=\"cc\">1731<\/td>\n<td class=\"cp\">1.210%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/.png\" title=\"\"><\/td>\n<td class=\"c1\">(other)<\/td>\n<td class=\"cc\">56603<\/td>\n<td class=\"cp\">39.572%<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<p>[\/rn-tab]<br \/>\n[rn-tab id=&#8221;2&#8243; label=&#8221;by login attempt&#8221;]<\/p>\n<div class=\"tabHeader1\">Top 20 IP addresses (by login attempt)<\/a><\/div>\n<div class=\"tabHeader2\">5) Which IP addresses are attempting to log in to my computer network ?<\/div>\n<div style=\"position:relative;\"><img decoding=\"async\" src=\"\/wpf\/honey\/top20-ip-login-attempt.png\"\/><\/p>\n<table class=\"pie\">\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Beijing, China\"><\/td>\n<td class=\"c1\" title=\"(219.143.227.168)\">219.143.227.168<\/td>\n<td class=\"cc\">30421<\/td>\n<td 
class=\"cp\">16.931%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/us.png\" title=\"Chicago, United States\"><\/td>\n<td class=\"c1\" title=\"(cloud.radioking.fr)\">69.175.14.226<\/td>\n<td class=\"cc\">8392<\/td>\n<td class=\"cp\">4.671%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/us.png\" title=\"San Antonio, United States\"><\/td>\n<td class=\"c1\" title=\"(184-106-247-121.static.cloud-ips.com)\">184.106.247.121<\/td>\n<td class=\"cc\">7770<\/td>\n<td class=\"cp\">4.325%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/in.png\" title=\"Mumbai, India\"><\/td>\n<td class=\"c1\" title=\"(115.254.40.205)\">115.254.40.205<\/td>\n<td class=\"cc\">7426<\/td>\n<td class=\"cp\">4.133%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Tianjin, China\"><\/td>\n<td class=\"c1\" title=\"(dns241.online.tj.cn)\">111.161.39.241<\/td>\n<td class=\"cc\">6254<\/td>\n<td class=\"cp\">3.481%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/us.png\" title=\"Garden City, United States\"><\/td>\n<td class=\"c1\" title=\"(67.55.73.7)\">67.55.73.7<\/td>\n<td class=\"cc\">5120<\/td>\n<td class=\"cp\">2.850%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Beijing, China\"><\/td>\n<td class=\"c1\" title=\"(222.23.50.196)\">222.23.50.196<\/td>\n<td class=\"cc\">4803<\/td>\n<td class=\"cp\">2.673%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Beijing, China\"><\/td>\n<td class=\"c1\" title=\"(159.226.114.188)\">159.226.114.188<\/td>\n<td class=\"cc\">4263<\/td>\n<td class=\"cp\">2.373%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/us.png\" title=\"Watertown, United States\"><\/td>\n<td class=\"c1\" 
title=\"(65.116.132.231)\">65.116.132.231<\/td>\n<td class=\"cc\">4143<\/td>\n<td class=\"cp\">2.306%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Beijing, China\"><\/td>\n<td class=\"c1\" title=\"(122.49.41.206)\">122.49.41.206<\/td>\n<td class=\"cc\">3582<\/td>\n<td class=\"cp\">1.994%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"China\"><\/td>\n<td class=\"c1\" title=\"(220.231.57.157)\">220.231.57.157<\/td>\n<td class=\"cc\">3447<\/td>\n<td class=\"cp\">1.919%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Hangzhou, China\"><\/td>\n<td class=\"c1\" title=\"(42.121.86.193)\">42.121.86.193<\/td>\n<td class=\"cc\">3125<\/td>\n<td class=\"cp\">1.739%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Jinan, China\"><\/td>\n<td class=\"c1\" title=\"(123.129.222.170)\">123.129.222.170<\/td>\n<td class=\"cc\">2651<\/td>\n<td class=\"cp\">1.475%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/br.png\" title=\"Belo Horizonte, Brazil\"><\/td>\n<td class=\"c1\" title=\"(aliardistribuidora178.static.host.gvt.net.br)\">177.43.116.178<\/td>\n<td class=\"cc\">2555<\/td>\n<td class=\"cp\">1.422%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/th.png\" title=\"Bangkok, Thailand\"><\/td>\n<td class=\"c1\" title=\"(122.155.161.9)\">122.155.161.9<\/td>\n<td class=\"cc\">2253<\/td>\n<td class=\"cp\">1.254%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/hu.png\" title=\"Hungary\"><\/td>\n<td class=\"c1\" title=\"(93.189.118.184)\">93.189.118.184<\/td>\n<td class=\"cc\">1844<\/td>\n<td class=\"cp\">1.026%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Weifang, China\"><\/td>\n<td 
class=\"c1\" title=\"(120.192.167.22)\">120.192.167.22<\/td>\n<td class=\"cc\">1755<\/td>\n<td class=\"cp\">0.977%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/in.png\" title=\"Bangalore, India\"><\/td>\n<td class=\"c1\" title=\"(115.118.133.20.static-ttsl-hyderabad.vsnl.net.in)\">115.118.133.20<\/td>\n<td class=\"cc\">1432<\/td>\n<td class=\"cp\">0.797%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Guangzhou, China\"><\/td>\n<td class=\"c1\" title=\"(59.41.39.70)\">59.41.39.70<\/td>\n<td class=\"cc\">1401<\/td>\n<td class=\"cp\">0.780%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Beijing, China\"><\/td>\n<td class=\"c1\" title=\"(120.199.64.54)\">120.199.64.54<\/td>\n<td class=\"cc\">1331<\/td>\n<td class=\"cp\">0.741%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/.png\" title=\"\"><\/td>\n<td class=\"c1\" title=\"()\">(other)<\/td>\n<td class=\"cc\">75703<\/td>\n<td class=\"cp\">42.134%<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<p>[\/rn-tab]<br \/>\n[rn-tab id=&#8221;3&#8243; label=&#8221;by login&#8221;]<\/p>\n<div class=\"tabHeader1\">Top 20 IP addresses (by successful login attempts)<\/a><\/div>\n<div class=\"tabHeader2\">6) Which IP addresses are successfully logging in to my computer network ?<\/div>\n<div style=\"position:relative;\"><img decoding=\"async\" src=\"\/wpf\/honey\/top20-ip-login.png\"\/><\/p>\n<table class=\"pie\">\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/us.png\" title=\"Watertown, United States\"><\/td>\n<td class=\"c1\" title=\"(65.116.132.231)\">65.116.132.231<\/td>\n<td class=\"cc\">107<\/td>\n<td class=\"cp\">2.299%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Beijing, China\"><\/td>\n<td class=\"c1\" title=\"(61.236.64.56)\">61.236.64.56<\/td>\n<td 
class=\"cc\">73<\/td>\n<td class=\"cp\">1.568%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Jinan, China\"><\/td>\n<td class=\"c1\" title=\"(123.129.222.170)\">123.129.222.170<\/td>\n<td class=\"cc\">65<\/td>\n<td class=\"cp\">1.396%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/th.png\" title=\"Bangkok, Thailand\"><\/td>\n<td class=\"c1\" title=\"(202.29.239.177)\">202.29.239.177<\/td>\n<td class=\"cc\">58<\/td>\n<td class=\"cp\">1.246%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/in.png\" title=\"India\"><\/td>\n<td class=\"c1\" title=\"(117.243.250.249)\">117.243.250.249<\/td>\n<td class=\"cc\">55<\/td>\n<td class=\"cp\">1.182%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/us.png\" title=\"Garden City, United States\"><\/td>\n<td class=\"c1\" title=\"(67.55.73.7)\">67.55.73.7<\/td>\n<td class=\"cc\">55<\/td>\n<td class=\"cp\">1.182%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Beijing, China\"><\/td>\n<td class=\"c1\" title=\"(122.49.41.206)\">122.49.41.206<\/td>\n<td class=\"cc\">53<\/td>\n<td class=\"cp\">1.139%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Hangzhou, China\"><\/td>\n<td class=\"c1\" title=\"(42.121.86.193)\">42.121.86.193<\/td>\n<td class=\"cc\">50<\/td>\n<td class=\"cp\">1.074%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Tianjin, China\"><\/td>\n<td class=\"c1\" title=\"(dns241.online.tj.cn)\">111.161.39.241<\/td>\n<td class=\"cc\">45<\/td>\n<td class=\"cp\">0.967%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/ro.png\" title=\"Romania\"><\/td>\n<td class=\"c1\" title=\"(110-32-static.mxserver.ro)\">94.60.32.110<\/td>\n<td class=\"cc\">45<\/td>\n<td 
class=\"cp\">0.967%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Beijing, China\"><\/td>\n<td class=\"c1\" title=\"(183.203.9.147)\">183.203.9.147<\/td>\n<td class=\"cc\">44<\/td>\n<td class=\"cp\">0.945%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/in.png\" title=\"Mumbai, India\"><\/td>\n<td class=\"c1\" title=\"(115.254.40.205)\">115.254.40.205<\/td>\n<td class=\"cc\">43<\/td>\n<td class=\"cp\">0.924%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"China\"><\/td>\n<td class=\"c1\" title=\"(221.13.34.3)\">221.13.34.3<\/td>\n<td class=\"cc\">41<\/td>\n<td class=\"cp\">0.881%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/us.png\" title=\"Hasbrouck Heights, United States\"><\/td>\n<td class=\"c1\" title=\"(64.185.226.120)\">64.185.226.120<\/td>\n<td class=\"cc\">33<\/td>\n<td class=\"cp\">0.709%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Beijing, China\"><\/td>\n<td class=\"c1\" title=\"(114.242.87.141)\">114.242.87.141<\/td>\n<td class=\"cc\">31<\/td>\n<td class=\"cp\">0.666%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/vn.png\" title=\"Hanoi, Vietnam\"><\/td>\n<td class=\"c1\" title=\"(42.117.2.37)\">42.117.2.37<\/td>\n<td class=\"cc\">31<\/td>\n<td class=\"cp\">0.666%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Nanning, China\"><\/td>\n<td class=\"c1\" title=\"(114.118.1.153)\">114.118.1.153<\/td>\n<td class=\"cc\">30<\/td>\n<td class=\"cp\">0.645%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/th.png\" title=\"Thailand\"><\/td>\n<td class=\"c1\" title=\"(118-175-3-220.totisp.net)\">118.175.3.220<\/td>\n<td class=\"cc\">30<\/td>\n<td 
class=\"cp\">0.645%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/kr.png\" title=\"Seoul, Korea, Republic of\"><\/td>\n<td class=\"c1\" title=\"(1.234.4.10)\">1.234.4.10<\/td>\n<td class=\"cc\">30<\/td>\n<td class=\"cp\">0.645%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/tw.png\" title=\"Taiwan\"><\/td>\n<td class=\"c1\" title=\"(134-78-128-220.TWGATE-IP.twgate.net)\">220.128.78.134<\/td>\n<td class=\"cc\">29<\/td>\n<td class=\"cp\">0.623%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/hk.png\" title=\"Central District, Hong Kong\"><\/td>\n<td class=\"c1\" title=\"(153-236-136-14.38cloud.com)\">14.136.236.153<\/td>\n<td class=\"cc\">29<\/td>\n<td class=\"cp\">0.623%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/kr.png\" title=\"Ilsan, Korea, Republic of\"><\/td>\n<td class=\"c1\" title=\"(221.143.46.19)\">221.143.46.19<\/td>\n<td class=\"cc\">29<\/td>\n<td class=\"cp\">0.623%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"China\"><\/td>\n<td class=\"c1\" title=\"(142.0.135.97)\">142.0.135.97<\/td>\n<td class=\"cc\">29<\/td>\n<td class=\"cp\">0.623%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Beijing, China\"><\/td>\n<td class=\"c1\" title=\"(120.193.102.151)\">120.193.102.151<\/td>\n<td class=\"cc\">29<\/td>\n<td class=\"cp\">0.623%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Beijing, China\"><\/td>\n<td class=\"c1\" title=\"(114.113.153.243)\">114.113.153.243<\/td>\n<td class=\"cc\">29<\/td>\n<td class=\"cp\">0.623%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"China\"><\/td>\n<td class=\"c1\" title=\"(202.199.224.25)\">202.199.224.25<\/td>\n<td class=\"cc\">29<\/td>\n<td 
class=\"cp\">0.623%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/hk.png\" title=\"Hong Kong\"><\/td>\n<td class=\"c1\" title=\"(112.121.165.114)\">112.121.165.114<\/td>\n<td class=\"cc\">29<\/td>\n<td class=\"cp\">0.623%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Hangzhou, China\"><\/td>\n<td class=\"c1\" title=\"(125.210.190.191)\">125.210.190.191<\/td>\n<td class=\"cc\">29<\/td>\n<td class=\"cp\">0.623%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/.png\" title=\"\"><\/td>\n<td class=\"c1\" title=\"()\">(other)<\/td>\n<td class=\"cc\">3471<\/td>\n<td class=\"cp\">74.629%<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<p>[\/rn-tab]<br \/>\n[rn-tab id=&#8221;4&#8243; label=&#8221;by command (1)&#8221;]<\/p>\n<div class=\"tabHeader1\">Top 20 IP addresses (by interactive commands)<\/a><\/div>\n<div class=\"tabHeader2\">7) Which IP addresses are running the most interactive commands once logged in to my computer network ?<\/div>\n<div style=\"position:relative;\"><img decoding=\"async\" src=\"\/wpf\/honey\/top20-ip-interactive-command.png\"\/><\/p>\n<table class=\"pie\">\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\" title=\"Guizhou, China\"><\/td>\n<td class=\"c1\" title=\"(111.122.210.242)\">111.122.210.242<\/td>\n<td class=\"cc\">41<\/td>\n<td class=\"cp\">10.406%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/de.png\" title=\"Hamburg, Germany\"><\/td>\n<td class=\"c1\" title=\"(e182100060.adsl.alicedsl.de)\">85.182.100.60<\/td>\n<td class=\"cc\">37<\/td>\n<td class=\"cp\">9.391%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/se.png\" title=\"Storp, Sweden\"><\/td>\n<td class=\"c1\" title=\"(s83-177-25-176.cust.tele2.se)\">83.177.25.176<\/td>\n<td class=\"cc\">37<\/td>\n<td class=\"cp\">9.391%<\/td>\n<\/tr>\n<tr>\n<td 
class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/ro.png\" title=\"Romania\"><\/td>\n<td class=\"c1\" title=\"(adsl92-86-235-217.romtelecom.net)\">92.86.235.217<\/td>\n<td class=\"cc\">34<\/td>\n<td class=\"cp\">8.629%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/ro.png\" title=\"Bucharest, Romania\"><\/td>\n<td class=\"c1\" title=\"(79-115-183-120.rdsnet.ro)\">79.115.183.120<\/td>\n<td class=\"cc\">29<\/td>\n<td class=\"cp\">7.360%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/au.png\" title=\"Avalon, Australia\"><\/td>\n<td class=\"c1\" title=\"(d58-106-68-180.sbr800.nsw.optusnet.com.au)\">58.106.68.180<\/td>\n<td class=\"cc\">22<\/td>\n<td class=\"cp\">5.584%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/it.png\" title=\"Italy\"><\/td>\n<td class=\"c1\" title=\"(151.81.79.80)\">151.81.79.80<\/td>\n<td class=\"cc\">16<\/td>\n<td class=\"cp\">4.061%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/lb.png\" title=\"Beirut, Lebanon\"><\/td>\n<td class=\"c1\" title=\"(119.68.246.2)\">119.68.246.2<\/td>\n<td class=\"cc\">15<\/td>\n<td class=\"cp\">3.807%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/.png\" title=\"\"><\/td>\n<td class=\"c1\" title=\"(FILAMENT)\">192.168.0.20<\/td>\n<td class=\"cc\">14<\/td>\n<td class=\"cp\">3.553%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/it.png\" title=\"San Remo, Italy\"><\/td>\n<td class=\"c1\" title=\"(151.59.124.177)\">151.59.124.177<\/td>\n<td class=\"cc\">13<\/td>\n<td class=\"cp\">3.300%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/.png\" title=\"\"><\/td>\n<td class=\"c1\" title=\"(BNEHYP02)\">192.168.0.24<\/td>\n<td class=\"cc\">13<\/td>\n<td class=\"cp\">3.300%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" 
src=\"\/wpf\/honey\/geo\/mk.png\" title=\"Macedonia\"><\/td>\n<td class=\"c1\" title=\"(ctel-78-157-8-192.cabletel.com.mk)\">78.157.8.192<\/td>\n<td class=\"cc\">13<\/td>\n<td class=\"cp\">3.300%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/es.png\" title=\"Madrid, Spain\"><\/td>\n<td class=\"c1\" title=\"(15.pool62-36-57.dynamic.orange.es)\">62.36.57.15<\/td>\n<td class=\"cc\">9<\/td>\n<td class=\"cp\">2.284%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/mk.png\" title=\"Macedonia\"><\/td>\n<td class=\"c1\" title=\"(79.126.248.102)\">79.126.248.102<\/td>\n<td class=\"cc\">9<\/td>\n<td class=\"cp\">2.284%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/ro.png\" title=\"Romania\"><\/td>\n<td class=\"c1\" title=\"(86.35.192.135)\">86.35.192.135<\/td>\n<td class=\"cc\">8<\/td>\n<td class=\"cp\">2.031%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/.png\" title=\"\"><\/td>\n<td class=\"c1\" title=\"(localhost)\">127.0.0.1<\/td>\n<td class=\"cc\">8<\/td>\n<td class=\"cp\">2.031%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/de.png\" title=\"Hamburg, Germany\"><\/td>\n<td class=\"c1\" title=\"(216.45.54.10.zbusa.com)\">216.45.54.10<\/td>\n<td class=\"cc\">8<\/td>\n<td class=\"cp\">2.031%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/lb.png\" title=\"Lebanon\"><\/td>\n<td class=\"c1\" title=\"(89.187.216.3)\">89.187.216.3<\/td>\n<td class=\"cc\">7<\/td>\n<td class=\"cp\">1.777%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/it.png\" title=\"Italy\"><\/td>\n<td class=\"c1\" title=\"(151.58.83.98)\">151.58.83.98<\/td>\n<td class=\"cc\">7<\/td>\n<td class=\"cp\">1.777%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/it.png\" title=\"Italy\"><\/td>\n<td 
class=\"c1\" title=\"(151.57.94.75)\">151.57.94.75<\/td>\n<td class=\"cc\">6<\/td>\n<td class=\"cp\">1.523%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/.png\" title=\"\"><\/td>\n<td class=\"c1\" title=\"()\">(other)<\/td>\n<td class=\"cc\">48<\/td>\n<td class=\"cp\">12.183%<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<p>[\/rn-tab]<br \/>\n[rn-tab id=&#8221;5&#8243; label=&#8221;by command (2)&#8221;]<\/p>\n<div class=\"tabHeader1\">Top 20 IP addresses (by non-interactive commands)<\/a><\/div>\n<div class=\"tabHeader2\">8) Which IP addresses are running the most non-interactive commands once logged in to my computer network ?<\/div>\n<div style=\"position:relative;\"><img decoding=\"async\" src=\"\/wpf\/honey\/top20-ip-noninteractive-command.png\"\/><\/p>\n<table class=\"pie\">\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/in.png\" title=\"Mumbai, India\"><\/td>\n<td class=\"c1\" title=\"( 115.254.40.205)\">115.254.40.205<\/td>\n<td class=\"cc\">42<\/td>\n<td class=\"cp\">71.186%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/ch.png\" title=\"Switzerland\"><\/td>\n<td class=\"c1\" title=\"( cust.static.84-253-40-245.cybernet.ch)\">84.253.40.245<\/td>\n<td class=\"cc\">7<\/td>\n<td class=\"cp\">11.864%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/de.png\" title=\"Germany\"><\/td>\n<td class=\"c1\" title=\"( h1984613.stratoserver.net)\">85.214.101.166<\/td>\n<td class=\"cc\">6<\/td>\n<td class=\"cp\">10.170%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/it.png\" title=\"Italy\"><\/td>\n<td class=\"c1\" title=\"( 70.124.168.109.host.static.ip.kpnqwest.it)\">109.168.124.70<\/td>\n<td class=\"cc\">2<\/td>\n<td class=\"cp\">3.390%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/de.png\" title=\"Germany\"><\/td>\n<td class=\"c1\" title=\"( 
62.112.144.239)\">62.112.144.239<\/td>\n<td class=\"cc\">1<\/td>\n<td class=\"cp\">1.695%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/gb.png\" title=\"United Kingdom\"><\/td>\n<td class=\"c1\" title=\"( 109.203.105.176)\">109.203.105.176<\/td>\n<td class=\"cc\">1<\/td>\n<td class=\"cp\">1.695%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/.png\" title=\"\"><\/td>\n<td class=\"c1\" title=\"()\">(other)<\/td>\n<td class=\"cc\">0<\/td>\n<td class=\"cp\">0.000%<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<p>[\/rn-tab]<br \/>\n[\/rn-tabs]<\/p>\n<div class=\"chartcaption\">\n&#9650; <b>Hover your cursor<\/b> over the <b>IP addresses<\/b> in the legend at the right of the graphs to see a reverse DNS lookup of that IP. You can also hover over the <b>flags<\/b> to see the city\/country of that IP according to the <a href=\"http:\/\/dev.maxmind.com\/geoip\/geolite\">Free Maxmind GeoIP database<\/a>.<\/p>\n<p>I should probably point out that it&#8217;s relatively simple to proxy a login request through another machine, so it&#8217;s highly likely that the countries above aren&#8217;t a real indication of the source of the attacker. 
So remember to take that into account before you go and <a href=\"http:\/\/www.abc.net.au\/worldtoday\/content\/2004\/s1135079.htm\">declare war on them<\/a>.<\/p>\n<p>Still, it makes the charts look pretty.\n<\/p><\/div>\n<h2>Location<\/h2>\n<div class=\"tabHeader\">\n<div class=\"tabHeader1s\">Location<\/a><\/div>\n<\/div>\n<p>[rn-tabs id=&#8221;t9&#8243; selected=&#8221;2&#8243;]<br \/>\n[rn-tab id=&#8221;1&#8243; label=&#8221;Cities (by connection)&#8221;]<\/p>\n<div class=\"tabHeader1\">Top 20 cities (by connection)<\/a><\/div>\n<div class=\"tabHeader2\">9) Which cities are making connections to my computer network ?<\/div>\n<div style=\"position:relative;\"><img decoding=\"async\" src=\"\/wpf\/honey\/top20-city-connection.png\"\/><\/p>\n<table class=\"pie\">\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\"><\/td>\n<td class=\"c1\">China \/ Beijing<\/td>\n<td class=\"cc\">33331<\/td>\n<td class=\"cp\">23.301%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/us.png\"><\/td>\n<td class=\"c1\">United States \/ Chicago<\/td>\n<td class=\"cc\">8565<\/td>\n<td class=\"cp\">5.988%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/us.png\"><\/td>\n<td class=\"c1\">United States \/ San Antonio<\/td>\n<td class=\"cc\">8211<\/td>\n<td class=\"cp\">5.740%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\"><\/td>\n<td class=\"c1\">China \/ Tianjin<\/td>\n<td class=\"cc\">6696<\/td>\n<td class=\"cp\">4.681%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\"><\/td>\n<td class=\"c1\">China \/ <\/td>\n<td class=\"cc\">5360<\/td>\n<td class=\"cp\">3.747%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/us.png\"><\/td>\n<td class=\"c1\">United States \/ Garden City<\/td>\n<td class=\"cc\">5153<\/td>\n<td 
class=\"cp\">3.602%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\"><\/td>\n<td class=\"c1\">China \/ Jinan<\/td>\n<td class=\"cc\">4345<\/td>\n<td class=\"cp\">3.038%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\"><\/td>\n<td class=\"c1\">China \/ Hangzhou<\/td>\n<td class=\"cc\">4314<\/td>\n<td class=\"cp\">3.016%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/us.png\"><\/td>\n<td class=\"c1\">United States \/ Watertown<\/td>\n<td class=\"cc\">4177<\/td>\n<td class=\"cp\">2.920%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/th.png\"><\/td>\n<td class=\"c1\">Thailand \/ Bangkok<\/td>\n<td class=\"cc\">4145<\/td>\n<td class=\"cp\">2.898%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/in.png\"><\/td>\n<td class=\"c1\">India \/ Mumbai<\/td>\n<td class=\"cc\">2908<\/td>\n<td class=\"cp\">2.033%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\"><\/td>\n<td class=\"c1\">China \/ Guangzhou<\/td>\n<td class=\"cc\">2802<\/td>\n<td class=\"cp\">1.959%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/br.png\"><\/td>\n<td class=\"c1\">Brazil \/ Belo Horizonte<\/td>\n<td class=\"cc\">2572<\/td>\n<td class=\"cp\">1.798%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/kr.png\"><\/td>\n<td class=\"c1\">Korea, Republic of \/ <\/td>\n<td class=\"cc\">2478<\/td>\n<td class=\"cp\">1.732%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/kr.png\"><\/td>\n<td class=\"c1\">Korea, Republic of \/ Seoul<\/td>\n<td class=\"cc\">2179<\/td>\n<td class=\"cp\">1.523%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/in.png\"><\/td>\n<td class=\"c1\">India \/ Kakinada<\/td>\n<td 
class=\"cc\">2161<\/td>\n<td class=\"cp\">1.511%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/gb.png\"><\/td>\n<td class=\"c1\">United Kingdom \/ <\/td>\n<td class=\"cc\">2077<\/td>\n<td class=\"cp\">1.452%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/hu.png\"><\/td>\n<td class=\"c1\">Hungary \/ <\/td>\n<td class=\"cc\">1903<\/td>\n<td class=\"cp\">1.330%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\"><\/td>\n<td class=\"c1\">China \/ Weifang<\/td>\n<td class=\"cc\">1769<\/td>\n<td class=\"cp\">1.237%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/hk.png\"><\/td>\n<td class=\"c1\">Hong Kong \/ Kwun Tong<\/td>\n<td class=\"cc\">1731<\/td>\n<td class=\"cp\">1.210%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/.png\"><\/td>\n<td class=\"c1\">(other)<\/td>\n<td class=\"cc\">36163<\/td>\n<td class=\"cp\">25.282%<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<p>[\/rn-tab]<br \/>\n[rn-tab id=&#8221;2&#8243; label=&#8221;Countries (by connection)&#8221;]<\/p>\n<div class=\"tabHeader1\">Top 20 countries (by connection)<\/a><\/div>\n<div class=\"tabHeader2\">10) Which countries are making connections to my computer network ?<\/div>\n<div style=\"position:relative;\"><img decoding=\"async\" src=\"\/wpf\/honey\/top20-country-connection.png\"\/><\/p>\n<table class=\"pie\">\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/cn.png\"><\/td>\n<td class=\"c1\">China<\/td>\n<td class=\"cc\">67812<\/td>\n<td class=\"cp\">47.407%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/us.png\"><\/td>\n<td class=\"c1\">United States<\/td>\n<td class=\"cc\">29562<\/td>\n<td class=\"cp\">20.667%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/in.png\"><\/td>\n<td class=\"c1\">India<\/td>\n<td 
class=\"cc\">9363<\/td>\n<td class=\"cp\">6.546%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/kr.png\"><\/td>\n<td class=\"c1\">Korea, Republic of<\/td>\n<td class=\"cc\">5183<\/td>\n<td class=\"cp\">3.623%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/th.png\"><\/td>\n<td class=\"c1\">Thailand<\/td>\n<td class=\"cc\">4448<\/td>\n<td class=\"cp\">3.110%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/br.png\"><\/td>\n<td class=\"c1\">Brazil<\/td>\n<td class=\"cc\">3373<\/td>\n<td class=\"cp\">2.358%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/hk.png\"><\/td>\n<td class=\"c1\">Hong Kong<\/td>\n<td class=\"cc\">2487<\/td>\n<td class=\"cp\">1.739%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/ph.png\"><\/td>\n<td class=\"c1\">Philippines<\/td>\n<td class=\"cc\">2329<\/td>\n<td class=\"cp\">1.628%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/gb.png\"><\/td>\n<td class=\"c1\">United Kingdom<\/td>\n<td class=\"cc\">2086<\/td>\n<td class=\"cp\">1.458%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/hu.png\"><\/td>\n<td class=\"c1\">Hungary<\/td>\n<td class=\"cc\">1903<\/td>\n<td class=\"cp\">1.330%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/tw.png\"><\/td>\n<td class=\"c1\">Taiwan<\/td>\n<td class=\"cc\">1274<\/td>\n<td class=\"cp\">0.891%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/ca.png\"><\/td>\n<td class=\"c1\">Canada<\/td>\n<td class=\"cc\">1157<\/td>\n<td class=\"cp\">0.809%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/co.png\"><\/td>\n<td class=\"c1\">Colombia<\/td>\n<td class=\"cc\">1051<\/td>\n<td class=\"cp\">0.735%<\/td>\n<\/tr>\n<tr>\n<td 
class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/tr.png\"><\/td>\n<td class=\"c1\">Turkey<\/td>\n<td class=\"cc\">920<\/td>\n<td class=\"cp\">0.643%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/vn.png\"><\/td>\n<td class=\"c1\">Vietnam<\/td>\n<td class=\"cc\">797<\/td>\n<td class=\"cp\">0.557%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/es.png\"><\/td>\n<td class=\"c1\">Spain<\/td>\n<td class=\"cc\">764<\/td>\n<td class=\"cp\">0.534%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/ec.png\"><\/td>\n<td class=\"c1\">Ecuador<\/td>\n<td class=\"cc\">731<\/td>\n<td class=\"cp\">0.511%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/jp.png\"><\/td>\n<td class=\"c1\">Japan<\/td>\n<td class=\"cc\">682<\/td>\n<td class=\"cp\">0.477%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/sn.png\"><\/td>\n<td class=\"c1\">Senegal<\/td>\n<td class=\"cc\">665<\/td>\n<td class=\"cp\">0.465%<\/td>\n<\/tr>\n<tr>\n<td class=\"cl\"><img decoding=\"async\" src=\"\/wpf\/honey\/geo\/ru.png\"><\/td>\n<td class=\"c1\">Russian Federation<\/td>\n<td class=\"cc\">625<\/td>\n<td class=\"cp\">0.437%<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<p>[\/rn-tab]<br \/>\n[\/rn-tabs]<\/p>\n<div class=\"chartcaption\">\n&#9650; So that&#8217;s a lot of connections from China and the US then. 
Good thing that no-one in the US would ever think of <a href=\"http:\/\/news.cnet.com\/8301-1023_3-57560644-93\/revealed-nsa-targeting-domestic-computer-systems-in-secret-test\/\">proxying their requests through a server in another country<\/a>.\n<\/div>\n<p><script>\njQuery.noConflict();\nvar t1 = new TabGroup($(\"t1\"));\nvar t2 = new TabGroup($(\"t2\"));\nvar t3 = new TabGroup($(\"t3\"));\nvar t4 = new TabGroup($(\"t4\"));\nvar t5 = new TabGroup($(\"t5\"));\nvar t6 = new TabGroup($(\"t6\"));\nvar t7 = new TabGroup($(\"t7\"));\nvar t8 = new TabGroup($(\"t8\"));\nvar t9 = new TabGroup($(\"t9\"));\n<\/script><\/p>\n<p>If I had even a shred of business nous I&#8217;d throw that all into a webapp or bundle it into a <a href=\"http:\/\/en.wikipedia.org\/wiki\/Raspberry_Pi\">programmable network appliance<\/a> and get people to pay me, oh, $200 a pop for it. Leave a message in the comments section below if you&#8217;re interested, incidentally.<\/p>\n<p>Not that you can actually <b>do<\/b> that much with the information, but I guess it&#8217;s always nice to know what people are trying to do with random IP addresses out on the internet. <\/p>\n<p>Especially if it&#8217;s <i>your<\/i> random IP addresses out on the internet.<\/p>\n<p><b>Update 30\/1\/2013<\/b>: Added the bit about cacutza in the password section. <\/p>\n<p><b>Update 6\/5\/2013<\/b>: If you find this interesting, you might also want to look at another kippo analysis at <a href=\"http:\/\/blog.macuyiko.com\/2011\/03\/running-ssh-honeypot-with-kippo-lets.html\">http:\/\/blog.macuyiko.com\/2011\/03\/running-ssh-honeypot-with-kippo-lets.html<\/a> .<\/p>\n<p><b>Update 17\/12\/2023<\/b>: So apparently this is now called <a href=\"https:\/\/cowrie.readthedocs.io\/en\/latest\/index.html\">cowrie<\/a>, not kippo. Also noticed that someone else has produced some software to <a href=\"https:\/\/bruteforce.gr\/kippo-graph\/\">produce the same kinds of charts<\/a> that I&#8217;ve got above. 
At some stage I&#8217;ll rejig all this for the cowrie server I kicked off a month or two ago.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So I&#8217;ve been running a Secure shell honeypot for about a year or so, so might as well open up the log files and see what people have been l33ting these days. For the uninitiated, or for normal people, Secure shell (or SSH) is the traditional method that people log in remotely to Linux (or [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3021,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[53,52],"tags":[20,37,41],"class_list":["post-263","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-internet","category-programming","tag-honeypot","tag-security","tag-ssh"],"_links":{"self":[{"href":"https:\/\/www.randomnoun.com\/wp\/wp-json\/wp\/v2\/posts\/263","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.randomnoun.com\/wp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.randomnoun.com\/wp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.randomnoun.com\/wp\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.randomnoun.com\/wp\/wp-json\/wp\/v2\/comments?post=263"}],"version-history":[{"count":3,"href":"https:\/\/www.randomnoun.com\/wp\/wp-json\/wp\/v2\/posts\/263\/revisions"}],"predecessor-version":[{"id":3922,"href":"https:\/\/www.randomnoun.com\/wp\/wp-json\/wp\/v2\/posts\/263\/revisions\/3922"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.randomnoun.com\/wp\/wp-json\/wp\/v2\/media\/3021"}],"wp:attachment":[{"href":"https:\/\/www.randomnoun.com\/wp\/wp-json\/wp\/v2\/media?parent=263"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.randomnoun.com\/wp\/wp-json\/wp\/v2\/categories?post=263"},{"taxonomy":"post_tag","embeddable":true,"href":"http
s:\/\/www.randomnoun.com\/wp\/wp-json\/wp\/v2\/tags?post=263"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}