ADB Honeypot
I Found something realy interesting, a ADB Honeypot. I installed it one one of my servers via Docker. Than I waited for 24h. Findings after 24h After 24h i logged back into my server and locked at the log data of the honeypot. If you want to take a look: adbhoney.log I analysed the data and here are my findings. Table of connections ID IP Country ASN Connections Tot Time (s) Avg Time (s) Max Time (s) 1 103.205.XXX.XXX VN AS149137 1 45.3 45.3 45.3 2 157.10.XXX.XXX VN AS150862 3 136.2 45.4 45.5 3 198.235.XXX.XXX BE AS396982 2 0 0 0 4 139.59.XXX.XXX IN AS14061 6 2732.2 455.4 748 5 45.200.XXX.XXX NL AS50580 5 5.1 1 1 6 154.213.XXX.XXX DE AS51396 3 136.1 45.4 45.6 7 154.213.XXX.XXX DE AS51396 5 228.2 45.6 46 8 35.203.XXX.XXX GB AS396982 1 182.5 182.5 182.5 9 104.167.XXX.XXX US AS399045 5 228.3 45.7 45.8 10 115.231.XXX.XXX CN AS58461 1 20.9 20.9 20.9 11 172.169.XXX.XXX US AS8075 1 160 160 160 12 167.94.XXX.XXX DE AS398705 4 12.7 3.2 9.1 13 212.64.XXX.XXX TR AS197450 1 45.9 45.9 45.9 Analysis A total of 13 unique IPs contacted my honeypot. The first connection lasted 1h 38min and came from Vietnam. The attacker tried to download and run a script in the temp folder (/data/local/tmp/). I ran the script on virustotal and it says that the script is malware. Only 30 minutes later a new connection came from Vietnam. It also tried to download a script, but it also wanted to kill some processes based on CPU usage. The 3rd just connected and did nothing else, 2 times. The 4th IP came from India and connected 6 times but also never really did anything. The next IP came from the Netherlands and did not send anything. The next 2 IPs came from Germany and tried to download malware to my honeypot 3 times. The 8. IP came from the UK just connected and did nothing. ...