Honeypot intruders’ HTTP activity
One of my Cowrie honeypots has been configured to intercept various outbound connections, redirecting them into an INetSim honeypot offering corresponding services. When intruders think they’re making an outbound HTTPS connection, they only reach the INetSim server, where their attempts are registered and logged.
When someone successfully logs in to the Cowrie honeypot, be it a bot or a real person, they often check their network location by polling some “check my IP” URL. This is particularly useful for automated bots that call home to report where they’ve gained a foothold.
Then we have the bots that use their login shell as a bouncer towards external services. Quite a few bots think they’ve found an open SMTP relay and spew out large amounts of spam or phishing mail (all going into the /dev/null sink of INetSim).
Others again use the shell to brute-force web services, logging in to existing accounts with compromised credentials, or to create new users. The latter is particularly common with social media botnets. There are also some attempts made towards Amazon’s “address change” URL, probably to redirect deliveries.
Without further ado, below is the top 30 from the last 40 or so days of URL gathering, focusing on bots that use the HTTP POST method to submit data. I’ve made some aggregations for services using load-distributing hostnames (in this extract Omegle and Uber). I suspect the “winner” is the victim of some gift card scheme.
10795 https://deviceapi.amctheatres.com/api/token
5918 https://passport.twitch.tv/login
4768 https://www.officedepot.com/account/loginAccountSet.do
3766 https://www.walmart.com/account/electrode/api/signin
3589 https://auth.riotgames.com/token
3002 https://restmws.fuelrewards.com/fuelrewards/public/rest/v2/frnExcentus/login
2166 https://frontX.omegle.com/start
1862 https://cn-NNNN.uber.com/rt/silk-screen/submit-form
1801 https://account-public-service-prod.ol.epicgames.com/account/api/oauth/token
1746 https://cn-NNNN.uber.com/rt/silk-screen/partner-submit-form
1558 https://api.mobile.walmart.com/v4/mauth/get-token
667 https://ofxdc.wellsfargo.com/ofx/process.ofx
635 https://services.chipotle.com/auth/v1/customerAuth/login
589 https://apisd.ebay.com/identity/v1/device/application/register
351 https://auth.np.ac.playstation.net/np/auth
316 https://device-api.urbanairship.com/api/channels/
200 https://account-public-service-prod03.ol.epicgames.com/account/api/oauth/token
167 https://www.amazon.com/gp/delivery/ajax/address-change.html
127 https://www.netflix.com/Login
106 https://cpa-api.kyivstar.ua/api/gateway/public/send
103 https://steamcommunity.com/login/getrsakey/
96 https://www.netflix.com/login
89 https://www.netflix.com/redeem
86 https://www.instagram.com/accounts/web_create_ajax/attempt/
79 https://graph.instagram.com/logging_client_events
75 https://www.dooney.com/account
70 https://api.coinbase.com/v2/mobile/users
68 https://discordapp.com/api/v6/auth/register
52 https://authserver.mojang.com/authenticate
45 https://bank.bbt.com/auth/pwd.tb
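As an added example (not the post’s own tooling), here is the kind of aggregation step described above: counting POST URLs captured from the redirected HTTPS traffic and collapsing load-distributing hostnames such as frontX.omegle.com and cn-NNNN.uber.com into one entry. The log line format (“METHOD URL” per line) and the hostname patterns are assumptions; the sample lines are constructed, not real INetSim output.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in an assumed "<METHOD> <URL>" format; the real
# capture would be parsed out of the INetSim HTTP logs instead.
SAMPLE_LOG = """\
POST https://front3.omegle.com/start
POST https://front12.omegle.com/start
GET https://ifconfig.me/
POST https://cn-geo1.uber.com/rt/silk-screen/submit-form
POST https://cn-dc2.uber.com/rt/silk-screen/submit-form
POST https://passport.twitch.tv/login
POST https://passport.twitch.tv/login?redirect=home
GET https://www.amazon.com/
"""

# Hostname normalisation rules (assumed patterns) for services that spread
# requests over numbered/regional hosts, so they aggregate to one line.
NORMALISE = [
    (re.compile(r"^front\d+\.omegle\.com$"), "frontX.omegle.com"),
    (re.compile(r"^cn-[^.]+\.uber\.com$"), "cn-NNNN.uber.com"),
]


def normalise_host(host):
    """Map a load-distributing hostname onto its aggregate label."""
    for pattern, label in NORMALISE:
        if pattern.match(host):
            return label
    return host


def aggregate_posts(log_text, method="POST"):
    """Count scheme://host/path per request of the given method.

    Query strings are dropped so that the same endpoint is counted once
    regardless of per-request parameters."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] != method:
            continue
        url = urlsplit(parts[1])
        host = normalise_host(url.hostname or "")
        counts[f"{url.scheme}://{host}{url.path}"] += 1
    return counts


def top_n(log_text, n=30):
    """Return the n most frequently POSTed endpoints as (url, count)."""
    return aggregate_posts(log_text).most_common(n)


if __name__ == "__main__":
    for url, count in top_n(SAMPLE_LOG):
        print(f"{count} {url}")
```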