2009
07.15
07.15
利用 Nepenthes 收集资料好几天了,现在分享一些简单数据。因为我只用了一台机器,当然不能代表银行、企业及有价值名望的伺服器,但这可会是你电脑每天正在面对的。记住,我从来没有公开蜜罐地址,所以所有外来连线均是恶意的。
** Most Attacks Region ** [ Russian Federation] has 57 attacks on you. [ Taiwan] has 36 attacks on you. [ Brazil] has 32 attacks on you. [ Germany] has 21 attacks on you. [ United States] has 20 attacks on you. [ Italy] has 16 attacks on you. [ Romania] has 15 attacks on you. [ United Kingdom] has 14 attacks on you. [ Korea, Republic of] has 13 attacks on you. [ India] has 11 attacks on you. [ Poland] has 10 attacks on you. [ Philippines] has 10 attacks on you. [ Japan] has 10 attacks on you. [ Canada] has 9 attacks on you. [ Bulgaria] has 9 attacks on you. [ Hungary] has 8 attacks on you. [ Malaysia] has 8 attacks on you. [ France] has 6 attacks on you. [ Argentina] has 6 attacks on you. [ China] has 6 attacks on you.
这是 七月十二日二零零九年。
俄罗斯的殭尸电脑数量可谓 生化危机裡一样!居然一星期裡多次压倒性击到排行第二的地区。下一位,竟然是台湾(我真的没预想到)。下一个就是巴西,这个倒是很容易猜因为微软的第5份 SIR 裡的地区性有提到。下一个是德国呢,有点不可思议,有别于 Microsoft SIR 5th 裡的数据。总之,这还是不能用来概括世界的。
谨记,网络地址 (IP Address) 无边界。
** Most Visited Ports ** [ 445] : 385 [ 135] : 39 [ 139] : 7 [ 25] : 1
Port 445 和 Port 135 最多访客。似乎是:
Port 445 – MS04-011, 详看 http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Port 135 -MS03-026, 又名 Blaster 暴风, 详看 http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
我还在分析这堆杂乱的数据,但以上是现在能分享的。
(7/16/2009 改过了题目,你可以看这里第一篇。)
===
Reference / 參考 / 参考 / さんこう / Referencia / Referenz / Справка :
Microsoft Security Intelligence Report volume 5
Zombie Computer – Wikipedia
殭屍電腦 – 維基百科
** Most Visited Ports ** [ 445] : 385 [ 135] : 39 [ 139] : 7 [ 25] : 1
English
I thought China should have a bigger portion.
BTW, it is a Windows box? or a *nux box?
I prefer the attacker should at least look at what your OS is before performing the attack. Or we can somehow give fake information on this?
@.hac
Linux. (Check out story 1)
>> I thought China should have a bigger portion.
It is not a generalized view of the reality, but a PC’s view. So you can’t generalize, especially from just 1 day’s log I showed.
>> I prefer the attacker should at least look at what your OS is before performing the attack.
Attack is not a human, it’s a program. Most programs (even manual programs) do a “fire and forget” attack.
>> Or we can somehow give fake information on this?
It is possible to fake OS but I think it has to be done in kernel side, since the TCP stack has to be emulated. You can look into Sebek by Honeynet team.