Honeypot study: Unsecured database simulation attacked 18x per day on average


Now there’s proof that every random minute counts when a database is left unsecured on the web. In fact, a recent Comparitech experiment led by researcher Bob Diachenko found that hackers attacked a simulation of an unsecured database an average of 18 times per day.

In a June 10 blog post, Comparitech Privacy Advocate Paul Bischoff describes typical scenarios of how unauthorized third parties discover, access and even modify exposed data without a password or other authentication, thus risking user privacy and security.

The security firm last month set up a honeypot to find out how quickly attackers would hit an Elasticsearch cloud server containing a bogus database with fake data inside, and it subsequently found 175 attacks in eight hours after deployment. The first attack on the decoy occurred just eight hours and 35 minutes after being available for the taking.

Comparitech left the exposed data from May 11 until May 22. The most attacks in one day totaled 22. Additionally, a trend emerged: many hackers use an internet-of-things (IoT) search engines like or BinaryEdge to find potential destinations.

“Within just one minute of being indexed by Shodan, two attacks took place,” Bischoff wrote. “It’s worth nothing that over three dozen attacks occurred before the database was even indexed by search engines, demonstrating how many attackers rely on their own proactive scanning tools rather than waiting on passive IoT search engines like Shodan to crawl vulnerable databases."

On May 29, the honeypot was hit with a malicious bot seeking a ransom, but not before deleting the database’s contents. Still the hacker left a threatening message that the data will be leaked or sold if payment demands weren’t met, as well as contact information and directions as to where to send the payment. 

One Dutch attacker within five seconds extracted the data by using GET methods to obtain index information.

Comparitech ascertained that the most number of attacks originated in the U.S. with 89, followed by Romania (38), and China (15), although the security firm admitted that IP addresses often are faked. However, researchers were able to find out that the majority of requests aimed to get information about the status of the database and its settings.

  • 147 attacks used the GET request method
  • 24 attacks used the POST method, which was particularly popular for attacks originating in China
  • One attack used the PUT method with the intent to change the server configuration
  • One attack used the OPTIONS method to get information about the connection
  • One attack used the HEAD method to get the headers of requests without receiving the responses

Attackers weren’t just interested in stealing data,” Bischoff noted. “Some wanted to hijack servers to mine cryptocurrency, steal passwords, and destroy data.”

A remote code execution exploit placed on Elasticsearch servers tried to install a cryptomining script to gain access to java functions, and then download the bash script miner using a wget command.

While attacks came from different IP addresses, the script’s download source was always the same by using two requests: one with source code and one that had been obfuscated.

Credential theft came by way of targeting passwords contained within the server’s /etc/passwd file, exploiting the same vulnerability as the cryptominer attack plus another path traversal vulnerability.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.