Know Your Enemy: Containing Conficker

Written by Anthony C. Salazar
Wednesday, 01 April 2009

The Honeynet Project released a new KYE whitepaper titled "Know Your Enemy: Containing Conficker", authored by Tillmann Werner and Felix Leder. The paper gives technical details about the Conficker (a.k.a. Win32.Kido) worm and information about detecting and removing this malware. The researchers have also developed software tools for all the mitigation methods described in the paper. The tools are available for download from http://iv.cs.uni-bonn.de/conficker.

RP 6th Highest in Internet Attacks in 20 nation study

Written by Mark Ryan Talabis
Monday, 31 July 2006

We would like to present the 2006 Philippine internet security statistics based on the data collected through the joint Leurre.com - Philippine Honeynet Project endeavor.
What follows are the highlights of the findings for the past year, 2006:
- The Philippines had the 6th highest internet attacks among the 20 partner nations with an average of 336.2 attacks per day per sensor
- From a local perspective, the majority of attacks directed at the Philippines were local attacks, meaning they came from the Philippines itself (31.96 attacks/day/sensor). These were followed closely by attacks coming from China, Malaysia, Japan, Korea and the United States.
- From a worldwide perspective, sensors in other countries detected just a small percentage of attacks coming from the Philippines (0.61 attacks/day/sensor). The majority of the attacks monitored came from the United States and China.
- The top ports or services attacked on the Philippine sensors were:
  - 445 - Microsoft Directory Services
  - 135 - DCOM Service Control Manager
  - 139 - NETBIOS Session Service
  - 1433 - Microsoft-SQL-Server
  - 80 - World Wide Web HTTP

  Note that most of these ports, except probably for port 80, are ports usually used exclusively by Windows services.
- Philippine-directed attacks were highest starting from 3 PM and were maintained at a constant rate until midnight. Attacks were lowest between 2 and 6 AM.
- Most attacks are coming from or are staged from Windows machines, particularly Windows 2000 and XP machines. This could indicate higher botnet, malware or worm activity from Windows machines, probably because of its larger deployment around the world.
- Attacks were highest in the last quarter of the year, particularly in October and November, consistent with last year's report.
The full report with the supporting data can be downloaded here

Last Updated ( Friday, 29 August 2008 )

Philippine Internet Security Monitor 1Q 2006

Written by Mark Ryan Talabis
Wednesday, 29 March 2006

The Philippine Honeynet Project is proud to announce the release of the 2nd Philippine Internet Security Monitor. This report encompasses the first quarter of 2006. The highlights are as follows:
- Average daily internet-based attacks went down in the first part of 2006 (33 attacks per computer) compared to the previous quarter (60 attacks per computer).
- Attacks typically rise in the middle of the week (Tuesdays and Wednesdays) and decline at the tail end of the week.
- Attacks are more prevalent in the evenings, at around 6 to 9 PM.
- Combined attacks from China (CN & HK) make up the bulk of the attacks directed towards RP with the United States coming in at a close second. There was a noticeable drop of attacks coming from local sources (Philippines).
- Data indicates that more attacks are directed towards Linux systems as compared to Microsoft Windows systems.
- Web applications are still the most common targets of malicious activity.
- The most commonly targeted applications are Awstats, XMLRPC, PHPBB, Mambo, WebCalendar, and PostNuke.
- The most common types of web-based attack vectors are cross-site scripting, file inclusion and SQL injection attacks.
- There has also been an indication of growing attacks targeting Cisco routers.
- There was a spike in IE-based exploits and sendmail exploits in the latter part of the quarter.
- Though worm activity still makes up the most serious security threats, we have also seen an increase in overall manual hacker activity with corresponding trojan and backdoor exploits.
- A proliferation of Remote Administration Tools (RATs), trojans and backdoors has been apparent in the past quarter, particularly easily available web-based backdoors like "Defacing Tool 2.0 by r3v3ng4ns".
- Reconnaissance still makes up the highest activity type. This can be attributed to worm, proxy, SMTP and FTP scanning activities.
- Most commonly attacked ports are: 80, 42, 21, 25, and 1900.
The full report can be accessed at this link:

© 2008 Philippine Honeynet Project