【ハニーポット簡易分析】Honeypot簡易分析(312日目:6/25)

Honeypot簡易分析(312日目:6/25)となります。

◾️Honeytrap

※80ポートは除く

＜国別検知数および検知数＞

f:id:one-chick-sec:20190627183336p:plain

＜ポート検知数（30日平均比）＞

ポート番号	サービス	件数	件数差(30日平均)
445	smb	4043	408
23	telnet	1640	171
3424	Unknown	959	943
5900	vnc	500	-4477
13380	Unknown	102	100
3333	dec-notes	100	74
3352	ssql	100	87
33940	Unknown	100	96
33963	Unknown	100	96
3371	Unknown	99	97

＜新規マルウェアダウンロード＞

マルウェア	ペイロード例
hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl	POST /tmUnblock.cgi HTTP/1.1
lsd[.]systemten[.]org	PUT /fileserver/go.txt HTTP/1.1
178[.]62[.]114[.]122	POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
hxxp:/\/185[.]172[.]110[.]226/lmaoWTF/Jaws[.]sh	GET /shell?
103[.]83[.]157[.]41	POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
hxxp://185[.]244[.]25[.]241/k	CNXN............M....
hxxp:/\/185[.]244[.]25[.]241/b/arm7	GET /shell
hxxp://87[.]120[.]254[.]184/curl1	CNXN............M....
89[.]190[.]159[.]189	POST /ctrlt/DeviceUpgrade_1 HTTP/1.1

◾️WoWHoneeypot

＜国別検知数および検知数＞

f:id:one-chick-sec:20190627184129p:plain

一部増加していますが、phpmyadminの調査行為を多く検知していることが原因です。
＜検知パス一覧＞

path	target	CVE	reference	count
/	-	-	-	30
/admin/assets/js/views/login.js	FreePBX	-	https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743	24
/HNAP1/	D-Link DIR-850L	CVE-2015-2051	https://www.morihi-soc.net/?p=981	1
/admin/	-	-	-	1
/blog//	WordPress	-	-	1
/blog//wp-json/wp/v2/users/	WordPress	-	-	1
/blog/wp-login.php	WordPress	-	-	1
/dbadmin/	phpMyAdmin	-	-	1
/forum//	WordPress	-	-	1
/forum//wp-json/wp/v2/users/	WordPress	-	-	1
/forum/wp-login.php	WordPress	-	-	1
/main.php	-	-	-	1
/myadmin/	phpMyAdmin	-	-	1
/phpMyAdmin/	phpMyAdmin	-	-	1
/phpmyadmin	phpMyAdmin	-	-	1
/phpmyadmin/	phpMyAdmin	-	-	1
/pma/	phpMyAdmin	-	-	1
/wp//	WordPress	-	-	1
/wp//wp-json/wp/v2/users/	WordPress	-	-	1
/wp/wp-login.php	WordPress	-	-	1

＜新規検知パス一覧＞

path	target	CVE	reference
/Login.htm	-	-	-
/PMA/	PhpMyAdmin	-	-
/PMA2005/	PhpMyAdmin	-	-
/SQLite/main.php	SQLiteManager	-	-
/SQLiteManager-1.2.4/main.php	SQLiteManager	-	-
/SQLiteManager/main.php	SQLiteManager	-	-
/SQlite/main.php	SQLiteManager	-	-
/agSearch/SQlite/main.php	SQLiteManager	-	-
/hudson/script	Unknown	-	-
/mysql-admin/	PhpMyAdmin	-	-
/mysql/	PhpMyAdmin	-	-
/mysqladmin/	PhpMyAdmin	-	-
/mysqlmanager/	PhpMyAdmin	-	-
/nagiosxi/images/loginsplash.png	PhpMyAdmin	-	-
/openserver/phpmyadmin/	PhpMyAdmin	-	-
/p/m/a/	PhpMyAdmin	-	-
/php-my-admin/	PhpMyAdmin	-	-
/php-myadmin/	PhpMyAdmin	-	-
/phpMyAdmin-2.2.3/	PhpMyAdmin	-	-
/phpMyAdmin-2.2.6/	PhpMyAdmin	-	-
/phpMyAdmin-2.5.1/	PhpMyAdmin	-	-
/phpMyAdmin-2.5.4/	PhpMyAdmin	-	-
/phpMyAdmin-2.5.5-pl1/	PhpMyAdmin	-	-
/phpMyAdmin-2.5.5-rc1/	PhpMyAdmin	-	-
/phpMyAdmin-2.5.5-rc2/	PhpMyAdmin	-	-
/phpMyAdmin-2.5.5/	PhpMyAdmin	-	-
/phpMyAdmin-2.5.6-rc1/	PhpMyAdmin	-	-
/phpMyAdmin-2.5.6-rc2/	PhpMyAdmin	-	-
/phpMyAdmin-2.5.6/	PhpMyAdmin	-	-
/phpMyAdmin-2.5.7-pl1/	PhpMyAdmin	-	-
/phpMyAdmin-2.5.7/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.0-alpha/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.0-alpha2/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.0-beta1/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.0-beta2/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.0-pl1/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.0-pl2/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.0-pl3/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.0-rc1/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.0-rc2/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.0-rc3/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.0/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.1-pl1/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.1-pl2/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.1-pl3/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.1-rc1/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.1-rc2/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.1/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.2-beta1/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.2-pl1/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.2-rc1/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.2/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.3-pl1/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.3-rc1/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.3/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.4-pl1/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.4-pl2/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.4-pl3/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.4-pl4/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.4-rc1/	PhpMyAdmin	-	-
/phpMyAdmin-2.6.4/	PhpMyAdmin	-	-
/phpMyAdmin-2.7.0-beta1/	PhpMyAdmin	-	-
/phpMyAdmin-2.7.0-pl1/	PhpMyAdmin	-	-
/phpMyAdmin-2.7.0-pl2/	PhpMyAdmin	-	-
/phpMyAdmin-2.7.0-rc1/	PhpMyAdmin	-	-
/phpMyAdmin-2.7.0/	PhpMyAdmin	-	-
/phpMyAdmin-2.8.0-beta1/	PhpMyAdmin	-	-
/phpMyAdmin-2.8.0-rc1/	PhpMyAdmin	-	-
/phpMyAdmin-2.8.0-rc2/	PhpMyAdmin	-	-
/phpMyAdmin-2.8.0.1/	PhpMyAdmin	-	-
/phpMyAdmin-2.8.0.2/	PhpMyAdmin	-	-
/phpMyAdmin-2.8.0.3/	PhpMyAdmin	-	-
/phpMyAdmin-2.8.0.4/	PhpMyAdmin	-	-
/phpMyAdmin-2.8.0/	PhpMyAdmin	-	-
/phpMyAdmin-2.8.1-rc1/	PhpMyAdmin	-	-
/phpMyAdmin-2.8.1/	PhpMyAdmin	-	-
/phpMyAdmin-2.8.2/	PhpMyAdmin	-	-
/phpMyAdmin-2/	PhpMyAdmin	-	-
/phpMyAdmin2/	PhpMyAdmin	-	-
/phpmanager/	PhpMyAdmin	-	-
/phpmy-admin/	PhpMyAdmin	-	-
/phpmyadmin2/	PhpMyAdmin	-	-
/pma2005/	PhpMyAdmin	-	-
/script	-	-	-
/sqlite/main.php	SQLiteManager	-	-
/sqlitemanager/main.php	SQLiteManager	-	-
/sqlmanager/	SQLiteManager	-	-
/sqlweb/	SQL	-	-
/systemInfo	Unknown	-	-
/test/sqlite/SQLiteManager-1.2.0/SQLiteManager-1.2.0/main.php	SQLiteManager	-	-
/webadmin/	SQL	-	-
/webdb/	SQL	-	-
/websql/	SQL	-	-

新規ログはphpmyadminの調査行為を主に検知していました。

＜マルウェアダウンロード＞
なし

以上となります。

sec-chick Blog

サイバーセキュリティブログ

【ハニーポット簡易分析】Honeypot簡易分析(312日目:6/25)