sec-chick Blog

Cybersecurity blog

[Honeypot quick analysis] Honeypot quick analysis (Day 326: 7/11)

This is the [Honeypot quick analysis] Honeypot quick analysis for day 326 (7/11).

◾️Honeytrap
※ Port 80 is excluded.
<Detections by country and detection counts>

[chart image omitted]

<Detections by port (compared with the 30-day average)>

| Port | Service | Count | Difference from 30-day average |
|---|---|---|---|
| 445 | smb | 4001 | 575 |
| 23 | telnet | 1749 | 533 |
| 5900 | vnc | 611 | 73 |
| 11022 | Unknown | 233 | 232 |
| 2323 | telnet | 207 | 117 |
| 8080 | proxy | 161 | 129 |
| 3306 | mysql | 91 | -76 |
| 3389 | rdp | 78 | -75 |
| 175 | vmnet | 72 | 72 |
| 81 | hosts2-ns | 70 | 38 |
<New malware downloads>

| Malware download | Payload (example) |
|---|---|
| hxxp://89[.]190[.]159[.]178/lovely | GET /shell?cd%20/tmp;wget |
| hxxp://fbihere[.]web2tor[.]cf/love | POST /UD/?9 HTTP/1.1 |
| 142[.]11[.]240[.]29 | POST /ctrlt/DeviceUpgrade_1 HTTP/1.1 |
| hxxp://198[.]46[.]202[.]162/kr | POST /picsdesc.xml HTTP/1.1 |

As usual, Mirai/Gafgyt-family malware accounts for most of what was downloaded.

◾️WOWHoneypot
<Detections by country and detection counts>

[chart image omitted]


<Detected paths>

| Path | Target | CVE | Reference | Count |
|---|---|---|---|---|
| /admin/assets/js/views/login.js | FreePBX | - | https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 | 20 |
| / | - | - | - | 17 |
| hxxp://110[.]249.212.46/testget | Unauthorized Relay | - | - | 8 |
| /index.php | - | - | - | 3 |
| /phpmyadmin/index.php | phpMyAdmin | - | - | 3 |
| /robots.txt | - | - | - | 2 |
| /MyAdmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
| /manager/html | Tomcat | - | - | 1 |
| /myadmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
| /phpMyAdmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
| /phpmyadmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
| /pma/scripts/setup.php | phpMyAdmin | - | - | 1 |
| /user/login.html | Unknown | - | - | 1 |
| /w00tw00t.at.blackhats.romanian.anti-sec:) | phpMyAdmin | - | - | 1 |
<Newly detected paths>
/myadmin/scripts/setup.php
/phpMyAdmin/scripts/setup.php
/phpmyadmin/scripts/setup.php
/pma/scripts/setup.php
→ All of these look like reconnaissance for phpMyAdmin installations.

<Malware downloads>
None
<Logs under test (Suricata)>

| alert.category | alert.signature | count |
|---|---|---|
| Generic Protocol Command Decode | SURICATA STREAM Packet with broken ack | 2366 |
| Not Suspicious Traffic | ET INFO Potentially unsafe SMBv1 protocol in use | 1218 |
| Generic Protocol Command Decode | SURICATA STREAM 3way handshake SYNACK resend with different ack | 1088 |
| Generic Protocol Command Decode | SURICATA IPv4 padding required | 691 |
| Potentially Bad Traffic | GPL SCAN loopback traffic | 691 |
| Generic Protocol Command Decode | SURICATA STREAM 3way handshake SYN resend different seq on SYN recv | 437 |
| Generic Protocol Command Decode | SURICATA HTTP missing Host header | 190 |
| Generic Protocol Command Decode | SURICATA STREAM ESTABLISHED SYNACK resend with different ACK | 150 |
| Generic Protocol Command Decode | SURICATA STREAM FIN recv but no session | 143 |
| Generic Protocol Command Decode | SURICATA STREAM ESTABLISHED SYN resend with different seq | 136 |
| Misc activity | ET POLICY SSH Client Banner Detected on Unusual Port | 106 |
| Misc activity | ET POLICY SSH session in progress on Unusual Port | 104 |
| Misc activity | GPL ICMP_INFO Destination Unreachable Communication with Destination Host is Administratively Prohibited | 97 |
| Generic Protocol Command Decode | SURICATA STREAM Packet with invalid timestamp | 85 |
| Generic Protocol Command Decode | SURICATA STREAM RST recv but no session | 75 |
| Generic Protocol Command Decode | SURICATA STREAM Packet with invalid ack | 66 |
| Generic Protocol Command Decode | SURICATA ICMPv4 unknown code | 64 |
| Generic Protocol Command Decode | SURICATA STREAM ESTABLISHED invalid ack | 64 |
| Generic Protocol Command Decode | SURICATA STREAM ESTABLISHED SYNACK resend | 55 |
| Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction | 33 |
| Generic Protocol Command Decode | SURICATA TLS invalid record type | 24 |
| Generic Protocol Command Decode | SURICATA TLS invalid record/traffic | 24 |
| Generic Protocol Command Decode | SURICATA Applayer Mismatch protocol both directions | 18 |
| Generic Protocol Command Decode | SURICATA TCPv4 invalid checksum | 16 |
| Generic Protocol Command Decode | SURICATA zero length padN option | 16 |
| Generic Protocol Command Decode | SURICATA STREAM FIN out of window | 8 |
| Generic Protocol Command Decode | SURICATA STREAM TIMEWAIT ACK with wrong seq | 8 |
| Generic Protocol Command Decode | SURICATA SMTP no server welcome message | 7 |
| Generic Protocol Command Decode | SURICATA STREAM 3way handshake SYNACK with wrong ack | 6 |
| Potentially Bad Traffic | ET POLICY Tunneled RDP msts Handshake | 6 |
| Generic Protocol Command Decode | SURICATA TCP option invalid length | 5 |
| Generic Protocol Command Decode | SURICATA Applayer Wrong direction first Data | 4 |
| Generic Protocol Command Decode | SURICATA STREAM 3way handshake wrong seq wrong ack | 4 |
| Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions | 4 |
| Generic Protocol Command Decode | SURICATA TLS error message encountered | 4 |
| Generic Protocol Command Decode | SURICATA TLS handshake invalid length | 4 |
| Attempted Administrator Privilege Gain | ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound | 2 |
| Generic Protocol Command Decode | SURICATA HTTP unable to match response to request | 2 |
| Generic Protocol Command Decode | SURICATA STREAM SHUTDOWN RST invalid ack | 2 |
| Generic Protocol Command Decode | SURICATA STREAM bad window update | 2 |
| Misc activity | ET INFO Cisco Smart Install Protocol Observed | 2 |
| Generic Protocol Command Decode | SURICATA HTTP Host header invalid | 1 |
| Generic Protocol Command Decode | SURICATA STREAM Last ACK with wrong seq | 1 |
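As an added example (not code from the original post), the following Python builds the alert.category / alert.signature / count summary above from Suricata eve.json output; the log records are constructed samples, non-alert events and unparsable lines are skipped, and only the standard eve.json field names (event_type, alert.category, alert.signature) are assumed.

```python
import json
from collections import Counter

# Constructed sample of Suricata eve.json records (not real honeypot data);
# only the fields used below are included.
SAMPLE_EVE_LINES = """\
{"timestamp":"2019-07-11T00:01:02+0900","event_type":"alert","src_ip":"192.0.2.10","dest_port":445,"alert":{"category":"Not Suspicious Traffic","signature":"ET INFO Potentially unsafe SMBv1 protocol in use"}}
{"timestamp":"2019-07-11T00:01:03+0900","event_type":"alert","src_ip":"192.0.2.11","dest_port":23,"alert":{"category":"Generic Protocol Command Decode","signature":"SURICATA STREAM Packet with broken ack"}}
{"timestamp":"2019-07-11T00:01:04+0900","event_type":"flow","src_ip":"192.0.2.11","dest_port":23}
{"timestamp":"2019-07-11T00:01:05+0900","event_type":"alert","src_ip":"192.0.2.12","dest_port":445,"alert":{"category":"Not Suspicious Traffic","signature":"ET INFO Potentially unsafe SMBv1 protocol in use"}}
this line is not json
{"timestamp":"2019-07-11T00:01:06+0900","event_type":"alert","src_ip":"192.0.2.13","dest_port":80,"alert":{"category":"Generic Protocol Command Decode","signature":"SURICATA STREAM Packet with broken ack"}}
{"timestamp":"2019-07-11T00:01:07+0900","event_type":"alert","src_ip":"192.0.2.13","dest_port":2323,"alert":{"category":"Attempted Administrator Privilege Gain","signature":"ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound"}}
"""

def summarize_alerts(lines):
    """Count alert records by (category, signature), like the table above.
    Returns (rows, skipped): rows are (category, signature, count) tuples
    sorted by count descending, then by name; skipped counts bad lines."""
    counts = Counter()
    skipped = 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1          # keep going; one bad line must not drop the report
            continue
        if rec.get("event_type") != "alert":
            continue              # flow, dns, http, ... records are not counted
        alert = rec.get("alert", {})
        key = (alert.get("category", "(none)"), alert.get("signature", "(none)"))
        counts[key] += 1
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(cat, sig, n) for (cat, sig), n in rows], skipped

def format_table(rows):
    """Render rows as 'alert.category | alert.signature | count' lines."""
    out = ["alert.category | alert.signature | count"]
    for cat, sig, n in rows:
        out.append(f"{cat} | {sig} | {n}")
    return "\n".join(out)

if __name__ == "__main__":
    rows, skipped = summarize_alerts(SAMPLE_EVE_LINES.splitlines())
    print(format_table(rows), f"\n# skipped {skipped} unparsable line(s)")
```

Point it at a real eve.json with `summarize_alerts(open("eve.json"))` to get the same summary for a day's traffic.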

That concludes this report.