[Honeypot Quick Analysis] Honeypot quick analysis (day 326: 7/11)
This is the honeypot quick analysis for day 326 (7/11).
◾️Honeytrap
※Port 80 is excluded
<Detections by country and total detections>
<Detections by port (vs. 30-day average)>
Port | Service | Count | Difference vs. 30-day average |
---|---|---|---|
445 | smb | 4001 | 575 |
23 | telnet | 1749 | 533 |
5900 | vnc | 611 | 73 |
11022 | Unknown | 233 | 232 |
2323 | telnet | 207 | 117 |
8080 | proxy | 161 | 129 |
3306 | mysql | 91 | -76 |
3389 | rdp | 78 | -75 |
175 | vmnet | 72 | 72 |
81 | hosts2-ns | 70 | 38 |
<New malware downloads>
Malware download | Payload (example) |
---|---|
hxxp://89[.]190[.]159[.]178/lovely | GET /shell?cd%20/tmp;wget |
hxxp://fbihere[.]web2tor[.]cf/love | POST /UD/?9 HTTP/1.1 |
142[.]11[.]240[.]29 | POST /ctrlt/DeviceUpgrade_1 HTTP/1.1 |
hxxp://198[.]46[.]202[.]162/kr | POST /picsdesc.xml HTTP/1.1 |
As expected, Mirai/Gafgyt-family malware remains the dominant trend.
◾️WoWHoneypot
<Detections by country and total detections>
<List of detected paths>
Path | Target | CVE | Reference | Count |
---|---|---|---|---|
/admin/assets/js/views/login.js | FreePBX | - | https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 | 20 |
/ | - | - | - | 17 |
hxxp://110[.]249.212.46/testget | Unauthorized Relay | - | - | 8 |
/index.php | - | - | - | 3 |
/phpmyadmin/index.php | phpMyAdmin | - | - | 3 |
/robots.txt | - | - | - | 2 |
/MyAdmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
/manager/html | Tomcat | - | - | 1 |
/myadmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
/phpMyAdmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
/phpmyadmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
/pma/scripts/setup.php | phpMyAdmin | - | - | 1 |
/user/login.html | Unknown | - | - | 1 |
/w00tw00t.at.blackhats.romanian.anti-sec:) | phpMyAdmin | - | - | 1 |
<Newly detected paths>
Path |
---|
/myadmin/scripts/setup.php |
/phpMyAdmin/scripts/setup.php |
/phpmyadmin/scripts/setup.php |
/pma/scripts/setup.php |
<Malware downloads>
None
<Logs under test (Suricata)>
alert.category | alert.signature | count |
---|---|---|
Generic Protocol Command Decode | SURICATA STREAM Packet with broken ack | 2366 |
Not Suspicious Traffic | ET INFO Potentially unsafe SMBv1 protocol in use | 1218 |
Generic Protocol Command Decode | SURICATA STREAM 3way handshake SYNACK resend with different ack | 1088 |
Generic Protocol Command Decode | SURICATA IPv4 padding required | 691 |
Potentially Bad Traffic | GPL SCAN loopback traffic | 691 |
Generic Protocol Command Decode | SURICATA STREAM 3way handshake SYN resend different seq on SYN recv | 437 |
Generic Protocol Command Decode | SURICATA HTTP missing Host header | 190 |
Generic Protocol Command Decode | SURICATA STREAM ESTABLISHED SYNACK resend with different ACK | 150 |
Generic Protocol Command Decode | SURICATA STREAM FIN recv but no session | 143 |
Generic Protocol Command Decode | SURICATA STREAM ESTABLISHED SYN resend with different seq | 136 |
Misc activity | ET POLICY SSH Client Banner Detected on Unusual Port | 106 |
Misc activity | ET POLICY SSH session in progress on Unusual Port | 104 |
Misc activity | GPL ICMP_INFO Destination Unreachable Communication with Destination Host is Administratively Prohibited | 97 |
Generic Protocol Command Decode | SURICATA STREAM Packet with invalid timestamp | 85 |
Generic Protocol Command Decode | SURICATA STREAM RST recv but no session | 75 |
Generic Protocol Command Decode | SURICATA STREAM Packet with invalid ack | 66 |
Generic Protocol Command Decode | SURICATA ICMPv4 unknown code | 64 |
Generic Protocol Command Decode | SURICATA STREAM ESTABLISHED invalid ack | 64 |
Generic Protocol Command Decode | SURICATA STREAM ESTABLISHED SYNACK resend | 55 |
Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction | 33 |
Generic Protocol Command Decode | SURICATA TLS invalid record type | 24 |
Generic Protocol Command Decode | SURICATA TLS invalid record/traffic | 24 |
Generic Protocol Command Decode | SURICATA Applayer Mismatch protocol both directions | 18 |
Generic Protocol Command Decode | SURICATA TCPv4 invalid checksum | 16 |
Generic Protocol Command Decode | SURICATA zero length padN option | 16 |
Generic Protocol Command Decode | SURICATA STREAM FIN out of window | 8 |
Generic Protocol Command Decode | SURICATA STREAM TIMEWAIT ACK with wrong seq | 8 |
Generic Protocol Command Decode | SURICATA SMTP no server welcome message | 7 |
Generic Protocol Command Decode | SURICATA STREAM 3way handshake SYNACK with wrong ack | 6 |
Potentially Bad Traffic | ET POLICY Tunneled RDP msts Handshake | 6 |
Generic Protocol Command Decode | SURICATA TCP option invalid length | 5 |
Generic Protocol Command Decode | SURICATA Applayer Wrong direction first Data | 4 |
Generic Protocol Command Decode | SURICATA STREAM 3way handshake wrong seq wrong ack | 4 |
Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions | 4 |
Generic Protocol Command Decode | SURICATA TLS error message encountered | 4 |
Generic Protocol Command Decode | SURICATA TLS handshake invalid length | 4 |
Attempted Administrator Privilege Gain | ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound | 2 |
Generic Protocol Command Decode | SURICATA HTTP unable to match response to request | 2 |
Generic Protocol Command Decode | SURICATA STREAM SHUTDOWN RST invalid ack | 2 |
Generic Protocol Command Decode | SURICATA STREAM bad window update | 2 |
Misc activity | ET INFO Cisco Smart Install Protocol Observed | 2 |
Generic Protocol Command Decode | SURICATA HTTP Host header invalid | 1 |
Generic Protocol Command Decode | SURICATA STREAM Last ACK with wrong seq | 1 |
That concludes this report.