[Honeypot quick analysis] Honeypot quick analysis (days 328-335: 7/13-7/20)
It has been a while since the last post....
This time the analysis covers several days at once.
◾️Honeytrap
※ Port 80 is excluded
<Detection count>
<Detections by destination port>
Port | Service | Count | Difference from 30-day average |
---|---|---|---|
445 | smb | 32015 | 28575 |
23 | telnet | 10082 | 8835 |
3151 | Unknown | 3129 | 3129 |
3306 | mysql | 2421 | 2272 |
3389 | rdp | 1484 | 1352 |
2323 | telnet | 1116 | 1019 |
9000 | cslistener | 899 | 890 |
8888 | ddi-tcp-1 / ddi-udp-1 | 749 | 733 |
3390 | dsc | 630 | 623 |
5900 | vnc | 605 | 129 |
<New malware>
malware | payload (example) |
---|---|
hxxp://45[.]80[.]37[.]166/htp/ab[.]arm4 | GET /shell |
hxxp://89[.]248[.]174[.]198/curl | CNXN. |
hxxp://87[.]120[.]37[.]148/htp/ab[.]arm4 | GET /shell |
hxxp://192[.]236[.]208[.]238/Pemex[.]sh | POST /tmUnblock.cgi |
hxxp://195[.]231[.]6[.]216/bins/ok[.]arm4 | GET /shell? |
169[.]239[.]128[.]18 | POST /ctrlt/DeviceUpgrade_1 |
hxxp://134[.]209[.]200[.]179/Pemex[.]sh | POST /tmUnblock.cgi |
hxxp://192[.]236[.]162[.]197/lmaoWTFloligang[.]arm7 | GET /shell? |
hxxp://169[.]239[.]128[.]18/arm6 | GET /shell? |
hxxp://169[.]239[.]128[.]18/arm4 | GET /shell? |
hxxp://169[.]239[.]128[.]18/arm7 | GET /shell? |
hxxp://134[.]209[.]9[.]166/Demon[.]mips | GET /setup.cgi |
hxxp://89[.]248[.]174[.]198/jaws[.]sh | GET /shell? |
hxxp://209[.]141[.]42[.]144/razor/r4z0r[.]mips | POST /picsdesc.xml |
hxxp://23[.]254[.]227[.]7/fortnite[.]mips | POST /picsdesc.xml |
hxxp://89[.]190[.]159[.]178/lovely | GET /shell? |
hxxp://167[.]86[.]71[.]89/Corona[.]mips | POST /picsdesc.xml |
80[.]211[.]36[.]172 | POST /ctrlt/DeviceUpgrade_1 |
142[.]11[.]240[.]29 | POST /ctrlt/DeviceUpgrade_1 |
hxxp://80[.]211[.]6[.]90//lmaoWTF/loligang[.]arm7 | GET /shell? |
hxxp://194[.]99[.]22[.]138/arm7 | GET /shell? |
hxxp://116[.]206[.]177[.]144:93/lst | GET /_search? |
hxxp://116[.]206[.]177[.]144:93/s88 | GET /_search? |
hxxp://116[.]206[.]177[.]144:93/linux | GET /_search? |
hxxp://194[.]99[.]22[.]138/arm7 | GET /shell |
Most of these were aimed at IoT devices; my impression is that Mirai and Gafgyt family malware made up the bulk of them.
◾️WoWHoneypot
<Detection count>
<Detections by target>
target | count |
---|---|
- | 241 |
FreePBX | 145 |
Unauthorized Relay | 72 |
WordPress | 66 |
ThinkPHP | 8 |
phpMyAdmin | 4 |
CGI | 2 |
SSL certificate | 2 |
Tomcat | 2 |
WebDAV | 2 |
xml sitemap | 2 |
D-Link DIR-850L | 1 |
IPC | 1 |
Vmware | 1 |
Webshell | 1 |
Zivif Web | 1 |
<New paths>
path | target | CVE | reference |
---|---|---|---|
/NmapUpperCheck1563281090 | Nmap | - | - |
/Panel/ | - | - | - |
/Trunks/ | - | - | - |
/aastra/ | Aastra | - | https://en.wikipedia.org/wiki/Aastra_Technologies |
/adm/adm.php | Anonymous Santa Claus | - | https://github.com/parshukovvv/adm/blob/master/adm.php |
/admin$ | - | - | - |
/ag198/ | ag198 | - | http://www.atcom.cn/dl_ag198.html |
/algo/ | - | - | - |
/algom/ | - | - | - |
/asterisk/ | Asterisk | - | https://ja.wikipedia.org/wiki/Asterisk_(PBX) |
/atacom/ | - | - | - |
/atcom/ | atcom | - | http://www.atcom.cn |
/atcom/ag198/ | ag198 | - | http://www.atcom.cn/dl_ag198.html |
/autoload_configs/ | FREESWITCH | - | https://freeswitch.org/confluence/display/FREESWITCH/Default+Configuration |
/baFirmware/ | baFirmware | - | - |
/boot/ | - | - | - |
/bub/ | - | - | - |
/bub2/ | - | - | - |
/bw/ | - | - | - |
/cfg/ | - | - | - |
/cisco | cisco | - | - |
/cisco/ | cisco | - | - |
/conf/ | - | - | - |
/config/ | - | - | - |
/configs/ | - | - | - |
/configuration/ | - | - | - |
/cp860/ | CP860 | - | https://www.yealink.com/products_35.html |
/d50/ | - | - | - |
/default/ | - | - | - |
/devicecfg/ | - | - | - |
/digium/ | d50 | - | https://www.digium.com/products/ip-phones/d50 |
/digium/d50/ | d50 | - | https://www.digium.com/products/ip-phones/d50 |
/directory/ | - | - | - |
/dms/ | - | - | - |
/download/ | - | - | - |
/e3xx/ | FusionPBX | - | https://github.com/fusionpbx/fusionpbx |
/engine/ | - | - | - |
/escene/ | FusionPBX | - | https://github.com/fusionpbx/fusionpbx |
/escene/e3xx/ | FusionPBX | - | https://github.com/fusionpbx/fusionpbx |
/etc/ | Setting File | - | - |
/extensions.conf | Asterisk | - | A4%E3%83%AB_extensions.conf |
/extensions/ | - | - | - |
/fanvil/ | Fanvil Technology | - | - |
/fax/ | - | - | - |
/fifo/ | - | - | - |
/firmware | - | - | - |
/firmware/ | - | - | - |
/folder/ | - | - | - |
/fpbx/ | - | - | - |
/freeswitch/ | FreeSWITCH | - | https://freeswitch.org/confluence/display/FREESWITCH/FreeSWITCH+Explained |
/freetdm.conf/ | FreeSWITCH | - | https://freeswitch.org/confluence/display/FREESWITCH/FreeSWITCH+Explained |
/ftp/ | ftp | - | - |
/fw/ | - | - | - |
/gateway | - | - | - |
/gateways/ | - | - | - |
/grandstream/ | Grandstream Networks | - | https://www.grandstream.jp/ |
/gs/ | - | - | - |
/gswave/ | Grandstream Networks | - | https://www.grandstream.jp/ |
/home/ | - | - | - |
/htek/ | htek | - | http://www.htek.com/ |
/index_web1.php | Webshell | - | - |
/line/ | - | - | - |
/linksys/ | - | - | - |
/login.asp | Login Page | - | - |
/login/ | Login Page | - | - |
/manger/ | - | - | - |
/master/ | - | - | - |
/mitel/ | - | - | - |
/nmaplowercheck1563281090 | nmap | - | - |
/obihai/ | OBiTALK | - | www.obihai.com/ |
/overides/ | - | - | - |
/panasonic/ | panasonic | - | - |
/pbx/ | - | - | - |
/phone/ | - | - | - |
/phones/ | - | - | - |
/phpmyadmin/ index.php | phpMyAdmin | - | - |
/pmd/ index.php | phpMyAdmin | - | - |
/pmd/index.php | phpMyAdmin | - | - |
/polycom/ | polycom | - | https://www.otsuka-shokai.co.jp/products/tvm/polycom/ |
/prov/ | - | - | - |
/provision/ | - | - | - |
/provisioner/ | - | - | - |
/provisioning/ | - | - | - |
/ps/ | - | - | - |
/pub/ | - | - | - |
/recordings/ | - | - | - |
/reg | - | - | - |
/sangoma/ | sangoma | - | https://www.sangoma.com/ |
/setup.cgi | Netgear DGN1000 router | - | - |
/sip/ | sip | - | - |
/sipphone/ | sip | - | - |
/smart/ | - | - | - |
/smarty/ | - | - | - |
/snom/ | - | - | - |
/spa/ | - | - | - |
/spectralink/ | spectralink | - | https://www.spectralink.com/ |
/sys/ | - | - | - |
/temp/ | - | - | - |
/text/ | - | - | - |
/trunks/ | - | - | - |
/vcs754/ | Vtech VCS754 | - | https://businessphones.vtech.com/pd/3439/VCS754-ErisStation-SIP-Conference-Phone-with-Four-Wireless-Mics |
/vodafone/ | Vodafone | - | - |
/voice/ | - | - | - |
/voip/ | voip | - | - |
/vpn/ | vpn | - | - |
/vtech/ | - | - | - |
/xml/ | xml | - | - |
/yealink/ | Yealink | - | https://www.yealink.com/ |
/yeastar/ | Yeastar | - | https://www.yeastar.com/ |
We detected multiple requests that appear to be checking whether IP-phone and PBX products are present. The traffic stopped at reconnaissance; no follow-on attacks were observed.
That is all for this report.
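As an added example (written for this post, not the author's WoWHoneypot tooling), the following code applies a subset of the path-to-product mapping from the table above to constructed access-log lines, producing the same kind of per-target counts, and flags a source that walks several IP-phone/PBX paths, which is the reconnaissance-only pattern noted above. The sample log, the "Provisioning" label for /provisioning/ and the threshold of three products are assumptions.

```python
import re
from collections import Counter, defaultdict

# Path -> product mapping, a subset of the "new paths" table above. Labelling
# /provisioning/ as "Provisioning" is an editor's assumption (unattributed there).
PATH_TARGETS = {
    "/yealink/": "Yealink", "/polycom/": "Polycom", "/grandstream/": "Grandstream",
    "/asterisk/": "Asterisk", "/freeswitch/": "FreeSWITCH", "/snom/": "snom",
    "/provisioning/": "Provisioning", "/setup.cgi": "Netgear DGN1000",
}
VOIP = {"Yealink", "Polycom", "Grandstream", "Asterisk", "FreeSWITCH", "snom", "Provisioning"}
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')

# Constructed combined-format access log lines (not from the original post).
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jul/2019:10:00:01 +0900] "GET /yealink/ HTTP/1.1" 404 0
203.0.113.10 - - [15/Jul/2019:10:00:02 +0900] "GET /polycom/ HTTP/1.1" 404 0
203.0.113.10 - - [15/Jul/2019:10:00:03 +0900] "GET /grandstream/?r=1 HTTP/1.1" 404 0
203.0.113.10 - - [15/Jul/2019:10:00:04 +0900] "GET /provisioning/ HTTP/1.1" 404 0
198.51.100.7 - - [15/Jul/2019:11:30:00 +0900] "GET /setup.cgi HTTP/1.1" 404 0
198.51.100.7 - - [15/Jul/2019:11:30:01 +0900] "POST /tmUnblock.cgi HTTP/1.1" 404 0
192.0.2.55 - - [15/Jul/2019:12:00:00 +0900] "GET /index.html HTTP/1.1" 200 0
"""

def parse_line(line):
    # Return (client_ip, path) with any query string dropped, or None if unparsable.
    m = LINE_RE.match(line)
    return (m.group(1), m.group(2).split("?", 1)[0]) if m else None

def classify(path):
    # "-" marks an unattributed path, as in the table above.
    return PATH_TARGETS.get(path, "-")

def summarize(log_text):
    # Hits per target, plus the set of VoIP products each source probed.
    per_target, voip_by_ip = Counter(), defaultdict(set)
    for parsed in map(parse_line, log_text.splitlines()):
        if parsed is None:
            continue
        ip, path = parsed
        target = classify(path)
        per_target[target] += 1
        if target in VOIP:
            voip_by_ip[ip].add(target)
    return per_target, voip_by_ip

def voip_enumerators(log_text, min_products=3):
    # Sources that walked several distinct IP-phone/PBX paths: the
    # reconnaissance-only pattern noted above (the threshold is an assumption).
    _, voip_by_ip = summarize(log_text)
    return sorted(ip for ip, seen in voip_by_ip.items() if len(seen) >= min_products)
```

Running `summarize(SAMPLE_LOG)` yields the per-target counts, and `voip_enumerators(SAMPLE_LOG)` reports only the source that enumerated several VoIP paths.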