【Honeypot Quick Analysis】Honeypot quick analysis (Days 340-343: 7/25-28)
This is the honeypot quick analysis for days 340-343 (7/25-28).
◾️Honeytrap
※Port 80 is excluded
<Detections by country and total detections>
<Detections by port (compared with the 30-day average)>
Port | Service | Count | Difference vs. 30-day average |
---|---|---|---|
445 | smb | 15828 | 11929 |
23 | telnet | 7194 | 5842 |
5900 | vnc | 1349 | 968 |
3127 | Unknown | 1287 | 1286 |
24258 | Unknown | 1285 | 1285 |
34653 | Unknown | 1284 | 1284 |
25289 | Unknown | 1278 | 1278 |
29981 | Unknown | 1269 | 1269 |
34221 | Unknown | 1269 | 1269 |
38350 | Unknown | 1268 | 1268 |
Payload:
```
...)$......Cookie: mstshash=NCRACK_USER..
```
<New malware downloads>
malware_download | Attack example |
---|---|
51[.]81[.]7[.]103 | POST /ctrlt/DeviceUpgrade_1 |
hxxp://104[.]168[.]215[.]139/mips | POST /picsdesc.xml |
hxxp:/\/80[.]211[.]9[.]40/bins/a[.]arm5 | GET /shell?cd%20/tmp; |
188[.]165[.]179[.]15 | POST /ctrlt/DeviceUpgrade_1 |
hxxp://192[.]236[.]162[.]197/vb/Amakano[.]mpsl | POST /tmUnblock.cgi |
hxxp://51[.]89[.]143[.]177/Demon[.]mips | POST /picsdesc.xml |
hxxp://185[.]246[.]152[.]89/bins/telnet[.]arm | GET /shell?cd%20/tmp; |
hxxp:/\/91[.]211[.]244[.]92/arm6 | GET /shell?cd%20/tmp; |
147[.]135[.]116[.]71 | POST /ctrlt/DeviceUpgrade_1 |
◾️WoWHoneypot
<Detections by country and total detections>
<Detected path list>
wow_path_research | target | CVE | reference | count |
---|---|---|---|---|
/admin/assets/js/views/login.js | FreePBX | - | https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 | 103 |
/ | - | - | - | 101 |
/robots.txt | - | - | - | 6 |
/favicon.ico | - | - | - | 5 |
/TP/public/index.php | ThinkPHP | - | - | 4 |
/manager/html | Tomcat | - | - | 3 |
/phpmyadmin | phpMyAdmin | - | - | 3 |
/.well-known/security.txt | SSL certificate | - | https://qiita.com/comefigo/items/e9b1bce93c1b615e5934 | 2 |
/sitemap.xml | xml sitemap | - | - | 2 |
45.79.32.208:60606 | - | - | - | 2 |
hxxp://www.baidu.com/ | Unauthorized Relay | - | - | 2 |
www.baidu.com:443 | Unauthorized Relay | - | - | 2 |
//recordings/misc/play_page.php | - | - | - | 1 |
/MyAdmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
/admin/config.php | Admin config | - | - | 1 |
/cgi-bin/user/Config.cgi | AVTECH AVN801 DVR | CVE-2013-4981 | https://jvndb.jvn.jp/ja/contents/2013/JVNDB-2013-006100.html | 1 |
/current_config/passwd | dahua camera | - | https://github.com/mcw0/PoC/blob/master/dahua-backdoor-PoC.py | 1 |
/currentsetting.htm | NETGEAR Genie | - | https://qiita.com/comefigo/items/e9b1bce93c1b615e5934 | 1 |
/device_description.xml | UPnP | - | https://medium.com/@djboris/digging-into-upnp-by-searching-a-sonos-api-5e10e080a232 | 1 |
/login.asp | Login Page | - | - | 1 |
/login/login.html | - | - | - | 1 |
/manager/text/list | - | - | - | 1 |
/myadmin/scripts/setup.php | - | - | - | 1 |
/phpMyAdmin/scripts/setup.php | - | - | - | 1 |
/phpmyadmin/scripts/setup.php | - | - | - | 1 |
/pma/scripts/setup.php | - | - | - | 1 |
/scripts/setup.php | phpMyAdmin | - | - | 1 |
/shell | Webshell | - | - | 1 |
/winbox.png | MikroTik | - | https://sec-owl.hatenablog.com/entry/2018/10/12/160525 | 1 |
hxxp://123.125.114.144/ | Unauthorized Relay | - | - | 1 |
<Newly detected path list>
wow_path_research | target | CVE | reference | count |
---|---|---|---|---|
//recordings/misc/play_page.php | FreePBX | - | https://sec23.hatenablog.com/entry/2019/07/24/233000 | 1 |
/login/login.html | login Page | - | - | 1 |
/manager/text/list | Tomcat | - | https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html | 1 |
/myadmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
/phpMyAdmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
/phpmyadmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
/pma/scripts/setup.php | phpMyAdmin | - | - | 1 |
45[.]79[.]32[.]208:60606 | Unauthorized Relay | - | - | 2 |
About "/manager/text/list"
This is the Tomcat Manager text interface that lists the applications currently deployed. If it is reachable, information like the following is returned:
```
OK - Listed applications for virtual host localhost
/webdav:running:0:webdav
/examples:running:0:examples
/manager:running:0:manager
/:running:0:ROOT
/test:running:0:test##2
/test:running:0:test##1
```
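As an added illustration (not code from the original post), the following Python snippet shows how request targets captured by a web honeypot can be sorted into the "target" labels used in the path tables above: the phpMyAdmin setup.php aliases, the Tomcat Manager paths, the FreePBX paths, and the "Unauthorized Relay" rows, which are requests whose target is an absolute URL or a host:port rather than a local path. The sample request lines are constructed, and the CONNECT method for the host:port entries is an assumption.

```python
import re
from collections import Counter

# Constructed sample request lines ("METHOD target"), modelled on the tables above;
# these are not taken from a real honeypot log.
SAMPLE_REQUESTS = [
    "GET /admin/assets/js/views/login.js",
    "GET /admin/assets/js/views/login.js",
    "GET /phpMyAdmin/scripts/setup.php",
    "GET /pma/scripts/setup.php",
    "GET /myadmin/scripts/setup.php",
    "GET /manager/text/list",
    "GET /manager/html",
    "GET http://www.baidu.com/",
    "CONNECT www.baidu.com:443",      # assumed method for the host:port rows
    "CONNECT 45.79.32.208:60606",
    "GET /robots.txt",
]

# Path patterns -> target label, mirroring the "target" column of the tables.
PATH_RULES = [
    (re.compile(r"^/admin/assets/js/views/login\.js$"), "FreePBX"),
    (re.compile(r"^//?recordings/misc/play_page\.php$"), "FreePBX"),
    (re.compile(r"^/manager/(html|text/list)$"), "Tomcat"),
    # setup.php under any of the usual phpMyAdmin directory aliases, any case
    (re.compile(r"^/(phpmyadmin|myadmin|pma)?/?scripts/setup\.php$", re.I), "phpMyAdmin"),
    (re.compile(r"^/phpmyadmin$", re.I), "phpMyAdmin"),
    (re.compile(r"^/TP/public/index\.php$"), "ThinkPHP"),
]

ABS_URI = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)   # e.g. http://host/
HOST_PORT = re.compile(r"^[^/\s]+:\d{1,5}$")            # e.g. host:443

def classify(request_line: str) -> str:
    """Return the target label for one 'METHOD target' request line."""
    method, _, target = request_line.partition(" ")
    # An absolute URI, or host:port with CONNECT, means the client is trying to
    # use the honeypot as a forward proxy: an open-relay probe, not a local path.
    if ABS_URI.match(target) or (method == "CONNECT" and HOST_PORT.match(target)):
        return "Unauthorized Relay"
    for pattern, label in PATH_RULES:
        if pattern.match(target):
            return label
    return "-"

def summarise(lines) -> Counter:
    """Count requests per (target, label) pair, like the wow_path_research table."""
    return Counter((line.partition(" ")[2], classify(line)) for line in lines)
```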
<Malware downloads>
None
◾️Suricata (for reference)
That is all.