【ハニーポット簡易分析】Honeypot簡易分析(340-343日目:7/25-28)
Honeypot簡易分析(340-343日目:7/25-28)となります。
◾️Honeytrap
※80ポートは除く
<国別検知数および検知数>
<ポート検知数(30日平均比)>
| ポート番号 | サービス | 件数 | 件数差(30日平均) |
|---|---|---|---|
| 445 | smb | 15828 | 11929 |
| 23 | telnet | 7194 | 5842 |
| 5900 | vnc | 1349 | 968 |
| 3127 | Unknown | 1287 | 1286 |
| 24258 | Unknown | 1285 | 1285 |
| 34653 | Unknown | 1284 | 1284 |
| 25289 | Unknown | 1278 | 1278 |
| 29981 | Unknown | 1269 | 1269 |
| 34221 | Unknown | 1269 | 1269 |
| 38350 | Unknown | 1268 | 1268 |
ペイロード:
...)$......Cookie: mstshash=NCRACK_USER..
<新規マルウェアダウンロード>
| malware_download | 攻撃例 |
| 51[.]81[.]7[.]103 | POST /ctrlt/DeviceUpgrade_1 |
| hxxp://104[.]168[.]215[.]139/mips | POST /picsdesc.xml |
| hxxp:/\/80[.]211[.]9[.]40/bins/a[.]arm5 | GET /shell?cd%20/tmp; |
| 188[.]165[.]179[.]15 | POST /ctrlt/DeviceUpgrade_1 |
| hxxp://192[.]236[.]162[.]197/vb/Amakano[.]mpsl | POST /tmUnblock.cgi |
| hxxp://51[.]89[.]143[.]177/Demon[.]mips | POST /picsdesc.xml |
| hxxp://185[.]246[.]152[.]89/bins/telnet[.]arm | GET /shell?cd%20/tmp; |
| hxxp:/\/91[.]211[.]244[.]92/arm6 | GET /shell?cd%20/tmp; |
| 147[.]135[.]116[.]71 | POST /ctrlt/DeviceUpgrade_1 |
◾️WoWHoneeypot
<国別検知数および検知数>
| wow_path_research | target | CVE | reference | count |
| /admin/assets/js/views/login.js | FreePBX | - | https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 | 103 |
| / | - | - | - | 101 |
| /robots.txt | - | - | - | 6 |
| /favicon.ico | - | - | - | 5 |
| /TP/public/index.php | ThinkPHP | - | - | 4 |
| /manager/html | Tomcat | - | - | 3 |
| /phpmyadmin | phpMyAdmin | - | - | 3 |
| /.well-known/security.txt | SSL certificate | - | https://qiita.com/comefigo/items/e9b1bce93c1b615e5934 | 2 |
| /sitemap.xml | xml sitemap | - | - | 2 |
| 45.79.32.208:60606 | 2 | |||
| hxxp://www.baidu.com/ | Unauthorized Relay | - | - | 2 |
| www.baidu.com:443 | Unauthorized Relay | - | - | 2 |
| //recordings/misc/play_page.php | 1 | |||
| /MyAdmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
| /admin/config.php | Admin config | - | - | 1 |
| /cgi-bin/user/Config.cgi | AVTECH AVN801 DVR | CVE-2013-4981 | https://jvndb.jvn.jp/ja/contents/2013/JVNDB-2013-006100.html | 1 |
| /current_config/passwd | dahua camera | - | https://github.com/mcw0/PoC/blob/master/dahua-backdoor-PoC.py | 1 |
| /currentsetting.htm | NETGEAR Genie | - | https://qiita.com/comefigo/items/e9b1bce93c1b615e5934 | 1 |
| /device_description.xml | UPnP | - | https://medium.com/@djboris/digging-into-upnp-by-searching-a-sonos-api-5e10e080a232 | 1 |
| /login.asp | Login Page | - | - | 1 |
| /login/login.html | 1 | |||
| /manager/text/list | 1 | |||
| /myadmin/scripts/setup.php | 1 | |||
| /phpMyAdmin/scripts/setup.php | 1 | |||
| /phpmyadmin/scripts/setup.php | 1 | |||
| /pma/scripts/setup.php | 1 | |||
| /scripts/setup.php | phpMyAdmin | - | - | 1 |
| /shell | Webshell | - | - | 1 |
| /winbox.png | MikroTik | - | https://sec-owl.hatenablog.com/entry/2018/10/12/160525 | 1 |
| hxxp://123.125.114.144/ | Unauthorized Relay | - | - | 1 |
<新規検知パス一覧>
| wow_path_research | target | CVE | reference | count |
| //recordings/misc/play_page.php | FreePBX | - | https://sec23.hatenablog.com/entry/2019/07/24/233000 | 1 |
| /login/login.html | login Page | - | - | 1 |
| /manager/text/list | Tomcat | - | https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html | 1 |
| /myadmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
| /phpMyAdmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
| /phpmyadmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
| /pma/scripts/setup.php | phpMyAdmin | - | - | 1 |
| 45[.]79[.]32[.]208:60606 | Unauthorized Relay | - | - | 2 |
「/manager/text/list」について
Tomcat関連で現在デプロイされているアプリケーションのリストを表示させるものとなります。アクセス可能な場合、以下のような情報が表示されます。
OK - Listed applications for virtual host localhost
/webdav:running:0:webdav
/examples:running:0:examples
/manager:running:0:manager
/:running:0:ROOT
/test:running:0:test##2
/test:running:0:test##1<マルウェアダウンロード>
なし
◾️Suricata(参考)
以上となります。
