【ハニーポット簡易分析】Honeypot簡易分析(344-352日目:7/29-8/6)
お仕事だったり、CFP書いたりして遅くなりました。。。が、これからも頑張って更新していきたいと思います。近いうちに7月のまとめも書きたいと思います。
ハニーポット運用344-352日目(7/29-8/6)分の簡易分析となります。
◾️Honeytrap
※80ポートは除く
<国別検知数および検知数>
<ポート検知数>
ポート番号 | サービス | 件数 |
445 | smb | 33519 |
23 | telnet | 14681 |
5038 | Asterisk | 9178 |
5900 | vnc | 2533 |
7070 | Unknown | 2369 |
2323 | telnet | 1162 |
3306 | mysql | 1136 |
25 | smtp | 1047 |
3389 | rdp | 841 |
1433 | ms-sql-s | 571 |
VoIPなどで利用されているオープンソースのPBXソフトウェア(Asterisk)に関連するポート5038およびポート7070宛の通信が増加していました。ペイロードは特に含まれておらず、ポートが開いているかを確認するスキャンのようでした。
<新規マルウェアダウンロード>
ダウンロードされるマルウェアはIoT製品を標的とするものが多い傾向です。
malware | payload(例) |
hxxp://34[.]90[.]52[.]127/zehir/z3hir[.]mips | POST /picsdesc.xml |
hxxp:/\/185[.]198[.]57[.]180/p | GET /shell?cd%20/tmp;wget |
hxxp://195[.]189[.]226[.]54/bb[.]sh | CNXN........... |
hxxp:/\/185[.]244[.]150[.]111/x | GET /shell?cd%20/tmp;wget |
hxxp://185[.]164[.]72[.]155/richard | POST /SGPAdmin/fileRequest |
hxxp:/\/142[.]11[.]238[.]236/arm7 | GET /shell?cd%20/tmp;wget |
hxxp://wiu[.]fxxxxxxk[.]me/download[.]exe | GET /public/hydra.php |
51[.]81[.]7[.]103 | POST /ctrlt/DeviceUpgrade_1 |
hxxp:/\/195[.]189[.]226[.]54/quack[.]sh | GET /shell?cd+/tmp;wget |
hxxp://185[.]172[.]110[.]224/mips | POST /picsdesc.xml |
hxxp:/\/87[.]120[.]37[.]148/bins/autism[.]arm5 | GET /shell?cd |
hxxp://104[.]168[.]215[.]139/mips | POST /picsdesc.xml |
hxxp:/\/185[.]244[.]25[.]75/SinixV4[.]armv6l | GET /shell?cd |
hxxp://207[.]148[.]78[.]152/c | CNXN… |
hxxp:/\/80[.]211[.]9[.]40/bins/a[.]arm5 | GET /shell?cd%20/tmp;wget-alive.... |
165[.]22[.]213[.]0 | POST /ctrlt/DeviceUpgrade_1 |
hxxp://34[.]90[.]52[.]127/bins/mips | POST /picsdesc.xml |
hxxp://192[.]236[.]162[.]197/vb/Amakano[.]mpsl | POST /tmUnblock.cgi |
hxxp://34[.]90[.]52[.]127/zehir/z3hir[.]mpsl | POST /picsdesc.xml |
hxxp://192[.]119[.]66[.]148/mips | POST /picsdesc.xml |
hxxp://185[.]158[.]251[.]183/sh | GET /shell?cd%20/tmp |
hxxp:/\/45[.]129[.]3[.]130/lmaoWTF8arm48 | GET /shell?cd%20/tmp |
167[.]71[.]128[.]164 | POST /ctrlt/DeviceUpgrade_1 |
hxxp://irc[.]b0ts[.]club/r | POST /wanipcn.xml HTTP/1.1 |
hxxp://134[.]209[.]45[.]194/adb | POST /UD/?9 |
188[.]165[.]179[.]15 | POST /ctrlt/DeviceUpgrade_1 |
hxxp:/\/103[.]1[.]186[.]118/bins/a[.]arm5 | GET /shell?cd%20/tmp;wget |
hxxp://185[.]222[.]202[.]183/bins/telnet[.]arm | GET /shell? |
ftp://172[.]30[.]1[.]7/160[.]16[.]145[.]183[.]conf | ..............................G7.`......copy system:running-config |
hxxp://134[.]209[.]45[.]194/bins/apep[.]mips | POST /picsdesc.xml |
◾️WoWHoneypot
<国別検知数および検知数>
<検知パス一覧>
wow_path_research | target | CVE | reference | count |
/admin/assets/js/views/login.js | FreePBX | - | https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 | 219 |
/ | - | - | - | 206 |
hxxp://110.249.212.46/testget | Unauthorized Relay | - | - | 7 |
/robots.txt | - | - | - | 6 |
/.well-known/security.txt | SSL certificate | - | https://qiita.com/comefigo/items/e9b1bce93c1b615e5934 | 4 |
/favicon.ico | - | - | - | 4 |
/phpmyadmin/scripts/setup.php | | | | 4 |
/sitemap.xml | xml sitemap | - | - | 4 |
/w00tw00t.at.blackhats.romanian.anti-sec:) | phpMyAdmin | - | - | 4 |
149.28.164.220:443 | | | | 4 |
//recordings/misc/play_page.php | | | | 3 |
/MyAdmin/scripts/setup.php | phpMyAdmin | - | - | 3 |
/manager/html | Tomcat | - | - | 3 |
/myadmin/scripts/setup.php | | | | 3 |
/pma/scripts/setup.php | | | | 3 |
hxxp://149.28.164.220/index.php | | | | 3 |
/Login/Login.aspx | Login Page | - | - | 2 |
/TP/public/index.php | ThinkPHP | - | - | 2 |
/jira/secure/ContactAdministrators!default.jspa | | | | 2 |
/login.cgi | login Page | - | - | 2 |
/phpMyAdmin/scripts/setup.php | | | | 2 |
/secure/ContactAdministrators!default.jspa | | | | 2 |
/server-status | Apache Server | - | https://github.com/mazen160/server-status_PWN | 2 |
/shell | Webshell | - | - | 2 |
/ui | | | | 2 |
hxxp://portal.kaspersky.site/index.php | | | | 2 |
www.baidu.com:443 | Unauthorized Relay | - | - | 2 |
/.env | .env file | - | - | 1 |
//a2billing/customer/templates/default/footer.tpl | FreePBX | - | https://cute-0tter.hatenablog.com/entry/2019/02/25/235730 | 1 |
//vtigercrm/vtigerservice.php | vtiger vtiger CRM 5.2.1 | - | https://www.securityfocus.com/bid/47267/info | 1 |
/GponForm/diag_Form | | | | 1 |
/Login.htm | - | - | - | 1 |
/dumpmdm.cmd | | | | 1 |
/images/ | | | | 1 |
/ipc$ | IPC | - | https://thinline196.hatenablog.com/entry/2018/09/23/153019 | 1 |
/manager/text/list | | | | 1 |
/mysql/admin/index.php | phpMyAdmin | - | - | 1 |
/phpmyadmin | phpMyAdmin | - | - | 1 |
/webadmin/script | | | | 1 |
cn.bing.com:443 | Unauthorized Relay | - | - | 1 |
hxxp://112.35.63.31:8088/index.php | Unauthorized Relay | - | - | 1 |
hxxp://112.35.66.7:8088/index.php | Unauthorized Relay | - | - | 1 |
hxxp://123.125.114.144/ | Unauthorized Relay | - | - | 1 |
hxxp://172.247.32.25/ddd.html | Unauthorized Relay | - | - | 1 |
hxxp://www.123cha.com/ | Unauthorized Relay | - | - | 1 |
hxxp://www.baidu.com/ | Unauthorized Relay | - | - | 1 |
hxxp://www.ip.cn/ | Unauthorized Relay | - | - | 1 |
1 |
<新規検知パス一覧>
wow_path_research | target | CVE | reference |
//recordings/misc/play_page.php | FreePBX | - | https://community.freepbx.org/t/incorrect-mime-type-sent-when-playing-voicemail-call-recordings-in-web-browser/16774 |
/GponForm/diag_Form | Dasan GPON home router | CVE-2018-10561 | https://nvd.nist.gov/vuln/detail/CVE-2018-10561 |
/dumpmdm.cmd | Cisco RV132W Wireless-N ADSL2+ VPN Router | CVE-2018-0125,CVE-2018-0127 | https://ssd-disclosure.com/archives/3590/ssd-advisory-hack2win-cisco-rv132w-multiple-vulnerabilities |
/images/ | - | - | - |
/jira/secure/ContactAdministrators!default.jspa | JIRA | - | https://ja.wikipedia.org/wiki/JIRA_(%E3%82%BD%E3%83%95%E3%83%88%E3%82%A6%E3%82%A7%E3%82%A2) |
/manager/text/list | Tomcat | - | https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html |
/myadmin/scripts/setup.php | phpMyAdmin | - | - |
/phpMyAdmin/scripts/setup.php | phpMyAdmin | - | - |
/pma/scripts/setup.php | phpMyAdmin | - | - |
/secure/ContactAdministrators!default.jspa | JIRA | - | https://ja.wikipedia.org/wiki/JIRA_(%E3%82%BD%E3%83%95%E3%83%88%E3%82%A6%E3%82%A7%E3%82%A2) |
/ui | - | - | - |
/webadmin/script | OpenDreamBox 2.0.0 | - | https://www.exploit-db.com/exploits/42293 |
149[.]28.164.220:443 | Unauthorized Relay | - | - |
hxxp://149.28.164.220/index.php | Unauthorized Relay | - | - |
hxxp://portal.kaspersky.site/index.php | Unauthorized Relay | - | - |
portal[.]kaspersky.site:443 | Unauthorized Relay | - | - |