【ハニーポット簡易分析】Honeypot簡易分析(353-356日目:8/7-8/10)
Honeypot簡易分析(353-356日目:8/7-8/10)となります。
◾️Honeytrap
※80ポートは除く
<国別検知数および検知数>
<ポート検知数>
ポート番号 | サービス | 件数 |
445 | smb | 17099 |
23 | telnet | 10956 |
5900 | vnc | 3070 |
25 | smtp | 670 |
2323 | telnet | 575 |
3389 | rdp | 564 |
3306 | mysql | 490 |
8080 | proxy | 329 |
9000 | cslistener | 224 |
8888 | ddi-tcp-1 / ddi-udp-1 | 223 |
<新規マルウェアダウンロード>
malware_download | payload例 |
hxxp://185[.]35[.]138[.]156/c | GET /shell?cd%20/tmp;wget% |
hxxp://185[.]244[.]25[.]185/loot/Jaws[.]sh | GET /shell?cd%20/tmp;wget% |
hxxp://91[.]92[.]66[.]192/curl[.]sh | CNXN............（Android Debug Bridge の CONNECT メッセージと思われる） |
hxxp://185[.]244[.]25[.]185/loot/Jaws[.]sh | GET /shell?cd%20/tmp;wget% |
hxxp://23[.]254[.]204[.]46/mips | POST /picsdesc.xml |
hxxp://91[.]92[.]66[.]192/jaws[.]sh | GET /shell?cd+/tmp;wget |
hxxp://91[.]92[.]66[.]192/rt[.]sh | POST /wanipcn.xml |
hxxp://91[.]92[.]66[.]192/quack[.]sh | GET /shell?cd+/tmp;wget |
hxxp://185[.]62[.]189[.]143/richard | POST /users/%2f/%2fproc%2fself%2fcomm |
hxxps://gitee[.]com/c-888/ss/raw/master/ss/logo[.]jpg | POST /flex2gateway/amf |
<国別検知数および検知数>
<検知パス一覧>
wow_path_research | target | CVE | reference | count |
/ | - | - | - | 90 |
/admin/assets/js/views/login.js | FreePBX | - | https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 | 68 |
/wls-wsat/CoordinatorPortType | Oracle WebLogic Server | CVE-2017-10271 | https://www.morihi-soc.net/?p=910 | 15 |
/TP/public/index.php | ThinkPHP | - | - | 10 |
/jsrpc.php | Zabbix | - | - | 8 |
/zabbix/jsrpc.php | Zabbix | - | - | 8 |
//recordings/misc/play_page.php | FreePBX | - | https://sec23.hatenablog.com/entry/2019/07/24/233000 , https://community.freepbx.org/t/incorrect-mime-type-sent-when-playing-voicemail-call-recordings-in-web-browser/16774 | 4 |
/robots.txt | - | - | - | 4 |
//recordings/ | FreePBX | - | https://cute-0tter.hatenablog.com/entry/2019/02/25/235730 | 3 |
//recordings/theme/main.css | FreePBX | - | - | 3 |
/index.php | - | - | - | 3 |
/phpmyadmin/index.php | phpMyAdmin | - | - | 3 |
/pma/scripts/setup.php | phpMyAdmin | - | - | 3 |
//hxxpmon.php | Zabbix | - | - | 2 |
//proxies.php | Zabbix | - | - | 2 |
/api_jsonrpc.php | Zabbix | - | - | 2 |
/myadmin/scripts/setup.php | phpMyAdmin | - | - | 2 |
/phpmyadmin/scripts/setup.php | phpMyAdmin | - | - | 2 |
/w00tw00t.at.blackhats.romanian.anti-sec:) | phpMyAdmin | - | - | 2 |
/zabbix//hxxpmon.php | Zabbix | - | - | 2 |
/zabbix//proxies.php | Zabbix | - | - | 2 |
/zabbix/api_jsonrpc.php | Zabbix | - | https://www.exploit-db.com/exploits/39937 | 2 |
/.aws/credentials | AWS 認証情報ファイル | - | - | 1 |
/.well-known/security.txt | security.txt（セキュリティ連絡先の公開ファイル） | - | https://qiita.com/comefigo/items/e9b1bce93c1b615e5934 | 1 |
/HNAP1 | D-Link DIR-850L | CVE-2015-2051 | https://www.morihi-soc.net/?p=981 | 1 |
/Main_Analysis_Content.asp | - | - | - | 1 |
/MyAdmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
/Nmap/folder/check1565369582 | Nmap | - | - | 1 |
/NmapUpperCheck1565369582 | Nmap | - | - | 1 |
/acadmin.php | Webshell | - | - | 1 |
/admin-console/login.seam | - | - | - | 1 |
/evox/about | Trane Tracer SC | - | https://mogu2itachi.hatenablog.com/entry/2019/03/10/173327 | 1 |
/favicon.ico | - | - | - | 1 |
/images/ | - | - | - | 1 |
/login.asp | Login Page | - | - | 1 |
/manager/html | Tomcat | - | - | 1 |
/mysql/admin/index.php | phpMyAdmin | - | - | 1 |
/mysql/scripts/setup.php | phpMyAdmin | - | - | 1 |
/nmaplowercheck1565369582 | Nmap | - | - | 1 |
/page/maintenance/lanSettings/dns | FLIR Thermal Camera FC-S/PT | - | https://www.exploit-db.com/exploits/42788 | 1 |
/phpMyAdmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
/phpmyadmin2/scripts/setup.php | phpMyAdmin | - | - | 1 |
/scripts/ajaxPortal.lua | VMware NSX SD-WAN Edge by VeloCloud | CVE-2018-6961 | https://www.exploit-db.com/exploits/44959 | 1 |
/sdk | Vmware | - | https://github.com/nmap/nmap/blob/master/scripts/vmware-version.nse | 1 |
/server-status | Apache Server | - | https://github.com/mazen160/server-status_PWN | 1 |
/sitemap.xml | xml sitemap | - | - | 1 |
/xmlrpc.php | WordPress | - | - | 1 |
hxxp://112[.]124[.]42[.]80:63435/ | Unauthorized Relay | - | - | 1 |
<新規検知パス一覧>
wow_path_research | target | CVE | reference |
/nmaplowercheck1565369582 | Nmap | - | - |
/page/maintenance/lanSettings/dns | FLIR Thermal Camera FC-S/PT | - | https://www.exploit-db.com/exploits/42788 |
/wls-wsat/CoordinatorPortType | Oracle WebLogic Server | CVE-2017-10271 | https://www.morihi-soc.net/?p=910 |
<マルウェアダウンロード>
malware | wow_path | count | 参考 |
hxxp://3389[.]space/lx/ss/logo[.]jpg | /wls-wsat/CoordinatorPortType | 5 | coinminer |
hxxp://3389[.]space/nw/vm[.]exe | /wls-wsat/CoordinatorPortType | 5 | coinminer |
hxxp://185[.]164[.]72[.]155/richard | /Main_Analysis_Content.asp | 1 | Downloader |
マルウェアは coinminer を目的としたものを検知していました。やはり、他の攻撃者を意識してか、他の coinminer 系のプロセスを落としてから自身を動作させる作りになっていると思われます。
以上となります。