【ハニーポット簡易分析】Honeypot簡易分析(383日目:9/18)
ハニーポットの簡易分析となります。特に大きな変化はなしでした。
◾️Honeytrap
※80ポートは除く
<国別検知数および検知数>
◾️Honeytrap
※80ポートは除く
<国別検知数および検知数>
<ポート検知数(前日比)>
| ポート番号 | サービス | 件数 | 前日比 |
|---|---|---|---|
| 1433 | ms-sql-s | 12215 | -10757 |
| 445 | smb | 4256 | -209 |
| 22 | ssh | 2914 | -1145 |
| 23 | telnet | 1378 | -213 |
| 3306 | mysql | 340 | 283 |
| 5900 | vnc | 329 | -64 |
| 3389 | rdp | 327 | 196 |
| 2323 | telnet | 201 | 11 |
| 9022 | 196 | 193 | |
| 8080 | proxy | 174 | 53 |
<新規マルウェアダウンロード>
| malware_url | VT_link | status code | hash | total | positives | VT_malware |
| hxxp://lsd[.]systemten[.]org | https://www.virustotal.com/file/b0b835a18624a2b57f7847c3d1d47d367ca1735bb4a9408ca1d7722f4201d034/analysis/1568970635/ | 200 | b8db8b4a1b28fe78e53d2579549248bbf4af0f6d | 56 | 0 | |
| hxxp://174[.]128[.]226[.]101/mips | https://www.virustotal.com/file/c51c776b3aff1533eaf680473d5292cee0fc6d7a8c2821971fc56a781ead56e6/analysis/1568738331/ | 200 | 81542728b7d0ed176f7e9e965880c661ebe72bb0 | 57 | 26 | MicroWorld-eScan:Gen:Variant.Backdoor.Linux.Tsunami.1, FireEye:Gen:Variant.Backdoor.Linux.Tsunami.1, Symantec:Linux.Backdoor.Kaiten, ESET-NOD32:a variant of Linux/Tsunami.NDJ, TrendMicro-HouseCall:Backdoor.Linux.BASHLITE.SMJC10, Avast:ELF:DDoS-Y [Trj], Kaspersky:HEUR:Backdoor.Linux.Tsunami.cb, BitDefender:Gen:Variant.Backdoor.Linux.Tsunami.1, Tencent:Backdoor.Linux.Tsunami.x, Ad-Aware:Gen:Variant.Backdoor.Linux.Tsunami.1, Emsisoft:Gen:Variant.Backdoor.Linux.Tsunami.1 (B), DrWeb:Linux.BackDoor.Tsunami.239, TrendMicro:Backdoor.Linux.BASHLITE.SMJC10, Sophos:Linux/Tsunami-A, Ikarus:Trojan.Linux.Gafgyt, Fortinet:ELF/Tsunami.NDJ!tr, Arcabit:Trojan.Backdoor.Linux.Tsunami.1, AhnLab-V3:Linux/Tsunami.Gen3, ZoneAlarm:HEUR:Backdoor.Linux.Tsunami.cb, Avast-Mobile:ELF:Tsunami-EQ [Trj], ALYac:Gen:Variant.Backdoor.Linux.Tsunami.1, MAX:malware (ai score=94), Rising:Backdoor.Tsunami!1.A1B2 (CLASSIC), GData:Gen:Variant.Backdoor.Linux.Tsunami.1, AVG:ELF:DDoS-Y [Trj], Qihoo-360:virus.elf.tsunami.gen |
| hxxp://35[.]195[.]111[.]236/zehir/z3hir[.]mips | https://www.virustotal.com/file/40ecaec792a18e4c85630ff7bd1b1312b0cde47edd816593910bde478045eada/analysis/1568882712/ | 200 | 6c846e2fe0ecb6ccf1598480fd2d1e9bf00d80ba | 58 | 25 | Symantec:Linux.Mirai, ESET-NOD32:Linux/Mirai.AHI, Avast:Other:Malware-gen [Trj], ClamAV:Unix.Dropper.Mirai-7135899-0, Kaspersky:HEUR:Backdoor.Linux.Mirai.b, NANO-Antivirus:Trojan.Mirai.fzjwmw, AegisLab:Trojan.Linux.Mirai.K!c, Tencent:Backdoor.Linux.Mirai.wao, F-Secure:Malware.LINUX/Mirai.xdjvu, DrWeb:Linux.Mirai.671, TrendMicro:Trojan.Linux.ZYX.USELVIE19, McAfee-GW-Edition:GenericRXIA-VD!BA139CAE680F, Sophos:Linux/DDoS-CI, Cyren:ELF/Trojan.KAGD-22, Jiangmin:Backdoor.Linux.byly, Avira:LINUX/Mirai.xdjvu, Fortinet:ELF/DDoS.CIA!tr, ZoneAlarm:HEUR:Backdoor.Linux.Mirai.b, Microsoft:Trojan:Win32/Ditertag.A, AhnLab-V3:Linux/Mirai.Gen10, McAfee:GenericRXIA-VD!BA139CAE680F, Ikarus:Trojan.Linux.Mirai, GData:Linux.Trojan.Agent.KOBW43, AVG:Other:Malware-gen [Trj], Qihoo-360:Win32/Backdoor.6f4 |
| hxxp://188[.]209[.]52[.]11/curl[.]sh | https://www.virustotal.com/file/aa607b23d9af9c826134867193f43a4d90754718af217fb0279af267907e9bae/analysis/1569027701/ | 200 | 65a3fb231475dc4bd489f5304a721a37336dea3d | 55 | 2 | Kaspersky:Trojan-Downloader.Shell.Agent.bi, ZoneAlarm:Trojan-Downloader.Shell.Agent.bi |
| hxxp://pm[.]cpuminerpool[.]com/pm[.]sh | https://www.virustotal.com/file/81de9fc33ab05928f9abca627435b3fa40a3470e01dc435dddae0e7bec640274/analysis/1568621852/ | 200 | cd3af8bc58dc26936a02e1598992dffe586b3475 | 55 | 0 | |
| hxxp://185[.]181[.]10[.]234/E5DB0E07C3D7BE80V520/init[.]sh | https://www.virustotal.com/file/c523bb5d3985c966fe761f89315f5fa240b328e51700ec91b60f1f0a1bef3594/analysis/1568201583/ | 200 | 773ab67d9863878552a504d4144ebaf6dfc49f56 | 56 | 22 | McAfee:Linux/CoinMiner.x, Symantec:Trojan.Gen.NPE, TrendMicro-HouseCall:Possible_MINERDLOD.SMLBOB, Avast:BV:Miner-BR [Drp], ClamAV:Txt.Coinminer.Downloader-6811173-0, GData:Script.Trojan.Agent.7JIURA, Kaspersky:HEUR:Trojan-Downloader.Shell.Miner.gen, AegisLab:Trojan.Shell.Miner.4!c, Tencent:Heur:Trojan.Linux.Downloader.i, DrWeb:Linux.BtcMine.222, TrendMicro:Trojan.Linux.PUAMSON.USNELEO19, McAfee-GW-Edition:Linux/CoinMiner.x, Cyren:Trojan.DGIS-4, Jiangmin:Trojan.GenericKD.bju, Antiy-AVL:Trojan[Downloader]/Shell.Miner, ZoneAlarm:HEUR:Trojan-Downloader.Shell.Miner.gen, Microsoft:Trojan:Win32/Mamson.A!ml, AhnLab-V3:Shell/Agent, Ikarus:Trojan.Script.Agent, MaxSecure:Trojan.Malware.74320078.susgen, AVG:BV:Miner-BR [Drp], Qihoo-360:Win32/Trojan.Downloader.7dd |
| hxxp://103[.]83[.]157[.]41 | https://www.virustotal.com/url/493ca61c8f8d6ef7b58604e577661cfa6f2ea6b6738a30f4d78683f1f373dda5/analysis/1562037370/ | Unknown | ||||
| hxxp://188[.]241[.]73[.]110 | https://www.virustotal.com/file/d01984d5f581bbb2100fe65e5c677563a9150fe22edbdf875601d86c63862f3d/analysis/1568618881/ | 200 | 042f495f7f6adefc7b376f9d00f9e64f04cadcee | 50 | 0 | |
| hxxp://142[.]11[.]199[.]235/mips | https://www.virustotal.com/file/af18cd19287cdf764418b4212cbcd64e5bba8e8632a3990026f6f5c0b54f3fce/analysis/1567916002/ | 200 | 8bc0fcd0b5f456938cf6db535316146359ea02a8 | 56 | 19 | ESET-NOD32:a variant of Linux/Mirai.AEL, TrendMicro-HouseCall:Backdoor.Linux.MIRAI.SMMR1, Avast:ELF:Hajime-R [Trj], ClamAV:Unix.Trojan.Gafgyt-6748839-0, Kaspersky:HEUR:Backdoor.Linux.Mirai.ad, Rising:Backdoor.Mirai/Linux!1.BAF6 (CLASSIC), DrWeb:Linux.Mirai.1443, TrendMicro:Backdoor.Linux.MIRAI.SMMR1, McAfee-GW-Edition:Linux/Mirai-FDXO!249E607F736C, Sophos:Mal/Generic-S, Fortinet:ELF/Mirai.AE!tr, Microsoft:DDoS:Linux/Gafgyt.YA!MTB, ZoneAlarm:HEUR:Backdoor.Linux.Mirai.ad, Avast-Mobile:ELF:Mirai-UM [Trj], AhnLab-V3:Linux/Exploit.Gen2, McAfee:Linux/Mirai-FDXO!249E607F736C, Tencent:Backdoor.Linux.Mirai.wao, GData:Linux.Trojan.Mirai.E, AVG:ELF:Hajime-R [Trj] |
| hxxp://50[.]3[.]82[.]135/mips | https://www.virustotal.com/url/67fda5ce9e43f72de70279bf5b7a281867753667281c78444e8e388944800a57/analysis/1568815584/ | Unknown | ||||
| hxxp://195[.]231[.]6[.]216/htp/ab[.]arm4 | https://www.virustotal.com/url/85a648a5e6401d1c0fcddfbd3e26816b08b2231b5d0327f3380be63c80701df9/analysis/1569028142/ | Unknown | ||||
| hxxp://31[.]13[.]195[.]109/jaws[.]sh | https://www.virustotal.com/url/bdd12fe0171ecb51d25443c0c09f183b134a8271022b7e9651866e9742eca0c6/analysis/1568526339/ | 404 | ||||
| hxxp://31[.]13[.]195[.]49/x | https://www.virustotal.com/url/65071584ab70a5353da1eeec090311e3fb8c2c1de103387b2c94cb29d32ac4b3/analysis/1568512414/ | Unknown | ||||
◾️WoWHoneypot
<国別検知数および検知数>
<マルウェアダウンロード>
◾️WoWHoneypot
<国別検知数および検知数>
<検知パス一覧>
特に新たな脆弱性を狙った通信は検知していませんでした。
| wow_path | target | CVE | reference | count |
| / | - | - | - | 25 |
| /wp-login.php | WordPress | - | - | 16 |
| /admin/assets/js/views/login.js | FreePBX | - | https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 | 8 |
| /xmlrpc.php | WordPress | - | - | 8 |
| /TP/public/index.php | ThinkPHP | - | - | 3 |
| /shell | Webshell | - | - | 2 |
| /160.16.145.183/ | - | - | - | 1 |
| /admin/ajax.php | - | https://nelog.jp/attacked-php-files | 1 | |
| /cpanel | phpMyAdmin | - | - | 1 |
| /index.php | - | - | - | 1 |
| /manager/html | Tomcat | - | - | 1 |
| /phpmyadmin/index.php | phpMyAdmin | - | - | 1 |
| /robots.txt | - | - | - | 1 |
